Free CompTIA PT0-003 Practice Questions 2026 - Page 10

Explanation:

A penetration testing report is the primary deliverable of an engagement and serves as the only tangible evidence of the work performed. The most crucial aspect of proper report handling is ensuring it is clear, comprehensive, and accessible to different audiences. This is achieved by aligning the technical findings with the original project objectives and providing a precise executive summary.

The Executive Summary is a high-level overview designed for non-technical stakeholders (such as C-suite executives and board members). It translates technical vulnerabilities into business risks, providing a clear picture of the organization's security posture without requiring deep technical expertise. Simultaneously, the body of the report must detail the specific objectives met, the methodology used, and the evidence of exploitation. Without a clear structure that satisfies both the executive and technical teams, the report fails to provide the necessary roadmap for remediation.

Incorrect Options Analysis

Keeping video and audio (A):
While evidence (screenshots, command logs) is vital, recording "everything" in video and audio is often impractical, creates massive storage/security burdens, and is rarely a requirement for a standard professional report.

Maximum of 5 to 10 pages (B):
Report length should be dictated by the findings and scope. Artificially limiting a report to 10 pages for a complex enterprise environment would likely lead to omitting critical technical details and remediation steps.

Basing recommendations on risk score (C):
While risk scores (like CVSS) are important for prioritization, recommendations should be based on the specific business context and technical feasibility. A "Medium" risk vulnerability might be more critical to fix than a "High" one if it sits on a core business path.

References
CompTIA PenTest+ (PT0-003) Objective 4.1: Given a scenario, report on and explain a technical vulnerability and its risk.

NIST SP 800-115: Technical Guide to Information Security Testing and Assessment (Reporting Phase).

Explanation:

The provided Bash script fails because the while loop in Line 3 is initialized to read input, but it has no defined input source. In Bash scripting, when using read inside a loop to process a file line-by-line, the file must be redirected into the done statement at the end of the loop.

By changing Line 5 to done < "$DOMAINS_LIST", the script tells the shell to take the contents of the file defined in the variable $DOMAINS_LIST and feed them into the while loop. Without this redirection, the read command waits indefinitely for input from stdin (the keyboard), and the script appears to hang or does nothing.

Additionally, note a syntax error in Line 2: In Bash, variable assignments must not have spaces around the equals sign (e.g., DOMAINS_LIST="/path/to/list.txt"). While Option D specifically fixes the functional logic of the loop, the spacing in Line 2 would also need correction for the script to execute successfully.

Incorrect Options Analysis

Change Line 2 to a manual list (A):
While this creates an array, the while read logic is specifically designed to iterate through a file. Changing the variable to a manual list would still require a different loop structure (like for i in "${DOMAINS[@]}") to function.

Change Line 3 to while true (B):
This would create an infinite loop. It does not solve the problem of reading the actual domain names from the text file.

Change Line 4 to tee (C):
The tee command redirects output to both a file and the screen. While useful for logging, it does not fix the primary issue of the loop not receiving any input data to process.

References
CompTIA PenTest+ (PT0-003) Objective 5.1: Given a scenario, use basic scripting concepts (Bash, Python, PowerShell).
GNU Bash Manual: Redirections and the read builtin.

Explanation:

The provided solution uses a combination of core Linux utilities—grep, cut, and sed—to transform raw CSV data into a specific space-delimited format. Each command in the pipeline performs a critical transformation step:

grep -v "IP": This filters out the header row. The -v flag stands for "invert-match," meaning it excludes any line containing the string "IP". This prevents the column headers ("Username, Password") from appearing in the final output.

cut -d"," -f 3,4: This command extracts specific columns. The -d"," flag sets the delimiter to a comma, and -f 3,4 tells the utility to keep only the third and fourth fields (Username and Password). At this stage, the output still contains commas (e.g., admin, Spring11).

sed -e 's/,/ /': The Stream Editor (sed) performs a substitution. The expression 's/,/ /' searches for the first comma on each line and replaces it with a space. This results in the final intended format: admin Spring11.

This pipeline is a standard approach in penetration testing for "data wrangling," allowing the tester to quickly reformat scan results for input into brute-forcing tools or credential stuffing scripts.

Incorrect Options Analysis

Option B (find . -iname):
The find command is used for searching the file system for filenames and directories. It cannot parse the internal contents of a CSV file.

Option C (grep 'username|Password'):
This command simply searches for lines containing those specific strings. It does not perform any field extraction or character replacement, and the syntax for the OR operator (|) would require the -E (Extended Regex) flag to function as intended.

Option D:
While this attempts to use grep -v to exclude hostnames and IPs, it is highly inefficient and manual. It relies on knowing every single value in the Host and IP columns beforehand, which is not practical for large datasets.

References

CompTIA PenTest+ (PT0-003) Objective 5.1: Given a scenario, use basic scripting concepts (Bash).

GNU Coreutils: Documentation for grep, cut, and sed.

Explanation:

Banner grabbing involves connecting to an open port (e.g., SSH on TCP/22) and reading the service’s initial response. SSH servers typically disclose their software and version in that banner unless manually hardened. Example: SSH-2.0-OpenSSH_8.9p1. This allows the tester to identify vulnerable versions.

Why other options are incorrect

A. Network sniffing
– Passive traffic capture may not see the SSH banner unless the tester initiates a connection (which then becomes banner grabbing). Encryption also hides version details.

B. IP scanning
– Only discovers live hosts and open ports (e.g., “port 22 open”). It does not retrieve service version banners without additional probes (which is still banner grabbing).

D. DNS enumeration
– Maps domain names, subdomains, and DNS records. It provides no information about running SSH services or their versions.

References:

CompTIA PenTest+ PT0-003 Exam Objectives – Domain 2.2 (Information Gathering): “Perform service and port scanning including banner grabbing for fingerprinting.”

Nmap documentation – Version detection (-sV) is a form of banner grabbing.

MITRE ATT&CK T1592.002 – “Gather Victim Host Information: Software” – banner grabbing is a common method.

Explanation:

The Nmap scan shows three critical services: SNMP (161/udp), SMB (445/tcp), and RDP (3389/tcp). The host is identified as Windows 7 SP0, which is historically vulnerable to MS17-010 (EternalBlue) if unpatched. EternalBlue is a remote code execution exploit against SMBv1 that allows attackers to gain shell access without authentication. Since the tester’s goal is shell access, this is the most direct and effective exploit to attempt first.

Option A: exploit/windows/smb/psexec
PsExec requires valid credentials to execute commands remotely over SMB. Without credentials, this exploit cannot succeed, so it is not the first choice.

Option B: exploit/windows/smb/ms08_067_netapi
MS08-067 targets Windows XP and Server 2003 systems. While extremely famous, it does not apply to Windows 7, making it irrelevant in this scenario.

Option D: auxiliary/scanner/snmp/snmp_login
This module only attempts SNMP login brute force. It can provide information but does not yield shell access. Since the tester’s objective is shell access, this option is not suitable.

Therefore, MS17-010 EternalBlue is the correct exploit to try first. It directly targets the SMB service on port 445, matches the OS fingerprint (Windows 7), and is known to provide remote shell access if the system is unpatched. In penetration testing methodology, testers prioritize exploits that match the identified OS and services, especially those with high impact and no credential requirement.

References

CompTIA PenTest+ PT0-003 Exam Objectives – Domain 3.0 Attacks and Exploits (Network-based vulnerabilities).
Microsoft Security Bulletin MS17-010: CVE-2017-0144 (EternalBlue) – Microsoft Learn (learn.microsoft.com in Bing)

Explanation:

Covenant is a .NET-based command and control (C2) framework designed specifically for post-exploitation and payload management. It supports encrypted communication, multiple listeners (HTTP/HTTPS), and is highly extensible. Its stealth features include HTTPS beaconing, jitter, and custom traffic profiles, making it robust and stealthy for C2 operations.

Why other options are incorrect

A. ProxyChains
– Forces any TCP traffic through a proxy chain (e.g., Tor, SOCKS). Useful for anonymizing scans or tool traffic, but it is not a C2 framework — it does not manage payloads or provide remote control capabilities.

C. PsExec
– A Windows Sysinternals tool for remote command execution via SMB. It is not a C2 server; it executes a single command or launches a remote shell but lacks persistent beaconing, listener management, or multi-session control.

D. sshuttle
– A transparent proxy over SSH that forwards traffic like a VPN. It is excellent for pivoting or routing traffic through an SSH server but does not function as a C2 framework — no payload generation, no beaconing, no encrypted C2 channel management.

References
CompTIA PenTest+ PT0-003 – Domain 3.0 (Attacks and Exploits): “Compare and contrast C2 frameworks (Covenant, Cobalt Strike, Empire).”
Covenant GitHub / Wiki – Describes itself as “a .NET command and control framework for red teamers.”
MITRE ATT&CK – T1071 (Application Layer Protocol) for C2 communication; Covenant supports HTTPS.

Explanation:

bitsadmin.exe is a legitimate Windows command-line tool used to create and manage Background Intelligent Transfer Service (BITS) jobs. BITS transfers files in the background using idle network bandwidth, supports resumption of interrupted transfers, and can blend in with normal Windows traffic. Attackers abuse it for stealthy exfiltration because BITS jobs are persistent, use HTTP/HTTPS, and are less monitored than standard file copies.

Why other options are incorrect

A. procdump.exe
– A Sysinternals tool for dumping process memory (e.g., LSASS for credentials). It is not used for exfiltration; it captures memory locally.

B. msbuild.exe
– A build tool for .NET applications. Often abused for inline execution of C# code (bypassing application whitelisting), but not typically for exfiltration of files.

D. cscript.exe
– Executes VBScript or JScript scripts. Can be used for many malicious actions (downloaders, keyloggers), but BITS is specifically designed for file transfer and is the most likely LOLBin for exfiltration due to its native background transfer capabilities.

References:

CompTIA PenTest+ PT0-003 – Domain 3.5 (Post-Exploitation): “Data exfiltration using native Windows tools (LOLBins).”

LOLBAS (Living Off the Land Binaries, Scripts, and Libraries) – bitsadmin.exe listed as a file transfer and exfiltration tool.

Explanation:

Encryption transforms data into an unreadable format without the proper decryption key. Most DLP tools rely on content inspection (e.g., regex patterns, fingerprints, keywords) to detect sensitive data like credit card numbers, SSNs, or trade secrets. Encrypted data appears as high-entropy, random binary, which DLP cannot inspect or match against policies. Properly encrypted exfiltration bypasses DLP entirely unless the DLP has the decryption key or performs SSL/TLS interception.

Why other options are incorrect

A. Encoding (e.g., Base64, hex)
– Easily reversible and not secret. DLP tools trivially decode and inspect the original content. Encoding offers zero security.

B. Compression (e.g., ZIP, GZIP)
– Reduces size but does not hide content. DLP tools can decompress and inspect the original data. Some DLP even recursively unpacks archives.

D. Obfuscation (e.g., XOR with known key, ROT13)
– Weak, often reversible without a secret key. DLP can be configured to de-obfuscate common patterns. Not cryptographically secure.

References

CompTIA PenTest+ PT0-003 – Domain 3.5 (Post-Exploitation Data Exfiltration): “Bypassing DLP using encryption.”

NIST SP 800-175B – Encryption provides confidentiality; DLP cannot inspect encrypted payloads without keys.

Explanation:

Bypassing refers to defeating a physical security control without directly unlocking or manipulating the lock mechanism itself. For a rarely used door with electronic locking mechanisms, bypassing could involve:

Shunting the door position sensor (tricking the system into thinking the door is closed)
Voltage or signal manipulation on the lock control wire
Magnetic field interference with the locking mechanism
Accessing the door from an unsecured hinge side or through an adjacent panel
Unlike other methods, bypassing targets the implementation flaw rather than the lock type.

Why other options are incorrect"

A. Lock picking
– Works on mechanical pin/tumbler locks, not electronic locking mechanisms. Electronic locks often lack physical keyways.

B. Impersonating
– Social engineering (pretending to be an employee). Unreliable for a rarely used door, as no one may come to open it legitimately.

C. Jamming
– Transmitting RF noise to disrupt wireless electronic locks (e.g., RFID or remote access). Jamming prevents operation but does not open the door; it causes denial of service, not access.

D. Tailgating
– Following an authorized person through a door. A rarely used door means no legitimate traffic to follow, making tailgating infeasible.

References:

CompTIA PenTest+ PT0-003 – Domain 4.0 (Physical Security Testing): “Physical access bypass techniques for electronic locks.”
The Open Organization of Lockpickers (TOOOL) – Bypassing defined vs. lock picking.
MITRE ATT&CK for ICS – T0859 (Bypass Physical Access Controls).
Physical penetration testing standards – Bypassing includes shunting, forced relay attacks, and magnetic bypass tools for electronic strikes and magnets.