PT0-003 Free Practice Test

A penetration tester cannot find information on the target company's systems using common OSINT methods. The tester's attempts to do reconnaissance against internet- facing resources have been blocked by the company's WAF. Which of the following is the best way to avoid the WAF and gather information about the target company's systems?

1. A. HTML scraping
2. B. Code repository scanning
3. C. Directory enumeration
4. D. Port scanning

Correct Answer: B
When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information. Here??s why:
✑ Code Repository Scanning:
✑ Comparison with Other Methods:
Scanning code repositories allows gathering a wide range of information that can be critical for further penetration testing effort
=================

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

1. A. Enable monitoring mode using Aircrack-ng.
2. B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
3. C. Run KARMA to break the password.
4. D. Research WiGLE.net for potential nearby client access points.

Correct Answer: A
Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.
✑ Preparation:
✑ Enable Monitoring Mode:
Step-by-Step Explanationairmon-ng start wlan0
✑ uk.co.certification.simulator.questionpool.PList@3327f1d6 iwconfig
✑ Capture WPA2 Handshakes: airodump-ng wlan0mon
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

A penetration tester assesses an application allow list and has limited command-line access on the Windows system. Which of the following would give the penetration tester information that could aid in continuing the test?

1. A. mmc.exe
2. B. icacls.exe
3. C. nltest.exe
4. D. rundll.exe

Correct Answer: C
When a penetration tester has limited command-line access on a Windows system, the choice of tool is critical for gathering information to aid in furthering the test. Here??s an explanation for each option:
✑ mmc.exe (Microsoft Management Console):
✑ icacls.exe:
✑ nltest.exe:
✑ rundll.exe:
Conclusion: nltest.exe is the best choice among the given options as it provides valuable information about the network, domain controllers, and trust relationships. This information is crucial for a penetration tester to plan further actions and understand the domain environment.
=================

During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?

1. A. On-path
2. B. Logic bomb
3. C. Rootkit
4. D. Buffer overflow

Correct Answer: C
A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host??s operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.
✑ Definition and Purpose:
✑ Mechanisms of Action:
✑ Detection and Prevention:
✑ Real-World Examples:
✑ References from Pentesting Literature: Step-by-Step ExplanationReferences:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups on sophisticated attacks
=================

A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

1. A. ntlmrelayx.py -t 192.168.1.0/24 -1 1234
2. B. nc -tulpn 1234 192.168.1.2
3. C. responder.py -I eth0 -wP
4. D. crackmapexec smb 192.168.1.0/24

Correct Answer: C
To collect information over the network, especially during an internal assessment, tools that can capture and analyze network traffic are essential. Responder is specifically designed for this purpose, and it can capture NTLM hashes and other credentials by poisoning various network protocols. Here??s a breakdown of the options:
✑ Option A: ntlmrelayx.py -t 192.168.1.0/24 -1 1234
✑ Option B: nc -tulpn 1234 192.168.1.2
✑ Option C: responder.py -I eth0 -wP
✑ Option D: crackmapexec smb 192.168.1.0/24
References from Pentest:
✑ Anubis HTB: Highlights the use of Responder to capture network credentials and hashes during internal assessments.
✑ Horizontall HTB: Demonstrates the effectiveness of Responder in capturing and analyzing network traffic for further exploitation.
=================