PT0-003 Exam Dumps - CompTIA PenTest+ Questions and Answers

Maintaining persistent access in a compromised system is a crucial goal for a penetration tester after achieving initial access. Here’s an explanation of each option and why creating registry keys is the preferred method:

Creating registry keys (Answer: A):

Modifying or adding specific registry keys can ensure that malicious code or backdoors are executed every time the system starts, thus maintaining persistence.

Advantages: This method is stealthy and can be effective in maintaining access over long periods, especially on Windows systems.

Example: Adding a new entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to execute a malicious script upon system boot.

1: Null session enumeration

Weak SMB file permissions

Fragmentation attack

2: nmap

-sV

-p 1-1023

192.168.2.2

3: #!/usr/bin/python

export $PORTS = 21,22

for $PORT in $PORTS:

try:

s.connect((ip, port))

print(“%s:%s – OPEN” % (ip, port))

except socket.timeout

print(“%:%s – TIMEOUT” % (ip, port))

except socket.error as e:

print(“%:%s – CLOSED” % (ip, port))

finally

s.close()

port_scan(sys.argv[1], ports)

Data Loss Prevention (DLP) tools monitor network traffic and files for sensitive information leaks. The most effective way to bypass DLP is to use encryption, since DLP systems cannot inspect encrypted content.

Option A (Encoding) ❌: Base64 or Hex encoding can sometimes bypass filters, but many DLP tools detect common encoding schemes.

Option B (Compression) ❌: Compression can change file signatures, but modern DLP systems can inspect compressed files.

Option C (Encryption) ✅: Correct.

Strong encryption prevents DLP tools from analyzing file contents.

Option D (Obfuscation) ❌: Code obfuscation may work for source code leaks, but DLP solutions use heuristics to detect patterns.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Bypassing Security Controls

Risk scores quantify the severity and likelihood of exploitation for each finding. This helps organizations prioritize which vulnerabilities to remediate first based on potential impact and exploitability.

Methodology outlines how the test was performed.

Findings list shows issues, but without prioritization.

Executive summary provides a high-level overview for decision-makers, not technical prioritization.

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated

When the client indicates that the scope ' s hosts and assets are not included in the vulnerability scan results, it suggests that the tester may have missed discovering all the devices in the scope. Here’s the best course of action:

Performing a Discovery Scan:

Purpose: A discovery scan identifies all active devices on the network before running a detailed vulnerability scan. It ensures that all in-scope devices are included in the assessment.

Process: The discovery scan uses techniques like ping sweeps, ARP scans, and port scans to identify active hosts and services.

Comparison with Other Actions:

Rechecking the Scanner Configuration (A): Useful but not as comprehensive as ensuring all hosts are discovered.

Using a Different Scan Engine (C): Not necessary if the issue is with host discovery rather than the scanner’s capability.

Configuring All TCP Ports on the Scan (D): Helps in detailed scanning but does not address missing hosts.

Performing a discovery scan ensures that all in-scope devices are identified and included in the vulnerability assessment, making it the best course of action.

======

Covert data exfiltration is a crucial aspect of advanced penetration testing. Penetration testers often need to move data out of a network without being detected by the organization ' s security monitoring tools. Here ' s a breakdown of the potential methods and why DNS is the preferred choice for covert data exfiltration:

FTP (File Transfer Protocol) (Option A):

Characteristics: FTP is a clear-text protocol used to transfer files.

Drawbacks: It is easily detected by network security tools due to its lack of encryption and distinctive traffic patterns. Most modern networks block or heavily monitor FTP traffic to prevent unauthorized file transfers.

The Common Vulnerability Scoring System (CVSS) provides a standardized way to evaluate the severity of security vulnerabilities. It includes:

Base Metrics: Inherent characteristics of a vulnerability (e.g., attack vector, complexity).

Temporal Metrics: Factors that change over time (e.g., exploit availability).

Environmental Metrics: Customization based on an organization’s environment.

Correct answers:

Helping to prioritize remediation based on threat context (Option B):

CVSS scores help organizations prioritize vulnerabilities based on real-world impact.

The Environmental metric allows customization based on business risk.

Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration. The two best options to bypass DLP are:

Compress and encrypt the data (Option B):

Compression reduces file size, making detection harder. Encryption further protects the data by making it unreadable without a key.

DLP tools often inspect content based on known patterns (e.g., credit card numbers, sensitive keywords). Encrypted files bypass content inspection since DLP cannot analyze encrypted data.

To detect all open ports and enumerate services, the tester needs to:

Use -sV (Service Version Detection)

Use -Pn (Disables ICMP ping to bypass firewalls)

Use -p- (Scans all 65,535 TCP ports)

nmap -sV -Pn -p- 10.10.10.10 (Option D):

This command performs full-port scanning, including high-numbered ports like 50123/tcp (ms-rpc).

Without -p-, high ports would be missed.