CompTIA PenTest+ PT0-002 (PT0-002) — Questions 676750

993 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
Multi-Selectmedium

A penetration tester is performing host discovery on a subnet. Which TWO of the following Nmap options can be used to discover live hosts?

Select 2 answers
A.-sn
B.-O
C.-sP
D.-sV
E.-sS
AnswersA, C

-sn is the ping sweep flag for host discovery.

Why this answer

Both -sn (ping sweep) and -sP (older alias for ping sweep) perform host discovery without port scanning. -sS and -sV are for port scanning and version detection respectively, not host discovery.

677
Multi-Selecteasy

A penetration tester is using Hashcat to crack password hashes. Which TWO attack modes are commonly used?

Select 2 answers
A.Brute-force attack (-a 3)
B.Dictionary attack (-a 0)
C.Rule-based attack (-a 0 with rules)
D.Mask attack (-a 6)
E.Rainbow table attack
AnswersA, B

Tries all combinations.

Why this answer

Dictionary attack (-a 0) and brute-force (-a 3) are standard modes. Hybrid (-a 6) is also common, but only TWO are asked. The question asks for two, so dictionary and brute-force are correct.

678
MCQhard

Refer to the exhibit. A penetration tester runs this script against a target service and receives the output 'Error: [Errno 104] Connection reset by peer'. What is the most likely cause?

A.The target service is not running.
B.The target service expects a different protocol.
C.The payload caused the service to crash due to a buffer overflow.
D.The target is blocking the IP after detecting scanning.
AnswerC

The large payload and abrupt disconnection are consistent with a buffer overflow crash.

Why this answer

The connection reset indicates that the remote server closed the connection abruptly, often because the service crashed. Sending a large payload of 'A' characters suggests a buffer overflow attempt, which could cause the service to crash. Option B correctly identifies this.

If the service were not running, the error would be 'Connection refused'. Option C is possible but less likely given the script's purpose. Option D is not supported by the evidence.

679
MCQmedium

A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?

A.John the Ripper
B.Metasploit's psexec module
C.Mimikatz
D.Nmap
AnswerB

The psexec module in Metasploit allows authentication with a plaintext password or NTLM hash to execute commands on a remote Windows system via SMB.

Why this answer

Metasploit's psexec module (exploit/windows/smb/psexec) directly accepts an NTLM hash via the 'SMBPass' option and uses it to authenticate over SMB, then creates a service on the target to execute commands. This is a classic pass-the-hash technique against Windows systems, as the module leverages the SMB protocol and Windows service control manager without needing the plaintext password.

Exam trap

The trap here is that candidates confuse Mimikatz's ability to perform pass-the-hash locally (spawning a cmd.exe with the hash) with the ability to directly execute commands remotely, but Mimikatz requires additional tools like PsExec or WinRM to achieve remote execution, whereas Metasploit's psexec module is a single-step solution.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that attempts to recover plaintext passwords from hashes, not a tool that can directly authenticate using a hash for remote command execution. Option C is wrong because Mimikatz is primarily a credential extraction and manipulation tool that can perform pass-the-hash locally (e.g., via sekurlsa::pth) to spawn a process with the hash, but it does not directly provide remote command execution against a domain-joined machine without additional steps like scheduling a remote task or using PsExec.

680
MCQmedium

A Python proof-of-concept sends repeated login attempts but does not preserve cookies between requests. The application sets a CSRF token in a session cookie. What change is most likely required for accurate testing?

A.Use a requests.Session object and refresh the CSRF token before each attempt.
B.Remove all headers from the requests.
C.Increase the payload length only.
D.Disable TLS certificate verification as the main fix.
AnswerA

This maintains session state and handles token-based workflows.

Why this answer

The correct answer is A because the proof-of-concept fails to maintain session state across requests, which is essential for handling CSRF tokens that are typically tied to a session. Using a `requests.Session` object automatically persists cookies (including the session cookie containing the CSRF token) across requests, and refreshing the CSRF token before each attempt ensures the token is valid for each login attempt, mimicking real browser behavior.

Exam trap

The trap here is that candidates may think the issue is about request headers or payload size, when the real problem is the lack of session state management (cookie persistence) and CSRF token synchronization across requests.

How to eliminate wrong answers

Option B is wrong because removing all headers would likely break the application's request handling (e.g., missing Content-Type or User-Agent), and does not address the core issue of cookie persistence or CSRF token management. Option C is wrong because increasing payload length only affects the data sent in the request body, but does not solve the problem of missing session cookies or invalid CSRF tokens, which are handled via headers and cookies, not payload size.

681
MCQmedium

A penetration tester has been given access to a network tap on a client's internal network. The tester wants to perform initial reconnaissance by identifying all live hosts and their operating systems without sending any packets that could be detected. Which technique is most appropriate?

A.Perform an ARP scan using arp-scan from a connected workstation.
B.Run Wireshark to capture traffic and analyze source IP addresses and TCP/IP stack signatures.
C.Use Nmap with the -sn flag to perform a ping sweep of the subnet.
D.Initiate a DNS zone transfer request to the internal DNS servers.
AnswerB

Wireshark (or similar tools) passively captures network traffic. Source IPs reveal active hosts, and analysis of TCP/IP parameters (e.g., TTL, window size) allows OS fingerprinting without sending any packets.

Why this answer

Option B is correct because capturing traffic with Wireshark from a network tap is entirely passive—it never injects packets into the network. By analyzing source IP addresses and TCP/IP stack signatures (e.g., TTL values, window sizes, and IP ID patterns), the tester can identify live hosts and infer their operating systems without sending any detectable traffic. This aligns perfectly with the requirement to avoid sending any packets.

Exam trap

The trap here is that candidates often assume passive techniques like packet capture cannot identify operating systems, or they mistakenly think that ARP scans and ping sweeps are 'quiet' because they use low-level protocols, forgetting that any packet injection is detectable.

How to eliminate wrong answers

Option A is wrong because an ARP scan using arp-send sends ARP request packets onto the network, which can be detected by network monitoring tools or intrusion detection systems, violating the 'no packets sent' constraint. Option C is wrong because Nmap with the -sn flag performs a ping sweep that sends ICMP echo requests, TCP SYN packets to port 443, or ARP probes (depending on privileges), all of which generate detectable network traffic.

682
MCQmedium

A penetration tester needs to perform a Kerberoasting attack against a Windows Active Directory environment. Which tool from the Impacket suite should the tester use to request service tickets and extract TGS hashes for offline cracking?

A.wmiexec.py
B.secretsdump.py
C.GetUserSPNs.py
D.psexec.py
AnswerC

Correct. Specifically for requesting TGS for SPN accounts.

Why this answer

GetUserSPNs.py in the Impacket suite is used to find and request service principal names (SPNs) and retrieve TGS hashes for Kerberoasting.

683
MCQmedium

A penetration tester analyzes a PowerShell script that uses the 'Invoke-Command' cmdlet to run a command on multiple remote Windows systems. The script checks if the local Administrator account is using a default password. Which phase of the penetration test is this script most directly supporting?

A.Lateral movement
B.Credential dumping
C.Enumeration of misconfigurations
D.Privilege escalation
AnswerC

The script enumerates remote systems to identify if the default Administrator password is still in use, which is a misconfiguration. This is a form of enumeration used to identify weaknesses.

Why this answer

The script uses Invoke-Command to check if the local Administrator account on multiple remote Windows systems uses a default password. This directly supports the enumeration of misconfigurations phase, as it identifies a common security weakness (default credentials) that could be exploited. It does not involve moving between systems (lateral movement) or extracting stored credentials (credential dumping).

Exam trap

The trap here is confusing the act of checking for default credentials (enumeration of misconfigurations) with the subsequent exploitation step (lateral movement) or the method of extracting stored credentials (credential dumping).

How to eliminate wrong answers

Option A is wrong because lateral movement involves using compromised credentials or techniques to access additional systems, not simply checking for default passwords across remote hosts. Option B is wrong because credential dumping refers to extracting password hashes or plaintext credentials from memory (e.g., using Mimikatz) or from SAM/registry hives, not testing if a known default password is still in use.

684
MCQeasy

A penetration tester has submitted the final report to the client. The client's legal team requests a separate document that describes the methodology used, but does not include any actual findings or sensitive data. Which type of document should the tester provide?

A.A new executive summary that omits the findings
B.A copy of the technical findings with redacted details
C.A document describing the testing methodology and scope
D.The remediation plan without the exploit steps
AnswerC

This document covers the 'how' and 'what' of the test without any vulnerability details, suitable for legal review.

Why this answer

The client's legal team specifically requested a document describing the methodology used without any actual findings or sensitive data. Option C, a document describing the testing methodology and scope, directly fulfills this requirement by providing a high-level overview of the penetration testing approach, tools, and boundaries, while excluding all findings, evidence, and sensitive client data. This type of document is often called a 'Methodology Statement' or 'Scope of Work' and is commonly used for legal or compliance purposes to demonstrate due diligence without exposing risk details.

Exam trap

The trap here is that candidates confuse the purpose of an executive summary (which summarizes findings) with a methodology-only document, leading them to choose Option A, but the legal team explicitly wants no findings or sensitive data, making a pure methodology document the only correct choice.

How to eliminate wrong answers

Option A is wrong because an executive summary, by definition, includes a high-level overview of the findings and risk ratings, which the legal team explicitly asked to omit. Option B is wrong because a copy of the technical findings with redacted details still contains sensitive data (even if redacted, the underlying structure and context of findings remain), and the legal team requested a document that does not include any actual findings or sensitive data at all.

685
MCQmedium

A tester finds a Linux binary with the SUID bit set. The binary is owned by root and executes a shell command. The tester runs the binary and gets a root shell. Which command would the tester likely have used to discover this SUID binary?

A.find / -perm -u=s
B.find / -type f -perm /4000
C.which suid
D.ls -laR / | grep SUID
AnswerB

This finds files with SUID bit set (4000).

Why this answer

The command 'find / -perm /4000' finds files with SUID bit set. The /4000 syntax searches for exactly SUID. Using -u=s is incorrect.

686
MCQmedium

A penetration tester discovers a web application that deserializes user-controlled data without validation. The application uses Java serialization. The tester creates a malicious serialized object that executes a system command. Which of the following conditions is required for this exploit to succeed?

A.The application must be running with root privileges
B.The application must use a custom ClassLoader
C.The Java runtime must have a gadget chain available in its classpath
D.The application must be running on a Windows operating system
AnswerC

Gadget chains like those in Apache Commons Collections are necessary to transform deserialization into code execution.

Why this answer

Java deserialization exploits rely on the presence of specific classes (gadget chains) in the application's classpath that can be chained together to achieve arbitrary code execution. The attacker crafts a serialized object that, when deserialized, triggers a sequence of method calls (gadget chain) that ultimately executes a system command. Without a suitable gadget chain available in the classpath, the deserialization of a malicious object will not lead to code execution.

Exam trap

CompTIA often tests the misconception that privilege escalation (root) or custom class loading is required, when in fact the core requirement is the availability of gadget chains in the classpath.

How to eliminate wrong answers

Option A is wrong because the exploit does not require root privileges; it relies on the application's own permissions and the presence of gadget chains, not on the operating system user. Option B is wrong because a custom ClassLoader is not a prerequisite for Java deserialization attacks; the exploit works with the default class loading mechanism as long as the necessary gadget classes are in the classpath.

687
MCQmedium

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester attempts to modify the 'alg' header to 'none' and sends the token. The server accepts the forged token. Which vulnerability is being exploited?

A.kid injection
B.alg:none attack
C.Algorithm confusion
D.Weak signing secret
AnswerB

Setting alg to none bypasses signature verification.

Why this answer

The 'alg:none' attack exploits JWT libraries that accept tokens without verifying signatures. This allows an attacker to forge tokens. Weak secret brute-force would crack the signing key; kid injection manipulates the key ID.

688
MCQmedium

A penetration tester is exploiting a SQL injection vulnerability in a web application. They want to extract data from the database without displaying it on the page. Which SQL injection technique should they use?

A.Blind time-based SQL injection
B.Stacked queries
C.UNION-based SQL injection
D.Error-based SQL injection
AnswerA

Time-based blind SQL injection uses conditional time delays to extract data bit by bit.

Why this answer

Blind SQL injection techniques like time-based or boolean-based are used when data is not returned directly in the response. Time-based uses delays to infer information.

689
MCQhard

After a penetration test, the client requests that the tester remove certain findings from the final report because they reveal sensitive information about a new product. What is the BEST response from the tester?

A.Agree to remove the findings but note in the report that they were omitted.
B.Remove the findings entirely and do not mention them.
C.Refuse to remove the findings and threaten to disclose them publicly.
D.Insist on including the findings but obfuscate the sensitive details.
AnswerA

This maintains transparency while respecting client wishes.

Why this answer

Option D is correct because the client owns the data and can decide what is included, but the tester should ensure the report accurately reflects risks. Option A is wrong because refusing cooperation could damage the relationship. Option B is wrong because the client has the right to manage their information.

Option C is wrong because omitting findings undermines the report's integrity; instead, document the decision.

690
MCQhard

During a web application test, a penetration tester needs to modify an HTTP request in real-time, send it repeatedly with different parameter values, and analyze the responses. Which Burp Suite tool is best suited for this task?

A.Intruder
B.Repeater
C.Proxy
D.Sequencer
AnswerA

Correct: automates sending requests with multiple payloads and analyzes responses.

Why this answer

Burp Suite Intruder is specifically designed for automated, customizable attacks that send multiple HTTP requests with varying parameter values (payloads) and analyze responses. It supports real-time modification of requests, payload positions, and response analysis, making it the ideal tool for fuzzing, brute-forcing, and parameter testing during a web application penetration test.

Exam trap

The trap here is that candidates often confuse Repeater's ability to manually resend requests with Intruder's automated, multi-payload capability, leading them to choose Repeater when the question explicitly requires repeated sending with different parameter values.

How to eliminate wrong answers

Option B (Repeater) is wrong because Repeater is used for manually sending a single request multiple times with manual modifications, not for automated, repeated sending with different parameter values. Option C (Proxy) is wrong because Proxy intercepts and forwards HTTP traffic between browser and server but does not provide automated payload substitution or response analysis across multiple requests. Option D (Sequencer) is wrong because Sequencer analyzes the randomness of session tokens or other data, not for modifying and replaying requests with different parameter values.

691
MCQmedium

A penetration tester is writing a Bash script to enumerate network shares on multiple Windows hosts. The script uses smbclient to list shares. Which command should be used within the script to attempt to connect to a host with a known username and password?

A.smbclient -L //host -U username%password
B.smbclient //host/share -U username%password
C.smbmap -H host -u username -p password
D.net use \\host\share /user:username password
AnswerA

The -L flag lists shares, and -U specifies credentials. This is the standard method to enumerate SMB shares.

Why this answer

Option A is correct because the `smbclient -L //host` command lists available shares on a remote SMB/CIFS host, and appending `-U username%password` provides the credentials for authentication. This matches the requirement to enumerate network shares on multiple Windows hosts using a known username and password within a Bash script.

Exam trap

The trap here is that candidates confuse the `-L` (list shares) option with the direct share connection syntax (`//host/share`), or they mistakenly select a different tool like `smbmap` when the question explicitly specifies using `smbclient` in the script.

How to eliminate wrong answers

Option B is wrong because `smbclient //host/share -U username%password` attempts to connect directly to a specific share (e.g., `//host/share`) rather than listing all shares, which is not the goal of enumeration. Option C is wrong because `smbmap` is a different tool (not `smbclient`) and is not the command specified in the question's context of using `smbclient` within a Bash script.

692
Multi-Selectmedium

During a web application penetration test, a tester wants to identify vulnerabilities that allow unauthorized access to internal resources. Which TWO of the following are commonly exploited to access internal services?

Select 2 answers
A.Server-side request forgery (SSRF)
B.Cross-site scripting (XSS)
C.SQL injection (SQLi)
D.Command injection
E.XML external entity (XXE) injection
AnswersA, E

Correct: SSRF allows accessing internal resources.

Why this answer

SSRF can be used to access internal services by making the server request internal IPs. XXE can also be used for SSRF by using external entities to make HTTP requests. XSS is client-side, SQLi is database, command injection is OS commands.

693
MCQmedium

A penetration tester is performing DNS reconnaissance and wants to enumerate all subdomains of a target domain by querying DNS servers in an attempt to transfer the entire zone file. Which technique is the tester using?

A.DNS zone transfer
B.DNS reverse lookup
C.DNS cache snooping
D.DNS tunneling
AnswerA

Zone transfer requests the entire zone file, revealing all DNS records.

Why this answer

DNS zone transfer (AXFR) is a mechanism that allows a secondary DNS server to replicate the entire zone file from a primary server. If misconfigured, anyone can request it.

694
Multi-Selecteasy

A penetration tester needs to perform initial reconnaissance on a target domain. Which of the following tools are specifically designed for domain enumeration? (Select TWO).

Select 2 answers
A.Wireshark
B.Metasploit
C.theHarvester
D.Netcat
E.recon-ng
AnswersC, E

theHarvester is designed for domain and email enumeration.

Why this answer

Options A and C are correct. TheHarvester and Recon-ng are purpose-built for domain enumeration. Metasploit is for exploitation; Netcat is a networking utility; Wireshark is for packet analysis.

695
MCQmedium

During a penetration test, a tester gains shell access on a Linux server as a low-privileged user. The user is identified to be a member of the 'docker' group. Which technique is most effective for escalating privileges to root?

A.Use docker to mount the entire host filesystem and modify the root password.
B.Use docker to run a container with network host mode to access internal services.
C.Use docker to pull a malicious image from the internet to compromise other containers.
D.Use docker to create a new user with root privileges inside a container.
AnswerA

Running 'docker run -v /:/mnt -it ubuntu bash' mounts the host root filesystem. From inside the container, the attacker can chroot to /mnt and modify /etc/shadow or add an SSH authorized key, gaining full root access.

Why this answer

Membership in the 'docker' group grants the user effective root-equivalent access because the Docker daemon runs as root and allows any member of the 'docker' group to issue commands that can mount arbitrary host paths. By running a container with the host filesystem mounted (e.g., `docker run -v /:/mnt --privileged -it alpine chroot /mnt`), the tester can directly modify the `/etc/shadow` file or the root password, thereby escalating privileges to root without needing any additional exploit.

Exam trap

The trap here is that candidates may think Docker group membership only allows container management or network manipulation, overlooking the fact that the Docker socket grants full root-equivalent file system access via volume mounts.

How to eliminate wrong answers

Option B is wrong because using network host mode (`--network host`) only gives the container access to the host's network stack, which might help with lateral movement or service discovery but does not provide a mechanism to escalate privileges to root on the host itself. Option C is wrong because pulling a malicious image from the internet could compromise other containers or the host if the image exploits a vulnerability, but it is not a reliable or direct method for privilege escalation; the most effective and immediate technique is to mount the host filesystem and modify authentication files.

696
MCQmedium

A tester identifies a SQL injection vulnerability in a login form. The application responds with different error messages for valid and invalid queries. Which type of SQL injection is most likely present, and what tool could automate exploitation?

A.UNION-based SQLi; sqlmap
B.Time-based blind SQLi; nmap
C.Error-based SQLi; Burp Suite
D.Blind SQLi; sqlmap
AnswerD

Blind SQLi relies on boolean or time-based responses; sqlmap can automate it.

Why this answer

Blind boolean-based SQL injection infers data based on true/false responses; sqlmap automates exploitation.

697
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft and send packets. The script contains the following code snippet: 'send(IP(dst=target)/TCP(dport=port, flags='S'))'. The script then listens for responses and looks for packets with flags 'SA'. Which type of scan is this script performing?

A.TCP Connect scan
B.TCP SYN scan (half-open scan)
C.TCP FIN scan
D.TCP Xmas scan
AnswerB

The script sends SYN packets and checks for SYN-ACK responses, indicating an open port. It does not complete the handshake, making it a half-open scan.

Why this answer

The script sends a TCP SYN packet (flags='S') and listens for a SYN-ACK response (flags='SA'), which is the defining behavior of a TCP SYN scan (also known as a half-open scan). This scan never completes the three-way handshake, making it stealthier than a full TCP Connect scan. The use of Scapy's `send()` function (Layer 3) rather than `sr()` or a socket-level connect confirms it is crafting raw packets, not relying on the OS's TCP stack.

Exam trap

The trap here is that candidates see the use of Scapy and assume any crafted packet scan is a 'half-open' scan, but the specific flag combination (SYN sent, SYN-ACK expected) is what uniquely identifies a TCP SYN scan, not the library used.

How to eliminate wrong answers

Option A is wrong because a TCP Connect scan uses the operating system's `connect()` system call to complete the full three-way handshake, whereas this script manually crafts and sends raw packets with Scapy and never sends the final ACK. Option C is wrong because a TCP FIN scan sends a packet with only the FIN flag set (flags='F'), not a SYN flag, and expects a RST response from closed ports or no response from open ports, not a SYN-ACK.

698
MCQhard

A penetration tester is compiling evidence for a critical-severity SQL injection vulnerability. Which of the following is the most important piece of evidence to include in the report to demonstrate exploitability while remaining responsible?

A.A video of the full exploitation process, including data extraction.
B.A screenshot of the database table with all user credentials.
C.Raw network captures showing SQL injection attempts.
D.A proof-of-concept script that retrieves the current database user (e.g., 'SELECT user()').
AnswerD

This demonstrates exploitability without accessing sensitive data.

Why this answer

Proof-of-concept code should demonstrate the vulnerability without causing harm or exposing sensitive data.

699
MCQhard

After completing a penetration test, the client's technical team requests a document that provides step-by-step reproduction instructions for each vulnerability, including exact payloads, tools used, and screenshots. Which deliverable BEST satisfies this requirement?

A.Executive Summary
B.Technical Findings Report
C.Remediation Guide
D.Vulnerability Scanner Output
AnswerB

This section contains detailed descriptions, CVSS scores, step-by-step reproduction instructions, payloads, and evidence for each vulnerability, making it suitable for the development team.

Why this answer

The Technical Findings Report (Option B) is the correct deliverable because it is specifically designed to provide granular, step-by-step reproduction steps, exact payloads, tool commands, and screenshots for each vulnerability. This level of detail is essential for the client's technical team to validate and remediate the findings, aligning with the PT0-002 objective of producing a comprehensive technical report that supports evidence-based remediation.

Exam trap

The trap here is that candidates often confuse the Technical Findings Report with the Remediation Guide, mistakenly thinking that remediation steps include reproduction details, but the PT0-002 exam emphasizes that the Technical Findings Report is the only deliverable that provides the exact payloads and step-by-step reproduction instructions required for technical validation.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for management, containing no step-by-step reproduction instructions, payloads, or screenshots; it focuses on risk ratings and business impact, not technical replication. Option C is wrong because the Remediation Guide focuses on fixing vulnerabilities (e.g., patching, configuration changes) and does not include reproduction steps, exact payloads, or tool commands; its purpose is to guide remediation, not to validate findings through replication.

700
MCQmedium

A penetration tester is using Nmap to identify the operating system of a target host. Which Nmap option should be used to enable OS detection?

A.-sV
B.-O
C.-sC
D.-A
AnswerB

-O enables OS detection.

Why this answer

The -O option enables OS detection in Nmap.

701
MCQeasy

A penetration tester wants to identify all live hosts and open ports on a network segment. Which Nmap scan type is most efficient for this purpose?

A.Nmap -sP
B.Nmap -sU
C.Nmap -sT
D.Nmap -sS
AnswerD

SYN scan is the default and efficient for port scanning.

Why this answer

The -sS option performs a SYN stealth scan, which is fast and less likely to be logged by services, making it efficient for live host and open port discovery.

702
MCQmedium

A penetration tester is exploiting a SQL injection vulnerability in a login page. The tester wants to extract data from another table without returning data in the original query. Which SQL injection technique should the tester use?

A.Out-of-band SQL injection
B.Error-based SQL injection
C.UNION-based SQL injection
D.Blind time-based SQL injection
AnswerC

UNION-based allows retrieving data from other tables by appending a SELECT.

Why this answer

Union-based SQL injection combines results from multiple SELECT statements into a single output. Blind time-based injection uses conditional delays to infer data bit by bit.

703
MCQmedium

A penetration tester is analyzing a Python script used during a test. The script contains the following code: 'import requests; r = requests.get('http://target', headers={'User-Agent': 'Mozilla/5.0'}); print(r.text)'. What is the primary purpose of setting the User-Agent header in this script?

A.To bypass IP-based rate limiting.
B.To mimic a legitimate browser to evade detection by web application firewalls.
C.To authenticate to the web server.
D.To enable SSL/TLS encryption.
AnswerB

Many WAFs inspect the User-Agent and may block requests that don't look like they come from a standard browser.

Why this answer

Setting the User-Agent header to 'Mozilla/5.0' makes the HTTP request appear to originate from a standard web browser rather than a Python script. This helps evade detection by web application firewalls (WAFs) and other security controls that may block or flag requests with non-browser User-Agent strings, which are common indicators of automated or malicious traffic.

Exam trap

The trap here is that candidates may confuse the User-Agent header with mechanisms that affect rate limiting or authentication, when in fact it is purely a client identification field used for evasion and content negotiation.

How to eliminate wrong answers

Option A is wrong because the User-Agent header does not affect IP-based rate limiting, which is enforced by the server based on the source IP address, not the User-Agent string. Option C is wrong because authentication to a web server typically requires credentials (e.g., via HTTP Basic Auth, tokens, or cookies), not a User-Agent header; the User-Agent is merely a client identification string defined in RFC 7231.

704
MCQmedium

A tester finds that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester wants to access the cloud metadata endpoint to obtain instance credentials. Which IP address is commonly used for the cloud metadata service?

A.127.0.0.1
B.10.0.0.1
C.192.168.1.1
D.169.254.169.254
AnswerD

This is the link-local address for cloud metadata.

Why this answer

The cloud metadata endpoint is typically at 169.254.169.254 for AWS, GCP, and Azure.

705
MCQhard

A tester is performing DNS enumeration on a domain and wants to attempt a zone transfer. Which DNS record type is primarily used for zone transfers?

A.SOA
B.AXFR
C.NS
D.PTR
AnswerB

AXFR is the record type used for full zone transfers.

Why this answer

Zone transfers use the AXFR (Authoritative Transfer) record type to replicate DNS data between servers.

706
MCQeasy

A penetration tester is analyzing a Python script that uses the 'socket' module to create a TCP connection to a target IP and port. The script then sends a payload (e.g., 'GET / HTTP/1.0\r\n\r\n') and waits for a response. Which tool function is this script most likely performing?

A.Port scanning
B.Banner grabbing
C.Vulnerability scanning
D.Password cracking
AnswerB

Sending a payload and reading the response is the typical method for banner grabbing.

Why this answer

The script creates a TCP connection, sends an HTTP GET request, and waits for a response. This is the classic behavior of banner grabbing, where the goal is to retrieve the service banner (e.g., HTTP server version) from the target. The 'socket' module is used to manually craft the connection and payload, which is a low-level technique for service identification, not for scanning multiple ports or assessing vulnerabilities.

Exam trap

The trap here is that candidates may confuse banner grabbing with port scanning because both involve connecting to a port, but banner grabbing focuses on service identification from a single connection, not enumeration of open ports.

How to eliminate wrong answers

Option A is wrong because port scanning involves iterating over multiple ports to discover open ones, whereas this script targets a single IP and port. Option C is wrong because vulnerability scanning requires checking for known weaknesses (e.g., via a database of CVEs) and often uses automated tools like Nessus, not a simple socket connection sending a static HTTP request.

707
Multi-Selecthard

A penetration tester is presenting findings to a mixed audience of technical staff and executives. Which THREE of the following should the tester do to effectively communicate to both groups? (Choose THREE.)

Select 3 answers
A.Include detailed technical evidence for the technical audience.
B.Provide a separate executive summary and a technical summary.
C.Use technical jargon to impress the executives.
D.Focus only on high-level findings for the entire presentation.
E.Use analogies and business impact for the executives.
AnswersA, B, E

Technical staff need evidence to validate findings.

Why this answer

Effective communication to mixed audiences requires adjusting language, providing separate summaries, and using clear visuals.

708
MCQmedium

A penetration tester wants to perform a directory brute-force attack against a web server to discover hidden files and directories. Which tool is best suited for this task?

A.WPScan
B.Nikto
C.Gobuster
D.Nmap
AnswerC

Gobuster is designed for directory, file, and DNS subdomain brute-forcing with support for various modes.

Why this answer

Gobuster is a popular tool for directory and file brute-forcing using wordlists, making it ideal for discovering hidden resources on web servers.

709
MCQmedium

A penetration tester is about to start an engagement. Which document outlines the IP ranges that are in scope, the testing window, and the emergency stop criteria?

A.Non-Disclosure Agreement (NDA)
B.Statement of Work (SOW)
C.Rules of Engagement (RoE)
D.Get-out-of-jail letter
AnswerC

Correct. The RoE includes IP ranges, testing times, and stop conditions.

Why this answer

The rules of engagement (RoE) specify technical and procedural boundaries for the test.

710
Multi-Selectmedium

A penetration tester has compromised a Windows machine and wants to perform lateral movement to another machine on the same network. The tester has obtained NTLM hashes, but not plaintext passwords. Which TWO tools can be used for pass-the-hash attacks?

Select 2 answers
A.SSH
B.WinRM
C.CrackMapExec
D.PsExec
E.pth-winexe
AnswersC, E

CrackMapExec supports pass-the-hash with NTLM hashes.

Why this answer

pth-winexe and CrackMapExec support pass-the-hash by using NTLM hashes directly. PsExec and WinRM require plaintext credentials unless modified.

711
Multi-Selecthard

Which THREE of the following are common elements found in a Burp Suite project file? (Select THREE.)

Select 3 answers
A.Target scope definitions
B.Session handling rules
C.Active scan insertion points
D.Intruder attack definitions
E.Proxy history
AnswersA, D, E

The project file includes the configured scope.

Why this answer

Burp Suite project files store target scope (A), proxy history (C), and intrusion attack definitions (E). Active scan rules (B) are predefined but not stored per project; session handling rules (D) are stored in project options.

712
MCQmedium

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

A.Proceed with the test without informing the MSSP, as the client has requested confidentiality
B.Include a clause in the rules of engagement that holds the tester harmless for any disruptions caused by the MSSP's monitoring
C.Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list
D.Perform the test only after hours to minimize the chance of the MSSP detecting the test activity
AnswerC

Proper coordination ensures the MSSP can whitelist test traffic, avoid false positives, and prevent unnecessary incident response. This aligns with best practices for scoping.

Why this answer

Option C is correct because failing to inform the MSSP could trigger automated incident response actions (e.g., IPS blocking, SIEM alerting, or even network isolation) that disrupt the test and potentially cause false-positive security incidents. Coordinating a maintenance window or exclusion list ensures the MSSP's monitoring tools (like Snort, Suricata, or proprietary NDR) do not interfere with legitimate test traffic, preserving both test integrity and the client's operational security.

Exam trap

The trap here is that candidates assume client confidentiality overrides all other considerations, but the PT0-002 exam emphasizes that penetration testing must not cause unintended operational disruptions or violate third-party agreements, making coordination with the MSSP a mandatory scoping step.

How to eliminate wrong answers

Option A is wrong because proceeding without informing the MSSP violates standard penetration testing best practices and could cause the MSSP's monitoring systems (e.g., IDS/IPS, SIEM correlation rules) to flag the test traffic as malicious, leading to automated blocking, alert fatigue, or unnecessary escalation to the client's security team. Option B is wrong because a hold-harmless clause does not prevent the MSSP from actively blocking or alerting on test traffic; it only shifts liability after disruption occurs, which still compromises the test's accuracy and may violate the MSSP's own terms of service or SLAs.

713
MCQmedium

A penetration tester is conducting a vulnerability scan of a network segment that contains several legacy servers. The tester uses a commercial vulnerability scanner with default settings. The scan completes and reports a critical vulnerability on a server running an outdated version of Apache with known remote code execution. However, the tester suspects this might be a false positive because the server is behind an application-layer firewall that blocks the specific exploit. Which of the following steps should the tester take to confirm the vulnerability?

A.Rerun the scan with increased intensity to ensure the vulnerability is real
B.Ignore the finding because the vulnerability is protected by the firewall
C.Manually test the vulnerability by sending a crafted exploit payload to the server
D.Check the firewall logs to see if the scanner's traffic was blocked
AnswerC

Manual testing directly confirms whether the vulnerability is exploitable.

Why this answer

Option B is correct because manual testing is the definitive way to confirm a vulnerability. The firewall might not block all exploit attempts, or the vulnerability could be exploitable via a different vector. Option A (rerun with increased intensity) may not change the result.

Option C (check firewall logs) provides insight but does not confirm the vulnerability. Option D (ignore) is incorrect because the firewall may not be a permanent protection.

714
MCQhard

A penetration tester is analyzing the output of a Nessus vulnerability scan and notices a critical vulnerability reported against a web server that is actually a false positive due to outdated plugin data. What is the best course of action for the tester?

A.Accept the finding as accurate and include it in the report
B.Remove the finding from the report entirely
C.Manually verify the vulnerability by testing it
D.Ignore the finding because it's a false positive
AnswerC

Manual verification confirms if the vulnerability exists.

Why this answer

Option C is correct because a false positive due to outdated plugin data must be manually verified before any action is taken. The tester should use a tool like `curl` or a browser to send the exact request that Nessus simulated (e.g., an HTTP GET to a specific endpoint) and inspect the response headers or body to confirm whether the vulnerability actually exists. Only after manual validation can the tester decide to include, exclude, or note the finding in the report.

Exam trap

The trap here is that candidates may think a false positive should be removed or ignored outright, but the correct approach is to manually verify the finding to ensure the vulnerability is truly absent before making any reporting decision.

How to eliminate wrong answers

Option A is wrong because blindly accepting a known false positive would introduce inaccurate risk into the report, potentially causing unnecessary remediation efforts. Option B is wrong because removing the finding entirely without documentation violates reporting integrity; the tester should note the false positive and the manual verification steps taken. Option D is wrong because ignoring the finding without verification could miss a real vulnerability if the plugin data was outdated but the vulnerability still exists in a different form.

715
MCQhard

A penetration tester is conducting a wireless security assessment. The target network uses WPA2-PSK. The tester has captured the four-way handshake. Which tool from the Aircrack-ng suite can be used to attempt to recover the pre-shared key by performing a dictionary attack?

A.airtun-ng
B.aircrack-ng
C.airodump-ng
D.aireplay-ng
AnswerB

Correct. It cracks WEP/WPA keys using captured packets.

Why this answer

Aircrack-ng is the tool within the suite that performs dictionary or brute-force attacks on captured WPA/WPA2 handshakes to recover the PSK.

716
MCQmedium

A tester wants to identify the technologies used by a web application before conducting a deeper assessment. Which tool would be most appropriate for passive technology fingerprinting?

A.Nmap
B.Wappalyzer
C.OpenVAS
D.Nikto
AnswerB

Wappalyzer passively identifies technologies from HTTP responses and page content.

Why this answer

Wappalyzer is a browser extension or online tool that identifies web technologies (CMS, frameworks, analytics) by analyzing page content and headers without sending probes.

717
Multi-Selecthard

During a cloud security assessment of AWS, a tester wants to identify misconfigurations using automated tools. Which THREE tools are specifically designed for AWS security auditing?

Select 3 answers
A.Hashcat
B.Pacu
C.Prowler
D.CrackMapExec
E.ScoutSuite
AnswersB, C, E

Correct: AWS exploitation framework.

Why this answer

Pacu is an open-source AWS exploitation framework designed for offensive security testing. It automates the identification of misconfigurations, such as overly permissive IAM policies, exposed S3 buckets, and vulnerable Lambda functions, making it a correct choice for cloud security auditing.

Exam trap

Cisco often tests candidates' ability to distinguish between general-purpose security tools (like Hashcat for cracking) and cloud-specific auditing tools (like Pacu, Prowler, and ScoutSuite), leading to confusion when tools have overlapping names or functions.

718
Multi-Selecthard

A penetration tester is conducting a social engineering engagement targeting the finance department. Which THREE of the following actions are most appropriate to include in the scope of the engagement?

Select 3 answers
A.Exploiting a SQL injection vulnerability in the finance web app
B.Making pretext phone calls (vishing) to obtain sensitive information
C.Attempting to tailgate into the finance office
D.Sending phishing emails to finance employees
E.Performing a vulnerability scan on the finance network
AnswersB, C, D

Correct. Vishing is a social engineering technique.

Why this answer

Social engineering can include phishing, vishing, and USB drops. Physical tailgating may be included but requires careful planning; however, it is often in scope. The question asks for three appropriate actions.

Common social engineering vectors: phishing, vishing, and physical intrusion (tailgating). USB drops are also common. But we need three.

The best three: phishing, vishing, and tailgating. USB drops are also valid but tailgating is more direct. I'll include phishing, vishing, and tailgating.

Explanation: These are typical social engineering techniques.

719
Multi-Selectmedium

A penetration tester is analyzing a network capture with Wireshark. Which TWO of the following are common uses of Wireshark in a pentest?

Select 2 answers
A.Brute-forcing SSH credentials
B.Identifying cleartext protocols (e.g., FTP, HTTP) and extracting credentials
C.Performing active vulnerability scanning of hosts
D.Reassembling data streams to extract files transferred over the network
E.Cracking WPA2 handshakes directly
AnswersB, D

Correct: Wireshark can filter and display cleartext passwords.

Why this answer

Wireshark captures and inspects network traffic at the packet level. It can identify cleartext protocols like FTP (port 21) and HTTP (port 80), which transmit data without encryption, allowing an attacker to extract credentials directly from the payload. This is a passive reconnaissance technique, not an active attack.

Exam trap

Cisco often tests the distinction between passive observation (Wireshark) and active exploitation (e.g., brute-forcing or cracking), leading candidates to mistakenly attribute active attacks to Wireshark's capabilities.

720
MCQhard

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester discovers that the server does not validate the signature algorithm properly. Which attack should the tester attempt to forge a valid token?

A.Brute-force the secret key
B.KID injection
C.Use 'alg:none'
D.Algorithm confusion attack
AnswerC

Setting algorithm to 'none' bypasses signature verification.

Why this answer

If the server accepts 'none' algorithm, the token can be forged without a signature.

721
MCQeasy

A penetration tester is preparing the final report. The client's IT director wants a high-level overview of the test results, including the number of findings and the overall risk rating. Which section of the report should the tester point to?

A.Executive summary
B.Technical findings
C.Methodology
D.Recommendations
AnswerA

The executive summary contains a concise high-level overview for management.

Why this answer

The executive summary is specifically designed to provide a high-level overview for management and non-technical stakeholders, such as the IT director. It summarizes the number of findings, overall risk rating, and key business impacts without delving into technical details, making it the correct section for this request.

Exam trap

The trap here is that candidates often confuse the 'executive summary' with the 'technical findings' section, mistakenly thinking a high-level overview belongs in the detailed technical results, but the exam expects you to recognize that management-focused summaries are always in the executive summary.

How to eliminate wrong answers

Option B is wrong because the technical findings section contains detailed vulnerability descriptions, proof-of-concept code, and remediation steps, which is too granular for a high-level overview. Option C is wrong because the methodology section describes the testing approach, tools, and scope, not the summary of results or risk ratings.

722
MCQeasy

A client wants to conduct a penetration test of their e-commerce website. They are concerned about impacting live transactions. Which clause should be included in the Rules of Engagement to address this?

A.Exclusion of network stress testing and availability testing.
B.Out-of-scope systems list.
C.In-scope IP addresses.
D.Authorization for testing.
AnswerA

This clause directly addresses the concern by prohibiting activities that could overload the web servers or cause downtime, ensuring live transactions remain unaffected.

Why this answer

Option A is correct because the client's primary concern is avoiding disruption to live transactions. A clause excluding network stress testing and availability testing (e.g., DoS attacks, resource exhaustion, or high-volume scanning) directly addresses this by prohibiting any action that could degrade performance or cause downtime. This is a standard Rules of Engagement (RoE) safeguard for production e-commerce environments where transaction integrity and uptime are critical.

Exam trap

The trap here is that candidates often confuse 'out-of-scope systems' with operational restrictions, failing to realize that even in-scope systems can be disrupted by stress testing, so a specific exclusion clause is required.

How to eliminate wrong answers

Option B is wrong because an out-of-scope systems list defines which hosts or networks are off-limits, but it does not specifically prohibit stress or availability testing on in-scope systems; the client's concern is about impacting live transactions on the target e-commerce site, not about accessing unrelated systems. Option C is wrong because listing in-scope IP addresses merely identifies the targets for testing, but it does not include any operational restrictions; without an explicit clause against stress testing, the tester could still perform disruptive actions on those IPs, violating the client's requirement.

723
MCQmedium

A penetration tester has gained a foothold on a Windows server running IIS. The tester wants to perform an SMB relay attack to move laterally within the domain. Which of the following conditions must be met for this attack to succeed?

A.The target server must have SMB signing disabled or not enforced
B.The tester must have local administrator privileges on the IIS server
C.The target server must be running SMBv1
D.The tester must have a valid domain user account to trigger the relay
AnswerA

SMB signing prevents relay attacks because the relayed authentication would lack the required signature, causing the target to reject the connection. Without signing enforced, the relay is possible.

Why this answer

SMB relay attacks work by intercepting an SMB authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, or signing must be disabled, because signing cryptographically binds the authentication to the original session, preventing the relayed credentials from being reused. If SMB signing is enforced, the target server will reject the relayed authentication, as the signature will not match the new session.

Exam trap

The trap here is that candidates often assume SMB relay requires SMBv1 or local admin privileges, but the critical condition is the absence of SMB signing enforcement, which is a common misconfiguration in enterprise environments.

How to eliminate wrong answers

Option B is wrong because local administrator privileges on the IIS server are not required for an SMB relay attack; the attacker only needs to be able to capture or trigger an SMB authentication attempt (e.g., via a rogue SMB server or by tricking a user) and relay it to the target. Option C is wrong because SMB relay attacks do not require SMBv1; they can work over SMBv2 or SMBv3 if signing is not enforced, though SMBv1 is often targeted due to its weaker security defaults.

724
MCQeasy

Which of the following is the most appropriate evidence to include in a penetration testing report for a SQL injection vulnerability?

A.A verbal description of the exploit
B.Screenshots of the successful injection with timestamps
C.A link to a public exploit database
D.Raw source code of the application
AnswerB

Screenshots demonstrate proof of exploitability.

Why this answer

Screenshots with timestamps provide clear visual evidence of the exploitation and help validate the finding.

725
MCQhard

You are conducting a penetration test on a web application that uses a JavaScript challenge-response authentication mechanism. During testing, you notice that the client-side JavaScript code is heavily obfuscated and includes a function that seems to compute a token based on user input and a server-provided nonce. Your goal is to bypass the authentication by generating valid tokens without interacting with the server's intended logic. You have extracted the obfuscated JavaScript and used a beautifier to make it more readable, but the logic is still complex. Which of the following approaches is most likely to succeed in bypassing the authentication?

A.Capture a valid token and replay it with a new nonce
B.Use a JavaScript debugger to dynamically analyze the obfuscated function and replicate its token generation
C.Send random tokens to the server and rely on statistical guessing
D.Use a brute-force script to try all possible token values based on the nonce
AnswerB

Debugging allows you to understand the logic and create a script to generate valid tokens.

Why this answer

Option D is correct because using a JavaScript debugger to step through the obfuscated code allows you to understand the token generation logic and replicate it locally. Option A is wrong because sending random tokens has a negligible chance of success. Option B is wrong because brute-forcing the token algorithm is impractical without understanding the logic.

Option C is wrong because replaying the nonce from a previous session will likely be rejected by the server due to nonce expiration or reuse protection.

726
MCQeasy

Which PowerShell script is commonly used for post-exploitation enumeration of Active Directory, such as querying user accounts and group memberships?

A.Nishang
B.Empire
C.Invoke-Mimikatz
D.PowerView
AnswerD

Correct: AD enumeration tool in PowerShell.

Why this answer

PowerView (option D) is a PowerShell script within the PowerSploit framework specifically designed for post-exploitation enumeration of Active Directory. It provides cmdlets like Get-NetUser, Get-NetGroup, and Get-NetComputer to query user accounts, group memberships, and domain trust relationships via LDAP queries, making it the correct choice for this task.

Exam trap

The trap here is that candidates confuse post-exploitation frameworks (Empire) or credential-dumping tools (Invoke-Mimikatz) with the specific script designed for AD enumeration, or they assume Nishang's broad toolkit includes dedicated AD enumeration, when PowerView is the precise answer for querying user accounts and group memberships.

How to eliminate wrong answers

Option A (Nishang) is wrong because it is a collection of PowerShell scripts for penetration testing and offensive security, but it focuses on broader tasks like reverse shells, keylogging, and data exfiltration, not specifically on Active Directory enumeration. Option B (Empire) is wrong because it is a post-exploitation framework that uses PowerShell agents for command and control, but it is not a single script; it relies on modules like PowerView for AD enumeration, so it is not the script itself. Option C (Invoke-Mimikatz) is wrong because it is a PowerShell wrapper for Mimikatz, which extracts credentials (e.g., plaintext passwords, Kerberos tickets) from memory, not for querying AD user accounts or group memberships.

727
MCQmedium

Refer to the exhibit. A penetration tester obtains this output from a Linux server. The tester notes that port 3389 is typically used for RDP on Windows. Which of the following is the MOST likely explanation?

A.The server has been compromised and is used as a jump box
B.The server is running a honeypot mimicking RDP
C.The server is running a Windows virtual machine using RDP
D.The server is running a service that mimics RDP using xrdp
AnswerD

xrdp is common on Linux.

Why this answer

Option D is correct because Linux can host RDP using xrdp. Option A is possible but less likely without evidence of a VM. Option B is plausible but not most likely.

Option C is uncommon.

728
MCQmedium

A penetration tester is reviewing a Bash script that uses 'nmap' with the '-sC' and '-sV' flags. The script runs the scan and saves the output to a text file. Later, the tester uses 'grep' to extract lines containing 'open'. What is the primary purpose of this script?

A.Identify all open ports and services running on them
B.Perform a vulnerability scan using NSE scripts
C.Detect the operating system of the target
D.Perform a stealthy SYN scan
AnswerA

This is the primary purpose of combining service detection and default scripts.

Why this answer

The '-sC' flag runs default NSE scripts (which perform service enumeration and basic checks), and '-sV' enables version detection. Together, they identify open ports and the services/versions running on them. The subsequent 'grep' for 'open' extracts lines showing open ports, confirming the primary purpose is to enumerate open ports and their associated services.

Exam trap

CompTIA often tests the distinction between default NSE scripts (service enumeration) and vulnerability-specific scripts (e.g., 'vuln'), leading candidates to mistakenly think '-sC' implies vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because '-sC' runs default NSE scripts, not a full vulnerability scan; vulnerability scanning typically requires specific NSE scripts like 'vuln' or '-sV' with '--script vuln'. Option C is wrong because OS detection requires the '-O' flag, which is not used in this script; '-sC' and '-sV' do not perform OS fingerprinting.

729
MCQmedium

After completing a penetration test, the tester must deliver a report. According to standard practices, which of the following is a required component of the deliverables?

A.Executive summary, technical findings, and remediation guidance
B.Remediation guidance and a list of all tested IPs
C.Only technical findings and proof-of-concept code
D.Executive summary and raw data logs
AnswerA

These are standard components of a penetration test report.

Why this answer

A typical penetration test report includes an executive summary, technical findings, and remediation guidance.

730
MCQeasy

A penetration tester runs the following command: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. What type of attack is being performed?

A.Brute-force attack
B.Hybrid attack
C.Rule-based attack
D.Dictionary attack
AnswerD

Correct: -a 0 is dictionary attack.

Why this answer

The command uses mode 1000 (NTLM) and attack mode 0 (dictionary) with rockyou.txt wordlist. This is a dictionary attack.

731
MCQmedium

A penetration tester is writing a report and wants to provide a remediation recommendation for an outdated Apache server. Which of the following is the most specific and actionable recommendation?

A.Reconfigure Apache to be more secure
B.Apply security patches to Apache
C.Upgrade Apache from version 2.4.41 to 2.4.54
D.Update the Apache software to the latest version
AnswerC

Specifies exact versions, making it actionable.

Why this answer

Option C is the most specific and actionable recommendation because it explicitly states the exact version to upgrade from (2.4.41) and to (2.4.54), which eliminates ambiguity. In penetration testing reports, vague terms like 'latest version' or 'patches' can lead to incomplete remediation, whereas a precise version number ensures the system administrator knows exactly what action to take to address the vulnerability.

Exam trap

The trap here is that candidates often choose a vague but technically correct-sounding option like 'Update to the latest version' (Option D) without realizing that the PT0-002 exam requires recommendations to be specific, actionable, and verifiable—exact version numbers are the gold standard for remediation in penetration testing reports.

How to eliminate wrong answers

Option A is wrong because 'Reconfigure Apache to be more secure' is too generic and does not address the outdated software; configuration changes alone cannot fix known vulnerabilities in the codebase. Option B is wrong because 'Apply security patches to Apache' is ambiguous—patches may not be available for version 2.4.41, and the term 'patches' could refer to hotfixes rather than a full version upgrade, which is the standard remediation for outdated software. Option D is wrong because 'Update the Apache software to the latest version' is not specific enough; 'latest version' could change over time, and without a target version number, the recommendation lacks the precision needed for verifiable remediation in a penetration test report.

732
Multi-Selecthard

A penetration tester discovers a critical vulnerability that cannot be fully remediated immediately. The client asks for recommendations. Which THREE of the following should the tester include?

Select 3 answers
A.Implement compensating controls to reduce risk.
B.Prioritize remediation of this vulnerability first.
C.Delete the finding from the report.
D.Offer to retest after remediation is applied.
E.Ignore the vulnerability until the next test.
AnswersA, B, D

Correct. Compensating controls provide interim protection.

Why this answer

When full remediation is not possible, recommend compensating controls, prioritize critical fixes, and offer retesting.

733
MCQmedium

During a penetration test, the tester wants to discover publicly exposed IoT devices related to the target organization. Which OSINT tool is specifically designed for searching devices connected to the internet?

A.Censys
B.Shodan
C.Maltego
D.theHarvester
AnswerB

Shodan specializes in internet-connected device discovery.

Why this answer

Shodan is a search engine that indexes banners from internet-connected devices, including IoT, webcams, routers, and industrial control systems.

734
Multi-Selecthard

A penetration tester is performing active reconnaissance on a web application and needs to discover parameters that the application accepts. Which TWO tools are most commonly used for parameter discovery? (Select TWO.)

Select 2 answers
A.ffuf
B.theHarvester
C.WPScan
D.Nikto
E.Arjun
AnswersA, E

ffuf is a fast web fuzzer that can be used for parameter brute-forcing.

Why this answer

ffuf (Fuzz Faster U Fool) is a high-performance web fuzzer commonly used for parameter discovery by brute-forcing HTTP request parameters (GET/POST) against a target endpoint. Arjun is a dedicated parameter discovery tool that uses a wordlist of common parameter names and analyzes response differences (e.g., status codes, content length) to identify valid parameters. Both tools are specifically designed for active reconnaissance to enumerate hidden or undocumented parameters in web applications.

Exam trap

The trap here is that candidates often confuse general-purpose web scanners (like Nikto) or CMS-specific tools (like WPScan) with dedicated parameter discovery tools, leading them to select options that perform different reconnaissance tasks.

735
MCQmedium

A tester is performing a vulnerability scan against a critical production server. The client requests minimal impact on system performance. Which scan type should the tester use?

A.TCP connect scan
B.Vulnerability scan with low-thread count
C.Aggressive Nmap scan
D.Stealth SYN scan
AnswerB

Low thread count minimizes system impact while still performing the scan.

Why this answer

Option B is correct because a vulnerability scan with a low-thread count reduces the number of concurrent connections and packets sent to the target, minimizing CPU, memory, and network overhead on the production server. This directly addresses the client's requirement for minimal performance impact while still performing a legitimate security assessment. Unlike aggressive or stealth scans, this approach throttles the scan intensity to avoid service disruption.

Exam trap

The trap here is that candidates often assume 'stealth' (SYN scan) is always the safest choice for production systems, but the question specifically asks for minimal performance impact, which is controlled by scan intensity (thread count) rather than scan type alone.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake for every port, generating a high volume of packets and stateful connections that can degrade server performance, especially on a critical production system. Option C is wrong because an aggressive Nmap scan (e.g., using -T4 or -T5 timing templates, service version detection, and OS fingerprinting) sends a high rate of probes and performs multiple concurrent tests, which can overwhelm a production server and cause latency or resource exhaustion. Option D is wrong because a stealth SYN scan, while less intrusive than a connect scan, still sends a large number of raw SYN packets in rapid succession (often with default timing), which can still cause performance degradation on a production server if not rate-limited; it does not inherently minimize impact.

736
Multi-Selectmedium

A penetration tester is reviewing code for insecure deserialization vulnerabilities. Which two languages are commonly associated with this vulnerability? (Choose two.)

Select 2 answers
A.Ruby
B.Python
C.Java
D.PHP
E..NET
AnswersC, E

Java deserialization vulnerabilities are common.

Why this answer

Java and .NET deserialization vulnerabilities are well-known and have been exploited in many frameworks.

737
MCQeasy

A penetration tester wants to identify all publicly accessible Amazon S3 buckets that belong to a specific organization. Which technique is most effective for passive reconnaissance?

A.Use Google dorks to search for bucket names and URLs.
B.Send DNS queries for common bucket name prefixes.
C.Use nmap to scan all AWS IP ranges for open ports.
D.Perform a DNS zone transfer on the target organization's domain.
AnswerA

Google dorking is a passive technique that leverages already indexed data to find S3 buckets without sending any traffic to the target.

Why this answer

Google dorks (e.g., site:s3.amazonaws.com "companyname") allow a penetration tester to passively discover publicly accessible S3 bucket names and URLs indexed by search engines without sending any traffic to the target organization. This technique leverages existing search engine caches, making it purely passive and highly effective for identifying misconfigured buckets that have been crawled.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS queries (which are active) with passive techniques like search engine dorking, or assume that scanning IP ranges is a valid way to discover S3 buckets when in reality S3 buckets are identified by their DNS names, not by port scanning.

How to eliminate wrong answers

Option B is wrong because sending DNS queries for common bucket name prefixes (e.g., companyname-bucket.s3.amazonaws.com) is an active reconnaissance technique that generates DNS traffic and can be logged by the organization's DNS servers or AWS, violating the passive nature required. Option C is wrong because nmap scanning of AWS IP ranges is active reconnaissance that sends packets to AWS infrastructure, potentially triggering alerts, and S3 buckets are accessed via HTTPS on port 443, not by scanning for open ports on arbitrary IPs.

738
MCQeasy

A penetration testing firm is contracted to test a multi-tenant SaaS application. During scoping, the client needs to ensure that testing does not affect other tenants' data. Which scoping control is most important to implement?

A.Isolated testing environment
B.Data anonymization
C.Signed waiver from all tenants
D.Limit test to read-only operations
AnswerA

An isolated environment allows testing without risk to other tenants' data or availability.

Why this answer

An isolated testing environment is the most important scoping control because it ensures that the penetration testing activities, including any potentially disruptive scans or exploits, are contained within a dedicated instance of the SaaS application. This prevents any cross-tenant data leakage or service degradation, as the tester's actions are restricted to a logically or physically separate environment that does not share databases or compute resources with production tenants. Without isolation, even read-only testing could inadvertently access or modify data belonging to other tenants due to shared multi-tenant architecture.

Exam trap

The trap here is that candidates may confuse data anonymization as a sufficient control for multi-tenant isolation, overlooking that anonymization does not prevent cross-tenant data access or service disruption in a shared environment.

How to eliminate wrong answers

Option B (Data anonymization) is wrong because data anonymization is a data protection technique applied to production data to remove personally identifiable information (PII), but it does not prevent the tester's actions from affecting other tenants' data or the application's shared infrastructure; it only reduces the risk of exposing sensitive data if accessed. Option C (Signed waiver from all tenants) is wrong because a signed waiver is a legal document that releases the testing firm from liability, but it does not technically prevent the testing from affecting other tenants' data; it merely shifts responsibility after a breach occurs, which is not a proactive scoping control.

739
MCQmedium

During a web application penetration test, the tester captures a login request in Burp Suite and wants to automate a brute-force attack against the password field. Which Burp Suite tool is specifically designed for this purpose?

A.Intruder
B.Scanner
C.Sequencer
D.Repeater
AnswerA

Intruder is the tool for performing automated, customizable attacks.

Why this answer

Intruder is the correct tool because it is specifically designed for automated customized attacks, including brute-force attacks, against web application parameters. It allows the tester to define a payload position (e.g., the password field in a login request) and iterate through a list of candidate passwords, automatically resending the request with each payload value and analyzing the responses.

Exam trap

The trap here is that candidates often confuse Repeater (which is for manual, single-request testing) with Intruder (which is for automated, multi-request attacks), leading them to choose Repeater because they think it can be used for brute-forcing by manually sending requests one by one.

How to eliminate wrong answers

Option B (Scanner) is wrong because Burp Scanner is an automated vulnerability detection tool that identifies security flaws (e.g., SQL injection, XSS) by passively and actively scanning requests, not for performing brute-force attacks against a specific field. Option C (Sequencer) is wrong because it analyzes the randomness of session tokens or other data to assess cryptographic strength, not for automating password guessing. Option D (Repeater) is wrong because it allows manual resending and modification of a single request for testing, but it lacks the ability to automate multiple requests with varying payloads, which is essential for a brute-force attack.

740
Multi-Selectmedium

During a web application penetration test, you find that the application is vulnerable to CSRF. Which TWO factors could prevent exploitation even if a CSRF vulnerability exists? (Select TWO.)

Select 2 answers
A.Application uses JSON content type
B.SameSite cookie attribute set to Lax
C.Custom request header that is checked by the server
D.Presence of a CSRF token that is validated server-side
E.Application uses HTTPS
AnswersB, C

SameSite Lax prevents cookies from being sent on cross-site POST requests.

Why this answer

SameSite Lax strict prevents cross-site requests; custom headers can be used to validate origin.

741
Multi-Selectmedium

A penetration tester is writing remediation recommendations. Which THREE practices should the tester follow? (Select THREE.)

Select 3 answers
A.Recommend updates with specific version numbers
B.Suggest compensating controls if full remediation is not immediate
C.Recommend only one fix for each vulnerability
D.Avoid mentioning retesting to reduce client concern
E.Prioritize critical and high-severity findings first
AnswersA, B, E

Specific version numbers provide clear guidance.

Why this answer

Good remediation recommendations are specific, prioritized, and offer alternatives if full fixes are impossible.

742
MCQeasy

Which tool is used for security auditing of AWS environments and can enumerate misconfigurations in IAM, S3, and other services?

A.Pacu
B.CrackMapExec
C.Prowler
D.ScoutSuite
AnswerA

Correct: AWS-specific security testing framework.

Why this answer

Pacu is an open-source AWS security testing framework designed for offensive security audits. It includes modules that enumerate and exploit misconfigurations in IAM policies, S3 bucket permissions, and other AWS services, making it the correct tool for this specific purpose.

Exam trap

The trap here is that candidates often confuse Prowler or ScoutSuite with Pacu because all three are AWS security tools, but only Pacu is designed for offensive enumeration and exploitation of misconfigurations, while the others are primarily compliance and reporting tools.

How to eliminate wrong answers

Option B (CrackMapExec) is wrong because it is a post-exploitation tool for assessing Active Directory environments, not AWS cloud services. Option C (Prowler) is wrong because, while it is an AWS security auditing tool, it focuses on CIS benchmark compliance and best-practice checks rather than active exploitation or enumeration of misconfigurations. Option D (ScoutSuite) is wrong because it is a multi-cloud security auditing tool that provides a compliance report but lacks the offensive, exploitation-oriented modules that Pacu offers for enumerating and exploiting misconfigurations.

743
Multi-Selecthard

During a web application penetration test, the tester wants to discover hidden parameters that the application accepts. Which THREE tools are BEST suited for parameter bruteforcing? (Select THREE.)

Select 3 answers
A.WPScan
B.Arjun
C.Nikto
D.ffuf
E.Burp Suite Intruder
AnswersB, D, E

Correct. Arjun specializes in parameter discovery.

Why this answer

Arjun is specifically designed to discover hidden HTTP parameters by performing parameter bruteforcing using a wordlist. It sends requests with various parameter names and analyzes responses to identify which ones are accepted by the web application, making it a dedicated tool for this task.

Exam trap

The trap here is that candidates may confuse general web vulnerability scanners (like Nikto or WPScan) with tools that are purpose-built for parameter bruteforcing, leading them to select tools that lack the specific functionality for discovering hidden parameters.

744
MCQeasy

After a penetration test, the client requests a document that includes the methodology used, a list of all vulnerabilities found along with their CVSS scores, and detailed steps for remediation. Which type of report section is this?

A.Executive summary
B.Technical report
C.Rules of engagement
D.Scope of work
AnswerB

This section contains detailed findings, CVSS scores, and remediation guidance for technical teams.

Why this answer

The client's request for methodology, vulnerability list with CVSS scores, and remediation steps describes the detailed, technical findings of the penetration test. This content is characteristic of the Technical Report section, which provides in-depth analysis and actionable data for technical stakeholders, as opposed to high-level summaries or contractual documents.

Exam trap

The trap here is confusing the Executive Summary's high-level risk ratings with the Technical Report's detailed CVSS scores and remediation steps, leading candidates to incorrectly select the Executive Summary when the question explicitly lists granular technical details.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview for non-technical management, not the detailed methodology, CVSS scores, and step-by-step remediation instructions. Option C is wrong because the Rules of Engagement (RoE) is a pre-engagement document defining scope, boundaries, and legal terms, not a post-test deliverable containing findings and remediation.

745
MCQmedium

A penetration tester is preparing a proposal for a client. The client wants a test that includes a detailed technical report with remediation steps and an executive summary for management. Which standard or framework is most commonly used to structure the testing process from pre-engagement through post-engagement?

A.OWASP Testing Guide
B.OSSTMM
C.PTES
D.NIST SP 800-115
AnswerC

PTES covers the entire penetration testing lifecycle.

Why this answer

The Penetration Testing Execution Standard (PTES) provides a comprehensive framework covering all phases from pre-engagement to post-engagement.

746
MCQeasy

A penetration tester is conducting a network attack and wants to intercept traffic between two hosts on the same local network by spoofing ARP responses. Which tool is specifically designed for this purpose?

A.Bettercap
B.Responder
C.Hashcat
D.John the Ripper
AnswerA

Bettercap supports ARP spoofing and other MITM techniques.

Why this answer

Bettercap is a powerful tool that includes ARP spoofing capabilities for man-in-the-middle attacks on local networks.

747
MCQmedium

A penetration tester is writing a Bash script to enumerate users from the /etc/passwd file on a compromised Linux system. Which command will efficiently print only the usernames?

A.cut -d: -f1 /etc/passwd
B.awk -F: '{print $1}' /etc/passwd
C.grep -o '^[^:]*' /etc/passwd
D.sed 's/:.*//' /etc/passwd
AnswerA

Cut splits lines at ':' and outputs field 1 (the username). This is simple and efficient.

Why this answer

Option A is correct because the `cut` command with `-d:` sets the field delimiter to colon (the separator in /etc/passwd) and `-f1` extracts the first field, which is the username. This is the most efficient and straightforward method for this specific task, as it directly isolates the username column without pattern matching or processing overhead.

Exam trap

The trap here is that candidates often overthink the problem and choose `awk` or `grep` because they are more familiar with them for text processing, overlooking that `cut` is the simplest and most efficient tool for fixed-delimiter column extraction.

How to eliminate wrong answers

Option B is wrong because although `awk -F: '{print $1}'` also correctly extracts the first colon-delimited field, it is less efficient than `cut` for this simple column extraction; `awk` is a full text-processing language that incurs more overhead, making it not the 'most efficient' choice as asked. Option C is wrong because `grep -o '^[^:]*'` uses a regular expression to match from the start of the line up to the first colon, which works but is slower and more complex than necessary; it also requires the `-o` flag to output only the matched portion, and the regex engine adds unnecessary processing for a simple field extraction.

748
MCQhard

A penetration tester gains a foothold on a Linux system with ASLR and NX enabled. The tester identifies a stack buffer overflow in a SUID binary. The binary has no PIE (Position Independent Executable) and is compiled without stack canaries. The tester wants to execute a shell. Which technique should be used?

A.Return-to-libc attack
B.Heap spraying
C.ROP chain
D.Buffer overflow with NOP sled
AnswerC

ROP chains use gadgets from the non-randomized binary (since it lacks PIE) to execute arbitrary code, bypassing both ASLR and NX.

Why this answer

Since the binary has no PIE and lacks stack canaries, the attacker can predict the address of the return address on the stack. However, with ASLR and NX enabled, the stack is non-executable and system library addresses are randomized. A ROP chain allows the tester to bypass both protections by chaining small instruction sequences (gadgets) already present in the binary or loaded libraries to achieve arbitrary code execution, such as calling execve to spawn a shell.

Exam trap

CompTIA often tests the misconception that return-to-libc alone bypasses ASLR, but without a leak, the randomized libc base makes the attack fail; the trap here is that candidates may overlook the need for an information leak or assume that a non-PIE binary eliminates ASLR entirely.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack relies on knowing the address of a libc function like system(), but ASLR randomizes the base address of libc, making the address unpredictable without an information leak. Option B is wrong because heap spraying is used to exploit heap-based vulnerabilities or to bypass ASLR by filling the heap with shellcode, but here the vulnerability is a stack buffer overflow and NX prevents execution of shellcode placed on the stack or heap.

749
MCQmedium

A tester conducts a vulnerability scan and receives a high number of false positives. Which of the following is the BEST way to reduce false positives in subsequent scans?

A.Credentialed scanning
B.Increase scan timeout values
C.Aggressive scanning
D.Use a scan template specifically for the target OS
AnswerD

Using an OS-specific template helps the scanner interpret results more accurately, reducing false positives.

Why this answer

Option D is correct because using a scan template tailored to the target OS improves accuracy. Option A may increase false positives; Option B is aggressive; Option C increases timeouts but does not address false positives.

750
Multi-Selectmedium

Which TWO of the following are effective methods for bypassing AppLocker during a penetration test? (Choose two.)

Select 2 answers
A.Execute code via WMIC
B.Use InstallUtil.exe to run a malicious .exe
C.Run regsvr32.exe to execute a .dll
D.Use PowerShell with Bypass execution policy
E.Launch a script with cscript.exe
AnswersB, C

InstallUtil is a trusted binary that can be used to execute code.

Why this answer

Option A is correct because regsvr32 can be used to execute code via DLL registration. Option D is correct because InstallUtil is a trusted Microsoft executable that can run arbitrary code. Option B is wrong because PowerShell execution policy is separate from AppLocker.

Option C is wrong because WMIC is not typically allowed by AppLocker. Option E is wrong because Cscript is often blocked, but using trusted binaries is the key.

Page 9

Page 10 of 14

Page 11