
CompTIA PenTest+ domain 3: Attacks and exploits

March 8, 2022 by Howard Poston

Understanding attacks and exploits

The third domain of CompTIA’s PenTest+ exam focuses on the attacks and exploits that a pentester may use to gain initial access to an organization’s environment and to take advantage of a successful exploit. Due to the number of potential techniques, this is the largest of the PenTest+ domains.

Pentesting attacks and exploits career skills

To succeed at this portion of the exam, candidates must clearly understand how software, computers and networks can be attacked. This same knowledge is valuable for blue team members because knowledge of how attacks work is essential to developing effective defenses against these threats.

What’s covered in PenTest+ domain 3 of the exam?

Domain 3 of the PenTest+ exam accounts for 30% of a candidate’s score on the test. This domain is broken up into the following seven sections.

Given a scenario, research attack vectors and perform network attacks

The first section of this domain explores how an organization can be attacked at the network level. The topics covered in this section include:

  • Stress testing for availability: pentesters may need to perform a Distributed Denial of Service (DDoS) or similar attack for availability and resiliency testing.
  • Exploit resources: candidates should be familiar with resources for network attacks, such as the Exploit Database (DB) and Packet Storm.
  • Attacks: tests knowledge of common attacks, including ARP poisoning, password attacks and others.
  • Tools: tests knowledge of network exploit tools such as Metasploit, Netcat and Nmap.

Given a scenario, research attack vectors and perform wireless attacks

Many organizations have wireless networks, and these networks often have weaker security than their wired counterparts. This section of the PenTest+ exam tests knowledge of the following:

  • Attack methods: tests knowledge of wireless attack methods such as deauthentication, jamming, and eavesdropping.
  • Attacks: candidates should be familiar with common mobile attacks, including evil twins, bluejacking, and captive portals.
  • Tools: important tools for wireless attacks include aircrack-ng and amplified antennas.

Given a scenario, research attack vectors and perform application-based attacks

Attacks against web applications and APIs are one of the most common ways an attacker can gain initial access to an organization’s environment. Topics tested in this section include:

  • OWASP Top Ten: PenTest+ candidates should have comprehensive knowledge of the vulnerabilities listed in the OWASP Top Ten list.
  • Server-side request forgery (SSRF): SSRF vulnerabilities allow an attacker to force a server to make HTTP requests on its behalf.
  • Business logic flaws: pentesters should identify cases where the implementation of a network, service, etc. does not match plans or its intended purpose.
  • Injection attacks: injection vulnerabilities stem from poor user input validation and can be exploited via SQL, command and LDAP injection and cross-site scripting (XSS) attacks.
  • Application vulnerabilities: PenTest+ also tests knowledge of application vulnerabilities not listed in OWASP, such as race conditions, lack of code signing and session attacks.
  • API attacks: in addition to web application vulnerabilities, candidates are expected to be familiar with APIs and common attacks against them.
  • Directory traversal: directory traversal attacks take advantage of a user’s ability to specify a file to open, edit or execute to access files outside of the intended directory.
  • Tools: candidates should be familiar with common tools for web application attacks, such as web proxies, sqlmap and DirBuster.
  • Resources: tests knowledge of finding and using common attack resources, such as word lists for password attacks.

Given a scenario, research attack vectors and perform attacks on cloud technologies

Companies are increasingly adopting cloud-based infrastructure, but cloud security often lags. This section tests a candidate’s knowledge of how to test cloud security, including:

  • Attacks: tests knowledge of common attacks on cloud environments, such as credential harvesting, metadata service attacks and exploitation of misconfigured cloud assets.
  • Tools: candidates should be familiar with software development kits (SDKs) for cloud attacks.

Explain common attacks and vulnerabilities against specialized systems

During a pentest, a candidate may encounter a variety of specialized systems. PenTest+ evaluates knowledge of the following:

  • Mobile: tests knowledge of mobile-specific attack vectors, vulnerabilities and security testing tools.
  • Internet of things (IoT) devices: discusses vulnerabilities, attack vectors and special considerations for IoT device security testing.
  • Data storage system vulnerabilities: discusses potential attack vectors against data storage systems, such as poor input validation and injection vulnerabilities.
  • Management interface vulnerabilities: the candidate should be familiar with the Intelligent Platform Management Interface (IPMI).
  • SCADA/IIoT/ICS: explores vulnerabilities unique to specialized systems used in operational technology (OT) environments.
  • Virtual environments: discusses vulnerabilities specific to virtualized environments, including VM escape and vulnerabilities in hypervisors and VM repositories.
  • Containerized workloads: tests knowledge of security and exploitation of containerized workloads.

Given a scenario, perform a social engineering or physical attack

Social engineering is a technique commonly used by cybercriminals to steal sensitive data or deliver malware. This section tests knowledge of the following:

  • Pretext for an approach: the candidate should be familiar with developing a plausible pretext for a social engineering attack.
  • Social engineering attacks: tests knowledge of common social engineering attacks using email, voice, SMS and other media.
  • Physical attacks: tests knowledge of physical attacks, such as tailgating and dumpster diving.
  • Impersonation: candidates should be familiar with techniques for impersonation in social engineering.
  • Tools: tests familiarity with social engineering tools such as the Browser Exploitation Framework (BeEF) and Social-Engineer Toolkit (SET).
  • Methods of influence: tests knowledge of the six methods of influence used in social engineering.

Given a scenario, perform post-exploitation techniques

After gaining access to an environment, a pentester leverages that access to work toward their eventual goals. In this section, knowledge of the following topics is tested:

  • Post-exploitation tools: covers post-exploitation tools such as Empire, Mimikatz and BloodHound.
  • Lateral movement: tests knowledge of techniques for lateral movement through a target network, such as passing the hash.
  • Network segmentation testing: discusses methods for testing if a target network is properly segmented to prevent lateral movement.
  • Privilege escalation: tests familiarity with techniques for horizontal and vertical privilege escalation.
  • Upgrading a restricted shell: tests the ability to upgrade a restrictive shell on a compromised system.
  • Persistence: discusses methods for creating a foothold on a compromised system, including trojans, backdoors, daemons, and scheduled tasks.
  • Detection avoidance: evaluates the ability to avoid detection via covert channels, steganography, and other techniques.
  • Enumeration: tests knowledge of techniques for enumerating users, groups, forests, sensitive data, and unencrypted files once inside a target network.

For more information on the PenTest+ exam, see the full CompTIA PenTest+ (PT0-002) exam objectives.



Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
