Attacks and Exploits for CompTIA PenTest+
This page covers the Attacks and Exploits domain of the CompTIA PenTest+ certification. Master Cybersecurity offers 83 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?
- A. tcprelay
- B. Bluecrack
- C. Scapy
- D. tcpdump
Explanation
The correct answer is: C. Scapy.
Scapy is a Python-based packet manipulation library that lets the tester forge arbitrary frames at every layer of the stack, including custom TCP flag combinations, sequence numbers, IP options, and payloads, which makes it the right tool when the requirement is a hand-crafted packet sent to a vulnerable target. tcpreplay (sometimes typed as tcprelay) replays previously captured pcap traffic but does not provide an interactive way to set new flag values or sequence numbers. Bluecrack is a Bluetooth PIN cracking utility and has nothing to do with TCP/IP packet crafting. tcpdump captures and decodes traffic but does not generate or transmit custom packets. Scapy's build-and-send semantics, exemplified by IP()/TCP(flags='S', seq=...) constructs, are the canonical answer for bespoke packet generation in penetration testing.
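To make concrete what "custom flags and sequence numbers" means at the byte level, here is an added example (not from the original page, and not Scapy itself) that packs and decodes a raw TCP header with Scapy-style flag letters and a caller-chosen sequence number, including the RFC 1071 checksum over the IPv4 pseudo-header; it only builds and inspects bytes offline and sends nothing.

```python
import socket
import struct

# Scapy's single-letter TCP flag names (as in TCP(flags="SA")) mapped to header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)

def build_tcp_segment(src_ip, dst_ip, sport, dport, flags="S", seq=0, ack=0, window=8192, payload=b""):
    """Serialise a 20-byte TCP header plus payload with caller-chosen flags and sequence numbers."""
    bits = 0
    for letter in flags:
        bits |= FLAG_BITS[letter]
    # Data offset 5 (no options) in the high nibble; checksum and urgent pointer are zero for now.
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    # The checksum field sits at bytes 16-17 of the fixed header.
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed header back into named fields (flags as Scapy-style letters)."""
    sport, dport, seq, ack, _off, bits, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    flags = "".join(k for k, v in FLAG_BITS.items() if bits & v)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum}

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct TCP checksum makes pseudo-header plus segment sum to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

if __name__ == "__main__":
    seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 80, flags="S", seq=123456789)
    print(parse_tcp_segment(seg), checksum_ok("10.0.0.1", "10.0.0.2", seg))
```

The addresses and ports are constructed placeholders; a decoder like this is also what lets an analyst recognise hand-built segments (odd flag combinations, non-random sequence numbers) in a capture.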
Question 2
A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent: Which of the following should the tester recommend in the report to best prevent this type of vulnerability?
- A. Drop all excessive file permissions with chmod o-rwx.
- B. Ensure the requests application access logs are reviewed frequently.
- C. Disable the use of external entities.
- D. Implement a WAF to filter all incoming requests.
Explanation
The correct answer is: C. Disable the use of external entities.
Returning the contents of /etc/passwd in response to a crafted payload is the signature of XML External Entity (XXE) injection when the payload contains a DTD declaring an external entity that points at a local file URI, so the recommended fix is to disable external entity resolution in the XML parser, typically by enabling a feature such as disallow-doctype-decl and turning off load-external-dtd and external general/parameter entity loading. Stripping permissions on the file system with chmod o-rwx might harden the host but would not stop the parser from reading anything its own service account can read, which on Linux includes /etc/passwd. Reviewing access logs is detective rather than preventive and does nothing to close the parser-level flaw. Putting a WAF in front of the application is a compensating control that may catch known signatures but is easily bypassed with encoded or polyglot DTDs and does not address the root cause inside the parser configuration.
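As an added example (not part of the original question), the following shows what "disable external entities" looks like in code: a hardened parse routine built on Python's standard-library expat parser that refuses any DOCTYPE before an entity can be declared, with a benign document and a constructed XXE-shaped document as inputs.

```python
import xml.parsers.expat as expat

class DoctypeNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE, which is where external entities get declared."""

def parse_without_dtd(document: bytes) -> dict:
    """Parse XML with the stdlib expat parser while refusing any DOCTYPE.
    Returns a flat {element name: text} map, enough to show the parse succeeded."""
    parser = expat.ParserCreate()
    elements, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Equivalent of disallow-doctype-decl: abort before any <!ENTITY ...> is processed.
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} rejected; DTDs are not accepted")

    def start_element(name, attrs):
        stack.append(name)
        elements.setdefault(name, "")

    def char_data(data):
        elements[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    # Belt and braces: returning 0 tells expat to abort if an external entity is ever referenced.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(document, True)
    return elements

def accepts(document: bytes) -> bool:
    """True if the document parses under the hardened settings, False if it was rejected."""
    try:
        parse_without_dtd(document)
        return True
    except (DoctypeNotAllowed, expat.ExpatError):
        return False

# Constructed sample inputs (not the payload from the original question).
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<order><item>&xxe;</item></order>')

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN_XML))
    print("xxe document accepted:", accepts(XXE_XML))
```

The same idea applies to other parsers: reject the DOCTYPE outright where the application never needs one, rather than trying to filter entity names.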
Question 3
A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet: Which of the following changes is required?
- A. The condition on line 6
- B. The method on line 5
- C. The import on line 1
- D. The delimiter in line 3
Explanation
The correct answer is: A. The condition on line 6.
When the goal is to bulk-test URLs for public access, the success criterion is the server returning an HTTP 2xx (or sometimes 3xx) response for an unauthenticated request, so the conditional that decides whether a URL counts as accessible needs to be on the response status code. Adjusting that condition on line 6 ensures the test correctly classifies open versus closed URLs. Changing the HTTP method on line 5 to something like HEAD versus GET is an optimization choice that does not change the fundamental access decision logic. Swapping the import on line 1 changes the request library used but does not alter the accessibility check. Modifying the delimiter on line 3 affects only how the input file is parsed into URLs and does not impact the response evaluation. The accessibility logic lives in the status-code condition on line 6.
Question 4
During a penetration test, a tester captures information about an SPN account. Which of the following attacks requires this information as a prerequisite to proceed?
- A. Golden Ticket
- B. Kerberoasting
- C. DCShadow
- D. LSASS dumping
Explanation
The correct answer is: B. Kerberoasting.
Kerberoasting requires an SPN-bearing account as its prerequisite because the attack works by requesting a TGS for a service identified by its Service Principal Name from the KDC; the resulting ticket is encrypted with a key derived from the service account's password, which the attacker then cracks offline with hashcat or john. Without an SPN the attack has no ticket to request. A Golden Ticket is forged from the krbtgt account hash and does not depend on knowing other SPN accounts. DCShadow registers a rogue domain controller to inject directory changes and depends on replication rights, not SPN enumeration. LSASS dumping extracts cached credentials from a host's memory and again does not need SPN information. The SPN is uniquely the prerequisite for a Kerberoasting workflow.
Question 5
While performing an internal assessment, a tester uses the following command:
crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@
Which of the following is the main purpose of the command?
- A. To perform a pass-the-hash attack over multiple endpoints within the internal network
- B. To perform common protocol scanning within the internal network
- C. To perform password spraying on internal systems
- D. To execute a command in multiple endpoints at the same time
Explanation
The correct answer is: C. To perform password spraying on internal systems.
Running CrackMapExec against an SMB CIDR range with a user.txt list and a single fixed password (Summer123@) is the textbook signature of password spraying. Spraying inverts the traditional brute force ratio by trying one password against many accounts, which dodges per-account lockout policies that would trip if you hammered one user with many guesses. A pass-the-hash attack would supply an NT hash through the -H flag, not a cleartext password, and would typically target a smaller set of admin-likely hosts. Common protocol scanning is what tools like nmap or netexec --shares do without credentials; the use of credentials here is the giveaway that authentication is the goal. Executing a command across endpoints would use the -x or -X switches with cmd.exe or PowerShell payloads, which are absent. The combination of many usernames, one password, and the smb module makes this unmistakably a spray.
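The two activity shapes described in Questions 4 and 5 (one account requesting tickets for many SPNs; one source failing logons for many different users) share the same detection logic: count distinct values per key inside a sliding time window. The following added example (not from the original page) implements that once and applies it to constructed sample telemetry; the field names, event IDs 4769/4625 and thresholds are assumptions for illustration, not a product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(seconds: int) -> str:
    return (datetime(2024, 5, 1, 9, 0, 0) + timedelta(seconds=seconds)).isoformat()

# Constructed sample telemetry (not real logs), reduced to the fields the detections need:
# 4769 = Kerberos service ticket requested, 4625 = failed logon.
EVENTS = []
# One account pulls tickets for eight different SPNs within seconds, asking for RC4 (0x17).
EVENTS += [{"ts": _ts(i), "id": 4769, "user": "jdoe", "spn": f"MSSQLSvc/db{i:02d}", "etype": "0x17", "src": "10.0.0.5"} for i in range(8)]
# A backup job repeatedly requesting the same SPN with AES (0x12) is normal and must not alert.
EVENTS += [{"ts": _ts(i * 30), "id": 4769, "user": "svc-backup", "spn": "cifs/fs01", "etype": "0x12", "src": "10.0.0.6"} for i in range(8)]
# One source fails logons for twelve distinct users inside a minute: the spray shape from Question 5.
EVENTS += [{"ts": _ts(i * 5), "id": 4625, "user": f"user{i:02d}", "spn": "-", "etype": "-", "src": "10.0.0.9"} for i in range(12)]
# One user mistyping a password three times is not a spray.
EVENTS += [{"ts": _ts(i * 20), "id": 4625, "user": "bob", "spn": "-", "etype": "-", "src": "10.0.0.7"} for i in range(3)]

def burst_counts(events, event_id, key, distinct, window):
    """For each value of `key`, the most distinct `distinct` values seen inside any sliding `window`."""
    per_key = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            per_key[e[key]].append((datetime.fromisoformat(e["ts"]), e[distinct]))
    best = {}
    for k, items in per_key.items():
        items.sort()
        best[k] = max(len({v for t, v in items[i:] if t - t0 <= window})
                      for i, (t0, _) in enumerate(items))
    return best

def detect_kerberoast(events, min_spns=5, window=timedelta(minutes=5)):
    """Accounts requesting tickets for many distinct SPNs in a short window; RC4 requests are flagged."""
    counts = burst_counts(events, 4769, "user", "spn", window)
    rc4 = {e["user"] for e in events if e["id"] == 4769 and e["etype"] == "0x17"}
    return {u: {"spns": n, "rc4": u in rc4} for u, n in counts.items() if n >= min_spns}

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Sources failing logons for many distinct users in a short window (one password, many accounts)."""
    counts = burst_counts(events, 4625, "src", "user", window)
    return {s: n for s, n in counts.items() if n >= min_users}

if __name__ == "__main__":
    print(detect_kerberoast(EVENTS))
    print(detect_spray(EVENTS))
```

Thresholds and windows need tuning per environment; service accounts that legitimately touch many SPNs should be allow-listed rather than raising the global threshold.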
Other CompTIA PenTest+ domains
- Engagement Management (36 questions)
- Post-Exploitation and Lateral Movement (55 questions)
- Reconnaissance and Enumeration (58 questions)
- Vulnerability Discovery and Analysis (38 questions)