ISBN-13: 9781119823810 / English / Paperback / 2021 / 576 pages
Introduction xxv
Assessment Test xxxix

Chapter 1 Penetration Testing 1
    What Is Penetration Testing? 2
    Cybersecurity Goals 2
    Adopting the Hacker Mindset 4
    Ethical Hacking 5
    Reasons for Penetration Testing 5
    Benefits of Penetration Testing 6
    Regulatory Requirements for Penetration Testing 7
    Who Performs Penetration Tests? 8
    Internal Penetration Testing Teams 8
    External Penetration Testing Teams 9
    Selecting Penetration Testing Teams 10
    The CompTIA Penetration Testing Process 10
    Planning and Scoping 11
    Information Gathering and Vulnerability Scanning 11
    Attacks and Exploits 12
    Reporting and Communication 13
    Tools and Code Analysis 13
    The Cyber Kill Chain 14
    Reconnaissance 15
    Weaponization 16
    Delivery 16
    Exploitation 16
    Installation 16
    Command and Control 16
    Actions on Objectives 17
    Tools of the Trade 17
    Reconnaissance 20
    Vulnerability Scanners 21
    Social Engineering 21
    Credential Testing Tools 22
    Debuggers and Software Testing Tools 22
    Network Testing 23
    Remote Access 23
    Exploitation 24
    Steganography 24
    Cloud Tools 25
    Summary 25
    Exam Essentials 25
    Lab Exercises 26
    Activity 1.1: Adopting the Hacker Mindset 26
    Activity 1.2: Using the Cyber Kill Chain 26
    Review Questions 27

Chapter 2 Planning and Scoping Penetration Tests 31
    Scoping and Planning Engagements 34
    Assessment Types 35
    Known Environments and Unknown Environments 35
    The Rules of Engagement 37
    Scoping Considerations--A Deeper Dive 39
    Support Resources for Penetration Tests 42
    Penetration Testing Standards and Methodologies 44
    Key Legal Concepts for Penetration Tests 46
    Contracts 46
    Data Ownership and Retention 47
    Permission to Attack (Authorization) 47
    Environmental Differences and Location Restrictions 48
    Regulatory Compliance Considerations 49
    Summary 51
    Exam Essentials 52
    Lab Exercises 53
    Review Questions 54

Chapter 3 Information Gathering 59
    Footprinting and Enumeration 63
    OSINT 64
    Location and Organizational Data 65
    Infrastructure and Networks 68
    Security Search Engines 74
    Google Dorks and Search Engine Techniques 77
    Password Dumps and Other Breach Data 77
    Source Code Repositories 78
    Passive Enumeration and Cloud Services 78
    Active Reconnaissance and Enumeration 78
    Hosts 79
    Services 79
    Networks, Topologies, and Network Traffic 85
    Packet Crafting and Inspection 88
    Enumeration 90
    Information Gathering and Code 97
    Avoiding Detection 99
    Information Gathering and Defenses 99
    Defenses Against Active Reconnaissance 100
    Preventing Passive Information Gathering 100
    Summary 100
    Exam Essentials 101
    Lab Exercises 102
    Activity 3.1: Manual OSINT Gathering 102
    Activity 3.2: Exploring Shodan 102
    Activity 3.3: Running an Nmap Scan 103
    Review Questions 104

Chapter 4 Vulnerability Scanning 109
    Identifying Vulnerability Management Requirements 112
    Regulatory Environment 112
    Corporate Policy 116
    Support for Penetration Testing 116
    Identifying Scan Targets 117
    Determining Scan Frequency 118
    Active vs. Passive Scanning 120
    Configuring and Executing Vulnerability Scans 121
    Scoping Vulnerability Scans 121
    Configuring Vulnerability Scans 122
    Scanner Maintenance 129
    Software Security Testing 131
    Analyzing and Testing Code 131
    Web Application Vulnerability Scanning 133
    Developing a Remediation Workflow 138
    Prioritizing Remediation 140
    Testing and Implementing Fixes 141
    Overcoming Barriers to Vulnerability Scanning 141
    Summary 143
    Exam Essentials 143
    Lab Exercises 144
    Activity 4.1: Installing a Vulnerability Scanner 144
    Activity 4.2: Running a Vulnerability Scan 145
    Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan 145
    Review Questions 146

Chapter 5 Analyzing Vulnerability Scans 151
    Reviewing and Interpreting Scan Reports 152
    Understanding CVSS 156
    Validating Scan Results 162
    False Positives 162
    Documented Exceptions 162
    Understanding Informational Results 163
    Reconciling Scan Results with Other Data Sources 164
    Trend Analysis 164
    Common Vulnerabilities 165
    Server and Endpoint Vulnerabilities 166
    Network Vulnerabilities 175
    Virtualization Vulnerabilities 181
    Internet of Things (IoT) 183
    Web Application Vulnerabilities 184
    Summary 186
    Exam Essentials 187
    Lab Exercises 188
    Activity 5.1: Interpreting a Vulnerability Scan 188
    Activity 5.2: Analyzing a CVSS Vector 188
    Activity 5.3: Developing a Penetration Testing Plan 189
    Review Questions 190

Chapter 6 Exploiting and Pivoting 195
    Exploits and Attacks 198
    Choosing Targets 198
    Enumeration 199
    Identifying the Right Exploit 201
    Exploit Resources 204
    Exploitation Toolkits 206
    Metasploit 206
    PowerSploit 212
    BloodHound 213
    Exploit Specifics 213
    RPC/DCOM 213
    PsExec 214
    PS Remoting/WinRM 214
    WMI 214
    Fileless Malware and Living Off the Land 215
    Scheduled Tasks and cron Jobs 216
    SMB 217
    DNS 219
    RDP 220
    Apple Remote Desktop 220
    VNC 220
    SSH 220
    Network Segmentation Testing and Exploits 221
    Leaked Keys 222
    Leveraging Exploits 222
    Common Post-Exploit Attacks 222
    Cross Compiling 225
    Privilege Escalation 226
    Social Engineering 226
    Escaping and Upgrading Limited Shells 227
    Persistence and Evasion 228
    Scheduled Jobs and Scheduled Tasks 228
    Inetd Modification 228
    Daemons and Services 229
    Backdoors and Trojans 229
    Data Exfiltration and Covert Channels 230
    New Users 230
    Pivoting 231
    Covering Your Tracks 232
    Summary 233
    Exam Essentials 234
    Lab Exercises 235
    Activity 6.1: Exploit 235
    Activity 6.2: Discovery 235
    Activity 6.3: Pivot 236
    Review Questions 237

Chapter 7 Exploiting Network Vulnerabilities 243
    Identifying Exploits 247
    Conducting Network Exploits 247
    VLAN Hopping 247
    DNS Cache Poisoning 249
    On-Path Attacks 251
    NAC Bypass 254
    DoS Attacks and Stress Testing 255
    Exploit Chaining 257
    Exploiting Windows Services 257
    NetBIOS Name Resolution Exploits 257
    SMB Exploits 261
    Identifying and Exploiting Common Services 261
    Identifying and Attacking Service Targets 262
    SNMP Exploits 263
    SMTP Exploits 264
    FTP Exploits 265
    Kerberoasting 266
    Samba Exploits 267
    Password Attacks 268
    Stress Testing for Availability 269
    Wireless Exploits 269
    Attack Methods 269
    Finding Targets 270
    Attacking Captive Portals 270
    Eavesdropping, Evil Twins, and Wireless On-Path Attacks 271
    Other Wireless Protocols and Systems 275
    RFID Cloning 276
    Jamming 277
    Repeating 277
    Summary 278
    Exam Essentials 279
    Lab Exercises 279
    Activity 7.1: Capturing Hashes 279
    Activity 7.2: Brute-Forcing Services 280
    Activity 7.3: Wireless Testing 281
    Review Questions 282

Chapter 8 Exploiting Physical and Social Vulnerabilities 287
    Physical Facility Penetration Testing 290
    Entering Facilities 290
    Information Gathering 294
    Social Engineering 294
    In-Person Social Engineering 295
    Phishing Attacks 297
    Website-Based Attacks 298
    Using Social Engineering Tools 298
    Summary 302
    Exam Essentials 303
    Lab Exercises 303
    Activity 8.1: Designing a Physical Penetration Test 303
    Activity 8.2: Brute-Forcing Services 304
    Activity 8.3: Using BeEF 305
    Review Questions 306

Chapter 9 Exploiting Application Vulnerabilities 311
    Exploiting Injection Vulnerabilities 314
    Input Validation 314
    Web Application Firewalls 315
    SQL Injection Attacks 316
    Code Injection Attacks 319
    Command Injection Attacks 319
    LDAP Injection Attacks 320
    Exploiting Authentication Vulnerabilities 320
    Password Authentication 321
    Session Attacks 322
    Kerberos Exploits 326
    Exploiting Authorization Vulnerabilities 327
    Insecure Direct Object References 327
    Directory Traversal 328
    File Inclusion 330
    Privilege Escalation 331
    Exploiting Web Application Vulnerabilities 331
    Cross-Site Scripting (XSS) 331
    Request Forgery 334
    Clickjacking 335
    Unsecure Coding Practices 335
    Source Code Comments 335
    Error Handling 336
    Hard-Coded Credentials 336
    Race Conditions 337
    Unprotected APIs 337
    Unsigned Code 338
    Steganography 340
    Application Testing Tools 341
    Static Application Security Testing (SAST) 341
    Dynamic Application Security Testing (DAST) 342
    Mobile Tools 346
    Summary 346
    Exam Essentials 347
    Lab Exercises 347
    Activity 9.1: Application Security Testing Techniques 347
    Activity 9.2: Using the ZAP Proxy 348
    Activity 9.3: Creating a Cross-Site Scripting Vulnerability 348
    Review Questions 349

Chapter 10 Attacking Hosts, Cloud Technologies, and Specialized Systems 355
    Attacking Hosts 360
    Linux 361
    Windows 365
    Cross-Platform Exploits 367
    Credential Attacks and Testing Tools 368
    Credential Acquisition 368
    Offline Password Cracking 369
    Credential Testing and Brute-Forcing Tools 371
    Wordlists and Dictionaries 371
    Remote Access 372
    SSH 372
    NETCAT and Ncat 373
    Metasploit and Remote Access 373
    Proxies and Proxychains 374
    Attacking Virtual Machines and Containers 374
    Virtual Machine Attacks 375
    Containerization Attacks 377
    Attacking Cloud Technologies 379
    Attacking Cloud Accounts 379
    Attacking and Using Misconfigured Cloud Assets 380
    Other Cloud Attacks 382
    Tools for Cloud Technology Attacks 383
    Attacking Mobile Devices 384
    Attacking IoT, ICS, Embedded Systems, and SCADA Devices 389
    Attacking Data Storage 392
    Summary 393
    Exam Essentials 395
    Lab Exercises 396
    Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials 396
    Activity 10.2: Cracking Passwords Using Hashcat 397
    Activity 10.3: Setting Up a Reverse Shell and a Bind Shell 398
    Review Questions 400

Chapter 11 Reporting and Communication 405
    The Importance of Communication 409
    Defining a Communication Path 409
    Communication Triggers 410
    Goal Reprioritization 410
    Recommending Mitigation Strategies 411
    Finding: Shared Local Administrator Credentials 412
    Finding: Weak Password Complexity 413
    Finding: Plaintext Passwords 414
    Finding: No Multifactor Authentication 414
    Finding: SQL Injection 416
    Finding: Unnecessary Open Services 416
    Writing a Penetration Testing Report 416
    Structuring the Written Report 417
    Secure Handling and Disposition of Reports 420
    Wrapping Up the Engagement 421
    Post-Engagement Cleanup 421
    Client Acceptance 421
    Lessons Learned 421
    Follow-Up Actions/Retesting 422
    Attestation of Findings 422
    Retention and Destruction of Data 422
    Summary 423
    Exam Essentials 423
    Lab Exercises 424
    Activity 11.1: Remediation Strategies 424
    Activity 11.2: Report Writing 424
    Review Questions 425

Chapter 12 Scripting for Penetration Testing 429
    Scripting and Penetration Testing 431
    Bash 432
    PowerShell 433
    Ruby 434
    Python 435
    Perl 435
    JavaScript 436
    Variables, Arrays, and Substitutions 438
    Bash 439
    PowerShell 440
    Ruby 441
    Python 441
    Perl 442
    JavaScript 442
    Comparison Operations 444
    String Operations 445
    Bash 446
    PowerShell 447
    Ruby 448
    Python 449
    Perl 450
    JavaScript 451
    Flow Control 452
    Conditional Execution 453
    for Loops 458
    while Loops 465
    Input and Output (I/O) 471
    Redirecting Standard Input and Output 471
    Comma-Separated Values (CSV) 472
    Error Handling 472
    Bash 472
    PowerShell 473
    Ruby 473
    Python 473
    Advanced Data Structures 474
    JavaScript Object Notation (JSON) 474
    Trees 475
    Reusing Code 475
    The Role of Coding in Penetration Testing 476
    Analyzing Exploit Code 476
    Automating Penetration Tests 477
    Summary 477
    Exam Essentials 477
    Lab Exercises 478
    Activity 12.1: Reverse DNS Lookups 478
    Activity 12.2: Nmap Scan 479
    Review Questions 480

Appendix A Answers to Review Questions 485
    Chapter 1: Penetration Testing 486
    Chapter 2: Planning and Scoping Penetration Tests 487
    Chapter 3: Information Gathering 489
    Chapter 4: Vulnerability Scanning 491
    Chapter 5: Analyzing Vulnerability Scans 493
    Chapter 6: Exploiting and Pivoting 495
    Chapter 7: Exploiting Network Vulnerabilities 497
    Chapter 8: Exploiting Physical and Social Vulnerabilities 499
    Chapter 9: Exploiting Application Vulnerabilities 501
    Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems 503
    Chapter 11: Reporting and Communication 505
    Chapter 12: Scripting for Penetration Testing 506

Appendix B Solution to Lab Exercise 509
    Solution to Activity 5.2: Analyzing a CVSS Vector 510

Index 511
MIKE CHAPPLE, Security+, CySA+, CISSP, is Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame. He's a cybersecurity professional and educator with over 20 years of experience. Mike provides cybersecurity certification resources at his website, CertMike.com.

DAVID SEIDL, Security+, CySA+, CISSP, PenTest+, is Vice President for Information Technology and CIO at Miami University. David co-led Notre Dame's move to the cloud and has written multiple cybersecurity certification books.