CompTIA PenTest+ Practice Test (PT0-002)
Use the form below to configure your CompTIA PenTest+ Practice Test (PT0-002). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

CompTIA PenTest+ PT0-002 Information
CompTIA PenTest+ (PT0-002) Exam
The CompTIA PenTest+ (PT0-002) certification is designed for cybersecurity professionals who specialize in penetration testing and vulnerability assessment. It validates hands-on skills in planning, conducting, and reporting penetration tests for organizations. This certification is vendor-neutral and focuses on real-world scenarios, making it relevant for security professionals working with various technologies and environments.
Exam Overview
The PT0-002 exam consists of a maximum of 85 questions, including multiple-choice and performance-based questions. Candidates have 165 minutes to complete the test. The exam costs $392 USD. A passing score is 750 on a scale of 100 to 900. The certification is valid for three years and can be renewed through CompTIA’s continuing education program.
Exam Content
The PT0-002 exam covers five main domains: planning and scoping, information gathering and vulnerability scanning, attacks and exploits, reporting and communication, and tools and code analysis. Planning and scoping include engagement rules, compliance, and risk assessment. Information gathering and vulnerability scanning focus on reconnaissance, fingerprinting, and scanning techniques. Attacks and exploits test knowledge of network, web, wireless, and physical attacks. Reporting and communication cover documentation, remediation, and risk communication. Tools and code analysis assess scripting, automation, and exploit development.
Who Should Take This Exam?
The CompTIA PenTest+ certification is ideal for cybersecurity professionals working as penetration testers, security analysts, vulnerability assessment analysts, or red team members. It is recommended for individuals with at least three to four years of hands-on cybersecurity experience. The certification is also useful for IT professionals who want to advance their careers in offensive security.
How to Prepare
Candidates should review the official CompTIA PenTest+ Exam Objectives and study materials provided by CompTIA. Practical experience with penetration testing tools such as Metasploit, Nmap, and Burp Suite is essential. Practice exams can help assess readiness and identify weak areas. Hands-on labs and ethical hacking courses can further strengthen skills.
Summary
The CompTIA PenTest+ (PT0-002) certification is a valuable credential for cybersecurity professionals specializing in penetration testing and vulnerability assessment. It validates hands-on skills in ethical hacking, exploit development, and security testing. This certification is ideal for those pursuing careers in offensive security and ethical hacking.
Scroll down to see your responses and detailed results
Free CompTIA PenTest+ PT0-002 Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 15
- Time: Unlimited
- Included Topics:Planning and ScopingInformation Gathering and Vulnerability ScanningAttacks and ExploitsReporting and CommunicationTools and Code Analysis
While performing a security assessment for a company's wireless network, you notice an unverified access point with a network name mimicking that of the organization's officially used names for Wi-Fi connections. What technique would be most effective in confirming whether this access point is unauthorized and set up with malicious intent?
- You selected this option
Review the list of devices connected to the sanctioned network points to see if the dubious device is listed as a client.
- You selected this option
Intercept and scrutinize the data packets from the network point in question for inconsistencies with the organization's wireless security protocols.
- You selected this option
Interview staff members to verify whether they recognize or have connected to this network point to collect data on its authenticity.
- You selected this option
Change the network names used by the organization's official Wi-Fi to determine if the questionable access point adapts its broadcasted name in response.
Answer Description
Analyzing the traffic from the unverified access point for irregularities such as unfamiliar encryption standards or deceitful login prompts is the correct method to ascertain its legitimacy. This type of analysis provides concrete evidence, which is necessary in a professional penetration testing scenario. Adjusting network names of legitimate points does not directly reveal information about the unverified device and therefore is incorrect. Employee inquiries are not dependable for technical verification and could tip off an adversary if present. Checking the client list on authorized devices is generally not effective, as rogue devices may not show up there or could be set up to avoid such detection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are data packets in network communication?
What are wireless security protocols?
What is the significance of intercepting network traffic?
During an active reconnaissance phase, a penetration tester is examining a web application's URLs. Which component of a URL should be scrutinized to identify possible injection points that could be manipulated for exploitation?
- You selected this option
Hostname
- You selected this option
Path directories
- You selected this option
Query parameters
- You selected this option
Protocol
Answer Description
Query parameters within a URL typically represent the client's input or choices and can be points where SQL injection, Cross-Site Scripting (XSS), and other types of attacks might be possible. Such parameters are often appended after a question mark ('?') and can be manipulated to test for vulnerabilities in the processing of user input. It's crucial for penetration testers to identify and scrutinize these potential injection points. Hostnames, protocols, and path directories are generally static parts of the URL and, while important for reconnaissance, are not typically injection points.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are query parameters in a URL?
What types of injection attacks can occur through query parameters?
How do penetration testers identify vulnerabilities in query parameters?
A penetration test that involves credit card data must adhere to the Health Insurance Portability and Accountability Act (HIPAA) to satisfy compliance requirements.
- You selected this option
True
- You selected this option
False
Answer Description
The correct compliance standard for a penetration test involving credit card data is the Payment Card Industry Data Security Standard (PCI DSS), not the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is related to the protection of health information, not credit card data. Therefore, the statement is incorrect.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is PCI DSS and why is it important?
Can you explain HIPAA and what it covers?
What are the consequences of not complying with PCI DSS?
In the context of network security, what is the primary purpose of using a tool that employs the technique known as 'sniffing'?
- You selected this option
Broadcasting service set identifiers (SSIDs)
- You selected this option
Decrypting SSL/TLS traffic
- You selected this option
Monitoring and capturing network traffic
- You selected this option
Injecting traffic into the network
Answer Description
The correct answer is Monitoring and capturing network traffic. Sniffing is a technique that involves monitoring the network traffic flowing through a network, which can include capturing data packets to analyze their content for information gathering purposes. This is a key process during a penetration test to understand the network and identify potential vulnerabilities or data leakage. Decrypting SSL/TLS traffic is not the primary purpose, it's a separate process that can sometimes be associated with captured traffic if appropriate keys are available. Injecting traffic into the network relates to actions typically performed during active attacks or specific testing procedures, not passive information gathering like sniffing. Broadcasting service set identifiers (SSIDs) is part of wireless network operations, not a function of network sniffing.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the common tools used for network sniffing?
How does sniffing differ from other network techniques like spoofing?
What kind of information can be gathered through sniffing?
What is the primary purpose of using the Open Security Content Automation Protocol in the context of a penetration test?
- You selected this option
To decode encrypted files
- You selected this option
To standardize the way security software communicates information about public vulnerabilities and configuration issues
- You selected this option
To crack passwords and hashes
- You selected this option
To perform social engineering attacks
Answer Description
The correct answer is To standardize the way security software communicates information about public vulnerabilities and configuration issues. SCAP is designed to provide a standardized approach for maintaining the security of enterprise systems, which includes vulnerability and configuration checking. It does so by standardizing the way software communicates information about public vulnerabilities and configuration issues, thus it is highly relevant as a tool in penetration testing for automation and compliance checking. To perform social engineering attacks is incorrect because SCAP is about automating vulnerability checks, not manipulating human behavior. To decode encrypted files is incorrect because it deals with standardization of security-related information, not with decrypting or encryption tasks. To crack passwords and hashes is also incorrect as the aim of SCAP is not to attack or break into authentication systems, but to automate checking for known vulnerabilities and configuration issues.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does SCAP stand for and what are its components?
How does SCAP enhance efficiency in penetration testing?
Can SCAP be used for compliance checking, and how?
As a penetration tester, you have been tasked to assess the security of a company's wireless infrastructure. You decide to simulate an evil twin attack to test the network's resilience to credential theft. Which tool would you use to create a rogue access point that replicates the company's WPA2-Enterprise network in order to capture employee credentials?
- You selected this option
Implement Kismet for network detection and packet sniffing on the target wireless network.
- You selected this option
Deploy mdk4 to conduct a denial-of-service attack on the network, effectively disrupting the wireless services.
- You selected this option
Utilize Aircrack-ng to crack the WPA2 password and gain unauthorized access to sensitive information.
- You selected this option
Use EAPHammer to create the rogue access point and facilitate the attack to capture credentials.
Answer Description
EAPHammer is specifically designed for such a scenario, where it can be used to create a rogue access point that mimics the legitimate WPA2-Enterprise network. It can then capture credentials as employees unwittingly connect to this malicious access point, thinking it is the corporate network. The incorrect answers, while related to Wi-Fi security, do not provide the functionality to mimic WPA2-Enterprise networks for the purpose of capturing credentials through such an attack.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an evil twin attack?
How does EAPHammer work?
What are the risks of using EAPHammer or similar tools?
During a penetration test, you aim to demonstrate the impact of compromised data integrity on a network file system that contains critical operational data. Which attack method would BEST demonstrate the potential for data corruption in the network file system?
- You selected this option
Exploiting weak service configuration
- You selected this option
Implementing an ARP poisoning attack
- You selected this option
Overloading the system with excessive traffic
- You selected this option
Introducing malformed or non-standard data structures
Answer Description
The correct answer is 'Introducing malformed or non-standard data structures' because it directly leads to data corruption by breaking the expected data format, which could render files unusable or inaccessible. 'Overloading the system with excessive traffic' would lead to Denial of Service (DoS) rather than direct data corruption. 'Implementing an ARP poisoning attack' could lead to a Man-in-the-Middle (MiTM) scenario but may not corrupt data on the filesystem itself. 'Exploiting weak service configuration' might escalate privileges or lead to unauthorized access but does not specifically aim to corrupt data.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are malformed data structures?
How does data corruption affect a network file system?
What are common methods to prevent data corruption in network file systems?
As a penetration tester, you are contracted to assess the security of a multinational corporation's internal network. The corporation has multiple interconnected sites and relies heavily on cloud services. Which of the following is the most important initial step to ensure that your testing does not impact systems outside of the agreed scope?
- You selected this option
Define and discuss a detailed target list with the client, including IP ranges, domains, and specified cloud services that are to be included in the assessment.
- You selected this option
Assume all interconnected sites are in scope unless otherwise informed by the client in order to conduct a thorough test of the network.
- You selected this option
Begin testing on the client’s production cloud services to expose as many vulnerabilities as possible regardless of the scope to showcase due diligence.
- You selected this option
Start with an immediate vulnerability assessment of the IP ranges connected to their primary data center to look for potential entry points.
Answer Description
Defining a comprehensive target list that specifies in-scope assets such as IP ranges, domains, and which cloud services are included in the test is crucial for ensuring that the penetration test is contained within the agreed scope. Testing beyond the specified target list could lead to unauthorized access and potential legal issues. Answers that suggest starting the test immediately or bypassing the scope with the excuse of finding additional vulnerabilities neglect the need for a structured approach and undermine the importance of prior agreement on the engagement scope.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is defining a target list important in penetration testing?
What are the risks of testing outside the agreed scope?
What should be included in a detailed target list for a penetration test?
During a penetration test, you identify that a web application displays verbose error messages with stack traces when invalid input is submitted. What vulnerability does this improper error handling indicate?
- You selected this option
Information disclosure
- You selected this option
SQL injection
- You selected this option
Buffer overflow
- You selected this option
Input validation
Answer Description
Verbose error messages with stack traces can lead to information disclosure vulnerabilities. These detailed errors can provide an attacker with insights about the application's structure, backend technology, or potentially sensitive information in the stack trace which could facilitate further attacks. Incorrect options such as 'Buffer overflow' and 'SQL injection' are specific types of attacks that might be discovered through other means but are not directly associated with the presence of verbose error messages. 'Input validation' is not a vulnerability but a security measure to prevent vulnerabilities, thus it is also incorrect in this context.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does information disclosure mean in a cybersecurity context?
How can verbose error messages be prevented in web applications?
What is the significance of input validation in web security?
During a penetration test, you have successfully exploited a vulnerability on a Windows server and have gained access to the cmd.exe command shell. You want to upgrade this shell to have enhanced capabilities, including the ability to transfer files securely and manipulate the Windows Registry from your attack platform. Which of the following actions would BEST accomplish this?
- You selected this option
Initiate an SSH connection to the server to enable secure file transfers
- You selected this option
Deploy an additional cmd.exe shell for registry manipulation
- You selected this option
Use the cmd.exe shell to manually transfer files using FTP
- You selected this option
Generate a Meterpreter payload and execute it on the target system to upgrade the shell
- You selected this option
Open a PowerShell session to utilize its native features
- You selected this option
Connect to the server with a Telnet client to achieve persistent access
Answer Description
Upgrading from a basic cmd.exe command shell to a Meterpreter shell would provide the most versatile and powerful functionalities for a penetration test. Meterpreter, as part of the Metasploit framework, offers enhanced features including the ability to upload/download files, manipulate the Windows Registry, interact with the file system, and use advanced pivoting techniques. Other types of shells or access methods, such as a simple SSH or Telnet connection, would not offer the same level of functionality and control over the Windows environment that the Meterpreter shell provides.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Meterpreter?
What does it mean to upgrade a shell in penetration testing?
What is the Metasploit framework?
When conducting a vulnerability assessment, which method would best assist a penetration tester in evading detection by a network-based anomaly detection system?
- You selected this option
Sending ICMP echo requests at regular intervals
- You selected this option
Performing a full connect scan with default settings
- You selected this option
Conducting a fragmented packet scan
- You selected this option
Scanning using only the most common ports
Answer Description
Fragmented packet scanning is a technique used to split the crafted packets into smaller pieces, potentially evading detection by making the traffic appear less suspicious to anomaly detection systems that are expecting larger packets indicative of a scan or attack. On the other hand, performing a full connect scan without any modifications can be easily detected due to the establishment of a full TCP connection. While using common ports may help evade some simplistic forms of detection, it is less effective against anomaly detection systems. ICMP echo requests are typically used for simple host discovery and are not as effective for evading sophisticated detection systems.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a fragmented packet scan and how does it work?
What is the difference between a full connect scan and a half-open scan?
Why might using common ports be inadequate for evading detection?
During an active reconnaissance phase, a penetration tester is analyzing the URLs of a client's web application to determine entry points and possible vulnerabilities. Which of the following URL formats is MOST likely to be useful for identifying potential parameters for testing inputs or discovering hidden directories?
- You selected this option
- You selected this option
- You selected this option
- You selected this option
Answer Description
The correct answer is 'https://www.example.com/product.php?id=1234&category=tools'. This URL contains parameters ('id' and 'category'), which can be tested for vulnerabilities such as SQL injection, XSS, and more. A penetration tester could manipulate these parameters to see how the application responds, thereby potentially discovering security flaws.
The incorrect answers listed don't provide the same level of actionable information. The URL containing the 'mailto' protocol is typically used for email and does not usually have parameters that could be tested for web application vulnerabilities. The URL with 'https://www.example.com/privacy' is likely a static page and while it could contain potential endpoints for further investigation, it does not explicitly showcase parameters like the correct answer. Lastly, the URL 'ftp://ftp.example.com/resources' uses the FTP protocol, which is less likely to be the focus of this type of testing in comparison to HTTP(S), which directly interacts with web applications.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are URL parameters and how are they used in security testing?
What is SQL injection and why is it a concern for web applications?
What are common practices to secure web applications against parameter-based vulnerabilities?
What is the primary goal of utilizing the methodology outlined in the OSSTMM during a penetration testing engagement?
- You selected this option
To quantify the financial investment in security controls.
- You selected this option
To provide a scientific methodology for the accurate representation of operational security.
- You selected this option
To establish a comprehensive risk management framework.
- You selected this option
To facilitate the creation of new security technologies.
Answer Description
The primary goal of using the OSSTMM is to provide a scientific methodology for the accurate representation of operational security. The OSSTMM focuses on testing the operational security of physical locations, networks, and systems to ensure that the testing process is comprehensive and repeatable. This is important because it not only standardizes penetration testing across different environments but also ensures that the results are actionable and reliable. Option B is incorrect because, while risk management is a component of penetration testing, it is not the primary goal of the OSSTMM. Option C is incorrect because this methodology is not primarily about quantifying security spending. Option D is incorrect as its primary goal is not the generation of new security technologies.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does OSSTMM stand for?
What are the components of operational security tested by OSSTMM?
Why is standardization in penetration testing important?
Which principle of influence might an attacker leverage when they convince a victim that a limited number of security software licenses are available at a discount, prompting immediate action?
- You selected this option
Authority
- You selected this option
Scarcity
- You selected this option
Urgency
- You selected this option
Social proof
Answer Description
The principle of 'Scarcity' refers to the human tendency to value and desire something more when it is perceived as rare or dwindling in availability. In the context of social engineering, an attacker may use this principle to create a sense of urgency and prompt immediate decision-making, potentially leading to the victim taking an action they might not have taken under normal circumstances. This may manifest as limited time offers, exclusive access, or in this case, a limited number of available licenses which could lead to hasty purchases without proper verification.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are some examples of how scarcity is used in marketing?
How does the principle of scarcity compare to urgency?
How can individuals protect themselves from falling for scarcity tactics?
During an internal security assessment, a penetration tester needs to identify live hosts without performing a full port scan, to reduce network congestion. Which of the following Nmap options would be most appropriate for the tester to use to simply ping the hosts?
- You selected this option
-sV
- You selected this option
-A
- You selected this option
-p
- You selected this option
-sn
Answer Description
The '-sn' option in Nmap is used to perform a host discovery, which simply pings the hosts without actually scanning any ports. This is the correct answer as it minimizes the amount of traffic and reduces the chance of causing network disruption. The '-sV' option executes a service version detection, which is more intrusive and creates more traffic, going beyond the requirement of just discovering live hosts. The '-A' option enables OS detection, version detection, script scanning, and traceroute, which would not only produce more traffic but also try to scan and fingerprint hosts, which is not needed in this scenario. The '-p' option specifies the target ports to scan, which does not directly relate to host discovery without port scanning.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Nmap and what are its primary uses?
What does the '-sn' option do in Nmap?
Why is minimizing network traffic important during a security assessment?
Neat!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.