CompTIA Updated PT0-003 Exam Questions and Answers by gigi

An external assessment focuses on testing the security of internet-facing services. Here’s why option C is correct:

External Assessment: It involves evaluating the security posture of services exposed to the internet, such as web servers, mail servers, and other public-facing infrastructure. The goal is to identify vulnerabilities that could be exploited by attackers from outside the organization’s network.

Segmentation: This type of assessment focuses on ensuring that different parts of a network are appropriately segmented to limit the spread of attacks. It’s more relevant to internal network architecture.

Mobile: This assessment targets mobile applications and devices, not general internet-facing services.

Web: While web assessments focus on web applications, the scope of an external assessment is broader and includes all types of internet-facing services.

References from Pentest:

Horizontall HTB: Highlights the importance of assessing external services to identify vulnerabilities that could be exploited from outside the network​​.

Luke HTB: Demonstrates the process of evaluating public-facing services to ensure their security​​.

Conclusion:

Option C, External, is the most appropriate type of assessment for targeting internet-facing services used by the client.

=================

When a penetration tester obtains an NTLM hash from a legacy Windows machine, they need to use a tool that can leverage this hash for further attacks, such as pass-the-hash attacks, or for cracking the hash. Here’s a breakdown of the options:

Option A: Responder

Responder is primarily used for poisoning LLMNR, NBT-NS, and MDNS to capture hashes, but not for leveraging NTLM hashes obtained post-exploitation.

Option B: Hydra

Hydra is a password-cracking tool but not specifically designed for NTLM hashes or pass-the-hash attacks.

Option C: BloodHound

BloodHound is used for mapping out Active Directory relationships and identifying potential attack paths but not for using NTLM hashes directly.

Option D: CrackMapExec

CrackMapExec is a versatile tool that can perform pass-the-hash attacks, execute commands, and more using NTLM hashes. It is designed for post-exploitation scenarios involving NTLM hashes.

References from Pentest:

Forge HTB: Demonstrates the use of CrackMapExec for leveraging NTLM hashes to gain further access within a network​​.

Horizontall HTB: Shows how CrackMapExec can be used for various post-exploitation activities, including using NTLM hashes to authenticate and execute commands​​.

Conclusion:

Option D, CrackMapExec, is the most suitable tool for continuing the attack using an NTLM hash. It supports pass-the-hash techniques and other operations that can leverage NTLM hashes effectively.

=================

Seeing services like OpenSSH 1.2p2 open on 99 hosts, and port 161 (SNMP) with unknown banners on 110 hosts suggests a high level of uniformity, which is uncommon in real-world Windows environments. This strongly points to honeypots being present, possibly for detection or deception.

The official CompTIA guide discusses this under scan anomalies:

“Identical responses from a large number of hosts, especially deprecated versions or unchanging banners, could indicate the presence of honeypots or decoy systems.”

Maintaining persistent access in a compromised system is a crucial goal for a penetration tester after achieving initial access. Here’s an explanation of each option and why creating registry keys is the preferred method:

Creating registry keys (Answer: A):

Modifying or adding specific registry keys can ensure that malicious code or backdoors are executed every time the system starts, thus maintaining persistence.

Advantages: This method is stealthy and can be effective in maintaining access over long periods, especially on Windows systems.

Example: Adding a new entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to execute a malicious script upon system boot.