CompTIA PT0-002 Certification Exam is a certification program that provides the necessary knowledge and skills to professionals looking to advance their career in penetration testing. CompTIA PenTest+ Certification certification is designed for professionals who want to claim a mastery over the concepts and techniques of penetration testing, security testing, and vulnerability analysis. CompTIA PenTest+ Certification certification is meant for security analysts, vulnerability assessment and management specialists, security consultants, and ethical hackers.
CompTIA PT0-002 (CompTIA PenTest+ Certification) exam is an internationally recognized certification exam for professionals who want to specialize in penetration testing. PT0-002 exam is designed to test an individual’s knowledge and skills in identifying vulnerabilities and conducting penetration testing of computer systems, networks, and applications. The PT0-002 certification exam involves hands-on scenarios where professionals must demonstrate their ability to conduct complex penetration testing tasks.
| Topic |
Details |
Planning and Scoping – 15%
|
| Explain the importance of planning for an engagement. |
– Understanding the target audience
– Rules of engagement
– Communication escalation path
– Resources and requirements
- Confidentiality of findings
- Known vs. unknown
– Budget
– Impact analysis and remediation timelines
– Disclaimers
- Point-in-time assessment
- Comprehensiveness
– Technical constraints
– Support resources
- WSDL/WADL
- SOAP project file
- SDK documentation
- Swagger document
- XSD
- Sample application requests
- Architectural diagrams
|
| Explain key legal concepts. |
– Contracts
– Environmental differences
- Export restrictions
- Local and national government restrictions
- Corporate policies
– Written authorization
- Obtain signature from proper signing authority
- Third-party provider authorization when necessary
|
| Explain the importance of scoping an engagement properly. |
– Types of assessment
- Goals-based/objectives-based
- Compliance-based
- Red team
– Special scoping considerations
– Target selection
- Targets
1. Internal
– On-site vs. off-site
2. External
3. First-party vs. third-party hosted
4. Physical
5. Users
6. SSIDs
7. Applications
- Considerations
1. White-listed vs. black-listed
2. Security exceptions
– IPS/WAF whitelist
– NAC
– Certificate pinning
– Company’s policies
– Strategy
- Black box vs. white box vs. gray box
– Risk acceptance
– Tolerance to impact
– Scheduling
– Scope creep
– Threat actors
- Adversary tier
1. APT
2. Script kiddies
3. Hacktivist
4. Insider threat
- Capabilities
- Intent
- Threat models
|
| Explain the key aspects of compliance-based assessments. |
– Compliance-based assessments, limitations and caveats
- Rules to complete assessment
- Password policies
- Data isolation
- Key management
- Limitations
1. Limited network access
2. Limited storage access
– Clearly defined objectives based on regulations
|
Information Gathering and Vulnerability Identification – 22%
|
| Given a scenario, conduct information gathering using appropriate techniques. |
– Scanning
– Enumeration
- Hosts
- Networks
- Domains
- Users
- Groups
- Network shares
- Web pages
- Applications
- Services
- Tokens
- Social networking sites
– Packet crafting
– Packet inspection
– Fingerprinting
– Cryptography
– Eavesdropping
- RF communication monitoring
- Sniffing
1. Wired
2. Wireless
– Decompilation
– Debugging
– Open Source Intelligence Gathering
- Sources of research
1. CERT
2. NIST
3. JPCERT
4. CAPEC
5. Full disclosure
6. CVE
7. CWE
|
| Given a scenario, perform a vulnerability scan. |
– Credentialed vs. non-credentialed
– Types of scans
- Discovery scan
- Full scan
- Stealth scan
- Compliance scan
– Container security
– Application scan
- Dynamic vs. static analysis
– Considerations of vulnerability scanning
- Time to run scans
- Protocols used
- Network topology
- Bandwidth limitations
- Query throttling
- Fragile systems/non-traditional assets
|
| Given a scenario, analyze vulnerability scan results. |
– Asset categorization
– Adjudication
– Prioritization of vulnerabilities
– Common themes
- Vulnerabilities
- Observations
- Lack of best practices
|
| Explain the process of leveraging information to prepare for exploitation. |
– Map vulnerabilities to potential exploits
– Prioritize activities in preparation for penetration test
– Describe common techniques to complete attack
- Cross-compiling code
- Exploit modification
- Exploit chaining
- Proof-of-concept development (exploit development)
- Social engineering
- Credential brute forcing
- Dictionary attacks
- Rainbow tables
- Deception
|
| Explain weaknesses related to specialized systems. |
– ICS
– SCADA
– Mobile
– IoT
– Embedded
– Point-of-sale system
– Biometrics
– Application containers
– RTOS |
Attacks and Exploits – 30%
|
| Compare and contrast social engineering attacks. |
– Phishing
- Spear phishing
- SMS phishing
- Voice phishing
- Whaling
– Elicitation
- Business email compromise
– Interrogation
– Impersonation
– Shoulder surfing
– USB key drop
– Motivation techniques
- Authority
- Scarcity
- Social proof
- Urgency
- Likeness
- Fear
|
| Given a scenario, exploit network-based vulnerabilities. |
– Name resolution exploits
- NETBIOS name service
- LLMNR
– SMB exploits
– SNMP exploits
– SMTP exploits
– FTP exploits
– DNS cache poisoning
– Pass the hash
– Man-in-the-middle
- ARP spoofing
- Replay
- Relay
- SSL stripping
- Downgrade
– DoS/stress test
– NAC bypass
– VLAN hopping
|
| Given a scenario, exploit wireless and RF-based vulnerabilities. |
– Evil twin
- Karma attack
- Downgrade attack
– Deauthentication attacks
– Fragmentation attacks
– Credential harvesting
– WPS implementation weakness
– Bluejacking
– Bluesnarfing
– RFID cloning
– Jamming
– Repeating
|
| Given a scenario, exploit application-based vulnerabilities. |
– Injections
– Authentication
- Credential brute forcing
- Session hijacking
- Redirect
- Default credentials
- Weak credentials
- Kerberos exploits
– Authorization
- Parameter pollution
- Insecure direct object reference
– Cross-site scripting (XSS)
- Stored/persistent
- Reflected
- DOM
– Cross-site request forgery (CSRF/XSRF)
– Clickjacking
– Security misconfiguration
- Directory traversal
- Cookie manipulation
– File inclusion
– Unsecure code practices
- Comments in source code
- Lack of error handling
- Overly verbose error handling
- Hard-coded credentials
- Race conditions
- Unauthorized use of functions/unprotected APIs
- Hidden elements
1. Sensitive information in the DOM
- Lack of code signing
|
| Given a scenario, exploit local host vulnerabilities. |
– OS vulnerabilities
- Windows
- Mac OS
- Linux
- Android
- iOS
– Unsecure service and protocol configurations
– Privilege escalation
- Linux-specific
1. SUID/SGID programs
2. Unsecure SUDO
3. Ret2libc
4. Sticky bits
- Windows-specific
1. Cpassword
2. Clear text credentials in LDAP
3. Kerberoasting
4. Credentials in LSASS
5. Unattended installation
6. SAM database
7. DLL hijacking
- Exploitable services
1. Unquoted service paths
2. Writable services
- Unsecure file/folder permissions
- Keylogger
- Scheduled tasks
- Kernel exploits
– Default account settings
– Sandbox escape
- Shell upgrade
- VM
- Container
– Physical device security
- Cold boot attack
- JTAG debug
- Serial console
|
| Summarize physical security attacks related to facilities. |
– Piggybacking/tailgating
– Fence jumping
– Dumpster diving
– Lock picking
– Lock bypass
– Egress sensor
– Badge cloning |
| Given a scenario, perform post-exploitation techniques. |
– Lateral movement
- RPC/DCOM
1. PsExec
2. WMI
3. Scheduled tasks
- PS remoting/WinRM
- SMB
- RDP
- Apple Remote Desktop
- VNC
- X-server forwarding
- Telnet
- SSH
- RSH/Rlogin
– Persistence
- Scheduled jobs
- Scheduled tasks
- Daemons
- Back doors
- Trojan
- New user creation
– Covering your tracks
|
Penetration Testing Tools – 17%
|
| Given a scenario, use Nmap to conduct information gathering exercises. |
– SYN scan (-sS) vs. full connect scan (-sT)
– Port selection (-p)
– Service identification (-sV)
– OS fingerprinting (-O)
– Disabling ping (-Pn)
– Target input file (-iL)
– Timing (-T)
– Output parameters
|
| Compare and contrast various use cases of tools. |
– Use cases
- Reconnaissance
- Enumeration
- Vulnerability scanning
- Credential attacks
1. Offline password cracking
2. Brute-forcing services
- Persistence
- Configuration compliance
- Evasion
- Decompilation
- Forensics
- Debugging
- Software assurance
1. Fuzzing
2. SAST
3. DAST
– Tools
- Scanners
1. Nikto
2. OpenVAS
3. SQLmap
4. Nessus
- Credential testing tools
1. Hashcat
2. Medusa
3. Hydra
4. Cewl
5. John the Ripper
6. Cain and Abel
7. Mimikatz
8. Patator
9. Dirbuster
10. W3AF
- Debuggers
1. OLLYDBG
2. Immunity debugger
3. GDB
4. WinDBG
5. IDA
- Software assurance
1. Findbugs/findsecbugs
2. Peach
3. AFL
4. SonarQube
5. YASCA
- OSINT
1. Whois
2. Nslookup
3. Foca
4. Theharvester
5. Shodan
6. Maltego
7. Recon-NG
8. Censys
- Wireless
1. Aircrack-NG
2. Kismet
3. WiFite
- Web proxies
1. OWASP ZAP
2. Burp Suite
- Social engineering tools
1. SET
2. BeEF
- Remote access tools
1. SSH
2. NCAT
3. NETCAT
4. Proxychains
- Networking tools
1. Wireshark
2. Hping
- Mobile tools
1. Drozer
2. APKX
3. APK studio
- MISC
1. Searchsploit
2. Powersploit
3. Responder
4. Impacket
5. Empire
6. Metasploit framework
|
| Given a scenario, analyze tool output or data related to a penetration test. |
– Password cracking
– Pass the hash
– Setting up a bind shell
– Getting a reverse shell
– Proxying a connection
– Uploading a web shell
– Injections |
| Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell). |
– Logic
– I/O
- File vs. terminal vs. network
– Substitutions
– Variables
– Common operations
- String operations
- Comparisons
– Error handling
– Arrays
– Encoding/decoding
|
Reporting and Communication – 16%
|
| Given a scenario, use report writing and handling best practices. |
– Normalization of data
– Written report of findings and remediation
- Executive summary
- Methodology
- Findings and remediation
- Metrics and measures
1. Risk rating
- Conclusion
– Risk appetite
– Storage time for report
– Secure handling and disposition of reports
|
| Explain post-report delivery activities. |
– Post-engagement cleanup
- Removing shells
- Removing tester-created credentials
- Removing tools
– Client acceptance
– Lessons learned
– Follow-up actions/retest
– Attestation of findings
|
| Given a scenario, recommend mitigation strategies for discovered vulnerabilities. |
– Solutions
- People
- Process
- Technology
– Findings
- Shared local administrator credentials
- Weak password complexity
- Plain text passwords
- No multifactor authentication
- SQL injection
- Unnecessary open services
– Remediation
- Randomize credentials/LAPS
- Minimum password requirements/password filters
- Encrypt the passwords
- Implement multifactor authentication
- Sanitize user input/parameterize queries
- System hardening
|
