Question 12 - Top CompTIA Pentest+ PT0-003 Real Exam Questions [Jan 2026 Update]

Q: 12

[Attacks and Exploits] You are a penetration tester running port scans on a server. INSTRUCTIONS Part 1: Given the output, construct the command that was used to generate this output from the available options. Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Your Answer

Correct Answer:

PART 1: COMMAND CONSTRUCTION

CORRECT ANSWER: NMAP -SV -O --TOP-PORTS=100 192.168.2.2

PART 2: ATTACK VECTOR IDENTIFICATION

CORRECT ANSWER:
WEAK SMB FILE PERMISSIONS
NULL SESSION ENUMERATION

Explanation

For Part 1, the command is derived directly from the scan output. The presence of SERVICE VERSION requires the -sV switch for version detection. The detailed operating system information (Running: Linux 2.4.X) requires the -O switch for OS detection. The summary line "Not shown: 96 closed ports" combined with the 4 visible open ports confirms that exactly 100 ports were scanned, corresponding to the --top-ports=100 option. The scan log indicates a single host was targeted.

For Part 2, the open TCP ports 139 (netbios-ssn) and 445 (microsoft-ds) indicate active SMB services. These services are historically susceptible to information gathering and misconfiguration exploits. A null session enumeration is a primary technique for anonymously querying these services to gather intelligence like usernames and share names. Following enumeration, testing for weak SMB file permissions on any accessible shares is a standard and critical step for a penetration tester.

References

Lyon, G. (2024). Nmap Reference Guide. Nmap Project. Retrieved from https://nmap.org/book/man.html

Section: "Version Detection": Describes the -sV option to determine the service and version information of listening ports.

Section: "OS Detection": Describes the -O option to enable remote operating system detection using TCP/IP stack fingerprinting.

Section: "Port Scanning Options": Explains the --top-ports option, which scans the specified number of most common ports from the nmap-services file.

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-115

Section 4.3.2, "Network Port and Service Identification": Details the use of port scanners like Nmap to identify active services that may present potential security vulnerabilities.

Section 5.4.1, "Vulnerability Validation Activities": Discusses the process of validating potential vulnerabilities found during discovery, which includes testing for issues like default passwords, weak configurations, and anonymous access (such as NetBIOS null sessions).

Microsoft. (2023, September 21). Secure SMB traffic in Windows Server. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic

This document provides official vendor guidance on securing SMB, which is predicated on mitigating the risks posed by attackers, such as eavesdropping and unauthorized access to file shares—the very risks tested for by checking for null sessions and weak permissions.

PART 1: COMMAND CONSTRUCTION

PART 2: ATTACK VECTOR IDENTIFICATION

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE