PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free eCPPT Practice Questions

eCPPT Certified Professional Penetration Tester v3 practice questions are available now; exam metadata is being verified.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which crackmapexec module checks whether SMB signing is disabled on hosts in a subnet (a prerequisite for NTLM relay attacks)?

A
B
C
D
to track
Same family resources

Explore More INE Security (eLearnSecurity) Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

eJPT Junior Penetration Tester

Practice Questions

INE eCDFP Certified Digital Forensics Professional

Practice Questions

INE eMAPT Mobile Application Penetration Tester

Practice Questions

INE eWPT Web Application Penetration Tester

Practice Questions

INE eWPTX Web Application Penetration Tester eXtreme

Practice Questions
2026 Statistics

Key Facts: eCPPT Exam

30%

Active Directory Domain Weight

INE Security

5 machines

Target Hosts in Exam Lab

INE Security

24 hours

Practical Exam Window

INE Security

3 years

Certification Validity

INE Security

1 free

Retake Within 14 Days

INE Security

100%

Practical (No MCQ Component)

INE Security

The eCPPT v3 from INE Security is a practical penetration testing certification covering six domains: Active Directory Pentesting (30%), Exploitation & Post-Exploitation (25%), Initial Access (15%), Web App Pentesting (15%), Recon (10%), and Exploit Development (5%). The exam involves 5 target machines including an AD environment in a 24-hour lab. Results are auto-graded. One free retake within 14 days. Certification valid 3 years. This practice exam tests conceptual knowledge; actual eCPPT requires hands-on exploitation.

Sample eCPPT Practice Questions

Try these sample questions to test your eCPPT exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which nmap flag enables OS detection during a host discovery scan?
A.-O
B.-sC
C.-A
D.-sV
Explanation: -O enables OS detection by analyzing TCP/IP stack fingerprints. This is a key recon step in any penetration test to identify target operating systems and tailor exploitation approaches accordingly.
2Which nmap scan type sends SYN packets and never completes the TCP handshake, making it stealthier than a full connect scan?
A.nmap -sU
B.nmap -sF
C.nmap -sT
D.nmap -sS
Explanation: The SYN scan (-sS) sends a SYN packet and waits for SYN/ACK; it resets the connection before completing the handshake. This avoids full TCP connections and is less likely to be logged by applications, making it the default and most popular nmap scan type.
3During service enumeration with nmap, which flag runs default NSE scripts against discovered open ports?
A.-sV
B.--script=all
C.-sC
D.-p-
Explanation: -sC runs nmap's default script collection (equivalent to --script=default). These scripts perform service identification, banner grabbing, and common vulnerability checks, providing valuable recon data beyond basic port state detection.
4An attacker uses `rpcclient -U '' -N <IP>` against a Windows target. What is the purpose of this command?
A.Perform an LDAP query against Active Directory
B.Attempt null-session SMB enumeration via RPC
C.Brute-force the Administrator account password
D.Enumerate SNMP community strings
Explanation: rpcclient with an empty username (-U '') and no password (-N) attempts a null session, which on misconfigured Windows hosts allows unauthenticated enumeration of domain users, groups, shares, and policies via MS-RPC. This is a classic initial recon technique.
5Which tool is specifically designed to enumerate SMB shares, sessions, and users on Windows targets during reconnaissance?
A.enum4linux
B.gobuster
C.nikto
D.masscan
Explanation: enum4linux is a Linux-based tool that wraps smbclient and rpcclient to enumerate Windows SMB/CIFS information including users, groups, shares, password policy, and OS details. It is a staple tool for initial Windows target reconnaissance.
6Which tool is used to perform username enumeration against a Kerberos service to identify valid domain accounts without authentication?
A.ldapsearch
B.hydra
C.kerbrute
D.crackmapexec
Explanation: kerbrute uses the Kerberos pre-authentication mechanism to enumerate valid usernames. By sending AS-REQ packets, it can determine whether a username exists based on the KDC error response (KDC_ERR_C_PRINCIPAL_UNKNOWN vs other responses), without needing a password.
7During web application recon, a penetration tester runs `gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt`. What is the primary purpose of this command?
A.Brute-force login credentials on the web application
B.Perform DNS subdomain enumeration
C.Discover hidden directories and files on the web server
D.Scan for open ports on the target IP
Explanation: gobuster in 'dir' mode performs directory and file brute-forcing by requesting paths from a wordlist against the target URL. This reveals hidden endpoints, admin panels, configuration files, and backup directories not linked from the application.
8A tester discovers a host running an outdated CMS. Which tool is purpose-built to enumerate WordPress plugins, themes, and user accounts?
A.sqlmap
B.dirbuster
C.nikto
D.wpscan
Explanation: wpscan is a WordPress-specific security scanner that enumerates installed plugins, themes, users, and known vulnerabilities in the WordPress core and its components. It supports authenticated scanning and API integration for CVE data, making it the standard tool for WordPress recon.
9Which nmap script category is most useful for enumerating SMB shares, sessions, and vulnerabilities on Windows hosts?
A.--script=http-*
B.--script=smb-*
C.--script=ftp-*
D.--script=ssh-*
Explanation: The smb-* NSE script category includes scripts like smb-enum-shares, smb-enum-users, smb-vuln-ms17-010 (EternalBlue), and smb-os-discovery. These scripts provide comprehensive SMB enumeration and vulnerability detection against Windows targets.
10A penetration tester executes `smbclient -L //192.168.1.10 -N`. What does this command accomplish?
A.Authenticates to SMB with a null password and lists available shares
B.Downloads all files from the default SMB share
C.Brute-forces SMB credentials using a wordlist
D.Enables SMB signing on the target host
Explanation: smbclient -L lists shares on the target host, and -N suppresses the password prompt, attempting a null authentication. This allows unauthenticated enumeration of available SMB shares on misconfigured targets, a key initial access recon step.

About the eCPPT Practice Questions

Verified exam format metadata for eCPPT Certified Professional Penetration Tester v3 is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.