PT0-003: CompTIA PenTest+

Incorrect. `requests.get(url)` is a valid method call for issuing an HTTP GET request and is appropriate for checking whether a URL is reachable and what status code it returns. While you might enhance it with headers, timeouts, or session reuse for scale, the method itself is not the required change to fix the core correctness issue in the snippet.

Incorrect. `import requests` is correct and required to use the requests library. The bug is not caused by a missing or incorrect import. If anything, additional imports (e.g., for concurrency) could improve performance for a very large list, but the question asks what change is required for correctness, which is in the status check logic.

Incorrect. The delimiter in `split("\n")` is reasonable for a newline-separated file and is not the primary issue. A more robust approach might use `splitlines()` to handle different newline formats and avoid trailing empty entries, but the script’s fundamental problem is mis-checking the HTTP status (wrong attribute and wrong interpretation of 401).

Golden Ticket attacks involve forging Kerberos Ticket Granting Tickets (TGTs). The key prerequisite is obtaining the krbtgt account’s secret (NTLM hash/AES key) from the domain, typically after domain admin-level compromise. SPN information is not required to create a Golden Ticket; the attacker can mint TGTs and then request access to services broadly.

DCShadow is an Active Directory attack where an adversary registers a rogue domain controller and pushes malicious changes via replication mechanisms. It typically requires high privileges (e.g., Domain Admin, Enterprise Admin, or specific replication-related rights). It does not rely on SPN enumeration; the core prerequisite is replication capability and elevated permissions, not service account identifiers.

LSASS dumping is a post-exploitation technique to extract credentials (NTLM hashes, Kerberos tickets, plaintext creds) from the Local Security Authority Subsystem Service process memory on a Windows host. The prerequisite is local admin/SYSTEM-level access (or equivalent) on the target machine, not SPN account information. SPNs are unrelated to dumping LSASS.

Incorrect. Pass-the-hash over SMB would use NTLM hashes rather than a plaintext password. In CME, PtH is typically performed by supplying hashes (e.g., --hashes or similar) instead of -p with a cleartext string. Since the command uses -p Summer123@, it is attempting standard authentication with a password, not replaying a captured hash.

Incorrect. Common protocol scanning refers to discovering open ports/services across hosts (e.g., using nmap or masscan). CrackMapExec is primarily for SMB/AD credential testing, enumeration, and post-exploitation workflows, not broad multi-protocol scanning. This command specifically targets SMB and attempts logons; it is not enumerating multiple protocols or doing port discovery.

Incorrect. Remote command execution with CME requires additional options such as -x (run a command) or -X (run PowerShell), and typically successful credentials with sufficient privileges. This command only supplies targets and credentials for authentication attempts; it does not include any execution flags or payloads, so it is not executing commands on endpoints.

“dig +short A AAAA local.domain” performs targeted lookups for A and AAAA records for a single name (local.domain). It may return only the zone apex IPs (or nothing) and will not enumerate subdomains or other record types. Useful for quick resolution checks, but it cannot retrieve “all corporate domain DNS records.”

“nslookup local.domain” resolves one name using the system’s default resolver. It provides limited information (typically A/AAAA) and does not attempt a zone transfer or enumerate the namespace. It’s a basic troubleshooting query, not a comprehensive DNS enumeration technique.

“nslookup -server local.dns.server local.domain *” resembles an attempt to query a wildcard, but DNS does not support listing all records via “*”. A wildcard record only answers for non-existent names; it does not enumerate existing hostnames. Even if it returns something, it won’t provide a complete zone listing like AXFR.

Banner grabbing is an active technique that connects to a service (e.g., HTTP, SSH, SMTP) to read identifying strings and version details. Even though it may involve only a small number of connections, it still generates traffic to the target and is commonly logged by the service and monitored by IDS/IPS or SIEM rules. It is therefore more detectable than passive sniffing.

TCP/UDP scanning is active reconnaissance that sends crafted packets to many ports/hosts to determine open services and firewall behavior. This produces distinctive patterns (SYN scans, UDP probes, retransmissions, port sweeps) that network security tools frequently detect and alert on. While rate limiting and evasion exist, scanning remains inherently noisy compared to passive collection.

Ping sweeps are active host discovery, typically using ICMP echo requests (and sometimes ARP or TCP-based pings) across an address range. This can quickly identify live hosts, but it generates bursts of ICMP or other probe traffic that is easy to spot in logs and is often blocked or alerted on. It is more likely to be flagged than passive sniffing.

Burp Suite is an intercepting web proxy used for testing web applications by capturing and modifying HTTP/S requests and responses. It can reveal credentials if the tester routes a browser through Burp or performs TLS interception, but it is not primarily a packet sniffer for general network communications. The scenario describes capturing plaintext credentials from network communication, which more directly matches a packet analyzer like Wireshark.

Zed Attack Proxy (OWASP ZAP) is also an intercepting proxy focused on web application testing. Like Burp, it captures and manipulates web requests when the client is configured to use the proxy, and it can help find auth/session issues. However, it is not the typical tool for passive packet capture of arbitrary network traffic between two systems unless you are explicitly proxying that traffic.

Metasploit is an exploitation and post-exploitation framework used to deliver payloads, run exploits, and manage sessions (e.g., Meterpreter). While it has auxiliary modules and can support some sniffing in certain contexts after compromise, it is not the standard tool for capturing plaintext credentials from network traffic during a general assessment. The described activity aligns better with Wireshark.

Incorrect. This command runs nmap locally against <target_cidr> and then pipes nmap’s textual output into nc to port 22 on the compromised host. That does not cause the scan packets to traverse the compromised host, so it is not pivoting. It also attempts to send arbitrary text to an SSH port, which is not a meaningful “relay” for enumeration traffic.

Incorrect. This is a classic named-pipe netcat relay pattern, but as written it’s malformed (mknod syntax is wrong) and conceptually it creates a bidirectional relay for a single TCP flow, not a scalable pivot for enumerating an entire CIDR. It also mixes listening on 8000 with connecting to <target_cidr> on port 80, which doesn’t implement a general proxy for tools like nmap.

Incorrect. This attempts to chain netcat listeners/connectors and then scan 127.0.0.1:8000, but it doesn’t actually establish a pivot through the compromised host. There’s no step that places a proxy on the compromised host or forwards traffic through it. Additionally, nmap syntax is off (scanning “127.0.0.1 8000” is not a correct way to specify a port without -p).

Sidecar scanning is not a standard wireless reconnaissance or troubleshooting term in the PenTest+ context. It does not describe a recognized method for identifying whether an SSID is being broadcast on a particular RF channel. Because the problem is specifically about Wi-Fi network visibility, the tester needs a technique tied to 802.11 channel and beacon analysis. That makes this option a distractor rather than a practical troubleshooting approach.

Stealth scanning focuses on reducing the likelihood of detection during reconnaissance rather than improving the ability to find a wireless network. Even if a scan is performed quietly or passively, the core troubleshooting need is still to inspect the relevant wireless channels for beacon or probe-response traffic. The question asks for the most effective troubleshooting technique, not the least detectable one. Therefore, stealth scanning does not best address the SSID visibility problem.

Static analysis scanning is used to inspect source code, binaries, or applications without executing them. It is relevant to software security testing, not to wireless signal discovery or 802.11 management frame analysis. A missing SSID on a phone is a radio-frequency and wireless configuration issue, not a code-analysis problem. For that reason, static analysis scanning is clearly unrelated to the scenario.

URL spidering (crawling) maps a web application by following links and discovering endpoints. While it may trigger some DNS lookups initially (e.g., for new hostnames), most crawling stays within the same domain and primarily increases HTTP/HTTPS requests, not sustained high DNS volume. A major DNS spike is less consistent with spidering than with DNS tunneling behavior.

HTML scraping extracts content from web pages and APIs. Like spidering, it mainly drives HTTP/HTTPS traffic and application-layer load. DNS usage typically remains stable because the scraper repeatedly accesses the same hostnames after initial resolution. Scraping might increase bandwidth and web server logs, but it is unlikely to produce a substantial, ongoing increase in DNS traffic.

A DoS attack can increase DNS traffic if the DNS infrastructure is targeted (e.g., query floods, amplification). However, the scenario is a consumer-facing web application assessment and the observation is a DNS spike without mention of service outage. In PenTest+ context, a sustained DNS increase during an assessment more commonly indicates DNS tunneling/exfiltration than an overt DoS, which is often out of scope.

Database is not supported by the scan results. Common database ports (e.g., 1433 MSSQL, 3306 MySQL, 5432 PostgreSQL, 1521 Oracle) are not shown as open. While databases can be excellent targets, you should base your selection on observed services/ports. Here, the evidence points to SSH, RPC/NFS, and filtered SMTP—not a database service.

Remote access maps to SSH on 22/tcp. SSH can be a target if weak passwords, exposed keys, outdated daemons, or misconfigurations exist, but it typically requires authentication and is often well-hardened. Without additional findings (version vulnerabilities, credential reuse, default creds), SSH is usually less immediately fruitful than an exposed file-sharing service like NFS.

Email maps to SMTP on 25/tcp, but Nmap reports it as filtered. Filtered indicates a firewall/ACL is blocking probes or limiting connectivity, which reduces immediate attack options. Even when open, SMTP attacks often depend on specific server misconfigurations (open relay, vulnerable MTA versions, user enumeration). In this output, SMTP is not the best initial target.

Incorrect. PTES can be used for web application tests just as well as for network or internal tests; it describes phases and deliverables, not a web-specific approach. DREAD is also not inherently web-specific. The deciding factor between DREAD and PTES is whether you need threat/risk scoring (DREAD) versus a full testing methodology (PTES).

Incorrect. Mobile application assessments may use specialized techniques (reverse engineering, device security checks, API testing), but that does not make DREAD preferable to PTES. PTES remains a general engagement framework. DREAD would only be chosen here if the goal is to score and prioritize mobile threats, not simply because the target is mobile.

Incorrect. Thick client testing involves different attack surfaces (local storage, IPC, update mechanisms, client-server protocols), but PTES still applies as the overarching process. DREAD is not a thick-client methodology; it is a threat rating model. Platform type does not determine DREAD vs PTES; the need for threat prioritization does.

VM (Vulnerability Management) refers to an organizational process and supporting tools for identifying, prioritizing, remediating, and tracking vulnerabilities across systems. While VM platforms may ingest scan results and sometimes include application findings, they are not purpose-built to enumerate application dependencies and map them to open-source CVEs. VM is broader asset-centric management, not focused dependency composition analysis.

IAST (Interactive Application Security Testing) instruments the application (agents/sensors) to observe code execution during functional testing and detect issues like injection, insecure deserialization, and weak crypto usage. Although IAST may reveal some runtime component details, it is not the primary or most reliable approach for identifying all vulnerable open-source libraries and their versions, especially transitive dependencies and build-time packages.

DAST (Dynamic Application Security Testing) tests a running application from the outside (black-box) by sending requests and analyzing responses. It excels at finding runtime vulnerabilities such as XSS, SQLi, auth/session issues, and misconfigurations. However, DAST generally cannot accurately inventory all embedded open-source libraries and versions; it may only infer some components via headers or fingerprints, which is incomplete for dependency vulnerability detection.

Reducing file permissions is not the best prevention for XXE. /etc/passwd is typically world-readable and changing its permissions can break system functionality. More importantly, XXE is a parser configuration flaw; even if file reads are restricted, attackers may still exploit XXE for SSRF (accessing internal web services/metadata endpoints) or other data exposures. Least privilege helps limit impact but does not remove the vulnerability.

Frequent log review is a detection/monitoring control, not a preventive control. It may help identify exploitation attempts after the fact, but it does not stop the XML parser from resolving external entities and disclosing data. For exam questions asking how to best prevent the vulnerability type, choose a control that removes the root cause (unsafe XML parsing) rather than an operational process.

A WAF can sometimes detect and block obvious XXE payloads, but it is not the best prevention. XXE can be obfuscated or encoded to bypass signatures, and WAF rules vary widely. The underlying issue remains an insecure XML parser configuration. WAFs are best treated as defense-in-depth, not the primary fix for XXE.

Initiating a social engineering campaign can help gain initial access or additional credentials, but it is generally less direct once the tester already has an internal foothold. Post-compromise, internal techniques (credential dumping, token impersonation, Kerberoasting, etc.) are typically faster and more reliable for escalating privileges and reaching sensitive systems needed for exfiltration and ransomware objectives.

Compromising an endpoint is usually part of gaining the initial foothold. The prompt already indicates the tester has obtained internal foothold, implying at least one endpoint is compromised. The next task should build on that access to reach higher-value targets and broader control; credential dumping is a more appropriate immediate next step than simply compromising another endpoint.

Share enumeration (discovering accessible SMB/NFS shares and their contents) is valuable for locating sensitive data, but it is often constrained by current permissions. Without elevated or additional credentials, enumeration may not reveal or allow access to truly confidential repositories. In ransomware/exfiltration tradecraft, credential acquisition typically precedes deep discovery to maximize access and impact.

Port mirroring (SPAN) is a wired switch feature that copies traffic from one or more ports/VLANs to a monitoring port for packet capture. It helps with visibility and troubleshooting on Ethernet networks, not with assessing RF channel usage or the ability to disrupt Wi-Fi communications. It does not directly enable wireless disruption testing and typically requires switch access/authorization.

Sidecar scanning generally refers to using an auxiliary device or sensor (a “sidecar”) to perform scanning/monitoring without impacting the primary system, or to gain an alternate vantage point. While it can be used for reconnaissance, it is not the specific technique for determining which Wi-Fi channels are in use or evaluating channel-based disruption/jamming feasibility.

ARP poisoning (ARP spoofing) is a Layer 2 man-in-the-middle technique used to redirect traffic on a local network by corrupting ARP tables. It can disrupt communications by causing misrouting, but it requires the attacker to be on the same broadcast domain and typically already associated to the network. It does not directly address wireless RF disruption and is not the best fit for “disrupt wireless communications” in the channel/interference sense.

A generative AI assistant is generally not appropriate for reviewing a client penetration test report unless the engagement explicitly authorizes its use and the tool is approved for sensitive data. Uploading findings, evidence, or client identifiers can violate NDAs and data handling requirements. While AI can help with wording, the exam typically emphasizes confidentiality and controlled handling of client information.

The customer’s designated contact is usually the recipient for final delivery, coordination, and follow-up discussions (e.g., retest planning, remediation validation). However, requesting the client to review before internal QA is risky: it can expose unvetted findings, cause confusion if corrections are needed, and may disclose sensitive details prematurely. Internal review should occur first.

A cybersecurity industry peer implies an external party. Even if technically skilled, involving someone outside the authorized engagement team can breach confidentiality and contractual obligations (NDA, rules of engagement). External review is only acceptable if the contract explicitly permits it and the peer is formally included/authorized. For the exam, this is generally incorrect.

Reverting configuration changes is a restoration task to return systems to their pre-test state (undo firewall rules, remove test accounts, revert settings). While necessary, it can actually eliminate evidence or the vulnerable condition if done before evidence collection. It focuses on environment stability, not on retaining penetration test outputs.

Keeping chain of custody documents who handled evidence, when, and how, preserving integrity and traceability (often for legal or regulatory needs). It helps prove evidence wasn’t altered, but it does not inherently prevent artifacts from being deleted during cleanup. You still must preserve/collect the artifacts first for chain of custody to matter.

Exporting credential data preserves a specific subset of outputs (captured passwords/hashes/tokens), but it is not comprehensive and may violate scope or data-handling requirements if done improperly. It also doesn’t address other critical outputs like exploit proof, logs, screenshots, and command history that are commonly lost during cleanup.

Shoulder surfing is a physical social-engineering technique used to observe credentials or sensitive information directly from a victim’s screen/keyboard. It is not typically the first step in developing a spear-phishing campaign because it requires physical proximity, increases risk of detection, and is more aligned with onsite assessments. Phishing campaigns usually begin with passive OSINT to build pretexts and target lists.

Recon-ng is a reconnaissance framework that automates OSINT collection (domains, contacts, hosts, breaches, etc.). While useful during recon, it’s not the best “first” action when developing a spear-phishing campaign because you first need to identify targets and context. Social media OSINT often provides the initial targeting and pretext details that then feed tools like Recon-ng.

Password dumps are collections of credentials typically obtained from breaches, dark web sources, or post-exploitation. They are not a first step for creating a phishing campaign and may be out of scope unless explicitly authorized. Even when allowed, they are usually used later for credential stuffing or validation, not for initial pretext development.

Incorrect. Removing the reported lines (or the entire try/catch) is not a sound remediation because exceptions still need to be handled. Eliminating error handling can cause crashes, undefined behavior, or loss of auditability. The goal is not to remove exception handling, but to handle it securely by controlling what is exposed and where diagnostic details are recorded.

Incorrect. A secure coding-awareness program is a good long-term preventive control, but it does not directly remediate the vulnerable code identified by the SAST report. Exam questions asking for the “best method to remediate” typically expect a concrete code/configuration change that fixes the issue now, not an organizational initiative alone.

Incorrect. This is not a false positive in most contexts: printStackTrace() commonly leaks internal implementation details and can expose sensitive information in logs or responses. SAST tools flag it because it is a recognized insecure error-handling pattern. The appropriate action is to implement controlled logging and safe error responses, not to dismiss the finding.