
CompTIA PenTest+ Sample Questions for PT0-003 Exam Readiness

  • CertiMaan
  • Oct 24
  • 11 min read

Updated: Nov 22

Get exam-ready with this comprehensive collection of CompTIA PenTest+ sample questions tailored for the PT0-003 certification. These practice materials are designed to simulate real-world penetration testing scenarios, helping candidates build hands-on skills in vulnerability assessment, attack techniques, and report generation. Whether you’re an aspiring penetration tester or a cybersecurity analyst, these sample questions and PT0-003 practice exams will boost your confidence and knowledge. With updated PenTest+ dumps and expert-verified mock tests, this guide is perfect for mastering the latest exam objectives and preparing for success in the growing field of cybersecurity testing and compliance.



CompTIA PenTest+ Sample Questions List:


1. A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

  1. Smishing

  2. Impersonation

  3. Tailgating

  4. Whaling

2. Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

  1. Articulation of cause

  2. Articulation of impact

  3. Articulation of escalation

  4. Articulation of alignment

3. A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?

  1. SSL certificate inspection

  2. URL spidering

  3. Banner grabbing

  4. Directory brute forcing

4. During an assessment, a penetration tester runs the following command:

  setspn.exe -Q */*

Which of the following attacks is the penetration tester preparing for?

  1. LDAP injection

  2. Pass-the-hash

  3. Kerberoasting

  4. Dictionary

5. A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network. Which of the following is the next task the tester should complete to accomplish the objective?

  1. Initiate a social engineering campaign.

  2. Perform credential dumping.

  3. Compromise an endpoint.

  4. Share enumeration.

6. A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client's current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?

  1. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

  2. Perform an internal vulnerability assessment with credentials to review the internal attack surface.

  3. Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

  4. Perform a full internal penetration test to review all the possible exploits that could affect the systems.

7. Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

  1. Badge cloning

  2. Shoulder surfing

  3. Tailgating

  4. Site survey

8. During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

  1. SQL injection

  2. SSRF

  3. XSS

  4. Server-side template injection

9. During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

  1. certutil.exe

  2. bitsadmin.exe

  3. msconfig.exe

  4. netsh.exe

10. During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption. Which of the following attacks would accomplish this objective?

  1. ChopChop

  2. Replay

  3. Initialization vector

  4. KRACK

11. During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

  snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

  1. Bypass defensive systems to collect more information.

  2. Use an automation tool to perform the attacks.

  3. Script exploits to gain access to the systems and host.

  4. Validate the results and remove false positives.

12. In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

  1. IAM

  2. Block storage

  3. Virtual private cloud

  4. Metadata services

13. During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

  1. KARMA attack

  2. Beacon flooding

  3. MAC address spoofing

  4. Eavesdropping

14. During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

  1. Responder

  2. Hydra

  3. BloodHound

  4. CrackMapExec

15. A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

  1. schtasks.exe

  2. rundll.exe

  3. cmd.exe

  4. chgusr.exe

  5. sc.exe

16. Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

  1. Creating registry keys

  2. Installing a bind shell

  3. Executing a process injection

  4. Setting up a reverse SSH connection

17. A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

  1. ntlmrelayx.py -t 192.168.1.0/24 -1 1234

  2. nc -tulpn 1234 192.168.1.2

  3. responder.py -I eth0 -wP

  4. crackmapexec smb 192.168.1.0/24

18. A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

  PORT     STATE    SERVICE
  22/tcp   open     ssh
  25/tcp   filtered smtp
  111/tcp  open     rpcbind
  2049/tcp open     nfs

Based on the output, which of the following services provides the best target for launching an attack?

  1. Database

  2. Remote access

  3. Email

  4. File sharing

19. Which of the following components should a penetration tester include in an assessment report?

  1. User activities

  2. Customer remediation plan

  3. Key management

  4. Attack narrative

20. A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

  1. Testing window

  2. Terms of service

  3. Authorization letter

  4. Shared responsibilities

21. During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result. Which of the following is the best tool to use for this task?

  1. Nikto

  2. Burp Suite

  3. smbclient

  4. theHarvester

22. A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?

  1. route.exe print

  2. netstat.exe -ntp

  3. net.exe commands

  4. strings.exe -a

23. During a penetration test, a tester captures information about an SPN account. Which of the following attacks requires this information as a prerequisite to proceed?

  1. Golden Ticket

  2. Kerberoasting

  3. DCShadow

  4. LSASS dumping

24. During a penetration testing engagement, a tester targets the internet-facing services used by the client. Which of the following describes the type of assessment that should be considered in this scope of work?

  1. Segmentation

  2. Mobile

  3. External

  4. Web

25. During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

  findstr /SIM /C:"pass" *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

  1. Configuration files

  2. Permissions

  3. Virtual hosts

  4. Secrets

26. A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

  1. SAST

  2. Sidecar

  3. Unauthenticated

  4. Host-based

27. A penetration tester is compiling the final report for a recently completed engagement. A junior QA team member wants to know where they can find details on the impact, overall security findings, and high-level statements. Which of the following sections of the report would most likely contain this information?

  1. Quality control

  2. Methodology

  3. Executive summary

  4. Risk scoring

28. A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

  1. Apply UTF-8 to the data and send over a tunnel to TCP port 25.

  2. Apply Base64 to the data and send over a tunnel to TCP port 80.

  3. Apply 3DES to the data and send over a tunnel UDP port 53.

  4. Apply AES-256 to the data and send over a tunnel to TCP port 443.

29. A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

  1. Enable monitoring mode using Aircrack-ng.

  2. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

  3. Run KARMA to break the password.

  4. Research WiGLE.net for potential nearby client access points.

30. A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

  find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Which of the following is the penetration tester attempting to enumerate?

  1. Attack path mapping

  2. API keys

  3. Passwords

  4. Permission

31. A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?

  1. SAST

  2. SBOM

  3. ICS

  4. SCA

32. A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

  1. ProxyChains

  2. Netcat

  3. PowerShell ISE

  4. Process IDs

33. A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

  1. Trivy

  2. Nessus

  3. Grype

  4. Kube-hunter

34. A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?

  1. Sniffing

  2. Banner grabbing

  3. TCP/UDP scanning

  4. Ping sweeps

35. During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client's internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results. Which of the following should the tester have done?

  1. Rechecked the scanner configuration.

  2. Performed a discovery scan.

  3. Used a different scan engine.

  4. Configured all the TCP ports on the scan.

36. During an external penetration test, a tester receives the following output from a tool:

  test.comptia.org
  info.comptia.org
  vpn.comptia.org
  exam.comptia.org

Which of the following commands did the tester most likely run to get these results?

  1. nslookup -type=SOA comptia.org

  2. amass enum -passive -d comptia.org

  3. nmap -Pn -sV -vv -A comptia.org

  4. shodan host comptia.org

37. A tester completed a report for a new client. Prior to sharing the report with the client, which of the following should the tester request to complete a review?

  1. A generative AI assistant

  2. The customer's designated contact

  3. A cybersecurity industry peer

  4. A team member

38. During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

  A   -----> www
  A   -----> host
  TXT -----> vpn.comptia.org
  SPF -----> ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

  1. MX

  2. SOA

  3. DMARC

  4. CNAME

39. A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access. Which of the following techniques should the tester use?

  1. Credential stuffing

  2. MFA fatigue

  3. Dictionary attack

  4. Brute-force attack

40. During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption. Which of the following attacks would accomplish this objective?

  1. ChopChop

  2. Replay

  3. Initialization vector

  4. KRACK

41. A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?

  1. route.exe print

  2. netstat.exe -ntp

  3. net.exe commands

  4. strings.exe -a

42. A penetration tester assesses an application allow list and has limited command-line access on the Windows system. Which of the following would give the penetration tester information that could aid in continuing the test?

  1. mmc.exe

  2. icacls.exe

  3. nltest.exe

  4. rundll.exe

43. During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

  Import-Module .\PrintNightmare.ps1
  Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

  1. Log off and log on with "hacker".

  2. Attempt to add another user.

  3. Bypass the execution policy.

  4. Add a malicious printer driver.

44. A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

  1. nmap -sU -sW -p 1-65535 example.com

  2. nmap -sU -sY -p 1-65535 example.com

  3. nmap -sU -sT -p 1-65535 example.com

  4. nmap -sU -sN -p 1-65535 example.com

45. During a penetration test, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

  1. Run TruffleHog against a local clone of the application

  2. Scan the live web application using Nikto

  3. Perform a manual code review of the Git repository

  4. Use SCA software to scan the application source code

46. A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?

  1. attacker_host$ nmap -sT | nc -n 22

  2. attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 80 | tee backpipe

  3. attacker_host$ nc -nlp 8000 | nc -n attacker_host$ nmap -sT 127.0.0.1 8000

  4. attacker_host$ proxychains nmap -sT

47. Which of the following describes the process of determining why a vulnerability scanner is not providing results?

  1. Root cause analysis

  2. Secure distribution

  3. Peer review

  4. Goal reprioritization

48. During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?

  1. On-path

  2. Logic bomb

  3. Rootkit

  4. Buffer overflow


FAQs


1. What is the CompTIA PenTest+ PT0-003 certification exam?

It is an intermediate-level certification that validates your skills in penetration testing, vulnerability assessment, and managing network security risks.

2. How do I become CompTIA PenTest+ PT0-003 certified?

To earn the certification, you must register for and pass the PT0-003 exam, which tests hands-on penetration testing and ethical hacking skills.

3. What are the prerequisites for the CompTIA PenTest+ PT0-003 exam?

There are no mandatory prerequisites, but CompTIA recommends Network+ and Security+ certifications or equivalent cybersecurity experience.

4. How much does the CompTIA PenTest+ PT0-003 certification cost?

The exam costs $392 USD, though fees may vary depending on region or testing center.

5. How many questions are in the CompTIA PenTest+ PT0-003 exam?

The exam has 85 performance-based and multiple-choice questions.

6. What topics are covered in the CompTIA PenTest+ PT0-003 exam?

It covers planning, information gathering, vulnerability scanning, exploits, post-exploitation, and reporting.

7. How difficult is the CompTIA PenTest+ PT0-003 certification exam?

It’s considered moderately difficult and requires hands-on penetration testing experience and strong networking knowledge.

8. How long does it take to prepare for the CompTIA PenTest+ PT0-003 exam?

Most candidates take 10–12 weeks to prepare, depending on their cybersecurity background.

9. What jobs can I get after earning the CompTIA PenTest+ PT0-003 certification?

You can work as a Penetration Tester, Security Analyst, Vulnerability Assessor, or Ethical Hacker.

10. How much salary can I earn with a CompTIA PenTest+ PT0-003 certification?

Professionals with this certification typically earn between $90,000–$120,000 annually, depending on experience and job role.



 Copyright © 2011 - 2025  Ira Solutions -   All Rights Reserved
