A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail?
A. The injection was too slow.
B. The DNS information was incorrect.
C. The DNS cache was not refreshed.
D. The client did not receive a trusted response.
Correct Answer: C
A DNS poisoning attack is an attack that exploits a vulnerability in the DNS protocol or system to redirect traffic from legitimate websites to malicious ones. A DNS poisoning attack works by injecting false DNS records into a DNS server or resolver's cache, which is a temporary storage of DNS information. However, if the DNS cache was not refreshed, then the attack would fail, as the target machine would still use the old and valid DNS records from its cache. The other options are not likely causes of the attack failure.
Question 22:
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)
A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite
Correct Answer: A, F
Question 23:
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:
Which of the following should the penetration tester do NEXT?
A. Close the reverse shell the tester is using.
B. Note this finding for inclusion in the final report.
C. Investigate the high numbered port connections.
D. Contact the client immediately.
Correct Answer: C
The image shows the output of the netstat -antu command, which displays active internet connections for the TCP and UDP protocols. The output shows four established TCP connections and two UDP sockets on the host. The established TCP connections have high numbered local ports, such as 49152, 49153, 49154, and 49155. These ports are in the ephemeral range, which the operating system assigns dynamically for temporary use by applications or processes. The foreign addresses of these connections also use high numbered ports, such as 4433, 4434, 4435, and 4436, which are not assigned to any common service or protocol. The combination of high numbered ports on both the local and foreign sides suggests that these connections are suspicious and may indicate a backdoor or a covert channel on the host. Therefore, the penetration tester should investigate these connections next to determine their nature and purpose. The other options are not appropriate actions for the penetration tester at this stage.
Question 24:
Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?
A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop
Correct Answer: A
A dictionary can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools. A dictionary is a collection of key-value pairs that are accessed by their keys. For example, a dictionary can store usernames and passwords, or IP addresses and hostnames, that can be used as input for brute-force or reconnaissance tools.
Question 25:
A compliance-based penetration test is primarily concerned with:
A. obtaining PII from the protected network.
B. bypassing protection on edge devices.
C. determining the efficacy of a specific set of security standards.
D. obtaining specific information from the protected network.
Correct Answer: C
Question 26:
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
Correct Answer: B
A deauthentication attack forces the client to disconnect from the AP; when the client reconnects, it performs a new handshake, which the tester can then capture.
Question 27:
A penetration testing firm performs an assessment every six months for the same customer. While performing network scanning for the latest assessment, the penetration tester observes that several of the target hosts appear to be residential connections associated with a major television and ISP in the area.
Which of the following is the most likely reason for the observation?
A. The penetration tester misconfigured the network scanner.
B. The network scanning tooling is not functioning properly.
C. The IP ranges changed ownership.
D. The network scanning activity is being blocked by a firewall.
Correct Answer: C
When a penetration tester notices several target hosts appearing to be residential connections associated with a major television and ISP, it's likely that the IP ranges initially assigned to the target organization have changed ownership and are now allocated to the ISP for residential use. This can happen due to reallocation of IP addresses by regional internet registries. Misconfiguration of the scanner (option A), malfunctioning of scanning tools (option B), or firewall blocking (option D) would not typically result in the discovery of residential connections in place of expected organizational targets.
Question 28:
Which of the following best explains why communication is a vital phase of a penetration test?
A. To discuss situational awareness
B. To build rapport with the emergency contact
C. To explain the data destruction process
D. To ensure the likelihood of future assessments
Correct Answer: A
Communication is a vital phase of a penetration test to ensure all parties involved are aware of the test's progress, findings, and any potential impact on business operations. Discussing situational awareness involves sharing real-time insights about the security posture, any vulnerabilities found, and potential risks. This enables the organization to make informed decisions, mitigate risks promptly, and ensure the test aligns with business objectives and constraints.
Question 29:
Which of the following tools can a penetration tester use to brute force a user password over SSH using multiple threads?
A. CeWL
B. John the Ripper
C. Hashcat
D. Hydra
Correct Answer: D
Hydra is a powerful tool for conducting brute-force attacks against various protocols, including SSH. It is capable of using multiple threads to perform concurrent attempts, significantly increasing the efficiency of the attack. This capability makes Hydra particularly suited for brute-forcing user passwords over SSH, as it can quickly try numerous combinations of usernames and passwords. The tool's ability to support a wide range of protocols, its flexibility in handling different authentication mechanisms, and its efficiency in managing multiple simultaneous connections make it a go-to choice for penetration testers looking to test the strength of passwords in a target system's SSH service.
Question 30:
A penetration tester was hired to test Wi-Fi equipment.
Which of the following tools should be used to gather information about the wireless network?
A. Kismet
B. Burp Suite
C. BeEF
D. WHOIS
Correct Answer: A
Kismet is a well-known tool used in penetration testing for wireless network detection, packet sniffing, and intrusion detection. It is particularly useful for gathering information about Wi-Fi networks as it can detect hidden networks and capture network packets. This capability allows penetration testers to analyze the wireless environment, identify potential vulnerabilities, and assess the security posture of the Wi-Fi equipment being tested. Unlike the other tools listed, Kismet is specifically designed for wireless network analysis, making it the ideal choice for this task.