Free Sample — 15 Practice Questions
Preview 15 of 220 real practice questions from the CompTIA PT0-003 study guide.
Question 19
A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete.
Which of the following tools can the tester use to accelerate the test and achieve similar results?
A. TruffleHog
B. Postman
C. Wfuzz
D. WPScan
Correct Answer: C
Explanation:
Burp Suite Community Edition’s Intruder is deliberately throttled, making large-scale fuzzing and brute-force tests slow. Wfuzz is a dedicated, command-line web fuzzing tool designed for speed and automation, allowing similar payload-based attacks (parameter fuzzing, directory brute-forcing, etc.) much faster. The other options target different use cases: TruffleHog scans for secrets, Postman is an API testing client, and WPScan is specific to WordPress.
Question 34
During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?
A. A collection of email addresses for the target domain that is available on multiple sources on the internet
B. DNS records for the target domain and subdomains that could be used to increase the external attack surface
C. Data breach information about the organization that could be used for additional enumeration
D. Information from the target's main web page that collects usernames, metadata, and possible data exposures
Correct Answer: A
Explanation:
Hunter.io is an OSINT email enumeration platform. It discovers and verifies email addresses associated with a target domain by aggregating data from publicly available sources on the internet. It does not primarily provide DNS records, breach data, or webpage scraping details.
Question 46
During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops:
Which of the following technical controls should the tester recommend to reduce the risk of compromise?
A. Multifactor authentication
B. Patch management
C. System hardening
D. Network segmentation
Correct Answer: C
Explanation:
The risk comes from unnecessary services listening on hosts, which increases the attack surface. System hardening specifically involves disabling unused services, closing unnecessary ports, and securely configuring systems. MFA, patch management, and network segmentation do not directly address the presence of unnecessary listening services on individual laptops.
Question 28
As part of an engagement, a penetration tester needs to scan several hundred public-facing URLs for dangerous files or outdated web server versions. Which of the following should the tester use?
A. Nmap
B. ZAP
C. BloodHound
D. Nikto
Correct Answer: D
Explanation:
Nikto is a web server vulnerability scanner designed to scan many public-facing URLs for dangerous files, misconfigurations, and outdated web server versions. Nmap focuses on ports/services, ZAP targets in-depth web app testing, and BloodHound is for Active Directory analysis.
Question 29
A penetration tester wants to download sensitive files stored on the client's file server and runs the following scan:
Which of the following TCP ports should the penetration tester target as a next step?
Correct Answer: D
Explanation:
The goal is to download files from a file server, so a file transfer service is the most relevant target. Port 990 is used for FTPS (FTP over SSL/TLS), which is commonly enabled on file servers for secure file transfers. Given the scan indicates this service is available, it is the logical next step compared to FTP (21), SFTP (22), or HTTP (80).
Question 36
A penetration tester is getting ready to conduct a vulnerability scan to evaluate an environment that consists of a container orchestration cluster. Which of the following tools would be best to use for this purpose?
A. NSE
B. Nessus
C. CME
D. Trivy
Correct Answer: D
Explanation:
The environment is a container orchestration cluster, which requires tooling that understands container images, Kubernetes components, and cloud-native configurations. Trivy is purpose-built for this use case, providing vulnerability scanning for container images, Kubernetes clusters, manifests, and related infrastructure. Nessus is a general network vulnerability scanner, NSE is a scripting engine for Nmap, and CME targets Active Directory environments, making them less suitable here.
Question 22
A tester compromises a shared host that is manually audited every week due to the absence of a SIEM.
Which of the following is the best way to reduce the chances of being detected?
A. Modify files located in the /var/log directory.
B. Use the clear command to remove recent terminal activity.
C. Perform commands under one of the developer accounts.
D. Disable all logging services on the host.
Correct Answer: C
Explanation:
In an environment without a SIEM and only weekly manual audits, the goal is to blend in and avoid obvious anomalies. Modifying or deleting logs (/var/log), clearing terminal history, or disabling logging services are all highly suspicious actions that auditors commonly check for. Performing actions under an existing, legitimate developer account allows activity to appear routine and consistent with normal usage, significantly reducing the chance of detection during manual review.
Question 9
A penetration testing company is defining the rules of engagement with a client. Which of the following should the company include?
A. Non-disclosure agreement
B. Escalation process
C. URL list
D. Authorization letter
Correct Answer: B
Explanation:
Rules of engagement define how the penetration test is conducted and managed, including communication and response procedures. An escalation process specifies who to contact and how to handle critical findings or outages during testing, making it a core ROE element. An authorization letter is a separate pre-engagement legal permission, not part of the ROE itself.
Question 37
A penetration tester successfully gains access to a Linux system and then uses the following command:
find / -type f -ls > /tmp/recon.txt
Which of the following best describes the tester's goal?
A. Permission enumeration
B. Secrets enumeration
C. User enumeration
D. Service enumeration
Correct Answer: A
Explanation:
The command `find / -type f -ls` recursively lists every regular file on the system with detailed metadata similar to `ls -l`, including permissions, ownership, and inode information, and saves it to a file. This is primarily used to enumerate file permissions and ownership across the system, which is permission enumeration—not secrets, users, or services.
Question 5
A company's incident response team determines that a breach occurred because a penetration tester left a web shell. Which of the following should the penetration tester have done after the engagement?
A. Enable a host-based firewall on the machine
B. Remove utilized persistence mechanisms on client systems
C. Revert configuration changes made during the engagement
D. Turn off command-and-control infrastructure
Correct Answer: B
Explanation:
A web shell is a persistence mechanism left behind on a compromised system. After a penetration test, the tester must clean up all artifacts introduced during the engagement, including removing any persistence mechanisms such as web shells, backdoors, or accounts. Failing to do so can enable real attackers to exploit them later. The other options do not directly address removing the cause of the breach.
Question 10
A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user.
Which of the following is the most appropriate tool for this task?
A. BloodHound
B. Responder
C. Burp Suite
D. Hydra
Correct Answer: D
Explanation:
The task is to test whether known or leaked passwords can authenticate to an SSH service. Hydra is specifically designed for online password attacks against network services such as SSH, FTP, and HTTP, making it the most appropriate tool. BloodHound is for Active Directory relationship analysis, Responder is for poisoning and credential capture on local networks, and Burp Suite targets web application testing rather than SSH authentication.
Question 21
A penetration tester gains initial access to a Windows workstation on a client’s network. The tester wants to determine the next target but does not want to install software on the workstation.
Which of the following is the best tool to list potential targets?
A. mmc.exe
B. Netstat
C. Mimikatz
D. explorer.exe
E. CME
Correct Answer: B
Explanation:
Netstat is a native Windows, living-off-the-land utility that requires no software installation. By examining active connections and routing information (e.g., netstat -ano or netstat -r), a tester can identify other hosts the workstation communicates with, such as servers or domain controllers, making it the best option for discovering potential next targets. The other options either do not directly enumerate network targets or require installing external tools.
Question 17
A penetration tester reviews the following output:
Which of the following most likely describes the function of this system?
A. Enterprise mail server
B. Honeypot
C. Stand-alone web server
D. Domain Controller
Correct Answer: B
Explanation:
The system presents conflicting characteristics that would not occur on a legitimate production server. A Windows Domain Controller would not expose a Debian-branded OpenSSH service, nor would it typically rely on SSH at all. This kind of OS/service mismatch is a classic indicator of a deliberately misrepresented system designed to attract attackers, which most closely aligns with a honeypot rather than a real domain controller or a normal web/mail server.
Question 50
A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?
A. SAST
B. Sidecar
C. Unauthenticated
D. Host-based
Correct Answer: C
Explanation:
The tester wants to identify vulnerabilities visible from outside the organization, which means scanning without any credentials or internal access. An unauthenticated scan shows what an external attacker can see. SAST is source code analysis, sidecar relates to container architectures, and host-based scans require internal agents, so they do not fit this scenario.
Question 41
A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:
Which of the following logic constructs would permit the script to continue despite failure?
A. Add a do/while loop.
B. Add an iterator.
C. Add a try/except block.
D. Add an if/else conditional.
Correct Answer: C
Explanation:
In Python, failures such as connection errors or authentication errors raise exceptions. Wrapping the risky operations in a try/except block allows the script to catch those exceptions, handle them, and continue executing instead of terminating. An if/else cannot handle exceptions, an iterator only controls looping, and Python has no native do/while construct.