CompTIA PenTest+ Study Guide
Domain 1: Planning and Scoping
Key Concepts
• Engagement Planning:
o Definition: The process of defining the scope, objectives, and rules of
engagement for a penetration test.
o Components: Goals, timelines, resources, and communication channels.
o Distinctions: Proper planning ensures alignment with client expectations and
legal boundaries.
• Legal and Compliance Considerations:
o Definition: Understanding and adhering to legal, regulatory, and ethical standards
relevant to penetration testing.
o Examples: GDPR, HIPAA, PCI DSS, and local laws.
o Distinctions: Different regions and industries have specific compliance
requirements; understanding these is crucial to avoid legal repercussions.
• Scope and Rules of Engagement:
o Definition: Determining the boundaries and constraints of a penetration test.
o Components: In-scope and out-of-scope systems, timeframes, testing
methodologies.
o Distinctions: A well-defined scope prevents unintended disruptions and ensures
focus on agreed-upon targets.
Practice Questions
1. What are the key components involved in planning a penetration test engagement?
2. How do legal and compliance considerations affect penetration testing?
3. Why is defining the scope and rules of engagement important in penetration testing?
Domain 2: Information Gathering and Vulnerability Identification
Key Concepts
• Information Gathering:
o Definition: The process of collecting data about the target system or network to
identify potential vulnerabilities.
o Techniques: Passive reconnaissance (e.g., OSINT) and active reconnaissance
(e.g., scanning).
, o Distinctions: Passive methods involve no direct interaction with the target,
minimizing detection risk, while active methods involve direct interactions and
can be more intrusive.
• Network and Host Scanning:
o Definition: Using tools to discover hosts, services, and open ports on a network.
o Tools: Nmap, Nessus, OpenVAS.
o Distinctions: Scanning can be intrusive and detectable, requiring careful timing
and execution to avoid detection.
• Vulnerability Scanning:
o Definition: Automated process of identifying known vulnerabilities in systems
and applications.
o Tools: Qualys, Nessus, OpenVAS.
o Distinctions: Vulnerability scanning identifies potential weaknesses, but does not
exploit them, unlike penetration testing.
Practice Questions
1. Describe the differences between passive and active reconnaissance.
2. What are the purposes of network and host scanning?
3. How does vulnerability scanning differ from penetration testing?
Domain 3: Attacks and Exploits
Key Concepts
• Exploitation Techniques:
o Definition: Methods used to take advantage of vulnerabilities to gain
unauthorized access.
o Types: Buffer overflow, SQL injection, cross-site scripting (XSS), social
engineering.
o Distinctions: Different vulnerabilities require specific exploitation techniques;
understanding these is key to successful penetration testing.
• Post-Exploitation:
o Definition: Activities conducted after gaining initial access to expand access and
maintain persistence.
o Activities: Privilege escalation, lateral movement, data exfiltration.
o Distinctions: Post-exploitation focuses on deeper access and long-term control
rather than initial access.
• Social Engineering:
Domain 1: Planning and Scoping
Key Concepts
• Engagement Planning:
o Definition: The process of defining the scope, objectives, and rules of
engagement for a penetration test.
o Components: Goals, timelines, resources, and communication channels.
o Distinctions: Proper planning ensures alignment with client expectations and
legal boundaries.
• Legal and Compliance Considerations:
o Definition: Understanding and adhering to legal, regulatory, and ethical standards
relevant to penetration testing.
o Examples: GDPR, HIPAA, PCI DSS, and local laws.
o Distinctions: Different regions and industries have specific compliance
requirements; understanding these is crucial to avoid legal repercussions.
• Scope and Rules of Engagement:
o Definition: Determining the boundaries and constraints of a penetration test.
o Components: In-scope and out-of-scope systems, timeframes, testing
methodologies.
o Distinctions: A well-defined scope prevents unintended disruptions and ensures
focus on agreed-upon targets.
Practice Questions
1. What are the key components involved in planning a penetration test engagement?
2. How do legal and compliance considerations affect penetration testing?
3. Why is defining the scope and rules of engagement important in penetration testing?
Domain 2: Information Gathering and Vulnerability Identification
Key Concepts
• Information Gathering:
o Definition: The process of collecting data about the target system or network to
identify potential vulnerabilities.
o Techniques: Passive reconnaissance (e.g., OSINT) and active reconnaissance
(e.g., scanning).
, o Distinctions: Passive methods involve no direct interaction with the target,
minimizing detection risk, while active methods involve direct interactions and
can be more intrusive.
• Network and Host Scanning:
o Definition: Using tools to discover hosts, services, and open ports on a network.
o Tools: Nmap, Nessus, OpenVAS.
o Distinctions: Scanning can be intrusive and detectable, requiring careful timing
and execution to avoid detection.
• Vulnerability Scanning:
o Definition: Automated process of identifying known vulnerabilities in systems
and applications.
o Tools: Qualys, Nessus, OpenVAS.
o Distinctions: Vulnerability scanning identifies potential weaknesses, but does not
exploit them, unlike penetration testing.
Practice Questions
1. Describe the differences between passive and active reconnaissance.
2. What are the purposes of network and host scanning?
3. How does vulnerability scanning differ from penetration testing?
Domain 3: Attacks and Exploits
Key Concepts
• Exploitation Techniques:
o Definition: Methods used to take advantage of vulnerabilities to gain
unauthorized access.
o Types: Buffer overflow, SQL injection, cross-site scripting (XSS), social
engineering.
o Distinctions: Different vulnerabilities require specific exploitation techniques;
understanding these is key to successful penetration testing.
• Post-Exploitation:
o Definition: Activities conducted after gaining initial access to expand access and
maintain persistence.
o Activities: Privilege escalation, lateral movement, data exfiltration.
o Distinctions: Post-exploitation focuses on deeper access and long-term control
rather than initial access.
• Social Engineering:
