Practice Free PT0-003 Exam Online Questions
A penetration tester writes the following script to enumerate a /24 network:
1 #!/bin/bash
2 for i in {1..254}
3 ping -c1 192.168.1.$i
4 done
The tester executes the script, but it fails with the following error:
-bash: syntax error near unexpected token `ping'
Which of the following should the tester do to fix the error?
- A . Add do after line 2
- B . Replace {1..254} with $(seq 1 254)
- C . Replace bash with zsh
- D . Replace $i with ${i}
A
Explanation:
The missing "do" keyword is the reason for the syntax error. A Bash for loop has the form "for name in list; do commands; done" (the "do" may sit on the line after the word list, or follow it after a semicolon), and the parser reports the first token it meets where "do" was expected, here "ping". Option B swaps the brace expansion for an equivalent seq call but leaves the loop without its "do"; option D changes nothing, since $i and ${i} are identical here; option C is not a fix at all. In practice, also give ping a timeout (ping -c1 -W1) or the sweep stalls on every unresponsive address.
Corrected script:
#!/bin/bash
for i in {1..254}; do
ping -c1 192.168.1.$i
done
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 4, Scanning and Enumeration): “In Bash scripting, control structures like for-loops require correct syntax, including the ‘do’ keyword for loop logic to execute properly.”
Reference: Chapter 4, CompTIA PenTest+ PT0-003 Official Study Guide
Which of the following is within the scope of proper handling and most crucial when working on a penetration testing report?
- A . Keeping both video and audio of everything that is done
- B . Keeping the report to a maximum of 5 to 10 pages in length
- C . Basing the recommendation on the risk score in the report
- D . Making the report clear for all objectives with a precise executive summary
D
Explanation:
Importance of a Clear Executive Summary:
The executive summary is essential because it provides decision-makers with a concise overview of the findings, risks, and recommendations without requiring deep technical knowledge.
Clarity in objectives ensures that all stakeholders understand the purpose, scope, and outcomes of the test.
Why Not Other Options?
A: Keeping video and audio records is helpful during testing but not typically included in the final report for handling purposes.
B: Limiting the report to 5 to 10 pages may compromise its comprehensiveness and omit critical details.
C: Recommendations based solely on the risk score may not address the broader context or organizational priorities.
CompTIA Pentest+
Reference: Domain 5.0 (Reporting and Communication)
During a testing engagement, a penetration tester compromises a host and locates data for exfiltration.
Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).
- A . Move the data using a USB flash drive.
- B . Compress and encrypt the data.
- C . Rename the file name extensions.
- D . Use FTP for exfiltration.
- E . Encode the data as Base64.
- F . Send the data to a commonly trusted service.
B,E
Explanation:
Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration.
The two best options to bypass DLP are:
Compress and encrypt the data (Option B):
Compression changes the byte stream, so signatures written for the plaintext no longer match unless the inspector decompresses the archive first; encryption goes further, because without the key there is no content left to match.
DLP tools inspect content against known patterns (e.g., credit card numbers, sensitive keywords). An encrypted file defeats that inspection outright; the most a network DLP can do is flag that an encrypted or high-entropy blob is leaving, which is why some policies block encrypted archives rather than try to read them.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Data Exfiltration Techniques"
Encode the data as Base64 (Option E):
Base64 encoding rewrites the bytes into a restricted ASCII alphabet, so a byte-for-byte signature for the original content no longer matches.
This only works against tools that do not decode before matching. Many DLP engines strip common encodings (Base64, URL, hex) and nested archives before applying signatures, so Base64 on its own is the weaker of the two techniques and is best layered on top of encryption.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Encoding and Obfuscation in Exfiltration"
Incorrect options:
Option A (USB flash drive): Physical exfiltration needs hands on the host, is commonly blocked by device-control policy, and endpoint DLP agents log writes to removable media.
Option C (Rename file extensions): DLP systems identify files by content (magic bytes and patterns), not by filename.
Option D (FTP for exfiltration): FTP is plaintext and commonly blocked or monitored at the egress point, so the payload is fully inspectable in transit.
Option F (Trusted service): Uploads to cloud storage and webmail are exactly what network DLP and CASB controls watch, and a TLS-inspecting proxy can read the uploaded content.
A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
111/tcp open rpcbind
2049/tcp open nfs
Based on the output, which of the following services provides the best target for launching an attack?
- A . Database
- B . Remote access
- C . Email
- D . File sharing
D
Explanation:
From the Nmap results:
Service Analysis:
SSH (22): Secure Shell is a remote access protocol that is typically well-secured with encryption and authentication mechanisms. It’s not the easiest to exploit without valid credentials or known vulnerabilities.
SMTP (25): The port is filtered, which indicates that it might be blocked by a firewall, making it less accessible as an attack vector.
RPCBind (111): rpcbind maps RPC program numbers to the ports they listen on. It is rarely the exploit target itself, but it is the service that showmount -e and Nmap's nfs-showmount script query, so an open 111 next to an open 2049 means the NFS exports can be enumerated.
NFS (2049): Network File System is a file-sharing service. Misconfigured NFS servers often expose sensitive files or directories that can be accessed without proper authentication.
Best Target: NFS (port 2049) is the most attractive target. Attackers can exploit insecure exports (shares exported to every host, writable by the world, or exported with no_root_squash), gain unauthorized access to shared directories, or elevate privileges if the server allows root access over NFS, for example by planting a root-owned SUID binary on a share that a target system also mounts.
CompTIA Pentest+
Reference: Domain 2.0 (Information Gathering and Vulnerability Identification)
Domain 3.0 (Attacks and Exploits)
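As an added example (not part of the original exam material), the following Python script shows what "insecure exports" means concretely. It parses constructed showmount -e output, which is all a tester sees before mounting, and a constructed /etc/exports file, and flags the settings that make an NFS share exploitable: no client restriction, write access for the world, no_root_squash, and insecure. The server address, paths and export lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a server-side /etc/exports; not taken from any real host.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/share      *(rw,sync,no_root_squash)
/home           192.168.1.0/24(rw,sync)
/var/backups    10.0.0.5(ro,sync,root_squash)
/opt/data       *(rw,insecure,no_subtree_check)
/public         (ro)
"""

# Constructed sample of what `showmount -e 192.168.1.10` prints for that server.
SAMPLE_SHOWMOUNT = """\
Export list for 192.168.1.10:
/srv/share   *
/home        192.168.1.0/24
/var/backups 10.0.0.5
/opt/data    *
/public      (everyone)
"""

# An empty client, "*" in exports, or "(everyone)" in showmount all mean "any host".
WORLD_CLIENTS = {"", "*", "(everyone)"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class ExportFinding:
    path: str
    client: str
    options: tuple
    issues: list = field(default_factory=list)
    severity: str = "low"


def parse_showmount(text: str) -> dict:
    """Map each exported path to its client list as printed by `showmount -e`."""
    exports = {}
    for line in text.splitlines()[1:]:          # line 0 is the "Export list for" banner
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = [c.strip() for c in parts[1].split(",")]
    return exports


def world_mountable(text: str) -> list:
    """Paths any host may mount: the only misconfiguration visible before mounting."""
    return [path for path, clients in parse_showmount(text).items()
            if any(c in WORLD_CLIENTS for c in clients)]


def audit_export(path: str, client: str, options: tuple) -> ExportFinding:
    """Rate one path/client pair. exportfs defaults to ro, root_squash and secure,
    so the dangerous settings only apply when they are spelled out."""
    f = ExportFinding(path, client, options)
    world = client in WORLD_CLIENTS
    if world:
        f.issues.append("no client restriction: any host reaching 2049/tcp can mount it")
    if "no_root_squash" in options:
        f.issues.append("no_root_squash: remote root keeps uid 0, so root-owned or SUID files can be planted")
    if "insecure" in options:
        f.issues.append("insecure: unprivileged source ports accepted, so any local user on an allowed client can present any uid")
    if world and "rw" in options:
        f.issues.append("world-writable share")
    if "no_root_squash" in options or (world and "rw" in options):
        f.severity = "high"
    elif world or "insecure" in options:
        f.severity = "medium"
    return f


_ENTRY = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")   # client(opt,opt) or a bare (opt,opt)


def audit_exports(text: str) -> list:
    """Parse an /etc/exports file into one finding per path/client pair."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = _ENTRY.match(entry)
            if not m:
                continue
            options = tuple(o for o in (m.group(2) or "").split(",") if o)
            findings.append(audit_export(path, m.group(1), options))
    return findings


if __name__ == "__main__":
    print("Mountable by anyone:", world_mountable(SAMPLE_SHOWMOUNT))
    for f in sorted(audit_exports(SAMPLE_EXPORTS), key=lambda x: SEVERITY_RANK[x.severity]):
        print(f"[{f.severity.upper():6}] {f.path} -> {f.client or '*'} ({','.join(f.options)})")
        for issue in f.issues:
            print("         -", issue)
```

Against a live target the enumeration commands are showmount -e <target> and nmap -p 111,2049 --script nfs-showmount,nfs-ls <target>; the exports file itself only becomes readable once a share containing /etc is mounted or a shell is obtained. root_squash is not visible remotely, so it is confirmed by mounting the share as root and checking whether a file you create stays owned by uid 0.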
A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network.
Which of the following tools is the most suitable for establishing a robust and stealthy connection?
- A . ProxyChains
- B . Covenant
- C . PsExec
- D . sshuttle
B
Explanation:
C2 servers are used to remotely control compromised systems while avoiding detection.
Covenant (Option B):
Covenant is an open-source .NET C2 framework built for red team post-exploitation; its Grunt implants talk to the team server over encrypted HTTP(S) listeners with customizable traffic profiles, which is what the question means by a robust and stealthy connection.
Supports encrypted communication, privilege escalation, and evasion techniques.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "C2 Frameworks in Post-Exploitation"
Incorrect options:
Option A (ProxyChains): Used for proxying connections, but not a C2 framework.
Option C (PsExec): A Windows command-line tool for remote execution, but not a C2 tool.
Option D (sshuttle): Used for network tunneling, not full C2.
Which of the following techniques is the best way to avoid detection by Data Loss Prevention (DLP) tools?
- A . Encoding
- B . Compression
- C . Encryption
- D . Obfuscation
C
Explanation:
Data Loss Prevention (DLP) tools monitor network traffic and files for sensitive information leaks. The most effective way to bypass DLP is encryption, because an inspector that only sees ciphertext has no content left to match patterns against.
Option A (Encoding) ❌ : Base64 or hex encoding can sometimes bypass filters, but many DLP tools decode common encoding schemes before matching.
Option B (Compression) ❌ : Compression changes the byte stream, but modern DLP systems decompress common archive formats before inspecting them.
Option C (Encryption) ✅ : Correct.
Strong encryption prevents DLP tools from analyzing file contents. The caveats are that an endpoint DLP agent can still see the plaintext before it is encrypted, a TLS-inspecting proxy can see what is uploaded inside TLS, and some policies simply block encrypted archives they cannot open.
Option D (Obfuscation) ❌ : Code obfuscation may work for source code leaks, but DLP solutions use heuristics to detect patterns.
Reference: CompTIA PenTest+ PT0-003 Official Guide, Bypassing Security Controls
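Added example, not from the study guide, that serves both DLP questions above: a Python simulation of a pattern-matching DLP check for a Luhn-valid card number, first as a naive matcher and then as one that peels Base64 and gzip layers before matching, run against the same constructed record in raw, encoded, compressed and encrypted form. The record, the key and the SHA-256 XOR keystream used as a stand-in for a real cipher are all constructed for illustration; use AES-GCM from a real library, not the stand-in, for anything that matters.

```python
import base64
import binascii
import gzip
import hashlib
import re

# Constructed sample record. 4111111111111111 is a published test PAN, not a real card.
SENSITIVE = b"customer=jdoe;card=4111111111111111;exp=12/27"

# 13 to 19 digits, optionally separated by spaces or hyphens: the usual PAN signature.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; DLP engines use it to cut false positives on digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(data: bytes) -> bool:
    """Naive content inspection: signature match on the bytes exactly as seen."""
    for m in CARD_RE.finditer(data):
        if luhn_ok(re.sub(rb"[ -]", b"", m.group()).decode()):
            return True
    return False


def _try_base64(data: bytes):
    text = data.strip()
    if len(text) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _try_gzip(data: bytes):
    if data[:2] != b"\x1f\x8b":          # gzip magic
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError):
        return None


def dlp_inspect(data: bytes, depth: int = 3) -> bool:
    """Decoding inspection: match, or peel Base64/gzip layers and match again.
    This is why encoding and compression alone rarely defeat a modern DLP."""
    if contains_card_number(data):
        return True
    if depth == 0:
        return False
    for decoder in (_try_base64, _try_gzip):
        inner = decoder(data)
        if inner is not None and dlp_inspect(inner, depth - 1):
            return True
    return False


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher so the example runs offline with the stdlib:
    a SHA-256 counter-mode keystream XORed into the data. Demonstration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def evasion_matrix(plain: bytes = SENSITIVE, key: bytes = b"constructed-demo-key") -> dict:
    """Which transformations each kind of inspector catches on the same record."""
    enc = xor_keystream(plain, key)
    variants = {
        "raw": plain,
        "base64": base64.b64encode(plain),
        "gzip": gzip.compress(plain, mtime=0),
        "gzip+base64": base64.b64encode(gzip.compress(plain, mtime=0)),
        "encrypted": enc,
        "encrypted+base64": base64.b64encode(enc),
    }
    return {name: {"naive": contains_card_number(v), "decoding": dlp_inspect(v)}
            for name, v in variants.items()}


if __name__ == "__main__":
    for name, result in evasion_matrix().items():
        print(f"{name:18} naive={result['naive']!s:5} decoding={result['decoding']}")
```

The naive matcher misses everything except the raw record, which is the behaviour the exam answers assume. The decoding matcher catches the Base64, gzip and gzip-then-Base64 variants, and still misses both encrypted variants, because no decoder recovers the pattern without the key.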
A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services.
Which of the following commands should the tester use?
- A . nmap -sU -sW -p 1-65535 example.com
- B . nmap -sU -sY -p 1-65535 example.com
- C . nmap -sU -sT -p 1-65535 example.com
- D . nmap -sU -sN -p 1-65535 example.com
C
Explanation:
To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:
Understanding the Options:
-sU: Performs a UDP scan.
-sT: Performs a TCP connect scan.
Command: nmap -sU -sT -p 1-65535 example.com
This command scans every TCP port and every UDP port from 1 to 65535 on example.com. -sU needs root (raw sockets); -sT completes a full TCP handshake and works unprivileged. Combining -sU and -sT reports the state of both service types in one run (-sS would serve equally well for the TCP half, but it is not among the options).
Expect the UDP half to be slow, since many hosts rate-limit ICMP port-unreachable replies and a full 65535-port UDP sweep can take hours, and expect most UDP ports to come back as open|filtered, because silence is ambiguous; adding -sV sends protocol-specific probes that resolve the ports that matter.
Comparison with Other Options:
-sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.
-sY: Initiates a SCTP INIT scan, not relevant for this context.
-sN: Initiates a TCP Null scan, which is not used for discovering UDP services.
During a penetration test, a tester captures information about an SPN account.
Which of the following attacks requires this information as a prerequisite to proceed?
- A . Golden Ticket
- B . Kerberoasting
- C . DCShadow
- D . LSASS dumping
B
Explanation:
Kerberoasting is an attack that specifically targets Service Principal Name (SPN) accounts in a Windows Active Directory environment.
Here’s a detailed explanation:
Understanding SPN Accounts:
SPNs are unique identifiers that tie a service instance (for example MSSQLSvc/db01.corp.example:1433 or HTTP/web01.corp.example; the names are illustrative) to the account that runs it, so Kerberos knows which account's key to use when it issues a service ticket. Any authenticated domain user can enumerate them with setspn -Q */* or an LDAP query such as (&(samAccountType=805306368)(servicePrincipalName=*)). These accounts are often associated with services such as SQL Server, IIS, etc.
Kerberoasting Attack:
Prerequisite: Knowledge of the SPN account.
Process: Any authenticated domain user requests a TGS service ticket for the SPN. The encrypted part of that ticket is protected with a key derived from the service account's password; for the RC4-HMAC encryption type (etype 23) that key is the account's NT hash, which is why attackers request RC4 tickets where the domain still allows them. The attacker extracts the ticket and cracks it offline with hashcat or John the Ripper. Nothing is ever sent to the service host, so the only trace on the domain controller is a ticket-request event (4769), which makes the attack quiet.
Objective: To obtain the plaintext password of the service account, which can then be used for lateral
movement or privilege escalation.
Comparison with Other Attacks:
Golden Ticket: Involves forging Kerberos TGTs using the KRBTGT account hash, requiring domain admin credentials.
DCShadow: Involves manipulating Active Directory data by impersonating a domain controller, typically requiring high privileges.
LSASS Dumping: Involves extracting credentials from the LSASS process on a Windows machine, often requiring local admin privileges.
Kerberoasting specifically requires the SPN account information to proceed, making it the correct answer.
During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access.
Which of the following tools is the tester using?
- A . Burp Suite
- B . Wireshark
- C . Zed Attack Proxy
- D . Metasploit
B
Explanation:
Wireshark is a network packet analyzer used to capture and analyze network traffic in real-time. During a penetration test, it is often used to inspect unencrypted communication to extract sensitive information like plaintext login credentials.
Here’s how it works:
Packet Capturing: Wireshark captures the network packets transmitted over a network interface. If a user logs in through an insecure communication protocol (e.g., HTTP, FTP, or Telnet), the credentials are transmitted in plaintext.
Traffic Filtering: Using filters (e.g., http, tcp.port == 21), the tester narrows down the relevant traffic to locate the login request and response packets.
Sensitive Data Extraction: Analyzing the captured packets reveals plaintext credentials in the data payload, such as in HTTP POST requests.
Using the Information: With the recovered credentials the tester attempts to authenticate to the application and to any other services where they may be reused. Passive capture only works when the tester's interface actually sees the traffic (a SPAN or mirror port, a compromised host on the path, or an in-scope on-path position such as ARP spoofing), and it only yields credentials from protocols that send them in the clear or merely Base64-encoded, such as HTTP Basic auth, HTTP form logins without TLS, FTP, Telnet, and POP3 or IMAP without TLS.
CompTIA Pentest+
Reference: Domain 1.0 (Planning and Scoping)
Domain 2.0 (Information Gathering and Vulnerability Identification)
Wireshark Usage Guide
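Added example, not from the exam or the Wireshark project: the extraction step from the list above as Python run over constructed TCP payloads, the equivalent of what the display filters http and tcp.port == 21 would show. It pulls credentials out of an HTTP Basic header, a form-encoded POST body and an FTP USER/PASS pair spread over two packets; the host, usernames and passwords are made up.

```python
import base64
from urllib.parse import parse_qs

# Constructed TCP payloads standing in for what Wireshark shows under the display
# filters `http` and `tcp.port == 21`. Host, users and passwords are made up.
SAMPLE_STREAMS = [
    ("http", b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
             b"username=jdoe&password=Winter2024!"),
    ("http", b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Basic YWRtaW46UGFzc3cwcmQ=\r\n\r\n"),
    ("ftp", b"USER backup\r\n"),
    ("ftp", b"PASS Backup#123\r\n"),
    ("http", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

# Form field names that commonly carry credentials in login POSTs.
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")
USER_FIELDS = ("username", "user", "login", "email", "uid")


def parse_http(payload: bytes):
    """Split one HTTP request into request line, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body.decode("latin-1")


def creds_from_http(payload: bytes) -> list:
    """Basic auth is only Base64, not encryption; form logins over HTTP are plaintext."""
    request_line, headers, body = parse_http(payload)
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.append({"source": "http-basic", "user": user, "password": password})
    if request_line.startswith("POST ") and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        password = next((form[k] for k in PASSWORD_FIELDS if k in form), None)
        user = next((form[k] for k in USER_FIELDS if k in form), None)
        if password is not None:
            found.append({"source": "http-form", "user": user, "password": password})
    return found


def extract_credentials(streams) -> list:
    """Walk captured payloads in order; FTP sends USER and PASS in separate packets."""
    found, ftp_user = [], None
    for proto, payload in streams:
        if proto == "http":
            found.extend(creds_from_http(payload))
        elif proto == "ftp":
            cmd, _, arg = payload.decode("latin-1").strip().partition(" ")
            if cmd.upper() == "USER":
                ftp_user = arg
            elif cmd.upper() == "PASS":
                found.append({"source": "ftp", "user": ftp_user, "password": arg})
                ftp_user = None
    return found


if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_STREAMS):
        print(f"{c['source']:10} {c['user']}:{c['password']}")
```

In Wireshark itself the same result comes from Tools > Credentials (available since 3.1), which collects HTTP Basic and FTP logins from the open capture, or from Follow TCP Stream on the POST; on the command line, tshark -r capture.pcap -Y 'http.request.method == "POST" || http.authorization' -T fields -e http.host -e http.authorization -e http.file_data prints the same fields.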
