CompTIA PenTest+ PT0-002 (PT0-002) — Questions 451509

509 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQmedium

A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?

A.Who is responsible for patching the operating system
B.Whether the tester needs authorization from the cloud provider
C.The encryption method for data at rest
D.The backup strategy for logs
AnswerB

Many cloud providers require explicit authorization for penetration testing; failing to obtain it can lead to service termination or legal action.

Why this answer

In a shared responsibility model, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. However, penetration testing activities may violate the cloud provider's terms of service or acceptable use policy, potentially triggering legal action. Therefore, obtaining explicit authorization from the cloud provider is critical to ensure the tester's actions are legally permitted and to avoid liability for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA).

Exam trap

CompTIA often tests the misconception that operational security tasks like patching or encryption are the primary legal concerns in a shared responsibility model, when in fact the critical legal issue is obtaining explicit authorization from the cloud provider to avoid violating their terms of service or anti-hacking laws.

How to eliminate wrong answers

Option A is wrong because patching the operating system is a shared responsibility that varies by service model (e.g., IaaS vs. PaaS), but it is an operational security task, not a legal authorization issue that must be clarified in the rules of engagement to avoid legal issues. Option C is wrong because encryption methods for data at rest are a security control configuration, not a legal authorization requirement; while important for data protection, they do not address the legal risk of unauthorized testing against the cloud provider's infrastructure.

452
Multi-Selectmedium

A penetration tester is planning to perform a vulnerability scan of an internal network. Which of the following should be considered before scanning? (Choose three.)

Select 3 answers
A.Obtain written authorization from the client
B.Define the scope and rules of engagement
C.Perform the scan during peak business hours
D.Ensure the scanning tool is updated with latest signatures
E.Test all available exploit modules
AnswersA, B, D

Authorization is essential to avoid legal issues.

Why this answer

Option A is correct because written authorization from the client is a legal and ethical prerequisite before any scanning activity. Without explicit permission, the penetration tester could be liable for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA) or similar regulations, as vulnerability scanning involves sending probes that may trigger intrusion detection systems or cause unintended disruptions.

Exam trap

The trap here is that candidates confuse vulnerability scanning with exploitation, assuming that testing exploits (Option E) is part of the scan, when in fact scanning is passive detection and exploitation requires separate authorization and a different phase.

453
MCQmedium

Based on the exhibit, which additional Nmap command should the tester run to gather the most useful information for a web application test?

A.nmap -A 192.168.1.10
B.nmap -sV 192.168.1.10
C.nmap -O 192.168.1.10
D.nmap -sC 192.168.1.10
AnswerB

Version detection identifies software and versions, essential for web app testing.

Why this answer

The -sV option performs version detection on open ports, revealing software versions on HTTP/HTTPS and the proxy. -O is OS detection, -sC runs default scripts (useful but version first), and -A does both. However, -sV is the most direct for web app testing as it identifies application versions, which is crucial for vulnerability research.

454
MCQeasy

Which of the following tools would a penetration tester most likely use to perform passive reconnaissance on a target domain?

A.Wireshark
B.Nmap
C.Metasploit
D.theHarvester
AnswerD

theHarvester is designed for passive reconnaissance by querying public sources.

Why this answer

theHarvester is a passive reconnaissance tool that gathers information from public sources such as search engines, PGP key servers, and the Shodan API without directly interacting with the target domain. It collects email addresses, subdomains, IPs, and employee names using OSINT (Open Source Intelligence) techniques, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with active scanning tools like Nmap or Wireshark, failing to recognize that passive methods rely on publicly available data without sending any packets to the target.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, which requires active packet sniffing on the network, not passive reconnaissance. Option B is wrong because Nmap is an active scanning tool that sends crafted packets to target hosts to discover open ports and services, generating detectable traffic. Option C is wrong because Metasploit is an exploitation framework used for active penetration testing, including payload delivery and post-exploitation, not passive information gathering.

455
MCQmedium

A client with a hybrid on-premises and cloud infrastructure requests a penetration test. The client uses an IaaS provider for some servers. Which of the following is the MOST important aspect to clarify in the rules of engagement regarding the cloud environment?

A.The list of operating systems used in the cloud
B.The authorization from the cloud provider for testing
C.The public IP addresses of the cloud servers
D.The budget allocated for cloud testing
AnswerB

Correct. Under shared responsibility, the customer must ensure they have permission from the cloud provider to test certain components; the ROE should specify that this authorization has been obtained.

Why this answer

The most critical aspect to clarify in the rules of engagement for a cloud environment is obtaining explicit authorization from the IaaS provider. Without this authorization, the penetration test may violate the provider's acceptable use policy or terms of service, potentially leading to legal action or service termination. This is a foundational scoping requirement because the client does not own the underlying infrastructure; the cloud provider retains control over the network and hypervisor layers.

Exam trap

The trap here is that candidates focus on technical scoping details like IP addresses or OS lists, overlooking the critical legal and contractual prerequisite of obtaining the cloud provider's explicit authorization, which is a unique requirement for cloud environments compared to on-premises testing.

How to eliminate wrong answers

Option A is wrong because the list of operating systems used in the cloud is a technical detail that can be discovered during reconnaissance or provided in the scope, but it is not the most important legal or contractual aspect to clarify in the rules of engagement. Option C is wrong because while public IP addresses are necessary for targeting, they are operational details that can be scoped later; the primary concern is obtaining the cloud provider's written permission to test, as testing without it could be considered unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA).

456
MCQeasy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without proper escaping or encoding. The input is not sanitized and is included in the page's HTML. Which type of vulnerability is most likely present?

A.SQL injection
B.Cross-Site Scripting (XSS)
C.Stored XSS
D.Cross-Site Request Forgery (CSRF)
AnswerB

Reflecting unsanitized user input in the HTTP response is a primary indicator of a reflected XSS vulnerability, allowing script injection.

Why this answer

The vulnerability is reflected Cross-Site Scripting (XSS) because the web application immediately echoes user-supplied input in the HTTP response without proper escaping or encoding, allowing an attacker to inject arbitrary HTML or JavaScript that executes in the victim's browser. This matches the classic definition of reflected XSS, where the payload is part of the request and reflected back, not stored on the server.

Exam trap

The trap here is that candidates confuse reflected XSS with stored XSS because both involve injecting script into a web page, but the key differentiator is whether the payload is persisted on the server (stored) or immediately reflected in the response (reflected).

How to eliminate wrong answers

Option A is wrong because SQL injection requires user input to be incorporated into a database query without proper sanitization, not simply reflected in the HTTP response; the description lacks any mention of database interaction or query construction. Option C is wrong because stored XSS requires the malicious input to be persisted on the server (e.g., in a database or file) and later served to other users, whereas the scenario describes input being reflected immediately in the response without storage.

457
MCQmedium

A penetration tester is writing the technical report for a client. The client's security team needs detailed, step-by-step instructions on how to reproduce each vulnerability found. In which section of the report should this information be placed?

A.Executive summary
B.Risk rating section
C.Findings and recommendations
D.Appendix
AnswerC

This section provides a detailed breakdown of each finding, including how it was discovered, steps to reproduce, and recommended remediation actions.

Why this answer

The 'Findings and recommendations' section is the correct location for detailed, step-by-step reproduction instructions because it provides the technical depth needed for the client's security team to validate and remediate each vulnerability. This section typically includes exact commands, payloads, and sequences used during testing, aligning with the PT0-002 objective of delivering actionable technical details.

Exam trap

The trap here is that candidates confuse the 'Executive summary' (which summarizes findings for management) with the 'Findings and recommendations' section, mistakenly thinking step-by-step instructions belong in the high-level overview due to a misunderstanding of report audience segmentation.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk posture, not step-by-step technical reproduction steps. Option B is wrong because the risk rating section assigns severity scores (e.g., CVSS v3.1 base scores) and prioritizes findings, but does not contain the granular procedural instructions needed to replicate vulnerabilities.

458
MCQmedium

A client has a highly dynamic cloud environment where resources are frequently spun up and down. What scoping challenge does this present?

A.Compliance issues
B.Lack of logs
C.Insufficient testing time
D.Inconsistent attack surface
AnswerD

Resources changing frequently make it hard to scope and test consistently.

Why this answer

An inconsistent attack surface makes it difficult to define a stable scope of targets. Testing may miss transient resources or encounter resources that change during the engagement. Other options are risks but not specific scoping challenges.

459
MCQhard

A penetration tester is evaluating a cloud environment (AWS) and finds an S3 bucket with public write access. Which attack is most likely to succeed if the tester wants to plant malicious files that will be served to users?

A.Exhaust the bucket's storage quota
B.Upload a malicious JavaScript file to the bucket
C.Encrypt all objects in the bucket for ransom
D.Modify the bucket policy to grant further permissions
AnswerB

Public write allows uploading files; if the bucket serves web content, users will download the malicious file.

Why this answer

Option B is correct because an S3 bucket with public write access allows anyone to upload objects without authentication. A penetration tester can upload a malicious JavaScript file (e.g., for cross-site scripting or drive-by download) that, when accessed by users via the bucket's public URL, executes in their browsers. This directly exploits the misconfiguration to serve malicious content to end users.

Exam trap

The trap here is that candidates may confuse 'public write access' with 'public read access' and assume the goal is to read data, or they may overthink the attack path and choose a privilege escalation option (D) instead of directly exploiting the write permission to plant malicious content.

How to eliminate wrong answers

Option A is wrong because exhausting the bucket's storage quota is a denial-of-service tactic, not a method to plant malicious files served to users; it disrupts availability but does not achieve the goal of serving malicious content. Option C is wrong because encrypting all objects for ransom (e.g., ransomware) requires write access but does not plant files that are served to users; it denies access to existing data and is a different attack vector (data extortion). Option D is wrong because modifying the bucket policy to grant further permissions is a privilege escalation step that could enable other attacks, but it does not directly plant malicious files to be served to users; the tester already has public write access, so changing the policy is unnecessary for the stated goal.

460
MCQmedium

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP requests with a custom header that mimics a mobile device. The script also uses 'beautifulsoup4' to parse the response and extract specific data. Which task is this script most likely performing?

A.Web scraping to gather publicly available information.
B.Fuzzing for SQL injection.
C.Performing a brute-force attack on a login form.
D.Testing for directory traversal vulnerabilities.
AnswerA

The combination of requests and BeautifulSoup indicates scraping. The mobile User-Agent helps evade simple bot detection, making it ideal for collecting data from web pages.

Why this answer

The script uses the 'requests' library to send HTTP requests with a custom header mimicking a mobile device, and 'beautifulsoup4' to parse the HTML response and extract data. This combination is specifically designed for web scraping, where the custom header helps avoid bot detection by making the request appear to come from a mobile browser, and BeautifulSoup extracts targeted information from the page structure.

Exam trap

The trap here is that candidates may confuse the use of a custom header with security testing (e.g., fuzzing or brute-forcing), but the presence of BeautifulSoup for HTML parsing clearly indicates data extraction, not injection or authentication bypass.

How to eliminate wrong answers

Option B is wrong because fuzzing for SQL injection typically involves sending malformed input (e.g., special characters, SQL keywords) in parameters or form fields, not setting a custom User-Agent header or parsing HTML with BeautifulSoup; tools like Burp Suite Intruder or custom loops with 'requests' are used, but the focus is on injecting payloads, not extracting data from responses. Option C is wrong because a brute-force attack on a login form requires iterating through username/password combinations and analyzing response status codes or error messages, not simply setting a mobile User-Agent and parsing HTML for data extraction; BeautifulSoup is unnecessary for brute-force logic, which typically checks for login success indicators like redirects or specific text.

461
MCQhard

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?

A.Return-to-libc attack
B.Return-Oriented Programming (ROP) chain
C.Heap spraying
D.SEH overwrite exploit
AnswerB

ROP chains bypass both ASLR (if gadgets are at fixed addresses) and NX by reusing existing code snippets.

Why this answer

Option B is correct because Return-Oriented Programming (ROP) is specifically designed to bypass both ASLR and NX when a fixed-address ROP gadget is available. Since the library is loaded at a constant address across reboots, the tester can chain gadgets from that library to execute arbitrary code without needing to inject executable shellcode.

Exam trap

The trap here is that candidates may confuse return-to-libc with ROP, but return-to-libc is limited to calling a single function and cannot chain multiple gadgets, which is necessary for complex code execution when NX is enabled.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically relies on calling a single function (e.g., system()) and does not provide the flexibility to chain multiple operations; it is less effective when ASLR randomizes the base address of libc, but here the library is at a fixed address, making ROP more appropriate for complex code execution. Option C is wrong because heap spraying is a technique used to increase the predictability of heap layout for exploiting use-after-free or heap overflow vulnerabilities, not for bypassing NX or achieving code execution via a buffer overflow with ROP gadgets.

462
MCQmedium

During a penetration test, the tester exploits a local file inclusion (LFI) vulnerability to read /etc/passwd. The tester then wants to achieve remote code execution. Which technique is most likely to succeed if the web application is running as the www-data user?

A.Uploading a web shell via file upload
B.Using PHP wrapper php://input to execute commands
C.Reading /proc/self/environ triggers code execution
D.Using SSH to create a reverse shell
AnswerB

The php://input wrapper reads raw POST data, and if allow_url_include is enabled, it can be used to execute PHP code injected in the request body.

Why this answer

Option B is correct because the PHP wrapper php://input allows reading raw POST data, and when used with an LFI vulnerability, an attacker can inject PHP code into the POST body that gets executed by the include() function. Since the web application runs as www-data, this technique bypasses file upload restrictions and directly achieves remote code execution without needing write permissions.

Exam trap

The trap here is that candidates confuse passive file reads (like /proc/self/environ) with active code execution techniques, or assume file upload is always available when the primary vulnerability is LFI.

How to eliminate wrong answers

Option A is wrong because uploading a web shell via file upload requires a separate file upload vulnerability, which is not guaranteed; even if present, the uploaded file must be accessible and executable, and the www-data user may lack write permissions to the web root. Option C is wrong because reading /proc/self/environ only reveals environment variables and does not trigger code execution; it is a passive information disclosure, not an active exploitation technique.

463
MCQeasy

A client wants a social engineering test focusing on phishing. What should be included in the scope to ensure ethical handling?

A.The rules of engagement for notifying employees after the test
B.The attacker infrastructure details
C.The list of approved sender domains to use
D.The expected number of employees who should fall for the email
AnswerA

Ensures ethical closure.

Why this answer

Option B is correct because the rules of engagement should include how to notify employees after the test. Option A is wrong because attacker infrastructure details are operational, not scope. Option C is wrong because expected failure rates are not typically defined.

Option D is wrong although important, notification rules are more critical.

464
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft custom network packets. The relevant code is: ```python from scapy.all import * packet = IP(dst="192.168.1.1")/TCP(dport=80, flags="S") response = sr1(packet, timeout=2) if response.haslayer(TCP): print(response.getlayer(TCP).flags) ``` What is the primary goal of this script?

A.To perform a TCP connect scan by completing the three-way handshake
B.To perform a SYN scan and determine if port 80 is open
C.To send an HTTP GET request and capture the web page
D.To perform a UDP scan on port 80
AnswerB

The script sends a SYN packet to port 80 and analyzes the response flags; a SYN-ACK indicates the port is open.

Why this answer

The script uses Scapy to craft a TCP SYN packet (flags='S') to port 80 and sends it with sr1(), which waits for a single response. If a TCP layer is present in the reply, it prints the flags. This is the classic behavior of a SYN scan (half-open scan): it sends a SYN and analyzes the response to determine if the port is open (SYN-ACK) or closed (RST), without completing the handshake.

Option B correctly identifies this as a SYN scan to check if port 80 is open.

Exam trap

The trap here is that candidates may confuse a SYN scan with a full connect scan (Option A) because both involve sending a SYN, but the key difference is that a SYN scan never sends the final ACK, making it stealthier and not a full handshake.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK), whereas this script only sends a SYN and does not send the final ACK, making it a half-open SYN scan. Option C is wrong because the script sends a raw TCP SYN packet, not an HTTP GET request; it does not include any HTTP payload or application-layer data, so it cannot retrieve a web page.

465
Multi-Selectmedium

Which THREE factors are critical to include in the rules of engagement for a penetration test?

Select 3 answers
A.Emergency contact information
B.Target IP ranges
C.Testing schedule
D.List of tools to be used
E.Post-exploitation procedures
AnswersA, B, C

Essential for stopping the test if issues arise.

Why this answer

Rules of engagement typically include target IP ranges (scope), testing schedule (time windows), and emergency contact information. Tools list and post-exploitation procedures are often documented in the test plan but are not always part of the RoE.

466
MCQhard

A penetration tester is conducting vulnerability scanning on a web application that uses a Web Application Firewall (WAF). The scanner triggers a WAF block after several requests. Which of the following techniques would be MOST effective to continue scanning while evading the WAF?

A.Increase scan speed
B.Randomize request parameters and headers
C.Use HTTP/2 multiplexing
D.Perform a full TCP connect scan
AnswerB

Randomization breaks signature-based detection by varying requests.

Why this answer

Option C is correct because randomizing request parameters and headers makes it harder for the WAF to detect pattern-based scanning. Option A increases detection likelihood; Option B may not evade pattern detection; Option D is for port scanning, not web.

467
MCQeasy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without sanitization. Which attack is most likely to be successful?

A.Server-side request forgery
B.SQL injection
C.Reflected cross-site scripting
D.Cross-site request forgery
AnswerC

Reflected XSS occurs when user input is echoed back unsanitized.

Why this answer

Reflected cross-site scripting (XSS) is the correct answer because the vulnerability described—user input reflected in the HTTP response without sanitization—directly enables an attacker to inject malicious scripts (e.g., JavaScript) that execute in the victim's browser. This occurs when the application fails to validate or encode the input before including it in the response, allowing the attacker to craft a URL with a script payload that, when visited, runs in the context of the vulnerable web application's origin.

Exam trap

The trap here is that candidates often confuse reflected XSS with stored XSS or CSRF, but the key differentiator is that the input is immediately reflected in the response without sanitization, not stored on the server or requiring a forged request.

How to eliminate wrong answers

Option A is wrong because server-side request forgery (SSRF) exploits server-side functionality to make requests to internal or external resources, not the reflection of user input in HTTP responses. Option B is wrong because SQL injection targets database queries by injecting SQL commands into input fields, not by reflecting input in HTTP responses without sanitization. Option D is wrong because cross-site request forgery (CSRF) tricks a user into performing unintended actions on a web application where they are authenticated, relying on forged requests rather than reflected input in the response.

468
MCQmedium

A penetration tester is analyzing a PowerShell script that uses Invoke-WebRequest and Invoke-RestMethod to interact with a target web service. The script parses JSON responses to extract session tokens and then uses those tokens in subsequent requests. Which attack technique is this script most likely performing?

A.Brute-forcing web application login credentials.
B.Exploiting an API by manipulating request parameters and observing responses.
C.Performing a SQL injection attack on a web form.
D.Conducting a directory traversal attack to read arbitrary files.
AnswerB

The script dynamically extracts session tokens and reuses them, which is common when testing APIs for parameter manipulation, privilege escalation, or injection flaws. It allows the tester to bypass authentication and test authenticated endpoints.

Why this answer

The script uses Invoke-WebRequest and Invoke-RestMethod to interact with a web service, parsing JSON responses to extract session tokens and reusing them in subsequent requests. This pattern is characteristic of API manipulation, where an attacker modifies request parameters (e.g., headers, query strings, or payload) and observes how the API responds to infer vulnerabilities or escalate privileges, rather than directly attacking authentication or injecting SQL.

Exam trap

The trap here is that candidates confuse the use of Invoke-WebRequest and Invoke-RestMethod with brute-force attacks, but the script's focus on token extraction and reuse points to API parameter manipulation, not credential guessing.

How to eliminate wrong answers

Option A is wrong because brute-forcing login credentials would involve repeatedly submitting different username/password pairs, not parsing JSON session tokens from responses and using them in subsequent requests; the script's focus on token extraction indicates session management exploitation, not credential guessing. Option C is wrong because SQL injection requires injecting SQL syntax into input fields to manipulate database queries, whereas the script uses Invoke-WebRequest and Invoke-RestMethod to handle structured JSON data and tokens, with no mention of SQL payloads or database error responses.

469
MCQmedium

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

A.Perform a full TCP connect scan on all 65535 ports for each IP address.
B.Use a ping sweep to identify live hosts, then run a SYN scan on port 80 for those hosts.
C.Run a SYN scan on port 80 for every IP in the subnet without ping probing.
D.Use ARP requests to map the subnet and then check for port 80 on each host.
AnswerB

A ping sweep quickly finds responsive IPs, and then a SYN scan on only those hosts for the single port is highly efficient.

Why this answer

Option B is correct because it combines two efficient steps: first, a ping sweep (ICMP Echo Request or ARP scan) identifies live hosts in the 192.168.1.0/24 subnet, reducing the number of targets; second, a SYN scan on port 80 for only those live hosts is faster and less intrusive than scanning all ports or all IPs without prior host discovery. This approach minimizes network traffic and scan time while accurately identifying hosts with HTTP services.

Exam trap

The trap here is that candidates often choose option C, thinking that skipping ping probing saves time, but they overlook the inefficiency of scanning all 256 IPs (including many dead hosts) versus first identifying live hosts to reduce the scan scope.

How to eliminate wrong answers

Option A is wrong because performing a full TCP connect scan on all 65535 ports for each IP in a /24 subnet is highly inefficient, generating massive traffic and taking excessive time, and it does not focus on the specific goal of identifying hosts with port 80 open. Option C is wrong because running a SYN scan on port 80 for every IP in the subnet without ping probing wastes time and resources scanning inactive or non-existent hosts, and it may also trigger intrusion detection systems more aggressively due to scanning dead IPs.

470
MCQeasy

A penetration tester has completed an internal network test. The client's IT manager requests a document that lists each vulnerability with its CVSS score, risk rating, and a brief description of the impact. Which section of the final report should contain this information?

A.Executive Summary
B.Technical Findings
C.Methodology
D.Remediation Summary
AnswerB

The Technical Findings section lists vulnerabilities with CVSS scores, risk ratings, and impact descriptions, tailored for technical staff.

Why this answer

The Technical Findings section is the correct location because it provides a detailed, itemized list of each discovered vulnerability, including its CVSS score, risk rating, and impact description. This section is intended for technical stakeholders who need granular data to prioritize remediation, unlike the Executive Summary which offers high-level business impact and risk overviews.

Exam trap

The trap here is that candidates confuse the Executive Summary's role as a summary of all findings with the Technical Findings' role of providing detailed, per-vulnerability data, leading them to incorrectly select the Executive Summary for listing CVSS scores and impacts.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical management, focusing on business risk, strategic recommendations, and key findings without listing individual CVSS scores or detailed impact descriptions. Option C is wrong because the Methodology section describes the tools, techniques, and procedures used during the test (e.g., Nmap scans, exploitation frameworks), not the specific vulnerabilities found.

471
MCQhard

Refer to the exhibit. A penetration tester finds this configuration file during an assessment. Which of the following is the most critical security concern with this configuration?

A.The bind password is stored in plaintext
B.The server name is an internal hostname
C.The use of LDAP instead of LDAPS
D.The port is non-standard
AnswerC

LDAP over SSL (LDAPS) provides encryption; without it, credentials are transmitted in clear text.

Why this answer

LDAP transmits credentials and queries in cleartext over TCP port 389, making it vulnerable to sniffing and credential theft. LDAPS (LDAP over SSL/TLS) encrypts the entire session on port 636, protecting the bind password and directory data in transit. Since the configuration uses LDAP instead of LDAPS, an attacker on the network can capture the bind password and potentially gain unauthorized access to the directory service.

Exam trap

CompTIA often tests the distinction between a static misconfiguration (like plaintext storage) and a protocol-level vulnerability (like cleartext transmission), tricking candidates into choosing the plaintext password option without recognizing that the network exposure is the more critical risk.

How to eliminate wrong answers

Option A is wrong because while the bind password is stored in plaintext in the configuration file, the question asks for the most critical security concern with this configuration, and the use of LDAP (unencrypted) exposes that password to network sniffing, making the lack of encryption a more fundamental issue. Option B is wrong because using an internal hostname is a standard practice for internal services and does not inherently introduce a security vulnerability; it only prevents external resolution, which is often desirable. Option D is wrong because a non-standard port is not inherently a security concern; it can even provide a minor degree of obscurity, but it does not address the lack of encryption or authentication protection.

472
MCQmedium

A multi-tenant SaaS application needs tenant isolation testing. Which type of testing is most appropriate?

A.White-box testing with access to source code
B.Vulnerability scanning of the underlying infrastructure
C.Black-box testing from the internet
D.Gray-box testing with a tenant account
AnswerD

Allows testing from an authenticated perspective.

Why this answer

Option A is correct because gray-box testing with a tenant account allows authentication and testing of isolation. Option B is wrong because black-box from the internet cannot test isolation. Option C is wrong because white-box with source code may not reflect real access.

Option D is wrong because infrastructure scanning does not test isolation.

473
MCQmedium

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

A.Identifying subdomains through DNS brute-forcing
B.Discovering open ports and services on public IP ranges
C.Enumerating email addresses from corporate websites
D.Extracting metadata from documents found on the target's website
AnswerB

Shodan collects banner data from services like HTTP, SSH, FTP, etc., allowing testers to see what is exposed on the internet.

Why this answer

Shodan is a search engine for internet-connected devices that scans public IP ranges and indexes the banners returned by services. Its primary use in reconnaissance is to discover open ports and running services on target IP ranges, revealing attack surface such as exposed databases, web servers, or industrial control systems. This aligns directly with the information-gathering phase of a penetration test.

Exam trap

The trap here is that candidates confuse Shodan's banner-gathering capability with active DNS enumeration or web scraping, leading them to select options that describe unrelated reconnaissance tasks.

How to eliminate wrong answers

Option A is wrong because Shodan does not perform DNS brute-forcing; that task is accomplished with tools like dnsrecon, subfinder, or Gobuster, which query DNS servers directly. Option C is wrong because Shodan indexes service banners and device metadata, not email addresses from corporate websites; email enumeration is typically done via web scraping, search engines, or tools like theHarvester.

474
Matchingmedium

Match each type of social engineering attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fraudulent emails to obtain sensitive information

Targeted phishing at a specific individual or organization

Voice-based phishing over phone calls

Phishing via SMS text messages

Following an authorized person into a restricted area

Why these pairings

Social engineering attacks exploit human psychology to gain access or information.

475
MCQeasy

Which of the following tools is primarily used for enumerating subdomains via search engine queries?

A.Metasploit
B.Netcat
C.theHarvester
D.Nmap
AnswerC

theHarvester is designed for OSINT, including subdomain enumeration via search engines.

Why this answer

theHarvester is specifically designed to gather emails, subdomains, IPs, and URLs from public sources, including search engines like Google, Bing, and Yahoo. It leverages search engine APIs and scraping techniques to enumerate subdomains without directly interacting with the target infrastructure, making it the correct tool for this task.

Exam trap

The trap here is that candidates often confuse Nmap's DNS brute-force scripts (like dns-brute) with passive subdomain enumeration, but Nmap actively queries DNS servers, whereas theHarvester passively collects data from search engines without touching the target's infrastructure.

How to eliminate wrong answers

Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and execution, not passive subdomain enumeration via search engines. Option B is wrong because Netcat is a networking utility for reading/writing data across TCP/UDP connections, lacking any search engine querying capability. Option D is wrong because Nmap is a network scanner that probes live hosts and services using raw packets, not a tool for passive subdomain discovery through search engine queries.

476
Drag & Dropmedium

Drag and drop the steps to perform a social engineering campaign using a phishing email with a malicious attachment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Social engineering involves pretexting, payload creation, listener setup, delivery, and shell acquisition.

477
MCQhard

A penetration tester is tasked with performing vulnerability scanning on a target organization that uses a web application firewall (WAF) and an intrusion prevention system (IPS). The tester wants to avoid being blocked while still gathering comprehensive data. Which scanning approach is most effective?

A.Use a slow, distributed scan from multiple IP addresses with random delays
B.Perform an aggressive scan with a high thread count to complete before the WAF adapts
C.Only perform passive reconnaissance and avoid active scanning
D.Use known WAF bypass techniques for each request
AnswerA

This reduces the chance of triggering IPS/WAF alerts by mimicking normal traffic patterns and avoiding high request rates from a single source.

Why this answer

A slow, distributed scan from multiple IP addresses with random delays is most effective because it evades rate-based detection mechanisms in WAFs and IPSs. By spreading the scan across many sources and introducing jitter, the traffic appears as normal user activity rather than a coordinated attack, allowing comprehensive data collection without triggering blocks.

Exam trap

The trap here is that candidates assume a fast, aggressive scan will 'beat' the WAF/IPS before it adapts, but in reality these systems use real-time rate limiting and signature detection that will block the source IP almost immediately, making the slow distributed approach the only viable option.

How to eliminate wrong answers

Option B is wrong because an aggressive scan with a high thread count will rapidly generate a high volume of requests, which WAFs and IPSs are specifically designed to detect and block as a denial-of-service or scanning pattern, likely resulting in the tester being blocked before completion. Option C is wrong because passive reconnaissance alone cannot gather comprehensive vulnerability data such as open ports, service versions, or missing patches, which require active probing to identify.

478
Multi-Selectmedium

Which TWO of the following should be included in the methodology section of a penetration test report?

Select 2 answers
A.List of vulnerabilities discovered
B.Step-by-step remediation instructions
C.The client's network diagram
D.The specific tools and commands used during testing
E.The testing approach (e.g., black-box, white-box)
AnswersD, E

Methodology includes tools.

Why this answer

The methodology section of a penetration test report documents the testing approach and the specific techniques used to ensure reproducibility and transparency. Option D is correct because listing the specific tools and commands (e.g., Nmap with `-sV -sC`, Metasploit modules, or custom scripts) allows the client to understand exactly how each test was performed. Option E is correct because stating the testing approach (e.g., black-box, white-box, or gray-box) defines the scope and context of the engagement, which is a core part of the methodology.

Exam trap

CompTIA often tests the distinction between the methodology section (which describes the 'how' and 'approach') and the findings/recommendations sections, leading candidates to mistakenly include vulnerability lists or remediation steps in the methodology.

479
MCQmedium

A penetration tester is analyzing a Bash script that uses 'curl' to send HTTP requests with payloads and checks for a specific string in the response. The script contains: 'if echo $response | grep -q "root:x:0:0"'. Which vulnerability is the script most likely testing for?

A.SQL injection
B.Local file inclusion
C.Cross-site scripting
D.Remote code execution
AnswerB

The script is attempting to read the /etc/passwd file via a file inclusion vulnerability, which would return the password file content containing the 'root:x:0:0' line.

Why this answer

The script checks for the string 'root:x:0:0' in the HTTP response, which is the standard format of the root user entry in the /etc/passwd file on Unix-like systems. This indicates the script is testing whether the server is returning the contents of a local file (e.g., /etc/passwd) via a path traversal or file inclusion vulnerability, making Local File Inclusion (LFI) the correct answer.

Exam trap

The trap here is that candidates may confuse the presence of a specific string in the response with SQL injection (e.g., thinking 'root:x:0:0' is a database record), but the format is a direct match for the /etc/passwd file, which is a classic LFI indicator.

How to eliminate wrong answers

Option A is wrong because SQL injection typically involves manipulating SQL queries to extract database contents, not checking for static system file strings like 'root:x:0:0'. Option C is wrong because cross-site scripting (XSS) focuses on injecting client-side scripts into web pages, not on retrieving server-side file contents. Option D is wrong because remote code execution (RCE) would involve executing arbitrary commands on the server, whereas the script only checks for a file content string in the response, not command output or execution indicators.

480
MCQhard

Refer to the exhibit. A penetration tester discovers this IAM policy attached to a public user role. Which attack is most likely to succeed?

A.Bucket ACL misconfiguration leading to public listing
B.Privilege escalation to admin
C.Resource exhaustion through large object uploads
D.Data exfiltration and modification
AnswerD

GetObject allows reading (exfiltration) and PutObject allows writing (modification) to the bucket.

Why this answer

The IAM policy grants `s3:PutObject` and `s3:GetObject` actions on the `arn:aws:s3:::example-bucket/*` resource, allowing a public user to both upload and download objects. This directly enables data exfiltration (via GetObject) and modification (via PutObject overwriting existing objects). The policy does not restrict object listing or require encryption, making D the most likely successful attack.

Exam trap

CompTIA often tests the distinction between bucket-level actions (like ListBucket) and object-level actions (like GetObject/PutObject), trapping candidates who assume that without ListBucket, data cannot be exfiltrated—but attackers can guess object keys or use other enumeration methods.

How to eliminate wrong answers

Option A is wrong because the policy does not grant `s3:ListBucket` or `s3:GetBucketAcl`, so a public user cannot list bucket contents or view/modify the bucket ACL; bucket ACL misconfiguration is not directly exploitable here. Option B is wrong because the policy only allows specific S3 actions on a single bucket ARN, with no permissions for IAM, STS, or other services that would enable privilege escalation to admin. Option C is wrong because resource exhaustion through large object uploads is a potential denial-of-service vector, but the question asks for the attack most likely to succeed given the explicit read/write permissions, and data exfiltration/modification is more directly enabled and common.

481
MCQmedium

A penetration tester is writing the findings section of a report. The tester discovered a cross-site scripting vulnerability that allows session hijacking. The technical team wants to understand exactly how to reproduce it, while the business owner wants to know the risk it poses to customer data. Which approach best addresses both audiences?

A.Include a single detailed description with both technical and business impact
B.Write two separate sections: one for technical details and one for risk analysis
C.Place technical details in an appendix and include only risk ratings in the main body
D.Provide a video demonstration separately from the written report
AnswerB

Separation allows the technical team to quickly find reproduction steps and the business owner to focus on risk and impact.

Why this answer

Option B is correct because it separates the technical reproduction steps (for the technical team) from the business impact analysis (for the business owner), ensuring each audience receives the information in the format they need. This aligns with the PT0-002 objective of tailoring communication to different stakeholders, avoiding confusion or information overload. A single combined description (Option A) would likely be too technical for the business owner or too vague for the technical team.

Exam trap

The trap here is that candidates may choose Option A, thinking a single comprehensive section is efficient, but the PT0-002 exam emphasizes that different stakeholders require different levels of detail—technical teams need exact reproduction steps, while business owners need risk context—so separating them is the correct approach.

How to eliminate wrong answers

Option A is wrong because a single detailed description mixing technical steps and business impact risks confusing both audiences—the technical team may find the risk language irrelevant, while the business owner may be overwhelmed by technical jargon like 'XSS payload injection via unescaped user input in the HTTP GET parameter.' Option C is wrong because placing technical details in an appendix and only risk ratings in the main body fails to provide the technical team with the step-by-step reproduction steps they need, and the business owner may not understand the context of the risk ratings without supporting explanation. Option D is wrong because a video demonstration alone does not replace a written report; it lacks the structured, searchable documentation required for compliance and audit trails, and it may not be accessible to all stakeholders (e.g., those with visual impairments or network restrictions).

482
MCQhard

A penetration testing firm is contracted to perform an external test of a company's web applications. During the scoping meeting, the client mentions that they use a CDN and WAF provided by a third party. The client wants the test to accurately reflect the security of their backend servers behind these protections. What should the tester recommend?

A.Test the CDN and WAF as part of the scope
B.Obtain the backend server IPs from the client and test them directly
C.Include a plan to bypass the WAF in the rules of engagement
D.Only test the public-facing URLs as they are
AnswerB

This allows the tester to assess the backend servers as intended, bypassing the CDN/WAF but with the client's authorization. It is the most accurate way to test the client's own infrastructure.

Why this answer

Option B is correct because the client wants the test to accurately reflect the security of their backend servers behind the CDN and WAF. By obtaining the backend server IPs directly, the tester can bypass the third-party protections and assess the actual security posture of the origin servers, which is the true target of the external test. This approach ensures that vulnerabilities not mitigated by the CDN/WAF are identified, aligning with the client's goal of evaluating backend security.

Exam trap

The trap here is that candidates may assume bypassing the WAF is the correct approach (Option C), but the ethical and practical method is to test the backend servers directly with client permission, not to actively circumvent security controls during the test.

How to eliminate wrong answers

Option A is wrong because testing the CDN and WAF as part of the scope would evaluate the third-party provider's security, not the client's backend servers, and may violate the terms of service or contractual agreements with the provider. Option C is wrong because including a plan to bypass the WAF in the rules of engagement is risky, potentially illegal, and could disrupt the WAF's operation or trigger false positives; the proper approach is to test the backend IPs directly with client authorization. Option D is wrong because only testing public-facing URLs would leave the backend servers untested, as the CDN and WAF may mask vulnerabilities or block malicious traffic, failing to meet the client's requirement to assess backend security.

483
MCQmedium

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A.Performing a zone transfer against the target's DNS servers
B.Searching for the target's SSL certificates in Certificate Transparency logs
C.Using Nmap to scan common ports on the target's public IP range
D.Querying the target's WHOIS records for IP addresses
AnswerB

Certificate Transparency logs are public and can be queried without contacting the target. They often expose subdomains that may not be publicly listed elsewhere.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers of SSL/TLS certificates. By searching CT logs for certificates issued to the target organization, a penetration tester can discover subdomains, hostnames, and even internal-facing server names that are included in Subject Alternative Names (SANs) or Common Names (CNs). This reveals internal network architecture details (e.g., 'mail.internal.example.com') without any direct interaction with the target's systems, making it a purely passive reconnaissance technique.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction techniques like WHOIS lookups or zone transfers, not realizing that zone transfers and Nmap scans are active techniques that directly interact with the target's systems, while Certificate Transparency logs are a purely passive, third-party data source.

How to eliminate wrong answers

Option A is wrong because performing a zone transfer against the target's DNS servers is an active technique that directly interacts with the target's infrastructure; it sends a DNS query (AXFR) to the target's nameserver, which may be logged or blocked. Option C is wrong because using Nmap to scan common ports on the target's public IP range is an active scanning technique that sends packets to the target's systems, generating network traffic and potentially triggering intrusion detection systems. Option D is wrong because querying the target's WHOIS records for IP addresses provides only registration and administrative contact information, not internal network architecture details such as subdomains or hostnames.

484
MCQmedium

A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?

A.The tester must use only non-intrusive scanning techniques on the APIs.
B.The tester must exclude all API endpoints from testing.
C.The tester must coordinate testing schedules with the API vendors.
D.The tester must provide a list of all API calls to be made prior to testing.
AnswerA

Non-intrusive techniques reduce the likelihood of causing service disruption while still allowing assessment.

Why this answer

Option A is correct because the client explicitly stated that the APIs are critical for operations and cannot be taken offline. Non-intrusive scanning techniques, such as passive traffic analysis or read-only API calls with safe HTTP methods (GET, HEAD), minimize the risk of service disruption, data corruption, or rate-limit triggering. This aligns with the scoping requirement to maintain availability while still allowing security testing of the API layer.

Exam trap

The trap here is that candidates may assume 'non-intrusive' means only using automated scanners or that coordinating with vendors (Option C) is necessary for third-party APIs, but the core scoping principle is to avoid impacting production availability while still testing the API attack surface.

How to eliminate wrong answers

Option B is wrong because excluding all API endpoints would leave the most critical attack surface (third-party integrations for payment, shipping, and CRM) completely untested, violating the client's goal of a comprehensive security assessment. Option C is wrong because coordinating schedules with API vendors is impractical and unnecessary; the tester only needs to coordinate with the client, and the APIs are consumed by the web app, not owned by the tester. Option D is wrong because providing a list of all API calls prior to testing is overly restrictive and unrealistic for dynamic testing; it would prevent the tester from discovering undocumented endpoints or chaining calls in ways an attacker would, and it violates the principle of simulating real-world adversarial behavior.

485
MCQmedium

During an internal penetration test, the tester gains a low-privilege shell on a Linux server running a web application. The web application runs as the www-data user. The tester discovers that the www-data user can read the /etc/shadow file. The server has AppArmor enabled, which restricts certain actions. The tester wants to escalate privileges to root. Which technique is most likely to succeed?

A.Extract password hashes from /etc/shadow and crack them offline.
B.Use a kernel exploit like Dirty COW.
C.Search for SUID binaries with known vulnerabilities and exploit one.
D.Add the www-data user to the sudoers file.
AnswerC

SUID binaries run as root, and a vulnerable one can provide a direct root shell, bypassing AppArmor if the binary's profile allows.

Why this answer

Option C is correct because SUID binaries that are misconfigured or have known vulnerabilities can be exploited to execute commands with the privileges of the binary's owner (often root). Since the tester already has a low-privilege shell and can read /etc/shadow, searching for SUID binaries is a standard privilege escalation technique that does not require kernel exploits or write access to /etc/sudoers. The presence of AppArmor does not inherently block SUID exploitation unless specific profiles restrict the binary.

Exam trap

The trap here is that candidates assume reading /etc/shadow directly leads to root access via password cracking, but they overlook the practical difficulty of using the cracked password without an interactive login method, and they underestimate the effectiveness of SUID exploitation in a restricted environment like AppArmor.

How to eliminate wrong answers

Option A is wrong because extracting password hashes from /etc/shadow and cracking them offline only yields the password for a user account (e.g., root), but the tester does not have a way to use that password to log in as root (e.g., SSH may be disabled, or the tester lacks interactive login). Option B is wrong because kernel exploits like Dirty COW (CVE-2016-5195) are likely to be blocked by AppArmor's kernel-level restrictions, and modern kernels have patched this vulnerability; the question explicitly states AppArmor is enabled, which reduces the success rate of kernel exploits. Option D is wrong because adding the www-data user to the sudoers file requires write access to /etc/sudoers, which the www-data user does not have (the file is typically owned by root and has 440 permissions), and the tester cannot modify it from a low-privilege shell.

486
MCQmedium

A penetration tester is scoping a test for a multinational company that must comply with GDPR. The tester wants to ensure that any personal data captured during the test is handled appropriately. Which document should be reviewed?

A.Test plan
B.Authorization letter
C.Data processing agreement
D.Non-disclosure agreement
AnswerC

DPA defines how personal data must be handled, ensuring GDPR compliance.

Why this answer

A data processing agreement (DPA) outlines how personal data is processed and protected, which is essential for GDPR compliance. An NDA covers confidentiality but not data processing specifics. An authorization letter grants permission, and a test plan is technical.

487
MCQmedium

A penetration tester is preparing a report for a client that includes both a technical security team and an executive leadership team. The executive team needs to understand the overall risk posture, while the technical team requires detailed reproduction steps. Which reporting structure best serves both audiences?

A.A single report with an executive summary and technical appendices
B.Two completely separate reports: one for executives and one for technical staff
C.Only an executive summary, omitting technical details
D.Only a technical report with all details
AnswerA

This structure allows both audiences to find the information they need in one document. The executive summary is concise and non-technical, while technical appendices provide depth.

Why this answer

A single report with an executive summary and technical appendices is the correct structure because it satisfies both audiences: the executive summary provides a high-level risk posture overview (e.g., CVSS scores, business impact), while the technical appendices contain detailed reproduction steps (e.g., exact commands, payloads, and packet captures) for the technical team. This approach aligns with the PT0-002 objective of tailoring communication to stakeholders without losing technical rigor.

Exam trap

The trap here is that candidates think separate reports are more 'professional' or 'targeted,' but the PT0-002 exam expects a single cohesive report with layered detail to ensure consistency and traceability between the executive summary and technical findings.

How to eliminate wrong answers

Option B is wrong because two completely separate reports can lead to misalignment between the executive summary and technical details, causing executives to miss critical context or technical staff to lack business impact understanding. Option C is wrong because omitting technical details prevents the technical team from validating or reproducing findings, violating the reporting requirement for actionable remediation steps. Option D is wrong because a purely technical report overwhelms executives with jargon and lacks the risk posture summary they need for decision-making, failing the communication objective.

488
Multi-Selecteasy

Which TWO of the following are common methods used to bypass network access controls during a penetration test? (Choose two.)

Select 2 answers
A.SSID broadcasting
B.MAC spoofing
C.802.1Q trunking (VLAN hopping)
D.ARP poisoning
E.SQL injection
AnswersB, C

Spoofing a allowed MAC address can bypass MAC-based ACLs.

Why this answer

MAC spoofing allows a tester to impersonate an authorized device by changing the MAC address of their network interface to match a whitelisted MAC, thereby bypassing MAC-based access control lists (ACLs) or port security. This is a common bypass because many network access controls rely on MAC addresses as a simple authentication factor, which can be trivially altered using tools like `macchanger` or `ifconfig`.

Exam trap

CompTIA often tests the distinction between passive reconnaissance (like SSID broadcasting) and active bypass techniques, leading candidates to incorrectly select SSID broadcasting as a bypass method when it is merely a visibility setting.

489
MCQhard

A penetration tester is assessing a custom web application that uses JSON Web Tokens (JWT) for authentication. The tester suspects the token may be using a weak secret. Which tool is best suited to attempt cracking the JWT secret?

A.Hashcat
B.DirBuster
C.Burp Suite Intruder
D.sqlmap
AnswerA

Hashcat supports JWT (HMAC-SHA) cracking with its mode 16500.

Why this answer

Hashcat is a powerful password cracking tool that can crack JWT secrets using dictionary or brute-force attacks. John the Ripper is similar but hashcat is generally faster and more GPU-optimized. DirBuster is for directory discovery, sqlmap for SQL injection, and Burp Suite Intruder can be used but is less efficient for offline cracking.

490
MCQhard

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

A.Pass-the-Hash
B.Silver Ticket
C.Golden Ticket
D.DCSync
AnswerC

With the krbtgt hash, an attacker can create a Golden Ticket—a forged TGT that allows impersonation of any user for any service in the domain.

Why this answer

A Golden Ticket attack is the correct answer because the tester has cracked the krbtgt hash, which is the key used by the Key Distribution Center (KDC) to sign all Ticket Granting Tickets (TGTs). With this hash, the tester can forge a TGT for any user (including a domain admin) with an arbitrary long validity period, granting persistent administrative access to any resource in the domain without needing to interact with the domain controller again.

Exam trap

The trap here is that candidates confuse the scope of a Silver Ticket (limited to a single service) with a Golden Ticket (full domain compromise), often picking Silver Ticket because they think 'service ticket' sounds broader, but the krbtgt hash specifically enables TGT forgery, not service ticket forgery.

How to eliminate wrong answers

Option A is wrong because Pass-the-Hash (PtH) uses an NTLM hash of a user's password to authenticate, not the krbtgt hash, and it does not provide persistent access to all resources—it only allows impersonation of that specific user until the hash changes. Option B is wrong because a Silver Ticket forges a service ticket (TGS) using the hash of a service account (e.g., for a specific service like HTTP or CIFS), not the krbtgt hash, and it only grants access to that specific service, not to any resource in the domain.

491
MCQeasy

A penetration tester is engaged to perform a red team exercise for a large enterprise. The client wants the test to simulate a realistic attack from an external threat actor. Which of the following scoping elements is most important to include in the rules of engagement?

A.A list of all IP addresses to be scanned
B.The time window for the test
C.The amount of data to be exfiltrated
D.The specific vulnerabilities to be exploited
AnswerB

Defining the start and end times ensures the test does not interfere with critical operations and allows the blue team to be prepared.

Why this answer

In a red team exercise simulating an external threat actor, the rules of engagement must define the time window for testing to ensure the test aligns with operational constraints and minimizes business disruption. This scoping element is critical because it sets legal and logistical boundaries, such as avoiding peak business hours or maintenance windows, which is a core requirement for realistic yet safe adversarial simulation.

Exam trap

CompTIA often tests the misconception that a fixed target list (Option A) is essential for scoping, when in reality, red team exercises require discovery phases that mimic real attackers, making a predefined IP list counterproductive to the simulation's authenticity.

How to eliminate wrong answers

Option A is wrong because providing a list of all IP addresses to be scanned would undermine the realism of an external attack simulation, where the threat actor must discover targets through reconnaissance (e.g., DNS enumeration, Shodan, or passive scanning). Option C is wrong because specifying the amount of data to be exfiltrated is a constraint that would artificially limit the test's realism; in a real attack, exfiltration volume is determined by the attacker's objectives and the environment's defenses, not pre-defined limits.

492
MCQhard

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

A.Return-oriented programming (ROP) to bypass DEP
B.Simple shellcode injection on the stack
C.ASLR bypass techniques
D.Heap spraying
AnswerA

ROP chains use existing code snippets (gadgets) to perform operations without injecting executable code, bypassing DEP effectively.

Why this answer

Return-oriented programming (ROP) is the most appropriate technique because DEP marks the stack and heap as non-executable, preventing direct shellcode injection. With ASLR disabled, the attacker can reliably locate and chain small instruction sequences (gadgets) from the binary or loaded libraries to achieve arbitrary code execution without needing executable memory regions.

Exam trap

CompTIA often tests the misconception that DEP can be bypassed by simply injecting shellcode onto the stack, ignoring that DEP explicitly prevents execution from non-executable pages, making ROP or similar code-reuse techniques mandatory.

How to eliminate wrong answers

Option B is wrong because simple shellcode injection on the stack fails when DEP is enabled, as the CPU will raise an access violation when trying to execute code from a non-executable memory region. Option C is wrong because ASLR bypass techniques (such as information leaks or brute-forcing) are unnecessary when ASLR is already disabled; the core challenge here is DEP, not address randomization.

493
MCQmedium

During a network penetration test, the tester identifies that a web server is vulnerable to a buffer overflow. The server is running on a Windows system with DEP enabled. Which technique should the tester use to bypass DEP?

A.Return-to-libc attack
B.Return-Oriented Programming (ROP)
C.Use a NOP sled and shellcode injection
D.Stack pivoting
AnswerB

ROP uses existing code gadgets to execute arbitrary commands without injecting new code.

Why this answer

Return-Oriented Programming (ROP) is the correct technique to bypass Data Execution Prevention (DEP) on Windows. DEP marks memory pages (like the stack and heap) as non-executable, preventing direct shellcode execution. ROP chains together small instruction sequences (gadgets) already present in executable memory (e.g., in loaded DLLs) to achieve arbitrary behavior without injecting or executing new code.

Exam trap

The trap here is that candidates often confuse DEP bypass with simple shellcode injection (Option C) or assume stack pivoting alone bypasses DEP, when in fact ROP is the standard technique to execute code without relying on executable stack memory.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically calls a single libc function (e.g., system()) to execute a command, but on Windows with DEP, the stack is non-executable and the attack still relies on calling existing functions; however, ROP is more flexible and is the standard modern bypass for DEP, while return-to-libc is more associated with Linux and does not fully address the need for chaining multiple calls. Option C is wrong because a NOP sled and shellcode injection rely on executing code on the stack, which is blocked by DEP (non-executable stack). Option D is wrong because stack pivoting is a technique to redirect the stack pointer to a controlled memory region (e.g., heap) to facilitate ROP or other attacks, but it is not itself a method to bypass DEP; it is often used in conjunction with ROP, not as a standalone bypass.

494
MCQmedium

You are contracted to perform a penetration test for a healthcare organization. During the testing, you discover a critical SQL injection vulnerability that exposes patient health information. The deadline for the final report is one week away. The client's IT manager asks you to exclude this finding from the report because they are already aware of it and are working on a fix. The IT manager claims that including it would cause panic among stakeholders. What is the BEST course of action?

A.Agree to exclude it but note it verbally
B.Explain that findings must be included in the report regardless of awareness, and offer to present the finding in a controlled manner to management
C.Report the issue to the client's compliance officer without informing the IT manager
D.Include it only in the technical appendix
AnswerB

This maintains integrity while addressing the client's concerns about stakeholder reaction.

Why this answer

Option A is correct. According to reporting best practices, all findings must be documented regardless of awareness. Offering to present the finding in a controlled manner addresses the client's concern while ensuring transparency.

Option B is wrong because verbal notes are not part of the formal report and may be forgotten. Option C is wrong because hiding the finding in an appendix still includes it but may not give it appropriate visibility. Option D is wrong because bypassing the IT manager could damage trust and violate reporting protocols.

495
MCQmedium

A penetration tester has identified a critical misconfiguration in a cloud storage bucket that exposes sensitive customer data. The client's technical team has already applied a fix, but the tester wants to ensure the report accurately reflects the risk and the remediation. Which section of the report should include the steps to reproduce the vulnerability?

A.Executive summary
B.Findings and risk rating
C.Technical details and proof of concept
D.Remediation recommendations
AnswerC

This is the correct section, as it contains the exact commands, screenshots, and steps needed to reproduce the vulnerability for technical staff.

Why this answer

The technical details and proof of concept (POC) section is the correct place to include step-by-step reproduction steps because it provides the client's technical team with the exact commands, API calls, or configuration checks needed to verify the vulnerability and the fix. This section is distinct from the executive summary (which targets non-technical stakeholders) and the findings and risk rating (which focuses on impact and severity). By including reproduction steps here, the tester ensures the remediation can be validated without ambiguity.

Exam trap

The trap here is that candidates confuse the 'findings and risk rating' section with the 'technical details' section, assuming reproduction steps belong with the risk description, when in fact the PT0-002 exam expects a clear separation: risk rating is for impact, technical details is for replication.

How to eliminate wrong answers

Option A is wrong because the executive summary is intended for management and non-technical stakeholders, providing a high-level overview of risks and business impact, not detailed reproduction steps. Option B is wrong because the findings and risk rating section describes the vulnerability's nature, impact, and CVSS score, but does not include the procedural steps to replicate the issue; those steps belong in the technical details section.

496
MCQhard

A penetration tester is engaged to assess a corporate network that uses a centralized logging server (SIEM) with a 24/7 SOC. The tester has gained initial access to a Windows workstation via a phishing email. The goal is to move laterally to a domain controller without triggering alerts. The internal network is segmented into VLANs: a user VLAN (192.168.1.0/24) and a server VLAN (10.0.0.0/24) with strict firewall rules allowing only specific ports (e.g., RDP from user VLAN to server VLAN is denied). The tester discovers that the workstation has a PowerShell script that runs every hour to check for drive space on all servers using WinRM (port 5985) with stored domain admin credentials. The script is scheduled via a domain GPO. Which of the following actions should the tester perform to achieve lateral movement to the domain controller with the lowest chance of detection?

A.Alter the firewall rules to allow direct access from the user VLAN to the server VLAN
B.Use a RDP client to connect directly to the domain controller from the workstation
C.Modify the existing PowerShell script to include a reverse shell that connects back to the tester
D.Perform a pass-the-hash attack from the workstation to the domain controller using SMB
AnswerC

This leverages existing trusted infrastructure and credentials, blending in with normal operations.

Why this answer

Option C is correct because modifying the existing PowerShell script to include a reverse shell allows the tester to execute code on the domain controller using WinRM (port 5985), which is already permitted by the firewall and part of a legitimate scheduled task. This approach leverages the stored domain admin credentials and the trusted script execution path, avoiding any new connections or anomalies that would trigger SOC alerts. The reverse shell blends into the normal WinRM traffic, making detection by the SIEM or SOC highly unlikely.

Exam trap

The trap here is that candidates often choose pass-the-hash (Option D) because it is a well-known lateral movement technique, but they overlook the strict firewall rules and logging that would expose the SMB traffic, whereas modifying an existing trusted script (Option C) is stealthier and aligns with the scenario's constraints.

How to eliminate wrong answers

Option A is wrong because altering firewall rules requires administrative privileges on the firewall itself, which the tester does not have from a compromised workstation, and any change would be immediately detected by the SOC as an unauthorized configuration modification. Option B is wrong because RDP from the user VLAN to the server VLAN is explicitly denied by the firewall rules, and attempting a direct RDP connection would be blocked and logged as a failed connection attempt, triggering an alert. Option D is wrong because pass-the-hash over SMB typically uses port 445, which is likely blocked or restricted between VLANs, and the SMB protocol generates significant network logs that the SIEM would flag as anomalous lateral movement.

497
MCQmedium

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to gather information about the target's technology stack, including web server software and frameworks, without directly interacting with the target systems. Which technique is most effective?

A.Running Nmap with the -A flag against the target's public IP range
B.Using theHarvester to search for email addresses and subdomains
C.Querying public records with BuiltWith
D.Performing a DNS zone transfer
AnswerC

BuiltWith uses public data and DNS records to profile the technologies used by a website, including web servers, frameworks, and analytics tools, all without sending any traffic to the target.

Why this answer

BuiltWith is a passive reconnaissance tool that queries public web data and DNS records to identify a target's technology stack, such as web server software (e.g., Apache, Nginx) and frameworks (e.g., React, Django), without sending any packets to the target's systems. This makes it ideal for passive information gathering, as it relies on third-party databases and cached information rather than direct interaction.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction active tools like Nmap's -A flag, failing to recognize that any direct network probing constitutes active reconnaissance, even if it's just a single scan.

How to eliminate wrong answers

Option A is wrong because running Nmap with the -A flag performs active reconnaissance by sending probes directly to the target's IP range, which can be detected by intrusion detection systems and violates the passive requirement. Option B is wrong because theHarvester focuses on gathering email addresses and subdomains from search engines and public sources, not on identifying the technology stack like web server software or frameworks.

498
MCQmedium

A penetration tester is analyzing the results of a vulnerability scan against a web application. The scanner reports a potential SQL injection vulnerability in a login form parameter. However, manual testing with the same payload does not produce any error messages or changes in behavior. Which of the following is the most likely reason for the false positive?

A.The scanner used a payload that was not URL-encoded
B.The web application is using a parameterized query that sanitizes input
C.The scanning engine is outdated and does not support the latest SQL syntax
D.The login form is protected by a CAPTCHA that blocks automated scanning
AnswerB

Parameterized queries separate SQL logic from data, preventing injection even if input appears malicious. The scanner may have flagged based on the payload string, but the application handled it safely.

Why this answer

Option B is correct because the use of parameterized queries (prepared statements) separates SQL logic from user input, preventing SQL injection even if the input contains malicious payloads. The scanner's payload triggered a false positive because the application's database layer safely handles the input, so no error or behavioral change occurs during manual testing.

Exam trap

The trap here is that candidates often assume a vulnerability scanner's report is always accurate and overlook the possibility of false positives due to input handling mechanisms like parameterized queries, instead focusing on payload encoding or scanner version issues.

How to eliminate wrong answers

Option A is wrong because URL-encoding is a standard practice for transmitting special characters in HTTP requests; if the scanner's payload were not URL-encoded, the web server would likely reject or truncate the request, not produce a false positive. Option C is wrong because an outdated scanning engine might miss new SQL syntax or produce false negatives, but it would not cause a false positive; the scanner reported a vulnerability that manual testing disproves, which is a false positive, not a false negative.

499
MCQmedium

A penetration tester wants to fuzz a network protocol to find buffer overflows. Which tool is most appropriate?

A.John the Ripper
B.Peach Fuzzer
C.Nessus
D.Wireshark
AnswerB

Peach Fuzzer generates malformed data for protocol fuzzing.

Why this answer

Option A is correct because Peach Fuzzer is designed for protocol fuzzing. Option B is wrong because Wireshark captures packets. Option C is wrong because Nessus is a vulnerability scanner.

Option D is wrong because John the Ripper cracks passwords.

500
Drag & Dropmedium

Drag and drop the steps to perform privilege escalation on a Linux system using kernel exploit enumeration into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Privilege escalation requires system info gathering, exploit search, compilation, execution, and verification.

501
MCQeasy

A penetration tester wants to identify live hosts on a large internal network. Which Nmap option would be the FASTEST for initial host discovery?

A.-sV (Version detection)
B.-sS (SYN stealth scan)
C.-sn (Ping sweep)
D.-A (Aggressive scan)
AnswerC

The -sn option uses minimal probes to determine host availability and is the fastest method for host discovery.

Why this answer

The -sn option performs a ping sweep, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. It does not perform port scanning, making it the fastest method for initial host discovery on a large internal network because it only checks for host availability without enumerating services.

Exam trap

The trap here is that candidates often confuse host discovery with port scanning, assuming that a SYN scan (-sS) is the fastest because it is stealthy, but they overlook that -sn is designed specifically for host discovery and avoids the overhead of port scanning entirely.

How to eliminate wrong answers

Option A is wrong because -sV performs version detection, which requires an open port to be found first and then sends additional probes to determine service versions, making it significantly slower and not suitable for initial host discovery. Option B is wrong because -sS performs a SYN stealth scan, which scans for open ports on each host, requiring multiple packet exchanges per port and per host, which is much slower than a simple ping sweep for just identifying live hosts.

502
MCQhard

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A.Statement of Work (SOW)
B.List of allowed AWS regions and associated VPC CIDR ranges
C.Data Processing Agreement (DPA)
D.Penetration testing methodology document
AnswerB

This explicitly defines the geographic scope, preventing tests in non-US regions and ensuring compliance with data sovereignty laws.

Why this answer

Option B is correct because the rules of engagement (ROE) must explicitly define the authorized scope to prevent testing outside US-based regions, which could violate data sovereignty laws. Listing allowed AWS regions and their associated VPC CIDR ranges provides a precise technical boundary for the penetration test, ensuring that only in-scope systems are targeted. Without this, the testing team might inadvertently access resources in non-US regions, leading to legal and compliance breaches.

Exam trap

The trap here is that candidates often confuse the SOW (which defines high-level scope) with the ROE (which requires specific technical boundaries like region and CIDR lists), leading them to select Option A instead of the more precise Option B.

How to eliminate wrong answers

Option A is wrong because a Statement of Work (SOW) describes the overall project objectives, deliverables, and timelines, but it does not provide the granular technical scope (e.g., specific AWS regions and IP ranges) required to enforce data sovereignty restrictions during testing. Option C is wrong because a Data Processing Agreement (DPA) governs how personal data is processed and protected between parties, but it does not define the operational boundaries (e.g., which AWS regions or VPCs are permitted) for a penetration test; it is a legal document, not a scoping control.

503
Multi-Selecthard

Which TWO of the following actions are appropriate when handling personally identifiable information (PII) discovered during a penetration test?

Select 2 answers
A.Include raw PII in the report as proof of access
B.Transfer PII to the client's secure storage for inclusion in the report
C.Securely delete any PII that is not required for reporting
D.Redact or mask PII in screenshots and logs before inclusion
E.Anonymize PII by replacing with fake data in the report
AnswersC, D

Minimizes data retention.

Why this answer

Options B and D are correct. PII should not be included in reports; instead, use redacted evidence (B). If PII is accidentally collected, it must be securely deleted (D).

Option A violates protection. Option C is acceptable but not the best practice; redaction is preferred over anonymization when evidence is needed. Option E is incorrect because it transfers risk inappropriately.

504
MCQmedium

During a penetration test, the tester discovers active ransomware on a critical server. Which communication should the tester perform FIRST according to standard rules of engagement?

A.Include it in the final report
B.Immediately notify the client's emergency contact
C.Attempt to contain the ransomware
D.Log the finding and continue testing
AnswerB

The tester should promptly alert the client to allow them to take immediate action to mitigate the active threat.

Why this answer

The standard rules of engagement (ROE) for penetration testing require immediate notification of the client's emergency contact upon discovery of active ransomware. This is because ransomware represents an active, ongoing security incident that demands urgent response to prevent data loss and further spread, overriding the normal testing timeline. The tester must not attempt containment or continue testing, as those actions could interfere with incident response or violate legal boundaries.

Exam trap

CompTIA often tests the misconception that a penetration tester should attempt to contain or remediate active threats, but the correct action is always to notify the client's emergency contact immediately, as testers are observers, not incident responders.

How to eliminate wrong answers

Option A is wrong because including ransomware in the final report delays critical notification, potentially allowing the ransomware to encrypt more data or spread laterally, which violates the ROE requirement for immediate incident reporting. Option C is wrong because the tester lacks authorization and expertise to contain ransomware; attempting containment could destroy forensic evidence, trigger further encryption, or breach legal agreements. Option D is wrong because logging and continuing testing ignores the active threat, risking catastrophic data loss and violating the ethical duty to report imminent harm under the ROE.

505
MCQmedium

A penetration tester is preparing the final report. The client's legal team requests a document that outlines the scope, limitations, and any data handling procedures to comply with regulatory requirements. Which section of the report should include this information?

A.Executive Summary
B.Methodology
C.Scope and Rules of Engagement
D.Technical Findings
AnswerC

This section explicitly states the authorized scope, limitations, and data handling procedures, meeting legal and compliance requirements.

Why this answer

The Scope and Rules of Engagement section is the correct location for documenting the scope, limitations, and data handling procedures because it formally defines the boundaries of the penetration test, including authorized targets, testing windows, and legal constraints. This section ensures compliance with regulatory requirements by specifying how data is collected, stored, and disposed of, which is critical for audits and legal review.

Exam trap

The trap here is that candidates confuse the Executive Summary with a catch-all for legal disclaimers, but the exam expects the precise placement of contractual and compliance details in the Scope and Rules of Engagement section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview of findings and risk posture for management, not the detailed legal and procedural boundaries of the engagement. Option B is wrong because the Methodology section describes the technical approach, tools, and techniques used (e.g., NIST SP 800-115 phases), not the contractual scope or data handling policies.

506
Matchingmedium

Match each vulnerability category to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Attacker injects malicious SQL queries

Attacker injects client-side scripts into web pages

Attacker tricks user into performing unwanted actions

Writing more data to a buffer than it can hold

Accessing files outside the web root directory

Why these pairings

These are common web application vulnerabilities tested in the PT0-002 exam.

507
MCQmedium

A penetration tester is attempting to exploit a Linux system that has ASLR and DEP enabled. The tester has identified a buffer overflow vulnerability in a network service compiled without stack canaries and with a non-executable stack (NX). The binary is statically linked and not PIE. Which exploitation technique is most likely to succeed under these conditions?

A.Heap spraying to place shellcode in the heap and then overwrite a function pointer to execute the shellcode
B.Return-to-libc attack using libc functions
C.Return-Oriented Programming (ROP) to call mprotect and then execute shellcode on the stack
D.Ret2plt to call system() via the PLT
AnswerC

ROP allows the attacker to chain gadgets to call mprotect and change memory permissions on the stack to executable, then jump to shellcode placed on the stack. This bypasses NX while leveraging the known addresses from the statically linked, non-PIE binary.

Why this answer

Option C is correct because the binary is statically linked (no libc to return to) and has a non-executable stack (NX), so shellcode cannot execute directly on the stack. Return-Oriented Programming (ROP) allows the attacker to chain gadgets from the binary itself to call mprotect() and change the stack region to executable, then pivot to shellcode placed on the stack. Since ASLR is enabled but the binary is not PIE, its code base address is fixed, making ROP gadgets reliably addressable.

Exam trap

The trap here is that candidates assume return-to-libc is always viable, forgetting that a statically linked binary has no libc to return to, making ROP the only way to call mprotect and bypass NX.

How to eliminate wrong answers

Option A is wrong because heap spraying is typically used to increase the predictability of heap layout for a use-after-free or similar vulnerability, but here the vulnerability is a stack-based buffer overflow; overwriting a function pointer would require a separate write primitive and does not bypass NX on the stack. Option B is wrong because return-to-libc relies on libc functions being present at a known address, but the binary is statically linked, meaning no shared libc is loaded, and ASLR would randomize libc's base address even if it were dynamically linked.

508
MCQmedium

A penetration tester wants to identify hosts on a network that are running web servers on any TCP port, including non-standard ports. Which Nmap command is most efficient for this task?

A.nmap -sV -p- target
B.nmap -sC -p 80,443 target
C.nmap -O -p- target
D.nmap -sT -p 8000,8080 target
AnswerA

This scans all TCP ports and performs service detection, making it possible to identify web servers running on any port.

Why this answer

Option A is correct because `-sV` enables version detection to identify web server software, and `-p-` scans all 65535 TCP ports, including non-standard ones. This combination efficiently discovers web servers on any port without unnecessary overhead like OS detection or default script scanning.

Exam trap

The trap here is that candidates often choose `-sC` (default scripts) thinking it checks for web servers, but it only runs on the specified ports and doesn't detect services on non-standard ports.

How to eliminate wrong answers

Option B is wrong because `-sC` runs default scripts but only scans ports 80 and 443, missing non-standard ports. Option C is wrong because `-O` performs OS detection, which is irrelevant for identifying web servers, and `-p-` alone doesn't enable service detection. Option D is wrong because `-sT` is a full TCP connect scan limited to ports 8000 and 8080, ignoring the vast majority of potential web server ports.

509
MCQhard

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

A.Dictionary attack with common passwords
B.Brute-force attack with all possible 8-character combinations
C.Hybrid attack combining dictionary words with numbers and special characters
D.Rainbow table attack on the hash
AnswerC

This approach uses word mangling and is effective for passwords that are variations of common words.

Why this answer

Option C is correct because NTLMv2 hashes are computationally expensive to crack, and a hybrid attack that combines dictionary words with numbers and special characters is the most efficient approach given the 12-character minimum policy. This technique leverages common password patterns (e.g., 'Password123!') that users often create to meet complexity requirements, making it faster than brute-forcing all possible 12-character combinations.

Exam trap

The trap here is that candidates may assume a brute-force attack is always the most thorough method, but they overlook the time constraints of cracking 12-character hashes, making hybrid attacks the practical first choice.

How to eliminate wrong answers

Option A is wrong because a dictionary attack with common passwords is unlikely to succeed against a 12-character minimum policy, as users are forced to create longer, more complex passwords that rarely appear in standard wordlists. Option B is wrong because a brute-force attack with all possible 8-character combinations would fail to crack a 12-character password, as it only covers 8-character space and would never reach the required length.

Page 6

Page 7 of 7

All pages