PT0-003 CompTIA PenTest+ Exam Free Practice Exam Questions (2026 Updated)

During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here's a detailed explanation of why clearing the Windows event logs is the best method for this scenario:

Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.

Why Clear Windows Event Logs:

Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.

Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.

Method to Clear Event Logs:

Use the built-in Windows command line utility wevtutil to clear logs. For example:

shell

Copy code

wevtutil cl System

wevtutil cl Security

wevtutil cl Application

These commands clear the System, Security, and Application logs, respectively.

Alternative Options and Their Drawbacks:

Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.

Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones and can alert administrators to suspicious activity.

Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs and can be easily noticed by administrators.

Case References:

HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth. For example, in the "Gobox" and "Writeup" machines, maintaining a low profile involved managing log data to avoid detection​​​​.

Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.

In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester's actions remain undetected.

======

Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.

Preparation:

Wireless USB Dongle: Ensure the wireless USB dongle is compatible with monitoring mode and packet injection.

Aircrack-ng Suite: Use the Aircrack-ng suite, a popular set of tools for wireless network auditing.

Enable Monitoring Mode:

Command: Use the airmon-ng tool to enable monitoring mode on the wireless interface.

Step-by-Step Explanationairmon-ng start wlan0

Verify: Check if the interface is in monitoring mode.

iwconfig

Capture WPA2 Handshakes:

Airodump-ng: Use airodump-ng to start capturing traffic and handshakes.

airodump-ng wlan0mon

References from Pentesting Literature:

Enabling monitoring mode is a fundamental step in wireless penetration testing, discussed in guides like "Penetration Testing - A Hands-on Introduction to Hacking".

HTB write-ups often start with enabling monitoring mode before proceeding with capturing WPA2 handshakes.

CrackMapExec (CME) is the best choice because it supports authenticated enumeration against Active Directory and can retrieve domain configuration information—including password policy details—using valid domain credentials. In the PenTest+ methodology, once a tester has a standard domain account, a common next step is to enumerate domain settings that influence attack feasibility and safety, such as minimum password length, complexity requirements, lockout threshold, lockout duration, and password history. These values directly inform how to build a “policy-aware” custom wordlist and how to tune dictionary or spraying attempts to remain within rules of engagement and avoid triggering lockouts.

Responder is primarily used for LLMNR/NBT-NS poisoning and capturing or relaying authentication on local networks; it does not query AD policy as its main function. Hydra is a login brute-force tool that performs attacks, not policy retrieval. msfvenom is a payload generator used for exploitation and post-exploitation delivery, unrelated to enumerating AD password policy. Therefore, CME is the most appropriate tool to retrieve the password policy for informed dictionary construction.

A blind web application test means that the tester has no prior knowledge of the application's internal workings. The best tool for automated scanning and vulnerability detection is a web application proxy such as OWASP ZAP.

ZAP (Option A):

OWASP Zed Attack Proxy (ZAP) is a widely used web application scanner for finding common vulnerabilities (e.g., SQL injection, XSS, authentication flaws).

It provides passive and active scanning features to test web applications for security weaknesses.

The script shows:

Use of BlobServiceClient.from_connection_string() — this is Azure Blob Storage interaction.

It opens a local file in binary mode (with open(file_path, "rb")).

Calls blob_client.upload_blob(data) — clearly indicating uploading the local file to cloud storage.

This matches data exfiltration activity, where stolen or sensitive local files are sent to an external system (cloud storage).

Why not the others?

A. API endpoint: The code uses Azure Blob storage SDK, not a REST API endpoint.

B. Download data from cloud storage: Code uploads, not downloads.

C. Alternate data streams (ADS): That’s a Windows NTFS feature, unrelated to cloud storage.

CompTIA PT0-003 Objective Mapping:

Domain 3.0 Attacks and Exploits

3.2: Post-exploitation techniques (data exfiltration, cloud storage use).

A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host’s operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.

Definition and Purpose:

Rootkits are primarily used to gain and maintain root access (administrative privileges) on a system.

They disguise themselves as legitimate software or integrate deeply into the operating system to avoid detection.

Mechanisms of Action:

Kernel Mode Rootkits: These operate at the kernel level, which is the core of the operating system, making them very powerful and hard to detect.

User Mode Rootkits: These run in the same space as user applications, intercepting and altering standard system API calls to hide their presence.

Bootkits: These infect the Master Boot Record (MBR) or Volume Boot Record (VBR) and load before the operating system, making them extremely difficult to detect and remove.

Detection and Prevention:

Detection Tools: Tools like RootkitRevealer, Chkrootkit, and rkhunter can help in identifying rootkits.

Prevention: Regular system updates, use of strong antivirus and anti-malware solutions, and integrity checking tools like Tripwire can help in preventing rootkit infections.

Real-World Examples:

Sony BMG Rootkit: In 2005, Sony BMG included a rootkit in their digital rights management (DRM) software on music CDs. The rootkit hid files and processes, leading to a major scandal when it was discovered.

Stuxnet: This sophisticated worm included a rootkit component to hide its presence on infected systems, making it one of the most infamous examples of rootkit use in a cyber attack.

References from Pentesting Literature:

In "Penetration Testing - A Hands-on Introduction to Hacking" by Georgia Weidman, rootkits are discussed in the context of post-exploitation, where maintaining access to the compromised system is crucial.

Various HTB write-ups, such as the analysis of complex attacks involving multiple stages of exploitation, often highlight the use of rootkits in maintaining persistent access.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups on sophisticated attacks

======

BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses on web browsers. It has built-in functionality for generating malicious QR codes, which can be used to direct users to malicious websites, execute browser-based attacks, or gather information.

Understanding BeEF:

Purpose: BeEF is designed to exploit vulnerabilities in web browsers and gather information from compromised browsers.

Features: Includes tools for generating malicious payloads, QR codes, and social engineering techniques.

Creating Malicious QR Codes:

Functionality: BeEF has a feature to generate QR codes that, when scanned, redirect the user to a malicious URL controlled by the attacker.

Command: Generate a QR code that directs to a BeEF hook URL.

Step-by-Step Explanationbeef -x --qr

Usage in Physical Security Assessments:

Deployment: Place QR codes in strategic locations to test whether individuals scan them and subsequently compromise their browsers.

Exploitation: Once scanned, the QR code can lead to browser exploitation, information gathering, or other payload execution.

References from Pentesting Literature:

BeEF is commonly discussed in penetration testing guides for its browser exploitation capabilities.

HTB write-ups and social engineering exercises often mention the use of BeEF for creating malicious QR codes and exploiting browser vulnerabilities.

The Nmap command nmap -sv -sT -p- 192.168.1.0/24 is designed to discover services on a network. Here is a breakdown of the command and its purpose:

Command Breakdown:

nmap: The network scanning tool.

-sV: Enables service version detection. This option tells Nmap to determine the version of the services running on open ports.

-sT: Performs a TCP connect scan. This is a more reliable method of scanning as it completes the TCP handshake but can be easily detected by firewalls and intrusion detection systems.

-p-: Scans all 65535 ports. This ensures a comprehensive scan of all possible TCP ports.

192.168.1.0/24: Specifies the target network range (subnet) to be scanned.

Purpose of the Scan:

Service Discovery (Answer: C): The primary purpose of this scan is to discover which services are running on the network's hosts and determine their versions. This information is crucial for identifying potential vulnerabilities and understanding the network's exposure.

The provided Bash script is used to ping a range of IP addresses to identify active hosts in a network. Here's a detailed breakdown of the script and the necessary modification:

Original Script:

1 network_addr="192.168.1"

2 for h in {1..254}; do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo "Host $h is up"

6 else

7 echo "Host $h is down"

8 fi

9 done

Analysis:

Line 2: The loop uses {1..254} to iterate over the range of host addresses. However, this notation might not work in all shell environments, especially if not using bash directly or if the script runs in a different shell.

Using seq for Better Compatibility:

The seq command is a more compatible way to generate a sequence of numbers. It ensures the loop works in any POSIX-compliant shell.

Modified Line 2:

for h in $(seq 1 254); do

This change ensures broader compatibility and reliability of the script.

Modified Script:

1 network_addr="192.168.1"

2 for h in $(seq 1 254); do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo "Host $h is up"

6 else

7 echo "Host $h is down"

8 fi

9 done

======

Operational Technology (OT) protocols are used in industrial control systems (ICS) to manage and automate physical processes. Here’s an analysis of each protocol regarding whether it sends information in cleartext:

TTEthernet (Option A):

TTEthernet (Time-Triggered Ethernet) is designed for real-time communication and safety-critical systems.

Security: It includes mechanisms for reliable and deterministic data transfer, not typically sending information in cleartext.

DNP3 (Option B):

DNP3 (Distributed Network Protocol) is used in electric and water utilities for SCADA (Supervisory Control and Data Acquisition) systems.

Security: While the original DNP3 protocol transmits data in cleartext, the DNP3 Secure Authentication extensions provide cryptographic security features.

Modbus (Answer: C):

Modbus is a communication protocol used in industrial environments for transmitting data between electronic devices.

Security: Modbus transmits data in cleartext, which makes it susceptible to interception and unauthorized access.

kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations. Here’s why option B is correct:

Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.

Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.

Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.

Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.

References from Pentest:

Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters​​.

Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters​​.

Conclusion:

Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.

======

The command snmpwalk -v 2c -c public 192.168.1.23 is used to query SNMP (Simple Network Management Protocol) data from a device. Here’s the purpose in the context provided:

SNMP Enumeration:

Function: snmpwalk is used to retrieve a large amount of information from the target device using SNMP.

Version: -v 2c specifies the SNMP version.

Community String: -c public specifies the community string, which is essentially a password for SNMP queries.

Purpose of the Command:

Validate Results: The tester uses SNMP to gather detailed information about the network devices to confirm the findings of the vulnerability scanner and remove any false positives.

Detailed Information: SNMP can provide detailed information about device configurations, network interfaces, and other settings that can validate the scanner’s results.

Comparison with Other Options:

Bypassing Defensive Systems (A): Not directly related to SNMP enumeration.

Using Automation Tools (B): While SNMPwalk is automated, the primary purpose here is validation.

Script Exploits (C): SNMPwalk is not used for scripting exploits but for information gathering.

By using snmpwalk, the tester is validating the results from the vulnerability scanner and removing any false positives, ensuring accurate reporting.

======

The smbclient tool is used to access SMB/CIFS resources on a network. It allows penetration testers to connect to shared resources and enumerate users on a network, particularly in Windows environments. While finger and rwho are more common on Unix/Linux systems, smbclient provides better functionality for enumerating users across a network.

Understanding smbclient:

Purpose: smbclient is used to access and manage files and directories on SMB/CIFS servers.

Capabilities: It allows for browsing shared resources, listing directories, downloading and uploading files, and enumerating users.

User Enumeration:

Command: Use smbclient with the -L option to list available shares and users.

Step-by-Step Explanationsmbclient -L //target_ip -U username

Example: Enumerating users on a target system.

smbclient -L //192.168.50.2 -U anonymous

Advantages:

Comprehensive: Provides detailed information about shared resources and users.

Cross-Platform: Can be used on both Linux and Windows systems.

References from Pentesting Literature:

SMB enumeration is a common practice discussed in penetration testing guides for identifying shared resources and users in a network environment.

HTB write-ups frequently mention the use of smbclient for enumerating network shares and users.

Risk scoring is the report element that most directly enables an organization to prioritize remediation work because it translates technical findings into an ordered view of business risk. In PenTest+ reporting guidance, testers are expected to communicate not only what is vulnerable but also how severe the issue is and how likely it is to be exploited, often incorporating factors such as exploitability, impact, exposure, and the presence of compensating controls. This produces a defensible ranking that helps stakeholders decide what to fix first when time and resources are limited.

Proof of concept supports validation by demonstrating that exploitation is possible, but it does not inherently provide comparative urgency across multiple findings. An attack narrative explains the path the tester used to achieve objectives (useful for understanding chaining and scope impact), but it is typically descriptive rather than a prioritization mechanism. The executive summary is aimed at leadership-level communication and overall posture, yet it usually depends on underlying risk ratings to justify what should be addressed first. Therefore, risk scoring most directly drives remediation prioritization.

WiGLE.net is the best choice because it is purpose-built for identifying and mapping wireless networks (SSIDs/BSSIDs) using aggregated wardriving-style data and location-based search. In PenTest+ reconnaissance, testers often need to quickly determine what wireless networks are present in or around a physical location—especially when assessing how corporate mobile devices might encounter nearby SSIDs that could be abused for evil-twin or misassociation scenarios. WiGLE helps identify networks by area and provides details that support follow-on testing decisions, such as which SSIDs are common, whether naming patterns suggest corporate ownership, and whether nearby networks could confuse users or devices.

Wireshark is a packet analyzer and requires traffic capture; it is not a discovery database for “what networks exist” in a geographic area. theHarvester and Recon-ng are OSINT tools oriented toward emails, domains, hosts, and identity data—not local wireless network identification. For the stated goal of identifying available Wi-Fi networks for mobile-device exposure assessment, WiGLE.net most directly fits the objective.

Debugging Mode:

Purpose: Debugging mode provides detailed error messages and debugging information, useful during development.

Risk: In a production environment, it exposes sensitive information and vulnerabilities, making the system more susceptible to attacks.

Common Causes:

Configuration Changes: During testing or penetration testing, configurations might be altered to facilitate debugging. If not reverted, these changes can leave the system in a vulnerable state.

Oversight: Configuration changes might be overlooked during deployment.

Best Practices:

Deployment Checklist: Ensure a checklist is followed that includes reverting any debug configurations before moving to production.

Configuration Management: Use configuration management tools to track and manage changes.

References from Pentesting Literature:

The importance of reverting configuration changes is highlighted in penetration testing guides to prevent leaving systems in a vulnerable state post-testing.

HTB write-ups often mention checking and ensuring debugging modes are disabled in production environments.

Comprehensive and Detailed Explanation:

When a penetration tester finds a deprecated web directory that’s publicly accessible, the goal is to gather as much information as possible without triggering alerts.

Enumerating cached pages (such as those stored by Google Cache, the Wayback Machine, or local proxy caches) allows the tester to:

View historical or deleted content that might contain sensitive data, credentials, or configuration info.

Gather evidence without directly interacting with the target system, thus minimizing detection risk.

Why not the others:

B. Looking for externally available services: Useful for attack surface mapping, but not for extracting data from the discovered directory.

C. Scanning for exposed ports: Active probing that increases detection risk; unrelated to exploring a directory.

D. Searching for vulnerabilities/exploits: Premature; reconnaissance and content discovery come first.

CompTIA PT0-003 Mapping:

Domain 2.0: Information Gathering and Vulnerability Scanning

OSINT and passive reconnaissance to identify exposed data and files.

Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.

Understanding Kerberoasting:

Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.

Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.

Command Breakdown:

setspn.exe -Q /: This command queries all SPNs in the domain.

Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.

Kerberoasting Steps:

Identify SPNs: Use setspn.exe to list service accounts with SPNs.

Request TGS Tickets: Request TGS tickets for the identified SPNs.

Extract Tickets: Use tools like Mimikatz to extract the service tickets.

Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.

References from Pentesting Literature:

Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.

HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

Advanced Persistent Threat (APT):

Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.

Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.

Immediate Reporting:

Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.

Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.

Other Actions:

Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.

Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.

Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.

Pentest References:

Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.

Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.

By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

======