CompTIA Pentest Study Guide PDF
Introduction
● Welcome to the Course!
o Domain 1: Planning and Scoping
▪ Planning an engagement
▪ Key legal concepts
▪ Scoping an engagement
▪ Compliance-based assessments
o Domain 2: Information Gathering and Vulnerability Identification
▪ Information gathering techniques
▪ Vulnerability scanning
▪ Analyzing scan results
▪ Preparing for exploitation
▪ Weaknesses in specialized systems
o Domain 3: Attacks and Exploits
▪ Social engineering attacks
▪ Exploiting vulnerabilities
● Network-based
● Wireless and RF-based
● Application-based
● Local host-based
● Physical security
▪ Post-exploitation techniques
o Domain 4: Penetration Testing Tools
▪ Use Nmap for information gathering
▪ Know the use case for various tools
▪ Analyze tool output or data
▪ Analyze basic scripts
● Bash, Python, Ruby, and Powershell
o Domain 5: Reporting and Communication
▪ Report writing and best practices
▪ Post-report delivery activities
▪ Recommending mitigations
▪ Importance of communication in testing
https://www.DionTraining.com 1
CompTIA Pentest+ (Study Notes)
…verifies that candidates have the knowledge and skills required to plan and scope an
assessment, understand legal and compliance requirements, perform vulnerability scanning and
penetration testing, analyze data, and effectively report and communicate results.
-CompTIA.org
o Exam Description
▪ CompTIA Pentest+ covers:
● White hat hacking tools and techniques
● Legal and compliance requirements
● Information gathering, vulnerability scanning, exploitation, and
reporting results
o The Five Domains
o Exam Details
▪ Up to 85 questions in 165 minutes
▪ Requires a 750 out of 900 (83.33%)
▪ Recommended Experience:
● CompTIA Network+ and/or Security+
● 3-4 years of hands-on InfoSec
▪ Cost: $346 (US Dollars)
▪ Released: July 31, 2018
o Pentest Methodology
o RoE: Transparency
▪ Who will know about the pentest?
▪ Will the organization provide resources to the testers (white box test)?
o RoE: Boundaries
▪ What will be tested?
▪ Is social engineering allowed to be used?
▪ What about physical security testing?
▪ How invasive can the pentest be?
● Legal Concepts
o Local and National Restrictions
▪ Laws and regulations regarding cybercrime vary from country to country,
check the local laws before conducting an assessment
Consult your attorney before performing any penetration testing work to ensure you stay within
the legal bounds of each country where you are operating and where the targets are located
Less technical knowledge is required to perform attacks because of the increased sophistication of hacking tools
● Target Selection
o Target Selection
▪ Internal or External
▪ First-party or Third-party hosted
▪ Physical
▪ Users
▪ SSIDs
▪ Applications
o Internal or External
▪ Internal focuses on targets inside the firewall
● Can be on-site or off-site
● Logically internal
▪ External focuses on publicly facing targets
● Webservers in the DMZ
● Outside the protected LAN
o First-party or Third-party
▪ Are the targets hosted by the organization or by a third-party service
provider?
▪ DionTraining.com is hosted by Thinkific and might be outside the
penetration test scope
o Physical
▪ Are we contracted to test physical security?
▪ Should we attempt to break into the facility?
o Users
▪ Is social engineering authorized?
▪ Are particular users being targeted or not considered part of the
assessment?
o Wireless and SSIDs
▪ Is wireless pentesting being conducted?
▪ Are any SSIDs out of scope?
● Guest or public networks
o Applications
▪ Are we focused on a particular application?
▪ Is a particular application mission critical and cannot be targeted?
● Credit card processing system
● Health care systems
● Other Scoping Considerations
o Whitelist vs Blacklist
▪ Will your pentest systems be put on a list?
▪ Whitelist will allow you access, but blacklist will prevent your system
from connecting
o Security Exceptions
▪ Intrusion Prevention System (IPS)
▪ Web Application Firewall (WAF)
▪ Network Access Control
▪ Certificate Pinning
● If in-scope client applications pin their server certificates, the tester's
intercepting proxy cannot present its own certificate, so an exception (a test
build with pinning disabled, or the proxy CA trusted by the app) must be agreed in advance
▪ Company policies
o Risk
▪ What is the risk tolerance of the organization?
▪ Avoidance
● Actions taken to eliminate risk completely
▪ Transference
● Risk is moved to another entity
▪ Mitigation
● Actions taken to reduce the likelihood or impact of the risk
o Schedule
▪ Will the timing of the penetration test be known by the organization’s
defenders?
▪ Will it be performed during peak or off-peak hours?
▪ What about holidays?
▪ Scope Creep
● Condition when a client requests additional services after the SOW
and project scope have been agreed to and signed
● How will scope be contained?
● Document any changes to the scope of test
● Recommend signing a change order to SOW
o Job Postings
▪ Postings reveal the products, versions, and skills an organization runs and hires for
▪ Slide example: a System Administrator II posting from Government Contractors, LLC
o Resumes
o Reconnaissance Tools
▪ Nslookup
▪ Traceroute
▪ Ping
▪ Whois
▪ Domain Dossier
▪ Email Dossier
▪ Google
▪ Social Networking
▪ Discover.sh
▪ Maltego
o Putting It All Together…
▪ You’ve collected examples of emails, names, phone numbers, servers’
addresses, documents, presentations, and more
▪ Use the emails to draft potential spearphishing emails to be more
realistic
● Use target’s PDF, Word, Excel, and PowerPoint files to embed
malware
● Use real employee names, positions, and writing styles to mimic
real email traffic
o Taking It Further…
▪ Use domain name squatting
● Targeting titancipher.com by using titancypher.com
● Make the site look as close to the original as possible but host
malware there
▪ Identify any subdomains (developer sites, mail servers, etc.) for
exploitation
● Scanning and Enumeration
o Scanning
▪ Actively connecting to systems and analyzing the responses to identify open
ports and services
o Types of Scanning
▪ Hosts
▪ Systems
▪ Networks
▪ Computers
▪ Mobile Devices
▪ Applications
▪ Printers
o Enumeration
▪ Actively connecting to the systems to determine open shares, user
accounts, software versions, and other detailed info
o Types of Enumeration
▪ Hosts
▪ Networks
▪ Domains
▪ Users/Groups
▪ Network shares
▪ Web pages
▪ Applications
▪ Services
▪ Tokens
▪ Social networks
o How Do We Scan and Enumerate?
▪ Use specialized scanning/enumeration tools and public information
sources
● Fingerprinting
o Fingerprinting
▪ Identification of the operating system, service, software versions being
used by a host
o Banner Grabbing
▪ Manual enumeration and fingerprinting
▪ Use telnet or Netcat to connect to the target port and read the greeting or
response headers the service sends
▪ Commonly used for FTP, SSH, Telnet, & HTTP (FTP, SSH, and Telnet announce
themselves on connect; HTTP answers only after a request is sent)
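The banner-grab procedure above, done from a script instead of by hand with telnet or nc, as an added example that is not part of the original notes. It reads whatever a service says first, sends a HEAD request to HTTP services that wait for the client, and parses the SSH version string. The listener on 127.0.0.1 and its canned banners are constructed stand-ins for a real target so the example runs offline.

```python
import re
import socket
import threading


# Read until `terminator` shows up, the peer closes, or the timeout fires.
# FTP/SSH/Telnet talk first; HTTP waits for a request, so callers pass a probe.
def _read_until(sock, terminator, max_bytes=4096):
    buf = b""
    try:
        while len(buf) < max_bytes:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            if terminator in buf:
                break
    except socket.timeout:
        pass
    return buf


def grab_banner(host, port, timeout=3.0, probe=None, terminator=b"\n"):
    """Connect, optionally send a probe, return the first line(s) the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        raw = _read_until(sock, terminator)
    return raw.decode("utf-8", errors="replace").strip()


def http_server_header(host, port, timeout=3.0):
    """HEAD / and pull the Server: header out of the response (None if absent)."""
    probe = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    response = grab_banner(host, port, timeout, probe=probe, terminator=b"\r\n\r\n")
    match = re.search(r"^Server:\s*(.+?)\s*$", response, re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None


SSH_BANNER = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def parse_ssh_banner(banner):
    """'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3' -> ('2.0', 'OpenSSH_8.9p1'), None if not SSH."""
    match = SSH_BANNER.match(banner)
    return (match.group(1), match.group(2)) if match else None


# Constructed stand-in for a target: a one-shot listener on 127.0.0.1 that
# plays back a canned banner (optionally only after the client sends something).
def serve_once(payload, wait_for_request=False):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    ssh_port = serve_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n")
    print(grab_banner("127.0.0.1", ssh_port))
    web_port = serve_once(b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
                          wait_for_request=True)
    print(http_server_header("127.0.0.1", web_port))
```

Point the same functions at a real host and port only when that host is in scope; the timeout keeps a filtered port from hanging the script.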
o Packet Crafting
▪ Also known as packet manipulation
▪ Sending modified packet headers to gather information from a system or
host
▪ Tools:
● Nmap
● Netcat (nc)
● Ncat (ncat)
● Hping
o Packet Inspection
▪ Manual enumeration performed by analyzing the captured packets to
determine information
● Cryptographic Inspection
o Cryptographic Inspection
▪ Determine what encryption is being used during your information
gathering
▪ Do they have web servers with SSL or TLS?
▪ What about Wireless Networks using WEP, WPA, WPA2, or a WPS
handshake?
▪ Are files encrypted on the network shares?
o Certificate Inspection
▪ Web servers advertise which protocol versions they support (SSL 2.0,
SSL 3.0, or TLS); SSL 2.0 and 3.0 are deprecated, so a server still offering
them is itself a finding
o Stealth Scan (SYN or half-open scan)
▪ Sends a SYN packet and analyzes the response without completing the handshake
▪ If SYN/ACK is received, the port is open and the scanner replies with RST
instead of ACK, so the application never sees a full connection
▪ RST means the port is closed; no response (or an ICMP unreachable) means filtered
o Compliance Scan
▪ Used to identify vulnerabilities that may affect compliance with
regulations or policies
▪ Commonly setup as a scanning template in your vulnerability scanner
(PCI-DSS)
o QualysGuard Vulnerability Scanner
o Tenable’s Nessus Vulnerability Scanner
o Rapid7’s Nexpose
o OpenVAS (Open-source Scanner)
o Nikto (Web Application Scanner)
● Scanning Considerations
o When Do You Run the Scans?
▪ Scanning the systems can take up valuable resources and slow down the
network
▪ Are you trying to be sneaky?
▪ When is the best time to run the scans?
o What Protocols Will Be Used?
▪ Each protocol scanned takes time/resources
▪ Will you scan every port and services?
▪ Consult scope of assessment and objectives
o Where Do You Scan From?
▪ Network topology is important, are you inside or outside the network?
▪ PCI-DSS requires both internal and external scanning to be performed
o Bandwidth Limitations
▪ How much bandwidth is dedicated to the scan?
▪ Throttle the queries if needed
● Nmap –T option sets the timing
o Fragile or Non-Traditional Systems
▪ Should we scan these?
▪ Should we exempt these?
● Application and Container Scans
o Application Scanning
▪ Dynamic Analysis
● Occurs while a program is running
● Program is run in a sandbox and changes are noted
▪ Static Analysis
● Performed in a non-runtime environment
● Inspects programming code for flaws/vulnerabilities
● Line by line inspection can be performed
o Containers
▪ Containers are lightweight, isolated process groups that share the host's
kernel (not full virtual machines)
▪ Each container is built from a base image with the application layered on top
▪ Requires far fewer resources than a typical VM
▪ Docker is the usual example; Puppet (configuration management) and Vagrant
(VM provisioning) are related tooling rather than container runtimes
o Containers Require Security
▪ Containers still contain applications which can contain vulnerabilities
▪ Still need to be scanned for vulnerabilities
▪ If a vulnerability is found in the shared base image or host kernel, it applies to
every container built on it (all based on the same OS) and can lead to large-scale exploitation
● “This is your boss's boss and I need you to send me the quarterly
financials…”
o Interrogation
▪ Interviews used by law enforcement, military, or intelligence agencies
▪ Pentesters won’t generally use this technique…
o Impersonation
▪ Act of pretending to be someone else in order to gain access or gather
information
o Shoulder Surfing
▪ Reading the screen of another user
▪ Looking at a user entering a PIN or password
o USB Key Drop
▪ Pentester loads up a USB with malware, backdoors, or a keylogger
▪ Drop the USB drive in the parking lot near the organization
● Motivation Factors
o Authority
▪ People are more willing to comply with a request when they think it is
coming from someone in authority
● CEO or manager
● Important client
● Government agencies
● Financial institutions
o Urgency
▪ Humans want to please others by nature…
▪ We want to be helpful…
▪ I only have a few minutes before the big presentation, can you print this
for me?
o Social Proof
▪ Social engineering through Facebook or Twitter can be useful
● Lots of Likes or Shares add to social proof
● People are more likely to click the link
▪ We crave social group interaction and have a need to be included
▪ Sometimes we don't fully understand what the inclusion means for us or
why we are performing an action
o Scarcity
▪ Technique that works well to get people to act fast
▪ Signup now for a special offer… supplies are limited!
o Likeability
▪ Social engineers are friendly and likeable
● People will want to help them
▪ Find common ground and shared interests
o Fear
▪ If you don’t do _____ then ______ will happen
▪ Uses threats or demands
▪ Anti-virus scams & Ransomware are examples
● Physical Security Attacks
o Piggybacking/Tailgating
▪ Occurs when a pentester follows an authorized individual into a secure
location
▪ Authorized person may or may not be complicit
o Fence Jumping
▪ Fences provide a physical security boundary for the organization
▪ Pentester can go over (or under) a fence to avoid a checkpoint
o Dumpster Diving
▪ Pentester looks through the trash of an organization
▪ Looking for paperwork, disks, USB drives, badges, files, manuals
o Lock Picking
▪ Many areas that the pentester needs access to are locked
▪ Learning lock picking is a valuable skill for a pentester who focuses on
physical security
o Lock Bypass
▪ Pentester could jam a lock or bypass it by manipulating the locking
function
▪ Stop a door from being shut fully by inserting a spacer or wedge
o Egress Sensor
▪ Door unlocks and opens automatically when a person approaches it from the
inside (request-to-exit sensor)
▪ Sensors can be triggered from the outside, through a gap under or beside the
door, to release the lock
▪ Some of these “fail open” when power is lost
o Badge Cloning
▪ Identification badges are required by many organizations
▪ Snap a photo using a digital camera and reproduce the security badge
● Works visually but won’t make it past a reader
▪ Badge cloners can reproduce magnetic swipe or RFID badges
● Network-based Vulnerabilities
o NetBIOS Name Service
▪ NetBIOS Name Service (NBNS, UDP port 137) is part of the NetBIOS-over-TCP/IP
(NBT) protocol suite
▪ WINS (Windows Internet Name Service) is Microsoft's server-based implementation
of NBNS; without a WINS server, lookups are broadcast on the local subnet
▪ Serves much the same purpose as DNS: translates human-readable names to IP addresses
▪ Names are 16 bytes: up to 15 characters of the host name, padded with spaces, plus
a one-byte suffix identifying the service (for example 0x00 workstation, 0x20 file server)
▪ The NetBIOS name is normally the host name of the system
▪ Because unanswered queries are broadcast, any host on the subnet can answer them
(this is what Responder, covered under tools, abuses)
▪ DNS Poisoning
o ARP Spoofing
▪ Attacker sends falsified ARP messages over the local area network
▪ Results in the attacker’s MAC being associated with the IP of a valid
computer
o Replay
▪ Attack occurs when valid data is captured by an attacker and is repeated
or delayed
▪ For example, they could capture a wireless authentication handshake and
replay it to gain access to the wireless network as an authenticated client
o Relay
▪ Attack occurs when the attacker is able to become the man-in-the-middle
and acts as a middle man in a communication session
o SSL Stripping
▪ Man-in-the-middle attack in which the attacker rewrites the victim's HTTPS links
and redirects to plain HTTP, so the user is presented with an HTTP connection
while the attacker talks HTTPS to the real site
o Downgrade
▪ Attack that attempts to have a client or server abandon a higher security
mode to use a lower security mode
▪ TLS 1.2 is more secure than SSL 3.0 or SSL 2.0
● An attacker interfering with the handshake makes the session fall back to
the weakest version both sides still accept (such as SSL 2.0); disabling
legacy versions on the server defeats this
o Denial of Service
▪ Often described as a stress test in penetration testing; must be explicitly
authorized in the rules of engagement because it can take production systems down
o Fragmentation Attack
▪ Attacker exploits a network by using its datagram fragmentation
mechanisms against it
▪ In WEP wireless testing: a small amount of keystream is recovered from one
captured packet, then the attacker sends ARP and/or LLC packets with known
content to the access point (AP)
▪ If the packet is successfully echoed back by the AP, a larger amount of
keystream can be recovered from the returned packet and used to forge
further packets
o Credential Harvesting
▪ Attack that focuses on collecting usernames and passwords from its
victims
▪ In wireless, this is usually performed by creating a fake Captive Portal
▪ ESPortalV2 can be used to setup a fake portal and redirect all WiFi
devices connected to the portal for authentication
o WPS Implementation Weakness
▪ Wi-Fi Protected Setup (WPS) lets devices join using a push-button method or
an 8-digit PIN
▪ The PIN's last digit is a checksum, and the access point validates the two
halves separately (the first four digits, then the remaining three)
▪ That reduces a 10^8 search space to at most 10,000 + 1,000 = 11,000 guesses,
so the PIN can be brute forced online
▪ Reaver and Bully are common attack tools
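An added example, not code from the original notes, showing why the split validation above is fatal: the WPS checksum digit, the 11,000-guess upper bound, and a simulated registrar that, like a real one, tells the attacker at message M4 whether the first half was right before it ever checks the second half. The oracle and the target PIN are constructed for the demonstration; no radio traffic is involved.

```python
def wps_checksum(first_seven):
    """Checksum digit for the 7-digit PIN body (digit weights 3,1,3,1,3,1,3)."""
    accum = 0
    for i, ch in enumerate(f"{first_seven:07d}"):
        accum += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def make_pin(first_half, second_half):
    """4-digit half + 3-digit half + checksum -> 8-digit PIN string."""
    body = first_half * 1000 + second_half
    return f"{body:07d}{wps_checksum(body)}"


def split_search_space():
    """Worst-case online guesses: halves checked separately vs. one 8-digit secret."""
    return {"split": 10**4 + 10**3,
            "monolithic_with_checksum": 10**7,
            "monolithic_no_checksum": 10**8}


def make_registrar_oracle(true_pin):
    """Simulated registrar (constructed): NACK at M4 if the first half is wrong,
    NACK at M6 if the second half is wrong, M7 (credentials) if both match."""
    def oracle(pin):
        if pin[:4] != true_pin[:4]:
            return "NACK@M4"
        if pin[4:7] != true_pin[4:7]:
            return "NACK@M6"
        return "M7"
    return oracle


def brute_force_wps(oracle):
    """Recover the PIN half by half; returns (pin, attempts used)."""
    attempts = 0
    first = None
    for a in range(10**4):
        attempts += 1
        if oracle(make_pin(a, 0)) != "NACK@M4":  # anything past M4 means half 1 is right
            first = a
            break
    if first is None:
        return None, attempts
    for b in range(10**3):
        attempts += 1
        if oracle(make_pin(first, b)) == "M7":
            return make_pin(first, b), attempts
    return None, attempts


if __name__ == "__main__":
    print(split_search_space())
    print(brute_force_wps(make_registrar_oracle("12345670")))
```

Reaver and Bully implement exactly this loop against a live access point, with delays to cope with APs that lock WPS after repeated failures.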
o Bluetooth Attacks
▪ Bluejacking
● Sending unsolicited messages over Bluetooth to Bluetooth-
enabled devices such as mobile phones, PDAs, or laptops
▪ Bluesnarfing
● Theft of information from a wireless device through a Bluetooth
connection
o RFID Cloning
▪ Attacker captures the Radio Frequency (RF) signal from a badge or device
and can copy it for reuse
o Jamming
▪ Wireless denial of service attack that prevents devices from
communicating with each other by flooding or occupying the frequency they use
o Repeating
▪ Used to capture the existing wireless signal and rebroadcast it to extend
the range
▪ If not properly configured by the network administrators, this can be an
attack vector
o Authentication
▪ Credential brute forcing
▪ Session hijacking
● Attacks the web session control mechanism by taking over a
session through a guessed, predicted, or stolen session token
▪ Redirect
● Sends user to login page to capture credentials
▪ Default credentials
▪ Weak credentials
● Easy to crack using dictionary or brute force
o Kerberos Authentication
▪ Kerberos is a system of tickets that grant devices permission to
communicate over a non-secure network and identify themselves
▪ Golden Tickets
● Forged Kerberos Ticket-Granting Tickets (TGT), created with the krbtgt
account's password hash
● Can be used to request service tickets for any Kerberos service in the domain
▪ Silver Tickets
● Forged Kerberos Ticket Granting Service (TGS) tickets, created with the
service account's password hash
● Can only be used for that specific Kerberos service
o Parameter Pollution (Authorization)
▪ HTTP parameters are tampered with, typically by supplying the same parameter
name more than once, so that the web server, WAF, and application interpret the
request differently
o Insecure Direct Object Reference (Authorization)
▪ Application exposes a direct reference (ID, filename, key) to an internal object
based on user-supplied input and does not check that the user is authorized to
access that object
o Cross-Site Scripting (XSS)
▪ Attacker embeds malicious scripting commands on a trusted website
▪ Victim in this case is user not the server
● Stored/persistent
o Data provided by attacker is saved on server
● Reflected
o Non-persistent, activated through link on site
● DOM
o Document Object Model (DOM) is vulnerable
o Victim’s browser is exploited (client-side XSS)
o Cross-Site Request Forgery
▪ Attacker forces a user to execute unwanted actions on a web application to
which the user is currently authenticated
▪ Attacker cannot see the web server’s response, but the attack can be used to
have the victim transfer funds, change their password, and more
o Clickjacking
▪ Attack that uses multiple transparent layers to trick a user into clicking on
a button or link on a page when they were intending to click on the actual
page
▪ Conceals hyperlinks under legitimate clickable content
o Security Misconfiguration
▪ Attacks that rely on the application or server using insecure settings
▪ Directory traversal
● Attack that uses ../ sequences or absolute paths in a user-supplied
filename to reach files outside the webserver’s root directory, which
can lead to disclosure or command execution
o http://testsite.com/get.php?f=/var/www/html/get.php
▪ Cookie Manipulation
● DOM-based cookie manipulation that allows a script to write data
into the value of a client-stored cookie
o File Inclusion
▪ Attack that makes a targeted application include (and often execute) an
attacker-chosen file by exploiting a dynamic file inclusion mechanism; local
(LFI) when the file is on the server, remote (RFI) when it is fetched from an
attacker-controlled URL
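An added example, not code from the original notes, covering both the directory traversal and the file inclusion entries above: a naive path resolver of the kind behind get.php?f=... next to a hardened one that canonicalizes the path and refuses anything outside the document root. The demo web root, the secret file and the symlink are constructed in a temporary directory so the example runs anywhere.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def vulnerable_resolve(doc_root, user_path):
    """What a naive include does: join and trust the result.
    os.path.join drops doc_root entirely when user_path is absolute."""
    return os.path.normpath(os.path.join(doc_root, unquote(user_path)))


def safe_resolve(doc_root, user_path):
    """Resolve the requested file and refuse anything outside doc_root.
    realpath() follows symlinks, so a link inside the root that points
    outside it is rejected as well."""
    root = os.path.realpath(doc_root)
    decoded = unquote(user_path)  # decode once, as the web server would
    if os.path.isabs(decoded) or "\x00" in decoded:
        raise TraversalError(user_path)
    target = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, target]) != root:
        raise TraversalError(user_path)
    return target


def safe_read(doc_root, user_path):
    with open(safe_resolve(doc_root, user_path), "rb") as fh:
        return fh.read()


def build_demo_root():
    """Constructed web root: one page, one 'secret' outside it, one symlink to the secret."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "html")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db_password=hunter2")
    os.symlink(secret, os.path.join(root, "pages", "link.txt"))
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for f in ["pages/index.html", "pages/../../secret.txt", "..%2F..%2Fsecret.txt",
              "/etc/passwd", "pages/link.txt"]:
        try:
            print(f, "->", safe_resolve(root, f))
        except TraversalError:
            print(f, "-> rejected; naive resolver would give", vulnerable_resolve(root, f))
```

The check on the canonical path is what matters; blacklisting the literal string "../" misses URL-encoded and symlink variants, both of which the hardened version rejects.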
▪ Hidden elements
● HTML forms often use hidden elements
o Fields using <INPUT TYPE=HIDDEN>
● Could allow sensitive data to be stored in the DOM
▪ Lack of code signing
● Without code signing it is easy for an attacker to modify the code
and it go unnoticed
▪ The ‘s’ in the execute position of the owner (SUID) or group (SGID)
permissions means the program runs with that user's or group's privileges
rather than the invoker's
▪ A vulnerable SUID-root program can therefore be used for privilege escalation
o Sticky Bit
▪ Set on shared folders like /tmp
▪ All users can create files and read or execute files owned by other users
(subject to those files' own permissions)
▪ Only the file's owner (or root, or the directory's owner) can delete or rename
a file there, so an attacker cannot remove files owned by others
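An added example, not code from the original notes, that interprets the SUID, SGID and sticky bits from both an ls -l permission string and a raw st_mode, walks a tree for files carrying them, and triages root-owned SUID binaries the way a local privilege-escalation check would. The ls -l lines are constructed, not taken from a real host.

```python
import os
import stat


def special_bits_from_mode(mode):
    """Interpret st_mode (or a plain octal such as 0o4755) -> set of special bits."""
    bits = set()
    if mode & stat.S_ISUID:
        bits.add("setuid")
    if mode & stat.S_ISGID:
        bits.add("setgid")
    if mode & stat.S_ISVTX:
        bits.add("sticky")
    return bits


def special_bits_from_symbolic(perm):
    """Interpret an ls -l string such as '-rwsr-xr-x' or 'drwxrwxrwt'.
    's'/'t' = bit set together with execute; 'S'/'T' = bit set without execute."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character permission string")
    bits = set()
    if perm[3] in "sS":
        bits.add("setuid")
    if perm[6] in "sS":
        bits.add("setgid")
    if perm[9] in "tT":
        bits.add("sticky")
    return bits


def root_suid_for_others(perm, owner):
    """A root-owned SUID binary that other users may execute: the classic escalation candidate."""
    return "setuid" in special_bits_from_symbolic(perm) and owner == "root" and perm[9] in "xst"


def find_special_files(root):
    """Walk a tree and return {path: bits} for every entry with a special bit set.
    lstat is used so symlinks are not followed out of the tree."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            bits = special_bits_from_mode(st.st_mode)
            if bits:
                found[path] = bits
    return found


def parse_ls_line(line):
    """'-rwsr-xr-x 1 root root 55528 /usr/bin/passwd' -> (perm, owner, path)."""
    parts = line.split()
    return parts[0], parts[2], parts[-1]


# Constructed ls -l output (not from a real host)
SAMPLE_LS = """-rwsr-xr-x 1 root root 55528 /usr/bin/passwd
-rwxr-sr-x 1 root tty  35048 /usr/bin/wall
drwxrwxrwt 9 root root  4096 /tmp
-rwxr-xr-x 1 root root 12345 /usr/bin/ls
-rwsr-xr-x 1 root root 98765 /opt/legacy/backup_tool"""


def triage_ls(text):
    """Paths from ls -l output that deserve a closer look for privilege escalation."""
    return [parse_ls_line(l)[2] for l in text.splitlines()
            if root_suid_for_others(*parse_ls_line(l)[:2])]


if __name__ == "__main__":
    print(triage_ls(SAMPLE_LS))
    print(find_special_files("/usr/bin"))
```

On a real host the equivalent one-liner is find / -perm -4000 -type f; the walker here is the same check expressed in code, and the triage step is what separates expected entries such as passwd from odd ones such as a custom backup tool.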
o Unsecure SUDO
▪ SUDO is a program for Unix/Linux systems
▪ Allows permitted users to run programs with the privileges of another user,
as configured in /etc/sudoers
▪ By default, the other user is ‘root’
▪ Works like “Run as Administrator” on Windows
▪ An over-broad rule (for example NOPASSWD on a program that can spawn a
shell or write arbitrary files) gives a low-privilege user an easy path to root
o Ret2libc
▪ An attack technique that overflows the stack so the saved return address
points to an existing library function such as system(), with its arguments
laid out on the stack; no shellcode is injected, so it bypasses
non-executable stack protections
▪ Stands for “return to libc” (the C standard library)
▪ You receive a CSV file as output showing which accounts are vulnerable
o Kerberoasting
▪ Any domain user account that has a service principal name (SPN) set can
have a service ticket (TGS) issued for it
▪ Any authenticated user in the domain can request that ticket; part of it is
encrypted with the service account's password hash, which allows offline
cracking of the service account's plaintext password
o Credentials in LSASS
▪ Local Security Authority Subsystem Service
▪ Process in Windows that enforces the security policy of the system
▪ Verifies users when logging on to a computer or server
▪ Performs password changes
▪ Creates access tokens and handles Kerberos and NTLM authentication
▪ Credentials (hashes, Kerberos tickets, sometimes plaintext) remain in LSASS
memory and can be dumped with tools such as Mimikatz
o Unattended Installation
▪ Unattended installation answer files (e.g. unattend.xml) and Preboot
Execution Environment (PXE) boot images may hold clear-text credentials; PXE
images can be captured with a network sniffer or downloaded from the
deployment server
o SAM Database
▪ Security Account Manager is a database file that stores local user
account password hashes in Windows as LM and/or NTLM hashes
▪ File is used to authenticate local users and remote users
▪ Passwords can be cracked offline if the SAM file is stolen
o DLL Hijacking
▪ Dynamic Link Library (DLL) provides a method for sharing code and allows
a program to upgrade its functionality without requiring re-linking or re-
compiling of the application
▪ Hijacking is a technique used to load a malicious DLL in the place of an
accepted DLL
▪ Virtual Machines
● Escaping the VM sandbox exposes the hypervisor and host and puts every
other VM hosted there at risk
▪ Containers
● Share a common operating system kernel
● If you can compromise that host system, you can compromise every
container that relies upon it
o Physical Service Security
▪ Cold boot attack
▪ JTAG debug
▪ Serial console
o Cold Boot Attack
▪ A side-channel attack where an attacker has physical access to the system
▪ RAM keeps its contents for seconds after power is cut, so the attacker
cold-reboots the machine into their own OS and dumps memory to retrieve
encryption keys left behind by the previously running operating system
o JTAG Debug
▪ JTAG is a standard for verifying designs and testing printed circuit boards
● Diagnostic connection
▪ Port use for debugging, probing, and programming
▪ With breakpoints set up, JTAG can be used to halt the CPU, read its
registers, and read arbitrary memory locations
o Serial Console
▪ Many network devices still have serial console connections (routers and
switches)
▪ If attacker can get physical access to the device then they can connect to
the device over the serial port
▪ Little or no authentication is enforced on these ports
● Lateral Movement
o Lateral Movement
▪ Shell (Linux)
o Nmap -O
▪ Enables OS detection by fingerprinting the target's TCP/IP stack from the
packets received
o Nmap -Pn
▪ Skips the host discovery
▪ Treats all hosts in the range as online
o Nmap –iL
▪ Scan targets from a text file
o Nmap –T
▪ Sets the timing for the scan
● T0 – Paranoid (one port every five minutes)
● T1 – Sneaky (one port every 15 seconds)
● T2 – Polite
● T3 - Normal
● T4 - Aggressive
● T5 - Insane
o Nmap Output
▪ -oN Normal output format
● nmap -oN outputfile.txt target
▪ -oG Grepable output format
● nmap -oG outputfile.txt target
▪ -oX XML output format
● nmap -oX outputfile.xml target
▪ -oA Combined format with all of the above
● nmap -oA outputfile target
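An added example, not code from the original notes, for the "analyze tool output" objective: a parser for the -oG grepable format listed above that turns the one-line-per-host records into structured data and answers the questions a tester asks next (which ports are open, where does a given service run). The scan output is constructed for the example, not a real scan.

```python
import re
from collections import namedtuple

Port = namedtuple("Port", "number state proto service version")

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_greppable(text):
    """Parse nmap -oG output into {ip: {"hostname": str, "ports": [Port, ...]}}.

    -oG writes one line per host; fields are tab-separated and each port entry
    is port/state/proto/owner/service/rpcinfo/version/. Nmap escapes any '/'
    inside a field, so a plain split is safe.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' banner/done lines and anything else
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue
                entry["ports"].append(Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_ports(hosts, state="open"):
    """{ip: [port numbers]} restricted to one state (open by default)."""
    return {ip: [p.number for p in h["ports"] if p.state == state] for ip, h in hosts.items()}


def ports_by_service(hosts, service):
    """List of (ip, port) where a given service is open."""
    return [(ip, p.number) for ip, h in hosts.items()
            for p in h["ports"] if p.service == service and p.state == "open"]


# Constructed -oG output (not a real scan): two hosts plus the banner lines.
SAMPLE = """# Nmap 7.94 scan initiated as: nmap -sV -oG sample.gnmap 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.2 (db01.lab)\tStatus: Up
Host: 10.0.0.2 (db01.lab)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE)
    print(open_ports(hosts))
    print(ports_by_service(hosts, "ssh"))
```

For anything beyond quick triage prefer -oX and an XML parser; the grepable format is deprecated and carries less detail, but it is what most ad hoc shell pipelines are built on.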
● Nmap Usage (Demo)
o Nmap Demo Environment
▪ Start all our scans from the Kali Linux CLI
o Decompilation
▪ Reversing an executable into human readable code
▪ Tools
● IDA, Hopper, Immunity debugger, APK Studio, APKX
o Forensics
▪ Tools used to collect and analyze digital evidence for investigations
▪ Tools
● foremost, FTK, EnCase, Tableau
o Debugging
▪ Process of finding and resolving defects in a computer program
▪ Tools
● Ollydbg, Immunity debugger, GDB, WinDBG, IDA Pro, APK Studio,
APKX
o Software Assurance
▪ Fuzzing
● Peach and AFL
▪ Security Testing
● Static Application Security Testing (SAST)
● Dynamic Application Security Testing (DAST)
● Findsecbugs, SonarQube, and YASCA (Yet Another Source Code
Analyzer)
● Scanners
o Scanners
▪ Nessus, OpenVAS, Nikto, SQLmap
o Nessus
o OpenVAS
o Nikto
▪ Open-source web server scanner that identifies outdated versions and
server misconfigurations such as multiple index files, and HTTP server
options
▪ Run as a Perl script with the target IP
o SQLmap
▪ Open-source pentest tool to automate detecting\exploiting SQL injection
flaws
● Credential Testing Tools
o Credential Testing Tools
▪ Hashcat, Medusa, Hydra, CeWL, John the Ripper, Cain and Abel,
Mimikatz, Patator, Dirbuster, W3AF
o Hashcat
▪ One of the fastest password recovery tools
▪ Runs on:
● Linux
● OS X
● Windows
▪ Relies on CPU or GPU to crack passwords
o Hydra
▪ Brute-force network log-on cracking tool
▪ Repeatedly attempts to login to a system
o Medusa
▪ Brute-force password attack tool
o WinDBG
▪ Debugger for Windows (created by Microsoft)
o IDA (Interactive Disassembler)
▪ Generates assembly language code from executable code
▪ Graphical user interface and supports executables from multiple
operating systems
● Software Assurance
o Software Assurance
▪ Findbugs and Findsecbugs, Peach, AFL, SonarQube, YASCA
o Findbugs and Findsecbugs
▪ Used to conduct security audits of Java apps before deployment
o Peach
▪ Automated security testing platform to identify vulnerabilities by
conducting fuzzing
o AFL (American Fuzzy Lop)
▪ Open-source, command-line, coverage-guided fuzzer that requires nearly no
configuration to operate
o SonarQube
▪ Open-source platform that performs automatic static code reviews to
find vulnerabilities and bugs in over 20 programming languages
o YASCA (Yet Another Source Code Analyzer)
▪ Open-source software code scanner that uses plug-ins to add languages
and features
● OSINT
o OSINT
▪ Whois, Nslookup, Foca, The Harvester, Shodan, Maltego, Recon-NG,
Censys
o Whois
▪ Query and response protocol for internet resources
o Nslookup
▪ Command-line tool for querying DNS
o Foca
▪ Fingerprinting Organizations with Collected Archives (FOCA)
▪ Used to find metadata and hidden info in docs
o The Harvester
▪ Gathers emails, subdomains, hosts, employee names, open ports, and
banners
o Shodan
▪ Search engine that lets you find webcams, routers, servers, and more on
the internet
o Maltego
▪ Commercial software for conducting open-source intelligence and
visually connecting the relationships
o Recon-NG
▪ Open-source web reconnaissance framework written in Python
o Censys
▪ Search engine for hosts and networks across the internet with data about
their configuration
▪ Contains search interface, report builder, and SQL engine
● Wireless
o Wireless
▪ Aircrack-NG, Kismet, WiFite
o Aircrack-NG
▪ Wireless hacking suite that consists of scanner, packet sniffer, and
password cracker
o Kismet
▪ Passive wireless network detector, packet sniffer, and IDS
o WiFite
▪ Automated wireless attack tool
▪ Menu-driven Python script
● Web Proxies
o Web Proxies
▪ OWASP ZAP, Burp Suite
o OWASP ZAP
▪ Open-source web application security scanner
▪ Can be used as a proxy to manipulate traffic running through it (even
https)
o Burp Suite
▪ Graphical tool for web application security
▪ Allows for the interception, inspection, and modification of raw traffic
passing through it
● Social Engineering Tools
o Social Engineering Tools
▪ SET, BeEF
o Social Engineer Toolkit (SET)
▪ Open-source penetration testing framework for social engineering
o BeEF (Browser Exploitation Framework)
▪ Pentest tool focused on the web browser
▪ Used to hook a web browser for launching command modules and
attacks
● Miscellaneous Tools
o Miscellaneous Tools
▪ Searchsploit, Powersploit, Responder, Impacket, Empire, Metasploit
Framework (MSF)
o Searchsploit
▪ Command-line search tool for the Exploit-DB
▪ Allows for offline searches through local repo
o Powersploit
▪ Collection of Microsoft PowerShell modules for use in penetration testing
▪ Considered a post-exploitation framework
o Responder
▪ LLMNR, NBT-NS, and mDNS poisoner
▪ Used to answer specific queries based on name suffix on the network
o Impacket
▪ Collection of Python classes for working with network protocols
▪ Focused on low-level program access for SMB and MSRPC protocol
implementation
o Empire
▪ PowerShell and Python post-exploitation agent
o Metasploit Framework (MSF)
▪ Open-source framework that provides scanners, payloads, and other
tools
● Intro to Programming
o What is programming?
▪ Creating a sequence of instructions to tell a computer how to perform a
specific task
▪ Instructions are stored as a program or script
o What is a script?
▪ Short program that is used to automate tasks
o What kinds of questions can I expect on test day?
▪ Given a scenario, analyze a basic script (Bash, Python, Ruby, and
PowerShell)
● Logic and Common operations
● Encoding/decoding
● I/O
● Error handling
● Variables, Arrays, Substitutions
● Programming Concepts
o Comments
▪ Bash, Python, Ruby, and PowerShell all use a # to signify the code is
commented
o Variable
▪ Variables are used to represent any value and can be changed
during the execution of the program
o Constants
▪ Constants are used to define a set value across the entire program and
cannot be changed
o Comparisons
o IF
▪ Conditional statement used to execute a portion of the code
only IF the condition is true
o Loops
▪ For, Do While, and While commands are used to repeat code for a given
amount of time
o String Operations
▪ These commands are used to manipulate data that is of the string format
(like words)
o Input/Output (Files)
▪ Functions used to input and output data from files
o Error Handling
▪ Constructs used to catch and handle errors or exceptions so a script fails
safely instead of crashing
o Encoding/Decoding
▪ Various encoding standards are used in programming
▪ ASCII (American Standard Code for Information Interchange)
▪ ISO/IEC 10646 (Universal Coded Character Set)
▪ Unicode
● UTF-8
● UTF-16
● UTF-32
● BASH Sample Script
o Goal Reprioritization
▪ Have the goals of the assessment changed?
▪ Has any new information been found that might affect the goal or
desired end state?
o Communication Paths
▪ How will the pentest team communicate with the organization?
● Phone, text, chat, email, white paper, etc.
▪ Who at the organization can they contact?
● CEO/CSO/CTO or System Admins
● Report Writing
o Normalization of Data
▪ Teams collect a lot of data during a test
▪ Each tool collects and store data differently
▪ All the data must be aggregated, normalized, and correlated in order for
it to “make sense”
▪ Normalization
● Process of combining data from multiple sources and in different
formats into a common and consistent event format
o Written Report of Findings
▪ Executive Summary
▪ Methodology
▪ Findings and Remediation
● Consider the risk appetite
▪ Metrics and Measures
● Including risk ratings
▪ Conclusion
o How Long Do I Keep the Report?
▪ How long should the report be stored?
▪ Depends on your organization
▪ A POA&M (Plan of Action and Milestones) is often created from a penetration tester’s final report
▪ Might have limits on how long to retain the data and the report based on
the contract because of privacy and sensitivity concerns
o Handling and Disposal
▪ Data from the assessment should always be handled with due diligence
and care
▪ Findings and recommendations are sensitive in nature and should be
treated as confidential
● Mitigation Strategies
o Mitigation Strategies
▪ Report should contain a list of not just findings, but recommendations on
how to mitigate a vulnerability
Conclusion
● CompTIA Pentest+
o Domain 1: Planning and Scoping
▪ Planning an engagement
▪ Key legal concepts
▪ Scoping an engagement
▪ Compliance-based assessments
o Domain 2: Information Gathering and Vulnerability Identification
▪ Information gathering techniques
▪ Vulnerability scanning
▪ Analyzing scan results
▪ Preparing for exploitation
▪ Weaknesses in specialized systems
o Domain 3: Attacks and Exploits
▪ Social engineering attacks
▪ Exploiting vulnerabilities
● Network-based
● Wireless and RF-based
● Application-based
● Local host-based
● Physical security
▪ Post-exploitation techniques
o Domain 4: Penetration Testing Tools
▪ Use Nmap for information gathering
▪ Know the use case for various tools
▪ Analyze tool output or data
▪ Analyze basic scripts
● Bash, Python, Ruby, and Powershell
o Domain 5: Reporting and Communication
▪ Report writing and best practices
▪ Post-report delivery activities
▪ Recommending mitigations
▪ Importance of communication in testing
o Are You Ready?
▪ Take the practice exam in this course
▪ Did you score at least 85% or higher?
▪ If you need more practice, take additional practice exams to hone your
skills