CompTIA PenTest+ PT0-002 (PT0-002) — Questions 175

509 questions total · 7 pages · All types, answers revealed

Page 1 of 7

Question 1 (MCQ, hard)

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

A. The scanner used a payload that caused a different error unrelated to SQL injection
B. The scanner detected a stored XSS instead
C. The scanner matched a generic error message that is not specific to SQL injection
D. The scanner tested a different parameter than what was reported

Answer: C

Scanners often use keyword matching and will flag any page that returns a database error string, even if the vulnerability does not exist.

Why this answer

A vulnerability scanner often relies on pattern matching in HTTP responses to flag SQL injection. If the application returns a generic error message (e.g., 'An error occurred') after sending a malicious payload, the scanner may incorrectly classify it as SQL injection. However, because the application uses parameterized queries, the payload is safely handled, and the error is unrelated to SQL syntax — making this a classic false positive caused by generic error message matching.

Exam trap

The trap here is that candidates assume a scanner's SQL injection flag must be caused by an actual SQL error, when in fact scanners often rely on generic error message patterns that can be triggered by any application exception.

How to eliminate wrong answers

Option A is wrong because a payload causing a different error unrelated to SQL injection would still require the scanner to misinterpret that error as SQL injection, which is essentially the same mechanism as matching a generic error message; the core issue is the scanner's inability to distinguish error types, not the error's origin. Option B is wrong because stored XSS would manifest as injected script execution in stored content, not as an SQL injection flag from a vulnerability scanner; the scanner would need to detect script reflection or execution, not an SQL error pattern.

Question 2 (MCQ, medium)

You are performing a web application penetration test for a client that uses a custom content management system (CMS). During the initial reconnaissance, you identify that the CMS has a file upload feature that accepts JPEG images. You suspect that the application may be vulnerable to unrestricted file upload, allowing you to upload a malicious PHP script to gain remote code execution. However, the application validates file extensions and checks the MIME type of the uploaded file. You have access to Burp Suite and a Python environment. Which of the following approaches is most likely to successfully bypass the file upload restrictions and achieve remote code execution?

A. Change the file extension to .php.jpg and submit using Burp Repeater
B. Encode the PHP payload in base64 and submit it as a JPEG file
C. Use curl with --data-binary to send a raw PHP payload with a proper JPEG content-type header
D. Create a polyglot file that starts with JPEG magic bytes but contains PHP code at the end, and upload with a .php extension

Answer: D

Polyglot files can pass MIME type checks while containing executable code.

Why this answer

Option D is correct because appending PHP code to a valid JPEG image (a polyglot) can bypass MIME type checks and extension filters if the application only inspects the magic bytes. Option A is wrong because changing the extension to .php.jpg will likely be rejected by the extension whitelist. Option C is wrong because curl's --data-binary is not designed for file upload with multipart/form-data.

Option B is wrong because base64 encoding the payload does not change the content type, and the payload will still be detected as PHP.

Question 3 (MCQ, easy)

Refer to the exhibit. A penetration tester gained a Meterpreter session on a Windows server. Which of the following should the tester include in the report to provide the most actionable remediation advice?

A. That SYSTEM-level access was achieved on the server.
B. The command used to gain the session.
C. The username 'NT AUTHORITY\SYSTEM' as a local user.
D. The operating system and architecture details.

Answer: A

This indicates full control and requires immediate attention.

Why this answer

Option A is correct because the session shows SYSTEM-level access, indicating a critical compromise. Option B is wrong because merely listing the command used is not actionable. Option C is wrong because it only restates the user details already shown by getuid.

Option D is wrong because the operating system and architecture are general system information, not remediation advice.

Question 4 (MCQ, medium)

A penetration tester is analyzing a PowerShell script that contains the following code: Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State What is the primary purpose of this script?

A. Enumerate all installed services to find vulnerable applications
B. Identify services that run with elevated privileges
C. List services that have unquoted paths in their binary path
D. Check for services with weak file permissions

Answer: C

The wildcard pattern '* *' catches paths with spaces, which is the hallmark of an unquoted service path vulnerability. The script identifies such services for further analysis.

Why this answer

The script uses Get-WmiObject to query the Win32_Service class, then filters with Where-Object where the PathName property contains a space (the -like '* *' pattern). This specifically targets services whose binary path includes a space but is not enclosed in quotes, a classic unquoted service path vulnerability. The Select-Object then outputs the service name, path, and state, making option C the correct answer.

Exam trap

The exam often tests the distinction between enumerating services for unquoted paths and checking for weak permissions or privilege levels; the trap here is that candidates may confuse the path format check with a security permission audit.

How to eliminate wrong answers

Option A is wrong because the script does not check for vulnerabilities in the services themselves; it only looks at the path format. Option B is wrong because the script does not filter or check for elevated privileges (e.g., LocalSystem account); it simply lists services with unquoted paths regardless of privilege level. Option D is wrong because the script does not examine file permissions (e.g., using Get-Acl or checking weak DACLs); it only inspects the path string for spaces.

Question 5 (MCQ, easy)

A penetration tester is tasked with exploiting a web application that uses an insecure deserialization vulnerability. Which type of attack should the tester primarily use to execute arbitrary code on the server?

A. Cross-site scripting (XSS)
B. SQL injection
C. Malicious object deserialization
D. Cross-site request forgery (CSRF)

Answer: C

Insecure deserialization allows an attacker to supply crafted objects that execute arbitrary code upon deserialization.

Why this answer

Insecure deserialization vulnerabilities occur when an application deserializes untrusted data without proper validation, allowing an attacker to manipulate serialized objects. By crafting a malicious object (e.g., a PHP gadget chain or a Java serialized object with a custom readObject() method), the tester can trigger arbitrary code execution on the server during the deserialization process. This directly aligns with option C, as the attack vector is the deserialization of a malicious object.

Exam trap

CompTIA often tests the misconception that insecure deserialization is a form of injection (like SQLi or XSS), but the key distinction is that the attack exploits the deserialization process itself, not input validation or user-triggered actions.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) exploits client-side script injection in the browser, not server-side code execution via deserialization. Option B is wrong because SQL injection targets database queries through input fields, not the deserialization of serialized objects. Option D is wrong because cross-site request forgery (CSRF) forces a user to perform unintended actions on a web application, not execute arbitrary code on the server through deserialization.

Question 6 (MCQ, hard)

A contract prohibits DoS testing, but a tester finds a WAF that could be tested with a technique resembling slowloris. What is the best course of action?

A. Use a different technique, such as a buffer overflow
B. Proceed with a slowloris attack
C. Send a single malformed HTTP request and observe
D. Request a scope change to include DoS testing

Answer: D

It is proper to obtain permission before testing.

Why this answer

Option D is correct because the tester should request a scope change to include DoS testing after explaining the risk. Option B is wrong because it violates the contract. Option C is wrong because even a single request might be considered excessive.

Option A is wrong because switching to a different technique does not address the prohibition.

Question 7 (MCQ, medium)

A penetration testing firm is hired to assess a client's network that includes both internal servers and external cloud-based services. The client wants to test only the internal network due to compliance concerns about testing cloud infrastructure. Which of the following should the penetration tester MOST strongly emphasize during the scoping meeting?

A. That cloud services are often the most vulnerable and should be included for a thorough test
B. That the test will not provide a complete risk picture without cloud components
C. That the client can always test cloud services later in a separate engagement
D. That compliance concerns are unfounded and the test should proceed anyway

Answer: B

This emphasizes the scope gap and ensures stakeholders understand that the assessment will be partial.

Why this answer

Option B is correct because the scope of a penetration test directly determines the validity of its risk assessment. Excluding cloud services creates a significant blind spot, as the client's attack surface includes both internal servers and external cloud-based services; without testing the cloud components, the test cannot provide a complete risk picture. The penetration tester must emphasize this limitation during scoping to ensure the client understands that the final report will not reflect the full security posture of their hybrid environment.

Exam trap

The trap here is that candidates may choose Option A because it sounds technically aggressive and 'security-first,' but the PT0-002 exam tests the ability to prioritize scoping discussions based on client-defined constraints and risk communication, not on unsupported claims about vulnerability prevalence.

How to eliminate wrong answers

Option A is wrong because it makes an unsubstantiated claim that cloud services are 'often the most vulnerable,' which is not a universal truth and distracts from the core scoping issue: the client's compliance concerns, not relative vulnerability. Option C is wrong because it suggests deferring cloud testing to a separate engagement, which fails to address the immediate need for a holistic risk assessment and may lead to fragmented, less actionable results; the tester's role is to advocate for complete coverage within the current engagement's constraints.

Question 8 (MCQ, hard)

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?

A. Kernel exploit
B. SUID binary exploitation
C. Cron job script manipulation
D. Password cracking

Answer: C

Since the script is world-writable and run as root, the tester can insert a reverse shell or other commands to gain root access when the cron job fires.

Why this answer

Option C is correct because the cron job runs as root and the script /opt/backup.sh is world-writable, meaning any user can modify it. By injecting a reverse shell or privilege escalation command into the script, the tester can execute arbitrary code with root privileges when the cron job triggers. This is a classic cron job script manipulation attack, leveraging the scheduled task's root execution context.

Exam trap

The trap here is that candidates may overthink and choose a kernel exploit or SUID attack, overlooking the simpler and more direct vector of modifying a world-writable script executed by a privileged cron job.

How to eliminate wrong answers

Option A is wrong because kernel exploits target vulnerabilities in the Linux kernel to gain root, but the scenario provides a direct, simpler path via a writable cron script; kernel exploits are unnecessary and risk system instability. Option B is wrong because SUID binary exploitation involves finding a setuid-root binary that can be abused to run commands as root, but no such binary is mentioned; the vulnerability here is the writable script, not a misconfigured SUID file.

Question 9 (MCQ, medium)

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

A. smb-vuln-ms17-010.nse
B. smb-enum-shares.nse
C. smb-os-discovery.nse
D. smb-enum-users.nse

Answer: A

This script sends probes to test for the MS17-010 vulnerability; it is the direct tool for identifying EternalBlue.

Why this answer

The smb-vuln-ms17-010.nse script is specifically designed to check for the EternalBlue vulnerability (MS17-010) by sending crafted SMB transactions to trigger a known response pattern, without exploiting the vulnerability itself. This makes it ideal for stealthy detection because it does not execute the actual exploit code that would cause a crash or generate an alert in a properly monitored environment.

Exam trap

The trap here is that candidates may confuse general SMB enumeration scripts (like smb-enum-shares or smb-os-discovery) with vulnerability-specific scripts, assuming any SMB script can detect EternalBlue, when only the dedicated ms17-010 script performs the necessary non-exploitative probe.

How to eliminate wrong answers

Option B (smb-enum-shares.nse) is wrong because it enumerates shared folders and their permissions, not vulnerability detection; it cannot determine if the host is vulnerable to EternalBlue. Option C (smb-os-discovery.nse) is wrong because it attempts to retrieve the Windows operating system version via SMB, which may provide context but does not test for the specific MS17-010 vulnerability.

Question 10 (MCQ, easy)

A penetration tester has completed a network penetration test for a large financial institution. The client has requested a report that includes details for both technical staff and executive management. The tester has written a single report with a technical focus, including raw CLI outputs and exploit code. During the review, the chief information security officer (CISO) expresses confusion about the overall risk posture and wants a concise summary. Which action should the tester take to best address the CISO's concerns?

A. Schedule a meeting to walk through the technical details.
B. Remove all technical details and replace them with high-level statements.
C. Provide a separate document with only the executive summary.
D. Add an executive summary at the beginning that highlights critical risks and business impact.

Answer: D

This integrates both audiences; the executive summary gives a high-level view and technical sections remain for staff.

Why this answer

Adding an executive summary directly in the report provides a concise, business-oriented overview that addresses the CISO's needs while retaining technical details for staff.

Question 11 (MCQ, easy)

A company wants to test the security of their internet-facing web application without impacting production servers or user data. The tester must be authorized to attempt authentication bypass and SQL injection. Which item is most critical to include in the scope definition to ensure the test is focused and lawful?

A. A list of user accounts with credentials for authenticated testing
B. A list of target URLs and IP addresses of the web application
C. A detailed testing schedule and hours of operation
D. The testing methodology and tools to be used

Answer: B

This directly defines the boundaries of the test, ensuring the tester confines attacks to the agreed systems.

Why this answer

Option B is correct because the scope definition must explicitly list target URLs and IP addresses to establish legal authorization boundaries and prevent unintended access to production systems. Without precise targets, the tester could inadvertently impact non-authorized systems, violating the rules of engagement and potentially causing data breaches or service disruption.

Exam trap

The trap here is that candidates confuse operational details (like credentials or schedules) with the legal and technical boundaries required to keep testing lawful and focused, leading them to pick options that are useful but not critical for scope definition.

How to eliminate wrong answers

Option A is wrong because providing user accounts with credentials is not a scope definition item; it is a test execution detail that may be included in the rules of engagement but does not define the lawful boundaries of testing. Option C is wrong because a detailed testing schedule and hours of operation, while useful for coordination, do not define the scope of systems under test and thus do not ensure the test is focused and lawful.

Question 12 (MCQ, hard)

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

A. Inject shellcode into the buffer and redirect execution to it
B. Use a ROP chain to call mprotect() to make the stack executable, then jump to shellcode
C. Perform a return-to-libc attack to call system("/bin/sh")
D. Use a heap spray to place shellcode at a known address and then trigger the overflow

Answer: C

Return-to-libc bypasses DEP by reusing existing executable code in libc. Without ASLR, addresses are predictable, making this straightforward.

Why this answer

With DEP enabled, the stack is non-executable, so injecting shellcode directly into the buffer (Option A) would fail. Since ASLR is disabled, library addresses are fixed, making a return-to-libc attack viable. Option C exploits this by overwriting the return address with the address of system() and placing the string "/bin/sh" in memory, achieving code execution without needing an executable stack.

Exam trap

The trap here is that candidates often assume DEP alone forces the use of ROP chains, but when ASLR is disabled, a simpler return-to-libc attack is more effective and directly achieves code execution without the complexity of building a ROP chain.

How to eliminate wrong answers

Option A is wrong because DEP marks the stack as non-executable, so any shellcode injected into the buffer will cause a segmentation fault when the CPU tries to execute it. Option B is wrong because while a ROP chain to call mprotect() could make the stack executable, it is more complex and unnecessary when ASLR is disabled; a simpler return-to-libc attack directly achieves code execution. Option D is wrong because heap spray is typically used to bypass ASLR by placing shellcode at a predictable heap address, but ASLR is already disabled, making this technique overcomplicated and less direct than a return-to-libc attack.

Question 13 (MCQ, hard)

A large enterprise hires your firm to perform a penetration test on a new cloud-based product that integrates with several third-party services. The product is built on AWS and uses serverless functions (Lambda), API Gateway, DynamoDB, and S3. The client provides you with access to a staging environment that mirrors production in architecture but with relaxed security controls: the staging environment has less restrictive security groups, enabled debugging endpoints, and broad IAM permissions. The client insists that the staging environment is sufficient for testing and that production testing is not allowed due to compliance constraints. What is the best recommendation?

A. Propose a limited production test during a maintenance window, accepting the compliance risk.
B. Request that the staging environment be reconfigured to match production security controls, then test.
C. Refuse to proceed until production access is granted.
D. Test the staging environment as is and note the differences in the final report.

Answer: B

This ensures valid results without violating compliance.

Why this answer

Testing a non-representative environment may produce false positives or miss real vulnerabilities. The correct approach is to align the staging environment to production as closely as possible. Option D may lead to inaccurate conclusions; C is too rigid; A violates compliance and is likely not feasible.

Question 14 (MCQ, medium)

A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?

A. Include a requirement that the client disables NAC during the testing window.
B. State that the tester will not connect to the internal network and will only test externally.
C. Specify that the tester will bypass NAC as part of the test objectives.
D. Add a clause requiring the client to whitelist the tester's MAC address in the NAC policy before testing.

Answer: D

Whitelisting the tester's MAC address allows the NAC to recognize the testing device as authorized, preventing service disruption without weakening overall security.

Why this answer

Option D is correct because whitelisting the tester's MAC address in the NAC policy allows the tester's machine to connect to the internal network without being blocked, while keeping the NAC solution active for other devices. This approach preserves the real-world security posture of the client's environment and ensures the tester can perform internal network assessments as scoped. It is a standard practice in penetration testing to request MAC address whitelisting to avoid false positives from NAC enforcement.

Exam trap

The trap here is that candidates may assume disabling NAC (Option A) is the simplest solution, but the exam tests whether you understand that altering security controls during a test can invalidate the assessment's realism and that proper scoping requires minimal disruption to the client's environment.

How to eliminate wrong answers

Option A is wrong because disabling NAC entirely would alter the security posture of the client's network, potentially allowing the tester to bypass a control that would normally be present, which does not reflect a realistic attack scenario and may violate the integrity of the test. Option B is wrong because the client specifically engaged the tester to evaluate the security of their internal network, and testing only externally would fail to meet the scope and objectives of the engagement. Option C is wrong because specifying that the tester will bypass NAC as a test objective implies that the tester will attempt to circumvent the NAC solution, which is a separate attack vector and not a scoping or rules-of-engagement measure to address the potential blocking issue; it also risks disrupting the client's network or violating the rules of engagement if not explicitly authorized.

Question 15 (MCQ, hard)

A penetration tester is conducting a vulnerability scan of a web application that uses a custom API framework. The scanner reports several potential SQL injection vulnerabilities, but manual testing confirms they are false positives. The tester suspects the scanner is misinterpreting input validation. Which of the following is the most likely reason for these false positives?

A. The scanner used a payload that was blocked by a Web Application Firewall (WAF) before reaching the application
B. The application reflects the injected payload in error messages or response content, causing the scanner to think the injection succeeded
C. The scanner used outdated signatures that do not match the custom API's input validation logic
D. The application returns a generic 'Invalid input' message for all types of invalid input, confusing the scanner

Answer: B

Many scanners check if the payload appears in the response (e.g., error messages containing SQL syntax). If the application echoes back the input without executing it, the scanner may misinterpret this as a successful injection.

Why this answer

Option B is correct because the scanner likely detected the injected payload reflected in the application's response (e.g., in an error message or echoed input), which it interpreted as successful SQL execution. In custom API frameworks, input validation may reject the payload but still reflect it back in the response, causing the scanner to flag a false positive. Manual testing confirms the injection fails, so the reflection is merely a side effect of the API's error handling, not a sign of database interaction.

Exam trap

The trap here is that candidates confuse 'reflected input' (which causes false positives) with 'stored input' or actual SQL error messages, assuming any reflection indicates a vulnerability, when in fact the scanner's heuristic is flawed for custom APIs that echo back sanitized input.

How to eliminate wrong answers

Option A is wrong because a WAF blocking the payload would typically result in a different HTTP response (e.g., 403 Forbidden or a custom block page), not a false positive; the scanner would likely report the request as blocked or fail to get a response, not misinterpret a reflection. Option C is wrong because outdated signatures would more likely cause missed vulnerabilities (false negatives) rather than false positives; the issue here is the scanner's detection logic, not signature age. Option D is wrong because a generic 'Invalid input' message would actually reduce false positives, as the scanner would not see a reflection of its payload; the problem is the opposite—the API reflects the payload, which the scanner misinterprets as success.

Question 16 (MCQ, hard)

During a vulnerability scan of a web application, a tester receives an HTTP response with a '405 Method Not Allowed' error when trying to use a PUT request. What does this indicate about the web server's configuration?

A. The server blocks the PUT method for that specific URI.
B. The PUT method is allowed but the resource does not exist.
C. The server does not support the PUT method.
D. The request was malformed and rejected.

Answer: A

405 precisely means the method is not allowed for the requested resource.

Why this answer

A 405 Method Not Allowed error indicates that the server recognized the PUT method as valid but has explicitly disallowed it for the requested URI. This is a server-level access control configuration, often enforced via web server directives (e.g., Apache's `<LimitExcept>` or IIS's request filtering) or application-level routing rules. The tester's PUT request reached the server and was processed, but the server's configuration prevented it from being fulfilled for that specific endpoint.

Exam trap

The trap here is that candidates often confuse a 405 Method Not Allowed with a 501 Not Implemented, mistakenly thinking the server lacks PUT support entirely, when in fact the server supports PUT but has been configured to deny it for that specific URI.

How to eliminate wrong answers

Option B is wrong because a 405 error is not returned when a resource does not exist; that scenario would typically produce a 404 Not Found, regardless of the HTTP method used. Option C is wrong because if the server did not support the PUT method at all, it would likely return a 501 Not Implemented error, not a 405. Option D is wrong because a malformed request would result in a 400 Bad Request error, not a 405, which is specifically about the method being disallowed for the target resource.

Question 17 (MCQ, hard)

A penetration tester is finalizing a report and needs to ensure that sensitive data discovered during the test (e.g., password hashes, PII) is handled appropriately. Which of the following is the BEST practice?

A. Sanitize the data by redacting or replacing with placeholders.
B. Destroy all copies of sensitive data after the test and do not include any.
C. Present the data only in the oral debrief, not in written form.
D. Include the raw data in an encrypted appendix for the technical team.

Answer: A

Sanitization reduces risk while still conveying the finding.

Why this answer

Option A is correct because sensitive data should be sanitized (e.g., redacted, hashed) in the report to protect confidentiality. Option D is wrong because including raw data, even in an encrypted appendix, increases risk. Option B is wrong because destroying all data may be counterproductive if the client needs it, and leaving it out entirely might hide important context.

Option C is wrong because an oral-only debrief leaves no written record of the finding for the client to act on.

Question 18 (MCQ, easy)

A penetration tester runs the following command: nmap -sS -p 1-65535 -T4 -A -O --reason target. What is the primary purpose of the -A option in this command?

A. Enables OS detection, version detection, script scanning, and traceroute.
B. Sets the timing template to aggressive (level 4).
C. Enables aggressive scanning that is more likely to be detected by the target.
D. Performs a SYN (half-open) scan.

Answer: A

-A is an aggregate flag that combines several scanning techniques to provide detailed information about the target's operating system, running services, and other characteristics.

Why this answer

The -A option in nmap is a composite flag that enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) in a single switch. This is explicitly documented in nmap's man page and is designed to provide comprehensive reconnaissance in one command, making option A correct.

Exam trap

The trap here is that candidates confuse the 'aggressive' label of -A with nmap's timing templates (e.g., -T4 or -T5), which are actually named 'aggressive' and 'insane' in the documentation, leading them to incorrectly associate -A with scan speed or detectability rather than its true composite functionality.

How to eliminate wrong answers

Option B is wrong because the -T4 flag, not -A, sets the timing template to aggressive (level 4); -A does not control timing. Option C is wrong because while -A does enable 'aggressive' scanning in the sense of combining multiple scan types, the term 'aggressive scanning' in nmap specifically refers to timing templates (e.g., -T4 or -T5), not the -A option, and -A does not inherently make the scan more detectable than other scan combinations.

Question 19 (MCQ, medium)

A client wants a penetration test that simulates an external threat actor with no prior access. The client provides a list of public IP ranges and domain names. Which type of test is this?

A. External black-box test.
B. Internal white-box test.
C. Gray-box test.
D. Red team exercise.

Answer: A

Black-box testing means the tester has no inside knowledge; external means testing from outside the network perimeter. This matches the scenario of simulating an external threat actor.

Why this answer

This is an external black-box test because the client provides only public IP ranges and domain names, simulating an external threat actor with no prior access. The tester has no internal knowledge or credentials, which defines a black-box approach, and the scope is limited to external-facing assets, making it external.

Exam trap

The trap here is confusing 'external' with 'black-box'—candidates may think a gray-box test is appropriate because the client provides some information, but the key is that no internal access or credentials are given, which strictly defines a black-box test.

How to eliminate wrong answers

Option B is wrong because an internal white-box test assumes the tester has full knowledge of the internal network, including credentials and architecture, which contradicts the 'no prior access' requirement. Option C is wrong because a gray-box test typically provides partial internal knowledge (e.g., credentials or network diagrams), which is not the case here as the client only gives public IP ranges and domain names.

20
Matchingmedium

Match each reporting element to its description.

High-level overview for non-technical management

Detailed steps and tools used during testing

List of vulnerabilities with severity ratings

Recommended actions to fix vulnerabilities

Raw logs, scripts, and supporting evidence

Why these pairings

A penetration testing report typically includes these sections.

21
MCQhard

A penetration tester is performing information gathering on a large organization that uses split-DNS architecture, with internal and external DNS servers. The tester wants to discover internal hostnames without performing any active scans that might trigger detection controls. The tester has obtained the organization's domain name from public WHOIS records. Which of the following techniques would be MOST effective in discovering internal hostnames passively?

A.Run a DNS brute force attack using a common subdomain wordlist
B.Use search engines with site:domain.com to find cached pages with internal references
C.Query the organization's TLS certificate transparency logs for subdomains
D.Perform a DNS zone transfer attempt from the external DNS server
AnswerC

CT logs provide a passive source of subdomain information.

Why this answer

Option C is correct because certificate transparency logs often list all subdomains with publicly trusted SSL certificates, including internal ones. Option D (zone transfer) is active and likely to be blocked. Option B (search engines) may find some hostnames but is not comprehensive. Option A (DNS brute force) is active and noisy.

22
Drag & Dropmedium

Drag and drop the steps to perform a wireless network audit using aircrack-ng into the correct order.

Why this order

Wireless auditing requires monitor mode, packet capture, handshake capture, cracking, and verification.

23
MCQeasy

A company needs to test the security of its web application without causing any service disruption. Which testing methodology is most appropriate to include in the scope?

A.Automated vulnerability scanning with a high intensity profile
B.Black-box penetration testing against the production environment
C.White-box code review and static analysis
D.Gray-box penetration testing with a read-only account
AnswerC

Does not interact with live environment.

Why this answer

Option C is correct because white-box code review and static analysis do not interact with the live environment, minimizing disruption. Option B is wrong because black-box testing may involve active scanning that could cause performance issues. Option D is wrong because gray-box testing still involves active testing against the live application. Option A is wrong because high-intensity scanning can cause denial of service.

24
MCQeasy

A penetration tester is hired to perform a security assessment of a small business. The business has a single website hosted on a shared server, and the tester wants to identify the content management system (CMS) and plugins used without sending any traffic that might alert the hosting provider. The tester has no previous knowledge of the website. Which of the following techniques would be BEST for this task?

A.Perform a full TCP port scan with nmap on the server's IP
B.Use the Wayback Machine to view cached historical pages
C.Use the 'view page source' feature after browsing the site normally
D.Submit the website URL to a vulnerability scanner like OpenVAS
AnswerB

Wayback Machine archives are passive; no traffic is sent to the target.

Why this answer

Option B is correct because the Wayback Machine provides historical snapshots of the website without sending any current traffic to the target. Option A (full port scan) is active and likely to be detected. Option D (vulnerability scanner) actively probes the server. Option C (view page source) requires making an HTTP request to the site, which is active traffic.

25
MCQeasy

Refer to the exhibit. A penetration tester is scoping a test and needs to reach a host at 10.0.1.50. Through which interface will traffic be routed?

A.The route is ambiguous
B.eth0
C.eth2
D.eth1
AnswerC

The 10.0.1.0/24 route directly matches 10.0.1.50.

Why this answer

The most specific route matches the destination. 10.0.1.50 falls within the 10.0.1.0/24 network (Genmask 255.255.255.0), which is routed via eth2. The default route via eth0 and the broader 10.0.0.0/8 route via eth1 are less specific.
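The longest-prefix selection the explanation describes, as an added Go example that is not part of the original question bank. Because the exhibit is not reproduced on this page, the `route -n` listing inside the block is constructed from the explanation (the 192.0.2.1 gateway and the metrics are assumptions).

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// routeTable is a constructed `route -n` listing that reproduces what the
// explanation says about the exhibit: a default route via eth0, 10.0.0.0/8
// via eth1 and 10.0.1.0/24 via eth2. Gateway and metrics are assumed.
const routeTable = `Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2`

// route is one parsed entry: the destination network and its egress interface.
type route struct {
	network *net.IPNet
	iface   string
}

// parseRouteTable parses `route -n` style output into route entries, skipping
// the banner and header lines and rejecting malformed addresses or masks.
func parseRouteTable(text string) ([]route, error) {
	var routes []route
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 8 || f[0] == "Destination" {
			continue
		}
		dst := net.ParseIP(f[0]).To4()
		mask := net.ParseIP(f[2]).To4() // Genmask column
		if dst == nil || mask == nil {
			return nil, fmt.Errorf("bad route line: %q", line)
		}
		routes = append(routes, route{
			network: &net.IPNet{IP: dst, Mask: net.IPMask(mask)},
			iface:   f[7],
		})
	}
	return routes, nil
}

// egressInterface applies longest-prefix matching: among the routes whose
// network contains dst, the one with the longest Genmask wins. A /0 default
// route therefore only wins when nothing more specific matches.
func egressInterface(routes []route, dst string) (string, error) {
	ip := net.ParseIP(dst)
	if ip == nil {
		return "", fmt.Errorf("invalid destination %q", dst)
	}
	best, bestBits := "", -1
	for _, r := range routes {
		if !r.network.Contains(ip) {
			continue
		}
		bits, _ := r.network.Mask.Size()
		if bits > bestBits {
			best, bestBits = r.iface, bits
		}
	}
	if bestBits < 0 {
		return "", fmt.Errorf("no route to %s", dst)
	}
	return best, nil
}

func main() {
	routes, err := parseRouteTable(routeTable)
	if err != nil {
		panic(err)
	}
	// 10.0.1.50 -> eth2, 10.0.7.9 -> eth1, 203.0.113.4 -> eth0
	for _, dst := range []string{"10.0.1.50", "10.0.7.9", "203.0.113.4"} {
		iface, err := egressInterface(routes, dst)
		fmt.Println(dst, "->", iface, err)
	}
}
```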

26
MCQeasy

A penetration tester has gained administrative access to a Windows system and wants to extract NTLM password hashes from the memory of the Local Security Authority Subsystem Service (LSASS). Which tool is most commonly used for this purpose?

A.John the Ripper
B.Mimikatz
C.Hashcat
D.Netcat
AnswerB

Mimikatz is specifically designed to extract credentials from LSASS memory on Windows systems.

Why this answer

Mimikatz is the most commonly used tool for extracting NTLM password hashes from LSASS memory on a Windows system. It leverages the `sekurlsa::logonpasswords` module to read the LSASS process memory and decrypt stored credentials, including NTLM hashes, without requiring a separate brute-force or dictionary attack.

Exam trap

The trap here is that candidates confuse hash extraction tools (Mimikatz) with hash cracking tools (John the Ripper, Hashcat), assuming any tool that works with hashes can also extract them from memory.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that operates on already-extracted hash files (e.g., NTLM hashes saved to a file), not a tool for extracting hashes from LSASS memory. Option C is wrong because Hashcat is a GPU-accelerated password recovery tool that cracks hashes from a provided hash list, but it cannot directly access or extract hashes from a running Windows process like LSASS.

27
MCQhard

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

A.Perform a full TCP SYN scan on the entire /64 subnet using Nmap with IPv6 addressing
B.Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts
C.Request the DHCPv6 server log from the network administrator to obtain a list of assigned IPv6 addresses
D.Use the `ip neighbor` command on the tester's machine to view the IPv6 neighbor cache after generating traffic
AnswerB

Sending an ICMPv6 echo request to ff02::1 will trigger responses from all hosts that respond to multicast pings, quickly revealing active IPv6 addresses without scanning the entire subnet.

Why this answer

Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.

Exam trap

The trap here is that candidates may overlook the efficiency of multicast-based discovery and instead choose a brute-force scan (Option A), not realizing that IPv6 subnets are far too large for exhaustive scanning, or they may mistakenly think DHCPv6 logs (Option C) are always available or reliable in IPv6 environments where SLAAC is common.

How to eliminate wrong answers

Option A is wrong because performing a full TCP SYN scan on an entire /64 subnet (2^64 addresses) is impractical and would generate an enormous number of packets, defeating the goal of discovering hosts without sending many packets; it is also inefficient and likely to be detected or blocked. Option C is wrong because requesting the DHCPv6 server log from the network administrator relies on human cooperation and may not be feasible during a penetration test, and it does not involve the tester actively discovering hosts; additionally, many IPv6 networks use stateless address autoconfiguration (SLAAC) rather than DHCPv6, so the log may not contain all active addresses.

28
MCQeasy

During a penetration test, the tester discovers a critical vulnerability that could lead to a data breach. The tester needs to communicate this to the client's management, who are non-technical. What is the BEST way to communicate this finding?

A.Include the finding only in the final report
B.High-level summary with business impact and recommended timeline for fix
C.Email with subject 'URGENT' and no further details
D.Detailed technical exploit steps
AnswerB

This approach effectively communicates the risk and necessary actions in terms management can understand and act upon.

Why this answer

Option B is correct because communicating a high-level summary with business impact and a recommended timeline is most effective for non-technical management. Option D is wrong because detailed technical exploit steps may overwhelm them. Option C is wrong because a subject line alone does not convey the context. Option A is wrong because waiting for the final report delays critical communication.

29
MCQmedium

A client requests a penetration test for a new e-commerce application. The application uses a microservices architecture with RESTful APIs and a React frontend. The tester recommends including both a vulnerability assessment and manual penetration testing. However, the client has a tight budget and asks to skip the vulnerability assessment to save costs. Which response best aligns with best practices?

A.Perform only a vulnerability assessment because it covers more vulnerabilities.
B.Use automated scanning tools during the manual penetration test to compensate.
C.Agree to skip the vulnerability assessment and focus only on manual penetration testing.
D.Conduct a vulnerability assessment first and then manually validate findings.
AnswerD

This follows the industry best practice of combining automated scanning with manual validation.

Why this answer

Best practices recommend a vulnerability assessment to identify potential weaknesses, followed by manual validation to reduce false positives and exploit critical issues. Skipping the assessment may leave critical vulnerabilities undetected.

30
MCQhard

A penetration tester is analyzing a Bash script that automates a password spraying attack. The script contains the following loop: 'for user in $(cat users.txt); do for pass in $(cat passwords.txt); do curl -s -o /dev/null -w "%{http_code}" --data "user=$user&pass=$pass" http://target/login; done; done'. The script runs but the output is a continuous stream of HTTP status codes that are hard to interpret. Which improvement would most effectively help the tester identify a successful login?

A.Add a delay with 'sleep 1' between requests to avoid rate limiting.
B.Pipe the output to 'grep -v 200' to exclude any responses that are not 200 OK.
C.Add a conditional statement that checks if the HTTP status code is 302 (redirect) or 200, and if so, prints the successful credentials.
D.Use 'curl -v' to see the full response headers.
AnswerC

This directly identifies successful login attempts by checking for common success status codes and outputting the credentials.

Why this answer

Option C is correct because the script currently outputs a raw stream of HTTP status codes with no context. Adding a conditional to check for 302 (redirect, often indicating a successful login) or 200 (OK) and printing the corresponding credentials allows the tester to immediately identify which user/password pair succeeded, turning an unreadable output into actionable intelligence.

Exam trap

The trap here is that candidates assume filtering out 200 codes (Option B) will reveal successes, but they overlook that many real-world login flows use a 302 redirect for success, making 'grep -v 200' ineffective or misleading.

How to eliminate wrong answers

Option A is wrong because adding a delay with 'sleep 1' would only slow down the attack to avoid rate limiting or detection; it does not help interpret the output stream of status codes. Option B is wrong because piping to 'grep -v 200' would exclude 200 responses, but a successful login might return a 302 redirect (common in web apps) or even a 200; filtering out 200 could miss successes and still leave other codes (e.g., 401, 403) in the output, failing to clearly identify the successful credentials.

31
MCQmedium

During a penetration test, a tester discovers a critical vulnerability that could lead to data exposure. The tester plans to include a screenshot of the exploit in the report. What is the most important step to take before inserting the screenshot?

A.Obtain explicit permission from the client to use the screenshot
B.Remove the finding from the report to avoid sharing sensitive information
C.Check the company policy on screenshot use
D.Sanitize any sensitive data displayed in the screenshot
AnswerD

Prevents exposure of client data.

Why this answer

Option D is correct because testers must sanitize any sensitive data (e.g., real usernames, session tokens) from screenshots before including them in reports to protect client confidentiality. Option A is unnecessary if the data is sanitized. Option C is not required by policy. Option B is incorrect because the tester should not remove the finding but sanitize the evidence.

32
MCQmedium

A penetration tester is hired to assess a web application that integrates with a third-party payment API. The client wants the API included in the test but does not have a signed agreement with the vendor. What is the most appropriate action for the tester?

A.Ask the client to obtain a written authorization from the third-party vendor before testing the API.
B.Proceed with testing the API using anonymous techniques to avoid detection.
C.Test only the client's application logic but not the actual API endpoint.
D.Include the API in the test because the client owns the integration.
AnswerA

This is the proper ethical and legal step to ensure the tester has permission to test the vendor's system.

Why this answer

Option A is correct because testing a third-party API without explicit written authorization from the vendor violates legal and contractual boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The penetration tester must obtain signed authorization to ensure the test is legally defensible and within scope, as the client cannot grant permission for assets they do not own.

Exam trap

The trap here is that candidates may assume 'anonymous techniques' or 'testing only the application logic' are safe workarounds, failing to recognize that legal authorization is a non-negotiable prerequisite for any testing activity, regardless of technique or scope limitation.

How to eliminate wrong answers

Option B is wrong because using anonymous techniques to avoid detection does not circumvent the lack of legal authorization; it still constitutes unauthorized access and could lead to criminal charges or civil liability. Option C is wrong because testing only the client's application logic without the actual API endpoint would miss critical integration vulnerabilities (e.g., improper handling of API responses, insecure direct object references) and fail to meet the client's requirement to include the API in the test.

33
MCQmedium

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

A.The target must have SMB signing enabled
B.The target must have the same local admin password hash
C.The target must have a user account with the same password
D.The target must have the same machine account hash
AnswerB

If the local admin account on the target has the same hash, the attacker can authenticate using that hash.

Why this answer

Pass-the-hash (PtH) attacks exploit the NTLM challenge-response authentication mechanism. When a target has the same local administrator password hash as the compromised host, the attacker can use the captured hash to authenticate to the target without knowing the plaintext password. This works because Windows caches the password hash in LSASS, and tools like Mimikatz can extract it for replay.

Exam trap

Cisco often tests the misconception that pass-the-hash requires the plaintext password or that SMB signing is a prerequisite, when in fact the hash alone suffices and SMB signing would block the attack.

How to eliminate wrong answers

Option A is wrong because SMB signing, when enabled, would actually prevent pass-the-hash by requiring packet integrity verification; disabling SMB signing is a common prerequisite for PtH. Option C is wrong because pass-the-hash does not require the same plaintext password—it uses the password hash directly, bypassing the need for the actual password.

34
MCQeasy

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?

A.Scanning the target's IP ranges for open ports 443
B.Using dnsdumpster.com to find subdomains
C.Guessing bucket names based on common patterns
D.Querying Google dorks for 'site:s3.amazonaws.com [target_company]'
AnswerD

Google dorking using the site operator to search 's3.amazonaws.com' with the company name can find publicly listed bucket URLs. This is a proven passive reconnaissance technique.

Why this answer

Option D is correct because Google dorks allow a penetration tester to search for indexed S3 bucket URLs that contain the target company's name, revealing publicly accessible buckets without direct interaction with the target's infrastructure. This technique leverages Google's crawlers to find buckets that may have been inadvertently exposed or misconfigured, making it highly effective for passive reconnaissance.

Exam trap

The trap here is that candidates may think DNS enumeration (Option B) or port scanning (Option A) are effective for discovering cloud storage resources, but these methods fail because S3 buckets are external to the target's network and are not tied to the target's DNS or IP ranges.

How to eliminate wrong answers

Option A is wrong because scanning the target's IP ranges for open port 443 (HTTPS) does not specifically identify S3 buckets; S3 buckets are hosted on Amazon's infrastructure (e.g., s3.amazonaws.com) and not on the target's own IP ranges, so this would miss buckets entirely. Option B is wrong because dnsdumpster.com is used for DNS enumeration to find subdomains, but S3 bucket names are not DNS subdomains of the target company; they are separate AWS resources with names like 'bucket-name.s3.amazonaws.com' that do not appear in the target's DNS records. Option C is wrong because guessing bucket names based on common patterns is inefficient and unreliable; while it might occasionally succeed, it is not the most effective method compared to using search engines that index actual bucket URLs.

35
Drag & Dropmedium

Drag and drop the steps to perform web application fuzzing using Burp Suite Intruder into the correct order.

Why this order

Fuzzing involves proxy setup, parameter identification, payload configuration, attack execution, and analysis.

36
MCQeasy

A penetration tester has completed the testing phase and is preparing the final report for the client's board of directors. The board members are non-technical and need to understand the overall security posture and business risk. Which section of the report should the tester focus on for this audience?

A.A detailed list of all vulnerabilities with CVSS scores and exploitation steps
B.An executive summary highlighting key risks and business impact
C.A complete log of all commands executed during the test
D.A network diagram showing all discovered hosts and open ports
AnswerB

The executive summary is tailored for non-technical decision-makers, summarizing risks and impacts.

Why this answer

The board of directors requires a high-level overview that translates technical findings into business risk. An executive summary achieves this by focusing on key risks, potential financial or reputational impact, and strategic recommendations, avoiding technical jargon like CVSS scores or command logs.

Exam trap

CompTIA often tests the candidate's ability to distinguish between report sections for different audiences, trapping those who think all findings must be presented in full detail regardless of the reader's technical level.

How to eliminate wrong answers

Option A is wrong because a detailed list of vulnerabilities with CVSS scores and exploitation steps is too technical for a non-technical board; it belongs in the technical appendix for IT staff. Option C is wrong because a complete log of all commands executed during the test is operational documentation for the penetration tester's own records or for client technical teams, not for board-level risk communication.

37
MCQhard

A vulnerability scanner reports an unauthenticated critical finding on an internal server. Manual testing shows the vulnerable package is present, but the vulnerable service is disabled and not reachable. How should the tester report this?

A.Report the finding with contextual risk adjustment and explain that the vulnerable service is disabled and not reachable.
B.Delete the finding because the package exists but is not currently exploitable.
C.Report it as critical without context because the scanner assigned critical severity.
D.Exploit the service by enabling it first.
AnswerA

This preserves evidence while avoiding overstating exploitability.

Why this answer

Option A is correct because the vulnerability scanner identified a real package vulnerability, but manual verification revealed the service is disabled and unreachable. The tester must report the finding with a contextual risk adjustment to accurately reflect the reduced exploitability, as per standard risk assessment practices in penetration testing. This ensures the organization understands the actual risk without ignoring the presence of the vulnerable package, which could be enabled in the future.

Exam trap

The trap here is that candidates may assume any scanner-reported critical finding must be reported as-is, ignoring the penetration tester's duty to validate and contextualize findings based on actual service state and reachability.

How to eliminate wrong answers

Option B is wrong because deleting the finding ignores the presence of the vulnerable package, which could be enabled later by an administrator or attacker, leading to a false sense of security. Option C is wrong because reporting it as critical without context disregards the tester's responsibility to validate scanner results and adjust risk based on actual exploitability, as the service is disabled and unreachable. Option D is wrong because enabling the service to exploit it is unethical, violates testing scope, and could cause unintended disruption or security breaches.

38
MCQeasy

While performing a password audit, a tester finds that the hash of 'Password123' is stored in the LAN Manager (LM) hash format. What is the primary security weakness of LM hashes?

A.The password is split into two 7-character halves
B.The hash is case-sensitive
C.The hash is salted with a weak random value
D.The hash uses the MD4 hashing algorithm
AnswerA

This reduces keyspace to two 7-character halves, easily brute-forced.

Why this answer

The primary security weakness of LAN Manager (LM) hashes is that the password is converted to uppercase, padded or truncated to 14 characters, and then split into two 7-character halves. Each half is hashed independently using DES as the key for a known constant, which means an attacker can brute-force each 7-character half separately, drastically reducing the keyspace from 14 characters to two sets of 7 characters. This makes LM hashes extremely vulnerable to offline cracking, especially with modern tools like John the Ripper or Hashcat.

Exam trap

The trap here is that candidates often confuse LM hashes with NTLM hashes, incorrectly associating the weakness with MD4 (which is used by NTLM) or salting, when the real vulnerability is the split into two 7-character halves that can be attacked independently.

How to eliminate wrong answers

Option B is wrong because LM hashes are actually case-insensitive — the password is uppercased before hashing, so case sensitivity is not a weakness; rather, the lack of case sensitivity reduces entropy. Option C is wrong because LM hashes are not salted at all; they use a static constant (KGS!@#$%) as the DES key input, making precomputed rainbow tables highly effective. Option D is wrong because LM hashes use DES, not MD4; the MD4 algorithm is used in NTLM hashes, which are a separate and more secure replacement for LM.
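The uppercase, pad, split and DES-with-constant scheme the explanation describes, as an added Go example that is not part of the original question bank. It assumes ASCII passwords (real LM uses the OEM code page for uppercasing); the sample passwords and the `secondHalfEmpty` audit check are constructed here.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts with each password half as the
// DES key. Because it is a constant and there is no salt, equal halves always
// produce equal hash halves, which is what makes rainbow tables effective.
var lmMagic = []byte("KGS!@#$%")

// lmDesKey spreads a 7-byte password half across the 8 key bytes DES expects:
// 7 key bits per byte, with the low bit left as parity (ignored by DES).
func lmDesKey(half []byte) []byte {
	key := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1 // move the 7 bits up; parity bit stays 0
	}
	return key
}

// lmHalfHash encrypts the magic constant with one 7-byte half as the key and
// returns the 8-byte result as uppercase hex.
func lmHalfHash(half []byte) string {
	block, err := des.NewCipher(lmDesKey(half))
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// lmHash follows the explanation step by step: uppercase, pad with NULs or
// truncate to 14 bytes, split into two 7-byte halves, hash each half on its
// own, concatenate. Each half can therefore be attacked independently.
func lmHash(password string) string {
	buf := make([]byte, 14)              // zero padding
	copy(buf, strings.ToUpper(password)) // copy truncates at 14 bytes
	return lmHalfHash(buf[:7]) + lmHalfHash(buf[7:])
}

// emptyHalf is the LM half-hash of seven NUL bytes. A stored LM hash whose
// second half equals it belongs to a password of at most 7 characters.
const emptyHalf = "AAD3B435B51404EE"

// secondHalfEmpty is a triage check for a password audit: it reports whether
// the hash reveals a password of 7 characters or fewer.
func secondHalfEmpty(hash string) bool {
	return len(hash) == 32 && strings.ToUpper(hash[16:]) == emptyHalf
}

func main() {
	for _, pw := range []string{"", "password", "Password123"} {
		h := lmHash(pw)
		fmt.Printf("%-14q LM=%s shortPassword=%v\n", pw, h, secondHalfEmpty(h))
	}
	// Independence of the halves: a longer password that shares its first
	// seven characters shares the first half of its hash.
	fmt.Println(lmHash("password")[:16] == lmHash("passwordXYZ")[:16])
}
```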

39
Drag & Dropmedium

Drag and drop the steps to perform a basic Nmap scan to discover open ports on a target host into the correct order.

Why this order

Nmap scanning begins with verifying connectivity, then executing the scan, interpreting results, and documenting them.

40
MCQmedium

A penetration tester is using Burp Suite to intercept and modify HTTP traffic. When browsing to an HTTPS site, the tester observes that the requests are encrypted and not being intercepted by Burp. Which configuration step is most likely missing?

A.The proxy listener is not configured to listen on the correct port
B.The Burp CA certificate has not been installed in the browser's trust store
C.The browser's proxy settings are not configured to use Burp
D.The target site is not in Burp's scope
AnswerB

Correct. Burp acts as a man-in-the-middle for HTTPS by generating a certificate for each site signed by its own CA. The browser's trust store must contain the Burp CA certificate, or it will reject the connection.

Why this answer

Burp Suite intercepts HTTPS traffic by acting as a man-in-the-middle, which requires the browser to trust Burp's self-signed CA certificate. Without installing the Burp CA certificate in the browser's trust store, the browser will refuse to establish a TLS connection through the proxy, leaving requests encrypted end-to-end and invisible to Burp.

Exam trap

The trap here is that candidates confuse proxy configuration (setting the browser to use Burp as a proxy) with TLS interception setup, assuming that simply pointing the browser at the proxy is sufficient to intercept HTTPS traffic.

How to eliminate wrong answers

Option A is wrong because the proxy listener port (typically 8080) is irrelevant to TLS interception; even if the port is correct, HTTPS traffic will still be encrypted without the CA certificate. Option C is wrong because the browser's proxy settings must be configured to route traffic through Burp, but the question states the tester is browsing and observing encrypted requests, implying proxy settings are already in place; the missing step is trust of the CA certificate.

41
MCQmedium

A penetration tester is reviewing a Bash script that contains the following line: 'hydra -l admin -P /usr/share/wordlists/rockyou.txt $TARGET http-post-form "/login:username=^USER^&password=^PASS^:Invalid login"'. What is the primary purpose of this command?

A.Directory brute-forcing
B.Password spraying
C.Credential brute-force on a web login form
D.SQL injection
AnswerC

Hydra's http-post-form module performs brute-force attacks on web forms, substituting username and password fields.

Why this answer

Option C is correct because the Hydra command targets a specific web login form (http-post-form) with a single username (-l admin) and a large password list (rockyou.txt), performing a credential brute-force attack. The syntax defines the POST parameters (username=^USER^&password=^PASS^) and the failure indicator ('Invalid login'), which Hydra uses to iterate through passwords until a successful login is found.

Exam trap

CompTIA often tests the distinction between brute-force (single user, many passwords) and password spraying (many users, single password), and candidates confuse the two because both involve credential guessing.

How to eliminate wrong answers

Option A is wrong because directory brute-forcing uses tools like dirb, gobuster, or ffuf to discover hidden paths or files, not Hydra with login credentials. Option B is wrong because password spraying uses a single password against multiple usernames, whereas this command uses a single username (-l admin) with many passwords, which is the opposite pattern.

42
MCQmedium

A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?

A.The exact SQL injection payload used
B.The CVSS vector string
C.The potential for data breach and financial loss
D.The remediation steps in detail
AnswerC

This directly addresses business impact, which is the focus of the executive summary.

Why this answer

The CEO needs to understand the business impact, not technical details. Option C directly addresses the core concern: a SQL injection vulnerability can lead to unauthorized data access, resulting in a data breach and significant financial loss from fines, remediation costs, and reputational damage. This aligns with the executive summary's goal of translating technical risk into business risk.

Exam trap

The trap here is that candidates confuse the purpose of an executive summary with a technical report, choosing detailed technical data (payload or CVSS) instead of business impact, which is what the CEO actually needs.

How to eliminate wrong answers

Option A is wrong because including the exact SQL injection payload is too technical for an executive summary; it belongs in the technical findings section for the development team. Option B is wrong because the CVSS vector string provides a numerical severity score but does not convey the specific business impact (e.g., potential financial loss or regulatory penalties) that the CEO requires for decision-making.

43
Multi-Selectmedium

A penetration tester is performing information gathering for a web application. Which of the following are passive information gathering techniques? (Select THREE).

Select 3 answers
A.DNS zone transfer
B.Source code review from public repositories
C.Port scanning
D.SSL/TLS certificate inspection
E.WHOIS lookup
AnswersB, D, E

Reviewing code on GitHub or similar is passive.

Why this answer

Options B, D, and E are correct because they involve querying public data without sending packets to the target. Option A can be active if performed directly; Option C is active scanning.

44
MCQeasy

A client requests a penetration test of their web application, but they want to exclude all third-party APIs from the scope. Where should this exclusion be documented?

A.Rules of Engagement
B.Executive Summary
C.Findings Report
D.Remediation Plan
AnswerA

The RoE is the formal agreement that outlines what is and is not permitted, making it the correct place for scope exclusions.

Why this answer

The Rules of Engagement (ROE) document is the authoritative source for defining the scope, boundaries, and constraints of a penetration test, including explicit exclusions such as third-party APIs. This document is established during the planning and scoping phase to ensure both the client and the testing team agree on what is and is not in scope, preventing legal or operational issues. Without documenting the exclusion in the ROE, the tester might inadvertently interact with the third-party APIs, violating the agreement and potentially causing service disruptions or legal liabilities.

Exam trap

CompTIA often tests the misconception that scope exclusions belong in the final report or executive summary because candidates confuse 'what was tested' with 'what was excluded,' but the ROE is the only document that governs the testing parameters before execution begins.

How to eliminate wrong answers

Option B is wrong because the Executive Summary is a high-level overview of the test results, typically found in the final report, and is not used to document scope exclusions or operational constraints; it summarizes findings for non-technical stakeholders. Option C is wrong because the Findings Report details vulnerabilities discovered during the test and their remediation, but it does not define the scope or exclusions—those must be established before testing begins in the ROE.

45
MCQhard

You are leading a penetration test for a financial institution. The scope was defined as the external network and web applications. During the test, you identify a vulnerability in an internal application that was accidentally exposed due to a misconfiguration. The client's project manager requests that you extend the test scope to include the internal network to fully assess the risk. The request comes on the last day of testing. According to reporting and communication best practices, what should you do FIRST?

A.Accept the request and test the internal network immediately
B.Include the internal vulnerability in the final report as an out-of-scope finding
C.Reject the request because it is outside the original scope
D.Document the request and communicate it to both the client and your management for formal scope change approval
AnswerD

This ensures proper authorization and protects both parties contractually.

Why this answer

Option D is correct. Any scope change must be documented and formally approved by both the client and the tester's own management before new testing starts, so that the work is covered by the contract and the authorization letter; on the last day of testing that usually means a written extension or a follow-on engagement rather than an ad-hoc test. Option A is wrong because proceeding without approval exceeds the authorized scope and exposes both parties to liability.

Option C is wrong because an outright rejection ignores a genuine risk the client wants assessed and damages the relationship; the right response is to route the request through the change process. Option B is wrong as the FIRST action: the exposed internal application was reached from the in-scope external network and will be reported, but noting the finding does not answer the client's request, and testing the internal network without authorization would breach the contract.

46
MCQmedium

A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?

A.Exploit a buffer overflow in the 'less' binary.
B.Use the '!' command within 'less' to execute a shell.
C.Run 'sudo -u root bash' to switch to a root shell.
D.Modify the PATH to trick sudo into running a malicious binary.
AnswerB

Correct. The '!' command in less allows execution of shell commands. With sudo, this runs as root, granting privilege escalation.

Why this answer

The 'less' binary, when executed with sudo, retains its ability to spawn a shell via the '!' command. Since the user can run 'less' as root without a password, opening any readable file (for example, sudo less /etc/profile) and typing '!/bin/bash' (or simply '!bash') at the less prompt executes a shell with root privileges, effectively escalating to root. The same class of escape exists in other pagers and editors that sudo rules commonly allow, such as more, man, vi and vim. One caveat: less refuses to run shell commands when started in secure mode (the LESSSECURE environment variable), so confirm the escape works rather than assuming it.

Exam trap

The trap here is that candidates may overlook the shell escape feature of pagers like 'less' and instead assume they need to exploit a binary vulnerability or use a generic 'sudo -u root bash' command, which fails because the sudoers rule is specific to 'less' only.

How to eliminate wrong answers

Option A is wrong because exploiting a buffer overflow in 'less' is unnecessary and impractical; the intended privilege escalation vector is the built-in '!' command, not a memory corruption vulnerability. Option C is wrong because 'sudo -u root bash' requires the user to have explicit sudo permissions for 'bash', which they do not; the sudoers entry only grants passwordless execution of 'less', not arbitrary commands. Option D is wrong because sudo resets the environment and, on most distributions, enforces a secure_path for the commands it runs, and the rule names 'less' by absolute path; a modified PATH in the user's shell does not change which binary sudo executes.
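The first thing a tester does with a low-privileged shell is read the output of sudo -l and look for binaries that carry a built-in shell escape. The Python below is an added example written for this page, not code from the exam or from any tool it names: it parses a constructed sudo -l listing (the host name, user name and rules are invented), flags rules whose binary is in a small illustrative table of known escapes, and checks whether secure_path is set, which is what defeats the PATH trick in option D. The escape table is deliberately a subset; a real assessment would consult a maintained list.

```python
import re

# Binaries whose documented features include spawning a shell. This is a small
# illustrative subset chosen for the example (assumption, not an exhaustive list);
# the escape shown for each is the feature the binary itself provides.
SHELL_ESCAPES = {
    "less": "!/bin/sh   (typed at the less prompt)",
    "more": "!/bin/sh   (typed at the more prompt)",
    "man": "!/bin/sh   (man displays pages through a pager)",
    "vi": ":!/bin/sh  or  :shell",
    "vim": ":!/bin/sh  or  :shell",
    "find": "find . -exec /bin/sh \\; -quit",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
}

# Constructed sample of `sudo -l` output for a low-privileged user; the host and
# user names are invented for the example.
SAMPLE_SUDO_L = """\
Matching Defaults entries for dev on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (www-data) /usr/bin/find
"""

# One rule line looks like: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(sudo_l_output):
    """Turn the rule lines of `sudo -l` output into dicts; Defaults lines are skipped."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),   # "(root : root)" -> "root"
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": cmd,
            "binary": cmd.split()[0].rsplit("/", 1)[-1],       # /usr/bin/less -> less
        })
    return rules


def find_shell_escapes(rules):
    """Return (runas, nopasswd, command, escape) for rules that allow a known shell escape."""
    return [
        (r["runas"], r["nopasswd"], r["command"], SHELL_ESCAPES[r["binary"]])
        for r in rules
        if r["binary"] in SHELL_ESCAPES
    ]


def secure_path_enforced(sudo_l_output):
    """True when sudo pins PATH for the commands it runs, which defeats PATH tricks."""
    return "secure_path=" in sudo_l_output


if __name__ == "__main__":
    rules = parse_sudo_rules(SAMPLE_SUDO_L)
    for runas, nopasswd, command, escape in find_shell_escapes(rules):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"{command} as {runas} ({tag}): {escape}")
    print("secure_path enforced:", secure_path_enforced(SAMPLE_SUDO_L))
```

Run against real output, the script points at the less rule as a passwordless root shell and at find as a shell running as www-data (password required), and reports that secure_path is set, which is why tampering with PATH would not help.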

47
MCQmedium

After completing a penetration test, the tester is writing the report. The client's Chief Information Security Officer (CISO) is the primary audience and wants to understand the overall security posture and the most critical risks to the business. Which section of the report should the tester most heavily focus on for this audience?

A.Technical Findings
B.Executive Summary
C.Appendix - Vulnerability Details
D.Methodology
AnswerB

The Executive Summary provides a concise business-oriented risk overview tailored for executives like a CISO.

Why this answer

The Executive Summary is the section of a penetration test report that provides a high-level overview of the security posture, focusing on business risks and strategic recommendations. For a CISO, who needs to understand the most critical risks to the business without delving into technical details, this section is the most relevant. It translates technical vulnerabilities into business impact, aligning with the CISO's role in risk management and decision-making.

Exam trap

CompTIA often tests the distinction between audience-appropriate report sections, and the trap here is that candidates mistakenly choose Technical Findings or Appendix - Vulnerability Details because they focus on technical depth rather than the business-oriented communication required for a CISO audience.

How to eliminate wrong answers

Option A is wrong because Technical Findings contain detailed exploit steps, affected systems, and raw vulnerability data, which are too granular for a CISO who needs a business-risk perspective rather than technical specifics. Option C is wrong because the Appendix - Vulnerability Details lists raw CVSS scores, CVE IDs, and proof-of-concept code, which are operational details for remediation teams, not for executive-level risk assessment. Option D is wrong because Methodology describes the tools, techniques, and scope of the test (e.g., Nmap scans, Metasploit modules), which is procedural information that does not directly communicate business risk or overall security posture to a CISO.

48
MCQhard

A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?

A.Base64 encoding
B.URL encoding
C.Unicode encoding
D.Hex encoding
AnswerA

PowerShell supports -EncodedCommand, allowing the entire command to be Base64-encoded, which evades many filter restrictions on special characters.

Why this answer

Base64 encoding is the most effective technique because it allows the tester to encode the entire PowerShell command, including special characters like semicolons, pipes, and quotes, into a plain alphanumeric string that passes filters built around those characters. PowerShell natively supports the `-EncodedCommand` parameter, which expects the command as UTF-16LE bytes encoded in Base64 and decodes it directly, making it ideal for remote command injection scenarios where character filtering is strict. One transport caveat: the Base64 alphabet itself contains '+', '/' and '=', so when the injected command travels in a query string or form body those three characters should be percent-encoded, otherwise a '+' can be decoded as a space and corrupt the payload.

Exam trap

The trap here is that candidates often choose URL encoding because it is familiar from web attacks, but they overlook that PowerShell's `-EncodedCommand` parameter is specifically designed for Base64, making it the most direct and filter-evading method for remote command injection on Windows.

How to eliminate wrong answers

Option B (URL encoding) is wrong because it only encodes individual characters (e.g., %20 for space) and does not prevent filters that block specific special characters like semicolons or pipes; many web application firewalls still inspect decoded content. Option C (Unicode encoding) is wrong because it is not natively supported by PowerShell's command-line parsing for direct execution; PowerShell expects UTF-16LE for `-EncodedCommand`, not general Unicode encoding. Option D (Hex encoding) is wrong because PowerShell does not have a built-in parameter to decode hex-encoded commands directly; the tester would need additional conversion steps, making it less efficient and more likely to be blocked.
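Building the `-EncodedCommand` argument is a two-step transform (UTF-16LE, then Base64) that is easy to get wrong by using UTF-8. The Python below is an added example for this page, not code from the exam; it runs on the tester's machine to prepare the payload. The reverse-shell body is deliberately left out: SAMPLE_COMMAND is a harmless stand-in that contains the same pipe, dollar, quote and semicolon characters a filter would strip, and FILTER_BLOCKLIST is a hypothetical blocklist assumed for the example.

```python
import base64
import urllib.parse

# Hypothetical blocklist a command-injection filter might enforce on the injected
# argument (assumption for the example).
FILTER_BLOCKLIST = set(";|&$'\"<>`")

# Constructed stand-in for the reverse-shell command: same special characters a
# filter would reject, but harmless. The real reverse-shell body is not included.
SAMPLE_COMMAND = "Get-Process | Where-Object { $_.Name -eq 'explorer' }; Write-Output \"done\""

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def encode_powershell(command):
    """Build the -EncodedCommand argument: PowerShell expects UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded):
    """What powershell.exe does on the other end; use it to verify the payload before sending."""
    return base64.b64decode(encoded).decode("utf-16-le")


def blocked_chars(text):
    """Characters of `text` that the hypothetical filter would reject."""
    return sorted(FILTER_BLOCKLIST.intersection(text))


def injection_argument(command, via_query_string=False):
    """Full invocation to inject. '+', '/' and '=' belong to the Base64 alphabet, so when the
    payload rides a query string they are percent-encoded; otherwise '+' may decode to a space."""
    encoded = encode_powershell(command)
    if via_query_string:
        encoded = urllib.parse.quote(encoded, safe="")
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {encoded}"


if __name__ == "__main__":
    print("filter would block in plain form:", blocked_chars(SAMPLE_COMMAND))
    encoded = encode_powershell(SAMPLE_COMMAND)
    print("filter would block in encoded form:", blocked_chars(encoded))
    print(injection_argument(SAMPLE_COMMAND))
    print(injection_argument(SAMPLE_COMMAND, via_query_string=True))
```

The round trip through decode_powershell is the check worth keeping: if the decoded text is not byte-for-byte the original command, the target will report a parse error and nothing else, which is hard to debug blind through an injection point.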

49
MCQeasy

In a penetration test report, the executive summary is primarily intended for which audience?

A.IT system administrators
B.Senior management (e.g., CISO, board of directors)
C.Software developers
D.External compliance auditors
AnswerB

The executive summary provides a concise overview of security posture, business impact, and strategic recommendations for decision-makers.

Why this answer

The executive summary is designed for senior management (e.g., CISO, board of directors) because it provides a high-level overview of the penetration test's objectives, key findings, risk impact, and recommended strategic actions. It avoids technical jargon and detailed exploit steps, focusing instead on business risk and remediation priorities that inform decision-making and resource allocation.

Exam trap

The trap here is that candidates confuse the audience for the executive summary with the audience for the technical report, mistakenly thinking that all stakeholders need the same level of detail, when in fact senior management requires a non-technical, risk-focused summary while technical teams need the full exploit details.

How to eliminate wrong answers

Option A is wrong because IT system administrators need detailed technical findings, including specific vulnerabilities, exploitation steps, and remediation commands (e.g., patch versions, configuration changes), which are found in the technical report, not the executive summary. Option C is wrong because software developers require code-level details such as vulnerable functions, input validation flaws, and proof-of-concept exploits to fix application bugs, which are not included in the executive summary. Option D is wrong because external compliance auditors need evidence of specific control failures and adherence to standards (e.g., PCI DSS, ISO 27001), which are documented in the technical findings and compliance mapping sections, not the executive summary.

50
MCQhard

You are a penetration tester conducting an internal network penetration test for a medium-sized company. The network consists of a Windows domain with multiple servers and workstations. The scope includes testing the Active Directory security. The client has provided a low-privileged domain user account for initial access. During the reconnaissance phase, you discover that the domain controller is running Windows Server 2012 R2 with no recent patches. There is a known privilege escalation vulnerability (e.g., Zerologon) that could allow you to become Domain Admin. However, the client's rules of engagement explicitly prohibit the use of any exploit that could cause a denial of service on the domain controller. The Zerologon exploit, if not carefully executed, could crash the domain controller. Which of the following actions should you take?

A.Modify the exploit code to ensure no disruption, then run it
B.Proceed with the Zerologon exploit during off-hours to minimize risk
C.Report the vulnerability immediately without attempting exploitation
D.Avoid the exploit and instead attempt Kerberoasting or AS-REP roasting
AnswerD

Non-disruptive techniques that test AD security.

Why this answer

Option D is correct because Kerberoasting and AS-REP roasting test Active Directory credential hygiene using only legitimate Kerberos requests from the provided domain account, so they stay within the rules of engagement while still pursuing the Domain Admin objective. Option B is wrong because running the exploit off-hours does not remove the risk of crashing the domain controller; the ROE prohibits the exploit regardless of timing. Option C is wrong because the tester should still report the unpatched domain controller as a critical finding but is not obliged to stop testing; other authorized techniques remain available.

Option A is wrong because modifying exploit code does not guarantee stability and has not been approved by the client; if the client wants Zerologon attempted, that requires an explicit written change to the ROE.

51
MCQmedium

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP POST requests to a target URL with different payloads. The script also implements a retry mechanism with exponential backoff. What is the most likely purpose of this script?

A.Directory brute-forcing
B.Password spraying
C.SQL injection testing
D.Session hijacking
AnswerB

The script sends POST requests (likely to a login endpoint) with different payloads (passwords) and uses retry with backoff to evade rate limiting, which is characteristic of password spraying.

Why this answer

The script sends HTTP POST requests with different payloads and implements a retry mechanism with exponential backoff. This behavior is characteristic of password spraying, where an attacker attempts a small number of common passwords against many usernames to avoid account lockouts. The exponential backoff helps evade rate-limiting and intrusion detection systems by gradually increasing delays between attempts.

Exam trap

The trap here is that candidates may confuse password spraying with brute-force attacks, but the key distinction is that password spraying uses a small set of passwords across many accounts, while brute-force focuses on many passwords for a single account.

How to eliminate wrong answers

Option A is wrong because directory brute-forcing typically uses HTTP GET requests to discover hidden paths, not POST requests with payloads. Option C is wrong because SQL injection testing usually involves sending crafted payloads in GET parameters or POST data, but the retry mechanism with exponential backoff is not a standard technique for SQLi; it is more aligned with authentication bypass attempts. Option D is wrong because session hijacking involves stealing or predicting session tokens (e.g., cookies or JWTs), not sending POST requests with different payloads and retries.
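The two properties that distinguish a spraying script from a brute-forcer are the loop order (one password across every user before the next password, so no account collects failures quickly) and how it reacts to a 429. The Python below is an added example written for this page, not the script from the question or any real tool. It runs offline against a constructed FakeLoginService that stands in for the target's POST /login, returning 429 when requests arrive too fast and 423 once an account is locked, and it uses a SimClock so the backoff is deterministic; the user names and credentials are invented.

```python
class SimClock:
    """Fake clock so the example runs instantly and deterministically (constructed)."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class FakeLoginService:
    """Constructed stand-in for the target's POST /login; not a real service.
    Returns 200 on a correct password, 429 once `burst` requests land inside `window`
    seconds, 423 after `lockout_after` failures on one account, otherwise 401."""

    def __init__(self, clock, creds, burst=3, window=1.0, lockout_after=5):
        self.clock, self.creds = clock, creds
        self.burst, self.window, self.lockout_after = burst, window, lockout_after
        self.failures = {}       # username -> failed attempts (what a lockout policy counts)
        self.recent = []         # timestamps of recently accepted requests
        self.rate_limited = 0    # how many 429s were handed out

    def post(self, username, password):
        now = self.clock.now
        self.clock.now += 0.1    # every request costs roughly 100 ms of round trip
        self.recent = [t for t in self.recent if now - t < self.window]
        if len(self.recent) >= self.burst:
            self.rate_limited += 1
            return 429
        self.recent.append(now)
        if self.failures.get(username, 0) >= self.lockout_after:
            return 423
        if self.creds.get(username) == password:
            return 200
        self.failures[username] = self.failures.get(username, 0) + 1
        return 401


def spray(users, passwords, post, sleep, base_delay=0.5, max_retries=5):
    """Password spray: each password is tried across every user before moving to the next
    password, so failures per account stay below lockout. A 429 triggers exponential backoff."""
    found = {}
    for password in passwords:
        for user in users:
            if user in found:
                continue
            delay, status = base_delay, None
            for _ in range(max_retries + 1):
                status = post(user, password)
                if status != 429:
                    break
                sleep(delay)       # rate limited: wait, then double the wait before retrying
                delay *= 2
            if status == 200:
                found[user] = password
    return found


if __name__ == "__main__":
    clock = SimClock()
    service = FakeLoginService(clock, {"carol": "Winter2024!", "dave": "Password1"})
    hits = spray(["alice", "bob", "carol", "dave"], ["Winter2024!", "Password1"],
                 service.post, clock.sleep)
    print("valid credentials:", hits)
    print("429 responses seen:", service.rate_limited, "| worst failure count:",
          max(service.failures.values()))
```

In a real script `post` would be a requests.post wrapper returning the status code and `sleep` would be time.sleep; keeping both injectable is what makes the loop testable without a network. The worst failure count printed at the end is the number to compare against the client's lockout threshold before running this against production accounts.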

52
MCQeasy

The client's development team needs to reproduce a cross-site scripting vulnerability found in the login form. They require the exact payload and steps. Which deliverable should the penetration tester provide to meet this need?

A.An executive summary
B.A proof of concept code or walkthrough in the report appendix
C.A spreadsheet of findings with CVSS scores
D.A verbal explanation during the readout
AnswerB

Correct. The appendix often contains detailed proof of concept code, screenshots, and step-by-step reproduction instructions for each finding.

Why this answer

The correct deliverable is a proof of concept (PoC) code or walkthrough in the report appendix because the client's development team needs the exact payload and step-by-step instructions to reproduce the cross-site scripting (XSS) vulnerability. This allows them to validate the finding and implement a fix by injecting a crafted script (e.g., <script>alert('XSS')</script>) into the login form's input fields, demonstrating how user input is not properly sanitized or encoded. Including this in the appendix ensures the technical details are documented for replication without cluttering the main report.

Exam trap

The trap here is that candidates often choose the executive summary or CVSS spreadsheet because they focus on reporting severity rather than the technical reproduction details required by the development team, confusing the purpose of different report sections.

How to eliminate wrong answers

Option A is wrong because an executive summary provides a high-level overview for management, not the precise payload and reproduction steps needed by the development team. Option C is wrong because a spreadsheet of findings with CVSS scores only lists severity ratings and basic descriptions, lacking the exact payload and step-by-step walkthrough required to reproduce the XSS vulnerability. Option D is wrong because a verbal explanation during the readout is not a documented deliverable; the development team needs written, reproducible instructions that can be referenced later, not an ephemeral conversation.

53
MCQeasy

A penetration tester is conducting an external network assessment for a client. During the reconnaissance phase, the tester identifies an IP address range that is not listed in the rules of engagement (ROE). The client had initially provided a list of authorized target IPs. What should the tester do next?

A.Stop testing and notify the client to update the ROE.
B.Include the new IPs in the test scope and proceed.
C.Perform a quick scan of the new IPs to gather more information.
D.Ignore the new IPs and only test the provided range.
AnswerA

This is correct because it ensures all testing remains within agreed scope.

Why this answer

Testing outside the defined scope is unauthorized and could breach contract or legal boundaries. The correct course is to pause and seek clarification, updating the ROE before proceeding.

54
MCQmedium

A penetration tester is contracted to perform a test of a company's critical web application that handles financial transactions. The client requires that testing must not degrade the application's performance for live users. Which of the following scoping controls would best address this requirement?

A.Require the use of only passive reconnaissance techniques and exclude all active scanning
B.Implement rate limiting in the testing tools and schedule the test during a maintenance window with low traffic
C.Include a clause that the client must monitor application performance and halt the test if degradation is observed
D.Test only from a single IP address and use low-packet-rate tools to avoid overwhelming the application
AnswerB

Rate limiting reduces the load on the application, and scheduling during low traffic minimizes impact on users. These controls directly address the performance concern.

Why this answer

Option B is correct because rate limiting and scheduling during a maintenance window directly prevent performance degradation for live users. Rate limiting controls the request rate (e.g., limiting to 10 requests per second) to avoid overwhelming the application, while a maintenance window ensures minimal user impact. This approach balances active testing needs with the client's requirement to preserve live user experience.

Exam trap

CompTIA often tests the misconception that passive reconnaissance alone is sufficient for a full-scope penetration test, but the trap here is that active testing is required for financial transaction validation, and rate limiting with scheduling is the only option that proactively prevents performance degradation.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance alone (e.g., Shodan, certificate transparency logs, public archives) cannot test the application's active functionality, such as transaction processing or input validation, which is critical for a financial web application. Option C is wrong because relying on the client to monitor and halt testing is reactive and may still cause performance degradation before detection, violating the requirement to prevent degradation proactively. Option D is wrong because testing from a single IP with low-packet-rate tools does not guarantee no performance impact; without explicit rate limiting and scheduling, even low-rate traffic during peak hours could degrade performance for live users.

55
MCQmedium

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

A.nmap
B.enum4linux
C.smbclient
D.hydra
AnswerB

Correct. enum4linux is a Perl wrapper around the Samba suite tools (smbclient, rpcclient, net and nmblookup), designed to enumerate users, groups, shares, password policy and OS information from Windows hosts over SMB and RPC, by default without authentication.

Why this answer

enum4linux is specifically designed to enumerate user accounts, SMB shares, and other information from Windows machines over SMB and MSRPC without requiring credentials. It does this through a null session (an anonymous connection to the IPC$ share), querying the remote system for user lists, share lists, group memberships, password policy and OS details, and it ships in Linux penetration testing distributions such as Kali Linux. In practice, modern Windows versions restrict anonymous enumeration by default, so enum4linux often returns little against a hardened host; the tester then reruns it with the -u and -p options and a low-privileged domain account.

Exam trap

The trap here is that candidates often confuse enum4linux with smbclient or nmap, thinking that any SMB-related tool can perform null session enumeration, but enum4linux is the only one specifically built to automate this process without authentication.

How to eliminate wrong answers

Option A is wrong because nmap is a general-purpose network scanner that can discover open ports and services, but it is not specifically designed for enumerating SMB user accounts and shares without authentication; it requires scripts like smb-enum-users.nse to perform such tasks, and even then it is not the dedicated tool for this purpose. Option C is wrong because smbclient is an interactive SMB client used to access shared resources after authentication or with a null session, but it is not primarily designed for enumeration of user accounts and shares without authentication; it requires manual interaction and does not automate the enumeration process. Option D is wrong because hydra is a password brute-forcing tool used for attacking authentication services, not for enumerating user accounts or SMB shares without authentication; it requires valid credentials or a list of usernames to attempt logins.

56
MCQhard

A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?

A.SQL injection
B.Cross-site scripting (XSS)
C.Command injection
D.Parameter pollution
AnswerA

Client-side validation is easily bypassed; by sending malicious SQL payloads directly to the server, the tester can manipulate the database query.

Why this answer

The correct answer is A because the vulnerability described—client-side JavaScript validation with no server-side sanitization, followed by direct use of input in a SQL query—is the classic precondition for SQL injection. An attacker can bypass client-side controls (e.g., by disabling JavaScript or using a proxy like Burp Suite) and submit crafted SQL syntax (e.g., `' OR 1=1 --`) to manipulate the query, extract data, or execute arbitrary SQL commands on the database server.

Exam trap

The trap here is that candidates may confuse client-side validation bypass with XSS, thinking that JavaScript injection is the primary risk, but the key is that the input flows directly into a SQL query, making SQL injection the most effective and direct attack.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) exploits the injection of client-side scripts into web pages viewed by other users, not the manipulation of SQL queries on the server; the described scenario involves direct server-side SQL execution, not reflected or stored output in a browser. Option C is wrong because command injection targets operating system commands via shell execution (e.g., through `exec()` or `system()` calls), not SQL queries; the input is used in a SQL query, not a system command. Option D is wrong because parameter pollution involves manipulating HTTP parameters (e.g., duplicate `id` parameters) to override or confuse server-side logic, but it does not directly exploit SQL query construction from unsanitized input.
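The vulnerability and its fix sit one line apart on the server, which is the point worth seeing in code. The Python below is an added example written for this page, not code from the exam; it builds a constructed in-memory SQLite users table with made-up credentials, mirrors the client-side JavaScript check as a regular expression (an assumption about what the page's JavaScript does), and compares a login that formats input into the SQL text with one that binds parameters.

```python
import re
import sqlite3

# Mirrors the client-side JavaScript check assumed for the example: letters and digits only.
CLIENT_SIDE_RE = re.compile(r"^[A-Za-z0-9]+$")

# Classic payload: closes the string, makes the WHERE clause always true, comments out the rest.
PAYLOAD = "' OR 1=1 --"


def client_side_allows(value):
    """What the browser would enforce; an attacker using a proxy simply never runs this."""
    return CLIENT_SIDE_RE.match(value) is not None


def make_db():
    """Constructed in-memory users table with made-up credentials for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The flaw from the question: input goes straight into the SQL text."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The fix: the driver binds values separately from the SQL text, so the payload is just data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    print("client-side check would allow payload:", client_side_allows(PAYLOAD))
    print("vulnerable login with payload:", login_vulnerable(conn, PAYLOAD, "wrong"))
    print("parameterized login with payload:", login_parameterized(conn, PAYLOAD, "wrong"))
```

The browser check rejects the payload, yet the server never sees that rejection once the request is replayed from a proxy: the vulnerable query returns every user, and the parameterized one returns nothing because the quote and comment characters are bound as a literal string.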

57
MCQmedium

A penetration tester is analyzing a PowerShell script used for post-exploitation on a Windows domain. The script contains the following line: Invoke-Command -ComputerName $target -ScriptBlock { get-process -Name "explorer" }. What is the primary purpose of this command?

A.To start the Explorer process on a remote system
B.To check if a user is logged in on the remote system
C.To enumerate running processes on the remote system
D.To execute a script block locally on the remote system
AnswerB

The presence of explorer.exe is a strong indicator of an interactive user session.

Why this answer

The `Get-Process -Name 'explorer'` command retrieves the Explorer process, which runs only when a user is interactively logged into the Windows desktop. If the command returns a process object, it confirms a user session is active on the remote system. This is a common post-exploitation technique to verify user presence before executing further actions like keylogging or token theft. Two practical caveats: `Invoke-Command` relies on PowerShell remoting (WinRM) being enabled on the target and on credentials with local administrator rights there, and the presence of explorer.exe is a heuristic rather than proof, since a disconnected RDP session also keeps it running.

Exam trap

The trap here is that candidates see 'Get-Process' and assume it enumerates all processes (option C), missing the specific filter for 'explorer' which is a known indicator of an active user session.

How to eliminate wrong answers

Option A is wrong because `Invoke-Command` with `Get-Process` does not start any process; it only queries existing processes. Option C is wrong because the script block filters specifically for the 'explorer' process, not all running processes, so it does not enumerate all processes. Option D is wrong because `Invoke-Command` executes the script block on the remote system specified by `-ComputerName`, not locally.

58
MCQmedium

A penetration tester is analyzing a web application's JavaScript files to discover hidden API endpoints and potential client-side vulnerabilities. Which tool is specifically designed to extract URLs and endpoints from JavaScript files?

A.Wireshark
B.Burp Suite's Target scope
C.LinkFinder
D.Nmap
AnswerC

LinkFinder is a dedicated tool for finding endpoints in JavaScript files.

Why this answer

LinkFinder is a Python-based tool specifically designed to extract URLs and endpoints from JavaScript files by using regular expressions and parsing techniques. It analyzes JS files for patterns like API routes, relative paths, and hardcoded URLs, making it ideal for discovering hidden endpoints during web application penetration testing.

Exam trap

The trap here is that candidates may confuse network analysis tools (Wireshark) or general-purpose scanners (Nmap) with specialized JavaScript endpoint extractors, or assume Burp Suite's scope management is a discovery tool rather than a filtering mechanism.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects packets at the OSI layers 2-7, not a tool for parsing JavaScript files or extracting URLs from code. Option B is wrong because Burp Suite's Target scope defines which hosts and URLs Burp will intercept or scan, but it does not extract endpoints from JavaScript files; that requires a dedicated JS parser like LinkFinder or a Burp extension built for that purpose. Option D is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, and it has no capability to parse JavaScript files or extract API endpoints.
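The core of LinkFinder is a regular expression over string literals, followed by the scoping decision that the Burp Target scope would make. The Python below is an added example written for this page, not LinkFinder's own code: it runs a simplified pattern over a constructed JavaScript snippet (the hosts and paths are invented), drops third-party hosts the way a rules-of-engagement exclusion requires, and resolves the root-relative paths against the tested base URL.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed JavaScript standing in for a bundled front-end file; hosts and paths are invented.
SAMPLE_JS = """
const API = "/api/v2";
fetch(API + "/users/me", {credentials: "include"});
axios.post('/api/v2/admin/export', data);
const ws = new WebSocket("wss://app.example.com/socket");
$.get("https://cdn.example.com/static/app.js");
"""

# Quoted string literals that are either absolute URLs or root-relative paths. A simplified
# pattern for the example; LinkFinder's own regex covers more shapes (templates, bare paths).
ENDPOINT_RE = re.compile(
    r"""["'`](?P<ep>(?:https?|wss?)://[^"'`\s]+|/[A-Za-z0-9_./?=&%-]+)["'`]"""
)


def extract_endpoints(js_source):
    """Unique endpoint-looking literals from JavaScript source, sorted."""
    return sorted({m.group("ep") for m in ENDPOINT_RE.finditer(js_source)})


def filter_scope(endpoints, scope_hosts):
    """Keep root-relative paths (they resolve against the tested host) and absolute URLs whose
    host is in scope; third-party hosts are dropped, as an ROE exclusion would require."""
    return [ep for ep in endpoints
            if ep.startswith("/") or urlparse(ep).hostname in scope_hosts]


def resolve(endpoints, base):
    """Turn root-relative paths into full URLs against the tested base URL."""
    return [urljoin(base, ep) for ep in endpoints]


if __name__ == "__main__":
    found = extract_endpoints(SAMPLE_JS)
    in_scope = filter_scope(found, {"app.example.com"})
    for url in resolve(in_scope, "https://app.example.com"):
        print(url)
```

The admin export route is the kind of result this produces: it never appears in the rendered UI for a low-privileged user but is sitting in the bundle for anyone who reads it. The CDN URL is dropped by the scope filter because its host is not in the allowed set.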

59
MCQeasy

A client asks a penetration tester to perform a test on an e-commerce website. The website experiences high traffic during weekdays and major sales events. To minimize business disruption, when should the tester schedule the active scanning and exploitation activities?

A.During peak business hours on weekdays
B.During a major holiday sale event
C.During weekends outside of any special promotions
D.Anytime, as long as the tester does not perform denial-of-service attacks
AnswerC

Low traffic periods minimize business disruption while still allowing effective testing.

Why this answer

Option C is correct because scheduling active scanning and exploitation during weekends outside of special promotions aligns with the requirement to minimize business disruption. High-traffic periods like weekdays and major sales events increase the risk of performance degradation or service interruption from scanning tools, which could impact revenue and user experience. By choosing low-traffic windows, the tester reduces the likelihood of overwhelming the web server or triggering rate-limiting mechanisms.

Exam trap

The trap here is that candidates assume 'no denial-of-service attacks' means no disruption, overlooking that active scanning itself can degrade performance and cause business impact during peak periods.

How to eliminate wrong answers

Option A is wrong because peak business hours on weekdays coincide with high user traffic, making active scanning likely to degrade website performance or trigger security controls like WAF rate limits, causing business disruption. Option B is wrong because a major holiday sale event is a critical revenue period where any disruption from scanning could lead to significant financial loss and violate the client's requirement to minimize business impact. Option D is wrong because even without denial-of-service attacks, active scanning can still cause resource exhaustion, latency spikes, or trigger IPS/IDS blocks, which disrupts normal operations during high-traffic periods.

60
MCQhard

A tester is analyzing a piece of malware and needs to identify the original entry point after unpacking. Which technique is most appropriate?

A.Original Entry Point (OEP) finding
B.Hash analysis
C.Import hash matching
D.Code signing verification
AnswerA

OEP finding locates the real entry point after the unpacking stub.

Why this answer

Option A is correct because finding the Original Entry Point (OEP) is the standard step after the unpacking stub has finished: the analyst lets the stub run, locates the jump into the now-decrypted code, and dumps the process from there to resume static analysis. Option B is wrong because hash analysis matches a file against known samples; it says nothing about where execution starts. Option C is wrong because import hash (imphash) matching clusters samples by their import table to find related malware; it does not locate the entry point, and a packed sample's import table usually belongs to the stub anyway.

Option D is wrong because code signing verification checks authenticity.

61
MCQeasy

A penetration tester has completed the test and is writing the executive summary. The CEO wants to understand the overall security posture without technical jargon. Which of the following is the best approach for the executive summary?

A.List every vulnerability with its CVSS score and technical remediation steps.
B.Provide a high-level overview of the most critical risks, business impact, and recommended strategic improvements.
C.Include a detailed step-by-step reproduction of all attack scenarios.
D.Focus only on network vulnerabilities and omit application-level findings.
AnswerB

This approach aligns with the executive's need for a concise, business-focused summary.

Why this answer

Option B is correct because an executive summary must communicate the overall security posture in business terms, not technical details. The CEO needs to understand the most critical risks, their potential business impact (e.g., financial loss, reputational damage), and recommended strategic improvements—this aligns with the PT0-002 objective of tailoring reports to the audience. Including CVSS scores or step-by-step attack reproductions would overwhelm non-technical readers and fail to convey the big-picture risk.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, selecting options that include excessive technical detail (like CVSS scores or attack steps) instead of focusing on business impact and strategic recommendations.

How to eliminate wrong answers

Option A is wrong because listing every vulnerability with CVSS scores and technical remediation steps is too granular for an executive summary; it belongs in the technical report. Option C is wrong because including a detailed step-by-step reproduction of all attack scenarios is appropriate for the technical findings section, not the executive summary, which should focus on risk and impact. Option D is wrong because omitting application-level findings would give an incomplete picture of the security posture; application vulnerabilities (e.g., SQL injection, XSS) often pose critical business risks and must be summarized at a high level.

62
MCQeasy

A penetration tester has compromised a Linux server and gained a low-privilege shell. The tester discovers that the /etc/shadow file is readable by the tester's user. Which attack is most directly enabled by this finding?

A.Pass-the-hash
B.Password cracking offline
C.LLMNR poisoning
D.Kerberoasting
AnswerB

Reading /etc/shadow directly enables offline password cracking because the hashes can be extracted and attacked with tools like John the Ripper or Hashcat.

Why this answer

The /etc/shadow file contains the hashed passwords for all users on the system. If a low-privilege user can read this file, they can copy the password hashes and attempt to crack them offline using tools like John the Ripper or Hashcat. This directly enables an offline password cracking attack, as the tester can brute-force or use dictionary attacks against the hashes without needing to interact with the live system.

Exam trap

The trap here is that candidates may confuse the ability to read a password hash file with a pass-the-hash attack, but pass-the-hash is a Windows-specific technique that requires NTLM hashes and a network authentication context, not a local file read on Linux.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is an attack that uses captured NTLM hashes to authenticate to Windows systems, not Linux systems; it requires a Windows environment and does not apply to reading /etc/shadow. Option C is wrong because LLMNR poisoning is a Windows-specific network attack that exploits the Link-Local Multicast Name Resolution protocol to capture NetNTLMv2 hashes, and it is not related to reading a local file on a Linux server. Option D is wrong because Kerberoasting targets Kerberos service tickets in Active Directory environments to crack service account passwords; it is a Windows domain attack and does not involve the /etc/shadow file on a Linux server.
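The defender's counterpart to this finding is a permission audit of the files that must stay unreadable to ordinary users. The check below is an added example, not code from the question bank; because inspecting the real /etc/shadow needs root, the demonstration function creates temporary stand-in files with constructed modes (0644 for the weak case, 0640 for the usual root:shadow layout) and audits those.

```python
"""Audit mode bits on files that must never be readable by unprivileged users.

Added example for the /etc/shadow finding above; it is the defender's check,
not code from the original page. The sensitive-file list is illustrative and
the demonstration uses temporary files with constructed permissions.
"""
import os
import stat
import tempfile

# Typical candidates; /etc/shadow is normally root:shadow 0640 on Linux.
SENSITIVE_FILES = ["/etc/shadow", "/etc/gshadow", "/etc/sudoers"]


def audit(paths) -> list:
    """Return one finding per file whose mode grants read access beyond the owner.

    World-readable is always wrong for these files; group-readable is flagged
    for review because it is acceptable only when the group is the intended one.
    """
    findings = []
    for p in paths:
        try:
            mode = stat.S_IMODE(os.stat(p).st_mode)
        except FileNotFoundError:
            continue  # not every distribution ships every file in the list
        if mode & stat.S_IROTH:
            findings.append({"path": p, "mode": format(mode, "04o"),
                             "severity": "high",
                             "why": "readable by any local user"})
        elif mode & stat.S_IRGRP:
            findings.append({"path": p, "mode": format(mode, "04o"),
                             "severity": "review",
                             "why": "readable by group; confirm the group is the intended one"})
    return findings


def demo_with_temp_files() -> list:
    """Constructed demonstration: two temporary files standing in for
    /etc/shadow, one with a weak mode (0644) and one with the usual 0640."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "shadow-weak")
    typical = os.path.join(d, "shadow-typical")
    for p, mode in ((weak, 0o644), (typical, 0o640)):
        with open(p, "w") as fh:
            fh.write("placeholder\n")  # constructed content, no real hashes
        os.chmod(p, mode)
    try:
        return audit([weak, typical, os.path.join(d, "missing")])
    finally:
        for p in (weak, typical):
            os.remove(p)
        os.rmdir(d)


if __name__ == "__main__":
    for f in demo_with_temp_files():
        print(f"{f['severity']:6} {f['mode']} {f['path']}: {f['why']}")
    # On a real host, run as root: audit(SENSITIVE_FILES)
```

The audit deliberately reports mode bits rather than trying to read the file, so it can be run from configuration-management or a scheduled job without ever handling password hashes.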

63
MCQmedium

A penetration testing firm has been hired to test the internal network of a large enterprise. During the scoping meeting, the client states that they want to include all IP ranges, including those used by the HR department's sensitive systems. The tester should recommend which of the following to minimize business impact and avoid disruption?

A.Exclude the HR department's IP range from the test
B.Perform the test during off-peak hours and provide prior notification
C.Use only passive reconnaissance techniques on the HR systems
D.Include the HR systems but require written authorization from HR management
AnswerB

Scheduling testing during off-peak hours reduces impact on business operations, and notifying the HR department in advance allows them to take precautions and avoid data loss or service interruption.

Why this answer

Option B is correct because performing the test during off-peak hours and providing prior notification minimizes business impact by reducing the likelihood of disrupting critical HR operations during normal business hours. This approach aligns with the scoping requirement to include all IP ranges while allowing the client to prepare for potential service interruptions, such as those caused by active scanning techniques like TCP SYN scans or service enumeration. Prior notification ensures that HR staff can take precautions, such as backing up sensitive data or pausing batch jobs, thereby avoiding data corruption or system unavailability.

Exam trap

The trap here is that candidates often choose Option C (passive reconnaissance) thinking it avoids disruption entirely, but they overlook that passive techniques cannot fulfill the test's objective of identifying exploitable vulnerabilities, which requires active interaction with the target systems.

How to eliminate wrong answers

Option A is wrong because excluding the HR department's IP range directly contradicts the client's explicit request to include all IP ranges, including sensitive HR systems, and would leave a critical attack surface untested, potentially missing vulnerabilities like weak authentication on HR databases or exposed SMB shares. Option C is wrong because using only passive reconnaissance techniques on the HR systems is insufficient for a thorough penetration test; passive techniques (e.g., sniffing network traffic or analyzing DNS records) cannot identify active vulnerabilities such as unpatched services, default credentials, or misconfigured firewall rules that require active probing like Nmap version scans or vulnerability scanning with tools like OpenVAS.

64
MCQeasy

A penetration tester has completed the technical portion of a test and is now writing the executive summary. Which of the following is most important to include in this section to effectively communicate with senior management?

A.A detailed list of all tools and commands used during the test
B.The total number of vulnerabilities found and their risk ratings, with a focus on business impact
C.Step-by-step instructions on how to reproduce the most critical vulnerability
D.The names of the penetration testers and their certifications
AnswerB

Risk ratings and business impact are key for executives to understand the severity and make informed decisions about resource allocation for remediation.

Why this answer

The executive summary is intended for senior management, who need to understand the business impact of findings rather than technical details. Option B focuses on the total number of vulnerabilities, their risk ratings, and business impact, which directly aligns with management's decision-making needs. This ensures the report communicates risk in terms of potential financial or operational consequences, not just technical severity.

Exam trap

The trap here is that candidates mistake technical completeness for executive communication, choosing options like A or C because they focus on the tester's work rather than the audience's needs, but the exam specifically tests the distinction between technical reporting and management reporting.

How to eliminate wrong answers

Option A is wrong because a detailed list of all tools and commands used during the test is too technical for senior management; this level of detail belongs in the technical report or appendices, not the executive summary. Option C is wrong because step-by-step instructions on how to reproduce the most critical vulnerability are operational details meant for the technical team, not for high-level management who require a summary of risks and remediation priorities.

65
MCQeasy

During a penetration test report review, the client's IT manager asks for a 'quick reference' that lists each vulnerability, its severity, and the affected system, without detailed exploit steps. Which section of the report should the tester point to?

A.Executive summary
B.Technical findings section
C.Appendix with raw scan results
D.Remediation recommendations
AnswerB

The technical findings section typically includes a summary table listing each vulnerability, its risk severity, and the affected systems, which is perfect for a quick reference.

Why this answer

The technical findings section is the correct place because it provides a structured list of each vulnerability, its severity rating (e.g., CVSS score), and the affected system, while intentionally omitting detailed exploit steps. This directly satisfies the IT manager's request for a 'quick reference' without the operational risk of exposing attack procedures. The executive summary is too high-level, and the appendix with raw scan results lacks the curated, severity-ranked format needed for a quick reference.

Exam trap

The trap here is that candidates confuse the 'quick reference' request with the executive summary, assuming any summary must be in the executive section, but the executive summary lacks the per-vulnerability detail and system mapping that the technical findings section provides.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for non-technical stakeholders, focusing on business risk and strategic recommendations, not a per-vulnerability list with severity and affected systems. Option C is wrong because the appendix with raw scan results contains unprocessed, often voluminous output from tools like Nmap or Nessus, which lacks the curated, severity-ranked format and clear mapping of each vulnerability to a specific system that the IT manager needs.

66
MCQhard

During a penetration test, a tester identifies that the target's network uses Private VLANs to isolate hosts. Which technique can be used to bypass this isolation and perform ARP spoofing?

A.ARP cache poisoning from the switch
B.MAC flooding
C.Double tagging
D.VLAN hopping
AnswerD

VLAN hopping (e.g., double tagging) can bypass Private VLAN isolation by sending frames to another VLAN.

Why this answer

Private VLANs isolate hosts within the same VLAN by restricting traffic at the switch level. VLAN hopping (option D) allows an attacker to bypass this isolation by exploiting the switch's trunking protocol (e.g., DTP) to negotiate a trunk link, enabling the attacker to send and receive frames on multiple VLANs, including the target's community or isolated VLAN, thus facilitating ARP spoofing across the Private VLAN boundaries.

Exam trap

CompTIA often tests the distinction between VLAN hopping methods (DTP-based vs. double tagging), and the trap here is that candidates confuse double tagging with the general concept of VLAN hopping, but double tagging is not effective against Private VLANs because it relies on native VLAN misconfigurations on trunk ports, whereas DTP-based hopping directly negotiates a trunk to access all VLANs.

How to eliminate wrong answers

Option A is wrong because ARP cache poisoning from the switch is not a standard attack vector; ARP spoofing targets end hosts, not the switch's ARP cache, and switches do not maintain ARP caches for forwarding decisions in the same way routers do. Option B is wrong because MAC flooding overwhelms the switch's CAM table to force it into hub mode, which can allow sniffing within the same VLAN but does not bypass Private VLAN isolation, as Private VLANs enforce traffic restrictions at the switch level regardless of CAM table state. Option C is wrong because double tagging is a VLAN hopping technique that works by adding two 802.1Q tags to a frame, but it is effective only against trunk ports with native VLAN mismatches and does not directly bypass Private VLAN isolation, which operates on access ports with Private VLAN configuration.

67
MCQmedium

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A.Cross-Site Request Forgery (CSRF)
B.Insecure Direct Object Reference (IDOR)
C.SQL Injection
D.Cross-Site Scripting (XSS)
AnswerB

Correct. The scenario describes exactly this: direct manipulation of an object reference (user ID) to access other users' data without proper authorization.

Why this answer

The vulnerability is Insecure Direct Object Reference (IDOR) because the application exposes internal object references (e.g., user ID in a URL) and fails to enforce proper authorization checks. By simply changing the ID parameter, the tester can access other users' private data without authentication or permission validation, which is the hallmark of IDOR.

Exam trap

CompTIA often tests IDOR by presenting a scenario where a parameter is manipulated to access another user's data, and the trap is confusing it with CSRF (which involves state-changing actions via forged requests) or SQL injection (which involves database query manipulation), rather than recognizing the core issue as missing authorization on direct object references.

How to eliminate wrong answers

Option A is wrong because Cross-Site Request Forgery (CSRF) involves tricking a user into executing unwanted actions on a web application where they are authenticated, not directly manipulating object references to access unauthorized data. Option C is wrong because SQL Injection is a code injection technique that exploits insecure database queries by inserting malicious SQL statements, not by manipulating exposed object references in URLs or parameters.
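To make the missing authorization concrete, here is an added illustration (not code from the page) of the vulnerable lookup beside its hardened form. The in-memory profile store, the user IDs 101 and 102, and the "support" role are constructed for the example and stand in for a database-backed web handler.

```python
"""Insecure Direct Object Reference (IDOR): the unsafe lookup and its fix.

Added illustration for the scenario above; it is not code from the original
page. The profile store, user IDs, role name and function names are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Profile:
    user_id: int
    email: str
    ssn_last4: str


# Constructed sample store keyed by the ID that the vulnerable URL exposes.
PROFILES = {
    101: Profile(101, "alice@example.test", "1234"),
    102: Profile(102, "bob@example.test", "9876"),
}


class NotAuthorized(Exception):
    """Raised when the caller may not read the requested object."""


def get_profile_vulnerable(session_user_id: int, requested_id: int) -> Profile:
    """Vulnerable pattern: the client-supplied ID is the lookup key and the
    authenticated identity is never consulted, so changing the ID in the URL
    returns another user's record."""
    return PROFILES[requested_id]


def can_access(session_user_id: int, requested_id: int,
               roles: Iterable[str] = ()) -> bool:
    """Authorization decision: owners may read their own record; a constructed
    'support' role may read any record. Keeping this in one place means every
    handler applies the same rule."""
    return requested_id == session_user_id or "support" in set(roles)


def get_profile_hardened(session_user_id: int, requested_id: int,
                         roles: Iterable[str] = ()) -> Profile:
    """Hardened pattern: the same lookup, gated on the session identity."""
    if not can_access(session_user_id, requested_id, roles):
        raise NotAuthorized(f"user {session_user_id} may not read profile {requested_id}")
    return PROFILES[requested_id]


def get_own_profile(session_user_id: int) -> Profile:
    """Stronger still for 'my profile' endpoints: derive the object reference
    from the session, leaving no client-controlled ID to tamper with."""
    return PROFILES[session_user_id]


if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable(101, 102))   # Bob's data leaks to Alice
    try:
        get_profile_hardened(101, 102)
    except NotAuthorized as exc:
        print("hardened:", exc)
```

The test for IDOR in a report maps directly onto `can_access`: if the only thing standing between two users' records is the value in the URL, the check is absent.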

68
Multi-Selectmedium

A penetration tester is scoping an engagement for a client that has both on-premises and cloud infrastructure. Which TWO documents should be reviewed to understand the client's cloud security posture?

Select 2 answers
A.AWS IAM policies
B.Azure AD logs
C.Cloud service agreement
D.On-premises firewall rules
E.Shared responsibility model
AnswersC, E

The cloud service agreement outlines the contractual security requirements and protections, and the shared responsibility model defines which controls the provider owns and which remain with the client.


Why this answer

The shared responsibility model defines security boundaries between the cloud provider and client, and the cloud service agreement outlines contractual security obligations. IAM policies and Azure AD logs are technical details, while on-premises firewall rules are not cloud-specific.

69
MCQmedium

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

A.Using the 'nslookup' command to query the domain's DNS server
B.Querying certificate transparency logs using a site like crt.sh
C.Performing a DNS zone transfer
D.Using the 'whois' lookup to gather domain registration info
AnswerB

Correct. Certificate transparency logs are public and contain all domains/subdomains that have SSL/TLS certificates issued, providing passive subdomain discovery.

Why this answer

Certificate transparency logs, accessible via sites like crt.sh, provide a historical record of all SSL/TLS certificates issued for a domain, including those for subdomains. Querying these logs allows a tester to discover subdomains without making any direct DNS queries to the target's authoritative servers, thus remaining fully passive and avoiding detection.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with techniques that are technically passive from the tester's perspective but still generate network traffic to the target, such as querying public DNS resolvers or using search engines, whereas certificate transparency logs are truly passive as they rely on third-party data repositories.

How to eliminate wrong answers

Option A is wrong because using 'nslookup' to query the domain's DNS server involves direct DNS queries to the target's authoritative servers, which is active reconnaissance and can be logged or detected. Option C is wrong because performing a DNS zone transfer requires a direct connection to the target's DNS server and typically fails unless the server is misconfigured to allow unauthorized transfers; it is also an active technique that generates network traffic.
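The same CT data serves both the scoping tester (building a subdomain inventory) and the defender (spotting certificates from a CA the organisation never approved). The parser below is an added example, not code from the page or from crt.sh; the records are constructed in the shape of crt.sh's JSON output, where each object carries a newline-separated `name_value` field, and the domain `example.test` and issuer strings are placeholders. Nothing is fetched, so it runs offline.

```python
"""Inventory hostnames from certificate transparency (CT) log records.

Added example, not code from the original page. The records are constructed
in the shape of the JSON that crt.sh returns (a list of objects whose
"name_value" field holds newline-separated subject names); nothing is
fetched over the network.
"""
import json

# Constructed sample in the crt.sh JSON layout; domain and issuers are placeholders.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA",
     "common_name": "www.example.test",
     "name_value": "example.test\nwww.example.test"},
    {"id": 2, "issuer_name": "C=US, O=Example CA",
     "common_name": "*.example.test",
     "name_value": "*.example.test\nexample.test"},
    {"id": 3, "issuer_name": "C=US, O=Example CA",
     "common_name": "mail.example.test",
     "name_value": "mail.example.test\nVPN.Example.test."},
    {"id": 4, "issuer_name": "C=XX, O=Unknown Free CA",
     "common_name": "api.dev.example.test",
     "name_value": "api.dev.example.test"},
    {"id": 5, "issuer_name": "C=US, O=Example CA",
     "common_name": "example.test.lookalike.invalid",
     "name_value": "example.test.lookalike.invalid"},
])


def load_ct_records(ct_json: str) -> list:
    """Parse the JSON body into a list of record dicts."""
    return json.loads(ct_json)


def _in_domain(name: str, domain: str) -> bool:
    """True when name is the apex or lies beneath it. A bare suffix match is
    not enough: example.test.lookalike.invalid must not count."""
    return name == domain or name.endswith("." + domain)


def hostnames_from_ct(records, domain: str) -> list:
    """Unique, normalised names (lower-case, trailing dot removed) for which
    the logs show a certificate, restricted to the domain of interest."""
    domain = domain.lower().rstrip(".")
    names = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name and _in_domain(name, domain):
                names.add(name)
    return sorted(names)


def subdomains_only(hosts, domain: str) -> list:
    """Drop the apex and wildcard entries; what remains is the concrete
    subdomain list a scoping document would enumerate."""
    domain = domain.lower().rstrip(".")
    return [h for h in hosts if h != domain and not h.startswith("*.")]


def certs_from_unexpected_issuers(records, approved_issuers) -> list:
    """Defender's view of the same data: IDs of certificates issued by a CA
    that is not on the organisation's approved list, which merit investigation."""
    approved = {i.lower() for i in approved_issuers}
    return [rec["id"] for rec in records
            if rec.get("issuer_name", "").lower() not in approved]


if __name__ == "__main__":
    recs = load_ct_records(SAMPLE_CT_JSON)
    hosts = hostnames_from_ct(recs, "example.test")
    print("names seen in CT:", hosts)
    print("subdomains:", subdomains_only(hosts, "example.test"))
    print("unexpected issuers:", certs_from_unexpected_issuers(recs, ["C=US, O=Example CA"]))
```

Normalising case and trailing dots matters because CT entries reflect whatever the CA recorded; without it the same host appears several times and the inventory overstates the attack surface.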

70
Matchingmedium

Match each Phase of the Penetration Testing Execution Standard (PTES) to its description.

Scope definition, rules of engagement, legal agreements

Collecting information about the target via OSINT

Identifying assets, threats, and attack vectors

Scanning and testing for vulnerabilities

Gaining unauthorized access using exploits

Why these pairings

PTES defines standard phases for penetration testing engagements.

71
Multi-Selecteasy

When calculating the risk rating for a vulnerability found during a penetration test, which two factors are most fundamental to the risk calculation?

Select 2 answers
A.Likelihood and impact
B.CVSS base score and temporal score
C.Number of affected systems and data classification
D.Ease of exploitation and attack vector
AnswersA, D

Risk = Likelihood × Impact. This is the standard formula used in risk management. Likelihood considers factors like ease of exploitation and exposure, while impact considers data sensitivity and business disruption.

Why this answer

Risk rating in penetration testing is fundamentally derived from the likelihood that a vulnerability will be exploited and the impact if it is exploited. These two factors form the core of any risk assessment framework, including NIST SP 800-30 and ISO 31000, because they directly quantify the probability and consequence of a threat event. Without likelihood and impact, you cannot compute a meaningful risk score, as other factors like CVSS scores or asset counts are secondary inputs that feed into these primary dimensions.

Exam trap

CompTIA often tests the misconception that CVSS scores alone define risk, but the trap here is that CVSS is a measure of vulnerability severity, not risk, which requires contextual likelihood and impact to be meaningful.

72
MCQeasy

A client requests a penetration test that simulates an external attacker with no prior knowledge of the internal network. The tester is not provided with any credentials, network diagrams, or source code. Which type of test does this describe?

A.White-box test
B.Black-box test
C.Gray-box test
D.Covert test
AnswerB

In a black-box test, the tester has no internal knowledge and must rely solely on publicly available information and reconnaissance.

Why this answer

This is a black-box test because the tester simulates an external attacker with no prior knowledge of the internal network, no credentials, no network diagrams, and no source code. In black-box testing, the tester must discover all vulnerabilities from an outsider's perspective, relying solely on publicly available information and active reconnaissance techniques such as port scanning, service enumeration, and vulnerability scanning. This approach aligns with the client's requirement to mimic a real-world attacker who has zero insider knowledge.

Exam trap

The trap here is that candidates often confuse black-box testing with gray-box testing, mistakenly thinking that 'no credentials' automatically implies gray-box, but gray-box testing still provides some internal knowledge (e.g., network diagrams or low-privilege access), which is explicitly absent in this scenario.

How to eliminate wrong answers

Option A is wrong because a white-box test provides the tester with full knowledge of the internal network, including credentials, network diagrams, and source code, which contradicts the scenario where no such information is given. Option C is wrong because a gray-box test offers partial knowledge, such as limited credentials or network topology, whereas the scenario explicitly states no prior knowledge or credentials are provided.

73
MCQhard

A penetration tester is analyzing a PowerShell script that uses the 'Invoke-Command' cmdlet to execute commands on remote machines, and 'Set-Service' to change service startup types. What attack is this script most likely performing?

A.Remote service modification for persistence.
B.Lateral movement via PsExec.
C.Credential dumping.
D.Data exfiltration.
AnswerA

By using Invoke-Command to run Set-Service on remote machines, the attacker can enable services or set them to auto-start, ensuring their backdoor continues to run after restart.

Why this answer

The script uses Invoke-Command to execute commands on remote machines and Set-Service to change service startup types. This combination is commonly used to modify a service to start automatically or to create a new service that runs malicious code, establishing persistence on a remote system. The attack does not involve lateral movement via PsExec (which uses SMB and service control manager differently) nor credential dumping (which requires tools like Mimikatz or direct memory access).

Exam trap

The trap here is that candidates confuse the use of Invoke-Command (PowerShell Remoting) with PsExec, but PsExec is a distinct tool that does not use the Invoke-Command cmdlet, and the focus on service modification points to persistence rather than lateral movement or credential theft.

How to eliminate wrong answers

Option B is wrong because PsExec is a separate tool that uses SMB and the Windows Service Control Manager to execute processes remotely, not the Invoke-Command cmdlet which relies on WinRM (WS-Management). Option C is wrong because credential dumping involves extracting password hashes or plaintext credentials from memory (e.g., LSASS) or registry, not modifying service startup types with Set-Service.
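From the blue-team side, the same combination is what a detection rule should look for: a script block that wraps Set-Service with an Automatic start type inside Invoke-Command aimed at another host, ideally confirmed by the System log on that host recording the start-type change. The detector below is an added example, not code from the page. Its log lines are constructed in a simplified key=value export modelled on PowerShell script block logging (Event ID 4104) and the System log's service start-type change event (Event ID 7040); hosts, users and timestamps are placeholders and real exports carry more fields.

```python
"""Flag PowerShell activity that switches services to auto-start on remote hosts.

Added detection example for the Invoke-Command / Set-Service scenario above;
it is not code from the original page. The log lines are constructed in a
simplified key=value format modelled on Event ID 4104 (script block logging)
and Event ID 7040 (service start type changed).
"""
import re

# Constructed sample events (hosts, users and timestamps are placeholders).
SAMPLE_LOGS = [
    '2024-03-01T10:15:02 host=WS01 event_id=4104 user=CORP\\jdoe '
    'script="Get-Service -Name Spooler"',
    '2024-03-01T10:16:40 host=WS01 event_id=4104 user=CORP\\jdoe '
    'script="Invoke-Command -ComputerName FS02 -ScriptBlock '
    '{ Set-Service -Name RemoteRegistry -StartupType Automatic }"',
    '2024-03-01T10:16:41 host=FS02 event_id=7040 user=CORP\\jdoe '
    'message="The start type of the Remote Registry service was changed '
    'from disabled to auto start"',
    '2024-03-01T11:02:13 host=WS03 event_id=4104 user=CORP\\svc_patch '
    'script="Set-Service -Name wuauserv -StartupType Manual"',
    '2024-03-01T11:30:00 host=FS02 event_id=7040 user=SYSTEM '
    'message="The start type of the Windows Update service was changed '
    'from auto start to demand start"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) user=(?P<user>\S+) '
    r'(?:script|message)="(?P<body>.*)"$')
REMOTE_RE = re.compile(r'-ComputerName\s+(?P<target>[^\s,]+)', re.IGNORECASE)
AUTOSTART_RE = re.compile(r'Set-Service\b.*-StartupType\s+Automatic', re.IGNORECASE)


def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines) -> list:
    """Apply the rules and return one finding dict per matching event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        body = ev["body"]
        common = {"host": ev["host"], "user": ev["user"], "ts": ev["ts"]}
        if ev["eid"] == "4104" and AUTOSTART_RE.search(body):
            remote = REMOTE_RE.search(body)
            if remote and "invoke-command" in body.lower():
                # Remote host told to auto-start a service: persistence candidate.
                findings.append({"rule": "remote_service_autostart", "severity": "high",
                                 "target": remote.group("target"), **common})
            else:
                findings.append({"rule": "local_service_autostart", "severity": "medium",
                                 "target": ev["host"], **common})
        elif ev["eid"] == "7040" and body.lower().endswith("to auto start"):
            # The target's own System log confirming the change.
            findings.append({"rule": "start_type_changed_to_auto", "severity": "medium",
                             "target": ev["host"], **common})
    return findings


def correlate(findings) -> list:
    """Pair a remote auto-start command with a 7040 confirmation on the named
    target host; the matched pair is stronger evidence than either alone."""
    confirmed_hosts = {f["host"] for f in findings
                       if f["rule"] == "start_type_changed_to_auto"}
    return [f for f in findings
            if f["rule"] == "remote_service_autostart" and f["target"] in confirmed_hosts]


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f"{f['severity']:6} {f['rule']:28} {f['host']} -> {f['target']} by {f['user']}")
    print("confirmed remote persistence:", [f["target"] for f in correlate(found)])
```

The manual change to wuauserv and SYSTEM's own switch to demand start stay silent, which is the point: the rule keys on the Automatic start type combined with remoting rather than on any use of Set-Service, so routine administration does not flood the queue.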

74
MCQmedium

A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?

A.Statement of Work (SOW)
B.Non-Disclosure Agreement (NDA)
C.Master Services Agreement (MSA)
D.Rules of Engagement (ROE)
AnswerD

The ROE is the correct document for specifying what is in scope, what is out of scope, and any specific restrictions like not testing the CDN.

Why this answer

The Rules of Engagement (ROE) document is the correct place to formally document restrictions such as excluding the CDN infrastructure from testing. The ROE defines the scope, boundaries, and specific constraints for the penetration test, including which IP ranges, domains, or systems are off-limits. This ensures the testing team does not inadvertently target the third-party CDN, which could violate contractual agreements or cause unintended disruptions.

Exam trap

The trap here is that candidates confuse the ROE with the SOW, assuming the SOW is the catch-all document for all restrictions, but the ROE is specifically designed for operational boundaries and constraints in penetration testing engagements.

How to eliminate wrong answers

Option A is wrong because the Statement of Work (SOW) describes the high-level objectives, deliverables, and timeline of the engagement, but it does not typically contain granular operational constraints like excluding specific infrastructure components. Option B is wrong because the Non-Disclosure Agreement (NDA) is a legal contract protecting confidential information, not a document for defining testing boundaries or restrictions. Option C is wrong because the Master Services Agreement (MSA) establishes the overarching legal and business terms between parties, but it does not detail per-engagement technical limitations such as CDN exclusion.

75
MCQmedium

A penetration tester writes a Python script to test for directory traversal vulnerabilities in a web application. The script uses the requests library to send a payload like '../../etc/passwd' and checks if the response contains the string 'root:'. However, the tester notices many false negatives because the application requires URL encoding of the dots and slashes. Which code modification would BEST improve the detection rate?

A.Increase the number of payloads in the list
B.URL-encode the payload using urllib.parse.quote()
C.Check the HTTP status code instead of response content
D.Use raw sockets to send HTTP requests manually
AnswerB

Proper URL encoding ensures the payload is correctly interpreted by the server, matching common attack vectors.

Why this answer

Option B is correct because the penetration tester's script is failing to detect directory traversal vulnerabilities due to the web application requiring URL-encoded characters. By using `urllib.parse.quote()` to URL-encode the dots and slashes in the payload (e.g., `%2e%2e%2f` for `../`), the request matches the application's expected input format, reducing false negatives. This directly addresses the root cause—encoding—rather than adding more payloads or changing the detection method.

Exam trap

The trap here is that candidates may think adding more payloads (Option A) or checking status codes (Option C) will solve the detection issue, but the core problem is the lack of proper encoding to match the application's input handling, which is a common oversight in web application testing.

How to eliminate wrong answers

Option A is wrong because increasing the number of payloads in the list does not fix the encoding issue; it only adds more unencoded payloads that will still be rejected or mishandled by the application, leading to continued false negatives. Option C is wrong because checking the HTTP status code instead of response content would not improve detection of directory traversal; the application might return a 200 OK even when the traversal fails (e.g., a generic error page), and the presence of 'root:' in the response is a more reliable indicator of successful exploitation.
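The encoding point cuts both ways: an application that only strips a literal `../` but then decodes `%2e%2e%2f` is exactly the kind of target whose traversal the tester's plain payload would miss. The guard below is an added example showing the server-side fix rather than the tester's script (it is not code from the page): decode repeatedly until stable, normalise, then verify the result is still under the document root. The base directory `/srv/app/static` and the request paths are constructed placeholders.

```python
"""Server-side guard against directory traversal, including encoded forms.

Added example for the encoding discussion in the question above; it is the
defender's counterpart to the tester's check and is not code from the
original page. The base directory and request paths are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/app/static"  # constructed example document root


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so the check sees
    the same bytes the filesystem would. Stops once decoding is a no-op."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(user_path: str, base: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path for a request, or None if it would escape base.

    The comparison is lexical (posixpath.normpath), so '..' is rejected whether
    it arrives raw, percent-encoded, double-encoded or with backslashes.
    """
    decoded = fully_decode(user_path)
    if "\x00" in decoded:                 # NUL-truncation trick
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    base_norm = posixpath.normpath(base)
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


def is_traversal_attempt(user_path: str) -> bool:
    """Convenience predicate for logging or blocking at a request filter."""
    return resolve_under_base(user_path) is None


if __name__ == "__main__":
    for p in ["css/site.css", "../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
              "%252e%252e%252fetc/passwd", "..%5c..%5cwindows"]:
        print(f"{p!r:40} -> {resolve_under_base(p)}")
```

Resolving against a normalised base and comparing prefixes (with the trailing slash) avoids the classic mistake of `startswith(base)` alone, which would accept `/srv/app/static-private/...` as being under `/srv/app/static`.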
