CompTIA PenTest+ Study Guide: Exam PT0-001


About the Book

World-class preparation for the new PenTest+ exam

The CompTIA PenTest+ Study Guide: Exam PT0-001 offers comprehensive preparation for the newest intermediate cybersecurity certification exam. With expert coverage of Exam PT0-001 objectives, this book is your ideal companion throughout all stages of study; whether you’re just embarking on your certification journey or finalizing preparations for the big day, this invaluable resource helps you solidify your understanding of essential skills and concepts. Access to the Sybex online learning environment allows you to study anytime, anywhere with electronic flashcards, a searchable glossary, and more, while hundreds of practice exam questions help you step up your preparations and avoid surprises on exam day.

The CompTIA PenTest+ certification validates your skills and knowledge surrounding second-generation penetration testing, vulnerability assessment, and vulnerability management on a variety of systems and devices, making it the latest go-to qualification in an increasingly mobile world. This book contains everything you need to prepare; identify what you already know, learn what you don’t know, and face the exam with full confidence!

  • Perform security assessments on desktops and mobile devices, as well as cloud, IoT, industrial and embedded systems 
  • Identify security weaknesses and manage system vulnerabilities
  • Ensure that existing cybersecurity practices, configurations, and policies conform with current best practices
  • Simulate cyberattacks to pinpoint security weaknesses in operating systems, networks, and applications

As our information technology advances, so do the threats against it. It’s an arms race for complexity and sophistication, and the expansion of networked devices and the Internet of Things has integrated cybersecurity into nearly every aspect of our lives. The PenTest+ certification equips you with the skills you need to identify potential problems—and fix them—and the CompTIA PenTest+ Study Guide: Exam PT0-001 is the central component of a complete preparation plan. 



Table of Contents:

Introduction

Assessment Test

Chapter 1 Penetration Testing
  • What Is Penetration Testing?
  • Cybersecurity Goals
  • Adopting the Hacker Mind-Set
  • Reasons for Penetration Testing
  • Benefits of Penetration Testing
  • Regulatory Requirements for Penetration Testing
  • Who Performs Penetration Tests?
  • Internal Penetration Testing Teams
  • External Penetration Testing Teams
  • Selecting Penetration Testing Teams
  • The CompTIA Penetration Testing Process
  • Planning and Scoping
  • Information Gathering and Vulnerability Identification
  • Attacking and Exploiting
  • Reporting and Communicating Results
  • The Cyber Kill Chain
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objectives
  • Tools of the Trade
  • Reconnaissance
  • Vulnerability Scanners
  • Social Engineering
  • Credential-Testing Tools
  • Debuggers
  • Software Assurance
  • Network Testing
  • Remote Access
  • Exploitation
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 1.1: Adopting the Hacker Mind-Set
  • Activity 1.2: Using the Cyber Kill Chain
  • Review Questions

Chapter 2 Planning and Scoping Penetration Tests
  • Scoping and Planning Engagements
  • Assessment Types
  • White Box, Black Box, or Gray Box?
  • The Rules of Engagement
  • Scoping Considerations: A Deeper Dive
  • Support Resources for Penetration Tests
  • Key Legal Concepts for Penetration Tests
  • Contracts
  • Data Ownership and Retention
  • Authorization
  • Environmental Differences
  • Understanding Compliance-Based Assessments
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Review Questions

Chapter 3 Information Gathering
  • Footprinting and Enumeration
  • OSINT
  • Location and Organizational Data
  • Infrastructure and Networks
  • Security Search Engines
  • Active Reconnaissance and Enumeration
  • Hosts
  • Services
  • Networks, Topologies, and Network Traffic
  • Packet Crafting and Inspection
  • Enumeration
  • Information Gathering and Code
  • Information Gathering and Defenses
  • Defenses Against Active Reconnaissance
  • Preventing Passive Information Gathering
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 3.1: Manual OSINT Gathering
  • Activity 3.2: Exploring Shodan
  • Activity 3.3: Running a Nessus Scan
  • Review Questions

Chapter 4 Vulnerability Scanning
  • Identifying Vulnerability Management Requirements
  • Regulatory Environment
  • Corporate Policy
  • Support for Penetration Testing
  • Identifying Scan Targets
  • Determining Scan Frequency
  • Configuring and Executing Vulnerability Scans
  • Scoping Vulnerability Scans
  • Configuring Vulnerability Scans
  • Scanner Maintenance
  • Software Security Testing
  • Analyzing and Testing Code
  • Web Application Vulnerability Scanning
  • Developing a Remediation Workflow
  • Prioritizing Remediation
  • Testing and Implementing Fixes
  • Overcoming Barriers to Vulnerability Scanning
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 4.1: Installing a Vulnerability Scanner
  • Activity 4.2: Running a Vulnerability Scan
  • Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan
  • Review Questions

Chapter 5 Analyzing Vulnerability Scans
  • Reviewing and Interpreting Scan Reports
  • Understanding CVSS
  • Validating Scan Results
  • False Positives
  • Documented Exceptions
  • Understanding Informational Results
  • Reconciling Scan Results with Other Data Sources
  • Trend Analysis
  • Common Vulnerabilities
  • Server and Endpoint Vulnerabilities
  • Network Vulnerabilities
  • Virtualization Vulnerabilities
  • Internet of Things (IoT)
  • Web Application Vulnerabilities
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 5.1: Interpreting a Vulnerability Scan
  • Activity 5.2: Analyzing a CVSS Vector
  • Activity 5.3: Developing a Penetration Testing Plan
  • Review Questions

Chapter 6 Exploit and Pivot
  • Exploits and Attacks
  • Choosing Targets
  • Identifying the Right Exploit
  • Exploit Resources
  • Developing Exploits
  • Exploitation Toolkits
  • Metasploit
  • PowerSploit
  • Exploit Specifics
  • RPC/DCOM
  • PsExec
  • PS Remoting/WinRM
  • WMI
  • Scheduled Tasks and cron Jobs
  • SMB
  • RDP
  • Apple Remote Desktop
  • VNC
  • X-Server Forwarding
  • Telnet
  • SSH
  • Leveraging Exploits
  • Common Post-Exploit Attacks
  • Privilege Escalation
  • Social Engineering
  • Persistence and Evasion
  • Scheduled Jobs and Scheduled Tasks
  • Inetd Modification
  • Daemons and Services
  • Back Doors and Trojans
  • New Users
  • Pivoting
  • Covering Your Tracks
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 6.1: Exploit
  • Activity 6.2: Discovery
  • Activity 6.3: Pivot
  • Review Questions

Chapter 7 Exploiting Network Vulnerabilities
  • Conducting Network Exploits
  • VLAN Hopping
  • Network Proxies
  • DNS Cache Poisoning
  • Man-in-the-Middle
  • NAC Bypass
  • DoS Attacks and Stress Testing
  • Exploiting Windows Services
  • NetBIOS Name Resolution Exploits
  • SMB Exploits
  • Exploiting Common Services
  • SNMP Exploits
  • SMTP Exploits
  • FTP Exploits
  • Samba Exploits
  • Wireless Exploits
  • Evil Twins and Wireless MITM
  • Other Wireless Protocols and Systems
  • RFID Cloning
  • Jamming
  • Repeating
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 7.1: Capturing Hashes
  • Activity 7.2: Brute-Forcing Services
  • Activity 7.3: Wireless Testing
  • Review Questions

Chapter 8 Exploiting Physical and Social Vulnerabilities
  • Physical Facility Penetration Testing
  • Entering Facilities
  • Information Gathering
  • Social Engineering
  • In-Person Social Engineering
  • Phishing Attacks
  • Website-Based Attacks
  • Using Social Engineering Tools
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 8.1: Designing a Physical Penetration Test
  • Activity 8.2: Brute-Forcing Services
  • Activity 8.3: Using Beef
  • Review Questions

Chapter 9 Exploiting Application Vulnerabilities
  • Exploiting Injection Vulnerabilities
  • Input Validation
  • Web Application Firewalls
  • SQL Injection Attacks
  • Code Injection Attacks
  • Command Injection Attacks
  • Exploiting Authentication Vulnerabilities
  • Password Authentication
  • Session Attacks
  • Kerberos Exploits
  • Exploiting Authorization Vulnerabilities
  • Insecure Direct Object References
  • Directory Traversal
  • File Inclusion
  • Exploiting Web Application Vulnerabilities
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Clickjacking
  • Unsecure Coding Practices
  • Source Code Comments
  • Error Handling
  • Hard-Coded Credentials
  • Race Conditions
  • Unprotected APIs
  • Unsigned Code
  • Application Testing Tools
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Mobile Tools
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 9.1: Application Security Testing Techniques
  • Activity 9.2: Using the ZAP Proxy
  • Activity 9.3: Creating a Cross-Site Scripting Vulnerability
  • Review Questions

Chapter 10 Exploiting Host Vulnerabilities
  • Attacking Hosts
  • Linux
  • Windows
  • Cross-Platform Exploits
  • Remote Access
  • SSH
  • NETCAT and Ncat
  • Proxies and Proxychains
  • Metasploit and Remote Access
  • Attacking Virtual Machines and Containers
  • Virtual Machine Attacks
  • Container Attacks
  • Physical Device Security
  • Cold-Boot Attacks
  • Serial Consoles
  • JTAG Debug Pins and Ports
  • Attacking Mobile Devices
  • Credential Attacks
  • Credential Acquisition
  • Offline Password Cracking
  • Credential Testing and Brute-Forcing Tools
  • Wordlists and Dictionaries
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials
  • Activity 10.2: Cracking Passwords Using Hashcat
  • Activity 10.3: Setting Up a Reverse Shell and a Bind Shell
  • Review Questions

Chapter 11 Scripting for Penetration Testing
  • Scripting and Penetration Testing
  • Bash
  • PowerShell
  • Ruby
  • Python
  • Variables, Arrays, and Substitutions
  • Bash
  • PowerShell
  • Ruby
  • Python
  • Comparison Operations
  • String Operations
  • Bash
  • PowerShell
  • Ruby
  • Python
  • Flow Control
  • Conditional Execution
  • For Loops
  • While Loops
  • Input and Output (I/O)
  • Redirecting Standard Input and Output
  • Error Handling
  • Bash
  • PowerShell
  • Ruby
  • Python
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 11.1: Reverse DNS Lookups
  • Activity 11.2: Nmap Scan
  • Review Questions

Chapter 12 Reporting and Communication
  • The Importance of Communication
  • Defining a Communication Path
  • Communication Triggers
  • Goal Reprioritization
  • Recommending Mitigation Strategies
  • Finding: Shared Local Administrator Credentials
  • Finding: Weak Password Complexity
  • Finding: Plain Text Passwords
  • Finding: No Multifactor Authentication
  • Finding: SQL Injection
  • Finding: Unnecessary Open Services
  • Writing a Penetration Testing Report
  • Structuring the Written Report
  • Secure Handling and Disposition of Reports
  • Wrapping Up the Engagement
  • Post-Engagement Cleanup
  • Client Acceptance
  • Lessons Learned
  • Follow-Up Actions/Retesting
  • Attestation of Findings
  • Summary
  • Exam Essentials
  • Lab Exercises
  • Activity 12.1: Remediation Strategies
  • Activity 12.2: Report Writing
  • Review Questions

Appendix
  • Answers to Review Questions
  • Chapter 1: Penetration Testing
  • Chapter 2: Planning and Scoping Penetration Tests
  • Chapter 3: Information Gathering
  • Chapter 4: Vulnerability Scanning
  • Chapter 5: Analyzing Vulnerability Scans
  • Chapter 6: Exploit and Pivot
  • Chapter 7: Exploiting Network Vulnerabilities
  • Chapter 8: Exploiting Physical and Social Vulnerabilities
  • Chapter 9: Exploiting Application Vulnerabilities
  • Chapter 10: Exploiting Host Vulnerabilities
  • Chapter 11: Script for Penetration Testing
  • Chapter 12: Reporting and Communication

Index



Product Details
  • ISBN-13: 9781119504221
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Sybex Inc.,U.S.
  • Height: 234 mm
  • No of Pages: 544
  • Spine Width: 36 mm
  • Weight: 903 gr
  • ISBN-10: 1119504228
  • Publisher Date: 27 Nov 2018
  • Binding: Paperback
  • Language: English
  • Returnable: N
  • Sub Title: Exam PT0-001
  • Width: 185 mm

