🎯 COMPTIA PENTEST+ · PT0-003

CompTIA PenTest+
Practice Test

// Penetration Testing Certification Prep // Rontechmedia · PracticeTest360.com //

90 Questions · 165 Minutes · 750 Pass Score

⚠ Disclaimer

This practice test is provided by Rontechmedia for educational and exam preparation purposes only. This is an unofficial, third-party study resource and is not affiliated with, endorsed by, or sponsored by CompTIA. CompTIA® and PenTest+® are registered trademarks of the Computing Technology Industry Association.

  • Questions are original study materials created for preparation purposes only.
  • This test does not guarantee passing the actual CompTIA PenTest+ exam.
  • Content is based on publicly available CompTIA PT0-003 exam objectives.
  • Always verify information against official CompTIA documentation.

ℹ Exam Format

  • 90 questions across 5 domains (multiple-choice & performance-based)
  • 165-minute countdown timer — auto-submits on expiry
  • Scoring on the 100–900 scale — passing score is 750
  • Instant explanations and real-time domain performance tracking

📖 Study Guide Included

Comprehensive Study Guide covering all 5 PT0-003 domains — engagement management, recon, vulnerability discovery, attacks, and post-exploitation — available from the Home screen.

CompTIA PenTest+
PT0-003 Practice Test

Intermediate-level penetration testing certification prep. Covers engagement planning, reconnaissance, vulnerability analysis, exploitation techniques, and post-exploitation across 90 scenario-based questions. Requires 3–4 years hands-on experience.

โฑ 165 Minutes
โ“ 90 Questions
โœ… Passing: 750/900
๐Ÿ”ข Scale: 100โ€“900
๐Ÿ“… PT0-003 (Dec 2024)
๐Ÿ›ก๏ธ DoD 8140 Approved
1. Engagement Management
13%
~12 questions
2. Reconnaissance & Enumeration
21%
~19 questions
3. Vulnerability Discovery & Analysis
17%
~15 questions
4. Attacks & Exploits
35%
~32 questions
5. Post-Exploitation & Lateral Movement
14%
~12 questions

🎯 CompTIA PenTest+ PT0-003 Study Guide

Full coverage of all five exam domains. Expand each section for key topics, tools, methodologies, and exam tips. Intermediate-level — assumes Security+ knowledge.

Domain 1: Engagement Management (13%)

Covers the legal, contractual, and operational aspects of running a penetration test engagement — scoping, rules of engagement, authorization documents, compliance, communication, and final reporting. Getting this right keeps you out of jail and ensures client satisfaction.

Scoping & Rules of Engagement (RoE)
Penetration Test Types (Black/Gray/White Box)
Authorization Documents (SoW, NDA, MSA)
Legal Compliance (CFAA, GDPR, PCI-DSS)
Engagement Planning & Kickoff
Target Selection & Testing Windows
Mandatory Reporting & Escalation Paths
Report Writing (Executive Summary, Technical Findings)
Remediation Recommendations & Retesting
Risk Ratings (CVSS, DREAD, Custom Scoring)

Exam Tips

  • Black-box = no prior knowledge (simulates external attacker). Gray-box = partial knowledge (insider threat). White-box = full knowledge (code review, source access). Know when each is appropriate.
  • Rules of Engagement define what can be tested, when, how, and what's off-limits. Must be agreed in writing BEFORE testing begins. No authorization = illegal.
  • Statement of Work (SoW) defines deliverables and timeline. MSA (Master Services Agreement) is the overarching contract. NDA protects confidential findings.
  • If you discover a critical finding mid-engagement (active breach, child exploitation material), you must halt and escalate immediately per the predefined escalation path.
  • CVSS (Common Vulnerability Scoring System) rates vulnerability severity on a 0–10 scale. Know Base, Temporal, and Environmental score components.
Domain 2: Reconnaissance & Enumeration (21%)

Covers passive and active information gathering techniques — OSINT, DNS enumeration, service/port scanning, web application fingerprinting, and wireless/network discovery. Know your tools and when to use passive vs. active recon.

Passive Recon (OSINT, Shodan, WHOIS, Google Dorking)
Active Recon (Nmap, Netcat, Banner Grabbing)
DNS Enumeration (Zone Transfer, Subfinder, dnsrecon)
Port & Service Scanning (Nmap flags, Masscan)
Web Application Fingerprinting (Wappalyzer, Nikto)
OSINT Tools (Maltego, Recon-ng, theHarvester)
Social Engineering Recon (LinkedIn, email harvesting)
Wireless Enumeration (Airodump-ng, Wi-Fi scanning)
Network Mapping & Topology Discovery
Cloud Recon (AWS/Azure exposed storage, API discovery)

Exam Tips

  • Passive recon gathers info WITHOUT touching the target (search engines, social media, WHOIS, Shodan). Active recon DOES touch the target (scanning, probing) — leaves logs and may alert defenders.
  • Key Nmap flags: -sS (SYN/stealth scan), -sV (version detection), -O (OS detection), -A (aggressive: OS+version+scripts+traceroute), -p- (all 65535 ports), -Pn (skip host discovery).
  • DNS Zone Transfer (AXFR) attempts to retrieve the entire DNS zone — if misconfigured, reveals all subdomains/IPs. Command: dig axfr @nameserver domain.com
  • Google Dorking: site:target.com filetype:pdf, inurl:admin, intitle:"index of", site:target.com ext:sql — finds exposed files and admin panels.
  • theHarvester: collects email addresses, subdomains, IPs from public sources. Recon-ng: modular OSINT framework. Maltego: visual link analysis and relationship mapping.
Domain 3: Vulnerability Discovery & Analysis (17%)

Covers automated and manual vulnerability scanning, credentialed vs. non-credentialed scans, vulnerability analysis, CVE/CVSS scoring, web application vulnerability identification, and wireless/cloud vulnerability assessment.

Vulnerability Scanning (Nessus, OpenVAS, Qualys)
Credentialed vs. Non-Credentialed Scans
CVE, CVSS, NVD, Exploit Databases
Web Vuln Scanning (Burp Suite, OWASP ZAP)
OWASP Top 10 (SQLi, XSS, IDOR, SSRF, etc.)
Manual Vulnerability Analysis
False Positives vs. True Positives
Wireless Vulnerabilities (WEP/WPA2/WPA3 weaknesses)
Cloud Misconfigurations (S3 buckets, IAM, exposed APIs)
Prioritizing Vulnerabilities for Exploitation

Exam Tips

  • Credentialed scans authenticate to the target — produce fewer false positives and detect more vulnerabilities (patch levels, installed software). Non-credentialed simulate an external attacker perspective.
  • CVSS Base Score components: Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability Impact.
  • OWASP Top 10 priorities for PT0-003: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection (SQLi, etc.), A04 Insecure Design, A05 Security Misconfiguration. Memorize the current top 10.
  • False positive = scanner reports a vulnerability that doesn't exist. False negative = a real vulnerability not detected. Manual validation reduces false positives.
Domain 4: Attacks & Exploits (35%)

The largest domain at 35%. Covers network attacks, web application exploitation, social engineering, wireless attacks, cloud exploitation, and the use of exploitation frameworks. This is where the "hands-on" knowledge matters most.

Metasploit Framework (msfconsole, msfvenom)
SQL Injection (Union-based, Blind, Error-based)
Cross-Site Scripting (Reflected, Stored, DOM)
Password Attacks (Hashcat, John the Ripper, Hydra)
Man-in-the-Middle (ARP Poisoning, SSL Stripping)
Buffer Overflow Basics
Social Engineering (Phishing, Vishing, SET toolkit)
Wireless Attacks (Evil Twin, Deauth, PMKID)
Cloud Exploitation (SSRF, Lambda injection, IAM abuse)
API & Web Service Attacks (Broken Object Level Auth)

Exam Tips

  • Metasploit workflow: search → use → show options → set RHOSTS/LHOST/etc. → run. msfvenom generates payloads: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x LPORT=y -f exe.
  • SQLi UNION attack: determine column count with ORDER BY, then inject: ' UNION SELECT NULL, username, password FROM users--. Blind SQLi uses True/False responses or time delays (SLEEP()).
  • Stored XSS is more dangerous than Reflected XSS because the payload is saved on the server and executes for every victim who views the page. DOM XSS is client-side and never reaches the server.
  • ARP Poisoning sends fake ARP replies to associate the attacker's MAC with a legitimate IP, redirecting traffic. Tools: arpspoof, Ettercap, Bettercap.
  • WPA2 cracking: capture handshake with airodump-ng → crack with hashcat/aircrack-ng against wordlist. PMKID attack doesn't require capturing a full handshake.
Domain 5: Post-Exploitation & Lateral Movement (14%)

Covers what happens after initial access — maintaining persistence, escalating privileges, moving laterally across the network, dumping credentials, exfiltrating data, and covering tracks. Also covers reporting and cleanup.

Privilege Escalation (Windows & Linux techniques)
Credential Harvesting (Mimikatz, Pass-the-Hash)
Lateral Movement (PsExec, WMI, SMB)
Persistence Mechanisms (Scheduled Tasks, Registry, Cron)
Pivoting & Tunneling (SSH tunnels, Proxychains)
Data Exfiltration Techniques
Covering Tracks (Log clearing, Timestomping)
Meterpreter Post-Exploitation Modules
Active Directory Attacks (Kerberoasting, DCSync, BloodHound)
Cleanup & Restoring System State

Exam Tips

  • Mimikatz extracts plaintext passwords and NTLM hashes from Windows LSASS memory. Pass-the-Hash uses an NTLM hash directly to authenticate without knowing the plaintext password.
  • Kerberoasting: request Kerberos TGS tickets for service accounts, extract them, crack offline. No special privileges needed — any domain user can request service tickets.
  • BloodHound maps Active Directory relationships and attack paths graphically, identifying the shortest path from a compromised user to Domain Admin.
  • Windows privesc techniques: unquoted service paths, weak service permissions, DLL hijacking, AlwaysInstallElevated, token impersonation. Linux: SUID/SGID binaries, sudo -l, writable cron jobs, kernel exploits.
  • Pivoting routes traffic through a compromised host to reach otherwise inaccessible network segments. SSH local port forwarding: ssh -L localport:targethost:targetport user@pivot. Proxychains routes tool traffic through the pivot.
🌐 PracticeTest360.com · Practice Test by Rontechmedia · Unofficial Study Resource · Not affiliated with CompTIA