Chapter 1: Engagement Management

Chapter 1 Objective 1.1 Scope Definition Regulations, Frameworks, and Standards Privacy: Ensure compliance with privacy laws (e.g., GDPR, HIPAA). Security: Adhere to security standards (e.g., ISO/IEC 27001, NIST). Rules of Engagement Exclusions Define what systems, networks, or data are off-limits. Example: Exclude the production environment to avoid disruptions. Test Cases Specify the scenarios and conditions under which the testing will occur. Example: Testing for SQL injection vulnerabilities in the login module....

August 7, 2024 · 17 min · Dhanraj Chavan

Chapter 2: Reconnaissance and Enumeration

Chapter 2 Objective 2.1 Active and Passive Reconnaissance Active Reconnaissance → Actively interacts with the target system or network to gather information. Methods: Port scanning, ping sweeps, banner grabbing, social engineering. Risks: High detection risk, potential legal issues. Importance: Provides detailed and actionable information about the target’s systems and vulnerabilities. Passive Reconnaissance → Gathers information about the target without directly interacting with the target system or network. Methods: OSINT, WHOIS lookup, DNS enumeration, social media monitoring, website analysis....

August 7, 2024 · 15 min · Dhanraj Chavan

Chapter 3: Vulnerability Discovery and Analysis

Chapter 3 Objective 3.1 Container Scans Purpose: Assess security of containerized applications and environments. Techniques: Sidecar Scans: Utilize a sidecar container to monitor and analyze the security of a main container. Example: A sidecar container running a security tool to check for vulnerabilities in a main application container. Application Scans Purpose: Identify vulnerabilities in applications at different stages of development and deployment. Techniques: Dynamic Application Security Testing (DAST): Test running applications for vulnerabilities by simulating attacks....

August 7, 2024 · 8 min · Dhanraj Chavan

Chapter 4: Attacks and Exploits

Chapter 4 Objective 4.1 Target Prioritization High-Value Asset Identification Definition: Determining which assets are most critical to the organization and thus warrant higher priority for security efforts. Examples: Financial databases Intellectual property repositories Critical infrastructure systems Purpose: Focus resources on protecting assets that, if compromised, would have the most significant impact on the organization. Descriptors and Metrics Common Vulnerability Scoring System (CVSS) Base Score: Definition: A numerical score that represents the severity of a vulnerability....

August 7, 2024 · 67 min · Dhanraj Chavan

Chapter 5: Post-exploitation and Lateral Movement

Chapter 5 Objective 5.1 Scheduled Tasks/Cron Jobs Function: Automating tasks to run at specified times. Use Case: Setting up periodic execution of malicious scripts or commands. Example: Creating a cron job to regularly execute a script that maintains a backdoor connection. Service Creation Function: Creating system services that run with elevated privileges. Use Case: Establishing persistence by installing malicious services. Example: Creating a Windows service that launches a reverse shell upon system startup....

August 7, 2024 · 18 min · Dhanraj Chavan