PT0-003 Exam Dumps - CompTIA PenTest+ Exam

To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.

Credential Stuffing:

Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.

Advantages: Unlike brute-force attacks, credential stuffing uses already known credentials, which reduces the number of attempts per account and minimizes the risk of triggering account lockout mechanisms.

Tool: Tools like Sentry MBA, Snipr, and others are commonly used for credential stuffing attacks.

Other Techniques:

MFA Fatigue: A social engineering tactic to exhaust users into accepting multi-factor authentication requests, not applicable for avoiding lockouts in this context.

Dictionary Attack: Similar to brute-force but uses a list of likely passwords; still risks lockout due to multiple attempts.

Brute-force Attack: Systematically attempts all possible password combinations, likely to trigger account lockouts due to high number of failed attempts.

Pentest References:

Password Attacks: Understanding different types of password attacks and their implications on account security.

Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.

By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.

======

The ms17_010_eternalblue exploit is the most appropriate choice based on the scenario.

Why MS17-010 EternalBlue?

EternalBlue is a critical vulnerability in SMBv1 (port 445) affecting older versions of Windows, including Windows 7.

The exploit can be used to execute arbitrary code remotely, providing shell access to the target system.

Other Options:

A (psexec): This exploit is a post-exploitation tool that requires valid credentials to execute commands remotely.

B (ms08_067_netapi): A vulnerability targeting older Windows systems (e.g., Windows XP). It is unlikely to work on Windows 7.

D (snmp_login): This is an auxiliary module for enumerating SNMP, not gaining shell access.

CompTIA Pentest+ References:

Domain 2.0 (Information Gathering and Vulnerability Identification)

Domain 3.0 (Attacks and Exploits)

Leverage SSRF for Metadata Access:

Server-side request forgery (SSRF) vulnerabilities allow attackers to force a server to send requests to internal resources. In cloud environments, SSRF can often be used to access the metadata service (e.g., AWS EC2 metadata) to retrieve credentials for cloud services.

Once credentials are obtained, they can be used to access privileged systems that are not directly accessible from the internet.

Why Not Other Options?

A (Public bucket): Analyzing the bucket for sensitive data is useful but does not directly lead to privileged system access.

B (Pacu): Pacu is used for AWS exploitation but requires credentials or misconfigured roles. SSRF can provide the credentials needed to run Pacu effectively.

C (SSH brute force): Brute-forcing SSH is noisy and inefficient. Privileged systems are likely better protected than SSH open to the internet.

D (Phishing via XSS): This is a longer-term attack and less direct compared to leveraging SSRF.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

SSRF Exploitation and Cloud Metadata Access Techniques

The question specifies wireless network security assessment with the goal of intercepting sensitive employee data.

WiFi-Pumpkin is specifically designed for Wi-Fi penetration testing. It can act as a rogue access point (evil twin attack) to trick users into connecting, then perform man-in-the-middle (MITM) attacks, traffic interception, credential harvesting, and phishing over Wi-Fi. This matches the goal of capturing sensitive employee data.

Why not the others?

A. Metasploit: General exploitation framework, not specialized for Wi-Fi traffic interception.

C. SET (Social-Engineer Toolkit): Used for phishing/social engineering, not wireless MITM.

D. theHarvester: Information gathering tool for enumerating emails, subdomains, etc.

E. WiGLE.net: Wireless network discovery database (maps SSIDs), not for active interception.

CompTIA PT0-003 Mapping:

Domain 3.0: Attacks and Exploits

3.1: Exploit wireless network vulnerabilities (evil twin, rogue AP, MITM).

Evaluation Criteria:

CVSS (Common Vulnerability Scoring System): Indicates the severity of vulnerabilities, with higher scores representing more critical vulnerabilities.

EPSS (Exploit Prediction Scoring System): Estimates the likelihood of a vulnerability being exploited in the wild.

Analysis:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

Selection Justification:

fileserver has the highest EPSS score of 0.90, indicating a high likelihood of exploitation despite having a slightly lower CVSS score compared to other targets.

This makes it a critical target for immediate testing to mitigate potential exploitation risks.

Pentest References:

Risk Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, the penetration tester focuses on a target that is highly likely to be exploited, addressing the most immediate risk based on the given scores.

Top of Form

Bottom of Form

Since the tester has compromised a Windows machine and bypassed security, the best next step is to extract credentials from memory to move laterally within Active Directory.

Option A (Mimikatz) ✅: Correct.

Mimikatz extracts hashed credentials, plaintext passwords, and Kerberos tickets from memory.

Attackers use Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) to authenticate on other systems without cracking passwords.

Option B (Hashcat) ❌: Cracking passwords takes time and is not necessary if Mimikatz provides reusable credentials.

Option C (Evil-WinRM) ❌: Evil-WinRM is useful for remotely executing commands, but without valid credentials, it won’t work.

Option D (Metasploit) ❌: Metasploit payloads may be useful for initial exploitation, but credential dumping is a better next step.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Credential Dumping & Lateral Movement

An external attack surface review focuses on identifying publicly accessible assets that an attacker could exploit. The first step in this process is information gathering, which involves enumerating domains, subdomains, public IPs, DNS records, and other internet-facing resources. This is done using passive reconnaissance tools such as Whois, Shodan, Google Dorking, and OSINT techniques.

Option A is correct because it aligns with the assessment goal—finding public-facing systems and their vulnerabilities before an attacker does.

Option B (phishing assessment) is incorrect because it involves social engineering, which is not part of an external attack surface review.

Option C (physical security review) is incorrect as it pertains to physical penetration testing, not an external attack analysis.

Option D (vulnerability assessment) is incorrect because a vulnerability assessment is a later step after reconnaissance. The first step is identifying assets through information gathering.

ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.

Understanding ProxyChains:

Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).

Usage: It’s commonly used to anonymize network traffic and perform actions through an intermediate proxy.

Command Breakdown:

proxychains nmap -sT : This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.

Nmap Scan (-sT): This option specifies a TCP connect scan.

Setting Up ProxyChains:

Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.

Adding Proxy: Add the compromised host as a SOCKS proxy.

Step-by-Step Explanationplaintext

Copy code

socks4 127.0.0.1 1080

Execution:

Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).

Run ProxyChains with Nmap: Execute the command on the attacker's host.

proxychains nmap -sT

References from Pentesting Literature:

ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.

HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate systems.