CompTIA PenTest+ Domain 4: Attacks and Exploits

Password spraying tries one common password across many accounts to stay under per-account lockout thresholds, exactly the low-and-slow technique the scenario describes.

• ATargeting one account with many passwords is single-account brute forcing, which quickly trips the lockout the tester is deliberately trying to avoid, so it does not match.
• CCredential stuffing replays username and password pairs stolen from prior breaches, not a single attacker-chosen password sprayed across many accounts, so the underlying mechanism differs.
• DPass-the-hash authenticates with a captured NTLM hash and never submits password guesses, so it cannot explain attempts of a cleartext password against many usernames.

Credential stuffing is the automated injection of breached username and password pairs to take over accounts where users reused the same password, matching the scenario precisely.

• APassword spraying uses one or a few common passwords against many accounts; here the tester replays specific leaked pairs, so the defining mechanism is different.
• BBrute force systematically generates or iterates candidate passwords, while the scenario reuses already-known credentials from a breach, which is the hallmark of a different attack.
• DKerberoasting cracks encrypted Kerberos service tickets offline and is unrelated to replaying leaked web credentials against a login form, so it does not apply here.

Locking or throttling an account after a threshold of failed logons directly defeats online brute forcing by cutting off the high volume of guesses the attack depends on.

• BFull-disk encryption protects data if hardware is stolen, yet it has no effect on an attacker guessing valid credentials against a running, network-exposed SSH service.
• CVerifying the host key fingerprint defends against on-path interception of the session, but it does nothing to slow repeated password guesses aimed at the account.
• DSegmenting the management VLAN limits who can reach the service, yet once reachable the brute-force guessing rate is unchanged, so it is not the most direct control.

Kerberoasting requests TGS tickets for SPN-bound service accounts and cracks their RC4-encrypted portion offline to recover the service account password, exactly as described.

• AAS-REP roasting abuses accounts that have Kerberos pre-authentication disabled and cracks AS-REP material; this scenario cracks TGS service tickets tied to SPNs, a distinct technique.
• BPass-the-ticket reuses a stolen valid Kerberos ticket to authenticate directly and involves no offline password cracking of service accounts, so it does not fit the described workflow.
• CA golden ticket forges a ticket-granting ticket using the KRBTGT account hash; the scenario instead requests legitimate service tickets to crack offline, a different objective entirely.

Pass-the-hash authenticates as a user by presenting the captured NTLM hash to the protocol, bypassing the step that needs the cleartext password, which matches the scenario.

• AKerberoasting cracks service-ticket encryption offline to recover passwords; here the tester never cracks anything and instead reuses the hash itself, so the mechanism is different.
• CCredential stuffing replays leaked cleartext username and password pairs against logins; it does not use a raw hash as the authenticator, so it does not describe this lateral movement.
• DPassword spraying submits common cleartext passwords across many accounts, while the tester here submits a hash for one known user, so the spraying pattern does not apply.

By answering LLMNR and NBT-NS broadcasts as a spoofed authoritative responder, the tester forces victims to authenticate to their host and captures the credentials, which is name-resolution poisoning.

• BARP cache poisoning forges MAC-to-IP mappings at layer 2 to intercept traffic; it does not rely on answering LLMNR or NBT-NS name queries, so it is a different on-path method.
• CA DNS zone transfer is a reconnaissance request to copy DNS records from a server; it neither spoofs name resolution nor captures authentication material from victims as described.
• DKerberoasting cracks service tickets offline within Active Directory; it has nothing to do with responding to broadcast name-resolution requests to harvest credentials on the LAN.

ARP cache poisoning sends spoofed ARP replies binding the attacker's MAC to the gateway's IP, so victim traffic flows through the attacker, achieving the on-path position described.

• AVLAN hopping moves frames between VLANs by abusing trunking or double tagging; it does not forge MAC-to-IP mappings to redirect traffic between a host and its gateway.
• BDNS poisoning corrupts name-to-address resolution to misdirect connections, while the scenario manipulates layer-2 ARP entries, not DNS records, so it describes a different on-path technique.
• DPass-the-hash is a credential-reuse technique for authentication; it provides no traffic-interception capability and cannot place a machine between a host and its gateway.

Emulating switch trunk negotiation tricks the port into forming a trunk, letting the host reach traffic on other VLANs; this switch-spoofing form of VLAN hopping matches the scenario.

• AARP cache poisoning forges MAC-to-IP mappings to intercept traffic on one segment; it does not negotiate a trunk or expose traffic across multiple VLANs as described.
• BMAC flooding overflows the switch CAM table to force fail-open flooding, whereas the scenario negotiates a trunk to reach other VLANs, which is a separate layer-2 attack.
• CDNS spoofing falsifies name-resolution responses; it operates above layer 2 and cannot grant trunk-level access to multiple VLANs by emulating switch signaling.

Requiring SMB signing makes relayed sessions fail an integrity check, so authentication captured from one host cannot be forwarded and replayed to another server, directly stopping SMB relay.

• AEnabling LLMNR actually widens the name-resolution poisoning surface that feeds relay attacks, increasing exposure rather than preventing the relaying of captured authentication.
• CEnforcing TLS 1.3 protects web transport confidentiality but does not sign or validate SMB sessions, so relayed NTLM authentication over SMB remains possible.
• DRotating the krbtgt password invalidates forged golden tickets in Kerberos; it has no bearing on NTLM authentication being relayed over SMB between hosts.

Reading LSASS process memory to extract cached hashes and tickets is OS credential dumping, since LSASS stores credential material generated after users authenticate to the host.

• BKerberoasting requests and cracks service tickets offline; it does not read LSASS memory on a host, so it does not describe extracting cached credentials from process memory.
• CPass-the-ticket reuses an already-obtained Kerberos ticket to authenticate; it consumes credential material rather than harvesting it from LSASS memory as the scenario states.
• DProcess injection runs code inside another process to evade defenses or elevate; while sometimes paired with dumping, by itself it does not describe reading LSASS for credentials.

Process injection executes arbitrary code in the address space of a separate live process, masking activity under a legitimate process and evading process-based defenses, exactly as described.

• ACredential dumping extracts stored authentication secrets; it does not describe executing code inside another process's memory to evade process-based detection as the scenario requires.
• BAbusing a SUID binary is a Linux privilege-escalation path; it neither writes code into a running process's address space nor targets the process-based defenses described here.
• DPass-the-hash reuses a captured hash to authenticate elsewhere; it is a credential-reuse technique and does not involve injecting code into a running process's memory.

The NTDS.dit file on a domain controller stores the Active Directory database, so copying and parsing it exposes password hashes for all domain accounts, matching the scenario.

• AThe SAM hive holds only local account hashes on a single machine; it cannot yield every domain account's hash, so it does not match copying the domain database.
• CDumping LSASS memory reveals only credentials cached for users currently or recently logged on to that host, not the full set of domain account hashes the tester obtained.
• DCracking service tickets is Kerberoasting, which targets individual SPN accounts offline; it does not provide a wholesale copy of every domain account hash from a database file.

The Security Account Manager database stores local user password hashes on a Windows host and can be extracted from the registry, which is exactly what a non-domain server exposes.

• BNTDS.dit holds Active Directory domain account hashes and exists on domain controllers; a standalone, non-domain server has no NTDS.dit, so this source does not apply.
• CThe Kerberos ticket cache holds tickets for authenticated sessions, not stored local password hashes; extracting it would not yield the local SAM account hashes described.
• DThe /etc/shadow file stores password hashes on Linux systems; on a Windows server the local hashes live in the SAM, so referencing the shadow file is the wrong platform.

AS-REP roasting abuses accounts with Kerberos pre-authentication disabled, requesting AS-REP material encrypted with the user's password and cracking it offline, exactly as described.

• AKerberoasting targets accounts with service principal names and cracks TGS service tickets; this scenario targets accounts lacking pre-authentication and cracks AS-REP data, a different requirement.
• BPass-the-hash reuses a captured hash to authenticate and involves no offline cracking of Kerberos messages from preauth-disabled accounts, so it does not fit the described attack.
• CA golden ticket forges a TGT using the KRBTGT hash; it neither depends on accounts lacking pre-authentication nor cracks returned authentication data offline as the scenario states.

With an unquoted path containing spaces, Windows tries each space-delimited fragment, so a binary planted in a writable parent directory can run as the service's SYSTEM account.

• AThe authentication protocol the service uses is irrelevant to this flaw; the escalation comes from how Windows resolves an unquoted path with spaces, not from NTLM versus Kerberos.
• BSYSTEM services are auditable like other services; the vulnerability arises from path resolution of an unquoted executable path, not from any inability to log or monitor the service.
• DAddress space layout randomization concerns memory-corruption exploitation; this misconfiguration is about file-path resolution, so ASLR status does not create the escalation path.

A setuid binary owned by root runs with root privileges regardless of the caller, so coercing such a binary into executing arbitrary commands yields root, which is the abuse described.

• AA world-writable passwd file is a different misconfiguration; here the escalation stems from a setuid binary running with its owner's privileges, not from editing the password file directly.
• CUnquoted service paths are a Windows service-resolution flaw; this scenario is on Linux and centers on the SUID bit, so the Windows path issue is the wrong platform and mechanism.
• DReusing an NTLM hash is a Windows authentication technique; it does not explain gaining root on Linux through a binary that carries the setuid bit.

Installing the MS17-010 security update fixes the SMBv1 vulnerability, and disabling the legacy SMBv1 protocol removes the exposed attack surface, directly remediating the reported finding.

• BA stronger password policy reduces credential-guessing risk but does nothing to fix a remote code-execution flaw in the SMBv1 protocol implementation, so it misses the actual issue.
• CEnabling LLMNR adds a spoofable name-resolution service and increases risk; it neither patches the SMBv1 flaw nor reduces the exposed protocol surface described in the finding.
• DMoving accounts to Kerberos changes the authentication protocol but leaves the vulnerable SMBv1 service unpatched and reachable, so the wormable code-execution flaw remains exploitable.

Forging ticket-granting tickets with the stolen KRBTGT hash to impersonate any account is the golden ticket attack, granting persistent, near-unlimited Kerberos access across the domain.

• AA silver ticket forges a service ticket using a specific service account's hash and is limited to that service; the scenario forges TGTs with the KRBTGT hash for domain-wide access.
• BPass-the-hash reuses a user's NTLM hash to authenticate; it does not forge Kerberos ticket-granting tickets from the KRBTGT hash to impersonate arbitrary users domain-wide.
• CKerberoasting cracks service tickets offline to recover service-account passwords; it neither requires the KRBTGT hash nor forges ticket-granting tickets as the scenario describes.

Positioning between two devices so traffic passes through the attacker to be sniffed, captured, or modified is the defining behavior of an on-path, adversary-in-the-middle attack.

• APrivilege escalation raises an attacker's permission level on a system; it does not describe inserting oneself into the communication path between two hosts to intercept traffic.
• BA denial-of-service attack aims to disrupt availability, not to silently relay and read traffic between parties; the scenario is about interception, not service disruption.
• DCredential dumping extracts stored secrets from a compromised host's memory or databases; it does not involve intercepting live traffic between two communicating systems.

Pass-the-ticket reuses a stolen valid Kerberos ticket by injecting it into a session to authenticate as its owner without the password, exactly matching the described technique.

• AKerberoasting requests and cracks service tickets offline to recover passwords; here the tester reuses an already-valid stolen ticket directly, so no cracking is involved.
• CPassword spraying guesses common passwords across many accounts; the scenario uses a captured ticket rather than guessing any password, so the mechanisms are unrelated.
• DA golden ticket is forged from the KRBTGT hash rather than stolen from memory; the tester here reuses an existing legitimate ticket, which distinguishes it from forging one.

Password spraying produces many authentication failures distributed across numerous accounts, so a spike in failed logon events spanning many usernames is the strongest, most direct indicator.

• BA single successful logon during business hours is normal activity; it does not reveal the high volume of failures across many accounts that characterizes a spraying campaign.
• CIncreased outbound DNS volume can indicate tunneling or exfiltration, but it is unrelated to authentication attempts, so it would not reliably reveal password-spraying behavior.
• DA rise in encrypted SMB traffic reflects file or session activity, not authentication failures; it does not capture the failed-logon pattern that exposes spraying.

Long, random, regularly rotated service-account passwords, such as group managed service accounts, make the offline cracking of captured service tickets infeasible, directly mitigating Kerberoasting.

• AReducing ticket lifetime limits a ticket's reuse window but does not prevent an attacker from cracking the requested service ticket offline, so it poorly addresses Kerberoasting.
• BDisabling SMBv1 removes a legacy file-sharing vulnerability; it is unrelated to the Kerberos service-ticket cracking that defines Kerberoasting, so it does not mitigate this attack.
• CNetwork Level Authentication hardens RDP session establishment; it does nothing to protect service-account tickets from being requested and cracked offline in a Kerberoasting attack.

Injected input altering the query results and returning database errors is the signature of SQL injection, where client-supplied data is inserted into the application's SQL statement.

• ACross-site scripting injects browser-executable script that runs in a victim's browser; it does not interfere with the back-end database query or surface SQL engine errors as described.
• BCSRF abuses an authenticated user's session to force unwanted state-changing requests; it neither manipulates a database query nor produces SQL errors from injected input as seen here.
• DSSRF coerces the server into fetching attacker-chosen URLs; it targets outbound requests to other systems, not the structure of a back-end SQL query as observed here.

Input taken from the request and reflected straight into the immediate, non-persistent response so it executes via a crafted link is the defining behavior of reflected cross-site scripting.

• AStored XSS requires the payload to be saved server-side and served to other users later; here the input is echoed immediately from the request and is not persisted in a data store.
• CSQL injection manipulates a back-end database query, not browser rendering; the scenario shows script executing in the victim's browser, which is a client-side scripting flaw.
• DInsecure deserialization abuses untrusted serialized objects to alter logic or run code server-side; it does not describe request input reflected into HTML and executed in a browser.

A payload saved by the application and later rendered to every viewer so it executes in their browsers is the defining characteristic of stored, or persistent, cross-site scripting.

• AReflected XSS only fires for users who open a specially crafted request or link; here the payload affects every visitor to the page, indicating it was stored rather than reflected per request.
• BCSRF tricks an authenticated user into submitting an unwanted request; it does not store an executable script that runs in the browsers of all subsequent page viewers.
• CDirectory traversal manipulates file paths to read or write files outside the web root; it has nothing to do with executable script saved and re-rendered to other users.

Using ../ sequences in a filename parameter to read files outside the intended directory is exactly the path traversal technique against poorly validated file access.

• BSSRF makes the server issue requests to attacker-chosen URLs; the scenario reads local files through path manipulation, not by forcing outbound network requests.
• CSQL injection targets database queries through crafted input; reading arbitrary files via ../ path sequences is a file-system access flaw, not a database query manipulation.
• DXSS executes script in a victim's browser; retrieving server-side files outside the web root through traversal sequences is unrelated to client-side script execution.

Coercing the server to fetch a user-supplied URL pointing at internal resources and returning their content is the defining behavior of server-side request forgery.

• ACSRF causes a victim's browser to send authenticated requests the user did not intend; here the server itself is coerced to fetch an attacker-chosen URL, which is a different flaw.
• BAn open redirect sends the user's browser to an attacker-controlled destination; the scenario shows the server fetching internal resources, not redirecting a client to an external site.
• DXSS runs script in a victim's browser; the issue here is the server making unintended back-end requests to internal addresses, which is server-side rather than client-side.

Forcing an authenticated user's browser to submit an unwanted state-changing request because the application lacks an anti-CSRF token is the textbook definition of CSRF.

• ASSRF makes the server send requests to attacker-chosen destinations; this attack instead rides the victim's authenticated browser session to perform an action the user did not intend.
• CSession fixation forces a victim to use a session identifier the attacker knows; here a valid session already exists and is abused to submit a forged request, which is different.
• DInsecure deserialization manipulates serialized objects the server trusts; it does not describe a forged cross-site request executed in an authenticated victim's browser.

A weakly configured XML parser resolving an attacker-defined external entity to disclose a local file is precisely an XML external entity injection vulnerability.

• ASQL injection manipulates database queries; the scenario abuses an XML parser resolving an external entity to read a local file, which is a parser weakness, not a query flaw.
• BXSS executes script in a browser; here a server-side XML parser discloses local file contents through external entity resolution, which is unrelated to client-side scripting.
• CSSTI abuses template engines that evaluate user input as template syntax; this scenario exploits XML external entity processing in a parser, a distinct mechanism.

Appending shell metacharacters so user input is executed as an operating-system command by the server through a system call is the defining behavior of OS command injection.

• BSQL injection targets a database query; here the injected payload runs operating-system shell commands through a system call, not against a database engine.
• CSSRF coerces the server to make network requests to chosen URLs; this scenario executes arbitrary OS commands via shell metacharacters, a different class of flaw.
• DLocal file inclusion causes the app to include server files via a path parameter; here the app passes input to a shell and executes commands rather than including a file.

User input evaluated as native template syntax by the server-side engine, returning a computed expression result, is the hallmark of server-side template injection.

• AXSS executes in the browser; here a server-side template engine evaluates the injected expression and returns the computed result, indicating server-side execution rather than client-side scripting.
• BSQL injection manipulates a database query; the scenario shows a template engine evaluating injected template syntax, which is a templating flaw, not a database one.
• DCSRF forces an authenticated victim to submit an unwanted request; it has nothing to do with a template engine evaluating attacker-supplied expressions on the server.

A rogue access point impersonating a legitimate SSID to lure clients into connecting so their traffic is manipulated or captured is the definition of an evil twin.

• AA deauthentication flood forces clients to disconnect using spoofed management frames; it can assist this attack but does not itself impersonate the legitimate network to capture traffic.
• CBrute forcing a captured handshake attacks the pre-shared key offline; it does not involve impersonating the SSID to get clients to associate to the tester's access point.
• DBluejacking sends unsolicited messages over Bluetooth; it is unrelated to creating a malicious Wi-Fi access point that mimics a corporate SSID to intercept traffic.

The four-way handshake exchanged when a client authenticates contains the material needed to validate passphrase guesses offline against a wordlist for WPA2-PSK.

• AThe broadcast SSID identifies the network by name but carries no cryptographic key material; it cannot be used to validate passphrase guesses offline against a wordlist.
• BA deauthentication frame is a tool used to force a client to reconnect; the frame itself carries no key data and is not what gets tested against a wordlist.
• CA captive portal is a web authentication page used on open networks; it is unrelated to the cryptographic material needed to crack a WPA2 pre-shared key offline.

Sending spoofed management frames that disassociate a client so it must re-authenticate, often to capture the resulting handshake, is a deauthentication attack.

• BAn evil twin impersonates a legitimate SSID to lure clients to a rogue AP; the scenario instead disconnects a client from its real AP using forged management frames.
• CMAC spoofing changes a device's hardware address to impersonate another host; while frames are spoofed here, the described goal of forcing disassociation defines a deauth attack.
• DKRACK exploits weaknesses in the four-way handshake to reinstall keys; it is a cryptographic protocol attack, not the act of flooding a client with disassociation frames.

An unauthorized access point attached to the corporate network without sanction, creating an uncontrolled entry point into the internal network, is by definition a rogue access point.

• AAn evil twin is an attacker-controlled AP impersonating a known SSID to lure clients; this is an employee-installed, unauthorized AP bridged into the LAN, not SSID impersonation.
• BA captive-portal bypass evades a web authentication gateway on a guest network; the finding here is an unauthorized AP connected to the internal network, a different issue.
• DJamming floods the RF spectrum to deny wireless service; the scenario describes an unauthorized AP providing connectivity, which is the opposite of denying it.

Breaking out of a container to access the underlying host and adjacent containers, typically via an over-privileged configuration, is a container escape, also called escape to host.

• ASSRF makes an application send requests to unintended destinations; it does not describe breaking out of a container to reach the host operating system as shown here.
• CSUID-based escalation elevates privileges within one host's file permissions; the scenario specifically crosses the container boundary to reach the host, which is broader than a SUID misconfiguration.
• DPass-the-hash reuses captured password hashes to authenticate to other systems; it has nothing to do with escaping a container to the host through a privileged configuration.

Abusing SSRF to query the instance metadata endpoint and harvest the VM's temporary IAM credentials is a cloud instance metadata service attack.

• AContainer escape breaks out of a container to the host; here the tester queries the cloud instance metadata service for credentials, which does not involve crossing a container boundary.
• BBucket enumeration discovers and reads exposed object storage; the scenario instead abuses the instance metadata endpoint to obtain the virtual machine's attached IAM credentials.
• CDNS rebinding manipulates name resolution to bypass same-origin restrictions; while it can aid SSRF, the described action is querying the metadata API to steal instance credentials.

A service account granted broad administrative rights it does not need is an over-permissive IAM misconfiguration that violates the principle of least privilege.

• BAbsent MFA concerns how identities authenticate; the finding here is the excessive scope of permissions granted, which is an authorization rather than an authentication problem.
• CLack of encryption at rest protects stored-data confidentiality; it is unrelated to a service account being granted far more permissions than its workload requires.
• DA public storage bucket is an access-control issue on object storage; the scenario concerns an identity's excessive IAM permissions, a distinct misconfiguration.

Long-term keys hard-coded into a committed file are unsecured credentials in files, an exposure where access keys are recoverable by anyone with repository access.

• AInsecure deserialization abuses untrusted serialized objects; the finding here is hard-coded long-term credentials in a file, which is an unsecured-credentials issue, not deserialization.
• BSSRF coerces a server to make requests; it does not describe credentials committed in plaintext to a repository, which is a credential-storage exposure problem.
• DXSS executes script in a browser; it is unrelated to discovering plaintext cloud access keys embedded in a source-code repository's configuration file.

A bucket policy permitting anonymous public read exposes data and is mitigated by enabling block-public-access controls and applying restrictive bucket policies.

• ASSRF concerns coercing a server to make requests; the issue here is a storage bucket policy granting public anonymous read, which is an access-control misconfiguration, not SSRF.
• CWeak logging hampers detection of activity; it does not itself make a bucket world-readable, which is the access-control flaw the scenario describes.
• DWeak transport encryption affects data in transit; the finding is unrestricted public read access to stored objects, an authorization misconfiguration rather than a TLS weakness.

Returning another user's object because the API trusts a user-supplied identifier without verifying ownership is broken object level authorization, known as BOLA.

• ASSRF coerces the server to fetch attacker-chosen URLs; here the API simply fails to verify that the caller is permitted to access the object referenced by the supplied identifier.
• BSecurity misconfiguration covers insecure default or incomplete settings; the specific flaw shown is the missing per-object authorization check on a user-supplied identifier.
• CInjection executes attacker-controlled commands or queries through unsanitized input; changing an object ID to read another user's data is an access-control failure, not injection.

A tailored email aimed at a specific individual using personal or role context to increase believability is spear phishing, a targeted variant of phishing.

• BWhaling is a spear-phishing variant aimed specifically at high-level executives; here the target is a regular employee, so the precise technique is spear phishing.
• CVishing is voice phishing conducted over the phone; the described attack uses a crafted email with an attachment, not a telephone call, so it is not vishing.
• DTailgating is a physical attack where someone follows an authorized person through a secure door; it is unrelated to a targeted email with a malicious attachment.

Phoning a target while impersonating someone and using a fabricated, believable scenario to extract an action is voice phishing (vishing) carried out through a pretext.

• ATailgating and shoulder surfing are physical, in-person techniques; the scenario is a phone call using a fabricated story, which is voice phishing combined with pretexting.
• CWatering-hole and typosquatting attacks compromise or mimic websites victims visit; neither matches a phone call using an invented identity and backstory against a help-desk agent.
• DSmishing uses SMS text messages and baiting lures victims with something enticing; the described attack is a phone call with a pretext, not a text or a planted lure.

Crafted input that overrides the model's original instructions and bypasses its guardrails to produce unintended output is the definition of prompt injection.

• AA model denial-of-service overwhelms the LLM with resource-heavy input to degrade availability; here the input manipulates the model's behavior to bypass instructions, which is different.
• BTraining-data poisoning corrupts the data used to train or fine-tune a model; the scenario manipulates a deployed model at inference time through crafted input, not its training set.
• DInsecure deserialization abuses untrusted serialized objects in application code; it is unrelated to manipulating an LLM's behavior through adversarial natural-language input.