PT0-001 CompTIA PenTest+ Certification Exam
Description
The PT0-001: CompTIA PenTest+ Certification Exam verifies that candidates have the knowledge and skills required to plan and carry out a vulnerability assessment, understand the applicable legal and regulatory requirements, run automated vulnerability scans, conduct penetration tests, analyze the resulting data, and effectively report and communicate the results together with recommendations for remediating and securing the identified vulnerabilities and compliance gaps.
PT0-001: CompTIA PenTest+ Certification Exam is the only penetration-testing exam delivered at Pearson VUE test centers that combines hands-on, performance-based tasks, graded on the actual outcome of the work, with multiple-choice questions. This matters because holders of a certified penetration tester title are expected above all to demonstrate practical skills, and a purely multiple-choice exam would not be sufficient for that.
Exam format:
The exam is available in English.
Maximum exam duration: 165 minutes
Multiple-choice questions and hands-on, performance-based tasks.
For the multiple-choice questions, expect the following formats:
- a single correct answer
- multiple correct answers
- fill-in-the-blank answers
- https://www.youtube.com/watch?v=Nq9LnfAkOcM
Maximum number of questions: 85
Where
The exam is taken at Pearson VUE test centers
Requirements
A passing result means a score of at least 750 points, out of a maximum of 900.
Price
349 USD
Exam objectives
The knowledge domains and their percentage share of the questions on the PT0-001: CompTIA PenTest+ Certification Exam:
Planning and Scoping – 15%
Explain the importance of planning for an engagement.
- Understanding the target audience
- Rules of engagement
- Communication escalation path
- Resources and requirements
- Confidentiality of findings
- Known vs. unknown
- Budget
- Impact analysis and remediation timelines
- Disclaimers
- Point-in-time assessment
- Comprehensiveness
- Technical constraints
- Support resources
- WSDL/WADL
- SOAP project file
- SDK documentation
- Swagger document
- XSD
- Sample application requests
- Architectural diagrams
Explain key legal concepts.
- Contracts
- SOW
- MSA
- NDA
- Environmental differences
- Export restrictions
- Local and national government restrictions
- Corporate policies
- Written authorization
- Obtain signature from proper signing authority
- Third-party provider authorization when necessary
Explain the importance of scoping an engagement properly.
- Types of assessment
- Goals-based/objectives-based
- Compliance-based
- Red team
- Special scoping considerations
- Premerger
- Supply chain
- Target selection
- Targets
- Internal
- On-site vs. off-site
- External
- First-party vs. third-party hosted
- Physical
- Users
- SSIDs
- Applications
- Internal
- Considerations
- White-listed vs. black-listed
- Security exceptions
- IPS/WAF whitelist
- NAC
- Certificate pinning
- Company’s policies
- Strategy
- Black box vs. white box vs. gray box
- Risk acceptance
- Tolerance to impact
- Scheduling
- Scope creep
- Threat actors
- Adversary tier
- APT
- Script kiddies
- Hacktivist
- Insider threat
- Capabilities
- Intent
- Threat models
Explain the key aspects of compliance-based assessments.
- Compliance-based assessments, limitations, and caveats
- Rules to complete assessment
- Password policies
- Data isolation
- Key management
- Limitations
- Limited network access
- Limited storage access
- Clearly defined objectives based on regulations
Information Gathering and Vulnerability Identification – 22%
Given a scenario, conduct information gathering using appropriate techniques.
- Scanning
- Enumeration
- Hosts
- Networks
- Domains
- Users
- Groups
- Network shares
- Web pages
- Applications
- Services
- Tokens
- Social networking sites
- Packet crafting
- Packet inspection
- Fingerprinting
- Cryptography
- Certificate inspection
- Eavesdropping
- RF communication monitoring
- Sniffing
- Wired
- Wireless
- Decompilation
- Debugging
- Open Source Intelligence Gathering
- Sources of research
- CERT
- NIST
- JPCERT
- CAPEC
- Full disclosure
- CVE
- CWE
Given a scenario, perform a vulnerability scan.
- Credentialed vs. non-credentialed
- Types of scans
- Discovery scan
- Full scan
- Stealth scan
- Compliance scan
- Container security
- Application scan
- Dynamic vs. static analysis
- Considerations of vulnerability scanning
- Time to run scans
- Protocols used
- Network topology
- Bandwidth limitations
- Query throttling
- Fragile systems/non-traditional assets
Given a scenario, analyze vulnerability scan results.
- Asset categorization
- Adjudication
- False positives
- Prioritization of vulnerabilities
- Common themes
- Vulnerabilities
- Observations
- Lack of best practices
Explain the process of leveraging information to prepare for exploitation.
- Map vulnerabilities to potential exploits
- Prioritize activities in preparation for penetration test
- Describe common techniques to complete attack
- Cross-compiling code
- Exploit modification
- Exploit chaining
- Proof-of-concept development (exploit development)
- Social engineering
- Credential brute forcing
- Dictionary attacks
- Rainbow tables
- Deception
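The objective above lists credential brute forcing, dictionary attacks and rainbow tables side by side without showing why they differ in cost. The following added example (written for this page, not CompTIA's or the page's own code) cracks a constructed credential dump with both approaches: a precomputed hash-to-plaintext table works instantly against unsalted hashes, while salted entries force a per-user dictionary attack. The `user:salt_hex:sha256_hex` dump format and the six-word wordlist are constructed for the demo and stand in for a real shadow/NTDS dump and a file such as rockyou.txt.

```python
"""Dictionary attack vs. precomputed lookup table, on constructed data.

Added example; not from CompTIA or the page. The "user:salt_hex:sha256_hex"
dump format is hypothetical (not a real shadow/NTDS layout), and the wordlist
stands in for a file such as rockyou.txt.
"""
import hashlib

# Constructed wordlist (a real engagement would read one from disk).
WORDLIST = ["123456", "password", "letmein", "Summer2019", "qwerty", "correcthorse"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Plain or salted SHA-256: the kind of weak scheme a target app might use."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. This is the idea behind rainbow
    tables: the hashing cost is paid up front and amortised over every dump."""
    return {hash_password(w): w for w in words}


def dictionary_attack(digest: str, salt: bytes, words):
    """Hash each candidate with the victim's salt and compare. Because the salt
    differs per user, nothing can be precomputed; the cost is len(words) hashes
    per entry instead of a single lookup."""
    for candidate in words:
        if hash_password(candidate, salt) == digest:
            return candidate
    return None


def crack_dump(dump: str, words):
    """Return {user: (method, plaintext_or_None)} for each line of the dump."""
    table = build_lookup_table(words)
    results = {}
    for line in dump.strip().splitlines():
        user, salt_hex, digest = line.split(":")
        salt = bytes.fromhex(salt_hex)          # b"" when the app stored unsalted hashes
        if not salt:                             # unsalted: O(1) table lookup
            results[user] = ("table", table.get(digest))
        else:                                    # salted: must brute-force per user
            results[user] = ("dictionary", dictionary_attack(digest, salt, words))
    return results


# Constructed dump, generated here so the digests are genuine SHA-256 values.
SAMPLE_DUMP = "\n".join([
    "alice::" + hash_password("letmein"),                                         # unsalted
    "bob:5f3a9c1e:" + hash_password("Summer2019", bytes.fromhex("5f3a9c1e")),    # salted, in wordlist
    "carol:00112233:" + hash_password("Tr0ub4dor&3", bytes.fromhex("00112233")),  # salted, not in wordlist
])

if __name__ == "__main__":
    for user, (method, plaintext) in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user:6s} {method:10s} {plaintext}")
```

The same split is what tools like Hashcat and John the Ripper exploit at scale: an unsalted hash type needs one pass over the wordlist for the whole dump, a salted one needs one pass per user, which is why salt (and a slow hash such as bcrypt or PBKDF2) is the usual remediation for a "plain text passwords" or "weak hashing" finding.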
Explain weaknesses related to specialized systems.
- ICS
- SCADA
- Mobile
- IoT
- Embedded
- Point-of-sale system
- Biometrics
- Application containers
- RTOS
Attacks and Exploits – 30%
Compare and contrast social engineering attacks.
- Phishing
- Spear phishing
- SMS phishing
- Voice phishing
- Whaling
- Elicitation
- Business email compromise
- Interrogation
- Impersonation
- Shoulder surfing
- USB key drop
- Motivation techniques
- Authority
- Scarcity
- Social proof
- Urgency
- Likeness
- Fear
Given a scenario, exploit network-based vulnerabilities.
- Name resolution exploits
- NETBIOS name service
- LLMNR
- SMB exploits
- SNMP exploits
- SMTP exploits
- FTP exploits
- DNS cache poisoning
- Pass the hash
- Man-in-the-middle
- ARP spoofing
- Replay
- Relay
- SSL stripping
- Downgrade
- DoS/stress test
- NAC bypass
- VLAN hopping
Given a scenario, exploit wireless and RF-based vulnerabilities.
- Evil twin
- Karma attack
- Downgrade attack
- Deauthentication attacks
- Fragmentation attacks
- Credential harvesting
- WPS implementation weakness
- Bluejacking
- Bluesnarfing
- RFID cloning
- Jamming
- Repeating
Given a scenario, exploit application-based vulnerabilities.
- Injections
- SQL
- HTML
- Command
- Code
- Authentication
- Credential brute forcing
- Session hijacking
- Redirect
- Default credentials
- Weak credentials
- Kerberos exploits
- Authorization
- Parameter pollution
- Insecure direct object reference
- Cross-site scripting (XSS)
- Stored/persistent
- Reflected
- DOM
- Cross-site request forgery (CSRF/XSRF)
- Clickjacking
- Security misconfiguration
- Directory traversal
- Cookie manipulation
- File inclusion
- Local
- Remote
- Unsecure code practices
- Comments in source code
- Lack of error handling
- Overly verbose error handling
- Hard-coded credentials
- Race conditions
- Unauthorized use of functions/unprotected APIs
- Hidden elements
- Sensitive information in the DOM
- Lack of code signing
Given a scenario, exploit local host vulnerabilities.
- OS vulnerabilities
- Windows
- Mac OS
- Linux
- Android
- iOS
- Unsecure service and protocol configurations
- Privilege escalation
- Linux-specific
- SUID/SGID programs
- Unsecure SUDO
- Ret2libc
- Sticky bits
- Windows-specific
- Cpassword
- Clear text credentials in LDAP
- Kerberoasting
- Credentials in LSASS
- Unattended installation
- SAM database
- DLL hijacking
- Exploitable services
- Unquoted service paths
- Writable services
- Unsecure file/folder permissions
- Linux-specific
- Keylogger
- Scheduled tasks
- Kernel exploits
- Default account settings
- Sandbox escape
- Shell upgrade
- VM
- Container
- Physical device security
- Cold boot attack
- JTAG debug
- Serial console
Summarize physical security attacks related to facilities.
- Piggybacking/tailgating
- Fence jumping
- Dumpster diving
- Lock picking
- Lock bypass
- Egress sensor
- Badge cloning
Given a scenario, perform post-exploitation techniques.
- Lateral movement
- RPC/DCOM
- PsExec
- WMI
- Scheduled tasks
- PS remoting/WinRM
- SMB
- RDP
- Apple Remote Desktop
- VNC
- X-server forwarding
- Telnet
- SSH
- RSH/Rlogin
- RPC/DCOM
- Persistence
- Scheduled jobs
- Scheduled tasks
- Daemons
- Back doors
- Trojan
- New user creation
- Covering your tracks
Penetration Testing Tools – 17%
Given a scenario, use Nmap to conduct information gathering exercises.
- SYN scan (-sS) vs. full connect scan (-sT)
- Port selection (-p)
- Service identification (-sV)
- OS fingerprinting (-O)
- Disabling ping (-Pn)
- Target input file (-iL)
- Timing (-T)
- Output parameters
- oA
- oN
- oG
- oX
Compare and contrast various use cases of tools.
(**The intent of this objective is NOT to test specific vendor feature sets.)
- Use cases
- Reconnaissance
- Enumeration
- Vulnerability scanning
- Credential attacks
- Offline password cracking
- Brute-forcing services
- Persistence
- Configuration compliance
- Evasion
- Decompilation
- Forensics
- Debugging
- Software assurance
- Fuzzing
- SAST
- DAST
- Tools
- Scanners
- Nikto
- OpenVAS
- SQLmap
- Nessus
- Credential testing tools
- Hashcat
- Medusa
- Hydra
- Cewl
- John the Ripper
- Cain and Abel
- Mimikatz
- Patator
- Dirbuster
- W3AF
- Debuggers
- OLLYDBG
- Immunity debugger
- GDB
- WinDBG
- IDA
- Software assurance
- Findbugs/findsecbugs
- Peach
- Dynamo
- AFL
- SonarQube
- YASCA
- OSINT
- Whois
- Nslookup
- Foca
- Theharvester
- Shodan
- Maltego
- Recon-NG
- Censys
- Wireless
- Aircrack-NG
- Kismet
- WiFite
- Web proxies
- OWASP ZAP
- Burp Suite
- Social engineering tools
- SET
- BeEF
- Remote access tools
- SSH
- NCAT
- NETCAT
- Proxychains
- Networking tools
- Wireshark
- Hping
- Mobile tools
- Androzer
- APKX
- APK studio
- MISC
- Searchsploit
- Powersploit
- Responder
- Impacket
- Empire
- Metasploit framework
Given a scenario, analyze tool output or data related to a penetration test.
- Password cracking
- Pass the hash
- Setting up a bind shell
- Getting a reverse shell
- Proxying a connection
- Uploading a web shell
- Injections
Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell).
- Logic
- Looping
- Flow control
- I/O
- File vs. terminal vs. network
- Substitutions
- Variables
- Common operations
- String operations
- Comparisons
- Error handling
- Arrays
- Encoding/decoding
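The two objectives above (analyzing tool output such as Nmap's `-oG` files, and reading a basic script that uses loops, flow control, file vs. terminal I/O, string operations, error handling, arrays and encoding) are easiest to see together. The following added example, written for this page and not taken from CompTIA or the page, parses grepable Nmap output into a host/port structure, lists open services, and base64-encodes the findings for transport. `SAMPLE_OG` is constructed in the shape of Nmap's `-oG` format (`port/state/proto/owner/service/rpcinfo/version/`); the hosts, banners and the deliberately malformed line are invented.

```python
"""Parse nmap grepable (-oG) output and list open services.

Added example; not from CompTIA or the page. SAMPLE_OG is constructed in the
shape nmap's -oG format uses (port/state/proto/owner/service/rpcinfo/version/);
the hosts and banners are invented, and line 7 is intentionally malformed.
"""
import base64
import json
import sys

SAMPLE_OG = """\
# Nmap 7.80 scan initiated Mon Jan  6 10:00:00 2020 as: nmap -sV -Pn -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/closed/tcp//https///
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 10.0.0.3 ()\tStatus: Down
Host: 10.0.0.4 ()\tPorts: garbage
# Nmap done at Mon Jan  6 10:01:00 2020 -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_port_entry(entry: str) -> dict:
    """'22/open/tcp//ssh//OpenSSH 7.4/' -> dict; raises ValueError if malformed."""
    parts = entry.split("/")
    if len(parts) < len(PORT_FIELDS):
        raise ValueError(f"malformed port entry: {entry!r}")
    record = dict(zip(PORT_FIELDS, parts))
    record["port"] = int(record["port"])          # also ValueError if not numeric
    return record


def parse_gnmap(text: str):
    """Return (hosts, warnings); hosts maps ip -> {'status': ..., 'ports': [...]}."""
    hosts, warnings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):      # skip banner/trailer comments
            continue
        fields = line.split("\t")                 # -oG separates sections with tabs
        ip = fields[0].split()[1]                 # "Host: 10.0.0.1 ()" -> "10.0.0.1"
        host = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    try:
                        host["ports"].append(parse_port_entry(entry))
                    except ValueError as exc:     # keep parsing, but record the problem
                        warnings.append(f"line {lineno}: {exc}")
    return hosts, warnings


def open_services(hosts):
    """Flatten to (ip, port, service, version) for open ports, sorted numerically."""
    rows = [(ip, p["port"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]
    return sorted(rows, key=lambda r: (tuple(int(o) for o in r[0].split(".")), r[1]))


def encode_findings(hosts) -> str:
    """Base64 of JSON: how results often travel through a text-only channel."""
    return base64.b64encode(json.dumps(hosts, sort_keys=True).encode()).decode()


def decode_findings(blob: str):
    return json.loads(base64.b64decode(blob))


if __name__ == "__main__":
    # File vs. terminal input: read a .gnmap path if one is given, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    hosts, warnings = parse_gnmap(text)
    for ip, port, service, version in open_services(hosts):
        print(f"{ip:15s} {port:5d} {service:15s} {version}")
    for w in warnings:
        print("WARNING:", w, file=sys.stderr)
```

Run it with no arguments to parse the embedded sample, or pass a real `scan.gnmap` produced by `nmap -sV -oG scan.gnmap <targets>`. The malformed line is reported on stderr rather than aborting the run, which is the behaviour you want when triaging output from a large scan.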
Reporting and Communication – 16%
Given a scenario, use report writing and handling best practices.
- Normalization of data
- Written report of findings and remediation
- Executive summary
- Methodology
- Findings and remediation
- Metrics and measures
- Risk rating
- Conclusion
- Risk appetite
- Storage time for report
- Secure handling and disposition of reports
Explain post-report delivery activities.
- Post-engagement cleanup
- Removing shells
- Removing tester-created credentials
- Removing tools
- Client acceptance
- Lessons learned
- Follow-up actions/retest
- Attestation of findings
Given a scenario, recommend mitigation strategies for discovered vulnerabilities.
- Solutions
- People
- Process
- Technology
- Findings
- Shared local administrator credentials
- Weak password complexity
- Plain text passwords
- No multifactor authentication
- SQL injection
- Unnecessary open services
- Remediation
- Randomize credentials/LAPS
- Minimum password requirements/password filters
- Encrypt the passwords
- Implement multifactor authentication
- Sanitize user input/parameterize queries
- System hardening
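The "Attacks and Exploits" objective lists SQL injection among application vulnerabilities and the remediation list above pairs it with "sanitize user input/parameterize queries". The following added example (written for this page; not CompTIA's or the page's own code) puts the two side by side: a login function that concatenates user input into SQL, and the hardened version that allow-lists the username and passes values as bound parameters. It uses an in-memory SQLite table with constructed users; storing passwords in plain text is itself one of the findings listed above and is kept only to keep the demo short.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example; not from CompTIA or the page. Uses an in-memory SQLite table
with constructed users; the plaintext password column is itself a finding
(plain text passwords) and is kept only to keep the demo short.
"""
import re
import sqlite3

# Allow-list for the identifier field: letters, digits, '_', '.', '-' only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("bob", "it's-hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Concatenates user input into SQL, so quotes and comments in the input
    change the query's structure. Returns the matched username or None."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Input validation on the identifier plus a parameterized query: the driver
    sends the values separately, so they are never parsed as SQL."""
    if not USERNAME_RE.fullmatch(username):
        return None
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def probe(login, username: str, password: str):
    """Run one login attempt against a fresh DB; report a DB error as a string
    instead of raising, since a verbose SQL error reaching the client is a
    separate finding (overly verbose error handling)."""
    conn = make_db()
    try:
        return login(conn, username, password)
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()


ATTEMPTS = [
    ("admin", "S3cret!"),        # legitimate login
    ("admin' -- ", "wrong"),     # comment out the password check
    ("x", "' OR '1'='1"),        # tautology appended to the password clause
    ("bob", "it's-hunter2"),     # legitimate password containing a quote
]


def run_demo():
    """Returns {(user, pw): (vulnerable_result, hardened_result)}."""
    return {(u, p): (probe(login_vulnerable, u, p), probe(login_hardened, u, p))
            for u, p in ATTEMPTS}


if __name__ == "__main__":
    for (u, p), (vuln, hard) in run_demo().items():
        print(f"{u!r:14} {p!r:14} vulnerable={vuln!r:26} hardened={hard!r}")
```

The last attempt is worth noting in a report: the vulnerable code does not just admit attackers, it also throws a database error for an honest user whose password contains an apostrophe, which is how such bugs are frequently first noticed during testing.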
Explain the importance of communication during the penetration testing process.
- Communication path
- Communication triggers
- Critical findings
- Stages
- Indicators of prior compromise
- Reasons for communication
- Situational awareness
- De-escalation
- De-confliction
- Goal reprioritization
Additional information
How to prepare:
Before taking the PT0-001: CompTIA PenTest+ Certification Exam, it is recommended to already hold the CompTIA Network+ and Security+ certifications (or equivalent knowledge) and to have at least 3-4 years of hands-on information security experience.
Suggested
As with all CompTIA exams and certifications, attending an authorized training course is not required; it is only a suggested step.
Attending the following classroom training:
CompTIA PenTest+ Prep Course
or, alternatively, the self-paced online training from the CompTIA CertMaster series https://certification.comptia.org/training/certmaster
Highly recommended
Make sure you know all the exam objectives listed above very well, both in theory and in practice. Besides the objectives published on our site, the always up-to-date list is available at https://certification.comptia.org/training/exam-objectives
Additional resources to help you prepare for the PenTest+ exam
- Free webinars on CompTIA PenTest+ https://www.comptia.org/about-us/newsroom/press-releases/2018/08/17/comptia-offers-free-webinar-and-live-demo-on-penetration-testing
- Comparison of CompTIA PenTest+ and EC-Council CEH https://certification.comptia.org/it-career-news/post/view/2018/08/08/how-does-comptia-pentest-compare-to-ceh
- Official PenTest+ Study Guide https://certification.comptia.org/training/self-study/books/pentest-pt0-001-study-guide
- Overview of the CompTIA cybersecurity certification pathway https://certification.comptia.org/it-career-news/post/view/2016/10/11/introducing-the-comptia-cybersecurity-career-pathway
- Why you should consider a career in IT security https://certification.comptia.org/it-career-news/post/view/2016/10/03/why-you-should-consider-a-career-in-cybersecurity
- The 5 most sought-after cybersecurity job roles https://certification.comptia.org/it-career-news/post/view/2016/10/04/5-cybersecurity-job-roles-to-look-for
- CompTIA Cybersecurity HUB http://www.mylanderpages.com/CompTIA/cybersecurityhub
- Guides
- Tips and advice
- Tools