CompTIA PenTest+ (PT0-002) — Question 209
A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides to brute-force an internet-facing webmail server to check which users are still using the temporary password. The tester configures the brute-force tool to test the usernames found in a text file against the single password 123change.
Which of the following techniques is the penetration tester using?
Answer options
- A. Brute-force attack
- B. LDAP injection
- C. Password spraying
- D. Kerberoasting
Correct answer: C
Explanation
The correct answer is C, Password spraying, which involves attempting one common password across many usernames to identify valid accounts. A brute-force attack typically involves testing all possible password combinations against a single username, which is not what the tester is doing. LDAP injection is a method used to manipulate LDAP queries, and Kerberoasting is a technique for exploiting service tickets in Kerberos authentication; neither applies in this scenario.