CompTIA®
PenTest+™ Practice Test
Exam PT0-001

Crystal Panek

Robb Tracy

This book is dedicated to my husband, William Panek, and to my daughters,
Alexandria and Paige. Thank you all for your love and support. I love you
all more than anything!

—CMP

Acknowledgments

I would like to thank my husband and best friend, Will, because without him I would not be where I am today—thank you! I would also like to express my love to my two daughters, Alexandria and Paige, who have always shown nothing but love and support. Thank you all!

The authors would like to thank everyone on our Sybex team, especially our development editor, Adaobi Obi Tulton, who helped make this the best book possible, and S. Russell Christy, who is the technical editor. It’s always important to have the very best technical guru supporting you. We want to thank Amy Odum, who was our production editor, and Kim Wimpsett, copyeditor.

Special thanks go out to our acquisitions editor, Kenyon Brown. Finally, we also want to thank everyone else behind the scenes who helped make this book possible. We thank you all for your hard work and dedication.


About the Author

Crystal Panek holds the following certifications: MCP, MCP+I, MCSA, MCSA+ Security and Messaging, MCSE-NT (3.51 & 4.0), MCSE 2000, 2003, 2012/2012 R2, 2016, MCSE+Security and Messaging, MCDBA, MCTS, MCITP.

For many years she worked as a contract instructor, teaching at such places as MicroC, Stellacon Corporation, and the University of New Hampshire. She then became the vice president of a large IT training company, and for 15 years she developed training materials and courseware to help thousands of students get through their certification exams. She currently works on a contract basis creating courseware for several large IT training facilities.

She currently resides in New Hampshire with her husband and two daughters. In her spare time, she likes to camp, hike, shoot trap and skeet, golf, bowl, and snowmobile.


About the Technical Editor

S. Russell Christy is a technical trainer from Memphis, Tennessee, covering a wide variety of products and specializing in computer maintenance, networking and security, Microsoft Office applications, and web and print design. For over 20 years he has deployed new desktops and operating systems, servers, and network hardware and software, while simultaneously troubleshooting various hardware and software issues.

Mr. Christy holds a bachelor's degree in business administration from the University of Memphis. He has additionally gained industry certifications in CompTIA A+, CompTIA Network+, CompTIA Server+, CompTIA Security+, CompTIA CySA+, Cisco CCNA CyberOps, MTA Windows Server Administration Fundamentals, Network Fundamentals, Security Fundamentals, and Windows OS Fundamentals, and Adobe Education Trainer.

Introduction

CompTIA PenTest+ Practice Tests: Exam PT0-001 is a companion to the CompTIA PenTest+ Study Guide: Exam PT0-001. This book will help you test your knowledge before you take the PenTest+ exam. We have provided you with over 1,000 questions that cover the concepts of the CompTIA PenTest+ certification exam objectives. This book will help prepare you to take the CompTIA PenTest+ (PT0-001) exam.

Use this book as a guide to help you determine what you need to focus more on prior to taking the actual exam.

Before you attempt to take the PenTest+ exam, you should already be a practicing security practitioner. CompTIA suggests that test-takers have an intermediate skill level based on their cybersecurity pathway. You should also be familiar with some of the tools and techniques that are covered in this book.

CompTIA

CompTIA is a nonprofit trade organization that offers certifications in a variety of Information Technology areas. The certifications range from the A+ exam, which covers the skills needed to become a PC support technician, to more advanced certifications such as the CompTIA Advanced Security Practitioner (CASP). With the ever-increasing number of cyberattacks and new connected devices, the need for skilled cybersecurity professionals is rapidly growing. The CompTIA Cybersecurity Career Pathway will help IT professionals achieve cybersecurity mastery.

The CompTIA CySA+ and CompTIA PenTest+ exams are considered to be more advanced exams and are intended for professionals with hands-on experience who also possess the knowledge covered by the previous exams from the Career Pathway.

CompTIA certifications are ISO and ANSI accredited and are used within a multitude of industries as a gauge of an individual’s technical skills and knowledge.

Why Certify?

CompTIA certifications help individuals create outstanding careers in the Information Technology field and allow companies to have knowledgeable and well-trained employees. In this day and age, certifications are deemed very important in the IT world. Employers that are looking to hire or promote need to make sure that the candidate has the skills needed for the position, and certification offers proof of those skills.

The CompTIA PenTest+ is for cybersecurity professionals whose job deals with penetration testing and vulnerability management.

Here is a list of a few positions that utilize the CompTIA PenTest+:

The CompTIA PenTest+ Exam

On July 31, 2018, CompTIA launched the PenTest+ certification. This cybersecurity certification is designed for IT professionals who need to identify, exploit, report and manage vulnerabilities on a network.

The CompTIA PenTest+ exam is the only penetration testing exam given at a Pearson VUE testing center that includes both performance-based questions and multiple-choice questions in order to ensure that the candidates have the skills and knowledge necessary to perform tasks on systems.

The PenTest+ exam is unique in that it requires candidates to demonstrate their hands-on ability and knowledge to test devices in traditional desktops and servers as well as new environments such as the cloud and mobile.

After completing the PenTest+ exam, successful candidates will have the skills required to customize and perform assessments and to efficiently report any findings. Candidates will also be able to communicate and recommend strategies to improve the overall state of IT security for a network.

The PenTest+ exam is designed to be a vendor-neutral certification for penetration testers. It is designed to measure current penetration testing, vulnerability assessment, and vulnerability management skills, focusing on network resiliency testing. Successful candidates will prove their ability to plan and scope assessments, to handle legal and compliance requirements, and to perform vulnerability scanning and penetration testing activities using a range of tools and techniques, as well as to analyze the results.

This book is broken down into the following exam objectives:

These five areas include a range of subtopics, from scoping penetration tests to performing host enumeration and exploits.

CompTIA recommends that candidates have three or four years of information security–related experience before taking this exam. While there are no required prerequisites, CompTIA recommends that candidates have already taken the Security+ exam or have equivalent experience. The exam costs $349 USD.

More information regarding the PenTest+ exam and how to take it can be found at: https://certification.comptia.org/certifications/pentest.

How Do You Become CompTIA PenTest+ Certified?

Once you are prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

https://store.comptia.org/p/CompTIAPENTEST

Once you have your voucher number, you will need to contact Pearson VUE. CompTIA has partnered with Pearson VUE, which has testing center locations worldwide. To locate the nearest testing center to you and to schedule your exam, go to: https://home.pearsonvue.com/comptia.

Pearson VUE requires that candidates sign into their system in order to schedule exams. If you have an account, just sign in. If you do not have an account, you will need to create one.

On the day of the exam, make sure to bring two forms of identification and to show up earlier than the exam start time to give yourself enough time to sign in. Remember that you will not be able to bring any notes, electronic devices, or other materials in with you. Either leave them in your vehicle or use the secure location the testing center provides for storing your belongings.

After the PenTest+ Exam

Once you have completed the exam, you will know your score immediately. The testing center will hand you a copy of your score report and sign you out of the testing center. You should maintain your copy of the score report along with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed periodically. To renew your certification, you must either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough Continuing Education Units (CEUs) to renew it. At the time this book was written, if using CEUs to renew the PenTest+ certification, it would cost you 60 CEUs.

CompTIA provides additional information on renewals at:

https://certification.comptia.org/continuing-education/how-to-renew

When you sign up to renew your certification, you will be asked to agree to the Continuing Education (CE) program’s Code of Ethics, pay your renewal fee, and to submit the materials required for your chosen renewal method.

Using This Book to Practice

This book is organized into seven chapters.

Each chapter covers an exam objective with a variety of questions that can help you test your understanding of the PenTest+ exam objectives. The final two chapters are practice exams that can act as timed practice exams to help determine if you are ready to take the PenTest+ exam.

We recommend taking the practice exams to help identify where you may need to spend more time studying.

As you work through some of the questions in this book, you may encounter tools and technology that you are unfamiliar with. If you find that you are having difficulties, we recommend spending some extra time with books and materials that will help you delve deeper into the subject of interest. This will help fill in any gaps and help you be more prepared to take the exam.

CompTIA PenTest+ Certification Exam Objectives

This book has been written to cover PenTest+ exam objectives. The table below lists the domains measured by this exam and the extent to which they are represented.

Exam Objective                                                 Percentage of Exam
1.0 Planning and Scoping                                       15%
2.0 Information Gathering and Vulnerability Identification     22%
3.0 Attacks and Exploits                                       30%
4.0 Penetration Testing Tools                                  17%
5.0 Reporting and Communication                                16%
Total                                                          100%

Objectives Map for CompTIA PenTest+ Exam PT0-001

The following objective map for the CompTIA PenTest+ certification exam will enable you to find where each objective is covered in the book.

Objectives Map

Objective Chapter
1.0 Planning and Scoping
1.1 Explain the importance of planning for an engagement. Chapter 1
Understanding the target audience, Rules of Engagement, Communication escalation path, Resources and requirements, Confidentiality of findings, Known vs. Unknown, Budget, Impact analysis and remediation timelines, Disclaimers, Point-in-time assessment, Comprehensiveness, Technical constraints, Support resource, Web Services Description Language/Web Application Description Language (WSDL/WADL), Simple Object Access Protocol (SOAP) project file, Software Development Kit (SDK) documentation, Swagger document, XML Schema Document (XSD), Sample application requests, Architectural diagrams
1.2 Explain key legal concepts. Chapter 1
Contracts, Statement of Work (SOW), Master Service Agreement (MSA), Non-Disclosure Agreement (NDA), Environmental differences, Export restrictions, Local and national government restrictions, Corporate policies, Written authorization, Obtain signature from proper signing authority, Third-party provider authorization when necessary
1.3 Explain the importance of scoping an engagement properly. Chapter 1
Types of assessment, goals-based/objectives-based, compliance-based, red team, special scoping considerations, premerger, supply chain, target selection, targets, internal, on-site vs. off-site, external, first-party vs. third-party hosted, physical users, service set identifier (SSID), applications, considerations, white-listed vs. black-listed, security exceptions, intrusion prevention system/web application firewall (IPS/WAF) whitelist, network access control (NAC), certificate pinning, company’s policies, strategy, black box vs. white box vs. gray box, risk acceptance, tolerance to impact, scheduling, scope creep, threat actors, adversary tier, advanced persistent threat (APT), script kiddies, hacktivist, insider threat, capabilities, intent, threat models
1.4 Explain the key aspects of compliance-based assessments. Chapter 1
Compliance-based assessments, limitations and caveats, Rules to complete assessment, password policies, data isolation, key management, limitations, limited network access, limited storage access, clearly defined objectives, based on regulations
2.0 Information Gathering and Vulnerability Identification
2.1 Given a scenario, conduct information gathering using appropriate techniques. Chapter 2
Scanning, enumeration, hosts, networks, domains, users, groups, network shares, web pages, applications, services, tokens, social networking sites, packet crafting, packet inspection, fingerprinting, cryptography, certificate inspection, eavesdropping, radio frequency (RF) communication monitoring, sniffing, wired, wireless, decompilation, debugging, open-source intelligence gathering, sources of research, Computer Emergency Response Team (CERT), National Institute of Standards and Technology (NIST), Japan Computer Emergency Response Team (JPCERT), Common Attack Pattern Enumeration and Classification (CAPEC), full disclosure, Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE)
2.2 Given a scenario, perform a vulnerability scan. Chapter 2
Credentialed vs. noncredentialed, types of scans, discovery scan, full scan, stealth scan, Compliance scan, Container security, application scan, dynamic vs. static analysis, Considerations of vulnerability scanning, time to run scans, Protocols used, Network topology, Bandwidth limitations, query throttling, fragile systems/nontraditional assets
2.3 Given a scenario, analyze vulnerability scan results. Chapter 2
Asset categorization, adjudication, false positives, prioritization of vulnerabilities, common themes, vulnerabilities, observations, lack of best practices
2.4 Explain the process of leveraging information to prepare for exploitation. Chapter 2
Map vulnerabilities to potential exploits, prioritize activities in preparation for penetration test, describe common techniques to complete attack, cross-compiling code, exploit modification, exploit chaining, proof-of-concept development (exploit development), social engineering, credential brute forcing, dictionary attacks, rainbow tables, deception

2.5 Explain weaknesses related to specialized systems. Chapter 2
Industrial control systems (ICS), supervisory control and data acquisition (SCADA), mobile, Internet of Things (IoT), embedded, point-of-sale system, biometrics, application containers, real-time operating system (RTOS)
3.0 Attacks and Exploits
3.1 Compare and contrast social engineering attacks. Chapter 3
Phishing, spear phishing, short message service (SMS) phishing, voice phishing, whaling, elicitation, business email compromise, interrogation, impersonation, shoulder surfing, universal serial bus (USB) key drop, motivation techniques, authority, scarcity, social proof, urgency, likeness, fear
3.2 Given a scenario, exploit network-based vulnerabilities. Chapter 3
Name resolution exploits, network basic input/output system (NetBIOS) name service, link-local multicast name resolution (LLMNR), server message block (SMB) exploits, simple network management protocol (SNMP) exploits, simple mail transfer protocol (SMTP) exploits, file transfer protocol (FTP) exploits, domain name service (DNS) cache poisoning, pass the hash, man-in-the-middle, address resolution protocol (ARP) spoofing, replay, relay, secure sockets layer (SSL) stripping, downgrade, denial of service (DoS)/stress test, network access control (NAC) bypass, virtual local area network (VLAN) hopping
3.3 Given a scenario, exploit wireless and RF-based vulnerabilities. Chapter 3
Evil twin, karma attack, downgrade attack, deauthentication attacks, fragmentation attacks, credential harvesting, Wi-Fi protected setup (WPS) implementation weakness, bluejacking, bluesnarfing, radio frequency identification (RFID) cloning, jamming, repeating
3.4 Given a scenario, exploit application-based vulnerabilities. Chapter 3
Injections, structured query language (SQL), hypertext markup language (HTML), command, code, authentication, credential brute forcing, session hijacking, redirect, default credentials, weak credentials, Kerberos exploits, authorization, parameter pollution, insecure direct object reference, cross-site scripting (XSS), stored/persistent, reflected, document object model (DOM), cross-site request forgery (CSRF/XSRF), clickjacking, security misconfiguration, directory traversal, cookie manipulation, file inclusion, local, remote, unsecure code practices, comments in source code, lack of error handling, overly verbose error handling, hard-coded credentials, race conditions, unauthorized use of functions/unprotected application programming interface (API), hidden elements, sensitive information in the document object model (DOM), lack of code signing
3.5 Given a scenario, exploit local host vulnerabilities. Chapter 3
Operating system (OS) vulnerabilities, Windows, Mac operating system (OS), Linux, Android, iPhone operating system (iOS), unsecure service and protocol configurations, privilege escalation, Linux-specific, set user id/set group id (SUID/SGID) programs, unsecure sudo, ret2libc, sticky bits, Windows-specific, cpassword, clear text credentials in lightweight directory access protocol (LDAP), Kerberoasting, credentials in local security authority subsystem service (LSASS), unattended installation, security account manager (SAM) database, dynamic link library (DLL) hijacking, exploitable services, unquoted service paths, writable services, unsecure file/folder permissions, keylogger, scheduled tasks, kernel exploits, default account settings, sandbox escape, shell upgrade, virtual machine (VM), container, physical device security, cold boot attack, joint test action group (JTAG) debug, serial console
3.6 Summarize physical security attacks related to facilities. Chapter 3
Piggybacking/tailgating, fence jumping, Dumpster diving, lock picking, lock bypass, egress sensor, badge cloning
3.7 Given a scenario, perform post-exploitation techniques. Chapter 3
Lateral movement, remote procedure call/distributed component object model (RPC/DCOM), PsExec, Windows Management Instrumentation (WMI), scheduled tasks, PowerShell (PS) remoting/WinRM, server message block (SMB), remote desktop protocol (RDP), Apple Remote Desktop, virtual network connection (VNC), X-server forwarding, Telnet, secure shell (SSH), remote shell (RSH)/Rlogin, persistence, scheduled jobs, scheduled tasks, daemons, back doors, trojan, new user creation, covering your tracks
4.0 Penetration Testing Tools
4.1 Given a scenario, use Nmap to conduct information gathering exercises. Chapter 4
Synchronize (SYN) scan (-sS) vs. full connect scan (-sT), port selection (-p), service identification (-sV), OS fingerprinting (-O), disabling ping (-Pn), target input file (-iL), timing (-T), output parameters, -oA (all), -oN (normal), -oG (greppable/searchable), -oX (XML output)
4.2 Compare and contrast various use cases of tools. Chapter 4
Use cases, reconnaissance, enumeration, vulnerability scanning, credential attacks, offline password cracking, brute-forcing services, persistence, configuration compliance, evasion, decompilation, forensics, debugging, software assurance, fuzzing, static application security testing (SAST), dynamic application security testing (DAST), tools, scanners, Nikto, OpenVAS, SQLmap, Nessus, credential testing tools, Hashcat, Medusa, Hydra, CeWL, John the Ripper, Cain and Abel, Mimikatz, Patator, DirBuster, Web Application Attack and Audit Framework (w3af), debuggers, OllyDbg, Immunity Debugger, GNU Project Debugger (GDB), WinDbg, IDA, software assurance, FindBugs/FindSecBugs, Peach, AFL, SonarQube, YASCA, open source intelligence (OSINT), whois, nslookup, FOCA, theHarvester, Shodan, Maltego, Recon-ng, Censys, wireless, Aircrack-ng, Kismet, WiFite, web proxies, OWASP ZAP, Burp Suite, Social-Engineer Toolkit (SET), Browser Exploitation Framework (BeEF), remote access tools, secure shell (SSH), Ncat, Netcat, proxychains, networking tools, Wireshark, hping, mobile tools, Drozer, APKX, APK Studio, misc, searchsploit, PowerSploit, Responder, Impacket, Empire, Metasploit Framework
4.3 Given a scenario, analyze tool output or data related to a penetration test. Chapter 4
Password cracking, pass the hash, setting up a bind shell, setting a reverse shell, proxying a connection, uploading a web shell, injections
4.4 Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell). Chapter 4
Logic, looping, flow control, input/output (I/O), file vs. terminal vs. network, substitutions, variables, common operations, string operations, comparisons, error handling, arrays, encoding/decoding
5.0 Reporting and Communication
5.1 Given a scenario, use report writing and handling best practices. Chapter 5
Normalization of data, written report of findings and remediation, executive summary, methodology, findings and remediation, metrics and measures, risk rating, conclusion, risk appetite, storage time for report, secure handling and disposition of reports
5.2 Explain post-report delivery activities. Chapter 5
Post-engagement cleanup, removing shells, removing tester-related credentials, removing tools, client acceptance, lessons learned, follow-up actions/retest, attestation of findings
5.3 Given a scenario, recommend mitigation strategies for discovered vulnerabilities. Chapter 5
Solutions, people, process, technology, findings, shared local administrator credentials, weak password complexity, plain text passwords, no multifactor authentication, Structured Query Language (SQL) injection, unnecessary open services, remediation, randomize credentials/Local Administrator Password Solution (LAPS), minimum password requirements/password filters, encrypt the passwords, implement multifactor authentication, sanitize user input/parameterize queries, system hardening
5.4 Explain the importance of communication during the penetration testing process. Chapter 5
Communication path, communication triggers, critical findings, stages, indicators of prior compromise, reasons for communication, situational awareness, de-escalation, de-confliction, goal reprioritization