CompTIA PenTest+ Study Guide. Sybex

Exam PT0-001

Mike Chapple & David Seidl

Penetration Testing
Planning and Scoping Penetration Tests
Information Gathering
Vulnerability Scanning
Analyzing Vulnerability Scans 
Exploit and Pivot
Exploiting Network Vulnerabilities
Exploiting Physical and Social Vulnerabilities
Exploiting Application Vulnerabilities
Exploiting Host Vulnerabilities
Scripting for Penetration Testing
Reporting and Communication

e-books shop

Book Details
Price: 3.00 USD
Pages: 521
File Size: 34,054 KB
File Type: PDF
ISBN: 978-1-119-50425-2 (ebk.)
ISBN: 978-1-119-50424-5 (ebk.)
Copyright 2019 by John Wiley & Sons, Inc.

About the Author
Mike Chapple, PhD, Security+, CISSP, CISA, PenTest+,
CySA+, is an associate teaching professor of IT, analytics, and
operations at the University of Notre Dame. He is also the
academic director of the University’s master’s program in
business analytics.
Mike is a cybersecurity professional with over 20 years of
experience in the field. Prior to his current role, Mike served
as senior director for IT service delivery at Notre Dame, where
he oversaw the University’s cybersecurity program, cloud computing
efforts, and other areas. Mike also previously served as
chief information officer of Brand Institute and an information security researcher with the
National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or
coauthor of more than 25 books, including CISSP Official (ISC)2 Study Guide, CISSP
Official (ISC)2 Practice Tests, CompTIA CySA+ Study Guide: Exam CS0-001, and
CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwarfare:
Information Operations in a Connected World (Jones and Bartlett, 2014).
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications
at his website,

David Seidl, CISSP, PenTest+, CySA+, GCIH, GPEN, is
the senior director for campus technology services at the
University of Notre Dame. As the senior director for CTS,
David is responsible for Amazon AWS cloud operations, virtualization,
enterprise storage, platform and operating system
support, database and ERP administration and services, identity
and access management, application services, enterprise
content management, digital signage, labs, lecterns, and academic
printing and a variety of other services and systems.
During his over 22 years in information technology, David
has served in a variety of leadership, technical, and information security roles, including
leading Notre Dame’s information security team as director of information security. He has
written books on security certification and cyberwarfare, including coauthoring CompTIA
CySA+ Study Guide: Exam CS0-001, CompTIA CySA+ Practice Tests: Exam CS0-001,
and CISSP (ISC)2 Official Practice Tests from Wiley and Cyberwarfare: Information
Operations in a Connected World (Jones and Bartlett, 2014).
David holds a bachelor’s degree in communication technology and a master’s degree in
information security from Eastern Michigan University.

Books like this involve work from many people, and as authors, we truly appreciate the
hard work and dedication that the team at Wiley shows. We would especially like to thank
Senior Acquisitions Editor Kenyon Brown. We have worked with Ken on multiple projects
and consistently enjoy our work with him.
We also greatly appreciated the editing and production team for the book, including
Jim Compton, our developmental editor, whose prompt and consistent oversight got this
book out the door, and Christine O’Connor, our production editor, who guided us through
layouts, formatting, and final cleanup to produce a great book. We’d also like to thank our
technical editor, Jeff Parker, who provided us with thought-provoking questions and technical
insight throughout the process. We would also like to thank the many behind-the-scenes
contributors, including the graphics, production, and technical teams who make the
book and companion materials into a finished product.
Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful
opportunities, advice, and assistance throughout our writing careers.
Finally, we would like to thank our families, friends, and significant others who support
us through the late evenings, busy weekends, and long hours that a book like this requires
to write, edit, and get to press.

Table of Contents
Introduction xxv
Assessment Test lvi
Chapter 1 Penetration Testing 1
What Is Penetration Testing? 2
Cybersecurity Goals 2
Adopting the Hacker Mind-Set 4
Reasons for Penetration Testing 5
Benefits of Penetration Testing 5
Regulatory Requirements for Penetration Testing 6
Who Performs Penetration Tests? 8
Internal Penetration Testing Teams 8
External Penetration Testing Teams 9
Selecting Penetration Testing Teams 9
The CompTIA Penetration Testing Process 10
Planning and Scoping 11
Information Gathering and Vulnerability Identification 11
Attacking and Exploiting 12
Reporting and Communicating Results 13
The Cyber Kill Chain 13
Reconnaissance 15
Weaponization 15
Delivery 16
Exploitation 16
Installation 16
Command and Control 16
Actions on Objectives 17
Tools of the Trade 17
Reconnaissance 19
Vulnerability Scanners 20
Social Engineering 21
Credential-Testing Tools 21
Debuggers 21
Software Assurance 22
Network Testing 22
Remote Access 23
Exploitation 23
Summary 23
Exam Essentials 24
Lab Exercises 25
Activity 1.1: Adopting the Hacker Mind-Set 25
Activity 1.2: Using the Cyber Kill Chain 25
Review Questions 26
Chapter 2 Planning and Scoping Penetration Tests 31
Scoping and Planning Engagements 35
Assessment Types 36
White Box, Black Box, or Gray Box? 36
The Rules of Engagement 38
Scoping Considerations: A Deeper Dive 40
Support Resources for Penetration Tests 42
Key Legal Concepts for Penetration Tests 45
Contracts 45
Data Ownership and Retention 46
Authorization 46
Environmental Differences 46
Understanding Compliance-Based Assessments 48
Summary 50
Exam Essentials 51
Lab Exercises 52
Review Questions 53
Chapter 3 Information Gathering 57
Footprinting and Enumeration 60
Location and Organizational Data 64
Infrastructure and Networks 67
Security Search Engines 72
Active Reconnaissance and Enumeration 74
Hosts 75
Services 75
Networks, Topologies, and Network Traffic 81
Packet Crafting and Inspection 83
Enumeration 84
Information Gathering and Code 88
Information Gathering and Defenses 89
Defenses Against Active Reconnaissance 90
Preventing Passive Information Gathering 90
Summary 90
Exam Essentials 91
Lab Exercises 92
Activity 3.1: Manual OSINT Gathering 92
Activity 3.2: Exploring Shodan 93
Activity 3.3: Running a Nessus Scan 93
Review Questions 94
Chapter 4 Vulnerability Scanning 99
Identifying Vulnerability Management Requirements 102
Regulatory Environment 102
Corporate Policy 106
Support for Penetration Testing 106
Identifying Scan Targets 106
Determining Scan Frequency 107
Configuring and Executing Vulnerability Scans 109
Scoping Vulnerability Scans 110
Configuring Vulnerability Scans 111
Scanner Maintenance 117
Software Security Testing 119
Analyzing and Testing Code 120
Web Application Vulnerability Scanning 121
Developing a Remediation Workflow 125
Prioritizing Remediation 126
Testing and Implementing Fixes 127
Overcoming Barriers to Vulnerability Scanning 127
Summary 129
Exam Essentials 129
Lab Exercises 130
Activity 4.1: Installing a Vulnerability Scanner 130
Activity 4.2: Running a Vulnerability Scan 130
Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan 131
Review Questions 132
Chapter 5 Analyzing Vulnerability Scans 137
Reviewing and Interpreting Scan Reports 138
Understanding CVSS 142
Validating Scan Results 147
False Positives 147
Documented Exceptions 147
Understanding Informational Results 148
Reconciling Scan Results with Other Data Sources 149
Trend Analysis 149
Common Vulnerabilities 150
Server and Endpoint Vulnerabilities 151
Network Vulnerabilities 161
Virtualization Vulnerabilities 167
Internet of Things (IoT) 169
Web Application Vulnerabilities 170
Summary 172
Exam Essentials 173
Lab Exercises 174
Activity 5.1: Interpreting a Vulnerability Scan 174
Activity 5.2: Analyzing a CVSS Vector 174
Activity 5.3: Developing a Penetration Testing Plan 175
Review Questions 176
Chapter 6 Exploit and Pivot 181
Exploits and Attacks 184
Choosing Targets 184
Identifying the Right Exploit 185
Exploit Resources 188
Developing Exploits 189
Exploitation Toolkits 191
Metasploit 192
PowerSploit 198
Exploit Specifics 199
PsExec 199
PS Remoting/WinRM 199
WMI 200
Scheduled Tasks and cron Jobs 200
SMB 201
RDP 202
Apple Remote Desktop 203
VNC 203
X-Server Forwarding 203
Telnet 203
SSH 204
Leveraging Exploits 204
Common Post-Exploit Attacks 204
Privilege Escalation 207
Social Engineering 208
Persistence and Evasion 209
Scheduled Jobs and Scheduled Tasks 209
Inetd Modification 210
Daemons and Services 210
Back Doors and Trojans 210
New Users 211
Pivoting 211
Covering Your Tracks 212
Summary 213
Exam Essentials 214
Lab Exercises 215
Activity 6.1: Exploit 215
Activity 6.2: Discovery 215
Activity 6.3: Pivot 216
Review Questions 217
Chapter 7 Exploiting Network Vulnerabilities 223
Conducting Network Exploits 226
VLAN Hopping 226
Network Proxies 228
DNS Cache Poisoning 228
Man-in-the-Middle 229
NAC Bypass 233
DoS Attacks and Stress Testing 234
Exploiting Windows Services 236
NetBIOS Name Resolution Exploits 236
SMB Exploits 240
Exploiting Common Services 240
SNMP Exploits 241
SMTP Exploits 242
FTP Exploits 243
Samba Exploits 244
Wireless Exploits 245
Evil Twins and Wireless MITM 245
Other Wireless Protocols and Systems 247
RFID Cloning 248
Jamming 249
Repeating 249
Summary 250
Exam Essentials 251
Lab Exercises 251
Activity 7.1: Capturing Hashes 251
Activity 7.2: Brute-Forcing Services 252
Activity 7.3: Wireless Testing 253
Review Questions 254
Chapter 8 Exploiting Physical and Social Vulnerabilities 259
Physical Facility Penetration Testing 262
Entering Facilities 262
Information Gathering 266
Social Engineering 266
In-Person Social Engineering 267
Phishing Attacks 269
Website-Based Attacks 270
Using Social Engineering Tools 270
Summary 273
Exam Essentials 274
Lab Exercises 275
Activity 8.1: Designing a Physical Penetration Test 275
Activity 8.2: Brute-Forcing Services 276
Activity 8.3: Using BeEF 276
Review Questions 278
Chapter 9 Exploiting Application Vulnerabilities 283
Exploiting Injection Vulnerabilities 287
Input Validation 287
Web Application Firewalls 288
SQL Injection Attacks 289
Code Injection Attacks 292
Command Injection Attacks 293
Exploiting Authentication Vulnerabilities 293
Password Authentication 294
Session Attacks 295
Kerberos Exploits 298
Exploiting Authorization Vulnerabilities 299
Insecure Direct Object References 299
Directory Traversal 300
File Inclusion 301
Exploiting Web Application Vulnerabilities 302
Cross-Site Scripting (XSS) 302
Cross-Site Request Forgery (CSRF/XSRF) 305
Clickjacking 305
Unsecure Coding Practices 306
Source Code Comments 306
Error Handling 306
Hard-Coded Credentials 307
Race Conditions 308
Unprotected APIs 308
Unsigned Code 308
Application Testing Tools 308
Static Application Security Testing (SAST) 309
Dynamic Application Security Testing (DAST) 310
Mobile Tools 313
Summary 313
Exam Essentials 313
Lab Exercises 314
Activity 9.1: Application Security Testing Techniques 314
Activity 9.2: Using the ZAP Proxy 314
Activity 9.3: Creating a Cross-Site Scripting Vulnerability 315
Review Questions 316
Chapter 10 Exploiting Host Vulnerabilities 321
Attacking Hosts 325
Linux 325
Windows 331
Cross-Platform Exploits 338
Remote Access 340
SSH 340
Netcat and Ncat 341
Proxies and Proxychains 341
Metasploit and Remote Access 342
Attacking Virtual Machines and Containers 342
Virtual Machine Attacks 343
Container Attacks 344
Physical Device Security 345
Cold-Boot Attacks 345
Serial Consoles 345
JTAG Debug Pins and Ports 346
Attacking Mobile Devices 347
Credential Attacks 348
Credential Acquisition 348
Offline Password Cracking 349
Credential Testing and Brute-Forcing Tools 350
Wordlists and Dictionaries 351
Summary 352
Exam Essentials 353
Lab Exercises 354
Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials 354
Activity 10.2: Cracking Passwords Using Hashcat 355
Activity 10.3: Setting Up a Reverse Shell and a Bind Shell 356
Review Questions 358
Chapter 11 Scripting for Penetration Testing 363
Scripting and Penetration Testing 364
Bash 365
PowerShell 366
Ruby 367
Python 368
Variables, Arrays, and Substitutions 368
Bash 370
PowerShell 371
Ruby 371
Python 372
Comparison Operations 372
String Operations 373
Bash 375
PowerShell 376
Ruby 377
Python 378
Flow Control 378
Conditional Execution 379
For Loops 384
While Loops 389
Input and Output (I/O) 394
Redirecting Standard Input and Output 394
Error Handling 395
Bash 395
PowerShell 396
Ruby 396
Python 396
Summary 397
Exam Essentials 397
Lab Exercises 398
Activity 11.1: Reverse DNS Lookups 398
Activity 11.2: Nmap Scan 398
Review Questions 399
Chapter 12 Reporting and Communication 405
The Importance of Communication 408
Defining a Communication Path 408
Communication Triggers 408
Goal Reprioritization 409
Recommending Mitigation Strategies 409
Finding: Shared Local Administrator Credentials 411
Finding: Weak Password Complexity 411
Finding: Plain Text Passwords 413
Finding: No Multifactor Authentication 413
Finding: SQL Injection 414
Finding: Unnecessary Open Services 415
Writing a Penetration Testing Report 415
Structuring the Written Report 415
Secure Handling and Disposition of Reports 417
Wrapping Up the Engagement 418
Post-Engagement Cleanup 418
Client Acceptance 419
Lessons Learned 419
Follow-Up Actions/Retesting 419
Attestation of Findings 419
Summary 420
Exam Essentials 420
Lab Exercises 421
Activity 12.1: Remediation Strategies 421
Activity 12.2: Report Writing 421
Review Questions 422
Appendix Answers to Review Questions 425
Chapter 1: Penetration Testing 426
Chapter 2: Planning and Scoping Penetration Tests 427
Chapter 3: Information Gathering 429
Chapter 4: Vulnerability Scanning 431
Chapter 5: Analyzing Vulnerability Scans 433
Chapter 6: Exploit and Pivot 434
Chapter 7: Exploiting Network Vulnerabilities 436
Chapter 8: Exploiting Physical and Social Vulnerabilities 438
Chapter 9: Exploiting Application Vulnerabilities 440
Chapter 10: Exploiting Host Vulnerabilities 442
Chapter 11: Scripting for Penetration Testing 444
Chapter 12: Reporting and Communication 445
Index 447


The CompTIA PenTest+ Study Guide: Exam PT0-001 provides accessible explanations
and real-world knowledge about the exam objectives that make up the PenTest+ certification.
This book will help you to assess your knowledge before taking the exam, as well as
provide a stepping stone to further learning in areas where you may want to expand your
skill set or expertise.
Before you tackle the PenTest+ exam, you should already be a security practitioner.
CompTIA suggests that test-takers should have intermediate-level skills based on their
cybersecurity pathway. You should also be familiar with at least some of the tools and techniques
described in this book. You don’t need to know every tool, but understanding how
to use existing experience to approach a new scenario, tool, or technology that you may not
know is critical to passing the PenTest+ exam.

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas,
ranging from the skills that a PC support technician needs, which are covered in the A+
exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or
CASP, certification. CompTIA divides its exams into three categories based on the skill
level required for the exam and what topics it covers, as shown in the following table:
Table: CompTIA exam categories by skill level (Beginner/Novice, Intermediate, Advanced). Only the Beginner/Novice entry, IT Fundamentals, is preserved in this extract.
CompTIA recommends that practitioners follow a cybersecurity career path that begins
with the IT fundamentals and A+ exam and proceeds to include the Network+ and Security+
credentials to complete the foundation. From there, cybersecurity professionals may choose
the PenTest+ and/or Cybersecurity Analyst+ (CySA+) certifications before attempting the
CompTIA Advanced Security Practitioner (CASP) certification as a capstone credential.
The CySA+ and PenTest+ exams are more advanced exams, intended for professionals
with hands-on experience who also possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout
multiple industries as a measure of technical skill and knowledge. In addition, CompTIA
certifications, including the Security+ and the CASP, have been approved by the U.S. government
as Information Assurance baseline certifications and are included in the State
Department’s Skills Incentive Program.

The PenTest+ Exam
The PenTest+ exam is designed to be a vendor-neutral certification for penetration testers. It
assesses current penetration testing, vulnerability assessment, and vulnerability
management skills with a focus on network resiliency testing. Successful test-takers will
prove their ability to plan and scope assessments, handle legal and compliance requirements,
and perform vulnerability scanning and penetration testing activities using a variety of
tools and techniques, and then analyze the results of those activities.
It covers five major domains:
1. Planning and Scoping
2. Information Gathering and Vulnerability Identification
3. Attacks and Exploits
4. Penetration Testing Tools
5. Reporting and Communication
These five areas include a range of subtopics, from scoping penetration tests to performing
host enumeration and exploits, while focusing heavily on scenario-based learning.
The PenTest+ exam fits between the entry-level Security+ exam and the CompTIA
Advanced Security Practitioner (CASP) certification, providing a mid-career certification
for those who are seeking the next step in their certification and career path while specializing
in penetration testing or vulnerability management.
The PenTest+ exam is conducted in a format that CompTIA calls “performance-based
assessment.” This means that the exam uses hands-on simulations using actual security
tools and scenarios to perform tasks that match those found in the daily work of a security
practitioner. There may be multiple types of exam questions, such as multiple-choice,
fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.
CompTIA recommends that test-takers have three or four years of information security–
related experience before taking this exam and that they have taken the Security+ exam or
have equivalent experience, including technical, hands-on expertise. The exam costs $346
in the United States, with roughly equivalent prices in other locations around the globe.
More details about the PenTest+ exam and how to take it can be found at

Study and Exam Preparation Tips
A test preparation book like this cannot teach you every possible security software package,
scenario, and specific technology that may appear on the exam. Instead, you should
focus on whether you are familiar with the type or category of technology, tool, process, or
scenario presented as you read the book. If you identify a gap, you may want to find additional
tools to help you learn more about those topics.
Additional resources for hands-on exercises include the following:
■ provides virtual machines, documentation, and challenges covering
a wide range of security issues at
■ Hacking-Lab provides capture-the-flag (CTF) exercises in a variety of fields at
■ The OWASP Hacking Lab provides excellent web application–focused exercises at
■ PentesterLab provides subscription-based access to penetration testing exercises at
■ The InfoSec Institute provides online capture-the-flag activities with bounties for written
explanations of successful hacks at
Since the exam uses scenario-based learning, expect the questions to involve analysis
and thought rather than relying on simple memorization. As you might expect, it is impossible
to replicate that experience in a book, so the questions here are intended to help you
be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase
your exam voucher:
CompTIA partners with Pearson VUE’s testing centers, so your next step will be to
locate a testing center near you. In the United States, you can do this based on your address
or your zip code, while non-U.S. test-takers may find it easier to enter their city and country.
You can search for a test center near you at
Now that you know where you’d like to take the exam, simply set up a Pearson VUE
testing account and schedule an exam:
On the day of the test, take two forms of identification, and make sure to show up with
plenty of time before the exam starts. Remember that you will not be able to take your notes,
electronic devices (including smartphones and watches), or other materials in with you.

After the PenTest+ Exam
Once you have taken the exam, you will be notified of your score immediately, so you’ll
know if you passed the test right away. You should keep track of your score report with
your exam registration records and the email address you used to register for the exam. If
you’ve passed, you’ll receive a handsome certificate, similar to the one shown here: