A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:
]>
Which of the following should the tester recommend in the report to best prevent this type of vulnerability?
Answer : C
The vulnerability is XML External Entity (XXE) injection: the application's XML parser resolves entity declarations supplied in the request, so a SYSTEM entity that points at a local file (here /etc/passwd) or at a URL is fetched and its contents are substituted into the parsed document and echoed back in the response.
Disabling External Entities:
The root cause is that the parser honours entity declarations arriving in untrusted input (<!ENTITY foo SYSTEM ...>). Disabling DTD processing and external entity resolution removes the attack surface entirely rather than trying to filter individual payloads.
This is a parser configuration setting. In Java, for example, calling DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) makes the parser reject any DOCTYPE, and with it any entity declaration, before the body is parsed; where a DTD must be accepted, the external-general-entities and external-parameter-entities features are set to false instead, as the OWASP XXE Prevention Cheat Sheet describes for each parser.
Why Not Other Options?
A (chmod o-rwx): File permission hardening may limit which files an XXE payload can read but does not fix the parser, and /etc/passwd in particular must stay world-readable for user-name lookups to work, so this change would break the system without closing the hole.
B (Review logs): Reviewing logs is a reactive measure, not a prevention mechanism.
D (WAF): A WAF may block the obvious payloads, but signature matching on XML bodies is easy to evade (alternate encodings, parameter entities, out-of-band variants) and leaves the vulnerable parser in place, so it is a compensating control, not a fix.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
OWASP XXE Prevention Cheat Sheet
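The following is an added example, not part of the original question explanation, showing the same parser-hardening decision in Python's standard-library SAX parser, used here as a stand-in for the Java DocumentBuilderFactory setting mentioned above. The payload is the classic one but its SYSTEM entity points at a temporary file the script creates itself, not at /etc/passwd; the function names parse_vulnerable, parse_hardened and demo and the helper classes are assumptions of this example.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of each element, keyed by element name."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


class _RejectDoctype:
    """SAX lexical handler that aborts on the first DOCTYPE. No DOCTYPE means no
    <!ENTITY ...> declaration can be smuggled in, which is what Java's
    disallow-doctype-decl feature achieves. The remaining callbacks exist only
    because the expat reader expects the full lexical-handler interface."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_vulnerable(xml_bytes):
    """Parser configured the way XXE needs it: external general entities are resolved."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.fields


def parse_hardened(xml_bytes):
    """Parser for untrusted input: entity resolution off and any DOCTYPE rejected."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.fields


def demo():
    """Constructed run: a temporary file stands in for /etc/passwd, the classic
    payload points its SYSTEM entity at that file, and both parsers process it."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as secret:
        secret.write(b"root:x:0:0:root:/root:/bin/bash")   # constructed file content
        secret_path = secret.name
    try:
        payload = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE user [<!ENTITY xxe SYSTEM "' + secret_path.encode() + b'">]>'
                   b'<user><name>&xxe;</name></user>')
        benign = b'<?xml version="1.0"?><user><name>alice</name></user>'

        leaked = parse_vulnerable(payload)["name"]      # file contents come back
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True                               # rejected before any entity is read
        benign_name = parse_hardened(benign)["name"]     # ordinary documents still parse
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "benign": benign_name}


if __name__ == "__main__":
    print(demo())
```

The vulnerable parser returns the file's contents in the name field exactly as the application in the question did; the hardened parser never reaches the entity because it refuses the DOCTYPE, and a document without a DOCTYPE is unaffected. The same two settings (no DTD, no external entities) are what the Java features above express.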
During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server's input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?
Answer : D
Cross-site scripting (XSS) occurs when attacker-supplied input is placed into a web page without adequate validation or output encoding, so it executes as script in other users' browsers. Because the script runs inside the victim's authenticated session, it can read session cookies (where HttpOnly is not set), submit forms, or issue requests such as a purchase on the victim's behalf.
Option D (Cross-site scripting) is correct because the flaw is in the server's handling of input and the injected script executes authenticated requests as the logged-in user, which is exactly the unauthorized transaction the scenario describes.
Option A (Privilege escalation) is incorrect because it involves gaining higher privileges on a system, not attacking input validation in a web application.
Option B (DOM injection) is incorrect because, as the exam frames it, manipulating the browser's DOM alters what the page shows; it is not the named technique for carrying out transactions as the user.
Option C (Session hijacking) is incorrect because it describes using an already captured session token, not the technique that exploits the input-validation flaw; XSS is one way such a token gets stolen in the first place.
Which of the following frameworks can be used to classify threats?
Answer : B
STRIDE is a threat classification model created by Microsoft that breaks down threats into six categories:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege
It is specifically designed for threat modeling.
PTES is a general pentesting methodology.
OSSTMM is a framework for operational security testing.
OCTAVE is a risk assessment methodology, not focused on threat classification.
A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?
Answer : C
To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:
Understanding the Options:
-sU: Performs a UDP scan.
-sT: Performs a TCP connect scan.
Command: nmap -sU -sT -p 1-65535 example.com
This command scans both TCP and UDP ports 1 through 65535 on example.com; combining -sU and -sT covers both kinds of service in a single run. Two practical caveats: the UDP scan needs raw-socket privileges (run it as root or with sudo), and a full-range UDP sweep is slow because closed UDP ports are inferred from ICMP port-unreachable replies that most hosts rate-limit, so testers often restrict the UDP side with --top-ports.
Comparison with Other Options:
-sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.
-sY: Initiates a SCTP INIT scan, not relevant for this context.
-sN: Initiates a TCP Null scan, which is not used for discovering UDP services.
======
While performing an internal assessment, a tester uses the following command:
crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@
Which of the following is the main purpose of the command?
Answer : C
The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ is used to perform password spraying on internal systems. CrackMapExec (CME) is a post-exploitation tool that helps automate the process of assessing large Active Directory networks. It supports multiple protocols, including SMB, and can perform various actions like password spraying, command execution, and more.
CrackMapExec:
CrackMapExec: A versatile tool designed for pentesters to facilitate the assessment of large Active Directory networks. It supports various protocols such as SMB, WinRM, and LDAP.
Purpose: Commonly used for tasks like password spraying, credential validation, and command execution.
Command Breakdown:
crackmapexec smb: Specifies the protocol to use, in this case, SMB (Server Message Block), which is commonly used for file sharing and communication between nodes in a network.
192.168.1.0/24: The target IP range, indicating a subnet scan across all IP addresses in the range.
-u user.txt: Specifies the file containing the list of usernames to be used for the attack.
-p Summer123@: Specifies the single password to try against every username in user.txt. Because only one password is given there is no user-by-password cross-product; the tool makes exactly one attempt per username per host.
Password Spraying:
Definition: A technique where a single password (or a small number of passwords) is tried against a large number of usernames to avoid account lockouts that occur when brute-forcing a single account.
Goal: To find valid username-password combinations without triggering account lockout mechanisms.
Pentest Reference:
Password Spraying: An effective method for gaining initial access during penetration tests, particularly against organizations that have weak password policies or commonly used passwords.
CrackMapExec: Widely used in penetration testing for its ability to automate and streamline the process of credential validation and exploitation across large networks.
By running this command the tester sprays one seasonal-style password across every username in user.txt against every SMB host in the subnet, identifying accounts with weak or reused passwords. Before spraying, the domain's lockout threshold and observation window should be confirmed (CrackMapExec's --pass-pol option dumps the password policy) and the number of passwords tried per window kept below the threshold; note also that CrackMapExec stops after the first valid login on a host unless --continue-on-success is given.
======
During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:
sql> xp_cmdshell whoami /all
Which of the following is the tester trying to do?
Answer : C
xp_cmdshell is an extended stored procedure that runs an operating-system command from inside SQL Server, under the security context of the SQL Server service account; it is disabled by default and has to be enabled through sp_configure first, which sqlmap's --os-shell does automatically when it has sysadmin rights. whoami /all prints the current user, group memberships and privileges on Windows, so the tester is enumerating what the service account can do on the host: post-exploitation privilege enumeration, the first step in deciding whether escalation is needed.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 -- Post-Exploitation Techniques):
''Using xp_cmdshell and system commands like whoami /all allows testers to identify the privilege level of the database user and system access level.''
A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement. Which of the following is the best command to capture handshakes?
Answer : D
The command airodump-ng -c 6 --bssid <target_mac> <iface> captures traffic on channel 6 for one access point, which is where the WPA/WPA2 4-way handshake appears; that handshake is what tools like Hashcat or John the Ripper crack offline. In practice the interface must first be placed in monitor mode (airmon-ng start <iface>), -w <prefix> is added so the capture is written to disk, and because the handshake is only exchanged when a client associates, testers commonly deauthenticate a connected client with aireplay-ng to force a reconnection.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 7 -- Wireless Attacks):
''Airodump-ng is used to capture handshakes between a client and access point. The attacker can then attempt to crack the captured handshake offline.''