CompTIA PenTest+ PT0-002 (PT0-002) — Questions 901975

993 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQmedium

A penetration tester is planning a test that involves scanning for vulnerabilities across a large IP range. The client has provided a list of IPs that are in-scope, but the tester notices that some IPs belong to a third-party company hosting a client application. What should the tester do?

A.Assume the client has permission and scan all IPs
B.Exclude the third-party IPs and notify the client
C.Scan the IPs because they are on the client's list
D.Scan only the third-party IPs that respond to ping
AnswerB

The tester should exclude them and ask the client to obtain permission.

Why this answer

The tester must ensure that all in-scope IPs are authorized. If an IP belongs to a third party, the tester needs written permission from that provider before testing.

902
MCQmedium

Based on the exhibit, which additional Nmap command should the tester run to gather the most useful information for a web application test?

A.nmap -A 192.168.1.10
B.nmap -sV 192.168.1.10
C.nmap -O 192.168.1.10
D.nmap -sC 192.168.1.10
AnswerB

Version detection identifies software and versions, essential for web app testing.

Why this answer

The -sV option performs version detection on open ports, revealing software versions on HTTP/HTTPS and the proxy. -O is OS detection, -sC runs default scripts (useful but version first), and -A does both. However, -sV is the most direct for web app testing as it identifies application versions, which is crucial for vulnerability research.

903
MCQeasy

Which of the following tools would a penetration tester most likely use to perform passive reconnaissance on a target domain?

A.Wireshark
B.Nmap
C.Metasploit
D.theHarvester
AnswerD

theHarvester is designed for passive reconnaissance by querying public sources.

Why this answer

theHarvester is a passive reconnaissance tool that gathers information from public sources such as search engines, PGP key servers, and the Shodan API without directly interacting with the target domain. It collects email addresses, subdomains, IPs, and employee names using OSINT (Open Source Intelligence) techniques, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with active scanning tools like Nmap or Wireshark, failing to recognize that passive methods rely on publicly available data without sending any packets to the target.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, which requires active packet sniffing on the network, not passive reconnaissance. Option B is wrong because Nmap is an active scanning tool that sends crafted packets to target hosts to discover open ports and services, generating detectable traffic. Option C is wrong because Metasploit is an exploitation framework used for active penetration testing, including payload delivery and post-exploitation, not passive information gathering.

904
MCQmedium

A client with a hybrid on-premises and cloud infrastructure requests a penetration test. The client uses an IaaS provider for some servers. Which of the following is the MOST important aspect to clarify in the rules of engagement regarding the cloud environment?

A.The list of operating systems used in the cloud
B.The authorization from the cloud provider for testing
C.The public IP addresses of the cloud servers
D.The budget allocated for cloud testing
AnswerB

Correct. Under shared responsibility, the customer must ensure they have permission from the cloud provider to test certain components; the ROE should specify that this authorization has been obtained.

Why this answer

The most critical aspect to clarify in the rules of engagement for a cloud environment is obtaining explicit authorization from the IaaS provider. Without this authorization, the penetration test may violate the provider's acceptable use policy or terms of service, potentially leading to legal action or service termination. This is a foundational scoping requirement because the client does not own the underlying infrastructure; the cloud provider retains control over the network and hypervisor layers.

Exam trap

The trap here is that candidates focus on technical scoping details like IP addresses or OS lists, overlooking the critical legal and contractual prerequisite of obtaining the cloud provider's explicit authorization, which is a unique requirement for cloud environments compared to on-premises testing.

How to eliminate wrong answers

Option A is wrong because the list of operating systems used in the cloud is a technical detail that can be discovered during reconnaissance or provided in the scope, but it is not the most important legal or contractual aspect to clarify in the rules of engagement. Option C is wrong because while public IP addresses are necessary for targeting, they are operational details that can be scoped later; the primary concern is obtaining the cloud provider's written permission to test, as testing without it could be considered unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA).

905
MCQmedium

After compromising a Windows workstation, the tester wants to extract password hashes from the local SAM database. Which Metasploit meterpreter command should be used?

A.getsystem
B.getuid
C.shell
D.hashdump
AnswerD

hashdump extracts password hashes from SAM.

Why this answer

hashdump dumps the SAM database hashes.

906
MCQeasy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without proper escaping or encoding. The input is not sanitized and is included in the page's HTML. Which type of vulnerability is most likely present?

A.SQL injection
B.Cross-Site Scripting (XSS)
C.Stored XSS
D.Cross-Site Request Forgery (CSRF)
AnswerB

Reflecting unsanitized user input in the HTTP response is a primary indicator of a reflected XSS vulnerability, allowing script injection.

Why this answer

The vulnerability is reflected Cross-Site Scripting (XSS) because the web application immediately echoes user-supplied input in the HTTP response without proper escaping or encoding, allowing an attacker to inject arbitrary HTML or JavaScript that executes in the victim's browser. This matches the classic definition of reflected XSS, where the payload is part of the request and reflected back, not stored on the server.

Exam trap

The trap here is that candidates confuse reflected XSS with stored XSS because both involve injecting script into a web page, but the key differentiator is whether the payload is persisted on the server (stored) or immediately reflected in the response (reflected).

How to eliminate wrong answers

Option A is wrong because SQL injection requires user input to be incorporated into a database query without proper sanitization, not simply reflected in the HTTP response; the description lacks any mention of database interaction or query construction. Option C is wrong because stored XSS requires the malicious input to be persisted on the server (e.g., in a database or file) and later served to other users, whereas the scenario describes input being reflected immediately in the response without storage.

907
MCQmedium

A penetration tester is writing the technical report for a client. The client's security team needs detailed, step-by-step instructions on how to reproduce each vulnerability found. In which section of the report should this information be placed?

A.Executive summary
B.Risk rating section
C.Findings and recommendations
D.Appendix
AnswerC

This section provides a detailed breakdown of each finding, including how it was discovered, steps to reproduce, and recommended remediation actions.

Why this answer

The 'Findings and recommendations' section is the correct location for detailed, step-by-step reproduction instructions because it provides the technical depth needed for the client's security team to validate and remediate each vulnerability. This section typically includes exact commands, payloads, and sequences used during testing, aligning with the PT0-002 objective of delivering actionable technical details.

Exam trap

The trap here is that candidates confuse the 'Executive summary' (which summarizes findings for management) with the 'Findings and recommendations' section, mistakenly thinking step-by-step instructions belong in the high-level overview due to a misunderstanding of report audience segmentation.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk posture, not step-by-step technical reproduction steps. Option B is wrong because the risk rating section assigns severity scores (e.g., CVSS v3.1 base scores) and prioritizes findings, but does not contain the granular procedural instructions needed to replicate vulnerabilities.

908
MCQmedium

A client has a highly dynamic cloud environment where resources are frequently spun up and down. What scoping challenge does this present?

A.Compliance issues
B.Lack of logs
C.Insufficient testing time
D.Inconsistent attack surface
AnswerD

Resources changing frequently make it hard to scope and test consistently.

Why this answer

An inconsistent attack surface makes it difficult to define a stable scope of targets. Testing may miss transient resources or encounter resources that change during the engagement. Other options are risks but not specific scoping challenges.

909
MCQhard

During a penetration test, the tester gains a Meterpreter session on a Windows target and wants to escalate privileges to SYSTEM. The current user has the SeImpersonatePrivilege token. Which tool should the tester use to exploit this privilege?

A.PrintSpoofer
B.Windows-Exploit-Suggester
C.whoami /priv
D.Mimikatz
AnswerA

PrintSpoofer uses SeImpersonatePrivilege to gain SYSTEM.

Why this answer

PrintSpoofer exploits the SeImpersonatePrivilege to impersonate SYSTEM tokens.

910
MCQhard

A penetration tester is evaluating a cloud environment (AWS) and finds an S3 bucket with public write access. Which attack is most likely to succeed if the tester wants to plant malicious files that will be served to users?

A.Exhaust the bucket's storage quota
B.Upload a malicious JavaScript file to the bucket
C.Encrypt all objects in the bucket for ransom
D.Modify the bucket policy to grant further permissions
AnswerB

Public write allows uploading files; if the bucket serves web content, users will download the malicious file.

Why this answer

Option B is correct because an S3 bucket with public write access allows anyone to upload objects without authentication. A penetration tester can upload a malicious JavaScript file (e.g., for cross-site scripting or drive-by download) that, when accessed by users via the bucket's public URL, executes in their browsers. This directly exploits the misconfiguration to serve malicious content to end users.

Exam trap

The trap here is that candidates may confuse 'public write access' with 'public read access' and assume the goal is to read data, or they may overthink the attack path and choose a privilege escalation option (D) instead of directly exploiting the write permission to plant malicious content.

How to eliminate wrong answers

Option A is wrong because exhausting the bucket's storage quota is a denial-of-service tactic, not a method to plant malicious files served to users; it disrupts availability but does not achieve the goal of serving malicious content. Option C is wrong because encrypting all objects for ransom (e.g., ransomware) requires write access but does not plant files that are served to users; it denies access to existing data and is a different attack vector (data extortion). Option D is wrong because modifying the bucket policy to grant further permissions is a privilege escalation step that could enable other attacks, but it does not directly plant malicious files to be served to users; the tester already has public write access, so changing the policy is unnecessary for the stated goal.

911
MCQmedium

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP requests with a custom header that mimics a mobile device. The script also uses 'beautifulsoup4' to parse the response and extract specific data. Which task is this script most likely performing?

A.Web scraping to gather publicly available information.
B.Fuzzing for SQL injection.
C.Performing a brute-force attack on a login form.
D.Testing for directory traversal vulnerabilities.
AnswerA

The combination of requests and BeautifulSoup indicates scraping. The mobile User-Agent helps evade simple bot detection, making it ideal for collecting data from web pages.

Why this answer

The script uses the 'requests' library to send HTTP requests with a custom header mimicking a mobile device, and 'beautifulsoup4' to parse the HTML response and extract data. This combination is specifically designed for web scraping, where the custom header helps avoid bot detection by making the request appear to come from a mobile browser, and BeautifulSoup extracts targeted information from the page structure.

Exam trap

The trap here is that candidates may confuse the use of a custom header with security testing (e.g., fuzzing or brute-forcing), but the presence of BeautifulSoup for HTML parsing clearly indicates data extraction, not injection or authentication bypass.

How to eliminate wrong answers

Option B is wrong because fuzzing for SQL injection typically involves sending malformed input (e.g., special characters, SQL keywords) in parameters or form fields, not setting a custom User-Agent header or parsing HTML with BeautifulSoup; tools like Burp Suite Intruder or custom loops with 'requests' are used, but the focus is on injecting payloads, not extracting data from responses. Option C is wrong because a brute-force attack on a login form requires iterating through username/password combinations and analyzing response status codes or error messages, not simply setting a mobile User-Agent and parsing HTML for data extraction; BeautifulSoup is unnecessary for brute-force logic, which typically checks for login success indicators like redirects or specific text.

912
MCQhard

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?

A.Return-to-libc attack
B.Return-Oriented Programming (ROP) chain
C.Heap spraying
D.SEH overwrite exploit
AnswerB

ROP chains bypass both ASLR (if gadgets are at fixed addresses) and NX by reusing existing code snippets.

Why this answer

Option B is correct because Return-Oriented Programming (ROP) is specifically designed to bypass both ASLR and NX when a fixed-address ROP gadget is available. Since the library is loaded at a constant address across reboots, the tester can chain gadgets from that library to execute arbitrary code without needing to inject executable shellcode.

Exam trap

The trap here is that candidates may confuse return-to-libc with ROP, but return-to-libc is limited to calling a single function and cannot chain multiple gadgets, which is necessary for complex code execution when NX is enabled.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically relies on calling a single function (e.g., system()) and does not provide the flexibility to chain multiple operations; it is less effective when ASLR randomizes the base address of libc, but here the library is at a fixed address, making ROP more appropriate for complex code execution. Option C is wrong because heap spraying is a technique used to increase the predictability of heap layout for exploiting use-after-free or heap overflow vulnerabilities, not for bypassing NX or achieving code execution via a buffer overflow with ROP gadgets.

913
MCQmedium

During a penetration test, the tester exploits a local file inclusion (LFI) vulnerability to read /etc/passwd. The tester then wants to achieve remote code execution. Which technique is most likely to succeed if the web application is running as the www-data user?

A.Uploading a web shell via file upload
B.Using PHP wrapper php://input to execute commands
C.Reading /proc/self/environ triggers code execution
D.Using SSH to create a reverse shell
AnswerB

The php://input wrapper reads raw POST data, and if allow_url_include is enabled, it can be used to execute PHP code injected in the request body.

Why this answer

Option B is correct because the PHP wrapper php://input allows reading raw POST data, and when used with an LFI vulnerability, an attacker can inject PHP code into the POST body that gets executed by the include() function. Since the web application runs as www-data, this technique bypasses file upload restrictions and directly achieves remote code execution without needing write permissions.

Exam trap

The trap here is that candidates confuse passive file reads (like /proc/self/environ) with active code execution techniques, or assume file upload is always available when the primary vulnerability is LFI.

How to eliminate wrong answers

Option A is wrong because uploading a web shell via file upload requires a separate file upload vulnerability, which is not guaranteed; even if present, the uploaded file must be accessible and executable, and the www-data user may lack write permissions to the web root. Option C is wrong because reading /proc/self/environ only reveals environment variables and does not trigger code execution; it is a passive information disclosure, not an active exploitation technique.

914
MCQeasy

A client wants a social engineering test focusing on phishing. What should be included in the scope to ensure ethical handling?

A.The rules of engagement for notifying employees after the test
B.The attacker infrastructure details
C.The list of approved sender domains to use
D.The expected number of employees who should fall for the email
AnswerA

Ensures ethical closure.

Why this answer

Option B is correct because the rules of engagement should include how to notify employees after the test. Option A is wrong because attacker infrastructure details are operational, not scope. Option C is wrong because expected failure rates are not typically defined.

Option D is wrong although important, notification rules are more critical.

915
MCQeasy

A penetration tester wants to use Google dorking to find publicly accessible documents containing sensitive information on a target domain 'example.com'. Which Google dork would be MOST appropriate to locate PDF files with the word 'confidential'?

A.site:example.com intitle:confidential pdf
B.filetype:pdf site:example.com password
C.site:example.com filetype:pdf confidential
D.site:example.com inurl:pdf confidential
AnswerC

Correct. This dork specifically targets PDFs on the domain containing 'confidential'.

Why this answer

Option C is correct because the Google dork 'site:example.com filetype:pdf confidential' combines the site restriction to the target domain, the filetype filter for PDFs, and the keyword 'confidential' to search for PDF documents containing that word. This directly matches the requirement to locate publicly accessible PDF files with the word 'confidential' on example.com.

Exam trap

The trap here is that candidates often confuse 'filetype:pdf' with 'inurl:pdf' or 'intitle:pdf', not realizing that 'filetype' specifically filters by file extension, while 'inurl' and 'intitle' search for text in the URL or title, which may not correspond to actual PDF files.

How to eliminate wrong answers

Option A is wrong because 'intitle:confidential pdf' searches for the word 'confidential' in the page title and the literal word 'pdf' anywhere in the page, not for PDF files containing 'confidential'. Option B is wrong because it searches for PDF files containing the word 'password', not 'confidential'. Option D is wrong because 'inurl:pdf confidential' looks for the string 'pdf' in the URL and the word 'confidential' anywhere on the page, which does not guarantee the file is a PDF and may miss PDFs with 'confidential' in the content.

916
Multi-Selectmedium

A penetration tester is conducting a vulnerability scan of a Linux server using OpenVAS. Which TWO scan configurations would provide the MOST comprehensive results? (Select TWO.)

Select 2 answers
A.Scan using the 'Full and fast' configuration
B.Scan using only the 'Discovery' category
C.Authenticated scan with SSH credentials
D.Scan using the 'Denial of Service' configuration
E.Unauthenticated scan with default settings
AnswersA, C

Correct. Full and fast includes all plugins and is comprehensive.

Why this answer

Authenticated scans with credentials allow the scanner to log in and check for missing patches, misconfigurations, and vulnerabilities that are not visible externally. Full and fast scan configurations are typical for comprehensive coverage.

917
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft custom network packets. The relevant code is: ```python from scapy.all import * packet = IP(dst="192.168.1.1")/TCP(dport=80, flags="S") response = sr1(packet, timeout=2) if response.haslayer(TCP): print(response.getlayer(TCP).flags) ``` What is the primary goal of this script?

A.To perform a TCP connect scan by completing the three-way handshake
B.To perform a SYN scan and determine if port 80 is open
C.To send an HTTP GET request and capture the web page
D.To perform a UDP scan on port 80
AnswerB

The script sends a SYN packet to port 80 and analyzes the response flags; a SYN-ACK indicates the port is open.

Why this answer

The script uses Scapy to craft a TCP SYN packet (flags='S') to port 80 and sends it with sr1(), which waits for a single response. If a TCP layer is present in the reply, it prints the flags. This is the classic behavior of a SYN scan (half-open scan): it sends a SYN and analyzes the response to determine if the port is open (SYN-ACK) or closed (RST), without completing the handshake.

Option B correctly identifies this as a SYN scan to check if port 80 is open.

Exam trap

The trap here is that candidates may confuse a SYN scan with a full connect scan (Option A) because both involve sending a SYN, but the key difference is that a SYN scan never sends the final ACK, making it stealthier and not a full handshake.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK), whereas this script only sends a SYN and does not send the final ACK, making it a half-open SYN scan. Option C is wrong because the script sends a raw TCP SYN packet, not an HTTP GET request; it does not include any HTTP payload or application-layer data, so it cannot retrieve a web page.

918
Multi-Selectmedium

Which THREE factors are critical to include in the rules of engagement for a penetration test?

Select 3 answers
A.Emergency contact information
B.Target IP ranges
C.Testing schedule
D.List of tools to be used
E.Post-exploitation procedures
AnswersA, B, C

Essential for stopping the test if issues arise.

Why this answer

Rules of engagement typically include target IP ranges (scope), testing schedule (time windows), and emergency contact information. Tools list and post-exploitation procedures are often documented in the test plan but are not always part of the RoE.

919
MCQhard

A penetration tester is conducting vulnerability scanning on a web application that uses a Web Application Firewall (WAF). The scanner triggers a WAF block after several requests. Which of the following techniques would be MOST effective to continue scanning while evading the WAF?

A.Increase scan speed
B.Randomize request parameters and headers
C.Use HTTP/2 multiplexing
D.Perform a full TCP connect scan
AnswerB

Randomization breaks signature-based detection by varying requests.

Why this answer

Option C is correct because randomizing request parameters and headers makes it harder for the WAF to detect pattern-based scanning. Option A increases detection likelihood; Option B may not evade pattern detection; Option D is for port scanning, not web.

920
MCQeasy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without sanitization. Which attack is most likely to be successful?

A.Server-side request forgery
B.SQL injection
C.Reflected cross-site scripting
D.Cross-site request forgery
AnswerC

Reflected XSS occurs when user input is echoed back unsanitized.

Why this answer

Reflected cross-site scripting (XSS) is the correct answer because the vulnerability described—user input reflected in the HTTP response without sanitization—directly enables an attacker to inject malicious scripts (e.g., JavaScript) that execute in the victim's browser. This occurs when the application fails to validate or encode the input before including it in the response, allowing the attacker to craft a URL with a script payload that, when visited, runs in the context of the vulnerable web application's origin.

Exam trap

The trap here is that candidates often confuse reflected XSS with stored XSS or CSRF, but the key differentiator is that the input is immediately reflected in the response without sanitization, not stored on the server or requiring a forged request.

How to eliminate wrong answers

Option A is wrong because server-side request forgery (SSRF) exploits server-side functionality to make requests to internal or external resources, not the reflection of user input in HTTP responses. Option B is wrong because SQL injection targets database queries by injecting SQL commands into input fields, not by reflecting input in HTTP responses without sanitization. Option D is wrong because cross-site request forgery (CSRF) tricks a user into performing unintended actions on a web application where they are authenticated, relying on forged requests rather than reflected input in the response.

921
MCQhard

During a web application test, the tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester modifies the JWT header to set the algorithm to 'none' and removes the signature. The server accepts the token. What type of attack is this?

A.JWT algorithm confusion (alg:none)
B.JWT injection
C.JWT session stealing
D.JWT secret brute-force
AnswerA

This is a JWT algorithm confusion attack where the 'none' algorithm bypasses signature verification.

Why this answer

Setting the JWT algorithm to 'none' exploits a misconfiguration where the server does not enforce signature verification, leading to JWT algorithm confusion.

922
MCQmedium

A penetration tester is analyzing a PowerShell script that uses Invoke-WebRequest and Invoke-RestMethod to interact with a target web service. The script parses JSON responses to extract session tokens and then uses those tokens in subsequent requests. Which attack technique is this script most likely performing?

A.Brute-forcing web application login credentials.
B.Exploiting an API by manipulating request parameters and observing responses.
C.Performing a SQL injection attack on a web form.
D.Conducting a directory traversal attack to read arbitrary files.
AnswerB

The script dynamically extracts session tokens and reuses them, which is common when testing APIs for parameter manipulation, privilege escalation, or injection flaws. It allows the tester to bypass authentication and test authenticated endpoints.

Why this answer

The script uses Invoke-WebRequest and Invoke-RestMethod to interact with a web service, parsing JSON responses to extract session tokens and reusing them in subsequent requests. This pattern is characteristic of API manipulation, where an attacker modifies request parameters (e.g., headers, query strings, or payload) and observes how the API responds to infer vulnerabilities or escalate privileges, rather than directly attacking authentication or injecting SQL.

Exam trap

The trap here is that candidates confuse the use of Invoke-WebRequest and Invoke-RestMethod with brute-force attacks, but the script's focus on token extraction and reuse points to API parameter manipulation, not credential guessing.

How to eliminate wrong answers

Option A is wrong because brute-forcing login credentials would involve repeatedly submitting different username/password pairs, not parsing JSON session tokens from responses and using them in subsequent requests; the script's focus on token extraction indicates session management exploitation, not credential guessing. Option C is wrong because SQL injection requires injecting SQL syntax into input fields to manipulate database queries, whereas the script uses Invoke-WebRequest and Invoke-RestMethod to handle structured JSON data and tokens, with no mention of SQL payloads or database error responses.

923
Multi-Selectmedium

A penetration tester is performing a Kerberoasting attack. Which TWO steps are required for a successful Kerberoasting attack?

Select 2 answers
A.Enumerate domain admins
B.Request TGS tickets for service accounts
C.Perform a relay attack
D.Crack the TGS tickets offline using Hashcat
E.Capture NTLMv2 hashes using Responder
AnswersB, D

TGS tickets are encrypted with the service account's NTLM hash.

Why this answer

Kerberoasting involves requesting TGS tickets for service accounts and then cracking the tickets offline.

924
Multi-Selecthard

A penetration tester is handling a client's pushback on a finding. Which THREE approaches are appropriate? (Select THREE.)

Select 3 answers
A.Re-evaluate the finding and adjust if new information is available
B.Provide additional evidence to support the finding
C.Immediately lower the severity to satisfy the client
D.Listen to the client's concerns and discuss them
E.Refuse to change the report under any circumstances
AnswersA, B, D

The tester should be open to adjusting based on new facts.

Why this answer

When handling pushback, the tester should listen, provide evidence, and possibly adjust the report if valid points are made.

925
MCQhard

A penetration tester is evaluating vulnerabilities using the DREAD model. For a specific vulnerability, the tester assigns the following scores: Damage=8, Reproducibility=7, Exploitability=9, Affected users=6, Discoverability=5. Which of the following is the overall DREAD risk rating?

A.9
B.8
C.7
D.6
AnswerC

The average is 7.

Why this answer

DREAD scores are averaged across the five categories. Compute (8+7+9+6+5)/5 = 35/5 = 7.

926
MCQmedium

You are testing a web application and notice that it uses JSON Web Tokens (JWT) for authentication. You change the algorithm to 'none' and remove the signature, and the token is accepted. Which JWT vulnerability did you exploit?

A.KID injection
B.Algorithm none attack
C.Weak secret brute-force
D.Token replay
AnswerB

Setting alg to 'none' bypasses signature verification.

Why this answer

Alg:none attack exploits weak validation that accepts unsigned tokens.

927
MCQmedium

A tester is performing a privilege escalation on a Windows system and finds that the user has SeImpersonatePrivilege enabled. Which tool could be used to escalate to SYSTEM?

A.PsExec
B.PrintSpoofer
C.evil-winrm
D.pth-winexe
AnswerB

Correct: PrintSpoofer exploits SeImpersonatePrivilege to get SYSTEM.

Why this answer

SeImpersonatePrivilege can be exploited using tools like PrintSpoofer or Potato attacks to impersonate SYSTEM tokens.

928
MCQhard

You have obtained a NTLM hash of a domain admin account and want to authenticate to a remote server without cracking the password. Which technique enables you to authenticate using the hash?

A.Pass-the-Hash
B.AS-REP roasting
C.Pass-the-Ticket
D.Kerberoasting
AnswerA

Pass-the-Hash uses the NTLM hash to authenticate to services that accept NTLM authentication.

Why this answer

Pass-the-hash uses the NTLM hash directly to authenticate without needing the plaintext password. Tools like pth-winexe or CrackMapExec can perform this.

929
MCQmedium

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

A.Perform a full TCP connect scan on all 65535 ports for each IP address.
B.Use a ping sweep to identify live hosts, then run a SYN scan on port 80 for those hosts.
C.Run a SYN scan on port 80 for every IP in the subnet without ping probing.
D.Use ARP requests to map the subnet and then check for port 80 on each host.
AnswerB

A ping sweep quickly finds responsive IPs, and then a SYN scan on only those hosts for the single port is highly efficient.

Why this answer

Option B is correct because it combines two efficient steps: first, a ping sweep (ICMP Echo Request or ARP scan) identifies live hosts in the 192.168.1.0/24 subnet, reducing the number of targets; second, a SYN scan on port 80 for only those live hosts is faster and less intrusive than scanning all ports or all IPs without prior host discovery. This approach minimizes network traffic and scan time while accurately identifying hosts with HTTP services.

Exam trap

The trap here is that candidates often choose option C, thinking that skipping ping probing saves time, but they overlook the inefficiency of scanning all 256 IPs (including many dead hosts) versus first identifying live hosts to reduce the scan scope.

How to eliminate wrong answers

Option A is wrong because performing a full TCP connect scan on all 65535 ports for each IP in a /24 subnet is highly inefficient, generating massive traffic and taking excessive time, and it does not focus on the specific goal of identifying hosts with port 80 open. Option C is wrong because running a SYN scan on port 80 for every IP in the subnet without ping probing wastes time and resources scanning inactive or non-existent hosts, and it may also trigger intrusion detection systems more aggressively due to scanning dead IPs.

930
MCQeasy

When performing vulnerability scanning, which of the following best describes a false positive?

A.A vulnerability that is correctly identified and verified.
B.A vulnerability that is exploited during the test.
C.A vulnerability that the scanner reports but does not actually exist.
D.A vulnerability that exists but the scanner fails to detect it.
AnswerC

A false positive is an incorrect identification of a vulnerability.

Why this answer

A false positive in vulnerability scanning occurs when the scanner reports a vulnerability that does not actually exist. This is option C. False positives are caused by factors such as overly aggressive signature matching, misconfigured scan profiles, or incomplete verification of service responses.

They waste resources by prompting unnecessary remediation efforts.

Exam trap

The trap here is confusing false positives with false negatives; candidates often pick option D because they misremember the definition, but false negatives are missed vulnerabilities, not incorrect reports.

How to eliminate wrong answers

Option A is wrong because a vulnerability that is correctly identified and verified is a true positive, not a false positive. Option B is wrong because a vulnerability that is exploited during the test is a confirmed exploit, not a false positive; false positives are not exploitable. Option D is wrong because a vulnerability that exists but the scanner fails to detect it is a false negative, not a false positive.

931
MCQeasy

A penetration tester has completed an internal network test. The client's IT manager requests a document that lists each vulnerability with its CVSS score, risk rating, and a brief description of the impact. Which section of the final report should contain this information?

A.Executive Summary
B.Technical Findings
C.Methodology
D.Remediation Summary
AnswerB

The Technical Findings section lists vulnerabilities with CVSS scores, risk ratings, and impact descriptions, tailored for technical staff.

Why this answer

The Technical Findings section is the correct location because it provides a detailed, itemized list of each discovered vulnerability, including its CVSS score, risk rating, and impact description. This section is intended for technical stakeholders who need granular data to prioritize remediation, unlike the Executive Summary which offers high-level business impact and risk overviews.

Exam trap

The trap here is that candidates confuse the Executive Summary's role as a summary of all findings with the Technical Findings' role of providing detailed, per-vulnerability data, leading them to incorrectly select the Executive Summary for listing CVSS scores and impacts.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical management, focusing on business risk, strategic recommendations, and key findings without listing individual CVSS scores or detailed impact descriptions. Option C is wrong because the Methodology section describes the tools, techniques, and procedures used during the test (e.g., Nmap scans, exploitation frameworks), not the specific vulnerabilities found.

932
MCQeasy

In a penetration test report, which section should contain detailed technical information such as affected systems, proof-of-concept code, and remediation steps?

A.Technical findings
B.Appendices
C.Executive summary
D.Methodology
AnswerA

This section contains the detailed technical information for each vulnerability.

Why this answer

The technical findings section is where detailed vulnerability descriptions, evidence, and remediation steps are documented.

933
MCQeasy

Which Metasploit command is used to display information about the current meterpreter session, including the target OS and user?

A.hashdump
B.getuid
C.getsystem
D.sysinfo
AnswerD

sysinfo provides detailed system information including OS and architecture.

Why this answer

The 'sysinfo' meterpreter command displays system information such as OS, architecture, and sometimes user context.

934
MCQhard

Refer to the exhibit. A penetration tester finds this configuration file during an assessment. Which of the following is the most critical security concern with this configuration?

A.The bind password is stored in plaintext
B.The server name is an internal hostname
C.The use of LDAP instead of LDAPS
D.The port is non-standard
AnswerC

LDAP over SSL (LDAPS) provides encryption; without it, credentials are transmitted in clear text.

Why this answer

LDAP transmits credentials and queries in cleartext over TCP port 389, making it vulnerable to sniffing and credential theft. LDAPS (LDAP over SSL/TLS) encrypts the entire session on port 636, protecting the bind password and directory data in transit. Since the configuration uses LDAP instead of LDAPS, an attacker on the network can capture the bind password and potentially gain unauthorized access to the directory service.

Exam trap

CompTIA often tests the distinction between a static misconfiguration (like plaintext storage) and a protocol-level vulnerability (like cleartext transmission), tricking candidates into choosing the plaintext password option without recognizing that the network exposure is the more critical risk.

How to eliminate wrong answers

Option A is wrong because while the bind password is stored in plaintext in the configuration file, the question asks for the most critical security concern with this configuration, and the use of LDAP (unencrypted) exposes that password to network sniffing, making the lack of encryption a more fundamental issue. Option B is wrong because using an internal hostname is a standard practice for internal services and does not inherently introduce a security vulnerability; it only prevents external resolution, which is often desirable. Option D is wrong because a non-standard port is not inherently a security concern; it can even provide a minor degree of obscurity, but it does not address the lack of encryption or authentication protection.

935
MCQmedium

Which of the following penetration testing standards includes detailed guidelines for pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting?

A.OSSTMM
B.OWASP Testing Guide
C.NIST SP 800-115
D.PTES
AnswerD

PTES covers all phases of a penetration test.

Why this answer

PTES (Penetration Testing Execution Standard) covers the entire testing lifecycle from pre-engagement to reporting.

936
MCQmedium

A multi-tenant SaaS application needs tenant isolation testing. Which type of testing is most appropriate?

A.White-box testing with access to source code
B.Vulnerability scanning of the underlying infrastructure
C.Black-box testing from the internet
D.Gray-box testing with a tenant account
AnswerD

Allows testing from an authenticated perspective.

Why this answer

Option A is correct because gray-box testing with a tenant account allows authentication and testing of isolation. Option B is wrong because black-box from the internet cannot test isolation. Option C is wrong because white-box with source code may not reflect real access.

Option D is wrong because infrastructure scanning does not test isolation.

937
MCQmedium

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

A.Identifying subdomains through DNS brute-forcing
B.Discovering open ports and services on public IP ranges
C.Enumerating email addresses from corporate websites
D.Extracting metadata from documents found on the target's website
AnswerB

Shodan collects banner data from services like HTTP, SSH, FTP, etc., allowing testers to see what is exposed on the internet.

Why this answer

Shodan is a search engine for internet-connected devices that scans public IP ranges and indexes the banners returned by services. Its primary use in reconnaissance is to discover open ports and running services on target IP ranges, revealing attack surface such as exposed databases, web servers, or industrial control systems. This aligns directly with the information-gathering phase of a penetration test.

Exam trap

The trap here is that candidates confuse Shodan's banner-gathering capability with active DNS enumeration or web scraping, leading them to select options that describe unrelated reconnaissance tasks.

How to eliminate wrong answers

Option A is wrong because Shodan does not perform DNS brute-forcing; that task is accomplished with tools like dnsrecon, subfinder, or Gobuster, which query DNS servers directly. Option C is wrong because Shodan indexes service banners and device metadata, not email addresses from corporate websites; email enumeration is typically done via web scraping, search engines, or tools like theHarvester.

938
Multi-Selecthard

During a penetration test, the tester discovers a critical SQL injection vulnerability. The client cannot deploy the full fix (parameterized queries) immediately due to legacy code. Which THREE actions should the tester recommend as compensating controls? (Choose three.)

Select 3 answers
A.Disable detailed error messages to prevent information disclosure
B.Restrict the database account used by the application to least privilege
C.Patch the database management system to the latest version
D.Implement a web application firewall (WAF) rule to block SQL injection patterns
E.Apply input validation and sanitization on the affected parameters
AnswersB, D, E

Limits potential damage.

Why this answer

Compensating controls reduce risk while the full fix is pending. WAF rules, input validation, and restricted DB privileges are appropriate. Disabling error messages is not a direct compensating control, and patching the DBMS may not address the injection.

939
Matchingmedium

Match each type of social engineering attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fraudulent emails to obtain sensitive information

Targeted phishing at a specific individual or organization

Voice-based phishing over phone calls

Phishing via SMS text messages

Following an authorized person into a restricted area

Why these pairings

Social engineering attacks exploit human psychology to gain access or information.

940
MCQeasy

Which of the following tools is primarily used for enumerating subdomains via search engine queries?

A.Metasploit
B.Netcat
C.theHarvester
D.Nmap
AnswerC

theHarvester is designed for OSINT, including subdomain enumeration via search engines.

Why this answer

theHarvester is specifically designed to gather emails, subdomains, IPs, and URLs from public sources, including search engines like Google, Bing, and Yahoo. It leverages search engine APIs and scraping techniques to enumerate subdomains without directly interacting with the target infrastructure, making it the correct tool for this task.

Exam trap

The trap here is that candidates often confuse Nmap's DNS brute-force scripts (like dns-brute) with passive subdomain enumeration, but Nmap actively queries DNS servers, whereas theHarvester passively collects data from search engines without touching the target's infrastructure.

How to eliminate wrong answers

Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and execution, not passive subdomain enumeration via search engines. Option B is wrong because Netcat is a networking utility for reading/writing data across TCP/UDP connections, lacking any search engine querying capability. Option D is wrong because Nmap is a network scanner that probes live hosts and services using raw packets, not a tool for passive subdomain discovery through search engine queries.

941
Drag & Dropmedium

Drag and drop the steps to perform a social engineering campaign using a phishing email with a malicious attachment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Social engineering involves pretexting, payload creation, listener setup, delivery, and shell acquisition.

942
MCQhard

A penetration tester is tasked with performing vulnerability scanning on a target organization that uses a web application firewall (WAF) and an intrusion prevention system (IPS). The tester wants to avoid being blocked while still gathering comprehensive data. Which scanning approach is most effective?

A.Use a slow, distributed scan from multiple IP addresses with random delays
B.Perform an aggressive scan with a high thread count to complete before the WAF adapts
C.Only perform passive reconnaissance and avoid active scanning
D.Use known WAF bypass techniques for each request
AnswerA

This reduces the chance of triggering IPS/WAF alerts by mimicking normal traffic patterns and avoiding high request rates from a single source.

Why this answer

A slow, distributed scan from multiple IP addresses with random delays is most effective because it evades rate-based detection mechanisms in WAFs and IPSs. By spreading the scan across many sources and introducing jitter, the traffic appears as normal user activity rather than a coordinated attack, allowing comprehensive data collection without triggering blocks.

Exam trap

The trap here is that candidates assume a fast, aggressive scan will 'beat' the WAF/IPS before it adapts, but in reality these systems use real-time rate limiting and signature detection that will block the source IP almost immediately, making the slow distributed approach the only viable option.

How to eliminate wrong answers

Option B is wrong because an aggressive scan with a high thread count will rapidly generate a high volume of requests, which WAFs and IPSs are specifically designed to detect and block as a denial-of-service or scanning pattern, likely resulting in the tester being blocked before completion. Option C is wrong because passive reconnaissance alone cannot gather comprehensive vulnerability data such as open ports, service versions, or missing patches, which require active probing to identify.

943
Multi-Selectmedium

Which TWO of the following should be included in the methodology section of a penetration test report?

Select 2 answers
A.List of vulnerabilities discovered
B.Step-by-step remediation instructions
C.The client's network diagram
D.The specific tools and commands used during testing
E.The testing approach (e.g., black-box, white-box)
AnswersD, E

Methodology includes tools.

Why this answer

The methodology section of a penetration test report documents the testing approach and the specific techniques used to ensure reproducibility and transparency. Option D is correct because listing the specific tools and commands (e.g., Nmap with `-sV -sC`, Metasploit modules, or custom scripts) allows the client to understand exactly how each test was performed. Option E is correct because stating the testing approach (e.g., black-box, white-box, or gray-box) defines the scope and context of the engagement, which is a core part of the methodology.

Exam trap

CompTIA often tests the distinction between the methodology section (which describes the 'how' and 'approach') and the findings/recommendations sections, leading candidates to mistakenly include vulnerability lists or remediation steps in the methodology.

944
MCQmedium

A penetration tester is analyzing a Bash script that uses 'curl' to send HTTP requests with payloads and checks for a specific string in the response. The script contains: 'if echo $response | grep -q "root:x:0:0"'. Which vulnerability is the script most likely testing for?

A.SQL injection
B.Local file inclusion
C.Cross-site scripting
D.Remote code execution
AnswerB

The script is attempting to read the /etc/passwd file via a file inclusion vulnerability, which would return the password file content containing the 'root:x:0:0' line.

Why this answer

The script checks for the string 'root:x:0:0' in the HTTP response, which is the standard format of the root user entry in the /etc/passwd file on Unix-like systems. This indicates the script is testing whether the server is returning the contents of a local file (e.g., /etc/passwd) via a path traversal or file inclusion vulnerability, making Local File Inclusion (LFI) the correct answer.

Exam trap

The trap here is that candidates may confuse the presence of a specific string in the response with SQL injection (e.g., thinking 'root:x:0:0' is a database record), but the format is a direct match for the /etc/passwd file, which is a classic LFI indicator.

How to eliminate wrong answers

Option A is wrong because SQL injection typically involves manipulating SQL queries to extract database contents, not checking for static system file strings like 'root:x:0:0'. Option C is wrong because cross-site scripting (XSS) focuses on injecting client-side scripts into web pages, not on retrieving server-side file contents. Option D is wrong because remote code execution (RCE) would involve executing arbitrary commands on the server, whereas the script only checks for a file content string in the response, not command output or execution indicators.

945
MCQhard

Refer to the exhibit. A penetration tester discovers this IAM policy attached to a public user role. Which attack is most likely to succeed?

A.Bucket ACL misconfiguration leading to public listing
B.Privilege escalation to admin
C.Resource exhaustion through large object uploads
D.Data exfiltration and modification
AnswerD

GetObject allows reading (exfiltration) and PutObject allows writing (modification) to the bucket.

Why this answer

The IAM policy grants `s3:PutObject` and `s3:GetObject` actions on the `arn:aws:s3:::example-bucket/*` resource, allowing a public user to both upload and download objects. This directly enables data exfiltration (via GetObject) and modification (via PutObject overwriting existing objects). The policy does not restrict object listing or require encryption, making D the most likely successful attack.

Exam trap

CompTIA often tests the distinction between bucket-level actions (like ListBucket) and object-level actions (like GetObject/PutObject), trapping candidates who assume that without ListBucket, data cannot be exfiltrated—but attackers can guess object keys or use other enumeration methods.

How to eliminate wrong answers

Option A is wrong because the policy does not grant `s3:ListBucket` or `s3:GetBucketAcl`, so a public user cannot list bucket contents or view/modify the bucket ACL; bucket ACL misconfiguration is not directly exploitable here. Option B is wrong because the policy only allows specific S3 actions on a single bucket ARN, with no permissions for IAM, STS, or other services that would enable privilege escalation to admin. Option C is wrong because resource exhaustion through large object uploads is a potential denial-of-service vector, but the question asks for the attack most likely to succeed given the explicit read/write permissions, and data exfiltration/modification is more directly enabled and common.

946
Multi-Selectmedium

A penetration tester is conducting passive reconnaissance using OSINT techniques. Which TWO of the following are examples of passive OSINT sources?

Select 2 answers
A.Social engineering
B.Certificate transparency logs (crt.sh)
C.snmpwalk
D.WHOIS databases
E.Nmap SYN scan
AnswersB, D

Certificate logs are publicly accessible and passive.

Why this answer

Certificate transparency logs (crt.sh) are a passive OSINT source because they provide publicly accessible records of SSL/TLS certificates issued for domains. A penetration tester can query these logs without interacting with the target's systems, making it a non-intrusive information-gathering technique.

Exam trap

Cisco often tests the distinction between passive reconnaissance (no direct interaction with the target) and active reconnaissance (generates traffic or requires interaction), and candidates may mistakenly classify tools like snmpwalk or Nmap scans as passive because they are automated or do not require credentials.

947
MCQmedium

A penetration tester is writing the findings section of a report. The tester discovered a cross-site scripting vulnerability that allows session hijacking. The technical team wants to understand exactly how to reproduce it, while the business owner wants to know the risk it poses to customer data. Which approach best addresses both audiences?

A.Include a single detailed description with both technical and business impact
B.Write two separate sections: one for technical details and one for risk analysis
C.Place technical details in an appendix and include only risk ratings in the main body
D.Provide a video demonstration separately from the written report
AnswerB

Separation allows the technical team to quickly find reproduction steps and the business owner to focus on risk and impact.

Why this answer

Option B is correct because it separates the technical reproduction steps (for the technical team) from the business impact analysis (for the business owner), ensuring each audience receives the information in the format they need. This aligns with the PT0-002 objective of tailoring communication to different stakeholders, avoiding confusion or information overload. A single combined description (Option A) would likely be too technical for the business owner or too vague for the technical team.

Exam trap

The trap here is that candidates may choose Option A, thinking a single comprehensive section is efficient, but the PT0-002 exam emphasizes that different stakeholders require different levels of detail—technical teams need exact reproduction steps, while business owners need risk context—so separating them is the correct approach.

How to eliminate wrong answers

Option A is wrong because a single detailed description mixing technical steps and business impact risks confusing both audiences—the technical team may find the risk language irrelevant, while the business owner may be overwhelmed by technical jargon like 'XSS payload injection via unescaped user input in the HTTP GET parameter.' Option C is wrong because placing technical details in an appendix and only risk ratings in the main body fails to provide the technical team with the step-by-step reproduction steps they need, and the business owner may not understand the context of the risk ratings without supporting explanation. Option D is wrong because a video demonstration alone does not replace a written report; it lacks the structured, searchable documentation required for compliance and audit trails, and it may not be accessible to all stakeholders (e.g., those with visual impairments or network restrictions).

948
MCQhard

A penetration testing firm is contracted to perform an external test of a company's web applications. During the scoping meeting, the client mentions that they use a CDN and WAF provided by a third party. The client wants the test to accurately reflect the security of their backend servers behind these protections. What should the tester recommend?

A.Test the CDN and WAF as part of the scope
B.Obtain the backend server IPs from the client and test them directly
C.Include a plan to bypass the WAF in the rules of engagement
D.Only test the public-facing URLs as they are
AnswerB

This allows the tester to assess the backend servers as intended, bypassing the CDN/WAF but with the client's authorization. It is the most accurate way to test the client's own infrastructure.

Why this answer

Option B is correct because the client wants the test to accurately reflect the security of their backend servers behind the CDN and WAF. By obtaining the backend server IPs directly, the tester can bypass the third-party protections and assess the actual security posture of the origin servers, which is the true target of the external test. This approach ensures that vulnerabilities not mitigated by the CDN/WAF are identified, aligning with the client's goal of evaluating backend security.

Exam trap

The trap here is that candidates may assume bypassing the WAF is the correct approach (Option C), but the ethical and practical method is to test the backend servers directly with client permission, not to actively circumvent security controls during the test.

How to eliminate wrong answers

Option A is wrong because testing the CDN and WAF as part of the scope would evaluate the third-party provider's security, not the client's backend servers, and may violate the terms of service or contractual agreements with the provider. Option C is wrong because including a plan to bypass the WAF in the rules of engagement is risky, potentially illegal, and could disrupt the WAF's operation or trigger false positives; the proper approach is to test the backend IPs directly with client authorization. Option D is wrong because only testing public-facing URLs would leave the backend servers untested, as the CDN and WAF may mask vulnerabilities or block malicious traffic, failing to meet the client's requirement to assess backend security.

949
MCQmedium

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A.Performing a zone transfer against the target's DNS servers
B.Searching for the target's SSL certificates in Certificate Transparency logs
C.Using Nmap to scan common ports on the target's public IP range
D.Querying the target's WHOIS records for IP addresses
AnswerB

Certificate Transparency logs are public and can be queried without contacting the target. They often expose subdomains that may not be publicly listed elsewhere.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers of SSL/TLS certificates. By searching CT logs for certificates issued to the target organization, a penetration tester can discover subdomains, hostnames, and even internal-facing server names that are included in Subject Alternative Names (SANs) or Common Names (CNs). This reveals internal network architecture details (e.g., 'mail.internal.example.com') without any direct interaction with the target's systems, making it a purely passive reconnaissance technique.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction techniques like WHOIS lookups or zone transfers, not realizing that zone transfers and Nmap scans are active techniques that directly interact with the target's systems, while Certificate Transparency logs are a purely passive, third-party data source.

How to eliminate wrong answers

Option A is wrong because performing a zone transfer against the target's DNS servers is an active technique that directly interacts with the target's infrastructure; it sends a DNS query (AXFR) to the target's nameserver, which may be logged or blocked. Option C is wrong because using Nmap to scan common ports on the target's public IP range is an active scanning technique that sends packets to the target's systems, generating network traffic and potentially triggering intrusion detection systems. Option D is wrong because querying the target's WHOIS records for IP addresses provides only registration and administrative contact information, not internal network architecture details such as subdomains or hostnames.

950
MCQmedium

A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?

A.The tester must use only non-intrusive scanning techniques on the APIs.
B.The tester must exclude all API endpoints from testing.
C.The tester must coordinate testing schedules with the API vendors.
D.The tester must provide a list of all API calls to be made prior to testing.
AnswerA

Non-intrusive techniques reduce the likelihood of causing service disruption while still allowing assessment.

Why this answer

Option A is correct because the client explicitly stated that the APIs are critical for operations and cannot be taken offline. Non-intrusive scanning techniques, such as passive traffic analysis or read-only API calls with safe HTTP methods (GET, HEAD), minimize the risk of service disruption, data corruption, or rate-limit triggering. This aligns with the scoping requirement to maintain availability while still allowing security testing of the API layer.

Exam trap

The trap here is that candidates may assume 'non-intrusive' means only using automated scanners or that coordinating with vendors (Option C) is necessary for third-party APIs, but the core scoping principle is to avoid impacting production availability while still testing the API attack surface.

How to eliminate wrong answers

Option B is wrong because excluding all API endpoints would leave the most critical attack surface (third-party integrations for payment, shipping, and CRM) completely untested, violating the client's goal of a comprehensive security assessment. Option C is wrong because coordinating schedules with API vendors is impractical and unnecessary; the tester only needs to coordinate with the client, and the APIs are consumed by the web app, not owned by the tester. Option D is wrong because providing a list of all API calls prior to testing is overly restrictive and unrealistic for dynamic testing; it would prevent the tester from discovering undocumented endpoints or chaining calls in ways an attacker would, and it violates the principle of simulating real-world adversarial behavior.

951
Multi-Selectmedium

A penetration tester is performing active reconnaissance on a web application and wants to discover hidden API endpoints. Which TWO tools are BEST suited for this task? (Select TWO.)

Select 2 answers
A.Wappalyzer
B.Nikto
C.theHarvester
D.Feroxbuster
E.Gobuster
AnswersD, E

Correct. Feroxbuster is a fast directory/file bruteforcer.

Why this answer

Gobuster can be used to bruteforce directories and files, including API paths. Feroxbuster is a similar tool written in Rust that is faster and supports recursion. Both are effective for API endpoint discovery.

952
MCQmedium

During an internal penetration test, the tester gains a low-privilege shell on a Linux server running a web application. The web application runs as the www-data user. The tester discovers that the www-data user can read the /etc/shadow file. The server has AppArmor enabled, which restricts certain actions. The tester wants to escalate privileges to root. Which technique is most likely to succeed?

A.Extract password hashes from /etc/shadow and crack them offline.
B.Use a kernel exploit like Dirty COW.
C.Search for SUID binaries with known vulnerabilities and exploit one.
D.Add the www-data user to the sudoers file.
AnswerC

SUID binaries run as root, and a vulnerable one can provide a direct root shell, bypassing AppArmor if the binary's profile allows.

Why this answer

Option C is correct because SUID binaries that are misconfigured or have known vulnerabilities can be exploited to execute commands with the privileges of the binary's owner (often root). Since the tester already has a low-privilege shell and can read /etc/shadow, searching for SUID binaries is a standard privilege escalation technique that does not require kernel exploits or write access to /etc/sudoers. The presence of AppArmor does not inherently block SUID exploitation unless specific profiles restrict the binary.

Exam trap

The trap here is that candidates assume reading /etc/shadow directly leads to root access via password cracking, but they overlook the practical difficulty of using the cracked password without an interactive login method, and they underestimate the effectiveness of SUID exploitation in a restricted environment like AppArmor.

How to eliminate wrong answers

Option A is wrong because extracting password hashes from /etc/shadow and cracking them offline only yields the password for a user account (e.g., root), but the tester does not have a way to use that password to log in as root (e.g., SSH may be disabled, or the tester lacks interactive login). Option B is wrong because kernel exploits like Dirty COW (CVE-2016-5195) are likely to be blocked by AppArmor's kernel-level restrictions, and modern kernels have patched this vulnerability; the question explicitly states AppArmor is enabled, which reduces the success rate of kernel exploits. Option D is wrong because adding the www-data user to the sudoers file requires write access to /etc/sudoers, which the www-data user does not have (the file is typically owned by root and has 440 permissions), and the tester cannot modify it from a low-privilege shell.

953
MCQmedium

A penetration tester is scoping a test for a multinational company that must comply with GDPR. The tester wants to ensure that any personal data captured during the test is handled appropriately. Which document should be reviewed?

A.Test plan
B.Authorization letter
C.Data processing agreement
D.Non-disclosure agreement
AnswerC

DPA defines how personal data must be handled, ensuring GDPR compliance.

Why this answer

A data processing agreement (DPA) outlines how personal data is processed and protected, which is essential for GDPR compliance. An NDA covers confidentiality but not data processing specifics. An authorization letter grants permission, and a test plan is technical.

954
MCQmedium

A penetration tester is preparing a report for a client that includes both a technical security team and an executive leadership team. The executive team needs to understand the overall risk posture, while the technical team requires detailed reproduction steps. Which reporting structure best serves both audiences?

A.A single report with an executive summary and technical appendices
B.Two completely separate reports: one for executives and one for technical staff
C.Only an executive summary, omitting technical details
D.Only a technical report with all details
AnswerA

This structure allows both audiences to find the information they need in one document. The executive summary is concise and non-technical, while technical appendices provide depth.

Why this answer

A single report with an executive summary and technical appendices is the correct structure because it satisfies both audiences: the executive summary provides a high-level risk posture overview (e.g., CVSS scores, business impact), while the technical appendices contain detailed reproduction steps (e.g., exact commands, payloads, and packet captures) for the technical team. This approach aligns with the PT0-002 objective of tailoring communication to stakeholders without losing technical rigor.

Exam trap

The trap here is that candidates think separate reports are more 'professional' or 'targeted,' but the PT0-002 exam expects a single cohesive report with layered detail to ensure consistency and traceability between the executive summary and technical findings.

How to eliminate wrong answers

Option B is wrong because two completely separate reports can lead to misalignment between the executive summary and technical details, causing executives to miss critical context or technical staff to lack business impact understanding. Option C is wrong because omitting technical details prevents the technical team from validating or reproducing findings, violating the reporting requirement for actionable remediation steps. Option D is wrong because a purely technical report overwhelms executives with jargon and lacks the risk posture summary they need for decision-making, failing the communication objective.

955
Multi-Selecteasy

Which TWO of the following are common methods used to bypass network access controls during a penetration test? (Choose two.)

Select 2 answers
A.SSID broadcasting
B.MAC spoofing
C.802.1Q trunking (VLAN hopping)
D.ARP poisoning
E.SQL injection
AnswersB, C

Spoofing a allowed MAC address can bypass MAC-based ACLs.

Why this answer

MAC spoofing allows a tester to impersonate an authorized device by changing the MAC address of their network interface to match a whitelisted MAC, thereby bypassing MAC-based access control lists (ACLs) or port security. This is a common bypass because many network access controls rely on MAC addresses as a simple authentication factor, which can be trivially altered using tools like `macchanger` or `ifconfig`.

Exam trap

CompTIA often tests the distinction between passive reconnaissance (like SSID broadcasting) and active bypass techniques, leading candidates to incorrectly select SSID broadcasting as a bypass method when it is merely a visibility setting.

956
MCQhard

A penetration tester is assessing a custom web application that uses JSON Web Tokens (JWT) for authentication. The tester suspects the token may be using a weak secret. Which tool is best suited to attempt cracking the JWT secret?

A.Hashcat
B.DirBuster
C.Burp Suite Intruder
D.sqlmap
AnswerA

Hashcat supports JWT (HMAC-SHA) cracking with its mode 16500.

Why this answer

Hashcat is a powerful password cracking tool that can crack JWT secrets using dictionary or brute-force attacks. John the Ripper is similar but hashcat is generally faster and more GPU-optimized. DirBuster is for directory discovery, sqlmap for SQL injection, and Burp Suite Intruder can be used but is less efficient for offline cracking.

957
MCQhard

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

A.Pass-the-Hash
B.Silver Ticket
C.Golden Ticket
D.DCSync
AnswerC

With the krbtgt hash, an attacker can create a Golden Ticket—a forged TGT that allows impersonation of any user for any service in the domain.

Why this answer

A Golden Ticket attack is the correct answer because the tester has cracked the krbtgt hash, which is the key used by the Key Distribution Center (KDC) to sign all Ticket Granting Tickets (TGTs). With this hash, the tester can forge a TGT for any user (including a domain admin) with an arbitrary long validity period, granting persistent administrative access to any resource in the domain without needing to interact with the domain controller again.

Exam trap

The trap here is that candidates confuse the scope of a Silver Ticket (limited to a single service) with a Golden Ticket (full domain compromise), often picking Silver Ticket because they think 'service ticket' sounds broader, but the krbtgt hash specifically enables TGT forgery, not service ticket forgery.

How to eliminate wrong answers

Option A is wrong because Pass-the-Hash (PtH) uses an NTLM hash of a user's password to authenticate, not the krbtgt hash, and it does not provide persistent access to all resources—it only allows impersonation of that specific user until the hash changes. Option B is wrong because a Silver Ticket forges a service ticket (TGS) using the hash of a service account (e.g., for a specific service like HTTP or CIFS), not the krbtgt hash, and it only grants access to that specific service, not to any resource in the domain.

958
Multi-Selecthard

A penetration tester is reverse-engineering a .NET binary to understand its authentication logic. Which three tools are suitable for decompiling .NET assemblies? (Choose THREE.)

Select 3 answers
A.jadx
B.dotPeek
C.Ghidra
D.ILSpy
E.dnSpy
AnswersB, D, E

JetBrains dotPeek is a free .NET decompiler.

Why this answer

dnSpy, ILSpy, and JetBrains dotPeek are decompilers for .NET. Ghidra is for native code, jadx for Android APK.

959
MCQeasy

A penetration tester is engaged to perform a red team exercise for a large enterprise. The client wants the test to simulate a realistic attack from an external threat actor. Which of the following scoping elements is most important to include in the rules of engagement?

A.A list of all IP addresses to be scanned
B.The time window for the test
C.The amount of data to be exfiltrated
D.The specific vulnerabilities to be exploited
AnswerB

Defining the start and end times ensures the test does not interfere with critical operations and allows the blue team to be prepared.

Why this answer

In a red team exercise simulating an external threat actor, the rules of engagement must define the time window for testing to ensure the test aligns with operational constraints and minimizes business disruption. This scoping element is critical because it sets legal and logistical boundaries, such as avoiding peak business hours or maintenance windows, which is a core requirement for realistic yet safe adversarial simulation.

Exam trap

CompTIA often tests the misconception that a fixed target list (Option A) is essential for scoping, when in reality, red team exercises require discovery phases that mimic real attackers, making a predefined IP list counterproductive to the simulation's authenticity.

How to eliminate wrong answers

Option A is wrong because providing a list of all IP addresses to be scanned would undermine the realism of an external attack simulation, where the threat actor must discover targets through reconnaissance (e.g., DNS enumeration, Shodan, or passive scanning). Option C is wrong because specifying the amount of data to be exfiltrated is a constraint that would artificially limit the test's realism; in a real attack, exfiltration volume is determined by the attacker's objectives and the environment's defenses, not pre-defined limits.

960
MCQhard

During a penetration test, you successfully execute a Meterpreter session on a Windows target. You want to dump password hashes from the SAM database. Which Meterpreter command should you use?

A.getsystem
B.hashdump
C.getuid
D.sysinfo
AnswerB

hashdump retrieves password hashes from the SAM.

Why this answer

hashdump is the Meterpreter command to dump SAM hashes.

961
MCQmedium

You are tasked with identifying the technologies used by a web application (e.g., web server, frameworks, libraries) during the reconnaissance phase. Which tool would you use?

A.Gobuster
B.theHarvester
C.Nmap
D.WhatWeb
AnswerD

WhatWeb is specifically designed for web technology identification.

Why this answer

WhatWeb is a tool for fingerprinting web technologies. It identifies software, frameworks, and other components by analyzing HTTP responses and page content. Wappalyzer is a browser extension but WhatWeb is command-line and scriptable.

962
MCQhard

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

A.Return-oriented programming (ROP) to bypass DEP
B.Simple shellcode injection on the stack
C.ASLR bypass techniques
D.Heap spraying
AnswerA

ROP chains use existing code snippets (gadgets) to perform operations without injecting executable code, bypassing DEP effectively.

Why this answer

Return-oriented programming (ROP) is the most appropriate technique because DEP marks the stack and heap as non-executable, preventing direct shellcode injection. With ASLR disabled, the attacker can reliably locate and chain small instruction sequences (gadgets) from the binary or loaded libraries to achieve arbitrary code execution without needing executable memory regions.

Exam trap

CompTIA often tests the misconception that DEP can be bypassed by simply injecting shellcode onto the stack, ignoring that DEP explicitly prevents execution from non-executable pages, making ROP or similar code-reuse techniques mandatory.

How to eliminate wrong answers

Option B is wrong because simple shellcode injection on the stack fails when DEP is enabled, as the CPU will raise an access violation when trying to execute code from a non-executable memory region. Option C is wrong because ASLR bypass techniques (such as information leaks or brute-forcing) are unnecessary when ASLR is already disabled; the core challenge here is DEP, not address randomization.

963
MCQmedium

During a network penetration test, the tester identifies that a web server is vulnerable to a buffer overflow. The server is running on a Windows system with DEP enabled. Which technique should the tester use to bypass DEP?

A.Return-to-libc attack
B.Return-Oriented Programming (ROP)
C.Use a NOP sled and shellcode injection
D.Stack pivoting
AnswerB

ROP uses existing code gadgets to execute arbitrary commands without injecting new code.

Why this answer

Return-Oriented Programming (ROP) is the correct technique to bypass Data Execution Prevention (DEP) on Windows. DEP marks memory pages (like the stack and heap) as non-executable, preventing direct shellcode execution. ROP chains together small instruction sequences (gadgets) already present in executable memory (e.g., in loaded DLLs) to achieve arbitrary behavior without injecting or executing new code.

Exam trap

The trap here is that candidates often confuse DEP bypass with simple shellcode injection (Option C) or assume stack pivoting alone bypasses DEP, when in fact ROP is the standard technique to execute code without relying on executable stack memory.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically calls a single libc function (e.g., system()) to execute a command, but on Windows with DEP, the stack is non-executable and the attack still relies on calling existing functions; however, ROP is more flexible and is the standard modern bypass for DEP, while return-to-libc is more associated with Linux and does not fully address the need for chaining multiple calls. Option C is wrong because a NOP sled and shellcode injection rely on executing code on the stack, which is blocked by DEP (non-executable stack). Option D is wrong because stack pivoting is a technique to redirect the stack pointer to a controlled memory region (e.g., heap) to facilitate ROP or other attacks, but it is not itself a method to bypass DEP; it is often used in conjunction with ROP, not as a standalone bypass.

964
MCQmedium

You are contracted to perform a penetration test for a healthcare organization. During the testing, you discover a critical SQL injection vulnerability that exposes patient health information. The deadline for the final report is one week away. The client's IT manager asks you to exclude this finding from the report because they are already aware of it and are working on a fix. The IT manager claims that including it would cause panic among stakeholders. What is the BEST course of action?

A.Agree to exclude it but note it verbally
B.Explain that findings must be included in the report regardless of awareness, and offer to present the finding in a controlled manner to management
C.Report the issue to the client's compliance officer without informing the IT manager
D.Include it only in the technical appendix
AnswerB

This maintains integrity while addressing the client's concerns about stakeholder reaction.

Why this answer

Option A is correct. According to reporting best practices, all findings must be documented regardless of awareness. Offering to present the finding in a controlled manner addresses the client's concern while ensuring transparency.

Option B is wrong because verbal notes are not part of the formal report and may be forgotten. Option C is wrong because hiding the finding in an appendix still includes it but may not give it appropriate visibility. Option D is wrong because bypassing the IT manager could damage trust and violate reporting protocols.

965
MCQmedium

A penetration tester has identified a critical misconfiguration in a cloud storage bucket that exposes sensitive customer data. The client's technical team has already applied a fix, but the tester wants to ensure the report accurately reflects the risk and the remediation. Which section of the report should include the steps to reproduce the vulnerability?

A.Executive summary
B.Findings and risk rating
C.Technical details and proof of concept
D.Remediation recommendations
AnswerC

This is the correct section, as it contains the exact commands, screenshots, and steps needed to reproduce the vulnerability for technical staff.

Why this answer

The technical details and proof of concept (POC) section is the correct place to include step-by-step reproduction steps because it provides the client's technical team with the exact commands, API calls, or configuration checks needed to verify the vulnerability and the fix. This section is distinct from the executive summary (which targets non-technical stakeholders) and the findings and risk rating (which focuses on impact and severity). By including reproduction steps here, the tester ensures the remediation can be validated without ambiguity.

Exam trap

The trap here is that candidates confuse the 'findings and risk rating' section with the 'technical details' section, assuming reproduction steps belong with the risk description, when in fact the PT0-002 exam expects a clear separation: risk rating is for impact, technical details is for replication.

How to eliminate wrong answers

Option A is wrong because the executive summary is intended for management and non-technical stakeholders, providing a high-level overview of risks and business impact, not detailed reproduction steps. Option B is wrong because the findings and risk rating section describes the vulnerability's nature, impact, and CVSS score, but does not include the procedural steps to replicate the issue; those steps belong in the technical details section.

966
Multi-Selectmedium

A penetration tester is preparing to perform an authenticated vulnerability scan of a network. Which THREE of the following are important considerations before starting the scan? (Select THREE.)

Select 3 answers
A.Using default community strings for SNMP
B.Configuring the scanner to use the appropriate credentials
C.Ensuring the scan will not disrupt production services
D.Selecting a random scan time to avoid detection
E.Obtaining written authorization from the target organization
AnswersB, C, E

Credentials are required for authenticated scans; using wrong credentials leads to incomplete results.

Why this answer

Authenticated scans require valid credentials to log into systems for deeper assessment. It's important to understand the risk of service disruption, ensure credentials have appropriate privileges, and obtain written authorization to avoid legal issues.

967
MCQmedium

A penetration tester has gained a low-privilege shell on a Windows server and discovers the user has the SeImpersonatePrivilege. Which tool could the tester use to escalate privileges to SYSTEM?

A.Mimikatz
B.SharpHound
C.PowerUp
D.PrintSpoofer
AnswerD

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM access.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to escalate privileges on Windows.

968
MCQhard

A penetration tester is engaged to perform a social engineering assessment targeting the sales department. The RoE specifies that testing is allowed only during business hours. Which of the following actions would be most appropriate when planning the engagement?

A.Deploy USB drop attacks at the office entrance over the weekend
B.Conduct a phishing campaign with emails sent at 2:00 AM
C.Perform a tailgating attempt at 7:00 PM after most employees have left
D.Launch a vishing attack during normal business hours
AnswerD

Correct. Vishing during business hours complies with RoE.

Why this answer

Tailgating outside business hours would violate the RoE; the tester should design attacks that fit within the allowed times.

969
MCQeasy

A penetration tester is hired to perform a test with no prior knowledge of the target environment. The tester is given only the company name and must gather all necessary information from public sources. Which type of penetration test is this?

A.Grey box
B.Black box
C.Red team
D.White box
AnswerB

Black box provides no prior knowledge.

Why this answer

In a black box test, the tester has no prior knowledge or credentials, simulating an external attacker.

970
MCQhard

A penetration tester is engaged to assess a corporate network that uses a centralized logging server (SIEM) with a 24/7 SOC. The tester has gained initial access to a Windows workstation via a phishing email. The goal is to move laterally to a domain controller without triggering alerts. The internal network is segmented into VLANs: a user VLAN (192.168.1.0/24) and a server VLAN (10.0.0.0/24) with strict firewall rules allowing only specific ports (e.g., RDP from user VLAN to server VLAN is denied). The tester discovers that the workstation has a PowerShell script that runs every hour to check for drive space on all servers using WinRM (port 5985) with stored domain admin credentials. The script is scheduled via a domain GPO. Which of the following actions should the tester perform to achieve lateral movement to the domain controller with the lowest chance of detection?

A.Alter the firewall rules to allow direct access from the user VLAN to the server VLAN
B.Use a RDP client to connect directly to the domain controller from the workstation
C.Modify the existing PowerShell script to include a reverse shell that connects back to the tester
D.Perform a pass-the-hash attack from the workstation to the domain controller using SMB
AnswerC

This leverages existing trusted infrastructure and credentials, blending in with normal operations.

Why this answer

Option C is correct because modifying the existing PowerShell script to include a reverse shell allows the tester to execute code on the domain controller using WinRM (port 5985), which is already permitted by the firewall and part of a legitimate scheduled task. This approach leverages the stored domain admin credentials and the trusted script execution path, avoiding any new connections or anomalies that would trigger SOC alerts. The reverse shell blends into the normal WinRM traffic, making detection by the SIEM or SOC highly unlikely.

Exam trap

The trap here is that candidates often choose pass-the-hash (Option D) because it is a well-known lateral movement technique, but they overlook the strict firewall rules and logging that would expose the SMB traffic, whereas modifying an existing trusted script (Option C) is stealthier and aligns with the scenario's constraints.

How to eliminate wrong answers

Option A is wrong because altering firewall rules requires administrative privileges on the firewall itself, which the tester does not have from a compromised workstation, and any change would be immediately detected by the SOC as an unauthorized configuration modification. Option B is wrong because RDP from the user VLAN to the server VLAN is explicitly denied by the firewall rules, and attempting a direct RDP connection would be blocked and logged as a failed connection attempt, triggering an alert. Option D is wrong because pass-the-hash over SMB typically uses port 445, which is likely blocked or restricted between VLANs, and the SMB protocol generates significant network logs that the SIEM would flag as anomalous lateral movement.

971
MCQmedium

While performing web application reconnaissance, a tester wants to enumerate hidden directories and files on a web server. Which of the following tools is specifically designed for directory brute-forcing?

A.Nikto
B.Gobuster
C.WPScan
D.Nmap
AnswerB

Gobuster is a tool for directory/file and DNS subdomain brute-forcing, commonly used in web app recon.

Why this answer

Gobuster is specifically designed for directory brute-forcing by using a wordlist to discover hidden directories and files on a web server. It sends HTTP GET requests to the target and reports valid responses (e.g., 200, 301, 403), making it the correct tool for this task.

Exam trap

The trap here is that candidates may confuse Nikto's web scanning capabilities with directory brute-forcing, but Nikto's focus is on vulnerability detection rather than enumerating hidden paths via wordlists.

How to eliminate wrong answers

Option A is wrong because Nikto is a web server vulnerability scanner that checks for known vulnerabilities, outdated software, and misconfigurations, not a directory brute-forcer. Option C is wrong because WPScan is a specialized scanner for WordPress sites, focusing on themes, plugins, and user enumeration, not generic directory brute-forcing. Option D is wrong because Nmap is a network port scanner and host discovery tool, not designed for HTTP-based directory enumeration.

972
MCQmedium

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to gather information about the target's technology stack, including web server software and frameworks, without directly interacting with the target systems. Which technique is most effective?

A.Running Nmap with the -A flag against the target's public IP range
B.Using theHarvester to search for email addresses and subdomains
C.Querying public records with BuiltWith
D.Performing a DNS zone transfer
AnswerC

BuiltWith uses public data and DNS records to profile the technologies used by a website, including web servers, frameworks, and analytics tools, all without sending any traffic to the target.

Why this answer

BuiltWith is a passive reconnaissance tool that queries public web data and DNS records to identify a target's technology stack, such as web server software (e.g., Apache, Nginx) and frameworks (e.g., React, Django), without sending any packets to the target's systems. This makes it ideal for passive information gathering, as it relies on third-party databases and cached information rather than direct interaction.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction active tools like Nmap's -A flag, failing to recognize that any direct network probing constitutes active reconnaissance, even if it's just a single scan.

How to eliminate wrong answers

Option A is wrong because running Nmap with the -A flag performs active reconnaissance by sending probes directly to the target's IP range, which can be detected by intrusion detection systems and violates the passive requirement. Option B is wrong because theHarvester focuses on gathering email addresses and subdomains from search engines and public sources, not on identifying the technology stack like web server software or frameworks.

973
MCQmedium

A penetration tester is analyzing the results of a vulnerability scan against a web application. The scanner reports a potential SQL injection vulnerability in a login form parameter. However, manual testing with the same payload does not produce any error messages or changes in behavior. Which of the following is the most likely reason for the false positive?

A.The scanner used a payload that was not URL-encoded
B.The web application is using a parameterized query that sanitizes input
C.The scanning engine is outdated and does not support the latest SQL syntax
D.The login form is protected by a CAPTCHA that blocks automated scanning
AnswerB

Parameterized queries separate SQL logic from data, preventing injection even if input appears malicious. The scanner may have flagged based on the payload string, but the application handled it safely.

Why this answer

Option B is correct because the use of parameterized queries (prepared statements) separates SQL logic from user input, preventing SQL injection even if the input contains malicious payloads. The scanner's payload triggered a false positive because the application's database layer safely handles the input, so no error or behavioral change occurs during manual testing.

Exam trap

The trap here is that candidates often assume a vulnerability scanner's report is always accurate and overlook the possibility of false positives due to input handling mechanisms like parameterized queries, instead focusing on payload encoding or scanner version issues.

How to eliminate wrong answers

Option A is wrong because URL-encoding is a standard practice for transmitting special characters in HTTP requests; if the scanner's payload were not URL-encoded, the web server would likely reject or truncate the request, not produce a false positive. Option C is wrong because an outdated scanning engine might miss new SQL syntax or produce false negatives, but it would not cause a false positive; the scanner reported a vulnerability that manual testing disproves, which is a false positive, not a false negative.

974
MCQhard

A penetration tester is analyzing a Linux binary and wants to decompile it to understand its logic. Which open-source tool is specifically designed for reverse engineering and can generate C-like pseudocode from compiled binaries?

A.IDA Pro Free
B.dnSpy
C.Ghidra
D.jadx
AnswerC

Correct. Ghidra includes a decompiler that produces pseudocode.

Why this answer

Ghidra, developed by the NSA, is a reverse engineering framework that can decompile binaries into C-like pseudocode.

975
MCQmedium

During a Windows privilege escalation attempt, the tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool is commonly used to exploit this privilege to gain SYSTEM?

A.PrintSpoofer
B.SharpUp
C.Mimikatz
D.PowerUp
AnswerA

PrintSpoofer leverages SeImpersonatePrivilege to escalate to SYSTEM.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to impersonate SYSTEM and spawn a shell.

Page 12

Page 13 of 14

Page 14
CompTIA PenTest+ PT0-002 PT0-002 Questions 901–975 | Page 13/14 | Courseiva