Planning and Scoping - 14%
|
|
Compare and contrast governance, risk, and compliance concepts. |
- Regulatory compliance considerations
-
Payment Card Industry Data Security Standard (PCI DSS)
-
General Data Protection Regulation (GDPR)
- Location restrictions
-
Country limitations
-
Tool restrictions
-
Local laws
-
Local government requirements
- Privacy requirements
- Legal concepts
-
Service-level agreement (SLA)
-
Confidentiality
-
Statement of work
-
Non-disclosure agreement (NDA)
-
Master service agreement
- Permission to attack |
|
Explain the importance of scoping and organizational/customer requirements. |
- Standards and methodologies
-
MITRE ATT&CK
-
Open Web Application Security Project (OWASP)
-
National Institute of Standards and Technology (NIST)
-
Open-source Security Testing Methodology Manual (OSSTMM)
-
Penetration Testing Execution Standard (PTES)
-
Information Systems Security Assessment Framework (ISSAF)
- Rules of engagement
-
Time of day
-
Types of allowed/disallowed tests
-
Other restrictions
- Environmental considerations
-
Network
-
Application
-
Cloud
- Target list/in-scope assets
-
Wireless networks
-
Internet Protocol (IP) ranges
-
Domains
-
Application programming interfaces (APIs)
-
Physical locations
-
Domain name system (DNS)
-
External vs. internal targets
-
First-party vs. third-party hosted
- Validate scope of engagement
-
Question the client/review contracts
-
Time management
-
Strategy
- Unknown-environment vs. known-environment testing
|
|
Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity. |
- Background checks of penetration testing team
- Adhere to specific scope of engagement
- Identify criminal activity
- Immediately report breaches/criminal activity
- Limit the use of tools to a particular engagement
- Limit invasiveness based on scope
- Maintain confidentiality of data/information
- Risks to the professional
-
Fees/fines
-
Criminal charges
|
Information Gathering and Vulnerability Scanning - 22%
|
|
Given a scenario, perform passive reconnaissance. |
- DNS lookups
- Identify technical contacts
- Administrator contacts
- Cloud vs. self-hosted
- Social media scraping
-
Key contacts/job responsibilities
-
Job listing/technology stack
- Cryptographic flaws
-
Secure Sockets Layer (SSL) certificates
-
Revocation
- Company reputation/security posture
- Data
-
Password dumps
-
File metadata
-
Strategic search engine analysis/enumeration
-
Website archive/caching
-
Public source-code repositories
- Open-source intelligence (OSINT)
-
Tools
- Shodan
- Recon-ng
-
Sources
- Common weakness enumeration (CWE)
- Common vulnerabilities and exposures (CVE)
|
|
Given a scenario, perform active reconnaissance. |
- Enumeration
-
Hosts
-
Services
-
Domains
-
Users
-
Uniform resource locators (URLs)
- Website reconnaissance
-
Crawling websites
-
Scraping websites
-
Manual inspection of web links
- robots.txt
- Packet crafting
- Defense detection
-
Load balancer detection
-
Web application firewall (WAF) detection
-
Antivirus
-
Firewall
- Tokens
-
Scoping
-
Issuing
-
Revocation
- Wardriving
- Network traffic
-
Capture API requests and responses
-
Sniffing
- Cloud asset discovery
- Third-party hosted services
- Detection avoidance |
|
Given a scenario, analyze the results of a reconnaissance exercise. |
- Fingerprinting
-
Operating systems (OSs)
-
Networks
-
Network devices
-
Software
- Analyze output from:
-
DNS lookups
-
Crawling websites
-
Network traffic
-
Address Resolution Protocol (ARP) traffic
-
Nmap scans
-
Web logs
|
|
Given a scenario, perform vulnerability scanning. |
- Considerations of vulnerability scanning
-
Time to run scans
-
Protocols
-
Network topology
-
Bandwidth limitations
-
Query throttling
-
Fragile systems
-
Non-traditional assets
- Scan identified targets for vulnerabilities
- Set scan settings to avoid detection
- Scanning methods
-
Stealth scan
-
Transmission Control Protocol (TCP) connect scan
-
Credentialed vs. non-credentialed
- Nmap
-
Nmap Scripting Engine (NSE) scripts
-
Common options
- A
- sV
- sT
- Pn
- O
- sU
- sS
- T 1-5
- script=vuln
- p
- Vulnerability testing tools that facilitate automation |
Attacks and Exploits - 30%
|
|
Given a scenario, research attack vectors and perform network attacks. |
- Stress testing for availability
- Exploit resources
-
Exploit database (DB)
-
Packet storm
- Attacks
-
ARP poisoning
-
Exploit chaining
-
Password attacks
- Password spraying
- Hash cracking
- Brute force
- Dictionary
-
On-path (previously known as man-in-the-middle)
-
Kerberoasting
-
DNS cache poisoning
-
Virtual local area network (VLAN) hopping
-
Network access control (NAC) bypass
-
Media access control (MAC) spoofing
-
Link-Local Multicast Name Resolution (LLMNR)/NetBIOS Name Service (NBT-NS) poisoning
-
New Technology LAN Manager (NTLM) relay attacks
- Tools
|
|
Given a scenario, research attack vectors and perform wireless attacks. |
- Attack methods
-
Eavesdropping
-
Data modification
-
Data corruption
-
Relay attacks
-
Spoofing
-
Deauthentication
-
Jamming
-
Capture handshakes
-
On-path
- Attacks
-
Evil twin
-
Captive portal
-
Bluejacking
-
Bluesnarfing
-
Radio-frequency identification (RFID) cloning
-
Bluetooth Low Energy (BLE) attack
-
Amplification attacks [Near-field communication (NFC)]
-
WiFi protected setup (WPS) PIN attack
- Tools
-
Aircrack-ng suite
-
Amplified antenna
|
|
Given a scenario, research attack vectors and perform application-based attacks. |
- OWASP Top 10
- Server-side request forgery
- Business logic flaws
- Injection attacks
-
Structured Query Language (SQL) injection
- Blind SQL
- Boolean SQL
- Stacked queries
-
Command injection
-
Cross-site scripting
- Persistent
- Reflected
-
Lightweight Directory Access Protocol (LDAP) injection
- Application vulnerabilities
-
Race conditions
-
Lack of error handling
-
Lack of code signing
-
Insecure data transmission
-
Session attacks
- Session hijacking
- Cross-site request forgery (CSRF)
- Privilege escalation
- Session replay
- Session fixation
- API attacks
-
Restful
-
Extensible Markup Language-Remote Procedure Call (XML-RPC)
-
Soap
- Directory traversal
- Tools
-
Web proxies
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite community edition
-
SQLmap
-
DirBuster
- Resources
|
|
Given a scenario, research attack vectors and perform attacks on cloud technologies. |
- Attacks
-
Credential harvesting
-
Privilege escalation
-
Account takeover
-
Metadata service attack
-
Misconfigured cloud assets
- Identity and accessmanagement (IAM)
- Federation misconfigurations
- Object storage
- Containerization technologies
-
Resource exhaustion
-
Cloud malware injection attacks
-
Denial-of-service attacks
-
Side-channel attacks
-
Direct-to-origin attacks
- Tools
-
Software development kit (SDK)
|
|
Explain common attacks and vulnerabilities against specialized systems. |
- Mobile
-
Attacks
- Reverse engineering
- Sandbox analysis
- Spamming
-
Vulnerabilities
- Insecure storage
- Passcode vulnerabilities
- Certificate pinning
- Using known vulnerable components
(i) Dependency vulnerabilities
(ii) Patching fragmentation
- Execution of activities using root
- Over-reach of permissions
- Biometrics integrations
- Business logic vulnerabilities
-
Tools
- Burp Suite
- Drozer
- Mobile Security Framework (MobSF)
- Postman
- Ettercap
- Frida
- Objection
- Android SDK tools
- ApkX
- APK Studio
- Internet of Things (IoT) devices
-
BLE attacks
-
Special considerations
- Fragile environment
- Availability concerns
- Data corruption
- Data exfiltration
-
Vulnerabilities
- Insecure defaults
- Cleartext communication
- Hard-coded configurations
- Outdated firmware/hardware
- Data leakage
- Use of insecure or outdated components
- Data storage system vulnerabilities
-
Misconfigurations—on-premises and cloud-based
- Default/blank username/password
- Network exposure
-
Lack of user input sanitization
-
Underlying software vulnerabilities
-
Error messages and debug handling
-
Injection vulnerabilities
- Single quote method
- Management interface vulnerabilities
-
Intelligent platform management interface (IPMI)
- Vulnerabilities related to supervisory control and data acquisition (SCADA)/Industrial Internet of Things (IIoT)/industrial control system (ICS)
- Vulnerabilities related to virtual environments
-
Virtual machine (VM) escape
-
Hypervisor vulnerabilities
-
VM repository vulnerabilities
- Vulnerabilities related to containerized workloads |
|
Given a scenario, perform a social engineering or physical attack. |
- Pretext for an approach
- Social engineering attacks
-
Email phishing
- Whaling
- Spear phishing
-
Vishing
-
Short message service (SMS) phishing
-
Universal Serial Bus (USB) drop key
-
Watering hole attack
- Physical attacks
-
Tailgating
-
Dumpster diving
-
Shoulder surfing
-
Badge cloning
- Impersonation
- Tools
-
Browser exploitation framework (BeEF)
-
Social engineering toolkit
-
Call spoofing tools
- Methods of influence
-
Authority
-
Scarcity
-
Social proof
-
Urgency
-
Likeness
-
Fear
|
|
Given a scenario, perform post-exploitation techniques. |
- Post-exploitation tools
-
Empire
-
Mimikatz
-
BloodHound
- Lateral movement
- Network segmentation testing
- Privilege escalation
- Upgrading a restrictive shell
- Creating a foothold/persistence
-
Trojan
-
Backdoor
- Bind shell
- Reverse shell
-
Daemons
-
Scheduled tasks
- Detection avoidance
-
Living-off-the-land techniques/fileless malware
- PsExec
- Windows Management Instrumentation (WMI)
- PowerShell (PS) remoting/Windows Remote Management (WinRM)
-
Data exfiltration
-
Covering your tracks
-
Steganography
-
Establishing a covert channel
- Enumeration
-
Users
-
Groups
-
Forests
-
Sensitive data
-
Unencrypted files
|
Reporting and Communication - 18%
|
|
Compare and contrast important components of written reports. |
- Report audience
-
C-suite
-
Third-party stakeholders
-
Technical staff
-
Developers
- Report contents (** not in a particular order)
-
Executive summary
-
Scope details
-
Methodology
- Attack narrative
-
Findings
- Risk rating (reference framework)
- Risk prioritization
- Business impact analysis
-
Metrics and measures
-
Remediation
-
Conclusion
-
Appendix
- Storage time for report
- Secure distribution
- Note taking
-
Ongoing documentation during test
-
Screenshots
- Common themes/root causes
-
Vulnerabilities
-
Observations
-
Lack of best practices
|
|
Given a scenario, analyze the findings and recommend the appropriate remediation within a report. |
- Technical controls
-
System hardening
-
Sanitize user input/parameterize queries
-
Implemented multifactor authentication
-
Encrypt passwords
-
Process-level remediation
-
Patch management
-
Key rotation
-
Certificate management
-
Secrets management solution
-
Network segmentation
- Administrative controls
-
Role-based access control
-
Secure software development life cycle
-
Minimum password requirements
-
Policies and procedures
- Operational controls
-
Job rotation
-
Time-of-day restrictions
-
Mandatory vacations
-
User training
- Physical controls
-
Access control vestibule
-
Biometric controls
-
Video surveillance
|
|
Explain the importance of communication during the penetration testing process. |
- Communication path
-
Primary contact
-
Technical contact
-
Emergency contact
- Communication triggers
-
Critical findings
-
Status reports
-
Indicators of prior compromise
- Reasons for communication
-
Situational awareness
-
De-escalation
-
Deconfliction
-
Identifying false positives
-
Criminal activity
- Goal reprioritization
- Presentation of findings |
|
Explain post-report delivery activities. |
- Post-engagement cleanup
-
Removing shells
-
Removing tester-created credentials
-
Removing tools
- Client acceptance
- Lessons learned
- Follow-up actions/retest
- Attestation of findings
- Data destruction process |
Tools and Code Analysis - 16%
|
|
Explain the basic concepts of scripting and software development. |
- Logic constructs
-
Loops
-
Conditionals
-
Boolean operator
-
String operator
-
Arithmetic operator
- Data structures
-
JavaScript Object Notation (JSON)
-
Key value
-
Arrays
-
Dictionaries
-
Comma-separated values (CSV)
-
Lists
-
Trees
- Libraries
- Classes
- Procedures
- Functions |
|
Given a scenario, analyze a script or code sample for use in a penetration test. |
- Shells
- Programming languages
-
Python
-
Ruby
-
Perl
-
JavaScript
- Analyze exploit code to:
-
Download files
-
Launch remote access
-
Enumerate users
-
Enumerate assets
- Opportunities for automation
-
Automate penetration testing process
- Perform port scan and then automate next steps based on results
- Check configurations and produce a report
-
Scripting to modify IP addresses during a test
-
Nmap scripting to enumerate ciphers and produce reports
|
Explain use cases of the following tools during the phases of a penetration test.
(**The intent of this objective is NOT to test specific vendor feature sets.) |
- Scanners
-
Nikto
-
Open vulnerability assessment scanner (Open VAS)
-
SQLmap
-
Nessus
-
Open Security Content Automation Protocol (SCAP)
-
Wapiti
-
WPScan
-
Brakeman
-
Scout Suite
- Credential testing tools
-
Hashcat
-
Medusa
-
Hydra
-
CeWL
-
John the Ripper
-
Cain
-
Mimikatz
-
Patator
-
DirBuster
- Debuggers
-
OllyDbg
-
Immunity Debugger
-
GNU Debugger (GDB)
-
WinDbg
-
Interactive Disassembler (IDA)
-
Covenant
-
SearchSploit
- OSINT
-
WHOIS
-
Nslookup
-
Fingerprinting Organization with Collected Archives (FOCA)
-
theHarvester
-
Shodan
-
Maltego
-
Recon-ng
-
Censys
- Wireless
-
Aircrack-ng suite
-
Kismet
-
Wifite2
-
Rogue access point
-
EAPHammer
-
mdk4
-
Spooftooph
-
Reaver
-
Wireless Geographic Logging Engine (WiGLE)
-
Fern
- Web application tools
-
OWASP ZAP
-
Burp Suite
-
Gobuster
-
w3af
- Social engineering tools
-
Social Engineering Toolkit (SET)
-
BeEF
- Remote access tools
-
Secure Shell (SSH)
-
Ncat
-
Netcat
-
ProxyChains
- Networking tools
- Misc.
-
SearchSploit
-
Responder
-
Impacket tools
-
Empire
-
Metasploit
-
mitm6
-
CrackMapExec
-
TruffleHog
-
Censys
- Steganography tools
-
Openstego
-
Steghide
-
Snow
-
Coagula
-
Sonic Visualiser
-
TinEye
- Cloud tools
-
Scout Suite
-
CloudBrute
-
Pacu
-
Cloud Custodian
|
Use this quick start guide to collect all the information about CompTIA PenTest+ (PT0-002) Certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the PT0-002 CompTIA PenTest+ exam. The Sample Questions will help you identify the type and difficulty level of the questions and the Practice Exams will make you familiar with the format and environment of an exam. You should refer this guide carefully before attempting your actual CompTIA PenTest Plus certification exam.