Glen E. Clarke

Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its system. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network.

The second category of pentesting tools that appears in the CompTIA PenTest+ objectives is credential testing tools. Credential testing tools help you crack passwords for user accounts on a system. There are a number of password cracking tools out there, but these are the tools the PenTest+ exam wants you to be familiar with.

Active information gathering for a pentest involves polling the target systems to find out about the systems that are up and running, the ports that are open, and the software being used. This involves communicating with the systems and potentially being detected. For the PenTest+ certification exam, remember the difference between active and passive information gathering.

The first category of tools that appears in the CompTIA PenTest+ objectives is scanners. A number of different types of scanners exist—some scanners will scan for open ports, while other scanners are designed to find vulnerabilities within a system. Nmap Nmap is a common network scanner used by pentesters to locate systems on the network and determine the ports that are open on those systems.

When you are conducting a penetration test, it is important to take a methodological approach to information gathering and divide the task up into two parts: passive information gathering and active information gathering. Passive information gathering should come first. It involves collecting public information from the internet about the company being assessed — without invoking any kind of communication with the target systems.

Take a look at some penetration testing terminology you need to be familiar with for the CompTIA PenTest+ certification exam. Types of assessments The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments: Goals-based/objectives-based: This type of assessment is focused on a specific purpose.

For the PenTest+ certification exam, you are expected to have an understanding of the basics of pentest report writing, including familiarity with the different sections of the report, what goes into the report, and how to securely store and transmit the report.At the completion of a pentest, the pentest report is a valuable asset for a business.

Social engineering from a security standpoint refers to the deliberate use of deception to try to trick a user into compromising system security through social contact such as an email message, a text message, or a phone call. Social engineering attacks are a common way to test the effectiveness of a company’s security education program.