Practice Free PT0-003 Exam Online Questions
During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption.
Which of the following attacks would accomplish this objective?
- A . ChopChop
- B . Replay
- C . Initialization vector
- D . KRACK
D
Explanation:
To break the key for a Wi-Fi network that uses WPA2 encryption, the penetration tester should use the KRACK (Key Reinstallation Attack) attack.
KRACK (Key Reinstallation Attack):
Definition: KRACK is a vulnerability in the WPA2 protocol that allows attackers to decrypt and potentially inject packets into a Wi-Fi network by manipulating and replaying cryptographic handshake messages.
Impact: This attack exploits flaws in the WPA2 handshake process, allowing an attacker to break the encryption and gain access to the network.
Other Attacks:
ChopChop: Targets WEP encryption, not WPA2.
Replay: Involves capturing and replaying packets to create effects such as duplicating transactions; it does not break WPA2 encryption.
Initialization Vector (IV): Related to weaknesses in WEP, not WPA2.
Pentest Reference: Wireless Security: Understanding vulnerabilities in Wi-Fi encryption protocols, such as WPA2, and how they can be exploited.
KRACK Attack: A significant vulnerability in WPA2 that requires specific techniques to exploit.
By using the KRACK attack, the penetration tester can break WPA2 encryption and gain unauthorized access to the Wi-Fi network.
A penetration tester has been asked to conduct a blind web application test against a customer’s corporate website.
Which of the following tools would be best suited to perform this assessment?
- A . ZAP
- B . Nmap
- C . Wfuzz
- D . Trufflehog
A
Explanation:
A blind web application test means that the tester has no prior knowledge of the application’s internal workings. The best tool for automated scanning and vulnerability detection is a web application proxy such as OWASP ZAP.
ZAP (Option A):
OWASP Zed Attack Proxy (ZAP) is a widely used web application scanner for finding common vulnerabilities (e.g., SQL injection, XSS, authentication flaws).
It provides passive and active scanning features to test web applications for security weaknesses.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Web Application Testing Tools"
Incorrect options:
Option B (Nmap): Nmap is a network scanning tool, not specialized for web application testing.
Option C (Wfuzz): Wfuzz is a fuzzer for brute-force attacks, but it is not a full web vulnerability scanner.
Option D (Trufflehog): Trufflehog is used for secrets detection in repositories, not web testing.
During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic.
Which of the following tools should the tester use?
- A . Burp Suite
- B . Netcat
- C . Responder
- D . Nmap
C
Explanation:
Responder is a specialized tool for capturing LLMNR, NBNS and mDNS traffic and for performing spoofing attacks and hash capture. It is widely used in Windows environments to capture credentials when hosts try to resolve names that do not exist in DNS.
Netcat and Burp Suite are not designed for this purpose. Nmap is used for network scanning, but not for capturing or exploiting LLMNR.
Reference: PT0-003 Objective 4.2 – Explain lateral movement techniques and privilege escalation tools (Responder is explicitly listed).
A penetration tester cannot find information on the target company’s systems using common OSINT methods. The tester’s attempts to do reconnaissance against internet-facing resources have been blocked by the company’s WAF.
Which of the following is the best way to avoid the WAF and gather information about the target company’s systems?
- A . HTML scraping
- B . Code repository scanning
- C . Directory enumeration
- D . Port scanning
B
Explanation:
When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information.
Here’s why:
Code Repository Scanning:
Leaked Information: Code repositories (e.g., GitHub, GitLab) often contain sensitive information, including API keys, configuration files, and even credentials that developers might inadvertently commit.
Accessible: These repositories can often be accessed publicly, bypassing traditional defenses like WAFs.
Comparison with Other Methods:
HTML Scraping: Limited to the data present on web pages and can still be blocked by the WAF.
Directory Enumeration: Likely to be blocked by the WAF as well and might not yield significant internal information.
Port Scanning: Also likely to be blocked or trigger alerts on WAF or IDS/IPS systems.
Scanning code repositories allows the tester to gather a wide range of information that can be critical for further penetration testing efforts.
Given the following statements:
Implement a web application firewall.
Upgrade end-of-life operating systems.
Implement a secure software development life cycle.
In which of the following sections of a penetration test report would the above statements be found?
- A . Executive summary
- B . Attack narrative
- C . Detailed findings
- D . Recommendations
D
Explanation:
The given statements are actionable steps aimed at improving security. They fall under the recommendations section of a penetration test report.
Here’s why option D is correct:
Recommendations: This section of the report provides specific actions that should be taken to mitigate identified vulnerabilities and improve the overall security posture. Implementing a WAF, upgrading operating systems, and implementing a secure SDLC are recommendations to enhance security.
Executive Summary: This section provides a high-level overview of the findings and their implications, intended for executive stakeholders.
Attack Narrative: This section details the steps taken during the penetration test, describing the attack vectors and methods used.
Detailed Findings: This section provides an in-depth analysis of each identified vulnerability, including evidence and technical details.
Reference from Pentest:
Forge HTB: The report’s recommendations section suggests specific measures to address the identified issues, similar to the given statements.
Writeup HTB: Highlights the importance of the recommendations section in providing actionable steps to improve security based on the findings from the assessment.
Conclusion:
Option D, recommendations, is the correct section where the given statements would be found in a penetration test report.
A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com.
Which of the following is the best command for the tester to use?
- A . nslookup mydomain.com >> /path/to/results.txt
- B . crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com
- C . dig @8.8.8.8 mydomain.com ANY >> /path/to/results.txt
- D . cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com
D
Explanation:
Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.
Command Breakdown:
cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.
xargs -n 1 -I 'X': Takes each line from wordlist.txt and passes it to dig one at a time, substituting the line for X.
dig X.mydomain.com: Performs a DNS lookup for each subdomain.
Why This is the Best Choice:
Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.
Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.
Benefits:
Automates the process of subdomain enumeration using a wordlist.
Efficiently handles a large number of subdomains.
Reference from Pentesting Literature:
Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides. HTB write-ups often detail the use of similar commands for efficient subdomain enumeration.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work.
Which of the following should the tester do to get access to these accounts?
- A . Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.
- B . Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.
- C . Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.
- D . Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.
A
Explanation:
To bypass two-factor authentication (2FA) and gain access to the executives’ accounts, the tester should use Evilginx with a typosquatting domain. Evilginx is a man-in-the-middle attack framework used to bypass 2FA by capturing session tokens.
Phishing with Evilginx:
Evilginx is designed to proxy legitimate login pages, capturing credentials and 2FA tokens in the process.
It uses "phishlets" which are configurations that simulate real login portals.
Typosquatting:
Typosquatting involves registering domains that are misspelled versions of legitimate domains (e.g., example.co instead of example.com).
This technique tricks users into visiting the malicious domain, thinking it’s legitimate.
Steps:
Configure an External Domain: Register a typosquatting domain similar to the company’s domain.
Set Up Evilginx: Install and configure Evilginx on a server. Use a phishlet that mimics the company’s mail portal.
Send Phishing Emails: Craft phishing emails targeting the executives, directing them to the typosquatting domain.
Capture Credentials and 2FA Tokens: When executives log in, Evilginx captures their credentials and session tokens, effectively bypassing 2FA.
Pentest Reference: Phishing: Social engineering technique to deceive users into providing sensitive information.
Two-Factor Authentication Bypass: Advanced phishing attacks like those using Evilginx can capture and reuse session tokens, bypassing 2FA mechanisms.
OSINT and Reconnaissance: Identifying key targets (executives) and crafting convincing phishing emails based on gathered information.
Using Evilginx with a typosquatting domain allows the tester to bypass 2FA and gain access to high-value accounts, demonstrating the effectiveness of advanced phishing techniques.