Graphic designed and created by Brendon Clarke.
FIGURE 1-2: The CompTIA penetration testing process.
Reviewing Key Concepts
This chapter highlights a number of concepts and terminology related to penetration testing that you should be familiar with when preparing for the CompTIA PenTest+ certification exam. Following is a quick review of some of the key points to remember from this chapter:
Two reasons to conduct a penetration test are to better secure company assets and to comply with regulations governing your organization.
You can have a penetration test performed by internal staff or by an external third party. If internal staff are used, be sure those conducting the penetration test are not members of the team responsible for managing or configuring the systems being tested.
You should perform a penetration test annually and be sure to test external and internal assets.
You can follow several different strategies when performing a penetration test. You can do a black box test, in which the pentester is given no information about the target environment. You can do a white box test, in which the pentester is given all of the information about the environment being tested. Or you can do a gray box test, in which limited information is given to the pentester to ensure the test is focused and timely.
A threat actor is someone or something that may perform an attack on your systems or environment.
The four phases of the CompTIA penetration testing process are planning and scoping, information gathering and vulnerability identification, attacks and exploits, and reporting and communication.
Prep Test
1. Bob is using nmap to discover ports that are open on the systems. What form of information gathering is Bob performing?
(A) Vulnerability identification
(B) Active information gathering
(C) Vulnerability scanning
(D) Passive information gathering
2. What type of penetration test involves the tester being given no information about the target environment?
(A) Black box
(B) White box
(C) Gray box
(D) Red box
3. What type of reconnaissance involves the tester querying the DNS to discover the DNS names and IP addresses used by the customer?
(A) Vulnerability identification
(B) Active information gathering
(C) Vulnerability scanning
(D) Passive information gathering
4. Which of the following represents a reason to perform a penetration test annually?
(A) Cost
(B) Time
(C) Compliance
(D) Know-how
5. Lisa performed a penetration test on your organization and is creating the report. What should Lisa be sure to communicate within the report?
(A) How good she is at hacking
(B) Remediation steps
(C) Signed authorization
(D) Resources used
6. Which of the following is critical to perform during the planning and scoping phase of the penetration test?
(A) Port scan
(B) Vulnerability scan
(C) Summary of remediation steps
(D) Obtain written authorization
7. What type of penetration test involves giving the tester only the IP addresses of the servers that you wish to be tested?
(A) Black box
(B) White box
(C) Gray box
(D) Red box
8. What is the third phase of the CompTIA penetration testing process?
(A) Attacks and exploits
(B) Reporting and communication
(C) Planning and scoping
(D) Information gathering and vulnerability identification
9. What threat actor has limited knowledge of the attacks being performed and typically just runs prebuilt tools to perform the attack?
(A) APT
(B) Script kiddie
(C) Hacktivist
(D) Insider threat
10. You are part of the team within your organization that performs the attacks during the penetration test. What is the name for your team?
(A) Blue team
(B) Black team
(C) White team
(D) Red team
Answers
1 B. Bob is performing active reconnaissance, or active information gathering, when he uses a port scanner to discover ports that are open on a system. See “Information gathering and vulnerability identification.”
2 A. A black box test is when the pentester is given no knowledge of the environment being tested. Review “Pentest strategies.”
3 D. Passive reconnaissance, or passive information gathering, is when the pentester uses public Internet resources to discover information about his or her target. Check out “Information gathering and vulnerability identification.”
4 C. Organizations may be governed by regulations that force a company to perform penetration tests on a regular basis in order to be compliant. Peruse “Reasons for a pentest.”
5 B. The purpose of the penetration test is to improve the security of the organization. Therefore, it is critical that the report contain remediation steps describing how to improve the security of vulnerable systems. Take a look at “Reporting and communication.”
6 D. It is imperative that you get written authorization to perform the penetration test before doing any testing. Also, be sure to get written authorization from an authorized party such as the business owner or an upper-level manager. It is not enough to get authorization from