Practice Free PT0-003 Exam Online Questions
A penetration tester wants to use the following Bash script to identify active servers on a network:
1 network_addr="192.168.1"
2 for h in {1..254}; do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done
Which of the following should the tester do to modify the script?
- A . Change the condition on line 4.
- B . Add 2>&1 at the end of line 3.
- C . Use seq on the loop on line 2.
- D . Replace $h with ${h} on line 3.
C
Explanation:
The provided Bash script is used to ping a range of IP addresses to identify active hosts in a network.
Here’s a detailed breakdown of the script and the necessary modification:
Original Script:
1 network_addr="192.168.1"
2 for h in {1..254}; do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done
Analysis:
Line 2: The loop uses {1..254} to iterate over the range of host addresses. Brace expansion is a bash feature, so this notation fails if the script is run by a different shell (for example, invoked with sh instead of bash).
Using seq for Better Compatibility:
The seq command is a more compatible way to generate a sequence of numbers. It ensures the loop works in any POSIX-compliant shell.
Modified Line 2:
for h in $(seq 1 254); do
This change ensures broader compatibility and reliability of the script.
Modified Script:
1 network_addr="192.168.1"
2 for h in $(seq 1 254); do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done
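The following is an added example, not part of the exam page, that rewrites the sweep as a portable function using seq and tests the ping result directly in the if condition instead of through $?. The probe function is swappable so the loop logic can be exercised offline; fake_probe and the 192.168.1 prefix are constructed for the demonstration. The same loop is what a defender runs to inventory which hosts on a segment answer ICMP.

```shell
#!/bin/sh
# Added example (not from the exam page): portable host sweep using seq.

# probe_host IP: returns 0 if the host answers one ICMP echo within 1 second.
probe_host() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# sweep_hosts PREFIX FIRST LAST [PROBE_FN]
# Prints "<ip> up" or "<ip> down" for each host in PREFIX.FIRST..PREFIX.LAST.
# The probe function defaults to probe_host but can be replaced (e.g. in tests).
sweep_hosts() {
    prefix=$1; first=$2; last=$3; probe=${4:-probe_host}
    for h in $(seq "$first" "$last"); do
        if "$probe" "$prefix.$h"; then
            echo "$prefix.$h up"
        else
            echo "$prefix.$h down"
        fi
    done
}

# count_up: reads sweep output on stdin and prints the number of hosts up.
count_up() {
    grep -c ' up$'
}

# fake_probe IP: constructed stand-in for ping so the sweep runs offline;
# it treats hosts .1 and .3 as reachable and everything else as down.
fake_probe() {
    case $1 in
        *.1|*.3) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run with "demo" as the first argument to see the offline sweep.
if [ "${1:-}" = "demo" ]; then
    sweep_hosts 192.168.1 1 5 fake_probe
fi
```

Replace fake_probe with probe_host (the default) to sweep a real range you are authorized to test.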
A penetration tester conducts reconnaissance for a client’s network and identifies the following system of interest:
$ nmap -A AppServer1.compita.org
Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27
Nmap scan report for AppServer1.compita.org (192.168.1.100)
Host is up (0.001s latency).
Not shown: 999 closed ports
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
873/tcp open rsync
8080/tcp open http-proxy
8443/tcp open https-alt
9090/tcp open zeus-admin
10000/tcp open snet-sensor-mgmt
The tester notices numerous open ports on the system of interest.
Which of the following best describes this system?
- A . A honeypot
- B . A Windows endpoint
- C . A Linux server
- D . An already-compromised system
A
Explanation:
A honeypot is a decoy system designed to attract attackers by exposing multiple services and vulnerabilities.
Indicators of a honeypot (Option A):
The system has an unusual combination of Windows (SMB, MSRPC) and Linux (Rsync, SSH) services.
It exposes a large number of open ports, which is uncommon for a production server.
Presence of "zeus-admin" (port 9090) suggests intentionally vulnerable services.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Honeypots and Decoys in Reconnaissance"
Incorrect options:
Option B (Windows endpoint): Windows would not normally run Rsync (873/tcp) or SSH (22/tcp).
Option C (Linux server): Linux servers typically don’t have NetBIOS (139/tcp) or MSRPC (135/tcp).
Option D (Already-compromised system): Although possible, honeypots mimic compromised systems to lure attackers.
A penetration tester needs to help create a threat model of a custom application.
Which of the following is the most likely framework the tester will use?
- A . MITRE ATT&CK
- B . OSSTMM
- C . CI/CD
- D . DREAD
D
Explanation:
The DREAD model is a risk assessment framework used to evaluate and prioritize the security risks of an application. It stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
Understanding DREAD:
Purpose: Provides a structured way to assess and prioritize risks based on their potential impact and likelihood.
Components:
Damage Potential: The extent of harm that an exploit could cause.
Reproducibility: How easily the exploit can be reproduced.
Exploitability: The ease with which the vulnerability can be exploited.
Affected Users: The number of users affected by the exploit.
Discoverability: The likelihood that the vulnerability will be discovered.
Usage in Threat Modeling:
Evaluation: Assign scores to each DREAD component to assess the overall risk.
Prioritization: Higher scores indicate higher risks, helping prioritize remediation efforts.
Process:
Identify Threats: Enumerate potential threats to the application.
Assess Risks: Use the DREAD model to evaluate each threat.
Prioritize: Focus on addressing the highest-scoring threats first.
Reference from Pentesting Literature:
The DREAD model is widely discussed in threat modeling and risk assessment sections of penetration testing guides.
HTB write-ups often include references to DREAD when explaining how to assess and prioritize vulnerabilities in applications.
References: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
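As an added example (not from the exam page or any official DREAD tooling), the scoring and prioritization steps above can be carried out with a small shell function: each threat gets five component scores, the DREAD score is their average, and threats are listed highest first. The 1-10 scale per component and the sample threat list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the exam page): DREAD scoring and prioritization.

# dread_rank: reads lines of "threat,Damage,Reproducibility,Exploitability,
# Affected users,Discoverability" on stdin (each component 1-10, an assumed
# scale; lines starting with # are ignored) and prints "score threat" lines
# sorted from highest to lowest risk. The score is the mean of the five
# components; out-of-range values are reported on stderr and skipped.
dread_rank() {
    awk -F, '
        /^#/ { next }
        NF == 6 {
            total = 0
            for (i = 2; i <= 6; i++) {
                if ($i < 1 || $i > 10) {
                    printf "skipping %s: bad score %s\n", $1, $i > "/dev/stderr"
                    next
                }
                total += $i
            }
            printf "%.1f %s\n", total / 5, $1
        }' | sort -rn
}

# Constructed sample threat list for a web application (not from the page).
SAMPLE_THREATS='# threat,D,R,E,A,D
SQL injection in login form,9,10,8,10,7
Verbose stack trace on error page,2,10,5,3,9
Session token in URL,6,8,6,7,5'

# Run with "demo" as the first argument to print the ranked list.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_THREATS" | dread_rank
fi
```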
HOTSPOT
A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.
INSTRUCTIONS
Select the tool the penetration tester should use for further investigation.
Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

The two entries in the robots.txt file that the penetration tester should recommend for removal are:
Allow: /admin
Allow: /wp-admin
These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application’s backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.
A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.
Based on the targets’ EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
- A . Target 1: EPSS Score = 0.6 and CVSS Score = 4
- B . Target 2: EPSS Score = 0.3 and CVSS Score = 2
- C . Target 3: EPSS Score = 0.6 and CVSS Score = 1
- D . Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
A
Explanation:
EPSS and CVSS Analysis:
EPSS (Exploit Prediction Scoring System) indicates the likelihood of exploitation.
CVSS (Common Vulnerability Scoring System) represents the severity of the vulnerability.
Rationale:
Target 1 has the highest EPSS score (0.6) combined with a moderately high CVSS score (4), making it the most likely to be attacked.
Other options either have lower EPSS or CVSS scores, reducing their likelihood of being exploited.
Reference: CompTIA PenTest+ Domain 2.0 (Information Gathering and Vulnerability Identification)
A penetration tester cannot find information on the target company’s systems using common OSINT methods. The tester’s attempts to do reconnaissance against internet-facing resources have been blocked by the company’s WAF.
Which of the following is the best way to avoid the WAF and gather information about the target company’s systems?
- A . HTML scraping
- B . Code repository scanning
- C . Directory enumeration
- D . Port scanning
B
Explanation:
When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information.
Here's why:
Code Repository Scanning:
Leaked Information: Code repositories (e.g., GitHub, GitLab) often contain sensitive information, including API keys, configuration files, and even credentials that developers might inadvertently commit.
Accessible: These repositories can often be accessed publicly, bypassing traditional defenses like WAFs.
Comparison with Other Methods:
HTML Scraping: Limited to the data present on web pages and can still be blocked by WAF.
Directory Enumeration: Likely to be blocked by WAF as well and might not yield significant internal information.
Port Scanning: Also likely to be blocked or trigger alerts on WAF or IDS/IPS systems.
Scanning code repositories allows the tester to gather a wide range of information that can be critical for the rest of the penetration testing effort.
A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services.
Which of the following commands should the tester use?
- A . nmap -sU -sW -p 1-65535 example.com
- B . nmap -sU -sY -p 1-65535 example.com
- C . nmap -sU -sT -p 1-65535 example.com
- D . nmap -sU -sN -p 1-65535 example.com
C
Explanation:
To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:
Understanding the Options:
-sU: Performs a UDP scan.
-sT: Performs a TCP connect scan.
Command: nmap -sU -sT -p 1-65535 example.com
This command will scan both TCP and UDP ports from 1 to 65535 on the target example.com.
Combining -sU and -sT ensures that both types of services are scanned.
Comparison with Other Options:
-sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.
-sY: Initiates a SCTP INIT scan, not relevant for this context.
-sN: Initiates a TCP Null scan, which is not used for discovering UDP services.
Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?
- A . An end-of-life web server is decommissioned.
- B . A new zero-day vulnerability is publicly disclosed.
- C . The penetration tester is not capturing artifacts for an exploited vulnerability.
- D . A new lead penetration tester is assigned to the project.
B
Explanation:
During an active PenTest+ engagement, goal changes are most commonly driven by new, material risk that affects the client’s threat landscape or business exposure. A publicly disclosed zero-day vulnerability can immediately change what the organization considers most critical because it may be actively exploited in the wild, may impact internet-facing systems, and may require urgent validation of compensating controls, patch readiness, or exposure level. In PenTest+ planning and scoping practices, the tester and client may revisit priorities mid-engagement when emerging threats create a higher likelihood of compromise or when leadership requires rapid answers (for example, “Are we vulnerable?” and “Can you prove impact?”).
Decommissioning an end-of-life server (A) typically reduces scope rather than reprioritizing goals, and it is a routine operational change. Not capturing artifacts (C) is a tester process/quality issue addressed through engagement management, not a client-driven reprioritization trigger. Assigning a new lead tester (D) is a staffing change and should not alter the client’s goals unless scope and requirements change. The zero-day disclosure is the clearest driver for reprioritization.
A penetration tester attempts to obtain the preshared key for a client’s wireless network.
Which of the following actions will most likely aid the tester?
- A . Deploying an evil twin with a WiFi Pineapple
- B . Performing a password spraying attack with Hydra
- C . Setting up a captive portal using SET
- D . Deauthenticating clients using aireplay-ng
D
Explanation:
Obtaining a wireless preshared key (PSK) in a WPA/WPA2-Personal environment typically relies on capturing the 4-way handshake (or equivalent key exchange) between a client and the access point. PenTest+ emphasizes that the handshake is captured when a client authenticates or reauthenticates to the network; once the handshake is collected, the tester can attempt an offline password attack to determine the PSK (subject to rules of engagement and authorization).
Using aireplay-ng to perform a deauthentication attack forces connected clients to disconnect and then automatically reconnect, which triggers a new handshake that can be captured by the tester’s monitoring interface. This directly supports the goal of acquiring material needed to recover the PSK.
An evil twin (A) and captive portal (C) are social-engineering approaches more aligned with credential harvesting for enterprise/portal-based access, not reliably extracting a WPA2-PSK. Password spraying with Hydra (B) targets online login services and is not applicable to cracking a WPA/WPA2 PSK, which is derived from the handshake and performed offline.
A penetration tester identifies the following open ports during a network enumeration scan:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
27017/tcp open mongodb
50123/tcp open ms-rpc
Which of the following commands did the tester use to get this output?
- A . nmap -Pn -A 10.10.10.10
- B . nmap -sV 10.10.10.10
- C . nmap -Pn -w 10.10.10.10
- D . nmap -sV -Pn -p- 10.10.10.10
D
Explanation:
To detect all open ports and enumerate services, the tester needs to:
Use -sV (Service Version Detection)
Use -Pn (skips the host-discovery ping and treats the host as up, so targets behind firewalls that drop ICMP are still scanned)
Use -p- (Scans all 65,535 TCP ports)
nmap -sV -Pn -p- 10.10.10.10 (Option D):
This command performs full-port scanning, including high-numbered ports like 50123/tcp (ms-rpc).
Without -p-, high ports would be missed.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Nmap Scanning Techniques"
Incorrect options:
Option A (-A): Includes OS detection but does not guarantee scanning all ports.
Option B (-sV without -p-): Scans default ports only, missing 50123/tcp.
Option C (-w): Invalid Nmap flag.
