PT0-003 Exam Dumps - CompTIA PenTest+ Exam

When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information. Here’s why:

Code Repository Scanning:

Leaked Information: Code repositories (e.g., GitHub, GitLab) often contain sensitive information, including API keys, configuration files, and even credentials that developers might inadvertently commit.

Accessible: These repositories can often be accessed publicly, bypassing traditional defenses like WAFs.

Comparison with Other Methods:

HTML Scraping: Limited to the data present on web pages and can still be blocked by WAF.

Directory Enumeration: Likely to be blocked by WAF as well and might not yield significant internal information.

Port Scanning: Also likely to be blocked or trigger alerts on WAF or IDS/IPS systems.

Scanning code repositories allows gathering a wide range of information that can be critical for further penetration testing effort

======

The tester gained information by listening to a private discussion, which is eavesdropping (passive reconnaissance).

Option A (Eavesdropping) ✅: Correct.

Involves intercepting conversations via audio, network traffic, or wireless signals.

Option B (Bluesnarfing) ❌: Stealing data via Bluetooth, which is not mentioned.

Option C (Credential harvesting) ❌: No password collection occurred.

Option D (SQL injection) ❌: SQLi affects databases, not voice communications.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – OSINT & Eavesdropping Techniques

When testing a power plant's network and needing to avoid disruption to the grid, configuring a port mirror and reviewing the network traffic is the most appropriate method to identify vulnerabilities without causing disruptions.

Port Mirroring:

Definition: Port mirroring (SPAN - Switched Port Analyzer) is a method of monitoring network traffic by duplicating packets from one or more switch ports to another port where a monitoring device is connected.

Purpose: Allows passive monitoring of network traffic without impacting network operations or device performance.

Avoiding Disruption:

Non-Intrusive: Port mirroring is non-intrusive and does not generate additional traffic or load on the network devices, making it suitable for sensitive environments like power plants where disruption is not acceptable.

Other Options:

Network Scanner Engine: Active scanning might disrupt network operations or devices, which is not suitable for critical infrastructure.

Testing Framework: Validating vulnerabilities on devices might involve active testing, which can be disruptive.

Network Mapper Tool: Running a network mapper tool (like Nmap) actively scans the network and might disrupt services.

Pentest References:

Passive Monitoring: Passive techniques such as port mirroring are essential in environments where maintaining operational integrity is critical.

Critical Infrastructure Security: Understanding the need for non-disruptive methods in critical infrastructure penetration testing to ensure continuous operations.

By configuring a port mirror and reviewing network traffic, the penetration tester can identify vulnerabilities in the power plant's network without risking disruption to the grid.

======

The vulnerability in question is XML External Entity (XXE) injection, which occurs when an application processes XML input containing external entities that access files on the server or external resources.

Disabling External Entities:

The root cause of the issue is the application's ability to process external entities (). Disabling external entities entirely prevents XXE attacks.

This can be achieved by properly configuring the XML parser (e.g., in Java, disable DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl ", true)).

Why Not Other Options?

A (chmod o-rwx): File permission hardening may reduce the impact of a successful attack but does not mitigate XXE at the parser level.

B (Review logs): Reviewing logs is a reactive measure, not a prevention mechanism.

D (WAF): A WAF may block some malicious requests but is not a reliable mitigation for XXE vulnerabilities embedded in legitimate XML input.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

OWASP XXE Prevention Cheat Sheet

In the PenTest+ pre-engagement and scoping process, a “target” refers to an asset or system component that can be assessed—such as an application, host, network segment, cloud resource, or interface that provides business functionality. An API is a valid target because it is a discrete, testable asset with defined inputs/outputs and commonly has its own authentication, authorization, rate limiting, data handling, and business-logic controls. During scoping, APIs are often explicitly listed as in-scope assets (for example, REST endpoints, GraphQL interfaces, or partner-facing integrations) because they can expose sensitive data and functionality even when the main web UI appears secure.

By contrast, HTTP and ICMP are protocols, not assets. They can be part of the assessment (e.g., testing HTTP services or ICMP filtering), but they are not themselves “targets” in the sense of scoping an asset inventory. “IPA” is not a standard target category in PenTest+ scoping language (it is typically associated with file formats or unrelated terms). Therefore, API is the correct example of a target asset.

Correct Syntax for a Range Loop in Bash:

The seq command generates a sequence of numbers in a specified range, which is ideal for iterating over IP addresses in a Class C subnet (1–254).

Example: seq 1 254 will output numbers 1, 2, ..., 254 sequentially.

Explanation of Other Options:

A (crunch): The crunch command is used for wordlist generation and is unrelated to looping in Bash.

C (echo 1-254): This would output "1-254" as a string instead of generating a numeric range.

D ({1.-254}): This is incorrect Bash syntax and would result in a script error.

Final Script:

bash

for var in $(seq 1 254)

do

ping -c 1 192.168.10.$var

done

CompTIA Pentest+ References:

Domain 4.0 (Penetration Testing Tools)

Bash Scripting and Automation

Penetration testers search for hardcoded credentials, API keys, and authentication tokens in source code repositories to identify secrets leakage.

Secrets scanning (Option B):

The find and egrep command scans all files recursively for sensitive keywords like "token," "key," and "login".

Attackers use tools like TruffleHog and GitLeaks to automate secret discovery.

Since the client is worried about the availability of their consumer-facing application, the perimeter network web server (Server 3) is the most critical because:

It is internet-facing, making it a prime target for attackers.

A compromise could lead to data breaches, downtime, or service disruptions.

Even though it has fewer vulnerabilities (14 vs. 92 on QA server), its exposure is higher.

Option A (Development sandbox server) ❌: Internal and not publicly accessible.

Option B (Back-office file transfer server) ❌: Important, but not consumer-facing.

Option C (Perimeter web server) ✅: Correct. Publicly accessible and critical to operations.

Option D (Developer QA server) ❌: May have more vulnerabilities, but it’s less critical.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Prioritizing Vulnerability Testing