CompTIA CompTIA Certifications PT0-003 Questions & Answers

• Question 171:

  A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?

  A. Sniffing

  B. Banner grabbing

  C. TCP/UDP scanning

  D. Ping sweeps

  Correct Answer: A

  To gather information about the network without causing detection mechanisms to flag the reconnaissance activities, the penetration tester should use sniffing. Sniffing:

  Advantages:

  Comparison with Other Techniques:

  Pentest References:

  Reconnaissance Phase: Using passive techniques like sniffing during the initial reconnaissance phase helps gather information without alerting the target. Network Analysis: Understanding the network topology and identifying key assets and

  vulnerabilities without generating traffic that could trigger alarms. By using sniffing, the penetration tester can gather detailed information about the network in a stealthy manner, minimizing the risk of detection.

• Question 172:

  Which of the following components should a penetration tester include in an assessment report?

  A. User activities

  B. Customer remediation plan

  C. Key management

  D. Attack narrative

  Correct Answer: D

  An attack narrative provides a detailed account of the steps taken during the penetration test, including the methods used, vulnerabilities exploited, and the outcomes of each attack. This helps stakeholders understand the context and

  implications of the findings.

  Components of an Assessment Report:

  Importance of Attack Narrative:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 173:

  A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

  A. Enable monitoring mode using Aircrack-ng.

  B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

  C. Run KARMA to break the password.

  D. Research WiGLE.net for potential nearby client access points.

  Correct Answer: A

  Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.

  Preparation:

  Enable Monitoring Mode:

  Step-by-Step Explanationairmon-ng start wlan0

  uk.co.certification.simulator.questionpool.PList@6a986d34 iwconfig

  Capture WPA2 Handshakes:

  airodump-ng wlan0mon

  References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 174:

  A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

  1 #!/bin/bash

  2 for i in $(cat example.txt); do

  3 curl $i

  4 done

  Which of the following changes should the team make to line 3 of the script?

  A. resolvconf $i

  B. rndc $i

  C. systemd-resolve $i

  D. host $i

  Correct Answer: D

  Script Analysis:

  Error Identification:

  Correct Command:

  Corrected Script:

  Pentest References:

  In penetration testing, DNS enumeration is a crucial step. It involves querying DNS servers to gather information about the target domain, which includes resolving domain names to IP addresses and vice versa. Common tools for DNS

  enumeration include host, dig, and nslookup. The host command is particularly straightforward for simple DNS lookups. By correcting the script to use host $i, the penetration testing team can effectively perform DNS lookups on the targets

  specified in example.txt.

• Question 175:

  A penetration tester needs to identify all vulnerable input fields on a customer website. Which of the following tools would be best suited to complete this request?

  A. DAST

  B. SAST

  C. IAST

  D. SCA

  Correct Answer: A

  Dynamic Application Security Testing (DAST):

  Advantages of DAST:

  Examples of DAST Tools:

  Pentest References:

  Web Application Testing: Understanding the importance of testing web applications for security vulnerabilities and the role of different testing methodologies.

  Security Testing Tools: Familiarity with various security testing tools and their applications in penetration testing.

  DAST vs. SAST: Knowing the difference between DAST (dynamic testing) and SAST (static testing) and when to use each method. By using a DAST tool, the penetration tester can effectively identify all vulnerable input fields on the customer

  website, ensuring a thorough assessment of the application's security.

• Question 176:

  A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host's operating stability. Which of the following commands should the tester try first?

  A. responder -I eth0 john responder_output.txt

  B. hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp://

  C. msf > use msf > set msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run

  D. python3 ./buffer_overflow_with_shellcode.py 445

  Correct Answer: A

  Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using

  Responder has the least impact on the host's operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.

  Understanding Responder:

  Command Breakdown:

  Why This is the Best Choice:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 177:

  A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client's current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?

  A. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

  B. Perform an internal vulnerability assessment with credentials to review the internal attack surface.

  C. Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

  D. Perform a full internal penetration test to review all the possible exploits that could affect the systems.

  Correct Answer: A

  BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the

  effectiveness of an organization's security defenses and response mechanisms. Here's why option A is the best choice:

  Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates

  potential impacts on internal systems.

  Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client's security

  tools comprehensively.

  Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the

  threat- modeling team to understand the current security posture and areas for improvement.

  References from Pentest:

  Anubis HTB: This write-up highlights the importance of using controlled tools and methods for testing security mechanisms. BAS tools align with this approach by providing a controlled and systematic way to assess security defenses. Forge

  HTB: Emphasizes the use of various testing tools and techniques to simulate real-world attacks and measure the effectiveness of security controls. BAS tools are mentioned as a method to ensure comprehensive coverage and minimal risk to

  internal systems.

  Conclusion:

  Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client's security tools' effectiveness. This approach ensures that the testing is systematic, comprehensive, and minimally disruptive, making it the

  best choice.

• Question 178:

  During an engagement, a penetration tester found some weaknesses that were common across the customer's entire environment. The weaknesses included the following:

  Weaker password settings than the company standard Systems without the company's endpoint security software installed Operating systems that were not updated by the patch management system.

  Which of the following recommendations should the penetration tester provide to address the root issue?

  A. Add all systems to the vulnerability management system.

  B. Implement a configuration management system.

  C. Deploy an endpoint detection and response system.

  D. Patch the out-of-date operating systems.

  Correct Answer: B

  Identified Weaknesses:

  Configuration Management System:

  Other Recommendations:

  Pentest References:

  System Hardening: Ensuring all systems adhere to security baselines and configurations to reduce attack surfaces.

  Automation in Security: Using configuration management tools to automate security practices, ensuring compliance and reducing manual errors. Implementing a configuration management system addresses the root issue by ensuring

  consistent security configurations, software deployments, and patch management across the entire environment.

• Question 179:

  A tester runs an Nmap scan against a Windows server and receives the following results:

  Nmap scan report for win_dns.local (10.0.0.5)

  Host is up (0.014s latency) Port State Service

  53/tcp open domain

  161/tcp open snmp

  445/tcp open smb-ds

  3389/tcp open rdp

  Which of the following TCP ports should be prioritized for using hash-based relays?

  A. 53

  B. 161

  C. 445

  D. 3389

  Correct Answer: C

  Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.

  Understanding Hash-Based Relays:

  Prioritizing Port 445:

  Execution:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 180:

  Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

  A. Articulation of cause

  B. Articulation of impact

  C. Articulation of escalation

  D. Articulation of alignment

  Correct Answer: B

  When concluding a penetration test, effectively communicating the need for vulnerability remediation is crucial. Here's why the articulation of impact is the most important aspect:

  Articulation of Cause (Option A):

  Articulation of Impact (Option B):

  Articulation of Escalation (Option C):

  Articulation of Alignment (Option D):

  Conclusion: Articulating the impact of vulnerabilities is the most crucial element when communicating the need for remediation. By clearly explaining the potential risks and consequences, penetration testers can effectively convey the urgency

  and importance of addressing the discovered issues, thus motivating clients to take prompt and appropriate action.