CompTIA PenTest+ Study Guide — Ch. 1 Notes

Here are my notes for the first chapter of CompTIA PenTest+ Study Guide, 2nd Edition, by MikeMike Chapple and David Seidl. If you’re interested in the other resources I’m using to prepare for this exam, check out my story — Preparing for CompTIA PenTest+.

CompTIA PenTest+ objectives covered:

Full exam objectives for PT0–002 can be found here.

  • 1.3 Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity.

• Background checks of penetration testing team • Adhere to specific scope of engagement • Identify criminal activity • Immediately report breaches/ criminal activity • Limit the use of tools to a particular engagement • Limit invasiveness based on scope • Maintain confidentiality of data/information • Risks to the professional — Fees/fines — Criminal charges

Exam Essentials

  • Know how the CIA and DAD triads describe the goals of cybersecurity professionals and attackers.
  • Be able to name several important benefits of penetration testing.
  • Understand that penetration testing may be conducted to meet regulatory requirements.
  • Describe how both internal and external teams may conduct penetration tests.
  • Know the four phases of the penetration testing process.
  • Describe the tools used by penetration testers.

Notes from the book:

Requirement 6.5 includes a listing of common vulnerabilities, such as SQL injection, buffer overflow, insecure cryptographic storage, insecure communications, improper error handling, cross‐site scripting, improper access controls, cross‐site request forgery, broken authentication, and other “high‐risk” vulnerabilities.

Organizations that must comply with PCI DSS should also read the detailed Information Supplement: Penetration Testing Guidance available from the PCI Security Standards Council at www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf. This document covers in great detail how organizations should interpret these requirements.

There’s a bit of tricky language surrounding the use of the words internal and external when it comes to penetration tests. If you see these words used on the exam (or in real life!), be sure that you understand the context. Internal penetration tests may refer either to tests conducted by internal teams (as described in this section) or to tests conducted from an internal network perspective. The latter tests are designed to show what activity a malicious insider could engage in and may be conducted by either internal or external teams. Similarly, an external penetration test may refer to a test that is conducted by an external team or a test that is conducted from an external network perspective.

If you are subject to regulatory requirements that include penetration testing, be sure to understand how those requirements impact your selection of a testing team.

If you look at CompTIA’s PenTest+ Certification Exam Objectives document, you’ll find that there are actually five domains of material covered by the exam. The four domains shown in Figure 1.3 each map to one of the stages of the penetration testing process. Domain 5 is titled “Tools and Code Analysis” and includes coverage of the many tools used during all stages of the penetration testing process.

As you plan your cybersecurity certification journey, you should know that there is significant overlap between the material covered in this domain and the material covered in Domain 2 (which is Vulnerability Management) of the Cybersecurity Analyst+ (CySA+) exam. There is also quite a bit of overlap between the basic security concepts and tools covered by both exams. If you successfully pass the PenTest+ exam, you might want to consider immediately moving on to the CySA+ exam because you’ll already have mastered about a third of the material covered on that test.

My Notes

The true test of a hacker’s ability is how well a hacker synthesizes the information provided by hacking tools to pinpoint potential weaknesses.

Penetration tests are authorized, legal attempts to defeat an organization’s security controls and perform unauthorized activities.

Goals of Cyber Security: Confidentiality, Integrity, Availability (CIA Triad)

Attackers seek to undermine the CIA triad with the DAD triad: Disclosure, Alteration, Denial

Cyber security defenders need to defend against ALL possible threats, while attackers only need to find a single vulnerability. Defenders need to win every time, attackers only need to win once.

Pentesters must adopt the “hacker mindset.” To think like an attacker to hack into systems, to think like a criminal. Find holes in the security controls put in place, or find areas where security was overlooked.

Although pentesters are hackers in that they use hacking tools and techniques, pentesters are guided by a code of ethics, professionalism and integrity that regulate activity. Pentesters who exceed the bounds of ethical hacking could get arrested!

Why conduct penetration tests? There’s no better way to find problems in your security posture than to try and “break” it. An organization gets a greater insight into their defenses by taking on the hacker mindset to find vulnerabilities. Also, if a penetration test is conducted by folks with similar knowledge and skills as real attackers and can’t get a foothold, you can be reasonably assured your current defenses are adequate. If a pentester, however, can penetrate defenses then that provides a blueprint for security remediation.

Threat hunting: adopting a hacker’s mindset but not to attack, but search for evidence/artifacts of a successful attack. Threat hunters act under the presumption of compromise, assuming a successful attack has occurred and then finding evidence. They also attempt to analyze the factors that lead to such a compromise to remediate deficiencies.

Pentests also satisfy regulatory requirements. The biggest example is Payment Card Industry Data Security Standard (PCI DSS). Such regulations often supply specific checklists of what is to be tested, and how often. Generally, pentests need to be conducted at least annually or after a significant change in infrastructure or application upgrade or modification.

Penetration tests can be either internal or external. Internal teams are employed by the organization they are testing. Typically internal teams have contextual knowledge of the organization which improves effectiveness of tests. Also, it is generally cheaper. However, internal teams can have both conscious and unconscious biases, as well as a lack of independence, that make it more difficult to find security flaws.

External teams are hired outside of the organization and generally have highly talented attackers and greater independence. However, they are usually pretty expensive, but you may get higher fidelity test results.

Penetration tests must be recurring. Vulnerabilities may be introduced as organizations grow and change. Also, attack techniques evolve and change over time.

CompTIA penetration testing stages: Planning and Scoping; Information Gathering and Vulnerability Scanning; Attacking and Exploiting; Reporting and Communicating Results

Planning and Scoping: Work with clients to understand what exactly is being tested, what are the rules of engagement, and what is the scope of the work. Also, need proper documentation stating authorization to hack the client.

Information Gathering and Vulnerability Scanning: This is the recon phase, gather as much information as possible to plan attacks.

Attacks and Exploits: This is fun stuff! Execute the attack plan to get as deeply into the network as possible (NOTE: must stay within the agreed boundaries and adhere to the rules of engagement.)

Reporting and Communication: This is were your findings are reported so the client can fix the security issues you found.

The Cyber Kill Chain: Reconnaissance > Weaponization > Delivery > Exploitation > Installation > Command & Control > Actions on Objectives

Tools of the Trade: The rest of the chapter outlines, at a high level, tools that are typically used for various aspects of a pentest. I’ll omit the specific tools here for brevity, but refer to the book or the official exam objectives (link above) to see the full list.

Reconnaissance tools: These tools focus on Open Source Intelligence (OSINT) to comb through public information.

Vulnerability Scanners: After finding targets through recon, these tools help find vulnerabilities in the targets.

Social Engineering (SE) tools: These tools helps gather credentials from users.

Credential Testing Tools: If unable to harvest credentials through SE, these tools brute force or reverse-engineer hashed passwords.

Debuggers and Software Testing Tools: These provide insight into software to be able to reverse engineer code to deliver malicious code.

Network Testing tools: these tools help identify and exploit flaws in networks.

Remote Access tools: After gaining initial access, an attacker needs a way to establish persistence via remote access.

Exploitation tools: These tools use a variety of exploits to automate compromising systems and escalating privileges.

Steganography: These tools hide and extract data within certain media files or binaries.

Cloud Tools: These tools focus on cloud services.

Thanks for using my notes to help with your studies!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jon Headley

Jon Headley

From Electrical Engineering to officer in the Air Force to copier salesman to network engineer to python developer to cybersecurity…where will I go next?