CompTIA Pentest+ Certification For Dummies
Book image
Explore Book Buy On Amazon
Welcome to the CompTIA PenTest+ Certification For Dummies online cheat sheet! Here, you'll find quick facts to remember on test day to help you answer questions found on the CompTIA PenTest+ certification exam. It includes some of the major concepts you need to know for the exam such as the phases of the penetration testing process, OSINT tools, exploitation tools, wireless cracking tools, Nmap command-line switches, and parts of the penetration test report.

penetration testing © Den Rise /

CompTIA PenTest+ penetration testing phases

You are expected to know and understand the different phases of the penetration testing process for the CompTIA PenTest+ certification exam. The following table outlines the key tasks performed during each phase.

Phase Tasks
1. Planning and scoping Define scope of test (types, IPs, internal, external)

Define rules of engagement

Written statement of work

Written authorization from a signing authority

2. Information gathering and vulnerability identification Passive reconnaissance + OSINT

Active reconnaissance (port scan, OS fingerprinting)

Vulnerability scan + analysis

3. Attack and exploit Social engineering

Exploit systems and network

Password cracking

Physical security

4. Reporting and communicating results Identify communication triggers

Create and deliver written report

Secure report

Post-engagement activities (cleanup, client acceptance)


Open-source intelligence (OSINT) tools

The PenTest+ certification exam will test your knowledge on the open-source intelligence (OSINT) tools used during the information gathering phase. Following, are some key OSINT tools and points to remember:

  • theHarvester: A tool you can use to perform passive information gathering to collect information such as employee names, email addresses, and subdomains. It can also discover hosts owned by an organization. You can use theHarvester to collect public information from Google, LinkedIn, Twitter, and Bing.
  • Shodan: A search engine that collects information on about a company’s systems connected to the Internet such as its servers and Internet of things (IoT) devices. When you perform a search in Shodan, you get a list of the target company’s publicly available servers and devices, along with the IP address, the services running, and the ports that are open on that system. You can also get a list of vulnerabilities for that system. A map view provides the physical location of those servers as well.
  • Maltego: OSINT software that shows a graphical representation of relationships between people, groups, web pages, and domains by analyzing online resources such as Facebook, Twitter, DNS, and Whois information. For example, you could create a graphic and add a website address to the graphic, then use Maltego to search for additional information such as Whois information, phone numbers, location information, and email addresses associated with that website.
  • Recon-ng: An OSINT tool built into Kali Linux that allows you to retrieve information such as contact names, email addresses, DNS information, and IP address information. Recon-ng uses the module concept similar to the Metasploit Framework, which is a modular penetration testing platform based on Ruby.
  • Censys: Censys is a browser-based search engine that identifies hosts on the Internet for a particular organization. In addition to identifying the hosts, Censys will also identify the services and ports that are open on those systems.
  • FOCA: Fingerprinting Organizations with Collected Archives (FOCA) is a tool used to scan documents to collect metadata that is typically hidden from the user. Some examples of document types that can be scanned by FOCA to extract metadata are Microsoft Office files, Open Office files, and PDF files.

Nmap command-line parameters

You are expected to be familiar with Nmap and some of the different Nmap switches for the CompTIA PenTest+ certification exam. Following, are the Nmap switches to be familiar with:

  • -sP: Used to do a ping sweep with Nmap and not do a port scan.
  • -sn: Also used to do a ping sweep with Nmap and not do a port scan.
  • -sS: Used to perform a SYN scan that does not establish a full connection with the port.
  • -sT: Used to perform a TCP connect scan.
  • -p: Used to specify the ports to be scanned.
  • -sV: Used to return the version of the software a port is associated with.
  • -O: Used to perform an operating system (OS) fingerprint to identify the OS of a system.
  • -Pn: Used to disable pings.
  • -T0: A paranoid scan used to try to avoid an intrusion detection system (IDS) by increasing the time between scan packets delivered. This is the slowest of scans.
  • -T4: An aggressive scan that increases the speed of the scan and assumes you have the bandwidth to do so. Use this scan if you are not worried about detection.

Common penetration testing tools

You are sure to get a few questions on the CompTIA PenTest+ certification exam that tests your knowledge of the different tools used by a penetration tester during a pentest. Following are a few examples of tools you should be familiar with before taking the PenTest+ certification exam:

  • Nmap: Used to perform a port scan on target systems to discover running services on the target.
  • Nikto: A web application vulnerability scanner used to identify vulnerabilities in a web application.
  • w3af: A web application attack and audit framework used to assess the security of a web application. Used to assess the security of a web application.
  • Nessus and OpenVAS: Nessus and OpenVAS are vulnerability scanners used to identify weaknesses in a system. Nessus is a commercial product that does have a free edition with some limitations, while OpenVAS is an open-source vulnerability scanner.
  • Hashcat, Medusa, and Hydra: Password-cracking tools used to crack password hashes. Medusa and Hydra can encapsulate the password attack into different protocols such as HTTP, FTP, MSSQL, POP3, RDP, and SSH.
  • John the Ripper: A common password cracking tool used to crack password hashes; also known as “John.”
  • Mimikatz: A post-exploitation tool used to steal the passwords off a Windows system after the system has been exploited.
  • Burp Suite: a web proxy tool that acts as a man-in-the-middle attack between the web browser and the web server. Burp Suite is used to assess the security of a web application.
  • SET and BeEF: The Social Engineering Toolkit (SET) is used to perform social engineering attacks via a user-friendly menu used to create the attacks. With SET you can perform spear-phishing attacks, a mass-mailer attack, an SMS–spoofing attack, and many more. The Browser Exploitation Framework (BeEF) is a tool that comes with Kali Linux that you can use in a social engineering attack to exploit someone’s web browser and gain full access to that user’s system when he or she accesses a malicious webpage set up by BeEF.
  • Netcat: Used to set up a listening port on a system that you can then connect to in order to gain access to the system. You can use Netcat to set up and connect to a bind shell or a reverse bind shell.

Wireless cracking tools

Knowing the different wireless penetration testing tools is important when performing a penetration test and critical to passing the PenTest+ certification exam. Following, is a summary of the critical wireless cracking tools to be familiar with:


Aircrack-ng is a suite of tools available on Kali Linux that allows you to exploit wireless networks. Following is a quick review of the tools that come with the Aircrack-ng suite:

  • Aircrack-ng: Used to crack encryption keys for WEP, WPA, and WPA2.
  • Airmon-ng: Used to place the wireless network card in monitor mode.
  • Aireplay-ng: Used to perform packet injection.
  • Airodump-ng: Used to capture wireless traffic.
  • Airbase-ng: Used to create a fake access point for a man-in-the-middle attack.


Kismet is a wireless network scanner that can be used to detect wireless networks and clients that are connected to the wireless networks. With Kismet you can see a number of details about the wireless network such as the SSID, channel, and MAC address of the wireless access point. You can also see the MAC addresses of clients connected and the number of packets being sent by the clients.


Wifite is an automated wireless testing tool that comes with Kali Linux. The big benefit of Wifite is that it automates a number of the wireless tools you can manually use yourself to crack WEP, WPA, or WPA2, and perform a WPS attack.


Reaver is a command-line tool in Kali Linux that allows you to perform a brute-force attack on the WPS pin of a wireless access point.

Meterpreter commands

You can use Metasploit to exploit a system and gain a Meterpreter session with the compromised system. Once you obtain the Meterpreter session, you can use any number of Meterpreter commands to perform post-exploitation tasks.

Following, are some common Meterpreter commands that can be used after obtaining a Meterpreter session:

  • sysinfo: Displays system information such as the computer name of the system you exploited.
  • getuid: Displays the user account you are connected to.
  • getpid: Displays the process you are connected to.
  • run winenum: Displays information about the system such as the IP settings, the ARP cache, and user accounts on the system.
  • hashdump: Retrieves a list of password hashes from the system. You can then use a password-cracking tool to crack the password hashes or use the password hash in a pass-the-hash attack. Note that hashdump does fail from time to time so you can use the run post/windows/gather/hashdump command instead.
  • migrate <process_id>: Jumps to a different process that is more reliable.
  • run vnc: Connects to the remote system with virtual network computing (VNC) and monitors the activity of the user on the target system.
  • webcam_list: Gets a list of webcams on the target system.
  • webcam_stream: Activates the webcam on the target system and views a live video stream from the eye of the target system’s webcam.

Parts of the penetration testing report

As you perform a penetration test, you should be documenting your actions and taking screenshots so that you can create a penetration test report that outlines your findings. You will be tested on your knowledge of the different sections of a pentest report on the PenTest+ certification exam. Following, are the different parts of a pentest report:

  • Title page and table of contents: The title page should contain a title for the report and the name of the company or person who performed the pentest and authored the report. The title page should also show a version number and date for the report. After the title page, the report should include a table of contents that specifies the page references for each of the other parts of the report.
  • Executive summary: The executive summary is a summary of the pentest for upper-level management or the executive team. It is typically written after the rest of the report has been written. The executive summary contains key information regarding the pentest that you would like to communicate to the executive team, such as the methodology used, the key tasks performed, and a high-level overview of your findings and recommendations.
  • Methodology: The methodology section of the report outlines the types of testing performed during the penetration test, the steps taken during each phase, and how the attacks were carried out.
  • Findings and remediation: The findings and remediation section of the report is used to discuss the security issues found and the remediation steps to take to fix each security issue. Each security issue should include a paragraph or two describing the security issue and a paragraph describing the remediation steps.
  • Conclusion: The conclusion is the last section in the report and should summarize the results as well as identify any parts of a typical penetration test that were not included in the assessment that the company may want to do in the future.

About This Article

This article is from the book:

About the book author:

Glen E. Clarke, A+, Network+, Security+, is an independent trainer and consultant. Ed Tetz, A+, MCSE, MCT, has written several guides to MCSE and other certifications. Timothy Warner, MCSE, MCT, A+, is an IT professional, technical trainer, and author.

This article can be found in the category: