CompTIA Pentest+ Certification For Dummies. Glen E. Clarke

Publisher: John Wiley & Sons Limited

Genre: Educational literature

isbn: 9781119867296

Nikto is an example of a web application vulnerability scanner. See Chapter 9.

      12 D. Hashcat is a command-line tool in Kali Linux that can be used to crack the password hash. See Chapter 9.

      13 C. Hydra is a tool used to crack passwords and can be used to crack passwords of a remote system using protocols such as RDP. See Chapter 9.

      14 B. You can tell that the script was created in Python because of the comparison operator being used (==). PowerShell and Bash use -eq as the comparison operator. Also notice the use of the print statement (instead of echo) and the fact variables do not use $ in front of them. See Chapter 10.

      15 D. If you notice evidence that a system has been hacked into already, you should halt the penetration test and discuss the finding with the stakeholders right away. See Chapter 11.

      Planning and Information Gathering

      Learn the basics of penetration testing and penetration testing terminology.

      Explore the four major phases to CompTIA’s penetration testing process: planning and scoping; information gathering and vulnerability identification; attacks and exploits; and reporting and communication.

      Understand the importance of planning for the penetration test and how not planning properly can result in crashing the customer’s systems or network, triggering intrusion detection systems, and creating legal problems.

      Learn how to scope the project, identify rules of engagement, define targets, and handle scope creep.

      Discover the tools you can use to uncover information about the organization or company for which you are conducting a pentest, such as email addresses and phone numbers of employees, public IP addresses, target systems, and open ports.

      Find out the difference between passive and active information gathering.

      Learn how to perform vulnerability scans to identify the weaknesses that exist within your target systems and how to exploit them.

      Introduction to Penetration Testing

      EXAM OBJECTIVES

      Understanding penetration testing

      Knowing penetration testing terminology

      Being familiar with CompTIA’s penetration testing phases

      The CompTIA PenTest+ certification exam is designed to test your knowledge of performing penetration tests either for third-party clients or for the company that employs you as a security professional. Although the fun part of penetration testing is diving in and trying to bypass the security controls put in place to help protect company assets, you have much work to do before that can happen. You have to make sure you take the time to prepare, which includes defining the goals and restrictions for the penetration test.

      In this chapter, you learn about the basics of penetration testing, starting with an overview of penetration testing and penetration testing terminology. You then learn the four major phases to CompTIA’s penetration testing process: planning and scoping; information gathering and vulnerability identification; attacks and exploits; and reporting and communication.

      From a company’s point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful.

      For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

      A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so that by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).

      Reasons for a pentest

      Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.

      Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” at www.pcisecuritystandards.org to learn more about PCI DSS compliance requirements.
