Post-Exploitation and Lateral Movement for CompTIA PenTest+

This page covers the Post-Exploitation and Lateral Movement domain of the CompTIA PenTest+ certification. Master Cybersecurity offers 55 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

Question 1

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?
A. attacker_host$ nmap -sT | nc -n 22
B. attacker_host$ mknod backpipe p
   attacker_host$ nc -l -p 8000 | 0 80 | tee backpipe
C. attacker_host$ nc -nlp 8000 | nc -n
   attacker_host$ nmap -sT 127.0.0.1 8000
D. attacker_host$ proxychains nmap -sT

Explanation

The correct answer is: D. attacker_host$ proxychains nmap -sT

proxychains in front of an Nmap TCP-connect scan against the internal CIDR is the cleanest way to enumerate through a relay because proxychains routes each connection through an existing SOCKS or HTTP proxy, typically a Meterpreter portfwd, an SSH dynamic forward, or a chisel or ligolo-ng SOCKS endpoint set up earlier on the compromised host. The first option pipes Nmap output text into nc on port 22, which makes no sense as a relayed scan. The second option, the named pipe and backpipe construction, is a single-target proxy hack rather than a way to enumerate a CIDR. The third option binds locally and then runs nmap against 127.0.0.1, which scans the attacker's own host instead of the target subnet. Only proxychains with a SOCKS pivot delivers a true relayed enumeration.

Question 2

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output: Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
A. responder -I eth0 -dwv
   ntlmrelayx.py -smb2support -tf
B. msf > use exploit/windows/smb/ms17_010_psexec
   msf >
   msf > run
C. hydra -L administrator -P /path/topasswdlist smb: //
D. nmap --script smb-brute.nse -p 445

Explanation

The correct answer is: A. responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf

Running Responder in analyse mode together with ntlmrelayx with SMB2 signing support is a passive-then-relay approach. Responder listens for LLMNR, NBT-NS, and mDNS broadcasts and captures the resulting NTLM authentication, which ntlmrelayx then forwards to a target that does not enforce SMB signing, granting code execution or hash material without ever brute-forcing or sending exploit traffic to the target. Using the EternalBlue MS17-010 psexec module fires a known IDS signature and also crashes vulnerable hosts, so it is anything but quiet. Hydra against SMB generates large numbers of failed logons and triggers account lockouts and event log floods. The smb-brute Nmap script likewise produces noisy authentication failures. Among the choices, only the Responder plus ntlmrelayx workflow stays passive on the wire while still yielding lateral movement.

Question 3

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanism on that system. The tester also discovers the endpoint is part of an Active Directory local domain. The tester's main goal is to leverage credentials to authenticate into other systems within the Active Directory environment. Which of the following steps should the tester take to complete the goal?
A. Use Mimikatz to collect information about the accounts and try to authenticate in other systems.
B. Use hashcat to crack a password for the local user on the compromised endpoint.
C. Use Evil-WinRM to access other systems in the network with the endpoint credentials.
D. Use Metasploit to create and execute a payload and try to upload the payload into other systems.

Explanation

The correct answer is: A. Use Mimikatz to collect information about the accounts and try to authenticate in other systems.

On a domain-joined Windows host where defenses have already been bypassed, Mimikatz is the canonical way to harvest the credentials needed for lateral movement, including LSASS-cached plaintext passwords, NTLM hashes, Kerberos TGTs, and DPAPI material. Those credentials feed directly into Pass-the-Hash, Pass-the-Ticket, or Overpass-the-Hash to authenticate to other systems in the AD environment without ever cracking anything. hashcat is an offline cracker; it produces clear-text passwords from hashes you already have, but it does nothing to collect the hashes from the compromised endpoint. Evil-WinRM is a remote shell client that needs valid credentials in hand first, so it is what comes after this step, not before. Metasploit payload uploads are noisy and do not address the goal of reusing existing AD credentials. Mimikatz is the right first move.

Question 4

A penetration tester gains access to a Linux computer system. The tester then attempts to enumerate user accounts, including the directories and user default shell. Which of the following commands should the tester use to enumerate user accounts?
A. cat /etc/shadow
B. ls /var/usr
C. ls /home
D. cat /etc/passwd

Explanation

The correct answer is: D. cat /etc/passwd

On Linux, /etc/passwd is the world-readable file that lists every local account along with its UID, GID, GECOS comment, home directory, and default login shell, which is exactly what the question asks for. /etc/shadow holds the hashed passwords and aging fields, but it is readable only by root, so it is unavailable in a low-privilege context, and it contains no shell or home-directory information. /var/usr is not a standard path and listing it returns no useful account data. /home only shows the directories that happen to exist under that mount; it omits service accounts, system users, and accounts whose homes live elsewhere, and it tells you nothing about default shells. cat /etc/passwd remains the canonical first step for enumerating accounts and their shells on any Unix system.
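As an added illustration that is not part of the original question set, the following Python parses passwd(5) records the way an account audit would and makes the point above concrete: which accounts can actually log in, and which ones a bare `ls /home` would never show. The file content is a constructed sample, not taken from any real host.

```python
# Added example (not from the original page): parse /etc/passwd records as an
# account audit would, and show what a bare `ls /home` listing misses.
from dataclasses import dataclass

# Constructed sample of /etc/passwd content (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
# a stray comment line that a robust parser must skip
"""

# Shells that refuse an interactive login; assumed set, extend per distro.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str) -> list:
    """Parse passwd(5) records: name:password:UID:GID:GECOS:home:shell."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record: skip it rather than abort the audit
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts

def login_capable(accounts: list) -> list:
    """Accounts whose default shell permits an interactive login."""
    return [a for a in accounts if a.shell not in NON_LOGIN_SHELLS]

def missed_by_home_listing(accounts: list) -> list:
    """Accounts that `ls /home` would never show (home is outside /home)."""
    return [a for a in accounts if not a.home.startswith("/home/")]

if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    for a in login_capable(accts):
        print(f"{a.name:10} uid={a.uid:<5} shell={a.shell:16} home={a.home}")
    print("not visible under /home:", [a.name for a in missed_by_home_listing(accts)])
```

Note that postgres has a real login shell but lives under /var/lib, so it appears in the login-capable list yet would be invisible to `ls /home`.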

Question 5

While performing a penetration testing exercise, a tester executes the following command: PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe Which of the following best explains what the tester is trying to do?
A. Test connectivity using PSExec on the server01 using CMD.exe.
B. Perform a lateral movement attack using PsExec.
C. Send the PsExec binary file to the server01 using CMD.exe.
D. Enable CMD.exe on the server01 through PsExec.

Explanation

The correct answer is: B. Perform a lateral movement attack using PsExec.

The Sysinternals PsExec command shown opens cmd.exe on the remote server using SMB and the named pipes that PsExec creates, then pivots execution there, which is the canonical lateral movement pattern with that tool. Testing connectivity would normally use ping, Test-NetConnection, or an smbclient null session and would not bother launching cmd.exe. Sending the PsExec binary to the remote box is a file transfer task that uses copy or net use, not the call shown, which executes a binary remotely. Enabling cmd.exe on the remote host is not a meaningful action because cmd.exe ships with Windows by default. The intent here is unmistakably lateral movement to server01 via PsExec under the named pipe IPC$ pattern.
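As an added example that is not part of the original question set, this Python sketches the defender's side of Questions 3 and 5: it runs simple detection logic over constructed records shaped like Windows System and Sysmon events, flagging a non-system process opening lsass.exe (the access a credential harvester such as Mimikatz needs) and the PSEXESVC service and named pipe that PsExec installs on the target host. The access-mask list and the allowlisted source processes are assumed tuning values typical of such rules, not values from the page, and the log records are constructed.

```python
# Added example, not from the original page: detection logic for the two
# lateral-movement steps above, run over constructed Windows log records.
# Sysmon Event 10 (ProcessAccess) rights commonly requested when reading
# lsass.exe memory; assumed tuning values, as used in many detection rules.
LSASS_SUSPECT_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
# Assumed allowlist: system processes that legitimately open lsass.exe.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records (not real telemetry), in SIEM-style dict form.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "SERVER01", "channel": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SERVER01", "channel": "Sysmon", "event_id": 17,
     "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
    {"host": "SERVER01", "channel": "System", "event_id": 7045,
     "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

def detect(event):
    """Return an alert string for one record, or None if it looks benign."""
    eid, chan, host = event.get("event_id"), event.get("channel"), event.get("host")
    if chan == "Sysmon" and eid == 10:
        # Credential dumping: a non-system process reading LSASS memory.
        src = event.get("SourceImage", "").lower()
        tgt = event.get("TargetImage", "").lower()
        if (tgt.endswith(r"\lsass.exe") and src not in LSASS_ALLOWED_SOURCES
                and event.get("GrantedAccess", "").lower() in LSASS_SUSPECT_ACCESS):
            return f"{host}: {event['SourceImage']} opened lsass.exe with {event['GrantedAccess']}"
    if chan == "System" and eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        # PsExec copies PSEXESVC.exe to the target and registers it as a service.
        return f"{host}: PsExec service installed, image {event['ImagePath']}"
    if chan == "Sysmon" and eid == 17 and event.get("PipeName", "").upper() == r"\PSEXESVC":
        # The control pipe PsExec uses to drive the remote cmd.exe session.
        return f"{host}: PsExec named pipe created by {event['Image']}"
    return None

def run_detections(events):
    """Alerts for every record that matched a rule, in log order."""
    return [alert for alert in map(detect, events) if alert]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Of the five sample records, the csrss.exe access and the Spooler service install are treated as benign; the other three produce alerts.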
