In an unprotected network file repository a penetration test - CompTIA Pentest+ PT0-003

Question

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name-serial_number>.
Which of the following would be the best action for the tester to take NEXT with this information?

Explanation

Correct Answer: D. Document the unprotected file repository as a finding in the penetration-testing report.

As a penetration tester, your primary responsibility is to identify vulnerabilities and report them. Since you found cleartext credentials and employee data in an unprotected file repository, the first action should be to document this security flaw as a finding in the penetration test report.

  • The file repository is unprotected, meaning anyone with access can view or steal the credentials and employee data.
  • The password format (<name-serial_number>) indicates a weak, predictable pattern, which further increases the risk of credential compromise.
  • Reporting this as a finding ensures that the organization addresses and remediates the issue.

Why the Other Options Are Incorrect:

Create a custom password dictionary as preparation for password spray testing.

  • While this could be useful in an active attack scenario, it is not the most immediate or ethical next step.

  • Risk: The goal of a penetration test is to assess security and report weaknesses, not to actively exploit every flaw unless explicitly authorized.

Before attempting a password spray, you should report the weak credential storage issue first.

Recommend using a password manager/vault instead of text files to store passwords securely.

  • While using a password manager is a good security recommendation, it is not the first action the tester should take.

  • Risk: Making recommendations comes after documenting findings in the report.

Before making recommendations, document the issue as a security risk first.

Recommend configuring password complexity rules in all the systems and applications.

  • While enforcing strong password policies is important, the primary issue here is the unprotected storage of credentials.

  • Risk: Even with strong password policies, storing credentials in plaintext is a severe security risk.

Password complexity alone does not fix the issue of unprotected credentials.
