Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsPT0-002Flashcards
Free — No Signup RequiredCompTIA· Updated 2026

PT0-002 Flashcards — Free CompTIA PenTest+ PT0-002 Study Cards

Reinforce PT0-002 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1000+ study cards5 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

PT0-002 Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,000+ cards · All free

Domains

Information Gathering and Vulnerability Scanning
Planning and Scoping
Reporting and Communication
Attacks and Exploits
Tools and Code Analysis

How to use PT0-002 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For PT0-002 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the PT0-002 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your PT0-002 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real PT0-002 exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass PT0-002.

PT0-002 flashcard preview

Sample cards from the PT0-002 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

During a penetration test, you need to gather information about a target's email addresses and employee names without directly interacting with the target's systems. Which tool is most appropriate for this passive reconnaissance task?

Information Gathering and Vulnerability Scanning

theHarvester

theHarvester is an OSINT tool designed to gather emails, subdomains, IPs, and employee names from public sources like search engines and social media. Maltego is more for relationship mapping, Shodan for internet-facing devices, and Censys for certificate and network data.

2

A penetration tester is hired to assess the security of a company's internal network. The tester is given full network diagrams, credentials, and source code. Which type of penetration test is being performed?

Planning and Scoping

White box

White box testing provides the tester with full knowledge of the target environment, including credentials and documentation.

3

During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?

Reporting and Communication

Immediately notify the client of the critical finding and provide initial remediation steps.

Critical findings should be communicated to the client immediately to allow them to take urgent action, even before the formal report is delivered.

4

A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?

Attacks and Exploits

Responder with LLMNR/NBT-NS/mDNS poisoning

Responder poisons LLMNR/NBT-NS/mDNS to trick hosts into sending NTLM hashes to the attacker, capturing them without the attacker needing to authenticate.

5

During a penetration test, you are asked to identify all live hosts on a subnet. Which Nmap scan type is most likely to evade firewalls and determine if a host is up without completing the TCP handshake?

Tools and Code Analysis

SYN scan (-sS)

SYN scan (half-open) sends SYN packets and listens for SYN-ACK; it never completes the handshake, making it stealthier and useful for firewall evasion.

6

A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?

Using a search engine to find exposed documents

Passive reconnaissance involves gathering information without directly interacting with the target's systems. Using a search engine to find exposed documents (e.g., via Google dorking) relies on publicly indexed data, which does not send any packets to the target's infrastructure. This aligns with the definition of passive reconnaissance as it leverages third-party sources rather than engaging the target directly.

7

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

Using the 'site:' operator in a search engine query

Option B is correct because using the 'site:' operator in a search engine query (e.g., 'site:example.com') retrieves indexed subdomains from the search engine's cache without sending any packets to the target's network. This is a purely passive technique that leverages publicly available data, aligning with the definition of passive reconnaissance.

8

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP POST requests to a target URL with different payloads. The script also implements a retry mechanism with exponential backoff. What is the most likely purpose of this script?

Password spraying

The script sends HTTP POST requests with different payloads and implements a retry mechanism with exponential backoff. This behavior is characteristic of password spraying, where an attacker attempts a small number of common passwords against many usernames to avoid account lockouts. The exponential backoff helps evade rate-limiting and intrusion detection systems by gradually increasing delays between attempts.

9

A penetration tester is planning a red team exercise for a client. The client insists that the testing should not disrupt production systems and only target a replicated staging environment. However, the tester believes that testing the production environment is necessary for realistic adversary simulation. What is the MOST appropriate course of action?

Negotiate with the client to include some production systems, explaining the value, and document agreed scope

While the client's restriction must be respected, it is appropriate to negotiate with the client to include some production systems by explaining the value of realistic adversary simulation. Ultimately, the scope must be agreed upon and documented, so negotiating for a limited production scope is the best course of action.

10

You are conducting a penetration test on a web application that uses a JavaScript challenge-response authentication mechanism. During testing, you notice that the client-side JavaScript code is heavily obfuscated and includes a function that seems to compute a token based on user input and a server-provided nonce. Your goal is to bypass the authentication by generating valid tokens without interacting with the server's intended logic. You have extracted the obfuscated JavaScript and used a beautifier to make it more readable, but the logic is still complex. Which of the following approaches is most likely to succeed in bypassing the authentication?

Use a JavaScript debugger to dynamically analyze the obfuscated function and replicate its token generation

Option B is correct because using a JavaScript debugger allows you to step through the obfuscated code, understand the token generation logic, and replicate it locally to generate valid tokens without interacting with the server's intended logic. Option A is incorrect because replaying a token with a new nonce will likely fail since the token generation depends on both the input and the nonce; the server will compute a different token. Option C is incorrect because sending random tokens has a negligible probability of matching the correct token. Option D is incorrect because brute-forcing all possible token values is impractical unless the token space is small, which is unlikely for a secure challenge-response mechanism.

11

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

Technical Findings

The Technical Findings section provides the detailed, step-by-step reproduction steps and root cause analysis that the security engineer needs. This section includes specific commands, payloads, and configurations that led to the vulnerability, enabling the engineer to understand and verify the issue. The Executive Summary and Methodology sections do not contain this level of technical detail.

12

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

Provide a step-by-step guide including commands, patches, and configuration changes

Option B is correct because a penetration test report must provide actionable remediation that the client can implement immediately. A step-by-step guide with specific commands, patch identifiers, and configuration changes ensures the client can verify and apply the fix without ambiguity, which is critical for a high-severity vulnerability.

13

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

Exclude the cloud provider's assets from the scope and update the rules of engagement

The correct action is to exclude the cloud provider's assets from the scope and update the rules of engagement (ROE). Penetration testing without explicit authorization from the asset owner violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The ROE must clearly define the scope to avoid testing third-party infrastructure that the client does not own or have permission to test.

14

A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?

Web application vulnerability assessment

The application is not yet connected to the internet, so an external network penetration test (which targets internet-facing assets) is irrelevant. An internal network penetration test focuses on the internal LAN infrastructure, not the application itself. A web application vulnerability assessment is the correct scope because it directly examines the application's code, logic, and configurations for flaws such as SQL injection, XSS, and authentication bypasses, regardless of network connectivity.

15

A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?

Only the test server and the mobile application client

Option B is correct because the scope of a penetration test for an application still in development should be limited to the test server and the mobile application client. This ensures the assessment focuses on the application's security posture without including production systems that are not yet live or the corporate VPN infrastructure, which is typically out of scope unless explicitly requested. The tester should only evaluate the components directly relevant to the application's functionality and security during development.

16

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

The target must have the same local admin password hash

Pass-the-hash (PtH) attacks exploit the NTLM challenge-response authentication mechanism. When a target has the same local administrator password hash as the compromised host, the attacker can use the captured hash to authenticate to the target without knowing the plaintext password. This works because Windows caches the password hash in LSASS, and tools like Mimikatz can extract it for replay.

17

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list

Option C is correct because failing to inform the MSSP could trigger automated incident response actions (e.g., IPS blocking, SIEM alerting, or even network isolation) that disrupt the test and potentially cause false-positive security incidents. Coordinating a maintenance window or exclusion list ensures the MSSP's monitoring tools (like Snort, Suricata, or proprietary NDR) do not interfere with legitimate test traffic, preserving both test integrity and the client's operational security.

18

A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?

Add a clause requiring the client to whitelist the tester's MAC address in the NAC policy before testing.

Option D is correct because whitelisting the tester's MAC address in the NAC policy allows the tester's machine to connect to the internal network without being blocked, while keeping the NAC solution active for other devices. This approach preserves the real-world security posture of the client's environment and ensures the tester can perform internal network assessments as scoped. It is a standard practice in penetration testing to request MAC address whitelisting to avoid false positives from NAC enforcement.

19

A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?

Use the '!' command within 'less' to execute a shell.

The 'less' binary, when executed with sudo, retains its ability to spawn a shell via the '!' command. Since the user can run 'less' as root without a password, typing '!/bin/bash' (or simply '!bash') inside 'less' will execute a shell with root privileges, effectively escalating to root.

20

A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?

The exact location of a JMP ESP instruction in memory

The script performs a buffer overflow attack by overwriting a return address. To redirect execution to attacker-controlled shellcode, the tester must overwrite the return address with the address of a JMP ESP instruction (or equivalent) that is reliably located in memory. Without this address, the overwritten return pointer will cause a crash or unpredictable behavior, making exploitation impossible.

21

A penetration tester is analyzing a Python script used during a test. The script contains the following code: 'import requests; r = requests.get('http://target', headers={'User-Agent': 'Mozilla/5.0'}); print(r.text)'. What is the primary purpose of setting the User-Agent header in this script?

To mimic a legitimate browser to evade detection by web application firewalls.

Setting the User-Agent header to 'Mozilla/5.0' makes the HTTP request appear to originate from a standard web browser rather than a Python script. This helps evade detection by web application firewalls (WAFs) and other security controls that may block or flag requests with non-browser User-Agent strings, which are common indicators of automated or malicious traffic.

22

A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?

Obtain written authorization from the third-party API provider

Option B is correct because the penetration tester must obtain explicit written authorization from the third-party API provider before testing. Without this, testing the API endpoint could violate the Computer Fraud and Abuse Act (CFAA) or similar laws, as the tester would be accessing a system they do not own or have contractual permission to test. The client's scope inclusion does not grant legal access to the third-party's infrastructure.

23

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

Encode the payload in Base64 and use DNS tunneling to execute commands

Option B is correct because DNS tunneling encapsulates non-DNS traffic (e.g., command output) within DNS query and response packets, which are allowed through the firewall on UDP port 53. This technique bypasses the outbound firewall restriction by making the malicious traffic appear as legitimate DNS queries, enabling the tester to execute commands and exfiltrate data without triggering network-level blocks.

Study all 1000+ PT0-002 cards

PT0-002 flashcards by domain

The PT0-002 flashcard bank covers all 5 official blueprint domains published by CompTIA. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Information Gathering and Vulnerability Scanning

~1 cards

Planning and Scoping

~1 cards

Reporting and Communication

~1 cards

Attacks and Exploits

~1 cards

Tools and Code Analysis

~1 cards

Flashcards vs practice tests: which is better for PT0-002?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that PT0-002 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.PT0-002 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective PT0-002 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

PT0-002 flashcards — frequently asked questions

Are the PT0-002 flashcards free?

Yes. Courseiva provides free PT0-002 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many PT0-002 flashcards are on Courseiva?

Courseiva has 1000+ original PT0-002 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official CompTIA exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official PT0-002 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use PT0-002 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your PT0-002 flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains

Related Flashcards

CS0-003SY0-701CEH

Related Flashcard Sets

CS0-003

CompTIA CySA+

SY0-701

CompTIA Security+

CEH

EC-Council CEH

Browse all certifications →