
100+ Free EC-Council LPT Master Practice Questions

Pass your EC-Council Licensed Penetration Tester (Master) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass rate: EC-Council does not publicly report LPT Master pass rates
100+ Questions
100% Free
2026 Statistics

Key Facts: EC-Council LPT Master Exam

  • Practical Exam: 24 hr (three 6-hour Cyber Range sessions)
  • LPT Master Pass: 90% (70%+ earns CPENT)
  • Exam Fee: $999-$2199 (varies by training package)
  • On Official Exam: 0 MCQ (fully practical Cyber Range)
  • Validity: 3 yrs (renew via ECE credits or retest)
  • Domains: 9 (per CPENT v2 / LPT Master scope)

The EC-Council Licensed Penetration Tester (Master) is the elite-tier outcome of the CPENT v2 Cyber Range exam: 24 hours of practical testing delivered as three 6-hour sessions, with 90% required for the LPT Master designation and 70%+ earning the CPENT credential. The exam fee bundles range from roughly $999 to $2199 depending on training package, and the credential is delivered through EC-Council's ASPEN-proctored Cyber Range. It validates expert skills in Active Directory attacks (BloodHound, Kerberoasting, DCSync), IoT and OT/SCADA pentesting, binary exploitation with ROP, cloud pentesting across AWS/Azure/GCP/Kubernetes, advanced web exploitation, wireless and RFID attacks, multi-level pivoting, and professional report writing. These 100 multiple-choice questions are conceptual prep — the official exam itself is fully practical with no MCQs.

Sample EC-Council LPT Master Practice Questions

Try these sample questions to test your EC-Council LPT Master exam readiness. Each question includes a detailed explanation.

1. A pentester captures TGS tickets for service accounts to crack offline. Which hashcat mode is used to crack a Kerberos 5 TGS-REP etype 23 (RC4-HMAC) hash extracted with GetUserSPNs.py?
A. -m 13100
B. -m 18200
C. -m 5600
D. -m 1000
Explanation: Kerberos 5 TGS-REP etype 23 (RC4-HMAC) hashes from a Kerberoasting attack are cracked with hashcat mode -m 13100. Impacket's GetUserSPNs.py with the -request flag outputs the $krb5tgs$23$* format consumed by this mode.

2. Which Impacket script forces a domain controller to replicate the krbtgt account hash so an attacker can later forge Golden Tickets?
A. psexec.py
B. secretsdump.py
C. wmiexec.py
D. GetADUsers.py
Explanation: secretsdump.py with a Domain Admin or DCSync-privileged account performs a DRSUAPI GetNCChanges call to dump the krbtgt NTLM hash (and all other account hashes) from NTDS.dit remotely. The resulting krbtgt hash is the input to ticketer.py for Golden Ticket forgery.

3. In BloodHound, which Cypher query returns all users that have a path to the Domain Admins group via ACL-based edges?
A. MATCH p=(u:User)-[*1..]->(g:Group {name:'DOMAIN ADMINS@CORP.LOCAL'}) RETURN p
B. MATCH (u:User) WHERE u.admincount=true RETURN u
C. MATCH p=shortestPath((u:User)-[r*1..]->(g:Group)) WHERE g.name CONTAINS 'DOMAIN ADMINS' AND ALL(rel IN r WHERE type(rel) IN ['GenericAll','WriteDacl','GenericWrite','WriteOwner','AllExtendedRights','ForceChangePassword','AddMember']) RETURN p
D. MATCH (u:User)-[:MemberOf]->(g:Group) RETURN u
Explanation: Restricting the relationship list to ACL-abuse edges (GenericAll, WriteDacl, GenericWrite, WriteOwner, AllExtendedRights, ForceChangePassword, AddMember) returns only attack paths that exploit AD object permissions, not membership-based control. shortestPath() ensures BloodHound returns the most efficient path per source.

4. Which Mimikatz command extracts cleartext credentials, NTLM hashes, and Kerberos tickets from LSASS memory on a Windows host?
A. lsadump::dcsync /user:krbtgt
B. sekurlsa::logonpasswords
C. kerberos::list /export
D. privilege::debug
Explanation: sekurlsa::logonpasswords parses LSASS memory and emits cleartext (when WDigest is enabled or via TsPkg/CredSSP), NTLM, SHA1, and DPAPI material plus Kerberos tickets for every active logon session. It requires SeDebugPrivilege, typically obtained with privilege::debug first.

5. An attacker holds the krbtgt NTLM hash. Which Rubeus command forges a Golden Ticket for the user 'Administrator' and injects it into the current session?
A. Rubeus.exe asktgt /user:Administrator /rc4:<hash> /domain:corp.local /ptt
B. Rubeus.exe golden /user:Administrator /id:500 /domain:corp.local /sid:<DomainSID> /krbtgt:<krbtgthash> /ptt
C. Rubeus.exe kerberoast /user:Administrator /ptt
D. Rubeus.exe s4u /user:Administrator /msdsspn:cifs/dc01 /ptt
Explanation: The 'golden' action forges a TGT signed by the krbtgt key. /user, /id (RID 500 for Administrator), /domain, /sid, and /krbtgt are required; /ptt injects the resulting ticket into the current LSA session. From there any Kerberos-enabled service is reachable.

6. Which Active Directory account setting, when enabled on a user account, disables Kerberos pre-authentication and allows the AS-REP Roasting attack to succeed against that account?
A. Smart card is required for interactive logon
B. Do not require Kerberos preauthentication (DONT_REQ_PREAUTH)
C. Account is sensitive and cannot be delegated
D. Trusted for delegation
Explanation: When DONT_REQ_PREAUTH (userAccountControl bit 0x400000) is set, the KDC returns an AS-REP encrypted with the user's password key without first validating any timestamp. An attacker requests an AS-REP for that user and cracks the encrypted blob offline (hashcat -m 18200).

7. Which technique uses a forged service ticket signed with a service account's NTLM hash, bypassing the KDC entirely to impersonate any user against that service?
A. Golden Ticket
B. Silver Ticket
C. Pass-the-Hash
D. Overpass-the-Hash
Explanation: A Silver Ticket is a forged TGS encrypted with the target service account's NTLM hash. Because TGS validation is performed locally by the service (PAC checks are often skipped), the KDC never sees the request and no replication trail is created.

8. After exfiltrating NTDS.dit and the SYSTEM hive, which secretsdump.py command extracts all account hashes offline?
A. secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL
B. secretsdump.py -just-dc-user Administrator corp.local/admin@dc01
C. secretsdump.py -outputfile dump LOCAL
D. secretsdump.py -hashes :<lmhash>:<nthash> dc01
Explanation: The LOCAL target with -ntds and -system tells secretsdump to parse the on-disk database using the bootkey from the SYSTEM hive, producing the full DOMAIN.user:RID:LM:NT format without touching the network. This is the standard offline Domain Controller post-exploitation flow.

9. An LPT engagement reveals that 'AlwaysInstallElevated' is set to 1 in both HKLM and HKCU. What is the impact?
A. User Account Control prompts are silently dismissed
B. Any MSI package launched by a low-privilege user runs as NT AUTHORITY\SYSTEM
C. The Windows Installer service is disabled
D. Only signed installer packages are allowed
Explanation: When both HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and the matching HKCU value are 1, msiexec.exe installs every package with elevated privileges. An attacker drops a malicious MSI built with msfvenom (-f msi) and runs msiexec /quiet /qn /i evil.msi to obtain SYSTEM.

10. A pentester wants to abuse SeImpersonatePrivilege on a Windows service account. Which tool family chains a coerced authentication to a local NTLM relay producing a SYSTEM token?
A. PowerView
B. Potato exploits (RottenPotato/JuicyPotato/PrintSpoofer/GodPotato)
C. PowerSploit Get-PassHashes
D. Empire stager
Explanation: Potato-family exploits trigger a privileged process to authenticate to a local listener (via DCOM, RPC, or Print Spooler), then relay that NTLM authentication and impersonate the resulting SYSTEM token. SeImpersonatePrivilege is the prerequisite, granted by default to most Windows service accounts.

About the EC-Council LPT Master Exam

EC-Council's Licensed Penetration Tester (Master) is the elite-tier credential earned by scoring 90% or higher on the CPENT v2 Cyber Range exam. The exam runs 24 hours across three 6-hour sessions and tests advanced Windows AD attacks, IoT firmware exploitation, OT/SCADA pentesting, binary analysis and exploitation, cloud pentesting (AWS/Azure/GCP/Kubernetes), wireless and RFID attacks, web exploitation, multi-level pivoting, and professional report writing.

Assessment

The official LPT Master exam is fully practical: three 6-hour Cyber Range sessions (24 hours total) where candidates compromise live network ranges spanning Windows AD, IoT, OT/SCADA, cloud, web, and binary-exploitation scenarios, then submit a professional pentest report. These 100 multiple-choice questions are conceptual prep aligned with the CPENT v2 / LPT Master domain weights.

  • Time Limit: 24 hours practical (3 x 6-hour sessions)
  • Passing Score: 90% (LPT Master); 70%+ earns CPENT
  • Exam Fee: ~$999-$2199 (EC-Council Cyber Range)

EC-Council LPT Master Exam Content Outline

  • Advanced Windows Attacks (10%): BloodHound, Kerberoasting, AS-REP Roasting, Golden/Silver Ticket, DCSync, NTDS.dit, Mimikatz, NTLM relay, AD CS ESC1/ESC8, unconstrained delegation, RBCD, AMSI/ETW bypass
  • IoT Penetration Testing (10%): Firmware extraction with binwalk, emulation via firmadyne/QEMU, JTAGulator, Bus Pirate, Zigbee KillerBee, BLE btlejack, secure-boot bypass via SPI, hard-coded credentials (CWE-798)
  • OT/SCADA Penetration Testing (10%): Modbus TCP function codes, DNP3 time-sync attacks, Siemens S7comm with snap7, Allen-Bradley EtherNet/IP CIP, Purdue model, IEC 62443, safe scanning, Wireshark mbtcp dissector
  • Binary Analysis & Exploitation (10%): Buffer overflows, NX/ASLR/canary/RELRO mitigations, ROP/ret2libc with pwntools, msfvenom shellcode, gdb with GEF, info-leak chaining, boofuzz fuzzing, heap exploitation
  • Cloud Penetration Testing (10%): AWS Pacu, CloudGoat IAM privesc, IMDSv1/IMDSv2 SSRF, Azure ROADtools/MicroBurst, GCP gcp_scanner, Kubernetes peirates, RBAC abuse, Sigstore/Cosign supply chain
  • Wireless & RFID Pentesting (10%): WPA2 PMKID hashcat -m 22000, WPA3 SAE Dragonblood, aircrack-ng deauth, EAPHammer rogue AP, Proxmark3 RFID badge cloning, MIFARE Classic Crypto-1, OpenBTS GSM
  • Web Application Exploitation (15%): Advanced SQLi (UNION/blind/time/OOB), SSRF with 169.254.169.254 metadata, JWT alg=none and key confusion, SAML XSW, SSTI Jinja2 RCE, web cache deception, HTTP/2 desync
  • Privilege Escalation & Lateral Movement (15%): Linux privesc (CVE-2021-3156 sudo, CVE-2022-0847 Dirty Pipe, capabilities), Windows privesc (fodhelper UAC bypass, AlwaysInstallElevated, Potato exploits, token impersonation)
  • Multi-Level Pivoting & Reporting (10%): Chisel, ligolo-ng, sshuttle, proxychains SOCKS pivots, multi-hop nested pivots, NIST SP 800-115, PTES, OSSTMM, CVSS v3.1 scoring, executive summary, reproducible PoC

How to Pass the EC-Council LPT Master Exam

What You Need to Know

  • Passing score: 90% (LPT Master); 70%+ earns CPENT
  • Assessment: The official LPT Master exam is fully practical: three 6-hour Cyber Range sessions (24 hours total) where candidates compromise live network ranges spanning Windows AD, IoT, OT/SCADA, cloud, web, and binary-exploitation scenarios, then submit a professional pentest report. These 100 multiple-choice questions are conceptual prep aligned with the CPENT v2 / LPT Master domain weights.
  • Time limit: 24 hours practical (3 x 6-hour sessions)
  • Exam fee: ~$999-$2199

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EC-Council LPT Master Study Tips from Top Performers

1. Memorize hashcat modes: -m 1000 NTLM, -m 5600 NetNTLMv2, -m 13100 Kerberos TGS-REP RC4 (Kerberoasting), -m 18200 Kerberos AS-REP RC4 (AS-REP Roasting), -m 22000 WPA2 PMKID/EAPOL
2. Learn Modbus function codes cold: 0x01 read coils, 0x02 read discrete inputs, 0x03 read holding registers, 0x04 read input registers, 0x05 write single coil, 0x06 write single register, 0x0F/0x10 write multiples
3. Practice ROP chain construction with pwntools' ROP() class, leak libc with format strings or info-leak gadgets, then call execve('/bin/sh', 0, 0) or one_gadget
4. Build muscle memory for BloodHound Cypher queries: ACL-abuse paths to Domain Admins, kerberoastable users (hasspn=true), unconstrained-delegation hosts, and shortestPath() filtered by edge type
5. Run timed Cyber Range simulations under the real 6-hour-session pressure; the LPT Master is as much an endurance test as a technical one
6. Write reports as you exploit, not after: capture commands, screenshots, and CVSS v3.1 base vectors for every finding before pivoting onward

Frequently Asked Questions

What is the EC-Council Licensed Penetration Tester (Master)?

The EC-Council LPT Master is the elite-tier outcome of the CPENT v2 Cyber Range exam. Candidates score 70% or higher to earn the CPENT credential and 90% or higher to earn the LPT Master designation. The exam validates expert practical skills in Active Directory exploitation, IoT, OT/SCADA, cloud, binary exploitation, web, wireless, and pivoting.

How long is the LPT Master exam and what is the passing score?

The exam is fully practical and runs 24 hours total, delivered as three 6-hour sessions on the EC-Council Cyber Range. Candidates need 70% or higher to earn the CPENT credential, and 90% or higher to receive the LPT Master designation. There are no multiple-choice questions on the official exam; candidates compromise hosts, pivot through segmented networks, and submit a professional pentest report.

How much does the LPT Master exam cost?

The cost ranges from approximately $999 to $2199 USD depending on the training and voucher package selected. EC-Council bundles the CPENT v2 course, ASPEN access, and exam attempts in different tiers. Direct exam-only pricing is offered to candidates who qualify via the experience-based eligibility application.

What topics does the LPT Master cover?

The exam covers Advanced Windows Attacks (BloodHound, Kerberoasting, DCSync, AD CS), IoT Penetration Testing, OT/SCADA Penetration Testing, Binary Analysis and Exploitation, Cloud Penetration Testing (AWS, Azure, GCP, Kubernetes), Wireless and RFID Pentesting, Web Application Exploitation, Privilege Escalation and Lateral Movement, and Multi-Level Pivoting plus Professional Reporting.

Are these 100 multiple-choice questions like the real LPT Master exam?

No — the official LPT Master exam has no multiple-choice questions and is 100% practical on the EC-Council Cyber Range. These 100 MCQs are conceptual prep aligned with the CPENT v2 / LPT Master domain weights and are designed to reinforce the tools, commands, attack paths, and reporting concepts you will need to execute live during the exam.

What is the difference between CPENT and LPT Master?

CPENT and LPT Master are earned from the same Cyber Range exam. A score of 70% or higher earns the Certified Penetration Testing Professional (CPENT) credential. A score of 90% or higher earns the Licensed Penetration Tester (Master) designation in addition to CPENT. Both are 3-year credentials renewed via ECE credits or retest.

How should I prepare for the LPT Master?

Build deep hands-on reps in BloodHound and Kerberos abuse, pwntools/gdb binary exploitation, IoT firmware analysis with binwalk and firmadyne, cloud pentesting with Pacu and CloudGoat, wireless attacks with aircrack-ng, and multi-hop pivoting with Chisel and ligolo-ng. Practice writing professional pentest reports with CVSS v3.1 scoring and executive summaries. Run timed Cyber Range simulations before scheduling the real exam.