CompTIA PenTest+ Certification For Dummies
Table of Contents
Glen E. Clarke. CompTIA PenTest+ Certification For Dummies
CompTIA® PenTest+® Certification For Dummies®
To view this book's Cheat Sheet, simply go to www.dummies.com and search for “CompTIA PenTest+ Certification For Dummies Cheat Sheet” in the Search box.
Table of Contents
List of Tables
List of Illustrations
Introduction
About This Book
Conventions Used in This Book
Foolish Assumptions
How This Book Is Organized
Pre-assessment
Part 1: Planning and Information Gathering
Part 2: Exploiting Systems
Part 3: Post-Exploitation and Reporting
Appendixes
Practice exam
Icons Used in This Book
Beyond the Book
Where to Go from Here
Pre-Assessment
Questions
Answers
Planning and Information Gathering
Introduction to Penetration Testing
Penetration Testing Overview
Reasons for a pentest
Who should perform a pentest
Internal staff
External third party
Qualified pentesters
How often a pentest should be performed
Regular schedule
After major changes
Other considerations
Defining Penetration Testing Terminology
Types of assessments
Pentest strategies
Threat actors and threat models
Capabilities and intent
Threat actor
Adversary tier
Threat modeling
Looking at CompTIA’s Penetration Testing Phases
Planning and scoping
Information gathering and vulnerability identification
Information gathering
Vulnerability identification
Attacks and exploits
Reporting and communication
Reviewing Key Concepts
Prep Test
Answers
Planning and Scoping
Understanding Key Legal Concepts
Written authorization
Contracts
Disclaimers
Scoping the Project
General questions
Web application testing questions
Wireless network testing questions
Physical security testing questions
Social engineering testing questions
Testing questions for IT staff
Identifying the Rules of Engagement
Target audience and reason for the pentest
Communication escalation path
Resources and requirements
Confidentiality of findings
Known versus unknown
Support for the pentester
Budget
Impact analysis and remediation timelines
Defining Targets for the Pentest
Internal and external targets
First-party versus third-party hosted
Other targets
Target considerations
Verifying Acceptance to Risk
Scheduling the Pentest and Managing Scope Creep
Scheduling
Scope creep
Conducting Compliance-based Assessments
Reviewing Key Concepts
Prep Test
Answers
Information Gathering
Looking at Information-Gathering Tools and Techniques
Passive information gathering
OPEN-SOURCE INTELLIGENCE (OSINT) GATHERING
Browsing Internet resources
Using Google hacking
Referencing online cybersecurity sources
Passive information-gathering tools
WHOIS
THEHARVESTER
SHODAN
MALTEGO
RECON-NG
CENSYS
FOCA
Active information gathering
nslookup
dig
Understanding Scanning and Enumeration
Passive scanning
Packet inspection
Eavesdropping
Active scanning
Ping sweep (-sP)
Full connect scan (-sT)
Port selection (-p)
SYN scan (-sS)
Service identification (-sV)
OS fingerprinting (-O)
Disabling ping (-Pn)
Target input file (-iL)
Timing (-T)
Output parameters
Packet crafting
Other scanning considerations
Enumeration
Lab Exercises
Exercise 3-1: Conduct a Whois Search
Exercise 3-2: Use theHarvester to collect email addresses
Exercise 3-3: Use Shodan to discover systems on the Internet
Exercise 3-4: Use recon-ng for OSINT information gathering
Exercise 3-5: Use dig for DNS profiling
Exercise 3-6: Use Nmap to port scan
Reviewing Key Concepts
Prep Test
Answers
Vulnerability Identification
Understanding Vulnerabilities
Types of vulnerability scans
Credentialed versus non-credentialed scans
CONTAINER SECURITY AND VIRTUALIZATION
Application scans
Vulnerability scan considerations
Timing of the scans
Protocols used
Network topology
Bandwidth limitations
Query throttling
Fragile systems/non-traditional assets
Performing a Vulnerability Scan
Installing Nessus
Running Nessus
Using other vulnerability scanners
Nikto
Sqlmap
Analyzing Vulnerability Results
Mapping vulnerabilities to exploits
Understanding the CVSS base score
Exploitability metrics
ACCESS VECTOR (AV)
ATTACK COMPLEXITY (AC)
AUTHENTICATION (AU)
Impact metrics
CONFIDENTIALITY (C)
INTEGRITY (I)
AVAILABILITY (A)
Prioritizing activities
Severity level
Vulnerability exposure
Criticality of the system
Statement of work
Considerations for analyzing scan results
Asset categorization
Adjudication
Prioritization of vulnerabilities
Common themes
Types of Weaknesses in Specialized Systems
Lab Exercises
Exercise 4-1: Download and install Nessus
Exercise 4-2: Perform a vulnerability scan
Exercise 4-3: Perform a web application vulnerability scan with Nessus
Reviewing Key Concepts
Prep Test
Answers
Attacks and Exploits
Exploiting Systems
Exploiting Systems with Metasploit
Starting Metasploit
Searching for an exploit
Using an exploit
Running the exploit
Setting the payload
Using msfvenom
Phase 1: Create the malicious program
Phase 2: Set up a listener on your system
Phase 3: Trick users into running the program
Understanding Social Engineering
Phishing
Shoulder surfing
USB key drop
Other forms of social engineering
Motivation techniques
Using SET to perform an attack
Phase 1: Set up the cloned site
Phase 2: Trick the victim into visiting the fake site
Phase 3: Check the harvester file for passwords
Using BeEF to perform an attack
Phase 1: Start BeEF
Phase 2: Create the malicious site
Phase 3: Attack client systems
Looking at Attacks on Physical Security
Types of physical security controls
Exploiting physical security
Piggybacking/tailgating
Dumpster diving
Badge cloning
Fence jumping
Attacks on locks
Common Attack Techniques
Password cracking
Dictionary attacks
Credential brute forcing
Hybrid
Rainbow tables
Using exploits
Exploit database
Proof-of-concept development (exploit development)
Cross-compiling code
Exploit modification
Exploit chaining
Deception
Exploiting Network-Based Vulnerabilities
Common network-based exploits
Man-in-the-middle (MiTM) attacks
ARP spoofing
Capture, replay, and relay
SSL stripping and downgrade
Using SETH to perform a MiTM attack
Other common attacks
DNS cache poisoning
Pass the hash
DoS/stress test
NAC bypass
VLAN hopping
Exploiting Local Host Vulnerabilities
Operating system vulnerabilities
Unsecure service and protocol configurations
Privilege escalation
Linux-specific
Windows-specific
Exploitable services
Unsecure file/folder permissions
Keylogger
Scheduled tasks
Kernel exploits
Default account settings
Sandbox escape
Physical device security
Lab Exercises
Exercise 5-1: Exploit an SMB service with Metasploit
Exercise 5-2: Use the Meterpreter exploit payload
Exercise 5-3: Conduct a MiTM attack with SETH
Exercise 5-4: Use SET for credential harvesting
Phase 1: Set up the cloned site
Phase 2: Trick the victim into visiting the fake site
Phase 3: Check the harvester file for passwords
Exercise 5-5: Use BeEF to exploit a web browser
Phase 1: Start BeEF
Phase 2: Create the malicious site
Phase 3: Attack client systems
Reviewing Key Concepts
Prep Test
Answers
Exploiting Wireless Vulnerabilities
Understanding Wireless Terminology
Wireless concepts
Wireless agencies
Wireless LAN frequencies
Wireless equipment and configuration
Wireless network card
Wireless access point
The SSID
Wireless clients
Types of wireless networks
Ad hoc mode
Infrastructure mode
Introducing Wireless Standards
802.11a
802.11b
802.11g
802.11n
802.11ac
Looking at Wireless Configuration and Troubleshooting
Reviewing the Basic Service Set
Designing a multi-access point WLAN
Troubleshooting wireless networks
Implementing Wireless Security Practices
General security practices
Change the SSID
Disable SSID broadcasting
Restrict by MAC
Enable encryption
Use certificate-based security
Encryption protocols
WEP
WPA
WPA2
Exploiting Wireless Vulnerabilities
Looking at 802.11 wireless vulnerabilities
Evil twin, karma attack, and downgrade attack
Deauthentication attacks
Fragmentation attacks
Credential harvesting
Looking at RF-based vulnerabilities
Cracking WEP encryption
Stage 1: Verify wireless NIC
Stage 2: Discover networks with Airodump-ng
Stage 3: Capture traffic with Airodump-ng
Stage 4: Associate with access point and replay traffic
Stage 5: Crack the WEP key
Cracking WPS implementation weakness
Cracking WPA/WPA2 encryption keys
Stage 1: Verify wireless NIC
Stage 2: Discover networks with Airodump-ng
Stage 3: Perform deauthentication attack
Stage 4: Crack the WPA/WPA2 key
Using Wifite to hack wireless networks
Exploiting Bluetooth devices
Stage 1: View your Bluetooth adapter
Stage 2: Retrieve data using Bluesnarfer
Lab Exercises
Exercise 6-1: Crack WEP encryption
Exercise 6-2: Crack the WPS pin
Exercise 6-3: Crack the WPA/WPA2 encryption key
Exercise 6-4: Test Bluetooth devices
Reviewing Key Concepts
Prep Test
Answers
Exploiting Application-Based Vulnerabilities
Looking at Common Application-Based Attacks
Injection attacks
SQL
HTML
Command
Code
Authentication
Credential brute-forcing
Session hijacking
Redirect
Default credentials
Weak credentials
Kerberos exploits
Authorization
Parameter pollution
Insecure direct object reference
XSS and CSRF/XSRF
Cross-site scripting (XSS)
STORED/PERSISTENT
REFLECTED
DOM
Cross-site request forgery (CSRF/XSRF)
CSRF/XSRF URL
PREVENTING CSRF/XSRF
Understanding Application Security Vulnerabilities
Clickjacking
Security misconfiguration
Directory traversal
Cookie manipulation
File inclusion
Identifying Unsecure Coding Practices
Comments in source code
Lack of error handling
Overly verbose error handling
Hard-coded credentials
Race conditions
Unauthorized use of functions/unprotected APIs
Hidden elements/sensitive information in the DOM
Lack of code signing
Secure Coding Best Practices
Validation
Sanitization
Escaping
Parameterized queries
Lab Exercises
Exercise 7-1: Perform a CSRF attack
Exercise 7-2: Perform a SQL injection
Exercise 7-3: Perform a command injection attack
Exercise 7-4: Perform a reflected XSS attack
Exercise 7-5: Perform a persistent XSS attack
Exercise 7-6: Reset the DVWA
Reviewing Key Concepts
Prep Test
Answers
Post-Exploitation and Reporting
Understanding Post-Exploitation Actions
Common Post-Exploitation Tasks
Understanding the context
Collecting information
Obtaining a shell
Retrieving password hashes
Disabling the antivirus software
Migrating to a different process
Taking screenshots
Taking remote control
Capturing keystrokes
Enabling the webcam
Performing Lateral Movement
PS remoting/WinRM
Using PsExec
Using PsExec with pass the hash
Using RDP
Using RPC/DCOM
Using remote services
WORKING WITH METERPRETER SESSIONS
Other techniques for lateral movement
Maintaining Access (Persistence)
New user creation
Planting backdoors and trojans
Other techniques for maintaining access
Covering Your Tracks
Lab Exercises
Exercise 8-1: Exploit a system and collect information
Exercise 8-2: Record keystrokes
Exercise 8-3: Obtain password hashes
Exercise 8-4: Move laterally
Exercise 8-5: Create a backdoor account
Exercise 8-6: Cover your tracks
Reviewing Key Concepts
Prep Test
Answers
Common Penetration Testing Tools
Understanding Use Cases for Common Pentest Tools
Reconnaissance
Enumeration
Vulnerability scanning
Credential attacks
Persistence
Configuration compliance
Evasion
Decompilation and debugging
Forensics
Software assurance
Looking at Common Pentest Tools
Scanners
Nmap
Nikto and w3af
Nessus
OpenVAS
SQLmap
Credential testing tools
Hashcat
Medusa and Hydra
CeWL
John the Ripper
Cain and Abel
Mimikatz
patator and DirBuster
Debuggers
Software assurance
Open-source intelligence (OSINT)
Wireless
Aircrack-ng
Kismet
Wifite
Web proxies
OWASP ZAP
Burp Suite
Social engineering tools
SET
BeEF
Remote access tools
Networking tools
Wireshark
hping3
Mobile tools
Miscellaneous tools
Analyzing Tool Output
Password cracking
Pass the hash
Setting up a bind shell
Getting a reverse shell
Proxying a connection
Uploading a web shell
Create the reverse shell PHP web page
Create the listener on a pentest system
Injections
Lab Exercises
Exercise 9-1: Crack passwords with John the Ripper
Exercise 9-2: Locate web servers
Exercise 9-3: Scan web applications for vulnerabilities
Exercise 9-4: Use Hydra for password cracking over RDP
Exercise 9-5: Use Hydra to crack website credentials
Exercise 9-6: Use CeWL to create a wordlist
Exercise 9-7: Use Netcat/Ncat to create a bind shell
Reviewing Key Concepts
Prep Test
Answers
Analyzing Script Functionality
Reviewing Scripting Concepts
Variables and arrays
Looping and flow control
If statements
APPLICATION LOGIC
Loops
Comparisons
Common operations
Encoding/decoding
Input and output
String operations and substitutions
Error handling
Using Bash Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
For loop
While loop
Executing the script
Error handling
Input and output
Understanding Python Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
For loop
While loop
Executing the script
Error handling
Input and output
Working with Ruby Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
Do loops
For loop
Executing the script
Error handling
Input and output
Coding in PowerShell Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
Do loops
For next loop
Executing the script
Error handling
Input and output
Lab Exercises
Exercise 10-1: Review Bash script
Exercise 10-2: Review Python script
Exercise 10-3: Review PowerShell script
Reviewing Key Concepts
Prep Test
Answers
Reporting and Communication
Communicating During a PenTest
Communication triggers
Critical findings
Stages
Indicators of prior compromise
Reasons for communication
Findings and Remediations
Shared local administrator credentials
Weak password complexity
Plain text passwords
No multifactor authentication
SQL injection
Unnecessary open services
Focusing Your Remediation Strategies
Writing and Handling the Pentest Report
Normalization of data
Risk appetite
Report structure
Title page and table of contents
Executive summary
Methodology
Findings and remediation
Conclusion
Secure handling and disposition of reports
Format
Storage time
Delivering the Report and Post-Report Activities
Post-engagement cleanup
Client acceptance
Administrative tasks
Follow-up actions and retesting
Attestation of findings
Lessons learned
Lab Exercises
Exercise 11-1: Create a pentest report
Exercise 11-2: Encrypt the pentest report
Reviewing Key Concepts
Prep Test
Answers
Appendixes
PenTest+ Exam Details
CompTIA PenTest+ Certification and Why You Need It
Checking Out the Exam and Its Objectives
Using This Book to Prepare for the Exam
Making Arrangements to Take the Exam
The Day the Earth Stood Still: Exam Day
Arriving at the exam location
Taking the exam
How does CompTIA set the pass level?
CompTIA PenTest+ Exam Reference Matrix
2018 PenTest+ Exam Objectives — PT0-001
Lab Setup
Setting Up the Virtual Machines
Obtaining the Software Needed
VMware Workstation
Windows Server 2012/2016/2019
Windows 7
Kali Linux
Metasploitable2
Index
Numbers
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
About the Author
Dedication
Author’s Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
The CompTIA PenTest+ certification is a fast-growing cybersecurity certification that security professionals attain to prove their security and penetration testing knowledge. The CompTIA PenTest+ certification is a well-recognized certification that tests not only your knowledge of the common tools used to perform a penetration test, but also your knowledge of the process to follow when performing a penetration test.
CompTIA PenTest+ Certification For Dummies is designed to be a hands-on, practical guide to help you pass the CompTIA PenTest+ certification exam. This book is written in a way that helps you understand complex technical content and prepares you to apply that knowledge to real-world scenarios.
.....
(D) hashdump
14. What language was used to write the following code?
.....