CompTIA PT0-003 - CompTIA PenTest+ Exam

Badge cloning typically involves copying the data from access control badges, which frequently utilize the following technologies:

NFC (Near-Field Communication):

NFC is a subset of RFID technology that operates at short ranges (up to 10 cm). It is commonly used in modern access control systems, payment systems, and badge technologies. NFC cloning tools can intercept and copy badge data.

RFID (Radio-Frequency Identification):

RFID operates over a broader range of frequencies and distances than NFC. Many legacy access systems use RFID badges, which are susceptible to cloning attacks using RFID readers and cloning devices.

Exclusions:

Bluetooth, Modbus, Zigbee, CAN bus are not typically used in badge-based access control systems and are unrelated to badge cloning.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

Advanced Persistent Threat (APT):

Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.

Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.

Immediate Reporting:

Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.

Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.

Other Actions:

Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.

Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.

Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.

Pentest References:

Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.

Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.

By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

======

Software Composition Analysis (SCA) is used to analyze dependencies in applications and identify vulnerable open-source libraries.

Option A (VM - Virtual Machine) ❌: A VM is a computing environment, not a vulnerability detection tool.

Option B (IAST - Interactive Application Security Testing) ❌: IAST analyzes runtime behavior, but it does not specialize in detecting vulnerable libraries.

Option C (DAST - Dynamic Application Security Testing) ❌: DAST scans running applications for vulnerabilities, but it does not analyze open-source libraries.

Option D (SCA - Software Composition Analysis) ✅: Correct.

Identifies security flaws in dependencies.

Used for managing supply chain risks.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Software Composition Analysis (SCA)

A false positive occurs when a vulnerability scan incorrectly flags a security issue that does not exist or is not exploitable in the context of the application. Here ' s the reasoning:

Definition of Command Injection:Command injection vulnerabilities occur when user-controllable data is passed to an interpreter or command execution context without proper sanitization, allowing an attacker to execute arbitrary commands.

Code Analysis:

The response variable is defined as a constant (const), which implies its value is immutable during runtime.

The response is not sourced from user input nor used elsewhere, meaning there is no attack surface or exploitation pathway for an attacker to influence the content of response.

Scanner Misclassification:Static Application Security Testing (SAST) tools may flag vulnerabilities based on patterns (e.g., .innerHTML usage) without assessing the source and flow of data, resulting in false positives.

Final Classification:Since the response variable is static and unchangeable, the flagged issue is not exploitable. This makes it a false positive.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

OWASP Static Code Analysis Guide

To acquire valid credentials through a social engineering campaign, the tester needs (1) a way to deliver controlled phishing messages and track engagement, and (2) a method to capture authentication material when targets attempt to log in. Gophish is a phishing campaign framework used to send realistic emails, manage templates and landing pages, and collect campaign metrics (opens, clicks, submitted data). This directly supports the operational side of a sanctioned phishing assessment described in PenTest+ social engineering activities.

Evilginx aligns with credential acquisition by acting as a reverse-proxy phishing technique that relays “real” authentication traffic to the legitimate site while capturing credentials and related session artifacts during the login flow. This is especially relevant in modern environments where testers may need to evaluate the effectiveness of protections like MFA and conditional access controls.

Other options are supportive but not the most direct for credential capture: theHarvester/Maltego help identify or organize targets, Shodan focuses on exposed systems, and TruffleHog searches for leaked secrets in repositories rather than conducting a social engineering campaign.

A. Deploy a command-and-control server with custom profiles to facilitate execution.

B. Use Python 3 with added testing libraries and script the relevant action to test.

C. Utilize the PowerShell PowerView tool with custom scripting additions based on test results.

D. Implement Atomic Red Team to chain critical TTPs and perform the test.

Answer: D

To automate adversarial activities in a repeatable, measurable way, PenTest+ emphasizes using frameworks that map directly to attacker behaviors (TTPs) and support consistent execution across environments. Atomic Red Team is designed specifically for this purpose: it provides standardized, modular tests aligned to common adversary techniques and allows defenders and testers to validate detection and response capabilities by repeatedly executing those behaviors in a controlled manner. Starting with Atomic Red Team helps translate lessons learned from penetration tests into an ongoing validation program by selecting only the techniques relevant to the organization’s threat model and then chaining them into realistic sequences. This supports continuous security testing, regression checks after changes, and objective measurement of control effectiveness.

By contrast, deploying a full command-and-control platform first increases operational complexity and risk without ensuring the activities are standardized or easily repeatable. Writing custom Python scripts or extending PowerView can work, but those approaches typically require more bespoke development and do not inherently provide a structured library of TTP tests that can be consistently run and reported. Atomic Red Team is the best “first” step for automation.

The attacker is attempting to access restricted files by navigating directories beyond their intended scope.

Directory Traversal (Option C):

The request uses encoded " ../ " sequences (%2e%2e%2f = ../) to move up directories and access /etc/passwd.

This is a classic directory traversal attack aimed at accessing system files.

Obtaining a wireless preshared key (PSK) in a WPA/WPA2-Personal environment typically relies on capturing the 4-way handshake (or equivalent key exchange) between a client and the access point. PenTest+ emphasizes that the handshake is captured when a client authenticates or reauthenticates to the network; once the handshake is collected, the tester can attempt an offline password attack to determine the PSK (subject to rules of engagement and authorization).

Using aireplay-ng to perform a deauthentication attack forces connected clients to disconnect and then automatically reconnect, which triggers a new handshake that can be captured by the tester’s monitoring interface. This directly supports the goal of acquiring material needed to recover the PSK.

An evil twin (A) and captive portal (C) are social-engineering approaches more aligned with credential harvesting for enterprise/portal-based access, not reliably extracting a WPA2-PSK. Password spraying with Hydra (B) targets online login services and is not applicable to cracking a WPA/WPA2 PSK, which is derived from the handshake and performed offline.

The correct answer is A. Evilginx

Evilginx is a phishing framework commonly associated with adversary-in-the-middle phishing attacks. It can proxy authentication traffic between a victim and a legitimate service, allowing the attacker to capture credentials and session tokens. Because session tokens may be captured after successful authentication, Evilginx is known for being able to defeat or bypass some MFA workflows during authorized social engineering assessments.

B is incorrect because the listed commands resemble a phishing module configuration, but they are not the best-known or most appropriate option for capturing MFA/session tokens.

C is incorrect because wget portal.office.com only retrieves web content, and setting an environment variable named MFA does not create an MFA capture capability.

D is incorrect because Recon-ng is an OSINT and reconnaissance framework. It is used for information gathering, not for capturing MFA tokens or conducting adversary-in-the-middle phishing.

In PenTest+ terms, this falls under Attacks and Exploits, specifically social engineering, phishing, credential harvesting, and MFA/session-token capture techniques used during authorized engagements.

Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.

Understanding Hash-Based Relays:

NTLM Relay Attack: An attacker intercepts and relays NTLM authentication requests to another service, effectively performing authentication on behalf of the victim.

SMB Protocol: Port 445 is used for SMB/CIFS traffic, which supports NTLM authentication.

Prioritizing Port 445:

Vulnerability: SMB is often targeted because it frequently supports NTLM authentication, making it susceptible to relay attacks.

Tools: Tools like Responder and NTLMRelayX are commonly used to capture and relay NTLM hashes over SMB.

Execution:

Capture Hash: Use a tool like Responder to capture NTLM hashes.

Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445.

References from Pentesting Literature:

Penetration testing guides frequently discuss targeting SMB (port 445) for hash-based relay attacks.

HTB write-ups often include examples of NTLM relay attacks using port 445.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

Given the output, the penetration tester should select the fileserver as the next target for testing, considering both CVSS and EPSS scores.

CVSS (Common Vulnerability Scoring System):

Purpose: CVSS provides a numerical score to represent the severity of vulnerabilities, helping to prioritize remediation efforts.

Higher Scores: Indicate more severe vulnerabilities.

EPSS (Exploit Prediction Scoring System):

Purpose: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Higher Scores: Indicate a higher likelihood of exploitation.

Evaluation:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

The fileserver has the highest EPSS score, indicating a high likelihood of exploitation, despite having a slightly lower CVSS score compared to hrdatabase and legaldatabase.

Pentest References:

Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, which has a high EPSS score, the penetration tester focuses on a target that is more likely to be exploited, thereby addressing the most immediate risk.

======