PT0-003 Exam Dumps - CompTIA PenTest+ Questions and Answers

When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here's why:

Understanding Smishing:

Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.

Why Smishing is Effective:

Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.

Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.

Alternative Attack Techniques:

Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.

Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.

Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.

=================

The EPSS (Exploit Prediction Scoring System) estimates how likely a vulnerability is to be exploited. Higher EPSS scores indicate a higher likelihood of exploitation.

Option A (Target 1) ✅:

EPSS 0.6 (60% chance of exploitation)

CVSS 4 (Medium severity)

✅ Best candidate since it has the highest likelihood of exploitation.

Option B (Target 2) ❌: EPSS 0.3 (30%) is lower, making it less likely to be attacked.

Option C (Target 3) ❌: EPSS 0.6 is high, but CVSS 1 is very low, meaning the vulnerability is not critical.

Option D (Target 4) ❌: CVSS 4.5 is higher, but EPSS 0.4 is lower, meaning attackers are less likely to exploit it.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Vulnerability Prioritization with EPSS & CVSS

Based on the Nmap scan results, the services identified on the target server are as follows:

22/tcp open ssh:

Service: SSH (Secure Shell)

Function: Provides encrypted remote access.

Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations. However, it is generally considered secure if properly configured.

25/tcp filtered smtp:

Service: SMTP (Simple Mail Transfer Protocol)

Function: Email transmission.

Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.

111/tcp open rpcbind:

Service: RPCBind (Remote Procedure Call Bind)

Function: Helps in mapping RPC program numbers to network addresses.

Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.

2049/tcp open nfs:

Service: NFS (Network File System)

Function: Allows for file sharing over a network.

Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.

Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.

Comprehensive and Detailed Explanation:

The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.

Why B is correct:

Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.

Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.

Why the other answers are incomplete or secondary:

A. Enable a host-based firewall on the machine — a reasonable defensive step if missing, but it does not replace removing the persistence that was the cause of the breach.

C. Revert configuration changes made during the engagement — also important and should be done, but the highest priority is removing active persistence that gives access. (Both B and C are valid cleanup activities; B is the single best answer given the question.)

D. Turn off command-and-control infrastructure — this is appropriate for the tester’s own infrastructure, but the critical action on the client side is removing client-side persistence. Also, turning off C2 after the test is expected, but will not remediate the remaining web shell on the client.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — post-engagement cleanup and handoff (remediation actions, removal of test artifacts, maintaining chain of custody and evidence, and returning environment to agreed baseline).

Evaluation Criteria:

CVSS (Common Vulnerability Scoring System): Indicates the severity of vulnerabilities, with higher scores representing more critical vulnerabilities.

EPSS (Exploit Prediction Scoring System): Estimates the likelihood of a vulnerability being exploited in the wild.

Analysis:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

Selection Justification:

fileserver has the highest EPSS score of 0.90, indicating a high likelihood of exploitation despite having a slightly lower CVSS score compared to other targets.

This makes it a critical target for immediate testing to mitigate potential exploitation risks.

Pentest References:

Risk Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, the penetration tester focuses on a target that is highly likely to be exploited, addressing the most immediate risk based on the given scores.

Top of Form

Bottom of Form

Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.

Tailgating:

Definition: Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without the latter’s consent or knowledge. The authorized person typically opens a door or checkpoint, and the unauthorized person slips in behind them.

Example: An attacker waits near the entrance of a building and enters right after an employee, bypassing security measures.

Physical Security:

Importance: Physical security is a crucial aspect of overall security posture. Tailgating exploits human factors and weaknesses in physical security controls.

Prevention: Security measures such as turnstiles, mantraps, and security personnel can help prevent tailgating.

Pentest References:

Physical Penetration Testing: Tailgating is a common technique used in physical penetration tests to assess the effectiveness of an organization’s physical security controls.

Social Engineering: Tailgating often involves social engineering, where the attacker relies on the politeness or unawareness of the employee to gain unauthorized access.

By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization’s physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.

=================

Badge cloning typically involves copying the data from access control badges, which frequently utilize the following technologies:

NFC (Near-Field Communication):

NFC is a subset of RFID technology that operates at short ranges (up to 10 cm). It is commonly used in modern access control systems, payment systems, and badge technologies. NFC cloning tools can intercept and copy badge data.

RFID (Radio-Frequency Identification):

RFID operates over a broader range of frequencies and distances than NFC. Many legacy access systems use RFID badges, which are susceptible to cloning attacks using RFID readers and cloning devices.

Exclusions:

Bluetooth, Modbus, Zigbee, CAN bus are not typically used in badge-based access control systems and are unrelated to badge cloning.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)