CompTIA Updated PT0-003 Exam Questions and Answers by leonidas

Since the ICS is air-gapped (not connected to external networks), the best approach is manual assessment, which involves on-site testing, physical access, and reviewing configurations to identify vulnerabilities.

Option A (Channel scanning) ❌: This is used for wireless networks, not for isolated ICS systems.

Option B (Stealth scans) ❌: A stealth scan is a method to avoid detection while scanning, but it still requires network connectivity.

Option C (Source code analysis) ❌: If the ICS is a proprietary system, source code might not be available. Also, vulnerabilities could exist outside the code, such as misconfigurations.

Option D (Manual assessment) ✅: Correct. The ICS is offline, so a manual review of system settings, firmware, and configurations is the best approach.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – ICS & SCADA Testing

The command uses find / -type f -ls to traverse the filesystem from the root directory and list every file while outputting extended metadata similar to a long listing. This includes key attributes such as owner, group, permissions (mode bits), size, timestamps, and full path. In PenTest+ post-exploitation and local enumeration practices, collecting this information supports permission enumeration—identifying files that are misconfigured (for example, world-writable or group-writable), sensitive files with overly broad read access, or binaries with special permissions (such as SUID/SGID) that can enable privilege escalation. Writing the results to /tmp/recon.txt preserves the data for offline review and filtering (e.g., searching for writable directories, credential files, configuration files, or unexpected permission patterns).

This is not primarily secrets enumeration because the command does not read file contents or search for tokens/password strings. It is not user enumeration (which focuses on accounts, groups, sudo rules, and login artifacts) and not service enumeration (which targets running processes, listening ports, and service configurations). The direct goal is mapping permissions across the filesystem.

PEAP is an 802.1X “enterprise” wireless authentication method that uses a TLS tunnel to protect an inner authentication exchange (commonly username/password–based mechanisms). In PenTest+ wireless assessments, credential collection against enterprise Wi-Fi is most often attempted through rogue access point / evil twin style attacks combined with social engineering and traffic relaying, where the tester stands up an attacker-controlled AP to entice clients to connect and then captures authentication attempts or harvests credentials via a controlled portal/workflow.

WiFi-Pumpkin is a framework designed to rapidly create rogue APs and support interception and credential-harvesting scenarios, aligning with the objective of collecting credentials during a controlled wireless security test. InSSIDer is primarily for wireless discovery and signal/AP enumeration, not credential collection. HackRF One is SDR hardware useful for radio experimentation and analysis, but it is not a complete PEAP credential-harvesting workflow by itself. Aircrack-ng is most associated with WPA/WPA2-PSK capture/cracking and general 802.11 attacks, but it is not the best fit for PEAP credential collection compared with a rogue-AP framework.

Given the output, the penetration tester should select the fileserver as the next target for testing, considering both CVSS and EPSS scores.

CVSS (Common Vulnerability Scoring System):

Purpose: CVSS provides a numerical score to represent the severity of vulnerabilities, helping to prioritize remediation efforts.

Higher Scores: Indicate more severe vulnerabilities.

EPSS (Exploit Prediction Scoring System):

Purpose: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Higher Scores: Indicate a higher likelihood of exploitation.

Evaluation:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

The fileserver has the highest EPSS score, indicating a high likelihood of exploitation, despite having a slightly lower CVSS score compared to hrdatabase and legaldatabase.

Pentest References:

Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, which has a high EPSS score, the penetration tester focuses on a target that is more likely to be exploited, thereby addressing the most immediate risk.

======