COMPTIA PENTEST+ – PRACTICE QUESTIONS AND CORRECT ANSWERS
(VERIFIED ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT DOWNLOAD
PDF.
Core Domains
Planning and Scoping
Information Gathering and Vulnerability Scanning
Attacks and Exploits
Reporting and Communication
Tools and Code Analysis
Legal and Compliance Frameworks
Exploitation of Web Applications and Mobile Devices
Post-Exploitation Techniques
Introduction
This comprehensive practice assessment is designed to evaluate a candidate’s
proficiency in the various domains of penetration testing. The purpose of this exam is
to ensure that the individual possesses the technical knowledge and analytical skills
required to plan, scope, and manage a vulnerability assessment and penetration test.
The questions follow a rigorous multiple-choice and scenario-based structure,
mirroring the complexity found in professional environments. There is a significant
emphasis on real-world application, ethical decision-making, and the ability to
interpret technical data to provide actionable business recommendations. Success on
this assessment indicates readiness for professional-grade security assessments and
official certification.
SECTION ONE: QUESTIONS 1–100
1. A penetration tester has been hired to perform a black-box assessment. Which
of the following is the most important document to sign before any technical
work begins?
A. Master Service Agreement (MSA)
B. Non-Disclosure Agreement (NDA)
C. Rules of Engagement (RoE)
D. Statement of Work (SoW)
🟢 C. Rules of Engagement (RoE)
🔴 RATIONALE: The Rules of Engagement (RoE) document establishes the
technical boundaries, timelines, and authorized activities for the assessment,
protecting both the tester and the client.
2. Which of the following Nmap flags is used to perform a TCP SYN scan?
A. -sT
B. -sU
C. -sS
D. -sA
🟢 C. -sS
🔴 RATIONALE: The -sS flag initiates a SYN scan, often referred to as a "half-open"
scan because it does not complete the three-way handshake.
3. During an internal assessment, a tester discovers a Windows machine with an
open port 445. Which protocol is most likely associated with this port?
A. SSH
B. SMB
C. RDP
D. SNMP
🟢 B. SMB
🔴 RATIONALE: Port 445 is the standard port for Server Message Block (SMB) over
TCP, commonly used for file and printer sharing in Windows environments.
4. A tester wants to intercept traffic between a client and a gateway using ARP
poisoning. Which tool is best suited for this task?
A. Wireshark
B. BetterCAP
C. Nikto
D. Hydra
🟢 B. BetterCAP
🔴 RATIONALE: BetterCAP is a comprehensive tool specifically designed for man-in-
the-middle (MITM) attacks, including ARP spoofing and DNS poisoning.
5. While reviewing a web application, a tester notices that user input is reflected
back in the page without sanitization. Which vulnerability is most likely present?
A. SQL Injection
B. Cross-Site Scripting (XSS)