CompTIA PenTest+ PT0-002 (PT0-002) — Questions 376450

509 questions total · 7pages · All types, answers revealed

Page 5

Page 6 of 7

Page 7
376
MCQeasy

A client has limited budget for a penetration test covering critical assets. Which scoping decision best balances coverage and cost?

A.Test only the external perimeter
B.Focus on physical security assessments
C.Perform full-scope test of a representative subset
D.Conduct only automated scans
AnswerC

Balances cost and coverage.

Why this answer

Option C is correct because testing a representative subset of critical systems is efficient. Option A is wrong because it only tests perimeter. Option B is wrong because it is too limited.

Option D is wrong because it is not comprehensive.

377
MCQmedium

A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: curl -X POST -d "username=admin&password[$ne]=a" http://target/login. Which type of attack is this script most likely attempting?

A.Cross-Site Scripting (XSS)
B.SQL Injection
C.NoSQL Injection
D.Directory Traversal
AnswerC

The $ne operator is a MongoDB query operator. By injecting it into the password field, the attacker attempts to make the query return true for any user, bypassing authentication.

Why this answer

The payload `password[$ne]=a` uses MongoDB's `$ne` (not equal) operator, which is a NoSQL query operator. When the backend parses this as a MongoDB query, it will match any document where the password is not equal to 'a', effectively bypassing authentication. This is a classic NoSQL injection attack, not SQL injection, because the syntax targets NoSQL databases like MongoDB.

Exam trap

The trap here is that candidates see a POST request with parameters and immediately think SQL injection, but the square bracket syntax `[$ne]` is a dead giveaway for NoSQL injection, which is a distinct attack vector targeting document-based databases.

How to eliminate wrong answers

Option A is wrong because Cross-Site Scripting (XSS) involves injecting client-side scripts into web pages, not manipulating database query operators via HTTP parameters. Option B is wrong because SQL injection uses SQL-specific syntax (e.g., `' OR 1=1 --`) to manipulate relational databases, whereas `[$ne]` is a MongoDB operator and does not work against SQL databases.

378
MCQmedium

After completing a penetration test, the tester prepares the final report. According to best practices, which of the following should be included in the executive summary?

A.Detailed list of vulnerabilities and CVSS scores
B.Step-by-step exploitation procedures
C.The tester's personal opinions about the security posture
D.High-level findings, risk ratings, and strategic recommendations
AnswerD

This provides executives with a clear understanding of the overall security posture and necessary actions.

Why this answer

Option D is correct because the executive summary should provide high-level findings, risk ratings, and strategic recommendations. Option A is wrong because detailed vulnerability lists belong in the technical section. Option B is wrong because exploitation procedures are too detailed.

Option C is wrong because personal opinions are unprofessional and subjective.

379
Multi-Selecteasy

A penetration tester is gathering information using passive reconnaissance techniques. Which of the following are considered passive reconnaissance methods? (Choose two.)

Select 2 answers
A.Using nmap to scan for open ports
B.Performing a DNS brute force attack
C.Conducting a vulnerability scan with Nessus
D.Reviewing the target's social media profiles
E.Analyzing job postings for technology stack clues
AnswersD, E

Social media review does not involve direct interaction with target systems.

Why this answer

Options B and D are correct because they involve reviewing publicly available information without directly interacting with the target's systems. Option A (nmap) is active scanning. Option C (DNS brute force) sends queries.

Option E (vulnerability scan) is active.

380
MCQmedium

A client requests a penetration test that includes an API endpoint hosted by a third-party vendor. The client does not have a signed agreement with the vendor for testing. What is the most appropriate action for the tester?

A.Proceed with testing the API endpoint as requested by the client
B.Exclude the API endpoint from scope until the client obtains written permission from the vendor
C.Test the API endpoint using only non-intrusive methods
D.Include a disclaimer in the report that the tester is not liable for any damages
AnswerB

This is the only safe path. Once the vendor provides written consent, the endpoint can be added to the scope legally.

Why this answer

The tester must exclude the API endpoint from scope until the client obtains written permission from the vendor because testing a third-party API without explicit authorization violates legal boundaries and could constitute unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). Even though the client requests the test, the tester has no contractual or legal relationship with the vendor, making any testing activity potentially illegal. This aligns with the PT0-002 objective of ensuring proper scoping and authorization before any testing begins.

Exam trap

The trap here is that candidates assume the client's request overrides legal boundaries, or that non-intrusive testing is a safe middle ground, when in fact any unauthorized interaction with a third-party system is prohibited without explicit written permission.

How to eliminate wrong answers

Option A is wrong because proceeding without vendor permission exposes the tester and client to legal liability for unauthorized access, regardless of the client's request. Option C is wrong because non-intrusive methods still involve sending crafted requests to the API endpoint, which constitutes unauthorized access without a signed agreement; there is no technical distinction that makes non-intrusive testing legally permissible.

381
MCQeasy

A penetration tester discovers a critical vulnerability in a client's production environment. What is the BEST immediate course of action before including this finding in the final report?

A.Immediately communicate the finding to the client's point of contact.
B.Wait until the final report is complete to include all findings together.
C.Include the finding only in the technical appendix of the final report.
D.Stop the penetration test and wait for further instructions.
AnswerA

Immediate communication allows the client to take urgent action to mitigate the risk.

Why this answer

Option B is correct because ethical obligations require immediate notification of critical findings to allow the client to take protective measures. Option A is wrong because delaying report generation could leave the client vulnerable. Option C is wrong because simply including it in the final report may be too late.

Option D is wrong because halting the test without communication is not productive.

382
MCQmedium

A penetration tester is reviewing a Python script that attempts to exploit a command injection vulnerability. The script uses the 'subprocess' module with the 'shell=True' argument. Which of the following code changes would be MOST effective to reduce the risk of unintended consequences when executing system commands?

A.Replace subprocess with os.system()
B.Use the 'shlex.quote()' function to sanitize user input before passing to subprocess
C.Avoid using shell=True and pass the command as a list of arguments
D.Use the 'exec()' function to run the command
AnswerC

When shell=True is omitted and the command is a list, subprocess executes the command directly without invoking a shell, eliminating shell injection.

Why this answer

Option C is correct because setting `shell=True` in Python's `subprocess` module causes the command string to be interpreted by the system shell, which introduces command injection risks if any part of the string is user-controlled. By passing the command as a list of arguments (e.g., `['ls', '-l', filename]`) and omitting `shell=True`, the subprocess module directly executes the binary without shell interpretation, eliminating shell metacharacter injection. This is the most effective mitigation as it avoids shell parsing entirely, which is the root cause of the vulnerability.

Exam trap

CompTIA often tests the misconception that input sanitization (like quoting) is sufficient to prevent command injection, when in fact the most secure approach is to avoid shell invocation altogether by using a list of arguments with `shell=False`.

How to eliminate wrong answers

Option A is wrong because replacing `subprocess` with `os.system()` still invokes the system shell to execute the command, inheriting the same command injection risks and providing no improvement; in fact, `os.system()` offers even less control over execution. Option B is wrong because while `shlex.quote()` can help sanitize input for shell use, it is not foolproof—edge cases like null bytes or certain locale-dependent characters can bypass quoting, and relying on quoting still leaves the command exposed to shell parsing, making it less robust than removing shell involvement entirely.

383
MCQmedium

A client requires a penetration test of their web application that uses Single Sign-On (SSO) with a third-party identity provider. The client is concerned that testing could lock out real user accounts and disrupt operations. Which of the following should be included in the rules of engagement to address this concern?

A.Prohibit all testing of the authentication mechanism
B.Provide test accounts that are excluded from lockout policies
C.Only perform testing during business hours
D.Require the tester to use only passive reconnaissance techniques
AnswerB

Test accounts that are configured to not lock out allow the tester to perform authentication testing without the risk of locking out real users, which meets the client's requirement.

Why this answer

Option B is correct because providing test accounts that are excluded from lockout policies allows the penetration tester to thoroughly assess the SSO authentication mechanism—including the SAML or OIDC flows—without risking the lockout of real user accounts. This directly addresses the client's operational concern while still enabling comprehensive testing of the identity provider integration.

Exam trap

The trap here is that candidates may assume restricting testing to business hours (Option C) is sufficient to mitigate account lockout risks, but they fail to recognize that lockout policies operate independently of time and that real user accounts remain vulnerable to disruption regardless of when testing occurs.

How to eliminate wrong answers

Option A is wrong because prohibiting all testing of the authentication mechanism would leave critical SSO vulnerabilities (e.g., SAML assertion injection, OIDC token replay) unexamined, violating the core objective of a penetration test. Option C is wrong because performing testing only during business hours does not prevent account lockouts; lockout policies apply regardless of time, and real user accounts could still be disabled during testing, causing operational disruption.

384
MCQmedium

A penetration tester is tasked with identifying live hosts on a large subnet without generating excessive traffic. Which of the following techniques is most appropriate for efficient host discovery?

A.ARP scan
B.TCP SYN scan on port 80 and 443
C.DNS zone transfer
D.ICMP echo sweep
AnswerB

These ports are commonly open on servers; SYN scan is lightweight and effective.

Why this answer

A TCP SYN scan on ports 80 and 443 is the most appropriate technique because it targets common web service ports, which are often open on live hosts, and generates minimal traffic compared to a full port scan. Unlike ICMP or ARP scans, a TCP SYN scan can bypass firewalls that block ICMP echo requests and is effective across routed subnets where ARP is limited to the local broadcast domain. This approach balances stealth and efficiency for large-scale host discovery.

Exam trap

The trap here is that candidates often choose ICMP echo sweep (Option D) because they associate 'ping' with host discovery, but fail to consider that ICMP is frequently blocked by firewalls, making TCP SYN scans on common ports a more reliable and stealthier alternative in modern networks.

How to eliminate wrong answers

Option A is wrong because an ARP scan only works within the same local subnet (broadcast domain) and cannot discover hosts across routers, making it unsuitable for a large subnet that may span multiple networks. Option C is wrong because a DNS zone transfer is a technique for enumerating DNS records (e.g., hostnames and IPs) from a misconfigured DNS server, not for actively probing live hosts, and it relies on a vulnerable server rather than direct network scanning. Option D is wrong because an ICMP echo sweep (ping sweep) can be blocked by firewalls or rate-limited, and it generates more traffic than a targeted TCP SYN scan on two ports, making it less efficient and more detectable.

385
MCQmedium

During a penetration test, the tester discovers a critical vulnerability that could allow an attacker to take over the entire Active Directory domain. The tester wants to report this to the client as soon as possible. Which communication channel is most appropriate for this initial notification?

A.Update the final report with the finding
B.Send an email to the technical contact
C.Call the main point of contact immediately
D.Post the finding in the shared collaboration portal
AnswerC

A direct phone call ensures prompt notification and allows for immediate discussion of containment steps.

Why this answer

Option C is correct because a critical vulnerability that could lead to full Active Directory domain compromise requires immediate attention to prevent potential exploitation. The most appropriate communication channel for urgent, high-severity findings during a penetration test is a direct phone call to the main point of contact, as it ensures real-time, synchronous communication and allows for immediate clarification and action. This aligns with the PT0-002 exam's emphasis on escalation procedures for critical findings, where email or collaboration portals may introduce delays.

Exam trap

The trap here is that candidates may choose email (Option B) thinking it provides a written record, but the exam emphasizes that for critical vulnerabilities, immediate verbal notification is required to minimize risk, with written follow-up as a secondary step.

How to eliminate wrong answers

Option A is wrong because updating the final report with the finding is a post-engagement activity and does not provide timely notification; critical vulnerabilities must be communicated immediately, not deferred to a final deliverable. Option B is wrong because sending an email to the technical contact, while faster than a final report, is asynchronous and may not be read promptly, risking exploitation before the client is aware; a phone call is required for urgent findings. Option D is wrong because posting the finding in a shared collaboration portal relies on the client actively monitoring the portal, which introduces unacceptable delay for a critical vulnerability that could lead to domain takeover.

386
MCQeasy

A penetration tester wants to enumerate SMB shares, user lists, and operating system information from a Windows target without authenticating. Which of the following tools is BEST suited for this task?

A.enum4linux
B.smbclient
C.nmblookup
D.nbtscan
AnswerA

enum4linux uses null sessions to extract extensive information from Windows/Samba targets without credentials.

Why this answer

enum4linux is a Perl wrapper around tools like smbclient, nmblookup, and nbtscan, specifically designed to extract SMB shares, user lists, and OS information from Windows targets without authentication by leveraging null sessions and SMB RPC calls (e.g., via MSRPC over SMB). It automates the enumeration of these details using the Server Message Block (SMB) protocol, making it the best choice for unauthenticated reconnaissance.

Exam trap

The trap here is that candidates often confuse nmblookup or nbtscan as tools for SMB enumeration, but they only handle NetBIOS name resolution, not the deeper SMB share or user enumeration that enum4linux automates.

How to eliminate wrong answers

Option B (smbclient) is wrong because it requires authentication to list shares or access files; without credentials, it can only attempt a null session but lacks the automated enumeration of user lists and OS details that enum4linux provides. Option C (nmblookup) is wrong because it only performs NetBIOS name resolution via NBNS queries, not SMB share or user enumeration. Option D (nbtscan) is wrong because it scans for NetBIOS name services (port 137) to retrieve hostnames and MAC addresses, but it does not enumerate SMB shares or user lists.

387
MCQeasy

A penetration tester is preparing a report for a client's CISO who is not technical. The CISO needs to understand the overall risk posture and the business impact of the findings. Which section of the report should be tailored for this audience?

A.Executive summary
B.Technical findings
C.Appendices with raw scan data
D.Remediation details
AnswerA

This section is designed for decision-makers like the CISO, summarizing risks and business impact in non-technical language.

Why this answer

The executive summary is designed for non-technical stakeholders like a CISO to quickly grasp the overall risk posture and business impact without needing to interpret raw data or technical jargon. It synthesizes findings into high-level business risks, such as potential financial loss or regulatory exposure, rather than detailing specific vulnerabilities or exploit chains. This section ensures the audience can make informed decisions about resource allocation and risk acceptance.

Exam trap

The trap here is that candidates confuse 'executive summary' with 'remediation details' or 'technical findings,' assuming the CISO needs operational specifics, when in fact the exam tests the principle that non-technical audiences require a distilled, business-focused overview of risk posture and impact.

How to eliminate wrong answers

Option B is wrong because technical findings contain detailed vulnerability descriptions, exploit steps, and proof-of-concept code that require technical expertise to understand, making it unsuitable for a non-technical CISO. Option C is wrong because appendices with raw scan data (e.g., Nmap XML, Nessus .nessus files) are dense, unprocessed outputs that overwhelm non-technical readers and obscure business impact. Option D is wrong because remediation details focus on specific patches, configuration changes, or code fixes, which are operational instructions for technical teams, not a high-level risk summary for executive decision-making.

388
MCQmedium

Refer to the exhibit. During scoping, what risk does this policy pose?

A.Public read access to all objects
B.Insecure SSL configuration
C.Lack of encryption
D.Unauthorized deletion of objects
AnswerA

With Principal set to *, anyone can read objects.

Why this answer

The policy allows any principal (Principal: *) to perform the GetObject action on all objects in the company-data bucket, meaning public read access. Unauthorized deletion is not allowed (only GetObject). SSL configuration and encryption are not addressed in this policy.

389
MCQhard

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A.Return-oriented programming (ROP) to bypass DEP
B.Heap spraying to inject shellcode
C.ret2libc to call system() with a controlled argument
D.Stack pivoting to redirect execution to a known location
AnswerC

ret2libc leverages existing libc functions (like system) at fixed addresses (since no ASLR) to execute commands, bypassing DEP.

Why this answer

Option C is correct because ret2libc allows the tester to call the system() function from libc with a controlled argument (e.g., "/bin/sh") to spawn a shell, bypassing DEP (which prevents code execution on the stack) without needing to execute shellcode. Since ASLR is disabled, the address of system() and the string "/bin/sh" in libc are predictable, making this technique reliable and effective.

Exam trap

The trap here is that candidates may choose ROP (Option A) thinking it is always required to bypass DEP, but ret2libc is a simpler and more effective technique when ASLR is disabled, as it directly calls a libc function without needing to chain gadgets.

How to eliminate wrong answers

Option A is wrong because Return-oriented programming (ROP) is also a valid technique to bypass DEP, but it is more complex and unnecessary when ASLR is disabled; ret2libc is simpler and more direct for achieving code execution. Option B is wrong because heap spraying is used to bypass ASLR by filling the heap with NOP sleds and shellcode, but ASLR is already disabled, and DEP prevents execution of shellcode on the heap, making this ineffective. Option D is wrong because stack pivoting is a technique to redirect execution to a controlled memory region (e.g., the heap) when the stack is not directly controllable, but here the vulnerability is a stack-based buffer overflow where the stack is directly controllable, and DEP is bypassed via ret2libc, not by pivoting.

390
MCQhard

A tester needs to analyze a compiled .NET application. Which tool is most suitable?

A.Ghidra
B.x64dbg
C.IDA Pro
D.dnSpy
AnswerD

dnSpy decompiles .NET assemblies and allows debugging.

Why this answer

Option A is correct because dnSpy is a .NET debugger and decompiler. Option B is wrong because IDA Pro is for binary analysis, not specifically .NET. Option C is wrong because Ghidra is for general reverse engineering.

Option D is wrong because x64dbg is for debugging x64 applications, not .NET native.

391
MCQmedium

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

A.OSINT (Open-Source Intelligence)
B.DNS enumeration
C.Port scanning
D.Social engineering
AnswerA

OSINT gathers information from public sources like GitHub, which can leak internal details without interacting with the target's systems.

Why this answer

The discovery of a public GitHub repository containing internal project names, server IP addresses, and database credentials is a classic example of OSINT (Open-Source Intelligence). OSINT involves collecting and analyzing publicly available information from sources like code repositories, social media, and websites to gain insights about a target without direct interaction. This technique leverages the fact that sensitive data is often inadvertently exposed in public repositories, making it a passive reconnaissance method.

Exam trap

The trap here is that candidates may confuse OSINT with active reconnaissance techniques like DNS enumeration or port scanning, failing to recognize that passive collection from public sources (like GitHub) is a distinct OSINT method.

How to eliminate wrong answers

Option B (DNS enumeration) is wrong because it specifically involves querying DNS servers to discover hostnames, IP addresses, and DNS records (e.g., A, MX, CNAME) using tools like `dnsrecon` or `nslookup`, not by analyzing code repositories. Option C (Port scanning) is wrong because it actively probes target systems for open TCP/UDP ports and services using tools like `nmap`, which requires network connectivity and is an active reconnaissance technique, not passive information gathering from public sources. Option D (Social engineering) is wrong because it relies on manipulating human behavior through phishing, pretexting, or impersonation to extract information, whereas this scenario involves finding already exposed data in a public repository without any human interaction.

392
MCQeasy

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

A.-T0
B.-T3
C.-T5
D.-T2
AnswerA

T0 (paranoid) is the slowest template, designed to avoid detection by rate-based IDS alerts.

Why this answer

The -T0 (Paranoid) timing template is the most appropriate for minimizing detection by an IDS because it introduces extreme delays between packet transmissions (up to 5 minutes between probes) and uses a very slow scan rate. This makes the scan traffic blend into normal network noise, reducing the likelihood of triggering signature-based or anomaly-based IDS alerts that rely on detecting rapid, sequential connection attempts.

Exam trap

The trap here is that candidates often choose -T2 (Polite) thinking it is slow enough to evade detection, but they fail to recognize that -T0 is the only template specifically designed for IDS evasion with delays measured in minutes, not seconds.

How to eliminate wrong answers

Option B (-T3) is wrong because it is the default Nmap timing template, which balances speed and reliability but sends packets at a rate that is easily detectable by most IDS/IPS systems. Option C (-T5) is wrong because it is the Insane template, which uses the fastest timing (minimum delays, aggressive parallelism) and is almost guaranteed to trigger IDS alerts due to its high packet rate and obvious scan patterns. Option D (-T2) is wrong because it is the Polite template, which slows down scans to avoid overwhelming networks but still sends packets at intervals (typically 0.4 seconds) that are too aggressive for stealthy scanning and can be detected by modern IDS solutions.

393
MCQhard

During a red team engagement, a penetration tester needs to pivot from a compromised internal web server to a database server that is not directly accessible. The web server has two network interfaces: 10.0.1.5 and 192.168.1.5. The database server is at 192.168.1.10. Which technique should the tester use to reach the database?

A.ARP spoofing
B.DNS tunneling
C.Port knocking
D.Pivoting through the web server
AnswerD

The web server can route traffic to the database subnet, allowing the tester to attack the database.

Why this answer

D is correct because the web server has two network interfaces (10.0.1.5 and 192.168.1.5), making it a dual-homed host that can act as a pivot point. The tester can use the compromised web server as a proxy or relay to route traffic from the attacker's machine (reachable via 10.0.1.5) to the database server at 192.168.1.10, which is on a separate subnet not directly accessible. This technique, known as pivoting, typically involves tools like SSH port forwarding, Metasploit's route add, or a SOCKS proxy to forward traffic through the compromised host.

Exam trap

The trap here is that candidates confuse pivoting with other network manipulation techniques like ARP spoofing or port knocking, failing to recognize that the dual-homed web server provides a routing path between subnets, which is the core requirement for pivoting.

How to eliminate wrong answers

Option A is wrong because ARP spoofing operates at Layer 2 within the same broadcast domain to intercept traffic between hosts, but it cannot bridge traffic across different subnets (10.0.1.0/24 and 192.168.1.0/24) or provide access to a host that is not directly reachable from the attacker. Option B is wrong because DNS tunneling encapsulates non-DNS traffic within DNS queries and responses, which is used for exfiltration or command-and-control, not for routing traffic through a dual-homed host to reach an internal database server. Option C is wrong because port knocking is an authentication method that opens a firewall port after a sequence of connection attempts, but it does not enable routing or forwarding of traffic from one subnet to another through a compromised host.

394
MCQhard

A penetration tester has gained low-privilege shell access on a Linux server. The tester runs `sudo -l` and sees the following entry: `(root) NOPASSWD: /usr/bin/python3 /opt/scripts/*.py` The `/opt/scripts/` directory is owned by the tester's current user. Which technique is most effective for escalating privileges to root?

A.Create a symbolic link from a Python script to a system file like /etc/shadow
B.Write a malicious Python script to /opt/scripts/ that spawns a root shell
C.Exploit a kernel vulnerability to overwrite the sudo binary
D.Overwrite an existing Python script in /usr/bin/ with a malicious payload
AnswerB

Since the user owns the directory, they can write a Python script that executes `/bin/bash` or similar, then run it via sudo to gain a root shell.

Why this answer

Option B is correct because the tester's user owns `/opt/scripts/` and can write arbitrary files there. The sudo rule allows executing any `.py` file in that directory as root without a password. By writing a Python script that calls `os.setuid(0); os.system('/bin/bash')` or similar, the tester can spawn a root shell, directly leveraging the misconfigured sudoers entry.

Exam trap

The trap here is that candidates may think symbolic links or overwriting system files are viable, but the key is that the sudo rule specifically executes Python scripts from a writable directory, making a crafted script the simplest and most direct escalation path.

How to eliminate wrong answers

Option A is wrong because creating a symbolic link from a Python script to `/etc/shadow` would not execute as root; `sudo` runs the Python interpreter on the linked file, but `/etc/shadow` is not a valid Python script and would cause an error, not privilege escalation. Option C is wrong because exploiting a kernel vulnerability is unnecessary and less reliable; the sudo misconfiguration provides a direct, low-risk path to root without kernel exploits. Option D is wrong because the sudo rule only applies to `/opt/scripts/*.py`, not to `/usr/bin/`; overwriting a script there would not be executed with root privileges via this sudo entry.

395
MCQmedium

Refer to the exhibit. After running a port scan in Metasploit, what is the next best step to identify vulnerabilities on the open ports?

A.Perform a brute-force attack against SSH and HTTP
B.Immediately exploit the open HTTP service
C.Run a Nessus scan on the host
D.Use the scanner to run service version detection on those ports
AnswerD

Knowing the exact version of services allows matching against known vulnerabilities.

Why this answer

After a port scan in Metasploit, the next best step is to run service version detection (e.g., using the `scanner/portscan/tcp` auxiliary module's `VERSION` option or the `db_nmap -sV` command) to identify the exact software and version running on each open port. This version information is critical for matching against known vulnerabilities in databases like CVE or Exploit-DB, enabling targeted exploitation. Option D is correct because it follows the systematic penetration testing methodology of enumeration before exploitation.

Exam trap

The trap here is that candidates often jump to exploitation (Option B) or brute-forcing (Option A) without performing version detection, missing the critical enumeration step that identifies the exact service version needed to select the correct exploit.

How to eliminate wrong answers

Option A is wrong because performing a brute-force attack against SSH and HTTP without first identifying service versions is premature and inefficient; it wastes time on guessing credentials when the services might have known unpatched vulnerabilities that are easier to exploit. Option B is wrong because immediately exploiting the open HTTP service without version detection risks using an incorrect or incompatible exploit, which could crash the service or alert defenders, and violates the principle of thorough enumeration. Option C is wrong because running a Nessus scan on the host is a valid next step, but the question specifically asks for the next best step after a Metasploit port scan, and Metasploit's built-in service version detection (e.g., `db_nmap -sV` or auxiliary scanner modules) is more direct and integrated into the Metasploit workflow, whereas Nessus is an external tool that requires separate setup and may not be available in all exam scenarios.

396
MCQhard

A tester needs to identify all open ports on a target system behind a firewall that is blocking ICMP and dropping unsolicited SYN packets. Which of the following scanning techniques is most likely to succeed?

A.Ping sweep
B.TCP connect scan
C.FIN scan
D.UDP scan
AnswerB

Completes the three-way handshake, appearing as normal traffic.

Why this answer

A TCP connect scan (option B) completes the full three-way handshake, which is more likely to succeed against a firewall that drops unsolicited SYN packets because the firewall may allow outbound connections initiated from inside the network. Since the tester is behind the firewall, the SYN packet is sent as part of a legitimate connection attempt, and if the port is open, the target responds with SYN-ACK, completing the handshake. This technique bypasses the firewall's rule against unsolicited SYN packets because the connection appears to be initiated from the trusted side.

Exam trap

The trap here is that candidates assume a FIN scan (option C) is stealthier and will bypass firewalls, but they overlook that the firewall is dropping unsolicited packets regardless of flag combinations, making the TCP connect scan the only viable option when the tester is behind the firewall.

How to eliminate wrong answers

Option A is wrong because a ping sweep uses ICMP Echo Requests, which are explicitly blocked by the firewall, so it will not identify open ports. Option C is wrong because a FIN scan sends a packet with only the FIN flag set, which is an unsolicited packet that the firewall will drop, and it relies on RFC 793 behavior that many modern systems and firewalls do not follow. Option D is wrong because a UDP scan sends UDP packets to target ports, and the firewall dropping unsolicited SYN packets does not directly affect UDP, but the firewall may also block or rate-limit UDP traffic, and UDP scanning is inherently unreliable due to lack of consistent responses.

397
MCQhard

A penetration tester is targeting a Windows domain controller. After compromising a standard user account, the tester wants to escalate to domain admin. Which attack is most effective if the tester can capture plaintext passwords from memory?

A.Create a golden ticket
B.Create a silver ticket
C.Pass-the-hash attack
D.DCSync attack
AnswerC

With a captured NTLM hash, the tester can authenticate to other services as that user, potentially gaining domain admin if the user has privileges.

Why this answer

Option C is correct because capturing plaintext passwords from memory (e.g., via Mimikatz sekurlsa::logonpasswords) allows the tester to directly use the domain admin's plaintext credentials in a pass-the-hash attack. This attack reuses the NTLM hash (or plaintext) to authenticate to other systems without needing to crack or forge tickets, making it the most direct escalation path from a standard user to domain admin when plaintext passwords are available.

Exam trap

The trap here is that candidates often confuse pass-the-hash with Kerberos-based attacks (golden/silver tickets) or DCSync, but the key differentiator is that plaintext passwords in memory enable direct NTLM authentication, not ticket forgery or replication attacks.

How to eliminate wrong answers

Option A is wrong because a golden ticket requires forging a Kerberos TGT using the KRBTGT account's hash, which is not obtained from plaintext passwords in memory of a standard user; it requires domain admin privileges or a DCSync attack. Option B is wrong because a silver ticket forges a service ticket (TGS) using the service account's NTLM hash, which does not grant domain admin privileges and is limited to a specific service. Option D is wrong because a DCSync attack requires domain admin or equivalent privileges to replicate directory data; it cannot be executed from a standard user account, even with plaintext passwords.

398
MCQeasy

A penetration tester has discovered a vulnerable service running on a Linux server that allows remote code execution. Which of the following is the most appropriate next step to maintain access?

A.Clear all system logs to avoid detection
B.Immediately report the finding to the client
C.Install a backdoor for persistent access
D.Escalate privileges to root
AnswerC

A backdoor ensures the tester can re-enter the system if needed.

Why this answer

Option B is correct because after gaining initial access, installing a backdoor ensures persistent access. Option A is wrong because erasing logs prematurely could alert defenders. Option C is wrong because privilege escalation may not be necessary if current access is sufficient.

Option D is wrong because reporting should occur after the engagement, not during.

399
MCQeasy

A penetration tester is preparing the final report. The client's CEO wants a high-level overview of the test results, including the overall security posture and business risk, without technical details. Which section of the report should the tester emphasize for the CEO?

A.Technical findings and recommendations
B.Executive summary
C.Methodology
D.Appendices
AnswerB

The executive summary is intended for management and provides a concise, non-technical summary of the test, including overall risk level, key business impacts, and high-level recommendations.

Why this answer

The executive summary is the section of a penetration testing report that provides a high-level overview of the test results, focusing on the overall security posture and business risk without technical details. It is specifically designed for non-technical stakeholders like the CEO, who need to understand the impact on the organization without delving into specific vulnerabilities or exploitation steps.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical findings section, mistakenly believing the CEO needs detailed vulnerability data to understand risk, when in fact the executive summary is the only section tailored for non-technical decision-makers.

How to eliminate wrong answers

Option A is wrong because technical findings and recommendations contain detailed vulnerability descriptions, exploit steps, and remediation commands (e.g., specific CVEs, patch versions, or configuration changes) that are too granular for a CEO's high-level needs. Option C is wrong because the methodology section describes the testing approach, tools used (e.g., Nmap, Metasploit), and scope limitations, which are operational details irrelevant to a business risk overview. Option D is wrong because appendices include raw data such as scan outputs, log excerpts, and evidence files (e.g., PCAPs or screenshots), which are too technical and voluminous for an executive audience.

400
MCQeasy

A penetration tester is preparing a report for a client who has both a technical security team and a non-technical executive team. The tester wants to ensure that each audience receives the appropriate level of detail. Which of the following is the most effective approach?

A.Provide the same comprehensive report to both audiences, assuming the security team will interpret it for executives.
B.Create a single report that includes an executive summary at the beginning and a detailed technical section later.
C.Write two separate reports: one for executives with only business impact and another for technical staff with all details.
D.Present only the executive summary and invite the technical team to ask questions orally.
AnswerB

This structure serves both audiences: executives can read the summary, while the technical team can dive into the details.

Why this answer

Option B is correct because it provides a single report with an executive summary for non-technical stakeholders and a detailed technical section for the security team, satisfying both audiences' needs without duplication or omission. This approach aligns with industry best practices for penetration testing reporting, as outlined in standards like PTES and NIST SP 800-115, ensuring clear communication of risks and technical findings.

Exam trap

The trap here is that candidates may choose Option C, thinking two separate reports are more precise, but the exam emphasizes efficiency and consistency, where a single report with both sections avoids redundancy and ensures all stakeholders share the same foundational information.

How to eliminate wrong answers

Option A is wrong because it assumes the technical team will interpret the report for executives, which risks miscommunication or omission of critical business impacts, and fails to provide a tailored summary for non-technical readers. Option C is wrong because creating two separate reports can lead to inconsistencies, duplication of effort, and potential loss of context between business impact and technical details, which may confuse decision-making. Option D is wrong because it omits a written technical report, leaving the technical team without documented evidence for remediation, and relies on oral communication that can be forgotten or misinterpreted.

401
MCQhard

During a vulnerability scan of a web application, the penetration tester notices that the scanner reports a critical SQL injection vulnerability in the login parameter. However, manual testing confirms that the input is properly sanitized and the vulnerability is a false positive. Which of the following actions should the tester take to ensure accurate vulnerability identification and avoid wasting time on false positives in future scans?

A.Increase the scan intensity to ensure the vulnerability is accurately detected
B.Correlate the scanner output with manual verification and document the discrepancy
C.Modify the scanner's configuration to exclude false positive patterns
D.Ignore the finding and proceed with manual testing only
AnswerB

This ensures accurate reporting and improves future scan tuning.

Why this answer

Option B is correct because the penetration tester should correlate automated scanner output with manual verification to confirm findings, then document the discrepancy for future reference. This ensures accurate vulnerability identification by leveraging human analysis to filter false positives, which is a standard practice in PT0-002 methodology for information gathering and vulnerability scanning.

Exam trap

The trap here is that candidates may think modifying scanner configuration (Option C) is the immediate fix, but PT0-002 emphasizes documenting and correlating findings before making changes to avoid masking real vulnerabilities.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity does not address false positives; it may generate more noise by sending additional payloads without improving detection accuracy, potentially overwhelming the target and wasting resources. Option C is wrong because modifying the scanner's configuration to exclude false positive patterns is premature without first documenting the discrepancy; doing so could inadvertently suppress real vulnerabilities that share similar patterns. Option D is wrong because ignoring the finding and proceeding with manual testing only disregards the value of automated scanning for efficiency and coverage, and fails to improve future scan accuracy through documentation.

402
MCQeasy

After completing a penetration test, the client's technical team requests a detailed list of all vulnerabilities found, prioritized by severity, along with step-by-step reproduction steps and remediation guidance. In which section of the standard penetration testing report should this information be provided?

A.Executive Summary
B.Methodology
C.Findings
D.Appendices
AnswerC

Correct. The technical findings section contains detailed descriptions of each vulnerability, including severity, reproduction steps, and remediation.

Why this answer

The Findings section of a standard penetration testing report is the correct location for a detailed, prioritized list of vulnerabilities with step-by-step reproduction steps and remediation guidance. This section provides the technical depth required by the client's technical team, contrasting with the high-level summaries found elsewhere.

Exam trap

The trap here is that candidates confuse the Executive Summary's high-level risk overview with the detailed technical breakdown required by the client's technical team, leading them to choose Option A instead of the Findings section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, not a detailed technical list with reproduction steps. Option B is wrong because the Methodology section describes the tools, techniques, and scope of the test, not the specific vulnerabilities found. Option D is wrong because Appendices contain supplementary material like raw logs or configuration files, not the primary vulnerability details and remediation steps.

403
Multi-Selecthard

During a vulnerability scan of a Linux server, the tester notices that the NMAP scan reports port 22 as filtered. Which of the following could be causing this result? (Select TWO).

Select 2 answers
A.Firewall blocking the port
B.ICMP echo requests being blocked
C.SSH service not running
D.Host is down
E.Network congestion
AnswersA, B

A firewall can return a filtered state if it drops packets without rejection.

Why this answer

Options A and E are correct. A firewall blocking the port and ICMP echo request blocking both contribute to Nmap reporting filtered. Option B would show closed; Option C would show host down; Option D is unlikely.

404
MCQmedium

You are conducting a penetration test for a financial institution. The rules of engagement specify that you are not to access any production customer data. During the test, you discover a SQL injection vulnerability in a public-facing web application that allows you to extract customer personally identifiable information (PII). You successfully demonstrate the injection but do not extract any actual PII. According to ethical guidelines and the rules of engagement, what is the appropriate course of action?

A.Extract a small sample of PII to prove impact, then report the vulnerability.
B.Continue the test but avoid exploiting the SQL injection further to stay within scope.
C.Document the vulnerability and include it in the final report without further action.
D.Immediately stop the test and notify the client with details of the finding.
AnswerD

This is the ethical and professional response to a critical finding with potential data exposure.

Why this answer

Accessing PII would violate the ROE and likely breach confidentiality. The best practice is to halt testing, notify the client immediately, and let them assess the critical risk. Option A violates ROE; C ignores the urgency; D fails to alert the client promptly.

405
MCQhard

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

A.Silver Ticket attack
B.Golden Ticket attack
C.Pass-the-hash attack
D.SMB relay attack
AnswerA

The Silver Ticket attack creates a forged TGS ticket for a specific service using the service account's hash, granting access to that service.

Why this answer

A Silver Ticket attack is the most appropriate because it forges a service ticket (TGS) for a specific service, such as the SQL server, using the NTLM hash of the service account. Since the tester has the NTLM hash but not the plaintext password, they can craft a valid Kerberos service ticket without needing to authenticate to the domain controller, directly granting access to the SQL server.

Exam trap

The trap here is that candidates often confuse Silver Ticket attacks (forging service tickets) with Golden Ticket attacks (forging TGTs), but the key distinction is that a Silver Ticket targets a specific service using the service account's hash, while a Golden Ticket grants domain-wide access using the KRBTGT hash.

How to eliminate wrong answers

Option B (Golden Ticket attack) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, which grants domain-wide access, not a targeted service ticket for a specific SQL server. Option C (Pass-the-hash attack) is wrong because it reuses an NTLM hash to authenticate over NTLM, but the SQL server uses Kerberos authentication, which requires a Kerberos ticket, not an NTLM hash directly. Option D (SMB relay attack) is wrong because it relays captured NTLM authentication to another service, but the goal is to forge a Kerberos service ticket, not relay NTLM challenges.

406
MCQhard

A penetration tester is performing internal reconnaissance on a Windows Active Directory environment. The tester has a low-privileged domain user account. Which of the following techniques is most likely to help identify all domain controllers and their IP addresses without generating excessive network traffic or alerts?

A.Perform a full subnet ping sweep using Nmap
B.Query the DNS service for SRV records of _ldap._tcp.dc._msdcs.domain.local
C.Use NetBIOS name resolution by sending broadcasts
D.Enumerate SMB shares on all IP addresses in the subnet
AnswerB

This DNS query directly retrieves the list of domain controllers. It is a normal DNS operation and unlikely to raise alerts.

Why this answer

Option B is correct because querying DNS for SRV records of _ldap._tcp.dc._msdcs.domain.local is a standard, low-noise method to discover all domain controllers in an Active Directory environment. This query leverages the automatic registration of LDAP service records by domain controllers, requiring only a single DNS lookup rather than sweeping the network, thus avoiding excessive traffic and typical security alerts.

Exam trap

The trap here is that candidates often default to active scanning techniques like Nmap ping sweeps (Option A) because they are familiar, overlooking that DNS SRV record queries are a passive, targeted, and far more efficient method for discovering domain controllers in an Active Directory environment.

How to eliminate wrong answers

Option A is wrong because a full subnet ping sweep using Nmap generates significant network traffic and is easily detected by intrusion detection systems (IDS) or endpoint protection, which is contrary to the requirement of avoiding excessive traffic or alerts. Option C is wrong because NetBIOS name resolution via broadcasts is limited to the local subnet, does not reliably discover all domain controllers across multiple subnets, and broadcasts can be noisy and logged. Option D is wrong because enumerating SMB shares on all IP addresses in the subnet is a high-traffic, noisy technique that probes each host individually, likely triggering alerts, and does not directly identify domain controllers.

407
MCQmedium

A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?

A.Non-Disclosure Agreement (NDA)
B.Statement of Work (SOW)
C.Rules of Engagement (ROE)
D.Penetration Test Plan
AnswerC

The ROE documents scope, exclusions, and rules for the test.

Why this answer

The Rules of Engagement (ROE) document is the correct place to formally exclude the third-party payment gateway from testing. The ROE defines the scope, boundaries, and constraints of the penetration test, including specific systems or services that must not be targeted. This ensures the client's requirement to avoid service disruption to the payment gateway is legally and operationally enforced.

Exam trap

The trap here is that candidates often confuse the Penetration Test Plan (which details how to test) with the Rules of Engagement (which defines what is allowed and forbidden), leading them to incorrectly select the Plan instead of the ROE for scope exclusions.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) is a legal contract for confidentiality, not for defining test scope or exclusions. Option B is wrong because the Statement of Work (SOW) describes the high-level objectives, deliverables, and timeline, but it does not contain the granular operational constraints like system exclusions. Option D is wrong because the Penetration Test Plan details the technical methodology and procedures, but the formal authorization to exclude specific targets belongs in the ROE, which is the authoritative document for rules and boundaries.

408
MCQmedium

A client requests that the penetration tester deliver the final report in an encrypted format via email. Which encryption method should the tester use to ensure confidentiality?

A.Rely on TLS encryption for the email transport
B.Upload the report to a web server using HTTPS
C.Compress the report in a password-protected ZIP file
D.Use S/MIME or PGP to encrypt the email message
AnswerD

Provides end-to-end encryption.

Why this answer

Option A is correct because S/MIME or PGP encrypts the email content and attachments end-to-end. Option B (SSL/TLS) protects in transit but not at endpoints. Option C (HTTPS) only applies to web delivery.

Option D (ZIP with password) is weaker as passwords are often transmitted separately.

409
MCQhard

A penetration tester is writing a return-oriented programming (ROP) exploit for a Linux binary to bypass Data Execution Prevention (DEP). The binary has DEP enabled, but the tester identifies a gadget in a dynamically linked library that is not affected by ASLR. Which condition must be true for the ROP chain to succeed?

A.The library must be loaded at a fixed address
B.The stack must be executable
C.The binary must be compiled with stack canaries
D.The exploit must bypass ASLR for the main binary
AnswerA

Correct. If the library does not use ASLR, its base address is predictable, allowing the ROP chain to call gadgets reliably.

Why this answer

Option A is correct because for a ROP chain to succeed when DEP is enabled, the attacker needs to control the execution flow by chaining together gadgets (small instruction sequences ending with a return) that reside in executable memory regions. If a dynamically linked library is not affected by ASLR, it means it is loaded at a fixed, predictable address, allowing the tester to reliably use gadgets from that library without needing to bypass ASLR for that specific module. This fixed address ensures the ROP chain's addresses are valid across runs, which is essential for the exploit to work.

Exam trap

The trap here is that candidates often assume ASLR must be fully bypassed for any exploit to work, but the question specifically isolates a library not affected by ASLR, making the ROP chain viable without bypassing ASLR for the main binary.

How to eliminate wrong answers

Option B is wrong because DEP specifically prevents execution on the stack; if the stack were executable, the attacker could simply inject shellcode directly, making a ROP chain unnecessary. Option C is wrong because stack canaries are a defense against buffer overflow-based stack corruption, not against ROP; ROP chains operate by overwriting return addresses and chaining gadgets, and canaries would only prevent the initial overflow if not bypassed, but they do not affect the success of a ROP chain once the overflow occurs. Option D is wrong because the question states the library is not affected by ASLR, so the ROP chain can use gadgets from that library without needing to bypass ASLR for the main binary; the main binary's ASLR status is irrelevant if the gadgets are in a fixed-address library.

410
MCQeasy

During a penetration test, the tester identifies a low-risk information disclosure vulnerability in a public-facing web server. The tester includes this finding in the final report. Which component of the risk rating should the tester use to justify the low severity?

A.CVSS base score
B.Exploitability metrics
C.Impact metrics
D.Temporal score
AnswerA

The base score is the standard metric for severity, calculated from exploitability and impact. A low base score justifies the low-risk rating.

Why this answer

The CVSS base score is the correct component to justify the low severity because it represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. In this case, the information disclosure vulnerability has a low base score due to factors such as low attack complexity and low impact on confidentiality, which are captured in the base metrics. The base score is the standard starting point for communicating severity, making it the appropriate justification for the low-risk rating in the report.

Exam trap

CompTIA often tests the misconception that exploitability metrics or impact metrics alone determine the severity, when in fact the CVSS base score is the aggregate of both and is the authoritative component for justifying the risk rating in a report.

How to eliminate wrong answers

Option B is wrong because exploitability metrics (e.g., attack vector, attack complexity, privileges required, user interaction) are sub-components of the CVSS base score that influence the overall severity, but they alone do not define the final risk rating; they must be combined with impact metrics to produce the base score. Option C is wrong because impact metrics (e.g., confidentiality, integrity, availability) are also sub-components of the base score and do not independently justify the low severity; the base score integrates both exploitability and impact. Option D is wrong because the temporal score adjusts the base score based on factors that change over time (e.g., exploit code maturity, remediation level, report confidence), but the question asks for the component to justify the low severity at the time of the test, not a future-adjusted score.

411
MCQhard

A penetration tester is conducting an external assessment against a client's web application hosted on an AWS EC2 instance behind an Application Load Balancer (ALB). The tester has performed passive reconnaissance and identified the public IP of the ALB, but the web application is only accessible via a specific domain name. During active scanning, the tester runs Nmap against the public IP and only sees port 443 open. The tester then performs a DNS Zone Transfer attempt against the authoritative name servers, which fails. While reviewing the web application, the tester notices that the application sets a cookie with the path '/admin'. The tester suspects there is an internal subnet used for backend services. Which of the following techniques would be MOST effective to discover internal hostnames or IP ranges?

A.Attempt a zone transfer against a different authoritative DNS server.
B.Examine SSL certificate Subject Alternative Names (SANs) in the certificate presented by the ALB.
C.Use the AWS Metadata Service to extract information about the underlying EC2 instance.
D.Perform a ping sweep of the internal RFC 1918 addresses and look for responses.
AnswerB

Internal hostnames are often included in SANs for web servers.

Why this answer

Option D is correct because SSL certificates often include Subject Alternative Names (SANs) that list internal hostnames. Option A is impossible from outside the network; Option B requires internal access to the metadata service; Option C already failed.

412
MCQeasy

After a penetration test, the client's technical team wants to understand the exact steps required to reproduce a cross-site scripting vulnerability found in the web application. In which section of the standard penetration testing report should this information be included?

A.Executive Summary
B.Technical Findings and Recommendations
C.Methodology
D.Appendices
AnswerB

This section contains detailed technical information for each vulnerability, including the steps to reproduce.

Why this answer

The Technical Findings and Recommendations section is the correct place for step-by-step reproduction steps because it provides detailed, actionable technical information for the client's technical team. This section typically includes specific payloads, HTTP request/response details, and the exact sequence of user interactions needed to trigger the XSS vulnerability, enabling the team to verify and remediate the issue.

Exam trap

The trap here is that candidates confuse the high-level 'Methodology' section (which describes the overall testing process) with the detailed 'Technical Findings' section, mistakenly thinking reproduction steps belong in the methodology rather than the findings.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk ratings, not detailed reproduction steps. Option C is wrong because the Methodology section describes the overall testing approach and tools used (e.g., OWASP ZAP, Burp Suite), not the specific steps for a single vulnerability. Option D is wrong because Appendices contain supplementary material like raw scan outputs or log excerpts, but the primary, structured reproduction steps belong in the main body of the Technical Findings section.

413
MCQmedium

During a penetration test, a tester has access to a Windows domain-joined machine. The tester finds that the machine is running a service that uses named pipes for interprocess communication. The tester wants to perform a relay attack to capture authentication credentials. Which of the following conditions is necessary for an SMB relay attack to succeed?

A.SMB signing must be disabled or not enforced
B.The attacker must be on the same subnet
C.The target must have a publicly available SMB share
D.The attacker must have admin privileges on the relay machine
AnswerA

SMB signing provides integrity and authentication checks; if it is disabled or not enforced, the relayed authentication succeeds because the server does not verify the source of the message.

Why this answer

SMB relay attacks work by intercepting an authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, because signing ensures that the relayed authentication packet is cryptographically bound to the original session, preventing the attacker from replaying it. When SMB signing is disabled or not enforced, the relayed authentication is accepted as valid, allowing credential capture.

Exam trap

CompTIA often tests the misconception that SMB relay requires the attacker to be on the same subnet or have admin privileges, but the critical technical condition is the absence of SMB signing enforcement on the target server.

How to eliminate wrong answers

Option B is wrong because SMB relay attacks can be performed across subnets as long as the attacker can route the traffic between the victim and the target server; being on the same subnet is not a requirement. Option C is wrong because the target does not need a publicly available SMB share; the relay works against any SMB server that accepts authentication, even if no shares are accessible. Option D is wrong because the attacker does not need admin privileges on the relay machine; the relay is performed from the attacker's machine or a controlled system, and the attack succeeds based on network position and protocol weaknesses, not local administrative rights.

414
MCQmedium

A penetration tester is using theHarvester tool to gather email addresses and subdomains for a target domain. Which source is theHarvester commonly configured to use for passive reconnaissance?

A.Shodan
B.Google search
C.DNS zone transfer
D.Social media APIs
AnswerB

Google search is a common source for theHarvester to passively collect emails and subdomains.

Why this answer

TheHarvester is a passive reconnaissance tool that collects emails, subdomains, and other data from public sources without directly interacting with the target. Google search is a primary source because theHarvester uses Google's search engine via its API or scraping to find indexed pages containing email addresses and subdomains, leveraging Google's dorking capabilities for passive data gathering.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse Shodan (a passive search engine for devices) with theHarvester's passive email/subdomain gathering, or assume DNS zone transfer is passive when it is an active query that requires direct server interaction.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices and services, used for active or passive scanning of open ports and banners, not for harvesting emails or subdomains from web content. Option C is wrong because DNS zone transfer is an active reconnaissance technique that attempts to retrieve the entire DNS zone file from a nameserver, requiring direct interaction and often failing due to security restrictions, whereas theHarvester focuses on passive methods. Option D is wrong because while social media APIs can provide user data, theHarvester's default configuration does not commonly use them; it primarily relies on search engines like Google, Bing, and Yahoo for passive email and subdomain discovery.

415
MCQhard

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to identify internal IP address ranges used by the organization without interacting directly with their network. Which of the following techniques would be most effective for this purpose?

A.Querying public BGP route databases and looking up the organization's autonomous system (AS) number
B.Performing a DNS zone transfer against the target's authoritative DNS servers
C.Using Shodan to search for devices from the target organization
D.Sending ARP requests on the local network segment to discover hosts
AnswerA

BGP databases contain announced IP prefixes for AS numbers. By finding the target's ASN, the tester can see all public IP ranges associated with the organization.

Why this answer

Querying public BGP route databases (e.g., RADB, ARIN) using the organization's AS number allows a tester to retrieve IP prefixes announced by the target. This is passive reconnaissance because it uses publicly available routing data without sending any packets to the target's network, making it ideal for identifying internal IP ranges from an external perspective.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS zone transfers (which are active and often restricted) with passive DNS lookups, or assume Shodan is always passive when it actually relies on active scanning data from the past.

How to eliminate wrong answers

Option B is wrong because a DNS zone transfer (AXFR) is an active technique that requires direct interaction with the target's authoritative DNS servers; it is not passive and often fails due to security restrictions. Option C is wrong because using Shodan involves querying a search engine that has previously scanned the target's public-facing devices, which is technically passive but relies on historical scan data and may not reveal internal IP ranges not exposed to the internet. Option D is wrong because sending ARP requests is an active, link-local discovery method that requires being on the same broadcast domain as the target, which is not passive and not feasible during external reconnaissance.

416
MCQhard

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

A.Kernel exploit
B.Misconfigured sudo permissions
C.Cron job exploitation via script modification
D.Path hijacking in the cron job
AnswerC

The tester can modify the script that is executed as root by the cron job. When the job runs, the injected code executes with root privileges.

Why this answer

The cron job executes a script owned by root but writable by the tester's group. This means the tester can modify the script's contents. When the cron job runs (as root), the modified script executes with root privileges, allowing the tester to gain a root shell or execute arbitrary commands as root.

This is a classic cron job exploitation via script modification.

Exam trap

The trap here is that candidates may confuse path hijacking (which exploits an unqualified command in the script) with direct script modification (which exploits writable permissions on the script file itself), but the question explicitly states the script is writable, making modification the correct choice.

How to eliminate wrong answers

Option A is wrong because a kernel exploit targets vulnerabilities in the Linux kernel itself, but the scenario describes a misconfigured file permission (writable script) rather than a kernel bug. Option B is wrong because misconfigured sudo permissions would require the tester to have sudo access or a sudoers entry, which is not mentioned; the attack vector here is a writable cron script, not sudo. Option D is wrong because path hijacking in a cron job involves manipulating the PATH environment variable to execute a malicious binary instead of the intended one, but the scenario explicitly states the script itself is writable, so modifying the script directly is the more direct and reliable technique.

417
MCQhard

A penetration tester is analyzing a Python script that imports the 'scapy' library. The script defines a function that sends a series of TCP SYN packets to a target IP and port range, and then waits for SYN-ACK responses. Which attack is the script performing?

A.TCP SYN flood
B.Port scanning
C.ARP poisoning
D.DNS spoofing
AnswerB

The script performs a SYN scan to identify open ports by observing SYN-ACK responses, which is a form of port scanning.

Why this answer

The script sends TCP SYN packets to a range of ports and waits for SYN-ACK responses. This is the classic behavior of a SYN scan, a type of port scanning that identifies open ports by observing which ports respond with a SYN-ACK. The use of Scapy to craft and send these packets confirms the script is performing port scanning, not a denial-of-service attack.

Exam trap

The trap here is confusing a TCP SYN flood (a denial-of-service attack that sends many SYN packets without completing handshakes) with a SYN scan (a reconnaissance technique that sends SYN packets and analyzes responses to identify open ports).

How to eliminate wrong answers

Option A is wrong because a TCP SYN flood aims to overwhelm a target with a high volume of SYN packets, exhausting resources and causing denial of service; the script described waits for SYN-ACK responses, which is not characteristic of a flood attack. Option C is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with the IP of another host on a local network, which is unrelated to sending TCP SYN packets to a range of ports. Option D is wrong because DNS spoofing involves corrupting DNS responses to redirect traffic to malicious sites, which does not involve sending TCP SYN packets to a target IP and port range.

418
MCQmedium

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

A.Hydra
B.Impacket's wmiexec.py
C.PsExec
D.Sqlmap
AnswerB

wmiexec.py authenticates via WMI using an NTLM hash, enabling remote command execution.

Why this answer

Impacket's wmiexec.py is the correct tool because it directly supports pass-the-hash (PtH) authentication using NTLM hashes over Windows Management Instrumentation (WMI). It accepts an NTLM hash via the `-hashes` flag and establishes a remote WMI session, enabling command execution without needing the plaintext password. This makes it ideal for lateral movement in a domain environment where a local administrator hash has been captured.

Exam trap

CompTIA often tests the distinction between tools that require plaintext credentials versus those that can operate directly with NTLM hashes, leading candidates to mistakenly choose PsExec because it is a well-known remote execution tool, even though it does not natively support pass-the-hash without additional credential injection steps.

How to eliminate wrong answers

Option A (Hydra) is wrong because it is a network login cracker that performs brute-force or dictionary attacks against authentication services, not a pass-the-hash tool; it requires plaintext passwords, not NTLM hashes. Option C (PsExec) is wrong because while it can execute commands remotely, it does not natively support pass-the-hash; it requires a plaintext password or a valid Kerberos ticket, and using an NTLM hash directly would require additional tools like Mimikatz to inject the hash into the session. Option D (Sqlmap) is wrong because it is a SQL injection exploitation tool, completely unrelated to Windows authentication or remote command execution via NTLM hashes.

419
MCQhard

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

A.The scanner used a POST request instead of a GET request for the payload
B.The scanner's payload was reflected in a different context not subject to HTML encoding
C.The scanner used a payload with special characters that were truncated by the server
D.The scanner's payload triggered a server error that echoed back the input without encoding
AnswerD

Error messages may reflect input without encoding, leading the scanner to flag a false XSS finding.

Why this answer

Option D is correct because a server error that echoes back the unencoded input bypasses the application's normal HTML-encoding logic. In this scenario, the vulnerability scanner detects the reflected payload in the error response, which is not subject to the same encoding as the application's standard output. This creates a false positive because the reflected XSS is not exploitable through the normal application flow, but only through an error condition that the scanner inadvertently triggered.

Exam trap

CompTIA often tests the distinction between a vulnerability being present in an error response versus the normal application flow, tricking candidates into thinking any reflection of input confirms XSS without considering the response context.

How to eliminate wrong answers

Option A is wrong because the HTTP method (POST vs GET) does not affect whether input is HTML-encoded in the response; encoding is applied server-side regardless of the request method. Option B is wrong because if the payload were reflected in a different context not subject to HTML encoding, the finding would be a true positive, not a false positive. Option C is wrong because truncation of special characters would likely prevent the payload from being reflected at all, or would break the XSS vector, leading to a false negative rather than a false positive.

420
MCQhard

During an internal penetration test, a tester compromises a server that is part of a Kubernetes cluster. The tester has access to the node's operating system but not to the cluster's administrative credentials. Which of the following techniques would most likely allow the tester to escalate privileges to cluster-admin or access sensitive resources within the cluster?

A.Extracting a service account token from a running container and using it to access the Kubernetes API
B.Exploiting a kernel vulnerability on the node to escape to the host and then compromise the Kubernetes API server
C.Searching for a kubeconfig file on the node that contains a cluster-admin token
D.Modifying a ConfigMap to inject a malicious pod that runs with elevated privileges
AnswerA

Service account tokens are mounted inside pods. By entering a container (e.g., via the container runtime), the tester can read the token and authenticate to the API server, potentially with elevated rights.

Why this answer

Option A is correct because service account tokens are automatically mounted into pods at /var/run/secrets/kubernetes.io/serviceaccount/token. An attacker with node-level access can extract this token from a running container's filesystem and use it to authenticate to the Kubernetes API server. Since service accounts are often granted broad permissions via RBAC bindings, this token may allow the tester to access sensitive resources or even escalate to cluster-admin if the service account has such privileges.

Exam trap

The trap here is that candidates may assume kernel exploits (Option B) are always the best escalation path, but in Kubernetes, the service account token is a simpler and more direct method to access the API server from a compromised node.

How to eliminate wrong answers

Option B is wrong because exploiting a kernel vulnerability to escape to the host is unnecessary—the tester already has node-level OS access. Even after escaping, compromising the API server would require network access and authentication, which is not directly achieved by a kernel exploit. Option C is wrong because kubeconfig files on a node typically contain only node-level credentials (e.g., kubelet client certificates), not cluster-admin tokens; cluster-admin tokens are rarely stored on worker nodes.

Option D is wrong because modifying a ConfigMap cannot directly inject a pod; ConfigMaps store configuration data, not pod definitions. To create a malicious pod, the tester would need API server access, which is the goal, not the method.

421
MCQhard

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

A.Pass-the-hash
B.Kerberoasting
C.Golden ticket
D.Silver ticket
AnswerB

This attack requests and cracks Kerberos service tickets to obtain service account passwords.

Why this answer

Kerberoasting is the correct attack because it involves requesting Kerberos service tickets (TGS-REP) for service accounts registered with Service Principal Names (SPNs) in Active Directory. These tickets are encrypted with the service account's NTLM hash, which can be cracked offline to reveal the plaintext password. Since the tester has local administrator access on a domain-joined workstation, they can use tools like Rubeus or Impacket to request these tickets without needing domain admin privileges initially.

Exam trap

CompTIA often tests Kerberoasting by contrasting it with pass-the-hash, where candidates mistakenly think pass-the-hash involves cracking hashes offline, but it actually reuses the hash directly for authentication without offline cracking.

How to eliminate wrong answers

Option A (Pass-the-hash) is wrong because it reuses an NTLM hash to authenticate without cracking it, not requesting Kerberos service tickets for offline cracking. Option C (Golden ticket) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, not requesting service tickets for offline cracking. Option D (Silver ticket) is wrong because it forges a service ticket for a specific service using the service account's hash, not requesting and cracking tickets offline.

422
MCQmedium

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

A.Ensuring all testing is performed from a single external IP address
B.Obtaining explicit written authorization from each country's legal department
C.Ensuring compliance with GDPR and data protection laws
D.Restricting testing to non-business hours to minimize impact
AnswerC

GDPR imposes strict rules on handling personal data; the test must be scoped to avoid violations.

Why this answer

Option C is correct because the multinational corporation operates in the European Union, where the General Data Protection Regulation (GDPR) imposes strict requirements on the processing and transfer of personal data. A penetration test that accesses or stores EU residents' personal data must comply with GDPR, including data minimization, lawful processing, and breach notification obligations. Failure to include GDPR compliance in the rules of engagement could result in severe fines (up to 4% of annual global turnover) and legal liability for the tester and client.

Exam trap

The trap here is that candidates often focus on technical constraints like IP whitelisting or broad authorization, overlooking that GDPR compliance is a mandatory legal requirement that overrides all other considerations when testing in or involving EU data subjects.

How to eliminate wrong answers

Option A is wrong because testing from a single external IP address is a technical constraint that might be used for firewall whitelisting or attribution, but it is not a legal consideration; it does not address cross-border data transfer laws, privacy regulations, or jurisdictional consent requirements. Option B is wrong because obtaining explicit written authorization from each country's legal department is impractical and not the most important legal consideration; while authorization is necessary, the primary legal risk in an EU context is GDPR compliance, which governs how personal data is handled during the test, not just permission to test.

423
Multi-Selectmedium

Which TWO of the following are common techniques used during a pass-the-hash attack? (Select TWO.)

Select 2 answers
A.Extracting NTLM hashes from LSASS
B.Performing a brute-force attack on the hash
C.Using a password spray attack
D.Injecting hashes into a process to authenticate
E.Requesting Kerberos TGS tickets
AnswersA, D

LSASS stores NTLM hashes in memory; extracting them enables PtH.

Why this answer

Option A is correct because in a pass-the-hash attack, the attacker first extracts NTLM hashes from the Local Security Authority Subsystem Service (LSASS) process memory. LSASS stores user credentials, including NTLM hashes, after successful authentication. By dumping LSASS (e.g., using Mimikatz sekurlsa::logonpasswords), the attacker obtains the hash without needing the plaintext password.

Exam trap

CompTIA often tests the distinction between pass-the-hash and hash cracking: candidates mistakenly think brute-forcing the hash (Option B) is part of the attack, but pass-the-hash reuses the hash as-is, never attempting to reverse it.

424
MCQeasy

A penetration tester needs to gather information about a target organization's employees and email addresses from public sources. Which passive reconnaissance tool is BEST suited for this task?

A.Nikto
B.Nmap
C.Wireshark
D.Maltego
AnswerD

Maltego excels at OSINT gathering, including email addresses and employee information.

Why this answer

Maltego is a passive reconnaissance tool that excels at gathering information from public sources, including employee names, email addresses, and organizational relationships, by querying open-source intelligence (OSINT) data such as social media, search engines, and DNS records. It uses transforms to automate data collection and link analysis, making it ideal for this task without directly interacting with the target's systems.

Exam trap

The trap here is that candidates often confuse active scanning tools (like Nikto or Nmap) with passive reconnaissance, failing to recognize that Maltego is specifically designed for OSINT gathering from public sources without sending probes to the target.

How to eliminate wrong answers

Option A is wrong because Nikto is an active web server scanner that sends HTTP requests to identify vulnerabilities, not a passive tool for gathering employee or email data from public sources. Option B is wrong because Nmap is an active network scanning tool that sends packets to discover hosts and services, which is not passive and does not collect employee or email information. Option C is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, requiring active packet capture and not suitable for passive OSINT gathering from public sources.

425
MCQmedium

During a web application test, a penetration tester discovers that the server returns verbose error messages containing full file paths. Which type of attack is directly facilitated by this information disclosure?

A.Path traversal
B.SQL injection
C.CSRF
D.Cross-site scripting
AnswerA

Disclosed file paths allow an attacker to construct traversal payloads to access arbitrary files.

Why this answer

Verbose error messages revealing file paths can enable path traversal attacks, as the attacker learns the directory structure. SQL injection may be facilitated by database error messages, but file paths are specific to path traversal.

426
MCQmedium

During a penetration test, the tester discovers that a third-party vendor has remote access to the client's network. The vendor was not mentioned in the scope of work. How should the tester communicate this finding in the report?

A.Ignore it entirely because it is outside the testing agreement.
B.Document it in the 'Observations' or 'Out-of-Scope Findings' section.
C.Include it as a critical vulnerability in the main findings.
D.Remove the finding because it is out of scope.
AnswerB

This allows the client to be aware without implying it was a tested vulnerability.

Why this answer

Option C is correct because the finding should be documented as an observation because it is relevant to the overall security posture but may be out of scope. Option A is wrong because it unnecessarily delays reporting. Option B is wrong because ignoring it could miss an important risk.

Option D is wrong because it is not a confirmed vulnerability but an observation.

427
Matchingmedium

Match each compliance standard to its focus area.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Payment card data security

Protected health information privacy

Personal data protection for EU citizens

Financial reporting and internal controls

Information security management system

Why these pairings

Penetration testers must understand compliance requirements relevant to clients.

428
MCQmedium

A penetration tester has completed an engagement and needs to present findings to a mixed audience of technical engineers and business executives. Which section of the penetration test report is BEST suited for communicating high-level risk ratings and potential business impact to the non-technical stakeholders?

A.Executive Summary
B.Technical Findings and Vulnerability Details
C.Remediation Steps
D.Appendix
AnswerA

The executive summary is designed for non-technical audiences and provides a high-level overview of findings, risk ratings, and business impact.

Why this answer

The Executive Summary is the correct section because it is specifically designed to communicate high-level risk ratings, business impact, and strategic recommendations to non-technical stakeholders such as executives. It avoids technical jargon and focuses on the business context, aligning with the PT0-002 objective of tailoring reports to the audience.

Exam trap

CompTIA often tests the candidate's ability to distinguish between audience-appropriate report sections, and the trap here is assuming that 'Technical Findings' is the most important section for all stakeholders, when in fact the Executive Summary is the primary communication tool for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because Technical Findings and Vulnerability Details contains in-depth technical descriptions, CVSS scores, proof-of-concept code, and exploit paths that are intended for engineers, not for executives who need a high-level overview. Option C is wrong because Remediation Steps provides specific technical fixes (e.g., patch versions, configuration changes) that require technical understanding to implement, and it does not prioritize business impact or risk ratings for non-technical readers.

429
MCQeasy

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

A.DNS brute force with a wordlist
B.Certificate Transparency logs
C.WHOIS lookup
D.Traceroute
AnswerB

These logs contain issued certificates which include subdomains; they can be queried passively.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers that record every SSL/TLS certificate issued by a Certificate Authority (CA). Since certificates often include Subject Alternative Names (SANs) listing subdomains, querying CT logs (e.g., via crt.sh or tools like `certigo`) reveals subdomains without any direct network probes. This makes CT logs the most effective passive reconnaissance resource, as no packets are sent to the target's infrastructure.

Exam trap

CompTIA often tests the distinction between active and passive reconnaissance; the trap here is assuming DNS brute force is passive because it uses a wordlist, but it actively queries DNS servers, whereas CT logs are truly passive as they rely on publicly archived certificate data.

How to eliminate wrong answers

Option A is wrong because DNS brute force with a wordlist requires sending DNS queries to the target's authoritative name servers, which generates network traffic and directly interacts with the target's infrastructure, violating the 'no packets sent' constraint. Option C is wrong because WHOIS lookup provides registration details (e.g., registrar, admin contacts) for the domain itself, not subdomains; it relies on WHOIS servers and does not enumerate subdomains from certificate data.

430
MCQmedium

During a penetration test, a tester needs to perform a man-in-the-middle (MITM) attack on a local network to capture credentials. Which tool should the tester use to ARP spoof and intercept traffic?

A.Wireshark
B.Nmap
C.TCPDump
D.Ettercap
AnswerD

Ettercap is designed for MITM attacks including ARP poisoning.

Why this answer

Ettercap is a comprehensive MITM tool that supports ARP spoofing, sniffing, and injection. Wireshark is for packet analysis, not active spoofing. TCPDump is for packet capture only.

Nmap can be used for discovery but not MITM.

431
MCQhard

A penetration tester has compromised a Windows domain-joined workstation and needs to identify all domain controllers and their IP addresses without triggering detection mechanisms. Which technique is most likely to avoid raising alerts?

A.Perform an LDAP query using ADSI to enumerate domain controllers
B.Attempt a DNS zone transfer from the internal DNS server
C.Perform an ARP scan of the subnet to identify active IP addresses
D.Use Nmap to perform a SYN scan of the entire subnet looking for Kerberos service ports
AnswerA

LDAP queries are common and legitimate domain activity, making them stealthy for internal reconnaissance.

Why this answer

Performing an LDAP query using ADSI to enumerate domain controllers is stealthy because it uses standard, authenticated Windows API calls that blend into normal domain traffic. This technique queries the directory service for the 'domainController' object class, which returns the DNS hostnames and IP addresses without generating suspicious network scans or DNS anomalies.

Exam trap

The trap here is that candidates often assume DNS zone transfers are the standard way to enumerate domain controllers, but they fail to recognize that zone transfers are typically restricted and logged, whereas LDAP queries are routine and less likely to trigger alerts.

How to eliminate wrong answers

Option B is wrong because attempting a DNS zone transfer from the internal DNS server typically requires an 'allow-transfer' ACL and generates a distinct AXFR query that is often logged and monitored by security teams, raising alerts. Option C is wrong because performing an ARP scan of the subnet sends a burst of broadcast requests that can be detected by network intrusion detection systems (NIDS) or endpoint protection platforms (EPP) as reconnaissance activity.

432
MCQmedium

A penetration tester is reviewing a Python script that uses the 'mitmproxy' library. The script sets up a proxy and captures HTTP traffic, then modifies certain requests in real time. Which of the following is the most likely purpose of this script?

A.To perform passive network mapping and port scanning
B.To intercept and manipulate API requests for security testing
C.To capture raw network packets for offline analysis
D.To automatically detect SQL injection vulnerabilities
AnswerB

Mitmproxy allows the tester to view and alter requests/responses, useful for testing input validation and logic flaws.

Why this answer

The mitmproxy library is specifically designed for man-in-the-middle interception and modification of HTTP/HTTPS traffic. By setting up a proxy and modifying requests in real time, the script's most likely purpose is to intercept and manipulate API requests for security testing, such as fuzzing parameters, injecting payloads, or bypassing client-side controls.

Exam trap

The trap here is that candidates often confuse mitmproxy with passive sniffing tools like Wireshark, failing to recognize that mitmproxy's core feature is active interception and modification of application-layer traffic, not just passive observation or raw packet capture.

How to eliminate wrong answers

Option A is wrong because passive network mapping and port scanning rely on tools like Nmap or Wireshark to observe traffic without modification, whereas mitmproxy actively intercepts and alters traffic, which is not passive. Option C is wrong because capturing raw network packets for offline analysis is the function of packet sniffers like tcpdump or Wireshark, which operate at the network layer (Layer 3) and do not modify requests; mitmproxy works at the application layer (Layer 7) and is designed for real-time manipulation, not offline capture.

433
Matchingmedium

Match each network protocol to its well-known port number.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

22

443

53

25

3389

Why these pairings

These are standard well-known port assignments for common protocols used in penetration testing.

434
MCQmedium

A penetration tester is writing a Bash script to automate enumeration of a Linux system after gaining a shell. The script needs to extract user information from the /etc/passwd file. Which command would be most efficient for listing only the usernames?

A.cat /etc/passwd | cut -d: -f1
B.cat /etc/passwd | awk '{print $1}'
C.cat /etc/passwd | head
D.grep 'user' /etc/passwd
AnswerA

This correctly splits each line by colon and outputs the first field (username).

Why this answer

Option A is correct because the `cut` command with `-d: -f1` splits each line of /etc/passwd on the colon delimiter and extracts the first field, which is the username. This is the most efficient and purpose-built approach for parsing colon-delimited files in Linux, avoiding unnecessary overhead from other tools.

Exam trap

The trap here is that candidates often assume `awk` with default field splitting works for colon-delimited files, but they forget to specify the `-F:` flag, leading to incorrect output that includes the entire line or unexpected fields.

How to eliminate wrong answers

Option B is wrong because `awk '{print $1}'` defaults to whitespace field splitting, but /etc/passwd uses colons as delimiters, so it would print the entire line (since the line has no spaces before the first colon) rather than just the username. Option C is wrong because `head` outputs the first 10 lines of the file by default, not just usernames, and does not parse or extract specific fields at all.

435
MCQhard

A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?

A.The IP address and port of the target service
B.The exact location of a JMP ESP instruction in memory
C.The version of the operating system running on the target
D.The username and password for the target service
AnswerB

For a buffer overflow where the shellcode is placed in the stack, overwriting the return address with the address of a JMP ESP instruction (which must be at a fixed, predictable address) will redirect execution to the shellcode. Determining this address is crucial for a reliable exploit.

Why this answer

The script performs a buffer overflow attack by overwriting a return address. To redirect execution to attacker-controlled shellcode, the tester must overwrite the return address with the address of a JMP ESP instruction (or equivalent) that is reliably located in memory. Without this address, the overwritten return pointer will cause a crash or unpredictable behavior, making exploitation impossible.

Exam trap

The trap here is that candidates often focus on network connectivity (IP/port) or OS version, overlooking that the core technical challenge in a buffer overflow exploit is controlling execution flow via a reliable return address like JMP ESP.

How to eliminate wrong answers

Option A is wrong because while the IP address and port are necessary to connect to the target service, they are not the most critical piece of information for the exploitation phase; the script already imports socket and presumably has connection details. Option C is wrong because the OS version can help in selecting appropriate offsets or shellcode, but the immediate critical requirement is the address of a JMP ESP instruction, which depends on the specific executable or loaded DLL, not just the OS version.

436
MCQeasy

A penetration tester is asked to perform a test that focuses on identifying vulnerabilities in a company's external web application without providing any internal credentials. The tester has been given a signed agreement that lists the IP range and URLs. Which of the following scoping considerations is MOST directly addressed by the agreement?

A.Type of testing (black box vs white box)
B.Time constraints for the test
C.Rules of engagement regarding social engineering
D.Data handling procedures
AnswerA

Correct. The lack of internal credentials and the external IP/URL scope clearly indicate a black box test, which is a primary scoping consideration.

Why this answer

The signed agreement explicitly defines the IP range and URLs for testing, which directly informs the type of testing. Since no internal credentials are provided, this is a black box test, where the tester has no prior knowledge of the internal system. The agreement's scope (IPs and URLs) is the primary factor that determines the testing approach, making 'Type of testing (black box vs white box)' the most directly addressed scoping consideration.

Exam trap

The trap here is that candidates may confuse the provision of an IP range and URL list with a 'white box' scenario, but the lack of internal credentials and the signed agreement's focus on external targets clearly define it as a black box test, not a white box test.

How to eliminate wrong answers

Option B is wrong because time constraints, while important in scoping, are not directly addressed by an agreement that only lists IP ranges and URLs; time constraints would be specified in a separate section of the rules of engagement or project timeline. Option C is wrong because rules of engagement regarding social engineering are not implied by the provision of an IP range and URL list; social engineering rules require explicit consent and separate authorization, and the absence of internal credentials does not automatically permit social engineering.

437
MCQmedium

A penetration tester is finalizing a report for a client. The client's technical team needs a concise list of each vulnerability with its risk rating, CVSS score, and recommended remediation steps. In which section of the report should this information be placed?

A.Findings and technical details
B.Executive summary
C.Scope and methodology
D.Appendix
AnswerA

This section is designed to present each vulnerability with its risk rating, CVSS score, impact, and remediation.

Why this answer

The Findings and technical details section is the correct placement because it is specifically designed to provide a detailed, itemized list of vulnerabilities, including risk ratings, CVSS scores, and remediation steps, which the client's technical team needs for action. This section goes beyond high-level summaries to deliver the granular data required for patching and mitigation, aligning with the PT0-002 objective of structuring reports for different audiences.

Exam trap

The trap here is that candidates confuse the Executive summary's role for technical audiences, but the PT0-002 exam emphasizes that technical details belong in the Findings section, while the Executive summary is for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because the Executive summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks, business impact, and strategic recommendations, not a concise list of each vulnerability with CVSS scores and remediation steps. Option C is wrong because the Scope and methodology section describes the testing boundaries, tools used, and techniques employed (e.g., Nmap scans, exploitation frameworks), not the detailed findings or remediation guidance.

438
MCQeasy

A client is planning a penetration test of their AWS cloud environment. They will provide the tester with an IAM user account with limited permissions. Which of the following scoping restrictions is most important to include in the rules of engagement to avoid unexpected costs?

A.The tester must not create any new AWS resources that incur costs.
B.The tester must use only premium AWS services for testing.
C.The tester must request permission from AWS Support before each test.
D.The tester must avoid testing in the us-east-1 region due to higher costs.
AnswerA

This restriction prevents the tester from accidentally or intentionally launching billable resources. It is a standard and critical control for cloud penetration tests.

Why this answer

Option A is correct because creating new AWS resources (e.g., EC2 instances, RDS databases, Lambda functions) can incur direct costs under the tester's IAM user account, even with limited permissions. The rules of engagement must explicitly prohibit resource creation to prevent unexpected billing, as AWS charges for resources provisioned regardless of the test's purpose. This scoping restriction aligns with the principle of cost containment in penetration testing engagements.

Exam trap

The trap here is that candidates may focus on technical restrictions like service tiers or support permissions, overlooking the direct financial risk of resource creation, which is the most critical scoping concern in cloud penetration testing.

How to eliminate wrong answers

Option B is wrong because requiring the use of only premium AWS services would increase costs unnecessarily and contradicts the goal of avoiding unexpected expenses; premium services are more expensive and not required for effective testing. Option C is wrong because requesting permission from AWS Support before each test is impractical and not a standard scoping restriction; AWS Support does not authorize individual penetration tests, and the tester should rely on the client's authorization and the AWS Acceptable Use Policy.

439
MCQeasy

A penetration tester is preparing the final report. The client's CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A.A detailed list of all vulnerabilities with CVSS scores
B.The exact commands and payloads used during exploitation
C.A quantitative risk analysis including annualized loss expectancy
D.A high-level summary of the test's scope, overall risk rating, and business impact
AnswerD

This is exactly what the executive summary is designed for: giving non-technical leaders a clear picture of the risk without overwhelming them with technical details.

Why this answer

The executive summary is designed for senior management, such as the CEO, who needs a concise overview of the penetration test's scope, overall risk rating, and business impact to make informed decisions. Detailed technical data, such as CVSS scores or exploitation commands, is inappropriate for this audience and belongs in the technical report. Option D directly addresses the requirement for a high-level, business-focused summary.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, mistakenly thinking that including detailed CVSS scores or exploitation commands demonstrates thoroughness, when in fact the exam expects a clear separation of audience-specific content.

How to eliminate wrong answers

Option A is wrong because a detailed list of all vulnerabilities with CVSS scores is too granular for an executive summary; CVSS scores are technical metrics that require context and are better placed in the technical findings section. Option B is wrong because exact commands and payloads used during exploitation are operational details intended for the technical team, not for a CEO who needs business impact analysis. Option C is wrong because while quantitative risk analysis (e.g., ALE) can be useful, it is not always feasible or required in a penetration test report; the executive summary should focus on qualitative risk ratings and business impact, not specific financial calculations that may rely on assumptions not validated by the test.

440
MCQhard

A penetration tester has compromised a Linux server and wants to move laterally to a Windows server. The Linux server has network access to the Windows server on port 445. The tester has a captured NTLM hash of a domain administrator account. Which technique is most likely to allow the tester to authenticate and execute commands on the Windows server?

A.Pass-the-hash using Impacket's psexec
B.Kerberos Golden Ticket attack
C.SMB relay attack using the hash
D.Brute-force password cracking of the hash
AnswerA

Pass-the-hash allows authentication using the NTLM hash directly, enabling lateral movement to Windows systems.

Why this answer

Option A is correct because the tester has a captured NTLM hash of a domain administrator account and network access to the Windows server on port 445 (SMB). Pass-the-hash (PtH) allows authentication using the NTLM hash directly without needing the plaintext password. Impacket's psexec uses the SMB protocol to authenticate with the hash and execute commands remotely, making it the most direct and effective technique for lateral movement in this scenario.

Exam trap

The trap here is that candidates may confuse pass-the-hash with SMB relay, but relay requires intercepting a live authentication attempt, whereas pass-the-hash directly uses the captured hash to authenticate without any relay.

How to eliminate wrong answers

Option B is wrong because a Kerberos Golden Ticket attack requires forging a Ticket Granting Ticket (TGT) using the KRBTGT account's hash, which is not captured here; the captured hash is for a domain administrator account, not the KRBTGT account, and the attack also requires domain controller access, not just SMB to a Windows server. Option C is wrong because an SMB relay attack requires the tester to intercept and relay authentication attempts from a client to a server, but the tester already possesses the hash and does not need to relay it; relay attacks are used when the hash cannot be directly used (e.g., with NTLMv2 and no local admin rights), but here the hash is directly usable for pass-the-hash.

441
MCQeasy

A penetration tester needs to automate a series of web application attacks against a login page to identify weak credentials. Which tool is most appropriate?

A.Nmap
B.Hydra
C.Burp Suite
D.Wireshark
AnswerB

Hydra is a network logon cracker that supports multiple protocols for brute-forcing credentials.

Why this answer

Option A is correct because Hydra is a tool designed for brute-force attacks on login pages. Option B is wrong because Nmap is for network discovery. Option C is wrong because Wireshark is for packet capture.

Option D is wrong because Burp Suite is for web application testing but not primarily for brute-forcing credentials.

442
MCQhard

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

A.Include all raw data in the appendices of the final report
B.Provide the raw data in a separate, sanitized deliverable with a data handling agreement
C.Refuse to provide raw data to protect the confidentiality of the testing process
D.Provide the raw data only if the client signs a non-disclosure agreement
AnswerB

This approach protects confidentiality and allows the client to use the data responsibly.

Why this answer

Option B is correct because raw data such as scan results, exploit logs, and packet captures often contain sensitive information like IP addresses, credentials, or system details. Best practices (e.g., PTES, NIST SP 800-115) dictate that raw data should be provided in a separate, sanitized deliverable accompanied by a data handling agreement to ensure confidentiality and proper data governance, rather than embedding it directly in the final report.

Exam trap

The trap here is that candidates may assume the final report should include all evidence for completeness (Option A), overlooking the confidentiality and data handling risks inherent in raw, unsanitized data.

How to eliminate wrong answers

Option A is wrong because including all raw data in the appendices of the final report risks exposing sensitive information to unauthorized readers and violates data minimization principles; the final report should contain only synthesized findings and evidence. Option C is wrong because refusing to provide raw data outright is not a best practice—clients have a legitimate need for supporting evidence, and a professional tester should provide it under controlled conditions with a data handling agreement.

443
MCQhard

During a penetration test, a tester exploits a buffer overflow vulnerability in a legacy application. After gaining code execution, what is the next best step to maintain access?

A.Create a backdoor user account
B.Install an antivirus solution
C.Patch the buffer overflow vulnerability
D.Erase the application logs
AnswerA

A backdoor account provides reliable access even if the exploit is patched.

Why this answer

After gaining code execution via a buffer overflow, the next best step is to create a backdoor user account to maintain persistent access to the compromised system. This ensures the tester can re-enter the environment without re-exploiting the vulnerability, which may be patched or monitored. Creating a local user account (e.g., via `net user` or `useradd`) is a standard persistence technique in penetration testing, allowing continued access for lateral movement or data exfiltration.

Exam trap

CompTIA often tests the distinction between maintaining access (persistence) and covering tracks (log deletion) or remediation (patching), leading candidates to mistakenly choose log erasure or patching as the immediate next step after exploitation.

How to eliminate wrong answers

Option B is wrong because installing an antivirus solution would likely detect and remove the tester's tools or backdoors, undermining the goal of maintaining access; it also violates the tester's objective of stealth. Option C is wrong because patching the buffer overflow vulnerability would fix the exploited flaw, but this is a remediation step for the client, not a step to maintain the tester's access; it would actually prevent future exploitation. Option D is wrong because erasing application logs may help cover tracks, but it does not provide a mechanism for re-entry; log deletion is a post-exploitation cleanup step, not a persistence method.

444
MCQmedium

A penetration tester is reviewing a Python script that uses the `requests` library to send HTTP POST requests to a login endpoint. The script attempts to bypass authentication by sending SQL injection payloads in the username field. Which of the following code changes would MOST effectively help the tester identify successful injections by reducing false negatives?

A.Using a `requests.Session` object to maintain cookies across requests
B.Parsing the response for specific error messages such as 'SQL syntax' or 'mysql_fetch_array'
C.Implementing a random delay between requests to avoid rate limiting
D.Adding a function to automatically resend each payload multiple times
AnswerB

This allows the script to confirm that the injection payload was processed by the database, reducing false negatives.

Why this answer

Option B is correct because parsing the HTTP response for database-specific error messages (e.g., 'SQL syntax', 'mysql_fetch_array') directly indicates that the SQL injection payload triggered a detectable database error, confirming a successful injection. This reduces false negatives by catching cases where the login fails but the injection still executes, rather than relying solely on authentication bypass (which may not occur if the injection is blind or the query structure differs).

Exam trap

The trap here is that candidates often confuse session management (Option A) or evasion techniques (Option C) with detection logic, overlooking that the core goal is to reduce false negatives by explicitly checking for injection success indicators in the response.

How to eliminate wrong answers

Option A is wrong because using a `requests.Session` object maintains cookies and session state across requests, which is useful for session handling but does not help identify whether a SQL injection payload succeeded; it addresses session continuity, not detection of injection success. Option C is wrong because implementing a random delay between requests helps avoid rate limiting or WAF detection, but it does not improve the accuracy of identifying successful injections; it only evades defenses, not reduces false negatives in detection.

445
MCQmedium

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

A.nmap -sS -p- target
B.nmap -sT -p 1-100 target
C.nmap -sC -p 1-1000 target
D.nmap -sV --top-ports 100 target
AnswerD

--top-ports 100 scans the most frequently open ports, minimizing traffic and time while focusing on likely candidates.

Why this answer

Option D is correct because `--top-ports 100` instructs Nmap to scan only the 100 most commonly open ports, which minimizes network traffic and time compared to scanning all ports or a large range. The `-sV` flag enables version detection, which is not strictly required but is commonly used in information gathering; however, the key factor for minimizing traffic and time is the `--top-ports` option, which uses a statistically derived list to reduce scan scope.

Exam trap

The trap here is that candidates confuse `-p 1-100` (first 100 ports numerically) with `--top-ports 100` (most commonly open ports), leading them to choose option B, which misses high-numbered common ports like 443 (HTTPS) or 8080 (HTTP-alt).

How to eliminate wrong answers

Option A is wrong because `-p-` scans all 65535 ports, which generates maximum traffic and takes the longest time, contradicting the goal of minimizing both. Option B is wrong because `-sT` performs a full TCP connect scan, which is slower and more detectable than a SYN scan, and `-p 1-100` scans only the first 100 ports numerically, not the top 100 most common ports, potentially missing open ports like 443 or 8080. Option C is wrong because `-sC` runs default NSE scripts, which adds significant traffic and time, and `-p 1-1000` scans 1000 ports, far more than the requested top 100, increasing scan duration.

446
MCQmedium

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

A.The application will crash immediately due to an exception.
B.The application will disclose sensitive information in the response.
C.The tester will gain a shell with the privileges of the current user.
D.The tester will be able to execute arbitrary commands on the server.
AnswerD

Successful exploitation of insecure deserialization in Java often results in remote code execution.

Why this answer

Java deserialization of untrusted data allows an attacker to supply a crafted serialized object that, when deserialized, can execute arbitrary code via gadget chains (e.g., CommonsCollections). Since the application runs on a Linux server with a standard Java runtime, the attacker can achieve remote code execution (RCE) with the privileges of the application's user, not necessarily an interactive shell. Option D is correct because the primary impact is arbitrary command execution, which may or may not yield a shell depending on the payload.

Exam trap

The trap here is that candidates often conflate 'arbitrary command execution' with 'gaining a shell' (Option C), but the exam expects the broader, more precise impact—arbitrary command execution—since a shell is just one specific form of command execution and not guaranteed by every payload.

How to eliminate wrong answers

Option A is wrong because while deserialization can throw exceptions, a crafted malicious object is designed to execute code before or instead of throwing an unhandled exception, so a crash is not the most likely outcome. Option B is wrong because deserialization RCE does not inherently disclose sensitive information in the response; information disclosure would require a specific payload or secondary vulnerability. Option C is wrong because gaining a shell is a possible outcome of arbitrary command execution, but it is not guaranteed; the most direct and accurate description is arbitrary command execution, as the payload may execute a command without spawning an interactive shell.

447
MCQeasy

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A.Performing a DNS zone transfer
B.Querying publicly available DNS records
C.Using Nmap to scan for DNS servers
D.Sending crafted DNS queries to the target's DNS server
AnswerB

Using public DNS resolvers to retrieve records like A, MX, or CNAME is passive and avoids direct interaction.

Why this answer

Option B is correct because querying publicly available DNS records (e.g., via passive DNS, WHOIS, or DNS dumpster) allows the tester to gather DNS information without any direct interaction with the target's servers. This technique relies on third-party databases and cached records, avoiding any packets sent to the target, which is essential for stealth during reconnaissance. It aligns with passive information gathering, as defined in the PT0-002 objectives.

Exam trap

The trap here is that candidates often confuse 'passive reconnaissance' with 'active reconnaissance' and choose a technique like DNS zone transfer or Nmap scanning, which are clearly active and detectable, because they assume any DNS enumeration must involve direct queries.

How to eliminate wrong answers

Option A is wrong because a DNS zone transfer is an active query that directly interacts with the target's authoritative DNS server, requiring the server to allow AXFR requests, which is a direct interaction and not passive. Option C is wrong because using Nmap to scan for DNS servers involves sending packets to the target's network to probe for open ports (e.g., UDP 53), which is active reconnaissance and directly interacts with the target's infrastructure.

448
MCQmedium

A penetration tester is testing a web application that uses JSON Web Tokens (JWTs) for authentication. The tester discovers that the server does not verify the JWT signature properly. The tester crafts a JWT with an arbitrary payload and sets the algorithm to 'none'. Which attack does this enable?

A.SQL injection
B.Server-side request forgery
C.Authentication bypass
D.Cross-site request forgery
AnswerC

Setting the algorithm to 'none' and forging the token allows the attacker to bypass authentication and gain unauthorized access.

Why this answer

Option C is correct because setting the JWT algorithm to 'none' removes all cryptographic verification. If the server does not validate the signature, it will accept a token with an arbitrary payload, allowing the attacker to impersonate any user without knowing the secret key. This directly results in an authentication bypass, as the server trusts the forged token.

Exam trap

The trap here is that candidates may confuse JWT algorithm manipulation with injection attacks (SQLi) or server-side request forgery (SSRF), but the core of this question is about signature verification failure leading to authentication bypass.

How to eliminate wrong answers

Option A is wrong because SQL injection targets database queries via input fields, not JWT token manipulation; the 'none' algorithm attack does not involve injecting SQL commands. Option B is wrong because server-side request forgery (SSRF) exploits server-side requests to internal resources, whereas this attack modifies the JWT itself to bypass authentication, not to trigger outbound requests.

449
Multi-Selectmedium

A penetration tester is conducting an external assessment of a target organization and wants to gather information without sending any packets that might be logged by the target's network monitoring systems. Which TWO of the following methods are considered passive reconnaissance?

Select 2 answers
A.Send spear-phishing emails to employees
B.Query the target's DNS servers using nslookup
C.Use Shodan to identify exposed services
D.Conduct WHOIS lookups on the target's domain
E.Perform a full port scan using Nmap
AnswersC, D

Shodan crawls the internet and stores publicly available information, so queries against Shodan are passive.

Why this answer

Passive reconnaissance involves collecting information from publicly available sources without directly interacting with the target's systems. WHOIS lookups and Shodan searches both rely on public databases and do not send probes to the target network. DNS queries (option D) can be logged by the target's DNS servers and are therefore active.

Port scanning (option A) and phishing emails (option C) are active techniques that directly interact with the target.

450
MCQeasy

A penetration tester runs the following command and receives the output. What does this output indicate?

A.The target has three services running
B.The target has a misconfigured SSL certificate
C.The target is using default credentials
D.The target is running a vulnerable version of OpenSSH
AnswerA

The scan shows three open ports (22, 80, 443) with services.

Why this answer

Option B is correct because the output shows three open ports: 22, 80, 443. Option A is wrong because OpenSSH 7.4 is not necessarily vulnerable. Option C is wrong because no credentials are shown.

Option D is wrong because the SSL certificate is not detailed.

Page 5

Page 6 of 7

Page 7

All pages