CompTIA PenTest + Certification Boot Camp (PT0-002)

Description

Duration: 5 days

About the Course

The CompTIA PenTest+ Certification assesses the most up-to-date penetration testing, and vulnerability assessment and management skills necessary to determine the resiliency of the network against attacks. The CompTIA PenTest+ certification exam will verify successful candidates have the knowledge and skills required to:

  • Plan and scope a penetration testing engagement
  • Understand legal and compliance requirements
  • Perform vulnerability scanning and penetration testing using appropriate tools and
  • techniques, and then analyze the results
  • Produce a written report containing proposed remediation techniques, effectively
  • communicate results to the management team, and provide practical recommendations

Audience Profile

The CompTIA PenTest+ will certify the successful candidate has the knowledge and skills required to plan and scope a penetration testing engagement including vulnerability scanning, understand legal and compliance requirements, analyze results, and produce a written report with remediation techniques.

Learning Objectives

Planning and Scoping – Includes updated techniques emphasizing governance, risk, and compliance concepts, scoping and organizational/customer requirements, and demonstrating an ethical hacking mindset.

Information Gathering and Vulnerability Scanning – Includes updated skills on performing vulnerability scanning and passive/active reconnaissance, vulnerability management, as well as analyzing the results of the reconnaissance exercise.

Attacks and Exploits – Includes updated approaches to expanded attack surfaces, researching social engineering techniques, performing network attacks, wireless attacks, application-based attacks and attacks on cloud technologies, and performing post-exploitation techniques.

Reporting and Communication – Expanded to focus on the importance of reporting and communication in an increased regulatory environment during the pen testing process through analyzing findings and recommending appropriate remediation within a report.

Tools and Code Analysis – Includes updated concepts of identifying scripts in various software deployments, analyzing a script or code sample, and explaining use cases of various tools used during the phases of a penetration test. It is important to note that no scripting and coding is required.

Certification Exam

This training course prepares students for the CompTIA PenTest+ PT0-002 Exam.

Prerequisites

Network+, Security+ or equivalent knowledge. Minimum of 3-4 years of hands-on information security or related experience. While there is no required prerequisite, PenTest+ is intended to follow CompTIA Security+ or equivalent experience and has a technical, hands-on focus.

What’s included?

  • Authorized Courseware
  • Intensive Hands on Skills Development with an Experienced Subject Matter Expert
  • Hands-on practice on real Servers and extended lab support 1.800.482.3172
  • Examination Vouchers & Onsite Certification Testing- (excluding Adobe and PMP Boot Camps)
  • Academy Code of Honor: Test Pass Guarantee
  • Optional: Package for Hotel Accommodations, Lunch and Transportation

With several convenient training delivery methods offered, The Academy makes getting the training you need easy. Whether you prefer to learn in a classroom or an online live learning virtual environment, training videos hosted online, and private group classes hosted at your site. We offer expert instruction to individuals, government agencies, non-profits, and corporations. Our live classes, on-sites, and online training videos all feature certified instructors who teach a detailed curriculum and share their expertise and insights with trainees. No matter how you prefer to receive the training, you can count on The Academy for an engaging and effective learning experience.

Methods

  • Instructor Led (the best training format we offer)
  • Live Online Classroom – Online Instructor Led
  • Self-Paced Video

Speak to an Admissions Representative for complete details

StartFinishPublic PricePublic EnrollPrivate PricePrivate Enroll
12/20/202112/24/2021
01/10/202201/14/2022
01/31/202202/04/2022
02/21/202102/25/2022
03/14/202203/18/2022
04/04/202204/08/2022
04/25/202204/29/2022
05/16/202205/20/2022
06/06/202206/10/2022
06/27/202207/01/2022
07/18/202207/22/2022
08/08/202208/12/2022
08/29/202209/02/2022
09/19/202209/23/2022
10/10/202210/14/2022
10/31/202211/04/2022
11/21/202211/25/2022
12/12/202212/16/2022

Curriculum

1.0 Planning and Scoping

1.1 Explain the importance of planning for an engagement.

• Understanding the target audience
• Rules of engagement
• Communication escalation path
• Resources and requirements
– Confidentiality of findings
– Known vs. unknown
• Budget
• Impact analysis and remediation timelines
• Disclaimers
– Point-in-time assessment
– Comprehensiveness
• Technical constraints
• Support resources
– WSDL/WADL
– SOAP project file
– SDK documentation
– Swagger document
– XSD
– Sample application requests
– Architectural diagrams

1.2 Explain key legal concepts.

• Contracts
– SOW
– MSA
– NDA
• Environmental differences
– Export restrictions
– Local and national government restrictions
– Corporate policies
• Written authorization
– Obtain signature from proper signing authority
– Third-party provider authorization when necessary

1.3 Explain the importance of scoping an engagement properly

• Types of assessment
– Goals-based/objectives-based
– Compliance-based
– Red team
• Special scoping considerations
– Premerger
– Supply chain
• Target selection
– Targets
– Internal
– On-site vs. off-site
– External
– First-party vs. third-party hosted
– Physical
– Users
– SSIDs
– Applications
– Considerations
– Allow list vs. deny list
– Security exceptions
– IPS/WAF allow list
– NAC
– Certificate pinning
– Company’s policies
• Strategy
– Unknown environment vs. known environment vs. partially known environment
• Risk acceptance
• Tolerance to impact
• Scheduling
• Scope creep
• Threat actors
– Adversary tier
– APT
– Script kiddies
– Hacktivist
– Insider threat
– Capabilities
– Intent
– Threat models

1.4 Explain the key aspects of compliance-based assessments. 

• Compliance-based assessments, limitations and caveats
– Rules to complete assessment
– Password policies
– Data isolation
– Key management
– Limitations
– Limited network access
– Limited storage access
• Clearly defined objectives based on regulations

2.0 Information Gathering and Vulnerability Identification

2.1 Given a scenario, conduct information gathering using appropriate techniques.

• Scanning
• Enumeration
– Hosts
– Networks
– Domains
– Users
– Groups
– Network shares
– Web pages
– Applications
– Services
– Tokens
– Social networking sites
• Packet crafting
• Packet inspection
• Fingerprinting
• Cryptography
– Certificate inspection
• Eavesdropping
– RF communication monitoring
– Sniffing
– Wired
– Wireless
• Decompilation
• Debugging
• Open Source Intelligence Gathering
– Sources of research
– CERT
– NIST
– JPCERT
– CAPEC
– Full disclosure
– CVE
– CWE

2.2 Given a scenario, perform a vulnerability scan.

• Credentialed vs. non-credentialed
• Types of scans
– Discovery scan
– Full scan
– Stealth scan
– Compliance scan
• Container security
• Application scan
– Dynamic vs. static analysis
• Considerations of vulnerability scanning
– Time to run scans
– Protocols used
– Network topology
– Bandwidth limitations
– Query throttling
– Fragile systems/non-traditional assets

2.3 Given a scenario, analyze vulnerability scan results.

• Asset categorization
• Adjudication
– False positives
• Prioritization of vulnerabilities
• Common themes
– Vulnerabilities
– Observations
– Lack of best practices

2.4 Explain the process of leveraging information to prepare for exploitation.

• Map vulnerabilities to potential exploits
• Prioritize activities in preparation for penetration test
• Describe common techniques to complete attack
– Cross-compiling code
– Exploit modification
– Exploit chaining
– Proof-of-concept development (exploit development)
– Social engineering
– Credential brute forcing
– Dictionary attacks
– Rainbow tables
– Deception

2.5 Explain weaknesses related to specialized systems.

• ICS
• SCADA
• Mobile
• IoT
• Embedded
• Point-of-sale system
• Biometrics
• Application containers
• RTOS

3.0 Attacks and Exploits

3.1 Compare and contrast social engineering attacks.

• Phishing
– Spear phishing
– SMS phishing
– Voice phishing
– Whaling
• Elicitation
– Business email compromise
• Interrogation
• Impersonation
• Shoulder surfing
• USB key drop
• Motivation techniques
– Authority
– Scarcity
– Social proof
– Urgency
– Likeness
– Fear

3.2 Given a scenario, exploit network-based vulnerabilities.

• Name resolution exploits
– NETBIOS name service
– LLMNR
• SMB exploits
• SNMP exploits
• SMTP exploits
• FTP exploits
• DNS cache poisoning
• Pass the hash
• On-path attack (previously known as man-in-the-middle attack)
– ARP spoofing
– Replay
– Relay
– SSL stripping
– Downgrade
• DoS/stress test
• NAC bypass
• VLAN hopping

3.3 Given a scenario, exploit wireless and RF-based vulnerabilities.

• Evil twin
– Karma attack
– Downgrade attack
• Deauthentication attacks
• Fragmentation attacks
• Credential harvesting
• WPS implementation weakness
• Bluejacking
• Bluesnarfing
• RFID cloning
• Jamming
• Repeating

3.4 Given a scenario, exploit application-based vulnerabilities.

• Injections
– SQL
– HTML
– Command
– Code
• Authentication
– Credential brute forcing
– Session hijacking
– Redirect
– Default credentials
– Weak credentials
– Kerberos exploits
• Authorization
– Parameter pollution
– Insecure direct object reference
• Cross-site scripting (XSS)
– Stored/persistent
– Reflected
– DOM
• Cross-site request forgery (CSRF/XSRF)
• Clickjacking
• Security misconfiguration
– Directory traversal
– Cookie manipulation
• File inclusion
– Local
– Remote
• Unsecure code practices
– Comments in source code
– Lack of error handling
– Overly verbose error handling
– Hard-coded credentials
– Race conditions
– Unauthorized use of functions/unprotected APIs
– Hidden elements
– Sensitive information in the DOM
– Lack of code signing

3.5 Given a scenario, exploit local host vulnerabilities.

• OS vulnerabilities
– Windows
– Mac OS
– Linux
– Android
– iOS
• Unsecure service and protocol configurations
• Privilege escalation
– Linux-specific
– SUID/SGID programs
– Unsecure SUDO
– Ret2libc
– Sticky bits
– Windows-specific
– Cpassword
– Clear text credentials in LDAP
– Kerberoasting
– Credentials in LSASS
– Unattended installation
– SAM database
– DLL hijacking
– Exploitable services
– Unquoted service paths
– Writable services
– Unsecure file/folder permissions
– Keylogger
– Scheduled tasks
– Kernel exploits
• Default account settings
• Sandbox escape
– Shell upgrade
– VM
– Container
• Physical device security
– Cold boot attack
– JTAG debug
– Serial console

3.6 Summarize physical security attacks related to facilities.

• Piggybacking/tailgating
• Fence jumping
• Dumpster diving
• Lock picking
• Lock bypass
• Egress sensor
• Badge cloning

3.7 Given a scenario, perform post-exploitation techniques.

• Lateral movement
– RPC/DCOM
– PsExec
– WMI
– Scheduled tasks
– PS remoting/WinRM
– SMB
– RDP
– Apple Remote Desktop
– VNC
– X-server forwarding
– Telnet
– SSH
– RSH/Rlogin
• Persistence
– Scheduled jobs
– Scheduled tasks
– Daemons
– Back doors
– Trojan
– New user creation
• Covering your tracks

4.0 Penetration Testing Tools

4.1 Given a scenario, use Nmap to conduct information gathering exercises.

• SYN scan (-sS) vs. full connect scan (-sT)
• Port selection (-p)
• Service identification (-sV)
• OS fingerprinting (-O)
• Disabling ping (-Pn)
• Target input file (-iL)
• Timing (-T)
• Output parameters
-oA
-oN
-oG
-oX

4.2 Compare and contrast various use cases of tools.
(**The intent of this objective is NOT to test specific vendor feature sets.)

• Use cases
– Reconnaissance
– Enumeration
– Vulnerability scanning
– Credential attacks
– Offline password cracking
– Brute-forcing services
– Persistence
– Configuration compliance
– Evasion
– Decompilation
– Forensics
– Debugging
– Software assurance
– Fuzzing
– SAST
– DAST
• Tools
– Scanners
– Nikto
– OpenVAS
– SQLmap
– Nessus
– Credential testing tools
– Hashcat
– Medusa
– Hydra
– Cewl
– John the Ripper
– Cain and Abel
– Mimikatz
– Patator
– Dirbuster
– W3AF
– Debuggers
– OLLYDBG
– Immunity debugger
– GDB
– WinDBG
– IDA
– Software assurance
– Findbugs/findsecbugs
– Peach
– AFL
– SonarQube
– YASCA
– OSINT
– Whois
– Nslookup
– Foca
– Theharvester
– Shodan
– Maltego
– Recon-NG
– Censys
– Wireless
– Aircrack-NG
– Kismet
– WiFite
– Web proxies
– OWASP ZAP
– Burp Suite
– Social engineering tools
– SET
– BeEF
– Remote access tools
– SSH
– NCAT
– NETCAT
– Proxychains
– Networking tools
– Wireshark
– Hping
– Mobile tools
– Drozer
– APKX
– APK studio
– MISC
– Searchsploit
– Powersploit
– Responder
– Impacket
– Empire
– Metasploit framework

4.3 Given a scenario, analyze tool output or data related to a penetration test.

• Password cracking
• Pass the hash
• Setting up a bind shell
• Getting a reverse shell
• Proxying a connection
• Uploading a web shell
• Injections

4.4 Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell).

• Logic
– Looping
– Flow control
• I/O
– File vs. terminal vs. network
• Substitutions
• Variables
• Common operations
– String operations
– Comparisons
• Error handling
• Arrays
• Encoding/decoding

5.0 Reporting and Communication

5.1 Given a scenario, use report writing and handling best practices.

• Normalization of data
• Written report of findings and remediation
– Executive summary
– Methodology
– Findings and remediation
– Metrics and measures
– Risk rating
– Conclusion
• Risk appetite
• Storage time for report
• Secure handling and disposition of reports

5.2 Explain post-report delivery activities.

• Post-engagement cleanup
– Removing shells
– Removing tester-created credentials
– Removing tools
• Client acceptance
• Lessons learned
• Follow-up actions/retest
• Attestation of findings

5.3 Given a scenario, recommend mitigation strategies for discovered vulnerabilities.

• Solutions
– People
– Process
– Technology
• Findings
– Shared local administrator credentials
– Weak password complexity
– Plain text passwords
– No multifactor authentication
– SQL injection
– Unnecessary open services

• Remediation
– Randomize credentials/LAPS
– Minimum password requirements/password filters
– Encrypt the passwords
– Implement multifactor authentication
– Sanitize user input/parameterize queries
– System hardening

5.4 Explain the importance of communication during the penetration testing process.

• Communication path
• Communication triggers
– Critical findings
– Stages
– Indicators of prior compromise
• Reasons for communication
– Situational awareness
– De-escalation
– De-confliction
• Goal reprioritization