CompTIA PenTest+ Study Guide: Exam PT0-002

From the Sybex Study Guide series

€62.99

incl. statutory VAT, free shipping


Product details

Binding: Paperback

Publication date: 2 November 2021

Publisher: John Wiley & Sons

Number of pages: 576

Dimensions (L/W/H): 23.8/19/3.2 cm

Weight: 955 g

Edition: 2nd edition

Language: English

ISBN: 978-1-119-82381-0

Manufacturer address

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: gpsr@libri.de

  • Introduction

    Assessment Test

    Chapter 1 Penetration Testing

    What Is Penetration Testing?

    Cybersecurity Goals

    Adopting the Hacker Mindset

    Ethical Hacking

    Reasons for Penetration Testing

    Benefits of Penetration Testing

    Regulatory Requirements for Penetration Testing

    Who Performs Penetration Tests?

    Internal Penetration Testing Teams

    External Penetration Testing Teams

    Selecting Penetration Testing Teams

    The CompTIA Penetration Testing Process

    Planning and Scoping

    Information Gathering and Vulnerability Scanning

    Attacks and Exploits

    Reporting and Communication

    Tools and Code Analysis

    The Cyber Kill Chain

    Reconnaissance

    Weaponization

    Delivery

    Exploitation

    Installation

    Command and Control

    Actions on Objectives

    Tools of the Trade

    Reconnaissance

    Vulnerability Scanners

    Social Engineering

    Credential Testing Tools

    Debuggers and Software Testing Tools

    Network Testing

    Remote Access

    Exploitation

    Steganography

    Cloud Tools

    Summary

    Exam Essentials

    Lab Exercises

    Activity 1.1: Adopting the Hacker Mindset

    Activity 1.2: Using the Cyber Kill Chain

    Review Questions

    Chapter 2 Planning and Scoping Penetration Tests

    Scoping and Planning Engagements

    Assessment Types

    Known Environments and Unknown Environments

    The Rules of Engagement

    Scoping Considerations - A Deeper Dive

    Support Resources for Penetration Tests

    Penetration Testing Standards and Methodologies

    Key Legal Concepts for Penetration Tests

    Contracts

    Data Ownership and Retention

    Permission to Attack (Authorization)

    Environmental Differences and Location Restrictions

    Regulatory Compliance Considerations

    Summary

    Exam Essentials

    Lab Exercises

    Review Questions

    Chapter 3 Information Gathering

    Footprinting and Enumeration

    OSINT

    Location and Organizational Data

    Infrastructure and Networks

    Security Search Engines

    Google Dorks and Search Engine Techniques

    Password Dumps and Other Breach Data

    Source Code Repositories

    Passive Enumeration and Cloud Services

    Active Reconnaissance and Enumeration

    Hosts

    Services

    Networks, Topologies, and Network Traffic

    Packet Crafting and Inspection

    Enumeration

    Information Gathering and Code

    Avoiding Detection

    Information Gathering and Defenses

    Defenses Against Active Reconnaissance

    Preventing Passive Information Gathering

    Summary

    Exam Essentials

    Lab Exercises

    Activity 3.1: Manual OSINT Gathering

    Activity 3.2: Exploring Shodan

    Activity 3.3: Running an Nmap Scan

    Review Questions

    Chapter 4 Vulnerability Scanning

    Identifying Vulnerability Management Requirements

    Regulatory Environment

    Corporate Policy

    Support for Penetration Testing

    Identifying Scan Targets

    Determining Scan Frequency

    Active vs. Passive Scanning

    Configuring and Executing Vulnerability Scans

    Scoping Vulnerability Scans

    Configuring Vulnerability Scans

    Scanner Maintenance

    Software Security Testing

    Analyzing and Testing Code

    Web Application Vulnerability Scanning

    Developing a Remediation Workflow

    Prioritizing Remediation

    Testing and Implementing Fixes

    Overcoming Barriers to Vulnerability Scanning

    Summary

    Exam Essentials

    Lab Exercises

    Activity 4.1: Installing a Vulnerability Scanner

    Activity 4.2: Running a Vulnerability Scan

    Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan

    Review Questions

    Chapter 5 Analyzing Vulnerability Scans

    Reviewing and Interpreting Scan Reports

    Understanding CVSS

    Validating Scan Results

    False Positives

    Documented Exceptions

    Understanding Informational Results

    Reconciling Scan Results with Other Data Sources

    Trend Analysis

    Common Vulnerabilities

    Server and Endpoint Vulnerabilities

    Network Vulnerabilities

    Virtualization Vulnerabilities

    Internet of Things (IoT)

    Web Application Vulnerabilities

    Summary

    Exam Essentials

    Lab Exercises

    Activity 5.1: Interpreting a Vulnerability Scan

    Activity 5.2: Analyzing a CVSS Vector

    Activity 5.3: Developing a Penetration Testing Plan

    Review Questions

    Chapter 6 Exploiting and Pivoting

    Exploits and Attacks

    Choosing Targets

    Enumeration

    Identifying the Right Exploit

    Exploit Resources

    Exploitation Toolkits

    Metasploit

    PowerSploit

    BloodHound

    Exploit Specifics

    RPC/DCOM

    PsExec

    PS Remoting/WinRM

    WMI

    Fileless Malware and Living Off the Land

    Scheduled Tasks and cron Jobs

    SMB

    DNS

    RDP

    Apple Remote Desktop

    VNC

    SSH

    Network Segmentation Testing and Exploits

    Leaked Keys

    Leveraging Exploits

    Common Post-Exploit Attacks

    Cross Compiling

    Privilege Escalation

    Social Engineering

    Escaping and Upgrading Limited Shells

    Persistence and Evasion

    Scheduled Jobs and Scheduled Tasks

    Inetd Modification

    Daemons and Services

    Backdoors and Trojans

    Data Exfiltration and Covert Channels

    New Users

    Pivoting

    Covering Your Tracks

    Summary

    Exam Essentials

    Lab Exercises

    Activity 6.1: Exploit

    Activity 6.2: Discovery

    Activity 6.3: Pivot

    Review Questions

    Chapter 7 Exploiting Network Vulnerabilities

    Identifying Exploits

    Conducting Network Exploits

    VLAN Hopping

    DNS Cache Poisoning

    On-Path Attacks

    NAC Bypass

    DoS Attacks and Stress Testing

    Exploit Chaining

    Exploiting Windows Services

    NetBIOS Name Resolution Exploits

    SMB Exploits

    Identifying and Exploiting Common Services

    Identifying and Attacking Service Targets

    SNMP Exploits

    SMTP Exploits

    FTP Exploits

    Kerberoasting

    Samba Exploits

    Password Attacks

    Stress Testing for Availability

    Wireless Exploits

    Attack Methods

    Finding Targets

    Attacking Captive Portals

    Eavesdropping, Evil Twins, and Wireless On-Path Attacks

    Other Wireless Protocols and Systems

    RFID Cloning

    Jamming

    Repeating

    Summary

    Exam Essentials

    Lab Exercises

    Activity 7.1: Capturing Hashes

    Activity 7.2: Brute-Forcing Services

    Activity 7.3: Wireless Testing

    Review Questions

    Chapter 8 Exploiting Physical and Social Vulnerabilities

    Physical Facility Penetration Testing

    Entering Facilities

    Information Gathering

    Social Engineering

    In-Person Social Engineering

    Phishing Attacks

    Website-Based Attacks

    Using Social Engineering Tools

    Summary

    Exam Essentials

    Lab Exercises

    Activity 8.1: Designing a Physical Penetration Test

    Activity 8.2: Brute-Forcing Services

    Activity 8.3: Using BeEF

    Review Questions

    Chapter 9 Exploiting Application Vulnerabilities

    Exploiting Injection Vulnerabilities

    Input Validation

    Web Application Firewalls

    SQL Injection Attacks

    Code Injection Attacks

    Command Injection Attacks

    LDAP Injection Attacks

    Exploiting Authentication Vulnerabilities

    Password Authentication

    Session Attacks

    Kerberos Exploits

    Exploiting Authorization Vulnerabilities

    Insecure Direct Object References

    Directory Traversal

    File Inclusion

    Privilege Escalation

    Exploiting Web Application Vulnerabilities

    Cross-Site Scripting (XSS)

    Request Forgery

    Clickjacking

    Unsecure Coding Practices

    Source Code Comments

    Error Handling

    Hard-Coded Credentials

    Race Conditions

    Unprotected APIs

    Unsigned Code

    Steganography

    Application Testing Tools

    Static Application Security Testing (SAST)

    Dynamic Application Security Testing (DAST)

    Mobile Tools

    Summary

    Exam Essentials

    Lab Exercises

    Activity 9.1: Application Security Testing Techniques

    Activity 9.2: Using the ZAP Proxy

    Activity 9.3: Creating a Cross-Site Scripting Vulnerability

    Review Questions

    Chapter 10 Attacking Hosts, Cloud Technologies, and Specialized Systems

    Attacking Hosts

    Linux

    Windows

    Cross-Platform Exploits

    Credential Attacks and Testing Tools

    Credential Acquisition

    Offline Password Cracking

    Credential Testing and Brute-Forcing Tools

    Wordlists and Dictionaries

    Remote Access

    SSH

    Netcat and Ncat

    Metasploit and Remote Access

    Proxies and Proxychains

    Attacking Virtual Machines and Containers

    Virtual Machine Attacks

    Containerization Attacks

    Attacking Cloud Technologies

    Attacking Cloud Accounts

    Attacking and Using Misconfigured Cloud Assets

    Other Cloud Attacks

    Tools for Cloud Technology Attacks

    Attacking Mobile Devices

    Attacking IoT, ICS, Embedded Systems, and SCADA Devices

    Attacking Data Storage

    Summary

    Exam Essentials

    Lab Exercises

    Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials

    Activity 10.2: Cracking Passwords Using Hashcat

    Activity 10.3: Setting Up a Reverse Shell and a Bind Shell

    Review Questions

    Chapter 11 Reporting and Communication

    The Importance of Communication

    Defining a Communication Path

    Communication Triggers

    Goal Reprioritization

    Recommending Mitigation Strategies

    Finding: Shared Local Administrator Credentials

    Finding: Weak Password Complexity

    Finding: Plaintext Passwords

    Finding: No Multifactor Authentication

    Finding: SQL Injection

    Finding: Unnecessary Open Services

    Writing a Penetration Testing Report

    Structuring the Written Report

    Secure Handling and Disposition of Reports

    Wrapping Up the Engagement

    Post-Engagement Cleanup

    Client Acceptance

    Lessons Learned

    Follow-Up Actions/Retesting

    Attestation of Findings

    Retention and Destruction of Data

    Summary

    Exam Essentials

    Lab Exercises

    Activity 11.1: Remediation Strategies

    Activity 11.2: Report Writing

    Review Questions

    Chapter 12 Scripting for Penetration Testing

    Scripting and Penetration Testing

    Bash

    PowerShell

    Ruby

    Python

    Perl

    JavaScript

    Variables, Arrays, and Substitutions

    Bash

    PowerShell

    Ruby

    Python

    Perl

    JavaScript

    Comparison Operations

    String Operations

    Bash

    PowerShell

    Ruby

    Python

    Perl

    JavaScript

    Flow Control

    Conditional Execution

    for Loops

    while Loops

    Input and Output (I/O)

    Redirecting Standard Input and Output

    Comma-Separated Values (CSV)

    Error Handling

    Bash

    PowerShell

    Ruby

    Python

    Advanced Data Structures

    JavaScript Object Notation (JSON)

    Trees

    Reusing Code

    The Role of Coding in Penetration Testing

    Analyzing Exploit Code

    Automating Penetration Tests

    Summary

    Exam Essentials

    Lab Exercises

    Activity 12.1: Reverse DNS Lookups

    Activity 12.2: Nmap Scan

    Review Questions

    Appendix A Answers to Review Questions

    Chapter 1: Penetration Testing

    Chapter 2: Planning and Scoping Penetration Tests

    Chapter 3: Information Gathering

    Chapter 4: Vulnerability Scanning

    Chapter 5: Analyzing Vulnerability Scans

    Chapter 6: Exploiting and Pivoting

    Chapter 7: Exploiting Network Vulnerabilities

    Chapter 8: Exploiting Physical and Social Vulnerabilities

    Chapter 9: Exploiting Application Vulnerabilities

    Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems

    Chapter 11: Reporting and Communication

    Chapter 12: Scripting for Penetration Testing

    Appendix B Solution to Lab Exercise

    Solution to Activity 5.2: Analyzing a CVSS Vector

    Index