PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free PNPT Practice Questions

TCM Security Practical Network Penetration Tester practice questions are available now; exam metadata is being verified.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which technique allows an attacker to maintain persistence on a Domain Controller even after a password reset, by leveraging the KRBTGT account?

A
B
C
D
to track
Same family resources

Explore More TCM Security Practical Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

TCM Security Practical IoT Pentest Associate (PIPA)

Practice Questions

TCM Security Practical Junior Penetration Tester (PJPT)

Practice Questions

TCM Security Practical Malware Research Professional (PMRP)

Practice Questions

TCM Security Practical Mobile Pentest Associate (PMPA)

Practice Questions

TCM Security Practical OSINT Research Professional (PORP)

Practice Questions

TCM Security Practical SOC Analyst Associate (PSAA)

Practice Questions
2026 Statistics

Key Facts: PNPT Exam

$499

Exam Cost (includes retake + training)

TCM Security

5 days

Pentest Engagement Window

TCM Security

2 days

Report Submission Window

TCM Security

15 min

Live Debrief Duration

TCM Security

Zero flags

No CTF Elements — Real Pentest

TCM Security

1 free

Retake Included

TCM Security

The PNPT from TCM Security is a practical penetration testing certification covering 5 domains: OSINT/External Recon (20%), External Exploitation (20%), Active Directory Attacks (35%), AV Evasion/Lateral Movement (15%), and Report Writing (10%). The exam gives 5 full days for the pentest plus 2 days to write a professional report, followed by a mandatory live 15-minute verbal debrief with TCM Security assessors. All tools are permitted — including Metasploit and AI tools. Cost is $499 with one free retake. Primary prep: Practical Ethical Hacking (PEH) course by Heath Adams (TheCyberMentor). This practice exam covers the conceptual knowledge; actual PNPT requires hands-on exploitation.

Sample PNPT Practice Questions

Try these sample questions to test your PNPT exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which tool is most commonly used in the PNPT exam to perform LLMNR/NBT-NS poisoning to capture NTLMv2 hashes?
A.Wireshark
B.Responder
C.tcpdump
D.Ettercap
Explanation: Responder (by Laurent Gaffie) poisons LLMNR, NBT-NS, and MDNS broadcasts, presenting itself as the requested host to capture NTLMv2 hashes from Windows clients. It is the go-to tool for this attack in the TCM PEH course and the PNPT exam.
2LLMNR (Link-Local Multicast Name Resolution) operates on which UDP port?
A.5353
B.137
C.5355
D.445
Explanation: LLMNR uses UDP port 5355. It is a protocol used by Windows hosts to resolve hostnames when DNS fails, making it a target for poisoning attacks. NBT-NS uses UDP 137, mDNS uses UDP 5353, and SMB uses TCP 445.
3After capturing an NTLMv2 hash with Responder, which tool and hashcat mode combination would you use to crack it offline?
A.John the Ripper with --format=ntlmv2
B.hashcat -m 1000
C.hashcat -m 13100
D.hashcat -m 5600
Explanation: hashcat mode 5600 (-m 5600) is specifically designed for NTLMv2 (NetNTLMv2) hashes captured by Responder. Mode 1000 is for NTLM hashes (from SAM/NTDS), and mode 13100 is for Kerberoastable TGS tickets.
4Which condition MUST be met on the target network for an SMB relay attack to succeed instead of simply capturing and cracking hashes?
A.SMB signing must be disabled or not required on target hosts
B.The attacker must be on the same VLAN as the domain controller
C.The target must be running Windows XP or older
D.NTLM authentication must be completely disabled in the domain
Explanation: SMB relay attacks require that SMB signing is disabled or not required on the target relay hosts. When SMB signing is enforced, relayed authentication packets are rejected because they cannot be re-signed. Domain controllers have SMB signing required by default.
5Which Impacket tool is used to execute the SMB relay attack by relaying captured NTLMv2 hashes to other hosts in the network?
A.secretsdump.py
B.psexec.py
C.ntlmrelayx.py
D.wmiexec.py
Explanation: ntlmrelayx.py (part of the Impacket suite) performs NTLM relay attacks. It works in conjunction with Responder (run with HTTP/SMB servers disabled) to relay captured authentication attempts to target hosts, potentially dumping SAM databases or executing commands.
6What does Pass-the-Hash (PtH) allow an attacker to do without knowing the plaintext password?
A.Forge Kerberos service tickets using the NTLM hash
B.Enumerate Active Directory users via LDAP using the hash
C.Crack the NTLM hash offline using rainbow tables
D.Authenticate to Windows systems using the NTLM hash directly
Explanation: Pass-the-Hash exploits the fact that Windows NTLM authentication accepts the hash itself as proof of identity. Tools like crackmapexec, Impacket psexec.py, and mimikatz sekurlsa::pth can authenticate directly with the NTLM hash without needing the plaintext password.
7Which mimikatz command is used to dump credentials (NTLM hashes and cleartext passwords) from LSASS memory on a compromised Windows host?
A.mimikatz # privilege::debug
B.mimikatz # lsadump::sam
C.mimikatz # sekurlsa::logonpasswords
D.mimikatz # kerberos::list
Explanation: sekurlsa::logonpasswords dumps all authentication credentials cached in LSASS memory, including NTLM hashes and potentially cleartext passwords (if WDigest is enabled). privilege::debug must be run first to obtain SeDebugPrivilege. lsadump::sam dumps the local SAM database from registry hives.
8Kerberoasting targets service accounts that have which attribute set in Active Directory?
A.AccountNotDelegated
B.msDS-SupportedEncryptionTypes
C.ServicePrincipalName (SPN)
D.UserAccountControl DONT_REQ_PREAUTH
Explanation: Kerberoasting targets accounts with a Service Principal Name (SPN) registered. Any authenticated domain user can request a TGS ticket for these accounts; the ticket is encrypted with the service account's password hash, which can then be cracked offline.
9Which tool from the Impacket suite is used to perform Kerberoasting from a Linux machine without needing an interactive session?
A.GetNPUsers.py
B.kerbrute
C.secretsdump.py
D.GetUserSPNs.py
Explanation: GetUserSPNs.py requests TGS tickets for accounts with SPNs registered, outputting the hashes in a format ready for offline cracking with hashcat (-m 13100). GetNPUsers.py is used for AS-REP Roasting (accounts without pre-auth).
10What hashcat mode is used to crack Kerberoasting TGS-REP hashes?
A.18200
B.5600
C.1000
D.13100
Explanation: Hashcat mode 13100 is used for Kerberos 5 TGS-REP etype 23 (RC4-HMAC) tickets obtained through Kerberoasting. Mode 18200 is for AS-REP Roasting (Kerberos 5 AS-REP etype 23), mode 5600 is for NTLMv2, and mode 1000 is for NTLM.

About the PNPT Practice Questions

Verified exam format metadata for TCM Security Practical Network Penetration Tester is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.