A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?
A. SSL certificate inspection
B. URL spidering
C. Banner grabbing
D. Directory brute forcing
Correct Answer: C
Banner grabbing is a technique used to obtain information about a network service, including its version number, by connecting to the service and reading the response.
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
Question 142:
During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:
snmpwalk -v 2c -c public 192.168.1.23
Which of the following is the tester trying to do based on the command they used?
A. Bypass defensive systems to collect more information.
B. Use an automation tool to perform the attacks.
C. Script exploits to gain access to the systems and host.
D. Validate the results and remove false positives.
Correct Answer: D
The command snmpwalk -v 2c -c public 192.168.1.23 is used to query SNMP (Simple Network Management Protocol) data from a device. Here's the purpose in the context provided:
SNMP Enumeration:
Purpose of the Command:
Comparison with Other Options:
By using snmpwalk, the tester is validating the results from the vulnerability scanner and removing any false positives, ensuring accurate reporting.
Question 143:
During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?
A. certutil.exe
B. bitsadmin.exe
C. msconfig.exe
D. netsh.exe
Correct Answer: D
Understanding netsh.exe:
Disabling the Firewall:
netsh advfirewall set allprofiles state off
Usage in Penetration Testing:
References from Pentesting Literature:
References:
Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
Question 144:
A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives' accounts that are in the scope of work. Which of the following should the tester do to get access to these accounts?
A. Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.
B. Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.
C. Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.
D. Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.
Correct Answer: A
To bypass two-factor authentication (2FA) and gain access to the executives' accounts, the tester should use Evilginx with a typosquatting domain. Evilginx is a man-in-the-middle attack framework used to bypass 2FA by capturing session tokens.
Phishing with Evilginx:
Typosquatting:
Steps:
Pentest References:
Phishing: Social engineering technique to deceive users into providing sensitive information.
Two-Factor Authentication Bypass: Advanced phishing attacks like those using Evilginx can capture and reuse session tokens, bypassing 2FA mechanisms.
OSINT and Reconnaissance: Identifying key targets (executives) and crafting convincing phishing emails based on gathered information.
Using Evilginx with a typosquatting domain allows the tester to bypass 2FA and gain access to high-value accounts, demonstrating the effectiveness of advanced phishing techniques.
Question 145:
During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?
A. Responder
B. Hydra
C. BloodHound
D. CrackMapExec
Correct Answer: D
When a penetration tester obtains an NTLM hash from a legacy Windows machine, they need to use a tool that can leverage this hash for further attacks, such as pass-the-hash attacks, or for cracking the hash. Here's a breakdown of the options:
Option A: Responder
Option B: Hydra
Option C: BloodHound
Option D: CrackMapExec
References from Pentest:
Forge HTB: Demonstrates the use of CrackMapExec for leveraging NTLM hashes to gain further access within a network.
Horizontall HTB: Shows how CrackMapExec can be used for various post-exploitation activities, including using NTLM hashes to authenticate and execute commands.
Conclusion:
Option D, CrackMapExec, is the most suitable tool for continuing the attack using an NTLM hash. It supports pass-the-hash techniques and other operations that can leverage NTLM hashes effectively.
Question 146:
A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
Host | CVSS | EPSS
Target 1 | 4 | 0.6
Target 2 | 2 | 0.3
Target 3 | 1 | 0.6
Target 4 | 4.5 | 0.4
A. Target 1: CVSS Score = 4 and EPSS Score = 0.6
B. Target 2: CVSS Score = 2 and EPSS Score = 0.3
C. Target 3: CVSS Score = 1 and EPSS Score = 0.6
D. Target 4: CVSS Score = 4.5 and EPSS Score = 0.4
Correct Answer: A
Based on the CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scores, Target 1 is the most likely to get attacked.
CVSS:
EPSS:
Analysis:
Pentest References:
Vulnerability Prioritization: Using CVSS and EPSS scores to prioritize vulnerabilities based on severity and likelihood of exploitation.
Risk Assessment: Understanding the balance between impact (CVSS) and exploit likelihood (EPSS) to identify the most critical targets for remediation or attack.
By focusing on Target 1, which has a balanced combination of severity and exploitability, the penetration tester can address the most likely target for attacks based on the given scores.
Question 147:
During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?
A. Multifactor authentication
B. Patch management
C. System hardening
D. Network segmentation
Correct Answer: C
When a penetration tester identifies several unused services listening on targeted internal laptops, the most appropriate recommendation to reduce the risk of compromise is system hardening. Here's why:
System Hardening:
Comparison with Other Controls:
System hardening is the most direct control for reducing the risk posed by unused services, making it the best recommendation.
Question 148:
Given the following statements:
Implement a web application firewall.
Upgrade end-of-life operating systems.
Implement a secure software development life cycle.
In which of the following sections of a penetration test report would the above statements be found?
A. Executive summary
B. Attack narrative
C. Detailed findings
D. Recommendations
Correct Answer: D
The given statements are actionable steps aimed at improving security. They fall under the recommendations section of a penetration test report. Here's why option D is correct:
Recommendations: This section of the report provides specific actions that should be taken to mitigate identified vulnerabilities and improve the overall security posture. Implementing a WAF, upgrading operating systems, and implementing a secure SDLC are recommendations to enhance security.
Executive Summary: This section provides a high-level overview of the findings and their implications, intended for executive stakeholders.
Attack Narrative: This section details the steps taken during the penetration test, describing the attack vectors and methods used.
Detailed Findings: This section provides an in-depth analysis of each identified vulnerability, including evidence and technical details.
References from Pentest:
Forge HTB: The report's recommendations section suggests specific measures to address the identified issues, similar to the given statements.
Writeup HTB: Highlights the importance of the recommendations section in providing actionable steps to improve security based on the findings from the assessment.
Conclusion:
Option D, recommendations, is the correct section where the given statements would be found in a penetration test report.
Question 149:
A penetration tester creates a list of target domains that require further enumeration. The tester writes the following script to perform vulnerability scanning across the domains:
line 1: #!/usr/bin/bash
line 2: DOMAINS_LIST = "/path/to/list.txt"
line 3: while read -r i; do
line 4: nikto -h $i -o scan-$i.txt and
line 5: done
The script does not work as intended. Which of the following should the tester do to fix the script?
A. Change line 2 to {"domain1", "domain2", "domain3", }.
B. Change line 3 to while true; read -r i; do.
C. Change line 4 to nikto $i | tee scan-$i.txt.
D. Change line 5 to done < "$DOMAINS_LIST".
Correct Answer: D
The issue with the script lies in how the while loop reads the file containing the list of domains. The current script doesn't correctly redirect the file's content to the loop: without the redirection, read takes its input from the script's standard input rather than from the file. Changing line 5 to done < "$DOMAINS_LIST" correctly directs the loop to read from the file.
Step-by-Step:
Original Script:
DOMAINS_LIST="/path/to/list.txt"
while read -r i; do
nikto -h $i -o scan-$i.txt and
done
Identified Problem:
Solution:
DOMAINS_LIST="/path/to/list.txt"
while read -r i; do
# one nikto run per domain; quote $i so odd hostnames cannot split into extra arguments
nikto -h "$i" -o "scan-$i.txt"
done < "$DOMAINS_LIST"
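As an added example (not from the original question or its source), here is a complete, runnable version of the corrected loop. The nikto invocation is replaced by a stand-in run_scanner function and the domain list is constructed inside the script, so it runs offline; the function and file names are assumptions for illustration. Beyond the done < "$DOMAINS_LIST" fix, it shows two details the exam answer skips: quoting "$line", and the || [ -n "$line" ] idiom that keeps the last entry when the list file has no trailing newline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Reads a domain list with the
# "done < file" redirection from the question and runs one scanner call per
# line. The real command (nikto -h "$domain" -o "scan-$domain.txt") is replaced
# by a stand-in so the script runs offline; the list file is constructed below.

set -eu

# Stand-in for nikto (assumption: the real script would call nikto here).
# Writes a single line to the per-domain output file.
run_scanner() {
    domain="$1"
    outfile="$2"
    printf 'scanned %s\n' "$domain" > "$outfile"
}

# scan_domains LISTFILE OUTDIR
# Reads LISTFILE one line at a time and scans every non-empty, non-comment
# line. Prints the number of domains scanned.
scan_domains() {
    list="$1"
    outdir="$2"
    count=0
    mkdir -p "$outdir"
    # "|| [ -n "$line" ]" keeps the final line even if the file lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in
            ''|'#'*) continue ;;
        esac
        run_scanner "$line" "$outdir/scan-$line.txt"
        count=$((count + 1))
    done < "$list"    # this redirection is the fix from the question
    echo "$count"
}

# Constructed sample list (not real targets): a comment, a blank line, and a
# last entry with no trailing newline.
DOMAINS_LIST="$(mktemp)"
OUTDIR="$(mktemp -d)"
printf '# constructed sample list\nexample.com\n\nexample.net\nexample.org' > "$DOMAINS_LIST"

scan_domains "$DOMAINS_LIST" "$OUTDIR"   # prints 3
```

Run it with bash; it prints 3 and leaves scan-example.com.txt, scan-example.net.txt and scan-example.org.txt in the temporary output directory. Drop the < "$list" redirection and the loop reads from the terminal instead, which is exactly the failure the question describes.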
References from Pentesting Literature:
Question 150:
A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:
Hostname | IP address | CVSS 2.0 | EPSS
hrdatabase | 192.168.20.55 | 9.9 | 0.50
financesite | 192.168.15.99 | 8.0 | 0.01
legaldatabase | 192.168.10.2 | 8.2 | 0.60
fileserver | 192.168.125.7 | 7.6 | 0.90
Which of the following targets should the tester select next?
A. fileserver
B. hrdatabase
C. legaldatabase
D. financesite
Correct Answer: A
Given the output, the penetration tester should select the fileserver as the next target for testing, considering both CVSS and EPSS scores.
CVSS (Common Vulnerability Scoring System):
EPSS (Exploit Prediction Scoring System):
Evaluation:
Pentest References:
Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.
Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.
By selecting the fileserver, which has a high EPSS score, the penetration tester focuses on a target that is more likely to be exploited, thereby addressing the most immediate risk.