CompTIA PenTest+ PT0-002 (PT0-002) — Questions 751825

993 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
MCQmedium

During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?

A.The operating system version and patch level
B.A list of currently open TCP ports on the remote system
C.The MAC address of the remote network interface
D.The NetBIOS name table including computer name, logged-in users, and domain
AnswerD

nbtstat -A retrieves the NetBIOS name table, which contains names associated with the system, useful for identifying roles and users.

Why this answer

The `nbtstat -A` command queries the NetBIOS name table of a remote system using its IP address. This table contains the computer name, logged-in users, and domain/workgroup information, which are critical for identifying targets and potential trust relationships during internal reconnaissance.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with `nbtstat -a` (which uses a NetBIOS name instead of an IP) or assume it returns OS details, when in fact it only returns the NetBIOS name table entries.

How to eliminate wrong answers

Option A is wrong because `nbtstat -A` does not reveal OS version or patch level; that information is typically obtained via tools like `nmap` OS fingerprinting or SMB version queries. Option B is wrong because `nbtstat` operates at the NetBIOS layer (port 137-139) and does not enumerate open TCP ports; port scanning requires tools like `nmap` or `netstat`. Option C is wrong because while NetBIOS can sometimes reveal MAC addresses via the <00> or <03> entries in the name table, the primary purpose of `nbtstat -A` is to retrieve the full NetBIOS name table, not specifically the MAC address; ARP or `getmac` would be more direct for MAC address enumeration.

752
MCQhard

During a web application test, a tester discovers a parameter that appears to be vulnerable to SQL injection. They want to extract data from a database using a technique that does not rely on visible output. Which type of SQL injection is most appropriate?

A.UNION-based SQL injection
B.Blind time-based SQL injection
C.Out-of-band SQL injection
D.Error-based SQL injection
AnswerB

Time-based injects SQL delays to infer true/false conditions when no visible output is available.

Why this answer

Blind SQL injection, specifically time-based, is used when no error or data is returned, allowing inference via time delays.

753
MCQeasy

Which of the following is the most important factor when determining the scope of a penetration test?

A.Tester's available tools
B.Business objectives
C.Latest vulnerabilities
D.Number of testing team members
AnswerB

Objectives define the purpose and targets of the test.

Why this answer

The client's business objectives drive the scope to ensure the test addresses what the client needs to protect. Tools, vulnerabilities, and team size are secondary considerations.

754
Drag & Dropmedium

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Vulnerability scanning involves setup, policy creation, execution, report analysis, and remediation verification.

755
Multi-Selectmedium

During a penetration test of a web application, you want to test for Cross-Site Request Forgery (CSRF) vulnerabilities. Which TWO conditions are necessary for a CSRF attack to succeed?

Select 2 answers
A.The application validates the Referer header
B.The application uses SameSite cookies set to Lax or Strict
C.The request performs a state-changing action (e.g., password change)
D.The application relies on cookies for session authentication
E.The application uses anti-CSRF tokens in forms
AnswersC, D

State-changing actions have impact; read-only requests are less relevant.

Why this answer

CSRF requires the application to rely solely on cookies for authentication and lack anti-CSRF tokens, and the requests must trigger state changes.

756
MCQhard

A penetration tester is targeting a web application that uses parameterized queries for all database interactions. Which attack vector is most likely to succeed?

A.Cross-site request forgery
B.SQL injection
C.Cross-site scripting
D.Business logic flaws
AnswerD

Parameterized queries do not protect against logic flaws such as manipulating pricing or access controls.

Why this answer

Parameterized queries prevent SQL injection by separating SQL code from user input, making option B ineffective. Business logic flaws (D) are vulnerabilities in the application's design or workflow that are not mitigated by secure coding practices like parameterized queries, so they remain exploitable. This attack vector targets the intended functionality of the application, such as manipulating pricing or bypassing authentication steps, which parameterized queries do not protect against.

Exam trap

The trap here is that candidates assume parameterized queries eliminate all database-related attacks, overlooking that business logic flaws are independent of query construction and remain a viable attack vector.

How to eliminate wrong answers

Option A is wrong because cross-site request forgery exploits the trust a site has in a user's browser, not database query construction, and parameterized queries have no impact on CSRF defenses. Option B is wrong because parameterized queries are specifically designed to prevent SQL injection by ensuring user input is treated as data, not executable code, so this attack vector will fail. Option C is wrong because cross-site scripting exploits client-side script injection in web pages, not database interactions, and parameterized queries do not affect XSS vulnerabilities.

757
MCQeasy

A client has limited budget for a penetration test covering critical assets. Which scoping decision best balances coverage and cost?

A.Test only the external perimeter
B.Focus on physical security assessments
C.Perform full-scope test of a representative subset
D.Conduct only automated scans
AnswerC

Balances cost and coverage.

Why this answer

Option C is correct because testing a representative subset of critical systems is efficient. Option A is wrong because it only tests perimeter. Option B is wrong because it is too limited.

Option D is wrong because it is not comprehensive.

758
MCQmedium

During a penetration test, a tester discovers a critical vulnerability that could allow remote code execution on an internet-facing server. According to best practices, what is the most appropriate immediate action?

A.Keep the finding confidential until retesting.
B.Notify the client immediately about the critical finding.
C.Exploit the vulnerability to demonstrate impact.
D.Wait until the final report to disclose the finding.
AnswerB

Correct. Critical findings should be reported promptly.

Why this answer

Critical findings should be communicated immediately so the client can take urgent action.

759
MCQmedium

A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: curl -X POST -d "username=admin&password[$ne]=a" http://target/login. Which type of attack is this script most likely attempting?

A.Cross-Site Scripting (XSS)
B.SQL Injection
C.NoSQL Injection
D.Directory Traversal
AnswerC

The $ne operator is a MongoDB query operator. By injecting it into the password field, the attacker attempts to make the query return true for any user, bypassing authentication.

Why this answer

The payload `password[$ne]=a` uses MongoDB's `$ne` (not equal) operator, which is a NoSQL query operator. When the backend parses this as a MongoDB query, it will match any document where the password is not equal to 'a', effectively bypassing authentication. This is a classic NoSQL injection attack, not SQL injection, because the syntax targets NoSQL databases like MongoDB.

Exam trap

The trap here is that candidates see a POST request with parameters and immediately think SQL injection, but the square bracket syntax `[$ne]` is a dead giveaway for NoSQL injection, which is a distinct attack vector targeting document-based databases.

How to eliminate wrong answers

Option A is wrong because Cross-Site Scripting (XSS) involves injecting client-side scripts into web pages, not manipulating database query operators via HTTP parameters. Option B is wrong because SQL injection uses SQL-specific syntax (e.g., `' OR 1=1 --`) to manipulate relational databases, whereas `[$ne]` is a MongoDB operator and does not work against SQL databases.

760
MCQmedium

After completing a penetration test, the tester prepares the final report. According to best practices, which of the following should be included in the executive summary?

A.Detailed list of vulnerabilities and CVSS scores
B.Step-by-step exploitation procedures
C.The tester's personal opinions about the security posture
D.High-level findings, risk ratings, and strategic recommendations
AnswerD

This provides executives with a clear understanding of the overall security posture and necessary actions.

Why this answer

Option D is correct because the executive summary should provide high-level findings, risk ratings, and strategic recommendations. Option A is wrong because detailed vulnerability lists belong in the technical section. Option B is wrong because exploitation procedures are too detailed.

Option C is wrong because personal opinions are unprofessional and subjective.

761
Multi-Selecteasy

A penetration tester is gathering information using passive reconnaissance techniques. Which of the following are considered passive reconnaissance methods? (Choose two.)

Select 2 answers
A.Using nmap to scan for open ports
B.Performing a DNS brute force attack
C.Conducting a vulnerability scan with Nessus
D.Reviewing the target's social media profiles
E.Analyzing job postings for technology stack clues
AnswersD, E

Social media review does not involve direct interaction with target systems.

Why this answer

Options B and D are correct because they involve reviewing publicly available information without directly interacting with the target's systems. Option A (nmap) is active scanning. Option C (DNS brute force) sends queries.

Option E (vulnerability scan) is active.

762
MCQmedium

A client requests a penetration test that includes an API endpoint hosted by a third-party vendor. The client does not have a signed agreement with the vendor for testing. What is the most appropriate action for the tester?

A.Proceed with testing the API endpoint as requested by the client
B.Exclude the API endpoint from scope until the client obtains written permission from the vendor
C.Test the API endpoint using only non-intrusive methods
D.Include a disclaimer in the report that the tester is not liable for any damages
AnswerB

This is the only safe path. Once the vendor provides written consent, the endpoint can be added to the scope legally.

Why this answer

The tester must exclude the API endpoint from scope until the client obtains written permission from the vendor because testing a third-party API without explicit authorization violates legal boundaries and could constitute unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). Even though the client requests the test, the tester has no contractual or legal relationship with the vendor, making any testing activity potentially illegal. This aligns with the PT0-002 objective of ensuring proper scoping and authorization before any testing begins.

Exam trap

The trap here is that candidates assume the client's request overrides legal boundaries, or that non-intrusive testing is a safe middle ground, when in fact any unauthorized interaction with a third-party system is prohibited without explicit written permission.

How to eliminate wrong answers

Option A is wrong because proceeding without vendor permission exposes the tester and client to legal liability for unauthorized access, regardless of the client's request. Option C is wrong because non-intrusive methods still involve sending crafted requests to the API endpoint, which constitutes unauthorized access without a signed agreement; there is no technical distinction that makes non-intrusive testing legally permissible.

763
Multi-Selecteasy

A company is planning a social engineering engagement. Which TWO items should be included in the pre-engagement documentation?

Select 2 answers
A.List of all employee passwords
B.Network topology diagrams
C.Source code of all applications
D.Emergency contact list
E.Rules of engagement
AnswersD, E

Required to stop testing if needed.

Why this answer

Pre-engagement documentation should include the rules of engagement (RoE) and emergency contacts to handle incidents during social engineering.

764
MCQeasy

A penetration tester discovers a critical vulnerability in a client's production environment. What is the BEST immediate course of action before including this finding in the final report?

A.Immediately communicate the finding to the client's point of contact.
B.Wait until the final report is complete to include all findings together.
C.Include the finding only in the technical appendix of the final report.
D.Stop the penetration test and wait for further instructions.
AnswerA

Immediate communication allows the client to take urgent action to mitigate the risk.

Why this answer

Option B is correct because ethical obligations require immediate notification of critical findings to allow the client to take protective measures. Option A is wrong because delaying report generation could leave the client vulnerable. Option C is wrong because simply including it in the final report may be too late.

Option D is wrong because halting the test without communication is not productive.

765
MCQmedium

During a penetration test, a client asks the tester to clarify the scope of the test. Which of the following is the best approach for the tester?

A.Make a decision based on previous tests.
B.Clarify with the client via email or documented communication.
C.Include the scope in the report after testing.
D.Ignore the question and continue testing.
AnswerB

Documented communication maintains a clear record.

Why this answer

Clarifying scope questions helps ensure the test stays within agreed boundaries and avoids misunderstandings.

766
MCQmedium

A penetration tester is reviewing a Python script that attempts to exploit a command injection vulnerability. The script uses the 'subprocess' module with the 'shell=True' argument. Which of the following code changes would be MOST effective to reduce the risk of unintended consequences when executing system commands?

A.Replace subprocess with os.system()
B.Use the 'shlex.quote()' function to sanitize user input before passing to subprocess
C.Avoid using shell=True and pass the command as a list of arguments
D.Use the 'exec()' function to run the command
AnswerC

When shell=True is omitted and the command is a list, subprocess executes the command directly without invoking a shell, eliminating shell injection.

Why this answer

Option C is correct because setting `shell=True` in Python's `subprocess` module causes the command string to be interpreted by the system shell, which introduces command injection risks if any part of the string is user-controlled. By passing the command as a list of arguments (e.g., `['ls', '-l', filename]`) and omitting `shell=True`, the subprocess module directly executes the binary without shell interpretation, eliminating shell metacharacter injection. This is the most effective mitigation as it avoids shell parsing entirely, which is the root cause of the vulnerability.

Exam trap

CompTIA often tests the misconception that input sanitization (like quoting) is sufficient to prevent command injection, when in fact the most secure approach is to avoid shell invocation altogether by using a list of arguments with `shell=False`.

How to eliminate wrong answers

Option A is wrong because replacing `subprocess` with `os.system()` still invokes the system shell to execute the command, inheriting the same command injection risks and providing no improvement; in fact, `os.system()` offers even less control over execution. Option B is wrong because while `shlex.quote()` can help sanitize input for shell use, it is not foolproof—edge cases like null bytes or certain locale-dependent characters can bypass quoting, and relying on quoting still leaves the command exposed to shell parsing, making it less robust than removing shell involvement entirely.

767
MCQmedium

During a web application penetration test, the tester wants to discover hidden directories and files on the target web server. Which tool is best suited for this task, and what technique does it use?

A.Curl - manual HTTP requests
B.Whatweb - web server identification
C.Wappalyzer - technology fingerprinting
D.Gobuster - directory brute forcing
AnswerD

Gobuster performs directory/file enumeration via brute force.

Why this answer

Directory enumeration tools like gobuster, dirbuster, and dirsearch use wordlist-based brute force to discover hidden directories and files. Gobuster is a common choice. Wappalyzer is for technology fingerprinting, whatweb is for web server identification, and curl is for HTTP requests but lacks directory brute force functionality.

768
MCQeasy

During a penetration test, a tester uses Responder to capture NTLM hashes from a Windows network. Which of the following protocols is MOST commonly targeted by Responder for poisoning?

A.LLMNR
B.DNS
C.ICMP
D.HTTP
AnswerA

LLMNR is a common target for poisoning to capture NTLM hashes.

Why this answer

Responder poisons LLMNR, NBT-NS, and mDNS to capture NTLM hashes. The other options are not primary targets.

769
Multi-Selecthard

A penetration tester is performing lateral movement in a Windows domain after compromising a workstation. Which THREE techniques can be used to move to another machine?

Select 3 answers
A.ARP spoofing
B.Evil-WinRM
C.WMIExec
D.SSH with captured credentials
E.PsExec
AnswersB, C, E

Evil-WinRM uses WinRM for remote PowerShell.

Why this answer

PsExec, WMIExec, and Evil-WinRM are common tools for lateral movement in Windows environments.

770
MCQmedium

A client requires a penetration test of their web application that uses Single Sign-On (SSO) with a third-party identity provider. The client is concerned that testing could lock out real user accounts and disrupt operations. Which of the following should be included in the rules of engagement to address this concern?

A.Prohibit all testing of the authentication mechanism
B.Provide test accounts that are excluded from lockout policies
C.Only perform testing during business hours
D.Require the tester to use only passive reconnaissance techniques
AnswerB

Test accounts that are configured to not lock out allow the tester to perform authentication testing without the risk of locking out real users, which meets the client's requirement.

Why this answer

Option B is correct because providing test accounts that are excluded from lockout policies allows the penetration tester to thoroughly assess the SSO authentication mechanism—including the SAML or OIDC flows—without risking the lockout of real user accounts. This directly addresses the client's operational concern while still enabling comprehensive testing of the identity provider integration.

Exam trap

The trap here is that candidates may assume restricting testing to business hours (Option C) is sufficient to mitigate account lockout risks, but they fail to recognize that lockout policies operate independently of time and that real user accounts remain vulnerable to disruption regardless of when testing occurs.

How to eliminate wrong answers

Option A is wrong because prohibiting all testing of the authentication mechanism would leave critical SSO vulnerabilities (e.g., SAML assertion injection, OIDC token replay) unexamined, violating the core objective of a penetration test. Option C is wrong because performing testing only during business hours does not prevent account lockouts; lockout policies apply regardless of time, and real user accounts could still be disabled during testing, causing operational disruption.

771
MCQmedium

A penetration tester is tasked with identifying live hosts on a large subnet without generating excessive traffic. Which of the following techniques is most appropriate for efficient host discovery?

A.ARP scan
B.TCP SYN scan on port 80 and 443
C.DNS zone transfer
D.ICMP echo sweep
AnswerB

These ports are commonly open on servers; SYN scan is lightweight and effective.

Why this answer

A TCP SYN scan on ports 80 and 443 is the most appropriate technique because it targets common web service ports, which are often open on live hosts, and generates minimal traffic compared to a full port scan. Unlike ICMP or ARP scans, a TCP SYN scan can bypass firewalls that block ICMP echo requests and is effective across routed subnets where ARP is limited to the local broadcast domain. This approach balances stealth and efficiency for large-scale host discovery.

Exam trap

The trap here is that candidates often choose ICMP echo sweep (Option D) because they associate 'ping' with host discovery, but fail to consider that ICMP is frequently blocked by firewalls, making TCP SYN scans on common ports a more reliable and stealthier alternative in modern networks.

How to eliminate wrong answers

Option A is wrong because an ARP scan only works within the same local subnet (broadcast domain) and cannot discover hosts across routers, making it unsuitable for a large subnet that may span multiple networks. Option C is wrong because a DNS zone transfer is a technique for enumerating DNS records (e.g., hostnames and IPs) from a misconfigured DNS server, not for actively probing live hosts, and it relies on a vulnerable server rather than direct network scanning. Option D is wrong because an ICMP echo sweep (ping sweep) can be blocked by firewalls or rate-limited, and it generates more traffic than a targeted TCP SYN scan on two ports, making it less efficient and more detectable.

772
Multi-Selectmedium

During a Linux privilege escalation attempt, a tester checks for misconfigurations that could allow running commands as root. Which of the following are potential vectors? (Select THREE.)

Select 3 answers
A.Unquoted service paths
B.Sudo misconfigurations
C.Writable scripts in cron jobs
D.DLL hijacking
E.SUID/SGID binaries
AnswersB, C, E

Sudo entries allowing arbitrary commands.

Why this answer

SUID/SGID binaries, sudo misconfigurations, and writable cron scripts are common escalation vectors.

773
MCQhard

A penetration tester is using OpenVAS to perform an authenticated vulnerability scan of a Linux server. The tester has provided valid SSH credentials. Which of the following is a primary benefit of performing an authenticated scan over an unauthenticated scan?

A.Ability to detect vulnerabilities that require local access
B.Reduced network bandwidth usage
C.Faster scan completion time
D.Elimination of all false positives
AnswerA

Authenticated scans can assess local vulnerabilities and missing patches.

Why this answer

Authenticated scans have deeper access to the system, allowing the scanner to check configuration files, patch levels, and local vulnerabilities that are not visible externally.

774
MCQmedium

A penetration tester is presenting findings to a group of IT administrators. One administrator questions the validity of a finding, claiming it is not exploitable. How should the tester respond?

A.Insist that the finding is valid based on the tester's experience.
B.Escalate the issue to the project manager.
C.Present the proof-of-concept code and screenshots that demonstrate the exploit.
D.Agree to remove the finding from the report.
AnswerC

Correct. Evidence helps validate the finding.

Why this answer

The tester should provide evidence to support the finding rather than being defensive or dismissive.

775
Multi-Selectmedium

During a web application penetration test, the tester wants to discover hidden API endpoints. Which THREE of the following techniques can be used to achieve this? (Select THREE.)

Select 3 answers
A.Analyzing JavaScript files for API calls
B.Using Arjun for parameter discovery
C.Directory bruteforcing with gobuster
D.Performing a zone transfer
E.Running Nmap with service version detection
AnswersA, B, C

JavaScript files often contain API endpoint URLs.

Why this answer

Directory enumeration tools like gobuster or feroxbuster can find API paths; JavaScript analysis can reveal API calls; and parameter discovery tools like Arjun can find endpoints by brute-forcing parameters.

776
Multi-Selecthard

You have gained a foothold on a Linux server and identified a SUID binary that can be exploited to read arbitrary files. Which THREE techniques could be used to escalate privileges or gather sensitive information?

Select 3 answers
A.Leveraging the binary's ability to write to arbitrary files (if present)
B.Using the binary to read /etc/shadow
C.Using PATH manipulation if the binary calls other commands
D.Performing a DLL hijacking attack
E.Exploiting a kernel vulnerability
AnswersA, B, C

If the binary can write files, you could overwrite system files or add a user.

Why this answer

SUID binaries with file read capabilities can be used to read sensitive files, and when combined with other techniques like PATH manipulation or exploiting the binary's functionality, can lead to privilege escalation.

777
MCQmedium

During a penetration test, the tester discovers a critical vulnerability that could allow an attacker to take over the entire Active Directory domain. The tester wants to report this to the client as soon as possible. Which communication channel is most appropriate for this initial notification?

A.Update the final report with the finding
B.Send an email to the technical contact
C.Call the main point of contact immediately
D.Post the finding in the shared collaboration portal
AnswerC

A direct phone call ensures prompt notification and allows for immediate discussion of containment steps.

Why this answer

Option C is correct because a critical vulnerability that could lead to full Active Directory domain compromise requires immediate attention to prevent potential exploitation. The most appropriate communication channel for urgent, high-severity findings during a penetration test is a direct phone call to the main point of contact, as it ensures real-time, synchronous communication and allows for immediate clarification and action. This aligns with the PT0-002 exam's emphasis on escalation procedures for critical findings, where email or collaboration portals may introduce delays.

Exam trap

The trap here is that candidates may choose email (Option B) thinking it provides a written record, but the exam emphasizes that for critical vulnerabilities, immediate verbal notification is required to minimize risk, with written follow-up as a secondary step.

How to eliminate wrong answers

Option A is wrong because updating the final report with the finding is a post-engagement activity and does not provide timely notification; critical vulnerabilities must be communicated immediately, not deferred to a final deliverable. Option B is wrong because sending an email to the technical contact, while faster than a final report, is asynchronous and may not be read promptly, risking exploitation before the client is aware; a phone call is required for urgent findings. Option D is wrong because posting the finding in a shared collaboration portal relies on the client actively monitoring the portal, which introduces unacceptable delay for a critical vulnerability that could lead to domain takeover.

778
Multi-Selecthard

A penetration testing company is planning a social engineering engagement for a client. The engagement includes phishing and physical tailgating. Which THREE of the following should be clearly defined in the Rules of Engagement? (Select THREE.)

Select 3 answers
A.The format of the final report
B.The specific vulnerabilities to be exploited
C.The conditions under which the test must be stopped immediately
D.The types of social engineering attacks allowed (e.g., phishing, vishing, tailgating)
E.The list of employees and contractors who are in scope for social engineering
AnswersC, D, E

Emergency stop criteria are essential.

Why this answer

RoE should address personnel scope, emergency stop conditions, and specific techniques allowed; vulnerabilities and deliverables are part of SOW.

779
MCQeasy

A penetration tester wants to enumerate SMB shares, user lists, and operating system information from a Windows target without authenticating. Which of the following tools is BEST suited for this task?

A.enum4linux
B.smbclient
C.nmblookup
D.nbtscan
AnswerA

enum4linux uses null sessions to extract extensive information from Windows/Samba targets without credentials.

Why this answer

enum4linux is a Perl wrapper around tools like smbclient, nmblookup, and nbtscan, specifically designed to extract SMB shares, user lists, and OS information from Windows targets without authentication by leveraging null sessions and SMB RPC calls (e.g., via MSRPC over SMB). It automates the enumeration of these details using the Server Message Block (SMB) protocol, making it the best choice for unauthenticated reconnaissance.

Exam trap

The trap here is that candidates often confuse nmblookup or nbtscan as tools for SMB enumeration, but they only handle NetBIOS name resolution, not the deeper SMB share or user enumeration that enum4linux automates.

How to eliminate wrong answers

Option B (smbclient) is wrong because it requires authentication to list shares or access files; without credentials, it can only attempt a null session but lacks the automated enumeration of user lists and OS details that enum4linux provides. Option C (nmblookup) is wrong because it only performs NetBIOS name resolution via NBNS queries, not SMB share or user enumeration. Option D (nbtscan) is wrong because it scans for NetBIOS name services (port 137) to retrieve hostnames and MAC addresses, but it does not enumerate SMB shares or user lists.

780
MCQeasy

A penetration tester is preparing a report for a client's CISO who is not technical. The CISO needs to understand the overall risk posture and the business impact of the findings. Which section of the report should be tailored for this audience?

A.Executive summary
B.Technical findings
C.Appendices with raw scan data
D.Remediation details
AnswerA

This section is designed for decision-makers like the CISO, summarizing risks and business impact in non-technical language.

Why this answer

The executive summary is designed for non-technical stakeholders like a CISO to quickly grasp the overall risk posture and business impact without needing to interpret raw data or technical jargon. It synthesizes findings into high-level business risks, such as potential financial loss or regulatory exposure, rather than detailing specific vulnerabilities or exploit chains. This section ensures the audience can make informed decisions about resource allocation and risk acceptance.

Exam trap

The trap here is that candidates confuse 'executive summary' with 'remediation details' or 'technical findings,' assuming the CISO needs operational specifics, when in fact the exam tests the principle that non-technical audiences require a distilled, business-focused overview of risk posture and impact.

How to eliminate wrong answers

Option B is wrong because technical findings contain detailed vulnerability descriptions, exploit steps, and proof-of-concept code that require technical expertise to understand, making it unsuitable for a non-technical CISO. Option C is wrong because appendices with raw scan data (e.g., Nmap XML, Nessus .nessus files) are dense, unprocessed outputs that overwhelm non-technical readers and obscure business impact. Option D is wrong because remediation details focus on specific patches, configuration changes, or code fixes, which are operational instructions for technical teams, not a high-level risk summary for executive decision-making.

781
MCQmedium

A penetration tester is testing a web application and discovers an endpoint that returns XML data. The tester attempts to read /etc/passwd by injecting an external entity. Which type of attack is this?

A.XXE injection
B.Command injection
C.SSRF
D.SQL injection
AnswerA

XXE uses external entities to read files or make requests.

Why this answer

XML External Entity (XXE) injection allows reading files or performing SSRF via XML processing.

782
MCQmedium

While testing a Linux system, the tester finds a binary with the SUID bit set owned by root. The binary executes a command based on user input without verifying the path. Which privilege escalation technique does this exemplify?

A.Kernel exploit
B.Capability abuse
C.Cron job abuse
D.SUID binary exploitation
AnswerD

The SUID bit allows the binary to run as root, and PATH manipulation can lead to privilege escalation.

Why this answer

PATH manipulation exploits insecure binary execution by modifying the PATH variable to execute malicious code.

783
MCQmedium

Refer to the exhibit. During scoping, what risk does this policy pose?

A.Public read access to all objects
B.Insecure SSL configuration
C.Lack of encryption
D.Unauthorized deletion of objects
AnswerA

With Principal set to *, anyone can read objects.

Why this answer

The policy allows any principal (Principal: *) to perform the GetObject action on all objects in the company-data bucket, meaning public read access. Unauthorized deletion is not allowed (only GetObject). SSL configuration and encryption are not addressed in this policy.

784
Multi-Selecthard

During a penetration test, the tester discovers a web application vulnerable to CSRF. The application uses SameSite cookies set to 'Lax'. Which THREE methods might the tester use to exploit the CSRF vulnerability?

Select 3 answers
A.Use XSS to execute a POST request
B.Change the cookie's SameSite attribute via JavaScript
C.Craft a GET request that triggers a state change
D.Use a subdomain to change the cookie's SameSite to 'None'
E.Force the form to submit via POST only
AnswersA, C, D

XSS can bypass CSRF protections entirely.

Why this answer

SameSite Lax still allows top-level GET requests; state-changing GET requests, XSS, and bypassing via subdomain can work. Changing cookie to Strict is not possible by attacker, and requiring POST only is not a bypass.

785
MCQmedium

During a penetration test, a tester wants to discover all live hosts on a subnet without performing a full port scan. Which Nmap command is most appropriate for this purpose?

A.nmap -sS 192.168.1.0/24
B.nmap -sn 192.168.1.0/24
C.nmap -O 192.168.1.0/24
D.nmap -A 192.168.1.0/24
AnswerB

-sn performs a ping sweep to determine which hosts are up without scanning ports.

Why this answer

The -sn flag performs a ping sweep (host discovery) without port scanning, which is the standard method to discover live hosts on a subnet efficiently.

786
MCQeasy

Which section of a penetration testing report should provide a high-level overview of the test results using business language and strategic recommendations?

A.Executive summary
B.Technical findings section
C.Remediation recommendations
D.Appendices
AnswerA

The executive summary uses business language and provides strategic recommendations.

Why this answer

The executive summary is designed for non-technical stakeholders to understand the overall risk and key actions.

787
MCQmedium

A client requests a penetration test that includes testing of both internal network devices and a public-facing web application. The tester is provided with a VPN account for internal access but no credentials for the web application. Which type of penetration test is this?

A.White box
B.Red team
C.Grey box
D.Black box
AnswerC

Partial knowledge (VPN access) but not full.

Why this answer

Grey box testing involves partial knowledge; the tester has internal network access but not web app credentials.

788
MCQhard

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A.Return-oriented programming (ROP) to bypass DEP
B.Heap spraying to inject shellcode
C.ret2libc to call system() with a controlled argument
D.Stack pivoting to redirect execution to a known location
AnswerC

ret2libc leverages existing libc functions (like system) at fixed addresses (since no ASLR) to execute commands, bypassing DEP.

Why this answer

Option C is correct because ret2libc allows the tester to call the system() function from libc with a controlled argument (e.g., "/bin/sh") to spawn a shell, bypassing DEP (which prevents code execution on the stack) without needing to execute shellcode. Since ASLR is disabled, the address of system() and the string "/bin/sh" in libc are predictable, making this technique reliable and effective.

Exam trap

The trap here is that candidates may choose ROP (Option A) thinking it is always required to bypass DEP, but ret2libc is a simpler and more effective technique when ASLR is disabled, as it directly calls a libc function without needing to chain gadgets.

How to eliminate wrong answers

Option A is wrong because Return-oriented programming (ROP) is also a valid technique to bypass DEP, but it is more complex and unnecessary when ASLR is disabled; ret2libc is simpler and more direct for achieving code execution. Option B is wrong because heap spraying is used to bypass ASLR by filling the heap with NOP sleds and shellcode, but ASLR is already disabled, and DEP prevents execution of shellcode on the heap, making this ineffective. Option D is wrong because stack pivoting is a technique to redirect execution to a controlled memory region (e.g., the heap) when the stack is not directly controllable, but here the vulnerability is a stack-based buffer overflow where the stack is directly controllable, and DEP is bypassed via ret2libc, not by pivoting.

789
MCQhard

A tester needs to analyze a compiled .NET application. Which tool is most suitable?

A.Ghidra
B.x64dbg
C.IDA Pro
D.dnSpy
AnswerD

dnSpy decompiles .NET assemblies and allows debugging.

Why this answer

Option A is correct because dnSpy is a .NET debugger and decompiler. Option B is wrong because IDA Pro is for binary analysis, not specifically .NET. Option C is wrong because Ghidra is for general reverse engineering.

Option D is wrong because x64dbg is for debugging x64 applications, not .NET native.

790
MCQmedium

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

A.OSINT (Open-Source Intelligence)
B.DNS enumeration
C.Port scanning
D.Social engineering
AnswerA

OSINT gathers information from public sources like GitHub, which can leak internal details without interacting with the target's systems.

Why this answer

The discovery of a public GitHub repository containing internal project names, server IP addresses, and database credentials is a classic example of OSINT (Open-Source Intelligence). OSINT involves collecting and analyzing publicly available information from sources like code repositories, social media, and websites to gain insights about a target without direct interaction. This technique leverages the fact that sensitive data is often inadvertently exposed in public repositories, making it a passive reconnaissance method.

Exam trap

The trap here is that candidates may confuse OSINT with active reconnaissance techniques like DNS enumeration or port scanning, failing to recognize that passive collection from public sources (like GitHub) is a distinct OSINT method.

How to eliminate wrong answers

Option B (DNS enumeration) is wrong because it specifically involves querying DNS servers to discover hostnames, IP addresses, and DNS records (e.g., A, MX, CNAME) using tools like `dnsrecon` or `nslookup`, not by analyzing code repositories. Option C (Port scanning) is wrong because it actively probes target systems for open TCP/UDP ports and services using tools like `nmap`, which requires network connectivity and is an active reconnaissance technique, not passive information gathering from public sources. Option D (Social engineering) is wrong because it relies on manipulating human behavior through phishing, pretexting, or impersonation to extract information, whereas this scenario involves finding already exposed data in a public repository without any human interaction.

791
MCQeasy

A penetration tester is using Google dorks to find sensitive information about a target organization. Which search operator would help the tester find PDF files containing the word 'confidential' on the target's website?

A.site:target.com ext:pdf confidential
B.site:target.com intitle:confidential pdf
C.inurl:target.com filetype:pdf confidential
D.site:target.com filetype:pdf intext:confidential
AnswerD

site limits the search to the target domain, filetype:pdf returns only PDF files, and intext:confidential finds pages containing the word 'confidential'.

Why this answer

The filetype operator filters results by file extension (e.g., pdf), and the intext operator searches for the specified text within the page content.

792
Multi-Selectmedium

A penetration tester is performing passive reconnaissance on a target organization. Which TWO of the following sources can provide information about the organization's historical web content? (Select TWO.)

Select 2 answers
A.Nmap
B.Shodan
C.Wayback Machine
D.Wireshark
E.Pastebin
AnswersC, E

Wayback Machine archives web pages over time, providing historical content.

Why this answer

The Wayback Machine archives historical snapshots of websites, and Pastebin can contain pasted content from the organization, including historical data.

793
MCQmedium

After gaining initial access to an internal network, a penetration tester wants to identify live hosts on a subnet without generating excessive traffic. Which Nmap command would be most appropriate for host discovery using ICMP echo requests and TCP SYN to port 80?

A.nmap -A 192.168.1.0/24
B.nmap -sS 192.168.1.0/24
C.nmap -O 192.168.1.0/24
D.nmap -sn 192.168.1.0/24
AnswerD

-sn disables port scan and only performs host discovery.

Why this answer

Nmap's -sn flag performs a ping sweep, which by default uses ICMP echo, TCP SYN to port 80, and other probes. The other options are for port scanning or OS detection.

794
MCQeasy

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

A.-T0
B.-T3
C.-T5
D.-T2
AnswerA

T0 (paranoid) is the slowest template, designed to avoid detection by rate-based IDS alerts.

Why this answer

The -T0 (Paranoid) timing template is the most appropriate for minimizing detection by an IDS because it introduces extreme delays between packet transmissions (up to 5 minutes between probes) and uses a very slow scan rate. This makes the scan traffic blend into normal network noise, reducing the likelihood of triggering signature-based or anomaly-based IDS alerts that rely on detecting rapid, sequential connection attempts.

Exam trap

The trap here is that candidates often choose -T2 (Polite) thinking it is slow enough to evade detection, but they fail to recognize that -T0 is the only template specifically designed for IDS evasion with delays measured in minutes, not seconds.

How to eliminate wrong answers

Option B (-T3) is wrong because it is the default Nmap timing template, which balances speed and reliability but sends packets at a rate that is easily detectable by most IDS/IPS systems. Option C (-T5) is wrong because it is the Insane template, which uses the fastest timing (minimum delays, aggressive parallelism) and is almost guaranteed to trigger IDS alerts due to its high packet rate and obvious scan patterns. Option D (-T2) is wrong because it is the Polite template, which slows down scans to avoid overwhelming networks but still sends packets at intervals (typically 0.4 seconds) that are too aggressive for stealthy scanning and can be detected by modern IDS solutions.

795
MCQhard

During a red team engagement, a penetration tester needs to pivot from a compromised internal web server to a database server that is not directly accessible. The web server has two network interfaces: 10.0.1.5 and 192.168.1.5. The database server is at 192.168.1.10. Which technique should the tester use to reach the database?

A.ARP spoofing
B.DNS tunneling
C.Port knocking
D.Pivoting through the web server
AnswerD

The web server can route traffic to the database subnet, allowing the tester to attack the database.

Why this answer

D is correct because the web server has two network interfaces (10.0.1.5 and 192.168.1.5), making it a dual-homed host that can act as a pivot point. The tester can use the compromised web server as a proxy or relay to route traffic from the attacker's machine (reachable via 10.0.1.5) to the database server at 192.168.1.10, which is on a separate subnet not directly accessible. This technique, known as pivoting, typically involves tools like SSH port forwarding, Metasploit's route add, or a SOCKS proxy to forward traffic through the compromised host.

Exam trap

The trap here is that candidates confuse pivoting with other network manipulation techniques like ARP spoofing or port knocking, failing to recognize that the dual-homed web server provides a routing path between subnets, which is the core requirement for pivoting.

How to eliminate wrong answers

Option A is wrong because ARP spoofing operates at Layer 2 within the same broadcast domain to intercept traffic between hosts, but it cannot bridge traffic across different subnets (10.0.1.0/24 and 192.168.1.0/24) or provide access to a host that is not directly reachable from the attacker. Option B is wrong because DNS tunneling encapsulates non-DNS traffic within DNS queries and responses, which is used for exfiltration or command-and-control, not for routing traffic through a dual-homed host to reach an internal database server. Option C is wrong because port knocking is an authentication method that opens a firewall port after a sequence of connection attempts, but it does not enable routing or forwarding of traffic from one subnet to another through a compromised host.

796
MCQhard

A penetration tester has gained low-privilege shell access on a Linux server. The tester runs `sudo -l` and sees the following entry: `(root) NOPASSWD: /usr/bin/python3 /opt/scripts/*.py` The `/opt/scripts/` directory is owned by the tester's current user. Which technique is most effective for escalating privileges to root?

A.Create a symbolic link from a Python script to a system file like /etc/shadow
B.Write a malicious Python script to /opt/scripts/ that spawns a root shell
C.Exploit a kernel vulnerability to overwrite the sudo binary
D.Overwrite an existing Python script in /usr/bin/ with a malicious payload
AnswerB

Since the user owns the directory, they can write a Python script that executes `/bin/bash` or similar, then run it via sudo to gain a root shell.

Why this answer

Option B is correct because the tester's user owns `/opt/scripts/` and can write arbitrary files there. The sudo rule allows executing any `.py` file in that directory as root without a password. By writing a Python script that calls `os.setuid(0); os.system('/bin/bash')` or similar, the tester can spawn a root shell, directly leveraging the misconfigured sudoers entry.

Exam trap

The trap here is that candidates may think symbolic links or overwriting system files are viable, but the key is that the sudo rule specifically executes Python scripts from a writable directory, making a crafted script the simplest and most direct escalation path.

How to eliminate wrong answers

Option A is wrong because creating a symbolic link from a Python script to `/etc/shadow` would not execute as root; `sudo` runs the Python interpreter on the linked file, but `/etc/shadow` is not a valid Python script and would cause an error, not privilege escalation. Option C is wrong because exploiting a kernel vulnerability is unnecessary and less reliable; the sudo misconfiguration provides a direct, low-risk path to root without kernel exploits. Option D is wrong because the sudo rule only applies to `/opt/scripts/*.py`, not to `/usr/bin/`; overwriting a script there would not be executed with root privileges via this sudo entry.

797
MCQmedium

Refer to the exhibit. After running a port scan in Metasploit, what is the next best step to identify vulnerabilities on the open ports?

A.Perform a brute-force attack against SSH and HTTP
B.Immediately exploit the open HTTP service
C.Run a Nessus scan on the host
D.Use the scanner to run service version detection on those ports
AnswerD

Knowing the exact version of services allows matching against known vulnerabilities.

Why this answer

After a port scan in Metasploit, the next best step is to run service version detection (e.g., using the `scanner/portscan/tcp` auxiliary module's `VERSION` option or the `db_nmap -sV` command) to identify the exact software and version running on each open port. This version information is critical for matching against known vulnerabilities in databases like CVE or Exploit-DB, enabling targeted exploitation. Option D is correct because it follows the systematic penetration testing methodology of enumeration before exploitation.

Exam trap

The trap here is that candidates often jump to exploitation (Option B) or brute-forcing (Option A) without performing version detection, missing the critical enumeration step that identifies the exact service version needed to select the correct exploit.

How to eliminate wrong answers

Option A is wrong because performing a brute-force attack against SSH and HTTP without first identifying service versions is premature and inefficient; it wastes time on guessing credentials when the services might have known unpatched vulnerabilities that are easier to exploit. Option B is wrong because immediately exploiting the open HTTP service without version detection risks using an incorrect or incompatible exploit, which could crash the service or alert defenders, and violates the principle of thorough enumeration. Option C is wrong because running a Nessus scan on the host is a valid next step, but the question specifically asks for the next best step after a Metasploit port scan, and Metasploit's built-in service version detection (e.g., `db_nmap -sV` or auxiliary scanner modules) is more direct and integrated into the Metasploit workflow, whereas Nessus is an external tool that requires separate setup and may not be available in all exam scenarios.

798
Multi-Selectmedium

In a red team exercise, the team wants to simulate a realistic adversary. Which TWO of the following are typically included in the scope of a red team engagement compared to a standard penetration test?

Select 2 answers
A.Extensive vulnerability scanning of all in-scope systems
B.Comprehensive compliance verification against standards
C.Physical security testing (e.g., tailgating, lock picking)
D.Detailed reporting of all vulnerabilities found
E.Social engineering attacks against employees
AnswersC, E

Correct. Red team often includes physical attacks.

Why this answer

Red team exercises often include physical and social engineering attacks, and may attempt to remain undetected for longer periods.

799
MCQhard

During a penetration test, the tester discovers evidence of an ongoing ransomware attack on the client's network. Which of the following is the most appropriate action?

A.Continue the test as planned and include the finding in the final report.
B.Notify the client immediately and recommend contacting law enforcement.
C.Disconnect from the network and destroy all evidence.
D.Try to stop the ransomware attack using penetration testing tools.
AnswerB

Correct. Immediate notification is critical for incident response.

Why this answer

Evidence of criminal activity must be reported immediately to the client and may require law enforcement involvement.

800
MCQmedium

A tester is performing a JWT attack and modifies the header to set the algorithm to 'none'. Which vulnerability are they exploiting?

A.Token theft
B.Weak secret brute-force
C.Kid injection
D.Algorithm confusion
AnswerD

alg:none is a type of algorithm confusion where the server accepts unsigned tokens.

Why this answer

Setting alg to 'none' bypasses signature verification, a known JWT vulnerability.

801
MCQmedium

A tester has gained a low-privilege shell on a Windows machine and found that the user has the SeImpersonatePrivilege enabled. Which attack can be used to escalate privileges to SYSTEM?

A.DLL hijacking
B.Kerberoasting
C.Token impersonation using PrintSpoofer
D.AlwaysInstallElevated
AnswerC

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM.

Why this answer

SeImpersonatePrivilege allows impersonating a client after authentication; tools like PrintSpoofer, RoguePotato exploit this to gain SYSTEM.

802
MCQhard

A tester needs to identify all open ports on a target system behind a firewall that is blocking ICMP and dropping unsolicited SYN packets. Which of the following scanning techniques is most likely to succeed?

A.Ping sweep
B.TCP connect scan
C.FIN scan
D.UDP scan
AnswerB

Completes the three-way handshake, appearing as normal traffic.

Why this answer

A TCP connect scan (option B) completes the full three-way handshake, which is more likely to succeed against a firewall that drops unsolicited SYN packets because the firewall may allow outbound connections initiated from inside the network. Since the tester is behind the firewall, the SYN packet is sent as part of a legitimate connection attempt, and if the port is open, the target responds with SYN-ACK, completing the handshake. This technique bypasses the firewall's rule against unsolicited SYN packets because the connection appears to be initiated from the trusted side.

Exam trap

The trap here is that candidates assume a FIN scan (option C) is stealthier and will bypass firewalls, but they overlook that the firewall is dropping unsolicited packets regardless of flag combinations, making the TCP connect scan the only viable option when the tester is behind the firewall.

How to eliminate wrong answers

Option A is wrong because a ping sweep uses ICMP Echo Requests, which are explicitly blocked by the firewall, so it will not identify open ports. Option C is wrong because a FIN scan sends a packet with only the FIN flag set, which is an unsolicited packet that the firewall will drop, and it relies on RFC 793 behavior that many modern systems and firewalls do not follow. Option D is wrong because a UDP scan sends UDP packets to target ports, and the firewall dropping unsolicited SYN packets does not directly affect UDP, but the firewall may also block or rate-limit UDP traffic, and UDP scanning is inherently unreliable due to lack of consistent responses.

803
MCQhard

A penetration tester is targeting a Windows domain controller. After compromising a standard user account, the tester wants to escalate to domain admin. Which attack is most effective if the tester can capture plaintext passwords from memory?

A.Create a golden ticket
B.Create a silver ticket
C.Pass-the-hash attack
D.DCSync attack
AnswerC

With a captured NTLM hash, the tester can authenticate to other services as that user, potentially gaining domain admin if the user has privileges.

Why this answer

Option C is correct because capturing plaintext passwords from memory (e.g., via Mimikatz sekurlsa::logonpasswords) allows the tester to directly use the domain admin's plaintext credentials in a pass-the-hash attack. This attack reuses the NTLM hash (or plaintext) to authenticate to other systems without needing to crack or forge tickets, making it the most direct escalation path from a standard user to domain admin when plaintext passwords are available.

Exam trap

The trap here is that candidates often confuse pass-the-hash with Kerberos-based attacks (golden/silver tickets) or DCSync, but the key differentiator is that plaintext passwords in memory enable direct NTLM authentication, not ticket forgery or replication attacks.

How to eliminate wrong answers

Option A is wrong because a golden ticket requires forging a Kerberos TGT using the KRBTGT account's hash, which is not obtained from plaintext passwords in memory of a standard user; it requires domain admin privileges or a DCSync attack. Option B is wrong because a silver ticket forges a service ticket (TGS) using the service account's NTLM hash, which does not grant domain admin privileges and is limited to a specific service. Option D is wrong because a DCSync attack requires domain admin or equivalent privileges to replicate directory data; it cannot be executed from a standard user account, even with plaintext passwords.

804
MCQeasy

A penetration tester has discovered a vulnerable service running on a Linux server that allows remote code execution. Which of the following is the most appropriate next step to maintain access?

A.Clear all system logs to avoid detection
B.Immediately report the finding to the client
C.Install a backdoor for persistent access
D.Escalate privileges to root
AnswerC

A backdoor ensures the tester can re-enter the system if needed.

Why this answer

Option B is correct because after gaining initial access, installing a backdoor ensures persistent access. Option A is wrong because erasing logs prematurely could alert defenders. Option C is wrong because privilege escalation may not be necessary if current access is sufficient.

Option D is wrong because reporting should occur after the engagement, not during.

805
MCQeasy

During a penetration test, you run the following command on a Linux target: `find / -type f -perm /4000 2>/dev/null`. What are you attempting to identify?

A.World-writable files
B.SUID binaries
C.Files with extended attributes
D.SGID binaries
AnswerB

/4000 matches the SUID bit (4000 in octal).

Why this answer

The find command with -perm /4000 searches for files with SUID bit set, which can be exploited for privilege escalation.

806
MCQeasy

A penetration tester is preparing the final report. The client's CEO wants a high-level overview of the test results, including the overall security posture and business risk, without technical details. Which section of the report should the tester emphasize for the CEO?

A.Technical findings and recommendations
B.Executive summary
C.Methodology
D.Appendices
AnswerB

The executive summary is intended for management and provides a concise, non-technical summary of the test, including overall risk level, key business impacts, and high-level recommendations.

Why this answer

The executive summary is the section of a penetration testing report that provides a high-level overview of the test results, focusing on the overall security posture and business risk without technical details. It is specifically designed for non-technical stakeholders like the CEO, who need to understand the impact on the organization without delving into specific vulnerabilities or exploitation steps.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical findings section, mistakenly believing the CEO needs detailed vulnerability data to understand risk, when in fact the executive summary is the only section tailored for non-technical decision-makers.

How to eliminate wrong answers

Option A is wrong because technical findings and recommendations contain detailed vulnerability descriptions, exploit steps, and remediation commands (e.g., specific CVEs, patch versions, or configuration changes) that are too granular for a CEO's high-level needs. Option C is wrong because the methodology section describes the testing approach, tools used (e.g., Nmap, Metasploit), and scope limitations, which are operational details irrelevant to a business risk overview. Option D is wrong because appendices include raw data such as scan outputs, log excerpts, and evidence files (e.g., PCAPs or screenshots), which are too technical and voluminous for an executive audience.

807
MCQeasy

A penetration tester is preparing a report for a client who has both a technical security team and a non-technical executive team. The tester wants to ensure that each audience receives the appropriate level of detail. Which of the following is the most effective approach?

A.Provide the same comprehensive report to both audiences, assuming the security team will interpret it for executives.
B.Create a single report that includes an executive summary at the beginning and a detailed technical section later.
C.Write two separate reports: one for executives with only business impact and another for technical staff with all details.
D.Present only the executive summary and invite the technical team to ask questions orally.
AnswerB

This structure serves both audiences: executives can read the summary, while the technical team can dive into the details.

Why this answer

Option B is correct because it provides a single report with an executive summary for non-technical stakeholders and a detailed technical section for the security team, satisfying both audiences' needs without duplication or omission. This approach aligns with industry best practices for penetration testing reporting, as outlined in standards like PTES and NIST SP 800-115, ensuring clear communication of risks and technical findings.

Exam trap

The trap here is that candidates may choose Option C, thinking two separate reports are more precise, but the exam emphasizes efficiency and consistency, where a single report with both sections avoids redundancy and ensures all stakeholders share the same foundational information.

How to eliminate wrong answers

Option A is wrong because it assumes the technical team will interpret the report for executives, which risks miscommunication or omission of critical business impacts, and fails to provide a tailored summary for non-technical readers. Option C is wrong because creating two separate reports can lead to inconsistencies, duplication of effort, and potential loss of context between business impact and technical details, which may confuse decision-making. Option D is wrong because it omits a written technical report, leaving the technical team without documented evidence for remediation, and relies on oral communication that can be forgotten or misinterpreted.

808
MCQhard

During a vulnerability scan of a web application, the penetration tester notices that the scanner reports a critical SQL injection vulnerability in the login parameter. However, manual testing confirms that the input is properly sanitized and the vulnerability is a false positive. Which of the following actions should the tester take to ensure accurate vulnerability identification and avoid wasting time on false positives in future scans?

A.Increase the scan intensity to ensure the vulnerability is accurately detected
B.Correlate the scanner output with manual verification and document the discrepancy
C.Modify the scanner's configuration to exclude false positive patterns
D.Ignore the finding and proceed with manual testing only
AnswerB

This ensures accurate reporting and improves future scan tuning.

Why this answer

Option B is correct because the penetration tester should correlate automated scanner output with manual verification to confirm findings, then document the discrepancy for future reference. This ensures accurate vulnerability identification by leveraging human analysis to filter false positives, which is a standard practice in PT0-002 methodology for information gathering and vulnerability scanning.

Exam trap

The trap here is that candidates may think modifying scanner configuration (Option C) is the immediate fix, but PT0-002 emphasizes documenting and correlating findings before making changes to avoid masking real vulnerabilities.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity does not address false positives; it may generate more noise by sending additional payloads without improving detection accuracy, potentially overwhelming the target and wasting resources. Option C is wrong because modifying the scanner's configuration to exclude false positive patterns is premature without first documenting the discrepancy; doing so could inadvertently suppress real vulnerabilities that share similar patterns. Option D is wrong because ignoring the finding and proceeding with manual testing only disregards the value of automated scanning for efficiency and coverage, and fails to improve future scan accuracy through documentation.

809
Multi-Selecthard

A penetration tester discovers evidence of an ongoing criminal activity (e.g., data exfiltration by an insider) during a test. According to best practices and legal considerations, which THREE actions should the tester take?

Select 3 answers
A.Preserve all evidence and document findings for law enforcement
B.Publicly disclose the finding on a vulnerability disclosure platform
C.Immediately stop all testing activities
D.Contact the client's emergency contact per the communication plan
E.Continue testing to gather more evidence
AnswersA, C, D

Correct. Evidence preservation is crucial for investigation.

Why this answer

When discovering criminal activity, the tester should stop testing, notify the client contact, and preserve evidence for investigation.

810
MCQeasy

After completing a penetration test, the client's technical team requests a detailed list of all vulnerabilities found, prioritized by severity, along with step-by-step reproduction steps and remediation guidance. In which section of the standard penetration testing report should this information be provided?

A.Executive Summary
B.Methodology
C.Findings
D.Appendices
AnswerC

Correct. The technical findings section contains detailed descriptions of each vulnerability, including severity, reproduction steps, and remediation.

Why this answer

The Findings section of a standard penetration testing report is the correct location for a detailed, prioritized list of vulnerabilities with step-by-step reproduction steps and remediation guidance. This section provides the technical depth required by the client's technical team, contrasting with the high-level summaries found elsewhere.

Exam trap

The trap here is that candidates confuse the Executive Summary's high-level risk overview with the detailed technical breakdown required by the client's technical team, leading them to choose Option A instead of the Findings section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, not a detailed technical list with reproduction steps. Option B is wrong because the Methodology section describes the tools, techniques, and scope of the test, not the specific vulnerabilities found. Option D is wrong because Appendices contain supplementary material like raw logs or configuration files, not the primary vulnerability details and remediation steps.

811
Multi-Selecthard

During a vulnerability scan of a Linux server, the tester notices that the NMAP scan reports port 22 as filtered. Which of the following could be causing this result? (Select TWO).

Select 2 answers
A.Firewall blocking the port
B.ICMP echo requests being blocked
C.SSH service not running
D.Host is down
E.Network congestion
AnswersA, B

A firewall can return a filtered state if it drops packets without rejection.

Why this answer

Options A and E are correct. A firewall blocking the port and ICMP echo request blocking both contribute to Nmap reporting filtered. Option B would show closed; Option C would show host down; Option D is unlikely.

812
MCQmedium

You are conducting a penetration test for a financial institution. The rules of engagement specify that you are not to access any production customer data. During the test, you discover a SQL injection vulnerability in a public-facing web application that allows you to extract customer personally identifiable information (PII). You successfully demonstrate the injection but do not extract any actual PII. According to ethical guidelines and the rules of engagement, what is the appropriate course of action?

A.Extract a small sample of PII to prove impact, then report the vulnerability.
B.Continue the test but avoid exploiting the SQL injection further to stay within scope.
C.Document the vulnerability and include it in the final report without further action.
D.Immediately stop the test and notify the client with details of the finding.
AnswerD

This is the ethical and professional response to a critical finding with potential data exposure.

Why this answer

Accessing PII would violate the ROE and likely breach confidentiality. The best practice is to halt testing, notify the client immediately, and let them assess the critical risk. Option A violates ROE; C ignores the urgency; D fails to alert the client promptly.

813
MCQhard

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

A.Silver Ticket attack
B.Golden Ticket attack
C.Pass-the-hash attack
D.SMB relay attack
AnswerA

The Silver Ticket attack creates a forged TGS ticket for a specific service using the service account's hash, granting access to that service.

Why this answer

A Silver Ticket attack is the most appropriate because it forges a service ticket (TGS) for a specific service, such as the SQL server, using the NTLM hash of the service account. Since the tester has the NTLM hash but not the plaintext password, they can craft a valid Kerberos service ticket without needing to authenticate to the domain controller, directly granting access to the SQL server.

Exam trap

The trap here is that candidates often confuse Silver Ticket attacks (forging service tickets) with Golden Ticket attacks (forging TGTs), but the key distinction is that a Silver Ticket targets a specific service using the service account's hash, while a Golden Ticket grants domain-wide access using the KRBTGT hash.

How to eliminate wrong answers

Option B (Golden Ticket attack) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, which grants domain-wide access, not a targeted service ticket for a specific SQL server. Option C (Pass-the-hash attack) is wrong because it reuses an NTLM hash to authenticate over NTLM, but the SQL server uses Kerberos authentication, which requires a Kerberos ticket, not an NTLM hash directly. Option D (SMB relay attack) is wrong because it relays captured NTLM authentication to another service, but the goal is to forge a Kerberos service ticket, not relay NTLM challenges.

814
MCQhard

A penetration tester is performing internal reconnaissance on a Windows Active Directory environment. The tester has a low-privileged domain user account. Which of the following techniques is most likely to help identify all domain controllers and their IP addresses without generating excessive network traffic or alerts?

A.Perform a full subnet ping sweep using Nmap
B.Query the DNS service for SRV records of _ldap._tcp.dc._msdcs.domain.local
C.Use NetBIOS name resolution by sending broadcasts
D.Enumerate SMB shares on all IP addresses in the subnet
AnswerB

This DNS query directly retrieves the list of domain controllers. It is a normal DNS operation and unlikely to raise alerts.

Why this answer

Option B is correct because querying DNS for SRV records of _ldap._tcp.dc._msdcs.domain.local is a standard, low-noise method to discover all domain controllers in an Active Directory environment. This query leverages the automatic registration of LDAP service records by domain controllers, requiring only a single DNS lookup rather than sweeping the network, thus avoiding excessive traffic and typical security alerts.

Exam trap

The trap here is that candidates often default to active scanning techniques like Nmap ping sweeps (Option A) because they are familiar, overlooking that DNS SRV record queries are a passive, targeted, and far more efficient method for discovering domain controllers in an Active Directory environment.

How to eliminate wrong answers

Option A is wrong because a full subnet ping sweep using Nmap generates significant network traffic and is easily detected by intrusion detection systems (IDS) or endpoint protection, which is contrary to the requirement of avoiding excessive traffic or alerts. Option C is wrong because NetBIOS name resolution via broadcasts is limited to the local subnet, does not reliably discover all domain controllers across multiple subnets, and broadcasts can be noisy and logged. Option D is wrong because enumerating SMB shares on all IP addresses in the subnet is a high-traffic, noisy technique that probes each host individually, likely triggering alerts, and does not directly identify domain controllers.

815
MCQmedium

A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?

A.Non-Disclosure Agreement (NDA)
B.Statement of Work (SOW)
C.Rules of Engagement (ROE)
D.Penetration Test Plan
AnswerC

The ROE documents scope, exclusions, and rules for the test.

Why this answer

The Rules of Engagement (ROE) document is the correct place to formally exclude the third-party payment gateway from testing. The ROE defines the scope, boundaries, and constraints of the penetration test, including specific systems or services that must not be targeted. This ensures the client's requirement to avoid service disruption to the payment gateway is legally and operationally enforced.

Exam trap

The trap here is that candidates often confuse the Penetration Test Plan (which details how to test) with the Rules of Engagement (which defines what is allowed and forbidden), leading them to incorrectly select the Plan instead of the ROE for scope exclusions.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) is a legal contract for confidentiality, not for defining test scope or exclusions. Option B is wrong because the Statement of Work (SOW) describes the high-level objectives, deliverables, and timeline, but it does not contain the granular operational constraints like system exclusions. Option D is wrong because the Penetration Test Plan details the technical methodology and procedures, but the formal authorization to exclude specific targets belongs in the ROE, which is the authoritative document for rules and boundaries.

816
Multi-Selectmedium

A penetration tester is performing reconnaissance on a target network and wants to identify all live hosts without sending many packets. Which TWO techniques are MOST effective for host discovery in a local subnet? (Select TWO.)

Select 2 answers
A.ARP scan using arp-scan
B.TCP SYN scan on port 80
C.UDP scan on port 161
D.ICMP ping sweep using nmap -sn
E.DNS zone transfer
AnswersA, D

Correct. ARP scanning is effective for local subnet discovery.

Why this answer

ARP scan using arp-scan is effective because it sends ARP requests to every IP in the subnet and listens for ARP replies. Since ARP is a Layer 2 protocol, it does not require IP-level responses and works even if hosts block ICMP or TCP probes. This technique is extremely fast and generates minimal traffic, making it ideal for local subnet host discovery.

Exam trap

The trap here is that candidates often overlook ARP scans because they think only ICMP or TCP techniques are valid for host discovery, but on a local subnet ARP is the most efficient and stealthy method, while ICMP ping sweeps are also correct but can be blocked by host firewalls.

817
MCQeasy

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools is best suited for gathering information from public sources such as search engines, social media, and website scraping?

A.theHarvester
B.Metasploit
C.Nessus
D.Nmap
AnswerA

theHarvester is specifically designed for passive information gathering from public sources.

Why this answer

theHarvester is an OSINT tool designed to gather emails, subdomains, IPs, and URLs from public sources like search engines and social media.

818
MCQeasy

A penetration tester needs to enumerate Active Directory users and groups from a Windows domain. Which PowerShell tool is specifically designed for AD enumeration and is commonly used in post-exploitation?

A.Invoke-Mimikatz
B.Nmap
C.CrackMapExec
D.PowerView
AnswerD

Correct. PowerView is for AD reconnaissance.

Why this answer

PowerView (option D) is a PowerShell tool specifically designed for Active Directory enumeration, providing functions to query users, groups, computers, and permissions via LDAP. It is widely used in post-exploitation because it runs in-memory, avoids writing to disk, and integrates seamlessly with PowerShell's pipeline for stealthy reconnaissance.

Exam trap

The trap here is that candidates confuse post-exploitation credential tools (like Invoke-Mimikatz) with enumeration tools, or assume general-purpose scanners (Nmap) or multi-function frameworks (CrackMapExec) are PowerShell-native AD enumeration tools, when PowerView is the correct specialized PowerShell module for this task.

How to eliminate wrong answers

Option A is wrong because Invoke-Mimikatz is a tool for credential dumping (e.g., extracting plaintext passwords, hashes, and Kerberos tickets), not for enumerating AD users and groups. Option B is wrong because Nmap is a network scanning tool that discovers hosts and services via raw packets, not a PowerShell-based AD enumeration tool. Option C is wrong because CrackMapExec is a post-exploitation tool that automates credential spraying, SMB enumeration, and lateral movement, but it is not a PowerShell tool specifically designed for AD user/group enumeration; PowerView fills that niche.

819
MCQhard

After completing a penetration test, the tester is required to provide deliverables that include an executive summary, technical findings, and remediation guidance. However, the client also requests that all test artifacts, such as captured credentials and sample data, be securely destroyed after the report is delivered. Which standard or framework emphasizes the importance of data handling and destruction of test artifacts?

A.OSSTMM
B.OWASP Testing Guide
C.PTES
D.NIST SP 800-115
AnswerD

Correct. NIST SP 800-115 specifically addresses test data handling and destruction.

Why this answer

NIST SP 800-115 includes guidelines for handling and destroying test data to maintain confidentiality and integrity.

820
MCQmedium

A penetration tester is calculating the severity of a vulnerability using the DREAD model. Which of the following factors is assessed under the 'Damage' category?

A.The likelihood that an attacker can reproduce the exploit.
B.The potential data loss or system damage that could result from exploitation.
C.How easy it is for an attacker to discover the vulnerability.
D.The number of users affected by the vulnerability.
AnswerB

Damage assesses the impact of exploitation.

Why this answer

In the DREAD model, the 'Damage' category specifically assesses the potential harm from a successful exploit, such as data loss, system corruption, or service disruption. Option B correctly captures this by focusing on the impact to confidentiality, integrity, or availability, which is the core of the Damage factor.

Exam trap

The trap here is confusing the 'Damage' category with 'Affected Users' (Option D), as both involve impact, but Damage focuses on the severity of harm to data or systems, while Affected Users counts the number of individuals or systems impacted.

How to eliminate wrong answers

Option A is wrong because the likelihood of reproducing an exploit is assessed under the 'Reproducibility' category, not Damage. Option C is wrong because the ease of discovering a vulnerability falls under the 'Discoverability' category, which evaluates how easily an attacker can find the flaw. Option D is wrong because the number of users affected is considered under the 'Affected Users' category, which measures the scope of impact, not the direct damage to data or systems.

821
Multi-Selecthard

A penetration tester is conducting a vulnerability assessment and wants to minimize false positives. Which THREE actions should the tester take? (Select THREE.)

Select 3 answers
A.Run the same scan multiple times
B.Verify findings manually
C.Cross-reference results with multiple scanners
D.Ignore all high-severity findings initially
E.Use authenticated scanning where possible
AnswersB, C, E

Manual verification helps confirm whether a reported vulnerability is genuine.

Why this answer

Option B is correct because manual verification of findings (e.g., confirming a vulnerability by exploiting it or inspecting the service banner) eliminates false positives that automated scanners often report due to signature mismatches or incomplete checks. For example, a scanner might flag a service as vulnerable based on version string alone, but manual testing can confirm whether the actual exploit conditions exist, such as checking for specific configuration flaws or patch levels.

Exam trap

The trap here is that candidates may think running the same scan multiple times (Option A) improves accuracy, but it actually increases noise without validating findings, whereas manual verification and cross-referencing are the proven methods to minimize false positives.

822
MCQmedium

A penetration tester is performing a password cracking task against a dump of NTLM hashes obtained from a Windows domain controller. Which tool would be the most efficient for this task?

A.Hydra
B.John the Ripper
C.Hashcat
D.CrackMapExec
AnswerC

Hashcat is optimized for fast hash cracking using GPU.

Why this answer

Hashcat is a GPU-accelerated password cracker that can crack NTLM hashes quickly, especially with a good wordlist and rules.

823
MCQmedium

A tester wants to perform a Kerberoasting attack against an Active Directory domain. The tester has a domain account with no special privileges. Which of the following is required to successfully request TGS tickets for offline cracking?

A.The service account's password hash
B.A valid domain user account
C.Administrator privileges on a domain controller
D.Local administrator access on a client machine
AnswerB

Any domain user can request TGS tickets for service accounts.

Why this answer

Kerberoasting requires a valid domain account to request TGS tickets for service accounts. No special privileges are needed beyond being authenticated. AS-REP roasting targets users without pre-authentication, not service accounts.

824
MCQmedium

A client requests that the penetration tester deliver the final report in an encrypted format via email. Which encryption method should the tester use to ensure confidentiality?

A.Rely on TLS encryption for the email transport
B.Upload the report to a web server using HTTPS
C.Compress the report in a password-protected ZIP file
D.Use S/MIME or PGP to encrypt the email message
AnswerD

Provides end-to-end encryption.

Why this answer

Option A is correct because S/MIME or PGP encrypts the email content and attachments end-to-end. Option B (SSL/TLS) protects in transit but not at endpoints. Option C (HTTPS) only applies to web delivery.

Option D (ZIP with password) is weaker as passwords are often transmitted separately.

825
MCQhard

A penetration tester is writing a return-oriented programming (ROP) exploit for a Linux binary to bypass Data Execution Prevention (DEP). The binary has DEP enabled, but the tester identifies a gadget in a dynamically linked library that is not affected by ASLR. Which condition must be true for the ROP chain to succeed?

A.The library must be loaded at a fixed address
B.The stack must be executable
C.The binary must be compiled with stack canaries
D.The exploit must bypass ASLR for the main binary
AnswerA

Correct. If the library does not use ASLR, its base address is predictable, allowing the ROP chain to call gadgets reliably.

Why this answer

Option A is correct because for a ROP chain to succeed when DEP is enabled, the attacker needs to control the execution flow by chaining together gadgets (small instruction sequences ending with a return) that reside in executable memory regions. If a dynamically linked library is not affected by ASLR, it means it is loaded at a fixed, predictable address, allowing the tester to reliably use gadgets from that library without needing to bypass ASLR for that specific module. This fixed address ensures the ROP chain's addresses are valid across runs, which is essential for the exploit to work.

Exam trap

The trap here is that candidates often assume ASLR must be fully bypassed for any exploit to work, but the question specifically isolates a library not affected by ASLR, making the ROP chain viable without bypassing ASLR for the main binary.

How to eliminate wrong answers

Option B is wrong because DEP specifically prevents execution on the stack; if the stack were executable, the attacker could simply inject shellcode directly, making a ROP chain unnecessary. Option C is wrong because stack canaries are a defense against buffer overflow-based stack corruption, not against ROP; ROP chains operate by overwriting return addresses and chaining gadgets, and canaries would only prevent the initial overflow if not bypassed, but they do not affect the success of a ROP chain once the overflow occurs. Option D is wrong because the question states the library is not affected by ASLR, so the ROP chain can use gadgets from that library without needing to bypass ASLR for the main binary; the main binary's ASLR status is irrelevant if the gadgets are in a fixed-address library.

Page 10

Page 11 of 14

Page 12