PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free CPTE Practice Questions

Pass your Mile2 Certified Penetration Testing Engineer (CPTE) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which command in Meterpreter enables keylogging on a compromised Windows system to capture keystrokes including usernames and passwords?

A
B
C
D
to track
Same family resources

Explore More Mile2 Cybersecurity Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Mile2 Certified AI Cybersecurity Officer (CAICSO)

Practice Questions

Mile2 Certified Cloud Security Officer (CCSO)

Practice Questions

Mile2 Certified Digital Forensics Examiner (CDFE)

Practice Questions

Mile2 Certified Disaster Recovery Engineer (CDRE)

Practice Questions

Mile2 Certified Information Systems Risk Manager (CISRM)

Practice Questions

Mile2 Certified Information Systems Security Officer (CISSO)

Practice Questions
2026 Statistics

Key Facts: CPTE Exam

100 MCQ

Exam Format

Mile2

70%

Passing Score

Mile2

2 hours

Time Limit

Mile2

13 modules

Course Domains

Mile2

3 years

Validity Period

Mile2

DoD 8140

ANSI/ANAB Accredited (C)PTE-A)

Mile2

Mile2 CPTE is a 100-question, 2-hour MCQ exam requiring 70% to pass. The standard version is unproctored via Mile2's LMS; the C)PTE-A accredited version adds live proctoring and is ANSI/DoD 8140 recognized. The exam covers the 5 key penetration testing elements: Information Gathering, Scanning, Enumeration, Exploitation, and Reporting — implemented across 13 detailed course modules.

Sample CPTE Practice Questions

Try these sample questions to test your CPTE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which document formally defines the scope, rules of engagement, and legal authorization for a penetration test before any testing begins?
A.Statement of Work (SOW)
B.Rules of Engagement (ROE) document
C.Non-Disclosure Agreement (NDA)
D.Penetration Test Authorization Form
Explanation: The Rules of Engagement (ROE) document formally defines what systems are in scope, what testing techniques are permitted, timing constraints, and emergency contacts. It protects both the tester and the client and must be signed before any active testing begins. Without an ROE, the tester has no legal authorization to proceed.
2A penetration tester performs passive reconnaissance by querying WHOIS records. Which piece of information is most commonly retrievable from a WHOIS lookup?
A.Registered domain owner, registrar, and name servers
B.Open TCP ports on the target server
C.SSL certificate chain details
D.Active directory domain controller hostname
Explanation: WHOIS databases contain domain registration records including the registrant's name, organization, contact email, registrar name, registration/expiration dates, and authoritative name servers. This is passive reconnaissance that requires no direct connection to the target infrastructure.
3Which Nmap flag performs a SYN scan (also called a half-open scan) that is less likely to appear in application logs because it does not complete the TCP three-way handshake?
A.-sT
B.-sU
C.-sS
D.-sV
Explanation: Nmap's -sS flag performs a TCP SYN scan. Nmap sends a SYN packet and waits for SYN-ACK (open) or RST (closed). When a SYN-ACK is received, Nmap sends RST rather than completing the handshake, so many application-layer logs do not record a full connection. It is the default scan type when run as root.
4During banner grabbing, a tester connects to port 25 on a mail server and receives the banner '220 mail.target.com ESMTP Postfix'. What protocol is running on port 25?
A.POP3
B.IMAP
C.SMTP
D.HTTPS
Explanation: Port 25 is the standard port for SMTP (Simple Mail Transfer Protocol), used for server-to-server email transfer. The '220' response code is the SMTP service-ready greeting, and 'ESMTP' indicates Extended SMTP capabilities. Postfix is a commonly deployed open-source SMTP mail transfer agent.
5A tester uses Nmap with the command 'nmap -sV -O 192.168.1.1'. What does the -O flag do?
A.Enables operating system detection
B.Outputs results in XML format
C.Performs an OSINT lookup
D.Sets the scan to use the default port list only
Explanation: The -O flag in Nmap enables OS fingerprinting, which analyzes TCP/IP stack characteristics such as TTL values, window size, and TCP options in responses to make probabilistic guesses about the target operating system and version. This requires root/administrator privileges.
6Which tool is purpose-built for automated vulnerability scanning and is commonly used in CPTE labs to identify known CVEs on target systems without manual exploitation?
A.Wireshark
B.Metasploit Framework
C.OpenVAS / Greenbone
D.Netcat
Explanation: OpenVAS (now marketed as Greenbone Vulnerability Management) is a full-featured automated vulnerability scanner that maintains a feed of Network Vulnerability Tests (NVTs) mapped to CVEs. It scans target systems and produces reports of identified vulnerabilities with severity ratings, making it ideal for the vulnerability assessment phase of a pen test.
7In the Metasploit Framework, which command is used to search for exploit modules related to a specific CVE or keyword?
A.use <module>
B.search <keyword>
C.show exploits
D.info <module>
Explanation: The 'search' command in Metasploit's msfconsole allows testers to find modules by CVE number, platform, type, or keyword. For example, 'search cve:2017-0144' finds EternalBlue-related modules. This is the primary discovery command before selecting a module with 'use'.
8After exploiting a Windows system with Metasploit, the tester has a Meterpreter session. Which command checks the current privilege level of the session?
A.getuid
B.whoami
C.sysinfo
D.ps
Explanation: In a Meterpreter session, 'getuid' returns the current user context under which the session is running (e.g., 'Server username: NT AUTHORITY\SYSTEM'). This tells the tester whether privilege escalation is needed. 'whoami' is a Windows shell command, not a Meterpreter built-in command.
9Which privilege escalation technique exploits misconfigured Windows services where a low-privileged user can modify the service binary path?
A.Token impersonation
B.DLL hijacking
C.Unquoted service path exploitation
D.Pass-the-hash
Explanation: Unquoted service path exploitation occurs when a Windows service's binary path contains spaces and is not enclosed in quotation marks. Windows will attempt to execute each potential path component in order, so an attacker can place a malicious executable at an earlier path location to run code as the service's privileged account (often SYSTEM).
10A tester wants to capture NTLMv2 hashes on a network by responding to broadcast name resolution queries. Which tool is specifically designed for LLMNR/NBT-NS poisoning?
A.Responder
B.Wireshark
C.Ettercap
D.Hydra
Explanation: Responder (by Laurent Gaffie) is the de facto tool for LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning. It listens for broadcast name resolution requests, responds with the attacker's IP, and captures NTLMv2 hashes when Windows clients attempt to authenticate. The captured hashes can then be cracked offline.

About the CPTE Exam

The Mile2 CPTE (Certified Penetration Testing Engineer) validates practical penetration testing knowledge across the full engagement lifecycle: from scoping and reconnaissance through exploitation, post-exploitation, and professional report writing. It covers 13 domains including Metasploit, PowerShell attacks, web exploitation, evasion, and IoT/mobile hacking.

Questions

100 scored questions

Time Limit

2 hours

Passing Score

70% (70/100)

Exam Fee

Contact Mile2 for current pricing (Mile2 Cybersecurity Institute)

CPTE Exam Content Outline

~8%

Pentest Methodology & Ethics

Rules of engagement, test types (black/grey/white-box), scope definition, legal authorization, and engagement lifecycle

~10%

Information Gathering & Reconnaissance

OSINT tools (WHOIS, Shodan, theHarvester, Google dorking), DNS zone transfers, certificate transparency, and passive vs active recon

~8%

Detecting Live Systems

Host discovery with ARP scanning, ICMP probing, and Nmap sweep techniques

~10%

Banner Grabbing & Enumeration

Nmap service detection, enum4linux, SNMP enumeration, SMB null sessions, and protocol-specific probing

~10%

Automated Vulnerability Assessment

OpenVAS, Nessus, Nikto; CVSS v3.1 scoring, severity ratings, and finding prioritization

~12%

System Exploitation

Metasploit Framework, Meterpreter, credential dumping (Mimikatz), privilege escalation (SUID, getsystem, unquoted service path)

~10%

Post-Exploitation & Lateral Movement

Pivoting, Pass-the-Hash, Golden Ticket, keylogging, persistence mechanisms, and cleanup

~8%

Evasion Techniques

IP fragmentation, polymorphic encoding, protocol tunneling, PowerShell obfuscation, and AV evasion

~8%

Hacking with PowerShell

Fileless execution (IEX/DownloadString), execution policy bypass, Base64 encoding, and living-off-the-land

~8%

Networks & Sniffing

ARP poisoning, LLMNR/NBT-NS poisoning (Responder), VLAN hopping, Scapy packet crafting, Wireshark analysis

~10%

Web Application Attacks

SQLi, XSS, file upload, path traversal, open redirect, Burp Suite, Gobuster directory brute-forcing, clickjacking

~6%

Mobile & IoT Hacking

Android ADB/APKTool, OWASP IoT Top 10, UART hardware access, evil twin attacks, default credential exploitation

~5%

Penetration Test Reporting

Report structure (executive summary, scope, findings, PoC, remediation), risk ratings, and cleanup documentation

How to Pass the CPTE Exam

What You Need to Know

  • Passing score: 70% (70/100)
  • Exam length: 100 questions
  • Time limit: 2 hours
  • Exam fee: Contact Mile2 for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CPTE Study Tips from Top Performers

1Master Nmap scan types: -sS (SYN), -sU (UDP), -sX (Xmas), -sA (ACK), -sV (version), -O (OS detection), -sC (default scripts)
2Learn the full Metasploit workflow: search → use → set RHOSTS/LHOST/LPORT → set payload → run → Meterpreter commands (getuid, getsystem, hashdump, keyscan_start)
3Understand the difference between black-box, grey-box, and white-box testing and the purpose of Rules of Engagement documents
4Practice SQL injection UNION technique, XSS payload types (reflected vs stored), and file upload webshell attacks — these are heavily tested web domains
5Know privilege escalation vectors: SUID binaries (find / -perm -4000), unquoted service paths, weak service permissions, and sudo -l enumeration
6Memorize key ports: 21 FTP, 22 SSH/SFTP, 25 SMTP, 80 HTTP, 139/445 SMB, 443 HTTPS, 3306 MySQL, 3389 RDP, 5432 PostgreSQL, 27017 MongoDB

Frequently Asked Questions

What is the Mile2 CPTE exam format?

The Mile2 CPTE is a 100-question multiple-choice exam with a 2-hour time limit. The passing score is 70% (70 correct answers). The standard version is unproctored and taken online from the candidate's Mile2 LMS account. The ANSI/DoD 8140 accredited version (C)PTE-A) includes live proctor supervision and is recognized under NSA CNSSI-4013.

What are the prerequisites for the CPTE exam?

There are no mandatory prerequisite certifications for the CPTE. Mile2 recommends completing the C)PEH (Certified Professional Ethical Hacker) first, along with solid TCP/IP networking knowledge and basic Linux command-line experience. Candidates with CompTIA Security+ and Network+ backgrounds are well-positioned for the CPTE.

What domains does the CPTE cover?

The CPTE covers 13 course modules: Business & Technical Logistics of Pen Testing; Information Gathering; Detecting Live Systems; Banner Grabbing & Enumeration; Automated Vulnerability Assessment; Hacking an OS; Advanced Assessment & Exploitation; Evasion Techniques; Hacking with PowerShell; Networks & Sniffing; Hacking Web Technologies; Mobile & IoT Hacking; and Report Writing. The curriculum is built around the 5 key elements: Information Gathering, Scanning, Enumeration, Exploitation, and Reporting.

What tools should I know for the CPTE exam?

Focus on Nmap (scan types, NSE scripts, OS detection), Metasploit Framework (msfconsole, msfvenom, Meterpreter), Hydra (brute-forcing), Responder (LLMNR/NBT-NS poisoning), Hashcat (offline cracking), Burp Suite (web proxy), SQLmap (SQL injection), Gobuster (directory brute-forcing), Nikto (web scanning), OpenVAS (vulnerability assessment), Wireshark (packet analysis), and PowerShell attack techniques.

How does the CPTE compare to CEH or OSCP?

CPTE is a knowledge-based MCQ exam comparable in format to EC-Council CEH. Both test penetration testing concepts via multiple choice. OSCP (and similar practical certifications) require hands-on lab exploitation. CPTE's 13-module curriculum and DoD 8140 recognition make it valuable for candidates in government/defense contexts seeking a structured knowledge-based pen testing credential.

Is the Mile2 CPTE DoD 8140 approved?

The ANSI/ANAB-accredited version of the CPTE (C)PTE-A) is recognized for DoD 8140 (formerly 8570) requirements. Mile2 has received NSA validation for CNSSI-4013 training standards. Candidates seeking DoD-recognized credentials should select the proctored C)PTE-A exam version, not the standard unproctored version.