CompTIA Pentest+ Certification For Dummies
Table of Contents
Glen E. Clarke. CompTIA Pentest+ Certification For Dummies
CompTIA® Pentest+® Certification For Dummies® Table of Contents
List of Tables
List of Illustrations
Guide
Pages
Introduction
About This Book
Conventions Used in This Book
Foolish Assumptions
How This Book Is Organized
Pre-assessment
Part 1: Planning and Information Gathering
Part 2: Attacks and Exploits
Part 3: Post-Exploitation and Reporting
Appendixes
Practice exam
Icons Used in This Book
Beyond the Book
Where to Go from Here
Pre-Assessment
Questions
Answers
Planning and Information Gathering
Introduction to Penetration Testing
Penetration Testing Overview
Reasons for a pentest
Who should perform a pentest
Internal staff
External third party
Qualified pentesters
How often a pentest should be performed
Regular schedule
After major changes
Other considerations
Defining Penetration Testing Terminology
Types of assessments
Pentest strategy
Threat actors and threat models
Capabilities and intent
Threat actor
Adversary tier
Threat modeling
Looking at CompTIA’s Penetration Testing Phases
Planning and scoping
Information gathering and vulnerability identification
Information gathering
Vulnerability identification
Attacks and exploits
Reporting and communication
Identifying Testing Standards and Methodologies
MITRE ATT&CK
Open Web Application Security Project (OWASP)
OWASP Top 10 (2017)
OWASP Top 10 (2021)
National Institute of Standards and Technology (NIST)
OSSTMM, PTES, and ISSAF
Reviewing Key Concepts
Prep Test
Answers
Planning and Scoping
Understanding Key Legal Concepts
Written authorization
Contracts and agreements
Disclaimers
Scoping the Project
Target list/in-scope assets
General questions
Web application testing questions
Wireless network testing questions
Physical security testing questions
Social engineering testing questions
Testing questions for IT staff
Identifying the Rules of Engagement (RoE)
Environmental considerations
Target audience and reason for the pentest
Communication escalation path
Resources and requirements
Confidentiality of findings
Known versus unknown
Support for the pentester
Budget
Impact analysis and remediation timelines
Defining Targets for the Pentest
Internal and external targets
First-party versus third-party hosted
Other targets
Target considerations
Verifying Acceptance to Risk
Scheduling the Pentest and Managing Scope Creep
Scheduling
Scope creep
Conducting Compliance-based Assessments
Considerations with compliance-based assessments
Restrictions with compliance-based assessments
Validate scope of engagement
Maintaining professionalism and integrity
Risks to the professional
Reviewing Key Concepts
Prep Test
Answers
Information Gathering
Looking at Information-Gathering Tools and Techniques
Passive information gathering/passive reconnaissance
Website reconnaissance
OPEN-SOURCE INTELLIGENCE (OSINT) GATHERING
Social media scraping
Using Google hacking
Referencing online cybersecurity sources
Types of data
Cryptographic flaws
Passive information-gathering tools
WHOIS
theHarvester
SHODAN
MALTEGO
RECON-NG
CENSYS
FOCA
DNS LOOKUPS/PROFILING
nslookup
dig
Active information gathering/active reconnaissance
Understanding Scanning and Enumeration
Passive scanning
Packet inspection
Eavesdropping
Active scanning
Ping sweep (-sP or -sn)
Full connect scan (-sT)
Port selection (-p)
SYN scan (-sS)
Service identification (-sV)
OS fingerprinting (-O)
UDP scan (-sU)
Disabling ping (-Pn)
Target input file (-iL)
Timing (-T)
Miscellaneous options (-A)
Output parameters
Packet crafting
Other scanning considerations
Enumeration
Analyze the results of a reconnaissance exercise
Detection Methods and Tokens
Defense detection
Security tokens
Lab Exercises
Exercise 3-1: Conduct a Whois Search
Exercise 3-2: Use theHarvester to collect email addresses
Exercise 3-3: Use Shodan to discover systems on the Internet
Exercise 3-4: Use recon-ng for OSINT information gathering
Exercise 3-5: Use dig for DNS profiling
Exercise 3-6: Use Nmap to port scan
Reviewing Key Concepts
Prep Test
Answers
Vulnerability Identification
Understanding Vulnerabilities
Types of vulnerability scans
Credentialed versus non-credentialed scans
Application scans
Vulnerability scan considerations
Timing of the scans
Protocols used
Network topology
Bandwidth limitations
Query throttling
Fragile systems/non-traditional assets
Performing a Vulnerability Scan
Installing Nessus
Running Nessus
Using other vulnerability scanners
Nikto
SQLmap
Analyzing Vulnerability Results
Mapping vulnerabilities to exploits
Understanding the CVSS base score
Exploitability metrics
ACCESS VECTOR (AV)
ATTACK COMPLEXITY (AC)
AUTHENTICATION (AU)
Impact metrics
CONFIDENTIALITY (C)
INTEGRITY (I)
AVAILABILITY (A)
Prioritizing activities
Severity level
Vulnerability exposure
Criticality of the system
Statement of work
Considerations for analyzing scan results
Asset categorization
Adjudication
Prioritization of vulnerabilities
Common themes
Attacks and Weaknesses in Specialized Systems
Mobile devices
Attacks
Vulnerabilities
Tools
Cloud technologies
Attacks
Tools
Internet of things (IoT) devices
Special considerations
Vulnerabilities
Data storage system vulnerabilities
Underlying software vulnerabilities
Management interface vulnerabilities
Vulnerabilities related to SCADA, IIoT, and ICS
Vulnerabilities related to virtual environments and containers
Lab Exercises
Exercise 4-1: Download and install Nessus
Exercise 4-2: Perform a vulnerability scan
Exercise 4-3: Perform a web application vulnerability scan with Nessus
Reviewing Key Concepts
Prep Test
Answers
Attacks and Exploits
Exploiting Systems
Exploiting Systems with Metasploit
Starting Metasploit
Searching for an exploit
Using an exploit
Running the exploit
Setting the payload
Using msfvenom
Phase 1: Create the malicious program
Phase 2: Set up a listener on your system
Phase 3: Trick users into running the program
Using exploit resources
Understanding Social Engineering
Email phishing
USB key drop
Other forms of social engineering
Methods of influence
Using SET to perform an attack
Phase 1: Set up the cloned site
Phase 2: Trick the victim into visiting the fake site
Phase 3: Check the harvester file for passwords
Using BeEF to perform an attack
Phase 1: Start BeEF
Phase 2: Create the malicious site
Phase 3: Attack client systems
Call spoofing tools
Pretexting
Looking at Attacks on Physical Security
Types of physical security controls
Exploiting physical security
Piggybacking/tailgating
Dumpster diving
Shoulder surfing
Badge cloning
Fence jumping
Attacks on locks
Common Attack Techniques
Password cracking
Dictionary attacks
Credential brute forcing
Hybrid
Rainbow tables
Password spraying
Hash cracking
Using exploits
Exploit database
Proof-of-concept development (exploit development)
Cross-compiling code
Exploit modification
Exploit chaining
Deception
Exploiting Network-Based Vulnerabilities
Common tools used for network-based attacks
Common network-based exploits
Man-in-the-middle (MiTM) attacks
ARP poisoning
Capture, replay, and relay
SSL stripping and downgrade
Using SETH to perform a MiTM attack
Other common attacks
DNS cache poisoning
Pass the hash
DoS/stress testing
NAC bypass
VLAN hopping
MAC spoofing
Exploiting Local-Host Vulnerabilities
Operating system vulnerabilities
Unsecure service and protocol configurations
Privilege escalation
Linux-specific
Windows-specific
Exploitable services
Unsecure file/folder permissions
Keylogger
Scheduled tasks
Kernel exploits
Default account settings
Sandbox escape
Physical device security
Lab Exercises
Exercise 5-1: Exploit an SMB service with Metasploit
Exercise 5-2: Use the meterpreter exploit payload
Exercise 5-3: Conduct a MiTM attack with SETH
Exercise 5-4: Use SET for credential harvesting
Phase 1: Set up the cloned site
Phase 2: Trick the victim into visiting the fake site
Phase 3: Check the harvester file for passwords
Exercise 5-5: Use BeEF to exploit a web browser
Phase 1: Start BeEF
Phase 2: Create the malicious site
Phase 3: Attack client systems
Reviewing Key Concepts
Prep Test
Answers
Exploiting Wireless Vulnerabilities
Understanding Wireless Terminology
Wireless concepts
Wireless agencies
Wireless LAN frequencies
Wireless equipment and configuration
Wireless network card
Wireless access point
The SSID
Wireless clients
Types of wireless networks
Ad hoc mode
Infrastructure mode
Introducing Wireless Standards
802.11a
802.11b
802.11g
802.11n
802.11ac
Looking at Wireless Configuration and Troubleshooting
Reviewing the Basic Service Set
Designing a multi-access point WLAN
Troubleshooting wireless networks
Implementing Wireless Security Practices
General security practices
Change the SSID
Disable SSID broadcasting
Restrict by MAC
Enable encryption
Use certificate-based security
Encryption protocols
WEP
WPA
WPA2
WPA3
Exploiting Wireless Vulnerabilities
Understanding attack methods and tools
Looking at 802.11 wireless vulnerabilities
Evil twin, karma attack, and downgrade attack
Captive portal
Deauthentication attacks
Fragmentation attacks
Credential harvesting
Looking at RF-based vulnerabilities
Cracking WEP encryption
Stage 1: Verify wireless NIC
Stage 2: Discover networks with Airodump-ng
Stage 3: Capture traffic with Airodump-ng
Stage 4: Associate with access point and replay traffic
Stage 5: Crack the WEP key
WPS pin attack
Cracking WPA/WPA2 encryption keys
Stage 1: Verify wireless NIC
Stage 2: Discover networks with Airodump-ng
Stage 3: Perform deauthentication attack
Stage 4: Crack the WPA/WPA2 key
Using Wifite to hack wireless networks
Exploiting Bluetooth devices
Stage 1: View your Bluetooth adapter
Stage 2: Retrieve data using Bluesnarfer
Lab Exercises
Exercise 6-1: Crack WEP encryption
Exercise 6-2: Crack the WPS pin
Exercise 6-3: Crack the WPA/WPA2 encryption key
Exercise 6-4: Test Bluetooth devices
Reviewing Key Concepts
Prep Test
Answers
Exploiting Application-Based Vulnerabilities
Looking at Common Application-Based Attacks
Injection attacks
SQL injection attack
TYPES OF SQL INJECTION ATTACKS
PROTECTING AGAINST SQL INJECTION ATTACKS
HTML injection attack
Command injection attack
Code injection attack
LDAP injection and XML injection attacks
Authentication attacks
Credential brute-forcing
Session attacks and session hijacking
Redirect
Default credentials
Weak credentials
Kerberos exploits
Authorization attacks
Parameter pollution
Insecure direct object reference
XSS and CSRF/XSRF attacks
Cross-site scripting (XSS)
STORED/PERSISTENT
REFLECTED
DOM
Cross-site request forgery (CSRF/XSRF)
CSRF/XSRF URL
PREVENTING CSRF/XSRF
Server-side request forgery (SSRF)
Understanding Application Security Vulnerabilities
Clickjacking
Security misconfiguration
Directory traversal
Cookie manipulation
File inclusion
Privilege escalation
Session replay and session fixation
Common Coding Mistakes
Business logic flaws
Comments in source code
Lack of error handling
Overly verbose error handling
Hard-coded credentials
Race conditions
Unauthorized use of functions/unprotected APIs
Hidden elements/sensitive information in the DOM
Insecure data transmission
Lack of code signing
Secure Coding Best Practices
Validation
Sanitization
Escaping
Parameterized queries
Common Tools and Resources
Common tools
Common resources
Lab Exercises
Exercise 7-1: Perform a CSRF attack
Exercise 7-2: Perform a SQL injection
Exercise 7-3: Perform a command injection attack
Exercise 7-4: Perform a reflected XSS attack
Exercise 7-5: Perform a persistent XSS attack
Exercise 7-6: Reset the DVWA
Reviewing Key Concepts
Prep Test
Answers
Post-Exploitation and Reporting
Understanding Post-Exploitation Actions
Common Post-Exploitation Tasks
Understanding the context
Collecting information
Obtaining a shell
Retrieving password hashes
Disabling the antivirus software
Migrating to a different process
Privilege escalation and restrictive shells
Taking screenshots
Taking remote control
Capturing keystrokes
Enabling the webcam
Network segmentation testing
Performing Lateral Movement
PS remoting/WinRM
Using PsExec
Using PsExec with pass the hash
Using RDP
Using RPC/DCOM
Using remote services
WORKING WITH METERPRETER SESSIONS
Other techniques for lateral movement
Maintaining Access (Persistence)
New user creation
Planting backdoors and trojans
Other techniques for maintaining access
Detection avoidance
Covering Your Tracks
Lab Exercises
Exercise 8-1: Exploit a system and collect information
Exercise 8-2: Record keystrokes
Exercise 8-3: Obtain password hashes
Exercise 8-4: Move laterally
Exercise 8-5: Create a backdoor account
Exercise 8-6: Cover your tracks
Reviewing Key Concepts
Prep Test
Answers
Common Penetration Testing Tools
Understanding Use Cases for Common Pentest Tools
Reconnaissance
Enumeration
Vulnerability scanning
Credential attacks
Persistence
Configuration compliance
Evasion
Decompilation and debugging
Forensics
Software assurance
Looking at Common Pentest Tools
Scanners
Nmap
Nikto and w3af
Nessus
OpenVAS
SQLmap
Open Security Content Automation Protocol (OSCAP)
Wapiti
WPScan
Brakeman
Scout Suite
Credential testing tools
Hashcat
Medusa and Hydra
CeWL
John the Ripper
Cain and Abel
Mimikatz
Patator and DirBuster
Debuggers
Software-assurance tools
Open-source intelligence (OSINT) tools
Wireless tools
Aircrack-ng suite
Kismet
Wifite
Wifite2
Other wireless tools
Web application tools/web proxies
OWASP ZAP
Burp Suite
Gobuster
Social engineering tools
SET
BeEF
Remote access tools
Networking tools
Wireshark
hping3
Mobile tools
Steganography tools
Steghide
Other steganography tools
Cloud tools
Miscellaneous tools
Analyzing Tool Output
Password cracking
Pass the hash
Setting up a bind shell
Getting a reverse shell
Proxying a connection
Uploading a web shell
Create the reverse shell PHP web page
Create the listener on a pentest system
Injections
Lab Exercises
Exercise 9-1: Crack passwords with John the Ripper
Exercise 9-2: Locate web servers
Exercise 9-3: Scan web applications for vulnerabilities
Exercise 9-4: Use Hydra for password cracking over RDP
Exercise 9-5: Use Hydra to crack website credentials
Exercise 9-6: Use CeWL to create a wordlist
Exercise 9-7: Use Netcat/Ncat to create a bind shell
Exercise 9-8: Using Responder and John the Ripper to capture and crack password hashes
Reviewing Key Concepts
Prep Test
Answers
Analyzing Script Functionality
Reviewing Scripting Concepts
Variables and arrays
Looping and flow control
If statements
APPLICATION LOGIC
Loops
Comparisons
Understanding operators
Data structures
Parts of software and scripts
Common operations
Encoding/decoding
Input and output
String operations and substitutions
Error handling
Using Bash Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
For loop
While loop
Executing the script
Error handling
Input and output
Understanding Python Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
For loop
While loop
Executing the script
Error handling
Input and output
Working with Ruby Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
Do loops
For loop
Executing the script
Error handling
Input and output
Coding in PowerShell Scripting
Variables and arrays
Working with variables
Using arrays
Looping and flow control
If statements
Do loops
For next loop
Executing the script
Error handling
Input and output
Code Examples and Automation
Analyze exploit code
Performing a ping sweep
Performing a port scan
Download files
Launch remote access
USING SOCKETS
USING WinRM
Enumerate users
Enumerate assets
Opportunities for automation
Lab Exercises
Exercise 10-1: Review Bash script
Exercise 10-2: Review Python script
Exercise 10-3: Review PowerShell script
Reviewing Key Concepts
Prep Test
Answers
Reporting and Communication
Communicating During a PenTest
Understanding communication paths
Communication triggers
Critical findings
Status reports
Indicators of prior compromise
Reasons for communication
Goal reprioritization and presentation of findings
Findings and Remediations
Shared local administrator credentials
Weak password complexity
Plain text passwords
No multifactor authentication
SQL injection
Unnecessary open services
Focusing Your Remediation Strategies
Recommending the Appropriate Remediation Strategy
Common technical controls
Common administrative controls
Common operational controls
Common physical controls
Writing and Handling the Pentest Report
Common themes/root causes
Notetaking and normalization of data
Risk appetite
Report audience
Report structure
Title page and table of contents
Executive summary
Scope details
Methodology
Findings and remediation
BUSINESS IMPACT ANALYSIS
Conclusion
Appendix
Secure handling and distribution of reports
Format
Storage time
Secure distribution
Delivering the Report and Post-Report Activities
Post-engagement cleanup
Client acceptance
Administrative tasks
Follow-up actions and retesting
Attestation of findings
Lessons learned
Data destruction process
Lab Exercises
Exercise 11-1: Create a pentest report
Exercise 11-2: Encrypt the pentest report
Reviewing Key Concepts
Prep Test
Answers
Appendixes
PenTest+ Exam Details
CompTIA PenTest+ Certification and Why You Need It
Checking Out the Exam and Its Objectives
Using This Book to Prepare for the Exam
Steps to Prepare for the Exam
Making Arrangements to Take the Exam
The Day the Earth Stood Still: Exam Day
Arriving at the exam location
Testing online (from home or work)
Taking the exam
How does CompTIA set the pass level?
CompTIA PenTest+ Exam Reference Matrix
2021 PenTest+ Exam Objectives — PTO-002
Lab Setup
Setting Up the Virtual Machines
Obtaining the Software Needed
VMware Workstation
Windows Server 2012/2016/2019
Windows 7
Kali Linux
Metasploitable2
Index. A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
About the Author
Dedication
Author’s Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
The CompTIA PenTest+ certification is a fast-growing cybersecurity certification that security professionals attain to prove their security and penetration testing knowledge. The CompTIA PenTest+ certification is a well-recognized certification that not only tests your knowledge of the common tools used to perform a penetration test, but also tests your knowledge of the process to follow when performing a penetration test.
CompTIA PenTest+ Certification For Dummies is designed to be a hands-on, practical guide to help you pass the CompTIA PenTest+ certification exam. This book is written in a way that helps you understand complex technical content and prepares you to apply that knowledge to real-world scenarios.
.....
(B) Continue the pentest and add evidence to the report
(C) Patch the system and continue the pentest
.....