Free Test: Randomized | 10 Questions per Test | 20 Minutes | 70% to pass
Question 1/10
Reconnaissance and Enumeration
You are conducting an external reconnaissance engagement for a financial services company. You need to identify web servers, mail servers, and DNS information without sending traffic directly to the target. Which of the following OSINT techniques would be most appropriate as a first step?
A. Run Nmap SYN scan against all class B subnets
B. Query public DNS records and use WHOIS lookups
C. Perform a Metasploit port scan
D. Launch a Nessus vulnerability scan
Explanation: Passive reconnaissance using WHOIS and DNS queries is the appropriate first step in external recon because it gathers information without generating traffic to the target that could trigger detection. OSINT techniques like WHOIS lookups reveal domain registrant information, nameservers, and IP ranges. DNS queries can identify mail servers (MX records), web servers (A/AAAA records), and domain structure. This passive approach establishes the engagement scope before any active testing. Nmap SYN scans, Metasploit scans, and Nessus vulnerability scans are all active techniques that generate detectable traffic and should only be performed after proper scoping and rules of engagement are established. The scope documentation should specify which systems are authorized for testing and which passive techniques are permitted.
Right Answer: B
Question 2/10
Engagement Management
During an authorized penetration test, you discover unauthorized access by an unknown threat actor to the client's systems. What is your primary responsibility under rules of engagement?
A. Immediately cease testing and report findings to the client contact
B. Continue testing to complete the engagement scope
C. Attempt to trace the threat actor's identity
D. Launch a counter-attack to isolate the threat actor
Explanation: When discovering unauthorized access during an authorized penetration test, the immediate responsibility is to cease testing and notify the client contact per rules of engagement. This discovery represents an actual security incident that falls outside the scope of authorized penetration testing. Continuing the test could interfere with incident response efforts or obscure forensic evidence. Attempting to trace or counter-attack the threat actor exceeds the penetration tester's authority and could constitute unauthorized computer access. The rules of engagement document should explicitly address escalation procedures for discovered incidents. Client notification allows their incident response team to activate appropriate incident handling procedures. The penetration test can resume after the incident is investigated and the environment is secured, if appropriate.
Right Answer: A
Question 3/10
Attacks and Exploits
You've identified a web application running an outdated version of Apache Struts vulnerable to CVE-2017-5645. The application processes user input through a vulnerable component. Which exploitation technique would be most effective to achieve remote code execution?
A. SQL injection against the database backend
B. Cross-site scripting to steal session cookies
C. Object deserialization attack via OGNL injection
D. Cross-site request forgery to modify user data
Explanation: CVE-2017-5645 in Apache Struts is a critical vulnerability that exploits OGNL (Object-Graph Navigation Language) expression injection. This vulnerability allows arbitrary object instantiation and method execution through deserialization of untrusted data. The affected component processes user input without proper validation, permitting attackers to inject malicious OGNL expressions that execute arbitrary code on the server. The exploitation involves crafting a specially formatted request that triggers the vulnerable code path. SQL injection targets database queries but doesn't exploit this specific Struts vulnerability. XSS and CSRF attacks are client-side attack vectors that don't directly lead to RCE in this scenario. Understanding CVE details and exploitation mechanics is critical for penetration testers identifying vulnerable components and their proper exploitation paths.
Right Answer: C
Question 4/10
Vulnerability Discovery and Analysis
You run a Nessus scan against a client's internal network and receive output showing multiple CVSS 7.5 vulnerabilities. Before reporting these findings, what additional verification should you perform?
A. Report all findings immediately without verification
B. Manually verify findings by attempting exploitation
C. Cross-reference with Nessus plugin documentation and verify exploitability
D. Assume all findings are false positives
Explanation: Vulnerability scanning tools like Nessus generate both accurate findings and false positives. Before reporting, penetration testers must verify scan results to ensure accuracy and relevance. Verifying exploitability involves reviewing the Nessus plugin documentation, checking affected software versions against systems in the environment, and optionally attempting limited manual verification where appropriate. This prevents reporting non-vulnerable systems and maintains credibility with the client. Reporting all findings without verification wastes client resources on non-existent issues. Assuming all are false positives misses actual vulnerabilities. Manual exploitation attempts must be conducted carefully within rules of engagement to avoid system disruption. Verification also helps prioritize remediation efforts by confirming actual exposure and impact.
Right Answer: C
Question 5/10
Post-exploitation and Lateral Movement
After gaining initial access to a Linux web server, you discover the server is part of an internal network. The web server has access to a database server on an internal subnet. What is the appropriate next step for demonstrating lateral movement capability?
A. Exfiltrate all data from the web server immediately
B. Establish persistence and enumerate the internal network
C. Perform a denial-of-service attack on the database
D. Attempt password brute-force on all visible services
Explanation: After initial compromise, the proper methodology involves establishing persistence to maintain access, then enumerating internal network topology and services. This demonstrates the real-world impact of the initial compromise and the risk of lateral movement. Establishing persistence might involve creating backdoor accounts or scheduling tasks depending on the engagement scope and rules of engagement. Enumeration techniques include checking network configuration, identifying services accessible from the compromised host, and discovering additional targets. This information gathering phase precedes actual lateral movement attempts. Immediate data exfiltration without demonstrating the attack chain provides an incomplete security posture assessment. DoS attacks and brute-force attacks may be within scope but only after proper enumeration. The goal is demonstrating realistic attack paths an adversary would take.
Right Answer: B
Question 6/10
Reconnaissance and Enumeration
You're preparing an Nmap command for a client engagement. The rules of engagement permit full port scanning with service identification. Which Nmap arguments would provide efficient service identification while minimizing scan time?
A. nmap -p- -sV --script vuln target
B. nmap -p 1-1000 -sS -sV target
C. nmap -p- -sS -sV target
D. nmap -sU -p- target
Explanation: The command "nmap -p- -sS -sV target" efficiently scans all 65535 TCP ports using SYN stealth scanning and enables service version detection. The "-p-" argument scans all ports rather than only the default top 1000. The "-sS" flag performs a half-open SYN scan, which never completes the three-way handshake and so avoids establishing full connections. The "-sV" flag probes open ports to determine service versions. This combination provides comprehensive port coverage with the version information needed for vulnerability correlation. The "--script vuln" argument in option A adds unnecessary network load and slows the scan. Option B limits the scan to ports 1-1000, potentially missing services on non-standard ports. Option D uses UDP scanning, which is slower and unnecessary for TCP service identification. Efficient scanning within rules of engagement requirements balances thoroughness with operational constraints.
Right Answer: C
Question 7/10
Engagement Management
You've completed your penetration test and discovered 47 vulnerabilities across the client's infrastructure. Your rules of engagement specify that you must deliver findings within 48 hours of test completion. The client requests a meeting before you finalize the report. What is the most appropriate action?
A. Deliver only high-severity findings immediately and delay low-severity items
B. Request a rules of engagement amendment to extend the deadline
C. Schedule the meeting within the 48-hour window and deliver the complete report on time
D. Provide findings verbally only, without written documentation
Explanation: Meeting timeline commitments in the rules of engagement is critical for professional penetration testing engagements. The 48-hour delivery deadline should be honored with a complete, comprehensive report. Scheduling a preliminary meeting to discuss findings before formal delivery can be accommodated within this timeline without compromising the deadline. This approach allows real-time discussion of critical findings while ensuring formal documentation is delivered as promised. Delivering only partial findings compromises the completeness of the engagement assessment. Requesting deadline amendments suggests poor planning and a lack of professionalism. Verbal-only communication lacks the documentation necessary for compliance and remediation tracking. The best practice is to prepare the complete report and schedule a pre-delivery meeting to discuss findings, answer questions, and address concerns. This maintains professional commitments while ensuring client satisfaction and engagement closure.
Right Answer: C
Question 8/10
Attacks and Exploits
During a Metasploit-based exploitation, you gain a meterpreter shell on a Windows server. You need to escalate privileges from a standard domain user to SYSTEM. Which technique would be most appropriate given Windows security mechanisms?
A. Run "getsystem" command to auto-escalate privileges
B. Manually create a new administrator account
C. Perform UAC bypass using a recognized technique
D. Steal NTLM hashes and crack them offline
Explanation: The "getsystem" command in Metasploit meterpreter automatically attempts multiple privilege escalation techniques appropriate to the target Windows version and configuration. This includes named pipe impersonation, token duplication, and other methods depending on system configuration. The command intelligently selects escalation vectors without requiring manual technique selection. Creating administrative accounts may trigger security alerts and leaves obvious traces. UAC bypass techniques work on some systems but fail on hardened systems with UAC enabled. NTLM hash cracking requires compromising hashes first and doesn't provide the immediate privilege elevation needed for continued access. The "getsystem" approach automates the process and increases success probability. If getsystem fails, the penetration tester can then investigate alternative vectors such as kernel exploits or service misconfigurations.
Right Answer: A
Question 9/10
Vulnerability Discovery and Analysis
Your Nessus scan identified a service running on TCP port 8080. The plugin detected it as Apache Tomcat 7.0.94 with a CVSS score of 8.1. When you manually connect, the banner shows Tomcat 9.0.50. What does this likely indicate?
A. Nessus is always incorrect about service versions
B. The service is hiding its true version with a banner
C. The system has been updated since the scan
D. There are two Tomcat instances running
Explanation: Services frequently present misleading banners to confuse attackers and vulnerability scanners. Tomcat and other web servers can be configured to display custom banners or omit version information entirely. The discrepancy between Nessus's detection (7.0.94) and the manual banner (9.0.50) suggests the newer version is displaying a fake banner while an older vulnerable version still runs. Alternatively, the system was updated but the scanner's cached data hasn't been refreshed. Investigating this discrepancy involves checking running processes, reviewing startup scripts, and testing actual exploits against suspected vulnerable versions. Nessus detections are generally reliable for vulnerability logic but can be defeated by proper banner manipulation. This scenario demonstrates why penetration testers must verify scanner results through multiple methods. The CVSS 8.1 score suggests a serious vulnerability worth investigating further despite the banner discrepancy.
Right Answer: B
Question 10/10
Post-exploitation and Lateral Movement
You've established persistence on a compromised Linux system. You need to move laterally to a database server on an internal subnet. The compromised host has network connectivity, but you cannot interact directly due to firewall rules. Which technique would most effectively enable lateral movement?
A. Set up a reverse SSH tunnel back to your attack machine
B. Perform port forwarding through the compromised host
C. Deploy a SOCKS proxy through the meterpreter session
D. All options achieve lateral movement equally
Explanation: A SOCKS proxy established through an existing meterpreter or reverse shell provides the most flexible lateral movement capability. The proxy on the compromised host redirects traffic through that system, bypassing the firewall that prevents direct connection. Tools like proxychains can route any application's traffic through the SOCKS proxy. This technique supports multiple simultaneous connections and various attack tools without requiring modification of individual tools. SSH tunneling works for specific port forwarding but is less flexible for complex scanning and exploitation. Direct port forwarding requires knowing specific ports in advance. The SOCKS proxy approach allows reconnaissance and exploitation of internal targets as if they were directly accessible. This is particularly effective for enumerating database servers, internal web applications, and additional network segments. The compromised host acts as an application-layer proxy forwarding all traffic appropriately.
CompTIA Pentest+ Practice test unlocks all online simulator questions
Thank you for choosing the free version of the CompTIA Pentest+ practice test! Further deepen your knowledge with the CompTIA Simulator: by unlocking the full version of our CompTIA Pentest+ Simulator you will be able to take tests with over 200 constantly updated questions and easily pass your exam. 98% of people pass the exam on the first attempt after preparing with our 200 questions.
What to expect from our CompTIA Pentest+ practice tests and how to prepare for any exam?
The CompTIA Pentest+ Simulator Practice Tests are part of the CompTIA Database and are the best way to prepare for any CompTIA Pentest+ exam. The CompTIA Pentest+ practice tests consist of 200 questions and are written by experts to help you prepare to pass the exam on the first attempt. The CompTIA Pentest+ database includes questions from previous and other exams, which means you will be able to practice simulating past and future questions. Preparation with the CompTIA Pentest+ Simulator will also give you an idea of the time it will take to complete each section of the CompTIA Pentest+ practice test. It is important to note that the CompTIA Pentest+ Simulator does not replace the classic CompTIA Pentest+ study guides; however, the Simulator provides valuable insights into what to expect and how much work needs to be done to prepare for the CompTIA Pentest+ exam.
The CompTIA Pentest+ Practice test therefore represents an excellent tool to prepare for the actual exam together with our CompTIA practice test. Our CompTIA Pentest+ Simulator will help you assess your level of preparation and understand your strengths and weaknesses. Below you can read about all the quizzes you will find in our CompTIA Pentest+ Simulator and how our unique CompTIA Pentest+ Database is made up of real questions:
Info quiz:
Quiz name: CompTIA Pentest+
Total number of questions: 200
Number of questions for the test: 50
Pass score: 80%
You can prepare for the CompTIA Pentest+ exams with our mobile app. It is very easy to use and even works offline in case of network failure, with all the functions you need to study and practice with our CompTIA Pentest+ Simulator.
Use our Mobile App, available for both Android and iOS devices, with our CompTIA Pentest+ Simulator. You can use it anywhere, and remember that our mobile app is free and available on all stores.
Our Mobile App contains all CompTIA Pentest+ practice tests, which consist of 200 questions, and also provides study material to pass the final CompTIA Pentest+ exam with guaranteed success.
Our CompTIA Pentest+ database contains hundreds of questions and CompTIA Tests related to the CompTIA Pentest+ Exam. This way you can practice anywhere you want, even offline without the internet.