CompTIA PT0-003 CompTIA PenTest+ Exam Practice Test

Page: 1 / 14
Total 239 questions
Question 1

During an assessment, a penetration tester runs the following command:

dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll

Which of the following is the penetration tester trying to achieve?



Answer : B

The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.

Privilege escalation (Option B):

The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.

By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.

This technique is a DLL hijacking attack.


Incorrect options:

Option A (DNS enumeration): The command modifies DNS settings rather than querying them.

Option C (Command injection): The attacker is not injecting arbitrary shell commands.

Option D (List of users): The command does not retrieve user information.
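As a defender-side illustration of the technique in this question, the following Python example (added here; it is not part of the practice test) scans constructed process-creation log lines for dnscmd.exe invocations that set the server-level plugin DLL, and flags paths outside System32 or on a UNC share. The log format ("user|image|command line"), the sample lines and the System32-only policy are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log lines in a simple "user|image|command line" form.
# These are sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    "dnsadmin|C:\\Windows\\System32\\dnscmd.exe|dnscmd.exe /config /serverlevelplugindll C:\\users\\necad-TA\\Documents\\adduser.dll",
    "dnsadmin|C:\\Windows\\System32\\dnscmd.exe|dnscmd.exe /zoneprint corp.example",
    "svc_backup|C:\\Windows\\System32\\dnscmd.exe|DNSCMD.EXE /Config /ServerLevelPluginDll \\\\fileserver\\share\\plugin.dll",
    "alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
]


@dataclass
class Finding:
    user: str
    dll_path: str
    reason: str


# Match the flag case-insensitively and capture the path that follows it.
PLUGIN_FLAG = re.compile(r"/serverlevelplugindll\s+(\S+)", re.IGNORECASE)


def is_unexpected_dll_path(path):
    # Assumed policy for this example: a legitimate plugin DLL lives under System32.
    return not path.lower().startswith("c:\\windows\\system32\\")


def detect_plugin_dll_changes(events):
    """Return one Finding per dnscmd.exe command that sets ServerLevelPluginDll."""
    findings = []
    for line in events:
        user, image, cmdline = line.split("|", 2)
        if not image.lower().endswith("\\dnscmd.exe"):
            continue
        m = PLUGIN_FLAG.search(cmdline)
        if not m:
            continue
        path = m.group(1)
        reason = "ServerLevelPluginDll set"
        if path.startswith("\\\\"):
            reason += " to a UNC path"
        elif is_unexpected_dll_path(path):
            reason += " to a DLL outside System32"
        findings.append(Finding(user=user, dll_path=path, reason=reason))
    return findings


if __name__ == "__main__":
    for f in detect_plugin_dll_changes(SAMPLE_EVENTS):
        print(f"{f.user}: {f.reason}: {f.dll_path}")
```

Because the setting persists in the DNS service's Parameters registry key (the ServerLevelPluginDll value) and the DLL is loaded the next time the DNS service starts, a periodic check of that value on DNS servers complements the command-line detection shown here.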

Question 2

An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?



Answer : A

Penetration test results are sensitive information and must be handled confidentially.

Privileged & Confidential Status Update (Option A):

Helps ensure compliance with legal and regulatory standards by labeling the report as confidential.

Encourages secure handling by recipients.


Incorrect options:

Option B (Action Required): Suggests an immediate response is needed, which may not always be the case.

Option C (Important Weekly Status Update): Does not emphasize confidentiality.

Question 3

A penetration tester is performing a network security assessment. The tester wants to intercept communication between two users and then view and potentially modify transmitted data. Which of the following types of on-path attacks would be best to allow the penetration tester to achieve this result?



Answer : B

An on-path attack (previously known as a man-in-the-middle, or MITM, attack) allows an attacker to intercept and modify communication between two parties.

ARP poisoning (Option B):

Attackers send fake ARP replies to associate their MAC address with the IP address of a legitimate device (e.g., gateway).

This forces traffic to flow through the attacker's system, enabling packet capture and manipulation.

Tools like Ettercap, Bettercap, and ARP spoofing scripts are commonly used.


Incorrect options:

Option A (DNS spoofing): Redirects users to malicious domains but does not intercept traffic.

Option C (VLAN hopping): Allows traffic to traverse VLANs, but does not intercept user communication.
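The detection side of ARP poisoning follows directly from the mechanism described above: the attacker's MAC address starts answering for an IP address that previously mapped to a different MAC, and usually for more than one IP address at once. The Python example below (added here; not part of the practice test) replays a constructed sequence of ARP reply observations and raises alerts for both symptoms. The observation tuples and the optional static table of trusted bindings are assumptions made for the example.

```python
from collections import defaultdict

# Constructed ARP reply observations as (timestamp, sender IP, sender MAC).
# Sample data for this example, not a real capture.
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway, legitimate
    (2, "10.0.0.25", "aa:aa:aa:aa:aa:25"),  # a client
    (3, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5, "10.0.0.25", "de:ad:be:ef:00:99"),  # the same MAC also claims the client's IP
]


def detect_arp_anomalies(replies, known_good=None):
    """Return (timestamp, kind, ip, mac) alerts for IP->MAC flips and for one MAC
    claiming several IPs. known_good is an optional {ip: mac} table of trusted bindings."""
    known_good = {ip: mac.lower() for ip, mac in (known_good or {}).items()}
    seen = dict(known_good)            # last MAC observed for each IP
    ips_per_mac = defaultdict(set)     # all IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in known_good and known_good[ip] != mac:
            alerts.append((ts, "static-binding-violation", ip, mac))
        elif ip in seen and seen[ip] != mac:
            alerts.append((ts, "mac-changed", ip, mac))
        seen[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_REPLIES, known_good={"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(alert)
```

On a real network the same logic is what tools such as arpwatch implement; the strongest mitigation remains switch-side dynamic ARP inspection or static entries for critical hosts such as the gateway.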

Question 4

During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules. Which of the following is the most effective way for the tester to accomplish this task?



Answer : A

To avoid triggering IDS/IPS alerts, the attacker should use offline cracking on compromised hashes rather than direct brute-force attempts.

Crack user accounts using compromised hashes (Option A):

Hashes can be cracked offline using tools like Hashcat or John the Ripper.

No direct login attempts are made, so the activity avoids detection by security systems.


Incorrect options:

Option B (Brute force): Generates excessive failed logins, triggering IDS/IPS alerts.

Option C (SQL injection): Exploits database vulnerabilities, not direct account compromise.

Option D (XSS attack): Can steal cookies but does not directly compromise accounts.

Question 5

A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?



Answer : A

If a wireless network lacks proper encryption, attackers can inject malicious packets into the traffic stream.

Packet injection (Option A):

Attackers forge and transmit fake packets to manipulate network behavior.

Common in WEP/WPA attacks to force IV collisions or spoof DHCP responses.


Incorrect options:

Option B (Bluejacking): Sends spam messages via Bluetooth, not for network exploitation.

Option C (Beacon flooding): Overloads wireless access points, not an attack on encryption.

Question 6

During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?



Answer : A

Metadata extraction allows attackers to collect sensitive information from digital files.

EXIF (Exchangeable Image File Format) (Option A):

EXIF metadata contains camera details, GPS coordinates, timestamps, and software versions used to edit the file.

Attackers use tools like ExifTool to extract metadata for reconnaissance.


Incorrect options:

Option B (GIF): A file format for images, but not a metadata standard.

Option C (COFF): Common Object File Format, related to executable files, not images.

Option D (ELF): Executable and Linkable Format, used for Linux binaries, not metadata analysis.
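EXIF data is carried in a JPEG file as an APP1 marker segment whose payload begins with "Exif\0\0", which is why metadata tools can find it without decoding the image. The following Python example (added here; not part of the practice test) walks the marker segments of a constructed, minimal JPEG-like byte string, reports whether an EXIF segment is present, and returns a copy with that segment removed, which is the defensive counterpart to the reconnaissance described above. The sample bytes are constructed for the example and are not a decodable image; the parser also stops at the Start-of-Scan marker and copies everything after it verbatim.

```python
import struct

SOI, EOI, SOS, APP1, DQT = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1, 0xFFDB
EXIF_HEADER = b"Exif\x00\x00"


def _segment(marker, payload):
    # Build one JPEG marker segment; the length field counts itself plus the payload.
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed minimal JPEG-like byte string with an Exif APP1 segment. It exercises the
# marker structure that metadata tools walk but is not a real, decodable image.
EXIF_PAYLOAD = EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00"
SAMPLE_JPEG = (
    struct.pack(">H", SOI)
    + _segment(APP1, EXIF_PAYLOAD)
    + _segment(DQT, b"\x00" + bytes(64))            # quantisation table, must be kept
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")     # start of scan header
    + b"\x12\x34\x56"                                # entropy-coded data (constructed)
    + struct.pack(">H", EOI)
)


def parse_header(data):
    """Return ([(marker, payload), ...], offset of SOS) for the segments before SOS."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return segments, pos
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")


def has_exif(data):
    segments, _ = parse_header(data)
    return any(m == APP1 and p.startswith(EXIF_HEADER) for m, p in segments)


def strip_exif(data):
    """Return a copy of the JPEG with Exif APP1 segments removed and everything else intact."""
    segments, sos = parse_header(data)
    out = bytearray(struct.pack(">H", SOI))
    for marker, payload in segments:
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += _segment(marker, payload)
    out += data[sos:]   # SOS header, image data and EOI copied verbatim
    return bytes(out)


if __name__ == "__main__":
    print("exif present:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after stripping:", has_exif(cleaned), len(SAMPLE_JPEG), "->", len(cleaned))
```

This parser handles the common case only; real files may contain fill bytes between markers, XMP in a second APP1 segment, or metadata in other formats (PNG, PDF, Office documents), so a publishing pipeline should rely on a full tool such as ExifTool and verify the output rather than trust a single-format stripper.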

Question 7

During an engagement, a penetration tester runs the following command against the host system:

host -t axfr domain.com dnsl.domain.com

Which of the following techniques best describes what the tester is doing?



Answer : A

A DNS zone transfer attack occurs when a misconfigured DNS server allows attackers to retrieve the entire DNS record set.

Zone transfer (Option A):

The command host -t axfr domain.com dnsl.domain.com requests an AXFR (authoritative transfer) of the DNS records.

This provides subdomains, email servers, and internal DNS records, which attackers can use for reconnaissance.


Incorrect options:

Option B (Host enumeration): Host enumeration gathers information about a specific host, not the entire DNS zone.

Option C (DNS poisoning): DNS poisoning modifies cache entries to redirect users. This is a different attack.
