CompTIA PenTest+ Study Guide

MIKE CHAPPLE, Security+, CySA+, CISSP, is Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame. He's a cybersecurity professional and educator with over 20 years of experience. Mike provides cybersecurity certification resources at his website, CertMike.com. DAVID SEIDL, Security+, CySA+, CISSP, PenTest+, is Vice President for Information Technology and CIO at Miami University. David co-led Notre Dame's move to the cloud, and has written multiple cybersecurity certification books.

Introduction xxxix

Assessment Test xxv

Chapter 1 Penetration Testing 1

What Is Penetration Testing? 2

Cybersecurity Goals 2

Adopting the Hacker Mindset 4

Ethical Hacking 5

Reasons for Penetration Testing 5

Benefits of Penetration Testing 6

Regulatory Requirements for Penetration Testing 7

Who Performs Penetration Tests? 8

Internal Penetration Testing Teams 8

External Penetration Testing Teams 9

Selecting Penetration Testing Teams 10

The CompTIA Penetration Testing Process 10

Planning and Scoping 11

Information Gathering and Vulnerability Scanning 11

Attacks and Exploits 12

Reporting and Communication 13

Tools and Code Analysis 13

The Cyber Kill Chain 14

Reconnaissance 15

Weaponization 16

Delivery 16

Exploitation 16

Installation 16

Command and Control 16

Actions on Objectives 17

Tools of the Trade 17

Reconnaissance 20

Vulnerability Scanners 21

Social Engineering 21

Credential Testing Tools 22

Debuggers and Software Testing Tools 22

Network Testing 23

Remote Access 23

Exploitation 24

Steganography 24

Cloud Tools 25

Summary 25

Exam Essentials 25

Lab Exercises 26

Activity 1.1: Adopting the Hacker Mindset 26

Activity 1.2: Using the Cyber Kill Chain 26

Review Questions 27

Chapter 2 Planning and Scoping Penetration Tests 31

Scoping and Planning Engagements 34

Assessment Types 35

Known Environments and Unknown Environments 35

The Rules of Engagement 37

Scoping Considerations— A Deeper Dive 39

Support Resources for Penetration Tests 42

Penetration Testing Standards and Methodologies 44

Key Legal Concepts for Penetration Tests 46

Contracts 46

Data Ownership and Retention 47

Permission to Attack (Authorization) 47

Environmental Differences and Location Restrictions 48

Regulatory Compliance Considerations 49

Summary 51

Exam Essentials 52

Lab Exercises 53

Review Questions 54

Chapter 3 Information Gathering 59

Footprinting and Enumeration 63

Osint 64

Location and Organizational Data 65

Infrastructure and Networks 68

Security Search Engines 74

Google Dorks and Search Engine Techniques 77

Password Dumps and Other Breach Data 77

Source Code Repositories 78

Passive Enumeration and Cloud Services 78

Active Reconnaissance and Enumeration 78

Hosts 79

Services 79

Networks, Topologies, and Network Traffic 85

Packet Crafting and Inspection 88

Enumeration 90

Information Gathering and Code 97

Avoiding Detection 99

Information Gathering and Defenses 99

Defenses Against Active Reconnaissance 100

Preventing Passive Information Gathering 100

Summary 100

Exam Essentials 101

Lab Exercises 102

Activity 3.1: Manual OSINT Gathering 102

Activity 3.2: Exploring Shodan 102

Activity 3.3: Running an Nmap Scan 103

Review Questions 104

Chapter 4 Vulnerability Scanning 109

Identifying Vulnerability Management Requirements 112

Regulatory Environment 112

Corporate Policy 116

Support for Penetration Testing 116

Identifying Scan Targets 117

Determining Scan Frequency 118

Active vs. Passive Scanning 120

Configuring and Executing Vulnerability Scans 121

Scoping Vulnerability Scans 121

Configuring Vulnerability Scans 122

Scanner Maintenance 129

Software Security Testing 131

Analyzing and Testing Code 131

Web Application Vulnerability Scanning 133

Developing a Remediation Workflow 138

Prioritizing Remediation 140

Testing and Implementing Fixes 141

Overcoming Barriers to Vulnerability Scanning 141

Summary 143

Exam Essentials 143

Lab Exercises 144

Activity 4.1: Installing a Vulnerability Scanner 144

Activity 4.2: Running a Vulnerability Scan 145

Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan 145

Review Questions 146

Chapter 5 Analyzing Vulnerability Scans 151

Reviewing and Interpreting Scan Reports 152

Understanding CVSS 156

Validating Scan Results 162

False Positives 162

Documented Exceptions 162

Understanding Informational Results 163

Reconciling Scan Results with Other Data Sources 164

Trend Analysis 164

Common Vulnerabilities 165

Server and Endpoint Vulnerabilities 166

Network Vulnerabilities 175

Virtualization Vulnerabilities 181

Internet of Things (IoT) 183

Web Application Vulnerabilities 184

Summary 186

Exam Essentials 187

Lab Exercises 188

Activity 5.1: Interpreting a Vulnerability Scan 188

Activity 5.2: Analyzing a CVSS Vector 188

Activity 5.3: Developing a Penetration Testing Plan 189

Review Questions 190

Chapter 6 Exploiting and Pivoting 195

Exploits and Attacks 198

Choosing Targets 198

Enumeration 199

Identifying the Right Exploit 201

Exploit Resources 204

Exploitation Toolkits 206

Metasploit 206

PowerSploit 212

BloodHound 213

Exploit Specifics 213

Rpc/dcom 213

PsExec 214

PS Remoting/WinRM 214

Wmi 214

Fileless Malware and Living Off the Land 215

Scheduled Tasks and cron Jobs 216

Smb 217

Dns 219

Rdp 220

Apple Remote Desktop 220

Vnc 220

Ssh 220

Network Segmentation Testing and Exploits 221

Leaked Keys 222

Leveraging Exploits 222

Common Post- Exploit Attacks 222

Cross Compiling 225

Privilege Escalation 226

Social Engineering 226

Escaping and Upgrading Limited Shells 227

Persistence and Evasion 228

Scheduled Jobs and Scheduled Tasks 228

Inetd Modification 228

Daemons and Services 229

Backdoors and Trojans 229

Data Exfiltration and Covert Channels 230

New Users 230

Pivoting 231

Covering Your Tracks 232

Summary 233

Exam Essentials 234

Lab Exercises 235

Activity 6.1: Exploit 235

Activity 6.2: Discovery 235

Activity 6.3: Pivot 236

Review Questions 237

Chapter 7 Exploiting Network Vulnerabilities 243

Identifying Exploits 247

Conducting Network Exploits 247

VLAN Hopping 247

DNS Cache Poisoning 249

On- Path Attacks 251

NAC Bypass 254

DoS Attacks and Stress Testing 255

Exploit Chaining 257

Exploiting Windows Services 257

NetBIOS Name Resolution Exploits 257

SMB Exploits 261

Identifying and Exploiting Common Services 261

Identifying and Attacking Service Targets 262

SNMP Exploits 263

SMTP Exploits 264

FTP Exploits 265

Kerberoasting 266

Samba Exploits 267

Password Attacks 268

Stress Testing for Availability 269

Wireless Exploits 269

Attack Methods 269

Finding Targets 270

Attacking Captive Portals 270

Eavesdropping, Evil Twins, and Wireless On- Path Attacks 271

Other Wireless Protocols and Systems 275

RFID Cloning 276

Jamming 277

Repeating 277

Summary 278

Exam Essentials 279

Lab Exercises 279

Activity 7.1: Capturing Hashes 279

Activity 7.2: Brute- Forcing Services 280

Activity 7.3: Wireless Testing 281

Review Questions 282

Chapter 8 Exploiting Physical and Social Vulnerabilities 287

Physical Facility Penetration Testing 290

Entering Facilities 290

Information Gathering 294

Social Engineering 294

In- Person Social Engineering 295

Phishing Attacks 297

Website- Based Attacks 298

Using Social Engineering Tools 298

Summary 302

Exam Essentials 303

Lab Exercises 303

Activity 8.1: Designing a Physical Penetration Test 303

Activity 8.2: Brute- Forcing Services 304

Activity 8.3: Using BeEF 305

Review Questions 306

Chapter 9 Exploiting Application Vulnerabilities 311

Exploiting Injection Vulnerabilities 314

Input Validation 314

Web Application Firewalls 315

SQL Injection Attacks 316

Code Injection Attacks 319

Command Injection Attacks 319

LDAP Injection Attacks 320

Exploiting Authentication Vulnerabilities 320

Password Authentication 321

Session Attacks 322

Kerberos Exploits 326

Exploiting Authorization Vulnerabilities 327

Insecure Direct Object References 327

Directory Traversal 328

File Inclusion 330

Privilege Escalation 331

Chapter 10 Exploiting Web Application Vulnerabilities 331

Cross- Site Scripting (XSS) 331

Request Forgery 334

Clickjacking 335

Unsecure Coding Practices 335

Source Code Comments 335

Error Handling 336

Hard- Coded Credentials 336

Race Conditions 337

Unprotected APIs 337

Unsigned Code 338

Steganography 340

Application Testing Tools 341

Static Application Security Testing (SAST) 341

Dynamic Application Security Testing (DAST) 342

Mobile Tools 346

Summary 346

Exam Essentials 347

Lab Exercises 347

Activity 9.1: Application Security Testing Techniques 347

Activity 9.2: Using the ZAP Proxy 348

Activity 9.3: Creating a Cross- Site Scripting Vulnerability 348

Review Questions 349

Attacking Hosts, Cloud Technologies, and Specialized Systems 355

Attacking Hosts 360

Linux 361

Windows 365

Cross- Platform Exploits 367

Credential Attacks and Testing Tools 368

Credential Acquisition 368

Offline Password Cracking 369

Credential Testing and Brute- Forcing Tools 371

Wordlists and Dictionaries 371

Remote Access 372

Ssh 372

NETCAT and Ncat 373

Metasploit and Remote Access 373

Proxies and Proxychains 374

Attacking Virtual Machines and Containers 374

Virtual Machine Attacks 375

Containerization Attacks 377

Attacking Cloud Technologies 379

Attacking Cloud Accounts 379

Attacking and Using Misconfigured Cloud Assets 380

Other Cloud Attacks 382

Tools for Cloud Technology Attacks 383

Attacking Mobile Devices 384

Attacking IoT, ICS, Embedded Systems, and SCADA Devices 389

Attacking Data Storage 392

Summary 393

Exam Essentials 395

Lab Exercises 396

Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials 396

Activity 10.2: Cracking Passwords Using Hashcat 397

Activity 10.3: Setting Up a Reverse Shell and a Bind Shell 398

Review Questions 400

Chapter 11 Reporting and Communication 405

The Importance of Communication 409

Defining a Communication Path 409

Communication Triggers 410

Goal Reprioritization 410

Recommending Mitigation Strategies 411

Finding: Shared Local Administrator Credentials 412

Finding: Weak Password Complexity 413

Finding: Plaintext Passwords 414

Finding: No Multifactor Authentication 414

Finding: SQL Injection 416

Finding: Unnecessary Open Services 416

Writing a Penetration Testing Report 416

Structuring the Written Report 417

Secure Handling and Disposition of Reports 420

Wrapping Up the Engagement 421

Post- Engagement Cleanup 421

Client Acceptance 421

Lessons Learned 421

Follow- Up Actions/Retesting 422

Attestation of Findings 422

Retention and Destruction of Data 422

Summary 423

Exam Essentials 423

Lab Exercises 424

Activity 11.1: Remediation Strategies 424

Activity 11.2: Report Writing 424

Review Questions 425

Chapter 12 Scripting for Penetration Testing 429

Scripting and Penetration Testing 431

Bash 432

PowerShell 433

Ruby 434

Python 435

Perl 435

JavaScript 436

Variables, Arrays, and Substitutions 438

Bash 439

PowerShell 440

Ruby 441

Python 441

Perl 442

JavaScript 442

Comparison Operations 444

String Operations 445

Bash 446

PowerShell 447

Ruby 448

Python 449

Perl 450

JavaScript 451

Flow Control 452

Conditional Execution 453

for Loops 458 

while Loops 465

Input and Output (I/O) 471

Redirecting Standard Input and Output 471

Comma- Separated Values (CSV) 472

Error Handling 472

Bash 472

PowerShell 473

Ruby 473

Python 473

Advanced Data Structures 474

JavaScript Object Notation (JSON) 474

Trees 475

Reusing Code 475

The Role of Coding in Penetration Testing 476

Analyzing Exploit Code 476

Automating Penetration Tests 477

Summary 477

Exam Essentials 477

Lab Exercises 478

Activity 12.1: Reverse DNS Lookups 478

Activity 12.2: Nmap Scan 479

Review Questions 480

Appendix A Answers to Review Questions 485

Chapter 1: Penetration Testing 486

Chapter 2: Planning and Scoping Penetration Tests 487

Chapter 3: Information Gathering 489

Chapter 4: Vulnerability Scanning 491

Chapter 5: Analyzing Vulnerability Scans 493

Chapter 6: Exploiting and Pivoting 495

Chapter 7: Exploiting Network Vulnerabilities 497

Chapter 8: Exploiting Physical and Social Vulnerabilities 499

Chapter 9: Exploiting Application Vulnerabilities 501

Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems 503

Chapter 11: Reporting and Communication 505

Chapter 12: Scripting for Penetration Testing 506

Appendix B Solution to Lab Exercise 509

Solution to Activity 5.2: Analyzing a CVSS Vector 510

Index 511