CompTIA PenTest+ PT0-002 (PT0-002) — Questions 76–150

509 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
Multi-Select · easy

A penetration tester is developing a rules of engagement document for a client. Which TWO elements should the tester include to ensure proper scope boundaries?

Select 2 answers
A. List of authorized testing tools
B. Target IP addresses and subnets
C. Credentials for privileged accounts
D. Escalation procedures for critical findings
E. Emergency contact information for law enforcement
Answers: B, D

Clear definition of the target systems is essential for scope.

Why this answer

The rules of engagement should clearly define what is in scope and how to handle findings. Target IP addresses and subnets (B) specify the scope of systems to test, and escalation procedures (D) outline how to communicate critical findings. While authorized tools (A) may be listed, they are not scope boundaries; privileged credentials (C) are sometimes provided but not a scope boundary; emergency contact info (E) is typically part of incident response, not ROE scope.

77
Multi-Select · easy

Which two tools are commonly used for password cracking in penetration testing?

Select 2 answers
A. Metasploit
B. Nmap
C. Hashcat
D. John the Ripper
E. Wireshark
Answers: C, D

Hashcat is a password cracking tool.

Why this answer

Options C and D are correct: Hashcat and John the Ripper are widely used password crackers. Option E is wrong because Wireshark is a packet analyzer.

Option B is wrong because Nmap is a network scanner. Option A is wrong because Metasploit is an exploitation framework.

78
MCQ · medium

A penetration testing firm is hired to assess a client's hybrid infrastructure with on-premises and cloud servers in multiple regions. The client specifies testing only the on-premises systems due to budget and compliance. Which of the following should the tester emphasize in the rules of engagement (ROE)?

A. Detailed network diagrams of the cloud environment
B. Explicit exclusion of all cloud-based assets
C. Approval from the cloud service provider
D. A list of all cloud API endpoints
Answer: B

This ensures that the tester and client are aligned on what is off-limits, reducing the risk of scope creep and compliance violations.

Why this answer

The client explicitly restricted testing to on-premises systems due to budget and compliance. The rules of engagement (ROE) must clearly define the authorized scope to prevent accidental testing of cloud assets, which could violate the contract and potentially breach the cloud provider's terms of service. Option B is correct because explicitly excluding all cloud-based assets ensures the tester does not touch any cloud resources, aligning with the client's constraints.

Exam trap

The trap here is that candidates may think they need cloud provider approval or network diagrams to understand the environment, but the key is respecting the client's explicit scope limitation by excluding cloud assets in the ROE.

How to eliminate wrong answers

Option A is wrong because detailed network diagrams of the cloud environment are irrelevant and out of scope; the tester is not authorized to test cloud systems, and requesting such diagrams could imply intent to test them, violating the client's restrictions. Option C is wrong because approval from the cloud service provider is not required when the cloud assets are explicitly excluded from testing; the tester has no need to interact with the cloud provider's infrastructure, and seeking such approval could create unnecessary legal or contractual complications.

79
MCQ · medium

A client wants to test a mobile app that uses certificate pinning. The penetration tester needs to perform dynamic analysis of the app's network traffic. Which of the following should be included in the rules of engagement to enable this testing?

A. Include a provision to install a custom CA certificate on a rooted/jailbroken device.
B. Request the app's source code for static analysis instead of dynamic analysis.
C. Use a proxy tool like Burp Suite without any modification to the device.
D. Obtain a list of API endpoints from the developer and test them manually.
Answer: A

This is the standard approach to bypass certificate pinning. By installing a custom CA certificate that the testing proxy uses, the tester can intercept and modify traffic. Rooting/jailbreaking may void warranties, so client permission is essential.

Why this answer

Certificate pinning in mobile apps rejects any proxy or interception certificate that is not the expected pinned certificate. Installing a custom CA certificate on a rooted/jailbroken device allows the tester to bypass the pinning by injecting a trusted root CA that the proxy (e.g., Burp Suite) uses to sign its certificates, enabling decryption of HTTPS traffic for dynamic analysis.

Exam trap

The trap here is that candidates assume a proxy tool alone can intercept pinned traffic, forgetting that certificate pinning explicitly rejects untrusted CAs, so device modification (root/jailbreak and custom CA) is mandatory for dynamic analysis.

How to eliminate wrong answers

Option B is wrong because static analysis of source code does not capture runtime network behavior, which is required for dynamic analysis of traffic; the client specifically requested dynamic analysis. Option C is wrong because using a proxy tool like Burp Suite without modifying the device will fail — the app's certificate pinning will reject the proxy's certificate, preventing any interception of HTTPS traffic.

80
MCQ · hard

You are a penetration tester hired to assess the security of a mid-sized company. The company's internal network consists of a web server running Apache 2.4.29 on Ubuntu 18.04, a database server with MySQL 5.7 on CentOS 7, and a file server running Samba 4.8 on a separate Linux distribution. You are given a standard domain user account with limited privileges. After initial reconnaissance, you discover that the web server has a SQL injection vulnerability in its login form. However, when you attempt to exploit it with SQLmap, the web application firewall (WAF) blocks all your payloads. You also notice that the file server is accessible via SMB with guest access enabled, allowing you to list shares without authentication. The database server is isolated on a separate VLAN and is not directly accessible from your workstation. Which of the following actions should you take NEXT to further your assessment?

A. Use SQLmap with --tamper scripts to bypass the WAF
B. Scan the file server for vulnerabilities using Nmap NSE scripts
C. Attempt to brute-force the MySQL root password on the database server
D. Conduct a phishing campaign against employees to gain elevated credentials
Answer: B

The SMB guest access provides a direct opportunity to enumerate the file server and potentially find vulnerabilities (e.g., EternalBlue) that could lead to system compromise.

Why this answer

With guest access to the SMB file server, you can probe it for vulnerabilities using Nmap's scripting engine (NSE). This could reveal additional weaknesses that might provide a foothold or lateral movement paths. Attempting to bypass the WAF immediately (option A) is possible but may be time-consuming and less likely to succeed without more information.

Brute-forcing the MySQL root password (option C) is not feasible because you cannot reach the database server directly. Phishing (option D) is an option but it does not leverage the current access and may not be the most efficient next step.

81
MCQ · medium

A penetration tester has completed the test and is writing the technical report. The client's security team is highly skilled and wants detailed information about each vulnerability, including the exact request/response used to exploit it. The team also wants to understand the potential impact on the business. Which of the following is the best way to structure the findings for this audience?

A. Provide only a list of CVSS scores and short descriptions.
B. Include a separate 'Executive Summary' section that covers business impact, and a 'Technical Appendix' with detailed reproduction steps.
C. Combine business impact and technical details in a single paragraph for each finding.
D. Omit technical details to keep the report concise.
Answer: B

This structure allows each audience to find the appropriate level of detail.

Why this answer

Option B is correct because it separates the business impact discussion into an Executive Summary for the client's leadership while providing the detailed technical reproduction steps (exact request/response pairs) in a Technical Appendix, satisfying the highly skilled security team's need for granular exploit details without diluting the business risk narrative.

Exam trap

The trap here is that candidates often pick Option C thinking it is efficient to combine everything, but CompTIA tests the understanding that skilled technical audiences require clear separation of business impact and raw technical data to avoid confusion and ensure actionable findings.

How to eliminate wrong answers

Option A is wrong because providing only CVSS scores and short descriptions omits the exact request/response data the client's skilled security team explicitly requires to validate and remediate each vulnerability; it also fails to address business impact, which the team requested. Option C is wrong because combining business impact and technical details in a single paragraph for each finding creates a cluttered, hard-to-scan format that forces the reader to wade through raw HTTP request/response payloads to find the business risk summary, reducing clarity for both technical and non-technical stakeholders.

82
Multi-Select · medium

A penetration tester is preparing a final report after a web application test. The tester wants to prioritize vulnerabilities based on risk. Which TWO factors should the tester primarily consider when assigning risk ratings?

Select 2 answers
A. Business impact
B. Ease of exploitation
C. Number of times the vulnerability was detected
D. CVSS base score
E. Time to remediate
Answers: A, D

Business impact contextualizes risk for the organization, a key component of risk ratings.

Why this answer

CVSS base score and business impact are the primary factors for risk ratings per CompTIA PenTest+ objectives.

83
MCQ · easy

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

A. Using the 'nslookup' command interactively
B. Performing a zone transfer
C. Using search engines and public certificate transparency logs
D. Using the 'host' command
Answer: C

These sources aggregate data from external observations and do not require contacting the target, thus are passive.

Why this answer

Option C is correct because search engines (e.g., Google dorking) and public certificate transparency logs (e.g., crt.sh) allow a tester to discover subdomains by querying aggregated historical DNS and TLS certificate data, without sending any queries to the target's authoritative DNS servers. This passive reconnaissance technique avoids alerting the target's infrastructure and complies with the requirement of no direct requests to the target's DNS servers.

Exam trap

CompTIA often tests the distinction between active and passive reconnaissance, and the trap here is that candidates may choose zone transfer (Option B) because it is a well-known DNS enumeration technique, but they overlook that it requires direct contact with the target's DNS server and is typically blocked, whereas certificate transparency logs provide a passive alternative that avoids direct interaction.

How to eliminate wrong answers

Option A is wrong because using 'nslookup' interactively sends DNS queries directly to the target's DNS servers (or configured resolvers), which violates the requirement of not making direct requests to the target's own DNS servers. Option B is wrong because performing a zone transfer (AXFR) requires a direct TCP connection to the target's authoritative DNS server on port 53, and most modern DNS servers are configured to deny zone transfers except to authorized secondary servers, making it both a direct request and often unsuccessful.

84
MCQ · hard

Refer to the exhibit. The firewall rules shown are in effect. A tester has compromised a host at 192.168.1.100 and wants to exfiltrate data to an external server. Which technique will most likely succeed?

A. Use DNS tunneling to an external DNS server
B. Send data over HTTPS to an external server
C. Exfiltrate via HTTP to an external server
D. Initiate an RDP connection to the external server
Answer: B

Outbound HTTPS to any destination is allowed, making this the best choice.

Why this answer

Option B is correct because HTTPS (TCP/443) is typically allowed through firewalls for web traffic, and the encrypted payload can bypass deep packet inspection. The compromised host at 192.168.1.100 can initiate an outbound HTTPS connection to an external server, making data exfiltration over HTTPS the most likely to succeed given the firewall rules.

Exam trap

The trap here is that candidates may assume DNS tunneling is stealthy because it uses a common protocol, but they overlook that firewalls often allow HTTPS by default while DNS traffic is more closely monitored for anomalies.

How to eliminate wrong answers

Option A is wrong because DNS tunneling relies on UDP/53 traffic, which is often monitored for anomalous query patterns or blocked by security controls like DNS sinkholing or rate limiting, making it less reliable than HTTPS. Option C is wrong because HTTP (TCP/80) is frequently inspected or blocked by modern firewalls and proxies, and unencrypted traffic can be easily detected or filtered. Option D is wrong because RDP (TCP/3389) is a remote management protocol that is typically blocked at the perimeter firewall to prevent unauthorized remote access, and it is not designed for stealthy data exfiltration.

85
MCQ · medium

A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?

A. Adding a cron job to run a reverse shell every minute
B. Creating a local user account with UID 0
C. Modifying the sudoers file to grant the tester sudo access
D. Installing a kernel module rootkit
Answer: A

Cron jobs are simple, reliable, and persist across reboots.

Why this answer

A cron job is the most reliable persistence mechanism because it operates independently of user login sessions, runs with root privileges if configured in the root crontab, and can execute a reverse shell at a fixed interval (e.g., every minute). Unlike user accounts or sudoers modifications, a cron job does not require the attacker to maintain an active session or rely on system services that may be monitored or disabled.

Exam trap

The trap here is that candidates may assume creating a root-equivalent user (UID 0) is stealthy, but in practice it is easily detected by auditing tools and log reviews, whereas a cron job blends in with normal system activity and provides automated, recurring access.

How to eliminate wrong answers

Option B is wrong because creating a local user account with UID 0 (root) is highly visible in /etc/passwd and /etc/shadow, and many security tools and system administrators actively monitor for unauthorized UID 0 accounts. Option C is wrong because modifying the sudoers file grants sudo access but does not provide persistence; the tester would still need an active session or another method to regain access if the current session is lost.

86
MCQ · easy

A penetration tester is preparing the executive summary for a client's board of directors. Which of the following is the most appropriate content for this section?

A. Detailed step-by-step reproduction steps for each vulnerability
B. A list of all discovered IP addresses and open ports
C. A high-level overview of risks, business impact, and recommended strategic improvements
D. The raw output of automated scanning tools used during the test
Answer: C

This format allows board members to understand the security posture in the context of business risk and make informed decisions.

Why this answer

The executive summary is intended for the board of directors, who require a high-level understanding of risks, business impact, and strategic recommendations rather than technical details. Option C aligns with the PT0-002 objective of tailoring communication to the audience, focusing on risk posture and remediation priorities that inform executive decision-making.

Exam trap

CompTIA often tests the candidate's ability to distinguish between audience-appropriate content, trapping those who confuse the executive summary with the technical report by including granular technical data like reproduction steps or raw scan results.

How to eliminate wrong answers

Option A is wrong because detailed step-by-step reproduction steps belong in the technical report or findings appendix, not the executive summary, which must avoid overwhelming non-technical stakeholders with procedural minutiae. Option B is wrong because a raw list of IP addresses and open ports is operational data for the technical team; the executive summary should synthesize this into risk context and business impact, not present unprocessed reconnaissance output.

87
MCQ · hard

A client requests a penetration test but refuses to provide any information about the target systems due to security concerns. What is the most appropriate response from the tester?

A. Escalate to management
B. Offer a grey box test with minimal info
C. Conduct a black box test as requested
D. Decline the engagement
Answer: C

Black box testing assumes no prior information, meeting the client's requirements.

Why this answer

Conducting a black box test is appropriate when the client wants zero information sharing. Declining may be premature, insisting on disclosure violates the client's policy, and offering a grey box still requires some information.

88
MCQ · easy

A penetration tester is conducting information gathering on a target organization. The tester discovers a public code repository that contains configuration files with embedded credentials. Which of the following is the BEST next step?

A. Notify the organization's security team of the exposed credentials.
B. Attempt to crack the passwords to gain further access.
C. Document the findings and proceed with passive reconnaissance.
D. Use the credentials to log into the target system immediately.
Answer: A

This is the ethical and professional course of action to mitigate risk.

Why this answer

Option A is correct because the tester has discovered exposed credentials in a public code repository, which is a critical security finding that requires immediate disclosure to the organization's security team. Ethical penetration testing mandates that any discovered vulnerabilities, especially those involving credential exposure, be reported promptly to prevent unauthorized access and potential data breaches. Proceeding with further exploitation without authorization violates the rules of engagement and could cause legal or operational harm.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with active exploitation, thinking that documenting and moving on is sufficient, when in fact exposed credentials demand immediate action to prevent real-world compromise.

How to eliminate wrong answers

Option B is wrong because attempting to crack the passwords is an active exploitation step that goes beyond passive information gathering and violates the scope of engagement without prior authorization. Option C is wrong because documenting the findings and proceeding with passive reconnaissance ignores the urgency of exposed credentials, which could be exploited by malicious actors in the meantime. Option D is wrong because using the credentials to log into the target system immediately constitutes unauthorized access and is a violation of ethical hacking principles and legal boundaries.

89
MCQ · medium

A penetration tester is writing a Bash script to automate the extraction of password hashes from a Windows system after gaining SYSTEM-level access. The script uses 'reg.exe' to save the SAM and SYSTEM hives. Which command should the tester include in the script to export the SAM hive to a file?

A. reg save HKLM\SAM sam.hive
B. reg export HKLM\SAM sam.hive
C. reg backup HKLM\SAM sam.hive
D. reg copy HKLM\SAM sam.hive
Answer: A

reg save creates a binary copy of the hive, which can be used for offline extraction.

Why this answer

The correct command is 'reg save HKLM\SAM sam.hive' because 'reg save' creates a binary copy of the specified registry hive, which is necessary for offline extraction of password hashes. The SAM hive contains the hashed credentials, and saving it as a file allows tools like 'samdump2' or 'secretsdump.py' to parse the hashes. The other options either export in a non-binary format or use a non-existent command.

Exam trap

The trap here is that candidates confuse 'reg export' (which produces a human-readable text file) with 'reg save' (which produces a binary hive file), leading them to choose the export option for hash extraction.

How to eliminate wrong answers

Option B is wrong because 'reg export' exports the registry hive in a text-based .reg file format, which is not suitable for binary hash extraction and cannot be parsed by hash-dumping tools. Option C is wrong because 'reg backup' is not a valid command in reg.exe; the correct command for saving a hive is 'reg save', and 'backup' is a misconception or a different utility.

90
MCQ · hard

A penetration tester is writing a report and needs to classify vulnerabilities by risk level. The client has a formal risk acceptance process. Which of the following best describes the purpose of including a risk acceptance section in the report?

A. To provide step-by-step remediation instructions
B. To record vulnerabilities the client has decided not to fix, with justification
C. To justify why the tester did not exploit certain vulnerabilities
D. To document all vulnerabilities found during the test
Answer: B

This section formalizes the client's decision to accept risk.

Why this answer

Option B is correct because the risk acceptance section formally documents which vulnerabilities the client chooses not to remediate, providing a clear record for compliance and future audits. Option D is incorrect because risk acceptance is about accepting risk, not documenting all findings. Option A is incorrect because step-by-step remediation instructions are part of the remediation plan, not risk acceptance.

Option C is incorrect because the section records the client's decision, not the tester's justification.

91
MCQ · easy

A penetration tester is compiling the final report. The client's compliance officer requires a section that maps each finding to specific regulatory requirements (e.g., PCI DSS, HIPAA). Which section of the report is best suited for this mapping?

A. Executive Summary
B. Technical Findings
C. Compliance Mapping
D. Appendices
Answer: C

This section is specifically designed to correlate vulnerabilities to compliance standards, addressing the compliance officer's need.

Why this answer

The Compliance Mapping section is specifically designed to cross-reference each technical finding with relevant regulatory frameworks such as PCI DSS, HIPAA, or GDPR. This allows the compliance officer to quickly verify that all required controls are addressed and that the report meets audit or legal standards. The other sections focus on summarizing or detailing technical issues, not on mapping findings to specific regulations.

Exam trap

The trap here is that candidates often confuse the Technical Findings section as the place for all detailed information, including compliance references, but the exam expects a dedicated Compliance Mapping section to satisfy audit and regulatory requirements separately.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview of the engagement's objectives, scope, and critical risks for management, not a detailed mapping to regulatory requirements. Option B is wrong because the Technical Findings section describes vulnerabilities, exploitation steps, and remediation in depth, but does not explicitly correlate each finding with specific compliance standards like PCI DSS or HIPAA.

92
MCQ · easy

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

A. Google dorking
B. DNS brute forcing
C. WHOIS lookup
D. SMB enumeration
Answer: A

Google dorking can reveal email addresses from public sources indexed by search engines, requiring no direct interaction with the target.

Why this answer

Google dorking uses advanced search operators (e.g., site:example.com intext:@example.com) to index publicly available information from Google's cached pages, allowing discovery of email addresses without sending any packets to the target's infrastructure. This passive reconnaissance technique relies solely on pre-existing search engine data, making it ideal for avoiding direct interaction with the target.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with techniques like DNS brute forcing or WHOIS lookups, but DNS brute forcing is active (sends packets) and WHOIS lookups only yield limited administrative contacts, not the broad email discovery that Google dorking provides.

How to eliminate wrong answers

Option B (DNS brute forcing) is wrong because it involves sending DNS queries to the target's name servers to enumerate subdomains, which generates network packets and active interaction with the target's systems. Option C (WHOIS lookup) is wrong because while it is passive, it typically returns administrative and technical contact emails (e.g., admin@example.com) rather than a broad set of user email addresses associated with the domain, and it queries public WHOIS databases, not the target's own systems.

93
Multi-Select · hard

A penetration tester is assessing a wireless network's security. The tester wants to capture WPA2 handshakes for offline password cracking. Which two attacks can be used to force a client to re-authenticate and capture the handshake? (Choose TWO.)

Select 2 answers
A. Rogue DHCP server attack
B. ARP poisoning attack
C. Evil twin attack
D. Disassociation attack
E. Deauthentication attack
Answers: D, E

Disassociation frames also disconnect clients, prompting reconnection and handshake capture.

Why this answer

A deauthentication attack (Option E) sends deauth frames from the access point to the client, forcing it to disconnect and reconnect, thereby generating a new WPA2 4-way handshake. A disassociation attack (Option D) similarly sends disassociation frames to break the client's connection, prompting re-authentication. Both attacks exploit management frame vulnerabilities in 802.11 to capture the handshake for offline cracking.

Exam trap

CompTIA often tests the distinction between deauthentication and disassociation attacks as both valid methods, while candidates may mistakenly think only one is correct or confuse them with ARP poisoning or evil twin attacks.

94
MCQ · easy

Which agreement is typically signed before a penetration test to protect both parties from legal liability?

A. Authorization letter
B. Indemnification agreement
C. Hold harmless agreement
D. Mutual NDA
Answer: C

This agreement waives liability for damages during testing.

Why this answer

A hold harmless agreement (or similar liability waiver) protects both the client and tester from legal claims arising from the test. Mutual NDA covers confidentiality, while authorization and statement of work define scope but not liability.

95
MCQ · easy

A penetration tester wants to discover all subdomains of a target domain without directly querying the target's DNS servers to avoid detection. Which technique is most appropriate?

A. DNS zone transfer
B. Brute-force subdomain enumeration using a wordlist
C. Passive DNS enumeration using public data sources
D. SNMP community string enumeration
Answer: C

Passive enumeration relies on publicly available records and does not require sending packets to the target, thus avoiding detection.

Why this answer

Passive DNS enumeration leverages public data sources such as certificate transparency logs, search engine caches, and passive DNS databases (e.g., VirusTotal, SecurityTrails) to discover subdomains without sending any queries to the target's authoritative DNS servers. This approach avoids generating DNS traffic that could be logged or detected by the target's monitoring systems, making it ideal for stealthy reconnaissance.

Exam trap

The trap here is that candidates may confuse passive enumeration with brute-force or zone transfer techniques, overlooking the explicit requirement to avoid direct DNS queries and detection, which only passive methods satisfy.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer (AXFR) requires the target's DNS server to be misconfigured to allow unrestricted zone transfers, and it directly queries the target's DNS server, which would be detected. Option B is wrong because brute-force subdomain enumeration using a wordlist involves sending numerous DNS queries to the target's DNS servers to test each subdomain, generating detectable traffic and defeating the requirement to avoid direct queries.

96
MCQ · medium

A penetration tester is using Burp Suite to test a web application. The tester notices that the application relies on client-side JavaScript validation to restrict input. To bypass this validation and test for server-side vulnerabilities, which Burp Suite feature is MOST useful for automatically modifying requests before they are sent to the server?

A. Proxy (with Match and Replace rules)
B. Intruder
C. Repeater
D. Decoder
Answer: A

The Proxy module intercepts HTTP traffic and can apply automatic modifications via Match and Replace rules, effectively bypassing client-side restrictions.

Why this answer

The Proxy's Match and Replace rules allow the tester to automatically modify HTTP requests in transit, such as stripping or altering client-side validation parameters (e.g., maxlength, pattern attributes) before they reach the server. This bypasses client-side JavaScript restrictions because the modifications occur after the browser's validation but before the request is forwarded to the server, enabling direct testing of server-side input handling.

Exam trap

The trap here is that candidates often confuse Intruder's ability to send many requests with automatic modification of live traffic, not realizing that Intruder requires manual payload configuration and does not intercept browser-generated requests in real-time like Proxy Match and Replace does.

How to eliminate wrong answers

Option B (Intruder) is wrong because Intruder is designed for automated brute-force attacks, fuzzing, or parameter enumeration by sending many crafted requests, but it does not automatically modify requests as they pass through a proxy; it requires manual configuration of payload positions and does not intercept live browser traffic. Option C (Repeater) is wrong because Repeater is used for manually resending and tweaking individual requests after they have been captured, but it does not automatically modify requests in real-time before they are sent to the server; it operates on already-captured requests and lacks the automatic, on-the-fly substitution capability of Match and Replace rules.

97
MCQ · medium

A penetration tester wants to identify all subdomains for a target domain using only public records. Which technique is most effective for this purpose?

A. Searching crt.sh (Certificate Transparency logs).
B. DNS zone transfer.
C. Using Nmap to brute-force subdomains.
D. Querying the domain's MX records.
Answer: A

Certificate logs are public and contain SAN entries, making them an excellent source for passive subdomain enumeration. Tools like crt.sh or DigiCert's log search can be queried.

Why this answer

Certificate Transparency logs, accessible via crt.sh, are a public record of all SSL/TLS certificates issued for a domain. Since certificates often include Subject Alternative Names (SANs) listing subdomains, querying crt.sh reveals subdomains without any interaction with the target's infrastructure. This technique is passive, requires no authorization, and leverages mandatory logging per RFC 6962, making it highly effective for enumeration from public records.

Exam trap

The trap here is that candidates confuse 'public records' with 'active DNS queries' and choose DNS zone transfer (B) or brute-forcing (C), failing to recognize that Certificate Transparency logs are the only passive, public-record-based option listed.

How to eliminate wrong answers

Option B is wrong because DNS zone transfer (AXFR) is not a public record technique; it requires explicit server configuration to allow transfers, and modern DNS servers almost always restrict it to authorized secondary nameservers, making it a high-risk, active technique that rarely succeeds against hardened targets. Option C is wrong because using Nmap to brute-force subdomains is an active scanning technique that generates network traffic to the target's DNS servers, which is not 'using only public records' and can be detected or blocked, unlike passive methods.
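A worked example of the passive technique in this question, added here and not part of the original question bank: parsing the JSON that crt.sh returns (the query URL in fetch_crtsh is the service's public output=json interface) into a de-duplicated list of subdomains. The records are constructed to mirror that format so the example runs offline.

```python
"""Extract subdomains from crt.sh Certificate Transparency results.

Added example, not part of the original question bank. crt.sh serves JSON
at https://crt.sh/?q=%25.<domain>&output=json; each record's name_value
field holds the certificate's Subject Alternative Names, one per line.
The records below are constructed to look like that output so the example
runs without network access.
"""
import json

# Constructed sample: three certificate records returned for example.com.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com\nVPN.Example.com"},
    {"id": 3, "common_name": "dev.example.com",
     "name_value": "dev.example.com\nexample.com.attacker.test"},
])


def subdomains_from_crtsh(raw_json, domain):
    """Return a sorted list of unique hostnames under `domain`.

    Wildcards (*.example.com) are dropped because they are not hosts; names
    are lower-cased; hostnames that merely contain the domain as a substring
    (example.com.attacker.test) are excluded, since a crt.sh query is a
    pattern search and can return certificates for unrelated names.
    """
    domain = domain.lower().strip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain, timeout=30):
    """Live query against crt.sh (needs network); returns the raw JSON text."""
    from urllib.parse import quote
    from urllib.request import urlopen
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_crtsh(domain)
    # to enumerate a domain you are authorised to assess.
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```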

98
MCQ (easy)

A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?

A. Detailed step-by-step replication steps for each vulnerability
B. A list of all CVSS scores for each finding
C. A high-level overview of the test's objectives, scope, and key findings with business impact
D. Raw scan output from vulnerability scanners
Answer: C

This is exactly what executives need to understand the outcomes and make informed decisions about resource allocation.

Why this answer

The executive summary is intended for non-technical leadership who need to grasp the overall risk posture quickly. Option C provides a high-level overview of objectives, scope, and key findings with business impact, which aligns with the PT0-002 objective of tailoring communication to the audience. Detailed technical data like replication steps or raw CVSS scores belong in the technical report, not the executive summary.

Exam trap

The trap here is that candidates confuse the executive summary with the technical report, thinking that including raw data like CVSS scores or replication steps makes the summary more 'complete,' when in fact it overwhelms the intended audience with irrelevant detail.

How to eliminate wrong answers

Option A is wrong because detailed step-by-step replication steps are operational details meant for the technical report or remediation team, not for executives who need a strategic risk overview. Option B is wrong because a list of all CVSS scores is too granular and lacks business context; executives need interpreted risk levels (e.g., critical, high) tied to business impact, not raw numerical scores.

99
MCQ (medium)

A penetration tester has gained initial access to a Linux server through a vulnerable web application. The server has a restrictive outbound firewall that only allows traffic on ports 80, 443, and 53. The tester wants to establish a reverse shell that is likely to bypass the firewall. Which of the following techniques would be most effective?

A. Use a reverse shell listener on TCP port 3389 and connect from the target
B. Use a bind shell on the target's port 4444 and connect directly
C. Use a reverse shell over DNS by encoding commands in DNS queries
D. Use a reverse shell on TCP port 8080 and hope it is not blocked
Answer: C

DNS traffic (UDP 53) is often allowed outbound for name resolution. Tools like dnscat2 can encapsulate data in DNS packets, enabling a reverse shell that can bypass the firewall.

Why this answer

Option C is correct because DNS traffic on port 53 is typically allowed through restrictive outbound firewalls, and encoding reverse shell commands within DNS queries allows the tester to tunnel traffic over DNS, bypassing the firewall's port restrictions. Tools like dnscat2 or iodine can encapsulate TCP data in DNS requests, making the reverse shell appear as legitimate DNS traffic.

Exam trap

The trap here is that candidates may assume a reverse shell on a non-standard port (like 3389) will work because it is a common service port, but the firewall's explicit allow list (80, 443, 53) means every other port is blocked, and DNS tunneling is the only option listed that leverages an allowed protocol for covert communication.

How to eliminate wrong answers

Option A is wrong because TCP port 3389 (RDP) is not on the firewall's outbound allow list of 80, 443, and 53, so the target could not connect back to a listener on that port. Option B is wrong because a bind shell opens a listening port on the target (4444) and requires the tester to connect in to it; the outbound rules are not what stops that, but the tester has no direct route to the target if it sits behind NAT, so the connection cannot be made.

100
MCQ (easy)

A penetration tester needs to enumerate active hosts and open ports on a network segment with minimal network traffic. Which tool should the tester use?

A. Nmap
B. Metasploit
C. Nikto
D. Hydra
Answer: A

Nmap is the standard tool for host discovery and port scanning, with options like -sn for ping sweeps that produce minimal traffic.

Why this answer

Nmap with -sn (ping scan) is designed for host discovery using minimal network traffic. Hydra is for password cracking, Metasploit is an exploitation framework, and Nikto is a web server scanner.

101
MCQ (medium)

A penetration tester has completed a test and is finalizing the report. The client's security team needs to know the exact commands and steps to reproduce a critical remote code execution vulnerability. In which section of the report should this information be primarily documented?

A. Executive Summary
B. Methodology
C. Findings and Remediation
D. Appendix
Answer: C

This section details each finding, including how to reproduce it, evidence, and remediation recommendations. It is intended for the technical team.

Why this answer

The Findings and Remediation section is the correct place to document the exact commands and steps to reproduce a critical remote code execution vulnerability. This section provides detailed technical evidence, including proof-of-concept (PoC) code, command syntax, and step-by-step reproduction steps, enabling the client's security team to validate and remediate the issue. The Executive Summary is too high-level for such technical details, and the Methodology section describes the overall testing approach, not specific exploit commands.

Exam trap

The trap here is that candidates confuse the Methodology section (which describes the general process) with the Findings section (which contains specific exploit details), leading them to incorrectly choose Methodology when the question asks for exact commands and steps to reproduce.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for management, focusing on risk ratings, business impact, and strategic recommendations, not the precise commands or reproduction steps. Option B is wrong because the Methodology section outlines the penetration testing framework, tools, and techniques used (e.g., scanning, enumeration, exploitation phases) but does not include the specific commands or step-by-step reproduction of individual vulnerabilities.

102
MCQ (easy)

A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?

A. Scanning open ports on the target web server
B. Using a search engine to find exposed documents
C. Sending a crafted ICMP echo request to the target
D. Attempting a SQL injection on a login form
Answer: B

Correct. Search engines index publicly accessible data; this activity does not send traffic to the target.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target's systems. Using a search engine to find exposed documents (e.g., via Google dorking) relies on publicly indexed data, which does not send any packets to the target's infrastructure. This aligns with the definition of passive reconnaissance as it leverages third-party sources rather than engaging the target directly.

Exam trap

The trap here is that candidates often confuse 'passive' with 'low-interaction' activities, mistakenly thinking that sending a single ICMP packet or a simple port scan is passive because it seems minimal, but any direct packet transmission to the target constitutes active reconnaissance.

How to eliminate wrong answers

Option A is wrong because scanning open ports on the target web server requires sending TCP or UDP packets to the target, which constitutes active reconnaissance as it directly interacts with the target's systems. Option C is wrong because sending a crafted ICMP echo request (ping) to the target is an active probe that elicits a response from the target's network stack, making it active reconnaissance, not passive.

103
MCQ (hard)

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

A. Use a bind shell on a high TCP port and connect from the tester's machine
B. Encode the payload in Base64 and use DNS tunneling to execute commands
C. Attempt a reverse shell over HTTP using TCP port 80
D. Use SSH reverse port forwarding to the tester's server on port 443
Answer: B

DNS tunneling can encode arbitrary data within DNS queries, which are allowed through the firewall, and can be used to establish a two-way communication channel, enabling a reverse shell.

Why this answer

Option B is correct because DNS tunneling encapsulates non-DNS traffic (e.g., command output) within DNS query and response packets, which are allowed through the firewall on UDP port 53. This technique bypasses the outbound firewall restriction by making the malicious traffic appear as legitimate DNS queries, enabling the tester to execute commands and exfiltrate data without triggering network-level blocks.

Exam trap

The trap here is that candidates assume a reverse shell over HTTP (TCP 80) will work because HTTP is commonly allowed, but the question explicitly states the firewall blocks all traffic except DNS queries (UDP 53), making TCP-based reverse shells fail regardless of the port.

How to eliminate wrong answers

Option A is wrong because a bind shell opens a listening port on the target server, but the outbound firewall blocks all traffic except DNS queries, so the tester cannot initiate a connection from their machine to the target's high TCP port; the firewall would drop the inbound connection attempt. Option C is wrong because a reverse shell over HTTP using TCP port 80 would require the target server to initiate an outbound TCP connection, but the firewall blocks all outbound traffic except UDP 53, so the TCP SYN packet would be dropped by the firewall.
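Since questions 99 and 103 both turn on a reverse shell tunnelled over DNS, here is one added example covering both from the defender's side; it is not part of the original question bank or of any tool named there. It scores the client/domain pairs in a resolver log whose queries look like tunnel traffic (many unique, long, high-entropy subdomains under one registrable domain). The log format and thresholds are constructed assumptions, and a production version would use a public-suffix list instead of the last two labels.

```python
"""Flag DNS queries that look like tunnelling in a resolver log.

Added example, not part of the original question bank. A DNS tunnel carries
data in the subdomain labels of queries to a domain the operator controls,
so the tell-tale signs are many unique, long, high-entropy subdomains under
one registrable domain from one client, often as TXT, NULL or CNAME queries.
The log lines below are constructed in a simple "timestamp client qtype
qname" form; adapt parse_line() to a real resolver's log format.
"""
import math
from collections import defaultdict

SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A cdn.example.com
1700000003 10.0.0.5 AAAA mail.example.com
1700000004 10.0.0.7 TXT 3f9a1c7e2b8d4a6f9c0e1d2b3a4f5e6d.7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d.t.evil.test
1700000005 10.0.0.7 TXT 8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b.1f2e3d4c5b6a7988776655443322110.t.evil.test
1700000006 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.evil.test
1700000007 10.0.0.7 TXT 5d4c3b2a19080f7e6d5c4b3a2918f7e6.9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.evil.test
1700000008 10.0.0.5 A www.example.com
"""


def parse_line(line):
    """Constructed log format: epoch seconds, client IP, query type, query name."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def shannon_entropy(s):
    """Bits per character; hex or base32 payloads score far above real hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registrable_domain(qname):
    """Last two labels; a public-suffix list would be used in production."""
    return ".".join(qname.split(".")[-2:])


def score_tunnels(log_text, min_queries=3, unique_ratio=0.8,
                  min_entropy=3.5, min_payload_len=30):
    """Return {(client, domain): stats} for pairs that exceed every threshold."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        groups[(rec["client"], registrable_domain(rec["qname"]))].append(rec)
    flagged = {}
    for key, recs in groups.items():
        if len(recs) < min_queries:
            continue
        names = {r["qname"] for r in recs}
        # Everything in front of the registrable domain is potential payload.
        payloads = [r["qname"][: -len(key[1]) - 1] for r in recs]
        avg_len = sum(len(p) for p in payloads) / len(payloads)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in payloads) / len(payloads)
        stats = {"queries": len(recs), "unique_ratio": len(names) / len(recs),
                 "avg_payload_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                 "qtypes": sorted({r["qtype"] for r in recs})}
        if (stats["unique_ratio"] >= unique_ratio and avg_len >= min_payload_len
                and avg_ent >= min_entropy):
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in score_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Ordinary traffic to example.com is not flagged because its names repeat and its labels are short; the hex-label queries to evil.test trip all three thresholds.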

104
MCQ (easy)

A penetration tester is performing a client-side attack against a user. The tester sends an email with a malicious attachment that, when opened, executes a macro that downloads a payload. Which type of attack is this?

A. Spear phishing
B. Vishing
C. Smishing
D. Watering hole
Answer: A

This is the correct answer because the attack targets a specific user via email with a malicious attachment, which is the definition of spear phishing.

Why this answer

Spear phishing is a targeted phishing attack where the attacker crafts a personalized email to a specific individual or organization, often including a malicious attachment. In this scenario, the email with a macro-enabled attachment that downloads a payload is a classic spear phishing technique, as it exploits human trust and social engineering to deliver malware. This contrasts with generic phishing, which casts a wide net, and the client-side attack vector relies on the user executing the macro.

Exam trap

The trap here is that candidates confuse spear phishing with generic phishing or social engineering categories like vishing/smishing, but the key differentiator is the use of a personalized email with a malicious attachment, not the delivery medium (voice or SMS).

How to eliminate wrong answers

Option B (Vishing) is wrong because vishing (voice phishing) uses telephone calls or voice messages to trick victims into revealing sensitive information, not email attachments with macros. Option C (Smishing) is wrong because smishing (SMS phishing) uses text messages or SMS to deliver malicious links or requests, not email attachments with macros.

105
MCQ (hard)

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

A. The scanner used an outdated vulnerability database that does not match the application's patches
B. The scanner identified the application version from the HTTP response header, but the vulnerability was already patched in that version
C. The scanner detected a vulnerable library used by the application, but the application's implementation does not expose the vulnerable code path
D. The scanner performed an exploit attempt that succeeded on a different service on the same host
Answer: C

This is a classic false positive: the scanner sees the library version but cannot determine if the vulnerable functionality is reachable. The tester must manually validate.

Why this answer

Option C is correct because vulnerability scanners often identify libraries or components with known CVEs, but they cannot determine whether the application's code actually invokes the vulnerable functions. In this case, the scanner flagged a library with a known vulnerability, but the custom web application's implementation does not expose the vulnerable code path, resulting in a false positive. This is a common limitation of static or version-based detection versus dynamic, context-aware analysis.

Exam trap

The trap here is that candidates often assume a scanner's version-based detection is definitive, overlooking the fact that a vulnerable library may be present but not actively used in a way that exposes the vulnerability.

How to eliminate wrong answers

Option A is wrong because an outdated vulnerability database would more likely cause false negatives (missing real vulnerabilities) rather than false positives; a false positive typically arises from over-aggressive or version-based detection, not from missing patches. Option B is wrong because if the vulnerability was already patched in that version, the scanner should not report it based on the HTTP response header; this scenario would indicate a scanner misconfiguration or a bug, not a typical false positive cause, and the question specifies the application is not vulnerable, not that it was patched.

106
MCQ (medium)

During scoping, a client asks the tester to avoid a specific IP range containing legacy systems. The tester discovers these systems are vulnerable but out of scope. What should the tester do?

A. Passively monitor traffic without active exploitation
B. Ignore the legacy systems and continue as agreed
C. Notify the client and request a scope change
D. Exploit the legacy systems and include them in the report
Answer: C

This is the professional way to handle out-of-scope vulnerabilities.

Why this answer

Option C is correct because the tester should notify the client and request a scope change before testing out-of-scope systems. Option D is wrong because exploiting the legacy systems violates the agreed scope. Option B is wrong because ignoring a critical vulnerability is not best practice.

Option A is wrong because passive monitoring may still be considered testing.

107
MCQ (medium)

During a penetration test, a tester needs to capture and analyze the traffic between a client and a server over an encrypted HTTPS connection. The tester has access to the server's private key. Which technique or tool should the tester employ?

A. Use Nmap's ssl-enum-ciphers script
B. Use Burp Suite with a proxy
C. Import the private key into Wireshark and enable TLS decryption
D. Capture packets with TCPDump and analyze with OpenSSL
Answer: C

Wireshark can use the private key to decrypt TLS traffic when configured in the TLS protocol preferences.

Why this answer

Using Wireshark with the server's private key allows decryption of TLS traffic by configuring the SSL/TLS protocol with the private key in the preferences. Burp Suite requires a CA certificate and proxy setup, but without client-side changes, it's less direct. TCPDump alone cannot decrypt.

OpenSSL can be used to decrypt a captured session if the handshake is captured, but Wireshark is the standard tool for analysis.

108
MCQ (medium)

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

A. Increase the scan intensity to send more payloads
B. Enable safe checks or anti-false positive mode
C. Increase the HTTP request timeout
D. Disable vulnerability detection for certain plugins
Answer: B

Safe checks use additional verification steps to confirm a vulnerability before reporting it, reducing false positives.

Why this answer

Enabling safe checks or anti-false positive mode configures the scanner to send payloads that conform to expected application input constraints (e.g., length limits, character sets) rather than oversized or malformed payloads. This reduces false positives by ensuring that the scanner only reports vulnerabilities that are actually reachable and exploitable under normal application behavior, rather than triggering truncation or rejection logic that is not a security flaw.

Exam trap

The trap here is that candidates may confuse 'increasing scan intensity' with 'more thorough testing,' but in reality, it amplifies the very behavior (oversized payloads) that causes false positives, while 'safe checks' directly mitigates the root cause.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity sends more payloads, which would likely increase the number of oversized payloads and thus increase false positives, not reduce them. Option C is wrong because increasing the HTTP request timeout only affects how long the scanner waits for a response; it does not change the payload size or content, so it cannot reduce false positives caused by payload truncation or rejection.

109
Multi-Select (medium)

A penetration tester is analyzing a network packet capture to identify potential attacks. Which two indicators suggest a successful SQL injection attempt?

Select 2 answers
A. Multiple failed login attempts
B. A large number of HTTP 500 errors
C. A query string containing ' OR 1=1--
D. Unexpected data in the response body
E. A significant increase in outbound traffic
Answers: C, D

This is a classic SQL injection payload.

Why this answer

Options C and D are correct. C shows a direct SQL injection payload in the query string. D shows unexpected data in the response, indicating successful extraction.

Option B is wrong because 500 errors might occur but are not specific to SQL injection. Option E is wrong because outbound traffic is not a direct indicator. Option A is wrong because login failures relate to authentication, not SQL injection.
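Here is the detection logic for the two indicators in this question, as an added example that is not part of the original question bank: a Python routine that reports a captured request only when its query string matches an injection pattern and its response deviates from what that path normally returns. The capture, patterns and thresholds are constructed.

```python
"""Correlate SQL-injection indicators in captured HTTP request/response pairs.

Added example, not from the original question bank. The two indicators are
(1) a query string carrying a payload such as ' OR 1=1-- and (2) unexpected
data in the response. A request is reported only when both hold: its decoded
query matches an injection pattern and its response deviates from the
baseline seen for the same path (a database error string, an HTTP 5xx, or a
body far larger than that path normally returns). The capture below is
constructed; a real one would be extracted from a pcap or proxy log.
"""
import re
from statistics import median
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),  # ' OR 1=1, ' OR 'a'='a
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r"(--|#|/\*)\s*$"),                                 # trailing SQL comment
    re.compile(r";\s*(drop|insert|update|delete)\s", re.I),
]
DB_ERRORS = ["sql syntax", "sqlite3.", "ora-", "odbc", "pg_query", "mysql_fetch"]

# Constructed capture: (client, request line, status, response body)
CAPTURE = [
    ("10.1.1.20", "GET /items?id=7 HTTP/1.1", 200, '{"items":[{"id":7,"name":"lamp"}]}'),
    ("10.1.1.21", "GET /items?id=8 HTTP/1.1", 200, '{"items":[{"id":8,"name":"desk"}]}'),
    ("10.1.1.21", "GET /items?id=9 HTTP/1.1", 200, '{"items":[{"id":9,"name":"rug"}]}'),
    ("10.1.1.99", "GET /items?id=7%27%20OR%201%3D1-- HTTP/1.1", 200,
     '{"items":[' + ",".join('{"id":%d,"name":"x"}' % i for i in range(1, 200)) + "]}"),
    ("10.1.1.99", "GET /items?id=7%27%20UNION%20SELECT%20null-- HTTP/1.1", 500,
     "You have an error in your SQL syntax"),
    ("10.1.1.20", "GET /login?user=bob&pw=wrong HTTP/1.1", 401, "bad credentials"),
]


def injection_matches(request_line):
    """Return the (param, value) pairs whose decoded value matches a pattern."""
    target = request_line.split()[1]
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # catch double-encoded payloads too
        if any(p.search(value) for p in SQLI_PATTERNS):
            hits.append((key, value))
    return hits


def baseline_body_lengths(capture):
    """Median body length per path, computed only from requests without payloads."""
    per_path = {}
    for _, req, _, body in capture:
        if injection_matches(req):
            continue
        per_path.setdefault(urlsplit(req.split()[1]).path, []).append(len(body))
    return {p: median(v) for p, v in per_path.items()}


def find_successful_injections(capture, size_factor=3.0):
    """Report requests that carry a payload AND whose response looks abnormal."""
    baselines = baseline_body_lengths(capture)
    findings = []
    for client, req, status, body in capture:
        hits = injection_matches(req)
        if not hits:
            continue
        path = urlsplit(req.split()[1]).path
        reasons = []
        if any(e in body.lower() for e in DB_ERRORS):
            reasons.append("database error in response")
        base = baselines.get(path)
        if base and len(body) > size_factor * base:
            reasons.append(f"response {len(body)}B vs baseline {base:.0f}B")
        if status >= 500:
            reasons.append(f"HTTP {status}")
        if reasons:
            findings.append({"client": client, "request": req,
                             "payloads": hits, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_successful_injections(CAPTURE):
        print(finding)
```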

110
MCQ (medium)

A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?

A. The production servers hosting the app when it goes live
B. Only the test server and the mobile application client
C. The corporate VPN infrastructure
D. All third-party APIs used by the application
Answer: B

These are the actual targets of the test and should be scoped.

Why this answer

Option B is correct because the scope of a penetration test for an application still in development should be limited to the test server and the mobile application client. This ensures the assessment focuses on the application's security posture without including production systems that are not yet live or the corporate VPN infrastructure, which is typically out of scope unless explicitly requested. The tester should only evaluate the components directly relevant to the application's functionality and security during development.

Exam trap

The trap here is that candidates may mistakenly include the corporate VPN infrastructure or production servers, thinking they are necessary for a comprehensive test, but the scope must be strictly limited to the components specified by the client to avoid unauthorized testing and scope creep.

How to eliminate wrong answers

Option A is wrong because including production servers that are not yet live or accessible during the test would extend the scope beyond the client's request, potentially introducing risks to systems that are not part of the current development phase. Option C is wrong because the corporate VPN infrastructure is a network component that provides access to the test server, but it is not part of the mobile application itself; testing it would require separate authorization and is outside the scope of an application-focused penetration test.

111
MCQ (easy)

A client requests a penetration test of their production environment that includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A. The tester will only use passive reconnaissance techniques
B. A 'stop loss' condition that requires immediate termination of testing if system metrics exceed defined thresholds
C. Exclude all financial transaction systems from the scope of testing
D. The client must provide a service level agreement (SLA) to the tester
Answer: B

This ensures that testing halts if it starts to cause unacceptable performance degradation, protecting production systems.

Why this answer

Option B is correct because a 'stop loss' condition is a standard mechanism in Rules of Engagement (RoE) that defines specific system metrics (e.g., CPU utilization > 90%, memory usage > 80%, or transaction latency > 500ms) which, when exceeded, require immediate termination of testing. This directly addresses the client's concern about service disruptions in the production environment by providing a safety threshold that prevents the penetration test from causing performance degradation or outages in critical financial transaction systems.

Exam trap

The trap here is that candidates may confuse 'scope exclusion' (Option C) with a valid risk mitigation strategy, but the PT0-002 exam expects testers to include controls like stop-loss conditions to enable safe testing of in-scope critical systems rather than excluding them.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance techniques (e.g., OSINT, traffic sniffing without injection) are insufficient for a full penetration test of financial transaction systems; they cannot validate active vulnerabilities like SQL injection or authentication bypass, and the client's concern about disruption is not addressed by limiting to passive techniques since active testing is still needed for meaningful security assessment. Option C is wrong because excluding all financial transaction systems from scope would render the penetration test ineffective for the client's primary concern—these systems are the critical assets that need testing; the goal is to test them safely, not to avoid them entirely.

112
MCQ (hard)

A penetration tester is analyzing a password hash obtained from a Windows domain controller. The hash format is $NT$70676e... and the tester wants to crack it using a rule-based attack. Which tool is best suited for this task?

A. Cain & Abel
B. John the Ripper
C. Hydra
D. Nikto
Answer: B

John the Ripper has built-in support for NTLM hashes and rule-based attacks.

Why this answer

John the Ripper is a classic password cracker that supports NTLM hashes and rule-based attacks. Hashcat is also capable but typically requires specifying the hash mode; John is more straightforward for initial cracking. Hydra is for online cracking, not offline hash cracking.

Cain & Abel is outdated and less efficient.

113
MCQ (easy)

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

A. The client's headquarters location determines which laws apply
B. Data collected during the test must be stored only within the country of operation and deleted after the engagement
C. All findings must be reported in the local language of the country of operation
D. The penetration testers must be citizens of the country where the systems reside
Answer: B

This addresses data sovereignty and privacy requirements common in many jurisdictions, making it a key legal consideration for the ROE.

Why this answer

Option B is correct because under strict data privacy laws like GDPR, personal data collected during a penetration test must be stored within the jurisdiction where it was obtained and deleted once the engagement is complete. This ensures compliance with data localization and minimization requirements, which are critical legal considerations in the rules of engagement.

Exam trap

The trap here is that candidates often confuse practical or contractual preferences (like language or citizenship) with mandatory legal requirements, overlooking the core data sovereignty and deletion obligations that are non-negotiable under strict privacy laws.

How to eliminate wrong answers

Option A is wrong because data privacy laws often apply based on the location of the data subjects or where the data is processed, not solely the client's headquarters; for example, GDPR applies to any entity processing EU residents' data regardless of headquarters location. Option C is wrong because while reporting in the local language may be a practical or contractual requirement, it is not a legal mandate under typical data privacy laws like GDPR, which focus on data protection rather than language of reporting. Option D is wrong because there is no legal requirement under GDPR or similar laws that penetration testers must be citizens of the country where the systems reside; such a restriction would be unusual and not a standard legal consideration.

114
MCQ (easy)

A penetration tester has physical access to a small office. The network switch is in a locked cabinet, but the tester notices the lock is broken. The switch has multiple ports, and the tester wants to connect to the internal network. The tester has a laptop with an Ethernet port. However, the tester suspects that port security is enabled on the switch ports, which would block the connection if the MAC address is not authorized. Which action should the tester take first to gain network access?

A. Perform a MAC flooding attack to fill the switch's MAC table.
B. Use a DHCP starvation attack to exhaust IP addresses.
C. Plug the laptop into an available switch port.
D. Connect to the switch's console port and attempt default credentials.
Answer: D

If successful, the tester can disable port security or add their MAC address as authorized, gaining network access.

Why this answer

Option D is correct because the tester has physical access to the switch and the lock is broken, allowing direct console access. If port security is enabled, plugging into a data port (Option C) would be blocked. The fastest first step is to connect to the console port and try default credentials (e.g., cisco/cisco) to gain administrative control of the switch, which can then be used to disable port security or add the tester's MAC address to the allowed list.

Exam trap

The trap here is that candidates assume physical access to a switch port means they can simply plug in (Option C), but Cisco exams emphasize that port security is a common Layer 2 control that must be bypassed via management access first, not by attacking the data plane.

How to eliminate wrong answers

Option A is wrong because a MAC flooding attack aims to overflow the switch's CAM table, forcing it into hub mode (flooding traffic out all ports), but it does not bypass port security—the tester's own MAC would still be unauthorized and the port would be err-disabled or blocked. Option B is wrong because a DHCP starvation attack exhausts the DHCP pool to cause a denial of service or force clients to use a rogue DHCP server; it does not grant the tester network access through a port-secured switch port. Option C is wrong because if port security is enabled with MAC address filtering, plugging directly into an available port will trigger a security violation (e.g., shutdown, restrict, or protect mode), blocking the tester's connection immediately.

115
MCQ (easy)

A client requests a penetration test of their network and provides a list of IP addresses. During scoping, the tester notices that several IP addresses belong to a major cloud service provider. What should the tester do FIRST before including those IP addresses in the test?

A. Proceed with testing since the client provided the IP addresses
B. Ask the client to verify ownership and obtain written authorization from the cloud provider if needed
C. Exclude the cloud IP addresses from the scope without further discussion
D. Perform a quick port scan to determine if the IPs are responsive before deciding
Answer: B

This ensures that testing is performed legally and ethically, with proper authorization from all parties involved.

Why this answer

Option B is correct because testing cloud provider IP addresses without explicit authorization violates the cloud provider's terms of service and could be considered unauthorized access, potentially leading to legal action. The tester must first verify that the client actually owns those IPs (e.g., via ARIN WHOIS or cloud provider documentation) and obtain written authorization from the cloud provider, as the provider's shared infrastructure means the tester's traffic could impact other tenants. This aligns with the PT0-002 scoping requirement to confirm all targets are within the authorized boundary.

Exam trap

CompTIA often tests the misconception that a client-provided IP list is sufficient authorization, but the trap here is that cloud IPs require additional verification and written permission from the provider due to multi-tenant risks and legal boundaries.

How to eliminate wrong answers

Option A is wrong because proceeding with testing solely based on the client's list ignores the critical step of verifying ownership and authorization, risking violation of laws like the Computer Fraud and Abuse Act (CFAA) and cloud provider policies. Option C is wrong because excluding cloud IPs without discussion may omit legitimate client-owned resources (e.g., a VPC or dedicated host) that should be tested, and the tester must first clarify ownership rather than making assumptions.

116
MCQeasy

During scoping, a client insists that no social engineering be used. Which rule of engagement element does this affect?

A.Rules of engagement
B.Constraints
C.Limitations
D.Scope
AnswerC

Limitations specify restrictions like disallowed techniques.

Why this answer

Limitations define what is off-limits or restricted during the test, such as prohibiting social engineering. Rules of engagement and scope are broader concepts, while constraints is a less specific term.

117
MCQeasy

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

A.T0 (Paranoid)
B.T1 (Sneaky)
C.T3 (Normal)
D.T5 (Insane)
AnswerA

T0 uses the slowest timing, ideal for stealth by spacing out packets to avoid IDS thresholds.

Why this answer

The T0 (Paranoid) timing template is the most appropriate because it introduces an extremely slow scan rate, sending packets at a rate of no more than one packet every 5 minutes (300 seconds). This slow pace is designed to evade threshold-based intrusion detection systems (IDS) that trigger alerts when they detect a high volume of traffic from a single source within a short time window, making it ideal for stealthy internal reconnaissance.

Exam trap

The trap here is that candidates often choose T1 (Sneaky) thinking it is 'stealthy enough' without realizing that the PT0-002 exam expects the most extreme option (T0) when the goal is to minimize detection, as any detectable pattern—even at 15-second intervals—can be caught by modern IDS/IPS systems.

How to eliminate wrong answers

Option B (T1 - Sneaky) is wrong because, while slower than normal, it sends packets at intervals of 15 seconds, which is still too fast for environments where the IDS has a low threshold for connection attempts and may still trigger alerts. Option C (T3 - Normal) is wrong because it uses the default timing template with no deliberate delay, sending packets as fast as the network and target allow, which is highly likely to be detected by any IDS monitoring for scan patterns.

118
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library. The script contains the line: `packet = IP(dst='10.0.0.1')/TCP(dport=80, flags='S')`. The tester then uses `sr1(packet, timeout=2)`. What is the primary purpose of this code?

A.Perform a TCP SYN scan to determine if port 80 is open
B.Perform a DNS resolution for the target IP
C.Send a TCP ACK packet to test firewall rules
D.Complete a full TCP three-way handshake
AnswerA

The SYN packet is sent; if a SYN-ACK is received, the port is open. This is a stealthy port scan technique.

Why this answer

The code constructs an IP packet with destination 10.0.0.1 and a TCP segment with destination port 80 and the SYN flag set (flags='S'). The sr1() function sends this packet and waits for a response (up to 2 seconds). This is the classic technique for a TCP SYN scan: if a SYN-ACK is received, the port is open; if an RST is received, the port is closed.

The primary purpose is therefore to probe whether port 80 on the target is open.

Exam trap

The trap here is confusing the flags in a TCP header: candidates may mistakenly think 'S' stands for 'send' or 'scan' rather than 'SYN', or they may conflate SYN scans with ACK scans, which serve different purposes in firewall rule detection.

How to eliminate wrong answers

Option B is wrong because DNS resolution is performed using DNS query packets (typically UDP port 53) or via libraries like socket.gethostbyname(), not by sending a TCP SYN packet to port 80. Option C is wrong because a TCP ACK packet would have flags='A', not flags='S'; ACK scans are used to map firewall rules (looking for RST responses), not to determine if a port is open.

119
MCQmedium

During an internal penetration test, a tester is trying to identify live hosts on a network segment. The tester wants to avoid generating a high volume of traffic or alerts. Which scanning technique is most appropriate for this task?

A.Full TCP connect scan on common ports
B.ICMP echo request sweep
C.SYN stealth scan on port 80 and 443
D.ARP ping scan
AnswerD

ARP scans are local, low-traffic, and often not monitored, making them ideal for stealthy host discovery on the same subnet.

Why this answer

An ARP ping scan (option D) is the most appropriate technique because it operates at Layer 2 (Data Link layer) using ARP requests to determine if an IP address is active on the local subnet. Since ARP traffic is confined to the local broadcast domain and does not generate IP-level packets, it produces minimal network traffic and is unlikely to trigger IDS/IPS alerts, making it ideal for stealthy host discovery on a local network segment.

Exam trap

The trap here is that candidates often choose a SYN stealth scan (option C) thinking it is the quietest option, but they overlook that ARP scans are even more stealthy and efficient for local subnet discovery because they avoid IP-layer detection entirely.

How to eliminate wrong answers

Option A is wrong because a full TCP connect scan completes the three-way handshake on every port, generating a high volume of traffic and easily triggering alerts on firewalls or intrusion detection systems. Option B is wrong because an ICMP echo request sweep sends ICMP packets that are often blocked or filtered by network devices, and the broadcast nature of ICMP can still produce noticeable traffic and alerts. Option C is wrong because a SYN stealth scan on ports 80 and 443, while stealthier than a full connect scan, still sends TCP SYN packets that traverse Layer 3 and can be detected by network monitoring tools; it also limits discovery to only two ports, potentially missing live hosts that do not have those services open.

120
MCQeasy

A penetration tester receives the JSON output above from a vulnerability scanner. Which of the following actions should the tester take FIRST to validate this finding?

A.Manually submit the same payload to the endpoint to confirm the error.
B.Immediately report the finding as critical.
C.Check if the application has a WAF in place.
D.Re-run the scan with a different payload.
AnswerA

Manual verification is the standard first step to confirm a scanner finding.

Why this answer

Option A is correct because manually submitting the same payload confirms the scanner result and eliminates false positives. Option B is premature; Option C skips verification; Option D is not the first step.

121
MCQhard

A penetration tester is preparing a report for a client that requires compliance with PCI DSS. Which of the following is the MOST important consideration for the report structure?

A.Include a separate section for vulnerabilities found in the ASV scan.
B.The client's name and sensitive data should be anonymized.
C.All findings must be encrypted at rest and in transit.
D.The report should map findings to specific PCI DSS requirements.
AnswerD

Compliance reports need to show how findings relate to standards.

Why this answer

Option D is correct because PCI DSS requires specific reporting formats and evidence mapping. Option C is wrong because encryption is a security measure, not a report structure consideration. Option A is wrong because, while useful, it does not specifically address compliance.

Option B is wrong because anonymity may conflict with accountability.

122
MCQmedium

A penetration tester wrote a Python script to automate HTTP request fuzzing. The script uses the 'requests' library to send payloads and checks for reflected content in the response. The tester wants to analyze the script for potential improvements. Which of the following code changes would MOST directly reduce false positives in detecting reflection?

A.Convert the response to lowercase before checking for reflection
B.Add a random delay between requests
C.Remove the User-Agent header from requests
D.Use a session object to maintain cookies
AnswerA

Correct. Case-insensitive matching reduces false positives caused by case differences in the reflected content.

Why this answer

Option A directly reduces false positives by normalizing the case of the response before checking for reflected content. HTTP responses may contain the payload in different cases (e.g., 'Test' vs 'test'), and without case-insensitive matching, the script would miss reflections that differ only in case, incorrectly reporting a false negative. Converting to lowercase ensures that any case variation of the reflected payload is detected, thereby reducing false positives from case-sensitive mismatches.

Exam trap

CompTIA often tests the distinction between performance/evasion techniques (like delays or header manipulation) and accuracy improvements (like case normalization), leading candidates to mistakenly choose options that affect request timing or stealth rather than detection logic.

How to eliminate wrong answers

Option B is wrong because adding a random delay between requests is a technique to avoid rate limiting or detection by WAFs/IDS, not to reduce false positives in reflection detection; it does not affect the accuracy of content matching. Option C is wrong because removing the User-Agent header may actually increase false positives or cause request failures, as many web servers reject or alter responses for requests without a valid User-Agent, potentially introducing reflection artifacts or blocking the request entirely.

123
MCQhard

Based on the exhibit, which tool would be most effective for exploiting this vulnerability?

A.Burp Suite Repeater
B.Nikto
C.Hydra
D.sqlmap
AnswerD

sqlmap automates detection and exploitation of SQL injection flaws.

Why this answer

The error log shows a SQL injection vulnerability. sqlmap is designed to automate SQL injection exploitation. Burp Suite Repeater can manually craft requests, but sqlmap automates the process.

Hydra is for password cracking, and Nikto is for web scanning.

124
MCQmedium

While analyzing a malicious document, a tester extracts a VBA macro. Which tool can help decode the macro for analysis?

A.oledump
B.pdf-parser
C.Nmap
D.Wireshark
AnswerA

oledump can extract VBA macros from Office documents.

Why this answer

Option A is correct because oledump extracts and analyzes OLE objects, including VBA macros. Option B is wrong because pdf-parser is for PDF analysis. Option D is wrong because Wireshark is for network traffic.

Option C is wrong because Nmap is for network scanning.

125
MCQeasy

A penetration tester is performing a port scan on a target network and receives no response to SYN packets sent to port 443. However, the service is known to be running. Which scanning technique should the tester use next to confirm the service?

A.SYN scan
B.TCP connect scan
C.UDP scan
D.Idle scan
AnswerB

Completes the handshake and can bypass firewall rules that drop SYN packets.

Why this answer

Option B (TCP connect scan) is correct because when a SYN scan receives no response to port 443, it may indicate that a firewall or packet filter is dropping the SYN packets. A TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK), which can bypass some stateless firewall rules that only block initial SYN packets but allow established connections. This technique confirms the service by successfully establishing a connection, even if SYN packets are filtered.

Exam trap

The trap here is that candidates assume a SYN scan is always the best stealth option, but when SYN packets are filtered, completing the TCP handshake (connect scan) can bypass simple stateless firewall rules that drop initial SYN packets.

How to eliminate wrong answers

Option A (SYN scan) is wrong because it is the technique that already failed—sending SYN packets to port 443 received no response, so repeating the same scan will not yield different results. Option C (UDP scan) is wrong because port 443 is used for HTTPS (TCP), not UDP; a UDP scan would be irrelevant for confirming a TCP-based service. Option D (Idle scan) is wrong because it is a stealth technique used to spoof the source IP via a zombie host, not a method to confirm a service when SYN packets are filtered; it would still rely on SYN packets and would not bypass the filtering issue.

126
MCQmedium

A penetration tester is performing a vulnerability scan of a network and finds that one server is running an outdated version of OpenSSL. Which of the following is the most likely security implication of this finding?

A.The server is vulnerable to SQL injection
B.The server is vulnerable to cross-site scripting
C.The server is vulnerable to buffer overflow
D.The server is vulnerable to Heartbleed
AnswerD

Heartbleed is a specific OpenSSL vulnerability (CVE-2014-0160) that affects versions 1.0.1 through 1.0.1f.

Why this answer

Outdated versions of OpenSSL, particularly versions 1.0.1 through 1.0.1f, are vulnerable to the Heartbleed bug (CVE-2014-0160). This vulnerability allows an attacker to read up to 64 KB of memory from the server's heap, potentially exposing private keys, session tokens, and other sensitive data. The Heartbleed bug is a specific buffer over-read vulnerability in the TLS/DTLS heartbeat extension, making D the correct answer.

Exam trap

The trap here is that candidates may confuse 'buffer overflow' (a write-based code execution vulnerability) with 'buffer over-read' (a read-based information disclosure like Heartbleed), leading them to select option C instead of the more specific and correct answer D.

How to eliminate wrong answers

Option A is wrong because SQL injection is a web application vulnerability caused by improper input sanitization in database queries, not a flaw in the OpenSSL cryptographic library. Option B is wrong because cross-site scripting (XSS) is a client-side injection vulnerability in web applications, unrelated to the OpenSSL protocol implementation. Option C is wrong because while Heartbleed is technically a buffer over-read (a type of memory safety issue), the term 'buffer overflow' typically refers to a buffer write overflow (e.g., stack or heap overflow) that allows code execution, whereas Heartbleed is a read-only over-read that leaks memory contents without allowing arbitrary code execution.

127
MCQhard

A PenTest team is planning to perform a physical social engineering engagement to gather information from a client's facility. Which of the following reconnaissance techniques would be LEAST likely to be detected?

A.Shoulder surfing
B.Email phishing
C.Tailgating
D.Dumpster diving
AnswerD

Dumpster diving is passive physical reconnaissance and rarely triggers alarms.

Why this answer

Option D is correct because dumpster diving is a physical, low-tech method that often goes unnoticed. Options A, B, and C involve direct interaction and have higher detection risk.

128
MCQmedium

A penetration tester is conducting information gathering on a target company. The company has an internal Confluence wiki that is only accessible from within the corporate network. The tester wants to discover any externally accessible references to the wiki without actively interacting with the target's systems. Which of the following techniques would be MOST effective?

A.Query the target's TLS certificate transparency logs for subdomains
B.Search for exposed Confluence login pages on Shodan
C.Use the Wayback Machine to find historical public references
D.Perform a zone transfer on the target's DNS servers
AnswerA

Certificate transparency logs list subdomains with SSL certs, which may include internal services.

Why this answer

Querying TLS certificate transparency logs is the most effective technique because it allows the tester to discover subdomains associated with the target's domain without any active interaction. Certificate Transparency (CT) logs are publicly accessible records of all SSL/TLS certificates issued by Certificate Authorities (CAs), and they often include subdomains that may point to internal services like Confluence if they were ever exposed via a public certificate. This passive reconnaissance method reveals externally accessible references that the target may have inadvertently made public.

Exam trap

The trap here is that candidates may think Shodan is a passive reconnaissance tool, but querying Shodan for specific services like Confluence login pages still involves active probing of the target's IP addresses, which counts as active interaction in the context of this question.

How to eliminate wrong answers

Option B is wrong because searching for exposed Confluence login pages on Shodan requires active scanning of the target's IP ranges, which constitutes active interaction with the target's systems, violating the requirement to avoid active interaction. Option C is wrong because the Wayback Machine archives historical snapshots of publicly accessible web pages, but it would only contain references to the Confluence wiki if those pages were previously publicly accessible on the internet, which is unlikely for an internal-only wiki. Option D is wrong because performing a zone transfer on the target's DNS servers is an active DNS query technique that requires direct interaction with the target's DNS infrastructure, and most modern DNS servers are configured to deny zone transfers to unauthorized hosts.

129
MCQmedium

A client wants a penetration test that simulates a disgruntled employee with access to the internal network but no administrative privileges. The client provides a standard user account on the domain. The tester discovers that the account has local administrator rights on a critical file server. Which step should the tester take according to typical Rules of Engagement?

A.Continue testing with the elevated privileges because they were provided
B.Use the privileges to escalate to domain admin and test further
C.Pause testing and inform the client of the unexpected privilege level for guidance
D.Revert to a lower-privileged account provided by the client
AnswerC

The tester should communicate with the client to clarify the intended scope and receive authorization for the elevated access.

Why this answer

Option C is correct because the Rules of Engagement (RoE) require the tester to operate within the agreed scope and privilege level. Discovering that the provided standard user account has unexpected local administrator rights on a critical file server represents a scope change that could invalidate the test's assumptions and potentially cause unintended damage. The tester must pause and inform the client to obtain explicit guidance before proceeding with elevated privileges.

Exam trap

The trap here is that candidates assume any discovered privilege is fair game to use, ignoring the RoE's requirement to stay within the authorized scope and the ethical obligation to seek client guidance when unexpected access is found.

How to eliminate wrong answers

Option A is wrong because continuing to test with the elevated privileges violates the RoE scope, which specified a standard user account with no administrative privileges; using unapproved privileges can lead to unauthorized access and legal issues. Option B is wrong because using local admin rights to escalate to domain admin exceeds the agreed scope and could compromise the entire domain without client consent, which is a breach of ethical hacking principles and the test's authorization.

130
MCQhard

A penetration tester needs to communicate the financial impact of a critical vulnerability to the board of directors. Which metric is most appropriate for this audience?

A.CVSS base score (e.g., 9.8 out of 10).
B.Risk rating (High, Medium, Low).
C.Annualized loss expectancy (ALE).
D.Number of affected systems.
AnswerC

ALE estimates the expected monetary loss per year due to a risk, making it easy for non-technical executives to understand the financial impact.

Why this answer

The board of directors is concerned with financial risk and business impact, not technical severity. Annualized loss expectancy (ALE) quantifies the expected monetary loss per year from a vulnerability, making it directly relevant for executive decision-making. CVSS scores and risk ratings are technical metrics that do not translate to financial terms.

Exam trap

The trap here is that candidates often choose CVSS score or risk rating because they are familiar from technical reports, but the question specifically asks for a metric to communicate financial impact to the board, which requires a quantitative financial measure like ALE.

How to eliminate wrong answers

Option A is wrong because CVSS base score (e.g., 9.8) measures technical severity based on exploitability and impact metrics, but it does not incorporate asset value, threat frequency, or financial loss—so it cannot communicate monetary impact to the board. Option B is wrong because risk rating (High, Medium, Low) is a qualitative label derived from likelihood and impact, but it lacks the specific dollar figures needed to convey financial consequences to non-technical stakeholders.

131
MCQmedium

A penetration testing firm is scoping a test for a client that uses a hybrid infrastructure with both on-premises servers and cloud-based services (IaaS). The client specifies that only the cloud environment should be tested this year. Which concept is MOST important for the tester to discuss during the scoping meeting to avoid testing out-of-scope assets?

A.The shared responsibility model between the client and the cloud provider
B.The need to test on-premises systems as well to get a complete picture
C.The potential for false positives in cloud vulnerability scanners
D.The cost of third-party cloud penetration testing tools
AnswerA

The client is responsible for securing their own data and configurations, while the provider secures the underlying infrastructure. Testing should focus only on the client's area of responsibility.

Why this answer

The shared responsibility model defines which security controls and operational tasks are managed by the cloud provider versus the client. In a scoping meeting, understanding this model is critical because the penetration tester must only target the client's side of the responsibility boundary (e.g., guest OS, applications, and IaaS configurations) and avoid testing the provider's underlying infrastructure, which is out-of-scope. Without this discussion, the tester could inadvertently probe the provider's hypervisor or physical network, violating the scope agreement and potentially causing legal or contractual issues.

Exam trap

The trap here is that candidates may focus on technical testing concerns like false positives or scope expansion, rather than recognizing that the shared responsibility model is the foundational scoping concept that prevents testing the cloud provider's infrastructure.

How to eliminate wrong answers

Option B is wrong because the client explicitly specified that only the cloud environment should be tested this year; insisting on testing on-premises systems would directly violate the scope and is not a scoping discussion point but a scope expansion request. Option C is wrong because false positives in cloud vulnerability scanners are a technical testing concern, not a scoping issue; the most important discussion for avoiding out-of-scope assets is defining the boundary of responsibility, not the accuracy of tools.

132
MCQmedium

A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?

A.Pass-the-hash
B.Brute force
C.Rainbow tables
D.Keylogging
AnswerA

Pass-the-hash uses the captured NTLM hash to authenticate to remote services without needing the plaintext password.

Why this answer

Pass-the-hash (PtH) is the correct technique because it allows the tester to authenticate to the remote server using the captured NTLM hash directly, without needing the plaintext password. NTLM authentication uses a challenge-response protocol where the hash itself is the secret; by presenting the hash in the response, the tester can impersonate the user. This is a well-known lateral movement technique in Windows environments, often executed with tools like Mimikatz (sekurlsa::pth) or Impacket's wmiexec.py.

Exam trap

The trap here is that candidates may think they need the plaintext password for authentication and choose brute force or rainbow tables, not realizing that NTLM authentication accepts the hash directly in the challenge-response exchange, making pass-the-hash the most efficient lateral movement technique.

How to eliminate wrong answers

Option B (Brute force) is wrong because brute force attempts to guess the plaintext password by trying many combinations, which is computationally expensive and time-consuming; the tester already has the hash and does not need the plaintext for NTLM authentication. Option C (Rainbow tables) is wrong because rainbow tables are precomputed tables used to reverse a hash into a plaintext password, which is unnecessary here since the hash itself can be used directly for authentication via pass-the-hash; additionally, rainbow tables are ineffective against salted hashes or modern NTLM hashes without significant precomputation.

133
MCQhard

A penetration test is being conducted for a healthcare organization subject to HIPAA. The tester is given access to a production system that contains electronic protected health information (ePHI). Which of the following should be included in the rules of engagement to ensure compliance?

A.A clause requiring encryption of all test data at rest and in transit.
B.A business associate agreement (BAA) signed between the client and the testing firm.
C.A detailed data handling and destruction procedure within the rules of engagement.
D.A restriction to only test in non-production environments.
AnswerC

The RoE should explicitly state how ePHI will be handled, stored, accessed, and destroyed to ensure HIPAA compliance.

Why this answer

Option C is correct because HIPAA requires covered entities to ensure the confidentiality, integrity, and availability of ePHI, which includes proper disposal of data after testing. A detailed data handling and destruction procedure within the rules of engagement (RoE) ensures that test data containing ePHI is securely wiped or destroyed in compliance with 45 CFR § 164.310(d)(2)(i) and NIST SP 800-88 guidelines. Without this clause, the tester might leave residual ePHI on production systems, violating HIPAA's security rule.

Exam trap

The trap here is that candidates confuse a BAA (a separate legal requirement) with a clause that must be included in the rules of engagement, or they assume encryption is a mandatory RoE clause when HIPAA treats it as addressable and not a procedural scope item.

How to eliminate wrong answers

Option A is wrong because while encryption of test data at rest and in transit is a good security practice, it is not a specific HIPAA compliance requirement that must be included in the rules of engagement; HIPAA mandates encryption as an addressable implementation specification under 45 CFR § 164.312(a)(2)(iv), but the RoE focuses on scope and handling procedures, not technical controls. Option B is wrong because a Business Associate Agreement (BAA) is a legal contract between the covered entity and the business associate (the testing firm) that must be signed before any ePHI access, but it is not part of the rules of engagement document; the BAA is a separate prerequisite, not a clause within the RoE.

134
MCQhard

During scoping, a tester learns that the client's network has multiple subsidiaries with different IP ranges. The client wants a test that covers all subsidiaries but with a limited number of target IPs. How should the tester proceed?

A.Ask for a larger budget
B.Select a representative sample of IPs from each subsidiary
C.Test only the corporate headquarters and ignore subsidiaries
D.Use a subnet calculator to combine all ranges
AnswerB

Sampling provides coverage across the entire organization within limits.

Why this answer

Selecting a representative sample of IPs from each subsidiary allows coverage across all subsidiaries while respecting the target limit. Testing only headquarters ignores subsidiaries, and combining ranges may produce too many targets. Asking for a larger budget may not be an option.

135
MCQmedium

A penetration tester is performing internal reconnaissance from a compromised host and wants to map the local network without sending any packets. Which technique is most suitable?

A.Use tcpdump to passively capture and analyze broadcast traffic.
B.Send ARP requests to all possible IP addresses using a ping sweep.
C.Query the local DNS server for all host records in the domain.
D.Use traceroute to discover network paths.
AnswerA

Passive capture of broadcast frames (ARP, DHCP, etc.) reveals live hosts and their IP addresses without sending a single packet.

Why this answer

Option A is correct because tcpdump can passively capture broadcast traffic (e.g., ARP, NetBIOS, mDNS) without sending any packets. This allows the tester to map active hosts and services on the local network by listening to existing network chatter, fulfilling the 'no packets sent' constraint.

Exam trap

The trap here is that candidates may assume 'passive' techniques like tcpdump still require sending packets, or they confuse passive capture with active scanning methods like ARP sweeps or DNS queries, which inherently generate network traffic.

How to eliminate wrong answers

Option B is wrong because sending ARP requests as part of a ping sweep generates packets on the network, violating the requirement to avoid sending any packets. Option C is wrong because querying the local DNS server sends a DNS query packet, which is an active network request; it also may not reveal all host records due to DNS caching or security configurations like zone transfer restrictions.

136
MCQmedium

A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?

A.Brute force the password from the hash
B.Pass-the-hash
C.NTLM relay
D.Kerberoasting
AnswerB

Pass-the-hash uses the NTLM hash to authenticate without needing the plaintext password, enabling lateral movement.

Why this answer

Pass-the-hash (PtH) is the most appropriate technique because it allows the tester to authenticate to the target server using the captured NTLM hash directly, without needing the plaintext password. NTLM authentication uses the hash as a secret, so the hash can be passed to the server in the challenge-response handshake. This is a well-known lateral movement technique in Windows environments.

Exam trap

CompTIA often tests the distinction between pass-the-hash and NTLM relay, where candidates confuse the need for an active relay target versus simply using a captured hash to authenticate directly.

How to eliminate wrong answers

Option A is wrong because brute-forcing the password from the hash is computationally expensive and time-consuming, especially for strong passwords, and is not the most efficient method for immediate lateral movement. Option C is wrong because NTLM relay involves intercepting and forwarding an authentication attempt from a client to a server, not using a pre-captured hash to authenticate directly; it requires an active connection from another machine.

137
MCQmedium

During an internal penetration test, a tester discovers that the client's network uses ARP poisoning to intercept traffic for security monitoring. The tester wants to enumerate live hosts without being detected by network monitoring tools. Which of the following is the BEST approach?

A.Use passive network sniffing to capture broadcast traffic
B.Perform a UDP scan
C.Perform a SYN scan with decoys
D.Use ARP requests to discover hosts
Answer: A

Passive sniffing collects broadcast packets like ARP and DHCP without sending anything.

Why this answer

Option A is correct because passive network sniffing captures broadcast traffic without generating any packets, avoiding detection. Option D generates ARP traffic; Option C generates SYN packets; Option B generates UDP packets.

138
MCQ (medium)

Based on the Nmap output above, which of the following conclusions is MOST accurate regarding the target host?

A.The host is running Linux because SSH is open.
B.The host is running a web server on port 8080.
C.The SSH service is configured to use a non-standard port.
D.A firewall is likely blocking access to port 8080.
Answer: D

Filtered state typically results from a firewall dropping packets.

Why this answer

Option D is correct because 'filtered' indicates a firewall or ACL is blocking access to port 8080. Option A is not definitive from this scan alone, since an open SSH port does not identify the operating system; Option B is wrong because filtered means the port's state is unknown, not that a web server is listening; Option C is wrong because SSH is on its standard port 22.
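Reading port states without over-interpreting them, as an added example that is not part of the question bank. The Nmap output the question refers to is not reproduced on the page, so the sample below is constructed to match the explanation (SSH open on 22, port 8080 filtered); `parse_ports`, `assess`, `os_hint` and the small `DEFAULT_PORTS` table are this example's own assumptions.

```python
"""Interpreting Nmap port states: what the scan supports and what it does not.

Added example, not from the question bank. SAMPLE_OUTPUT is constructed in
Nmap's normal output format to match the explanation; the real scan referred
to by the question is not on the page.
"""
import re

SAMPLE_OUTPUT = """\
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.9
8080/tcp filtered http-proxy
"""

# Usual ports for a few services (assumption: enough for the example), used to
# flag a service that appears somewhere other than its normal port.
DEFAULT_PORTS = {"ssh": 22, "http": 80, "https": 443, "http-proxy": 8080,
                 "smtp": 25, "ms-wbt-server": 3389}

# Strings in a version banner that name an operating system. Without one of
# these (or an -O fingerprint), the scan gives no OS evidence.
OS_HINTS = ("ubuntu", "debian", "freebsd", "windows", "microsoft")

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_ports(output: str) -> list:
    """Parse the port table of Nmap normal output into dicts."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, host lines, blank lines
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["version"] = (row["version"] or "").strip()
        rows.append(row)
    return rows


def os_hint(rows: list):
    """Return an OS name only if a banner mentions one; an open SSH port alone
    is not evidence of Linux (or of anything else)."""
    for row in rows:
        banner = row["version"].lower()
        for hint in OS_HINTS:
            if hint in banner:
                return hint
    return None


def assess(rows: list) -> dict:
    """Separate conclusions the scan proves from ones it only suggests."""
    result = {"open": {}, "likely_firewalled": [], "nonstandard_port": [],
              "os_hint": os_hint(rows)}
    for row in rows:
        if row["state"] == "open":
            result["open"][row["port"]] = row["service"]
            default = DEFAULT_PORTS.get(row["service"])
            if default is not None and default != row["port"]:
                result["nonstandard_port"].append(row["port"])
        elif row["state"] == "filtered":
            # No reply (or an ICMP unreachable) to the probe: a firewall or ACL
            # is the usual cause, and whether anything listens there is unknown.
            result["likely_firewalled"].append(row["port"])
    return result


if __name__ == "__main__":
    print(assess(parse_ports(SAMPLE_OUTPUT)))
```

For the constructed sample the assessment lists 22/ssh as open, 8080 as likely firewalled, no service on a non-standard port, and no OS hint, which is exactly the set of conclusions the question's answer key supports. A banner such as "OpenSSH 8.9p1 Ubuntu-3" would be the first thing that actually justified an OS guess.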

139
MCQ (medium)

A penetration tester is conducting an internal network scan and wants to minimize the chance of being detected by an intrusion detection system (IDS). Which TCP scan type is most likely to evade detection?

A.TCP connect scan
B.SYN scan
C.FIN scan
D.UDP scan
Answer: C

A FIN scan sends only FIN packets. Many systems and IDSs do not log these as aggressively as connection attempts, though some modern firewalls may detect them. It is generally considered stealthier than SYN or connect scans.

Why this answer

A FIN scan sends a TCP packet with only the FIN flag set, which is less likely to trigger IDS signatures that are tuned to detect common SYN-based scans. Many IDS systems monitor for SYN packets as they initiate connections, but a FIN scan exploits the fact that closed ports respond with an RST packet, while open ports ignore the FIN (per RFC 793), allowing the tester to infer port state without completing a full handshake.

Exam trap

The trap here is that candidates assume SYN scans are stealthier because they are 'half-open,' but CompTIA often tests that FIN scans evade IDS better because they avoid the SYN packet that triggers common detection signatures.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan uses the full three-way handshake (SYN, SYN-ACK, ACK), which is easily logged by the target system and detected by IDS as a standard connection attempt. Option B is wrong because a SYN scan (half-open scan) sends a SYN packet and waits for a SYN-ACK, but many IDS systems are specifically configured to flag rapid SYN packets as a port scan, making it more detectable than a FIN scan.

140
MCQ (easy)

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

A.Nmap service scan with -sV
B.Shodan.io
C.BuiltWith.com
D.Wappalyzer browser extension
Answer: C

BuiltWith.com is a passive reconnaissance tool that catalogues technology profiles from public data, allowing identification of frameworks and libraries without interacting with the target.

Why this answer

BuiltWith.com is a passive reconnaissance resource that profiles web application technologies by analyzing publicly available data, such as JavaScript libraries, web frameworks, and analytics tools, without sending any requests to the target's servers. It aggregates information from various public sources and historical data, making it ideal for identifying technologies without direct interaction.

Exam trap

The trap here is that candidates often confuse Shodan.io's passive-looking interface with true passive reconnaissance, not realizing that Shodan's data is derived from active scanning, while BuiltWith.com relies on non-intrusive public data aggregation.

How to eliminate wrong answers

Option A is wrong because Nmap's -sV flag performs an active service scan that sends probes to the target's servers to determine service versions, which violates the passive reconnaissance requirement. Option B is wrong because Shodan.io is a search engine for internet-connected devices and services, but it primarily relies on active scanning data from its own crawlers and may not provide detailed web application technology stacks like frameworks or libraries without making requests to the target.

141
MCQ (medium)

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

A.Add the microservice to the test and include it in the final report as an unadvertised finding
B.Decline the request because the microservice was not part of the original scope
C.Inform the client that a scope amendment is needed and pause testing on the microservice until it is approved
D.Test the microservice only if it is using the same technology stack as other targets
Answer: C

This is the correct procedure. Communicating the need for a formal amendment ensures the test remains within authorized bounds and protects both parties.

Why this answer

Option C is correct because the rules of engagement (ROE) are a legally binding document that defines the scope of testing. Adding a new microservice mid-engagement without an approved scope amendment violates the ROE and could lead to legal or contractual issues. The penetration tester must first pause testing on the microservice and formally request a scope amendment to ensure all activities remain authorized.

Exam trap

The trap here is that candidates may confuse 'professional flexibility' (Option A) with proper scope management, or think that declining outright (Option B) is safer, when the correct answer requires following formal change control procedures to maintain legal and ethical boundaries.

How to eliminate wrong answers

Option A is wrong because adding the microservice without amending the ROE constitutes unauthorized testing, which could breach the contract and expose the tester to liability; the final report should only include findings from authorized targets. Option B is wrong because outright declining the request without offering a path forward (scope amendment) is unprofessional and fails to address the client's evolving needs; the correct procedure is to pause testing and seek formal approval, not simply refuse.

142
MCQ (medium)

A penetration tester is using a vulnerability scanner to assess a web application. The scanner reports a 'SQL Injection' finding with a high confidence level. However, manual verification of the same payload does not trigger the vulnerability in a browser. Which of the following is the most likely reason for this discrepancy?

A.The scanner used a different HTTP method than the one used in manual testing
B.The scanner's payloads were URL-encoded differently
C.The vulnerability exists only in the scanner's simulated environment
D.The scanner might have generated a false positive due to a misinterpretation of the server's response
Answer: D

False positives are common in automated scanners. The scanner may have incorrectly flagged a response as vulnerable when manual testing proves otherwise.

Why this answer

The most likely reason is that the scanner generated a false positive due to a misinterpretation of the server's response. Vulnerability scanners often infer SQL injection based on response patterns (e.g., database error messages, timing differences) that may not actually be exploitable. Manual verification in a browser failed because the payload did not produce a true SQL error or data leak, confirming the scanner's alert was incorrect.

Exam trap

CompTIA often tests the concept that automated scanners can produce false positives due to response misinterpretation, and candidates mistakenly choose option C (simulated environment) because they confuse the scanner's internal test logic with an actual isolated environment.

How to eliminate wrong answers

Option A is wrong because HTTP method differences (e.g., GET vs POST) could cause the scanner to test a different endpoint, but the question states the same payload was used; if the scanner used a different method, manual testing with the same method would still match. Option B is wrong because URL encoding differences (e.g., %27 vs ') would be normalized by the browser or server; manual testing typically uses the same encoding as the scanner's output. Option C is wrong because the scanner does not create a simulated environment; it sends real HTTP requests to the live web application, so the vulnerability cannot exist only in a simulated environment.

143
MCQ (hard)

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

A.Using theHarvester to search public sources
B.Sending probe emails to validate addresses
C.Scraping LinkedIn profiles for email patterns
D.Mining GitHub repositories for company email patterns
Answer: D

Searching public GitHub repositories for email addresses is a purely passive activity with no direct interaction with the target, making it the least likely to be detected.

Why this answer

Option D is correct because mining GitHub repositories for email patterns is a passive reconnaissance technique that relies on publicly accessible code and commit histories. The target company has no visibility into GitHub's public data, and no direct interaction with the target's systems occurs, making it the least likely to trigger alerts or be detected by security controls such as IDS/IPS, email gateways, or network monitoring.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates mistakenly think scraping LinkedIn is passive, but LinkedIn's anti-scraping measures and the need for automated interaction make it an active technique that can be detected.

How to eliminate wrong answers

Option A is wrong because theHarvester actively queries public sources like search engines and PGP key servers, which can generate logs or rate-limiting alerts that the target might detect if they monitor for reconnaissance activity. Option B is wrong because sending probe emails directly interacts with the target's email infrastructure, triggering SMTP logs, SPF/DKIM checks, and potentially alerting security teams via email security gateways or honeypot accounts. Option C is wrong because scraping LinkedIn profiles requires automated access to LinkedIn's platform, which can be detected by LinkedIn's anti-scraping mechanisms and rate limiting, and the target may monitor for unusual profile viewing patterns.

144
MCQ (medium)

During a web application penetration test, a tester identifies a potential SQL injection vulnerability in a search field. The tester wants to extract data from the database without generating error messages that could trigger an alert. Which technique is most appropriate?

A.In-band SQL injection
B.Error-based SQL injection
C.Blind SQL injection (time-based)
D.Union-based SQL injection
Answer: C

Time-based blind injection uses time delays to infer data without generating errors, making it stealthy.

Why this answer

Option C is correct because blind SQL injection (time-based) allows data extraction without generating visible error messages or database output. By using conditional time delays (e.g., IF condition THEN WAITFOR DELAY '0:0:5' in SQL Server or SLEEP(5) in MySQL), the tester can infer true/false conditions based on response timing, avoiding any error-based alerts that might be monitored by a WAF or IDS.

Exam trap

The trap here is that candidates often choose error-based or union-based injection because they are more familiar, failing to recognize that the question explicitly requires avoiding error messages and alerts, which only time-based blind injection achieves.

How to eliminate wrong answers

Option A is wrong because in-band SQL injection relies on the same channel to both inject and retrieve data (e.g., via UNION or error messages), which would produce visible output or errors that could trigger alerts. Option B is wrong because error-based SQL injection deliberately forces database errors to extract information from error messages, directly generating alerts. Option D is wrong because union-based SQL injection requires the attacker to see the results of a UNION query in the application response, which would expose the attack and potentially trigger monitoring systems.

145
MCQ (easy)

A penetration tester is planning a social engineering campaign against a corporation. The goal is to trick the CEO into revealing sensitive information. Which type of attack should the tester use?

A.Vishing
B.Spear phishing
C.Pharming
D.Whaling
Answer: D

Whaling is a form of spear phishing that targets senior executives such as CEOs, making it the correct choice for this scenario.

Why this answer

Whaling is a targeted form of phishing that specifically focuses on high-profile individuals, such as the CEO. In this scenario, the goal is to trick the CEO into revealing sensitive information, making whaling the correct choice because it is designed to impersonate trusted entities or create urgent scenarios to deceive senior executives.

Exam trap

CompTIA often tests the distinction between spear phishing and whaling, where the trap is that candidates choose spear phishing because it is a broader term, but the question's focus on a CEO specifically requires the more precise 'whaling' classification.

How to eliminate wrong answers

Option A is wrong because vishing (voice phishing) uses phone calls or voice messages, not email or other digital messages, and while it could target a CEO, the question implies a digital attack vector. Option B is wrong because spear phishing targets specific individuals or groups but is not exclusively reserved for high-level executives like a CEO; whaling is the more precise term for targeting C-suite personnel. Option C is wrong because pharming redirects users from legitimate websites to fraudulent ones by exploiting DNS vulnerabilities or local host file manipulation, and it does not involve directly tricking an individual via email or messaging.

146
MCQ (easy)

A tester is using the following Nmap command: nmap -sC -sV -p 1-65535 target_ip. What is the primary purpose of the -sC option?

A.Use default scripts
B.Scan all ports
C.Perform a version scan
D.Do a SYN scan
Answer: A

-sC enables default NSE scripts for service enumeration and vulnerability detection.

Why this answer

The -sC option in Nmap is equivalent to --script=default, which runs a collection of common, non-intrusive enumeration scripts against the target. These scripts perform tasks such as service banner grabbing, HTTP title extraction, and SSL/TLS certificate retrieval, providing valuable reconnaissance data without requiring manual script selection.

Exam trap

The trap here is that candidates confuse -sC with -sV or -sS, because all three options start with 's' and are commonly used together, but each has a distinct function that must be memorized for the exam.

How to eliminate wrong answers

Option B is wrong because scanning all ports is achieved by the -p 1-65535 argument, not by -sC. Option C is wrong because performing a version scan is the purpose of -sV, not -sC. Option D is wrong because a SYN scan is the default scan type when run as root, but it is explicitly invoked with -sS, not -sC.

147
Multi-Select (hard)

During the scoping phase of a penetration test, the tester and client must define the rules of engagement (ROE). Which THREE of the following should be included in the ROE? (Select THREE.)

Select 3 answers
A.Contact information for the client to report issues during the test.
B.Types of attacks permitted (e.g., phishing, social engineering).
C.Specific vulnerabilities that will be exploited.
D.Post-test remediation steps.
E.Boundaries such as IP ranges and subnets to test.
Answers: A, B, E

This ensures timely communication of critical findings.

Why this answer

The ROE should cover attack types, communication protocols, and scope boundaries. Specific vulnerabilities are unknown beforehand, and remediation is part of the post-test phase.

148
MCQ (medium)

A penetration tester writes a Python script to test an API for vulnerabilities. The script sends requests with multiple payloads and checks if the response contains an error message indicating a potential injection. Which of the following code snippets would BEST reduce false positives by verifying that the injected parameter is processed?

A.Check if the response status code is 500 for each payload
B.Compare the response time of the injected request to a baseline without injection
C.Check if the response contains a specific error message that is only triggered when the injection is successful
D.Compare the response of the injected request to the response of a benign request with the same parameter structure
Answer: D

Correct. By comparing responses, the tester can confirm that the injection causes a different behavior than a normal request, reducing false positives.

Why this answer

Option D is correct because comparing the response of an injected request to a benign request with the same parameter structure directly confirms that the injected parameter was processed and caused a different application behavior, thereby reducing false positives. This technique, often called differential analysis, isolates the effect of the injection from normal variations in the API response, such as dynamic content or session tokens. It is more reliable than checking for specific error messages or status codes, which may be suppressed or generic.

Exam trap

The trap here is that candidates often choose Option C because they assume error messages are reliable indicators of injection success, but in practice, modern APIs suppress detailed errors and may return the same generic error for both benign and malicious inputs, making differential analysis a more robust approach.

How to eliminate wrong answers

Option A is wrong because a 500 status code indicates a server error but does not confirm that the injected parameter was processed; it could be triggered by malformed requests, resource exhaustion, or unrelated bugs, leading to false positives. Option B is wrong because comparing response time can detect time-based injections (e.g., SQLi with SLEEP), but it is not a general method for verifying that the injected parameter is processed; many injections do not cause measurable time differences, and network latency can introduce false positives. Option C is wrong because checking for a specific error message assumes the application exposes detailed error information, which is often disabled in production; moreover, the same error message might appear for benign inputs or other issues, causing false positives or negatives.
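The differential check that Option D describes, as an added example (it is not the script from the question or any project's code). It assumes the API returns JSON whose session token and timestamp change on every call, and it uses constructed response bodies in place of real HTTP traffic; `normalize`, `similarity` and `differential_verdict` are names chosen for this example.

```python
"""Differential analysis of API responses to validate an injection finding.

Added example; not the script from the question. All responses below are
constructed JSON strings standing in for what the API would return, so
nothing is sent over the network.
"""
import difflib
import re

# Fields that legitimately differ between two otherwise identical responses.
# They are replaced with fixed placeholders before comparison so that a new
# session token or timestamp is not mistaken for an effect of the payload.
VOLATILE_FIELDS = [
    (re.compile(r'"session":"[^"]*"'), '"session":"<TOKEN>"'),
    (re.compile(r'"ts":\d+'), '"ts":<TS>'),
]


def normalize(body: str) -> str:
    """Mask volatile fields so only meaningful content is compared."""
    for pattern, placeholder in VOLATILE_FIELDS:
        body = pattern.sub(placeholder, body)
    return body


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] between two normalized response bodies."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def differential_verdict(benign_a: str, benign_b: str, injected: str,
                         margin: float = 0.05) -> dict:
    """Decide whether the injected parameter changed application behaviour.

    benign_a / benign_b: responses to two benign requests with the same
    parameter structure; their similarity is the API's own noise floor.
    injected: the response to the request carrying the payload.
    The payload counts as 'processed' only when the injected response is
    further from benign than the noise floor by more than `margin`.
    """
    noise_floor = similarity(benign_a, benign_b)
    injected_sim = similarity(benign_b, injected)
    return {
        "noise_floor": round(noise_floor, 3),
        "injected_similarity": round(injected_sim, 3),
        "processed": (noise_floor - injected_sim) > margin,
    }


# Constructed responses for a search endpoint queried with q=ap.
BENIGN_A = '{"session":"9f1c2a","ts":1700000001,"results":["apple","apricot"],"count":2}'
BENIGN_B = '{"session":"4d77e0","ts":1700000002,"results":["apple","apricot"],"count":2}'
# The application neutralized the payload: only the volatile fields moved.
INERT = '{"session":"b0c1d2","ts":1700000003,"results":["apple","apricot"],"count":2}'
# The payload altered the query: the result set changed.
EFFECTIVE = ('{"session":"e3f4a5","ts":1700000004,'
             '"results":["apple","apricot","banana","cherry","date","fig","grape"],'
             '"count":7}')

if __name__ == "__main__":
    print("inert payload:    ", differential_verdict(BENIGN_A, BENIGN_B, INERT))
    print("effective payload:", differential_verdict(BENIGN_A, BENIGN_B, EFFECTIVE))
```

The noise floor is the design choice that matters: comparing the injected response with a benign one only works once you know how much two benign responses already differ, which is why the check takes two benign samples rather than one. Fields that change on every request (the session token and timestamp here) are masked rather than left to inflate the difference; a scanner that keyed on the 500 status or a generic error string would have no such baseline and would flag the inert case just as readily.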

149
MCQ (easy)

A penetration tester is analyzing a Python script that uses the 'socket' library. The script creates a socket, connects to a target IP and port, sends a payload, and then receives a response. The script is most likely designed for which type of attack?

A.Port scanning
B.Brute-force attack
C.Buffer overflow exploit
D.SQL injection
Answer: C

A buffer overflow exploit sends a crafted payload that overwrites memory, often followed by receiving a shell or status response.

Why this answer

The script uses the 'socket' library to open a TCP connection, send a payload, and receive a response. This pattern is characteristic of a buffer overflow exploit, where a crafted payload is sent to trigger a memory corruption vulnerability, often followed by receiving a shell or error response. The direct send-and-receive cycle with a specific payload aligns with exploitation, not reconnaissance or authentication testing.

Exam trap

The trap here is that candidates confuse the send-and-receive pattern with port scanning or brute-force attacks, overlooking that the script's single-payload design and lack of iteration or credential logic specifically indicate an exploit delivery mechanism.

How to eliminate wrong answers

Option A is wrong because port scanning typically involves iterating through multiple ports and analyzing connection states (e.g., SYN, ACK, RST) or timeouts, not sending a single payload and waiting for a response on one port. Option B is wrong because a brute-force attack requires repeated authentication attempts with different credentials, not a single payload transmission and response reception; the script lacks any loop or credential generation logic.

150
Multi-Select (hard)

A penetration tester is performing information gathering using DNS enumeration. Which of the following records can be queried to discover additional subdomains or hostnames? (Choose three.)

Select 3 answers
A.MX
B.NS
C.PTR
D.A
E.CNAME
Answers: A, B, D

MX records disclose mail exchange servers, which can be additional hostnames.

Why this answer

The A record maps a hostname to an IPv4 address. During DNS enumeration, querying A records for known subdomains or performing a brute-force of common hostnames (e.g., admin.example.com, mail.example.com) can reveal additional subdomains and hostnames by returning valid IP addresses. This is a standard technique in reconnaissance to expand the attack surface.

Exam trap

The trap here is that candidates often think PTR records are useful for forward DNS enumeration, but they require a known IP and are used in reverse lookups, not for discovering subdomains from a domain name.
