CompTIA PenTest pt0-002

1.0 Planning and Scoping

1.1 Compare and contrast governance, risk, and compliance concepts

• Regulatory compliance considerations
  • Payment Card Industry Data Security Standard(PCI DSS)
  • General Data Protection Regulation(GDPR)
• Location restrictions
  • Country limitations
  • Tool restractions
  • Local laws
  • Local government requirements
    • Privacy requirements
• Legal concepts
  • Service-level agreement(SLA)
  • Confidentiality
  • Statement of work
  • Non-disclosure agreement(NDA)
  • Master service agreement
• Permission to attack

1.2 Explain the importance of scoping and organizational/customer requirements

• Standards and methodologies
  • MITRE ATT&CK
  • Open Web Application Security Project(OWASP)
  • National Institute of Standards and Technology(NIST)
  • Open-source Security Testing Methodology Manual(OSSTMM)
  • Penetration Testing Execution Standard(PTES)
  • Information Systems Security Assessment Framework(ISSAF)
• Rules of engagement
  • Time of day
  • Types of allowed/disallowed tests
  • Other restrictions
• Environmental considerations
  • Network
  • Application
  • Cloud
• Target list/in-scope assets
  • Wireless networks
  • Internet Protocol(IP) ranges
  • Domains
  • Application programming interfaces(APIs)
  • Physical locations
  • Domain name system(DNS)
  • External vs. internal targets
  • First-party vs. third-party hosted
• Validate scope of engagement
  • Question the client/review contracts
  • Time management
  • Strategy
    • Unknown-environment vs. known-environment testing

1.3 Given a scenario, demonstrate an ethical hacking by maintaining professionalism and integrity

• Background checks of penetration testing team
• Adhere to specific scope of engagement
• Identify criminal activity
• Immediately report breaches/criminal activity
• Limit the use of tools to a particular engagement
• Limit invasiveness based on scope
• Maintain confidentiality of data/information
• Risk to the professional
  • Fees/fines
  • Criminal charges

2.0 Information Gathering and Vulnerability Scanning

2.1 Given a scenario, perform passive reconnaissance

• DNS lookup
• Identify technical contacts
• Administrator contacts
• Cloud vs. self-hosted
• Social media scrapping
  • Key contacts/job responsibilities
  • job listing/technology stack
• Cryptographic flaws
  • Secure Socket Layer(SSL) certificates
  • Revocation
• Company reputation/security posture
• Data
  • Password dumps
  • File metadata
  • Strategic search engine analysis/enumeration
  • Website archive/caching
  • Public source-code repositories
• Open-source intelligence(OSINT)
  • Tools
    • Shodan
    • Recon-ng
  • Sources
    • Common weakness enumeration(CWE)
    • Common vulnerabilities and exposures(CVE)

2.2 Given a scenario, perform active reconnaissance

• Enumeration
  • Hosts
  • Services
  • Domains
  • Users
  • Uniform resources locators(URLs)
• Website reconnaissance
  • Crawling websites
  • Scraping websites
  • Manual inspections of web links
    • robots.txt
• Packet crafting
  • Scapy
• Defense detection
  • Load balancer detection
  • Web application firewall (WAF) detection
  • Antivirus
  • Firewall
• Tokens
  • Scoping
  • Issuing
  • Revocation
• Wardriving
• Network traffic
  • Capture API requests and responses
  • Sniffing
• Cloud asset discovery
• Third-party hosted services
• Detection avoidance

2.3 Given a scenario, analyze the result of a reconnaissance exercise

• Fingerprinting
  • Operating systems(OSs)
  • Networks
  • Network devices
  • Software
• Analyze output from
  • DNS lookups
  • Crawling websites
  • Network traffic
  • Address Resolution Protocol(ARP) traffic
  • Nmap scans
  • Web logs

2.4 Given a scenario, perform vulnerability scanning

• Considerations of vulnerability scanning
  • Time to run scans
  • Protocols
  • Network topology
  • Bandwidth limitations
  • Query throttling
  • Fragile systems
  • Non-tradisional assets
• Scan identified targets for vulnerabilities
• Set scan settings to avoid detection
• Scanning methods
  • Stealth scan
  • Transmission Control Protocol(TCP) vs. non-credentialed
• Nmal
  • Nmap Scripting Engine(NSE) scripts
  • Common options
    • A
    • sV
    • sT
    • Pn
    • O
    • sU
    • sS
    • Y 1-5
    • script=vuln
    • p
  • Vulnerability testing tools that facilitate automation

3.0 Attacks and Exploits

3.1 Given a scenario, research attack vectors and perform network attacks

• Stress testing for availability
• Exploit resources
  • Exploit database(DB)
  • Packet storm
• Attacks
  • ARP poisoning
  • Exploit chaining
  • Password attacks
    • Password spraying
    • Hash cracking
    • Brute force
    • Dictionary
  • On-path(previously known as man-in-the middle)
  • Kerberoasting
  • DNS cache poisoning
  • Virtual local area network(VLAN) hopping
  • Network access control(NAC)bypass
  • Media access control(MAC) spoofing
  • Link-local Multicast Name Resolution(LLMNR)/NetBIOS-Name Service(NBT-NS) poisoning
  • New Technology LAN Manager(NTLM) relay attacks
• Tools
  • Metasploit
  • Netcat
  • Nmap

3.2 Given a scenario, research attack vectors and perform wireless attacks

• Attack methods
  • Eavesdropping
  • Data modifications
  • Data corruption
  • Relay attacks
  • Spoofing
  • Deauthentication
  • Jamming
  • Capture handshakes
  • On-path
• Attacks
  • Evil-twin
  • Captive portal
  • Bluejacking
  • Bluesnarfing
  • Radio-frequency identification(RFID) cloning
  • Bluetooth Low Energy(BLE) attack
  • Amplification attacks(Near field communication(NFC))
  • WiFi protected setup (WPS) PIN attack
• Tools
  • Aircrack-ng suite
  • Amplified antenna

3.3 Given a scenario, research attack vectors and perform application-based attacks

• OWASP Top 10
• Server-side request forgery
• Business logic flaws
• Injection attacks
  • Structured Quesry Language(SQL) injection
    • Blind SQL
    • Boolean SQL
    • Stacked queries
  • Command injection
  • Cross-site scripting
    • Persistent
    • Reflected
  • Lightweight Directory Access Protocol(LDAP) injection
• Application vulnerabilities
  • Race conditions
  • Lack of error handling
  • Lack of code signing
  • Insecure data transmission
  • Session attacks
    • Session hijacking
    • Cross-site request forgery(CSRF)
    • Privilege escalation
    • Session fixation
  • API attacks
    • Restful
    • Extensible Markup Language-Remote Procedure Call(XML-RPC)
    • Soap
  • Directory traversal
  • Tools
    • Web proxies
      • OWASP Zed Attack Proxy(ZAP)
      • Burp Suite community edition
    • SQLmap
    • DirBuster
  • Resources
    • Word lists

3.4 Given a scenario, research attack vector and perform attacks on cloud technologies

• Attacks
  • Credential harvesting
  • Privilege escalation
  • Account takeover
  • Metadata service attack
  • Misconfigured cloud assets
    • Identity and access management(IAM)
    • Federation misconfigurations
    • Object storage
    • Containerization technologies
  • Resource exhaustion
  • Cloud malware injection attacks
  • Denial-of-service attacks
  • Side-channel attacks
  • Direct-to-origin attacks
• Tools
  • Software development kit(SDK)

3.5 Explain common attacks and vulnerabilities against specialized systems

• Mobile
  • Attacks
    • Reverse engineering
    • Sandbox analysis
    • Spamming
  • Vulnerabilities
    • Insecure storage
    • Passcode vulnerabilities
    • Certificate pinning
    • Using known vulnerable components: Dependency vulnerabilities, Patching fragmentation
    • Execution of activities using root
    • Over-reach of permissions
    • Biometrics integrations
    • Business logic vulnerabilities
  • Tools
    • Burp Suit
    • Drozer
    • Mobile Security Framework(MobSF)
    • Postman
    • Ettercap
    • Frida
    • Objection
    • Android SDK tools
    • ApkX
    • APK Studio
• Internet of Things(IoT) devices
  • BLE attacks
  • Special considerations
    • Fragile environments
    • Availability concerns
    • Data corruption
    • Data exfiltration
  • Vulnerabilities
    • Insecure defaults
    • Cleartext communication
    • Hard-coded configuration
    • Outdated firmware/hardware
    • Data leakage
    • Use of insecure or outdated components
• Data storage system vulnerabilidties
  • Misconfigurations–on-premises and cloud-based
    • Default/blank username/password
    • Network exposure
  • Lack of user input sanitizations
  • Underlying software vulnerabilities
  • Error messages and debug handling
  • Injection vulnerabilities
    • Single quote method
• Management interface vulnerabilities
  • Intelligent platform management interface(IPMI)
• Vulnerabilities related to supervisory control and data acquisition(SCADA)/Industrial Internet of Things(IIoT)/industrial control system(ICS)
• Vulnerabilities related to virtual environments
  • Virtual machine(VM) escape
  • Hypervisor vulnerabilities
  • VM repository vulnerabilities
• Vulnerabilities related to containerized workloads

3.6 Given a scenario, perform a social engineering or physical attack

• Pretext for an approach
• Social engineering attacks
  • Email phishing
    • Whaling
    • Spear phishing
  • Vishing
  • Short message service(SMS) phishing
  • Universal Serial Bus(USB) drop key
  • Watering hole attack
• Physical attacks
  • Tailgating
  • Dumpster diving
  • Shoulder surfing
  • Badge cloning
• Impersonation
• Tools
  • Browser exploitation framework(BeEF)
  • Social engineering toolkit
  • Call spoofing tools
• Methods of influence
  • Authority
  • Scarcity
  • Social proof
  • Urgency
  • Likeness
  • Fear

3.7 Given a scenario, perform post-exploitation techniques

• Post-exploitation tools
  • Empire
  • Mimikatz
  • BloodHound
• Lateral movement
  • Pass the hash
• Network segmentation testing
• Privilege escalation
  • Horizontal
  • Vertical
• Upgrading a restrictive shell
• Creating a foothold/persistence
  • Trojan
  • Backdoor
    • Bind shell
    • Reverse shell
  • Daemons
  • Scheduled tasks
• Detection avoidance
  • Living-off-the-land techniques/fileless malware
    • PsExec
    • Windows Management Instrumentation(WMI)
    • PowerShell(PS) remoting/Windows Remote Management(WinRM)
  • Data exfiltration
  • Covering your tracks
  • Steganography
  • Establishing a covert channel
• Enumeration
  • Users
  • Groups
  • Forests
  • Sensitive data
  • Unencrypted files

4.0 Reporting and Communication

4.1 Compare and contrast importing components of written reports

• Report audience
  • C-suite
  • Third-party stakeholders
  • Technical staff
  • Developers
• Report contents(not in a particular order)
  • Executive summary
  • Scope details
  • Methodology
    • Attack narrative
  • Findings
    • Risk rating(reference framework)
    • Risk prioritization
    • Business impact analysis
  • Matrics and measures
  • Remediation
  • Conclusion
  • Appendix
• Storage time for report
• Secure distribution
• Note taking
  • Ongoing documentation during test
  • Screenshots
• Common themes/root causes
  • Vulnerabilities
  • Observations
  • Lack of best practices

4.2 Given a scenario, analyze the findings and recommend the appropriate remediation within a report

• Technical controls
  • System hardening
  • Sanitize user input/parameterize queries
  • Implemented multifactor authentication
  • Encrypt passwords
  • Process-level remediation
  • Patch management
  • Key rotation
  • Certificate management
  • Secrets management solutions
  • Network segmentation
• Administrative controls
  • Role-based access control
  • Secure software development life cycle
  • Minimum password requirements
  • Policies and procedures
• Operational controls
  • Job rotation
  • Time-of-day restrictions
  • Mandatory vacations
  • User training
• Physical controls
  • Access control vestibule
  • Biometric controls
  • Video surveillance

4.3 Explain the importance of communication during the penetration testing process

• Communication path
  • Primary contact
  • Technical contact
  • Emergency contact
• Communication triggers
  • Critical findings
  • Status reports
  • Indicators of prior compromise
• Reasons for communication
  • Situational awareness
  • De-escalation
  • Deconfliction
  • Identifying fasle positives
  • Criminal activity
• Goal reprioritization
• Presentation of findings

4.4 Explain post-report delivery activities

• Post-engagement cleanup
  • Removing shells
  • Removing tester-created credentials
  • Removing tools
• Client acceptance
• Lesson learned
• Follow-up actions/retest
• Attestation of findings
• Data destruction process

5.0 Tools and Code Analysis

5.1 Explain the basic concepts of scripting and software development

• Logic constructs
  • Loop
  • Conditionals
  • Boolean operator
  • String operator
  • Arithmetic operator
• Data structures
  • JavaScripts Object Notation(JSON)
  • Key value
  • Arrays
  • Dictionaries
  • Comma-separated values(CSV)
  • Lists
  • Trees
• Libraries
• Classes
• Procedures
• Functions

5.2 Given a scenario, analyze a script or code sample for use in a penetration test

• Shell
  • Bash
  • PS
• Programming languages
  • Python
  • Ruby
  • Perl
  • JavaScript
• Analyze exploit code to
  • Download files
  • Launch remote access
  • Enumerate users
  • Enumerate assets
• Opportunities for automation
  • Automate penetration testing process
    • Perform port scan and then automate next steps based on results
    • Check configurations and produce a report
  • Scripting to modify to IP addresses during a test
  • Nmap scripting to enumerate ciphers and produce reports

5.3 Explain use cases of the following tools during the phases of a penetration test

• Scanners
  • Nikto
  • Open vulnerability assessment scanner(Open VAS)
  • SQLmap
  • Nessus
  • Open Security Content Automation(SCAP)
  • Wapiti
  • WPScan
  • Brakeman
  • Scout Suite
• Credential testing tools
  • Hashcat
  • Medusa
  • Hydra
  • CeWl
  • John the Ripper
  • Cain
  • Mimikatz
  • Patator
  • DirBuster
• Debuggers
  • OllyDbg
  • Immunity Debugger
  • GNU Debugger(GDB)
  • WinDbg
  • Interactive Disassembler(IDA)
  • Covenant
  • SearchSploit
• OSINT
  • WHOIS
  • Nslookup
  • Fingerprinting Organization with Collected Archives(FOCA)
  • theHarvest
  • Shadon
  • Maltego
  • Recon-ng
  • Censys
• Wireless
  • Aircrack-ng suite
  • Kismet
  • Wifite2
  • Rogue access point
  • EAPHammer
  • mdk4
  • Spooftooph
  • Reaver
  • Wireless Geographic Logging Engine(WiGLE)
  • Fern
• Web application tools
  • OWASP ZAP
  • Burp Suite
  • Gobuster
  • w3af
• Social engineering tools
  • Social Engineering Toolkit(SET)
  • BeEF
• Remote access tools
  • Secure Shell(SHH)
  • Ncat
  • Netcat
  • ProxyChains
• Networking tools
  • Wireshark
  • Hping
• Misc.
  • SearchSploit
  • Responder
  • Impacket tools
  • Empire
  • Metasploit
  • mitm6
  • CrackMapExec
  • TruffleHog
  • Censys
• Steganography tools
  • Openstego
  • Steghide
  • Snow
  • Coagula
  • Sonic Visualiser
  • TinEye
• Cloud tools
  • Scout Suite
  • CloudBrute
  • Pacu
  • Cloud Custodian

Reference

CompTIA