CompTIA PenTest+ (PT0-003) Full Course & Practice
Exam
1. Which document should be signed before a penetration test to ensure the client's sensitive information
remains confidential?
Rules of Engagement (RoE)
Non-Disclosure Agreement (NDA) Statement of Work (SOW)
Service Level Agreement (SLA): An NDA is a legal document that ensures any sensitive information accessed by the
penetration tester during the engagement remains confidential. RoE defines the testing boundaries and acceptable method
while the SOW outlines the specific tasks and deliverables. The SLA pertains to service performance and uptime.
2. Which technique uses detailed information about a company's publicly available systems and services
without interacting with them directly?: - WHOIS Lookup
3. Which of the following tools is commonly used to automate exploit devel- opment and execution against a
vulnerable target system?
Hydra
John the Ripper
Metasploit sqlmap:
Metasploit
4. Which of the following techniques is the best to maintain access to a compromised system after a
reboot or if the initial exploit is closed? Clear system logs
Schedule a cron job Escalate privileges
Use PsExec for lateral movement: Schedule a cron job
5. In which section of a penetration test report should a non-technical summa- ry of key findings and their
business impact be included?
Scope and Methodology Findings and
Evidence Executive Summary
Remediation Recommendations: Executive Summary
6. Which regulation enforces strict rules on data protection within the EU, including requirements like
obtaining permission for data processing and performing data impact assessments?: GDPR
7. Why is it important for penetration testers to understand and operate within regulations such as GDPR and
GLBA?: To ensure legal compliance and protect sensitive data
, CompTIA PenTest+ (PT0-003) Full Course & Practice
Exam
8. Which type of assessment focuses on evaluating the security of wireless networks, identifying vulnerabilities
like weak encryption and rogue access points?: Wireless assessment
9. What term describes specific areas or elements that are off-limits during a penetration test, often to avoid
business disruption or exposing sensitive data?: Exclusions
10. In the Shared Responsibility Model, which party is responsible for securing the operating system and
applications in a cloud environment?: Customer
11.Which of the following categories in the MITRE ATT&CK framework focus- es on techniques used to
maintain access in a target system?: Persistence
12.Which of the following OWASP Top 10 vulnerabilities involves improper enforcement of user
permissions, allowing unauthorized individuals from seeing data or altering functionality?: Broken Access
Control
13.Which control group in the OWASP MASVS ensures the security of data in transit and at rest using
cryptographic methods?: MASVS-CRYPTO
14.Which phase of the PTES framework involves gaining knowledge about the target system using both
passive and active techniques?: Information Gathering
15.Which STRIDE element involves exploiting weaknesses in a system's au- thentication process to assume
another user's identity?: Spoofing
16.Which tool or method best allows testers to retrieve old versions of web- sites to gather potentially sensitive
information that may have been removed from a current site?: Wayback Machine
17.Which tool is commonly used to analyze captured network packets and filter them based on protocols, IP
addresses, and port numbers?: Wireshark
18.Which technique involves sending requests to open ports to retrieve in- formation about the software and
version running on the system?: Banner Grabbing
19.Which Nmap scan type is commonly referred to as a "half-open" scan because it does not complete the
TCP handshake?: SYN Scan
20.Which tool or method allows testers to collect data from a website's markup code and potentially uncover
sensitive details such as server types or internal names?: HTML Scraping
21.Which of the following is the BEST reason why job boards like Indeed or Glassdoor are valuable for
penetration testers during OSINT?: The BEST reason is that job boards list roles, required skills, and technologies
in use, which
gives direct insight into the organization's infrastructure, aiding in targeting specific vulnerabilities.
, CompTIA PenTest+ (PT0-003) Full Course & Practice
Exam
22.Which of the following is a common cause of information disclosure, often revealing sensitive details such as
database dumps or server file paths? Error messages
DNS misconfiguration Password
spraying
Social engineering: Error messages
23.What command in Linux is used to perform DNS lookups to retrieve information about a domain's
IP addresses?
nslookup dig
ping traceroute: dig
24.What role do Certificate Transparency logs play in enhancing digital cer- tificate security?: Detect rogue
certificates
25.Which search engine operator restricts results to a specific website or domain?: site
26.Which transport layer protocol is faster but less reliable than TCP and is often used to identify potential
denial-of-service vulnerabilities?: UDP
27.Which type of DNS query attempts to replicate DNS records between DNS servers?: Zone transfer
28.Which tool is commonly used for directory enumeration by brute-forcing possible URLs to uncover hidden
directories on a web server?: DirBuster
29.What command is used in Windows environments to display a list of shared resources on a local
network?: net /view
30.Which Linux file contains a list of all user accounts and their hashed passwords?: /etc/shadow
31.Which tool is primarily used to gather email addresses, subdomains, and IP addresses from public sources
during the reconnaissance phase?: theHar- vester
32.Which tool provides a graphical interface to map relationships between domains, email addresses, and IP
addresses?: Maltego
33.Which of the following command examples can be used to perform a reverse DNS lookup in dig?: dig
-x 8.8.8.8
34.Which command saves the captured network packets to a file for later analysis using tcpdump?:
tcpdump -w capture.pcap
35.Which tool is used for capturing and attempting to gain access to the WPA/WPA2 keys during wireless
network testing?
Aircrack-ng
WiGLE
Exam
1. Which document should be signed before a penetration test to ensure the client's sensitive information
remains confidential?
Rules of Engagement (RoE)
Non-Disclosure Agreement (NDA) Statement of Work (SOW)
Service Level Agreement (SLA): An NDA is a legal document that ensures any sensitive information accessed by the
penetration tester during the engagement remains confidential. RoE defines the testing boundaries and acceptable method
while the SOW outlines the specific tasks and deliverables. The SLA pertains to service performance and uptime.
2. Which technique uses detailed information about a company's publicly available systems and services
without interacting with them directly?: - WHOIS Lookup
3. Which of the following tools is commonly used to automate exploit devel- opment and execution against a
vulnerable target system?
Hydra
John the Ripper
Metasploit sqlmap:
Metasploit
4. Which of the following techniques is the best to maintain access to a compromised system after a
reboot or if the initial exploit is closed? Clear system logs
Schedule a cron job Escalate privileges
Use PsExec for lateral movement: Schedule a cron job
5. In which section of a penetration test report should a non-technical summa- ry of key findings and their
business impact be included?
Scope and Methodology Findings and
Evidence Executive Summary
Remediation Recommendations: Executive Summary
6. Which regulation enforces strict rules on data protection within the EU, including requirements like
obtaining permission for data processing and performing data impact assessments?: GDPR
7. Why is it important for penetration testers to understand and operate within regulations such as GDPR and
GLBA?: To ensure legal compliance and protect sensitive data
, CompTIA PenTest+ (PT0-003) Full Course & Practice
Exam
8. Which type of assessment focuses on evaluating the security of wireless networks, identifying vulnerabilities
like weak encryption and rogue access points?: Wireless assessment
9. What term describes specific areas or elements that are off-limits during a penetration test, often to avoid
business disruption or exposing sensitive data?: Exclusions
10. In the Shared Responsibility Model, which party is responsible for securing the operating system and
applications in a cloud environment?: Customer
11.Which of the following categories in the MITRE ATT&CK framework focus- es on techniques used to
maintain access in a target system?: Persistence
12.Which of the following OWASP Top 10 vulnerabilities involves improper enforcement of user
permissions, allowing unauthorized individuals from seeing data or altering functionality?: Broken Access
Control
13.Which control group in the OWASP MASVS ensures the security of data in transit and at rest using
cryptographic methods?: MASVS-CRYPTO
14.Which phase of the PTES framework involves gaining knowledge about the target system using both
passive and active techniques?: Information Gathering
15.Which STRIDE element involves exploiting weaknesses in a system's au- thentication process to assume
another user's identity?: Spoofing
16.Which tool or method best allows testers to retrieve old versions of web- sites to gather potentially sensitive
information that may have been removed from a current site?: Wayback Machine
17.Which tool is commonly used to analyze captured network packets and filter them based on protocols, IP
addresses, and port numbers?: Wireshark
18.Which technique involves sending requests to open ports to retrieve in- formation about the software and
version running on the system?: Banner Grabbing
19.Which Nmap scan type is commonly referred to as a "half-open" scan because it does not complete the
TCP handshake?: SYN Scan
20.Which tool or method allows testers to collect data from a website's markup code and potentially uncover
sensitive details such as server types or internal names?: HTML Scraping
21.Which of the following is the BEST reason why job boards like Indeed or Glassdoor are valuable for
penetration testers during OSINT?: The BEST reason is that job boards list roles, required skills, and technologies
in use, which
gives direct insight into the organization's infrastructure, aiding in targeting specific vulnerabilities.
, CompTIA PenTest+ (PT0-003) Full Course & Practice
Exam
22.Which of the following is a common cause of information disclosure, often revealing sensitive details such as
database dumps or server file paths? Error messages
DNS misconfiguration Password
spraying
Social engineering: Error messages
23.What command in Linux is used to perform DNS lookups to retrieve information about a domain's
IP addresses?
nslookup dig
ping traceroute: dig
24.What role do Certificate Transparency logs play in enhancing digital cer- tificate security?: Detect rogue
certificates
25.Which search engine operator restricts results to a specific website or domain?: site
26.Which transport layer protocol is faster but less reliable than TCP and is often used to identify potential
denial-of-service vulnerabilities?: UDP
27.Which type of DNS query attempts to replicate DNS records between DNS servers?: Zone transfer
28.Which tool is commonly used for directory enumeration by brute-forcing possible URLs to uncover hidden
directories on a web server?: DirBuster
29.What command is used in Windows environments to display a list of shared resources on a local
network?: net /view
30.Which Linux file contains a list of all user accounts and their hashed passwords?: /etc/shadow
31.Which tool is primarily used to gather email addresses, subdomains, and IP addresses from public sources
during the reconnaissance phase?: theHar- vester
32.Which tool provides a graphical interface to map relationships between domains, email addresses, and IP
addresses?: Maltego
33.Which of the following command examples can be used to perform a reverse DNS lookup in dig?: dig
-x 8.8.8.8
34.Which command saves the captured network packets to a file for later analysis using tcpdump?:
tcpdump -w capture.pcap
35.Which tool is used for capturing and attempting to gain access to the WPA/WPA2 keys during wireless
network testing?
Aircrack-ng
WiGLE
