Exam

CompTIA Pentest+ (Answered) 2023/2024

Rating: -
Sold: -
Pages: 77
Grade: A+
Uploaded on: 05-01-2024
Written in: 2023/2024

Methodology: a system of methods used in a particular area of study or activity.

Pentest Methodology:
1. Planning & Scoping
2. Info Gathering & Vulnerability ID
3. Attacks & Exploits
4. Reporting & Communication

NIST SP 800-115 Methodology:
1. Planning
2. Discovery
3. Attack
4. Reporting

Planning a Penetration Test, Questions to ask:
▪ Why Is Planning Important?
▪ Who is the Target Audience?
▪ Budgeting
▪ Resources and Requirements
▪ Communication Paths
▪ What is the End State?
▪ Technical Constraints
▪ Disclaimers

Planning a Penetration Test - Budgeting:
▪ Controls many factors in a test
▪ If you have a large budget, you can perform a more in-depth test
  ● Increased timeline for testing
  ● Increased scope
  ● Increased resources (people, tech, etc.)

Planning a Penetration Test - Resources and Requirements:
▪ What resources will the assessment require?
▪ What requirements will be met in the testing?
  ● Confidentiality of findings
  ● Known vs. unknown vulnerabilities
  ● Compliance-based assessment

Planning a Penetration Test - Communication Paths:
▪ Who do we communicate with about the test?
▪ What info will be communicated and when?
▪ Who is a trusted agent if testing goes wrong?

Planning a Penetration Test - What is the End State?:
▪ What kind of report will be provided after the test?
▪ Will you provide an estimate of how long remediations would take?

Planning a Penetration Test - Technical Constraints:
▪ What constraints limited your ability to test?
▪ Provide the status in your report
  ● Tested
  ● Not Tested
  ● Can't Be Tested

Planning a Penetration Test - Disclaimers:
▪ Point-in-Time Assessment
  ● Results were accurate when the pentest occurred
▪ Comprehensiveness
  ● How complete was the test?
  ● Did you test the entire organization or only specific objectives?

Rules of Engagement (RoE): detailed guidelines and constraints regarding the execution of information security testing. The RoE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

Rules of Engagement (RoE) Overview:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries

RoE: Timeline:
▪ How long will the test be conducted?
  ● A week, a month, a year
▪ What tasks will be performed and how long will each be planned for?

RoE: Locations:
▪ Where will the testers be located?
  ● On-site or remote location
▪ Does the organization have numerous locations?
▪ Does it cross international borders?

RoE: Time Restrictions:
▪ Are there certain times that aren't authorized?
▪ What about days of the week?
▪ What about holidays?

RoE: Transparency:
▪ Who will know about the pentest?
▪ Will the organization provide resources to the testers (white box test)?

RoE: Boundaries:
▪ What will be tested?
▪ Is social engineering allowed to be used?
▪ What about physical security testing?
▪ How invasive can the pentest be?

Legal Concepts (1): laws and regulations regarding cyber-crime vary from country to country; check the local laws before conducting an assessment.

Legal Concepts (2): consult your attorney before performing any penetration testing work to ensure you are within the legal bounds of the laws of the countries where you are operating.

Crimes and Criminal Procedure:
▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030

§ 1029 Fraud & related activity w/ access devices:
▪ Prosecutes those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices
▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials

§ 1030 Fraud and related activity with computers:
▪ Covers just about any computer or device connected to a network
▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights
▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity

Obtain Written Authorization:
▪ White hat hackers always get permission
▪ This is your get out of jail free card...
▪ Penetration tests can expose confidential information, so permission must be granted
▪ Third-party authorization when necessary
  ● Ex: from a Cloud service provider

Third-Party Authorization:
▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test
  ● Ex: from a Cloud service provider

Pentest Contracts:
▪ Statement of Work (SOW)
▪ Master Service Agreement (MSA)
▪ Non-Disclosure Agreement (NDA)

Statement of Work (SOW): a formal document stating the scope of what will be performed during a penetration test.
▪ Clearly states what tasks are to be accomplished during an engagement

Master Service Agreement (MSA): a contract where parties agree to most of the terms that will govern future actions.
▪ High-level contract between a service provider and a client that specifies details of the business arrangement

Non-Disclosure Agreement (NDA): a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.
▪ Agreement that defines confidential material and restrictions on use and sharing of sensitive information with other parties

Corporate Policies:
▪ What do corporate policies allow you to do?
▪ Have employees waived their privacy?
▪ What policies should be tested?
  ● Password strength/reuse
  ● Bring Your Own Device (BYOD)
  ● Encryption
  ● Update frequency

Export Restrictions:
▪ Wassenaar Agreement precludes the transfer of technologies considered "dual-use"
▪ Strong encryption falls under this restriction
▪ Penetration testing tools could be considered surveillance tools and fall under these rules

Penetration Testing Strategies:
▪ Black Box
▪ Gray Box
▪ White Box

Black Box (No Knowledge Test):
▪ No prior knowledge of target or network
▪ Simulates an outsider attack
▪ Only focuses on what external attackers see and ignores the insider threat
▪ Takes more time and is much more expensive

White Box (Full Knowledge Test):
▪ Full knowledge of network, systems, and the infrastructure
▪ Spend more time probing vulnerabilities and less time gathering information
▪ Tester is given support resources from the organization

Gray Box (Partial Knowledge Test):
▪ Partial knowledge of target
▪ Can be used as an internal test to simulate an insider attack with minimal knowledge
▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities
  ● Ex: IP range provided or company emails for phishing

White Box Support Resources: generally provided only for a white box penetration test
  ● Architectural diagrams
  ● Sample application requests
  ● SDK documentation
  ● SOAP project files
  ● Swagger document
  ● WSDL/WADL
  ● XSD

White Box Architectural Diagrams:
▪ Network diagrams, software flow charts, physical maps of organizational facilities
▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located

White Box Sample Application Requests:
▪ Generally used for testing web applications or other applications developed by the organization

White Box SDK Documentation:
▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform
▪ SDK provides code libraries for use

White Box SOAP Project File:
▪ Simple Object Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services
▪ SOAP project files are created from WSDL files or a single service call

White Box Swagger Document:
▪ Open-source framework with a large system of tools to help design, build, document, test, and standardize REST Web Services
▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years
▪ REST is a web application architectural style based on HTTP

White Box WSDL:
▪ Web Services Description Language
  ● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server
  ● Flexible and allows binding options
  ● Not useful for REST services with WSDL 1.1

White Box WADL:
▪ Web Application Description Language
  ● XML-based machine-readable description of HTTP-based web services
  ● Easier to write than WSDL but not as flexible
  ● Typically used for REST services

White Box XML Schema Definition (XSD):
▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document

Types of Pentest Assessments:
▪ Goal-based Pentests
▪ Objective-based
▪ Premerger
▪ Supply Chain
▪ Red Team

Goal-based Pentests Assessment:
▪ Specific goals are defined before testing starts
▪ Pentester may attempt to find many unique methods to achieve the specific goals

Objective-based Assessment (1):
▪ Objective-based pentests seek to ensure the information remains secure
▪ Testing occurs using all methods and more accurately simulates a real attack
▪ Compliance-based
▪ Risk-based compliance assessment that is required to ensure policies or regulations are being followed properly

Objective-based Assessment (2):
▪ Objective-based pentests seek to ensure the information remains secure
▪ Regulations and policies provide checklists, for example the PCI-DSS compliance assessment
▪ Objectives are clearly defined
▪ Focus is on password policies, data isolation, limited network/storage access, and key management

Premerger Assessment:
▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited
▪ Can be a part of the due diligence efforts

Supply Chain Assessment:
▪ Pentest may be required of your suppliers to ensure they are meeting their cybersecurity requirements
▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems
▪ Minimize risk by purchasing only from trusted vendors

Red Team: a penetration test conducted by an organization's internal pentesters during a security exercise to ensure defenders (blue team) can perform their jobs adequately.

Threat Actors:
▪ Advanced Persistent Threat (APT)
▪ Hacktivist
▪ Insider Threat
▪ Script Kiddies

Threat Actors - Tiers of Adversaries:
▪ Not all threat actors are created equal
▪ Some are structured, some are unstructured
▪ Some are more skilled than others

Threat Actors - Advanced Persistent Threat (APT):
▪ Group with great capability and intent to hack a particular network or system
▪ Target organizations for business or political motives and usually funded by nation states
▪ Conduct highly covert hacks over long periods of time

Threat Actors - Hacktivist:
▪ Conduct activities against governments, corporations, or individuals
▪ Can be an individual or member of a group

Threat Actors - Insider Threat:
▪ Already have authorized user access to the networks, making them extremely dangerous
▪ May be a skilled or unskilled attacker
▪ Might be a former or current employee

Threat Actors - Script Kiddies:
▪ Low-skilled attackers who use others' tools
▪ Use freely available vulnerability assessment and hacking tools to conduct attacks

Threat Actors - What is the Intent?:
▪ Greed or monetary gain
▪ Power, revenge, or blackmail
▪ Thrills, reputation, or recognition
▪ Espionage or political motivation

Threat Actors - Threat Modeling:
▪ What threat are you trying to emulate?
▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat?
▪ Will you be given insider knowledge or perform a white box penetration test?

Tiers of Adversaries:
1 - Little money; rely on off-the-shelf tools/known exploits
2 - Little money; invested in own tools against known vulnerabilities
3 - Invests lots of money to find vulnerabilities to steal for profit
4 - Organized, technical, proficient, funded, working in teams
5 - Nation states investing tons of money in finding/creating vulnerabilities
6 - Nation states investing tons to carry out military ops

Target Selection:
▪ Internal or External
▪ First-party or Third-party hosted
▪ Physical
▪ Users
▪ SSIDs
▪ Applications

Target Selection - Internal: focuses on targets inside the firewall
  ● Can be on-site or off-site
  ● Logically internal

Target Selection - External: focuses on publicly facing targets
  ● Webservers in the DMZ
  ● Outside the protected LAN

Target Selection - First-party or Third-party:
▪ Are the targets hosted by the organization or by a third-party service provider?
▪ DionT is hosted by Thinkific and might be outside the penetration test scope

Target Selection - Physical:
▪ Are we contracted to test physical security?
▪ Should we attempt to break into the facility?

Target Selection - Users:
▪ Is social engineering authorized?
▪ Are particular users being targeted or not considered part of the assessment?

Target Selection - Wireless and SSIDs:
▪ Is wireless pentesting being conducted?

Institution: CompTIA Pentest+
Course: CompTIA Pentest+











Type: Exam
Contains: Questions and answers

Seller: QUICKEXAMINER, Walden University