Planning and Scoping - 14%

Compare and contrast governance, risk, and compliance concepts.
- Regulatory compliance considerations
  - Payment Card Industry Data Security Standard (PCI DSS)
  - General Data Protection Regulation (GDPR)
- Location restrictions
  - Country limitations
  - Tool restrictions
  - Local laws
  - Local government requirements
- Privacy requirements
- Legal concepts
  - Service-level agreement (SLA)
  - Confidentiality
  - Statement of work
  - Non-disclosure agreement (NDA)
  - Master service agreement
- Permission to attack

Explain the importance of scoping and organizational/customer requirements.
- Standards and methodologies
  - MITRE ATT&CK
  - Open Web Application Security Project (OWASP)
  - National Institute of Standards and Technology (NIST)
  - Open-source Security Testing Methodology Manual (OSSTMM)
  - Penetration Testing Execution Standard (PTES)
  - Information Systems Security Assessment Framework (ISSAF)
- Rules of engagement
  - Time of day
  - Types of allowed/disallowed tests
  - Other restrictions
- Environmental considerations
  - Network
  - Application
  - Cloud
- Target list/in-scope assets
  - Wireless networks
  - Internet Protocol (IP) ranges
  - Domains
  - Application programming interfaces (APIs)
  - Physical locations
  - Domain name system (DNS)
  - External vs. internal targets
  - First-party vs. third-party hosted
- Validate scope of engagement
  - Question the client/review contracts
  - Time management
  - Strategy
    - Unknown-environment vs. known-environment testing

Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity.
- Background checks of penetration testing team
- Adhere to specific scope of engagement
- Identify criminal activity
- Immediately report breaches/criminal activity
- Limit the use of tools to a particular engagement
- Limit invasiveness based on scope
- Maintain confidentiality of data/information
- Risks to the professional
  - Fees/fines
  - Criminal charges
Information Gathering and Vulnerability Scanning - 22%

Given a scenario, perform passive reconnaissance.
- DNS lookups
- Identify technical contacts
- Administrator contacts
- Cloud vs. self-hosted
- Social media scraping
  - Key contacts/job responsibilities
  - Job listing/technology stack
- Cryptographic flaws
  - Secure Sockets Layer (SSL) certificates
  - Revocation
- Company reputation/security posture
- Data
  - Password dumps
  - File metadata
  - Strategic search engine analysis/enumeration
  - Website archive/caching
  - Public source-code repositories
- Open-source intelligence (OSINT)
  - Tools
    - Shodan
    - Recon-ng
  - Sources
    - Common weakness enumeration (CWE)
    - Common vulnerabilities and exposures (CVE)

Given a scenario, perform active reconnaissance.
- Enumeration
  - Hosts
  - Services
  - Domains
  - Users
  - Uniform resource locators (URLs)
- Website reconnaissance
  - Crawling websites
  - Scraping websites
  - Manual inspection of web links
    - robots.txt
- Packet crafting
- Defense detection
  - Load balancer detection
  - Web application firewall (WAF) detection
  - Antivirus
  - Firewall
- Tokens
  - Scoping
  - Issuing
  - Revocation
- Wardriving
- Network traffic
  - Capture API requests and responses
  - Sniffing
- Cloud asset discovery
- Third-party hosted services
- Detection avoidance

Given a scenario, analyze the results of a reconnaissance exercise.
- Fingerprinting
  - Operating systems (OSs)
  - Networks
  - Network devices
  - Software
- Analyze output from:
  - DNS lookups
  - Crawling websites
  - Network traffic
  - Address Resolution Protocol (ARP) traffic
  - Nmap scans
  - Web logs

Given a scenario, perform vulnerability scanning.
- Considerations of vulnerability scanning
  - Time to run scans
  - Protocols
  - Network topology
  - Bandwidth limitations
  - Query throttling
  - Fragile systems
  - Non-traditional assets
- Scan identified targets for vulnerabilities
- Set scan settings to avoid detection
- Scanning methods
  - Stealth scan
  - Transmission Control Protocol (TCP) connect scan
  - Credentialed vs. non-credentialed
- Nmap
  - Nmap Scripting Engine (NSE) scripts
  - Common options
    - -A
    - -sV
    - -sT
    - -Pn
    - -O
    - -sU
    - -sS
    - -T 1-5
    - --script=vuln
    - -p
- Vulnerability testing tools that facilitate automation
Attacks and Exploits - 30%

Given a scenario, research attack vectors and perform network attacks.
- Stress testing for availability
- Exploit resources
  - Exploit database (DB)
  - Packet Storm
- Attacks
  - ARP poisoning
  - Exploit chaining
  - Password attacks
    - Password spraying
    - Hash cracking
    - Brute force
    - Dictionary
  - On-path (previously known as man-in-the-middle)
  - Kerberoasting
  - DNS cache poisoning
  - Virtual local area network (VLAN) hopping
  - Network access control (NAC) bypass
  - Media access control (MAC) spoofing
  - Link-Local Multicast Name Resolution (LLMNR)/NetBIOS Name Service (NBT-NS) poisoning
  - New Technology LAN Manager (NTLM) relay attacks
- Tools

Given a scenario, research attack vectors and perform wireless attacks.
- Attack methods
  - Eavesdropping
  - Data modification
  - Data corruption
  - Relay attacks
  - Spoofing
  - Deauthentication
  - Jamming
  - Capture handshakes
  - On-path
- Attacks
  - Evil twin
  - Captive portal
  - Bluejacking
  - Bluesnarfing
  - Radio-frequency identification (RFID) cloning
  - Bluetooth Low Energy (BLE) attack
  - Amplification attacks [Near-field communication (NFC)]
  - WiFi Protected Setup (WPS) PIN attack
- Tools
  - Aircrack-ng suite
  - Amplified antenna

Given a scenario, research attack vectors and perform application-based attacks.
- OWASP Top 10
- Server-side request forgery
- Business logic flaws
- Injection attacks
  - Structured Query Language (SQL) injection
    - Blind SQL
    - Boolean SQL
    - Stacked queries
  - Command injection
  - Cross-site scripting
    - Persistent
    - Reflected
  - Lightweight Directory Access Protocol (LDAP) injection
- Application vulnerabilities
  - Race conditions
  - Lack of error handling
  - Lack of code signing
  - Insecure data transmission
  - Session attacks
    - Session hijacking
    - Cross-site request forgery (CSRF)
    - Privilege escalation
    - Session replay
    - Session fixation
- API attacks
  - RESTful
  - Extensible Markup Language-Remote Procedure Call (XML-RPC)
  - SOAP
- Directory traversal
- Tools
  - Web proxies
    - OWASP Zed Attack Proxy (ZAP)
    - Burp Suite Community Edition
  - SQLmap
  - DirBuster
- Resources

Given a scenario, research attack vectors and perform attacks on cloud technologies.
- Attacks
  - Credential harvesting
  - Privilege escalation
  - Account takeover
  - Metadata service attack
  - Misconfigured cloud assets
    - Identity and access management (IAM)
    - Federation misconfigurations
    - Object storage
    - Containerization technologies
  - Resource exhaustion
  - Cloud malware injection attacks
  - Denial-of-service attacks
  - Side-channel attacks
  - Direct-to-origin attacks
- Tools
  - Software development kit (SDK)

Explain common attacks and vulnerabilities against specialized systems.
- Mobile
  - Attacks
    - Reverse engineering
    - Sandbox analysis
    - Spamming
  - Vulnerabilities
    - Insecure storage
    - Passcode vulnerabilities
    - Certificate pinning
    - Using known vulnerable components
      - Dependency vulnerabilities
      - Patching fragmentation
    - Execution of activities using root
    - Over-reach of permissions
    - Biometrics integrations
    - Business logic vulnerabilities
  - Tools
    - Burp Suite
    - Drozer
    - Mobile Security Framework (MobSF)
    - Postman
    - Ettercap
    - Frida
    - Objection
    - Android SDK tools
    - ApkX
    - APK Studio
- Internet of Things (IoT) devices
  - BLE attacks
  - Special considerations
    - Fragile environment
    - Availability concerns
    - Data corruption
    - Data exfiltration
  - Vulnerabilities
    - Insecure defaults
    - Cleartext communication
    - Hard-coded configurations
    - Outdated firmware/hardware
    - Data leakage
    - Use of insecure or outdated components
- Data storage system vulnerabilities
  - Misconfigurations (on-premises and cloud-based)
    - Default/blank username/password
    - Network exposure
  - Lack of user input sanitization
  - Underlying software vulnerabilities
  - Error messages and debug handling
  - Injection vulnerabilities
    - Single quote method
- Management interface vulnerabilities
  - Intelligent platform management interface (IPMI)
- Vulnerabilities related to supervisory control and data acquisition (SCADA)/Industrial Internet of Things (IIoT)/industrial control system (ICS)
- Vulnerabilities related to virtual environments
  - Virtual machine (VM) escape
  - Hypervisor vulnerabilities
  - VM repository vulnerabilities
- Vulnerabilities related to containerized workloads

Given a scenario, perform a social engineering or physical attack.
- Pretext for an approach
- Social engineering attacks
  - Email phishing
    - Whaling
    - Spear phishing
  - Vishing
  - Short message service (SMS) phishing
  - Universal Serial Bus (USB) drop key
  - Watering hole attack
- Physical attacks
  - Tailgating
  - Dumpster diving
  - Shoulder surfing
  - Badge cloning
- Impersonation
- Tools
  - Browser Exploitation Framework (BeEF)
  - Social Engineering Toolkit
  - Call spoofing tools
- Methods of influence
  - Authority
  - Scarcity
  - Social proof
  - Urgency
  - Likeness
  - Fear

Given a scenario, perform post-exploitation techniques.
- Post-exploitation tools
  - Empire
  - Mimikatz
  - BloodHound
- Lateral movement
- Network segmentation testing
- Privilege escalation
- Upgrading a restrictive shell
- Creating a foothold/persistence
  - Trojan
  - Backdoor
    - Bind shell
    - Reverse shell
  - Daemons
  - Scheduled tasks
- Detection avoidance
  - Living-off-the-land techniques/fileless malware
    - PsExec
    - Windows Management Instrumentation (WMI)
    - PowerShell (PS) remoting/Windows Remote Management (WinRM)
  - Data exfiltration
  - Covering your tracks
  - Steganography
  - Establishing a covert channel
- Enumeration
  - Users
  - Groups
  - Forests
  - Sensitive data
  - Unencrypted files
Reporting and Communication - 18%

Compare and contrast important components of written reports.
- Report audience
  - C-suite
  - Third-party stakeholders
  - Technical staff
  - Developers
- Report contents (not in a particular order)
  - Executive summary
  - Scope details
  - Methodology
    - Attack narrative
  - Findings
    - Risk rating (reference framework)
    - Risk prioritization
    - Business impact analysis
  - Metrics and measures
  - Remediation
  - Conclusion
  - Appendix
- Storage time for report
- Secure distribution
- Note taking
  - Ongoing documentation during test
  - Screenshots
- Common themes/root causes
  - Vulnerabilities
  - Observations
  - Lack of best practices

Given a scenario, analyze the findings and recommend the appropriate remediation within a report.
- Technical controls
  - System hardening
  - Sanitize user input/parameterize queries
  - Implement multifactor authentication
  - Encrypt passwords
  - Process-level remediation
  - Patch management
  - Key rotation
  - Certificate management
  - Secrets management solution
  - Network segmentation
- Administrative controls
  - Role-based access control
  - Secure software development life cycle
  - Minimum password requirements
  - Policies and procedures
- Operational controls
  - Job rotation
  - Time-of-day restrictions
  - Mandatory vacations
  - User training
- Physical controls
  - Access control vestibule
  - Biometric controls
  - Video surveillance

Explain the importance of communication during the penetration testing process.
- Communication path
  - Primary contact
  - Technical contact
  - Emergency contact
- Communication triggers
  - Critical findings
  - Status reports
  - Indicators of prior compromise
- Reasons for communication
  - Situational awareness
  - De-escalation
  - Deconfliction
  - Identifying false positives
  - Criminal activity
- Goal reprioritization
- Presentation of findings

Explain post-report delivery activities.
- Post-engagement cleanup
  - Removing shells
  - Removing tester-created credentials
  - Removing tools
- Client acceptance
- Lessons learned
- Follow-up actions/retest
- Attestation of findings
- Data destruction process
Tools and Code Analysis - 16%

Explain the basic concepts of scripting and software development.
- Logic constructs
  - Loops
  - Conditionals
  - Boolean operator
  - String operator
  - Arithmetic operator
- Data structures
  - JavaScript Object Notation (JSON)
  - Key value
  - Arrays
  - Dictionaries
  - Comma-separated values (CSV)
  - Lists
  - Trees
- Libraries
- Classes
- Procedures
- Functions

Given a scenario, analyze a script or code sample for use in a penetration test.
- Shells
- Programming languages
  - Python
  - Ruby
  - Perl
  - JavaScript
- Analyze exploit code to:
  - Download files
  - Launch remote access
  - Enumerate users
  - Enumerate assets
- Opportunities for automation
  - Automate penetration testing process
    - Perform port scan and then automate next steps based on results
    - Check configurations and produce a report
  - Scripting to modify IP addresses during a test
  - Nmap scripting to enumerate ciphers and produce reports

Explain use cases of the following tools during the phases of a penetration test.
(The intent of this objective is NOT to test specific vendor feature sets.)
- Scanners
  - Nikto
  - Open Vulnerability Assessment Scanner (OpenVAS)
  - SQLmap
  - Nessus
  - Open Security Content Automation Protocol (OpenSCAP)
  - Wapiti
  - WPScan
  - Brakeman
  - Scout Suite
- Credential testing tools
  - Hashcat
  - Medusa
  - Hydra
  - CeWL
  - John the Ripper
  - Cain
  - Mimikatz
  - Patator
  - DirBuster
- Debuggers
  - OllyDbg
  - Immunity Debugger
  - GNU Debugger (GDB)
  - WinDbg
  - Interactive Disassembler (IDA)
  - Covenant
  - SearchSploit
- OSINT
  - WHOIS
  - Nslookup
  - Fingerprinting Organization with Collected Archives (FOCA)
  - theHarvester
  - Shodan
  - Maltego
  - Recon-ng
  - Censys
- Wireless
  - Aircrack-ng suite
  - Kismet
  - Wifite2
  - Rogue access point
  - EAPHammer
  - mdk4
  - Spooftooph
  - Reaver
  - Wireless Geographic Logging Engine (WiGLE)
  - Fern
- Web application tools
  - OWASP ZAP
  - Burp Suite
  - Gobuster
  - w3af
- Social engineering tools
  - Social Engineering Toolkit (SET)
  - BeEF
- Remote access tools
  - Secure Shell (SSH)
  - Ncat
  - Netcat
  - ProxyChains
- Networking tools
- Misc.
  - SearchSploit
  - Responder
  - Impacket tools
  - Empire
  - Metasploit
  - mitm6
  - CrackMapExec
  - TruffleHog
  - Censys
- Steganography tools
  - OpenStego
  - Steghide
  - Snow
  - Coagula
  - Sonic Visualiser
  - TinEye
- Cloud tools
  - Scout Suite
  - CloudBrute
  - Pacu
  - Cloud Custodian