Comments on the CompTIA Pentest+ Exam PT0-002

I just passed the Pentest+ PT0-002 exam on January 6, 2023.  I had taken and failed the PT0-001 when the certification was first introduced three years ago.  Of the four CompTIA cybersecurity certifications, Sec+, CySA+, Pentest+, and CASP+, this exam is the hardest of the four. or at least the second hardest.  CASP+ does have the dreaded and difficult Linux Forensic Simulation.  Pentest+ does not, gratefully.  Pentest+ is definitely harder than CEH v11, which I took recently in 2022.  It rivals the CISSP in difficulty, but the viewpoint of the Pentest+ is definitely from a cybersecurity admin. analyst, technician, red-teamer, or pen-tester.  This is a very technical exam.

Many of the questions require you to be able to read a piece of code or script an know what it is doing.  I cannot emphasize strongly enough; you need to know the fundamentals of using BASH, HTML, Powershell, PHP, Python, and Ruby.  You need to be able to recognize which of these languages was used to create the code sample or script used in the exam question.  Set up a Kali Linux computer or virtual machine, and get very familiar with the included applications.  The other area you must have a firm grasp on is knowing which hacking tools and applications to use for given tasks or situations.  You must know nMap inside and out.  Your best bet is to spend as many hours as you can working in lab environments like TryHackMe, which actually has a Pentest+ path.

The PT0-002 starts off with four very challenging Performance Based Questions.

Again, my recommendation is to read through the questions first, to engage your subconscious mind in the process of solving these questions, but do all the multiple choice questions first, the return for the PBQs at the end.


The first PBQ showed me an output screen from an nMap scan.  There were two parts to this question.  The first required that I recreate the scanner commands that created the shown output, using a bunch of drag and drop commands.  To pass this part you do need to know your nMap commands and what they do.  The second part is identifying vulnerabilities or exploits that would work against this target.

Here is a list of nMap Commands to learn for this question and many other multiple choice exam questions.

-A aggressive scanning

Pinging – the capital P in a command indicates some type of ping sweep useful for device enumeration
-PA TCP ACK scan
-PU UDP ping scan
-PR ARP scan
-PS TCP SYN scan
-PE ICMP Echo scan
-PP ICMP Timestamp Ping
-PM Address Mask Ping
-PS TCP SYN ping scan

Scanning – the lower case s in a command indicates some sort of port scanning
-sC enable Nmap Scripting Engine for advanced discovery
-sI idle scan
-sF FIN scan
-sM Maimon scan (FIN/ACK)
-sn ping scan icmp (no port scanning)
-sN null scan no flags
-sS stealth scan SYN scan half open (hides from logs)
-sU UDP scan
-sT TCP Connect Full Open scan (checks all ports, leaves tracks)
-sX Xmas or Inverse TCP Flag scan set FIN PSH URG flags

OS discovery
-O <target> operating system discovery
-6 -O <target> OS discovery IPv6 fingerprintingOutput
-oG output in greppable format
-oX output in XML format
-oN output in normal format

–script smb-os-discovery.nse OS discovery
–enip-info – <port44818> device type, vendor ID, serial number, IP address
–smb-os-discovery – <port 445> OS machine name, domain name, netbios, workgroup. system time.
–netbus-info <port 12345> connects to a Netbus server for applications, user ID, password, email address

PBQ 2 – Complete a script

The second PBQ shows a partially completed script.  You will need to complete the missing parts from a drag and drop list.  You need to distinguish the scripting language being used in order to select the correct code snippets from the list.  For this one you need to know the differences between BASH, Powershell, Python, and Ruby.  This one might be the easiest of the bunch, but only if you can identify scripting languages and components.

PBQ 3 – Attack a remote subnet

You have compromised a server with access to a remote subnet.  You would like to connect to that subnet.  This is an exercise where you need to choose commands to set up a reverse shell and listener, I believe.  Those of you who have seen this question, feel free to add your comments, as I think this could use more information.

PBQ 4 – Malicious HTTP Commands

You are part of a pen-testing team that has discover a long list (12-15 items) of malicious HTTP code, commands, and attacks.  This is a two part question, don’t forget the second part.  Looking at the code samples, you have to identify the type of attack or vulnerability from one drop down list, and choose the correct remediation from the second drop down list.  Knowing some HTTP  code and web based exploits are essential for this question.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at


  1. Mike Oxlong  February 19, 2023

    Bob, I want to start by thanking you for your article on the CASP, it helped me tremendously in passing it a couple months back. Due to requirements in my degree, I’ve had to back track and pick up the PenTest+, which I passed today.

    The PBQs are by far the most difficult part of the exam. As Bob says, you need to be very well versed in NMAP as well as the syntax and fixes for common attacks. TryHackMe is a great resource for familiarizing yourself with these.

    To study, I had access to both CompTIA’s course as well as Udemy (Jason Dion). My best advice would be to use as many resources as you can and truly understand why the right answer is the right answer and why the wrong answer is wrong when doing your practice. However, I must say, none of these resources had questions that were very similar in format to the exam.

    In closing, this exam is very technical and you will struggle if you are a policy guy. Immerse yourself and know that there is no such thing as too much practice. Good Luck!

  2. bobwyzguy  February 20, 2023

    Thanks Mike for your comments. It is gratifying to know that I helped you in your quest in some small way.. You are officially the first to comment on this article, so thanks again.

  3. Kristopher  March 7, 2023

    Hey Bob,
    PBQ #4 you have here is the exact question from the CASP 004 exam that I got. Any insight on this?

  4. bobwyzguy  March 10, 2023

    Perhaps. CompTIA has 4 cybersecurity exams, the Security+, CySA+, Pentest+ and the CASP+. I believe that the questions pools for these respective exams overlap, which is to say that some of these question will appear on any or even all of these exams. Of course this is a guess based on my own testing experience taking all of these exams, some multiple times. CompTIA is not telling.

    With the PBQs, I know that they often do not change from exam version to exam version. These questions are harder to engineer, functionally, in the exam. I would make sense that they might also use the same PBQs on different exams.

    And I know PBQs are often different for different test takers on different days. There are slightly different versions of the same PBQ, too. The scenario is the same, but the question (mission) is different, and the answers are different.

    There is still only 1 Linux Forensic Simulation, and that is for CASP+ as this point, but we might expect to see something else like it in CySA or PenTest some day.


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.