
100+ Free PJPT Practice Questions

Practical Junior Penetration Tester practice questions are available now; exam metadata is being verified.

Pass rate: not published. Questions: 100+. Price: 100% free.

Key Facts: PJPT Exam

Exam Cost: $249 (TCM Security)
Pentest + Report Time: 48 + 48 hrs (TCM Security)
Retake Included: 1 free (TCM Security)
Pass Requirement: DC compromise (TCM Security)
Course Access Included: 12 months (TCM Security)
Exam Monitoring: No proctor (TCM Security)

The PJPT from TCM Security is an affordable, practical junior penetration testing certification priced at $249 (including a free retake and 12 months of course access). Candidates have 48 hours to conduct an internal Active Directory pentest and 48 hours to write a professional report. The exam requires compromising the Domain Controller using real AD attack techniques. This practice exam tests theoretical knowledge; the actual PJPT requires live exploitation in a virtual lab environment.

Sample PJPT Practice Questions

Try these sample questions to test your PJPT exam readiness. Each question includes a detailed explanation.

1. Which protocol does LLMNR use when a DNS query fails to resolve a hostname on a local network?
A. UDP multicast on port 5355
B. TCP unicast on port 53
C. UDP broadcast on port 137
D. TCP multicast on port 5355
Explanation: LLMNR (Link-Local Multicast Name Resolution) uses UDP multicast on port 5355 to resolve hostnames when DNS fails. It sends a multicast query to all hosts on the local link, allowing any host to respond. This is exploitable because an attacker can respond to these multicast queries and capture NTLMv2 hashes.
2. Which tool is the standard choice for performing LLMNR/NBT-NS poisoning to capture NTLMv2 hashes?
A. Responder
B. Wireshark
C. Metasploit
D. Netcat
Explanation: Responder is the primary tool for LLMNR/NBT-NS poisoning. It listens on the local network and automatically responds to LLMNR and NBT-NS broadcast queries, impersonating the requested host. When victims connect, Responder captures their NTLMv2 challenge-response hashes which can then be cracked offline.
3. What type of hash does Responder capture during LLMNR poisoning attacks?
A. NTLM v1 hash
B. Kerberos TGT
C. NTLMv2 challenge-response hash
D. MD5 password hash
Explanation: Responder captures NTLMv2 challenge-response hashes during LLMNR poisoning. When the victim machine attempts to authenticate, it sends an NTLMv2 hash. These hashes can be cracked offline using tools like Hashcat or John the Ripper. They cannot be used directly for Pass-the-Hash (PTH) attacks, unlike NTLM hashes.
4. What is the primary prerequisite for a successful SMB relay attack?
A. SMB signing must be disabled on the target
B. The target must have SMB signing enabled
C. The attacker must have physical access to the network switch
D. The victim must be using a non-Windows operating system
Explanation: SMB relay attacks require that SMB signing be disabled on the target machine. When SMB signing is disabled, the server does not validate the integrity of SMB messages, allowing an attacker to relay authentication attempts from one host to another. You can check for SMB signing with tools like Nmap or CrackMapExec.
5. When performing an SMB relay attack, which Responder configuration change is required before relaying?
A. Disable HTTP and SMB servers in Responder so only hashes are captured for relaying
B. Enable HTTP and SMB servers in Responder
C. Enable LDAP poisoning in Responder
D. Set Responder to WPAD mode
Explanation: When performing an SMB relay attack, you must disable the SMB and HTTP servers in Responder's configuration. If these servers are enabled, Responder will capture hashes locally rather than forwarding them for relay. The relay tool (ntlmrelayx) handles the relay; Responder should only poison name resolution, not terminate the authentication.
6. Which Impacket tool is used to relay captured NTLM authentication to another host during an SMB relay attack?
A. psexec.py
B. secretsdump.py
C. ntlmrelayx.py
D. GetUserSPNs.py
Explanation: ntlmrelayx.py from the Impacket suite is the tool used to perform SMB relay attacks. It receives the relayed authentication from Responder and forwards it to target hosts where SMB signing is disabled. If the relayed credentials belong to a local admin, it can dump SAM hashes or execute commands on the target.
7. What is Kerberoasting and what does it exploit?
A. Requesting TGS tickets for service accounts with SPNs and cracking them offline
B. Brute-forcing the KRBTGT account password to forge tickets
C. Intercepting Kerberos traffic between client and KDC using a MITM attack
D. Exploiting a vulnerability in the Kerberos pre-authentication mechanism
Explanation: Kerberoasting exploits the fact that any authenticated domain user can request a TGS (Ticket Granting Service) ticket for any service account that has a Service Principal Name (SPN) registered. The TGS ticket is encrypted with the service account's NTLM password hash. Attackers request these tickets and crack them offline to recover the plaintext password.
8. Which Impacket script is used to perform Kerberoasting by requesting TGS tickets for all service accounts?
A. GetUserSPNs.py
B. GetNPUsers.py
C. ticketer.py
D. secretsdump.py
Explanation: GetUserSPNs.py from the Impacket suite queries Active Directory for all accounts with Service Principal Names (SPNs) and requests TGS tickets for them. The output includes the Kerberos hashes in a format ready for offline cracking with Hashcat (mode 13100) or John the Ripper.
9. What Hashcat mode is used to crack Kerberoasted TGS ticket hashes?
A. Mode 1000 (NTLM)
B. Mode 5600 (NetNTLMv2)
C. Mode 13100 (Kerberos TGS-REP etype 23)
D. Mode 18200 (Kerberos AS-REP etype 23)
Explanation: Hashcat mode 13100 is used to crack Kerberos TGS-REP type 23 (RC4-HMAC encrypted) hashes obtained through Kerberoasting. The format is $krb5tgs$23$*. Mode 18200 is for AS-REP Roasting, mode 5600 is for NTLMv2, and mode 1000 is for NTLM hashes.
10. What is Pass-the-Hash (PTH) and which authentication protocol does it exploit?
A. Replaying a Kerberos ticket; it exploits Kerberos authentication
B. Passing a password hash through DNS to authenticate to SMB shares
C. Using an NTLM hash directly to authenticate without knowing the plaintext password; exploits NTLM authentication
D. Cracking NTLM hashes using rainbow tables to recover plaintext passwords
Explanation: Pass-the-Hash (PTH) is an attack that uses a captured NTLM hash to authenticate to remote services without cracking the hash to get the plaintext password. It works because NTLM authentication requires only the password hash (not the plaintext) to compute the correct response. Tools like CrackMapExec, Impacket's psexec.py, and Mimikatz can perform PTH.

About the PJPT Practice Questions

Verified exam format metadata for Practical Junior Penetration Tester is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.