Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?
A. dig company.com MX
B. whois company.com
C. curl www.company.com
D. dig company.com A
Correct Answer: A
The dig command is a tool that can be used to query DNS servers and obtain information about domain names, such as IP addresses, mail servers, name servers, or other records. The MX option specifies that the query is for mail exchange records, which are records that indicate the mail servers responsible for accepting email messages for a domain. Therefore, the command dig company.com MX would best help the tester determine which cloud email provider the log-in page needs to mimic by showing the mail servers for company.com. For example, if the output shows something like company-com.mail.protection.outlook.com, then it means that company.com uses Microsoft Outlook as its cloud email provider. The other commands are not as useful for determining the cloud email provider. The whois command is a tool that can be used to query domain name registration information, such as the owner, registrar, or expiration date of a domain. The curl command is a tool that can be used to transfer data from or to a server using various protocols, such as HTTP, FTP, or SMTP. The dig command with the A option specifies that the query is for address records, which are records that map domain names to IP addresses.
Question 42:
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
A. nmap 192.168.0.1/24
B. nmap 192.168.0.1/24
C. nmap oG 192.168.0.1/24
D. nmap 192.168.0.1/24
Correct Answer: A
Question 43:
Given the following output:
User-agent:*
Disallow: /author/
Disallow: /xmlrpc.php
Disallow: /wp-admin
Disallow: /page/
During which of the following activities was this output MOST likely obtained?
A. Website scraping
B. Website cloning
C. Domain enumeration
D. URL enumeration
Correct Answer: D
URL enumeration is the activity of discovering and mapping the URLs of a website, such as directories, files, parameters, or subdomains. URL enumeration can help to identify the structure, content, and functionality of a website, as well as potential vulnerabilities or misconfigurations. One of the methods of URL enumeration is to analyze the robots.txt file of a website, which is a text file that tells search engine crawlers which URLs the crawler can or can't request from the site. The output shown in the question is an example of a robots.txt file that disallows crawling of certain URLs, such as /author/, /xmlrpc.php, /wp-admin, or /page/.
Question 44:
A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)
A. Closing open services
B. Encrypting users' passwords
C. Randomizing users' credentials
D. Users' input validation
E. Parameterized queries
F. Output encoding
Correct Answer: DE
SQL injection is a type of attack that exploits a vulnerability in a web application that allows an attacker to execute malicious SQL statements on a database server. SQL injection can result in data theft, data corruption, authentication bypass, or command execution. To mitigate SQL injection vulnerabilities, the following remediation techniques are recommended:
Users' input validation: This involves checking and sanitizing the user input before passing it to the database server. Input validation can prevent malicious or unexpected input from reaching the database server and causing harm. Input validation can be done by using whitelists, blacklists, regular expressions, or escaping mechanisms.
Parameterized queries: This involves using placeholders or parameters for user input instead of concatenating it with the SQL statement. Parameterized queries can separate the user input from the SQL logic and prevent it from being interpreted as part of the SQL statement. Parameterized queries can be implemented by using prepared statements, stored procedures, or frameworks that support them.
The other options are not relevant or effective remediation techniques for SQL injection vulnerabilities.
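The two recommended remediations side by side with the concatenated query they replace, as an added example that is not part of the original question bank. The table, column names, username pattern and sample rows are assumptions constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory sample data (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable pattern: the input becomes part of the SQL text itself.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # The placeholder keeps the input as data; it is never parsed as SQL.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Allow-list for this example: lowercase letter, then up to 31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def lookup_validated(db, name):
    # Input validation in front of the parameterized query (defense in depth).
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(db, name)

# Constructed test input containing a quote and a tautology.
PAYLOAD = "x' OR '1'='1"

def demo():
    db = make_db()
    results = {
        "concatenated": lookup_concatenated(db, PAYLOAD),    # every row leaks
        "parameterized": lookup_parameterized(db, PAYLOAD),  # no match
    }
    try:
        lookup_validated(db, PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

Validation alone depends on the pattern being strict enough for every field; the parameterized query is what removes the injection point.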
Question 45:
A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the highest likelihood of success?
A. Attempting to tailgate an employee going into the client's workplace
B. Dropping a malicious USB key with the company's logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management
Correct Answer: D
Question 46:
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
A. Mask
B. Rainbow
C. Dictionary
D. Password spraying
Correct Answer: D
Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many usernames or accounts. Password spraying can avoid account lockout policies that limit the number of failed login attempts per account by spreading out the attempts over time and across different accounts. Password spraying can also increase the chances of success by using passwords that are likely to be used by many users, such as default passwords, seasonal passwords, or company names. Mask is a type of password cracking attack that involves using a mask or a pattern to generate passwords based on known or guessed characteristics of the password, such as length, case, or symbols. Rainbow is a technique of storing precomputed hashes of passwords in a table that can be used to quickly crack passwords by looking up the hashes. Dictionary is a type of password cracking attack that involves using a wordlist or a dictionary of common or likely passwords to try against an account.
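From the defender's side, the explanation above implies that a per-account lockout counter does not see spraying, while a per-source count of distinct usernames does. The following added example (not part of the original question bank) shows both views over constructed failed-login events; the event format, addresses and thresholds are assumptions, and the single-username pattern corresponds to the brute-force case in Question 48.

```python
from collections import defaultdict

# Constructed failed-login events as (source IP, username) pairs.
EVENTS = (
    [("203.0.113.5", "root")] * 12                                # one account, many tries
    + [("198.51.100.7", f"user{i:02d}") for i in range(30)]      # many accounts, one try each
    + [("192.0.2.10", "alice"), ("192.0.2.10", "alice"), ("192.0.2.10", "bob")]
)

def accounts_locked(events, threshold=5):
    # What a classic per-account lockout policy would react to.
    per_user = defaultdict(int)
    for _src, user in events:
        per_user[user] += 1
    return {user for user, n in per_user.items() if n >= threshold}

def classify_sources(events, min_users=10, max_per_user=2, brute_attempts=10):
    # Group failures by source, then look at breadth (distinct users)
    # versus depth (attempts against a single user). Thresholds are assumed.
    per_source = defaultdict(lambda: defaultdict(int))
    for src, user in events:
        per_source[src][user] += 1
    verdicts = {}
    for src, users in per_source.items():
        deepest = max(users.values())
        if len(users) >= min_users and deepest <= max_per_user:
            verdicts[src] = "password spraying"
        elif deepest >= brute_attempts:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    print("locked accounts:", accounts_locked(EVENTS))
    for src, verdict in classify_sources(EVENTS).items():
        print(src, "->", verdict)
```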
Question 47:
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?
A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.
Correct Answer: A
Situational awareness is the ability to perceive and understand the environment and events around oneself, and to act accordingly. The penetration tester demonstrated situational awareness by stopping the transfer of PII, which was out of scope and could have violated the ROE or legal and ethical principles. The other options are not relevant to the situation or the decision of the penetration tester.
Question 48:
A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:
Which of the following is the penetration tester conducting?
A. Port scan
B. Brute force
C. Credential stuffing
D. DoS attack
Correct Answer: B
The output shows multiple login attempts with different passwords for the same username "root" on the IP address 192.168.1.112. This is indicative of a brute force attack, where an attacker systematically tries various password combinations to gain unauthorized access. References: The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 4: Conducting Passive Reconnaissance; The Official CompTIA PenTest+ Student Guide (Exam PT0-002), Lesson 4: Conducting Active Reconnaissance.
Question 49:
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees.
Which of the following tools can help the tester achieve this goal?
A. Metasploit
B. Hydra
C. SET
D. WPScan
Correct Answer: A
Question 50:
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?
A. Manually check the version number of the VoIP service against the CVE release
B. Test with proof-of-concept code from an exploit database
C. Review SIP traffic from an on-path position to look for indicators of compromise
D. Utilize an nmap -sV scan against the service
Correct Answer: B
Testing with proof-of-concept code from an exploit database is the best method to support validation of the possible findings, as it will demonstrate whether the CVEs are actually exploitable on the target VoIP call manager. Proof-of-concept code is a piece of software or script that shows how an attacker can exploit a vulnerability in a system or application. An exploit database is a repository of publicly available exploits, such as Exploit Database or Metasploit. Reference: https://dokumen.pub/hacking-exposed-unified-communications-amp-voip-security-secrets-amp-solutions-2nd-edition-9780071798778-0071798773-9780071798761-0071798765.html