CompTIA PenTest+ Certification For Dummies
About the Book

Prepare for the CompTIA PenTest+ certification

CompTIA's PenTest+ Certification is an essential certification for building a successful penetration testing career. Test takers must pass an 85-question exam to be certified, and this book, plus the online test bank, will help you reach your certification goal. CompTIA PenTest+ Certification For Dummies includes a map to the exam’s objectives and helps you get up to speed on planning and scoping, information gathering and vulnerability identification, attacks and exploits, penetration testing tools and reporting, and communication skills.

  • Pass the PenTest+ Certification exam and grow as a Pen Testing professional
  • Learn to demonstrate hands-on ability to Pen Test
  • Practice with hundreds of study questions in a free online test bank
  • Find test-taking advice and a review of the types of questions you'll see on the exam

Get ready to acquire all the knowledge you need to pass the PenTest+ exam and start your career in this growing field in cybersecurity!

Table of Contents:
Introduction
  About This Book; Conventions Used in This Book; Foolish Assumptions; How This Book is Organized; Pre-assessment; Part 1: Planning and Information Gathering; Part 2: Exploiting Systems; Part 3: Post-Exploitation and Reporting; Appendixes; Practice exam; Icons Used in This Book; Beyond the Book; Where to Go from Here

Pre-assessment
  Questions; Answers

Part 1: Planning and Information Gathering

Chapter 1: Introduction to Penetration Testing
  Penetration Testing Overview; Reasons for a pentest; Who should perform a pentest; How often a pentest should be performed; Defining Penetration Testing Terminology; Types of assessments; Pentest strategies; Threat actors and threat models; Looking at CompTIA’s Penetration Testing Phases; Planning and scoping; Information gathering and vulnerability identification; Attacks and exploits; Reporting and communication; Reviewing Key Concepts; Prep Test; Answers

Chapter 2: Planning and Scoping
  Understanding Key Legal Concepts; Written authorization; Contracts; Disclaimers; Scoping the Project; General questions; Web application testing questions; Wireless network testing questions; Physical security testing questions; Social engineering testing questions; Testing questions for IT staff; Identifying the Rules of Engagement; Target audience and reason for the pentest; Communication escalation path; Resources and requirements; Budget; Impact analysis and remediation timelines; Defining Targets for the Pentest; Internal and external targets; First-party versus third-party hosted; Other targets; Target considerations; Verifying Acceptance to Risk; Scheduling the Pentest and Managing Scope Creep; Scheduling; Scope creep; Conducting Compliance-based Assessments; Reviewing Key Concepts; Prep Test; Answers

Chapter 3: Information Gathering
  Looking at Information-Gathering Tools and Techniques; Passive information gathering; Active information gathering; Understanding Scanning and Enumeration; Passive scanning; Active scanning; Enumeration; Lab Exercises; Exercise 3-1: Conduct a Whois Search; Exercise 3-2: Use theHarvester to collect email addresses; Exercise 3-3: Use Shodan to discover systems on the Internet; Exercise 3-4: Use recon-ng for OSINT information gathering; Exercise 3-5: Use dig for DNS profiling; Exercise 3-6: Use Nmap to port scan; Reviewing Key Concepts; Prep Test; Answers

Chapter 4: Vulnerability Identification
  Understanding Vulnerabilities; Types of vulnerability scans; Vulnerability scan considerations; Performing a Vulnerability Scan; Installing Nessus; Running Nessus; Using other vulnerability scanners; Analyzing Vulnerability Results; Mapping vulnerabilities to exploits; Understanding the CVSS base score; Prioritizing activities; Considerations for analyzing scan results; Types of Weaknesses in Specialized Systems; Lab Exercises; Exercise 4-1: Download and install Nessus; Exercise 4-2: Perform a vulnerability scan; Exercise 4-3: Perform a web application vulnerability scan with Nessus; Reviewing Key Concepts; Prep Test; Answers

Part 2: Attacks and Exploits

Chapter 5: Exploiting Systems
  Exploiting Systems with Metasploit; Starting Metasploit; Searching for an exploit; Using an exploit; Running the exploit; Setting the payload; Using msfvenom; Understanding Social Engineering; Phishing; Shoulder surfing; USB key drop; Other forms of social engineering; Motivation techniques; Using SET to perform an attack; Using BeEF to perform an attack; Looking at Attacks on Physical Security; Types of physical security controls; Exploiting physical security; Common Attack Techniques; Password cracking; Using exploits; Deception; Exploiting Network-Based Vulnerabilities; Common network-based exploits; Man-in-the-middle (MiTM) attacks; Other common attacks; Exploiting Local Host Vulnerabilities; Operating system vulnerabilities; Unsecure service and protocol configurations; Privilege escalation; Default account settings; Sandbox escape; Physical device security; Lab Exercises; Exercise 5-1: Exploit an SMB service with Metasploit; Exercise 5-2: Use the Meterpreter exploit payload; Exercise 5-3: Conduct a MiTM attack with SETH; Exercise 5-4: Use SET for credential harvesting; Exercise 5-5: Use BeEF to exploit a web browser; Reviewing Key Concepts; Prep Test; Answers

Chapter 6: Exploiting Wireless Vulnerabilities
  Understanding Wireless Terminology; Wireless concepts; Wireless equipment and configuration; Types of wireless networks; Introducing Wireless Standards; 802.11a; 802.11b; 802.11g; 802.11n; 802.11ac; Looking at Wireless Configuration and Troubleshooting; Reviewing the Basic Service Set; Designing a multi-access point WLAN; Troubleshooting wireless networks; Implementing Wireless Security Practices; General security practices; Encryption protocols; Exploiting Wireless Vulnerabilities; Looking at 802.11 wireless vulnerabilities; Looking at RF-based vulnerabilities; Cracking WEP encryption; Cracking WPS implementation weakness; Cracking WPA/WPA2 encryption keys; Using Wifite to hack wireless networks; Exploiting Bluetooth devices; Lab Exercises; Exercise 6-1: Crack WEP encryption; Exercise 6-2: Crack the WPS pin; Exercise 6-3: Crack the WPA/WPA2 encryption key; Exercise 6-4: Test Bluetooth devices; Reviewing Key Concepts; Prep Test; Answers

Chapter 7: Exploiting Application-Based Vulnerabilities
  Looking at Common Application-Based Attacks; Injection attacks; Authentication; Authorization; XSS and CSRF/XSRF; Understanding Application Security Vulnerabilities; Clickjacking; Security misconfiguration; File inclusion; Identifying Unsecure Coding Practices; Comments in source code; Lack of error handling; Overly verbose error handling; Hard-coded credentials; Race conditions; Unauthorized use of functions/unprotected APIs; Hidden elements/sensitive information in the DOM; Lack of code signing; Secure Coding Best Practices; Validation; Sanitization; Escaping; Parameterized queries; Lab Exercises; Exercise 7-1: Perform a CSRF attack; Exercise 7-2: Perform a SQL injection; Exercise 7-3: Perform a command injection attack; Exercise 7-4: Perform a reflected XSS attack; Exercise 7-5: Perform a persistent XSS attack; Exercise 7-6: Reset the DVWA; Reviewing Key Concepts; Prep Test; Answers

Part 3: Post-Exploitation and Reporting

Chapter 8: Understanding Post-Exploitation Actions
  Common Post-Exploitation Tasks; Understanding the context; Collecting information; Obtaining a shell; Retrieving password hashes; Disabling the antivirus software; Migrating to a different process; Taking screenshots; Taking remote control; Capturing keystrokes; Enabling the webcam; Performing Lateral Movement; PS remoting/WinRM; Using PsExec; Using PsExec with pass the hash; Using RDP; Using RPC/DCOM; Using remote services; Other techniques for lateral movement; Maintaining Access (Persistence); New user creation; Planting backdoors and trojans; Other techniques for maintaining access; Covering Your Tracks; Lab Exercises; Exercise 8-1: Exploit a system and collect information; Exercise 8-2: Record keystrokes; Exercise 8-3: Obtain password hashes; Exercise 8-4: Move laterally; Exercise 8-5: Create a backdoor account; Exercise 8-6: Cover your tracks; Reviewing Key Concepts; Prep Test; Answers

Chapter 9: Common Penetration Testing Tools
  Understanding Use Cases for Common Pentest Tools; Reconnaissance; Enumeration; Vulnerability scanning; Credential attacks; Persistence; Configuration compliance; Evasion; Decompilation and debugging; Forensics; Software assurance; Looking at Common Pentest Tools; Scanners; Credential testing tools; Debuggers; Software assurance; Open-source intelligence (OSINT); Wireless; Web proxies; Social engineering tools; Remote access tools; Networking tools; Mobile tools; Miscellaneous tools; Analyzing Tool Output; Password cracking; Pass the hash; Setting up a bind shell; Getting a reverse shell; Proxying a connection; Uploading a web shell; Injections; Lab Exercises; Exercise 9-1: Crack passwords with John the Ripper; Exercise 9-2: Locate web servers; Exercise 9-3: Scan web applications for vulnerabilities; Exercise 9-4: Use Hydra for password cracking over RDP; Exercise 9-5: Use Hydra to crack website credentials; Exercise 9-6: Use CeWL to create a wordlist; Exercise 9-7: Use Netcat/Ncat to create a bind shell; Reviewing Key Concepts; Prep Test; Answers

Chapter 10: Analyzing Script Functionality
  Reviewing Scripting Concepts; Variables and arrays; Looping and flow control; Common operations; Error handling; Using Bash Scripting; Variables and arrays; Looping and flow control; Executing the script; Error handling; Input and output; Understanding Python Scripting; Variables and arrays; Looping and flow control; Executing the script; Error handling; Input and output; Working with Ruby Scripting; Variables and arrays; Looping and flow control; Executing the script; Error handling; Input and output; Coding in PowerShell Scripting; Variables and arrays; Looping and flow control; Executing the script; Error handling; Input and output; Lab Exercises; Exercise 10-1: Review Bash script; Exercise 10-2: Review Python script; Exercise 10-3: Review PowerShell script; Reviewing Key Concepts; Prep Test; Answers

Chapter 11: Reporting and Communication
  Communicating During a PenTest; Communication triggers; Reasons for communication; Findings and Remediations; Shared local administrator credentials; Weak password complexity; Plain text passwords; No multifactor authentication; SQL injection; Unnecessary open services; Focusing Your Remediation Strategies; Writing and Handling the Pentest Report; Normalization of data; Risk appetite; Report structure; Secure handling and disposition of reports; Delivering the Report and Post-Report Activities; Post-engagement cleanup; Client acceptance; Administrative tasks; Lab Exercises; Exercise 11-1: Create a pentest report; Exercise 11-2: Encrypt the pentest report; Reviewing Key Concepts; Prep Test; Answers

Part 4: Appendixes
  Appendix A: PenTest+ Exam Details; Appendix B: CompTIA PenTest+ Exam Reference Matrix; Appendix C: Lab Setup

Index

About the Author:
Glen E. Clarke has authored many certification books on topics such as A+, Network+, Security+, CCENT, and CCNA, among others. As an independent trainer and consultant, he creates and delivers courses on such certifications as Windows, SQL Server, A+, and Exchange Server. Glen holds a number of networking, programming, and IT security certifications.




Product Details
  • ISBN-13: 9781119633587
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Standards Information Network
  • Language: English
  • ISBN-10: 1119633583
  • Publisher Date: 28 Oct 2020
  • Binding: Digital (delivered electronically)
  • No of Pages: 464

