My Notes for PenTest+ (2024)

15 min readFeb 3, 2024

These are notes I’ve collected throughout my studies, compiled together here in a manner hopefully deemed coherent and simple. I do not take credit for any of it, as the information is all over the internet and not designed or created by me; some of these are copy/paste from open sources. I merely aim to summarise or simplify the content required to pass the PenTest+ certification exam. These notes may be edited/updated as I go.

Web Application Testing:

SQL Injection: When input validation and the least privilege principle are not properly implemented, attackers can exploit vulnerabilities in the website by injecting malicious code to “trick” the website into granting the attacker access. This includes using “OR ‘1’=’1'” in a login form in place of legitimate login credentials.
Cross-Site Scripting (XSS): When input validation fails while using a browser, an attacker can use XSS to inject a script in the website, such as via the search box, where the victim will input a search term that redirects the browser input to the attacker. The attacker can then gain access to session cookies and use that to capture and exploit sensitive information.
Cross-Site Request Forgery (CSRF): Have you ever gotten a phishing email with a fake link leading to a page that looks legitimate? Yep, that’s what this is. A user clicks the link while already authenticated, and it redirects to the attacker’s website where malicious content is hidden and the victim unknowingly submits the attacker’s requests for them. Attackers use this method to exploit authentication and manipulate trusted access.

Wireless Security

Assessing and Securing Wireless Networks:

Site Surveys: Conduct site surveys to analyze signal strength and identify potential interference.
Vulnerability Scanning: Use tools to scan for vulnerabilities in wireless networks.
Penetration Testing: Simulate attacks to identify and address security weaknesses.
Rogue AP Detection: Monitor for unauthorized access points that may pose security risks.
Policy Enforcement: Establish and enforce security policies to guide wireless network usage.

Wireless Security Best Practices:

Unique SSIDs and Strong Passwords: Assign distinct names and use complex, unique passwords for wireless networks.
Regularly Update Firmware: Keep router firmware up to date to patch security vulnerabilities.
Disable WPS (Wi-Fi Protected Setup): Avoid potential vulnerabilities associated with WPS.
Segment Wireless Networks: Isolate guest networks from internal networks for added security.
Implement MAC Address Filtering: Restrict network access based on MAC addresses.

Encryption Protocols:

WPA3 (Wi-Fi Protected Access 3): The latest standard, enhancing encryption strength and protection against offline brute-force attacks.
WPA2 (Wi-Fi Protected Access 2): Commonly used, providing strong security with AES encryption.
WPA (Wi-Fi Protected Access): Legacy protocol, less secure than WPA2 or WPA3.

Advanced Exploitation Techniques:

Buffer Overflow Attacks: Overloading a program’s buffer to overflow and execute arbitrary code. Exploit software vulnerabilities to compromise system integrity.
Privilege Escalation: Elevating user privileges to gain unauthorized access. Exploit weaknesses to escalate from a lower to a higher privilege level.
Post-Exploitation Activities: Actions taken after gaining initial access to a system. Maintain persistence, exfiltrate data, or move laterally within the network.

Active Directory Security:

Lateral Movement: Progressing through a network horizontally after initial access. Move from one system to another without detection.
Domain Privilege Escalation: Elevating privileges within the Active Directory domain. Gain higher-level access to sensitive resources.
Defense Mechanisms: Protective measures against Active Directory attacks.

Scripting and Automation:

Automating tasks for efficiency in penetration testing. Enhances efficiency, consistency, and scalability in penetration testing workflows.

Scripting for Reconnaissance: Automate data gathering and analysis. Python scripts for scanning and extracting information about target systems.
Scripting for Exploitation: Automate the execution of penetration testing exploits. Using scripts to streamline and enhance the process of exploiting vulnerabilities.
Scripting for Post-Exploitation: Automate activities after gaining initial access. Developing scripts for maintaining persistence, privilege escalation, or data exfiltration.

IoT Security:

Challenges:

Diversity of Devices: Vast array of interconnected devices with varying security capabilities.
Limited Resources: IoT devices often have constrained resources for robust security measures.

Vulnerabilities:

Insecure Communication: Lack of secure protocols for data transmission.
Weak Authentication: Insufficient authentication mechanisms on IoT devices.

Testing Methodologies:

Device Enumeration: Identify and catalog IoT devices on the network.
Traffic Analysis: Analyze communication between IoT devices for vulnerabilities.
Firmware Analysis: Assess security in embedded software of IoT devices.

Unique Risks:

Physical Security: Devices may be physically accessible, posing additional risks.
Protocol Insecurities: Many IoT devices use protocols with known vulnerabilities.

Network Protocol Analysis

Definition: Examination of data traffic to understand network communication.
Objective: Identify anomalies, detect potential security threats, and troubleshoot network issues.
Tools: Wireshark and tcpdump are commonly used for capturing and analyzing packet-level data.
Benefits: Provides insights into network behavior, aiding in security assessments and performance optimization.

Cryptography Concepts in Penetration Testing

Encryption Algorithms:

Definition: Methods for securing data by converting it into unreadable form.
Role in Penetration Testing: Assess and exploit vulnerabilities in encryption implementations.

Hashing Functions:

Definition: Converts data into a fixed-size hash value.
Role in Penetration Testing: Assess password security, verify data integrity, and identify vulnerabilities in hash algorithms.

Digital Signatures:

Definition: Verification mechanism for the authenticity and integrity of digital messages or documents.
Role in Penetration Testing: Evaluate the robustness of digital signature implementations, ensuring secure communication.

Incident Response and Handling:

Incident Response Procedures:

Definition: Predefined steps to manage and mitigate security incidents.
Role: Minimize damage, contain threats, and facilitate recovery.

Handling Security Incidents:

Definition: Immediate response to detected security breaches.
Objectives: Identify, contain, eradicate, recover, and learn from incidents.

Best Practices for Mitigation and Recovery:

Timely Detection: Swiftly identify and respond to security incidents.
Communication Protocols: Establish clear lines of communication during incident response.
Forensic Analysis: Conduct thorough analysis to understand the incident’s scope and impact.
Documentation: Document incident details, response actions, and lessons learned for future improvements.

Compliance and Reporting:

Regulatory Compliance Frameworks:

Definition: Standards and regulations guiding security practices.
Examples: PCI DSS, HIPAA, GDPR
Role in Penetration Testing: Ensure adherence to industry-specific regulations.

Generating Comprehensive Reports:

Findings: Summarize identified vulnerabilities and weaknesses.
Recommendations: Provide actionable steps to address issues.
Risk Assessments: Evaluate potential impacts and prioritize remediation efforts.

Importance:

Legal Compliance: Avoid penalties and legal consequences.
Effective Communication: Communicate security posture to stakeholders.
Continuous Improvement: Use findings for ongoing security enhancements.

PenTesting Methodologies

OWASP Testing Guide: Provides detailed guidance on conducting security testing activities, covering aspects such as vulnerability identification, testing techniques, and best practices.
NIST SP 800–115: Serves as a technical guide for information security testing and assessment. Offers procedures and recommendations for conducting security testing, including penetration testing and vulnerability assessments.
PTES (Penetration Testing Execution Standard): Breaks down the testing process into well-defined stages, covering everything from pre-engagement activities and intelligence gathering to reporting. PTES provides a structured methodology for penetration testers.
OSSTMM (Open Source Security Testing Methodology Manual): Provides a framework for conducting security testing and analysis. Focuses on operational security and aims to standardize security testing methodologies. Covers a wide range of areas, including information security metrics, methodologies for security testing, and guidelines for penetration testing.
Cobalt Strike: An advanced threat emulation framework designed for red teaming and post-exploitation activities. Offers a range of tools for lateral movement, privilege escalation, and interactive communication with compromised systems.
Lockheed Martin Cyber Kill Chain: Outlines the stages of a cyber attack, providing a model for understanding, preventing, and responding to security incidents. The stages include reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives, and exfiltration. This framework assists in identifying and disrupting attacks at various stages.
AlienVault OTX (Open Threat Exchange): A collaborative threat intelligence platform that allows security professionals to share and access information about malicious activities and indicators of compromise in real-time.
MITRE ATT&CK: A comprehensive knowledge base that catalogs tactics, techniques, and procedures employed by threat actors during cyber campaigns. It provides a framework for understanding and categorizing the various stages of an attack, allowing organizations to align their defenses with known adversarial behavior. Widely used for threat intelligence, detection, and red teaming, MITRE ATT&CK enhances cybersecurity strategies by providing a detailed reference for adversary behavior.
ISSAF Standard (Information Systems Security Assessment Framework): A standardized framework that offers guidance for conducting security assessments, including penetration testing and vulnerability assessments. ISSAF provides a structured approach, covering aspects such as information gathering, threat modeling, and risk management. This framework assists security professionals in performing comprehensive and systematic security assessments to identify and mitigate risks in information systems.
Nmap Scripting Engine (NSE): A scripting framework that extends the capabilities of the Nmap network scanning tool. NSE allows the development and execution of custom scripts for tasks such as network discovery, vulnerability detection, and exploitation. (Not a formal methodology)

PenTesting Process

Pre-engagement Activities:

Objective: Define scope, goals, and rules of engagement.
Key Tasks: Establish communication, agree on testing parameters, and obtain necessary approvals.

Information Gathering:

Objective: Gather intelligence on the target system or network.
Key Tasks: Identify potential targets, enumerate services, and collect publicly available information.

Threat Modeling:

Objective: Assess potential threats and vulnerabilities.
Key Tasks: Analyze attack vectors, prioritize risks, and determine likely adversary tactics.

Vulnerability Analysis:

Objective: Identify and assess vulnerabilities in the target environment.
Key Tasks: Scan for vulnerabilities, conduct manual testing, and analyze results.

Exploitation:

Objective: Actively attempt to exploit identified vulnerabilities.
Key Tasks: Employ penetration testing tools and techniques to gain unauthorized access.

Post-exploitation:

Objective: Assess the impact of successful exploits and maintain access.
Key Tasks: Privilege escalation, lateral movement, and establishing persistence.

Reporting:

Objective: Communicate findings, risks, and recommendations to stakeholders.
Key Tasks: Document vulnerabilities, provide remediation guidance, and highlight potential impacts.

Cleanup and Remediation:

Objective: Assist in resolving identified vulnerabilities and improving security.
Key Tasks: Collaborate with stakeholders to address and mitigate discovered weaknesses.

Types of Vulnerabilities

Reverse Shell Types

TCP Reverse Shell:

Description: Involves a connection initiated by the target to the attacker’s machine over the Transmission Control Protocol (TCP).
Objective: Offers a reliable and connection-oriented communication channel.
Appearance: Command Prompt or Terminal Interface on the attacker’s machine, indicating a connection from the target system.

HTTP Reverse Shell:

Description: Utilizes the Hypertext Transfer Protocol (HTTP) for communication.
Objective: Conceals malicious traffic within legitimate HTTP requests, making detection more challenging.
Appearance: Interaction may occur through a web-based interface or command-line interface, embedded within legitimate HTTP traffic.

DNS Reverse Shell:

Description: Exploits the Domain Name System (DNS) to establish communication.
Objective: Encodes commands and data within DNS queries, often bypassing traditional security measures.
Appearance: Typically lacks a traditional command prompt; communication may manifest as encoded DNS queries with commands concealed within.

UDP Reverse Shell:

Description: Uses the User Datagram Protocol (UDP) for communication.
Objective: Offers a connectionless communication method, potentially suitable for scenarios with intermittent connectivity.
Appearance: Similar to TCP, but communication is connectionless and may appear as a command-line interface on the attacker’s machine.

WebSocket Reverse Shell:

Description: Leverages the WebSocket protocol to enable bidirectional communication.
Objective: Provides a full-duplex communication channel suitable for real-time interactions
Appearance: May display a command prompt or terminal interface, showcasing bidirectional communication established via the WebSocket protocol.

Scripting Attacks

Cross-Site Scripting (XSS):

Description: Injecting malicious scripts into web applications.]
Objective: Exploiting trust in a user’s browser to execute malicious code.
Appearance: Unwanted pop-ups, defaced web pages, or injected content altering the appearance and behavior of a website.

SQL Injection:

Description: Manipulating SQL queries to extract, modify, or delete data.
Objective: Exploiting vulnerabilities in database interactions for unauthorized access.
Appearance: Unauthorized access to sensitive data, altered database records, or error messages revealing database structure.

Command Injection:

Description: Injecting malicious commands into input fields.
Objective: Executing unauthorized commands on a system or application server.
Appearance: Execution of unexpected commands, potentially leading to system compromise or unauthorized access.

Cross-Site Request Forgery (CSRF):

Description: Forcing a user to perform an unwanted action without their consent.
Objective: Exploiting the trust a website has in a user’s browser.
Appearance: Unintended actions performed on a website on behalf of an authenticated user without their consent.

JavaScript Code Injection:

Description: Injecting malicious JavaScript code into a web application.
Objective: Executing unauthorized actions within the context of a user’s session.
Appearance: Malicious code executing within a web application, altering its behavior or stealing sensitive information.

Remote File Inclusion (RFI) and Local File Inclusion (LFI):

Description: Including remote or local files in a web page’s execution.
Objective: Reading or executing files for unauthorized access or manipulation.
Appearance: Inclusion of unintended files, potentially revealing sensitive information or executing arbitrary code.

PowerShell Injection:

Description: Injecting malicious PowerShell scripts.
Objective: Exploiting PowerShell for post-exploitation activities in Windows environments.
Appearance: Execution of malicious PowerShell scripts, leading to post-exploitation activities on Windows systems.

XPath Injection:

Description: Manipulating XPath queries in XML-based applications.
Objective: Exploiting vulnerabilities to gain unauthorized access or modify data.
Appearance: Unauthorized access or modification of XML-based data, potentially leading to data exposure or manipulation.

Dom-Based Web Vulnerabilities

Definition: Vulnerabilities that arise from the manipulation of the Document Object Model (DOM) within a web application.
Characteristics: Exploitation involves injecting malicious code that manipulates the DOM, leading to unexpected behaviors or security risks.

Common Types:

DOM XSS (Cross-Site Scripting): Injecting malicious scripts that directly manipulate the DOM.
DOM Clobbering: Overwriting or manipulating existing DOM objects.
DOM Redirection: Forcing the browser to navigate to a different page.
Impact: Can result in unauthorized access, data exposure, or manipulation within the client-side environment.
Mitigation: Implementing secure coding practices, input validation, and using frameworks that prevent DOM manipulation vulnerabilities.

SQL Injections

Classic SQL Injection:

Description: Injecting malicious SQL code through user input fields.
Objective: Unauthorized access or manipulation of a database.
Appearance: Unexpected output on the web application, such as displaying sensitive information or modified content due to injected SQL queries.

Blind SQL Injection:

Description: Exploiting SQL vulnerabilities without direct feedback.
Objective: Extracting information through true/false conditions.
Appearance: No direct feedback on the web application, but potential impact is revealed through alterations in behavior or data.

Time-Based Blind SQL Injection:

Description: Delays in SQL query execution to determine if conditions are true.
Objective: Extracting information based on time delays.
Appearance: Delays in web application responses, indicating successful injection based on time-dependent conditions.

Error-Based SQL Injection:

Description: Exploiting error messages to gather information about the database.
Objective: Obtaining details that aid in further exploitation.
Appearance: Error messages displayed on the web application, revealing details about the database structure or query execution.

Union-Based SQL Injection:

Description: Leveraging the UNION SQL operator to combine results from different queries.
Objective: Extracting data from other database tables.
Appearance: Concatenated data from different tables or sources displayed on the web application.

Out-of-Band SQL Injection:

Description: Utilizing alternative channels to extract data, such as DNS requests.
Objective: Bypassing network restrictions and exfiltrating data.
Appearance: Indirect indicators, such as abnormal DNS requests or other out-of-band communication channels, signaling successful data exfiltration.

Cross-Site Request Forgery (CSRF) Vulnerabilities:

Definition: Exploitable weaknesses where an attacker tricks a user’s browser into performing unintended actions on a trusted website.

Stored CSRF:

Description: Malicious requests stored on the server, affecting subsequent users.
Impact: Can lead to unauthorized actions being performed on behalf of unsuspecting users.
Appearance: Malicious requests stored on the server, not visible to users.

Reflected CSRF:

Description: Malicious requests crafted within a URL or parameters.
Impact: Immediate execution of unauthorized actions when the victim clicks on a crafted link.
Appearance: Malicious requests crafted within a URL or parameters.

Blind CSRF (CSRF Without Token):

Description: Exploiting absence or weak protection of anti-CSRF tokens.
Impact: Allows unauthorized actions without proper token validation.
Appearance: Absence or weak protection of anti-CSRF tokens.

CSRF with Malicious File Upload:

Description: Exploiting CSRF to upload malicious files to a target server.
Impact: Can lead to the compromise of server resources and unauthorized access.
Appearance: Exploiting CSRF to upload malicious files to a target server.

Cross-Site Scripting (XSS) Vulnerabilities:

Reflected XSS:

Description: Injecting malicious scripts through user input, reflected immediately in the response.
Impact: Executes in the context of the victim’s browser upon interaction.
Appearance: Modified URL with injected script parameters, leading to immediate execution in the victim’s browser upon visiting the manipulated URL.

Stored (Persistent) XSS:

Description: Injecting malicious scripts into a web application, stored for later retrieval by other users.
Impact: Can affect multiple users who view the compromised content.
Appearance: Malicious script code embedded in user-generated content, such as comments or forum posts, affecting subsequent users who view the compromised content.

DOM-Based XSS:

Description: Manipulating the Document Object Model (DOM) to execute malicious scripts.
Impact: Allows attackers to alter page content dynamically, affecting user interactions.
Appearance: JavaScript code altering the Document Object Model (DOM) and dynamically modifying the appearance or behavior of a web page.

Self-XSS (User-Induced):

Description: Tricking users into executing malicious code on their behalf.
Impact: Exploits user trust to perform unintended actions.
Appearance: Social engineering techniques convincing users to input malicious code into the browser’s console or address bar, exploiting their trust.

Multipart/Form-data XSS:

Description: Injecting XSS payloads through file uploads or other form-data submissions.
Impact: Exploits handling of user-provided data in form submissions.
Appearance: Malicious script code embedded within file uploads or form submissions, exploiting how the application processes user-provided data.

PenTesting Contracts

SOW (Statement of Work):

Purpose: Formalizes the scope, deliverables, and expectations for a project.
Content: Specifies project objectives, timelines, resources, and acceptance criteria.

MSA (Master Service Agreement):

Purpose: Establishes the overarching terms and conditions for a long-term business relationship.
Content: Outlines legal and commercial aspects, such as payment terms, confidentiality, and dispute resolution.

ROE (Rules of Engagement):

Purpose: Defines the scope, limitations, and rules for a specific activity, often in security assessments.
Content: Specifies permitted activities, systems to be tested, and any constraints on the engagement.

SLA (Service Level Agreement):

Purpose: Sets expectations regarding service quality, performance, and responsibilities between a service provider and a client.
Content: Defines agreed-upon service levels, response times, and potential penalties for non-compliance.

NDA (Non-Disclosure Agreement):

Purpose: Protects confidential information by outlining the terms under which it can be shared.
Content: Specifies what information is confidential, the duration of confidentiality, and the consequences of breach.

PTA (Penetration Testing Agreement):

Purpose: Formalizes the terms and conditions for a penetration testing engagement.
Content: Outlines scope, rules of engagement, responsibilities, and legal considerations related to the penetration testing activity.

PenTesting Techniques

Scripts: Automation tools in various languages for tasks like information gathering.
Reverse Shells: Initiates a shell from a target back to the attacker for control.
Exploits: Code leveraging vulnerabilities to gain unauthorized access or control.
Payloads: Malicious components delivered by exploits, achieving specific objectives.
Trojans: Malicious programs disguised as legitimate software.
Web Shells: Scripts on web servers for remote access and control.
Post-exploitation Tools: Used after initial access for exploration and manipulation.

PenTesting Tools

Metasploit: An open-source penetration testing framework that aids security professionals in identifying and exploiting vulnerabilities within computer systems. It provides a comprehensive set of tools for penetration testing, including payload generation, exploitation, and post-exploitation modules.
Cheat Sheet
Wireshark: A widely-used network protocol analyzer that allows users to capture and analyze data on a network in real-time. It facilitates the examination of network traffic, aiding in the detection of anomalies, security threats, and the troubleshooting of network-related issues.
Cheat Sheet
Burp Suite: A web application security testing tool used for scanning, crawling, and analyzing web applications. Burp Suite assists in identifying vulnerabilities such as SQL injection and cross-site scripting (XSS) through various modules like Proxy, Scanner, and Repeater.
Cheat Sheet
Hydra: A password-cracking tool that automates the process of trying various password combinations in order to gain unauthorized access to protected systems. It supports a wide range of protocols and services, making it a versatile tool for penetration testers.
Cheat Sheet
Python Basics: Fundamental concepts and syntax of the Python programming language. Understanding Python basics is crucial for individuals involved in penetration testing, as Python is commonly used for scripting and automation in security assessments.
Cheat Sheet
Learn Python
Python for Pentesters: Building upon Python Basics, this involves the application of Python programming specifically in the context of penetration testing. It encompasses the development of custom scripts and tools for automating tasks, exploiting vulnerabilities, and enhancing the efficiency of security assessments.
Cheat Sheet
Learn Python for Pentesters
Nmap: an open-source network scanning tool used for network discovery and security auditing. It identifies active hosts, open ports, and services on target systems through various scanning techniques, making it a key asset in network reconnaissance and vulnerability assessment during penetration testing.
Cheat Sheet
Aircrack-ng: Specialized in wireless security, Aircrack-ng is employed for assessing and securing Wi-Fi networks by testing vulnerabilities and conducting packet analysis.
Cheat Sheet
Nessus: A widely used vulnerability scanner that aids in identifying potential security flaws within systems and networks, assisting in the proactive mitigation of risks.
Cheat Sheet
John the Ripper: A powerful password-cracking tool that supports various password hash algorithms, aiding in the identification of weak or compromised passwords.
Cheat Sheet
Sqlmap: Specifically designed for SQL injection detection and exploitation during penetration testing, Sqlmap helps assess and strengthen the security of database-driven web applications.
Cheat Sheet
OWASP ZAP (Zed Attack Proxy): An open-source security tool for finding vulnerabilities in web applications, ZAP assists in automated and manual testing of application security.
Cheat Sheet
Netcat: A versatile networking utility used for reading from and writing to network connections, making it valuable for tasks such as banner grabbing, port scanning, and establishing reverse shells.
Cheat Sheet
Hashcat: An advanced password recovery tool designed for efficiently cracking password hashes using various attack methods, including dictionary attacks and brute-force techniques.
Cheat Sheet
Snort: An open-source intrusion detection and prevention system (IDPS) that analyzes network traffic for suspicious patterns and activities, aiding in the detection of potential security threats.
Cheat Sheet
BloodHound: Active Directory analysis tool for mapping permissions, revealing attack paths, and assessing security risks, particularly useful in penetration testing for understanding vulnerabilities and planning security improvements.
Cheat Sheet
Acunetix: A web application security scanner that identifies vulnerabilities in web applications and provides detailed reports to facilitate effective remediation.
Cheat Sheet
Social Engineering Toolkit (SET): A toolkit for performing social engineering attacks, SET helps penetration testers simulate real-world attacks involving human interaction to assess an organization’s security awareness.
Cheat Sheet

Where To Study for The PenTest+ Certification

Exam Discount Vouchers

CompTIA Academic Store
Professor Messer
Women Cybersecurity Society
DionTraining
For CertMike, use the discount code CERTMIKE10 at the CompTIA store
BlackGirlsHack
For Pearson, use the discount code PEARSON10 at the CompTIA store