Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

CompTIA Exam PT0-003 Topic 4 Question 2 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 2
Topic #: 4
[All PT0-003 Questions]

A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?

Show Suggested Answer Hide Answer
Suggested Answer: A

To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.

Credential Stuffing:

Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.

Advantages: Unlike brute-force attacks, credential stuffing uses already known credentials, which reduces the number of attempts per account and minimizes the risk of triggering account lockout mechanisms.

Tool: Tools like Sentry MBA, Snipr, and others are commonly used for credential stuffing attacks.

Other Techniques:

MFA Fatigue: A social engineering tactic to exhaust users into accepting multi-factor authentication requests, not applicable for avoiding lockouts in this context.

Dictionary Attack: Similar to brute-force but uses a list of likely passwords; still risks lockout due to multiple attempts.

Brute-force Attack: Systematically attempts all possible password combinations, likely to trigger account lockouts due to high number of failed attempts.

Pentest Reference:

Password Attacks: Understanding different types of password attacks and their implications on account security.

Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.

By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.


Contribute your Thoughts:

Tyra
3 months ago
I think the best option is B) MFA fatigue, as it allows for multiple login attempts without locking out.
upvoted 0 times
...
Merlyn
3 months ago
But wouldn't using a dictionary attack still risk locking out accounts?
upvoted 0 times
...
Polly
4 months ago
This tester is really trying to walk a fine line, isn't he? Gotta respect the creativity, but a good old-fashioned brute-force attack might be the way to go.
upvoted 0 times
...
Thurman
4 months ago
MFA fatigue, huh? That's a creative approach, but I don't know if I'd want to put in the effort. Seems like a lot of work for not much payoff.
upvoted 0 times
Viola
3 months ago
C: I think a dictionary attack could work too. It's worth a try.
upvoted 0 times
...
Beckie
3 months ago
B: Yeah, I agree. MFA fatigue seems like it would take too much time.
upvoted 0 times
...
Emelda
3 months ago
A: Credential stuffing sounds like a better option. It's more efficient.
upvoted 0 times
...
...
Devon
4 months ago
I disagree, I believe the answer is C) Dictionary attack.
upvoted 0 times
...
Merlyn
4 months ago
I think the answer is A) Credential stuffing.
upvoted 0 times
...
Barrie
4 months ago
Credential stuffing? Really? That's just asking to get caught. I'd steer clear of that one.
upvoted 0 times
Mila
3 months ago
B: Maybe try a dictionary attack instead?
upvoted 0 times
...
Tamekia
3 months ago
A: I agree, credential stuffing is too risky.
upvoted 0 times
...
...
Raul
4 months ago
I'm not sure a dictionary attack is the best idea here. That could still trigger the lockout policies, no? Maybe a brute-force attack would be a safer bet.
upvoted 0 times
...
Frank
4 months ago
Hmm, I would go with option C. A dictionary attack is a good way to avoid account lockouts while still trying to crack those passwords.
upvoted 0 times
Stevie
3 months ago
A: Definitely, we don't want to trigger any lockout policies while trying to crack those passwords.
upvoted 0 times
...
Glen
3 months ago
B: Yeah, that makes sense. It's a good way to avoid locking out accounts.
upvoted 0 times
...
Lynelle
3 months ago
A: I think a dictionary attack is the way to go in this situation.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77