eJPT eLearnSecurity Junior Penetration Tester Exam
Actual Test Questions and Correct Answers With
Rationales LATEST THIS YEAR
Below is a summarized exam coverage for the eLearnSecurity Junior Penetration Tester (eJPT)
certification exam, followed by 200 randomized, scenario-based MCQs directly aligned with the exam.
No subtopics or domain headings are used—just questions, answers, and concise rationales. Questions
are based on the official eJPT objectives (information gathering, scanning, enumeration, exploitation,
web attacks, post-exploitation, pivoting, and reporting), common tools (Nmap, Metasploit, Burp Suite,
Netcat, Wireshark, Python, Bash), and practical pentesting scenarios.
Summarized Exam Coverage – eJPT (eLearnSecurity Junior Penetration Tester)
Information gathering (OSINT, DNS reconnaissance, WHOIS, Google dorks, Shodan), network scanning
(Nmap, masscan, ping sweeps, port scanning, OS/version detection), enumeration (NetBIOS, SNMP,
SMTP, FTP, SSH, SMB, LDAP, RPC), vulnerability assessment, exploitation (Metasploit, manual exploits,
buffer overflow basics, web attacks – SQLi, XSS, LFI/RFI, CSRF, command injection), password attacks
(hydra, John the Ripper, hash cracking, dictionary attacks), client-side attacks, post-exploitation
(Meterpreter, shell upgrade, persistence, privilege escalation, lateral movement, pivoting), traffic
analysis (Wireshark, tcpdump), basic scripting (Python, Bash, PowerShell), and report writing.
1. An eJPT candidate is performing passive reconnaissance on a target domain. Which of the following is
considered passive OSINT?
A) Port scanning with Nmap
B) Searching Shodan for the target IP
C) Performing a DNS zone transfer
D) Enumerating SMB shares with enum4linux
Answer: B – Shodan queries are passive (no direct interaction). Zone transfers, Nmap scans, and SMB
enumeration are active.
2. A penetration tester runs nmap -sS -p- 192.168.1.10 and receives no response. The most likely cause
is:
A) A firewall is dropping all packets
B) The target is offline
C) The tester is not root
D) The syntax is incorrect
Answer: A – -sS (SYN scan) is stealthy; if all ports show filtered, a firewall is likely dropping the probes.
3. During enumeration, a tester finds an open SMB port (445) on a Windows target. Which tool is most
appropriate to list shares?
A) smbclient
B) hydra
C) sqlmap
D) nikto
Answer: A – smbclient -L //target lists SMB shares without authentication.
4. A web application has a login form. The tester suspects SQL injection. Which payload is most reliable
for testing error-based injection?
A) ' OR '1'='1' --
B) '; DROP TABLE users; --
C) ' AND 1=CONVERT(int, @@version) --
D) ' OR 1=1#
Answer: C – This forces a conversion error that reveals database version information.
5. After gaining a low-privilege shell, the tester wants to escalate to SYSTEM on Windows. Which tool is
specifically designed for privilege escalation enumeration?
A) LinEnum
B) PowerUp
C) Mimikatz
D) nc.exe
Answer: B – PowerUp is a PowerShell script for Windows privilege escalation enumeration.
6. A tester finds an open SSH port (22) with version OpenSSH 4.3. Which action is most appropriate?
A) Immediately try to brute-force credentials
B) Search for a known exploit (e.g., CVE-2006-5051)
C) Move to another port
D) Use Metasploit’s ssh_login module
Answer: B – OpenSSH 4.3 is old and may have known vulnerabilities; research first.
7. A penetration tester captures an NTLMv2 hash from a Windows target. Which tool is used to crack it
offline?
A) John the Ripper
B) Hydra
C) Ncrack
D) Hashcat
Answer: D – Hashcat is the fastest offline password cracker; John can also crack NTLMv2.
8. During a web application test, the tester sees file.php?page=about.php. Which attack is most likely
possible?
A) SQL injection
B) Local File Inclusion (LFI)