CompTIA PenTest+ PT0-002 (PT0-002) — Questions 301375

509 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
Multi-Selectmedium

Which TWO of the following are appropriate ways to handle sensitive data discovered during a penetration test when producing the final report? (Select TWO.)

Select 2 answers
A.Include the raw sensitive data in an appendix with restricted distribution.
B.Encrypt the report with a strong password and email it to all stakeholders.
C.Label the entire report as 'Sensitive' and leave data unaltered.
D.Securely delete any copies of sensitive data after the report is delivered.
E.Redact or mask the sensitive data in the report.
AnswersD, E

This follows data minimization principles.

Why this answer

Options B and D are correct. Sensitive data should be sanitized in the report (e.g., redacted or anonymized), and any retained data should be securely destroyed after the report is delivered. Option A is wrong because assigning a separate sensitivity label is not a handling method.

Option C is wrong because including raw data increases risk. Option E is wrong because secure transmission is about delivery, not report content.

302
MCQmedium

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

A.Executive Summary
B.Risk Assessment
C.Technical Findings
D.Appendices
AnswerC

This section is where remediation steps for each finding should be documented for the development team.

Why this answer

Option C is correct because the Technical Findings section of a penetration test report is designed to provide detailed, step-by-step remediation instructions for technical audiences, such as the development team. This section includes specific code-level fixes, parameterized query examples, and input validation techniques to address the SQL injection vulnerability, ensuring the team can implement precise changes.

Exam trap

Cisco often tests the distinction between report sections by making candidates confuse the high-level Executive Summary with the detailed Technical Findings, especially when the question emphasizes 'step-by-step remediation' for a technical team.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks and business impact, not granular remediation steps. Option B is wrong because the Risk Assessment section focuses on the likelihood, impact, and severity rating of findings (e.g., CVSS scores), not on how to fix the vulnerability technically.

303
MCQeasy

A penetration tester is performing internal reconnaissance on a Windows domain. The tester wants to enumerate SMB shares on multiple hosts quickly. Which tool is best suited for this task?

A.nmap -sV --script=smb-enum-shares
B.enum4linux
C.nbtscan
D.dig
AnswerB

enum4linux automates enumeration of SMB shares, users, and other Windows information.

Why this answer

B is correct because enum4linux is a dedicated tool that automates the enumeration of SMB shares, users, and other information from Windows and Samba systems using the SMB protocol (primarily over TCP/445 and NetBIOS over TCP/139). It leverages the SMB RPC calls (e.g., NetShareEnum) to quickly list shares across multiple hosts, making it ideal for internal reconnaissance in a Windows domain.

Exam trap

The trap here is that candidates often choose nmap because it is a versatile scanning tool, but they overlook that enum4linux is purpose-built for rapid SMB share enumeration across multiple hosts, making it the more efficient choice for this specific task.

How to eliminate wrong answers

Option A is wrong because while nmap with the smb-enum-shares script can enumerate SMB shares, it is not the fastest tool for quickly scanning multiple hosts; nmap's script scanning is slower and more suited for detailed single-host analysis. Option C is wrong because nbtscan only enumerates NetBIOS name tables (using NBNS over UDP/137) and does not enumerate SMB shares; it provides hostnames and MAC addresses, not share lists.

304
MCQeasy

A penetration tester is preparing the executive summary of a report for a client's board of directors. Which of the following metrics would be MOST valuable for this audience to understand the overall security posture?

A.The exact CVSS score for each vulnerability found
B.A heat map showing the number of vulnerabilities by severity (Critical, High, Medium, Low)
C.A detailed list of commands used during exploitation
D.The names of the operating systems and applications that were tested
AnswerB

This provides a quick, visual representation of the overall security posture and is easily understood by non-technical stakeholders.

Why this answer

The board of directors needs a high-level, risk-based overview of the security posture, not technical details. A heat map with vulnerability counts by severity (Critical, High, Medium, Low) provides an immediate visual representation of risk distribution, enabling strategic decisions without requiring technical expertise. This aligns with the PT0-002 objective of tailoring reporting to the audience.

Exam trap

The trap here is that candidates may think exact CVSS scores (Option A) are more precise and therefore more valuable, but the board needs actionable risk summaries, not technical precision.

How to eliminate wrong answers

Option A is wrong because exact CVSS scores (e.g., 7.5) are too granular for a board audience; they require context and are better suited for technical remediation teams. Option C is wrong because a detailed list of commands used during exploitation is operational data for technical staff, not strategic information for executives, and would obscure the overall risk picture.

305
Multi-Selecthard

A penetration tester is scoping a test for a client that uses a hybrid identity system. The client wants to ensure that the test does not affect production authentication. Which TWO actions should the tester recommend?

Select 2 answers
A.Test using non-production accounts
B.Conduct testing during off-peak hours
C.Use a separate domain for testing
D.Perform password spraying against all users
E.Disable MFA for test accounts
AnswersA, C

Keeps test traffic away from real user accounts.

Why this answer

Using non-production accounts and a separate test domain isolate the test from production identity systems. Password spraying against all users could disrupt accounts, and disabling MFA may weaken security. Off-peak scheduling reduces impact but does not prevent direct interaction with production systems.

306
MCQeasy

A penetration tester is conducting an internal assessment of a company's web application. The application provides a file upload feature that accepts images but does not validate the file type on the server side. The tester has identified that the application runs on an Apache server with PHP support. The tester wants to execute a command on the server to establish a reverse shell. The tester has a Linux client and has already crafted a PHP reverse shell payload. The tester has also verified that outbound connections are allowed from the server. After uploading the malicious PHP file, the tester attempts to access it via a browser but receives a 404 error. The tester suspects the uploaded file may have been renamed or moved. Which of the following steps should the tester take next to achieve code execution?

A.Modify the PHP payload to avoid detection by antivirus on the server.
B.Use a directory listing tool to scan for hidden files in the upload directory.
C.Re-upload the file with a different extension like .php5 or .phtml.
D.Check the web server access and error logs to identify the actual path where the file was saved.
AnswerD

Logs can show the URL and path used, revealing any renaming or relocation of the uploaded file.

Why this answer

The 404 error suggests the file is not at the expected location. Checking the web server access logs can reveal the actual path or filename that the server used for the uploaded file. Option C is the most logical next step.

Option A is incorrect because the server is providing a 404, not a parsing error. Option B is premature before determining the file path. Option D would only be relevant if the file were successfully accessed but not executed.

307
MCQmedium

After a penetration test, the client's development team requires detailed, step-by-step instructions to reproduce a SQL injection vulnerability found in the user login functionality. In which section of the standard penetration testing report should this information be included?

A.Executive Summary
B.Technical Findings
C.Recommendations
D.Risk Rating
AnswerB

This section contains detailed information about each vulnerability, including steps to reproduce, proof of concept, and technical impact.

Why this answer

The Technical Findings section is the correct location because it provides detailed, step-by-step reproduction steps for vulnerabilities, including the exact SQL injection payloads, input fields, and HTTP request parameters used to exploit the login functionality. This section is intended for technical audiences (e.g., developers) who need to understand and remediate the issue, not for high-level summaries or general advice.

Exam trap

The trap here is that candidates often confuse the purpose of the Recommendations section, thinking it should include step-by-step reproduction steps, when in fact it only contains high-level remediation guidance, while the Technical Findings section is the proper place for detailed exploitation procedures.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, containing business impact, risk ratings, and strategic recommendations, not step-by-step technical reproduction instructions. Option C is wrong because the Recommendations section provides high-level remediation advice (e.g., 'use parameterized queries') but does not include the detailed, step-by-step reproduction steps needed by the development team to verify and fix the specific vulnerability.

308
MCQhard

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

A.Use the php://input wrapper and send PHP code in the POST body.
B.Use the file:// wrapper to read sensitive files like /etc/passwd.
C.Use the data:// wrapper with a base64-encoded PHP payload.
D.Set allow_url_include to On in php.ini via the LFI.
AnswerA

php://input reads the raw POST data. When included, the PHP interpreter will execute any code contained in the POST body. This is a common technique to turn LFI into RCE, and it does not require allow_url_include to be enabled.

Why this answer

The correct technique is to use the php://input wrapper because it allows the attacker to pass arbitrary PHP code in the HTTP POST body, which the include() function will execute as PHP. Since the vulnerable code directly includes user input without sanitization, the php://input stream reads the raw POST data and processes it as a PHP script, achieving remote code execution.

Exam trap

The trap here is that candidates often assume data:// is the most direct way to inject code, but they overlook that php://input is more reliable because it does not require allow_url_include to be enabled, which is a common security hardening measure.

How to eliminate wrong answers

Option B is wrong because the file:// wrapper only reads local files and does not allow code execution; it would only read sensitive files like /etc/passwd, not achieve RCE. Option C is wrong because while the data:// wrapper can execute PHP code if the allow_url_include directive is enabled, it is often disabled by default in modern PHP configurations, making it less reliable than php://input, which is more commonly available and does not require allow_url_include to be enabled for this purpose.

309
MCQmedium

You are writing the final report for a penetration test. The client has requested that the report be delivered in an encrypted format. Additionally, the client wants to include raw screenshots and command outputs for evidence. The tester has captured screenshots that show user credentials in clear text from a successful phishing attack. What is the BEST way to handle this?

A.Exclude the evidence and only describe the finding
B.Redact or obfuscate the credentials in the screenshots before including them
C.Provide the screenshots in a separate unencrypted file
D.Include the raw screenshots as requested
AnswerB

This preserves the evidence while protecting sensitive information.

Why this answer

Option B is correct. Redacting or obfuscating sensitive data like credentials protects confidentiality while still providing evidence. Option A is wrong because exposing credentials in raw screenshots violates data protection best practices.

Option C is wrong because removing the evidence may weaken the report's credibility. Option D is wrong because unencrypted delivery defeats the purpose of encryption and exposes data.

310
Multi-Selecthard

Which THREE of the following are important elements to include in the remediation section of a penetration test report? (Select THREE.)

Select 3 answers
A.Priority levels (e.g., Critical, High, Medium) based on risk.
B.A list of all external parties notified about the vulnerabilities.
C.Step-by-step instructions to fix each vulnerability.
D.CVE identifiers or references to industry best practices.
E.Detailed timeline of when each finding was discovered.
AnswersA, C, D

Prioritization guides the client on what to fix first.

Why this answer

Options A, C, and D are correct. Remediation should include specific steps, reference to industry standards, and priority based on risk. Option B is not a standard part of remediation; it's for methodology.

Option E is about disclosure, not remediation.

311
MCQeasy

After completing a penetration test, you present the findings to the client's technical team. During the debrief meeting, the technical lead argues that one of the identified vulnerabilities is not exploitable in their environment and should be removed from the report. The evidence you have shows it is exploitable. What is the BEST response?

A.Immediately remove the finding to maintain good client relations
B.Challenge the technical lead and insist it stays
C.Document the disagreement and include both perspectives in the report
D.Offer to demonstrate the exploit to confirm
AnswerC

This provides transparency and allows the client to evaluate the risk based on both views.

Why this answer

Option D is correct. The best practice is to document the disagreement and include both perspectives, allowing the client to make an informed decision. Option A is wrong because removing the finding compromises the report's accuracy.

Option B is wrong because it may escalate conflict without constructive outcome. Option C is wrong because demonstrating exploits during a debrief may not be appropriate or feasible.

312
MCQhard

During a penetration test, a tester identifies a critical SQL injection vulnerability. The client remediates the issue, but a retest reveals the same vulnerability in a different module of the application. How should the tester present this information in the final report to best communicate recurring risks?

A.List each instance as a separate finding with its own risk rating.
B.Increase the CVSS score of the second finding to reflect the repeated issue.
C.Note that the vulnerability was successfully remediated earlier and reappeared, so it is now considered a new finding.
D.Document the recurrence and recommend a root-cause analysis and secure coding training to prevent future regressions.
AnswerD

This provides a comprehensive view of the problem and offers strategic remediation advice.

Why this answer

Option D is correct because it addresses the root cause of the recurrence rather than treating each instance as an isolated event. By recommending a root-cause analysis and secure coding training, the tester helps the client prevent future regressions across the entire codebase, which is the core goal of a penetration test report. This aligns with the PT0-002 objective of providing actionable remediation guidance beyond simply listing vulnerabilities.

Exam trap

The trap here is that candidates may think treating each recurrence as a separate or escalated finding is more thorough, but the exam emphasizes that the report should drive systemic improvement rather than just cataloging symptoms.

How to eliminate wrong answers

Option A is wrong because listing each instance as a separate finding with its own risk rating would inflate the risk count without addressing the underlying systemic issue, leading to a fragmented and less actionable report. Option B is wrong because increasing the CVSS score of the second finding is not a valid practice; CVSS scores are based on the intrinsic characteristics of a vulnerability, not on the history of its recurrence. Option C is wrong because noting the vulnerability as a new finding ignores the fact that it is a regression of a previously fixed issue, which should trigger a deeper investigation into why the fix failed, not simply be treated as a brand-new finding.

313
MCQmedium

During a penetration test, a tester discovers a binary that appears to be obfuscated. Which approach is best for deobfuscation?

A.Use a debugger like GDB
B.Execute the binary in a sandbox
C.Run the 'strings' command
D.Recompile the binary from source
AnswerA

A debugger steps through code, helping to reverse obfuscation.

Why this answer

Option A is correct because a debugger like GDB allows dynamic analysis to follow execution and decode obfuscation. Option B is wrong because strings may not reveal obfuscated content. Option C is wrong because sandboxes analyze behavior, not code deobfuscation.

Option D is wrong because source is not available.

314
MCQmedium

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

A.Shodan
B.Nmap with -sT scan
C.BuiltWith
D.Wappalyzer browser extension
AnswerC

BuiltWith uses historical and public data to identify technologies used by a website, making it a passive information source.

Why this answer

BuiltWith is a web-based reconnaissance tool that analyzes a target website's technology stack by examining publicly available data, such as HTTP headers, HTML source code, and JavaScript files, without sending any packets from the tester's machine. It passively gathers information about web server software, frameworks, analytics tools, and more, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with tools that appear passive from their own machine but rely on active scanning by a third-party service, like Shodan, or they may incorrectly think Nmap can be used passively when it inherently requires packet transmission.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices that actively probes and indexes banners from services, but it relies on its own active scanning infrastructure, not passive gathering from the tester's perspective; the tester does not send packets, but Shodan itself does. Option B is wrong because Nmap with -sT scan performs a TCP connect scan, which sends SYN and ACK packets to the target, making it an active scanning technique that violates the requirement of not sending any packets.

315
MCQeasy

A penetration tester has obtained a dump of NTLM password hashes from a Windows Domain Controller. The tester wants to crack these hashes as quickly as possible using GPU acceleration. Which tool is the BEST choice for this task?

A.John the Ripper
B.Hashcat
C.Ophcrack
D.THC-Hydra
AnswerB

Hashcat is designed for high-speed password cracking with GPU support; it is the fastest tool for NTLM hashes when a compatible GPU is available.

Why this answer

Hashcat (Option B) is the best choice because it is specifically designed for GPU-accelerated password cracking, supporting NTLM hashes with the -m 1000 mode. It leverages OpenCL or CUDA to parallelize cracking across thousands of GPU cores, making it significantly faster than CPU-based tools for large hash dumps. John the Ripper can use GPUs but requires additional configuration and is generally slower for NTLM hashes, while Ophcrack is limited to LM hashes and cannot handle NTLM hashes at all.

Exam trap

The trap here is that candidates often assume John the Ripper is the universal cracking tool due to its popularity, overlooking that Hashcat is the industry standard for GPU-accelerated NTLM cracking because of its optimized kernel and native support for the NTLM hash mode (-m 1000).

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of GPU acceleration via the 'john --devices' flag, is primarily CPU-optimized and requires manual setup for OpenCL, resulting in slower performance compared to Hashcat's native GPU pipeline for NTLM hashes. Option C is wrong because Ophcrack is designed exclusively for LM hashes using rainbow tables and cannot process NTLM (NT hash) dumps, making it completely unsuitable for this task.

316
Multi-Selecteasy

A penetration tester is reviewing Python code for a web application and finds the following snippet: import sqlite3 def get_user(username): conn = sqlite3.connect('users.db') cursor = conn.cursor() query = "SELECT * FROM users WHERE username = '" + username + "'" cursor.execute(query) return cursor.fetchall() Which TWO of the following vulnerabilities are present in this code? (Select TWO.)

Select 2 answers
A.Improper error handling
B.SQL injection
C.Cross-site scripting (XSS)
D.Command injection
E.Path traversal
AnswersA, B

No try-except block is present, so exceptions may leak stack traces.

Why this answer

Option A is correct because the code concatenates user input directly into an SQL query, allowing SQL injection. Option E is correct because the code does not handle exceptions; if the database query fails, unhandled exceptions could reveal sensitive information. Options B, C, and D are not present because there is no output to a browser (XSS), no system command execution (command injection), and no file path manipulation (path traversal).

317
MCQmedium

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

A.Using URL encoding for the single quote (%27)
B.Using double quotes instead of single quotes
C.Using a second-order SQL injection
D.Using a payload without quotes, such as numeric injection
AnswerD

If the input is used in a numeric context (e.g., WHERE id=5), quoting is not needed, allowing injection without single quotes.

Why this answer

Option D is correct because numeric injection does not require quotes at all, directly bypassing the single-quote filter. When the vulnerable parameter expects a numeric value (e.g., an ID), the tester can inject SQL logic like `OR 1=1` without any quotes, making it the most effective technique against input validation that blocks single quotes.

Exam trap

The trap here is that candidates often assume URL encoding or alternative quote characters will bypass the filter, but they overlook that the filter operates on the decoded input or that SQL syntax strictly requires single quotes for string delimiters.

How to eliminate wrong answers

Option A is wrong because URL encoding (%27) is typically decoded by the web server before the input reaches the application, so the filter still sees the single quote and blocks it. Option B is wrong because double quotes are not interchangeable with single quotes in SQL; string literals in SQL (e.g., MySQL, PostgreSQL) require single quotes, so double quotes would not close the string and would likely cause a syntax error or be treated as identifiers. Option C is wrong because second-order SQL injection relies on storing malicious input (often containing quotes) in the database and later executing it; the initial injection still needs to bypass the filter to store the payload, so it does not solve the immediate problem of the single-quote filter.

318
MCQeasy

During the scoping phase of a penetration test, a client wants to test a third-party API that is integral to their web application. However, they do not have permission from the third-party provider. Which of the following should the tester do first?

A.Proceed with testing the API but restrict the test to read-only operations
B.Exclude the third-party API from the scope and document the limitation
C.Contact the third-party provider directly to obtain permission
D.Include the API in the scope and note the legal risks in the report
AnswerB

This is the correct approach. The scope should clearly state what is in and out of bounds. The client can then seek permission separately if desired.

Why this answer

Option B is correct because testing a third-party API without explicit permission from the provider violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The penetration tester must first document this limitation in the scope to ensure the client understands the risk and to maintain the test's legality. Proceeding without permission could lead to liability for both the tester and the client.

Exam trap

The trap here is that candidates may assume 'read-only' testing is safe or that direct contact with the third party is proactive, but the exam emphasizes that scope limitations must be documented and that the client, not the tester, is responsible for obtaining permissions.

How to eliminate wrong answers

Option A is wrong because restricting testing to read-only operations does not grant legal permission; any interaction with the third-party API without authorization, even read-only, can still be considered unauthorized access and may violate the provider's terms of service or applicable laws. Option C is wrong because the tester should not contact the third-party provider directly, as this is the client's responsibility; the tester lacks the contractual relationship to negotiate permissions and doing so could breach confidentiality or scope agreements.

319
MCQhard

Refer to the exhibit. A penetration tester reviews this S3 bucket policy. The bucket contains sensitive data. Which of the following best describes the security issue?

A.The policy allows only specific users to read objects
B.The policy allows anyone with an IP in the 10.0.0.0/8 range to read objects
C.The policy allows anonymous write access
D.The policy allows any AWS principal to read objects
AnswerB

Overly permissive and misconfigured.

Why this answer

Option A is correct because the policy allows anyone with an IP in the 10.0.0.0/8 range to read objects, which is overly permissive and ineffective since private IPs are not routable on the internet. Option B is wrong because condition restricts IP. Option C is wrong because principal is any.

Option D is wrong because action is GetObject only.

320
MCQeasy

A penetration tester is reviewing a Bash script that contains the following command: 'openssl s_client -connect target:443 -servername target 2>/dev/null | openssl x509 -noout -text'. What is the primary purpose of this command?

A.Extract the SSL certificate in text form.
B.Perform a man-in-the-middle attack.
C.Test for weak cipher suites.
D.Verify the certificate's revocation status.
AnswerA

Correct. 'openssl s_client' establishes a connection, and piping to 'openssl x509 -noout -text' outputs the certificate details.

Why this answer

The command uses `openssl s_client` to establish a TLS connection to `target:443` and then pipes the certificate output to `openssl x509 -noout -text`, which decodes and prints the certificate in human-readable text form. The primary purpose is to retrieve and display the SSL/TLS certificate details (e.g., issuer, subject, validity dates, SANs) for inspection, not to attack or test cipher suites.

Exam trap

The trap here is that candidates may confuse certificate retrieval with cipher suite testing or assume any use of `openssl s_client` implies an attack, when in fact the command is a standard diagnostic tool for inspecting certificate content.

How to eliminate wrong answers

Option B is wrong because the command does not intercept or modify traffic between two parties; it simply connects to the server and displays its certificate, which is a normal client operation, not a man-in-the-middle attack. Option C is wrong because testing for weak cipher suites requires specifying cipher lists or using tools like `sslscan` or `nmap --script ssl-enum-ciphers`; this command only retrieves the certificate and does not enumerate or test cipher negotiation.

321
MCQeasy

A penetration tester is using a vulnerability scanner that reports a 'Critical' severity for an 'SMBv1 vulnerability' on a Windows server. Which of the following is the correct remediation recommendation?

A.Apply the latest Windows security patches
B.Disable SMBv1 on the server
C.Enable SMB signing
D.Enable SMB encryption
AnswerB

Disabling the insecure protocol is the most effective remediation.

Why this answer

The correct remediation for an SMBv1 vulnerability is to disable SMBv1 on the server. SMBv1 is a legacy protocol that lacks modern security features and is known to be exploited by malware like EternalBlue (used in WannaCry). Disabling SMBv1 eliminates the attack surface without affecting SMBv2 or SMBv3, which are secure and still functional.

Exam trap

The trap here is that candidates assume patching (Option A) is sufficient for all vulnerabilities, but for SMBv1, the protocol itself is deprecated and must be disabled rather than just patched.

How to eliminate wrong answers

Option A is wrong because applying the latest Windows security patches only addresses specific CVEs but does not remove the inherently insecure SMBv1 protocol; patches can be bypassed or incomplete, whereas disabling SMBv1 is the definitive fix. Option C is wrong because enabling SMB signing provides integrity and authentication for SMB traffic but does not mitigate the SMBv1 protocol's fundamental vulnerabilities, such as buffer overflow exploits. Option D is wrong because enabling SMB encryption protects data in transit but does not disable or patch the SMBv1 protocol itself, leaving the server still vulnerable to SMBv1-specific attacks.

322
MCQhard

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

A.{{7*7}}
B.<script>alert('xss')</script>
C.${7*7}
D.{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
AnswerD

Correct. This payload exploits Python object chaining to execute system commands, achieving remote code execution.

Why this answer

Option D is correct because it exploits Python's object model to access the `os` module via `__class__.__init__.__globals__`, bypassing the template engine's lack of sandboxing. This allows the attacker to execute arbitrary system commands like `id` on the server, achieving remote code execution (RCE). The payload is specific to Jinja2 or similar Python-based template engines that expose built-in objects.

Exam trap

The trap here is that candidates confuse SSTI with simple template injection tests (like `{{7*7}}`) or XSS, failing to recognize that the correct payload must chain object introspection to access system commands for RCE.

How to eliminate wrong answers

Option A is wrong because `{{7*7}}` is a simple math expression that only tests for SSTI vulnerability (returning 49) but does not achieve RCE. Option B is wrong because `<script>alert('xss')</script>` is a Cross-Site Scripting (XSS) payload, not an SSTI payload, and it targets client-side execution, not server-side RCE. Option C is wrong because `${7*7}` is a Java Expression Language (EL) injection syntax, not applicable to Python-based template engines; it would not execute in a Jinja2 context and does not lead to RCE.

323
MCQmedium

A penetration tester is using an Nmap NSE script to enumerate SMB shares on a target Windows server. The script runs without errors but returns no shares, even though the server has shares configured. Which is the MOST likely cause?

A.The script requires administrative credentials
B.The target is running Windows 10 with SMB signing enabled
C.The script is not being run with the correct arguments
D.The target is blocking ICMP traffic
AnswerA

SMB share enumeration typically requires valid credentials, without which the script cannot enumerate shares.

Why this answer

The Nmap SMB enumeration scripts (e.g., smb-enum-shares.nse) by default attempt to connect as a guest or anonymous user. On modern Windows servers, especially those with default security configurations, anonymous access to SMB shares is disabled. The script requires valid administrative credentials to list all shares, as the SMB protocol restricts share enumeration to authenticated users with appropriate privileges.

Exam trap

The trap here is that candidates assume Nmap scripts run with full default access, overlooking that SMB enumeration on modern Windows requires explicit authentication, not just a null session.

How to eliminate wrong answers

Option B is wrong because SMB signing, while a security feature, does not prevent enumeration of shares; it only ensures packet integrity and authentication, and the Nmap script can handle signed connections. Option C is wrong because the script runs without errors and returns no shares, indicating it executed correctly but lacked the necessary permissions; incorrect arguments would typically cause a syntax error or unexpected behavior, not a silent empty result.

324
Drag & Dropmedium

Drag and drop the steps to perform a password cracking attack using John the Ripper into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Password cracking requires hash acquisition, type identification, running the tool, and using results for further attacks.

325
MCQmedium

A penetration tester is analyzing a Python script that uses the 'subprocess' module to execute shell commands. The tester notices that the script passes user-supplied input directly to the shell without any sanitization or validation. Which vulnerability class is most likely present in this script?

A.Command injection
B.SQL injection
C.Path traversal
D.Buffer overflow
AnswerA

Untrusted input passed directly to a shell interpreter allows attackers to execute arbitrary system commands, which is the definition of command injection.

Why this answer

The script uses the `subprocess` module to execute shell commands with user-supplied input passed directly to the shell without sanitization. This allows an attacker to inject arbitrary shell metacharacters (e.g., `;`, `|`, `&&`) to execute unintended commands, which is the classic definition of command injection. The vulnerability arises because the input is concatenated into a command string rather than passed as a list of arguments, bypassing the shell's argument separation.

Exam trap

The trap here is that candidates may confuse command injection with SQL injection because both involve untrusted input, but the key differentiator is the execution context—shell commands versus database queries—and the specific module (`subprocess`) indicates shell execution, not database interaction.

How to eliminate wrong answers

Option B is wrong because SQL injection requires the input to be passed to a database query (e.g., via SQL statements), not to a shell command via the `subprocess` module. Option C is wrong because path traversal involves manipulating file paths to access restricted directories (e.g., using `../`), which is unrelated to executing arbitrary shell commands through the `subprocess` module.

326
MCQeasy

A penetration tester wants to perform DNS brute-force enumeration to discover subdomains of a target domain. Which tool is specifically designed for this purpose?

A.nmap
B.dnsrecon
C.Wireshark
D.Hydra
AnswerB

Dnsrecon is a DNS enumeration tool that includes brute-force functionality to discover subdomains. It is specifically designed for this task.

Why this answer

B is correct because dnsrecon is a specialized DNS enumeration tool that includes a brute-force mode for discovering subdomains. It uses a wordlist to query DNS servers for common subdomain names, leveraging the DNS protocol's inherent structure to map out a target's domain hierarchy without relying on zone transfers.

Exam trap

The trap here is that candidates often confuse nmap's general DNS script (e.g., dns-brute.nse) with a dedicated tool, but the question specifically asks for a tool 'designed for this purpose,' and dnsrecon is purpose-built for DNS enumeration, whereas nmap's script is an add-on.

How to eliminate wrong answers

Option A is wrong because nmap is a network scanning tool focused on port discovery and service fingerprinting, not DNS-specific brute-force enumeration; while it can perform DNS queries via scripts, it lacks the dedicated subdomain brute-force functionality of dnsrecon. Option C is wrong because Wireshark is a packet analyzer used for capturing and inspecting network traffic, not for actively generating DNS queries to enumerate subdomains.

327
MCQmedium

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

A.OWASP Top 10
B.CVSS
C.CVE
D.NIST SP 800-115
AnswerB

Correct. CVSS provides a standardized and widely accepted severity score for vulnerabilities.

Why this answer

CVSS (Common Vulnerability Scoring System) is the industry-standard framework for assigning numeric severity scores (0-10) to vulnerabilities based on metrics like attack vector, complexity, and impact. Penetration testers use CVSS scores to provide consistent, quantitative risk ratings that clients can compare across findings. OWASP Top 10 is a list of web application risk categories, not a scoring system, and CVE is a vulnerability identifier database, not a rating framework.

Exam trap

The trap here is that candidates confuse OWASP Top 10 (a risk categorization list) with a scoring framework, or mistake CVE (an identifier system) for a severity rating system, when CVSS is the only option that provides a standardized numerical severity scale for individual vulnerabilities.

How to eliminate wrong answers

Option A is wrong because OWASP Top 10 is a periodic awareness document that ranks broad categories of web application security risks (e.g., injection, broken authentication), not a framework for assigning individual vulnerability severity scores. Option C is wrong because CVE (Common Vulnerabilities and Exposures) is a dictionary of unique identifiers for publicly known vulnerabilities, with no scoring or rating mechanism—it simply names and describes the flaw.

328
MCQhard

A penetration tester is analyzing a malicious script found on a compromised Linux server. The script uses obfuscation techniques including base64 encoding and variable substitution. Which tool or method is most effective for deobfuscating the script to understand its functionality?

A.Use a Python emulator like Unicorn
B.Analyze packet captures with Wireshark
C.Disassemble with IDA Pro
D.Run the script with 'bash -x' in a sandbox
AnswerD

'bash -x' prints each command before execution, revealing the deobfuscated actions in a controlled environment.

Why this answer

For deobfuscating shell scripts, running the script in a sandboxed environment with static analysis (e.g., using 'set -x' or a debugger) is most effective. IDA Pro is for binary analysis, Wireshark for network packets, and Nmap for scanning.

329
MCQeasy

A penetration testing firm is hired to assess a mobile banking application. The client wants to test both Android and iOS versions, but only the production environment. Which of the following is the MOST important scoping consideration to include in the rules of engagement?

A.Requiring jailbroken/rooted devices for testing
B.Specifying the number of concurrent users during testing
C.Defining the test window to avoid peak hours
D.Excluding the backend API from testing
AnswerA

Rooting/jailbreaking enables deep testing that is often necessary for comprehensive mobile app security assessments.

Why this answer

Requiring jailbroken or rooted devices is the most important scoping consideration because mobile banking applications often implement runtime integrity checks (e.g., MagiskHide, Frida detection) that prevent the app from running on compromised devices. Without explicit authorization to bypass these controls, the penetration tester cannot perform deep dynamic analysis, such as hooking API calls or inspecting encrypted local storage, which is essential for a thorough security assessment of the production environment.

Exam trap

The trap here is that candidates often confuse operational scheduling (Option C) with technical feasibility, overlooking that without a jailbroken/rooted device, the tester cannot bypass runtime integrity checks and thus cannot perform the most critical parts of the mobile app assessment.

How to eliminate wrong answers

Option B is wrong because specifying the number of concurrent users is irrelevant for a mobile application penetration test; load testing is a performance concern, not a security scoping consideration, and the rules of engagement focus on authorization boundaries, not throughput metrics. Option C is wrong because defining the test window to avoid peak hours is an operational consideration to minimize business impact, but it is not the most important scoping factor; the core technical constraint for mobile app testing is the device's integrity state, as production apps often refuse to run on jailbroken/rooted devices, making authorization to use such devices a prerequisite for any meaningful testing.

330
MCQmedium

A penetration tester discovers that a previously reported vulnerability from a prior test has not been remediated. How should this be communicated in the current report?

A.Only mention it in the executive summary, referencing the past report.
B.Include it as a recurring finding and note the lack of remediation.
C.Omit the finding to avoid repetition.
D.Reduce the severity rating because it was already reported.
AnswerB

This provides accountability and highlights the need for action.

Why this answer

Option B is correct because penetration testing standards (e.g., PTES, OWASP) require that previously identified vulnerabilities that remain unpatched be documented as recurring findings with explicit reference to the prior report. This ensures the client understands the risk persists and can track remediation progress over time. Including the finding with a note on lack of remediation maintains the integrity of the current risk assessment and supports compliance with reporting frameworks like NIST SP 800-115.

Exam trap

The trap here is that candidates mistakenly think repeating a finding is redundant or that the executive summary is sufficient, but CompTIA expects the finding to be fully documented in the technical body of the report with a clear note on recurrence.

How to eliminate wrong answers

Option A is wrong because relegating a recurring vulnerability solely to the executive summary omits the technical details, evidence, and risk context needed for the technical audience to act on the finding. Option C is wrong because omitting the finding violates the principle of full disclosure and could lead to legal liability if the client assumes the vulnerability was fixed. Option D is wrong because reducing the severity rating based solely on prior reporting is a logical fallacy; the risk to the environment remains unchanged unless compensating controls have been verified.

331
MCQmedium

A penetration tester is performing a man-in-the-middle attack on a network using ARP spoofing. What is the primary purpose of ARP spoofing?

A.To assign a fake IP address to the attacker's device
B.To associate the attacker's MAC address with the IP address of a legitimate host
C.To modify the routing table of the target
D.To poison the DNS cache of the target
AnswerB

This redirects traffic destined for that IP to the attacker.

Why this answer

ARP spoofing works by sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host (e.g., the default gateway). This causes traffic destined for that IP to be sent to the attacker instead, enabling interception and manipulation of network communications.

Exam trap

The trap here is that candidates confuse ARP spoofing with IP address spoofing or DNS poisoning, but the exam specifically tests that ARP spoofing manipulates MAC-to-IP mappings at Layer 2, not IP addresses or higher-layer caches.

How to eliminate wrong answers

Option A is wrong because ARP spoofing does not assign a fake IP to the attacker; the attacker retains their own IP and instead manipulates the IP-to-MAC mapping on other hosts. Option C is wrong because ARP spoofing operates at Layer 2 (Data Link) and does not modify routing tables, which are Layer 3 constructs managed by protocols like RIP or OSPF. Option D is wrong because DNS cache poisoning targets the DNS resolver's cache (Layer 7), whereas ARP spoofing targets the ARP cache (Layer 2) to redirect traffic at the network access layer.

332
Multi-Selectmedium

A penetration tester is analyzing the results of a vulnerability scan. Which of the following findings indicate that a vulnerability is likely exploitable? (Choose two.)

Select 2 answers
A.The vulnerability is classified as 'critical' by the scanner
B.CVSS base score of 4.0
C.The vulnerability has been patched by the vendor
D.Public exploit code is available online
E.Multiple hosts share the same vulnerability
AnswersA, D

Critical severity often indicates that exploitation is likely and impact is high.

Why this answer

Option A is correct because a 'critical' classification by the scanner typically indicates a high-severity vulnerability with a CVSS base score of 9.0 or higher, which often corresponds to remotely exploitable flaws that can lead to complete compromise. Scanners like Nessus or OpenVAS assign critical severity based on factors such as attack vector, complexity, and impact, making such vulnerabilities highly likely to be exploitable in practice.

Exam trap

CompTIA often tests the distinction between vulnerability severity and exploitability, where candidates mistakenly assume a medium CVSS score (e.g., 4.0) or widespread presence (multiple hosts) implies the vulnerability is easily exploitable, ignoring that exploitability requires a working exploit or low attack complexity.

333
MCQmedium

A penetration tester is conducting an internal network test. During the engagement, the tester discovers a critical vulnerability that could be exploited to gain domain admin privileges. According to best practices, how should the tester communicate this finding to the client?

A.Immediately notify the client's point of contact via a secure channel
B.Only communicate it if the client asks for a status update
C.Wait until the end of the test to include it in the formal report
D.Exploit the vulnerability to demonstrate impact and then fix it before reporting
AnswerA

Timely communication of critical risks is essential.

Why this answer

Option A is correct because critical findings should be communicated immediately to allow the client to take urgent action, rather than waiting for the formal report. Option B is too slow. Option C delays communication.

Option D is inappropriate as testers should not remediate without authorization.

334
MCQmedium

A penetration tester is analyzing a Ruby script that uses the 'metasploit-framework' gem. The script includes a line: `Msf::Simple::Framework.create` and then calls `run_single('use exploit/multi/handler')`. What is the primary purpose of this script?

A.Automate a port scan across multiple targets
B.Set up a Metasploit payload handler to catch reverse shells
C.Create a Metasploit resource script for automated attacks
D.Load and execute a local exploit against a specified target
AnswerB

The multi/handler module is a generic payload handler that listens for incoming connections from exploited systems.

Why this answer

The script uses `Msf::Simple::Framework.create` to instantiate a Metasploit Framework instance and then calls `run_single('use exploit/multi/handler')` to load the multi/handler module. This module is specifically designed to listen for incoming connections from payloads (e.g., reverse shells) that have been executed on a target, making the script's primary purpose to set up a handler to catch reverse shells.

Exam trap

The trap here is that candidates may confuse the `use exploit/multi/handler` command with a generic exploit or attack automation, when in fact it is purely a listener for incoming reverse connections, not an active exploit or scanning tool.

How to eliminate wrong answers

Option A is wrong because the script does not include any port scanning logic or calls to modules like `auxiliary/scanner/portscan`; it only loads a handler module. Option C is wrong because the script directly executes a Metasploit command via `run_single` rather than writing or generating a resource script (`.rc` file) for later automated execution.

335
MCQhard

Refer to the exhibit. A penetration tester used a vulnerability scanner and obtained the above result. What is the BEST way to represent this finding in the report to ensure the client can reproduce and fix it?

A.Include only the URL and parameter name.
B.Include the full request with the exact payload and evidence.
C.Provide the exact error message from the database.
D.List the vulnerability scanner used and its version.
AnswerB

This allows the client to replicate the issue and test the fix.

Why this answer

Option D is correct because the report should include the full request details, including payload and evidence. Option A is wrong because the URL and parameter are not enough to show exploitation. Option B is wrong because the scanner name is not critical.

Option C is wrong because the error message is evidence, not the fix.

336
MCQhard

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

A.Java deserialization of untrusted data (RCE via Commons Collections).
B.SQL injection.
C.Cross-site scripting.
D.Command injection.
AnswerA

The presence of Commons Collections provides known gadget chains (e.g., ysoserial) that can achieve code execution during deserialization, making this the direct attack vector.

Why this answer

The correct answer is A because the presence of the Apache Commons Collections library in the classpath, combined with a vulnerable Java deserialization endpoint, enables the classic 'gadget chain' attack. Attackers craft a malicious serialized object that, when deserialized, invokes methods in Commons Collections (e.g., InvokerTransformer) to execute arbitrary system commands, achieving remote code execution (RCE). This is a well-documented exploit chain (e.g., CVE-2015-7501) that directly leverages the library's reflection-based classes.

Exam trap

The trap here is that candidates may confuse deserialization attacks with other input-based attacks like SQLi or XSS, failing to recognize that the specific vulnerability is the unsafe deserialization of Java objects using a known gadget library (Commons Collections) to achieve server-side RCE.

How to eliminate wrong answers

Option B is wrong because SQL injection targets database queries via input manipulation, not Java deserialization of objects; it does not exploit the deserialization endpoint or the Commons Collections library. Option C is wrong because cross-site scripting (XSS) injects client-side scripts into web pages, not server-side code execution via deserialization; it cannot achieve RCE through Java object deserialization.

337
MCQhard

Refer to the exhibit. A penetration tester runs this script against a target service and receives the output 'Error: [Errno 104] Connection reset by peer'. What is the most likely cause?

A.The target service is not running.
B.The target service expects a different protocol.
C.The payload caused the service to crash due to a buffer overflow.
D.The target is blocking the IP after detecting scanning.
AnswerC

The large payload and abrupt disconnection are consistent with a buffer overflow crash.

Why this answer

The connection reset indicates that the remote server closed the connection abruptly, often because the service crashed. Sending a large payload of 'A' characters suggests a buffer overflow attempt, which could cause the service to crash. Option B correctly identifies this.

If the service were not running, the error would be 'Connection refused'. Option C is possible but less likely given the script's purpose. Option D is not supported by the evidence.

338
MCQmedium

A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?

A.John the Ripper
B.Metasploit's psexec module
C.Mimikatz
D.Nmap
AnswerB

The psexec module in Metasploit allows authentication with a plaintext password or NTLM hash to execute commands on a remote Windows system via SMB.

Why this answer

Metasploit's psexec module (exploit/windows/smb/psexec) directly accepts an NTLM hash via the 'SMBPass' option and uses it to authenticate over SMB, then creates a service on the target to execute commands. This is a classic pass-the-hash technique against Windows systems, as the module leverages the SMB protocol and Windows service control manager without needing the plaintext password.

Exam trap

The trap here is that candidates confuse Mimikatz's ability to perform pass-the-hash locally (spawning a cmd.exe with the hash) with the ability to directly execute commands remotely, but Mimikatz requires additional tools like PsExec or WinRM to achieve remote execution, whereas Metasploit's psexec module is a single-step solution.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that attempts to recover plaintext passwords from hashes, not a tool that can directly authenticate using a hash for remote command execution. Option C is wrong because Mimikatz is primarily a credential extraction and manipulation tool that can perform pass-the-hash locally (e.g., via sekurlsa::pth) to spawn a process with the hash, but it does not directly provide remote command execution against a domain-joined machine without additional steps like scheduling a remote task or using PsExec.

339
Matchingmedium

Match each penetration testing tool to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network scanning and port enumeration

Exploit development and execution

Web application security testing

Password cracking

Network packet analysis

Why these pairings

These tools are commonly used in penetration testing for specific tasks.

340
MCQmedium

A Python proof-of-concept sends repeated login attempts but does not preserve cookies between requests. The application sets a CSRF token in a session cookie. What change is most likely required for accurate testing?

A.Use a requests.Session object and refresh the CSRF token before each attempt.
B.Remove all headers from the requests.
C.Increase the payload length only.
D.Disable TLS certificate verification as the main fix.
AnswerA

This maintains session state and handles token-based workflows.

Why this answer

The correct answer is A because the proof-of-concept fails to maintain session state across requests, which is essential for handling CSRF tokens that are typically tied to a session. Using a `requests.Session` object automatically persists cookies (including the session cookie containing the CSRF token) across requests, and refreshing the CSRF token before each attempt ensures the token is valid for each login attempt, mimicking real browser behavior.

Exam trap

The trap here is that candidates may think the issue is about request headers or payload size, when the real problem is the lack of session state management (cookie persistence) and CSRF token synchronization across requests.

How to eliminate wrong answers

Option B is wrong because removing all headers would likely break the application's request handling (e.g., missing Content-Type or User-Agent), and does not address the core issue of cookie persistence or CSRF token management. Option C is wrong because increasing payload length only affects the data sent in the request body, but does not solve the problem of missing session cookies or invalid CSRF tokens, which are handled via headers and cookies, not payload size.

341
MCQmedium

A penetration tester has been given access to a network tap on a client's internal network. The tester wants to perform initial reconnaissance by identifying all live hosts and their operating systems without sending any packets that could be detected. Which technique is most appropriate?

A.Perform an ARP scan using arp-scan from a connected workstation.
B.Run Wireshark to capture traffic and analyze source IP addresses and TCP/IP stack signatures.
C.Use Nmap with the -sn flag to perform a ping sweep of the subnet.
D.Initiate a DNS zone transfer request to the internal DNS servers.
AnswerB

Wireshark (or similar tools) passively captures network traffic. Source IPs reveal active hosts, and analysis of TCP/IP parameters (e.g., TTL, window size) allows OS fingerprinting without sending any packets.

Why this answer

Option B is correct because capturing traffic with Wireshark from a network tap is entirely passive—it never injects packets into the network. By analyzing source IP addresses and TCP/IP stack signatures (e.g., TTL values, window sizes, and IP ID patterns), the tester can identify live hosts and infer their operating systems without sending any detectable traffic. This aligns perfectly with the requirement to avoid sending any packets.

Exam trap

The trap here is that candidates often assume passive techniques like packet capture cannot identify operating systems, or they mistakenly think that ARP scans and ping sweeps are 'quiet' because they use low-level protocols, forgetting that any packet injection is detectable.

How to eliminate wrong answers

Option A is wrong because an ARP scan using arp-send sends ARP request packets onto the network, which can be detected by network monitoring tools or intrusion detection systems, violating the 'no packets sent' constraint. Option C is wrong because Nmap with the -sn flag performs a ping sweep that sends ICMP echo requests, TCP SYN packets to port 443, or ARP probes (depending on privileges), all of which generate detectable network traffic.

342
MCQmedium

A penetration tester analyzes a PowerShell script that uses the 'Invoke-Command' cmdlet to run a command on multiple remote Windows systems. The script checks if the local Administrator account is using a default password. Which phase of the penetration test is this script most directly supporting?

A.Lateral movement
B.Credential dumping
C.Enumeration of misconfigurations
D.Privilege escalation
AnswerC

The script enumerates remote systems to identify if the default Administrator password is still in use, which is a misconfiguration. This is a form of enumeration used to identify weaknesses.

Why this answer

The script uses Invoke-Command to check if the local Administrator account on multiple remote Windows systems uses a default password. This directly supports the enumeration of misconfigurations phase, as it identifies a common security weakness (default credentials) that could be exploited. It does not involve moving between systems (lateral movement) or extracting stored credentials (credential dumping).

Exam trap

The trap here is confusing the act of checking for default credentials (enumeration of misconfigurations) with the subsequent exploitation step (lateral movement) or the method of extracting stored credentials (credential dumping).

How to eliminate wrong answers

Option A is wrong because lateral movement involves using compromised credentials or techniques to access additional systems, not simply checking for default passwords across remote hosts. Option B is wrong because credential dumping refers to extracting password hashes or plaintext credentials from memory (e.g., using Mimikatz) or from SAM/registry hives, not testing if a known default password is still in use.

343
MCQeasy

A penetration tester has submitted the final report to the client. The client's legal team requests a separate document that describes the methodology used, but does not include any actual findings or sensitive data. Which type of document should the tester provide?

A.A new executive summary that omits the findings
B.A copy of the technical findings with redacted details
C.A document describing the testing methodology and scope
D.The remediation plan without the exploit steps
AnswerC

This document covers the 'how' and 'what' of the test without any vulnerability details, suitable for legal review.

Why this answer

The client's legal team specifically requested a document describing the methodology used without any actual findings or sensitive data. Option C, a document describing the testing methodology and scope, directly fulfills this requirement by providing a high-level overview of the penetration testing approach, tools, and boundaries, while excluding all findings, evidence, and sensitive client data. This type of document is often called a 'Methodology Statement' or 'Scope of Work' and is commonly used for legal or compliance purposes to demonstrate due diligence without exposing risk details.

Exam trap

The trap here is that candidates confuse the purpose of an executive summary (which summarizes findings) with a methodology-only document, leading them to choose Option A, but the legal team explicitly wants no findings or sensitive data, making a pure methodology document the only correct choice.

How to eliminate wrong answers

Option A is wrong because an executive summary, by definition, includes a high-level overview of the findings and risk ratings, which the legal team explicitly asked to omit. Option B is wrong because a copy of the technical findings with redacted details still contains sensitive data (even if redacted, the underlying structure and context of findings remain), and the legal team requested a document that does not include any actual findings or sensitive data at all.

344
Matchingmedium

Match each wireless attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Rogue AP mimicking a legitimate one

Forcing clients to disconnect from AP

Brute-forcing the WPS PIN to recover passphrase

Exploiting WPA2 handshake to decrypt traffic

Sending unsolicited messages over Bluetooth

Why these pairings

Wireless attacks are common in penetration testing of wireless networks.

345
MCQmedium

A penetration tester discovers a web application that deserializes user-controlled data without validation. The application uses Java serialization. The tester creates a malicious serialized object that executes a system command. Which of the following conditions is required for this exploit to succeed?

A.The application must be running with root privileges
B.The application must use a custom ClassLoader
C.The Java runtime must have a gadget chain available in its classpath
D.The application must be running on a Windows operating system
AnswerC

Gadget chains like those in Apache Commons Collections are necessary to transform deserialization into code execution.

Why this answer

Java deserialization exploits rely on the presence of specific classes (gadget chains) in the application's classpath that can be chained together to achieve arbitrary code execution. The attacker crafts a serialized object that, when deserialized, triggers a sequence of method calls (gadget chain) that ultimately executes a system command. Without a suitable gadget chain available in the classpath, the deserialization of a malicious object will not lead to code execution.

Exam trap

CompTIA often tests the misconception that privilege escalation (root) or custom class loading is required, when in fact the core requirement is the availability of gadget chains in the classpath.

How to eliminate wrong answers

Option A is wrong because the exploit does not require root privileges; it relies on the application's own permissions and the presence of gadget chains, not on the operating system user. Option B is wrong because a custom ClassLoader is not a prerequisite for Java deserialization attacks; the exploit works with the default class loading mechanism as long as the necessary gadget classes are in the classpath.

346
MCQhard

After a penetration test, the client requests that the tester remove certain findings from the final report because they reveal sensitive information about a new product. What is the BEST response from the tester?

A.Agree to remove the findings but note in the report that they were omitted.
B.Remove the findings entirely and do not mention them.
C.Refuse to remove the findings and threaten to disclose them publicly.
D.Insist on including the findings but obfuscate the sensitive details.
AnswerA

This maintains transparency while respecting client wishes.

Why this answer

Option D is correct because the client owns the data and can decide what is included, but the tester should ensure the report accurately reflects risks. Option A is wrong because refusing cooperation could damage the relationship. Option B is wrong because the client has the right to manage their information.

Option C is wrong because omitting findings undermines the report's integrity; instead, document the decision.

347
MCQmedium

A penetration tester is writing a Bash script to enumerate network shares on multiple Windows hosts. The script uses smbclient to list shares. Which command should be used within the script to attempt to connect to a host with a known username and password?

A.smbclient -L //host -U username%password
B.smbclient //host/share -U username%password
C.smbmap -H host -u username -p password
D.net use \\host\share /user:username password
AnswerA

The -L flag lists shares, and -U specifies credentials. This is the standard method to enumerate SMB shares.

Why this answer

Option A is correct because the `smbclient -L //host` command lists available shares on a remote SMB/CIFS host, and appending `-U username%password` provides the credentials for authentication. This matches the requirement to enumerate network shares on multiple Windows hosts using a known username and password within a Bash script.

Exam trap

The trap here is that candidates confuse the `-L` (list shares) option with the direct share connection syntax (`//host/share`), or they mistakenly select a different tool like `smbmap` when the question explicitly specifies using `smbclient` in the script.

How to eliminate wrong answers

Option B is wrong because `smbclient //host/share -U username%password` attempts to connect directly to a specific share (e.g., `//host/share`) rather than listing all shares, which is not the goal of enumeration. Option C is wrong because `smbmap` is a different tool (not `smbclient`) and is not the command specified in the question's context of using `smbclient` within a Bash script.

348
Multi-Selecteasy

A penetration tester needs to perform initial reconnaissance on a target domain. Which of the following tools are specifically designed for domain enumeration? (Select TWO).

Select 2 answers
A.Wireshark
B.Metasploit
C.theHarvester
D.Netcat
E.recon-ng
AnswersC, E

theHarvester is designed for domain and email enumeration.

Why this answer

Options A and C are correct. TheHarvester and Recon-ng are purpose-built for domain enumeration. Metasploit is for exploitation; Netcat is a networking utility; Wireshark is for packet analysis.

349
MCQmedium

During a penetration test, a tester gains shell access on a Linux server as a low-privileged user. The user is identified to be a member of the 'docker' group. Which technique is most effective for escalating privileges to root?

A.Use docker to mount the entire host filesystem and modify the root password.
B.Use docker to run a container with network host mode to access internal services.
C.Use docker to pull a malicious image from the internet to compromise other containers.
D.Use docker to create a new user with root privileges inside a container.
AnswerA

Running 'docker run -v /:/mnt -it ubuntu bash' mounts the host root filesystem. From inside the container, the attacker can chroot to /mnt and modify /etc/shadow or add an SSH authorized key, gaining full root access.

Why this answer

Membership in the 'docker' group grants the user effective root-equivalent access because the Docker daemon runs as root and allows any member of the 'docker' group to issue commands that can mount arbitrary host paths. By running a container with the host filesystem mounted (e.g., `docker run -v /:/mnt --privileged -it alpine chroot /mnt`), the tester can directly modify the `/etc/shadow` file or the root password, thereby escalating privileges to root without needing any additional exploit.

Exam trap

The trap here is that candidates may think Docker group membership only allows container management or network manipulation, overlooking the fact that the Docker socket grants full root-equivalent file system access via volume mounts.

How to eliminate wrong answers

Option B is wrong because using network host mode (`--network host`) only gives the container access to the host's network stack, which might help with lateral movement or service discovery but does not provide a mechanism to escalate privileges to root on the host itself. Option C is wrong because pulling a malicious image from the internet could compromise other containers or the host if the image exploits a vulnerability, but it is not a reliable or direct method for privilege escalation; the most effective and immediate technique is to mount the host filesystem and modify authentication files.

350
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft and send packets. The script contains the following code snippet: 'send(IP(dst=target)/TCP(dport=port, flags='S'))'. The script then listens for responses and looks for packets with flags 'SA'. Which type of scan is this script performing?

A.TCP Connect scan
B.TCP SYN scan (half-open scan)
C.TCP FIN scan
D.TCP Xmas scan
AnswerB

The script sends SYN packets and checks for SYN-ACK responses, indicating an open port. It does not complete the handshake, making it a half-open scan.

Why this answer

The script sends a TCP SYN packet (flags='S') and listens for a SYN-ACK response (flags='SA'), which is the defining behavior of a TCP SYN scan (also known as a half-open scan). This scan never completes the three-way handshake, making it stealthier than a full TCP Connect scan. The use of Scapy's `send()` function (Layer 3) rather than `sr()` or a socket-level connect confirms it is crafting raw packets, not relying on the OS's TCP stack.

Exam trap

The trap here is that candidates see the use of Scapy and assume any crafted packet scan is a 'half-open' scan, but the specific flag combination (SYN sent, SYN-ACK expected) is what uniquely identifies a TCP SYN scan, not the library used.

How to eliminate wrong answers

Option A is wrong because a TCP Connect scan uses the operating system's `connect()` system call to complete the full three-way handshake, whereas this script manually crafts and sends raw packets with Scapy and never sends the final ACK. Option C is wrong because a TCP FIN scan sends a packet with only the FIN flag set (flags='F'), not a SYN flag, and expects a RST response from closed ports or no response from open ports, not a SYN-ACK.

351
MCQhard

After completing a penetration test, the client's technical team requests a document that provides step-by-step reproduction instructions for each vulnerability, including exact payloads, tools used, and screenshots. Which deliverable BEST satisfies this requirement?

A.Executive Summary
B.Technical Findings Report
C.Remediation Guide
D.Vulnerability Scanner Output
AnswerB

This section contains detailed descriptions, CVSS scores, step-by-step reproduction instructions, payloads, and evidence for each vulnerability, making it suitable for the development team.

Why this answer

The Technical Findings Report (Option B) is the correct deliverable because it is specifically designed to provide granular, step-by-step reproduction steps, exact payloads, tool commands, and screenshots for each vulnerability. This level of detail is essential for the client's technical team to validate and remediate the findings, aligning with the PT0-002 objective of producing a comprehensive technical report that supports evidence-based remediation.

Exam trap

The trap here is that candidates often confuse the Technical Findings Report with the Remediation Guide, mistakenly thinking that remediation steps include reproduction details, but the PT0-002 exam emphasizes that the Technical Findings Report is the only deliverable that provides the exact payloads and step-by-step reproduction instructions required for technical validation.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for management, containing no step-by-step reproduction instructions, payloads, or screenshots; it focuses on risk ratings and business impact, not technical replication. Option C is wrong because the Remediation Guide focuses on fixing vulnerabilities (e.g., patching, configuration changes) and does not include reproduction steps, exact payloads, or tool commands; its purpose is to guide remediation, not to validate findings through replication.

352
MCQmedium

A penetration tester is analyzing a Python script used during a test. The script contains the following code: 'import requests; r = requests.get('http://target', headers={'User-Agent': 'Mozilla/5.0'}); print(r.text)'. What is the primary purpose of setting the User-Agent header in this script?

A.To bypass IP-based rate limiting.
B.To mimic a legitimate browser to evade detection by web application firewalls.
C.To authenticate to the web server.
D.To enable SSL/TLS encryption.
AnswerB

Many WAFs inspect the User-Agent and may block requests that don't look like they come from a standard browser.

Why this answer

Setting the User-Agent header to 'Mozilla/5.0' makes the HTTP request appear to originate from a standard web browser rather than a Python script. This helps evade detection by web application firewalls (WAFs) and other security controls that may block or flag requests with non-browser User-Agent strings, which are common indicators of automated or malicious traffic.

Exam trap

The trap here is that candidates may confuse the User-Agent header with mechanisms that affect rate limiting or authentication, when in fact it is purely a client identification field used for evasion and content negotiation.

How to eliminate wrong answers

Option A is wrong because the User-Agent header does not affect IP-based rate limiting, which is enforced by the server based on the source IP address, not the User-Agent string. Option C is wrong because authentication to a web server typically requires credentials (e.g., via HTTP Basic Auth, tokens, or cookies), not a User-Agent header; the User-Agent is merely a client identification string defined in RFC 7231.

353
MCQeasy

A penetration tester is analyzing a Python script that uses the 'socket' module to create a TCP connection to a target IP and port. The script then sends a payload (e.g., 'GET / HTTP/1.0\r\n\r\n') and waits for a response. Which tool function is this script most likely performing?

A.Port scanning
B.Banner grabbing
C.Vulnerability scanning
D.Password cracking
AnswerB

Sending a payload and reading the response is the typical method for banner grabbing.

Why this answer

The script creates a TCP connection, sends an HTTP GET request, and waits for a response. This is the classic behavior of banner grabbing, where the goal is to retrieve the service banner (e.g., HTTP server version) from the target. The 'socket' module is used to manually craft the connection and payload, which is a low-level technique for service identification, not for scanning multiple ports or assessing vulnerabilities.

Exam trap

The trap here is that candidates may confuse banner grabbing with port scanning because both involve connecting to a port, but banner grabbing focuses on service identification from a single connection, not enumeration of open ports.

How to eliminate wrong answers

Option A is wrong because port scanning involves iterating over multiple ports to discover open ones, whereas this script targets a single IP and port. Option C is wrong because vulnerability scanning requires checking for known weaknesses (e.g., via a database of CVEs) and often uses automated tools like Nessus, not a simple socket connection sending a static HTTP request.

354
Multi-Selecthard

Which THREE of the following are common elements found in a Burp Suite project file? (Select THREE.)

Select 3 answers
A.Target scope definitions
B.Session handling rules
C.Active scan insertion points
D.Intruder attack definitions
E.Proxy history
AnswersA, D, E

The project file includes the configured scope.

Why this answer

Burp Suite project files store target scope (A), proxy history (C), and intrusion attack definitions (E). Active scan rules (B) are predefined but not stored per project; session handling rules (D) are stored in project options.

355
MCQmedium

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

A.Proceed with the test without informing the MSSP, as the client has requested confidentiality
B.Include a clause in the rules of engagement that holds the tester harmless for any disruptions caused by the MSSP's monitoring
C.Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list
D.Perform the test only after hours to minimize the chance of the MSSP detecting the test activity
AnswerC

Proper coordination ensures the MSSP can whitelist test traffic, avoid false positives, and prevent unnecessary incident response. This aligns with best practices for scoping.

Why this answer

Option C is correct because failing to inform the MSSP could trigger automated incident response actions (e.g., IPS blocking, SIEM alerting, or even network isolation) that disrupt the test and potentially cause false-positive security incidents. Coordinating a maintenance window or exclusion list ensures the MSSP's monitoring tools (like Snort, Suricata, or proprietary NDR) do not interfere with legitimate test traffic, preserving both test integrity and the client's operational security.

Exam trap

The trap here is that candidates assume client confidentiality overrides all other considerations, but the PT0-002 exam emphasizes that penetration testing must not cause unintended operational disruptions or violate third-party agreements, making coordination with the MSSP a mandatory scoping step.

How to eliminate wrong answers

Option A is wrong because proceeding without informing the MSSP violates standard penetration testing best practices and could cause the MSSP's monitoring systems (e.g., IDS/IPS, SIEM correlation rules) to flag the test traffic as malicious, leading to automated blocking, alert fatigue, or unnecessary escalation to the client's security team. Option B is wrong because a hold-harmless clause does not prevent the MSSP from actively blocking or alerting on test traffic; it only shifts liability after disruption occurs, which still compromises the test's accuracy and may violate the MSSP's own terms of service or SLAs.

356
MCQmedium

A penetration tester is conducting a vulnerability scan of a network segment that contains several legacy servers. The tester uses a commercial vulnerability scanner with default settings. The scan completes and reports a critical vulnerability on a server running an outdated version of Apache with known remote code execution. However, the tester suspects this might be a false positive because the server is behind an application-layer firewall that blocks the specific exploit. Which of the following steps should the tester take to confirm the vulnerability?

A.Rerun the scan with increased intensity to ensure the vulnerability is real
B.Ignore the finding because the vulnerability is protected by the firewall
C.Manually test the vulnerability by sending a crafted exploit payload to the server
D.Check the firewall logs to see if the scanner's traffic was blocked
AnswerC

Manual testing directly confirms whether the vulnerability is exploitable.

Why this answer

Option B is correct because manual testing is the definitive way to confirm a vulnerability. The firewall might not block all exploit attempts, or the vulnerability could be exploitable via a different vector. Option A (rerun with increased intensity) may not change the result.

Option C (check firewall logs) provides insight but does not confirm the vulnerability. Option D (ignore) is incorrect because the firewall may not be a permanent protection.

357
Matchingmedium

Match each scanning technique to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Sends SYN packet, waits for SYN-ACK, then RST

Completes full TCP three-way handshake

Sends UDP packets to determine open ports

Used to map firewall rulesets

Sends packets with FIN, PSH, URG flags set

Why these pairings

Scanning techniques are fundamental to network reconnaissance in penetration testing.

358
MCQeasy

A penetration tester is preparing the final report. The client's IT director wants a high-level overview of the test results, including the number of findings and the overall risk rating. Which section of the report should the tester point to?

A.Executive summary
B.Technical findings
C.Methodology
D.Recommendations
AnswerA

The executive summary contains a concise high-level overview for management.

Why this answer

The executive summary is specifically designed to provide a high-level overview for management and non-technical stakeholders, such as the IT director. It summarizes the number of findings, overall risk rating, and key business impacts without delving into technical details, making it the correct section for this request.

Exam trap

The trap here is that candidates often confuse the 'executive summary' with the 'technical findings' section, mistakenly thinking a high-level overview belongs in the detailed technical results, but the exam expects you to recognize that management-focused summaries are always in the executive summary.

How to eliminate wrong answers

Option B is wrong because the technical findings section contains detailed vulnerability descriptions, proof-of-concept code, and remediation steps, which is too granular for a high-level overview. Option C is wrong because the methodology section describes the testing approach, tools, and scope, not the summary of results or risk ratings.

359
MCQeasy

A client wants to conduct a penetration test of their e-commerce website. They are concerned about impacting live transactions. Which clause should be included in the Rules of Engagement to address this?

A.Exclusion of network stress testing and availability testing.
B.Out-of-scope systems list.
C.In-scope IP addresses.
D.Authorization for testing.
AnswerA

This clause directly addresses the concern by prohibiting activities that could overload the web servers or cause downtime, ensuring live transactions remain unaffected.

Why this answer

Option A is correct because the client's primary concern is avoiding disruption to live transactions. A clause excluding network stress testing and availability testing (e.g., DoS attacks, resource exhaustion, or high-volume scanning) directly addresses this by prohibiting any action that could degrade performance or cause downtime. This is a standard Rules of Engagement (RoE) safeguard for production e-commerce environments where transaction integrity and uptime are critical.

Exam trap

The trap here is that candidates often confuse 'out-of-scope systems' with operational restrictions, failing to realize that even in-scope systems can be disrupted by stress testing, so a specific exclusion clause is required.

How to eliminate wrong answers

Option B is wrong because an out-of-scope systems list defines which hosts or networks are off-limits, but it does not specifically prohibit stress or availability testing on in-scope systems; the client's concern is about impacting live transactions on the target e-commerce site, not about accessing unrelated systems. Option C is wrong because listing in-scope IP addresses merely identifies the targets for testing, but it does not include any operational restrictions; without an explicit clause against stress testing, the tester could still perform disruptive actions on those IPs, violating the client's requirement.

360
MCQmedium

A penetration tester has gained a foothold on a Windows server running IIS. The tester wants to perform an SMB relay attack to move laterally within the domain. Which of the following conditions must be met for this attack to succeed?

A.The target server must have SMB signing disabled or not enforced
B.The tester must have local administrator privileges on the IIS server
C.The target server must be running SMBv1
D.The tester must have a valid domain user account to trigger the relay
AnswerA

SMB signing prevents relay attacks because the relayed authentication would lack the required signature, causing the target to reject the connection. Without signing enforced, the relay is possible.

Why this answer

SMB relay attacks work by intercepting an SMB authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, or signing must be disabled, because signing cryptographically binds the authentication to the original session, preventing the relayed credentials from being reused. If SMB signing is enforced, the target server will reject the relayed authentication, as the signature will not match the new session.

Exam trap

The trap here is that candidates often assume SMB relay requires SMBv1 or local admin privileges, but the critical condition is the absence of SMB signing enforcement, which is a common misconfiguration in enterprise environments.

How to eliminate wrong answers

Option B is wrong because local administrator privileges on the IIS server are not required for an SMB relay attack; the attacker only needs to be able to capture or trigger an SMB authentication attempt (e.g., via a rogue SMB server or by tricking a user) and relay it to the target. Option C is wrong because SMB relay attacks do not require SMBv1; they can work over SMBv2 or SMBv3 if signing is not enforced, though SMBv1 is often targeted due to its weaker security defaults.

361
MCQhard

You are conducting a penetration test on a web application that uses a JavaScript challenge-response authentication mechanism. During testing, you notice that the client-side JavaScript code is heavily obfuscated and includes a function that seems to compute a token based on user input and a server-provided nonce. Your goal is to bypass the authentication by generating valid tokens without interacting with the server's intended logic. You have extracted the obfuscated JavaScript and used a beautifier to make it more readable, but the logic is still complex. Which of the following approaches is most likely to succeed in bypassing the authentication?

A.Capture a valid token and replay it with a new nonce
B.Use a JavaScript debugger to dynamically analyze the obfuscated function and replicate its token generation
C.Send random tokens to the server and rely on statistical guessing
D.Use a brute-force script to try all possible token values based on the nonce
AnswerB

Debugging allows you to understand the logic and create a script to generate valid tokens.

Why this answer

Option D is correct because using a JavaScript debugger to step through the obfuscated code allows you to understand the token generation logic and replicate it locally. Option A is wrong because sending random tokens has a negligible chance of success. Option B is wrong because brute-forcing the token algorithm is impractical without understanding the logic.

Option C is wrong because replaying the nonce from a previous session will likely be rejected by the server due to nonce expiration or reuse protection.

362
MCQmedium

Refer to the exhibit. A penetration tester obtains this output from a Linux server. The tester notes that port 3389 is typically used for RDP on Windows. Which of the following is the MOST likely explanation?

A.The server has been compromised and is used as a jump box
B.The server is running a honeypot mimicking RDP
C.The server is running a Windows virtual machine using RDP
D.The server is running a service that mimics RDP using xrdp
AnswerD

xrdp is common on Linux.

Why this answer

Option D is correct because Linux can host RDP using xrdp. Option A is possible but less likely without evidence of a VM. Option B is plausible but not most likely.

Option C is uncommon.

363
MCQmedium

A penetration tester is reviewing a Bash script that uses 'nmap' with the '-sC' and '-sV' flags. The script runs the scan and saves the output to a text file. Later, the tester uses 'grep' to extract lines containing 'open'. What is the primary purpose of this script?

A.Identify all open ports and services running on them
B.Perform a vulnerability scan using NSE scripts
C.Detect the operating system of the target
D.Perform a stealthy SYN scan
AnswerA

This is the primary purpose of combining service detection and default scripts.

Why this answer

The '-sC' flag runs default NSE scripts (which perform service enumeration and basic checks), and '-sV' enables version detection. Together, they identify open ports and the services/versions running on them. The subsequent 'grep' for 'open' extracts lines showing open ports, confirming the primary purpose is to enumerate open ports and their associated services.

Exam trap

CompTIA often tests the distinction between default NSE scripts (service enumeration) and vulnerability-specific scripts (e.g., 'vuln'), leading candidates to mistakenly think '-sC' implies vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because '-sC' runs default NSE scripts, not a full vulnerability scan; vulnerability scanning typically requires specific NSE scripts like 'vuln' or '-sV' with '--script vuln'. Option C is wrong because OS detection requires the '-O' flag, which is not used in this script; '-sC' and '-sV' do not perform OS fingerprinting.

364
MCQmedium

A tester is performing a vulnerability scan against a critical production server. The client requests minimal impact on system performance. Which scan type should the tester use?

A.TCP connect scan
B.Vulnerability scan with low-thread count
C.Aggressive Nmap scan
D.Stealth SYN scan
AnswerB

Low thread count minimizes system impact while still performing the scan.

Why this answer

Option B is correct because a vulnerability scan with a low-thread count reduces the number of concurrent connections and packets sent to the target, minimizing CPU, memory, and network overhead on the production server. This directly addresses the client's requirement for minimal performance impact while still performing a legitimate security assessment. Unlike aggressive or stealth scans, this approach throttles the scan intensity to avoid service disruption.

Exam trap

The trap here is that candidates often assume 'stealth' (SYN scan) is always the safest choice for production systems, but the question specifically asks for minimal performance impact, which is controlled by scan intensity (thread count) rather than scan type alone.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake for every port, generating a high volume of packets and stateful connections that can degrade server performance, especially on a critical production system. Option C is wrong because an aggressive Nmap scan (e.g., using -T4 or -T5 timing templates, service version detection, and OS fingerprinting) sends a high rate of probes and performs multiple concurrent tests, which can overwhelm a production server and cause latency or resource exhaustion. Option D is wrong because a stealth SYN scan, while less intrusive than a connect scan, still sends a large number of raw SYN packets in rapid succession (often with default timing), which can still cause performance degradation on a production server if not rate-limited; it does not inherently minimize impact.

365
MCQeasy

A penetration tester wants to identify all publicly accessible Amazon S3 buckets that belong to a specific organization. Which technique is most effective for passive reconnaissance?

A.Use Google dorks to search for bucket names and URLs.
B.Send DNS queries for common bucket name prefixes.
C.Use nmap to scan all AWS IP ranges for open ports.
D.Perform a DNS zone transfer on the target organization's domain.
AnswerA

Google dorking is a passive technique that leverages already indexed data to find S3 buckets without sending any traffic to the target.

Why this answer

Google dorks (e.g., site:s3.amazonaws.com "companyname") allow a penetration tester to passively discover publicly accessible S3 bucket names and URLs indexed by search engines without sending any traffic to the target organization. This technique leverages existing search engine caches, making it purely passive and highly effective for identifying misconfigured buckets that have been crawled.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS queries (which are active) with passive techniques like search engine dorking, or assume that scanning IP ranges is a valid way to discover S3 buckets when in reality S3 buckets are identified by their DNS names, not by port scanning.

How to eliminate wrong answers

Option B is wrong because sending DNS queries for common bucket name prefixes (e.g., companyname-bucket.s3.amazonaws.com) is an active reconnaissance technique that generates DNS traffic and can be logged by the organization's DNS servers or AWS, violating the passive nature required. Option C is wrong because nmap scanning of AWS IP ranges is active reconnaissance that sends packets to AWS infrastructure, potentially triggering alerts, and S3 buckets are accessed via HTTPS on port 443, not by scanning for open ports on arbitrary IPs.

366
MCQeasy

A penetration testing firm is contracted to test a multi-tenant SaaS application. During scoping, the client needs to ensure that testing does not affect other tenants' data. Which scoping control is most important to implement?

A.Isolated testing environment
B.Data anonymization
C.Signed waiver from all tenants
D.Limit test to read-only operations
AnswerA

An isolated environment allows testing without risk to other tenants' data or availability.

Why this answer

An isolated testing environment is the most important scoping control because it ensures that the penetration testing activities, including any potentially disruptive scans or exploits, are contained within a dedicated instance of the SaaS application. This prevents any cross-tenant data leakage or service degradation, as the tester's actions are restricted to a logically or physically separate environment that does not share databases or compute resources with production tenants. Without isolation, even read-only testing could inadvertently access or modify data belonging to other tenants due to shared multi-tenant architecture.

Exam trap

The trap here is that candidates may confuse data anonymization as a sufficient control for multi-tenant isolation, overlooking that anonymization does not prevent cross-tenant data access or service disruption in a shared environment.

How to eliminate wrong answers

Option B (Data anonymization) is wrong because data anonymization is a data protection technique applied to production data to remove personally identifiable information (PII), but it does not prevent the tester's actions from affecting other tenants' data or the application's shared infrastructure; it only reduces the risk of exposing sensitive data if accessed. Option C (Signed waiver from all tenants) is wrong because a signed waiver is a legal document that releases the testing firm from liability, but it does not technically prevent the testing from affecting other tenants' data; it merely shifts responsibility after a breach occurs, which is not a proactive scoping control.

367
MCQeasy

After a penetration test, the client requests a document that includes the methodology used, a list of all vulnerabilities found along with their CVSS scores, and detailed steps for remediation. Which type of report section is this?

A.Executive summary
B.Technical report
C.Rules of engagement
D.Scope of work
AnswerB

This section contains detailed findings, CVSS scores, and remediation guidance for technical teams.

Why this answer

The client's request for methodology, vulnerability list with CVSS scores, and remediation steps describes the detailed, technical findings of the penetration test. This content is characteristic of the Technical Report section, which provides in-depth analysis and actionable data for technical stakeholders, as opposed to high-level summaries or contractual documents.

Exam trap

The trap here is confusing the Executive Summary's high-level risk ratings with the Technical Report's detailed CVSS scores and remediation steps, leading candidates to incorrectly select the Executive Summary when the question explicitly lists granular technical details.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview for non-technical management, not the detailed methodology, CVSS scores, and step-by-step remediation instructions. Option C is wrong because the Rules of Engagement (RoE) is a pre-engagement document defining scope, boundaries, and legal terms, not a post-test deliverable containing findings and remediation.

368
MCQmedium

A penetration tester is writing a Bash script to enumerate users from the /etc/passwd file on a compromised Linux system. Which command will efficiently print only the usernames?

A.cut -d: -f1 /etc/passwd
B.awk -F: '{print $1}' /etc/passwd
C.grep -o '^[^:]*' /etc/passwd
D.sed 's/:.*//' /etc/passwd
AnswerA

Cut splits lines at ':' and outputs field 1 (the username). This is simple and efficient.

Why this answer

Option A is correct because the `cut` command with `-d:` sets the field delimiter to colon (the separator in /etc/passwd) and `-f1` extracts the first field, which is the username. This is the most efficient and straightforward method for this specific task, as it directly isolates the username column without pattern matching or processing overhead.

Exam trap

The trap here is that candidates often overthink the problem and choose `awk` or `grep` because they are more familiar with them for text processing, overlooking that `cut` is the simplest and most efficient tool for fixed-delimiter column extraction.

How to eliminate wrong answers

Option B is wrong because although `awk -F: '{print $1}'` also correctly extracts the first colon-delimited field, it is less efficient than `cut` for this simple column extraction; `awk` is a full text-processing language that incurs more overhead, making it not the 'most efficient' choice as asked. Option C is wrong because `grep -o '^[^:]*'` uses a regular expression to match from the start of the line up to the first colon, which works but is slower and more complex than necessary; it also requires the `-o` flag to output only the matched portion, and the regex engine adds unnecessary processing for a simple field extraction.

369
MCQhard

A penetration tester gains a foothold on a Linux system with ASLR and NX enabled. The tester identifies a stack buffer overflow in a SUID binary. The binary has no PIE (Position Independent Executable) and is compiled without stack canaries. The tester wants to execute a shell. Which technique should be used?

A.Return-to-libc attack
B.Heap spraying
C.ROP chain
D.Buffer overflow with NOP sled
AnswerC

ROP chains use gadgets from the non-randomized binary (since it lacks PIE) to execute arbitrary code, bypassing both ASLR and NX.

Why this answer

Since the binary has no PIE and lacks stack canaries, the attacker can predict the address of the return address on the stack. However, with ASLR and NX enabled, the stack is non-executable and system library addresses are randomized. A ROP chain allows the tester to bypass both protections by chaining small instruction sequences (gadgets) already present in the binary or loaded libraries to achieve arbitrary code execution, such as calling execve to spawn a shell.

Exam trap

CompTIA often tests the misconception that return-to-libc alone bypasses ASLR, but without a leak, the randomized libc base makes the attack fail; the trap here is that candidates may overlook the need for an information leak or assume that a non-PIE binary eliminates ASLR entirely.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack relies on knowing the address of a libc function like system(), but ASLR randomizes the base address of libc, making the address unpredictable without an information leak. Option B is wrong because heap spraying is used to exploit heap-based vulnerabilities or to bypass ASLR by filling the heap with shellcode, but here the vulnerability is a stack buffer overflow and NX prevents execution of shellcode placed on the stack or heap.

370
MCQmedium

A tester conducts a vulnerability scan and receives a high number of false positives. Which of the following is the BEST way to reduce false positives in subsequent scans?

A.Credentialed scanning
B.Increase scan timeout values
C.Aggressive scanning
D.Use a scan template specifically for the target OS
AnswerD

Using an OS-specific template helps the scanner interpret results more accurately, reducing false positives.

Why this answer

Option D is correct because using a scan template tailored to the target OS improves accuracy. Option A may increase false positives; Option B is aggressive; Option C increases timeouts but does not address false positives.

371
Multi-Selectmedium

Which TWO of the following are effective methods for bypassing AppLocker during a penetration test? (Choose two.)

Select 2 answers
A.Execute code via WMIC
B.Use InstallUtil.exe to run a malicious .exe
C.Run regsvr32.exe to execute a .dll
D.Use PowerShell with Bypass execution policy
E.Launch a script with cscript.exe
AnswersB, C

InstallUtil is a trusted binary that can be used to execute code.

Why this answer

Option A is correct because regsvr32 can be used to execute code via DLL registration. Option D is correct because InstallUtil is a trusted Microsoft executable that can run arbitrary code. Option B is wrong because PowerShell execution policy is separate from AppLocker.

Option C is wrong because WMIC is not typically allowed by AppLocker. Option E is wrong because Cscript is often blocked, but using trusted binaries is the key.

372
MCQmedium

During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?

A.The operating system version and patch level
B.A list of currently open TCP ports on the remote system
C.The MAC address of the remote network interface
D.The NetBIOS name table including computer name, logged-in users, and domain
AnswerD

nbtstat -A retrieves the NetBIOS name table, which contains names associated with the system, useful for identifying roles and users.

Why this answer

The `nbtstat -A` command queries the NetBIOS name table of a remote system using its IP address. This table contains the computer name, logged-in users, and domain/workgroup information, which are critical for identifying targets and potential trust relationships during internal reconnaissance.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with `nbtstat -a` (which uses a NetBIOS name instead of an IP) or assume it returns OS details, when in fact it only returns the NetBIOS name table entries.

How to eliminate wrong answers

Option A is wrong because `nbtstat -A` does not reveal OS version or patch level; that information is typically obtained via tools like `nmap` OS fingerprinting or SMB version queries. Option B is wrong because `nbtstat` operates at the NetBIOS layer (port 137-139) and does not enumerate open TCP ports; port scanning requires tools like `nmap` or `netstat`. Option C is wrong because while NetBIOS can sometimes reveal MAC addresses via the <00> or <03> entries in the name table, the primary purpose of `nbtstat -A` is to retrieve the full NetBIOS name table, not specifically the MAC address; ARP or `getmac` would be more direct for MAC address enumeration.

373
MCQeasy

Which of the following is the most important factor when determining the scope of a penetration test?

A.Tester's available tools
B.Business objectives
C.Latest vulnerabilities
D.Number of testing team members
AnswerB

Objectives define the purpose and targets of the test.

Why this answer

The client's business objectives drive the scope to ensure the test addresses what the client needs to protect. Tools, vulnerabilities, and team size are secondary considerations.

374
Drag & Dropmedium

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Vulnerability scanning involves setup, policy creation, execution, report analysis, and remediation verification.

375
MCQhard

A penetration tester is targeting a web application that uses parameterized queries for all database interactions. Which attack vector is most likely to succeed?

A.Cross-site request forgery
B.SQL injection
C.Cross-site scripting
D.Business logic flaws
AnswerD

Parameterized queries do not protect against logic flaws such as manipulating pricing or access controls.

Why this answer

Parameterized queries prevent SQL injection by separating SQL code from user input, making option B ineffective. Business logic flaws (D) are vulnerabilities in the application's design or workflow that are not mitigated by secure coding practices like parameterized queries, so they remain exploitable. This attack vector targets the intended functionality of the application, such as manipulating pricing or bypassing authentication steps, which parameterized queries do not protect against.

Exam trap

The trap here is that candidates assume parameterized queries eliminate all database-related attacks, overlooking that business logic flaws are independent of query construction and remain a viable attack vector.

How to eliminate wrong answers

Option A is wrong because cross-site request forgery exploits the trust a site has in a user's browser, not database query construction, and parameterized queries have no impact on CSRF defenses. Option B is wrong because parameterized queries are specifically designed to prevent SQL injection by ensuring user input is treated as data, not executable code, so this attack vector will fail. Option C is wrong because cross-site scripting exploits client-side script injection in web pages, not database interactions, and parameterized queries do not affect XSS vulnerabilities.

Page 4

Page 5 of 7

Page 6

All pages