During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.
The tester's main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.
Which of the following steps should the tester take to complete the goal?
Answer : A
Since the tester has compromised a Windows machine and bypassed security, the best next step is to extract credentials from memory to move laterally within Active Directory.
Option A (Mimikatz) : Correct.
Mimikatz extracts hashed credentials, plaintext passwords, and Kerberos tickets from memory.
Attackers use Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) to authenticate on other systems without cracking passwords.
Option B (Hashcat) : Cracking passwords takes time and is not necessary if Mimikatz provides reusable credentials.
Option C (Evil-WinRM) : Evil-WinRM is useful for remotely executing commands, but without valid credentials, it won't work.
Option D (Metasploit) : Metasploit payloads may be useful for initial exploitation, but credential dumping is a better next step.
Reference: CompTIA PenTest+ PT0-003 Official Guide -- Credential Dumping & Lateral Movement
A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org. Which of the following should the tester do to accomplish the assessment objective?
Answer : A
An external attack surface review focuses on identifying publicly accessible assets that an attacker could exploit. The first step in this process is information gathering, which involves enumerating domains, subdomains, public IPs, DNS records, and other internet-facing resources. This is done using passive reconnaissance tools such as Whois, Shodan, Google Dorking, and OSINT techniques.
Option A is correct because it aligns with the assessment goal---finding public-facing systems and their vulnerabilities before an attacker does.
Option B (phishing assessment) is incorrect because it involves social engineering, which is not part of an external attack surface review.
Option C (physical security review) is incorrect as it pertains to physical penetration testing, not an external attack analysis.
Option D (vulnerability assessment) is incorrect because a vulnerability assessment is a later step after reconnaissance. The first step is identifying assets through information gathering.
A penetration tester reviews a SAST vulnerability scan report. The following vulnerability has been reported as high severity:
Source file: components.ts
Issue 2 of 12: Command injection
Severity: High
Call: .innerHTML = response
The tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code. Which of the following describes how the tester should classify this reported vulnerability?
Answer : B
A false positive occurs when a vulnerability scan incorrectly flags a security issue that does not exist or is not exploitable in the context of the application. Here's the reasoning:
Definition of Command Injection:Command injection vulnerabilities occur when user-controllable data is passed to an interpreter or command execution context without proper sanitization, allowing an attacker to execute arbitrary commands.
Code Analysis:
The response variable is defined as a constant (const), which implies its value is immutable during runtime.
The response is not sourced from user input nor used elsewhere, meaning there is no attack surface or exploitation pathway for an attacker to influence the content of response.
Scanner Misclassification:Static Application Security Testing (SAST) tools may flag vulnerabilities based on patterns (e.g., .innerHTML usage) without assessing the source and flow of data, resulting in false positives.
Final Classification:Since the response variable is static and unchangeable, the flagged issue is not exploitable. This makes it a false positive.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
Domain 4.0 (Penetration Testing Tools)
OWASP Static Code Analysis Guide
A penetration tester reviews a SAST vulnerability scan report. The following lines of code have been reported as vulnerable:
Issue 40 of 126
Language: Java
Severity: Medium
Call:
try {
// ...
} catch (SomeException e) {
e.printStackTrace();
}
Which of the following is the best method to remediate this vulnerability?
Answer : A
The correct answer is A. Implementing a logging framework
The vulnerable code uses:
e.printStackTrace();
In Java applications, printStackTrace() can expose sensitive internal details, such as class names, file paths, line numbers, application logic, database errors, and other implementation information. If this output is displayed to users or written insecurely, it can help an attacker understand the application and craft further attacks.
The best remediation is to replace direct stack trace printing with a proper logging framework, such as Log4j, SLF4J, or java.util.logging, configured with appropriate log levels and secure log handling. A logging framework allows developers to record useful diagnostic information while controlling where logs are stored, what level of detail is included, and whether sensitive data is exposed.
B is incorrect because simply removing the reported code lines may break exception handling and does not provide a proper secure error-handling solution.
C is incorrect because secure coding awareness is useful as a long-term improvement, but it does not directly remediate this specific vulnerable code.
D is incorrect because this is not a false positive. Direct use of printStackTrace() is commonly flagged by SAST tools because it can result in information disclosure.
In PenTest+ terms, this falls under Tools and Code Analysis, specifically SAST findings, insecure error handling, information disclosure, and secure coding remediation.
During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?
Answer : A
Hunter.io is a tool used for finding professional email addresses associated with a domain. Here's what it provides:
Functionality of Hunter.io:
Email Address Collection: Gathers email addresses associated with a target domain from various sources across the internet.
Verification: Validates the email addresses to ensure they are deliverable.
Sources: Aggregates data from public sources, company websites, and other internet databases.
Comparison with Other Options:
DNS Records (B): Hunter.io does not focus on DNS records; tools like dig or nslookup are used for DNS information.
Data Breach Information (C): Services like Have I Been Pwned are used for data breach information.
Web Page Information (D): Tools like wget, curl, or specific web scraping tools are used for collecting detailed web page information.
Hunter.io is specifically designed to collect and validate email addresses for a given domain, making it the correct answer.
======
While conducting a reconnaissance activity, a penetration tester extracts the following information:
Emails:
admin@acme.com
sales@acme.com
support@acme.com
Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?
Answer : A
Discovering valid corporate email addresses during reconnaissance is a classic OSINT outcome that directly enables social engineering attacks, especially phishing and related credential-harvesting techniques. In the PenTest+ methodology, information gathered in reconnaissance is leveraged to obtain an initial foothold, often by targeting users with realistic, role-based lures (for example, ''support'' tickets, ''sales'' leads, or ''admin'' notifications). The primary risk created by exposed or easily discoverable email identities is that an attacker can use them to deliver malicious links, weaponized attachments, or impersonation-based requests that may result in credential compromise or malware execution, leading to unauthorized access to internal systems and the network.
The other options do not logically follow from the provided evidence: email enumeration alone does not demonstrate sensitive servers are internet-exposed, does not indicate SQL injection likelihood (which is tied to web input validation and testing), and does not prove a data breach---only that addresses exist or can be collected publicly. Therefore, the most appropriate risk to leverage next is unauthorized network access via phishing/social engineering.
During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:
snmpwalk -v 2c -c public 192.168.1.23
Which of the following is the tester trying to do based on the command they used?
Answer : D
The command snmpwalk -v 2c -c public 192.168.1.23 is used to query SNMP (Simple Network Management Protocol) data from a device. Here's the purpose in the context provided:
SNMP Enumeration:
Function: snmpwalk is used to retrieve a large amount of information from the target device using SNMP.
Community String: -c public specifies the community string, which is essentially a password for SNMP queries.
Purpose of the Command:
Validate Results: The tester uses SNMP to gather detailed information about the network devices to confirm the findings of the vulnerability scanner and remove any false positives.
Detailed Information: SNMP can provide detailed information about device configurations, network interfaces, and other settings that can validate the scanner's results.
Comparison with Other Options:
Bypassing Defensive Systems (A): Not directly related to SNMP enumeration.
Using Automation Tools (B): While SNMPwalk is automated, the primary purpose here is validation.
Script Exploits (C): SNMPwalk is not used for scripting exploits but for information gathering.
By using snmpwalk, the tester is validating the results from the vulnerability scanner and removing any false positives, ensuring accurate reporting.
======