CompTIA · Free Practice Questions · Last reviewed May 2026

PT0-002 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

85 exam questions · 165 min time limit · Pass at 750 / 1000 · 5 exam domains

Domain 1: Planning and Scoping

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A. The test will include social engineering of remote employees
B. The exclusion of cloud infrastructure may leave critical assets untested
   Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.
C. The test can only be performed during off-hours
D. The tester will require VPN access to the corporate network

Why: The exclusion of cloud and remote systems represents a significant gap in coverage. The tester should highlight that critical assets may remain untested, potentially giving a false sense of security.

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

A. Ensuring all testing is performed from a single external IP address
B. Obtaining explicit written authorization from each country's legal department
C. Ensuring compliance with GDPR and data protection laws
   Correct. GDPR imposes strict rules on handling personal data; the test must be scoped to avoid violations.
D. Restricting testing to non-business hours to minimize impact

Why: When testing in the EU, compliance with the General Data Protection Regulation (GDPR) is mandatory. The tester must ensure that the testing activities do not violate data protection laws, such as by processing personal data without proper safeguards. This legal consideration should be explicitly addressed in the rules of engagement.

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

A. Add the microservice to the test and include it in the final report as an unadvertised finding
B. Decline the request because the microservice was not part of the original scope
C. Inform the client that a scope amendment is needed and pause testing on the microservice until it is approved
   Correct. This is the correct procedure. Communicating the need for a formal amendment ensures the test remains within authorized bounds and protects both parties.
D. Test the microservice only if it is using the same technology stack as other targets

Why: Scope creep can compromise the test's integrity and legal protections. The proper first step is to communicate the requested change to the client and discuss the need for a scope amendment, including potential timeline and cost adjustments. Proceeding without authorization could violate the ROE and cause unintended consequences.

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

A. The client's headquarters location determines which laws apply
B. Data collected during the test must be stored only within the country of operation and deleted after the engagement
   Correct. This addresses data sovereignty and privacy requirements common in many jurisdictions, making it a key legal consideration for the ROE.
C. All findings must be reported in the local language of the country of operation
D. The penetration testers must be citizens of the country where the systems reside

Why: When a penetration test involves systems in multiple jurisdictions, especially those with strict data privacy laws, it is critical to address data handling and storage requirements to ensure compliance. This includes specifying what data can be collected, how it must be protected, and where it can be stored.

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A. The on-premises systems are more critical, so testing them is sufficient.
B. Cloud systems are generally more secure and do not require testing.
C. Limiting the scope to on-premises may result in an incomplete risk picture because cloud systems are part of the attack surface.
   Correct. Both on-premises and cloud systems contribute to the overall attack surface; excluding one may leave critical vulnerabilities undetected.
D. Testing cloud systems would violate the shared responsibility model.

Why: Testing only on-premises systems ignores a significant portion of the attack surface, especially if the cloud systems host critical services or sensitive data. This can lead to an incomplete risk assessment and a false sense of security. The tester should explain that cloud assets are part of the organization's overall attack surface and should be included to provide a comprehensive evaluation.

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A. Statement of Work (SOW)
B. List of allowed AWS regions and associated VPC CIDR ranges
   Correct. This explicitly defines the geographic scope, preventing tests in non-US regions and ensuring compliance with data sovereignty laws.
C. Data Processing Agreement (DPA)
D. Penetration testing methodology document

Why: Given data sovereignty concerns, the ROE must clearly define the geographic scope of testing. Including a list of allowed AWS regions ensures that testers do not inadvertently access systems in regions where regulations (e.g., GDPR) might apply. The SOW describes the work but does not define the boundary details as precisely. The Data Processing Agreement (DPA) governs how data is handled, not scope. The methodology document describes the testing approach, not legal boundaries.


Domain 2: Information Gathering and Vulnerability Scanning

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

A. Enable SYN scan instead of full TCP connect scan
B. Adjust the scan timing template to a slower rate
C. Activate the 'safe checks' option in the scanner
   Correct. Safe checks perform non-intrusive testing, minimizing disruption and reducing false positives from exploitation attempts.
D. Increase the port range to include high ports

Why: Enabling the 'safe checks' option configures the scanner to use non-intrusive test methods that identify vulnerabilities without attempting exploitation, thus reducing the risk of crashing services and producing false positives from aggressive behavior.

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

A. Identifying subdomains through DNS brute-forcing
B. Discovering open ports and services on public IP ranges
   Correct. Shodan collects banner data from services like HTTP, SSH, FTP, etc., allowing testers to see what is exposed on the internet.
C. Enumerating email addresses from corporate websites
D. Extracting metadata from documents found on the target's website

Why: Shodan is a search engine that indexes banners and service information from internet-connected devices. It is most commonly used to discover open ports, running services, and associated vulnerabilities on public IP ranges. This aids in identifying the attack surface without direct interaction with the target.

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A. Performing a DNS zone transfer
B. Querying publicly available DNS records
   Correct. Using public DNS resolvers to retrieve records like A, MX, or CNAME is passive and avoids direct interaction.
C. Using Nmap to scan for DNS servers
D. Sending crafted DNS queries to the target's DNS server

Why: Querying publicly available DNS records using tools like dig or nslookup against public DNS resolvers (e.g., 8.8.8.8) does not send traffic directly to the target's servers. This is passive reconnaissance. The other options involve active interaction with the target's infrastructure.

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A. Performing a zone transfer against the target's DNS servers
B. Searching for the target's SSL certificates in Certificate Transparency logs
   Correct. Certificate Transparency logs are public and can be queried without contacting the target. They often expose subdomains that may not be publicly listed elsewhere.
C. Using Nmap to scan common ports on the target's public IP range
D. Querying the target's WHOIS records for IP addresses

Why: Analyzing SSL/TLS certificates from Certificate Transparency logs can reveal subdomains and hostnames, which often reflect internal naming conventions or hidden services. This is a passive technique that does not involve direct interaction with the target's infrastructure.

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

A. The scanner used an outdated vulnerability database that does not match the application's patches
B. The scanner identified the application version from the HTTP response header, but the vulnerability was already patched in that version
C. The scanner detected a vulnerable library used by the application, but the application's implementation does not expose the vulnerable code path
   Correct. This is a classic false positive: the scanner sees the library version but cannot determine if the vulnerable functionality is reachable. The tester must manually validate.
D. The scanner performed an exploit attempt that succeeded on a different service on the same host

Why: Vulnerability scanners often rely on banner grabbing or version detection. If the application uses a library or component that has the same version string as a known vulnerable version, but the vulnerable code has been patched or the library is used in a different way, the scanner may incorrectly flag it. This is a common source of false positives.

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

A. T0 (Paranoid)
   Correct. T0 uses the slowest timing, ideal for stealth by spacing out packets to avoid IDS thresholds.
B. T1 (Sneaky)
C. T3 (Normal)
D. T5 (Insane)

Why: Nmap timing templates control scan speed and stealth. -T0 (Paranoid) sends packets very slowly, often waiting for responses before sending the next, which significantly reduces the chance of IDS detection. -T1 is slightly faster but still very slow. -T3 is normal. -T5 is insane speed and highly likely to trigger alarms.


Domain 3: Attacks and Exploits

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

A. PsExec
B. MS16-075 exploit
C. WinRM
   Correct. WinRM is designed for remote management and the account's group membership makes it usable for lateral movement.
D. BloodHound

Why: WinRM (Windows Remote Management) allows remote command execution and is typically enabled on domain controllers. Membership in the 'Remote Management Users' group grants the required permissions to use WinRM for lateral movement.

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

A. {{7*7}}
B. <script>alert('xss')</script>
C. ${7*7}
D. {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
   Correct. This payload exploits Python object chaining to execute system commands, achieving remote code execution.

Why: Payload D uses Python's object introspection to access the `os` module and execute commands, which is a common technique for SSTI in Jinja2/Flask applications. This achieves remote code execution.

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A. Return-oriented programming (ROP) to bypass DEP
B. Heap spraying to inject shellcode
C. ret2libc to call system() with a controlled argument
   Correct. ret2libc leverages existing libc functions (like system) at fixed addresses (since no ASLR) to execute commands, bypassing DEP.
D. Stack pivoting to redirect execution to a known location

Why: With DEP enabled, shellcode cannot be executed directly on the stack. However, since ASLR is disabled, the addresses of system functions in libc are predictable. The ret2libc technique (a form of ROP) allows the attacker to call system() with a controlled argument (e.g., "/bin/sh") to gain code execution without needing to execute shellcode.

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

A. Using URL encoding for the single quote (%27)
B. Using double quotes instead of single quotes
C. Using a second-order SQL injection
D. Using a payload without quotes, such as numeric injection
   Correct. If the input is used in a numeric context (e.g., WHERE id=5), quoting is not needed, allowing injection without single quotes.

Why: If single quotes are blocked, but the vulnerable parameter expects a numeric value, the tester can inject SQL payloads that do not require quotes, such as "OR 1=1" or "UNION SELECT ...". This numeric injection directly exploits the vulnerability without needing quotes. Other options like encoding may be filtered, and second-order injection is contingent on another input point.

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A. Cross-Site Request Forgery (CSRF)
B. Insecure Direct Object Reference (IDOR)
   Correct. The scenario describes exactly this: direct manipulation of an object reference (user ID) to access other users' data without proper authorization.
C. SQL Injection
D. Cross-Site Scripting (XSS)

Why: Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal implementation object, such as a database key, without proper access control checks. The tester can manipulate the reference to access unauthorized data.

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

A. Inject shellcode into the buffer and redirect execution to it
B. Use a ROP chain to call mprotect() to make the stack executable, then jump to shellcode
C. Perform a return-to-libc attack to call system("/bin/sh")
   Correct. Return-to-libc bypasses DEP by reusing existing executable code in libc. Without ASLR, addresses are predictable, making this straightforward.
D. Use a heap spray to place shellcode at a known address and then trigger the overflow

Why: With DEP enabled, the tester cannot directly execute shellcode on the stack or heap. However, with ASLR disabled, the addresses of functions in libc are predictable. Return-to-libc (ret2libc) allows calling system functions like system() with controlled arguments, bypassing DEP.


Domain 4: Reporting and Communication

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

A. List the CVSS score and exploitability metrics
B. Describe the attack scenario and potential financial loss
   Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.
C. Provide the raw log entries showing the exploitation
D. Recommend a specific patch version

Why: Executive summaries should focus on business impact. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand risk in business terms.

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

A. OWASP Top 10
B. CVSS
   Correct. CVSS provides a standardized and widely accepted severity score for vulnerabilities.
C. CVE
D. NIST SP 800-115

Why: CVSS (Common Vulnerability Scoring System) is the industry-standard framework for assigning a severity score (0-10) to vulnerabilities, providing a consistent method for risk rating.

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

A. Executive Summary
B. Risk Assessment
C. Technical Findings
   Correct. This section is where remediation steps for each finding should be documented for the development team.
D. Appendices

Why: The Technical Findings section (often called Vulnerability Details or Technical Report) is where each vulnerability is described in depth, including its impact, proof of concept, and specific remediation steps. This is the section intended for technical staff to understand and fix the issue.

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

A. Include all raw data in the appendices of the final report
B. Provide the raw data in a separate, sanitized deliverable with a data handling agreement
   Correct. This approach protects confidentiality and allows the client to use the data responsibly.
C. Refuse to provide raw data to protect the confidentiality of the testing process
D. Provide the raw data only if the client signs a non-disclosure agreement

Why: Best practice is to provide raw data in a separate, sanitized deliverable with a data handling agreement. This ensures the client can verify findings while protecting the tester's methodology and any sensitive data that may be in the logs. Including everything in the report appendices is impractical and may leak proprietary information.

A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

A. A list of all tools used during the penetration test
B. The total number of vulnerabilities discovered and their average CVSS score
C. The number of critical and high-risk findings along with the average time to exploit them
   Correct. This gives executives a clear, non-technical view of the most pressing issues and how quickly an attacker could take advantage of them.
D. A detailed step-by-step exploitation walkthrough of one critical vulnerability

Why: Non-technical stakeholders like executives need high-level, business-impact-oriented metrics. The number of critical and high-risk findings provides a clear indication of the most significant security risks, while time-to-exploit gives context on how quickly an attacker could cause damage.

After a penetration test, the client's development team requests that the report include specific, actionable remediation steps for each vulnerability. Where in the report should this information be placed?

A. In the executive summary to emphasize the need for fixing vulnerabilities
B. In the appendix as a separate remediation checklist
C. Within the technical report section, under each vulnerability finding
   Correct. Each vulnerability finding should include a remediation subsection that provides clear, actionable steps for the responsible team.
D. In a separate document attached to the report to avoid cluttering the main report

Why: The technical findings section (often called 'Findings' or 'Technical Details') is the appropriate place for detailed remediation steps, including code examples, configuration changes, and patch recommendations. This section targets technical audiences such as developers and system administrators.


Domain 5: Tools and Code Analysis

A penetration tester wrote a Python script to automate HTTP request fuzzing. The script uses the 'requests' library to send payloads and checks for reflected content in the response. The tester wants to analyze the script for potential improvements. Which of the following code changes would MOST directly reduce false positives in detecting reflection?

A. Convert the response to lowercase before checking for reflection
   Correct. Case-insensitive matching reduces false positives caused by case differences in the reflected content.
B. Add a random delay between requests
C. Remove the User-Agent header from requests
D. Use a session object to maintain cookies

Why: Converting both the response and the payload to lowercase before comparing eliminates case-sensitivity issues, which are a common cause of false negatives and false positives when checking for reflected content.

A penetration tester is analyzing a PowerShell script used for post-exploitation on a Windows domain. The script contains the following line:

Invoke-Command -ComputerName $target -ScriptBlock { get-process -Name "explorer" }

What is the primary purpose of this command?

A. To start the Explorer process on a remote system
B. To check if a user is logged in on the remote system
   Correct. The presence of explorer.exe is a strong indicator of an interactive user session.
C. To enumerate running processes on the remote system
D. To execute a script block locally on the remote system

Why: The command uses Invoke-Command to run a script block remotely on the target system. The script block retrieves the process list and filters for 'explorer'. On Windows, the explorer.exe process is typically present only when a user is interactively logged in. Therefore, this command is used to check whether a user is logged in on the remote system.

A penetration tester wants to identify live hosts on a large internal network. Which Nmap option would be the FASTEST for initial host discovery?

A. -sV (Version detection)
B. -sS (SYN stealth scan)
C. -sn (Ping sweep)
   Correct. The -sn option uses minimal probes to determine host availability and is the fastest method for host discovery.
D. -A (Aggressive scan)

Why: The -sn option performs a ping sweep (ICMP echo, TCP ACK on port 80, etc.) and only reports which hosts are up, without scanning ports. It is the quickest method for mapping live hosts on a network.

A penetration tester writes a Python script to test an API for vulnerabilities. The script sends requests with multiple payloads and checks if the response contains an error message indicating a potential injection. Which of the following code snippets would BEST reduce false positives by verifying that the injected parameter is processed?

A. Check if the response status code is 500 for each payload
B. Compare the response time of the injected request to a baseline without injection
C. Check if the response contains a specific error message that is only triggered when the injection is successful
D. Compare the response of the injected request to the response of a benign request with the same parameter structure
   Correct. By comparing responses, the tester can confirm that the injection causes a different behavior than a normal request, reducing false positives.

Why: To accurately detect injection vulnerabilities, the tester should confirm that the injected payload affects the response differently than a benign baseline. Comparing the response from a payload injection to a baseline request (e.g., without injection) helps ensure that the error is caused by the injection and not a generic application error.

A penetration tester is reviewing a Python script that uses the `requests` library to send HTTP POST requests to a login endpoint. The script attempts to bypass authentication by sending SQL injection payloads in the username field. Which of the following code changes would MOST effectively help the tester identify successful injections by reducing false negatives?

A. Using a `requests.Session` object to maintain cookies across requests
B. Parsing the response for specific error messages such as 'SQL syntax' or 'mysql_fetch_array'
   Correct. This allows the script to confirm that the injection payload was processed by the database, reducing false negatives.
C. Implementing a random delay between requests to avoid rate limiting
D. Adding a function to automatically resend each payload multiple times

Why: A false negative occurs when a real vulnerability is not detected. Parsing the response for common SQL error messages (e.g., 'SQL syntax', 'mysql_fetch_array') helps confirm that the injection payload was processed and triggered a database error, thus reducing false negatives. Using a session object maintains state but does not improve detection. Adding delays prevents rate limiting but does not affect accuracy. Sending duplicate payloads may increase coverage but does not directly reduce false negatives.

A penetration tester writes a Python script to test for directory traversal vulnerabilities in a web application. The script uses the requests library to send a payload like '../../etc/passwd' and checks if the response contains the string 'root:'. However, the tester notices many false negatives because the application requires URL encoding of the dots and slashes. Which code modification would BEST improve the detection rate?

A. Increase the number of payloads in the list
B. URL-encode the payload using urllib.parse.quote()
   Correct. Proper URL encoding ensures the payload is correctly interpreted by the server, matching common attack vectors.
C. Check the HTTP status code instead of response content
D. Use raw sockets to send HTTP requests manually

Why: Directory traversal payloads often require URL encoding to bypass input filters. Using urllib.parse.quote() ensures the payload is properly encoded, which matches what a real attacker would do and reduces false negatives. Adding more payloads (option A) could help but does not address the encoding issue. Checking status codes (option C) is not reliable for detecting traversal success. Using raw sockets (option D) is unnecessary and adds complexity.


Frequently asked questions

How many questions are on the PT0-002 exam?

The PT0-002 exam has up to 85 questions and must be completed in 165 minutes. The passing score is 750/1000.

What types of questions appear on the PT0-002 exam?

The PT0-002 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are PT0-002 questions organised by domain?

The exam covers 5 domains: Planning and Scoping, Information Gathering and Vulnerability Scanning, Attacks and Exploits, Reporting and Communication, Tools and Code Analysis. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual PT0-002 exam questions?

No. These are original exam-style practice questions written against the official CompTIA PT0-002 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
