Practice Free PT0-003 Exam Online Questions
A penetration tester discovers a deprecated directory in which files are accessible to anyone.
Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?
- A . Enumerating cached pages available on web pages
- B . Looking for externally available services
- C . Scanning for exposed ports associated with the domain
- D . Searching for vulnerabilities and potential exploits
A
Explanation:
When a penetration tester finds a deprecated web directory that’s publicly accessible, the goal is to gather as much information as possible without triggering alerts; every request made to the directory itself lands in the target's web server logs.
Enumerating cached copies of the pages (the Wayback Machine, Common Crawl, or a local proxy cache; Google's own cache links were retired in 2024) allows the tester to:
View historical or since-deleted content that might contain sensitive data, credentials, or configuration info.
Gather that evidence without directly interacting with the target system, so nothing appears in its logs or IDS, thus minimizing detection risk.
Why not the others:
B. Looking for externally available services: Useful for attack surface mapping, but not for extracting data from the discovered directory.
C. Scanning for exposed ports: Active probing that is exactly what IDS/IPS rules are written to catch, and it reveals nothing about the directory's contents.
D. Searching for vulnerabilities/exploits: Premature; reconnaissance and content discovery come first.
CompTIA PT0-003 Mapping:
Domain 2.0: Information Gathering and Vulnerability Scanning – OSINT and passive reconnaissance to identify exposed data and files.
Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?
- A . Creating registry keys
- B . Installing a bind shell
- C . Executing a process injection
- D . Setting up a reverse SSH connection
A
Explanation:
Maintaining persistent access in a compromised system is a crucial goal for a penetration tester after achieving initial access.
Here’s an explanation of each option and why creating registry keys is the preferred method:
Creating registry keys (Answer A):
Adding or modifying specific registry values causes a payload or backdoor to be launched automatically every time a user logs on or the system starts, which is exactly what persistence means.
Advantages: Survives reboots and needs no open listener or live outbound session of its own. The machine-wide Run key requires administrator rights; the HKCU equivalent works from an unprivileged user context. Caveat: the Run keys are also the first place defenders and tools such as Autoruns look, and Sysmon records writes to them, so "stealthy" here is relative to the other options rather than absolute.
Example: Adding a new value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (or the per-user HKCU\Software\Microsoft\Windows\CurrentVersion\Run) that executes a script at the next user logon.
Reference: Persistence techniques involving registry keys are common in penetration tests and are highlighted in various cybersecurity resources as effective methods to maintain access.
Installing a bind shell (Option B):
A bind shell listens on a specific port and waits for an incoming connection from the attacker.
Drawbacks: This method is less stealthy and can be easily detected by network monitoring tools or a routine port scan. It also requires an open inbound port, which might be closed or filtered by firewalls, and the listener does not survive a reboot unless something else restarts it.
Executing a process injection (Option C):
Process injection involves injecting malicious code into a running process, usually to evade detection.
Drawbacks: While effective for evasion, it doesn’t inherently provide persistence. The injected code is lost when the host process terminates or the system reboots.
Setting up a reverse SSH connection (Option D):
In a reverse SSH connection the compromised system initiates an outbound SSH session to the attacker's host and forwards a port back through it (ssh -R), giving the attacker a way in via the tunnel.
Drawbacks: This maintains a session rather than a foothold: it is lost on reboot, on a network change, or when the outbound connection is noticed and cut, unless it is itself relaunched by a persistence mechanism such as a Run key or scheduled task.
Conclusion: Creating registry keys is the most effective method for maintaining persistent access in a compromised system, particularly in Windows environments, because access is re-established automatically after a reboot without depending on an open port or a live connection.
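The flip side of the Run-key technique above is how it is found. The following is an added example, not code from the exam page or from CompTIA: it parses the text that `reg export` produces for the HKLM and HKCU Run keys and flags the entries a tester (or a defender doing a post-engagement sweep) would want to look at. The .reg content is constructed, the indicator lists are illustrative heuristics, and the base64 in the "Updater" entry is a truncated stand-in, not a working payload.

```python
import re

# Only the autorun keys this exam item is about: HKLM/HKCU ...\CurrentVersion\Run and RunOnce.
AUTORUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Indicators worth a second look in an autorun entry (heuristics, not proof of compromise).
INTERPRETERS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
ENCODED_FLAGS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.I)
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer"}

# Constructed sample in `reg export` format (real exports are UTF-16LE; decode before parsing).
# The base64 in the "Updater" entry is a truncated stand-in, not a working payload.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\Public\\svchost.exe"
"""


def _unescape(value):
    """Undo .reg escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text):
    """Return [{'key', 'name', 'command'}] for every value under a Run/RunOnce key."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = AUTORUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None   # values under other keys are skipped
            continue
        m = VALUE_RE.match(line)
        if current_key and m:
            entries.append({"key": current_key, "name": m.group(1), "command": _unescape(m.group(2))})
    return entries


def audit_autoruns(entries):
    """Attach a list of reasons to every entry that matches at least one indicator."""
    findings = []
    for entry in entries:
        cmd = entry["command"]
        reasons = []
        if INTERPRETERS.search(cmd):
            reasons.append("script interpreter or LOLBin launched at logon")
        if ENCODED_FLAGS.search(cmd):
            reasons.append("encoded or hidden-window PowerShell arguments")
        if USER_WRITABLE.search(cmd):
            reasons.append("executable lives in a user-writable directory")
        if entry["name"].lower() in SYSTEM_NAMES and "\\system32\\" not in cmd.lower():
            reasons.append("system-process name pointing outside System32")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['key']}\\{f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the encoded PowerShell "Updater" and the Public-folder "svchost" are flagged for two reasons each, while the legitimate OneDrive entry is also flagged once because it runs from AppData; that false positive is deliberate, since it is the kind of noise a tester has to triage when reporting on (or hiding among) autorun entries.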
Which of the following OT protocols sends information in cleartext?
- A . TTEthernet
- B . DNP3
- C . Modbus
- D . PROFINET
C
Explanation:
Operational Technology (OT) protocols are used in industrial control systems (ICS) to manage and automate physical processes. Most of the classic fieldbus and SCADA protocols were designed for isolated networks and carry no authentication or encryption at all; the question asks for the protocol best known for this.
Here’s an analysis of each protocol regarding whether it sends information in cleartext:
TTEthernet (Option A):
TTEthernet (Time-Triggered Ethernet) is designed for real-time communication and safety-critical systems.
Security: Its mechanisms provide deterministic timing and fault tolerance rather than confidentiality; it is a scheduling layer over Ethernet, not a protocol known for exposing process data, and it is not the answer the exam is looking for.
DNP3 (Option B):
DNP3 (Distributed Network Protocol) is used in electric and water utilities for SCADA (Supervisory Control and Data Acquisition) systems.
Security: The original DNP3 protocol transmits data in cleartext, but the DNP3 Secure Authentication extension (IEEE 1815) adds cryptographic authentication of critical messages, so the protocol family does offer a security option.
Modbus (Answer C):
Modbus is a communication protocol used in industrial environments for transmitting data between electronic devices; Modbus/TCP normally runs on TCP port 502.
Security: Modbus has no authentication, integrity protection or encryption. The unit identifier, function code, register addresses and values are readable, and writable, by anyone on the network path. A TLS-wrapped variant (Modbus/TCP Security, port 802) exists but is rarely deployed.
Reference: The lack of security features in Modbus, such as encryption, is well-documented and a known weakness in ICS environments.
PROFINET (Option D):
PROFINET is a standard for industrial networking in automation.
Security: The base PROFINET real-time protocol is also unencrypted; newer editions of the specification define optional security classes that add integrity protection and encryption, so it is not the canonical cleartext example.
Conclusion: Modbus is the protocol that most commonly sends information in cleartext, making it vulnerable to eavesdropping and interception.
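What "cleartext" means in practice is easiest to see on the wire. The following is an added example, not code from the exam page: it builds a Modbus/TCP poll, a constructed device reply, and a forged write, then decodes each one field by field with nothing more than struct.unpack. The register numbers and values are made up; the frame layout (7-byte MBAP header followed by the PDU) is the standard one.

```python
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
MODBUS_TCP_PORT = 502


def build_frame(transaction_id, unit_id, pdu):
    """Prefix a PDU with the 7-byte MBAP header: tid, protocol id (0), length, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers_request(transaction_id, unit_id, start_address, quantity):
    return build_frame(transaction_id, unit_id,
                       struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_address, quantity))


def write_single_register_request(transaction_id, unit_id, address, value):
    """Anyone who can reach port 502 can build this; there is no credential to supply."""
    return build_frame(transaction_id, unit_id,
                       struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


def parse_frame(frame):
    """Decode a Modbus/TCP frame as captured off the wire; every field is plain big-endian."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("length field does not match frame size")
    fc = pdu[0]
    out = {"transaction_id": tid, "unit_id": unit, "function_code": fc & 0x7F}
    if fc & 0x80:                                   # exception response: original fc + 0x80
        out.update(kind="exception", exception_code=pdu[1] if len(pdu) > 1 else None)
    elif fc == FC_READ_HOLDING_REGISTERS:
        if len(pdu) == 5:                           # request: start address + quantity
            addr, qty = struct.unpack(">HH", pdu[1:5])
            out.update(kind="request", start_address=addr, quantity=qty)
        else:                                       # response: byte count + N 16-bit registers
            byte_count = pdu[1]
            regs = struct.unpack(f">{byte_count // 2}H", pdu[2:2 + byte_count])
            out.update(kind="response", registers=list(regs))
    elif fc == FC_WRITE_SINGLE_REGISTER:            # request and the device's echo look identical
        addr, value = struct.unpack(">HH", pdu[1:5])
        out.update(kind="write", address=addr, value=value)
    else:
        out.update(kind="unparsed", pdu=pdu.hex())
    return out


# Constructed exchange: a poll of two registers and the device's reply (say, a setpoint and a status bit).
POLL = read_holding_registers_request(transaction_id=1, unit_id=1, start_address=100, quantity=2)
REPLY = build_frame(1, 1, bytes([FC_READ_HOLDING_REGISTERS, 4]) + struct.pack(">HH", 1500, 1))
# A forged write that sets register 100 from 1500 to 0: same shape as the poll, no authentication.
FORGED_WRITE = write_single_register_request(transaction_id=2, unit_id=1, address=100, value=0)

if __name__ == "__main__":
    for label, frame in (("poll", POLL), ("reply", REPLY), ("forged write", FORGED_WRITE)):
        print(f"{label:13} {frame.hex()}  ->  {parse_frame(frame)}")
```

The poll encodes as 000100000006010300640002, and every byte of it has an obvious meaning; a passive sniffer on the same segment recovers the process values, and an active attacker only has to change the function code to alter them. That is the exposure the exam answer is pointing at.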
DRAG DROP
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
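The code segments from this simulation are not reproduced on the page, so as an added example (not the exam's script and not CompTIA's code) here is a complete TCP connect scanner of the kind the item describes: something that can be typed into a limited shell on a pivot host and pointed at an isolated network. It assumes Python 3 is present on that host; nothing else is required. The self-test function stands up a listener on 127.0.0.1 so the scanner can be exercised without a target.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def parse_port_spec(spec):
    """Turn '22,80,8000-8010' into a sorted, de-duplicated list of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe(host, port, timeout=1.0, grab_banner=False):
    """Full TCP connect to one port. Returns (port, state, banner).

    state is 'open' (handshake completed), 'closed' (RST received) or
    'filtered' (no answer before the timeout, or another socket error).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            if grab_banner:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256)     # SSH, FTP and SMTP speak first; HTTP does not
                except OSError:
                    pass
            return port, "open", banner.decode("latin-1", "replace").strip()
    except ConnectionRefusedError:
        return port, "closed", ""
    except OSError:                          # socket.timeout is a subclass of OSError
        return port, "filtered", ""


def scan_ports(host, ports, timeout=1.0, workers=64, grab_banner=False):
    """Connect-scan `ports` on `host` concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout, grab_banner), ports)
        return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    return sorted(p for p, (state, _) in results.items() if state == "open")


def demo_against_local_listener():
    """Exercise the scanner with no external target: one listening and one closed port on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                              # released immediately, so it now refuses connections
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <host> <ports, e.g. 22,80,443,8000-8100>")
    res = scan_ports(sys.argv[1], parse_port_spec(sys.argv[2]), grab_banner=True)
    for p in open_ports(res):
        print(f"{p}/tcp open {res[p][1]}")
```

A connect scan completes the full three-way handshake, so every probe is visible to the target's logs and to any IDS watching the isolated segment; it is used here because it needs no raw-socket privilege on the pivot host. Lower the worker count and raise the timeout when scanning across a slow or monitored link.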
DRAG DROP
You are a penetration tester reviewing a client’s website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
An external legal firm is conducting a penetration test of a large corporation.
Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?
- A . Privileged & Confidential Status Update
- B . Action Required Status Update
- C . Important Weekly Status Update
- D . Urgent Status Update
A
Explanation:
Penetration test results are sensitive information and must be handled confidentially. When the test is run through outside counsel, communications are routinely marked so that attorney-client privilege can be asserted over them.
Privileged & Confidential Status Update (Option A):
Labels the message as privileged and confidential, which supports a later privilege claim and helps ensure compliance with legal and regulatory handling requirements.
Signals to every recipient that the content must not be forwarded or filed with ordinary project mail, encouraging secure handling.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Secure Communication and Reporting"
Incorrect options:
Option B (Action Required): Suggests an immediate response is needed, which may not always be the case, and says nothing about confidentiality.
Option C (Important Weekly Status Update): Does not emphasize confidentiality.
Option D (Urgent Status Update): Could cause unnecessary alarm unless truly urgent.
During a pre-engagement activity with a new customer, a penetration tester looks for assets to test.
Which of the following is an example of a target that can be used for testing?
- A . API
- B . HTTP
- C . IPA
- D . ICMP
A
Explanation:
An API (Application Programming Interface) is a common target in penetration testing, especially in modern web and mobile applications. APIs can be entry points for injection attacks, authentication bypasses, and data leakage.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 1 – Planning and Scoping): “Testers should identify all targets, including web applications, APIs, and other exposed services as part of the rules of engagement.”
Reference: Chapter 1, CompTIA PenTest+ PT0-003 Official Study Guide
A penetration tester successfully gained access to manage resources and services within the company’s cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network.
Which of the following credentials was the tester able to obtain?
- A . IAM credentials
- B . SSH key for cloud instance
- C . Cloud storage credentials
- D . Temporary security credentials (STS)
A
Explanation:
IAM (Identity and Access Management) credentials are used to control and manage access to cloud services and resources. When a penetration tester obtains IAM credentials, especially those with administrative privileges, they can perform high-level operations such as provisioning services, modifying configurations, or accessing sensitive data across the cloud environment. An SSH key would only grant access to a specific instance's operating system, not to the cloud control plane.
Cloud storage credentials are limited to storage access (buckets, blobs, file shares), not administrative capabilities.
Temporary security credentials (STS) expire after minutes to hours and carry whatever permissions the assumed role has; they can be administrative, but they are not the long-lived, poorly secured administrative credentials the scenario describes.
Reference: PT0-003 Objective 1.3 – Exploit cloud-based vulnerabilities, including credential abuse and privilege escalation via IAM.
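Whether a stolen IAM credential really has "extensive permissions" is decided by the policy documents attached to it, and a tester reads those before touching anything. The following is an added example, not code from the exam page or from any cloud provider: it reviews AWS-style policy JSON for admin-equivalent grants and for the well-known IAM privilege-escalation actions. The three policy documents are constructed, the escalation list is illustrative rather than exhaustive, and Deny statements and Conditions are reported but not evaluated.

```python
import fnmatch
import json

# Actions that, granted on Resource "*", let a principal mint or expand credentials.
# Illustrative subset of the well-known IAM privilege-escalation paths, not a complete list.
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole",
}


def _as_list(value):
    """IAM allows a single string or object where a list is expected; normalise."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def _grants(patterns, action):
    """Does any Action pattern (e.g. 'iam:*', 'iam:Create*') cover this action? Case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def review_policy(policy):
    """Return [(statement_index, finding)] for Allow statements that are admin-equivalent
    or open a privilege-escalation path on all resources."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue                                   # Deny statements are not evaluated here
        any_resource = "*" in _as_list(st.get("Resource"))
        if "NotAction" in st:
            findings.append((i, "NotAction allows everything not listed; treat as near-admin"))
            continue
        actions = _as_list(st.get("Action"))
        if "*" in actions and any_resource:
            findings.append((i, "full administrator (Action * on Resource *)"))
            continue
        escalation = sorted(a for a in ESCALATION_ACTIONS if _grants(actions, a))
        if escalation and any_resource:
            note = " (Condition present, review it)" if st.get("Condition") else ""
            findings.append((i, "privilege-escalation path on all resources: "
                                + ", ".join(escalation) + note))
    return findings


def is_admin_equivalent(policy):
    return bool(review_policy(policy))


# Constructed policy documents standing in for what `aws iam get-policy-version` or
# `aws iam get-user-policy` would return for the compromised principal.
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

QUIET_ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Create*", "iam:PassRole"], "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_POLICY), ("quiet admin", QUIET_ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", review_policy(pol) or "no findings")
```

The second policy is the interesting one for the exam scenario: it never says "*", yet iam:Create* on every resource lets the holder create an access key for any user, including an administrator, so it is the kind of credential that ends up managing "resources and services across the environment". Real reviews must also pull every attached, inline and group policy, plus any permissions boundary and SCP, before drawing that conclusion.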
During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules.
Which of the following is the most effective way for the tester to accomplish this task?
- A . Crack user accounts using compromised hashes.
- B . Brute force accounts using a dictionary attack.
- C . Bypass authentication using SQL injection.
- D . Compromise user accounts using an XSS attack.
A
Explanation:
To avoid triggering IDS/IPS alerts, the attacker should use offline cracking on compromised hashes rather than direct brute-force attempts.
Crack user accounts using compromised hashes (Option A):
Hashes can be cracked offline using tools like Hashcat or John the Ripper.
No login attempts touch the target while cracking, so there are no failed-authentication events or network signatures for an IDS/IPS to match; the only interaction is a single successful login with the recovered password.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Password Cracking Techniques and Evasion"
Incorrect options:
Option B (Brute force): Generates a high volume of failed logins, which triggers IDS/IPS rules and account lockouts.
Option C (SQL injection): Authentication-bypass payloads are well covered by IDS/IPS and WAF signatures and leave distinctive entries in web server logs.
Option D (XSS attack): Requires victim interaction, steals sessions or cookies rather than credentials, and still generates observable malicious requests.
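The mechanics behind Option A, as an added example (not code from the exam page and not a substitute for Hashcat or John): a dictionary attack with a few mangling rules run against a credential dump, entirely offline. The dump is constructed inside the block so the example is self-contained; it assumes unsalted MD5/SHA-1/SHA-256 digests or an alg$salt$hash format with the salt prepended, which is a simplification of the formats real applications use. The point to notice is that no socket is ever opened: the target sees none of this work.

```python
import hashlib

HEX_LENGTH_TO_ALGORITHM = {32: "md5", 40: "sha1", 64: "sha256"}


def digest(algorithm, data):
    # usedforsecurity=False keeps md5/sha1 available on FIPS-configured interpreters
    return hashlib.new(algorithm, data, usedforsecurity=False).hexdigest()


def algorithm_for(hexhash):
    """Guess an unsalted algorithm from digest length (what a cracker's mode detection does)."""
    return HEX_LENGTH_TO_ALGORITHM.get(len(hexhash))


def candidates(word):
    """Cheap mangling rules: case variants plus the suffixes users actually append."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2024"):
            yield base + suffix


def crack(dump, wordlist):
    """dump maps user -> 'hexhash' (unsalted) or 'alg$salt$hexhash' (salted, salt prepended).
    Returns {user: recovered_password}. Nothing in here touches the target system."""
    unsalted, salted, found = {}, [], {}
    for user, entry in dump.items():
        if "$" in entry:
            alg, salt, h = entry.split("$", 2)
            salted.append((user, alg, salt, h.lower()))
        elif algorithm_for(entry):
            unsalted.setdefault((algorithm_for(entry), entry.lower()), []).append(user)
    algorithms = {alg for alg, _ in unsalted}
    for word in wordlist:
        for cand in candidates(word):
            data = cand.encode()
            # Unsalted: one hash per algorithm per candidate checks every user at once.
            for alg in algorithms:
                for user in unsalted.get((alg, digest(alg, data)), []):
                    found.setdefault(user, cand)
            # Salted: the salt forces one hash per (user, candidate), which is the point of salting.
            for user, alg, salt, h in salted:
                if user not in found and digest(alg, salt.encode() + data) == h:
                    found[user] = cand
    return found


def make_sample_dump():
    """Constructed stand-in for a dumped credential table; the hashes are generated here so the
    example runs anywhere (never paste real dumps into examples or reports)."""
    return {
        "alice": digest("sha1", b"Summer2024"),
        "bob": digest("md5", b"password123"),
        "carol": "sha256$n0tS0Rand0m$" + digest("sha256", b"n0tS0Rand0mWelcome!"),
        "dave": digest("sha256", b"correct horse battery staple"),   # not reachable from the wordlist
    }


WORDLIST = ["summer", "password", "welcome", "letmein", "qwerty"]

if __name__ == "__main__":
    for user, pw in sorted(crack(make_sample_dump(), WORDLIST).items()):
        print(f"{user}: {pw}")
```

Three of the four accounts fall to a five-word list with trivial rules, which is the usual outcome against unsalted fast hashes; "dave" survives because the passphrase is not derivable from the list, not because the hash is stronger. Once a password is recovered, a single normal login is all the target ever observes.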
