Glen E. Clarke - CompTIA Pentest+ Certification For Dummies

10 Index

11 About the Author

12 Connect with Dummies

13 End User License Agreement

1 Chapter 1 TABLE 1-1 PCI DSS Best Practices Requirements

2 Chapter 2 TABLE 2-1 A Sample Pentest Schedule

3 Chapter 4TABLE 4-1 Values of the Access Vector (AV) MetricTABLE 4-2 Values of the Attack Complexity (AC) MetricTABLE 4-3 Values of the Authentication (Au) MetricTABLE 4-4 Values of the Confidentiality (C) MetricTABLE 4-5 Values of the Integrity (I) MetricTABLE 4-6 Values of the Availability (A) Metric

4 Chapter 5TABLE 5-1 Metasploit Exploit Rankings

5 Chapter 6TABLE 6-1 2.4 GHz Frequency RangesTABLE 6-2 Wireless Network Standards

6 Chapter 7TABLE 7-1 A Sample Race ConditionTABLE 7-2 Synchronized Logic to Prevent a Race Condition

7 Chapter 10TABLE 10-1 Comparison Operators in Different Scripting Languages

8 Appendix ATABLE A-1 PenTest+ Exam InformationTABLE A-2 CompTIA PenTest+ Exam Domains (PT0-002)

1 Chapter 1FIGURE 1-1: The adversary tier. FIGURE 1-2: The CompTIA penetration testing process.

2 Chapter 2FIGURE 2-1: Encrypting a file in Windows Explorer with Gpg4win.

3 Chapter 3FIGURE 3-1: Using Network Solutions to perform a Whois search.FIGURE 3-2: Performing a Whois search in Kali Linux.FIGURE 3-3: Using the-Harvester in Kali Linux to collect contact information.FIGURE 3-4: Using Shodan to identify systems and devices on the Internet.FIGURE 3-5: A sample recon-ng HTML report.FIGURE 3-6: Using Censys search to identify hosts and ports open.FIGURE 3-7: Using nslookup to resolve an FQDN to an IP address.FIGURE 3-8: Using nslookup to locate mail servers.FIGURE 3-9: Using dig to query DNS.FIGURE 3-10: Adding +shortin dig keeps the output clean.FIGURE 3-11: Retrieving the email server list with dig.FIGURE 3-12: Using netdiscover to identify hosts on the network.FIGURE 3-13: Using Nmap switch -sPto do a ping sweep.FIGURE 3-14: Performing a full connect scan with the -sTswitch.FIGURE 3-15: Identifying the version of software with the -sVswitch.FIGURE 3-16: Performing OS fingerprinting with Nmap switch -O.FIGURE 3-17: Using Zenmap to identify hosts on the network.

4 Chapter 4FIGURE 4-1: Choosing a vulnerability scan type in Nessus.FIGURE 4-2: Download the 64-bit Kali Linux edition.FIGURE 4-3: Installing Nessus on Kali Linux.FIGURE 4-4: Starting the Nessus daemon.FIGURE 4-5: Entering the activation code for Nessus.FIGURE 4-6: The Nessus main screen.FIGURE 4-7: Choosing a scan template.FIGURE 4-8: Credentials can be supplied to perform a scan within a security con...FIGURE 4-9: Plug-ins specify the types of checks to perform.FIGURE 4-10: Viewing the vulnerability scan results.FIGURE 4-11: Viewing the list of vulnerabilities for a host.FIGURE 4-12: Reading the details of a specific vulnerability.FIGURE 4-13: Viewing the remediation steps to a vulnerability.FIGURE 4-14: Determining if exploits exist for a vulnerability.FIGURE 4-15: Determining what exploit to use.FIGURE 4-16: CVSS base score metrics.

5 Chapter 5FIGURE 5-1: Identifying the tool to use to exploit a vulnerability.FIGURE 5-2: Metasploit has a number of preinstalled exploits.FIGURE 5-3: Searching for an exploit.FIGURE 5-4: Selecting an exploit.FIGURE 5-5: Using the show optionscommand to see a list of options.FIGURE 5-6: Verifying your settings.FIGURE 5-7: Running the exploit.FIGURE 5-8: You have shell access to the system.FIGURE 5-9: Setting up a reverse TCP listener.FIGURE 5-10: Taking a screenshot of the victim’s system.FIGURE 5-11: Using SET to clone a website.FIGURE 5-12: Viewing credentials collected using SET.FIGURE 5-13: Launching BeEF and the hook URL.FIGURE 5-14: Using the BeEF UI to execute exploits.FIGURE 5-15: Looking at the captured logon information.FIGURE 5-16: Using an exploit database.FIGURE 5-17: Looking at exploit details.FIGURE 5-18: SSL stripping to bypass HTTPS.FIGURE 5-19: Using SETH to capture RDP credentials.FIGURE 5-20: Cracking Windows passwords with John the Ripper.

6 Chapter 6FIGURE 6-1: Non-overlapping frequencies in the 2.4 GHz frequency range.FIGURE 6-2: A wireless access point is used to allow a wireless client to conne...FIGURE 6-3: A BSS is a wireless network with a single access point configured w...FIGURE 6-4: Wireless clients can roam the network when the network is an ESS co...FIGURE 6-5: Using Aireplay-ng to deauthenticate a wireless client.FIGURE 6-6: Discovering wireless networks with Airodump-ng.FIGURE 6-7: Capturing traffic on the wireless network.FIGURE 6-8: Associating with the access point.FIGURE 6-9: Using Aircrack-ng.FIGURE 6-10: Using wash to identify WPS devices.FIGURE 6-11: Using Reaver to crack WPS pin.FIGURE 6-12: Using Wifite to crack wireless networks.

7 Chapter 7FIGURE 7-1: Logon screens are great tools to attempt SQL injection attacks.FIGURE 7-2: An XSS attack in action.FIGURE 7-3: A CSRF/XSRF attack in action.FIGURE 7-4: A CSRF/XSRF attack is prevented by checking for synchronization tok...FIGURE 7-5: Directory traversal attacks navigate the file system.FIGURE 7-6: Logging into the DVWA site.FIGURE 7-7: The URL for the change password page.FIGURE 7-8: Viewing all data with SQL injection attack.FIGURE 7-9: Using SQL injection to view column information.FIGURE 7-10: Retrieving the list of usernames and password hashes.FIGURE 7-11: Cracking password hashes with John the Ripper.

8 Chapter 8FIGURE 8-1: Identifying vulnerabilities with Nessus.FIGURE 8-2: Searching Metasploit for an exploit.FIGURE 8-3: Exploiting a Windows system to get a meterpreter session.FIGURE 8-4: The core commands in a meterpreter session.FIGURE 8-5: Retrieving information about the current context.FIGURE 8-6: Using run winenumto enumerate the target system and network.FIGURE 8-7: Viewing the logs generated by the run winenumcommand.FIGURE 8-8: Gaining shell access from a meterpreter session.FIGURE 8-9: Retrieving the password hashes.FIGURE 8-10: Attaching to another process with the migratecommand.FIGURE 8-11: Using VNC to view a victim’s activity.FIGURE 8-12: Capturing keystrokes from the compromised system.FIGURE 8-13: Lateral movement from a compromised system.FIGURE 8-14: Dumping the hashes to use in pass the hash.FIGURE 8-15: Locating other systems with arp_scanner.FIGURE 8-16: Lateral movement with telnet.FIGURE 8-17: Viewing user accounts on a laterally compromised system.FIGURE 8-18: Creating a backdoor user account.FIGURE 8-19: Covering your tracks with the clearevcommand.

9 Chapter 9FIGURE 9-1: Using Nikto to do a web application vulnerability scan.FIGURE 9-2: Using w3af to perform different types of vulnerability checks on a ...FIGURE 9-3: Using SQLmap to automate SQL injection attacks.FIGURE 9-4: Inspecting the http post request.FIGURE 9-5: Using Hydra to crack credentials for the website.FIGURE 9-6: Using John the Ripper to crack password hashes.FIGURE 9-7: Using Wifite to automate wireless attacks.FIGURE 9-8: OWASP ZAP finds vulnerabilities in web applications.FIGURE 9-9: SET is a social engineering tool that makes it easy to create diffe...FIGURE 9-10: Using Nmap to locate systems (left) and then using Hydra to attemp...FIGURE 9-11: Using xHydra — the GUI version of Hydra.FIGURE 9-12: Cracking password hashes with John the Ripper.FIGURE 9-13: Dumping the hashes to use with a password cracker.FIGURE 9-14: Using Ncat (left) and Netcat (right) to create a bind shell.

10 Chapter 11FIGURE 11-1: Risk rating scores for vulnerabilities.

1 Cover

2 Title Page

3 Copyright

4 Table of Contents

5 Begin Reading

6 Appendix A: PenTest+ Exam Details

7 Appendix B: CompTIA PenTest+ Exam Reference Matrix

8 Appendix C: Lab Setup