CompTIA PenTest+ Certification For Dummies
John Wiley & Sons Inc (publisher)
978-1-119-63355-6 (ISBN)
- Title is being published in a new edition
CompTIA's PenTest+ Certification is an essential certification to building a successful penetration testing career. Test takers must pass an 85-question exam to be certified, and this book—plus the online test bank—will help you reach your certification goal.
CompTIA PenTest+ Certification For Dummies includes a map to the exam’s objectives and helps you get up to speed on planning and scoping, information gathering and vulnerability identification, attacks and exploits, penetration testing tools and reporting, and communication skills.
Pass the PenTest+ Certification exam and grow as a Pen Testing professional
Learn to demonstrate hands-on ability to Pen Test
Practice with hundreds of study questions in a free online test bank
Find test-taking advice and a review of the types of questions you'll see on the exam
Get ready to acquire all the knowledge you need to pass the PenTest+ exam and start your career in this growing field in cybersecurity!
Glen E. Clarke has authored many certification books on topics such as A+, Network+, Security+, CCENT, and CCNA, among others. As an independent trainer and consultant, he creates and delivers courses on such certifications as Windows, SQL Server, A+, and Exchange Server. Glen holds a number of networking, programming, and IT security certifications.
Introduction 1
About This Book 1
Conventions Used in This Book 2
Foolish Assumptions 2
How This Book is Organized 3
Pre-assessment 3
Part 1: Planning and Information Gathering 3
Part 2: Exploiting Systems 3
Part 3: Post-Exploitation and Reporting 3
Appendixes 3
Practice exam 4
Icons Used in This Book 4
Beyond the Book 5
Where to Go from Here 5
Pre-assessment 7
Questions 7
Answers 11
Part 1: Planning and Information Gathering 13
Chapter 1: Introduction to Penetration Testing 15
Penetration Testing Overview 16
Reasons for a pentest 16
Who should perform a pentest 18
How often a pentest should be performed 20
Defining Penetration Testing Terminology 21
Types of assessments 22
Pentest strategies 22
Threat actors and threat models 23
Looking at CompTIA’s Penetration Testing Phases 25
Planning and scoping 26
Information gathering and vulnerability identification 26
Attacks and exploits 27
Reporting and communication 28
Reviewing Key Concepts 29
Prep Test 30
Answers 32
Chapter 2: Planning and Scoping 33
Understanding Key Legal Concepts 33
Written authorization 34
Contracts 34
Disclaimers 35
Scoping the Project 36
General questions 37
Web application testing questions 37
Wireless network testing questions 38
Physical security testing questions 38
Social engineering testing questions 38
Testing questions for IT staff 39
Identifying the Rules of Engagement 39
Target audience and reason for the pentest 40
Communication escalation path 40
Resources and requirements 41
Budget 44
Impact analysis and remediation timelines 44
Defining Targets for the Pentest 45
Internal and external targets 45
First-party versus third-party hosted 46
Other targets 46
Target considerations 46
Verifying Acceptance to Risk 48
Scheduling the Pentest and Managing Scope Creep 49
Scheduling 49
Scope creep 50
Conducting Compliance-based Assessments 51
Reviewing Key Concepts 52
Prep Test 54
Answers 57
Chapter 3: Information Gathering 59
Looking at Information-Gathering Tools and Techniques 60
Passive information gathering 60
Active information gathering 69
Understanding Scanning and Enumeration 73
Passive scanning 73
Active scanning 74
Enumeration 82
Lab Exercises 84
Exercise 3-1: Conduct a Whois Search 84
Exercise 3-2: Use theHarvester to collect email addresses 84
Exercise 3-3: Use Shodan to discover systems on the Internet 85
Exercise 3-4: Use recon-ng for OSINT information gathering 85
Exercise 3-5: Use dig for DNS profiling 86
Exercise 3-6: Use Nmap to port scan 86
Reviewing Key Concepts 87
Prep Test 88
Answers 91
Chapter 4: Vulnerability Identification 93
Understanding Vulnerabilities 93
Types of vulnerability scans 94
Vulnerability scan considerations 97
Performing a Vulnerability Scan 99
Installing Nessus 99
Running Nessus 103
Using other vulnerability scanners 107
Analyzing Vulnerability Results 108
Mapping vulnerabilities to exploits 111
Understanding the CVSS base score 112
Prioritizing activities 116
Considerations for analyzing scan results 117
Types of Weaknesses in Specialized Systems 119
Lab Exercises 121
Exercise 4-1: Download and install Nessus 121
Exercise 4-2: Perform a vulnerability scan 122
Exercise 4-3: Perform a web application vulnerability scan with Nessus 124
Reviewing Key Concepts 124
Prep Test 125
Answers 127
Part 2: Attacks and Exploits 129
Chapter 5: Exploiting Systems 131
Exploiting Systems with Metasploit 131
Starting Metasploit 132
Searching for an exploit 133
Using an exploit 134
Running the exploit 136
Setting the payload 137
Using msfvenom 139
Understanding Social Engineering 141
Phishing 141
Shoulder surfing 142
USB key drop 142
Other forms of social engineering 143
Motivation techniques 143
Using SET to perform an attack 144
Using BeEF to perform an attack 147
Looking at Attacks on Physical Security 150
Types of physical security controls 151
Exploiting physical security 151
Common Attack Techniques 153
Password cracking 153
Using exploits 154
Deception 156
Exploiting Network-Based Vulnerabilities 157
Common network-based exploits 157
Man-in-the-middle (MiTM) attacks 158
Other common attacks 161
Exploiting Local Host Vulnerabilities 163
Operating system vulnerabilities 163
Unsecure service and protocol configurations 164
Privilege escalation 164
Default account settings 167
Sandbox escape 167
Physical device security 168
Lab Exercises 168
Exercise 5-1: Exploit an SMB service with Metasploit 169
Exercise 5-2: Use the Meterpreter exploit payload 170
Exercise 5-3: Conduct a MiTM attack with SETH 172
Exercise 5-4: Use SET for credential harvesting 173
Exercise 5-5: Use BeEF to exploit a web browser 174
Reviewing Key Concepts 177
Prep Test 178
Answers 180
Chapter 6: Exploiting Wireless Vulnerabilities 181
Understanding Wireless Terminology 181
Wireless concepts 182
Wireless equipment and configuration 184
Types of wireless networks 185
Introducing Wireless Standards 185
802.11a 186
802.11b 186
802.11g 186
802.11n 186
802.11ac 187
Looking at Wireless Configuration and Troubleshooting 187
Reviewing the Basic Service Set 187
Designing a multi-access point WLAN 188
Troubleshooting wireless networks 189
Implementing Wireless Security Practices 190
General security practices 190
Encryption protocols 192
Exploiting Wireless Vulnerabilities 193
Looking at 802.11 wireless vulnerabilities 193
Looking at RF-based vulnerabilities 196
Cracking WEP encryption 197
Cracking WPS implementation weakness 202
Cracking WPA/WPA2 encryption keys 204
Using Wifite to hack wireless networks 207
Exploiting Bluetooth devices 208
Lab Exercises 210
Exercise 6-1: Crack WEP encryption 210
Exercise 6-2: Crack the WPS pin 211
Exercise 6-3: Crack the WPA/WPA2 encryption key 211
Exercise 6-4: Test Bluetooth devices 211
Reviewing Key Concepts 212
Prep Test 213
Answers 216
Chapter 7: Exploiting Application-Based Vulnerabilities 217
Looking at Common Application-Based Attacks 217
Injection attacks 218
Authentication 222
Authorization 224
XSS and CSRF/XSRF 226
Understanding Application Security Vulnerabilities 231
Clickjacking 231
Security misconfiguration 231
File inclusion 234
Identifying Unsecure Coding Practices 234
Comments in source code 234
Lack of error handling 235
Overly verbose error handling 235
Hard-coded credentials 235
Race conditions 235
Unauthorized use of functions/unprotected APIs 237
Hidden elements/sensitive information in the DOM 237
Lack of code signing 237
Secure Coding Best Practices 238
Validation 238
Sanitization 238
Escaping 238
Parameterized queries 239
Lab Exercises 239
Exercise 7-1: Perform a CSRF attack 239
Exercise 7-2: Perform a SQL injection 243
Exercise 7-3: Perform a command injection attack 248
Exercise 7-4: Perform a reflected XSS attack 249
Exercise 7-5: Perform a persistent XSS attack 250
Exercise 7-6: Reset the DVWA 251
Reviewing Key Concepts 252
Prep Test 253
Answers 256
Part 3: Post-Exploitation and Reporting 259
Chapter 8: Understanding Post-Exploitation Actions 261
Common Post-Exploitation Tasks 261
Understanding the context 264
Collecting information 265
Obtaining a shell 266
Retrieving password hashes 267
Disabling the antivirus software 267
Migrating to a different process 267
Taking screenshots 268
Taking remote control 268
Capturing keystrokes 268
Enabling the webcam 269
Performing Lateral Movement 270
PS remoting/WinRM 272
Using PsExec 272
Using PsExec with pass the hash 273
Using RDP 276
Using RPC/DCOM 276
Using remote services 277
Other techniques for lateral movement 281
Maintaining Access (Persistence) 282
New user creation 283
Planting backdoors and trojans 284
Other techniques for maintaining access 285
Covering Your Tracks 285
Lab Exercises 287
Exercise 8-1: Exploit a system and collect information 287
Exercise 8-2: Record keystrokes 288
Exercise 8-3: Obtain password hashes 288
Exercise 8-4: Move laterally 289
Exercise 8-5: Create a backdoor account 290
Exercise 8-6: Cover your tracks 290
Reviewing Key Concepts 291
Prep Test 292
Answers 295
Chapter 9: Common Penetration Testing Tools 297
Understanding Use Cases for Common Pentest Tools 297
Reconnaissance 298
Enumeration 298
Vulnerability scanning 298
Credential attacks 299
Persistence 299
Configuration compliance 300
Evasion 300
Decompilation and debugging 300
Forensics 300
Software assurance 301
Looking at Common Pentest Tools 301
Scanners 302
Credential testing tools 304
Debuggers 311
Software assurance 312
Open-source intelligence (OSINT) 313
Wireless 314
Web proxies 315
Social engineering tools 317
Remote access tools 318
Networking tools 319
Mobile tools 320
Miscellaneous tools 320
Analyzing Tool Output 321
Password cracking 321
Pass the hash 324
Setting up a bind shell 326
Getting a reverse shell 327
Proxying a connection 328
Uploading a web shell 328
Injections 330
Lab Exercises 330
Exercise 9-1: Crack passwords with John the Ripper 330
Exercise 9-2: Locate web servers 331
Exercise 9-3: Scan web applications for vulnerabilities 331
Exercise 9-4: Use Hydra for password cracking over RDP 332
Exercise 9-5: Use Hydra to crack website credentials 332
Exercise 9-6: Use CeWL to create a wordlist 335
Exercise 9-7: Use Netcat/Ncat to create a bind shell 335
Reviewing Key Concepts 336
Prep Test 338
Answers 341
Chapter 10: Analyzing Script Functionality 343
Reviewing Scripting Concepts 344
Variables and arrays 344
Looping and flow control 345
Common operations 347
Error handling 349
Using Bash Scripting 350
Variables and arrays 351
Looping and flow control 352
Executing the script 354
Error handling 354
Input and output 354
Understanding Python Scripting 355
Variables and arrays 356
Looping and flow control 357
Executing the script 358
Error handling 359
Input and output 359
Working with Ruby Scripting 360
Variables and arrays 360
Looping and flow control 362
Executing the script 363
Error handling 363
Input and output 364
Coding in PowerShell Scripting 365
Variables and arrays 365
Looping and flow control 366
Executing the script 368
Error handling 369
Input and output 369
Lab Exercises 370
Exercise 10-1: Review Bash script 370
Exercise 10-2: Review Python script 371
Exercise 10-3: Review PowerShell script 372
Reviewing Key Concepts 373
Prep Test 374
Answers 376
Chapter 11: Reporting and Communication 377
Communicating During a PenTest 377
Communication triggers 378
Reasons for communication 379
Findings and Remediations 380
Shared local administrator credentials 381
Weak password complexity 381
Plain text passwords 381
No multifactor authentication 382
SQL injection 382
Unnecessary open services 383
Focusing Your Remediation Strategies 383
Writing and Handling the Pentest Report 384
Normalization of data 385
Risk appetite 385
Report structure 385
Secure handling and disposition of reports 388
Delivering the Report and Post-Report Activities 388
Post-engagement cleanup 389
Client acceptance 389
Administrative tasks 389
Lab Exercises 390
Exercise 11-1: Create a pentest report 390
Exercise 11-2: Encrypt the pentest report 390
Reviewing Key Concepts 391
Prep Test 392
Answers 395
Part 4: Appendixes 397
Appendix A: PenTest+ Exam Details 399
Appendix B: CompTIA PenTest+ Exam Reference Matrix 405
Appendix C: Lab Setup 425
Index 429
| Publication date | 15.01.2021 |
|---|---|
| Place of publication | New York |
| Language | English |
| Dimensions | 176 x 240 mm |
| Weight | 574 g |
| Subject area | Computer science ► Networks ► Security / Firewall |
| | Social sciences ► Education |
| ISBN-10 | 1-119-63355-9 / 1119633559 |
| ISBN-13 | 978-1-119-63355-6 / 9781119633556 |
| Condition | New |