CompTIA PenTest+ PT0-002 (PT0-002) — Questions 601–675

993 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601 · MCQ · easy

Which section of a penetration testing report should include screenshots, affected systems, and remediation steps?

A. Technical findings
B. Scope and methodology
C. Appendices
D. Executive summary

Answer: A

Correct. This section includes detailed evidence and remediation.

Why this answer

Technical findings contain detailed information for each vulnerability.

602 · MCQ · medium

A penetration tester is recommending remediation for a critical vulnerability. Which of the following is the best example of a specific, actionable remediation step?

A. Apply security patches.
B. Upgrade Apache from version 2.4.49 to 2.4.51.
C. Update the software to the latest version.
D. Fix the vulnerability.

Answer: B

Correct. This is specific and actionable.

Why this answer

Effective remediation should be specific, including exact versions or commands.

603 · Multi-Select · medium

A penetration tester has completed a web application test and is preparing the final deliverables. According to best practices, which THREE components should be included in the deliverables? (Select THREE.)

Select 3 answers
A. Raw vulnerability scan output
B. Detailed technical findings with evidence
C. Executive summary for management
D. Remediation guidance for each finding
E. Full source code of the application

Answers: B, C, D

Technical report for IT staff.

Why this answer

Option B is correct because penetration testing deliverables must include detailed technical findings with evidence, such as proof-of-concept exploit code, HTTP request/response pairs, or screenshots, to validate each vulnerability. This aligns with PT0-002 best practices, ensuring the client can reproduce and understand the issue without ambiguity.

Exam trap

The trap here is that candidates confuse raw vulnerability scan output (Option A) with validated findings, but PT0-002 emphasizes that deliverables must contain analyst-verified evidence, not unprocessed tool results.

604 · MCQ · medium

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

A. Executive Summary
B. Risk Assessment
C. Technical Findings
D. Appendices

Answer: C

This section is where remediation steps for each finding should be documented for the development team.

Why this answer

Option C is correct because the Technical Findings section of a penetration test report is designed to provide detailed, step-by-step remediation instructions for technical audiences, such as the development team. This section includes specific code-level fixes, parameterized query examples, and input validation techniques to address the SQL injection vulnerability, ensuring the team can implement precise changes.

Exam trap

The PT0-002 exam often tests the distinction between report sections by making candidates confuse the high-level Executive Summary with the detailed Technical Findings, especially when the question emphasizes 'step-by-step remediation' for a technical team.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks and business impact, not granular remediation steps. Option B is wrong because the Risk Assessment section focuses on the likelihood, impact, and severity rating of findings (e.g., CVSS scores), not on how to fix the vulnerability technically.

605 · MCQ · easy

A penetration tester is performing internal reconnaissance on a Windows domain. The tester wants to enumerate SMB shares on multiple hosts quickly. Which tool is best suited for this task?

A. nmap -sV --script=smb-enum-shares
B. enum4linux
C. nbtscan
D. dig

Answer: B

enum4linux automates enumeration of SMB shares, users, and other Windows information.

Why this answer

B is correct because enum4linux is a dedicated tool that automates the enumeration of SMB shares, users, and other information from Windows and Samba systems using the SMB protocol (primarily over TCP/445 and NetBIOS over TCP/139). It leverages the SMB RPC calls (e.g., NetShareEnum) to quickly list shares across multiple hosts, making it ideal for internal reconnaissance in a Windows domain.

Exam trap

The trap here is that candidates often choose nmap because it is a versatile scanning tool, but they overlook that enum4linux is purpose-built for rapid SMB share enumeration across multiple hosts, making it the more efficient choice for this specific task.

How to eliminate wrong answers

Option A is wrong because while nmap with the smb-enum-shares script can enumerate SMB shares, it is not the fastest tool for quickly scanning multiple hosts; nmap's script scanning is slower and more suited for detailed single-host analysis. Option C is wrong because nbtscan only enumerates NetBIOS name tables (using NBNS over UDP/137) and does not enumerate SMB shares; it provides hostnames and MAC addresses, not share lists.

606 · MCQ · easy

A penetration tester is preparing the executive summary of a report for a client's board of directors. Which of the following metrics would be MOST valuable for this audience to understand the overall security posture?

A. The exact CVSS score for each vulnerability found
B. A heat map showing the number of vulnerabilities by severity (Critical, High, Medium, Low)
C. A detailed list of commands used during exploitation
D. The names of the operating systems and applications that were tested

Answer: B

This provides a quick, visual representation of the overall security posture and is easily understood by non-technical stakeholders.

Why this answer

The board of directors needs a high-level, risk-based overview of the security posture, not technical details. A heat map with vulnerability counts by severity (Critical, High, Medium, Low) provides an immediate visual representation of risk distribution, enabling strategic decisions without requiring technical expertise. This aligns with the PT0-002 objective of tailoring reporting to the audience.

Exam trap

The trap here is that candidates may think exact CVSS scores (Option A) are more precise and therefore more valuable, but the board needs actionable risk summaries, not technical precision.

How to eliminate wrong answers

Option A is wrong because exact CVSS scores (e.g., 7.5) are too granular for a board audience; they require context and are better suited for technical remediation teams. Option C is wrong because a detailed list of commands used during exploitation is operational data for technical staff, not strategic information for executives, and would obscure the overall risk picture.

607 · Multi-Select · hard

A penetration tester is scoping a test for a client that uses a hybrid identity system. The client wants to ensure that the test does not affect production authentication. Which TWO actions should the tester recommend?

Select 2 answers
A. Test using non-production accounts
B. Conduct testing during off-peak hours
C. Use a separate domain for testing
D. Perform password spraying against all users
E. Disable MFA for test accounts

Answers: A, C

Keeps test traffic away from real user accounts.

Why this answer

Using non-production accounts and a separate test domain isolates the test from production identity systems. Password spraying against all users could disrupt or lock out accounts, and disabling MFA would weaken security. Off-peak scheduling reduces impact but does not prevent direct interaction with production systems.

608 · MCQ · easy

A penetration tester is preparing a deliverable for a client. Which of the following should be included in the final report?

A. Executive summary, technical findings, and remediation guidance
B. The tester's personal notes and observations
C. Only the technical findings
D. Only the executive summary

Answer: A

This is the standard structure.

Why this answer

A standard penetration testing report includes an executive summary, technical findings, and remediation guidance.

609 · MCQ · easy

A penetration tester is performing a network attack and wants to intercept traffic between two hosts on the same local network. Which technique should the tester use to redirect traffic through their machine?

A. DNS poisoning
B. LLMNR poisoning
C. ARP spoofing
D. SSL stripping

Answer: C

ARP spoofing is used to intercept traffic on a local network by sending forged ARP replies.

Why this answer

ARP spoofing allows an attacker to associate their MAC address with the IP address of another host, intercepting traffic intended for that host.

610 · MCQ · easy

A penetration tester is conducting an internal assessment of a company's web application. The application provides a file upload feature that accepts images but does not validate the file type on the server side. The tester has identified that the application runs on an Apache server with PHP support. The tester wants to execute a command on the server to establish a reverse shell. The tester has a Linux client and has already crafted a PHP reverse shell payload. The tester has also verified that outbound connections are allowed from the server. After uploading the malicious PHP file, the tester attempts to access it via a browser but receives a 404 error. The tester suspects the uploaded file may have been renamed or moved. Which of the following steps should the tester take next to achieve code execution?

A. Modify the PHP payload to avoid detection by antivirus on the server.
B. Use a directory listing tool to scan for hidden files in the upload directory.
C. Re-upload the file with a different extension like .php5 or .phtml.
D. Check the web server access and error logs to identify the actual path where the file was saved.

Answer: D

Logs can show the URL and path used, revealing any renaming or relocation of the uploaded file.

Why this answer

The 404 error suggests the file is not at the expected location. Checking the web server access and error logs can reveal the actual path or filename that the server used for the uploaded file. Option D is the most logical next step.

Option A is incorrect because the server is returning a 404, not a parsing error. Option B is premature before the file path has been determined. Option C would only be relevant if the file were successfully accessed but not executed.

611 · MCQ · medium

After gaining initial access to a Windows host, you want to escalate privileges by exploiting a service that runs as SYSTEM but has an unquoted service path. What is the attack vector?

A. Token impersonation
B. AlwaysInstallElevated
C. Unquoted service path
D. DLL hijacking

Answer: C

If the path to the service binary is not quoted, Windows will interpret spaces as separators, allowing execution of a malicious binary placed earlier in the path.

Why this answer

An unquoted service path vulnerability allows an attacker to place an executable at a location that the service will execute because of ambiguous path parsing.

612 · MCQ · hard

A penetration tester is performing active reconnaissance on a target network and wants to enumerate SNMP devices to gather system information. The tester uses snmpwalk with a common community string. Which community string is most likely to provide read-write access if misconfigured?

A. private
B. public
C. internal
D. manager

Answer: A

'private' is the default read-write community string.

Why this answer

SNMP community strings act like passwords. 'public' is the default read-only community string; 'private' is the default read-write community string. 'internal' and 'manager' are less common defaults. The tester should try 'private' for potential read-write access.

613 · MCQ · easy

During an internal penetration test, a tester wants to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic. Which tool should the tester use?

A. ntlmrelayx
B. Bettercap
C. Hashcat
D. Responder

Answer: D

Responder is the standard tool for LLMNR/NBT-NS/mDNS poisoning to capture hashes.

Why this answer

Responder is specifically designed to respond to LLMNR and NBT-NS queries and capture NetNTLM hashes.

614 · MCQ · medium

After a penetration test, the client's development team requires detailed, step-by-step instructions to reproduce a SQL injection vulnerability found in the user login functionality. In which section of the standard penetration testing report should this information be included?

A. Executive Summary
B. Technical Findings
C. Recommendations
D. Risk Rating

Answer: B

This section contains detailed information about each vulnerability, including steps to reproduce, proof of concept, and technical impact.

Why this answer

The Technical Findings section is the correct location because it provides detailed, step-by-step reproduction steps for vulnerabilities, including the exact SQL injection payloads, input fields, and HTTP request parameters used to exploit the login functionality. This section is intended for technical audiences (e.g., developers) who need to understand and remediate the issue, not for high-level summaries or general advice.

Exam trap

The trap here is that candidates often confuse the purpose of the Recommendations section, thinking it should include step-by-step reproduction steps, when in fact it only contains high-level remediation guidance, while the Technical Findings section is the proper place for detailed exploitation procedures.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, containing business impact, risk ratings, and strategic recommendations, not step-by-step technical reproduction instructions. Option C is wrong because the Recommendations section provides high-level remediation advice (e.g., 'use parameterized queries') but does not include the detailed, step-by-step reproduction steps needed by the development team to verify and fix the specific vulnerability.

615 · MCQ · hard

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

A. Use the php://input wrapper and send PHP code in the POST body.
B. Use the file:// wrapper to read sensitive files like /etc/passwd.
C. Use the data:// wrapper with a base64-encoded PHP payload.
D. Set allow_url_include to On in php.ini via the LFI.

Answer: A

php://input reads the raw POST data. When included, the PHP interpreter will execute any code contained in the POST body. This is a common technique to turn LFI into RCE, and it does not require allow_url_include to be enabled.

Why this answer

The correct technique is to use the php://input wrapper because it allows the attacker to pass arbitrary PHP code in the HTTP POST body, which the include() function will execute as PHP. Since the vulnerable code directly includes user input without sanitization, the php://input stream reads the raw POST data and processes it as a PHP script, achieving remote code execution.

Exam trap

The trap here is that candidates often assume data:// is the most direct way to inject code, but they overlook that php://input is more reliable because it does not require allow_url_include to be enabled, which is a common security hardening measure.

How to eliminate wrong answers

Option B is wrong because the file:// wrapper only reads local files and does not allow code execution; it would only read sensitive files like /etc/passwd, not achieve RCE. Option C is wrong because while the data:// wrapper can execute PHP code if the allow_url_include directive is enabled, it is often disabled by default in modern PHP configurations, making it less reliable than php://input, which is more commonly available and does not require allow_url_include to be enabled for this purpose.

616 · MCQ · medium

You are writing the final report for a penetration test. The client has requested that the report be delivered in an encrypted format. Additionally, the client wants to include raw screenshots and command outputs for evidence. The tester has captured screenshots that show user credentials in clear text from a successful phishing attack. What is the BEST way to handle this?

A. Exclude the evidence and only describe the finding
B. Redact or obfuscate the credentials in the screenshots before including them
C. Provide the screenshots in a separate unencrypted file
D. Include the raw screenshots as requested

Answer: B

This preserves the evidence while protecting sensitive information.

Why this answer

Option B is correct. Redacting or obfuscating sensitive data such as credentials protects confidentiality while still providing evidence. Option A is wrong because removing the evidence may weaken the report's credibility.

Option C is wrong because unencrypted delivery defeats the purpose of encrypting the report and exposes data. Option D is wrong because exposing credentials in raw screenshots violates data protection best practices.

617 · MCQ · medium

During a penetration test, the tester performs a SYN scan with Nmap on a target network. The results show that port 443 is open on a web server. The tester then runs a service version detection scan and discovers the server is running Apache 2.4.41. Which Nmap flags were used in sequence?

A. nmap -A then nmap -O
B. nmap -sS then nmap -sV
C. nmap -sV then nmap -sS
D. nmap -sS then nmap -sC

Answer: B

-sS performs SYN scan, -sV detects service versions.

Why this answer

The tester first performed a SYN scan with -sS to identify open ports, then used -sV for service version detection. -sC runs default scripts, -O is for OS detection, and -A enables aggressive scanning (includes OS detection, version detection, script scanning, and traceroute).

618 · Multi-Select · hard

Which THREE of the following are important elements to include in the remediation section of a penetration test report? (Select THREE.)

Select 3 answers
A. Priority levels (e.g., Critical, High, Medium) based on risk.
B. A list of all external parties notified about the vulnerabilities.
C. Step-by-step instructions to fix each vulnerability.
D. CVE identifiers or references to industry best practices.
E. Detailed timeline of when each finding was discovered.

Answers: A, C, D

Prioritization guides the client on what to fix first.

Why this answer

Options A, C, and D are correct. Remediation should include specific steps, reference to industry standards, and priority based on risk. Option B is not a standard part of remediation; it's for methodology.

Option E is about disclosure, not remediation.

619 · MCQ · easy

Which of the following is the primary audience for the executive summary of a penetration test report?

A. Executives and management
B. Developers
C. External auditors
D. System administrators

Answer: A

The executive summary is tailored for non-technical decision-makers.

Why this answer

The executive summary is written for non-technical stakeholders such as executives and managers, using business language and focusing on risk and strategic recommendations.

620 · Multi-Select · medium

A penetration testing firm is scoping a network penetration test for a client. The client has provided a list of IP ranges and subnets. Which TWO of the following should the tester consider when defining the scope?

Select 2 answers
A. Identify any third-party hosted services within the provided IP ranges and obtain explicit permission
B. Define which IP ranges are out of scope and document them
C. All IP addresses owned by the client are in scope
D. Test all IP addresses regardless of ownership to ensure complete coverage
E. Include all subnets that are routable from the internet

Answers: A, B

Correct. Third-party services need separate authorization.

Why this answer

Scoping must distinguish in-scope vs out-of-scope assets and address third-party services that require permission.

621 · MCQ · hard

A penetration tester is writing a report and needs to assign a custom severity rating for a vulnerability that has high business impact but low likelihood of exploitation. Using a custom severity based on business context (impact + likelihood), which rating is most appropriate?

A. Critical
B. High
C. Medium
D. Low

Answer: C

Correct. High impact + low likelihood balances to medium.

Why this answer

High impact but low likelihood typically results in a medium severity when combining both factors.

622 · Multi-Select · easy

Which THREE of the following are common components of a pre-engagement agreement between a penetration tester and a client?

Select 3 answers
A. List of all employee passwords
B. Rules of Engagement (RoE)
C. Statement of Work (SOW)
D. Non-Disclosure Agreement (NDA)
E. Full source code of the target application

Answers: B, C, D

Correct. RoE defines the testing boundaries.

Why this answer

Pre-engagement typically includes SOW, RoE, NDA, permission letters, emergency contacts, and communication plans.

623 · MCQ · easy

After completing a penetration test, you present the findings to the client's technical team. During the debrief meeting, the technical lead argues that one of the identified vulnerabilities is not exploitable in their environment and should be removed from the report. The evidence you have shows it is exploitable. What is the BEST response?

A. Immediately remove the finding to maintain good client relations
B. Challenge the technical lead and insist it stays
C. Document the disagreement and include both perspectives in the report
D. Offer to demonstrate the exploit to confirm

Answer: C

This provides transparency and allows the client to evaluate the risk based on both views.

Why this answer

Option C is correct. The best practice is to document the disagreement and include both perspectives, allowing the client to make an informed decision. Option A is wrong because removing the finding compromises the report's accuracy.

Option B is wrong because it may escalate the conflict without a constructive outcome. Option D is wrong because demonstrating exploits during a debrief may not be appropriate or feasible.

624 · MCQ · easy

A tester has exploited a Linux system and gained a low-privilege shell. The tester runs 'sudo -l' and sees that the current user can run /usr/bin/find as root without a password. Which privilege escalation technique should the tester use?

A. SUID binary exploitation
B. PATH manipulation
C. Kernel exploit
D. GTFOBins technique for find

Answer: D

GTFOBins lists commands that can be abused via sudo, and find with -exec is one.

Why this answer

The find command can be used to execute other commands via its -exec parameter, allowing privilege escalation.

625 · MCQ · hard

During a penetration test, the tester discovers evidence that an external attacker is actively exploiting a vulnerability in the client's environment. Which of the following is the MOST appropriate action?

A. Document the evidence and ignore it
B. Attempt to block the attacker's activities
C. Immediately notify the client and stop testing
D. Continue testing and include the finding in the final report

Answer: C

The tester should stop testing and inform the client of the live attack.

Why this answer

If there is evidence of a live attack or criminal activity, the tester should stop testing and immediately notify the client so they can take appropriate action.

626 · MCQ · easy

When writing the executive summary of a penetration test report, which of the following is the most appropriate language to use?

A. A list of all vulnerabilities sorted by CVSS score without context.
B. Raw output from scanning tools and network packet captures.
C. Business-oriented language focusing on risk, impact, and high-level recommendations.
D. Detailed technical descriptions of each vulnerability and exploit code used.

Answer: C

This aligns with the needs of executives who need to understand risk and make decisions.

Why this answer

The executive summary should be written in business language, avoiding technical jargon, to convey the overall risk and strategic recommendations to non-technical stakeholders.

627 · MCQ · hard

During a penetration test, a tester identifies a critical SQL injection vulnerability. The client remediates the issue, but a retest reveals the same vulnerability in a different module of the application. How should the tester present this information in the final report to best communicate recurring risks?

A. List each instance as a separate finding with its own risk rating.
B. Increase the CVSS score of the second finding to reflect the repeated issue.
C. Note that the vulnerability was successfully remediated earlier and reappeared, so it is now considered a new finding.
D. Document the recurrence and recommend a root-cause analysis and secure coding training to prevent future regressions.

Answer: D

This provides a comprehensive view of the problem and offers strategic remediation advice.

Why this answer

Option D is correct because it addresses the root cause of the recurrence rather than treating each instance as an isolated event. By recommending a root-cause analysis and secure coding training, the tester helps the client prevent future regressions across the entire codebase, which is the core goal of a penetration test report. This aligns with the PT0-002 objective of providing actionable remediation guidance beyond simply listing vulnerabilities.

Exam trap

The trap here is that candidates may think treating each recurrence as a separate or escalated finding is more thorough, but the exam emphasizes that the report should drive systemic improvement rather than just cataloging symptoms.

How to eliminate wrong answers

Option A is wrong because listing each instance as a separate finding with its own risk rating would inflate the risk count without addressing the underlying systemic issue, leading to a fragmented and less actionable report. Option B is wrong because increasing the CVSS score of the second finding is not a valid practice; CVSS scores are based on the intrinsic characteristics of a vulnerability, not on the history of its recurrence. Option C is wrong because noting the vulnerability as a new finding ignores the fact that it is a regression of a previously fixed issue, which should trigger a deeper investigation into why the fix failed, not simply be treated as a brand-new finding.

628 · MCQ · medium

During a penetration test, a tester discovers a binary that appears to be obfuscated. Which approach is best for deobfuscation?

A. Use a debugger like GDB
B. Execute the binary in a sandbox
C. Run the 'strings' command
D. Recompile the binary from source

Answer: A

A debugger steps through code, helping to reverse obfuscation.

Why this answer

Option A is correct because a debugger like GDB allows dynamic analysis to follow execution and decode the obfuscation. Option B is wrong because sandboxes analyze behavior, not code deobfuscation. Option C is wrong because strings may not reveal obfuscated content.

Option D is wrong because the source is not available.

629 · MCQ · medium

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

A. Shodan
B. Nmap with -sT scan
C. BuiltWith
D. Wappalyzer browser extension

Answer: C

BuiltWith uses historical and public data to identify technologies used by a website, making it a passive information source.

Why this answer

BuiltWith is a web-based reconnaissance tool that analyzes a target website's technology stack by examining publicly available data, such as HTTP headers, HTML source code, and JavaScript files, without sending any packets from the tester's machine. It passively gathers information about web server software, frameworks, analytics tools, and more, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with tools that appear passive from their own machine but rely on active scanning by a third-party service, like Shodan, or they may incorrectly think Nmap can be used passively when it inherently requires packet transmission.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices that actively probes and indexes banners from services, but it relies on its own active scanning infrastructure, not passive gathering from the tester's perspective; the tester does not send packets, but Shodan itself does. Option B is wrong because Nmap with -sT scan performs a TCP connect scan, which sends SYN and ACK packets to the target, making it an active scanning technique that violates the requirement of not sending any packets.

630 · MCQ · easy

A penetration tester wants to crack NTLM hashes captured during an internal test. Which hashcat mode should the tester use for NTLM hashes?

A. 0
B. 22000
C. 1000
D. 13100

Answer: C

Mode 1000 is NTLM.

Why this answer

Hashcat mode 1000 is specifically for NTLM hashes.

631 · MCQ · easy

A penetration tester discovers a critical vulnerability on a client's web server and wants to communicate it immediately. Which of the following is the most appropriate action?

A. Notify the client's point of contact immediately.
B. Include the finding in the report without prior communication.
C. Wait until the final report is complete.
D. Post the findings on a public forum for disclosure.

Answer: A

This aligns with responsible disclosure and client expectations.

Why this answer

Immediate notification of critical findings ensures the client can take urgent steps to mitigate risk.

632 · MCQ · medium

A penetration tester is writing a Python script to send a crafted TCP packet to a target. Which Python library should the tester use for low-level packet crafting and injection?

A. requests
B. impacket
C. scapy
D. socket

Answer: C

Correct. Scapy allows crafting and sending custom packets.

Why this answer

Scapy is the correct choice because it is a powerful Python library specifically designed for low-level packet crafting, manipulation, and injection. It allows the tester to construct arbitrary TCP packets at the raw socket level, control individual flags, sequence numbers, and payloads, and send them directly over the wire using Layer 2 or Layer 3 sockets. This makes it ideal for tasks like SYN flooding, TCP handshake manipulation, or custom protocol fuzzing.

Exam trap

Cisco often tests the distinction between high-level protocol libraries (requests, impacket) and low-level packet crafting tools (scapy), trapping candidates who confuse 'network scripting' with 'raw packet manipulation'.

How to eliminate wrong answers

Option A is wrong because the 'requests' library is a high-level HTTP client library used for sending and receiving HTTP requests; it operates at the application layer and cannot craft or inject raw TCP packets. Option B is wrong because 'impacket' is a collection of Python classes for working with network protocols, particularly SMB and Kerberos, but it is not designed for low-level packet crafting and injection; it focuses on protocol-level interactions rather than raw packet manipulation. Option D is wrong because the 'socket' library provides low-level networking interfaces (e.g., raw sockets) but lacks the high-level abstractions, protocol dissection, and packet-building utilities that Scapy offers; using raw sockets alone would require manually constructing all packet headers and handling checksums, which is error-prone and far less efficient.

633 · MCQ · easy

A penetration tester has obtained a dump of NTLM password hashes from a Windows Domain Controller. The tester wants to crack these hashes as quickly as possible using GPU acceleration. Which tool is the BEST choice for this task?

A. John the Ripper
B. Hashcat
C. Ophcrack
D. THC-Hydra

Answer: B

Hashcat is designed for high-speed password cracking with GPU support; it is the fastest tool for NTLM hashes when a compatible GPU is available.

Why this answer

Hashcat (Option B) is the best choice because it is specifically designed for GPU-accelerated password cracking, supporting NTLM hashes with the -m 1000 mode. It leverages OpenCL or CUDA to parallelize cracking across thousands of GPU cores, making it significantly faster than CPU-based tools for large hash dumps. John the Ripper can use GPUs but requires additional configuration and is generally slower for NTLM hashes, while Ophcrack is limited to LM hashes and cannot handle NTLM hashes at all.

Exam trap

The trap here is that candidates often assume John the Ripper is the universal cracking tool due to its popularity, overlooking that Hashcat is the industry standard for GPU-accelerated NTLM cracking because of its optimized kernel and native support for the NTLM hash mode (-m 1000).

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of GPU acceleration via the 'john --devices' flag, is primarily CPU-optimized and requires manual setup for OpenCL, resulting in slower performance compared to Hashcat's native GPU pipeline for NTLM hashes. Option C is wrong because Ophcrack is designed exclusively for LM hashes using rainbow tables and cannot process NTLM (NT hash) dumps, making it completely unsuitable for this task.

634
MCQhard

A penetration tester is conducting a wireless assessment and needs to capture the four-way handshake to perform offline WPA cracking. Which tool is best suited for capturing the handshake?

A.aircrack-ng
B.aireplay-ng
C.airmon-ng
D.airodump-ng
AnswerD

airodump-ng captures raw 802.11 frames, including handshakes.

Why this answer

Airodump-ng (option D) is the correct tool for capturing the four-way handshake because it passively monitors wireless traffic and can save captured packets to a file (e.g., .cap or .pcap). The four-way handshake occurs during the WPA/WPA2 authentication process between a client and an access point, and airodump-ng's ability to filter on a specific channel and BSSID allows the tester to isolate and record the handshake frames for offline cracking.

Exam trap

The trap here is that candidates confuse airodump-ng (capture tool) with aircrack-ng (cracking tool) or aireplay-ng (injection tool), leading them to pick a tool that cannot actually capture the handshake.

How to eliminate wrong answers

Option A (aircrack-ng) is wrong because it is a WEP/WPA key cracking tool that uses captured handshake files, not a packet capture tool; it cannot capture the handshake itself. Option B (aireplay-ng) is wrong because it is used for packet injection and replay attacks (e.g., deauthentication attacks to force a client to reconnect), not for passively capturing the handshake. Option C (airmon-ng) is wrong because it is a utility to enable or disable monitor mode on a wireless interface, not a packet capture tool; it prepares the interface for capture but does not capture frames.

635
Multi-Selecteasy

A penetration tester is reviewing Python code for a web application and finds the following snippet:

    import sqlite3

    def get_user(username):
        conn = sqlite3.connect('users.db')
        cursor = conn.cursor()
        query = "SELECT * FROM users WHERE username = '" + username + "'"
        cursor.execute(query)
        return cursor.fetchall()

Which TWO of the following vulnerabilities are present in this code? (Select TWO.)

Select 2 answers
A.Improper error handling
B.SQL injection
C.Cross-site scripting (XSS)
D.Command injection
E.Path traversal
AnswersA, B

No try-except block is present, so exceptions may leak stack traces.

Why this answer

Option B is correct because the code concatenates user input directly into the SQL query string, allowing SQL injection. Option A is correct because the code does not handle exceptions; if the database query fails, the unhandled exception could reveal sensitive information. Options C, D, and E are not present because there is no output to a browser (XSS), no system command execution (command injection), and no file path manipulation (path traversal).

636
MCQmedium

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

A.Using URL encoding for the single quote (%27)
B.Using double quotes instead of single quotes
C.Using a second-order SQL injection
D.Using a payload without quotes, such as numeric injection
AnswerD

If the input is used in a numeric context (e.g., WHERE id=5), quoting is not needed, allowing injection without single quotes.

Why this answer

Option D is correct because numeric injection does not require quotes at all, directly bypassing the single-quote filter. When the vulnerable parameter expects a numeric value (e.g., an ID), the tester can inject SQL logic like `OR 1=1` without any quotes, making it the most effective technique against input validation that blocks single quotes.

Exam trap

The trap here is that candidates often assume URL encoding or alternative quote characters will bypass the filter, but they overlook that the filter operates on the decoded input or that SQL syntax strictly requires single quotes for string delimiters.

How to eliminate wrong answers

Option A is wrong because URL encoding (%27) is typically decoded by the web server before the input reaches the application, so the filter still sees the single quote and blocks it. Option B is wrong because double quotes are not interchangeable with single quotes in SQL; string literals in SQL (e.g., MySQL, PostgreSQL) require single quotes, so double quotes would not close the string and would likely cause a syntax error or be treated as identifiers. Option C is wrong because second-order SQL injection relies on storing malicious input (often containing quotes) in the database and later executing it; the initial injection still needs to bypass the filter to store the payload, so it does not solve the immediate problem of the single-quote filter.
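The following is an added example, not code from the question bank: it places the vulnerable get_user() from question 635 beside a parameterized, error-handling version, and adds the numeric-context case from question 636 (a quote-free payload against an unquoted integer column) with its type-enforcing fix. It runs against a constructed in-memory SQLite table; the table layout, column names and sample rows are assumptions made for the demonstration.

```python
"""Added example (not the page's code): the vulnerable get_user() from
question 635 beside a hardened version, plus the numeric-context case from
question 636, run against a constructed in-memory SQLite table so it executes
offline. Table and column names are assumptions."""
import logging
import sqlite3

log = logging.getLogger("users")

# Constructed sample rows: (id, username, email).
SAMPLE_ROWS = [(1, "alice", "alice@example.invalid"),
               (2, "bob", "bob@example.invalid"),
               (3, "o'brien", "obrien@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Create the in-memory users table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_user_vulnerable(conn, username):
    """Mirrors the question's snippet: concatenation makes the input part of
    the SQL text, and nothing catches the resulting errors."""
    cursor = conn.cursor()
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    cursor.execute(query)
    return cursor.fetchall()


def get_user_by_id_vulnerable(conn, user_id):
    """Numeric context from question 636: no quotes around the value, so a
    payload such as "1 OR 1=1" needs no quote character at all."""
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
    return cursor.fetchall()


def get_user_safe(conn, username):
    """Hardened form: a bound parameter keeps the input as data, and database
    errors are logged server-side and mapped to an empty result instead of
    propagating a stack trace to the caller."""
    try:
        cursor = conn.cursor()
        cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
        return cursor.fetchall()
    except sqlite3.Error as exc:
        log.error("user lookup failed: %s", exc)  # detail stays in the log
        return []


def get_user_by_id_safe(conn, user_id):
    """Enforce the expected type before binding; a non-integer is rejected
    rather than interpolated into the statement."""
    try:
        bound = int(user_id)
    except (TypeError, ValueError):
        return []
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE id = ?", (bound,))
    return cursor.fetchall()


def demo():
    """Run both pairs on constructed inputs and report what each returned."""
    conn = make_db()
    tautology = "' OR '1'='1"                 # string-context injection
    numeric = "1 OR 1=1"                      # quote-free injection
    injected = len(get_user_vulnerable(conn, tautology))          # every row
    bound = len(get_user_safe(conn, tautology))                   # no rows
    num_injected = len(get_user_by_id_vulnerable(conn, numeric))  # every row
    num_bound = len(get_user_by_id_safe(conn, numeric))           # rejected
    try:   # an apostrophe in a legitimate name breaks the concatenated query
        get_user_vulnerable(conn, "o'brien")
        crashed = False
    except sqlite3.OperationalError:
        crashed = True                        # unhandled in the original code
    legit = len(get_user_safe(conn, "o'brien"))                   # one row
    return injected, bound, num_injected, num_bound, crashed, legit


if __name__ == "__main__":
    print(demo())
```

demo() returns (3, 0, 3, 0, True, 1): the tautology and the quote-free numeric payload each return every row from the concatenating versions and nothing from the bound versions, a legitimate apostrophe crashes the original code with an unhandled OperationalError, and the parameterized query returns that user's single row.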

637
MCQeasy

During the scoping phase of a penetration test, a client wants to test a third-party API that is integral to their web application. However, they do not have permission from the third-party provider. Which of the following should the tester do first?

A.Proceed with testing the API but restrict the test to read-only operations
B.Exclude the third-party API from the scope and document the limitation
C.Contact the third-party provider directly to obtain permission
D.Include the API in the scope and note the legal risks in the report
AnswerB

This is the correct approach. The scope should clearly state what is in and out of bounds. The client can then seek permission separately if desired.

Why this answer

Option B is correct because testing a third-party API without explicit permission from the provider violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The penetration tester must first document this limitation in the scope to ensure the client understands the risk and to maintain the test's legality. Proceeding without permission could lead to liability for both the tester and the client.

Exam trap

The trap here is that candidates may assume 'read-only' testing is safe or that direct contact with the third party is proactive, but the exam emphasizes that scope limitations must be documented and that the client, not the tester, is responsible for obtaining permissions.

How to eliminate wrong answers

Option A is wrong because restricting testing to read-only operations does not grant legal permission; any interaction with the third-party API without authorization, even read-only, can still be considered unauthorized access and may violate the provider's terms of service or applicable laws. Option C is wrong because the tester should not contact the third-party provider directly, as this is the client's responsibility; the tester lacks the contractual relationship to negotiate permissions and doing so could breach confidentiality or scope agreements.

638
MCQhard

Refer to the exhibit. A penetration tester reviews this S3 bucket policy. The bucket contains sensitive data. Which of the following best describes the security issue?

A.The policy allows only specific users to read objects
B.The policy allows anyone with an IP in the 10.0.0.0/8 range to read objects
C.The policy allows anonymous write access
D.The policy allows any AWS principal to read objects
AnswerB

Overly permissive and misconfigured.

Why this answer

Option B is correct because the policy allows anyone with an IP in the 10.0.0.0/8 range to read objects, which is overly permissive and ineffective since private IPs are not routable on the internet. Option A is wrong because the principal is a wildcard, not a set of specific users. Option C is wrong because the only allowed action is GetObject, so no write access is granted. Option D is wrong because the IP condition restricts which requests match, so the grant is not unconditional for every AWS principal.

639
MCQeasy

A penetration tester is reviewing a Bash script that contains the following command: 'openssl s_client -connect target:443 -servername target 2>/dev/null | openssl x509 -noout -text'. What is the primary purpose of this command?

A.Extract the SSL certificate in text form.
B.Perform a man-in-the-middle attack.
C.Test for weak cipher suites.
D.Verify the certificate's revocation status.
AnswerA

Correct. 'openssl s_client' establishes a connection, and piping to 'openssl x509 -noout -text' outputs the certificate details.

Why this answer

The command uses `openssl s_client` to establish a TLS connection to `target:443` and then pipes the certificate output to `openssl x509 -noout -text`, which decodes and prints the certificate in human-readable text form. The primary purpose is to retrieve and display the SSL/TLS certificate details (e.g., issuer, subject, validity dates, SANs) for inspection, not to attack or test cipher suites.

Exam trap

The trap here is that candidates may confuse certificate retrieval with cipher suite testing or assume any use of `openssl s_client` implies an attack, when in fact the command is a standard diagnostic tool for inspecting certificate content.

How to eliminate wrong answers

Option B is wrong because the command does not intercept or modify traffic between two parties; it simply connects to the server and displays its certificate, which is a normal client operation, not a man-in-the-middle attack. Option C is wrong because testing for weak cipher suites requires specifying cipher lists or using tools like `sslscan` or `nmap --script ssl-enum-ciphers`; this command only retrieves the certificate and does not enumerate or test cipher negotiation.

640
MCQeasy

A penetration tester is using a vulnerability scanner that reports a 'Critical' severity for an 'SMBv1 vulnerability' on a Windows server. Which of the following is the correct remediation recommendation?

A.Apply the latest Windows security patches
B.Disable SMBv1 on the server
C.Enable SMB signing
D.Enable SMB encryption
AnswerB

Disabling the insecure protocol is the most effective remediation.

Why this answer

The correct remediation for an SMBv1 vulnerability is to disable SMBv1 on the server. SMBv1 is a legacy protocol that lacks modern security features and is known to be exploited by malware like EternalBlue (used in WannaCry). Disabling SMBv1 eliminates the attack surface without affecting SMBv2 or SMBv3, which are secure and still functional.

Exam trap

The trap here is that candidates assume patching (Option A) is sufficient for all vulnerabilities, but for SMBv1, the protocol itself is deprecated and must be disabled rather than just patched.

How to eliminate wrong answers

Option A is wrong because applying the latest Windows security patches only addresses specific CVEs but does not remove the inherently insecure SMBv1 protocol; patches can be bypassed or incomplete, whereas disabling SMBv1 is the definitive fix. Option C is wrong because enabling SMB signing provides integrity and authentication for SMB traffic but does not mitigate the SMBv1 protocol's fundamental vulnerabilities, such as buffer overflow exploits. Option D is wrong because enabling SMB encryption protects data in transit but does not disable or patch the SMBv1 protocol itself, leaving the server still vulnerable to SMBv1-specific attacks.

641
MCQhard

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

A.{{7*7}}
B.<script>alert('xss')</script>
C.${7*7}
D.{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
AnswerD

Correct. This payload exploits Python object chaining to execute system commands, achieving remote code execution.

Why this answer

Option D is correct because it exploits Python's object model to access the `os` module via `__class__.__init__.__globals__`, bypassing the template engine's lack of sandboxing. This allows the attacker to execute arbitrary system commands like `id` on the server, achieving remote code execution (RCE). The payload is specific to Jinja2 or similar Python-based template engines that expose built-in objects.

Exam trap

The trap here is that candidates confuse SSTI with simple template injection tests (like `{{7*7}}`) or XSS, failing to recognize that the correct payload must chain object introspection to access system commands for RCE.

How to eliminate wrong answers

Option A is wrong because `{{7*7}}` is a simple math expression that only tests for SSTI vulnerability (returning 49) but does not achieve RCE. Option B is wrong because `<script>alert('xss')</script>` is a Cross-Site Scripting (XSS) payload, not an SSTI payload, and it targets client-side execution, not server-side RCE. Option C is wrong because `${7*7}` is a Java Expression Language (EL) injection syntax, not applicable to Python-based template engines; it would not execute in a Jinja2 context and does not lead to RCE.

642
MCQhard

During a penetration test, a tester gains access to a Linux system and runs 'sudo -l', which reveals that the user can run /usr/bin/python with root privileges without a password. Which resource should the tester consult to find a method to escalate privileges using this configuration?

A.PayloadsAllTheThings
B.GTFOBins
C.HackTricks
D.Exploit-DB
AnswerB

GTFOBins lists techniques for abusing binaries to escalate privileges.

Why this answer

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions. It provides techniques for privilege escalation using binaries like python. GTFOBins is specifically for Unix privilege escalation.

643
MCQmedium

A penetration tester is using an Nmap NSE script to enumerate SMB shares on a target Windows server. The script runs without errors but returns no shares, even though the server has shares configured. Which is the MOST likely cause?

A.The script requires administrative credentials
B.The target is running Windows 10 with SMB signing enabled
C.The script is not being run with the correct arguments
D.The target is blocking ICMP traffic
AnswerA

SMB share enumeration typically requires valid credentials, without which the script cannot enumerate shares.

Why this answer

The Nmap SMB enumeration scripts (e.g., smb-enum-shares.nse) by default attempt to connect as a guest or anonymous user. On modern Windows servers, especially those with default security configurations, anonymous access to SMB shares is disabled. The script requires valid administrative credentials to list all shares, as the SMB protocol restricts share enumeration to authenticated users with appropriate privileges.

Exam trap

The trap here is that candidates assume Nmap scripts run with full default access, overlooking that SMB enumeration on modern Windows requires explicit authentication, not just a null session.

How to eliminate wrong answers

Option B is wrong because SMB signing, while a security feature, does not prevent enumeration of shares; it only ensures packet integrity and authentication, and the Nmap script can handle signed connections. Option C is wrong because the script runs without errors and returns no shares, indicating it executed correctly but lacked the necessary permissions; incorrect arguments would typically cause a syntax error or unexpected behavior, not a silent empty result.

644
MCQeasy

Which document, often signed before a penetration test, protects the tester from legal liability if the tester's actions are perceived as malicious by third parties?

A.Statement of Work
B.Get-out-of-jail letter
C.Non-Disclosure Agreement
D.Rules of Engagement
AnswerB

Correct. This letter provides legal authorization.

Why this answer

A get-out-of-jail letter (authorization letter) confirms that the tester has permission to conduct the test.

645
Drag & Dropmedium

Drag and drop the steps to perform a password cracking attack using John the Ripper into the correct order.


Why this order

Password cracking requires hash acquisition, type identification, running the tool, and using results for further attacks.

646
MCQmedium

A penetration tester is analyzing a Python script that uses the 'subprocess' module to execute shell commands. The tester notices that the script passes user-supplied input directly to the shell without any sanitization or validation. Which vulnerability class is most likely present in this script?

A.Command injection
B.SQL injection
C.Path traversal
D.Buffer overflow
AnswerA

Untrusted input passed directly to a shell interpreter allows attackers to execute arbitrary system commands, which is the definition of command injection.

Why this answer

The script uses the `subprocess` module to execute shell commands with user-supplied input passed directly to the shell without sanitization. This allows an attacker to inject arbitrary shell metacharacters (e.g., `;`, `|`, `&&`) to execute unintended commands, which is the classic definition of command injection. The vulnerability arises because the input is concatenated into a command string rather than passed as a list of arguments, bypassing the shell's argument separation.

Exam trap

The trap here is that candidates may confuse command injection with SQL injection because both involve untrusted input, but the key differentiator is the execution context—shell commands versus database queries—and the specific module (`subprocess`) indicates shell execution, not database interaction.

How to eliminate wrong answers

Option B is wrong because SQL injection requires the input to be passed to a database query (e.g., via SQL statements), not to a shell command via the `subprocess` module. Option C is wrong because path traversal involves manipulating file paths to access restricted directories (e.g., using `../`), which is unrelated to executing arbitrary shell commands through the `subprocess` module.
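The following is an added example, not code from the question bank: it shows the two invocation styles the explanation above contrasts, a command string handed to the shell versus an argument list passed with shell=False, run on a constructed input that carries shell metacharacters. The command (echo) and the allow-list pattern are assumptions chosen so the block runs offline on any POSIX system.

```python
"""Added example (not from the page): the two ways of invoking a command
from Python that question 646 contrasts, run on a constructed input so the
difference is observable. The command (echo) and the allow-list are
assumptions chosen for a runnable, harmless demonstration."""
import re
import shlex
import subprocess

# Constructed attacker-style input: a valid-looking value followed by a
# shell separator and a second command.
TAINTED = "report.txt; echo INJECTED"

# Allow-list for a filename-like argument (assumption for this demo).
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]+$")


def run_vulnerable(user_input: str) -> str:
    """Concatenates the input into one string and hands it to the shell, so
    ';', '|', '&&' and similar are interpreted as command separators."""
    cmd = "echo " + user_input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(user_input: str) -> str:
    """Passes the input as a separate argv element with shell=False; it
    reaches the program as one argument, so metacharacters stay plain text.
    An allow-list additionally rejects anything outside the expected set."""
    if not SAFE_ARG.match(user_input):
        raise ValueError("argument rejected by allow-list: %r" % user_input)
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


def run_quoted_fallback(user_input: str) -> str:
    """If a shell string is unavoidable, shlex.quote() neutralises the
    metacharacters; weaker than the argv form, shown for comparison."""
    cmd = "echo " + shlex.quote(user_input)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def demo():
    """Exercise all three on the constructed input and a clean value."""
    vuln_out = run_vulnerable(TAINTED)          # the second command ran
    quoted_out = run_quoted_fallback(TAINTED)   # echoed back verbatim
    try:
        run_hardened(TAINTED)
        rejected = False
    except ValueError:
        rejected = True                          # never reaches subprocess
    clean_out = run_hardened("report.txt")
    return ("INJECTED" in vuln_out.splitlines(),
            quoted_out.strip() == TAINTED,
            rejected,
            clean_out.strip())


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, True, True, "report.txt"): with shell=True the separator starts a second command and INJECTED appears on its own output line, the quoted form prints the tainted string unchanged, the allow-list refuses the tainted value before any process is spawned, and a clean value passes through the argv form normally.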

647
MCQeasy

A penetration tester wants to perform DNS brute-force enumeration to discover subdomains of a target domain. Which tool is specifically designed for this purpose?

A.nmap
B.dnsrecon
C.Wireshark
D.Hydra
AnswerB

Dnsrecon is a DNS enumeration tool that includes brute-force functionality to discover subdomains. It is specifically designed for this task.

Why this answer

B is correct because dnsrecon is a specialized DNS enumeration tool that includes a brute-force mode for discovering subdomains. It uses a wordlist to query DNS servers for common subdomain names, leveraging the DNS protocol's inherent structure to map out a target's domain hierarchy without relying on zone transfers.

Exam trap

The trap here is that candidates often confuse nmap's general DNS script (e.g., dns-brute.nse) with a dedicated tool, but the question specifically asks for a tool 'designed for this purpose,' and dnsrecon is purpose-built for DNS enumeration, whereas nmap's script is an add-on.

How to eliminate wrong answers

Option A is wrong because nmap is a network scanning tool focused on port discovery and service fingerprinting, not DNS-specific brute-force enumeration; while it can perform DNS queries via scripts, it lacks the dedicated subdomain brute-force functionality of dnsrecon. Option C is wrong because Wireshark is a packet analyzer used for capturing and inspecting network traffic, not for actively generating DNS queries to enumerate subdomains.

648
MCQmedium

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

A.OWASP Top 10
B.CVSS
C.CVE
D.NIST SP 800-115
AnswerB

Correct. CVSS provides a standardized and widely accepted severity score for vulnerabilities.

Why this answer

CVSS (Common Vulnerability Scoring System) is the industry-standard framework for assigning numeric severity scores (0-10) to vulnerabilities based on metrics like attack vector, complexity, and impact. Penetration testers use CVSS scores to provide consistent, quantitative risk ratings that clients can compare across findings. OWASP Top 10 is a list of web application risk categories, not a scoring system, and CVE is a vulnerability identifier database, not a rating framework.

Exam trap

The trap here is that candidates confuse OWASP Top 10 (a risk categorization list) with a scoring framework, or mistake CVE (an identifier system) for a severity rating system, when CVSS is the only option that provides a standardized numerical severity scale for individual vulnerabilities.

How to eliminate wrong answers

Option A is wrong because OWASP Top 10 is a periodic awareness document that ranks broad categories of web application security risks (e.g., injection, broken authentication), not a framework for assigning individual vulnerability severity scores. Option C is wrong because CVE (Common Vulnerabilities and Exposures) is a dictionary of unique identifiers for publicly known vulnerabilities, with no scoring or rating mechanism—it simply names and describes the flaw.

649
MCQhard

A penetration tester is analyzing a malicious script found on a compromised Linux server. The script uses obfuscation techniques including base64 encoding and variable substitution. Which tool or method is most effective for deobfuscating the script to understand its functionality?

A.Use a Python emulator like Unicorn
B.Analyze packet captures with Wireshark
C.Disassemble with IDA Pro
D.Run the script with 'bash -x' in a sandbox
AnswerD

'bash -x' prints each command before execution, revealing the deobfuscated actions in a controlled environment.

Why this answer

For deobfuscating a shell script, running it in a sandboxed environment with execution tracing (e.g., 'bash -x' or 'set -x', or a debugger) is most effective, because each command is printed after expansion and the decoded actions become visible. IDA Pro is for binary analysis, Wireshark for network packets, and Unicorn emulates machine code rather than interpreting shell scripts.

650
Multi-Selectmedium

You are enumerating a Linux system for privilege escalation vectors. Which TWO conditions below could be exploited to escalate privileges? (Select TWO.)

Select 2 answers
A.Unquoted service path
B.User has SeImpersonatePrivilege
C.SUID binary owned by root
D.AlwaysInstallElevated registry key set to 1
E.World-writable script executed by a cron job
AnswersC, E

SUID binaries run with the owner's privileges, often root.

Why this answer

Writable cron scripts and SUID binaries are common Linux privesc vectors.

651
MCQmedium

During a penetration test, a tester discovers a web application that uses JavaScript to load API endpoints dynamically. Which technique would be most effective for discovering hidden API endpoints?

A.Analyzing JavaScript files for API endpoints
B.Performing a DNS zone transfer
C.Running a Nikto scan
D.Using Nmap to scan for open ports and services
AnswerA

JavaScript files often contain API URLs, parameters, and authentication tokens that can be discovered through static analysis or runtime inspection.

Why this answer

JavaScript analysis involves inspecting JavaScript files for hardcoded API endpoints, secrets, and other useful information, making it effective for discovering hidden API endpoints.

652
MCQeasy

A penetration testing firm is hired to assess a mobile banking application. The client wants to test both Android and iOS versions, but only the production environment. Which of the following is the MOST important scoping consideration to include in the rules of engagement?

A.Requiring jailbroken/rooted devices for testing
B.Specifying the number of concurrent users during testing
C.Defining the test window to avoid peak hours
D.Excluding the backend API from testing
AnswerA

Rooting/jailbreaking enables deep testing that is often necessary for comprehensive mobile app security assessments.

Why this answer

Requiring jailbroken or rooted devices is the most important scoping consideration because mobile banking applications often implement runtime integrity checks (e.g., MagiskHide, Frida detection) that prevent the app from running on compromised devices. Without explicit authorization to bypass these controls, the penetration tester cannot perform deep dynamic analysis, such as hooking API calls or inspecting encrypted local storage, which is essential for a thorough security assessment of the production environment.

Exam trap

The trap here is that candidates often confuse operational scheduling (Option C) with technical feasibility, overlooking that without a jailbroken/rooted device, the tester cannot bypass runtime integrity checks and thus cannot perform the most critical parts of the mobile app assessment.

How to eliminate wrong answers

Option B is wrong because specifying the number of concurrent users is irrelevant for a mobile application penetration test; load testing is a performance concern, not a security scoping consideration, and the rules of engagement focus on authorization boundaries, not throughput metrics. Option C is wrong because defining the test window to avoid peak hours is an operational consideration to minimize business impact, but it is not the most important scoping factor; the core technical constraint for mobile app testing is the device's integrity state, as production apps often refuse to run on jailbroken/rooted devices, making authorization to use such devices a prerequisite for any meaningful testing.

653
MCQmedium

A penetration tester is preparing a report and wants to include proof-of-concept code to demonstrate a vulnerability. Which of the following is the best practice for including such code?

A.Include fully automated exploit scripts that could be used for attacks.
B.Include code that extracts sensitive data to prove impact.
C.Provide code that demonstrates the vulnerability in a responsible manner without destructive payloads.
D.Omit code and only describe the vulnerability verbally.
AnswerC

Responsible disclosure shows exploitability without damage.

Why this answer

Proof-of-concept code should prove the vulnerability is exploitable without causing harm to the client's environment.

654
MCQeasy

Which of the following tools is most commonly used for passive reconnaissance by querying certificate transparency logs to discover subdomains?

A.crt.sh
B.Censys
C.theHarvester
D.Shodan
AnswerA

crt.sh is a website and API that queries certificate transparency logs, making it a primary tool for passive subdomain discovery via certificates.

Why this answer

crt.sh is a certificate transparency log search tool that can be used to find subdomains by querying SSL/TLS certificates issued for a domain.

655
MCQmedium

During a web application test, a penetration tester intercepts requests between the browser and server and modifies them in real time. Which Burp Suite tool is designed for this purpose?

A.Repeater
B.Sequencer
C.Intruder
D.Proxy
AnswerD

Burp Proxy intercepts traffic between browser and server.

Why this answer

Burp Proxy intercepts and allows modification of HTTP/HTTPS requests.

656
MCQmedium

A penetration tester discovers that a previously reported vulnerability from a prior test has not been remediated. How should this be communicated in the current report?

A.Only mention it in the executive summary, referencing the past report.
B.Include it as a recurring finding and note the lack of remediation.
C.Omit the finding to avoid repetition.
D.Reduce the severity rating because it was already reported.
AnswerB

This provides accountability and highlights the need for action.

Why this answer

Option B is correct because penetration testing standards (e.g., PTES, OWASP) require that previously identified vulnerabilities that remain unpatched be documented as recurring findings with explicit reference to the prior report. This ensures the client understands the risk persists and can track remediation progress over time. Including the finding with a note on lack of remediation maintains the integrity of the current risk assessment and supports compliance with reporting frameworks like NIST SP 800-115.

Exam trap

The trap here is that candidates mistakenly think repeating a finding is redundant or that the executive summary is sufficient, but CompTIA expects the finding to be fully documented in the technical body of the report with a clear note on recurrence.

How to eliminate wrong answers

Option A is wrong because relegating a recurring vulnerability solely to the executive summary omits the technical details, evidence, and risk context needed for the technical audience to act on the finding. Option C is wrong because omitting the finding violates the principle of full disclosure and could lead to legal liability if the client assumes the vulnerability was fixed. Option D is wrong because reducing the severity rating based solely on prior reporting is a logical fallacy; the risk to the environment remains unchanged unless compensating controls have been verified.

657
MCQeasy

Which penetration testing standard provides a methodology that includes pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting?

A.OSSTMM
B.NIST SP 800-115
C.OWASP Testing Guide
D.PTES
AnswerD

Correct. PTES includes all phases from pre-engagement to reporting.

Why this answer

The Penetration Testing Execution Standard (PTES) is the only standard among the options that explicitly defines a full penetration testing methodology with the phases listed: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. PTES provides a structured, seven-phase framework designed specifically for penetration testers, making it the correct choice for this question.

Exam trap

The trap here is that candidates often confuse the OWASP Testing Guide (Option C) as a general penetration testing standard because it is widely known, but it is strictly limited to web application security and does not cover the full lifecycle of a penetration test as defined in the question.

How to eliminate wrong answers

Option A is wrong because the Open Source Security Testing Methodology Manual (OSSTMM) focuses on operational security metrics and channel-based testing (e.g., human, physical, wireless, telecommunications, and data networks) rather than a sequential penetration testing methodology with the specific phases listed. Option B is wrong because NIST SP 800-115 is a technical guide for information security testing and assessment, but it does not prescribe a formal penetration testing methodology with phases like pre-engagement interactions or post-exploitation; it is more of a general assessment framework. Option C is wrong because the OWASP Testing Guide is specifically focused on web application security testing and does not cover the full scope of a penetration test, including pre-engagement interactions, threat modeling in the context of network or system testing, or post-exploitation activities beyond web applications.

658
MCQ (medium)

A penetration tester is performing a man-in-the-middle attack on a network using ARP spoofing. What is the primary purpose of ARP spoofing?

A. To assign a fake IP address to the attacker's device
B. To associate the attacker's MAC address with the IP address of a legitimate host
C. To modify the routing table of the target
D. To poison the DNS cache of the target
Answer: B

This redirects traffic destined for that IP to the attacker.

Why this answer

ARP spoofing works by sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host (e.g., the default gateway). This causes traffic destined for that IP to be sent to the attacker instead, enabling interception and manipulation of network communications.

Exam trap

The trap here is that candidates confuse ARP spoofing with IP address spoofing or DNS poisoning, but the exam specifically tests that ARP spoofing manipulates MAC-to-IP mappings at Layer 2, not IP addresses or higher-layer caches.

How to eliminate wrong answers

Option A is wrong because ARP spoofing does not assign a fake IP to the attacker; the attacker retains their own IP and instead manipulates the IP-to-MAC mapping on other hosts. Option C is wrong because ARP spoofing operates at Layer 2 (Data Link) and does not modify routing tables, which are Layer 3 constructs managed by protocols like RIP or OSPF. Option D is wrong because DNS cache poisoning targets the DNS resolver's cache (Layer 7), whereas ARP spoofing targets the ARP cache (Layer 2) to redirect traffic at the network access layer.

659
MCQ (medium)

A penetration tester gains a shell on a Linux server and needs to pivot to an internal network. The tester's attack machine can reach the compromised server but not the internal network. Which tool can create a SOCKS proxy on the compromised server?

A. Chisel
B. SSH -L
C. Meterpreter
D. Netcat
Answer: A

Chisel creates SOCKS proxies or tunnels for pivoting.

Why this answer

Chisel is a TCP/UDP tunnelling tool that carries its traffic over HTTP (secured with the SSH protocol) and can expose a SOCKS proxy on the tunnel endpoint, which lets the attack machine route tools through the compromised server into the internal network.

660
Multi-Select (medium)

A penetration tester is analyzing the results of a vulnerability scan. Which of the following findings indicate that a vulnerability is likely exploitable? (Choose two.)

Select 2 answers
A. The vulnerability is classified as 'critical' by the scanner
B. CVSS base score of 4.0
C. The vulnerability has been patched by the vendor
D. Public exploit code is available online
E. Multiple hosts share the same vulnerability
Answers: A, D

Critical severity often indicates that exploitation is likely and impact is high.

Why this answer

Option A is correct because a 'critical' classification by the scanner typically indicates a high-severity vulnerability with a CVSS base score of 9.0 or higher, which often corresponds to remotely exploitable flaws that can lead to complete compromise. Scanners like Nessus or OpenVAS assign critical severity based on factors such as attack vector, complexity, and impact, making such vulnerabilities highly likely to be exploitable in practice. Option D is correct because publicly available exploit code means the tester does not have to develop an exploit, which is the strongest practical indicator that a vulnerability is exploitable.

Exam trap

CompTIA often tests the distinction between vulnerability severity and exploitability, where candidates mistakenly assume a medium CVSS score (e.g., 4.0) or widespread presence (multiple hosts) implies the vulnerability is easily exploitable, ignoring that exploitability requires a working exploit or low attack complexity.

661
MCQ (medium)

A penetration tester is conducting an internal network test. During the engagement, the tester discovers a critical vulnerability that could be exploited to gain domain admin privileges. According to best practices, how should the tester communicate this finding to the client?

A. Immediately notify the client's point of contact via a secure channel
B. Only communicate it if the client asks for a status update
C. Wait until the end of the test to include it in the formal report
D. Exploit the vulnerability to demonstrate impact and then fix it before reporting
Answer: A

Timely communication of critical risks is essential.

Why this answer

Option A is correct because critical findings should be communicated immediately to allow the client to take urgent action, rather than waiting for the formal report. Option B is too slow. Option C delays communication.

Option D is inappropriate as testers should not remediate without authorization.

662
MCQ (medium)

During a penetration test, the tester captured an NTLM hash using Responder and wants to pass the hash to gain access to a remote Windows system. Which tool would be most appropriate to perform a pass-the-hash attack?

A. John the Ripper
B. CrackMapExec
C. pth-winexe
D. Hashcat
Answer: C

pth-winexe enables pass-the-hash authentication to Windows.

Why this answer

pth-winexe allows authenticating to Windows systems using an NTLM hash without the plaintext password.

663
Multi-Select (medium)

A penetration tester is performing active reconnaissance on a target web application. Which TWO tools are specifically designed for directory and file enumeration? (Select TWO.)

Select 2 answers
A. Wappalyzer
B. Feroxbuster
C. Nmap
D. Gobuster
E. WhatWeb
Answers: B, D

Feroxbuster is a fast, recursive directory brute-forcing tool.

Why this answer

Gobuster and Feroxbuster are both tools specifically designed for directory and file brute-forcing on web servers.

664
MCQ (easy)

Which of the following should be included in the appendix section of a penetration testing report?

A. Raw tool output and scan results
B. Remediation steps for each finding
C. Executive summary
D. Key findings and overall risk rating
Answer: A

Correct. Raw output is typically placed in an appendix.

Why this answer

Appendices contain supporting details like scope, methodology, and raw tool output.

665
Multi-Select (medium)

A penetration tester has obtained a meterpreter session on a Windows target. The tester wants to escalate privileges to SYSTEM and then dump password hashes. Which two meterpreter commands should the tester use in sequence? (Choose TWO.)

Select 2 answers
A. getuid
B. getsystem
C. shell
D. hashdump
E. sysinfo
Answers: B, D

getsystem attempts to elevate to SYSTEM privileges.

Why this answer

First, use getsystem to attempt privilege escalation to SYSTEM (via token stealing or other techniques). Then, use hashdump to dump the SAM database hashes, which requires SYSTEM-level access. getuid only shows the current user, sysinfo only shows system information, and shell drops to a command prompt without elevating privileges.

666
MCQ (medium)

A penetration tester is tasked with performing active reconnaissance on an internal network. The tester wants to identify live hosts and their open ports efficiently while minimizing noise. Which Nmap scan type should be used first to quickly discover which hosts are online?

A. nmap -sS -sV 192.168.1.0/24
B. nmap -A 192.168.1.0/24
C. nmap -sn 192.168.1.0/24
D. nmap -sT 192.168.1.0/24
Answer: C

Correct. Ping sweep quickly identifies live hosts.

Why this answer

Option C is correct because the `-sn` flag (ping scan) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default to determine if hosts are online without performing port scans (when run as root; an unprivileged user gets TCP connect probes to ports 80 and 443 instead, and on a directly attached Ethernet segment Nmap uses ARP requests). This minimizes network noise and quickly identifies live hosts on the subnet, which is the first step in active reconnaissance before deeper scanning.

Exam trap

The trap here is that candidates often choose a full port scan (like `-sS` or `-sT`) for host discovery, not realizing that `-sn` is the dedicated, low-noise method for identifying live hosts without scanning ports.

How to eliminate wrong answers

Option A is wrong because `-sS` (SYN stealth scan) combined with `-sV` (version detection) performs a full port scan and service fingerprinting on every host, generating excessive traffic and noise for initial host discovery. Option B is wrong because `-A` enables aggressive scanning (OS detection, version detection, script scanning, traceroute), which is heavy and inappropriate for a quick live-host discovery phase. Option D is wrong because `-sT` (TCP connect scan) completes the full three-way handshake for each port, creating more noise and connection logs than a simple ping sweep.

667
MCQ (medium)

You are performing a vulnerability scan on an internal network using an authenticated scanner. Which of the following is a primary benefit of authenticated scanning compared to unauthenticated scanning?

A. It eliminates false positives entirely
B. It reduces network traffic
C. It provides more accurate identification of vulnerabilities that require credentials
D. It avoids detection by intrusion detection systems
Answer: C

With valid credentials, the scanner can log in and assess the system more thoroughly.

Why this answer

Authenticated scanning provides deeper insight by checking for missing patches, misconfigurations, and vulnerabilities that require valid credentials to detect, such as local privilege escalation issues.

668
MCQ (medium)

A penetration tester is analyzing a Ruby script that uses the 'metasploit-framework' gem. The script includes a line: `Msf::Simple::Framework.create` and then calls `run_single('use exploit/multi/handler')`. What is the primary purpose of this script?

A. Automate a port scan across multiple targets
B. Set up a Metasploit payload handler to catch reverse shells
C. Create a Metasploit resource script for automated attacks
D. Load and execute a local exploit against a specified target
Answer: B

The multi/handler module is a generic payload handler that listens for incoming connections from exploited systems.

Why this answer

The script uses `Msf::Simple::Framework.create` to instantiate a Metasploit Framework instance and then calls `run_single('use exploit/multi/handler')` to load the multi/handler module. This module is specifically designed to listen for incoming connections from payloads (e.g., reverse shells) that have been executed on a target, making the script's primary purpose to set up a handler to catch reverse shells.

Exam trap

The trap here is that candidates may confuse the `use exploit/multi/handler` command with a generic exploit or attack automation, when in fact it is purely a listener for incoming reverse connections, not an active exploit or scanning tool.

How to eliminate wrong answers

Option A is wrong because the script does not include any port scanning logic or calls to modules like `auxiliary/scanner/portscan`; it only loads a handler module. Option C is wrong because the script directly executes a Metasploit command via `run_single` rather than writing or generating a resource script (`.rc` file) for later automated execution. Option D is wrong because multi/handler sends nothing to a target; it only waits for a payload that has already been executed elsewhere to connect back.

669
MCQ (hard)

Refer to the exhibit. A penetration tester used a vulnerability scanner and obtained the above result. What is the BEST way to represent this finding in the report to ensure the client can reproduce and fix it?

A. Include only the URL and parameter name.
B. Include the full request with the exact payload and evidence.
C. Provide the exact error message from the database.
D. List the vulnerability scanner used and its version.
Answer: B

This allows the client to replicate the issue and test the fix.

Why this answer

Option B is correct because the report should include the full request details, including payload and evidence. Option A is wrong because the URL and parameter are not enough to show exploitation. Option D is wrong because the scanner name and version are not critical to reproducing the finding.

Option C is wrong because the error message is evidence, not the fix.

670
Multi-Select (hard)

A penetration tester has gained initial access to a Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for persistence on Linux systems?

Select 3 answers
A. Installing an SSH authorized_key for the attacker
B. Adding a cron job that executes a reverse shell
C. Using schtasks to create a scheduled task
D. Modifying the Windows Registry Run key
E. Creating a systemd service that runs on boot
Answers: A, B, E

SSH keys allow persistent remote access.

Why this answer

Cron jobs, SSH authorized_keys, and systemd services are common persistence mechanisms.

671
Multi-Select (medium)

A penetration tester is using Metasploit to pivot from a compromised host to an internal network. Which THREE Metasploit features can facilitate pivoting?

Select 3 answers
A. Exploit/multi/handler
B. Metasploit route command
C. SSH local port forwarding
D. Autoroute post module
E. Metasploit socks proxy
Answers: B, D, E

Adds routing through a compromised host.

Why this answer

The 'route' command adds routes through a session, and Metasploit's socks proxy (auxiliary/server/socks4a, merged into auxiliary/server/socks_proxy in current releases) can then serve that routed traffic to external tools. Autoroute (post/multi/manage/autoroute) is a post module that adds those routes automatically. Exploit/multi/handler is for catching reverse shells, not directly for pivoting.

Port forwarding via SSH is external to Metasploit.

672
MCQ (hard)

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

A. Java deserialization of untrusted data (RCE via Commons Collections).
B. SQL injection.
C. Cross-site scripting.
D. Command injection.
Answer: A

The presence of Commons Collections provides known gadget chains (e.g., ysoserial) that can achieve code execution during deserialization, making this the direct attack vector.

Why this answer

The correct answer is A because the presence of the Apache Commons Collections library in the classpath, combined with a vulnerable Java deserialization endpoint, enables the classic 'gadget chain' attack. Attackers craft a malicious serialized object that, when deserialized, invokes methods in Commons Collections (e.g., InvokerTransformer) to execute arbitrary system commands, achieving remote code execution (RCE). This is a well-documented exploit chain (e.g., CVE-2015-7501) that directly leverages the library's reflection-based classes.

Exam trap

The trap here is that candidates may confuse deserialization attacks with other input-based attacks like SQLi or XSS, failing to recognize that the specific vulnerability is the unsafe deserialization of Java objects using a known gadget library (Commons Collections) to achieve server-side RCE.

How to eliminate wrong answers

Option B is wrong because SQL injection targets database queries via input manipulation, not Java deserialization of objects; it does not exploit the deserialization endpoint or the Commons Collections library. Option C is wrong because cross-site scripting (XSS) injects client-side scripts into web pages, not server-side code execution via deserialization; it cannot achieve RCE through Java object deserialization. Option D is wrong because command injection requires user input to be passed directly into an operating system command; here the execution path is the deserialization gadget chain, not an unsanitized shell call.

673
MCQ (easy)

A penetration tester is hired to assess the security of a company's internal network. The client provides the tester with full network diagrams, credentials, and source code. Which type of penetration test is being performed?

A. Grey box
B. Black box
C. Red team
D. White box
Answer: D

Correct. White box testing provides full knowledge.

Why this answer

White box testing provides the tester with full knowledge and credentials, which matches the scenario.

674
MCQ (medium)

A penetration tester is performing active reconnaissance on a web application and wants to discover hidden directories and files. Which tool would be most effective for brute-forcing directory names based on a wordlist?

A. Gobuster
B. Nikto
C. theHarvester
D. WPScan
Answer: A

Gobuster is designed for directory/file brute-forcing with wordlists.

Why this answer

Gobuster is a tool used for directory/file brute-forcing using wordlists. Dirb is similar but older; gobuster is more modern and flexible.

675
MCQ (hard)

A penetration tester uses the CVSS base score to rate a vulnerability. The tester finds that the vulnerability has a high CVSS score but the affected system is isolated from the internet and has no sensitive data. Which approach should the tester take when assigning an overall severity rating?

A. Increase the severity because the system is isolated and may be overlooked.
B. Adjust the severity lower to reflect the reduced business impact.
C. Remove the finding from the report since the system is isolated.
D. Use the CVSS score as the final severity rating.
Answer: B

The risk is lower because the system is isolated and data is not sensitive.

Why this answer

CVSS is a good starting point but should be adjusted based on business context such as impact and likelihood in the specific environment.
