Use this quick start guide to collect all the information about CREST Registered Penetration Tester (CRT) Certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the CRT CREST Registered Penetration Tester exam. The Sample Questions will help you identify the type and difficulty level of the questions and the Practice Exams will make you familiar with the format and environment of an exam. You should refer this guide carefully before attempting your actual CREST Registered Penetration Tester certification exam.
The CREST Registered Penetration Tester certification is mainly targeted to those candidates who want to build their career in Penetration Testing domain. The CREST Registered Penetration Tester (CRT) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of CREST Registered Penetration Tester.
CREST Registered Penetration Tester Exam Summary:
| Exam Name | CREST Registered Penetration Tester (CRT) |
| Exam Code | CRT |
| Exam Price | $400 (USD) |
| Duration | 150 mins |
| Number of Questions | 120 |
| Passing Score | 60% |
| Books / Training | CREST Training Providers |
| Schedule Exam | Pearson VUE |
| Sample Questions | CREST Registered Penetration Tester Sample Questions |
| Practice Exam | CREST CRT Certification Practice Exam |
CREST CRT Exam Syllabus Topics:
| Topic | Details |
|---|---|
Core Technical Skills (PT002) |
|
| Using Tools and Interpreting Outputs |
- Can use a variety of tools during a penetration test, selecting the most appropriate tool to meet a particular requirement. - Can interpret and understand the output of tools, including those used for port scanning, vulnerability scanning, enumeration, exploitation and traffic capture. |
| OS Fingerprinting | - Understands active and passive operating system fingerprinting techniques and can demonstrate their use during a penetration test. |
Internet Information Gathering and Reconnaissance (PT003) |
|
| DNS |
- Understands the Domain Name Service (DNS) including queries and responses, zone transfers, and the structure and purpose of records, including:
- Can demonstrate how a DNS server can be queried to obtain the information detailed in these records. |
Networks (PT004) |
|
| Network Connections |
- Can use common network connections that could be required during a penetration test:
|
| VLAN Tagging |
- Understands VLAN tagging (IEEE 802.1Q). - Understands the security implications of VLAN tagging. - Can connect a specific VLAN given the VLAN ID from both Linux and Windows systems. - Can identify and analyse VLAN tagged traffic on a network. |
| IPv4 |
- Basic understanding of how the IPv4 protocol works. - Ability to configure interfaces with IP addresses both statically and using DHCP. - Can perform host discovery using ARP and ICMP. - Ability to understand and configure IP routing. - Ability to perform standard penetration testing activities including network mapping, port scanning, and service exploitation. - Awareness of common protocols that use IPv4 e.g. ICMP, IGMP, TCP, UDP. - Awareness of IPsec. |
| Network Mapping |
- Can demonstrate the mapping of a network using a range of tools, such as traceroute, traceroute and ping, and by querying active searches, such as DNS and SNMP servers. - Can present the map as a logical network diagram, detailing all discovered subnets and interfaces, including routers, switches, hosts and other devices. - Can accurately identify all hosts on a target network that meet a defined set of criteria, e.g. to identify all FTP servers or Cisco routers. |
| Network Devices |
- Analysing the configuration of the following types of network equipment:
|
| Network Filtering |
- Understands network traffic filtering and where this may occur in a network. - Understands the devices and technology that implement traffic filtering, such as firewalls, and can advise on their configuration. - Can demonstrate methods by which traffic filters can be bypassed. |
| Traffic Analysis |
- Can intercept and monitor network traffic, capturing it to disk in a format required by analysis tools (e.g. PCAP). - Understands and can demonstrate how network traffic can be analysed to recover user account credentials and detect vulnerabilities that may lead to the compromise of a target device. - Can analyse network traffic stored in PCAP files. |
| TCP |
- Understands how TCP works and its relationship with IP protocols and higher level protocols. - Understands different TCP connection states. - Understands and can demonstrate active techniques for discovery of TCP services on a network, such as:
|
| UDP |
- Understands how UDP works and its relationship with IP protocols and higher level protocols. - Understands different UDP connection states. - Understands and can demonstrate active techniques for discovery of UDP services on a network. |
| Service Identification |
- Can identify the network services offered by a host by banner inspection. - Can state the purpose of an identified network service and determine its type and version. - Understands the methods associated with unknown service identification, enumeration and validation. - Evaluation of unknown services and protocols. |
| Host Discovery | - Can identify targets on common networks using active and passive fingerprinting techniques and can demonstrate their use. |
Network Services (PT005) |
|
| Unencrypted Services |
- Understands how unencrypted services can be exploited. - Can identify unencrypted services on the network and capture sensitive data. - Is aware of common unencrypted services including:
|
| TLS / SSL |
- Understands the use of TLS and SSL in protecting data in transit. - Is aware of SSL and TLS protocols and their common weaknesses. - Understands the components of cipher suites and their roles. - Understands the role of certificates in SSL and TLS. - Can identify insecure configurations. |
| Name Resolution Services |
- Understands and can demonstrate the use of the following name resolution services:
- Understands the security attributes of the above protocols and technologies.
|
| Management Services |
- Understands and can demonstrate the use of the following network management services:
- Understands the security attributes of the above protocols and technologies. |
| Desktop Access |
- Is aware of common protocols used to provide remote access to desktop services including:
- Understands the security attributes of the above protocols and technologies. |
| IPsec | - Enumeration and fingerprinting of devices running IPsec services. |
| FTP |
- Understands FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions. - Understands the security implications of anonymous FTP access - Understands FTP access control. |
| TFTP |
- Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files. the uploading over-writing of files. - Understands and can exploit TFTP within a Cisco environment. |
| SNMP |
- Understands the difference between versions 1, 2c, and 3. - Can enumerate information from targets including:
- Understands the MIB structure pertaining to the identification of security vulnerabilities. |
| SSH |
- Understands SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services. - Can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of -- /.ssh/authorized_keys files. - Understands authentication mechanisms used by SSH. |
| NFS |
- Understands NFS and its associated security attributes and can demonstrate how exports can be identified. - Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation. - Understands the concepts of root squashing, nosuid and noexec options - Understands how NFS exports can be restricted at both a host and file level |
| SMB |
- Is aware of common SMB implementations including:
- Can identify and analyse accessible SMB shares. |
| LDAP |
- Is aware of common LDAP implementations including:
- Can enumerate LDAP directories and extract arbitrary data including:
|
| Berkeley R* Services |
- Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:
- Can perform user enumeration using the rwho and rusers services. |
| X |
- Understands X and its associated security attributes, and can demonstrate how insecure sessions can be exploited, e.g.. by obtaining screen shots, capturing keystrokes and injecting commands into open terminals. - Understands X authentication mechanisms. - Understands the difference between host based and user based access control. |
| Finger |
- Understands how finger daemon derives the information that it returns, and hence how it can be abused. - Enumeration of usernames. |
| RPC Services |
- Can perform RPC service enumeration. - Is aware of common RPC services. - Is aware of and can exploit recent or commonly-found RPC service vulnerabilities. |
| NTP |
- Understands the function of NTP and the importance of it for logging and authentication. - Can extract information about the target network from NTP services. |
| SMTP and Mail Servers |
- Understands and can demonstrate valid username discovery via EXPN and VRFY. - Awareness of recent vulnerabilities in mail server applications (e.g. Postfix and Exchange) and the ability to exploit them if possible - Understands mail relaying. |
Microsoft Windows Security Assessment (PT006) |
|
| Windows Reconnaissance |
- Can identify Windows hosts on a target network. - Can identify forests, domains, domain controllers, domain members and workgroups. - Can enumerate accessible Windows shares. - Can identify and analyse internal browse lists. |
| Windows Network Enumeration |
- Can perform user and group enumeration on target systems and domains, using various protocols and methods including:
- Can obtain other information, such as password policies. |
| Active Directory Enumeration |
- Can enumerate information from Active Directory including:
|
| Windows Passwords |
- Understands password policies, including complexity requirements and lock-out. - Understands how to avoid causing a denial of service by locking-out accounts. - Understands Windows password hashing algorithms, the merits of each algorithm, and their associated security attributes. - Understands how passwords are stored and protected and can demonstrate how they can be recovered. - Understands and can demonstrate off-line password cracking using dictionary and brute- force attacks, including the use of rainbow tables. |
| Windows Processes |
- Can identify running processes and exploit vulnerabilities to escalate privileges. - Understands and can exploit DLL loading mechanisms to escalate privileges. |
| Windows File Permissions |
- Understands and can demonstrate the manipulation of file system permissions on Windows operating systems. - Understands how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host. - Can identify files with insecure or "unusual" permissions that can be exploited. |
| Registry |
- Understands and can demonstrate the detection and manipulation of weak registry ACLs. - Can extract data from registry keys. |
| Windows Remote Exploitation | - Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities. |
| Windows Local Exploitation |
- Understands and can demonstrate the local exploitation of Windows operating system and third-party software application vulnerabilities. - Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions |
| Windows Post Exploitation |
- Understands and can perform common post exploitation activities, including:
|
| Windows Patch Management |
- Understands common windows patch management strategies, including:
|
| Windows Desktop Lockdown |
- Understands and can demonstrate techniques to break out of a locked down Windows desktop or Citrix environment. - Can perform privilege escalation techniques from a desktop environment. |
| Common Windows Applications | - Knowledge of significant vulnerabilities in common windows applications for which there is public exploit code available. |
Linux / UNIX Security Assessment (PT007) |
|
| Linux / UNIX Reconnaissance | - Can identify Linux / UNIX hosts on a network. |
| Linux / UNIX Network Enumeration |
- Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms including:
- Is aware of legacy user enumeration techniques such as rusers, rwho and finger. |
| Linux / UNIX Passwords |
- Understands users, groups and password policies, including complexity requirements and lock out. - Understands how to avoid causing a denial of service by locking out accounts. - Understands the format of the passwd, shadow, group and gshadow files. - Understands UNIX password hashing algorithms and their associated security attributes. - Understands how passwords are stored and protected and can demonstrate how they can be recovered. - Understands and can demonstrate off-line password cracking using dictionary and brute force attacks. - Can demonstrate the recovery of password hashes when given physical access to a Linux / UNIX host. |
| Linux / UNIX File Permissions |
- Understands and can demonstrate the manipulation of file system permission on Linux and UNIX operating systems. - Understands how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host. - Can find "interesting' files on an operating system, e.g. those with insecure or "unusual" permissions, or containing user account passwords. |
| Linux / UNIX Processes |
- Can identify running processes on Linux / UNIX hosts and exploit vulnerabilities to escalate privileges. - Understands and can exploit shared library loading mechanisms to escalate privileges. |
| Linux / UNIX Remote Exploitation |
- Understands and can demonstrate the remote exploitation of Linux and UNIX systems including:
|
| Linux / UNIX Local Exploitation |
- Understands and can demonstrate the local exploitation of Solaris, Linux and *BSD operating system vulnerabilities. - Understands and can demonstrate Local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions. |
| Linux / UNIX Post Exploitation |
- Understands and can demonstrate common post-exploitation activities, including:
|
Web Technologies (PT008) |
|
| Web Servers |
- Can identify web servers on a target network and can remotely determine their type and version. - Understands the various mechanisms web servers use for hosting applications, including:
- Understands and can demonstrate the remote exploitation of web servers. |
| Web Application Frameworks |
- Can identify common application frameworks and technologies, including:
- Is aware of and can exploit vulnerabilities in common application frameworks and technologies. |
| Common Web Applications | - Can identify common web applications and exploit well-known vulnerabilities. |
| Web Protocols |
- Understands and can demonstrate the use of web protocols, including:
- Understands all HTTP methods and response codes. |
| Mark Up Languages |
- Understands common web mark up languages, including:
|
| Web Application Reconnaissance |
- Can use spidering tools and understands their relevance in a web application test for discovering linked content. - Understands and can demonstrate forced browsing techniques to discover default or unlinked content. - Can identify functionality within client-side code. |
| Information Gathering |
- Can gather information from a web site and application mark up or application code, including:
- Can gather information about a web site and application from the error messages it generates. |
| Web Authentication |
- Understands common authentication mechanisms and their security issues, including:
- Understands common authentication vulnerabilities, including:
|
| Web Authorisation | - Understands common pitfalls associated with the design and implementation of application authorisation mechanisms. |
| Input Validation |
- The importance of input validation as part of a defensive coding strategy. - How input validation can be implemented and the differences between allow list, deny list and data sanitisation. - Understands the need for server side validation and the flaws associated with client-side validation. |
| Cross Site Scripting |
- Understands cross site scripting (XSS) and can demonstrate the launching of a successful XSS attack. - Understands the difference between persistent, reflected and DOM based XSS. - Can use XSS to perform arbitrary JavaScript execution to obtain sensitive information from other users. |
| SQL Injection |
- Determine the existence of an SQL injection condition in a web application. - Determine the existence of a blind SQL injection condition in a web application. - Can exploit SQL injection to execute arbitrary SQL commands in a database. |
| Mail Injection |
- Can demonstrate the ability to identify, explain and prove the existence of the following types of mail related injection in a web application:
|
| OS Command Injection | - Can demonstrate the ability to identify, explain and prove the existence of OS command injection in a web application. |
| Sessions |
- Can identify the session control mechanism used within a web application. - Can identify the session ID in a web application. - Understands the security implications of session IDs exposed in URLs. - Can harvest and analyse a number of session identifiers for weaknesses. |
| Cookies |
- Understands how cookies work in a web application. - Understands cookie attributes and how they can affect the security of a web application. |
| Session Hijacking | - Understands and can exploit session hijacking vulnerabilities. |
| Cross Site Request Forgery |
- Understands and can exploit CSRF vulnerabilities. - Understands the role of sessions in CSRF attacks. |
| Web Cryptography |
- Understands how cryptography can be used to protect data in transit and data at rest, both on the server and client side. - Understands the concepts of TLS and can determine whether a TLS-enabled web server has been configured in compliance with best practice (i.e. it supports recommended ciphers and key lengths). - Identification and exploitation of Encoded values (e.g. Base64). - Identification and exploitation of Cryptographic values (e.g. MD5 hashes). |
| Parameter Manipulation | - Understands parameter manipulation techniques, particularly the use of client- side proxies. |
| Directory Traversal | - Understands and can identify directory traversal vulnerabilities within applications. |
| File Uploads |
- Understands and can identify common vulnerabilities with file upload capabilities within applications. - Understands the role of MIME types in relation to file upload features. - Can generate malicious payloads in a variety of common file formats. |
| Web Application Logic Flaws | - Can assess and exploit vulnerabilities within the functional logic, function access control and business logic of an application. |
Databases (PT009) |
|
| SQL Relational Databases |
- Can use SQL to interact with relational databases and extract information, e.g. SQLite, PostgreSQL. - Understands common connection and authentication methods to connect to SQL databases. - Can recognise common database connection string formats, e.g. JDBC, ODBC. - Understands and can demonstrate the remote exploitation of common SQL databases. - Understands and can demonstrate how access can be gained to a database through the use of default accounts credentials and insecure passwords. - Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible). |
| Microsoft SQL Server |
- Understands and can demonstrate the remote exploitation of Microsoft SQL Server. - Understands and can demonstrate how access can be gained to a Microsoft SQL server through the use of default accounts credentials and insecure passwords. - Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible). - Following the compromise of Microsoft SQL server, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host. |
| Oracle RDBMS |
- Understands and can demonstrate the remote exploitation of an Oracle RDBMS instance. - Understands the security attributes of the Oracle TNS Listener service. - Understands and can demonstrate how access can be gained to an Oracle RDBMS through the use of default accounts credentials and insecure passwords. - Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible). - Can demonstrate how the software version and patch status can be obtained from an Oracle database. - Following the compromise of an Oracle database, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host. |
| MySQL |
- Understands and can demonstrate the remote exploitation of an MySQL database. - Understands and can demonstrate how access can be gained to an MySQL database through the use of default accounts credentials and insecure passwords. - Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible). - Can demonstrate how the software version and patch status can obtained from an MySQL database. - Following the compromise of an MySQL database, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host. |
| PostgreSQL |
- Understands and can demonstrate the remote exploitation of a PostgreSQL database. - Understands and can demonstrate how access can be gained to a PostgreSQL database through the use of default accounts credentials and insecure passwords. - Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible). - Can demonstrate how the software version and patch status can be obtained from an PostgreSQL database. - Following the compromise of a PostgreSQL database server can execute system commands, escalate privileges, read/write from/to the file system and/or gain further access to a host. |
To ensure success in CREST Registered Penetration Tester certification exam, we recommend authorized training course, practice test and hands-on experience to prepare for CREST Registered Penetration Tester (CRT) exam.