The CompTIA PenTest+ (PT0-003) validates the skills needed to plan, execute, and report on penetration tests. It bridges the gap between Security+ and OSCP, testing both conceptual and applied pen-testing methodology. Download the official CompTIA PenTest+ PT0-003 Exam Objectives for complete domain coverage.
PenTest+ Practice Quiz
1. A penetration tester is reviewing the document excerpt shown below before starting an external assessment. The document defines the testing window, source IPs, in-scope and out-of-scope assets, permitted techniques, and emergency contacts. What is this document commonly called in PT0-003 terminology?
Source IP allow-list: 203.0.113.44/32, 203.0.113.45/32
In-scope CIDRs: 10.50.0.0/22, app.acme-corp.com (prod)
Out-of-scope: payroll-db.acme.local, *.partners.acme.com
Permitted techniques: external recon, web app testing, password spraying (max 3 attempts/account/hour)
Forbidden: DoS, social engineering of C-suite, data exfil >100 MB
Emergency POC: soc@acme-corp.com / +1-555-0142
Signed: James Whitfield (CISO), 2026-05-25
Right answer (C): That's correct! The excerpt's content (testing window, source IP allow-list, scope boundaries, permitted/forbidden techniques, emergency POC) is the textbook structure of a Rules of Engagement (RoE) or authorization letter, which provides legal cover for the tester and operational guardrails.
Wrong answers:
- A): An NDA only covers confidentiality of information learned during the engagement; it does not list IP ranges, time windows, or permitted techniques as shown.
- B): The SOW describes deliverables, timelines, and pricing at a project level, not the technical testing boundaries shown in the excerpt.
- D): The MSA governs the overall commercial relationship and would not contain test-specific details such as source IPs or attack techniques.
2. The Rules of Engagement explicitly excluded the acme_payroll_prod database from testing. While running sqlmap against the in-scope shop application, the tester sees the output below showing that a UNION-based injection has dumped 12,481 employee records from the out-of-scope payroll database. What is the tester's required next step?
Right answer (B): That's correct! As soon as the sqlmap output revealed data from the out-of-scope acme_payroll_prod database, the tester must stop, preserve the dump as evidence, and immediately notify the client POC defined in the RoE so legal and compliance teams can handle the spillover.
Wrong answers:
- A): Continuing to exploit (e.g., dumping further tables) compounds the scope violation and exposes the tester to civil and possibly criminal liability under CFAA-style statutes.
- C): Ignoring 12,481 leaked PII records would be negligent and a breach of the tester's professional duty to disclose.
- D): Pivoting to acme_shop_staging is still unauthorized because the RoE only covered the production shop application and explicitly excluded other databases.
3. A tester compiled the intelligence sources shown in the table below during the first 48 hours of an engagement, and the "Traffic to Target?" column confirms no packets were sent to the client's infrastructure. Which PT0-003 reconnaissance category best describes the activities in this table?
Right answer (A): That's correct! Every row in the table uses third-party data sources (WHOIS, crt.sh, Shodan, LinkedIn, Google) that return target intelligence without ever touching the client's network — the textbook definition of passive reconnaissance / OSINT.
Wrong answers:
- B): Active reconnaissance directly probes the target with scans and banner grabbing, generating traffic that can be detected by IDS/IPS.
- C): Network scanning is a specific form of active recon using tools like Nmap to identify open ports and services.
- D): Fuzzing is an exploitation technique that sends malformed input to applications to find crashes, not a reconnaissance method.
4. A junior tester ran the command nmap -sS -sV -O -p- 192.168.1.0/24 and produced the output shown below. The scan took over 6 minutes and reported a high-numbered ephemeral port (49152) along with the standard services. Which statement most accurately describes what this single command accomplished against the /24 subnet?
Right answer (D): That's correct! The output line "Not shown: 65530 closed tcp ports" confirms all 65,535 ports were probed (-p-). The VERSION column proves -sV ran, the OS CPE/details lines prove -O ran, and -sS made it a half-open SYN stealth scan.
Wrong answers:
- A): A full TCP connect scan would use -sT instead of -sS, and this command also includes service versioning so OS-only is wrong.
- B): A UDP scan would require the -sU flag, which is not present in this command.
- C): Without -p- Nmap defaults to the top 1000 ports, but -p- explicitly tells it to scan every port from 1 to 65,535.
5. The Nmap output below shows a fileserver still running Windows Server 2008 R2 SP1 with SMBv1 enabled, and the smb-vuln-ms17-010 NSE script flagged it as VULNERABLE. The tester wants to gain SYSTEM-level RCE. Which public exploit should be attempted first based on this evidence?
Right answer (B): That's correct! The Nmap NSE script literally returned "VULNERABLE" for smb-vuln-ms17-010 — that is EternalBlue, the SMBv1 RCE leaked from the NSA and weaponized by WannaCry/NotPetya. exploit/windows/smb/ms17_010_eternalblue in Metasploit is the textbook follow-up.
Wrong answers:
- A): BlueKeep targets Remote Desktop Protocol on port 3389, not SMB on port 445.
- C): Heartbleed is an OpenSSL vulnerability affecting HTTPS services on port 443, not Windows SMB.
- D): Log4Shell is a Java deserialization flaw in the Log4j logging library, not present on a Windows SMB service.
6. The Burp Suite intercept below shows a login POST that the back end concatenates directly into a MySQL query, and a single-quote test on the username field returned a verbose SQL error. Given the response leaks query structure, which attack technique would be MOST effective to test for authentication bypass on this form?
Right answer (C): That's correct! The verbose SQL error on a single quote and the recovered concatenated query are the classic indicators of SQL injection. A payload like admin' OR '1'='1'-- in the username field will bypass authentication because the back end does not parameterize the query.
Wrong answers:
- A): ARP spoofing is a Layer 2 network attack that redirects local traffic and has no direct effect on web application login forms.
- B): DNS cache poisoning redirects users to malicious servers but does not bypass authentication on the legitimate application.
- D): A SYN flood is a denial-of-service attack that overwhelms a server and would not help in testing login security.
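To show why the payload quoted in the explanation works and why parameterization stops it, here is an added example (not part of the quiz) that runs a concatenated login and a parameterized login against an in-memory SQLite table with one constructed `admin` row; SQLite's `--` comment behaves like MySQL's here, and the table layout and credentials are assumptions.

```python
import sqlite3

def make_db():
    """In-memory users table with one constructed account (sample data, not from the quiz)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    return con

def login_concatenated(con, username, password):
    """The vulnerable pattern from the quiz: user input pasted straight into the SQL string."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchone() is not None

def login_parameterized(con, username, password):
    """The fix: bound parameters keep the input as data, never as query syntax."""
    row = con.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def probe_single_quote(con):
    """The tell-tale from the intercept: a lone quote makes the concatenated query error out."""
    try:
        login_concatenated(con, "'", "x")
    except sqlite3.OperationalError as err:
        return str(err)  # verbose error text leaks that input reaches the query unescaped
    return None

PAYLOAD = "admin' OR '1'='1'--"  # the bypass string quoted in the answer explanation

if __name__ == "__main__":
    con = make_db()
    print(probe_single_quote(con))                       # verbose SQL error
    print(login_concatenated(con, PAYLOAD, "wrong"))     # True: authentication bypassed
    print(login_parameterized(con, PAYLOAD, "wrong"))    # False: payload is just a literal username
    print(login_parameterized(con, "admin", "S3cret!"))  # True: real credentials still work
```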
7. The network diagram shown below illustrates that the attacker has a Meterpreter session on the dual-homed DMZ web server "web01" but cannot route directly to 10.0.0.0/24 because only ports 80/443 are inbound through the edge firewall. The tester wants to run Nmap and exploit modules from their own Kali box against DC01, FILE01, and HRAPP. Which technique BEST achieves this pivot?
Right answer (A): That's correct! Running run autoroute -s 10.0.0.0/24 in the existing Meterpreter session, then auxiliary/server/socks_proxy, lets the tester wrap external tools with proxychains so that scans against DC01/FILE01/HRAPP are tunneled through web01 — exactly the pivot the diagram requires.
Wrong answers:
- B): Wireshark only passively captures traffic and does not allow active scanning or exploitation of internal hosts.
- C): Nikto is a web vulnerability scanner, not a network pivoting tool, and cannot route traffic through a compromised host.
- D): Brute-forcing SSH on the already-compromised web server is pointless since the tester already has access to it.
8. The Meterpreter session transcript shown below depicts a session running as SYSTEM on a Windows 10 host. The tester has loaded a Kiwi-style extension and is about to run sekurlsa::logonpasswords to dump NTLM hashes and cleartext WDigest credentials from LSASS memory. Which underlying tool provides this functionality?
Right answer (D): That's correct! The sekurlsa::logonpasswords command and the "kiwi" Meterpreter extension are signature features of Mimikatz — the industry-standard Windows credential dumper that extracts NTLM hashes, Kerberos tickets, and cached plaintext passwords from LSASS memory.
Wrong answers:
- A): Nmap is a network scanner used for host discovery and port scanning, not for post-exploitation credential harvesting.
- B): Burp Suite is a web application proxy for intercepting HTTP/HTTPS traffic, not for local Windows credential extraction.
- C): Wireshark is a network protocol analyzer that captures packets but cannot access the local SAM database or LSASS memory.
9. The shell transcript shown below depicts a www-data shell on a Linux box. /etc/crontab runs /opt/scripts/cleanup.sh as root every 5 minutes, but ls -la reveals the script has 0777 (world-writable) permissions. The tester plans to overwrite the script with a reverse shell payload and wait for cron to fire. Which class of attack does this misconfiguration enable?
Right answer (B): That's correct! The transcript shows a 0777 script executed by root via cron, so any user (including www-data, uid=33) can rewrite cleanup.sh and have it run as uid=0 within 5 minutes — a classic vertical privilege escalation from low-priv user to root.
Wrong answers:
- A): Horizontal privilege escalation moves to another account at the same privilege level, not from user to root.
- C): Pass-the-hash is a Windows-specific NTLM technique not applicable to this Linux cron job scenario.
- D): A man-in-the-middle attack intercepts network communications and has nothing to do with local privilege escalation via cron misconfiguration.
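An added defender-side check (not from the quiz) for the misconfiguration in this question: it parses /etc/crontab-style lines and flags root jobs whose script is writable by group or others. The crontab excerpt, script names and temp-directory layout are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Constructed /etc/crontab excerpt modelled on the quiz scenario (not from a real host).
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
*/5 * * * * root /opt/scripts/cleanup.sh
0 3 * * * root /opt/scripts/backup.sh
*/10 * * * * backup /opt/scripts/rotate.sh
"""

SYSTEM_CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)\s+(\S+)")  # 5 schedule fields, user, script path

def parse_system_crontab(text):
    """Return (user, script_path) pairs, skipping blanks, comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs

def find_writable_root_jobs(text, resolve=lambda p: p):
    """Flag root cron jobs whose script is group- or world-writable."""
    # `resolve` maps a crontab path to the file actually stat()ed, so demo() can use temp files.
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        try:
            mode = os.stat(resolve(cmd)).st_mode
        except FileNotFoundError:
            continue  # a missing script is a different finding, not this one
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((cmd, oct(stat.S_IMODE(mode))))
    return findings

def demo():
    """Recreate the scenario in a temp dir: cleanup.sh 0777, backup.sh 0755, rotate.sh 0777 but not root's."""
    d = tempfile.mkdtemp()
    for name, mode in (("cleanup.sh", 0o777), ("backup.sh", 0o755), ("rotate.sh", 0o777)):
        path = os.path.join(d, name)
        open(path, "w").close()  # empty stand-in for the script body
        os.chmod(path, mode)
    return find_writable_root_jobs(CRONTAB_SAMPLE, resolve=lambda p: os.path.join(d, os.path.basename(p)))
```

Only cleanup.sh is reported: backup.sh is not writable by others, and rotate.sh is writable but does not run as root.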
10. A PT0-003 deliverable contains the two report sections shown below. Section A is written in business-risk language with dollar figures and is aimed at non-technical leadership; Section B contains CVEs, CVSS scores, exploit modules, and patch KBs aimed at the security team. What are these two sections of a professional penetration test report conventionally called?
Right answer (A): That's correct! Section A is the executive summary (business risk, dollar impact, leadership audience) and Section B is the technical findings section (CVEs, CVSS, PoC modules, KBs). Pairing both is the PT0-003 standard for a professional report.
Wrong answers:
- B): A risk register is an ongoing risk management document, not a standard section of a penetration test report.
- C): The scope document is created before the engagement during planning, not as a report deliverable after testing.
- D): Threat models and attack trees are analysis tools representing a specific methodology, not the standard report structure.
Free PenTest+ Flashcards
What is the difference between black box, white box, and gray box penetration testing?
Black box: no prior knowledge (simulates an external attacker). White box: full knowledge including source code, architecture, and credentials. Gray box: partial knowledge such as user credentials or network diagrams. Most real engagements are gray box.
Frequently Asked Questions
They serve different purposes. PenTest+ is a knowledge-based certification that validates broad pen-testing methodology and is DoD 8570/8140 approved. OSCP is fully hands-on and more respected in technical pentesting circles. Many practitioners hold both for compliance and practical credibility.
The PenTest+ (PT0-003) passing score is 750 on a 100 to 900 scale. The exam includes up to 85 questions mixing multiple-choice and performance-based questions with a 165-minute time limit.
CompTIA recommends holding Network+ and Security+ before attempting PenTest+, plus 3 to 4 years of hands-on information security experience. Familiarity with Linux command line, basic scripting in Python and Bash, and common exploitation frameworks like Metasploit is very helpful.
The CompTIA PenTest+ (PT0-003) exam voucher costs approximately $404 USD. CompTIA often offers bundle discounts that include a retake voucher. Third-party training providers and academic institutions may offer discounted vouchers as well.
PT0-003 covers five domains: Engagement Management (17%), Reconnaissance and Enumeration (17%), Attacks and Exploits (34%), Post-Exploitation and Lateral Movement (18%), and Reporting and Communication (14%). The Attacks and Exploits domain carries the most weight by far.
Yes. PenTest+ includes PBQs that simulate real-world scenarios such as analyzing tool output, interpreting scan results, writing exploit code snippets, and completing penetration testing tasks in a simulated environment. These appear at the beginning of the exam.
PenTest+ is valid for three years from the date you pass the exam. You can renew through CompTIA's Continuing Education (CE) program by earning 60 CEUs during the three-year cycle, or by passing a higher-level CompTIA certification.
Key tools include Nmap for scanning, Metasploit for exploitation, Burp Suite for web app testing, Wireshark for traffic analysis, Hashcat and John the Ripper for password cracking, Mimikatz for credential dumping, Gobuster for directory enumeration, and SQLmap for SQL injection automation.
Yes, there are no mandatory prerequisites for PenTest+. However, CompTIA strongly recommends having Security+ level knowledge and 3 to 4 years of experience. Jumping straight to PenTest+ without foundational knowledge will make the exam significantly harder.
PenTest+ qualifies you for roles such as penetration tester, vulnerability analyst, security consultant, red team operator, and security engineer. It meets DoD 8140 requirements for certain DCWF work roles, making it valuable for government and defense contractor positions.
PenTest+ is generally considered more hands-on and practical than CEH, which is more knowledge-based and theoretical. PenTest+ includes PBQs and focuses on methodology, while CEH covers a broader range of topics at a higher level. PenTest+ is also significantly less expensive than CEH.
