CompTIA PenTest+ (PT0-002) Study Notes PDF

Summary

These study notes cover the CompTIA PenTest+ (PT0-002) course. They outline the stages of penetration testing, recommended prerequisites, the five exam domains, and important exam details. The notes also discuss risk management, including inherent risk, residual risk, and risk handling strategies, and then move into planning and scoping an engagement.

Full Transcript


CompTIA PenTest+ (PT0-002) Study Notes

Welcome to the PenTest+ (PT0-002) Course

Welcome
  o CompTIA PenTest+ Certification
    ▪ Considered an intermediate-level certification for technical professionals who conduct penetration testing and vulnerability management in on-premise, cloud, and hybrid environments in their careers
  o Penetration Testing/Vulnerability Assessment Stages
    ▪ Planning and scoping
    ▪ Reconnaissance
    ▪ Scanning
    ▪ Enumeration
    ▪ Attack
    ▪ Exploitation
    ▪ Reporting
    ▪ Communication
  o Recommended Prerequisites
    ▪ Intermediate-level security professionals with at least 3 to 4 years of broad hands-on experience
    ▪ Security+ and CySA+ certified (not a strict requirement)
        Knowledge from the CompTIA Security+ exam is considered assumed knowledge
        o Computer security
        o Security analysis
        o Penetration testing
  o Five Domains
    ▪ Domain 1: Planning and Scoping (14%)
        Focused on techniques that emphasize governance, risk, and compliance concepts, scoping and organizational or customer requirements, and demonstrating an ethical hacking mindset
    ▪ Domain 2: Information Gathering and Vulnerability Scanning (22%)
        Focused on your ability to conduct vulnerability scanning, passive reconnaissance, active reconnaissance, vulnerability management, and analyzing various types of scanning and enumeration results
    ▪ Domain 3: Attacks and Exploits (30%)
        Focused on your ability to research social engineering techniques, perform network attacks, conduct wireless attacks, perform application-based attacks, conduct attacks on cloud technologies, and perform post-exploitation techniques against the expanded attack surfaces that exist in a typical enterprise network
    ▪ Domain 4: Reporting and Communication (18%)
        Focused on your ability to document the findings from a penetration test, analyze the results, and recommend appropriate remediations for the identified vulnerabilities in a well-written report to meet business and regulatory compliance requirements
    ▪ Domain 5: Tools and Code Analysis (16%)
        Focused on your ability to identify the proper tool to be used during each phase of a penetration test based on a given use case, and your ability to identify and analyze scripts or code samples and their intended effects in several programming and scripting languages, such as Python, Ruby, Perl, JavaScript, PowerShell, and Bash
    ▪ You don't have to be an expert in any of these programming and scripting languages
    ▪ Domains and their objectives will not be presented in order
    ▪ You will get a mixture of questions from across all five domains and the 21 objectives
  o About the Exam
    ▪ 165 minutes to answer up to 90 questions (~70-90)
    ▪ Multiple-choice, multiple-select, PBQs
    ▪ 3-5 PBQs, 80-85 multiple-choice/multiple-select questions
    ▪ Score at least 750 out of 900 points to pass (80-85%)
  o Exam Voucher
    ▪ Get your exam voucher at store.comptia.org for regular pricing
    ▪ Save 10% and get access to our searchable video library when you get your exam voucher at diontraining.com/vouchers
  o Four Tips
    ▪ Closed captions are available
    ▪ You can adjust the playback speed
    ▪ Download and print this study guide
    ▪ Join our Facebook group at facebook.com/groups/diontraining
        If you don't have Facebook, you can email us at [email protected]

Exam Tips
  o Tips and Tricks
    ▪ There will not be any trick questions on test day
    ▪ Be on the lookout for distractors or red herrings
    ▪ Pay close attention to words that are in different formats
    ▪ Base your answers on your studies instead of personal work experience
    ▪ Choose the answer that is correct for the highest number of situations
    ▪ Recognize, not memorize
    ▪ Most tool-based questions require you to know the 'why' behind using such tools

-1- https://www.DionTraining.com © 2022 Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA. CompTIA ® is a registered trademark of the Computer and Computing Technology Industry Association. All rights reserved.
v1.0 CompTIA PenTest+ (PT0-002) Study Notes
Planning an Engagement

Planning an Engagement
  o Engagement
    ▪ A singular penetration testing project planned and scoped by the requesting client and the performing analysts
  o Domain 1: Planning and Scoping
    ▪ Objective 1.1 Compare and contrast governance, risk, and compliance concepts
    ▪ Objective 1.2 Explain the importance of scoping and organizational/customer requirements
    ▪ Objective 1.3 Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity
  o Penetration Tester
    ▪ An authorized threat actor who tries to identify the ways an unauthorized intruder could damage a network

Risk
  o Risk
    ▪ The probability that a threat will be realized
    ▪ Cybersecurity Analyst
        Minimizes vulnerabilities
    ▪ Penetration Tester
        Finds and exploits vulnerabilities
  o Vulnerability
    ▪ Any weakness in the system design or implementation
  o Threat
    ▪ Anything that could cause harm, loss, damage, or compromise to information technology systems
  o Risk Management
    ▪ Finds ways to minimize the likelihood of a certain outcome from occurring and to achieve the desired outcomes
  o Risk Types
    ▪ Inherent Risk
        Occurs when a risk is identified but no mitigation factors are applied
        There will always be some inherent risk that some attackers will try to exploit
    ▪ Residual Risk
        Occurs when a risk is calculated after applying mitigations and security controls
    ▪ Risk Exception
        Created risk due to an exemption being granted or failure to comply with corporate policy
        Mitigations
        o Track exceptions
        o Measure potential impact
        o Implement compensating controls

Risk Handling
  o Risk Avoidance
    ▪ Stops a risky activity or chooses a less risky alternative
    ▪ Eliminates the hazards, activities, and exposures with potential negative effects
  o Risk Transfer
    ▪ Passes the risk to a third party, such as an insurance company
  o Risk Mitigation
    ▪ Minimizes the risk to a level which the organization can accept
  o Risk Acceptance
    ▪ Accepts the current level of risk and the costs associated with it if that risk were realized
  o Risk Appetite
    ▪ The amount of risk an organization is willing to accept in pursuit of its objectives
    ▪ Also called risk attitude and risk tolerance
    ▪ Risk appetite vs. risk tolerance
        Risk appetite
        o Overall generic level of risk the organization is willing to accept
        Risk tolerance
        o Specific maximum risk the organization is willing to take about a specific identified risk
  o There will always be tradeoffs in choosing which risk handling action to take
    ▪ The higher the security, the higher the cost, and often, the lower the usability

Controls
  o Categories
    ▪ Compensative
        Used in place of a primary access control measure to mitigate a given risk
        Example: dual control
    ▪ Corrective
        Reduces the effect of an undesirable event or attack
        Examples: fire extinguishers and antivirus solutions
    ▪ Detective
        Detects an ongoing attack and notifies the proper personnel
        Examples: alarm systems, closed circuit television systems, and honeypots
    ▪ Deterrent
        Discourages any violation of security policies, both by attackers and insiders
        Example: surveillance camera sign
    ▪ Directive
        Forces compliance with the security policy and practices within the organization
        Example: Acceptable Use Policy (AUP)
    ▪ Preventive
        Prevents or stops an attack from occurring
        Examples: password protection, security badges, antivirus software, and intrusion prevention systems
    ▪ Recovery
        Recovers a device after an attack
        Examples: Disaster Recovery Plans (DRPs), backups, and continuity of operations plans
  o Defense in depth
    ▪ Layers various access controls for additional security
  o Broad Categories
    ▪ Administrative (Managerial)
        Manages personnel and assets through security policies, standards, procedures, guidelines, and baselines
        Examples: proper data classification and labeling, supervision of personnel, and security awareness training
    ▪ Logical (Technical)
        Implemented through hardware or software and used to prevent or restrict access to a system
        Examples: firewalls, intrusion detection systems, intrusion prevention systems, authentication schemes, encryption, new protocols, auditing or monitoring software, and biometrics
        o Auditing
          ▪ One-time evaluation of a security posture
        o Monitoring
          ▪ Ongoing process that continually evaluates the system or its users
          ▪ Organizations should automate the process as much as is practical
          ▪ Continuous monitoring includes:
              Change management
              Configuration management
              Log monitoring
              Status report analysis
    ▪ Physical
        Protects the organization's personnel and facilities
        Examples: fences, locks, security badges, proximity cards for entry into the building, guards, access control vestibules, biometrics, and other means of securing the facility

PenTest Methodologies
  o Methodology
    ▪ A system of methods used in a particular area of study or activity
  o Methodology (PenTest)
    ▪ The systematic approach a pentester uses before, during, and after a penetration test, assessment, or engagement
    ▪ Penetration tests use the same steps taken by threat actors or hackers
  o NIST Special Publication 800-115
    ▪ Technical Guide to Information Security Testing and Assessment
  o Adversary Emulation
    ▪ Mimics the tactics, techniques, and procedures of a real-world threat actor in a penetration test
  o MITRE ATT&CK Framework
    ▪ A knowledge base maintained by the MITRE Corporation for listing and explaining common adversary tactics and techniques observed in the real world (attack.mitre.org)
    ▪ Maps out each threat actor's methodology during different types of attacks
    ▪ It is a great way to visualize an adversary's techniques, capabilities, and capacities

Penetration Standards
  o Open Web Application Security Project (OWASP)
    ▪ Provides community-led software projects, education, and training, and has become the source for securing the web (owasp.org)
    ▪ OWASP Web Security Testing Guide
        A comprehensive guide to testing the security of web applications and web services
    ▪ OWASP Top 10
        A standard awareness document for developers and web application security
  o Open-Source Security Testing Methodology Manual (OSSTMM)
    ▪ Provides a methodology for a thorough security test
    ▪ Open-source and free to disseminate and use
    ▪ Latest version (Ver. 3) was released in 2010
    ▪ OSSTMM Audit
        Used to create an accurate measurement of security at an operational level in an organization, void of assumptions and anecdotal evidence
  o Information Systems Security Assessment Framework (ISSAF)
    ▪ A comprehensive guide for conducting a penetration test that links individual penetration testing steps with the relevant penetration testing tools
    ▪ Created by the Open Information Systems Security Group (OISSG)
    ▪ Last updated in 2015
  o Penetration Testing Execution Standard (PTES)
    ▪ Developed to cover everything related to a penetration test
    ▪ Aims to provide a common language and scope for performing penetration tests

Planning a Test
  o Who is the target audience?
    ▪ The scope will be vastly different because of different sizes, missions, and operations
  o What is the objective?
    ▪ Understanding the target audience and their budget can help design a better engagement that most efficiently and effectively meets the objectives
  o What resources will be required?
    ▪ Adjust the scope based on the available resources
    ▪ Consider what resources will be needed and the cost associated with them
  o Is this a compliance-based assessment?
    ▪ Most organizations or legislative bodies provide checklists for testers to utilize, which ensures all the appropriate devices have been scanned to the appropriate level
  o Who will we communicate with and how often?
    ▪ You will need a trusted agent inside the organization that you can communicate with
  o What product will be required to be presented at the end of the assessment?
    ▪ Report requirements are negotiable and should be discussed during planning
  o Are there technical constraints placed upon the engagement?
    ▪ Any limitations or constraints must be understood during the planning phase so that the assessment can be properly scoped
    ▪ Ensure the organization understands the assessment is just a snapshot of their current security posture
  o How comprehensive will the penetration test need to be?
    ▪ The more comprehensive it is, the longer the duration and the larger the scope
    ▪ Determine which parts of the organization will be included in the assessment

Legal Concepts
  o Written Permission
    ▪ Prevents a penetration tester, also known as an ethical hacker or authorized hacker, from going to prison
    ▪ Ensure the client is aware that certain types of testing during the engagement may cause damage to their systems or the information they contain
  o Statement of Work (SOW)
    ▪ A formal document that details the tasks to be performed during an engagement
    ▪ The statement of work will usually contain the list of deliverables
        Final report
        Responsibilities of the penetration tester and the client
        Schedule
        Timelines for payments
  o Master Service Agreement (MSA)
    ▪ A specialized type of contract that is used to govern future transactions and agreements
  o Service-Level Agreement (SLA)
    ▪ A commitment between a service provider (pentester) and a client, commonly used for security-as-a-service types of products or penetration testing services
  o Non-Disclosure Agreement (NDA)
    ▪ A legal document that stipulates that the parties will not share confidential information, knowledge, or materials with unauthorized third parties
    ▪ Ask clients to also sign your own version of an NDA
  o Confidentiality
    ▪ The principle and practice of keeping sensitive information private unless the data owner or custodian gives explicit consent to have it shared with a third party
    ▪ Gain a clear understanding of what data is sensitive to the organization and how to best protect it

Regulatory Compliance
  o Health Insurance Portability and Accountability Act (HIPAA)
    ▪ Affects healthcare providers, facilities, insurance companies, and medical data clearing houses
  o Health Care and Education Reconciliation Act of 2010
    ▪ Affects both healthcare and educational organizations
  o Sarbanes-Oxley (SOX)
    ▪ Affects publicly traded U.S. corporations
    ▪ Enacted by Congress as the Public Company Accounting Reform and Investor Protection Act of 2002
    ▪ Failure to follow can result in senior leadership receiving jail time for non-compliance
  o Gramm-Leach-Bliley Act of 1999 (GLBA)
    ▪ Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers
        Directly affects the security of personally identifiable information
        Prohibits sharing financial information with any third parties
        Provides guidelines for securing that financial information
  o Federal Information Security Management Act of 2002 (FISMA)
    ▪ Affects federal agencies
    ▪ Replaced and strengthened the Computer Security Act of 1987
  o Federal Privacy Act of 1974
    ▪ Affects any U.S. government computer system that collects, stores, uses, or disseminates personally identifiable information
    ▪ The Federal Privacy Act does not apply to private corporations
  o Family Educational Rights and Privacy Act (FERPA)
    ▪ Protects the privacy of student education records
  o Economic Espionage Act of 1996
    ▪ Affects organizations with trade secrets and anyone who tries to use encryption for criminal activities
  o Children's Online Privacy Protection Act (COPPA)
    ▪ Imposes certain requirements on website owners and online services that are directed to children under 13 years of age
    ▪ The fine from the Federal Trade Commission (FTC) is about $40,000 per violation
  o General Data Protection Regulation (GDPR)
    ▪ Places specific requirements on how consumer data of the residents of the European Union and Britain must be protected
    ▪ Personal data cannot be collected, processed, or retained without informed consent
    ▪ "The right to be forgotten"
    ▪ GDPR applies globally to all companies and organizations that perform business with European Union citizens
    ▪ Failure to comply with GDPR's requirements can lead to fees or fines levied against the organization
    ▪ A GDPR checklist can be found at gdpr.eu
  o Payment Card Industry Data Security Standard (PCI-DSS)
    ▪ An agreement that any organization which collects, stores, or processes credit card customer information must abide by
    ▪ PCI-DSS is a standard, and technically not a regulation
    ▪ Cardholder Data Protection
        Create and maintain a secure infrastructure using dedicated appliances and software to monitor and prevent attacks
        Employ best practices, such as changing default passwords and training users not to fall victim to phishing campaigns
        Continuously monitor for vulnerabilities and use updated antimalware protections
        Provide strong access control mechanisms and utilize the concept of least privilege
    ▪ Requires a consistent process of assessment, remediation, and reporting
    ▪ Qualified Security Assessor (QSA)
        Designation for authorized independent security organizations that are certified to the PCI-DSS standards
    ▪ Report on Compliance (ROC)
        Details an organization's security posture, environment, systems, and protection of cardholder data
    ▪ Level 2, 3, and 4 merchants can conduct a self-test to prove active efforts of securing infrastructure
    ▪ PCI-DSS also requires regular vulnerability scans to be conducted

Professionalism
  o A penetration tester must be aware of the laws that deal with hacking, since penetration testing is effectively hacking
  o Consult with an attorney before accepting and attempting a penetration testing assignment
  o Section 1029
    ▪ Focused on fraud and related activity with access devices
  o Section 1030
    ▪ Focused on fraud and related activity with computers, which is loosely defined to include any device connected to a network
    ▪ Also covers the act of exceeding one's access rights
  o Written Permission
    ▪ Secure written permission from the target organization
    ▪ Your "get out of jail free" card
  o Cloud Providers
    ▪ Gain permission from the target organization, as well as from the cloud provider
  o Confidentiality
    ▪ You are responsible for protecting the confidential information you will find
    ▪ You are also responsible for protecting the information about network vulnerabilities
    ▪ Each team member should have a background check conducted on them
  o Termination
    ▪ Stop immediately upon discovering a real attack or scanning the wrong target
  o Fees, Fines, and Criminal Charges
    ▪ During planning, think about the possible scenarios
    ▪ Make sure the process is clearly understood by those who need to be involved
    ▪ The thing that separates penetration testers from malicious actors is permission

Scoping an Engagement

Scoping an Engagement
  o Scope
    ▪ The combined objectives and requirements needed to complete an engagement
    ▪ The scope of the project should be agreed upon first
  o Domain 1: Planning and Scoping
    ▪ Objective 1.1 Compare and contrast governance, risk, and compliance concepts
    ▪ Objective 1.2 Explain the importance of scoping and organizational/customer requirements
    ▪ Objective 1.3 Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity

Defining the Scope
  o A proper scoping process ensures a cost-effective penetration test
    ▪ All parties must have a clear understanding of the test's goals and objectives
  o Other Factors to Consider
    ▪ Wireless local area network
    ▪ VPN connection
    ▪ Cloud migration
  o Cloud Services
    ▪ Software as a Service (SaaS)
        The service provider provides the client organization with a complete solution
    ▪ Infrastructure as a Service (IaaS)
        The service provider provides dynamic allocation of additional resources without requiring clients to buy the hardware and underlying operating systems
    ▪ Platform as a Service (PaaS)
        The service provider provides the client organization with the hardware and software needed for a specific service to operate
  o Application Programming Interface (API)
    ▪ A type of software intermediary that allows two applications to talk to each other
  o Identify any web or mobile applications that may become part of the scope
    ▪ Local network
    ▪ Cloud server
    ▪ Web or mobile applications

Adversary Emulation
  o Adversary Emulation
    ▪ A specialized type of penetration testing that involves trying to mimic the tactics, techniques, and procedures of a real-world threat actor
  o Threat Actor
    ▪ The generic term used to describe unauthorized hackers who wish to harm networks or steal secure data
  o Script Kiddie
    ▪ The least skilled type of attacker, who uses freely available tools on the Internet or in openly available security toolsets that penetration testers might also use
    ▪ Script kiddies conduct their attacks for profit, to gain credibility, or just for laughs
  o Insider Threat
    ▪ People who have authorized access to an organization's network, policies, procedures, and business practices
    ▪ Prevention
        Data loss prevention
        Internal defenses
        SIEM search
  o Competitor
    ▪ A rogue business that attempts to conduct cyber espionage against an organization
  o Organized Crime
    ▪ A category of threat actor that is focused on hacking and computer fraud in order to receive financial gains
    ▪ Organized crime hackers are well-funded and can use sophisticated tools
  o Hacktivist
    ▪ A politically motivated hacker who targets governments, corporations, and individuals to advance their own political ideologies or agendas
  o Nation-State/Advanced Persistent Threat (APT)
    ▪ A group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system
    ▪ Nation states conduct highly covert attacks over long periods of time
    ▪ Plausible deniability
    ▪ False flag attack
        o Uses the TTPs of a different nation state in order to implicate them in an attack
  o Each threat actor conducts these attacks for different reasons and motivations
    ▪ Use threat actor knowledge to conduct threat modeling and emulation
        Simulating an APT attack involves developing your own custom code and exploits
        Emulating a script kiddie involves the use of open-source tools to conduct the attacks
        Modeling an insider threat would require some internal knowledge about the target

Target List
  o Internal Target
    ▪ Inside the organization's firewall; requires testers to be on-site, gain access through a VPN, or exploit a user's computer inside the organizational network
  o External Target
    ▪ Can be accessed directly from across the Internet
  o First-party and Third-party Hosted Assets
    ▪ You must be informed whether you are allowed to attack first-party hosted servers only, or also assets hosted by a third party
  o If a physical assessment will be in scope, determine which locations are covered by the scope of the assessment
  o On-Site Asset
    ▪ Any asset that is physically located where an attack is being carried out
  o Off-Site Asset
    ▪ Any asset that provides a service for a company but is not necessarily located at the same place
    ▪ Employee-owned devices may also be categorized as an off-site location
v1.0 CompTIA PenTest+ (PT0-002) Study Notes o Users tend to be the easiest attack vector to go after o Negotiate which network is included and excluded in the scope of the engagement ▪ IP addresses or ranges ▪ Associated domains or subdomains ▪ DNS servers o Autonomous System Number (ASN) ▪ A unique identifier that defines a group of one or more IP prefixes run by one or more network operators that maintain a single, clearly defined routing policy o A web application and its associated APIs could be used for either public facing applications or only be used internal to the organization ▪ Determine any mission-critical web applications Identifying Restrictions o Ensure the organization understands the exact operational impact of the risk tolerance and restrictions ▪ Risk tolerance will also impact the schedule and timing of a penetration test o Scope Creep ▪ Occurs when a client starts asking for more services than what is listed in the statement of work ▪ Prevention Addendum to the contract Prearranged cost for expansion o Location ▪ The location of the client, the pentester, or the in-scope third-party hosted services will also have restrictions ▪ Consult with your lawyer before accepting a contract and ensure you can legally perform the services - 24 - https://www.DionTraining.com © 2022 Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA. CompTIA ® is a registered trademark of the Computer and Computing Technology Industry Association. All rights reserved. v1.0 CompTIA PenTest+ (PT0-002) Study Notes o Regulations ▪ U.S. 
Export Administration Regulations (EAR) ▪ Wassenaar Arrangement Outlaws the exportation of a technology that can be used both in a regular commercial setting and as a weapon Many penetration testing tools are also considered surveillance tools under the Wassenaar Agreement o Encryption o Wireshark ▪ A powerful open-source protocol analysis tool that can decrypt many different types of encryption protocols Rules of Engagement o Rules of Engagement (ROE) ▪ The ground rules that both the organization and the penetration tester must abide by o Timeline ▪ Used to represent a series of events that transpire within a discrete period o Locations ▪ All authorized locations should be listed in the ROE, especially those that cross international borders o Time Restrictions ▪ Used to specify certain times that a penetration tester is authorized or unauthorized to conduct their exploits and attacks ▪ Explain the importance of conducting the penetration test during normal business hours o Transparency - 25 - https://www.DionTraining.com © 2022 Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA. CompTIA ® is a registered trademark of the Computer and Computing Technology Industry Association. All rights reserved. 
  ▪ Trusted Agent
    An in-house staff member who is designated as a monitor in the organization during the assessment
    The trusted agent can also provide the penetration testers with resources
o Boundaries
  ▪ Used to refer to what systems may be targeted or what techniques can be utilized

Assessment Types
o Goal-Based Assessment
  ▪ A type of assessment with a specific goal in mind
o Objective-Based Assessment
  ▪ A type of assessment where the tester seeks to ensure that the information remains secure
  ▪ Objective-based assessment is more like a real attack
o Compliance-Based Assessment
  ▪ A type of assessment that focuses on finding out if policies and regulations are being properly followed
    Examples: PCI-DSS, GDPR, HIPAA, Sarbanes-Oxley, GLBA
o Premerger Assessment
  ▪ A type of assessment that is conducted before two companies merge, during a period known as due diligence
o Supply Chain Assessment
  ▪ A type of assessment that occurs when a company requires its suppliers to ensure that they meet a given level of cybersecurity requirements
  ▪ Get permission from the owner of the network (the organization's supplier) before the engagement
o Red Team Assessment
  ▪ A type of assessment against the organizational network that is executed by their own internal penetration testers
o Testing Strategies
  ▪ Unknown Environment
    An assessment where the penetration tester has no prior knowledge of the target organization or its network
    The penetration tester will spend a lot of time in the information gathering and vulnerability scanning phase
  ▪ Partially-Known Environment
    The most common type of assessment, which entails partial knowledge of the target organization and its information systems
    This decreases the time spent in the information gathering phase, leaving more time for identifying potential vulnerabilities
  ▪ Known Environment
    A test where the penetration tester is given all the details about the organization, network, systems, and underlying infrastructure
    The penetration tester can spend more time probing for vulnerabilities and exploits

Validating the Scope
o Key Areas
  ▪ The scope and the in-scope target assets
  ▪ What is excluded from the scope and considered out of bounds
  ▪ What strategy will be used
  ▪ What the timeline will be for any testing
  ▪ Any restrictions or applicable laws that will apply to the engagement
  ▪ Any third-party service providers, services, or off-site locations that are being considered
  ▪ The proper communication channels to use during the assessment to provide updates to key stakeholders
o Allowed List
  ▪ Authorized targets
o Excluded List
  ▪ Unauthorized targets
o Think about any possible security exceptions that may need to be utilized as contingencies

Limitations and Permission
o If there is an accidental unauthorized disclosure, your company may be held liable
o Contractual Documents
  ▪ Statement of Work
  ▪ Master Service Agreement
  ▪ Service-Level Agreement
  ▪ Non-Disclosure Agreement
  ▪ In your contracts and final documentation, always include any disclaimers and liability limitations to protect yourself and your company
o During Engagement
  ▪ Always maintain your professionalism as a penetration tester
  ▪ Your team will be limited to performing only what are considered allowable tests
  ▪ Limit the invasiveness of the engagement based upon the agreed-upon scope
  ▪ Limit the use of specific tools to specific types of engagements
  ▪ It is better to ask permission than to beg forgiveness in penetration testing

Passive Reconnaissance
Passive Reconnaissance
o Reconnaissance
  ▪ Focuses on gathering as much information about the target as possible, and can be either passive or active in nature
o Domain 2: Information Gathering and Vulnerability Scanning
  ▪ Objective 2.1: Given a scenario, perform passive reconnaissance

Information Gathering
o Reconnaissance
  ▪ Learning about an organization in a systematic attempt to locate, gather, identify, and record information about the targets
o Footprinting
  ▪ Figuring out exactly what types of systems the organization uses in order to attack them in the next phase of the assessment
o Passive Reconnaissance
  ▪ Attempts to gain information about targeted computers and networks without actively engaging with those systems
    Online research
    Social engineering
    Dumpster diving
    Email harvesting
  ▪ Gather and catalog all reconnaissance findings for others to review and use
  ▪ Large penetration testing teams often assign different roles to different members

Open-Source Intelligence (OSINT)
o Open-Source Intelligence (OSINT)
  ▪ The collection and analysis of data gathered from publicly available sources to produce actionable intelligence
    Social media
    Blogs
    Newspapers
    Government records
    Academic/professional publications
    Job listings
    Metadata
    Website information
o Check out the company's investor relations site or page on its main site
o Understand the culture of a target company by checking blogs and social media
o Key Details
  ▪ Roles different employees have
  ▪ Different teams and departments
  ▪ Contact information
  ▪ Technical aptitude and security training
  ▪ Employee and managerial mindset

Social Media Scraping
o Start with the organization's own social media profiles and accounts
  ▪ Some employees even publish their own personally identifiable information
o LinkedIn
o Monster
o Indeed
o ZipRecruiter
o Glassdoor

OSINT Tools
o Open-source intelligence tools find actionable intelligence from various publicly available sources
  ▪ Public websites
  ▪ Whois database
  ▪ DNS servers
o Metagoofil
  ▪ A Linux-based tool that can search the metadata associated with public documents located on a target's website
o Metadata
  ▪ The data about the data in a file
o Fingerprinting Organizations with Collected Archives (FOCA)
  ▪ Used to find metadata and hidden information in documents collected from an organization
o The Harvester
  ▪ A program for gathering emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports, and service banners from servers
o Recon-ng
  ▪ Uses a system of modules to add additional features and functions for your use
  ▪ It is a cross-platform web reconnaissance framework
o Shodan
  ▪ A website search engine for web cameras, routers, servers, and other devices that are considered part of the Internet of Things
o Censys
  ▪ A website search engine used for finding hosts and networks across the Internet, with data about their configuration
o Maltego
  ▪ A piece of commercial software used for conducting open-source intelligence that visually helps connect the relationships between findings
  ▪ It can automate the querying of public sources of data and then compare it with other information from various sources

DNS Information
o Domain Name System (DNS)
  ▪ A system that helps network clients find a website using human-readable hostnames instead of numeric IP addresses
o Address (A) Record
  ▪ Links a hostname to an IPv4 address
o AAAA Record
  ▪ Links a hostname to an IPv6 address
o Canonical Name (CNAME) Record
  ▪ Points a domain to another domain or subdomain
o Mail Exchange (MX) Record
  ▪ Directs email to a mail server
o Start of Authority (SOA) Record
  ▪ Stores important information about a domain or zone
o Pointer (PTR) Record
  ▪ Correlates an IP address with a domain name
o Text (TXT) Record
  ▪ Adds text into the DNS
o Service (SRV) Record
  ▪ Specifies a host and port for a specific service
o Nameserver (NS) Record
  ▪ Indicates which DNS nameserver is authoritative for the zone
o Pull up and look at all the DNS records to check for relevant information
  ▪ Focus on MX, TXT, and SRV records to check for email and third-party SaaS solutions
o Name Server Lookup (nslookup)
  ▪ A cross-platform tool used to query the DNS for the mapping between domain names and IP addresses or other DNS records
o Whois
  ▪ A query and response protocol for information about Internet resources, available as a command line tool on Linux and as a website
  ▪ Whois is not nearly as valuable as before, but is still worth reviewing

Public Repositories
o Public Source Code Repositories
  ▪ Websites that allow developers to work together in an agile way to create software very quickly
  ▪ Private files can sometimes be mistakenly classified as public for anyone to find
  ▪ Examples: GitHub, Bitbucket, SourceForge
  ▪ Public source code repositories contain a lot of valuable data
o Website Archives/Caches
  ▪ Wayback Machine
  ▪ Deleted data can still exist somewhere on the Internet
o Image Search

Search Engine Analysis
o Google Hacking
  ▪ Open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications
    Quotes
      o Use double quotes to specify an exact phrase and make a search more precise
    NOT
      o Use the minus sign in front of a word or quoted phrase to exclude results that contain that string
    AND/OR
      o Use these logical operators to require both search terms (AND) or to require either search term (OR)
    Scope
      o Different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor
    URL Modifiers
      o Modifiers that can be added to the results page URL to affect the results, such as &pws=0, &filter=0, and &tbs=li:1
o Google Hacking Database (GHDB)
  ▪ Provides a database of search strings optimized for locating vulnerable websites and services

URL Analysis
o URL Analysis
  ▪ Activity that is performed to identify whether a link is already flagged on an existing reputation list and, if not, to identify what malicious script or activity might be coded within it
  ▪ Importance
    Resolving percent encoding
    Assessing redirection of the URL
    Showing source code for scripts in the URL
o HTTP Method
  ▪ A set of request methods that indicate the desired action to be performed on a given resource
  ▪ A request contains a method, a resource, a version number, the headers, and the body of the request
  ▪ Methods
    GET
      o The principal method used with HTTP; it is used to retrieve a resource
    POST
      o Used to send data to the server for processing by the requested resource
    PUT
      o Creates or replaces the requested resource
    DELETE
      o Used to remove the requested resource
    HEAD
      o Retrieves the headers for a resource only and ignores the body
  ▪ Data submitted via a URL is delimited by the (?) character
  ▪ Query Parameters
    Usually formatted as one or more name=value pairs, with ampersands (&) delimiting each pair
  ▪ A (#) is used to indicate a fragment or anchor ID and is not processed by the web server
o HTTP Response Codes
  ▪ The header value returned by a server when a client requests a URL
  ▪ Codes
    200
      o Indicates a successful GET or POST request (OK)
    201
      o Indicates that a PUT request has succeeded in creating a resource
    3xx
      o Any code in this range indicates that the server has issued a redirect
    4xx
      o Any code in this range indicates an error in the client request
      o 400
        ▪ Indicates that a request could not be parsed by the server
      o 401
        ▪ Indicates that a request did not supply authentication credentials
      o 403
        ▪ Indicates that a request did not have sufficient permissions
      o 404
        ▪ Indicates that a client has requested a non-existent resource
    5xx
      o Any code in this range indicates a server-side issue
      o 500
        ▪ Indicates a general error on the server side of the application
      o 502
        ▪ Indicates that a bad gateway error has occurred while the server is acting as a proxy
      o 503
        ▪ Indicates that the server is overloaded and the service is unavailable
      o 504
        ▪ Indicates a gateway timeout, which means there is an issue with the upstream server
o Percent Encoding
  ▪ A mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding
  ▪ Unreserved Characters
    a-z, A-Z, 0-9, (-), (.), (_), (~)
  ▪ Reserved Characters
    (:), (/), (?), (#), ([), (]), (@), (!), ($), (&), ('), ((), ()), (*), (+), (,), (;), (=)
  ▪ A URL cannot contain unsafe characters
    Null string termination, carriage return, line feed, end of file, tab, space, and (\), ({), (})
  ▪ Percent encoding allows a user-agent to submit any safe or unsafe character (or binary data) to the server within the URL
  ▪ Warning
    Percent encoding can be misused to obfuscate the nature of a URL (by encoding unreserved characters) and to submit malicious input as a script or binary, or to perform directory traversal
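A small URL analysis helper, added here as an example (it is not from the course notes): it percent-decodes a URL layer by layer, separates the query parameters from the fragment the server never sees, and flags the obfuscation tricks the notes warn about, namely needlessly encoded unreserved characters, encoding of the percent sign itself, and traversal sequences that only appear after decoding. All URLs it runs over are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Unreserved characters from the notes (a-z, A-Z, 0-9, - . _ ~): a normal
# user-agent never percent-encodes these, so seeing them encoded is a sign
# that the URL was deliberately obfuscated.
UNRESERVED = re.compile(r"[A-Za-z0-9\-._~]")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# ".." standing alone as a path segment, with either separator
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Unsafe characters from the notes that must never survive decoding
UNSAFE_CONTROL = ("\x00", "\r", "\n")


def decode_layers(text, limit=5):
    """Percent-decode repeatedly until the text stops changing.

    Returns (decoded_text, layers): 0 means nothing was encoded, 1 is ordinary
    encoding, and 2 or more means the percent sign itself was encoded (%25),
    which is the double encoding the notes describe.
    """
    layers = 0
    current = text
    while layers < limit:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def encoded_unreserved(raw):
    """Return the unreserved characters that were needlessly percent-encoded."""
    hits = []
    for match in PCT_ESCAPE.finditer(raw):
        char = chr(int(match.group()[1:], 16))
        if UNRESERVED.fullmatch(char):
            hits.append(char)
    return hits


def analyze_url(url):
    """Decode a URL the way a reviewer would and report suspicious traits."""
    parts = urlsplit(url)
    path, path_layers = decode_layers(parts.path)
    query_layers = decode_layers(parts.query)[1]
    # parse_qsl removes one encoding layer itself; decode_layers strips any
    # further layers so traversal hidden by double encoding still shows up.
    params = [(name, decode_layers(value)[0])
              for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    decoded = [path] + [value for _, value in params]
    findings = []
    if max(path_layers, query_layers) >= 2:
        findings.append("double-encoding")
    if encoded_unreserved(parts.path) or encoded_unreserved(parts.query):
        findings.append("encoded-unreserved")
    if any(TRAVERSAL.search(text) for text in decoded):
        findings.append("path-traversal")
    if any(ch in text for text in decoded for ch in UNSAFE_CONTROL):
        findings.append("control-characters")
    return {
        "path": path,
        "params": params,
        # The fragment is never sent to the server; kept for the record only
        "fragment": parts.fragment,
        "layers": max(path_layers, query_layers),
        "findings": findings,
    }


# Constructed sample URLs for illustration (example.test is a reserved TLD)
SAMPLE_URLS = [
    "https://example.test/docs/view?file=report.pdf&page=2#section-3",
    "https://example.test/view?file=..%2F..%2Fconfig.ini",
    "https://example.test/view?file=%252e%252e%252fconfig",
    "https://example.test/%61dmin",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", analyze_url(sample)["findings"] or "clean")
```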
    Some really tricky attackers may double encode the URL by encoding the percent sign

Cryptographic Flaws
o Cryptographic Inspection
  ▪ Checks the validity of certificates or potential vulnerabilities to exploit within the target servers
o Cipher Suite
  ▪ Defines the algorithms supported by the client and server when requesting to use encryption and hashing
  ▪ Examples:
    ECDHE_RSA_AES128_GCM_SHA256
    TLS_AES_256_GCM_SHA384
  ▪ Cybersecurity professionals need to understand how to read these cipher suites
o To test a web server and see its cipher suites, visit ssllabs.com
o Encryption Algorithms
  ▪ ChaCha20
  ▪ RSA
  ▪ AES
  ▪ GCM
  ▪ CBC
o SSL 2 and SSL 3 are now considered insecure
o Digital Certificates
  ▪ Falsified digital certificates can also be used to trick the target organization's users
  ▪ Identify other potential targets or servers in digital certificate fields
    Subject Alternative Name (SAN) Field
      o Allows the use of digital certificates with other domains in addition to the main domain
    Wildcard
      o Allows the same public key certificate to be presented as valid across all subdomains
      o A revoked certificate affects all other subdomains
      o Look into the SAN field or the wildcard to check for other domains or subdomains
o Certificate Revocation List (CRL)
  ▪ An online list of digital certificates revoked by the certificate authority
o Online Certificate Status Protocol (OCSP)
  ▪ Determines the revocation status of a digital certificate using its serial number
  ▪ OCSP Responder
o With CRL and OCSP, the client validates the certificate
o Certificate Pinning
  ▪ A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust
  ▪ HTTP Public Key Pinning allows a website to resist impersonation attacks
o Certificate Stapling
  ▪ Allows a web server to perform the certificate status check itself
  ▪ Eliminates the need for an additional connection at the time of the request
o HTTP Strict Transport Security (HSTS)
  ▪ Allows a web server to notify web browsers to make requests using only HTTPS and not HTTP
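To make the cipher-suite notation in the Cryptographic Flaws notes concrete, here is an added example (not the course's code) that splits suite names such as ECDHE_RSA_AES128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 into key exchange, authentication, cipher, mode and hash, then writes up the kinds of findings a review of scanner output (for instance from the SSL Labs test the notes mention) would contain: static key exchange, CBC mode, legacy ciphers and hashes, and the SSL 2 and SSL 3 versions the notes call insecure. The scan output it runs over is constructed.

```python
import re

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "PSK"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS", "PSK", "ANON"}
MODES = {"GCM", "CBC", "CCM", "POLY1305"}
HASHES = {"MD5", "SHA", "SHA1", "SHA256", "SHA384", "SHA512"}
# SSL 2 and SSL 3 are the versions the notes call insecure; TLS 1.0 and 1.1
# were formally deprecated by RFC 8996.
BAD_PROTOCOLS = {"SSLv2": "insecure, must be disabled", "SSLv3": "insecure, must be disabled",
                 "TLSv1.0": "deprecated by RFC 8996", "TLSv1.1": "deprecated by RFC 8996"}


def parse_cipher_suite(name):
    """Split a suite name in IANA, OpenSSL or shorthand form into its parts."""
    tokens = [t for t in re.split(r"[-_]", name.upper()) if t and t not in ("TLS", "WITH")]
    merged = []  # re-join ciphers IANA writes with a separate key size: AES_128 -> AES128
    for tok in tokens:
        if merged and merged[-1] in ("AES", "CAMELLIA", "ARIA") and tok.isdigit():
            merged[-1] += tok
        else:
            merged.append(tok)
    suite = {"key_exchange": None, "authentication": None, "cipher": None, "mode": None, "hash": None}
    if merged and merged[0] in KEY_EXCHANGE:
        suite["key_exchange"] = merged.pop(0)
        if merged and merged[0] in AUTHENTICATION:
            suite["authentication"] = merged.pop(0)
        else:  # "RSA_AES128_..." style: RSA does both key transport and authentication
            suite["authentication"] = suite["key_exchange"]
    else:
        # TLS 1.3 names (TLS_AES_256_GCM_SHA384) omit key exchange and authentication:
        # both are negotiated separately, and the exchange is always ephemeral
        suite["key_exchange"] = suite["authentication"] = "TLS1.3-negotiated"
    if merged and merged[-1] in HASHES:
        suite["hash"] = merged.pop()
    if merged and merged[-1] in MODES:
        suite["mode"] = merged.pop()
    suite["cipher"] = "_".join(merged) or None
    return suite


def review_cipher_suite(name):
    """Return (parsed suite, findings) the way a scan review would write them up."""
    suite = parse_cipher_suite(name)
    findings = []
    if suite["key_exchange"] in ("RSA", "DH", "ECDH"):
        findings.append("static key exchange, no forward secrecy")
    if suite["mode"] == "CBC":
        findings.append("CBC mode is not an AEAD construction; prefer GCM or ChaCha20-Poly1305")
    if suite["cipher"] and any(w in suite["cipher"] for w in ("RC4", "DES", "NULL", "EXPORT")):
        findings.append(f"legacy or null cipher: {suite['cipher']}")
    if suite["hash"] == "MD5":
        findings.append("MD5-based MAC/PRF")
    elif suite["hash"] in ("SHA", "SHA1"):
        findings.append("SHA-1-based MAC, removed in TLS 1.3")
    if suite["authentication"] == "ANON":
        findings.append("anonymous key exchange, no server authentication")
    return suite, findings


def review_scan(protocols, suites):
    """Combine protocol-version and cipher-suite findings for one server."""
    findings = [f"{p}: {BAD_PROTOCOLS[p]}" for p in protocols if p in BAD_PROTOCOLS]
    for name in suites:
        findings.extend(f"{name}: {f}" for f in review_cipher_suite(name)[1])
    return findings


# Constructed scan output for illustration, not from any real server
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1.2", "TLSv1.3"]
SAMPLE_SUITES = [
    "ECDHE_RSA_AES128_GCM_SHA256",    # shorthand form used in the notes
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3 form used in the notes
    "TLS_RSA_WITH_AES_128_CBC_SHA",   # IANA form, legacy
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # OpenSSL form
]

if __name__ == "__main__":
    for line in review_scan(SAMPLE_PROTOCOLS, SAMPLE_SUITES):
        print(line)
```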
CWE & CVE
o A penetration tester needs to keep up to date with the latest techniques and vulnerabilities
  ▪ CVEs
  ▪ CWEs
  ▪ Security Blogs
  ▪ Podcasts
o Computer Emergency Response Team (CERT) - cisa.gov/uscert
  ▪ Maintained by the United States federal government; lists all of the different known vulnerabilities that they have identified in the wild as well as those self-reported by industry partners
o JPCERT - jpcert.or.jp
  ▪ Japan's version of the Computer Emergency Response Team
o National Vulnerability Database (NVD) - nvd.nist.gov
  ▪ Provided by the National Institute of Standards and Technology (NIST); displays all of the latest vulnerabilities and assigns each a CVE number
o Common Vulnerabilities and Exposures (CVE) - cve.org
  ▪ Common database used worldwide that references known vulnerabilities
o Common Weakness Enumeration (CWE) - cwe.mitre.org
  ▪ A community-developed list of the different types of software weaknesses and the details of those weaknesses
o Common Attack Pattern Enumeration and Classification (CAPEC) - capec.mitre.org
  ▪ Helps to understand and identify a particular attack so that security researchers may better understand the different attack patterns
o Full Disclosure
  ▪ A mailing list from the makers of Nmap
o Understand the key terms like CVE and CWE and how they may link a vulnerability to a potential exploit
Active Reconnaissance

Active Reconnaissance
o Active Reconnaissance
  ▪ Engaging with the targeted systems or networks to gather information about their vulnerabilities
o Domain 2: Information Gathering and Vulnerability Scanning
  ▪ Objective 2.2: Given a scenario, perform active reconnaissance
  ▪ Objective 2.3: Given a scenario, analyze the results of a reconnaissance exercise

Scanning and Enumeration
o Scanning
  ▪ Actively connecting to a system and getting a response to identify hosts, open ports, services, users, domain names, and URLs used by a given organization

Discovery Scan
o Ping Scan
  ▪ Identifies what hosts are online in a given network
o Port Scan
  ▪ Identifies whether the ports on those hosts are open or closed

Enumeration
o Enumeration digs deep into target systems and links identified components to known vulnerabilities

Nmap/Zenmap
o Nmap
  ▪ Requires exact syntax
o Zenmap
  ▪ Provides a dropdown menu of scan profiles
    o Ping scan
    o Quick scan
    o Intense scan
o Fingerprinting
  ▪ The identification of an operating system, a service, or a specific software version that is in use by a host, a system, or a network
o Banner Grabbing
  ▪ Using a program like Netcat, wget, or telnet to connect to a given port that is running a service
  ▪ Scanning
    More generic
  ▪ Enumeration
    More in depth
  ▪ Fingerprinting
    Most detailed

Other Enumeration
o Host
  ▪ Any server, workstation, or client, including mobile devices, tablets, and IoT devices, or even a networking device like a switch, router, or access point
  ▪ We can enumerate hosts using command line-based Windows tools to learn more about the target network
  ▪ "Living off the land"
    Using the default tools available on a regular user's workstation
  ▪ Commands
    net
      o A suite of tools that can be used to perform operations on groups, users, account policies, network shares, and more
    arp
      o Used when enumerating a Windows host
      o Address Resolution Protocol (ARP) Cache
        ▪ Provides a list of the MAC addresses of all the other machines that have recently communicated with the host you are currently on
    ipconfig
      o Determines the IP address of the machine you are currently on
      o ipconfig /displaydns
        ▪ Displays any DNS names that have recently been resolved
  ▪ BASH command line tools for Linux hosts or servers
    finger
      o Used to view a user's home directory, their login, and their current idle time
    uname -a
      o Shows the OS's name, version, and other relevant details in the terminal
    env
      o Gives a list of all of the environment variables on a Linux system
o Services
  ▪ Can be enumerated to provide us with additional details about a given host
  ▪ Conducting an intensive scan using Nmap returns information about the services running on a host's open ports
o Domains
  ▪ Active Directory (AD)
    A database that stores, organizes, and enables access to other objects under its control
  ▪ Many Windows attacks rely on trying to bypass the Kerberos authentication in a domain environment
    The first domain is always considered the root domain
      o Domains or subdomains underneath the root domain are considered children
  ▪ Organizational Unit (OU)
    Used within a domain to group similar objects (i.e., computers, groups, or even users) together
  ▪ User
    Used to represent a person or process that will access a given resource in the domain
  ▪ Group
    A collection of users
  ▪ Domain Enumeration
    PowerShell
      o Living off the land
      o Get-NetDomain
        ▪ Lists the current logged-in user's domain
      o Get-NetLoggedon
        ▪ Lists all the users who are logged into a given computer
    Nmap, Metasploit
      o Your own tools
o Users
  ▪ Get-NetGroupMember
    Lists the domain members belonging to a given group
  ▪ net user
    Lists all the users on the machine
  ▪ net groups
    Lists the groups on the machine
o URLs
  ▪ You can use various tools to gain more details about the web server or applications running on valid URLs
