Professional Documents
Culture Documents
ISBN: 978-1-26-427490-1
MHID: 1-26-427490-4
The material in this eBook also appears in the print version of this
title: ISBN: 978-1-26-427489-5, MHID: 1-26-427489-0.
Glossary
Index
CONTENTS
Acknowledgments
Introduction
Chapter 1 Planning and Engagement
Governance, Risk, and Compliance
Regulatory and Compliance Considerations
Testing Limitations
Time-Based Limitations
Asset Scope Limitations
Tool Limitations
Allowed and Disallowed Tests
Contracts and Documentation
Master Services Agreement
Nondisclosure Agreement
Statement of Work
Rules of Engagement
Permission to Test
Scope and Requirements
Standards
Environmental Considerations for Scoping
Target Selection
Contract Review
Communication Planning
Professionalism and Integrity
Communication
Integrity
Risks to the Tester
Chapter Review
Questions
Answers
References
Chapter 2 Information Gathering and Vulnerability
Scanning
Passive Reconnaissance
DNS Recon
OSINT
Search Engines
Active Reconnaissance
Host Enumeration
Service Identification and Fingerprinting
Web Content Enumeration
User Enumeration
Defense Detection and Detection Avoidance
Vulnerability Scanning and Analysis
Credentialed vs. Noncredentialed Scanning
Compliance and Configuration Auditing
Vulnerability Research Sources
Chapter Review
Questions
Answers
References
Chapter 3 Network-Based Attacks
Name Resolution Exploits
DNS Spoofing and Cache Poisoning
Attacking LLMNR and NetBIOS
Password Attacks
Brute-Force and Dictionary Attacks
Password Spraying
Hash Cracking
Stress Testing Applications and Protocols
Network Packet Manipulation
Analyzing and Inspecting Packets
Forge and Decode Packets
Layer 2 Attacks
Attacking the Spanning Tree Protocol
VLAN Hopping
Bypassing Network Access Controls
Researching an Attack
An Attack on FTP
An Attack on Samba and NFS
Chapter Review
Questions
Answers
Chapter 4 Wireless and RF Attacks
802.11 Wireless
Wireless Networking Overview
Wireless Testing Equipment
Attacking Wireless
Attacking Bluetooth
Bluetooth Specifications
Device Discovery
Bluetooth Attacks
RFID and NFC
Chapter Review
Questions
Answers
References
Chapter 5 Web and Database Attacks
OWASP Top Ten
Injection Attacks
Command Injection
SQL Injection
LDAP Injection
Cross-Site Scripting
Cross-Site Request Forgery
Attacking Authentication and Session Management
Brute-Force Login Pages
Session Management Testing
Data Exposure and Insecure Configuration
Weak Access Controls
Exposing Sensitive Data
Directory and Path Traversals
Sensitive Data Exposure
Inclusion Attacks
Race Conditions
Chapter Review
Questions
Answers
Chapter 6 Attacking the Cloud
Account and Privilege Attacks
Credential Harvesting
Privesc
Account Takeover
Password Spraying
Misconfigured Cloud Assets
Identity and Access Management
Federation
Object Storage
Containerization Technologies
Cloud-Centric Attacks
Denial of Service
Cloud Malware Injection
Side-Channel Attacks
Software Development Kits
Chapter Review
Questions
Answers
Chapter 7 Specialized and Fragile Systems
Mobile Devices
Testing Concepts
Mobile Hardware
Mobile Operating Systems Overview
Mobile Applications Overview
Testing iOS
Testing Android
Virtual and Containerized Systems
Other Nontraditional Systems
SCADA and Industrial Control Systems
Embedded Systems
Chapter Review
Questions
Answers
Chapter 8 Social Engineering and Physical Attacks
Physical Security and Social Engineering
Pretexting and Impersonation
Methods of Influence
Social Engineering and Physical Attacks
Phishing Attacks
Other Web Attacks
Social Engineering Tools
Dumpster Diving
USB Dropping
Shoulder Surfing
Tailgating
Badges
Basic Physpen Tools
Countermeasures
Chapter Review
Questions
Answers
References
Chapter 9 Post-Exploitation
Enumeration
Discovery
Credential Access
Privilege Escalation
Linux Privilege Escalation
Windows Privilege Escalation
Covert Channels and Data Exfiltration
SSH Tunneling
Shell Types
Command and Control
Data Exfiltration
Lateral Movement
Living Off the Land
Passing the Hash
RPC/DCOM
Remote Desktop Protocol
WinRM
Maintaining Persistence
Windows
Linux
Covering Your Tracks
Clearing Command History
Timestomping
File Deletion
Chapter Review
Questions
Answers
Chapter 10 Post-Engagement Activities
The Anatomy of a Pentest Report
Reporting Audience
Report Contents
Storage and Secure Distribution
Attestations
Findings, Recommendations, and Analysis
Recommendations
Common Themes and Root Causes
Post-Engagement Activities
Cleanup
Client Acceptance
Lessons Learned
Retesting and Follow-up
Chapter Review
Questions
Answers
References
Chapter 11 Tools and Code Analysis
Logic Constructs
Conditionals
Loops
Boolean Operators
Arithmetic and String Operators
Data Structures
Key Values and Keys
Arrays, Dictionaries, and Lists
Trees
CSV, XML, and JSON
Other Programming Concepts
Procedures
Functions
Classes
Libraries
Practical Examples
Bash
Python
Perl
Ruby
JavaScript
PowerShell
Specialized Examples
Bash Shells
Bash Automation
PowerShell Shells
PowerShell: Enumerating AD Users and
Computers
Python Port Scanner
Python Encoding
Using Python to Upgrade to a Fully Interactive
Shell
Using Perl to Modify IP Addresses in a File
Perl Reverse Shell
JavaScript Downloader
Chapter Review
Questions
Answers
Chapter 12 Tools Inventory
Appendix A Objective Map
Objective Map: Exam PT0-002
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Other Book Resources
Performance-Based Questions
Downloadable Content
Technical Support
Glossary
Index
ACKNOWLEDGMENTS
End-of-Chapter Questions
At the end of each chapter, you’ll find review questions that cover
the material you learned in that particular chapter. These questions
are designed to help you test your understanding of the subject
matter as it is presented within the book. They are not designed to
evaluate your specific preparedness for the exam. For each question
there is an answer and explanation as to why it is the right answer.
You should find the answers to the end-of-chapter questions a little
more definitive than the answers on the CompTIA PenTest+ exam.
Some of those answers could swing either way, or you may find that
none of the answers provided is the best choice for the question. A
test-taking strategy you can use for the CompTIA PenTest+ exam
(and the practice questions provided) is the process of elimination.
The questions are multiple choice (with the exception of some of the
performance-based questions you may be asked), so you should be
able to narrow down your selection to maximize your potential for
getting the correct answer.
Compliance Concepts
You should have a basic understanding of a few common GRC
concepts when discussing the penetration test with your clients.
These may be mentioned in standards and regulations or internal
policies, and you will need to be aware of how they affect your
decisions about penetration testing.
Confidentiality is the concept of limiting access to data based on
need to know. Companies and individuals who own and process data
are frequently held responsible by regulations and standards for
preventing unauthorized disclosure of the data. As a pentester, you
will typically be contractually responsible for safeguarding the
secrets of your client as well. We’ll talk more about this later in this
chapter when we address contracts and documentation.
Privacy is not the same as confidentiality. Privacy is a legal concept
that addresses what rights an individual has to control how their
personal information is used, collected, and disclosed. Standards and
regulations can define these rights and therefore the rules under
which a company handles this data.
That brings us to data types. Each standard or regulation defines
what it considers to be protected data. Ask your client about what
data they consider important, but also what data they have that is
considered to be protected data by the regulations and industry
standards they follow. Then, make sure you know how to recognize
this data when you see it during a pentest. For this chapter, we’ll talk
about three types of data you may see during compliance-based
penetration tests.
Personally identifiable information (PII) or personal
information is generally data that allows identification of one
individual over other individuals. It is often considered to be a single
piece of data (such as a Social Security number or other national
identifier) or a combination of data (such as a name and postal
address). This information is considered sensitive due to legal
requirements surrounding privacy. The specifics of each standard or
regulation will define what is considered personal data.
Protected health information (PHI) is similar to PII, but it
applies to data that was created or used in a health care context.
This may apply to medical diagnoses, provider visit details, or other
attributes that define an individual’s health or health care. As with
PII, individual regulations will define what constitutes PHI. For
example, the U.S. Health Insurance Portability and Accountability Act
defines 18 specific pieces of information that classify as PHI,
including e-mail addresses, bank account numbers, last name plus
first initial, biometric identifiers, and treatment dates, among others.
Cardholder data (CHD) is often specific to Payment Card Industry
Data Security Standards (PCI-DSS). This is a type of PII that is
specifically related to cardholders. Protected data may include
account numbers, authentication data for financial transactions using
payment cards, and other customer data either alone or in
combination. Identifying this data when it is stored or transmitted
during a penetration test may be central requirements during
compliance-based pentesting efforts.
GDPR
The General Data Protection Regulation 2016/679, or GDPR, is a law
passed within the European Union (EU) that imposes data privacy
and security obligations on organizations that target or collect data
related to people in the EU.2 It’s important to note that this applies
to anyone, even if they are outside of the EU, as long as they
process personal data of people in the EU or offer goods and
services to people in the EU. As of the time of this writing, the law
was retained in the United Kingdom after Brexit.
Personal data is defined by GDPR as data that can be used to
distinguish one individual from other individuals, either directly or
with the use of additional information.3 A nonexhaustive list provided
by GDPR lists identifiers that may be used alone or in combination
with one another to describe personal data. Such information, when
captured in testing artifacts, may need to be anonymized or
removed when stored or used in reports in order to meet the terms
of the law. However, GDPR does not define what form testing must
take or how frequently it must occur.
NOTE Performing work for an organization that is subject to GDPR
may also require a discussion with your legal counsel in order to
confirm whether additional contract language is required during test
planning. Pentesters should also discuss whether they need to
observe any special procedures when accessing, storing, or
transmitting protected information during the course of testing.
PCI-DSS
In an effort to combat financial crime, the major payment card
brands (Visa, MasterCard, American Express, Discover, and JCB)
established the Payment Card Industry Security Standards Council
(PCI-SSC)5 to define a series of rules that businesses that process
payments using payment cards should follow in order to better
secure card data and transactions. The resulting standard is called
PCI-DSS.
NOTE Information in this chapter applies to PCI-DSS version 3.2.1.
For the most up-to-date version of the standard, you should refer to
the standards directly in the PCI-SSC document library:
https://www.pcisecuritystandards.org/document_library
Testing Limitations
Other limitations may apply when you are scoping a pentest, such as
testing windows and time frames, what tools you are allowed to use,
assets you are not allowed to test, and methods you are allowed to
use during testing. Some of these limitations are imposed by city,
state, or country laws. Others may be imposed by the organization
being tested. As a pentester, you should ask what limitations apply
as part of scoping. That may mean consulting with legal counsel
when operating in an unfamiliar geography or having a discussion
with stakeholders about the effect on the test resulting from such
limitations. As these limitations affect what you are able to test, they
may affect the results of your testing, so you will need to document
those impacts in your reporting and contracts. Let’s look at three
examples.
Time-Based Limitations
Assume your client wishes to limit you to testing between the hours
of 8 P.M. and 6 A.M. when no users are active. Their goal is for you to
explore the impact of a compromised computer inside their network.
Since no users are logged in, you will not likely have success with
social engineering efforts simulating a business e-mail compromise
or attacks that rely on user interaction. Since your test can’t examine
the impact of those kinds of attacks, the report results must reflect
that. What if no business transactions occur at this time? You
wouldn’t be able to get an accurate assessment of the security of
those transactions within this limitation either.
There are often perfectly good reasons for a client to request
limitations for testing. In some cases, testing may be limited to
business hours instead. Security staff may rotate based on a follow-
the-sun rotation, and the client may desire to test responses of
specific staff. Clients may have limited staff and want to engage in
known behavior only during business hours to avoid paying
overtime. A peak sales event may coincide with the contract for
pentest being signed, and the pentest dates or times may need to
be shifted to avoid disruption of the business-critical event. Don’t
immediately reject time-based limitations. Instead, discuss them
with your client so that the impact of the decision to limit testing is
mutually understood.
Let’s switch this for a minute and think about other time-based
limitations. What if your customer wants you to perform a remote
pentest against 6,000 Internet-facing web applications and only has
budget for three days of penetration testing effort from one tester?
Their objective is to assess the risk that an Internet-based attacker
can achieve access to their network via their web applications. This
kind of time limitation may affect how thorough you are able to be
and affect the number or type of findings you are able to identify. Is
that enough time to identify software dependencies that might result
in access if a third-party software is compromised? Is that even
enough time to inventory the sites and possible injection points for
basic web application testing? During scoping, you may need to limit
what tests are performed, renegotiate the target scope, or ask for
more system access to get closer to the customer’s goals.
NOTE It is worth noting that thoroughness (depth and breadth) of
testing are directly affected by the pentester’s skill, the amount of
information about the targets that is given to the pentester by the
client, and the amount of time granted for testing. These concepts
bear special consideration during scoping, budgeting, and client
expectation setting.
Tool Limitations
You may be required to use a limited toolset during a pentest. In
some cases, local laws will forbid the use of certain kinds of tools or
tests. In other cases, clients may require that testers use an
approved list of client tools. Sometimes, the pentester may choose
to limit tools used in the interest of time or budget for the work
being purchased. Each of these bears discussion during scoping to
examine the impact to testing, test results, cost of the test, and
resource planning.
Consider the case where you are asked to perform a pentest that
involves gaining physical access into an access-controlled facility in a
state where you do not live or normally work. The client’s objective
is to validate the security of the locks, doors, windows, and security
cameras they have chosen to secure their data center. With some
research, you find that the locks are trivial to pick with a set of lock
picks, and a Slim Jim would likely gain access through one or more
sliding windows. However, you are not a licensed locksmith in that
locale, and possession of those tools is against the law for anyone
without a license. In this case, you may not legally be able to
practically prove these weaknesses by performing the attack, but
only present your research in the report unless you are able to
partner with a licensed locksmith for that locale.
Here’s another scenario. Let’s assume that the client is not a highly
secured enterprise, but they want to know how they do against the
biggest and the best. They want you to throw every trick in the book
at them, but their budget is limited. Development of custom exploits
is certainly possible, but it would be time consuming and require the
attention of your best pentesters. To keep the client happy and stay
within budget, the pentester might choose to limit attacks to not
include proprietary exploits, but offer to test using other techniques
designed to simulate an advanced attack.
EXAM TIP The test might include questions that will ask which
document or contract should be referenced or used, given a certain
scenario. Make sure to understand the differences between the
types.
This type of service agreement may also cover other items, such as
corporate social responsibility, business ethics, network and facility
access, or any other term critical for all future agreements. Often, an
MSA is used in fields that tend to be open ended and support an
organization’s functional areas, like manufacturing, sales, accounting
and finance, and so on.
Nondisclosure Agreement
The nondisclosure agreement (NDA) is a confidentiality agreement
that protects a business’s competitive advantage by protecting its
proprietary information and intellectual property. It is in a company’s
best interest to execute an NDA during a pentest, especially when
outsourcing the work to an external service vendor. In the event the
organization is compromised, the vendor is obligated to maintain the
secrecy of the privileged information it might obtain during the
pentest.
Statement of Work
The statement of work (SOW) is a formal document that is routinely
employed in the field of project management, which outlines project-
specific work to be executed by a service vendor for an organization.
An SOW can also be a provision found in the MSA. It explains the
problem to be solved, the work activities, the project deliverables,
and the timeline for when the work is to be completed. The
statement of work typically addresses the following subjects:
Rules of Engagement
The rules of engagement (RoE) document puts into writing the
guidelines and constraints regarding the execution of a pentest—
most importantly, what is and is not authorized for testing; for
example, whether or not brute force is an allowed tactic, whether
brute-force counts are limited by password lockout policies,
automated fuzzing versus manual exploitation, etc. The RoE can be
part of the SOW or treated as a separate deliverable. This document
requires sign-off from the service vendor, as well as the client, to
show that the baseline expectations have been set and agreed upon,
but it is not always subject to the same legal review as an MSA or an
SOW. Cloud service provider approvals may also need to be added
as an appendix to the RoE, if applicable.
This document elaborates on certain subjects defined in the SOW,
such as scope, location, applicable industry standards, and timelines.
Communication and escalation paths are also defined so the pentest
team knows who to contact and how in the event of an issue. This
may include expectations for the customer as well. The RoE is
established before starting a pentest. Examples of RoEs can be
found in Appendix B of the NIST Special Publication 800-115
document hosted at https://www.nist.gov and in section 2.4 of the
OSSTMM hosted at https://www.isecom.org/OSSTMM.3.pdf.
Permission to Test
Documents that grant permission to test must be signed by
someone with authority over the assets being tested. This authority
must be legally able to bless the terms of testing on behalf of the
asset owners in all contracts and documentation. These documents
should grant permission for testing activities to occur and set clear
expectations that penetration testers are not held liable for system
instability or crashes and that the tester will perform due diligence to
avoid damage to systems as part of testing. Pentesters must do their
own due diligence to verify that the person who is requesting the
testing has the authority over tested assets in order to approve the
test or that additional permission has been acquired.
Standards
The strategy or methodology used for penetration testing will
depend on the organization’s rationale for the assessment, which
could be driven based on the organizational threat model. Simply
put, this is how you plan to approach the task of testing the security
objectives of your client. This covers details such as how much
information you are given about the target environment prior to
testing, your vectors of attack, the types of systems you will target,
and what methods of attack you will employ within your testing
limitations. Several industry-recognized standards offer testing
methodologies that can be used as part of a valid testing strategy.
Let’s talk about a few of these.
MITRE ATT&CK
MITRE ATT&CK is not a holistic pentest methodology, but rather a
knowledge base of attacker actions created from a survey of publicly
reported attacker activities. The objective is to catalog these actions
using standardized reference criteria (tactics, techniques, and
subtechniques) so that different groups can discuss and document
them in the same terms. Pentesters can use ATT&CK to make threat
actor emulation plans9 and may be asked to provide an ATT&CK-
labeled attack tree or labels inside of a report.
ATT&CK is organized into matrices of attack components. Each
matrix is designed to address attacker activities in different operating
platforms. The Enterprise matrix addresses attacks for Windows,
Linux, macOS, network-specific attacks, and cloud and container
technologies. There are also matrices for mobile and industrial
control system (ICS) platforms.
Within each matrix, attacks are categorized by tactic. Tactics attempt
to describe an attacker’s high-level objective for using that method
of attack. These were originally designed to follow the phases of
attack described by Lockheed-Martin’s Cyber Kill Chain, a method of
describing attacks at a high level. To see how this works, consider
the Initial Access tactic in the ATT&CK Enterprise Matrix. This tactic
describes attacks that an attacker might use to gain a foothold on a
system. Another tactic, Credential Access, describes activities an
attacker might perform to gather usernames or passwords.
———
Updated editions will replace the previous one—the old editions will
be renamed.
1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the terms
of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.
• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.F.
1.F.4. Except for the limited right of replacement or refund set forth in
paragraph 1.F.3, this work is provided to you ‘AS-IS’, WITH NO
OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.
Please check the Project Gutenberg web pages for current donation
methods and addresses. Donations are accepted in a number of
other ways including checks, online payments and credit card
donations. To donate, please visit: www.gutenberg.org/donate.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.