On course completion, you will be able to achieve the following:
- Scope organizational/customer requirements.
- Define the rules of engagement.
- Footprint and gather intelligence.
- Evaluate human and physical vulnerabilities.
- Prepare the vulnerability scan.
- Scan logical vulnerabilities.
- Analyze scan results.
- Avoid detection and cover tracks.
- Exploit the LAN and cloud.
- Test wireless networks.
- Target mobile devices.
- Attack specialized systems.
- Perform web application-based attacks.
- Perform system hacking.
- Develop scripts and software.
- Leverage the attack: pivot and penetrate.
- Communicate during the PenTesting process.
- Summarize report components.
- Recommend remediation.
- Perform post-report delivery activities.
This course prepares a student to take the CompTIA PenTest+ PT0-002 national certification exam.
Lesson 1: Scoping Organizational/Customer Requirements
Penetration testing is a proactive exercise that tests the strength of an organization’s security defenses. While there are many reasons why an organization might conduct a Penetration Test (PenTest), many times it is to provide due diligence and due care in meeting compliance requirements. Prior to beginning a PenTest exercise, you will need to devise a structured plan and outline the terms. Once you step into an organization to conduct the PenTest, it is essential that you and your team maintain a professional attitude at all times. In addition, if during testing your team discovers possible indications of an ongoing or previous compromise, you must immediately report the details to the appropriate stakeholder.
Lesson 2: Defining the Rules of Engagement
A structured PenTest will help ensure the organization has enacted best practices for handling customer data. The team needs to be aware of any environmental and location restrictions that will govern their behavior during the exercise. In addition, you’ll need to obtain a target list of in-scope assets. During the assessment, the team may be asked to conduct additional tests. However, it’s essential that the team is aware of the consequences of testing beyond the defined scope. Once you have gathered all relevant information, you’ll need to validate the scope of engagement so that all parties agree on the terms. Finally, prior to beginning the PenTest, the team must prepare several legal documents that outline the scope and terms of the project.
Lesson 3: Footprinting and Gathering Intelligence
Before actively launching any attacks, the PenTest team must complete a footprinting exercise. The goal of this activity is to gather as much information about the target as possible, which includes building a profile of the organization, its network, and its systems. In this lesson, we’ll see how to collect essential data, such as passwords and website content, that can expose weaknesses. During this process, the team will find a great deal of publicly available information, which can be overwhelming. To aid in this discovery, the PenTest team can use powerful open-source intelligence (OSINT) tools such as Shodan, Maltego, and Recon-ng to ferret out information.
Lesson 4: Evaluating Human and Physical Vulnerabilities
Logical defenses such as access control lists, firewalls, and unified threat management systems have strengthened over the years. As a result, malicious actors have turned to a softer target: the human. That is why it’s essential that the PenTest include social engineering, so the team can test the strength of the human firewall, along with assessing the physical security of the organization. In this lesson, we’ll learn how to set up a social engineering exploit and review various physical attacks such as dumpster diving, shoulder surfing, and badge cloning. We’ll then cover some of the methods and tools used to achieve a successful attack, including the Social Engineering Toolkit (SET).
Lesson 5: Preparing the Vulnerability Scan
Once the team has completed the footprinting exercise, the next phase is to devise a strategy to assess the network for vulnerabilities. The team will need to plan the vulnerability scan and identify key goals for assuring that the organization has a solid security posture. The team will want to outline the types of scans to be run, along with any constraints that will impact testing. In addition, they will need to detect defenses that will influence the effectiveness of the scan. During this process, the team will utilize scanning tools such as Censys, an attack surface analyzer, along with tools such as hping and the Open Vulnerability Assessment Scanner (OpenVAS).
Lesson 6: Scanning Logical Vulnerabilities
While scanning the network for vulnerabilities, the team will need to evaluate a variety of targets using several approaches. In this lesson, we’ll outline the various types of scans used to evaluate the health of network endpoints, devices, and applications. You’ll learn the different scan types, such as host discovery, TCP full connect, and web application scans. Part of this process may involve either actively scanning the network or passively sniffing traffic in the hope of obtaining interesting artifacts. Concurrently, the team will need to scope out wireless networks to assess whether the WLAN is vulnerable as well.
Lesson 7: Analyzing Scanning Results
During the PenTest, the team will scan a variety of devices, networks, and operating systems. In this lesson, we’ll learn why a thorough analysis of the network is necessary, as it will dictate the next step in the process. We’ll discover how Network Mapper (Nmap), a predominant tool for scanning networks, offers a variety of options to detect listening hosts, open ports, and operating systems. We’ll outline the basic capabilities of Nmap, along with how advanced features such as the Nmap Scripting Engine (NSE) can help refine results and target specific services. Once the team has gathered the scanning results, the next step is to evaluate the scans. We’ll then see how the team will use other resources, such as web logs, network traffic, and the Domain Name System (DNS), to provide an accurate assessment of the target’s environment.
Lesson 8: Avoiding Detection and Covering Tracks
While actively scanning the network, the team will need to take steps to avoid detection. In this lesson, we’ll cover how to use a variety of techniques to conceal activity. We’ll outline methods such as spoofing and living-off-the-land attacks that use fileless malware. In addition, you’ll see why the team might choose to employ more advanced techniques, including steganography tools that hide data in plain sight. Finally, we’ll see how the PenTest team may need to establish a covert channel, along with using Ncat, Secure Shell (SSH), and proxy chaining to provide remote access for further exploits.
Lesson 9: Exploiting the LAN and Cloud
After scanning for vulnerabilities, the team will be armed with information that will allow them to move to the attack phase and test the strength of the LAN. One common step in active reconnaissance is to establish a connection by enumerating open ports, services, and Active Directory objects. There are many attacks a team can launch, such as MAC address spoofing and NT LAN Manager (NTLM) relay attacks. To achieve this goal, the PenTest team has a number of exploit tools they can use to launch an attack, such as mitm6 and SearchSploit, along with Exploit-DB. Today, many organizations house resources in the cloud. As a result, the team should be aware of possible threats such as injection, denial of service, and side-channel attacks. To assess these, the team can use a variety of automated vulnerability and penetration testing tools such as Cloud Custodian, Pacu, and CloudBrute.
Lesson 10: Testing Wireless Networks
In addition to examining traffic on the wired Local Area Network (LAN), the team will also need to assess the security posture of the wireless LAN (WLAN). Wireless networks can fall victim to several different attacks, including relay, spoofing, and deauthentication attacks. To achieve this goal, the team will need to conduct a variety of tests to see whether an attack using a rogue access point or other methods will be successful. To aid in this process, the team can use tools specific to wireless attacks, including Kismet, EAPHammer, and Spooftooph.
Lesson 11: Targeting Mobile Devices
Today, a large percentage of the world uses some type of mobile device. Many organizations provide corporate-owned or corporate-compliant devices for their employees. As a result, it’s essential to recognize mobile device vulnerabilities, which include business logic flaws, patching fragmentation, weak passwords, and insecure storage. Because of this, devices can fall victim to several attacks that can lead to data compromise, such as overreach of permissions and execution of activities as root. To prevent such attacks, the team should test mobile devices using tools such as Mobile Security Framework and Drozer.
Lesson 12: Attacking Specialized Systems
In addition to equipment that uses a standard operating system, there are also various specialized systems that are susceptible to attack. A thorough penetration test will include an assessment of the Internet of Things (IoT) devices, data storage systems, and virtualized environments. It’s important to recognize not only the vulnerabilities, but the possible attacks on these systems. In addition, you should be familiar with the tools used to test these devices.
Lesson 13: Web Application-Based Attacks
Web applications are widely used but are vulnerable to many different types of attacks. The OWASP Top Ten list helps guide the PenTest by providing details on common vulnerabilities found in web applications. As a result, the PenTest team should assess web applications for various vulnerabilities, including session, application programming interface (API), and injection attacks. To achieve this goal, the PenTest team has several tools available, such as SearchSploit and WPScan, a WordPress security scanner.
Lesson 14: Performing System Hacking
As part of the ethical hacking exercise, the PenTest team will conduct system hacking and, once in, attempt to get deeper into the system. The team can use a variety of methods to gain access to the system, including remote access tools to begin this process. They could also leverage exploit code to download files and enumerate users and assets. In addition, the team will analyze code using debuggers such as the Interactive Disassembler (IDA), Covenant, and various software development kits (SDKs).
Lesson 15: Scripting and Software Development
Lesson 16: Leveraging the Attack: Pivot and Penetrate
A major part of the PenTest process is gaining access to a system. The team will need to launch several attacks, using a variety of methods and tools. These include hash cracking, brute-force, and dictionary attacks, employing tools such as John the Ripper, word lists, and Hashcat.
Once the team has gained access to the system, the next step is to see how far they can go. The team may be able to move horizontally or vertically, with the goal of pivoting through the system and exploring exposed resources. After gaining access and identifying any further vulnerabilities, the next logical step is to attempt to maintain persistence. This is achieved by creating a backdoor, so that the team can revisit the system at a later date.
Lesson 17: Communicating During the PenTesting Process
Once engaged in a PenTesting exercise, it’s critical to keep the lines of communication open. The team will need to define the communication path, identify essential contacts, and recognize triggers that will prompt an alert or communication event. Because of compliance requirements, many organizations will need an exact paper trail outlining the results of the PenTest. To aid in this process, many tools have built-in reporting features that will help the team distill the information as they prepare the formal reports.
Lesson 18: Summarizing Report Components
Once the PenTest is complete, it’s time to report the findings to the stakeholders. It is important to recognize that each stakeholder will have different needs, and the report should be built accordingly. The final report has several sections.
The team should include all essential information related to the PenTest within those sections, such as business impact analysis, metrics and measures, and remediation suggestions. In addition, because of regulatory requirements, the organization will most likely need to retain the report for a predefined period of time.
Lesson 19: Recommending Remediation
In addition to conducting the PenTest exercise, part of the team’s duties is to recommend any remediation controls. Controls include technical controls, such as patch and configuration management, cryptographic key rotation, and network segmentation. Administrative controls are also essential and include guidelines on password management and organizational policies and procedures. In addition, the team should outline any operational and physical controls as well.
Lesson 20: Performing Post-Report Delivery Activities
Once the PenTest is complete and all reporting has been disseminated to the appropriate stakeholders, the team will need to ensure that all traces of the test have been eradicated. That involves removing any shells, credentials, and tools, along with log files, data, and evidence of compromise. You will want to make sure the client has accepted the results, and then plan for the next test. Finally, the team will need to gather and review any lessons learned during the PenTest, using a neutral facilitator.
All necessary course materials are included.