CompTIA PenTest pt0-002
cyber
·
1.0 Planning and Scoping
1.1 Compare and contrast governance, risk, and compliance concepts
- Regulatory compliance considerations
- Payment Card Industry Data Security Standard(PCI DSS)
- General Data Protection Regulation(GDPR)
- Location restrictions
- Country limitations
- Tool restractions
- Local laws
- Local government requirements
- Legal concepts
- Service-level agreement(SLA)
- Confidentiality
- Statement of work
- Non-disclosure agreement(NDA)
- Master service agreement
- Permission to attack
1.2 Explain the importance of scoping and organizational/customer requirements
- Standards and methodologies
- MITRE ATT&CK
- Open Web Application Security Project(OWASP)
- National Institute of Standards and Technology(NIST)
- Open-source Security Testing Methodology Manual(OSSTMM)
- Penetration Testing Execution Standard(PTES)
- Information Systems Security Assessment Framework(ISSAF)
- Rules of engagement
- Time of day
- Types of allowed/disallowed tests
- Other restrictions
- Environmental considerations
- Network
- Application
- Cloud
- Target list/in-scope assets
- Wireless networks
- Internet Protocol(IP) ranges
- Domains
- Application programming interfaces(APIs)
- Physical locations
- Domain name system(DNS)
- External vs. internal targets
- First-party vs. third-party hosted
- Validate scope of engagement
- Question the client/review contracts
- Time management
- Strategy
- Unknown-environment vs. known-environment testing
1.3 Given a scenario, demonstrate an ethical hacking by maintaining professionalism and integrity
- Background checks of penetration testing team
- Adhere to specific scope of engagement
- Identify criminal activity
- Immediately report breaches/criminal activity
- Limit the use of tools to a particular engagement
- Limit invasiveness based on scope
- Maintain confidentiality of data/information
- Risk to the professional
- Fees/fines
- Criminal charges
- DNS lookup
- Identify technical contacts
- Administrator contacts
- Cloud vs. self-hosted
- Social media scrapping
- Key contacts/job responsibilities
- job listing/technology stack
- Cryptographic flaws
- Secure Socket Layer(SSL) certificates
- Revocation
- Company reputation/security posture
- Data
- Password dumps
- File metadata
- Strategic search engine analysis/enumeration
- Website archive/caching
- Public source-code repositories
- Open-source intelligence(OSINT)
- Tools
- Sources
- Common weakness enumeration(CWE)
- Common vulnerabilities and exposures(CVE)
- Enumeration
- Hosts
- Services
- Domains
- Users
- Uniform resources locators(URLs)
- Website reconnaissance
- Crawling websites
- Scraping websites
- Manual inspections of web links
- Packet crafting
- Defense detection
- Load balancer detection
- Web application firewall (WAF) detection
- Antivirus
- Firewall
- Tokens
- Scoping
- Issuing
- Revocation
- Wardriving
- Network traffic
- Capture API requests and responses
- Sniffing
- Cloud asset discovery
- Third-party hosted services
- Detection avoidance
2.3 Given a scenario, analyze the result of a reconnaissance exercise
- Fingerprinting
- Operating systems(OSs)
- Networks
- Network devices
- Software
- Analyze output from
- DNS lookups
- Crawling websites
- Network traffic
- Address Resolution Protocol(ARP) traffic
- Nmap scans
- Web logs
- Considerations of vulnerability scanning
- Time to run scans
- Protocols
- Network topology
- Bandwidth limitations
- Query throttling
- Fragile systems
- Non-tradisional assets
- Scan identified targets for vulnerabilities
- Set scan settings to avoid detection
- Scanning methods
- Stealth scan
- Transmission Control Protocol(TCP) vs. non-credentialed
- Nmal
- Nmap Scripting Engine(NSE) scripts
- Common options
- A
- sV
- sT
- Pn
- O
- sU
- sS
- Y 1-5
- script=vuln
- p
- Vulnerability testing tools that facilitate automation
3.0 Attacks and Exploits
- Stress testing for availability
- Exploit resources
- Exploit database(DB)
- Packet storm
- Attacks
- ARP poisoning
- Exploit chaining
- Password attacks
- Password spraying
- Hash cracking
- Brute force
- Dictionary
- On-path(previously known as man-in-the middle)
- Kerberoasting
- DNS cache poisoning
- Virtual local area network(VLAN) hopping
- Network access control(NAC)bypass
- Media access control(MAC) spoofing
- Link-local Multicast Name Resolution(LLMNR)/NetBIOS-Name Service(NBT-NS) poisoning
- New Technology LAN Manager(NTLM) relay attacks
- Tools
- Attack methods
- Eavesdropping
- Data modifications
- Data corruption
- Relay attacks
- Spoofing
- Deauthentication
- Jamming
- Capture handshakes
- On-path
- Attacks
- Evil-twin
- Captive portal
- Bluejacking
- Bluesnarfing
- Radio-frequency identification(RFID) cloning
- Bluetooth Low Energy(BLE) attack
- Amplification attacks(Near field communication(NFC))
- WiFi protected setup (WPS) PIN attack
- Tools
- Aircrack-ng suite
- Amplified antenna
- OWASP Top 10
- Server-side request forgery
- Business logic flaws
- Injection attacks
- Structured Quesry Language(SQL) injection
- Blind SQL
- Boolean SQL
- Stacked queries
- Command injection
- Cross-site scripting
- Lightweight Directory Access Protocol(LDAP) injection
- Application vulnerabilities
- Race conditions
- Lack of error handling
- Lack of code signing
- Insecure data transmission
- Session attacks
- Session hijacking
- Cross-site request forgery(CSRF)
- Privilege escalation
- Session fixation
- API attacks
- Restful
- Extensible Markup Language-Remote Procedure Call(XML-RPC)
- Soap
- Directory traversal
- Tools
- Web proxies
- OWASP Zed Attack Proxy(ZAP)
- Burp Suite community edition
- SQLmap
- DirBuster
- Resources
- Attacks
- Credential harvesting
- Privilege escalation
- Account takeover
- Metadata service attack
- Misconfigured cloud assets
- Identity and access management(IAM)
- Federation misconfigurations
- Object storage
- Containerization technologies
- Resource exhaustion
- Cloud malware injection attacks
- Denial-of-service attacks
- Side-channel attacks
- Direct-to-origin attacks
- Tools
- Software development kit(SDK)
3.5 Explain common attacks and vulnerabilities against specialized systems
- Mobile
- Attacks
- Reverse engineering
- Sandbox analysis
- Spamming
- Vulnerabilities
- Insecure storage
- Passcode vulnerabilities
- Certificate pinning
- Using known vulnerable components: Dependency vulnerabilities, Patching fragmentation
- Execution of activities using root
- Over-reach of permissions
- Biometrics integrations
- Business logic vulnerabilities
- Tools
- Burp Suit
- Drozer
- Mobile Security Framework(MobSF)
- Postman
- Ettercap
- Frida
- Objection
- Android SDK tools
- ApkX
- APK Studio
- Internet of Things(IoT) devices
- BLE attacks
- Special considerations
- Fragile environments
- Availability concerns
- Data corruption
- Data exfiltration
- Vulnerabilities
- Insecure defaults
- Cleartext communication
- Hard-coded configuration
- Outdated firmware/hardware
- Data leakage
- Use of insecure or outdated components
- Data storage system vulnerabilidties
- Misconfigurations–on-premises and cloud-based
- Default/blank username/password
- Network exposure
- Lack of user input sanitizations
- Underlying software vulnerabilities
- Error messages and debug handling
- Injection vulnerabilities
- Management interface vulnerabilities
- Intelligent platform management interface(IPMI)
- Vulnerabilities related to supervisory control and data acquisition(SCADA)/Industrial Internet of Things(IIoT)/industrial control system(ICS)
- Vulnerabilities related to virtual environments
- Virtual machine(VM) escape
- Hypervisor vulnerabilities
- VM repository vulnerabilities
- Vulnerabilities related to containerized workloads
- Pretext for an approach
- Social engineering attacks
- Email phishing
- Vishing
- Short message service(SMS) phishing
- Universal Serial Bus(USB) drop key
- Watering hole attack
- Physical attacks
- Tailgating
- Dumpster diving
- Shoulder surfing
- Badge cloning
- Impersonation
- Tools
- Browser exploitation framework(BeEF)
- Social engineering toolkit
- Call spoofing tools
- Methods of influence
- Authority
- Scarcity
- Social proof
- Urgency
- Likeness
- Fear
3.7 Given a scenario, perform post-exploitation techniques
- Post-exploitation tools
- Empire
- Mimikatz
- BloodHound
- Lateral movement
- Network segmentation testing
- Privilege escalation
- Upgrading a restrictive shell
- Creating a foothold/persistence
- Trojan
- Backdoor
- Daemons
- Scheduled tasks
- Detection avoidance
- Living-off-the-land techniques/fileless malware
- PsExec
- Windows Management Instrumentation(WMI)
- PowerShell(PS) remoting/Windows Remote Management(WinRM)
- Data exfiltration
- Covering your tracks
- Steganography
- Establishing a covert channel
- Enumeration
- Users
- Groups
- Forests
- Sensitive data
- Unencrypted files
4.0 Reporting and Communication
4.1 Compare and contrast importing components of written reports
- Report audience
- C-suite
- Third-party stakeholders
- Technical staff
- Developers
- Report contents(not in a particular order)
- Executive summary
- Scope details
- Methodology
- Findings
- Risk rating(reference framework)
- Risk prioritization
- Business impact analysis
- Matrics and measures
- Remediation
- Conclusion
- Appendix
- Storage time for report
- Secure distribution
- Note taking
- Ongoing documentation during test
- Screenshots
- Common themes/root causes
- Vulnerabilities
- Observations
- Lack of best practices
- Technical controls
- System hardening
- Sanitize user input/parameterize queries
- Implemented multifactor authentication
- Encrypt passwords
- Process-level remediation
- Patch management
- Key rotation
- Certificate management
- Secrets management solutions
- Network segmentation
- Administrative controls
- Role-based access control
- Secure software development life cycle
- Minimum password requirements
- Policies and procedures
- Operational controls
- Job rotation
- Time-of-day restrictions
- Mandatory vacations
- User training
- Physical controls
- Access control vestibule
- Biometric controls
- Video surveillance
4.3 Explain the importance of communication during the penetration testing process
- Communication path
- Primary contact
- Technical contact
- Emergency contact
- Communication triggers
- Critical findings
- Status reports
- Indicators of prior compromise
- Reasons for communication
- Situational awareness
- De-escalation
- Deconfliction
- Identifying fasle positives
- Criminal activity
- Goal reprioritization
- Presentation of findings
4.4 Explain post-report delivery activities
- Post-engagement cleanup
- Removing shells
- Removing tester-created credentials
- Removing tools
- Client acceptance
- Lesson learned
- Follow-up actions/retest
- Attestation of findings
- Data destruction process
5.1 Explain the basic concepts of scripting and software development
- Logic constructs
- Loop
- Conditionals
- Boolean operator
- String operator
- Arithmetic operator
- Data structures
- JavaScripts Object Notation(JSON)
- Key value
- Arrays
- Dictionaries
- Comma-separated values(CSV)
- Lists
- Trees
- Libraries
- Classes
- Procedures
- Functions
5.2 Given a scenario, analyze a script or code sample for use in a penetration test
- Shell
- Programming languages
- Python
- Ruby
- Perl
- JavaScript
- Analyze exploit code to
- Download files
- Launch remote access
- Enumerate users
- Enumerate assets
- Opportunities for automation
- Automate penetration testing process
- Perform port scan and then automate next steps based on results
- Check configurations and produce a report
- Scripting to modify to IP addresses during a test
- Nmap scripting to enumerate ciphers and produce reports
- Scanners
- Nikto
- Open vulnerability assessment scanner(Open VAS)
- SQLmap
- Nessus
- Open Security Content Automation(SCAP)
- Wapiti
- WPScan
- Brakeman
- Scout Suite
- Credential testing tools
- Hashcat
- Medusa
- Hydra
- CeWl
- John the Ripper
- Cain
- Mimikatz
- Patator
- DirBuster
- Debuggers
- OllyDbg
- Immunity Debugger
- GNU Debugger(GDB)
- WinDbg
- Interactive Disassembler(IDA)
- Covenant
- SearchSploit
- OSINT
- WHOIS
- Nslookup
- Fingerprinting Organization with Collected Archives(FOCA)
- theHarvest
- Shadon
- Maltego
- Recon-ng
- Censys
- Wireless
- Aircrack-ng suite
- Kismet
- Wifite2
- Rogue access point
- EAPHammer
- mdk4
- Spooftooph
- Reaver
- Wireless Geographic Logging Engine(WiGLE)
- Fern
- Web application tools
- OWASP ZAP
- Burp Suite
- Gobuster
- w3af
- Social engineering tools
- Social Engineering Toolkit(SET)
- BeEF
- Remote access tools
- Secure Shell(SHH)
- Ncat
- Netcat
- ProxyChains
- Networking tools
- Misc.
- SearchSploit
- Responder
- Impacket tools
- Empire
- Metasploit
- mitm6
- CrackMapExec
- TruffleHog
- Censys
- Steganography tools
- Openstego
- Steghide
- Snow
- Coagula
- Sonic Visualiser
- TinEye
- Cloud tools
- Scout Suite
- CloudBrute
- Pacu
- Cloud Custodian
Reference
CompTIA