CompTIA PenTest+ PT0-002 — Questions 226-300

509 questions total · 7 pages · All types, answers revealed


Page 4 of 7

226
MCQmedium

A wireless network test must not disrupt the network. How can the tester crack WPA2 passwords without disruption?

A.Scan for rogue access points
B.Use passive sniffing to capture traffic and crack offline
C.Perform a deauthentication attack
D.Attempt a brute-force attack against the Wi-Fi password
AnswerB

Non-disruptive: passive capture transmits nothing. The tester waits for a legitimate client to associate (or re-associate), records the WPA2 four-way handshake, and cracks the PSK offline.

Why this answer

Option B is correct because passive sniffing captures the four-way handshake without transmitting any frames; the only cost is time, since the tester must wait for a client to connect naturally instead of forcing a reconnect. Option C is wrong because a deauthentication attack actively kicks clients off the network, which is exactly the disruption the client prohibited. Option D is wrong because brute-forcing the passphrase online against the access point is active, slow, and likely to trigger lockouts or alerts.

Option A is wrong because scanning for rogue access points does not recover or test the WPA2 passphrase at all.

227
MCQmedium

A client wants a penetration test of their cloud infrastructure hosted on AWS. The client states that they want to test the security of their EC2 instances, S3 buckets, and IAM configurations. The client's security team is concerned about potential service disruption due to testing. Which of the following should be included in the rules of engagement to address this concern?

A.A clause that the tester will avoid using any automated scanning tools.
B.A clear definition of what constitutes a denial-of-service condition and a requirement to stop testing immediately if such a condition is detected.
C.A requirement that the tester only performs manual testing and no tools.
D.A clause that the tester will test only during business hours.
AnswerB

This addresses the concern directly by defining thresholds and a response plan.

Why this answer

Option B is correct because it directly addresses the client's concern about service disruption by establishing a clear threshold for denial-of-service (DoS) conditions and a mandatory stop action. In AWS, automated scanning or aggressive testing can inadvertently trigger Auto Scaling events, exhaust burst credits on EC2 instances, or saturate S3 request limits, leading to degraded performance. Defining what constitutes a DoS condition (e.g., CPU > 90%, network packet loss > 5%) ensures the tester can halt immediately, protecting the client's cloud infrastructure while still allowing effective security testing.

Exam trap

The trap here is that candidates often choose options A or C, mistakenly believing that avoiding automation or restricting testing hours will prevent service disruption, when in reality the key is having a clear, measurable definition of disruption and a stop condition, as required by the PT0-002 exam's focus on scoping and risk management.

How to eliminate wrong answers

Option A is wrong because completely avoiding automated scanning tools is impractical for a thorough penetration test of AWS EC2, S3, and IAM configurations; tools like Nmap, Burp Suite, or custom scripts are essential for discovering vulnerabilities such as open ports, misconfigured bucket policies, or weak IAM roles. Option C is wrong because requiring only manual testing is overly restrictive and unrealistic for testing cloud-scale environments; automated tools are needed to efficiently enumerate S3 bucket permissions, scan for IAM privilege escalation paths, and test EC2 security group rules. Option D is wrong because testing only during business hours does not mitigate the risk of service disruption; in fact, testing during peak usage could increase the chance of impacting production workloads, and the client's concern is about disruption itself, not timing.

228
MCQmedium

A penetration tester is performing reconnaissance on a target domain. The tester queries the public DNS records and finds an SPF record that includes an 'include' mechanism pointing to a third-party email service. Which technique can the tester use to potentially discover more subdomains or internal infrastructure?

A.Perform a DNS zone transfer
B.Enumerate MX records for the third-party
C.Query the TXT records of the third-party domain
D.Use Google dorks to find exposed email addresses
AnswerC

The SPF include points to another domain; querying that domain's TXT records may reveal additional SPF includes or other records that expose further domains or subdomains.

Why this answer

The SPF record's 'include' mechanism points to a third-party email service, which itself may have SPF or other TXT records that reveal additional domains or subdomains used for email infrastructure. By querying the TXT records of the third-party domain, the tester can discover these included domains, potentially expanding the attack surface. This technique leverages the recursive nature of SPF includes to map out related infrastructure.

Exam trap

The trap here is that candidates often assume DNS zone transfers (option A) are the go-to method for subdomain discovery, but the question specifically leverages the SPF 'include' mechanism, making TXT record enumeration the correct and targeted technique.

How to eliminate wrong answers

Option A is wrong because DNS zone transfers (AXFR) require explicit server configuration to allow them and are rarely successful against public DNS servers; they are not a reliable method for discovering subdomains from an SPF include. Option B is wrong because enumerating MX records for the third-party domain only reveals mail exchange servers, not necessarily subdomains or internal infrastructure of the target; it does not leverage the SPF include chain. Option D is wrong because Google dorks for exposed email addresses are a passive reconnaissance technique for finding user emails, not for systematically discovering subdomains or internal network infrastructure from an SPF record.
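The include-walking technique described above, as an added example (not part of the question bank): a Python walker that follows include: and redirect= terms, collects the domains named by a:, mx:, exists: and ptr: mechanisms, records ip4:/ip6: netblocks, stops on loops, and counts DNS-querying terms against the RFC 7208 limit of 10. It runs against a constructed in-memory TXT table; `lookup_txt` is a hypothetical hook to swap for a real resolver (e.g. dnspython's dns.resolver.resolve(name, "TXT")) on an engagement.

```python
"""Follow an SPF record's include:/redirect= chain to map related mail infrastructure.

Added example, not part of the question bank. FAKE_TXT is a constructed
in-memory TXT table so the walk runs offline; replace lookup_txt with a
real resolver (e.g. dnspython: dns.resolver.resolve(name, "TXT")) in practice.
"""
import re

# Constructed sample records (documentation ranges only; not real domains).
FAKE_TXT = {
    "target.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example a:legacy-mail.target.example -all"],
    "_spf.mailvendor.example": [
        "v=spf1 include:_netblocks.mailvendor.example include:_spf.crm.example ~all"],
    "_netblocks.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"],
    "_spf.crm.example": ["v=spf1 redirect=_spf2.crm.example"],
    "_spf2.crm.example": ["v=spf1 mx:mx.crm.example exists:%{i}._spf.crm.example -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

def lookup_txt(name):
    """Hypothetical resolver hook: return the TXT strings for `name`."""
    return FAKE_TXT.get(name.lower(), [])

def spf_record(name):
    """Return the v=spf1 TXT record for `name`, or None (RFC 7208: exactly one allowed)."""
    recs = [r for r in lookup_txt(name) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

# optional qualifier, mechanism/modifier name, optional argument after ':' or '='
_TERM = re.compile(r"^[+\-~?]?(include|redirect|a|mx|exists|ptr|ip4|ip6|all)(?:[:=](.*))?$", re.I)

def walk_spf(domain, max_lookups=10):
    """Depth-first walk of SPF includes/redirects starting at `domain`.

    Returns the other domains the chain names, the netblocks authorised to send
    mail, and how many DNS-querying terms were hit. More than 10 is a permerror,
    which is itself a finding: strict receivers will fail SPF for that domain.
    """
    seen, domains, netblocks, lookups = set(), set(), set(), 0
    stack = [domain.lower()]
    while stack:
        name = stack.pop()
        if name in seen:                 # include:loop or mutual includes
            continue
        seen.add(name)
        rec = spf_record(name)
        if rec is None:
            continue
        for term in rec.split()[1:]:     # skip the v=spf1 version tag
            m = _TERM.match(term)
            if not m:
                continue
            mech, arg = m.group(1).lower(), m.group(2)
            if mech in ("include", "redirect"):
                lookups += 1
                if arg:
                    stack.append(arg.lower())
            elif mech in ("a", "mx", "exists", "ptr"):
                lookups += 1             # these also count against the limit
                if arg and "%" not in arg:   # skip macro-expanded names
                    domains.add(arg.split("/")[0].lower())
            elif mech in ("ip4", "ip6"):
                netblocks.add(arg)
    return {
        "domains": sorted(domains | (seen - {domain.lower()})),
        "netblocks": sorted(netblocks),
        "lookups": lookups,
        "over_limit": lookups > max_lookups,
    }

if __name__ == "__main__":
    for key, value in walk_spf("target.example").items():
        print(f"{key}: {value}")
```

Every name in the returned `domains` list is a new reconnaissance target (vendor SPF sub-zones, legacy mail hosts, CRM providers); the `netblocks` list tells you which ranges the target trusts to send mail on its behalf.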

229
Multi-Selectmedium

A penetration tester is examining a compiled binary obtained during an engagement. The tester wants to identify potential buffer overflow vulnerabilities and understand the control flow. Which TWO tools would be most appropriate for this task?

Select 2 answers
A.Wireshark
B.Nmap
C.OllyDbg
D.Burp Suite
E.Ghidra
AnswersC, E

OllyDbg is a debugger that can step through the binary to observe behavior and identify overflows.

Why this answer

OllyDbg is a debugger that allows dynamic analysis to identify overflow vulnerabilities by examining memory and registers. Ghidra is a disassembler and decompiler that provides static analysis of control flow and potential vulnerabilities. Nmap is a network scanner, Wireshark is a packet analyzer, and Burp Suite is a web proxy, none of which are suitable for binary analysis.

230
MCQmedium

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

A.Enable SYN scan instead of full TCP connect scan
B.Adjust the scan timing template to a slower rate
C.Activate the 'safe checks' option in the scanner
D.Increase the port range to include high ports
AnswerC

Correct. Safe checks perform non-intrusive testing, minimizing disruption and reducing false positives from exploitation attempts.

Why this answer

Option C is correct because the 'safe checks' option in vulnerability scanners (such as Nessus or OpenVAS) disables intrusive plug-ins that attempt to exploit services aggressively, which can cause service crashes. This configuration allows the scanner to identify potential vulnerabilities without disrupting the target service, avoiding misleading findings from crashed services.

Exam trap

The trap here is that candidates confuse scan rate adjustments (timing templates) or stealth techniques (SYN scan) with the ability to prevent service disruption, when in fact only disabling intrusive checks directly addresses the crashing issue.

How to eliminate wrong answers

Option A is wrong because enabling SYN scan (a half-open scan) only changes the TCP handshake method to reduce network noise and avoid connection logging, but it does not prevent the scanner from sending exploit payloads that crash services. Option B is wrong because adjusting the scan timing template to a slower rate reduces packet transmission speed to avoid network congestion or IDS alerts, but it does not disable the intrusive exploit attempts that cause service crashes. Option D is wrong because increasing the port range to include high ports expands the scope of the scan to discover more services, but it does not mitigate the aggressive exploitation behavior that crashes services.

231
MCQmedium

A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows system. The tester wants to use a rule-based attack to maximize cracking success. Which Hashcat mode should be used for NTLM hashes?

A.-m 1000
B.-m 1100
C.-m 3000
D.-m 5500
AnswerA

Mode 1000 is specifically for NTLM hashes, which is the correct choice for cracking NTLM.

Why this answer

Hashcat mode -m 1000 is NTLM, the MD4 hash of the UTF-16LE-encoded password that Windows stores in the local SAM and, for domain accounts, in NTDS.dit. A rule-based attack with this mode applies transformation rules (capitalization, appended digits and symbols, reversal, and so on) to each wordlist entry to generate candidate passwords, maximizing cracking success by leveraging common password patterns and mutations. NTLM is unsalted and fast to compute, which is why even long wordlists with large rule sets finish quickly.

Exam trap

The trap here is confusing NTLM hashes (mode 1000) with NetNTLMv1 (mode 5500) or other Windows-related hash types, as candidates often mix up local authentication hashes with network authentication challenge-response hashes.

How to eliminate wrong answers

Option B (-m 1100) is wrong because it corresponds to Domain Cached Credentials (DCC), also known as MS Cache Hash, not NTLM. Option C (-m 3000) is wrong because it is used for LM (LAN Manager) hashes, an older and weaker Windows hash format. Option D (-m 5500) is wrong because it is used for NetNTLMv1 hashes, which are challenge-response hashes used in network authentication, not the local NTLM hash stored in the SAM.
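The NTLM mode and rule-based attack above, as an added example (not from the question bank and not hashcat's code): a Python NTLM implementation (MD4 over the UTF-16LE password, written out because OpenSSL 3 builds of Python often lack hashlib.new("md4")), a minimal interpreter for a subset of hashcat rule functions, and a dictionary-plus-rules pass over a constructed pwdump-style hash dump. The dump, wordlist and rules are constructed sample data; alice's hash is the well-known NTLM of "password". The equivalent hashcat invocation would be hashcat -m 1000 -a 0 hashes.txt wordlist.txt -r rules.rule (add --username if the hash file keeps the user:rid:lm:nt::: form).

```python
"""NTLM (hashcat -m 1000) hashing plus a rule-based dictionary attack.

Added example; not from the question bank and not hashcat's own code.
NTLM = MD4(UTF-16LE(password)). MD4 is implemented inline because OpenSSL 3
builds of Python often ship without hashlib.new("md4"). The hash dump,
wordlist and rules below are constructed sample data.
"""
import struct

_M = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M

# One entry per MD4 round (RFC 1320 section 3.4): boolean function,
# additive constant, message-word order, per-step shift amounts.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, k, order, shifts in _ROUNDS:
            for i in range(16):
                u = (-i) % 4                      # update a, d, c, b, a, d, ...
                x, y, z = (v[(u + j) % 4] for j in (1, 2, 3))
                v[u] = _rol((v[u] + fn(x, y, z) + X[order[i]] + k) & _M,
                            shifts[i % 4])
        h = [(a + b) & _M for a, b in zip(h, v)]
    return struct.pack("<4I", *h)

def ntlm(password: str) -> str:
    """NT hash (uppercase hex; hashcat accepts either case)."""
    return md4(password.encode("utf-16-le")).hex().upper()

# Subset of hashcat rule functions: word and argument in, word out.
_RULE_FN = {
    ":": lambda w, a: w,                                 # no-op
    "l": lambda w, a: w.lower(),
    "u": lambda w, a: w.upper(),
    "c": lambda w, a: w[:1].upper() + w[1:].lower(),     # capitalize
    "r": lambda w, a: w[::-1],                           # reverse
    "d": lambda w, a: w * 2,                             # duplicate
    "$": lambda w, a: w + a,                             # append char
    "^": lambda w, a: a + w,                             # prepend char
}

def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat rule line (space-separated functions)."""
    for fn in rule.split():
        word = _RULE_FN[fn[0]](word, fn[1:])   # KeyError = unsupported function
    return word

def parse_pwdump(text: str) -> dict:
    """user:rid:lmhash:nthash::: lines -> {NTHASH: user}."""
    targets = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            targets[parts[3].upper()] = parts[0]
    return targets

def crack(targets: dict, wordlist, rules) -> dict:
    """Dictionary + rules attack; returns {user: plaintext} for every hit."""
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            user = targets.get(ntlm(candidate))
            if user and user not in found:
                found[user] = candidate
    return found

# Constructed sample dump. alice's NT hash is the well-known NTLM of "password";
# the other two are generated here so the example stays self-contained.
SAMPLE_DUMP = "\n".join([
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:8846F7EAEE8FB117AD06BDD830B7586C:::",
    "bob:1002:aad3b435b51404eeaad3b435b51404ee:" + ntlm("Winter2024!") + ":::",
    "svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:" + ntlm("SQLSQL") + ":::",
])
WORDLIST = ["password", "winter2024", "sql", "letmein"]
RULES = [":", "c", "c $!", "u d", "$1"]

if __name__ == "__main__":
    for user, pw in crack(parse_pwdump(SAMPLE_DUMP), WORDLIST, RULES).items():
        print(f"{user}: {pw}")
```

The rules are what turn a four-word list into hits on "Winter2024!" and "SQLSQL"; hashcat's shipped rule files (best64.rule, dive.rule) are the same idea at scale, and because NTLM is unsalted every candidate is hashed once and compared against the whole dump.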

232
MCQmedium

A penetration tester is conducting passive reconnaissance on a target organization using Google dorking. The tester wants to find PDF documents that may contain usernames and passwords. Which Google search query is most appropriate for this task?

A.site:target.com filetype:pdf password
B.site:target.com username password
C.site:target.com filetype:xls password
D.site:target.com intitle:'index of' password
AnswerA

This query restricts results to the target domain, only PDF files, and pages containing the word 'password'. It is the most direct way to find potential credential disclosures in PDF format.

Why this answer

Option A is correct because it uses the `filetype:pdf` operator to specifically target PDF documents, combined with the keyword `password` to find files likely containing credentials. Google dorking with `site:target.com` restricts results to the target domain, making this query efficient for passive reconnaissance of exposed sensitive information in PDFs.

Exam trap

CompTIA often tests the distinction between operators that filter by file type (`filetype:`) versus those that search for directory structures (`intitle:'index of'`), causing candidates to confuse passive reconnaissance techniques for document discovery with those for directory enumeration.

How to eliminate wrong answers

Option B is wrong because it lacks the `filetype:` operator, so it returns general web pages containing the words 'username' and 'password' rather than specific document files. Option C is wrong because it targets `filetype:xls` (Excel files), not PDF documents as specified in the question. Option D is wrong because `intitle:'index of'` is used to find directory listings, not PDF documents, and it does not include `filetype:pdf` to filter for PDFs.

233
MCQmedium

A client requests a penetration test of their production environment, which includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A.A detailed schedule of every attack method to be used
B.A clause stating that testing will stop immediately if any service degradation is detected
C.A scope that limits testing to off-peak hours and includes a rollback plan for any changes
D.A list of all tools and versions that will be used during the test
AnswerC

Testing during low-usage periods and having a rollback plan directly reduces the risk of impacting live transactions.

Why this answer

Option C is correct because it directly addresses the client's concern about service disruptions by limiting testing to off-peak hours and including a rollback plan. This ensures that any changes made during the test can be reversed quickly, minimizing the risk to critical financial transaction systems. The Rules of Engagement (RoE) must balance thorough testing with operational stability, and this scope provision achieves that.

Exam trap

CompTIA often tests the misconception that immediate stoppage upon any degradation (Option B) is the best safeguard, but the trap is that this lacks measurable criteria and could halt testing unnecessarily, whereas a well-defined scope with off-peak hours and rollback plans is the correct, proactive approach.

How to eliminate wrong answers

Option A is wrong because a rigid schedule of every attack method is impractical and does nothing by itself to limit disruption; the RoE should define the permitted classes of testing and the constraints on them, since testers need flexibility to adapt to findings. Option B is wrong because a clause to stop testing immediately upon any service degradation is too vague and reactive; it lacks predefined thresholds for what constitutes degradation, potentially causing premature termination without proper analysis. Option D is wrong because listing all tools and versions is unnecessary for the RoE; while a tool inventory may be part of a separate agreement, the RoE focuses on scope, constraints, and legal boundaries, not granular tool details.

234
MCQmedium

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

A.State 'Upgrade the software to the latest version'
B.Provide a step-by-step guide including commands, patches, and configuration changes
C.Recommend applying vendor-supplied patches but do not include specific versions
D.Suggest hiring a third-party consultant to fix the issue
AnswerB

This gives the client a clear path to remediation, reducing the chance of misinterpretation and ensuring the vulnerability is properly addressed.

Why this answer

Option B is correct because a penetration test report must provide actionable remediation that the client can implement immediately. A step-by-step guide with specific commands, patch identifiers, and configuration changes ensures the client can verify and apply the fix without ambiguity, which is critical for a high-severity vulnerability.

Exam trap

The trap here is that candidates often choose Option A or C because they seem efficient, but the exam emphasizes that a penetration test report must be actionable and specific, not generic or reliant on external parties.

How to eliminate wrong answers

Option A is wrong because stating 'Upgrade to the latest version' is too vague; it does not specify the exact version number, patch level, or any prerequisite steps, leaving room for misinterpretation or incomplete remediation. Option C is wrong because recommending vendor-supplied patches without specific version numbers fails to address the exact vulnerable component; the client may apply an outdated or incorrect patch, leaving the vulnerability unmitigated. Option D is wrong because suggesting a third-party consultant shifts responsibility without providing any technical guidance; the report should empower the client's own team to act, not defer action to an external party.

235
Drag & Dropmedium

Drag and drop the steps to perform a DNS enumeration using dig into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

DNS enumeration starts with basic queries, then specific records, zone transfer attempt, and analysis.

236
MCQmedium

A client with a hybrid infrastructure (on-premises and cloud IaaS) requests a penetration test covering both environments. The cloud provider's terms of service require notification and restrict scanning to specific IP ranges. In which document should these constraints be documented?

A.Non-Disclosure Agreement (NDA)
B.Rules of Engagement (ROE)
C.Penetration Testing Report
D.Scope of Work (SOW)
AnswerB

The ROE is the correct document to specify constraints like notification requirements and allowed IP ranges.

Why this answer

The Rules of Engagement (ROE) document is the authoritative source for defining the legal and technical boundaries of a penetration test, including provider-mandated constraints such as notification requirements and restricted IP ranges. In a hybrid infrastructure with cloud IaaS, the ROE must explicitly list the allowed source IPs, target CIDR blocks, and any time windows or rate limits imposed by the cloud provider to ensure compliance with their terms of service. This document is signed by both the client and the testing team before any testing begins, making it the correct place to document these operational constraints.

Exam trap

CompTIA often tests the distinction between the SOW (high-level scope) and the ROE (detailed operational rules), so the trap here is that candidates confuse the SOW's 'what' with the ROE's 'how' and 'under what constraints'.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) only governs confidentiality of information shared between parties, not the technical or operational boundaries of the test. Option C is wrong because the Penetration Testing Report is a post-engagement deliverable that summarizes findings and remediation steps; it does not define pre-engagement constraints like IP ranges or notification requirements. Option D is wrong because the Scope of Work (SOW) defines the high-level objectives, deliverables, and timelines of the engagement, but it does not contain the granular operational rules (e.g., specific IP ranges, scanning windows, or provider-mandated restrictions) that belong in the ROE.

237
MCQmedium

After the penetration test, the client requests a one-page summary of the test's scope, key findings, and recommended next steps for the board of directors. Which document should the penetration tester provide?

A.Executive Summary
B.Detailed Technical Report
C.Vulnerability Scan Report
D.Remediation Plan
AnswerA

The executive summary is designed for leadership, offering a high-level view of the engagement's outcome and action items.

Why this answer

The executive summary is specifically designed to provide a high-level overview of the penetration test's scope, key findings, and recommended next steps for non-technical stakeholders like the board of directors. It distills complex technical details into business-focused language, enabling informed decision-making without requiring deep cybersecurity expertise.

Exam trap

The trap here is that candidates confuse the executive summary with the detailed technical report, assuming the board needs full technical evidence, when in fact the board requires a concise, business-impact-focused narrative that omits exploit details.

How to eliminate wrong answers

Option B is wrong because the detailed technical report contains in-depth exploit chains, raw logs, and system-level data that would overwhelm a board of directors and is intended for technical teams. Option C is wrong because a vulnerability scan report is an automated output listing CVEs and severity scores, lacking the manual exploitation context and business risk analysis required for a penetration test summary. Option D is wrong because a remediation plan focuses solely on step-by-step fix instructions for technical staff, omitting the scope and high-level findings needed for executive review.

238
MCQmedium

A penetration tester is using theHarvester tool to gather information about a target domain. The tester wants to collect email addresses and subdomains from public search engines and PGP key servers. Which source is theHarvester commonly configured to use for this passive reconnaissance?

A.Direct DNS zone transfer
B.Shodan
C.Baidu
D.Google and Bing search engines
AnswerD

theHarvester typically uses public search engines like Google and Bing, as well as PGP key servers, to find email addresses and subdomains in a passive manner.

Why this answer

Option D is correct because theHarvester is specifically designed to perform passive reconnaissance by querying public search engines (like Google and Bing) and PGP key servers to collect email addresses, subdomains, and other open-source intelligence (OSINT). It does not initiate direct connections to the target's infrastructure, making it a passive tool. The default configuration often includes Google and Bing as primary sources for this data.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with active techniques like DNS zone transfers (Option A) or assume Shodan (Option B) is theHarvester's default source, when in fact theHarvester's core email and subdomain discovery relies on traditional search engines and PGP key servers; Shodan is an optional, API-key-gated source.

How to eliminate wrong answers

Option A is wrong because a direct DNS zone transfer is an active reconnaissance technique that requires a misconfigured DNS server to allow AXFR requests, whereas theHarvester performs passive reconnaissance without interacting with the target's DNS servers. Option B is wrong because Shodan is a search engine for internet-connected devices and services; theHarvester can query it only as an optional source that needs an API key, so it is not the commonly configured path for email and subdomain collection. Option C is wrong because, while Baidu is a search engine theHarvester can query, common configurations prioritize Google and Bing for their broader coverage.

239
MCQmedium

A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?

A.Domain Admin
B.Any domain user
C.Local Administrator on the domain controller
D.Enterprise Admin
AnswerB

Any authenticated user in the domain can request service tickets, making Kerberoasting a low-privilege attack vector.

Why this answer

Kerberoasting abuses the TGS-REQ/TGS-REP exchange: any authenticated domain user can request a service ticket for any service principal name (SPN) registered in Active Directory. The KDC returns the ticket encrypted with a key derived from the service account's password (for RC4-HMAC tickets this is the account's NT hash), and the attacker cracks that ciphertext offline with hashcat or John the Ripper. No privilege beyond a valid domain account is needed because issuing a service ticket is part of normal Kerberos authentication; authorization is enforced by the service, not by the KDC at ticket issuance.

Exam trap

CompTIA often tests the misconception that Kerberoasting requires administrative privileges, when in fact any authenticated domain user can request service tickets because the KDC performs no authorization check at the TGS request stage; access control happens later, at the service.

How to eliminate wrong answers

Option A is wrong because Domain Admin privileges are not needed; Kerberoasting only requires the ability to authenticate to the domain, and Domain Admin is an overprivileged role that would expose the attacker to more detection. Option C is wrong because Local Administrator on the domain controller is irrelevant; the attack does not require local administrative access to any machine, as the TGS request is made over the network to the domain controller. Option D is wrong because Enterprise Admin is a forest-wide administrative role; Kerberoasting can be performed by any authenticated domain user without any elevated group membership.

240
MCQhard

A client is subject to PCI DSS compliance and requests a penetration test. The client's network has a mix of in-scope systems (cardholder data environment) and out-of-scope systems. During scoping, the tester recommends a specific approach to ensure accurate segmentation testing. Which of the following is the most important consideration for the rules of engagement?

A.The tester must have network access to both in-scope and out-of-scope systems
B.The tester must be provided with a diagram of the network segmentation
C.The tester must agree not to scan any out-of-scope IP addresses
D.The tester must obtain written authorization from the client's security team
AnswerB

A segmentation diagram defines the boundaries and is essential for the tester to plan and conduct tests that verify isolation between CDE and other networks.

Why this answer

For accurate segmentation testing under PCI DSS, the tester must verify that the segmentation controls (e.g., firewalls, VLANs, ACLs) effectively isolate the cardholder data environment (CDE) from out-of-scope systems. A network diagram is essential because it documents the expected segmentation boundaries, IP ranges, and traffic flows, allowing the tester to design targeted tests (e.g., traceroute, Nmap scans launched from each out-of-scope segment toward the CDE, and firewall rule validation) to confirm that no unauthorized paths exist between segments. Without this diagram, the tester cannot determine which systems should be reachable and which should be blocked, making segmentation validation unreliable.

Exam trap

The trap here is that candidates confuse the need for a network diagram (a scoping/planning artifact) with operational restrictions like not scanning out-of-scope IPs, but PCI DSS segmentation testing explicitly requires launching probes from those out-of-scope segments to prove the CDE is isolated from them.

How to eliminate wrong answers

Option A is wrong because unrestricted access to both sides is not what segmentation testing requires; the tester is positioned on out-of-scope segments and attempts to reach the CDE from there (and checks the reverse direction if the client wants egress validated), so what matters is knowing where those segments and boundaries are, which the diagram provides. Option C is wrong because the tester must scan from out-of-scope IP ranges into the CDE as the core of segmentation testing, specifically to confirm that those segments cannot reach CDE systems; agreeing never to touch out-of-scope addresses would prevent the validation itself. Option D is wrong because written authorization from the client's security team is a general legal/contractual requirement for any penetration test, not a specific consideration for segmentation testing; the question asks for the most important consideration for the rules of engagement regarding segmentation.
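How the diagram turns into a test, as an added example (not from the question bank): the diagram yields an allow-list of the flows that should work from an out-of-scope segment into the CDE; an Nmap scan run from that segment yields what actually answers; the difference is the list of segmentation failures. The grepable scan output, CDE range and allow-list below are constructed sample data, not real scan results.

```python
"""Diff an nmap -oG (grepable) scan taken from an out-of-scope segment against
the segmentation policy derived from the client's network diagram.

Added example, not from the question bank. The scan output, CDE range and
allow-list are constructed; on an engagement feed in the real .gnmap file
and the expected flows from the diagram.
"""
import ipaddress

# Constructed nmap -oG output: a full TCP scan of the CDE range launched from the
# corporate workstation VLAN (out of scope). Fields are tab-separated as nmap writes them.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sS -p- -oG cde_from_corp.gnmap 10.10.20.0/24",
    "Host: 10.10.20.5 ()\tStatus: Up",
    "Host: 10.10.20.5 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (65534)",
    "Host: 10.10.20.9 ()\tStatus: Up",
    "Host: 10.10.20.9 ()\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (65533)",
    "Host: 10.10.30.7 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (65534)",
    "# Nmap done",
])

# From the diagram: the only flow permitted from the workstation VLAN into the CDE
# is HTTPS to the payment web front end.
CDE_NET = "10.10.20.0/24"
ALLOWED_FLOWS = {("10.10.20.5", 443, "tcp")}

def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service), ...]} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5:
                continue
            hosts.setdefault(ip, []).append((int(fields[0]), fields[1], fields[2], fields[4]))
    return hosts

def segmentation_violations(gnmap_text, cde_net, allowed):
    """Open ports on CDE hosts that the policy does not allow from the scanning segment."""
    net = ipaddress.ip_network(cde_net)
    violations = []
    for ip, ports in parse_gnmap(gnmap_text).items():
        if ipaddress.ip_address(ip) not in net:
            continue                 # an out-of-scope host answering is not a CDE breach
        for port, state, proto, service in ports:
            if state == "open" and (ip, port, proto) not in allowed:
                violations.append((ip, port, proto, service))
    return sorted(violations)

if __name__ == "__main__":
    for ip, port, proto, service in segmentation_violations(SAMPLE_GNMAP, CDE_NET, ALLOWED_FLOWS):
        print(f"VIOLATION: {ip}:{port}/{proto} ({service}) reachable from out-of-scope segment")
```

Repeat the scan from every out-of-scope segment the diagram shows (guest Wi-Fi, corporate LAN, vendor VPN landing zone); each one has its own allow-list, and a SQL Server or SSH port answering from a workstation VLAN, as in the sample, is exactly the finding a PCI segmentation test exists to produce.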

241
MCQeasy

A penetration tester has discovered a critical SQL injection vulnerability in a web application. The developer team will fix the issue. Which level of detail is most appropriate for this audience?

A.Provide the CVSS score and a brief description.
B.Include the full proof-of-concept code and the exact HTTP requests used.
C.Describe the business impact in financial terms.
D.List all findings in a bullet-point summary without additional context.
AnswerB

This level of detail allows developers to reproduce the vulnerability step-by-step, identify the vulnerable code, and apply the correct fix.

Why this answer

Option B is correct because the developer team needs the exact technical details to reproduce and fix the vulnerability. Providing the full proof-of-concept code and exact HTTP requests allows developers to understand the injection point, the payload structure, and the vulnerable parameter, enabling them to implement a precise fix such as parameterized queries or input validation.

Exam trap

The trap here is that candidates may choose a high-level summary (like CVSS score or business impact) thinking it is sufficient for all audiences, but the PT0-002 exam emphasizes tailoring the level of detail to the recipient's role—developers need technical specifics to remediate, not just risk scores or financial context.

How to eliminate wrong answers

Option A is wrong because a CVSS score and brief description provide only a severity rating and high-level summary, which lacks the technical specifics (e.g., vulnerable parameter, injection syntax) developers need to remediate the SQL injection. Option C is wrong because describing business impact in financial terms is relevant for management or stakeholders, not for developers who require technical details to fix the code. Option D is wrong because a bullet-point summary without context omits critical information like the exact HTTP requests, payloads, and vulnerable endpoints, leaving developers without enough detail to reproduce or patch the vulnerability.

242
Multi-Selectmedium

A web application test must cover OWASP Top 10. Which THREE should be explicitly included? (Choose three.)

Select 3 answers
A.SQL injection testing
B.Directory traversal testing
C.Cross-site scripting (XSS) testing
D.Buffer overflow testing
E.Broken authentication testing
AnswersA, C, E

In OWASP Top 10.

Why this answer

Options A, C, and E are correct because injection (SQL injection), cross-site scripting, and broken authentication (now listed as Identification and Authentication Failures) are long-standing OWASP Top 10 items; in the 2021 list XSS is folded into the Injection category rather than listed on its own. Option D is wrong because buffer overflows are a native-code memory-safety issue, not a web application category in the Top 10. Option B is wrong because directory (path) traversal is covered under Broken Access Control rather than as its own Top 10 entry.

243
Multi-Selecthard

Which TWO of the following are benefits of using a fuzzing tool during the code analysis phase of a penetration test? (Select TWO.)

Select 2 answers
A.Replaces the need for static code analysis
B.Identifies input validation vulnerabilities
C.Validates authentication mechanisms
D.Reveals crashes or error conditions that may indicate exploitable bugs
E.Guarantees 100% code coverage
AnswersB, D

Fuzzing sends unexpected inputs to trigger validation flaws.

Why this answer

Fuzzing discovers input validation flaws (B) and reveals crashes or error conditions that often indicate memory-safety or logic bugs (D). It does not replace static code analysis (A), it does not validate authentication mechanisms (C), and it cannot guarantee full code coverage (E), since it only exercises the paths its generated inputs happen to reach. It may surface buffer overflows, but those are a subset of input validation issues.

244
MCQhard

Which of the following best describes the purpose of a return-oriented programming (ROP) chain?

A.Bypass Data Execution Prevention (DEP)
B.Bypass Address Space Layout Randomization (ASLR)
C.Evade antivirus detection
D.Execute shellcode directly
AnswerA

ROP chains execute payloads without injecting code, bypassing DEP.

Why this answer

Option A is correct because a ROP chain reuses short instruction sequences ('gadgets') already present in executable memory, so the attacker never runs injected code and DEP/NX is sidestepped. Option B is wrong because ROP needs the gadget addresses to be known; ASLR is defeated separately, typically by an information leak or a non-randomized module, and only then can the chain be built. Option D is wrong because ROP is what you use precisely when shellcode cannot be executed directly; at most a chain ends by making a region executable (e.g. via mprotect or VirtualProtect) and jumping into shellcode.

Option C is wrong because antivirus evasion is not the purpose of ROP, even if some payload stagers use it.

245
Multi-Selecthard

Which THREE of the following are best practices for writing a penetration test report?

Select 3 answers
A.Organize findings by severity and likelihood
B.Include a glossary of terms for non-technical readers
C.Use technical jargon to demonstrate expertise
D.Provide clear remediation steps for each finding
E.Include all vulnerabilities discovered even if they are duplicates or false positives
AnswersA, B, D

Prioritizing findings helps the client focus on the most critical risks first.

Why this answer

Options A, B, and D are correct. Organizing findings by severity and likelihood (A) lets the client prioritize. A glossary (B) keeps the report usable for non-technical readers. Clear remediation steps for each finding (D) make the report something the client can act on.

Option E is wrong because duplicates and false positives should be removed or consolidated during validation rather than padding the report. Option C is wrong because jargon for its own sake hinders communication with the report's mixed audience.

246
MCQhard

During a penetration test for a financial institution, the tester discovers that a third-party vendor's system is vulnerable and could expose customer PII. The tester is unsure if the vendor is within scope. How should the tester proceed?

A.Perform additional testing on the vendor system to confirm the vulnerability
B.Ignore the finding since it is out of scope
C.Include the vulnerability in the final report as a high-risk finding
D.Communicate with the client to clarify whether the vendor is in scope
AnswerD

Clarifies boundaries before reporting.

Why this answer

Option D is correct because the tester should immediately contact the client to clarify scope; reporting an out-of-scope finding could violate boundaries. Option C is premature and could cause legal issues. Option B is too passive.

Option A is incorrect because the tester should not test out-of-scope systems.

247
MCQhard

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?

A.Heap spraying to predict memory layout and inject shellcode
B.Return-oriented programming (ROP) using the fixed gadgets
C.Stack canary bypass using information leak
D.Format string attack to overwrite GOT entries
AnswerB

ROP uses fixed gadgets to create a chain that bypasses NX and, with fixed addresses, can also bypass ASLR.

Why this answer

Return-oriented programming (ROP) is the correct technique because ASLR and NX are both enabled, preventing direct shellcode execution and making memory addresses unpredictable. However, the tester found a ROP gadget at a fixed address in a library not affected by ASLR, allowing the construction of a chain of gadgets to achieve arbitrary code execution without needing to inject or execute shellcode on the stack.

Exam trap

The trap here is that candidates may choose heap spraying (Option A) thinking it bypasses ASLR, but they forget that NX still blocks shellcode execution, making ROP the only viable technique when fixed gadgets are available.

How to eliminate wrong answers

Option A is wrong because heap spraying is used to increase the predictability of heap memory layout for exploiting use-after-free or heap-based vulnerabilities, but it does not bypass NX (which prevents shellcode execution) and does not leverage fixed-address ROP gadgets. Option C is wrong because a stack canary bypass using an information leak addresses stack smashing protection but does not overcome NX or ASLR; it would still require a method to execute code, which ROP provides. Option D is wrong because a format string attack can overwrite GOT entries to redirect execution, but it does not inherently bypass NX or ASLR unless combined with other techniques, and the question specifies that a fixed-address ROP gadget is available, making ROP the direct and intended approach.

248
MCQmedium

A penetration tester gained low-privileged access to a Linux server and found that the user can run a custom script located at /opt/tool/backup.sh with setuid root. The script begins with a hashbang #!/bin/bash and uses an internal variable defined as BASEDIR=$(dirname $0) to determine paths. Which technique is most likely to allow privilege escalation?

A.Modify the $0 variable during execution
B.Create a malicious executable named 'dirname' in a directory earlier in the PATH
C.Overwrite /opt/tool/backup.sh with a reverse shell
D.Exploit a buffer overflow in the Bash interpreter
AnswerB

Since the script uses $(dirname $0) without an absolute path, the system searches PATH for 'dirname'. If the attacker puts a malicious 'dirname' script in a writable directory earlier in PATH, it will be executed as root.

Why this answer

Option B is correct because the script uses `BASEDIR=$(dirname $0)` to resolve paths. If the user can place a malicious executable named `dirname` earlier in the PATH than the legitimate `/usr/bin/dirname`, then when the script runs with setuid root, the shell will execute the attacker's `dirname` binary instead, allowing arbitrary code execution as root.

Exam trap

The trap here is that candidates may focus on modifying `$0` (Option A) or overwriting the script (Option C), but the actual vulnerability lies in the insecure use of a relative command (`dirname`) within a setuid script, which allows PATH hijacking.

How to eliminate wrong answers

Option A is wrong because the `$0` variable is set by the shell to the script's path (e.g., `/opt/tool/backup.sh`) and cannot be modified by the user during execution; it is read-only in this context. Option C is wrong because the user has only low-privileged access and cannot overwrite `/opt/tool/backup.sh` (owned by root) without already having root privileges. Option D is wrong because there is no indication of a buffer overflow vulnerability in the Bash interpreter; the script is a simple shell script, and the attack vector is PATH hijacking, not memory corruption.
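A defender's check for the pattern in this question, added here as an example and not code from the question bank: it scans a shell script for commands that will be resolved through PATH lookup and reports whether the script pins PATH itself. The two script bodies are constructed to mirror /opt/tool/backup.sh; the builtin/keyword list is an assumption.

```python
import re

# Added example (not code from the question bank): a small static check for the
# PATH-hijack pattern this question describes, i.e. a privileged shell script
# that resolves a command such as `dirname` by bare name through PATH lookup.
# The two script bodies below are constructed to mirror /opt/tool/backup.sh.

# $( cmd ... ) and `cmd ...` command substitutions
_SUBST_RE = re.compile(r"\$\(\s*([^\s()]+)|`\s*([^\s`]+)")
# VAR=value or export VAR=value at the start of a line
_ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?[A-Za-z_]\w*=")
# A hardened script pins PATH to trusted directories before any lookup
_PATH_PIN_RE = re.compile(r"^\s*(?:export\s+)?PATH=['\"]?/", re.M)

# Shell builtins/keywords are not resolved through PATH (assumed list).
NOT_LOOKED_UP = {"echo", "printf", "cd", "test", "[", "set", "export", "read",
                 "exit", "if", "then", "else", "elif", "fi", "for", "while",
                 "do", "done", "case", "esac", "return", "local"}

def _looked_up(cmd):
    """True when the shell would search PATH for this command name."""
    return "/" not in cmd and cmd not in NOT_LOOKED_UP and cmd[0] not in "$'\"("

def find_unqualified_commands(script_text):
    """Return (line_no, command) for every command resolved via PATH."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # First word of a simple command line (assignment lines have none).
        if not _ASSIGN_RE.match(stripped):
            first = stripped.split()[0]
            if _looked_up(first):
                findings.append((line_no, first))
        # Commands inside $(...) / `...`, e.g. BASEDIR=$(dirname $0)
        for m in _SUBST_RE.finditer(line):
            cmd = m.group(1) or m.group(2)
            if _looked_up(cmd):
                findings.append((line_no, cmd))
    return findings

def audit(script_text):
    """Unqualified commands are only hijackable through PATH when the script
    does not pin PATH itself."""
    unqualified = find_unqualified_commands(script_text)
    pinned = bool(_PATH_PIN_RE.search(script_text))
    return {"unqualified": unqualified, "path_pinned": pinned,
            "hijackable": bool(unqualified) and not pinned}

# Constructed: the pattern from the question
VULNERABLE = """#!/bin/bash
BASEDIR=$(dirname $0)
tar czf $BASEDIR/backup.tgz /etc
"""

# Constructed: same job with PATH pinned and commands called by absolute path
HARDENED = """#!/bin/bash
export PATH=/usr/bin:/bin
BASEDIR=$(/usr/bin/dirname -- "$0")
/bin/tar czf "$BASEDIR/backup.tgz" /etc
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(text))
```

Linux ignores the setuid bit on interpreted scripts, so in practice this pattern is reached through a setuid wrapper binary or a sudo rule that preserves the caller's PATH; the check applies equally in those cases.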

249
MCQeasy

A penetration tester is preparing the executive summary of a penetration test report. Which of the following BEST describes the primary audience and appropriate level of technical detail?

A.A narrative of the testing methodology for other penetration testers.
B.High-level findings and business impact for management and executives.
C.Detailed technical analysis for system administrators.
D.Step-by-step exploitation procedures for developers.
AnswerB

Executives need a summary of risks and business implications without technical jargon.

Why this answer

Option B is correct because the executive summary targets non-technical stakeholders who need a high-level overview of risks and business impact. Option A is wrong because the audience is not primarily the testers. Option C is wrong because it should avoid deep technical details.

Option D is wrong because the executive summary is not for technical staff.

250
MCQeasy

A penetration tester is analyzing a Python script that uses the 'paramiko' library. The script reads a list of IP addresses from a file and attempts to connect to each host using the same username and a list of common passwords. Which attack technique is the script most likely performing?

A.Brute-force attack against SSH credentials
B.SQL injection attack against a database
C.Cross-site scripting (XSS) attack against a web application
D.ARP spoofing attack to intercept network traffic
AnswerA

The script iterates over hosts and passwords, attempting SSH authentication with 'paramiko'. This is the definition of a brute-force attack on SSH credentials.

Why this answer

The script uses the 'paramiko' library, which is a Python implementation of the SSHv2 protocol. By reading a list of IP addresses and attempting connections with the same username and a list of common passwords, it is performing a brute-force attack against SSH credentials. This technique systematically tries multiple password guesses to gain unauthorized access to SSH services.

Exam trap

The trap here is that candidates may confuse the paramiko library with general network scripting and incorrectly associate it with web attacks like SQL injection or XSS, rather than recognizing it as an SSH-specific library used for credential brute-forcing.

How to eliminate wrong answers

Option B is wrong because SQL injection targets database queries via input fields, not SSH connections using paramiko. Option C is wrong because cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users, and has no relation to SSH authentication attempts. Option D is wrong because ARP spoofing manipulates the Address Resolution Protocol to intercept network traffic at Layer 2, and does not involve password guessing against SSH services.

251
MCQeasy

After completing a penetration test, the client's board of directors requests a document that provides a high-level overview of the test's objectives, key findings, and business impact. Which section of the standard penetration testing report should be produced for this audience?

A.Executive Summary
B.Technical Findings Section
C.Methodology Section
D.Appendix with Logs
AnswerA

The executive summary is the appropriate section for a non-technical audience to understand overall risk and impact.

Why this answer

The executive summary is the section of a penetration testing report designed for non-technical stakeholders, such as the board of directors. It provides a high-level overview of the test's objectives, key findings, and business impact, avoiding technical jargon and focusing on risk and remediation priorities. This aligns with the PT0-002 objective of tailoring communication to the audience.

Exam trap

The trap here is that candidates confuse the 'Executive Summary' with the 'Technical Findings Section,' thinking the board needs detailed exploit proof-of-concepts, when in fact the board requires only business-level risk context and strategic recommendations.

How to eliminate wrong answers

Option B is wrong because the Technical Findings Section contains detailed vulnerability descriptions, exploit steps, and raw data (e.g., CVSS scores, CVE references) that are too technical for a board-level audience. Option C is wrong because the Methodology Section describes the tools and techniques used (e.g., Nmap scanning, Metasploit modules), which is operational detail irrelevant to business impact. Option D is wrong because the Appendix with Logs includes raw output (e.g., packet captures, system logs) that is only useful for technical remediation teams, not for high-level decision-making.

252
MCQmedium

A penetration tester is performing an internal network assessment and needs to quickly identify all live hosts and their open ports across a large subnet (10.0.0.0/16). The tester wants to minimize network disruption and avoid IDS detection. Which tool and technique should the tester use?

A.Use nmap with -sT (TCP connect scan) and -p- (all ports) on the entire subnet
B.Use masscan with a low rate (--rate=100) to scan all ports on all IPs
C.Use a combination of ping sweep with fping followed by nmap -sS (SYN scan) on discovered hosts
D.Use netcat to perform a sequential port scan on each IP in the subnet
AnswerC

Reduces scope and uses stealthy SYN scan, minimizing detection.

Why this answer

Option C is correct because it reduces the scan scope with a ping sweep, then uses a stealthy SYN scan to identify open ports, minimizing traffic and detection risk. Option A scans all ports with a connect scan, which is noisy. Option D is extremely slow and inefficient.

Option B (masscan) is fast but less stealthy and may still trigger alerts.

253
MCQhard

During an internal penetration test, a tester gains a shell as the 'www-data' user on a Linux server. The server runs a PHP web application that connects to a PostgreSQL database using credentials stored in a config file. The tester discovers that the PostgreSQL server trusts all local connections (no password required) and that the web application's database user has the 'CREATEFUNC' privilege. Which technique is most effective for escalating privileges to database administrator (superuser) and executing system commands as the database service account?

A.Use the stored credentials to log in as the web application user and run SELECT * FROM pg_shadow; to extract password hashes of other users.
B.Create a PostgreSQL function using a trusted language like Python or Perl that executes arbitrary system commands, then run it.
C.Exploit a kernel vulnerability to gain root access and then dump the database files.
D.Use the 'sudo' command to switch to the postgres user if the www-data user has sudo privileges.
AnswerB

This technique leverages CREATEFUNC to run shell commands as the database service account, enabling privilege escalation.

Why this answer

Option B is correct because the 'CREATEFUNC' privilege allows the web application database user to create user-defined functions in PostgreSQL. By creating a function in a trusted language (e.g., Python, Perl, or C) that executes arbitrary system commands, the tester can run those commands with the privileges of the database service account (e.g., 'postgres'), effectively escalating to superuser-level control and executing system commands without needing a password.

Exam trap

The trap here is that candidates may overlook the direct power of 'CREATEFUNC' in PostgreSQL and instead focus on password extraction (Option A) or generic kernel exploits (Option C), missing that database-level function creation is the most efficient and immediate escalation path.

How to eliminate wrong answers

Option A is wrong because querying pg_shadow extracts password hashes but does not directly escalate to superuser or execute system commands; it only provides hashes that would need to be cracked, and the web application user already has CREATEFUNC, making function creation a more direct path. Option C is wrong because exploiting a kernel vulnerability is unnecessary and less efficient; the tester already has a shell and can leverage database privileges to escalate without kernel exploits. Option D is wrong because the 'sudo' command requires the www-data user to have specific sudo privileges (e.g., to run commands as postgres), which is not indicated in the scenario; the tester has no evidence of sudo access.

254
MCQhard

You are a penetration tester performing an internal assessment of a corporate network. The network consists of a Windows Active Directory domain with Windows 10 clients and Windows Server 2019 servers. The goal is to escalate privileges from a standard domain user to domain administrator. You have obtained initial access to a workstation as a low-privileged user named 'jdoe'. During reconnaissance, you discover that the workstation has PowerShell Remoting (WinRM) enabled and that a scheduled task runs every 5 minutes with the credentials of a service account 'svc_app'. The service account is a member of the 'Backup Operators' group, which has SeBackupPrivilege. You also find that the system has an outdated version of the PsExec tool in the PATH. Which of the following is the most effective course of action to escalate privileges?

A.Wait for the scheduled task to run and capture the service account password using a network sniffer.
B.Use PsExec to run a command as SYSTEM directly.
C.Modify the scheduled task to run a reverse shell with the service account's privileges.
D.Exploit the SeBackupPrivilege by using the Windows Backup and Restore capabilities to copy the SAM registry hive and dump local account hashes.
AnswerD

SeBackupPrivilege allows reading any file, including SAM and SYSTEM hives, enabling extraction of local administrator hashes.

Why this answer

Option D is correct because by leveraging SeBackupPrivilege, you can back up and restore system files, such as the SAM and SYSTEM hives, to extract local administrator password hashes. Option B is less effective because PsExec may not work without admin rights. Option A relies on guessable credentials.

Option C is noisy and may alert defenders.

255
MCQmedium

A penetration tester is analyzing a Python script that uses the 'requests' library. The script sends a GET request to a target URL with a crafted parameter value containing a SQL sleep function, then measures the response time. What attack is the script most likely performing?

A.Cross-site scripting (XSS) attack.
B.Blind time-based SQL injection.
C.Command injection attack.
D.Error-based SQL injection.
AnswerB

Correct. The script uses a sleep function to cause a delay if the injection is successful, then compares response times to detect the vulnerability.

Why this answer

The script sends a crafted parameter containing a SQL sleep function (e.g., `' OR SLEEP(5)--`) and measures the response time. If the database executes the sleep, the response is delayed, confirming a SQL injection vulnerability without relying on visible output. This is the hallmark of a blind time-based SQL injection attack using the `requests` library to time the HTTP response.

Exam trap

The trap here is that candidates see 'sleep function' and assume it is a command injection payload, but the `SLEEP()` function is a SQL-specific function, not an OS command, and the context of the `requests` library sending a GET request with a crafted parameter points directly to SQL injection, not command injection.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages to execute in a victim's browser, not measuring server-side response times with SQL sleep functions. Option C is wrong because command injection involves injecting operating system commands into a vulnerable application (e.g., via shell metacharacters), not SQL sleep functions or database timing delays.
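The detection side of the attack described above, as an added example that is not part of the question bank: it parses constructed access-log lines, looks for SQL time-delay primitives in query parameters, and flags requests where the server actually stalled. The log shape (Common Log Format plus a trailing service-time field) and the 4-second threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Added example (not code from the question bank): detection logic for the
# time-based blind SQL injection this question describes, run over constructed
# access-log lines. Assumed log shape: Common Log Format plus a trailing field
# giving the request service time in seconds.

# Time-delay primitives across common database engines
TIME_PAYLOAD_RE = re.compile(
    r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b|dbms_lock\.sleep",
    re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>[\d.]+)$')

def inspect_request(path, rtime, delay_threshold=4.0):
    """Return a finding if any query parameter carries a delay primitive,
    else None. 'delayed' records whether the server actually stalled, which
    is the success signal the attacker's timing loop looks for."""
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double encoding
        decoded = unquote_plus(value)
        if TIME_PAYLOAD_RE.search(decoded):
            return {"param": name, "payload": decoded,
                    "delayed": rtime >= delay_threshold}
    return None

def scan_log(lines, delay_threshold=4.0):
    """Parse each line and collect injection attempts with source and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        hit = inspect_request(m["path"], float(m["rtime"]), delay_threshold)
        if hit:
            hit.update(ip=m["ip"], status=int(m["status"]))
            findings.append(hit)
    return findings

# Constructed sample: one benign request, two delay payloads (only the first
# produced a real delay), and a benign search term that contains "sleep".
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 1832 0.012',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /item?id=42%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 1832 5.021',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /item?id=42%27%3BWAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500 512 0.030',
    '198.51.100.4 - - [10/Mar/2024:10:00:10 +0000] "GET /search?q=sleeping+bag HTTP/1.1" 200 9402 0.044',
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```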

256
MCQeasy

A penetration tester is tasked with performing passive reconnaissance against a client without triggering any alerts. Which of the following techniques would be MOST appropriate?

A.Nmap SYN scan
B.Shodan search
C.Brute-force login
D.Netcat banner grab
AnswerB

Shodan performs passive reconnaissance by querying its database of internet-facing devices.

Why this answer

Shodan is a search engine that indexes banners from internet-facing devices, allowing a penetration tester to gather information about a client's exposed services (e.g., open ports, software versions) without sending any packets to the target. This makes it a purely passive technique that will not trigger any alerts on the client's network or intrusion detection systems.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with low-and-slow active techniques, assuming that a single SYN scan or banner grab is 'quiet enough' to avoid detection, but any packet sent to the target is active and can be logged.

How to eliminate wrong answers

Option A is wrong because an Nmap SYN scan sends crafted TCP SYN packets to the target, which is an active reconnaissance technique that can be detected by firewalls and IDS/IPS. Option C is wrong because brute-force login attempts actively send authentication requests to a service, generating logs and potentially triggering account lockout or alerting mechanisms. Option D is wrong because a Netcat banner grab requires establishing a TCP connection to the target service, which is an active interaction that can be logged and detected.

257
Multi-Selecthard

An internal test prohibits buffer overflow exploits. Which TWO techniques are appropriate to test privilege escalation without violating the rule? (Choose two.)

Select 2 answers
A.Use a kernel exploit that involves a heap overflow
B.Exploit EternalBlue (MS17-010)
C.Abuse misconfigured service permissions to run as SYSTEM
D.Use Metasploit's meterpreter to run getsystem
E.Perform a pass-the-hash attack
AnswersC, E

Configuration issue, no exploit.

Why this answer

Options C and E are correct because pass-the-hash and abusing service permissions do not involve memory corruption. Option A is a heap overflow, option B (EternalBlue) is a buffer overflow, and option D may use exploits.

258
MCQeasy

A client wants a penetration test that includes social engineering attacks against employees. They request that the testing team not target the executive leadership team. What should be included in the rules of engagement to address this requirement?

A.A list of excluded users or groups, specifically the executive leadership team
B.The maximum number of phishing emails that can be sent
C.The time window for conducting social engineering activities
D.A description of the social engineering techniques that will be used
AnswerA

Clearly documenting exclusions in the rules of engagement ensures the testing team knows which targets to avoid.

Why this answer

Option A is correct because the rules of engagement (RoE) must explicitly define the scope and boundaries of the test. Including a list of excluded users or groups, specifically the executive leadership team, ensures that social engineering attacks are not directed at them, directly addressing the client's requirement. This is a standard scoping practice in penetration testing to prevent unintended consequences and maintain legal and ethical compliance.

Exam trap

The trap here is that candidates may confuse operational constraints (like volume or timing) with scoping exclusions, failing to recognize that only a direct list of excluded entities satisfies the requirement to avoid targeting a specific group.

How to eliminate wrong answers

Option B is wrong because the maximum number of phishing emails is a constraint on the volume of attacks, not a mechanism to exclude specific targets like the executive leadership team. Option C is wrong because the time window for conducting social engineering activities controls when attacks occur, not who is targeted; it does not prevent attacks against the executive team.

259
MCQeasy

A penetration tester wants to quickly capture and analyze network packets during an internal test to identify unencrypted protocols. Which command-line tool is commonly used for packet capture on Linux?

A.tcpdump
B.nslookup
C.nmap
D.netcat
AnswerA

tcpdump captures and displays packets in real-time or from a file.

Why this answer

tcpdump is the standard command-line packet capture tool on Linux, allowing the tester to capture raw network packets and filter them by protocol (e.g., HTTP, FTP, Telnet) to identify unencrypted traffic. It uses libpcap to capture packets at the network interface level, making it ideal for quickly analyzing plaintext protocols during an internal penetration test.

Exam trap

The trap here is that candidates may confuse nmap's ability to detect open ports and services with packet capture, but nmap does not capture or display packet payloads, which is required for identifying unencrypted protocols.

How to eliminate wrong answers

Option B (nslookup) is wrong because it is a DNS lookup tool used to query name servers for domain name resolution, not for capturing or analyzing network packets. Option C (nmap) is wrong because it is a network scanning tool used for port discovery and service enumeration, not for real-time packet capture or protocol analysis.

260
Matchingmedium

Match each evasion technique to its description.


Concepts
Matches

Splitting packets to evade IDS/IPS

Converting payload to bypass signature detection

Faking source IP to hide origin

Routing traffic through multiple proxies

Delaying requests to avoid rate limiting

Why these pairings

Evasion techniques help penetration testers bypass security controls.

261
MCQmedium

A penetration tester is performing internal reconnaissance. The tester discovers that the internal DNS server allows recursive queries from the tester's machine. Which technique can the tester use to enumerate internal hosts and network ranges?

A.Perform DNS cache snooping
B.Attempt a DNS zone transfer (AXFR)
C.Query for all SRV records
D.Perform a reverse DNS sweep of the entire subnet
AnswerB

A successful zone transfer gives a complete list of all hosts and subdomains within the zone.

Why this answer

B is correct because a DNS zone transfer (AXFR) allows a client to request a complete copy of the DNS zone from a DNS server. If the server is misconfigured to allow recursive queries and does not restrict AXFR requests, the tester can enumerate all internal hostnames and IP addresses, effectively mapping the internal network ranges.

Exam trap

The trap here is that candidates confuse the ability to perform recursive queries (which allows resolution of external names) with the ability to perform a zone transfer (which requires explicit AXFR permission), leading them to incorrectly choose DNS cache snooping or SRV record queries instead.

How to eliminate wrong answers

Option A is wrong because DNS cache snooping reveals cached queries (e.g., recently resolved domains) but does not enumerate internal hosts or network ranges; it only shows what has been queried. Option C is wrong because querying for all SRV records only returns service-specific records (e.g., _ldap._tcp.domain.com) and does not provide a full list of hosts or network ranges; it is not a comprehensive enumeration technique.

262
MCQhard

A client has a critical web application that cannot be tested in the production environment due to availability requirements. A staging environment exists that exactly mirrors production, but it uses different IP addresses, domain names, and a subset of data. The staging environment is isolated from production networks. Which scoping element is most important to include in the rules of engagement to ensure a valid test?

A.Explicitly define the staging environment as the target scope
B.Require the tester to use non-disruptive testing techniques only
C.Include the production IP ranges in the scope 'just in case'
D.Specify that the test must be performed from the internet only
AnswerA

The rules of engagement must specify the exact targets. Since the test is to be performed against staging, it must be listed as the authorized target system. This ensures legal coverage and clarity.

Why this answer

Option A is correct because the staging environment is an exact mirror of production but uses different IP addresses, domain names, and a subset of data. Explicitly defining the staging environment as the target scope ensures the tester focuses all activities on the authorized systems, preventing any accidental impact on production. This scoping element is critical for a valid test because it aligns the test with the client's availability requirements while still allowing comprehensive security testing on a representative environment.

Exam trap

The trap here is that candidates may confuse operational constraints (like non-disruptive techniques) with scoping requirements, or they may incorrectly assume that including production IPs as a 'safety net' is acceptable, when it actually violates the core principle of scope definition and availability requirements.

How to eliminate wrong answers

Option B is wrong because requiring non-disruptive testing techniques only is a constraint on methodology, not a scoping element; it does not address the need to define the target environment, and the staging environment is isolated so disruptive techniques could be safely used. Option C is wrong because including production IP ranges in the scope 'just in case' violates the client's availability requirements and could lead to unauthorized testing on production systems, which is both risky and against the rules of engagement.

263
MCQhard

Based on the exhibit, which host or network can SSH to 10.0.1.10?

A.192.168.1.0/24
B.10.0.1.0/24
C.None
D.0.0.0.0/0
AnswerC

Due to the first drop rule covering the entire 10.0.1.0/24 subnet, no SSH traffic can reach 10.0.1.10.

Why this answer

The first rule drops all traffic from any source to the 10.0.1.0/24 network. Since 10.0.1.10 falls within that subnet, all traffic to it is dropped before subsequent rules are evaluated, including the SSH allow rule. Therefore, no host can SSH to 10.0.1.10.
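The exhibit is not reproduced on the page, so this added example (not from the question bank) rebuilds the rule table from the explanation and evaluates it with first-match semantics, also flagging the shadowed SSH rule; the exact source networks beyond those in the answer options and the implicit default action are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Added example (not from the question bank): first-match evaluation of the
# rule table this question reasons about. The exhibit is not on the page, so
# the table below is constructed from the explanation: a leading drop of all
# traffic to 10.0.1.0/24, followed by an SSH allow rule that is never reached.

def _net(cidr):
    """'any' is shorthand for 0.0.0.0/0; a bare host address is taken as /32."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "drop"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None = any destination port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in _net(self.src)
                and ipaddress.ip_address(dst_ip) in _net(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every packet 'other' would match already matches self."""
        return (_net(other.src).subnet_of(_net(self.src))
                and _net(other.dst).subnet_of(_net(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(rules, src_ip, dst_ip, proto, dport, default="drop"):
    """First matching rule wins. Returns (action, rule index); index is -1
    when only the implicit default applied."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return default, -1

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers
    them: the misconfiguration the question turns on."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]

def networks_allowed_ssh(rules, dst_ip, candidates):
    """Probe one representative host from each candidate network for tcp/22."""
    allowed = []
    for cidr in candidates:
        probe = next(_net(cidr).hosts())
        if evaluate(rules, str(probe), dst_ip, "tcp", 22)[0] == "allow":
            allowed.append(cidr)
    return allowed

# Constructed rule table; the candidate networks come from the answer options.
RULES = [
    Rule("drop",  "any",            "10.0.1.0/24", "any", None),  # rule 1
    Rule("allow", "192.168.1.0/24", "10.0.1.10",   "tcp", 22),    # rule 2: SSH
    Rule("allow", "any",            "any",         "any", None),  # rule 3
]
CANDIDATES = ["192.168.1.0/24", "10.0.1.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("SSH to 10.0.1.10 allowed from:",
          networks_allowed_ssh(RULES, "10.0.1.10", CANDIDATES) or "none")
    print("shadowed rule indices:", shadowed_rules(RULES))
```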

264
MCQeasy

A penetration tester is finalizing a report. Which section should include a detailed technical explanation of how each vulnerability was exploited?

A.Executive Summary
B.Findings and Recommendations
C.Methodology
D.Appendix
AnswerB

This section contains detailed technical information about each vulnerability, including how it was exploited.

Why this answer

The Findings and Recommendations section is the correct place for detailed technical explanations of how each vulnerability was exploited because it provides the technical audience (e.g., system administrators, developers) with the step-by-step attack chain, including specific commands, payloads, and tools used. This section bridges the gap between raw scan data and actionable remediation, ensuring that the technical team can reproduce and verify the findings. The Executive Summary is too high-level for this detail, and the Methodology section describes the overall approach, not per-vulnerability exploitation steps.

Exam trap

The trap here is that candidates confuse the Methodology section (which describes the overall testing process) with the per-vulnerability exploitation details, leading them to incorrectly select Methodology instead of Findings and Recommendations.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is intended for non-technical stakeholders (e.g., executives, management) and should only contain a high-level overview of risks, business impact, and key metrics—not detailed exploitation steps. Option C is wrong because the Methodology section describes the overall testing approach, tools, and scope (e.g., whether black-box or white-box testing was used), but it does not break down the specific exploitation steps for each individual vulnerability.

265
MCQmedium

A penetration tester with a low-privileged domain user account performs a Kerberoasting attack. What is the primary goal of this attack?

A.Obtain the NTLM hash of the krbtgt account.
B.Obtain a list of all domain users.
C.Obtain a Kerberos ticket that can be used to impersonate a domain admin.
D.Obtain the plaintext password of a user account with a Service Principal Name (SPN).
AnswerD

Kerberoasting requests TGS tickets for SPN-linked accounts. These tickets can be cracked offline to reveal the password, potentially granting higher privileges if the account has administrative rights.

Why this answer

Kerberoasting targets service accounts that have a Service Principal Name (SPN) registered in Active Directory. The attacker requests a Kerberos service ticket (TGS) for the SPN, which is encrypted with the service account's NTLM hash. The attacker then cracks this hash offline to recover the plaintext password, enabling lateral movement or privilege escalation.

Exam trap

CompTIA often tests the misconception that Kerberoasting directly yields a domain admin ticket or a TGT, when in fact it only provides a service ticket that must be cracked offline to recover the plaintext password of the service account.

How to eliminate wrong answers

Option A is wrong because the krbtgt account's NTLM hash is used to sign Kerberos Ticket-Granting Tickets (TGTs), not service tickets; obtaining it requires a different attack like a Golden Ticket or DCSync. Option B is wrong because listing domain users is typically done via LDAP queries (e.g., enum4linux, ldapsearch) and is not the goal of Kerberoasting, which focuses on cracking service account passwords. Option C is wrong because Kerberoasting yields a TGS for a specific service, not a TGT; impersonating a domain admin would require a TGT or a forged ticket (e.g., Silver Ticket), not a service ticket for a single SPN.

266
MCQmedium

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

A.PsExec
B.MS16-075 exploit
C.WinRM
D.BloodHound
AnswerC

Correct. WinRM is designed for remote management and the account's group membership makes it usable for lateral movement.

Why this answer

WinRM (Windows Remote Management) is the most appropriate tool because the tester's service account is a member of the 'Remote Management Users' group on the domain controller, which grants explicit permission to connect via WinRM over HTTP/HTTPS (ports 5985/5986). This allows direct PowerShell remoting or winrs execution for lateral movement without requiring administrative privileges or additional exploits.

Exam trap

The trap here is that candidates often assume PsExec is the universal lateral movement tool, but it requires administrative privileges, whereas WinRM is specifically permitted by the 'Remote Management Users' group membership described in the scenario.

How to eliminate wrong answers

Option A is wrong because PsExec requires administrative privileges (typically local admin or domain admin) on the target system to execute services remotely, and membership in 'Remote Management Users' does not grant the necessary admin rights. Option B is wrong because MS16-075 is a local privilege escalation exploit (leveraging SeImpersonatePrivilege) that allows a low-privileged user to impersonate SYSTEM; it is not a lateral movement tool and does not leverage Remote Management Users group membership.

267
MCQmedium

During a web application test, a penetration tester suspects an LDAP injection vulnerability. The application uses user input to dynamically construct an LDAP query. The tester submits the following payload in the username field: 'admin)(&)'. The application returns a list of all users instead of the expected single user. Which of the following best describes the reason this payload was effective?

A.The payload causes an LDAP error that triggers a fallback to list all users.
B.The payload modifies the base DN to search the entire directory.
C.The payload introduces a logical OR that negates the original condition.
D.The payload closes the original filter and appends a tautology that returns all objects.
AnswerD

The correct interpretation: by closing the original filter with ')' and injecting '(&)', the tester creates a condition that is always true, causing the query to return all directory objects.

Why this answer

Option D is correct because the payload 'admin)(&)' closes the original LDAP filter after 'admin' and appends '(&)' which is a tautology (always true). This causes the LDAP query to match all directory objects, returning the full user list instead of a single user. The attack exploits the way LDAP filters are parsed: injecting a closing parenthesis and a new filter that evaluates to true for every entry.

Exam trap

The trap here is that candidates confuse the LDAP injection payload with SQL injection patterns, mistakenly thinking the '&' operator creates an OR condition, when in LDAP prefix notation '&' is an AND operator and the tautology works by appending an always-true filter, not by negating the original condition.

How to eliminate wrong answers

Option A is wrong because the payload does not cause an LDAP error; it successfully modifies the filter syntax to return all users, not a fallback behavior. Option B is wrong because the payload does not alter the base DN (distinguished name) of the search; it only manipulates the filter component of the query. Option C is wrong because the payload introduces a logical AND (the '&' operator) which is a conjunction, not a logical OR; the tautology makes the entire filter true, not by negating the original condition but by appending an always-true clause.

268
MCQmedium

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

A.Executive Summary
B.Technical Findings
C.Methodology
D.Risk Rating Appendix
AnswerB

This section includes in-depth vulnerability descriptions, root cause analysis, reproduction steps, and remediation guidance.

Why this answer

The Technical Findings section provides the detailed, step-by-step reproduction steps and root cause analysis that the security engineer needs. This section includes specific commands, payloads, and configurations that led to the vulnerability, enabling the engineer to understand and verify the issue. The Executive Summary and Methodology sections do not contain this level of technical detail.

Exam trap

The trap here is that candidates confuse the purpose of the Methodology section (which describes the testing process) with the Technical Findings section (which contains the actual vulnerability details and reproduction steps).

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for non-technical stakeholders, summarizing business risks and key findings without providing reproduction steps or root cause details. Option C is wrong because the Methodology section describes the overall testing approach, tools, and scope, but does not include the specific vulnerability reproduction steps or root cause analysis.

269
MCQeasy

Refer to the exhibit. A penetration tester has performed a basic Nmap scan and found an open MySQL service. Which of the following should the tester do NEXT to further investigate the MySQL service?

A.Perform a UDP scan on port 3306
B.Connect to the MySQL service using default credentials
C.Run a version detection scan using -sV on port 3306
D.Scan for other hosts with port 3306 open
AnswerC

Version detection reveals the MySQL version, aiding vulnerability assessment.

Why this answer

Option C is correct because the next logical step after discovering an open MySQL service (port 3306) is to perform version detection using `-sV` in Nmap. This identifies the exact MySQL version, which is critical for determining known vulnerabilities (CVEs) and appropriate exploitation techniques. Without version information, the tester cannot assess whether the service is outdated or misconfigured.

Exam trap

The trap here is that candidates may think default credential testing (Option B) is the immediate next step, but the PT0-002 exam emphasizes systematic information gathering—version detection must precede exploitation attempts to avoid unnecessary noise or failed attacks.

How to eliminate wrong answers

Option A is wrong because MySQL runs over TCP, not UDP; port 3306 is a TCP port, and a UDP scan would be irrelevant and waste time. Option B is wrong because attempting default credentials without first identifying the MySQL version or understanding the authentication mechanism is premature and could alert the target or lock out accounts. Option D is wrong because scanning for other hosts with port 3306 open is a broad reconnaissance step that should occur after understanding the current target's service details, not before.

270
MCQeasy

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

A.Detailed list of all ports and services found
B.CVSS scores for every vulnerability
C.A high-level summary of the overall risk and key findings
D.Raw tool output from vulnerability scans
AnswerC

This provides the essential overview that executives need to understand the test's outcome and make informed decisions.

Why this answer

C is correct because the executive summary is intended for a non-technical audience, such as senior management or stakeholders, who need a concise overview of the organization's security posture. A high-level summary of the overall risk and key findings communicates the business impact and strategic priorities without overwhelming them with technical details. This aligns with the PT0-002 objective of tailoring communication to the audience, ensuring the report drives decision-making rather than technical analysis.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, assuming that including raw data like port lists or CVSS scores demonstrates thoroughness, when in fact the exam tests the ability to tailor content to the audience's technical level.

How to eliminate wrong answers

Option A is wrong because a detailed list of all ports and services found is too granular for a non-technical audience; it belongs in the technical findings or appendices, where system administrators can act on it. Option B is wrong because CVSS scores for every vulnerability are numerical metrics that require context to interpret; non-technical readers may not understand the scoring methodology or its implications, and presenting all scores without prioritization can obscure the overall risk picture.

271
Multi-Selectmedium

Which THREE of the following are best practices when communicating findings to stakeholders during a penetration test?

Select 3 answers
A.Share raw exploit code and logs without sanitization
B.Provide regular status updates to the client point of contact
C.Always include full technical details in every communication
D.Notify the client immediately upon discovering a critical vulnerability
E.Adjust the level of technical detail based on the audience
AnswersB, D, E

Keeps client informed.

Why this answer

Options B, D, and E are correct. Regular status updates (B) keep stakeholders informed. Immediate notification of critical findings (D) allows timely action.

Tailoring communication to the audience (E) ensures understanding. Option C is wrong because technical details may be omitted for a non-technical audience. Option A is wrong because evidence should be sanitized, not shared raw.

272
MCQeasy

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify all publicly accessible cloud storage buckets that might belong to the target without directly interacting with the target's infrastructure. Which of the following techniques would be most effective for this purpose?

A.Perform DNS enumeration using tools like `dnsrecon` to discover subdomains pointing to cloud storage services
B.Search for exposed cloud storage buckets using search engine dorks (e.g., 'site:s3.amazonaws.com target-company')
C.Query certificate transparency logs to find SSL certificates issued to the target's cloud storage endpoints
D.Perform a WHOIS lookup to find IP ranges owned by the target and then scan those ranges for open storage services
AnswerB

Search engine dorks are a passive technique that relies on cached indexes of cloud storage buckets that are misconfigured and publicly accessible, without sending any traffic to the target.

Why this answer

Option B is correct because search engine dorks allow a penetration tester to query publicly indexed content on cloud storage platforms like AWS S3 without sending any traffic to the target's infrastructure. By using a dork such as 'site:s3.amazonaws.com target-company', the tester leverages the search engine's pre-cached index to identify buckets that may be misconfigured or publicly accessible, which aligns perfectly with passive reconnaissance requirements.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with techniques that appear passive but actually generate direct network queries (like DNS enumeration), or they may overlook that certificate transparency logs reveal domains, not storage buckets, leading them to choose a technically passive but functionally irrelevant option.

How to eliminate wrong answers

Option A is wrong because DNS enumeration with tools like `dnsrecon` involves actively querying DNS servers, which generates network traffic to the target's authoritative name servers or resolvers, making it an active reconnaissance technique rather than passive. Option C is wrong because querying certificate transparency logs (e.g., via crt.sh) is a passive technique, but it reveals SSL certificates and domain names, not cloud storage buckets; it does not directly identify publicly accessible storage endpoints like S3 buckets.

273
MCQmedium

A penetration tester is analyzing a Bash script that performs network scanning. The script contains the following command: 'for ip in $(seq 1 254); do hping3 -S -p 22 -c 1 $TARGET_SUBNET.$ip 2>/dev/null | grep -q "flags=SA" && echo "$TARGET_SUBNET.$ip: open"; done'. What is the primary purpose of this script?

A.Conduct a TCP SYN scan to identify hosts with port 22 open
B.Perform a vulnerability assessment against SSH services
C.Execute an ICMP ping sweep to discover live hosts
D.Complete a full TCP three-way handshake and log successful connections
AnswerA

The script sends SYN packets to port 22 and looks for SYN-ACK responses, which is the definition of a TCP SYN scan.

Why this answer

The script uses hping3 with the -S flag (SYN) and -p 22 (port 22) to send TCP SYN packets to each IP in the target subnet. The grep -q "flags=SA" checks for a SYN-ACK response, which indicates the port is open and listening. This is the classic behavior of a TCP SYN scan (half-open scan) to identify hosts with port 22 open.

Exam trap

The trap here is that candidates may confuse a TCP SYN scan on a specific port with a general ICMP ping sweep, or assume that scanning port 22 automatically implies an SSH vulnerability assessment, when in fact the script only performs port discovery, not vulnerability testing.

How to eliminate wrong answers

Option B is wrong because the script does not perform any vulnerability assessment; it only checks if port 22 is open (SYN-ACK received) and does not attempt to exploit or enumerate SSH service versions or vulnerabilities. Option C is wrong because the script uses TCP SYN packets to port 22, not ICMP echo requests (ping), so it is not an ICMP ping sweep; it specifically targets a single TCP port to identify live hosts with that port open.

274
MCQmedium

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A.The test will include social engineering of remote employees
B.The exclusion of cloud infrastructure may leave critical assets untested
C.The test can only be performed during off-hours
D.The tester will require VPN access to the corporate network
AnswerB

Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.

Why this answer

Option B is correct because the client's exclusion of cloud-based infrastructure and remote branch offices creates a significant gap in the test scope. A penetration test that ignores cloud assets (e.g., AWS, Azure, or SaaS applications) may miss critical vulnerabilities in systems that process or store sensitive financial data, as these are often part of the institution's attack surface. The tester must emphasize that such exclusions can lead to a false sense of security, as attackers frequently target cloud and remote assets due to their accessibility and potential misconfigurations.

Exam trap

The trap here is that candidates may focus on operational details like timing or social engineering, rather than recognizing that scope exclusions (especially cloud) directly undermine the test's ability to assess the full attack surface, which is a core principle of scoping in PT0-002.

How to eliminate wrong answers

Option A is wrong because social engineering of remote employees is a separate attack vector that does not address the core scoping issue of excluding cloud and branch office systems; the client's restriction is on the systems tested, not the methods used. Option C is wrong because the timing of the test (off-hours vs. business hours) is a separate operational consideration, not a direct response to the client's exclusion of cloud and branch infrastructure; the primary scoping concern is the incomplete coverage of the attack surface, not the schedule.

275
MCQmedium

A penetration tester has compromised a Windows workstation and obtained a low-privileged domain user account. The tester discovers that this user belongs to a group that has the 'GenericWrite' privilege over a computer object in Active Directory. Which attack is most directly enabled by this misconfiguration?

A.Kerberoasting
B.Shadow Credentials
C.AS-REP Roasting
D.DCSync Attack
AnswerB

With GenericWrite over a computer object, the tester can write to the msDS-KeyCredentialLink attribute to add a rogue key credential, enabling a Shadow Credentials attack to request a TGT for the computer account.

Why this answer

The 'GenericWrite' privilege over a computer object allows the attacker to write to the msDS-KeyCredentialLink attribute of that object. By adding a rogue key credential, the attacker can get the Key Distribution Center (KDC) to accept certificate-based authentication for that account, enabling the Shadow Credentials attack to obtain a TGT for the computer account and escalate privileges.

Exam trap

The trap here is that candidates confuse the GenericWrite privilege with the ability to perform Kerberoasting or AS-REP Roasting, but those attacks require different preconditions (SPN or no pre-authentication) and do not directly exploit write access to computer object attributes.

How to eliminate wrong answers

Option A is wrong because Kerberoasting requires the attacker to have a valid TGT for a domain user and targets service accounts with SPNs, not computer objects with GenericWrite. Option C is wrong because AS-REP Roasting targets user accounts that do not require Kerberos pre-authentication, not computer objects, and does not leverage GenericWrite over an object.

276
MCQeasy

A penetration tester is writing the findings section of a report. The tester identified a critical SQL injection vulnerability that allows extraction of the entire customer database. The client's technical team has already remediated the issue. How should the tester present this finding to ensure clarity and usefulness?

A.Include the vulnerability with the risk rating, a brief description, and a note that it was remediated during the test
B.Exclude the vulnerability from the report because it has already been fixed
C.Document the vulnerability in full, including reproduction steps, impact, and evidence, and note the remediation status
D.Reduce the risk rating of the vulnerability because it has been fixed, and include it in an appendix
AnswerC

This approach ensures the report is complete and useful for the client's records, compliance, and future prevention. The remediation status provides closure.

Why this answer

Option C is correct because penetration testing standards (e.g., PTES, OWASP) require full documentation of all findings regardless of remediation status. Including reproduction steps, impact analysis, and evidence ensures the report serves as a permanent record for compliance, audit, and future reference. Noting the remediation status provides clear context that the issue has been resolved, which is critical for stakeholders who need to verify the fix.

Exam trap

The trap here is that candidates mistakenly think remediated vulnerabilities should be omitted or minimized, but the PT0-002 exam expects full documentation to maintain report integrity and support post-remediation validation.

How to eliminate wrong answers

Option A is wrong because it omits essential technical details such as reproduction steps and evidence, which are necessary for validating the remediation and for legal/regulatory compliance. Option B is wrong because excluding a remediated vulnerability violates reporting best practices and can lead to incomplete audit trails, making it impossible to prove the issue was ever addressed.

277
MCQhard

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

A.List the CVSS score and exploitability metrics
B.Describe the attack scenario and potential financial loss
C.Provide the raw log entries showing the exploitation
D.Recommend a specific patch version
AnswerB

Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.

Why this answer

Option B is correct because the executive summary must communicate business risk, not technical details. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand the business impact, such as revenue loss from a data breach or regulatory fines. This aligns with the PT0-002 objective of tailoring reports to the audience, where executives require risk context rather than exploit mechanics.

Exam trap

The trap here is that candidates confuse technical severity (CVSS) with business impact, assuming a high CVSS score inherently conveys business risk, but the CISO explicitly needs the financial and operational consequences, not just the score.

How to eliminate wrong answers

Option A is wrong because listing the CVSS score and exploitability metrics provides a technical severity rating but does not translate that into business impact (e.g., dollar amounts or reputational harm), which the CISO specifically requested. Option C is wrong because providing raw log entries showing exploitation is operational evidence for technical teams, not a summary for executive decision-making; it fails to convey the broader business consequences.

278
MCQmedium

A penetration tester is analyzing a Python script that uses the requests library to automate web vulnerability scanning. The script sends POST requests with payloads but receives 403 Forbidden responses for many requests, even though manual testing with the same payloads works. Which is the most likely cause?

A.Missing User-Agent header
B.Incorrect Content-Type header
C.Script is sending too many requests too fast
D.Payloads are URL-encoded incorrectly
AnswerA

Many WAFs block requests that lack a common browser User-Agent, flagging them as automated. Adding a realistic User-Agent often resolves 403 errors.

Why this answer

Option A is correct because many web servers and WAFs (Web Application Firewalls) block requests that lack a User-Agent header or use a default one like 'python-requests/2.x.x'. Manual testing typically uses a browser, which sends a legitimate User-Agent, while the script's default header triggers the 403 Forbidden response. Setting a realistic User-Agent header in the script mimics browser behavior and bypasses this common filter.

Exam trap

CompTIA often tests the misconception that 403 errors are always due to rate limiting or authentication issues, but here the trap is that the script's default User-Agent header is the root cause, not request frequency or content type.

How to eliminate wrong answers

Option B is incorrect because an incorrect Content-Type header would typically cause a 400 Bad Request or 415 Unsupported Media Type, not a 403 Forbidden, and the payloads work manually, so the Content-Type is likely correct. Option C is incorrect because rate limiting usually results in 429 Too Many Requests or connection timeouts, not a consistent 403 Forbidden on every request; the issue is with the request's identity, not its frequency.

279
MCQeasy

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?

A.Using the whois command to query domain registration details
B.Using Shodan to identify email servers and associated addresses
C.Using Google dorking with advanced search queries to find email addresses in indexed pages
D.Using theHarvester to search public sources like search engines, PGP key servers, and social media
AnswerD

TheHarvester is a passive reconnaissance tool that aggregates email addresses, subdomains, and other information from multiple public sources without sending traffic to the target, making it ideal for this scenario.

Why this answer

TheHarvester is designed specifically for passive reconnaissance, gathering email addresses, subdomains, and other data from public sources such as search engines, PGP key servers, and social media without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement to avoid direct interaction with the target domain.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may confuse 'passive' with 'using public sources' and incorrectly choose Google dorking (Option C) because it seems passive, but theHarvester is the dedicated tool that systematically aggregates email addresses from multiple public sources, making it the most appropriate for this specific task.

How to eliminate wrong answers

Option A is wrong because the whois command queries domain registration details from WHOIS servers, which are not part of the target's infrastructure but still involve sending queries to those servers that could be logged or traced, and it does not directly discover email addresses associated with the domain. Option B is wrong because Shodan actively scans the internet for exposed devices and services, including email servers, which involves sending packets to the target's infrastructure and is not passive reconnaissance. Option C is wrong because Google dorking uses search engines to find indexed pages, which is passive, but it is less efficient and less targeted for discovering email addresses than theHarvester, which automates the process across multiple public sources.

280
MCQeasy

During a penetration test, a tester needs to perform a man-in-the-middle attack on a network that uses WPA2-Enterprise with PEAP. Which tool is most appropriate for capturing the authentication handshake to attempt offline cracking?

A.Wireshark
B.aircrack-ng
C.Ettercap
D.hostapd-wpe
AnswerD

hostapd-wpe sets up a rogue access point that captures EAP credentials for offline cracking.

Why this answer

hostapd-wpe (Wireless Pwnage Edition) is specifically designed to set up a rogue access point that impersonates a legitimate WPA2-Enterprise network. It captures the MSCHAPv2 challenge-response from the PEAP authentication handshake, which can then be used for offline dictionary or brute-force attacks against the user's credentials. Unlike other tools, hostapd-wpe handles the full EAP/PEAP exchange required for this attack.

Exam trap

The trap here is that candidates often confuse aircrack-ng's ability to capture WPA2-PSK handshakes with the different requirements of WPA2-Enterprise, where the attack targets the MSCHAPv2 credentials rather than the 4-way handshake.

How to eliminate wrong answers

Option A is wrong because Wireshark is a packet analyzer that can capture traffic but cannot perform a man-in-the-middle attack or initiate an authentication handshake; it lacks the ability to set up a rogue AP. Option B is wrong because aircrack-ng is used for cracking WPA/WPA2-PSK (pre-shared key) handshakes, not WPA2-Enterprise with PEAP, which uses EAP-MSCHAPv2 and requires a different attack vector. Option C is wrong because Ettercap is a network sniffing and MITM tool for LAN-based attacks (e.g., ARP spoofing), but it does not support 802.11 wireless rogue AP setup or EAP/PEAP handshake capture.

281
MCQeasy

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

A.Begin testing the API because it is part of the client's environment
B.Request written permission from the payment processor
C.Only test the client's internal systems, excluding the API
D.Use the payment processor's sandbox environment without notifying them
AnswerB

This is the correct first step. The tester must obtain explicit permission from the third party to ensure legal and ethical testing.

Why this answer

The correct first action is to request written permission from the payment processor because the API is owned and operated by a third party, not the client. Testing a third-party API without explicit authorization could violate the Computer Fraud and Abuse Act (CFAA) and the payment processor's terms of service, potentially leading to legal liability for both the tester and the client. The scope of a penetration test must be legally defined and agreed upon by all parties whose systems are being tested.

Exam trap

The trap here is that candidates assume the client's request automatically grants legal authority to test any integrated system, overlooking the critical distinction between ownership and integration in scoping agreements.

How to eliminate wrong answers

Option A is wrong because beginning to test the API without authorization assumes the client has the legal right to grant access to a third-party system, which is a common misconception that can lead to unauthorized access and legal consequences. Option C is wrong because it ignores the client's explicit request to include the API in the test scope, failing to meet the engagement requirements and potentially leaving critical integration vulnerabilities unassessed.

282
MCQhard

A penetration tester is exploiting a Linux system that has ASLR enabled but no stack canaries. The vulnerability is a classic stack-based buffer overflow. Which of the following is the most effective method to achieve code execution?

A.Prepend a NOP sled and inject shellcode into the buffer
B.Return-to-libc (ret2libc)
C.Return to the PLT entry for system()
D.Use a ROP chain to bypass ASLR and execute shellcode
AnswerC

The PLT (Procedure Linkage Table) address is not randomized by ASLR, allowing reliable calls to library functions.

Why this answer

Option C is correct because with ASLR enabled, direct shellcode injection fails due to randomized stack addresses, but the PLT entry for system() has a fixed, known address in the binary. Since there are no stack canaries, a simple buffer overflow can overwrite the return address to jump directly to system() in the PLT, passing a pointer to a command string (e.g., "/bin/sh") already in memory, achieving code execution without needing to know runtime addresses.

Exam trap

The trap here is that candidates assume ASLR always prevents code execution, but they overlook that PLT entries have fixed addresses in the binary, making ret2plt a viable bypass when no stack canaries are present.

How to eliminate wrong answers

Option A is wrong because ASLR randomizes the stack base address, making it impossible to reliably predict where the NOP sled and shellcode reside, so the overwritten return address will likely point to an invalid location. Option B is wrong because return-to-libc typically requires knowing the runtime address of libc functions, which is randomized by ASLR; the PLT entry is a better target as it is resolved at load time and has a fixed address in the binary. Option D is wrong because a ROP chain can bypass ASLR only if you can leak a runtime address first (e.g., via an info leak), which is not provided in this scenario; without a leak, ROP cannot reliably locate gadgets in randomized memory regions.

283
MCQeasy

A small business owner contacts you to perform a penetration test. The company has a single office with 50 employees, uses a cloud-based email service (Office 365), and hosts a public-facing website on a shared server. The owner is concerned about external threats but does not allow any testing that could disrupt operations. The owner wants to test the security of the website and the email system against common attacks, such as SQL injection, XSS, and phishing. Based on these constraints and the environment, which type of penetration test is most appropriate?

A.Covert red team exercise simulating a persistent attacker.
B.Full disclosure black-box test from an external perspective.
C.External gray-box test with a restricted schedule and prior notification.
D.Internal vulnerability assessment of the local network.
AnswerC

This allows focused testing with minimal disruption and aligns with the client's constraints.

Why this answer

Given the owner's concern about disruption and the need to test external assets, a gray-box test (some information provided) with a schedule that avoids peak hours and with prior notification best balances effectiveness and risk. Black-box could be disruptive; red team is covert and may cause alarm; internal assessment is not relevant for external assets.

284
MCQeasy

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A.The on-premises systems are more critical, so testing them is sufficient.
B.Cloud systems are generally more secure and do not require testing.
C.Limiting the scope to on-premises may result in an incomplete risk picture because cloud systems are part of the attack surface.
D.Testing cloud systems would violate the shared responsibility model.
AnswerC

Both on-premises and cloud systems contribute to the overall attack surface; excluding one may leave critical vulnerabilities undetected.

Why this answer

Option C is correct because the client's hybrid infrastructure means that cloud-based virtual machines are part of the overall attack surface, and limiting the scope to on-premises systems ignores potential attack vectors such as misconfigured cloud APIs, insecure inter-VPC routing, or compromised cloud credentials that could lead to lateral movement into on-premises systems. A penetration test must assess all components that can be exploited to provide a complete risk picture, as cloud systems often serve as entry points or pivot points into the on-premises environment.

Exam trap

The trap here is that candidates may assume budget constraints justify limiting scope to on-premises, but the exam tests the principle that a penetration test must cover the entire attack surface to be valid, and cloud systems are a critical part of that surface in hybrid architectures.

How to eliminate wrong answers

Option A is wrong because it assumes on-premises systems are inherently more critical, which is a subjective and unsupported claim; in a hybrid infrastructure, cloud systems may host sensitive data or applications and can be the initial breach vector, so excluding them leaves critical risks unassessed. Option B is wrong because it incorrectly states that cloud systems are generally more secure and do not require testing; in reality, cloud systems are subject to misconfigurations (e.g., open S3 buckets, overly permissive IAM roles) and shared responsibility model gaps that require dedicated security testing.

285
Drag & Dropmedium

Drag and drop the steps to perform a man-in-the-middle (MITM) attack using ARP spoofing with Bettercap into the correct order.


Why this order

ARP spoofing MITM requires enabling forwarding, spoofing both target and gateway, then capturing traffic.

286
MCQeasy

A penetration tester needs to describe a stored XSS vulnerability to a web developer who will fix it. Which level of detail is most appropriate for this audience?

A.Provide the CVSS score and risk rating.
B.Describe the business impact and potential regulatory fines.
C.Include the specific vulnerable URL, the request parameters, the payload used, and a code snippet for proper output encoding.
D.Use a graph showing the number of vulnerabilities by severity across the application.
AnswerC

This level of detail gives the developer everything needed to reproduce the vulnerability and apply the correct fix. It is precise and actionable.

Why this answer

Option C is correct because a web developer needs precise, actionable technical details to remediate the vulnerability: the exact URL, request parameters, the payload that triggered the stored XSS, and a code snippet showing proper output encoding (e.g., using OWASP ESAPI or context-specific escaping). This level of detail enables the developer to locate the vulnerable code, understand the injection point, and apply the correct fix without ambiguity.

Exam trap

The trap here is that candidates confuse the audience's needs: they may pick business impact (Option B) for a developer, but developers require technical details (Option C) to actually fix the code, not just awareness of consequences.

How to eliminate wrong answers

Option A is wrong because a CVSS score and risk rating provide a severity metric but no technical specifics about the vulnerable endpoint, input vector, or remediation steps, which a developer needs to fix the code. Option B is wrong because describing business impact and regulatory fines addresses management concerns but omits the technical details (e.g., the vulnerable parameter, payload, or encoding fix) required for a developer to remediate the stored XSS vulnerability.

287
MCQhard

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

A.Exploit a kernel vulnerability to gain root
B.Modify the PATH environment variable to point to a malicious script with the same name as the command called by the binary
C.Impersonate the root user using sudo
D.Preload a shared library using LD_PRELOAD
AnswerB

PATH hijacking leverages the SUID binary's use of a relative path; by placing a malicious executable earlier in PATH, the binary executes it with root privileges.

Why this answer

Option B is correct because the SUID binary executes a system command using a relative path without sanitizing user input. By modifying the PATH environment variable to include a directory containing a malicious script with the same name as the command, the tester can cause the binary to execute the attacker-controlled script instead of the intended system command, thereby escalating privileges to root when the SUID binary runs.

Exam trap

The trap here is that candidates may think kernel exploitation (Option A) is always the go-to for privilege escalation, but the question specifically describes a misconfigured SUID binary with a relative path and unsanitized input, making PATH hijacking the most direct and likely technique.

How to eliminate wrong answers

Option A is wrong because exploiting a kernel vulnerability is a different technique that does not leverage the specific misconfiguration of the SUID binary with a relative path and unsanitized input; it would be used if no such binary existed or if kernel exploits were available, but the question explicitly describes a binary that can be exploited via PATH hijacking. Option C is wrong because impersonating the root user using sudo requires the tester to already have sudo privileges or know the root password, which is not the case here; the tester has a low-privileged shell and cannot simply use sudo without proper authorization.

288
MCQeasy

A client requests a penetration test but only provides network diagrams and application credentials. Which type of test is being scoped?

A.Red team
B.Black box
C.Grey box
D.White box
AnswerC

Grey box testing involves limited information sharing, such as network diagrams and credentials.

Why this answer

A grey box test provides the tester with limited information such as network diagrams and credentials, which matches the scenario. Black box tests provide no information, white box tests provide full information, and red team engagements are a type of test, not a box color.

289
MCQmedium

The client's development team needs to reproduce a cross-site scripting (XSS) vulnerability discovered during the penetration test. They require the exact payload and step-by-step instructions. Which deliverable should the tester provide to meet this need?

A.Executive Summary
B.Detailed Vulnerability Report with reproduction steps
C.Rules of Engagement
D.Risk Assessment Matrix
AnswerB

This deliverable provides the technical depth required by the development team to understand and fix the vulnerability.

Why this answer

The correct answer is B because the development team needs the exact payload and step-by-step instructions to reproduce the XSS vulnerability. A Detailed Vulnerability Report with reproduction steps provides the precise technical details, including the payload string, input vectors, and browser behavior, enabling the team to replicate the issue in their environment. This aligns with the PT0-002 objective of delivering actionable findings for remediation.

Exam trap

The trap here is that candidates may confuse the Executive Summary (Option A) with a deliverable that contains technical details, but the exam expects you to know that reproduction steps belong in the detailed vulnerability report, not in a summary document.

How to eliminate wrong answers

Option A is wrong because an Executive Summary is a high-level overview for management, lacking the specific payload and step-by-step reproduction instructions needed by the development team. Option C is wrong because the Rules of Engagement define the scope, authorization, and constraints of the penetration test, not the technical details of a discovered vulnerability.

290
MCQmedium

A penetration tester is performing a social engineering campaign against a client. The tester wants to send a phishing email that bypasses the email security gateway and appears to come from an internal source. Which technique is most effective?

A.Set the Reply-To address to an attacker-controlled email
B.Insert a custom email header that mimics internal mail
C.Use a URL shortener to hide the malicious link
D.Register a similar domain and spoof the display name
AnswerA

This bypasses gateways because the sender appears legitimate, but replies go to the attacker.

Why this answer

Setting the Reply-To address to an attacker-controlled email is the most effective technique because many email security gateways (ESGs) perform SPF, DKIM, and DMARC validation on the SMTP envelope sender (Return-Path) but do not validate the Reply-To header. By spoofing the From address to an internal user and setting Reply-To to an attacker-controlled address, replies bypass the ESG's authentication checks while the email appears to come from an internal source, increasing the likelihood of user interaction.

Exam trap

The trap here is that candidates often confuse the Reply-To header with the From header, assuming that setting the Reply-To address is equivalent to spoofing the sender, when in fact the ESG's authentication checks focus on the From and envelope sender, not the Reply-To, making this a subtle but effective bypass.

How to eliminate wrong answers

Option B is wrong because inserting a custom email header that mimics internal mail does not bypass SPF/DKIM/DMARC validation; the ESG still checks the SMTP envelope sender and the From header against DNS records, so the email will likely be rejected or flagged. Option C is wrong because using a URL shortener hides the malicious link but does not address the ESG's authentication checks on the sender domain; the email still fails SPF/DKIM/DMARC if the From domain is spoofed, and many ESGs now block or sandbox shortened URLs. Option D is wrong because registering a similar domain and spoofing the display name only bypasses human inspection, not the ESG's automated checks; the ESG will still validate the actual domain in the From header against SPF/DKIM/DMARC records, and the similar domain will fail unless it is also configured with proper authentication records.

291
MCQhard

Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

A.Include the CVSS vector
B.List the exact database tables affected
C.Add a proof-of-concept screenshot
D.Describe the business impact in plain language
AnswerD

Translating technical impact into business terms (e.g., financial, reputational risk) is essential for executive communication.

Why this answer

Describing the business impact in plain language helps executives understand the risk without technical jargon.

292
MCQhard

A client wants a penetration test that includes testing of their internal network, external perimeter, and wireless. However, they have a very limited budget. Which approach would best meet the client's needs while staying within budget?

A.Use vulnerability scanners for all three areas
B.Conduct a targeted test focusing on high-risk areas identified through threat modeling
C.Only test internal and external
D.Only test external and wireless
AnswerB

This balances coverage and cost by prioritizing the most critical assets.

Why this answer

Conducting a targeted test focused on high-risk areas identified through threat modeling allows coverage of all three areas with limited depth, maximizing value within budget. Skipping areas or using only automated tools may not meet the client's full requirements.

293
Multi-Selectmedium

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.)

A.Shodan
B.Nmap
C.WHOIS database
D.hping3
AnswersA, C

Shodan aggregates data from active scans and makes it available for passive research.

Why this answer

Shodan is a search engine that scans the internet for devices and services, indexing banners and metadata from publicly exposed systems. Since it queries its own pre-collected database rather than sending packets to the target's network, it qualifies as passive reconnaissance. This allows a penetration tester to discover open ports, services, and even specific vulnerabilities associated with the target domain without direct interaction.

Exam trap

The trap here is that candidates often confuse 'passive' with 'stealthy' and incorrectly choose Nmap with options like -sS (stealth SYN scan), but any direct packet transmission to the target's network, regardless of stealth, constitutes active reconnaissance.

294
MCQmedium

A penetration tester is performing a vulnerability scan on a target network. The tester uses Nmap with the default NSE scripts against a web server. The scan report shows several 'http-vuln-cve2017-5638' findings. What does this indicate?

A.The target is vulnerable to Apache Struts2 remote code execution
B.The target is vulnerable to the Heartbleed bug in OpenSSL
C.The target is vulnerable to the Shellshock Bash vulnerability
D.The target has a SQL injection vulnerability
AnswerA

The script specifically tests for the Struts2 vulnerability that allows unauthenticated remote code execution via Content-Type headers.

Why this answer

The Nmap script 'http-vuln-cve2017-5638' specifically targets the Apache Struts2 remote code execution vulnerability (CVE-2017-5638). This vulnerability exists in the Jakarta Multipart parser used by Apache Struts2, allowing an attacker to execute arbitrary commands via crafted Content-Type headers. The presence of this finding in the scan report indicates the web server is running a vulnerable version of Apache Struts2.

Exam trap

The trap here is that candidates may confuse the CVE number or the technology name, assuming any 'http-vuln-cve' script refers to a generic web vulnerability, when in fact each script is tied to a specific software and CVE, such as Apache Struts2 for CVE-2017-5638.

How to eliminate wrong answers

Option B is wrong because the Heartbleed bug (CVE-2014-0160) is a vulnerability in OpenSSL, not Apache Struts2, and is detected by Nmap scripts like 'ssl-heartbleed', not 'http-vuln-cve2017-5638'. Option C is wrong because the Shellshock Bash vulnerability (CVE-2014-6271) affects the Bash shell and is typically exploited via CGI scripts, not through Apache Struts2's Jakarta Multipart parser, and is detected by scripts such as 'http-shellshock'.

295
MCQmedium

Refer to the exhibit. A penetration tester is reviewing a web server error log. Based on the log, what vulnerability does the tester suspect?

A.Cross-site scripting
B.SQL injection
C.Remote code execution
D.Hardcoded credentials
AnswerD

The log reveals a database connection attempt with a username and password, suggesting credentials are hardcoded in the source code.

Why this answer

Option D is correct because the warning shows that a password is being used for a database connection, and the message indicates that hardcoded credentials (user 'test' with a password) are present in the code. Option A (XSS) is not evident. Option B (SQL injection) is not shown. Option C (remote code execution) is not indicated.

296
MCQeasy

A penetration tester needs to provide a metric that communicates the financial risk of the identified vulnerabilities to the client's CFO. Which metric is most appropriate?

A.Annual Loss Expectancy (ALE).
B.CVSS base score.
C.Number of critical findings.
D.Technical difficulty of exploitation.
AnswerA

ALE expresses risk in financial terms, allowing the CFO to understand potential monetary impact and prioritize remediation spending.

Why this answer

Annual Loss Expectancy (ALE) is the most appropriate metric for communicating financial risk to a CFO because it quantifies the expected monetary loss per year from a vulnerability, calculated as ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO). This directly translates technical risk into financial terms, enabling informed budget decisions for remediation. CVSS base scores and critical finding counts lack a financial dimension, making them unsuitable for executive-level risk communication.

Exam trap

CompTIA often tests the misconception that technical severity scores (like CVSS) are sufficient for executive reporting, but the trap here is that financial risk requires a dollar-based metric like ALE, not a technical or count-based measure.

How to eliminate wrong answers

Option B is wrong because CVSS base score is a technical severity metric (0-10) based on exploitability and impact factors, not a financial measure; it does not incorporate asset value or loss frequency, so it cannot express monetary risk to a CFO. Option C is wrong because the number of critical findings is a raw count of high-severity vulnerabilities without any financial context; it ignores asset valuation, likelihood of exploitation, and potential loss, making it irrelevant for financial risk communication.

297
MCQeasy

A client wants a penetration test of their internal network. They are concerned about causing any disruption to the production systems. The tester should include which of the following in the rules of engagement to address this concern?

A.A list of all tools that will be used during the test
B.A clear definition of the testing window and contact information for emergency stop
C.A requirement for the client to disable their antivirus software
D.A statement that the tester will not be liable for any damages
AnswerB

This is essential to manage and halt testing if disruptions occur, aligning with the client's concern.

Why this answer

Option B is correct because a clearly defined testing window with emergency stop contact information directly addresses the client's concern about production disruption. This ensures the tester can immediately halt activities if any instability is detected, aligning with the principle of minimizing operational impact during a penetration test.

Exam trap

The trap here is that candidates may mistakenly think listing tools or disabling antivirus is necessary for a thorough test, but the core concern is disruption prevention, which is directly addressed by the testing window and emergency stop clause in the RoE.

How to eliminate wrong answers

Option A is wrong because listing all tools used during the test does not prevent or mitigate disruption to production systems; it only provides transparency about the testing methodology. Option C is wrong because requiring the client to disable antivirus software would actually increase the risk of disruption, as it removes a critical security control that could detect and block malicious activity, potentially leading to unintended system instability or compromise.

298
MCQeasy

A penetration tester is preparing a report for a client. The client's C-suite executives need a high-level overview of the engagement results without technical jargon. Which section of the report is most appropriate for this audience?

A.Executive summary
B.Technical findings and remediation steps
C.Appendices with raw scan data
D.Methodology section
AnswerA

Provides a high-level overview suitable for the C-suite.

Why this answer

Option A is correct because the executive summary is designed for non-technical stakeholders, providing a high-level overview of findings and recommendations. Option B (Technical findings) contains detailed technical explanations not suitable for executives. Option D (Methodology) describes the testing approach, which is not a priority for executives. Option C (Appendices) contains raw data that is not summarized.

299
MCQmedium

During a penetration test, the tester finds that a web application is vulnerable to server-side template injection (SSTI). Which of the following payloads would be most effective to test for SSTI in an Express-based Node.js application using Handlebars?

A.{{7*7}}
B.{{7*'7'}}
C.<%= 7*7 %>
D.${7*7}
AnswerA

If SSTI is present, this will output 49.

Why this answer

In Handlebars, the expression {{7*7}} evaluates the multiplication directly, returning 49. This confirms SSTI because the server processes the template expression before rendering. Other payloads like {{7*'7'}} may cause type coercion errors or not execute in the same way, making {{7*7}} the most reliable test.

Exam trap

CompTIA often tests the distinction between server-side template syntax (Handlebars) and client-side or other framework syntaxes, so candidates mistakenly choose ERB or template literal payloads that are not processed by the server.

How to eliminate wrong answers

Option B ({{7*'7'}}) is wrong because in Handlebars, multiplying a number by a string may cause a type error or unexpected behavior, not a clean numeric result, making it less reliable for SSTI detection. Option C (<%= 7*7 %>) is wrong because this is an ERB-style tag used in Ruby or other frameworks, not in Handlebars or Express/Node.js. Option D (${7*7}) is wrong because this is JavaScript template literal syntax, which is client-side and not processed by the server-side Handlebars engine.

300
MCQeasy

A client wants to conduct a penetration test of their web application, but they are concerned about potential service disruption. They request that the tester avoid using any techniques that could cause the application to crash or become unresponsive. Which of the following should the tester include in the rules of engagement to address this requirement?

A.Specify that the tester will only use ACK scans and never send data payloads.
B.Include a clause that prohibits denial-of-service attacks and rate-limits all automated tools.
C.State that the tester will not use any automated tools and will perform only manual testing.
D.Do not include any specific limitation; the tester assumes responsibility for any outages.
AnswerB

Explicitly prohibiting DoS and implementing rate limits directly addresses the client's concern about service disruption.

Why this answer

Option B is correct because it directly addresses the client's concern by prohibiting denial-of-service attacks and implementing rate-limiting on automated tools. Rate-limiting prevents overwhelming the web application with requests, which could cause resource exhaustion or unresponsiveness, while the prohibition on DoS ensures no intentional disruption occurs. This aligns with the rules of engagement (RoE) requirement to scope the test safely.

Exam trap

The trap here is that candidates confuse 'avoiding service disruption' with 'avoiding all automated tools' or 'avoiding all payloads,' when the correct approach is to control the intensity of testing through rate-limiting and explicit prohibitions on disruptive techniques like DoS.

How to eliminate wrong answers

Option A is wrong because ACK scans are a type of port scan that can still cause service disruption if sent at high rates or to vulnerable services, and the statement 'never send data payloads' is overly restrictive and irrelevant to preventing crashes—many safe techniques (e.g., SQL injection payloads) require data but can be rate-limited. Option C is wrong because it unnecessarily bans all automated tools, which would severely limit the test's effectiveness; manual testing alone cannot efficiently cover a large web application, and automated tools can be safely used with rate-limiting and proper configuration.
