World-class preparation for the new PenTest+ exam The CompTIA PenTest+ Study Guide: Exam PT0-001 offers comprehensive preparation for the newest intermediate cybersecurity certification exam. With expert coverage of Exam PT0-001 objectives, this book is your ideal companion throughout all stages of study; whether you’re just embarking on your certification journey or finalizing preparations for the big day, this invaluable resource helps you solidify your understanding of essential skills and concepts. Access to the Sybex online learning environment allows you to study anytime, anywhere with electronic flashcards, a searchable glossary, and more, while hundreds of practice exam questions help you step up your preparations and avoid surprises on exam day. The CompTIA PenTest+ certification validates your skills and knowledge surrounding second-generation penetration testing, vulnerability assessment, and vulnerability management on a variety of systems and devices, making it the latest go-to qualification in an increasingly mobile world. This book contains everything you need to prepare; identify what you already know, learn what you don’t know, and face the exam with full confidence! Perform security assessments on desktops and mobile devices, as well as cloud, IoT, industrial and embedded systems  Identify security weaknesses and manage system vulnerabilities Ensure that existing cybersecurity practices, configurations, and policies conform with current best practices Simulate cyberattacks to pinpoint security weaknesses in operating systems, networks, and applications As our information technology advances, so do the threats against it. It’s an arms race for complexity and sophistication, and the expansion of networked devices and the Internet of Things has integrated cybersecurity into nearly every aspect of our lives. The PenTest+ certification equips you with the skills you need to identify potential problems—and fix them—and the CompTIA PenTest+ Study Guide: Exam PT0-001 is the central component of a complete preparation plan. 

Table of Contents:
Introduction xxv Assessment Test lvi Chapter 1 Penetration Testing 1 What Is Penetration Testing? 2 Cybersecurity Goals 2 Adopting the Hacker Mind-Set 4 Reasons for Penetration Testing 5 Benefits of Penetration Testing 5 Regulatory Requirements for Penetration Testing 6 Who Performs Penetration Tests? 8 Internal Penetration Testing Teams 8 External Penetration Testing Teams 9 Selecting Penetration Testing Teams 9 The CompTIA Penetration Testing Process 10 Planning and Scoping 11 Information Gathering and Vulnerability Identification 11 Attacking and Exploiting 12 Reporting and Communicating Results 13 The Cyber Kill Chain 13 Reconnaissance 15 Weaponization 15 Delivery 16 Exploitation 16 Installation 16 Command and Control 16 Actions on Objectives 17 Tools of the Trade 17 Reconnaissance 19 Vulnerability Scanners 20 Social Engineering 21 Credential-Testing Tools 21 Debuggers 21 Software Assurance 22 Network Testing 22 Remote Access 23 Exploitation 23 Summary 23 Exam Essentials 24 Lab Exercises 25 Activity 1.1: Adopting the Hacker Mind-Set 25 Activity 1.2: Using the Cyber Kill Chain 25 Review Questions 26 Chapter 2 Planning and Scoping Penetration Tests 31 Scoping and Planning Engagements 35 Assessment Types 36 White Box, Black Box, or Gray Box? 36 The Rules of Engagement 38 Scoping Considerations: A Deeper Dive 40 Support Resources for Penetration Tests 42 Key Legal Concepts for Penetration Tests 45 Contracts 45 Data Ownership and Retention 46 Authorization 46 Environmental Differences 46 Understanding Compliance-Based Assessments 48 Summary 50 Exam Essentials 51 Lab Exercises 52 Review Questions 53 Chapter 3 Information Gathering 57 Footprinting and Enumeration 60 OSINT 61 Location and Organizational Data 64 Infrastructure and Networks 67 Security Search Engines 72 Active Reconnaissance and Enumeration 74 Hosts 75 Services 75 Networks, Topologies, and Network Traffic 81 Packet Crafting and Inspection 83 Enumeration 84 Information Gathering and Code 88 Information Gathering and Defenses 89 Defenses Against Active Reconnaissance 90 Preventing Passive Information Gathering 90 Summary 90 Exam Essentials 91 Lab Exercises 92 Activity 3.1: Manual OSINT Gathering 92 Activity 3.2: Exploring Shodan 93 Activity 3.3: Running a Nessus Scan 93 Review Questions 94 Chapter 4 Vulnerability Scanning 99 Identifying Vulnerability Management Requirements 102 Regulatory Environment 102 Corporate Policy 106 Support for Penetration Testing 106 Identifying Scan Targets 106 Determining Scan Frequency 107 Configuring and Executing Vulnerability Scans 109 Scoping Vulnerability Scans 110 Configuring Vulnerability Scans 111 Scanner Maintenance 117 Software Security Testing 119 Analyzing and Testing Code 120 Web Application Vulnerability Scanning 121 Developing a Remediation Workflow 125 Prioritizing Remediation 126 Testing and Implementing Fixes 127 Overcoming Barriers to Vulnerability Scanning 127 Summary 129 Exam Essentials 129 Lab Exercises 130 Activity 4.1: Installing a Vulnerability Scanner 130 Activity 4.2: Running a Vulnerability Scan 130 Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan 131 Review Questions 132 Chapter 5 Analyzing Vulnerability Scans 137 Reviewing and Interpreting Scan Reports 138 Understanding CVSS 142 Validating Scan Results 147 False Positives 147 Documented Exceptions 147 Understanding Informational Results 148 Reconciling Scan Results with Other Data Sources 149 Trend Analysis 149 Common Vulnerabilities 150 Server and Endpoint Vulnerabilities 151 Network Vulnerabilities 161 Virtualization Vulnerabilities 167 Internet of Things (IoT) 169 Web Application Vulnerabilities 170 Summary 172 Exam Essentials 173 Lab Exercises 174 Activity 5.1: Interpreting a Vulnerability Scan 174 Activity 5.2: Analyzing a CVSS Vector 174 Activity 5.3: Developing a Penetration Testing Plan 175 Review Questions 176 Chapter 6 Exploit and Pivot 181 Exploits and Attacks 184 Choosing Targets 184 Identifying the Right Exploit 185 Exploit Resources 188 Developing Exploits 189 Exploitation Toolkits 191 Metasploit 192 PowerSploit 198 Exploit Specifics 199 RPC/DCOM 199 PsExec 199 PS Remoting/WinRM 199 WMI 200 Scheduled Tasks and cron Jobs 200 SMB 201 RDP 202 Apple Remote Desktop 203 VNC 203 X-Server Forwarding 203 Telnet 203 SSH 204 Leveraging Exploits 204 Common Post-Exploit Attacks 204 Privilege Escalation 207 Social Engineering 208 Persistence and Evasion 209 Scheduled Jobs and Scheduled Tasks 209 Inetd Modification 210 Daemons and Services 210 Back Doors and Trojans 210 New Users 211 Pivoting 211 Covering Your Tracks 212 Summary 213 Exam Essentials 214 Lab Exercises 215 Activity 6.1: Exploit 215 Activity 6.2: Discovery 215 Activity 6.3: Pivot 216 Review Questions 217 Chapter 7 Exploiting Network Vulnerabilities 223 Conducting Network Exploits 226 VLAN Hopping 226 Network Proxies 228 DNS Cache Poisoning 228 Man-in-the-Middle 229 NAC Bypass 233 DoS Attacks and Stress Testing 234 Exploiting Windows Services 236 NetBIOS Name Resolution Exploits 236 SMB Exploits 240 Exploiting Common Services 240 SNMP Exploits 241 SMTP Exploits 242 FTP Exploits 243 Samba Exploits 244 Wireless Exploits 245 Evil Twins and Wireless MITM 245 Other Wireless Protocols and Systems 247 RFID Cloning 248 Jamming 249 Repeating 249 Summary 250 Exam Essentials 251 Lab Exercises 251 Activity 7.1: Capturing Hashes 251 Activity 7.2: Brute-Forcing Services 252 Activity 7.3: Wireless Testing 253 Review Questions 254 Chapter 8 Exploiting Physical and Social Vulnerabilities 259 Physical Facility Penetration Testing 262 Entering Facilities 262 Information Gathering 266 Social Engineering 266 In-Person Social Engineering 267 Phishing Attacks 269 Website-Based Attacks 270 Using Social Engineering Tools 270 Summary 273 Exam Essentials 274 Lab Exercises 275 Activity 8.1: Designing a Physical Penetration Test 275 Activity 8.2: Brute-Forcing Services 276 Activity 8.3: Using Beef 276 Review Questions 278 Chapter 9 Exploiting Application Vulnerabilities 283 Exploiting Injection Vulnerabilities 287 Input Validation 287 Web Application Firewalls 288 SQL Injection Attacks 289 Code Injection Attacks 292 Command Injection Attacks 293 Exploiting Authentication Vulnerabilities 293 Password Authentication 294 Session Attacks 295 Kerberos Exploits 298 Exploiting Authorization Vulnerabilities 299 Insecure Direct Object References 299 Directory Traversal 300 File Inclusion 301 Exploiting Web Application Vulnerabilities 302 Cross-Site Scripting (XSS) 302 Cross-Site Request Forgery (CSRF/XSRF) 305 Clickjacking 305 Unsecure Coding Practices 306 Source Code Comments 306 Error Handling 306 Hard-Coded Credentials 307 Race Conditions 308 Unprotected APIs 308 Unsigned Code 308 Application Testing Tools 308 Static Application Security Testing (SAST) 309 Dynamic Application Security Testing (DAST) 310 Mobile Tools 313 Summary 313 Exam Essentials 313 Lab Exercises 314 Activity 9.1: Application Security Testing Techniques 314 Activity 9.2: Using the ZAP Proxy 314 Activity 9.3: Creating a Cross-Site Scripting Vulnerability 315 Review Questions 316 Chapter 10 Exploiting Host Vulnerabilities 321 Attacking Hosts 325 Linux 325 Windows 331 Cross-Platform Exploits 338 Remote Access 340 SSH 340 NETCAT and Ncat 341 Proxies and Proxychains 341 Metasploit and Remote Access 342 Attacking Virtual Machines and Containers 342 Virtual Machine Attacks 343 Container Attacks 344 Physical Device Security 345 Cold-Boot Attacks 345 Serial Consoles 345 JTAG Debug Pins and Ports 346 Attacking Mobile Devices 347 Credential Attacks 348 Credential Acquisition 348 Offline Password Cracking 349 Credential Testing and Brute-Forcing Tools 350 Wordlists and Dictionaries 351 Summary 352 Exam Essentials 353 Lab Exercises 354 Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials 354 Activity 10.2: Cracking Passwords Using Hashcat 355 Activity 10.3: Setting Up a Reverse Shell and a Bind Shell 356 Review Questions 358 Chapter 11 Scripting for Penetration Testing 363 Scripting and Penetration Testing 364 Bash 365 PowerShell 366 Ruby 367 Python 368 Variables, Arrays, and Substitutions 368 Bash 370 PowerShell 371 Ruby 371 Python 372 Comparison Operations 372 String Operations 373 Bash 375 PowerShell 376 Ruby 377 Python 378 Flow Control 378 Conditional Execution 379 For Loops 384 While Loops 389 Input and Output (I/O) 394 Redirecting Standard Input and Output 394 Error Handling 395 Bash 395 PowerShell 396 Ruby 396 Python 396 Summary 397 Exam Essentials 397 Lab Exercises 398 Activity 11.1: Reverse DNS Lookups 398 Activity 11.2: Nmap Scan 398 Review Questions 399 Chapter 12 Reporting and Communication 405 The Importance of Communication 408 Defining a Communication Path 408 Communication Triggers 408 Goal Reprioritization 409 Recommending Mitigation Strategies 409 Finding: Shared Local Administrator Credentials 411 Finding: Weak Password Complexity 411 Finding: Plain Text Passwords 413 Finding: No Multifactor Authentication 413 Finding: SQL Injection 414 Finding: Unnecessary Open Services 415 Writing a Penetration Testing Report 415 Structuring the Written Report 415 Secure Handling and Disposition of Reports 417 Wrapping Up the Engagement 418 Post-Engagement Cleanup 418 Client Acceptance 419 Lessons Learned 419 Follow-Up Actions/Retesting 419 Attestation of Findings 419 Summary 420 Exam Essentials 420 Lab Exercises 421 Activity 12.1: Remediation Strategies 421 Activity 12.2: Report Writing 421 Review Questions 422 Appendix Answers to Review Questions 425 Chapter 1: Penetration Testing 426 Chapter 2: Planning and Scoping Penetration Tests 427 Chapter 3: Information Gathering 429 Chapter 4: Vulnerability Scanning 431 Chapter 5: Analyzing Vulnerability Scans 433 Chapter 6: Exploit and Pivot 434 Chapter 7: Exploiting Network Vulnerabilities 436 Chapter 8: Exploiting Physical and Social Vulnerabilities 438 Chapter 9: Exploiting Application Vulnerabilities 440 Chapter 10: Exploiting Host Vulnerabilities 442 Chapter 11: Script for Penetration Testing 444 Chapter 12: Reporting and Communication 445 Index 447