eLearnSecurity Junior Penetration Tester (eJPT)
Certification Exam | Latest Verified Questions and
Detailed Answers
OVERVIEW DESCRIPTION:
The eLearnSecurity Junior Penetration Tester (eJPT) exam is a practical, entry-level
certification that assesses foundational skills in network, web application, and host
penetration testing. Candidates are tested on their ability to perform scanning,
enumeration, exploitation, pivoting, privilege escalation, and basic web attacks (such as
SQL injection and LFI) within a browser-based Kali Linux environment. The exam
emphasizes a structured methodology—from information gathering and vulnerability
assessment to post-exploitation—and covers four core domains: Host and Network
Penetration Testing (including Metasploit and brute-forcing), Assessment Methodologies
(OSINT and scanning), Host and Network Auditing (enumeration and file transfers), and
Web Application Penetration Testing (using tools like Burp Suite).
DOMAIN 1: Host and Network Penetration Testing (35%)
QUESTION 1
After gaining a Meterpreter session on a Windows host, you want to route traffic
through this host to access a hidden internal subnet (172.16.5.0/24). Which Metasploit
command adds a route to that subnet via the current session?
A) route add 172.16.5.0 255.255.255.0 2
B) route add 172.16.5.0/24 2
C) autoroute -s 172.16.5.0/24
D) setg RHOSTS 172.16.5.0/24
CORRECT ANSWER: C
EXPERT RATIONALE: The autoroute command in Metasploit's post-exploitation
modules adds routes through a compromised session. Option C correctly specifies the
subnet using -s.
QUESTION 2
During a brute-force attack against SSH, you notice the target locks out after 5 failed
attempts. What is the most effective countermeasure to avoid account lockout while still
discovering a valid credential?
A) Increase the delay between attempts
B) Use a smaller password wordlist
C) Rotate source IP addresses with proxies
D) Switch to a dictionary attack instead of brute-force
CORRECT ANSWER: C
EXPERT RATIONALE: Rotating source IP addresses bypasses per-IP or per-account rate
limiting, preventing lockout. Increasing delay reduces speed but doesn't stop lockout.
QUESTION 3
You have a basic Python exploit that works on a vulnerable Linux service, but it
hardcodes a return address for a specific libc version. What modification is most likely
needed for it to work on the target?
A) Change the exploit’s payload to a bind shell
B) Replace the return address with a JMP ESP instruction
C) Dynamically locate the system() function address in the target’s libc
D) Convert the exploit to a Metasploit module
CORRECT ANSWER: C
EXPERT RATIONALE: Hardcoded return addresses break across different libc versions.
Dynamically resolving system() or using a ROP gadget from the target’s memory makes
the exploit portable.
QUESTION 4
In Metasploit, you have a reverse shell payload (windows/meterpreter/reverse_tcp).
Which option must match between the payload and the handler to receive the
connection?
A) PAYLOAD and SESSION
B) LHOST and RHOST
C) LPORT and RHOST
D) LHOST and LPORT
CORRECT ANSWER: D
EXPERT RATIONALE: The handler’s LHOST and LPORT must match the payload’s LHOST and
LPORT so the victim knows where to connect back.
QUESTION 5
After pivoting through a compromised host, you want to run Nmap on the internal
network. Which Metasploit module allows you to perform port scanning via the existing
Meterpreter session?
A) auxiliary/scanner/portscan/tcp
B) post/windows/gather/arp_scanner
C) auxiliary/scanner/portscan/ack
D) post/multi/manage/shell_to_meterpreter
CORRECT ANSWER: A
EXPERT RATIONALE: The auxiliary/scanner/portscan/tcp module can be routed
through a session when used with set SESSION <id>. It scans via the pivot host.
QUESTION 6
During a brute-force attack on FTP, you obtain the password for user "ftpuser". The
server allows anonymous login. What is the best next step after gaining credentials?
A) Run a vulnerability scanner against the FTP service
B) Log in and enumerate uploaded files and directory permissions
C) Immediately change the password to lock out the real user
D) Use the credentials to pivot to a different protocol
CORRECT ANSWER: B
EXPERT RATIONALE: Enumerating files and permissions can reveal sensitive data or
writable directories that allow backdoor uploads. This is standard post-brute-force
enumeration.
QUESTION 7
You modified a public exploit for a buffer overflow but it crashes the service without a
shell. What is the most likely reason?
A) The payload size exceeds the buffer space
B) The target architecture is different from your test machine
C) The exploit uses a reverse shell but no listener was started
D) All of the above
CORRECT ANSWER: D
EXPERT RATIONALE: Any mismatch in payload size, architecture, or missing listener
can cause crashes or no shell. All three are common pitfalls when modifying exploits.
QUESTION 8
Which Metasploit post-exploitation module would you use to dump password hashes
from a Windows target?
A) post/windows/gather/hashdump
B) post/windows/gather/smart_hashdump
C) auxiliary/scanner/smb/smb_hashdump
D) post/linux/gather/hashdump
CORRECT ANSWER: B
EXPERT RATIONALE: smart_hashdump works across different Windows versions and can
handle LSASS protections better than the basic hashdump. It is the recommended module
for eJPT objectives.
QUESTION 9
While pivoting, you set up a SOCKS proxy using Metasploit’s
auxiliary/server/socks_proxy. Which tool can then be used through this proxy without
Metasploit integration?
A) Only Nmap with proxychains
B) Only web browsers
C) Any TCP-based tool configured with proxychains
D) Only Meterpreter scripts
CORRECT ANSWER: C