CompTIA PenTest+ Certification Exam Objectives Planning and Scoping 1.0 Flashcards

1
Q

What are rules of engagement when discussing penetration test?

A

Rules of engagement (RoE) is the document that defines how the pentest is to be conducted: what may be tested, when, by whom and how incidents are communicated.

This includes:

  • Type and scope of testing (targets, test windows, excluded systems and techniques)
  • Client contact details, including an escalation contact for emergencies
  • Client IT notifications (whether the SOC/IT staff are told in advance or the test is unannounced)
  • Sensitive data handling (may also be covered by the NDA)
  • Status meetings and reports
2
Q

What is a WSDL?

A

Web Services Description Language (WSDL)

WSDL is an XML-based interface description language used to describe the functionality offered by a web service (typically a SOAP service).

WSDL describes services as collections of network endpoints, or ports, each bound to a set of operations and their message formats.

The goal of a WSDL is to give service providers a simple way to describe the format of requests to their systems regardless of the underlying run-time implementation.

For a pentester, a WSDL is an inventory of the SOAP attack surface: every operation, the parameters it accepts and the endpoint URL it is served from.

3
Q

What is a WADL?

A

Web Application Description Language (WADL)

A WADL is a machine-readable XML description of HTTP-based web services.

WADL models the resources provided by a service and the relationships between them (resources nest, and a child resource inherits its parent's path and parameters).

WADL is intended to simplify the reuse of web services that are based on the existing HTTP architecture of the web.

Often used with Representational State Transfer (REST) web services.

It is platform and language independent and aims to promote reuse of applications beyond basic use in a web browser.

This is often used to integrate a complex enterprise system with several other complex enterprise systems maintained by several companies.

4
Q

What is a SOAP File?

A

Simple Object Access Protocol (SOAP)

A messaging protocol and API standard that relies on XML and related schemas; the structure of the messages is governed by XSD documents.

SOAP projects (in tools such as SoapUI) can be created from a WSDL file or from a single service call.

These projects can be used to test every aspect of a SOAP service, verify that the service supports commonly used standards, and create functional and load tests.
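Added example for the WSDL and SOAP cards above (this is example code written for this page, not code from the page, from CompTIA or from any tool the cards mention): it parses a constructed, fictional WSDL for an "AccountService" at api.example.test, lists each operation with its endpoint, SOAPAction and input parameters, and builds an RPC-style SOAP 1.1 envelope that can be replayed through a proxy. Service name, namespace, operations and URL are all assumptions made up for the example.

```python
"""Enumerate a SOAP attack surface from a WSDL and build a request envelope.

Added example, standard library only. The WSDL below is constructed for this
example (fictional AccountService at api.example.test), not a real service.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="AccountService" targetNamespace="http://example.test/account"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.test/account">
  <message name="GetBalanceRequest"><part name="accountId" type="xsd:string"/></message>
  <message name="GetBalanceResponse"><part name="balance" type="xsd:decimal"/></message>
  <message name="TransferRequest">
    <part name="fromId" type="xsd:string"/><part name="toId" type="xsd:string"/>
    <part name="amount" type="xsd:decimal"/>
  </message>
  <message name="TransferResponse"><part name="ok" type="xsd:boolean"/></message>
  <portType name="AccountPortType">
    <operation name="GetBalance">
      <input message="tns:GetBalanceRequest"/><output message="tns:GetBalanceResponse"/>
    </operation>
    <operation name="Transfer">
      <input message="tns:TransferRequest"/><output message="tns:TransferResponse"/>
    </operation>
  </portType>
  <binding name="AccountBinding" type="tns:AccountPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="tns:AccountBinding">
      <soap:address location="https://api.example.test/soap/account"/>
    </port>
  </service>
</definitions>
"""


def _local(qname):
    """Strip a namespace prefix such as 'tns:' from a QName attribute value."""
    return qname.split(":", 1)[-1]


def parse_wsdl(text):
    """Return {operation: {"endpoint", "soapAction", "params"}} for every port."""
    root = ET.fromstring(text)
    # message name -> ordered list of part (parameter) names
    messages = {m.get("name"): [p.get("name") for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    # portType name -> {operation: input parameter names}
    port_types = {}
    for pt in root.findall("wsdl:portType", NS):
        ops = {}
        for op in pt.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            ops[op.get("name")] = messages.get(_local(inp.get("message")), []) if inp is not None else []
        port_types[pt.get("name")] = ops
    # binding name -> (portType name, {operation: SOAPAction})
    bindings = {}
    for b in root.findall("wsdl:binding", NS):
        actions = {}
        for op in b.findall("wsdl:operation", NS):
            sop = op.find("soap:operation", NS)
            actions[op.get("name")] = sop.get("soapAction", "") if sop is not None else ""
        bindings[b.get("name")] = (_local(b.get("type")), actions)
    surface = {}
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            pt_name, actions = bindings[_local(port.get("binding"))]
            for op_name, params in port_types[pt_name].items():
                surface[op_name] = {"endpoint": addr.get("location") if addr is not None else None,
                                    "soapAction": actions.get(op_name, ""), "params": params}
    return surface


def build_envelope(target_ns, operation, params):
    """RPC-style SOAP 1.1 envelope; values are XML-escaped so they cannot break the body."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return ('<?xml version="1.0"?>'
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><ns:{operation} xmlns:ns="{target_ns}">{body}</ns:{operation}>'
            "</soapenv:Body></soapenv:Envelope>")


if __name__ == "__main__":
    for name, info in parse_wsdl(SAMPLE_WSDL).items():
        print(f"{name}: POST {info['endpoint']} SOAPAction={info['soapAction']} params={info['params']}")
    print(build_envelope("http://example.test/account", "Transfer", {"fromId": "A", "toId": "B", "amount": 1}))
```

The output of parse_wsdl is the checklist for the engagement: each operation becomes a request to send (with the SOAPAction header set) and each parameter a place to test for injection, authorization bypass and business-logic abuse (here, whether Transfer checks that fromId belongs to the caller).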

5
Q

What is a SDK document?

A

Software Development Kit (SDK)

An SDK is a collection of software development tools in one installable package.

It provides a set of tools, libraries, relevant documentation, code samples, processes and/or guides that allow developers to create software applications for a specific platform.

A pentester can use the SDK documentation to understand which objects, APIs and data formats an application uses and where, which helps when testing the applications and services built on that platform.

6
Q

What is a swagger document?

A

Swagger (now the OpenAPI Specification) is API documentation in a machine-readable format (JSON or YAML) rather than free-form prose.

It contains the instructions needed to use and integrate with an API effectively.

It is a concise reference containing all the information required to work with the API, with details about endpoints, operations, return types, arguments and more.

It specifies the list of resources (paths) that are available on the REST API and the operations (HTTP methods) that can be called on those resources.

It also specifies the list of parameters to an operation, including the name and type of each parameter, whether it is required or optional, information about acceptable values, and (in OpenAPI) which security scheme, if any, the operation requires.
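Added example for the WADL card and the Swagger/OpenAPI card (example code written for this page, not from the page, from CompTIA or from any real API): two small parsers that turn either description format into the same list of endpoint records, then pick out state-changing operations that declare no authentication, which are the first things to probe. Both documents are constructed for the example (a fictional user API at api.example.test); the paths, operation IDs and the bearerAuth scheme are assumptions.

```python
"""Enumerate REST endpoints from WADL or Swagger/OpenAPI descriptions.

Added example, standard library only. Both sample documents are constructed
for this example (a fictional user API at api.example.test), not real ones.
Each parser returns the same record shape so one test workflow can consume
either format.
"""
import json
import xml.etree.ElementTree as ET

WADL_NS = {"w": "http://wadl.dev.java.net/2009/02"}
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.test/v1/">
    <resource path="users/{id}">
      <param name="id" style="template" required="true"/>
      <method name="GET" id="getUser"/>
      <method name="DELETE" id="deleteUser"/>
      <resource path="reset-password">
        <method name="POST" id="resetPassword">
          <request><param name="token" style="query" required="false"/></request>
        </method>
      </resource>
    </resource>
  </resources>
</application>
"""

SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser", "security": [{"bearerAuth": []}]},
        },
        "/users/{id}/reset-password": {
            "post": {"operationId": "resetPassword",
                     "parameters": [{"name": "token", "in": "query", "required": False}]},
        },
    },
})


def _wadl_params(elem):
    return [{"name": p.get("name"), "in": p.get("style"), "required": p.get("required") == "true"}
            for p in elem.findall("w:param", WADL_NS)]


def parse_wadl(text):
    """Walk nested <resource> elements, joining paths and inheriting parameters.

    WADL has no way to declare authentication, so "auth" is always None here.
    """
    root = ET.fromstring(text)
    endpoints = []

    def walk(resource, base, inherited):
        path = base.rstrip("/") + "/" + resource.get("path", "").lstrip("/")
        params = inherited + _wadl_params(resource)
        for m in resource.findall("w:method", WADL_NS):
            req = m.find("w:request", WADL_NS)
            own = _wadl_params(req) if req is not None else []
            endpoints.append({"method": m.get("name").upper(), "url": path,
                              "params": params + own, "auth": None})
        for child in resource.findall("w:resource", WADL_NS):
            walk(child, path, params)

    for rs in root.findall("w:resources", WADL_NS):
        for r in rs.findall("w:resource", WADL_NS):
            walk(r, rs.get("base", ""), [])
    return endpoints


def _oa_param(p):
    return {"name": p["name"], "in": p["in"], "required": bool(p.get("required", False))}


def parse_openapi(text):
    """Flatten paths x methods; path-level parameters apply to every method."""
    doc = json.loads(text)
    base = (doc.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    endpoints = []
    for path, item in doc.get("paths", {}).items():
        shared = [_oa_param(p) for p in item.get("parameters", [])]
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # No "security" key on the operation means it inherits the document-level
            # default; an explicit "security": [] disables auth for that operation.
            auth = op.get("security", doc.get("security"))
            endpoints.append({"method": method.upper(), "url": base + path,
                              "params": shared + [_oa_param(p) for p in op.get("parameters", [])],
                              "auth": auth})
    return endpoints


def unauthenticated_mutations(endpoints):
    """State-changing operations with no declared auth: first targets to probe."""
    return [e for e in endpoints if e["method"] in MUTATING and not e["auth"]]


if __name__ == "__main__":
    for e in parse_wadl(SAMPLE_WADL) + parse_openapi(SAMPLE_OPENAPI):
        print(e["method"], e["url"], [p["name"] for p in e["params"]], e["auth"])
```

For the WADL input every mutating endpoint is flagged because the format cannot say whether auth is required; for the OpenAPI input only the POST to reset-password is flagged, since the DELETE declares bearerAuth. An operation that is "unauthenticated" in the spec still has to be confirmed against the live service, and one that declares a scheme still needs its authorization (not just authentication) tested.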

7
Q

What is an XSD?

A

XML Schema Definition (XSD)

This is a World Wide Web Consortium (W3C) recommendation that specifies how to formally describe the elements in an Extensible Markup Language (XML) document.

An XSD defines which elements and attributes may appear in an XML document, their data types, their order and how often they may occur, so that a document can be validated against it before its content is processed.

It may also be used for generating XML documents that can be treated as programming objects.

8
Q

What is an architectural diagram and how may it be used by pentesters?

A

This is a diagram of a system that abstracts the overall outline of the software system and the relationships, constraints and boundaries between its components.

It is an important tool as it provides an overall view of the physical deployment of the software system and its evolution roadmap.

This would be provided to pentesters in a known-environment (white-box) pentest.
It gives the pentester an overall view of the systems within an organization, each system's purpose and how they communicate, which makes it easier to spot trust boundaries and high-value paths to test.

9
Q

What is a SOW?

A

Statement of work

This is a key document that includes the scope, deliverables, price, completion date, location of work, payment schedule etc.

10
Q

What is a MSA?

A

Master Service Agreement

This is similar to an SOW but broader in scope.
It is a contract between two or more parties that establishes the terms and conditions governing all current and future engagements between them, rather than one project/test as an SOW does; individual SOWs are then issued under the MSA.

11
Q

What is a NDA?

A

Non-Disclosure Agreement

This is a legal framework used to protect sensitive and confidential information from being disclosed by the recipient of that information.

In pentests it binds the tester not to share findings, client data or details of the environment with anyone outside the engagement.

12
Q

What are export restrictions and how do they relate to pentesting?

A

Export restrictions are laws (in the US, for example, the EAR and ITAR) that prohibit the unlicensed export of controlled technology or information for reasons of national security or protection of trade.

Cryptographic software and some intrusion tooling are controlled items, so this must be confirmed when working with companies internationally or when tools and findings will cross borders.

13
Q

What is written authorization and why is it vital for penetration testing?

A

Written authorization is documented permission from the stakeholders who own the systems in scope; it is typically signed off by executives and the organization's legal department.

This is vital because the same activities without permission are illegal; only once written authorization is in hand should testing begin, and it should stay within the scope that authorization covers.

14
Q

What is third-party authorization and why does it matter?

A

This is when an organization that requests a penetration test uses third-party services and those third-party services are included in the scope of the pentest.

This primarily refers to cloud service providers, since the infrastructure is theirs: the provider's pentest policy must be checked and, where it requires it, notification given or approval obtained before testing starts. Providers also prohibit certain activities (such as denial of service) regardless of customer consent.

15
Q

What is a goal based assessment?

A

This is NOT a compliance-based assessment.

A goal-based pentest simulates real-world, covert, multi-phase attacks of the kind performed by actual persistent attackers, with a defined objective (for example, reach a specific database or obtain domain admin).

It is requested because the organization wants it, not because of compliance/government regulations.

Organizations use it to test their teams/controls on their ability to detect and respond to the attack, in order to identify weaknesses and the potential damage a real attack would cause.

16
Q

What is a compliance based penetration test?

A

These are assessments that are government/industry mandated, based on a compliance framework the organization operates under.

Examples of this would be:
PCI DSS - Payment Card Industry Data Security Standard (payment card data)

HIPAA - Health Insurance Portability and Accountability Act (health care)

FISMA - Federal Information Security Modernization Act (federal agencies and the contractors that operate their information systems)

17
Q

What is a premerger and why would a penetration test be utilized?

A

A pre-merger is the phase before two companies merge.

Often the acquiring organization will test the security controls of the organization being bought to make sure it is not also acquiring existing vulnerabilities or an already-compromised network.

18
Q

What is a supply chain penetration test?

A

This is testing the organizations (suppliers, vendors, service providers) that share a supply chain with yours.

The question it answers is: if one of those organizations is compromised, what data and access did they have that belonged to your organization?
It is done to make sure all bases are covered, since an attacker can reach you through a weaker partner.

19
Q

What is an internal pentest and why?

A

An internal pentest is an assessment of internal assets and/or the organization's employees.

It is used to see how far an attacker can move laterally through the network once an external breach (or an insider) has a foothold.

It also encompasses targeting employees with social engineering tactics.

Onsite: the pentesters perform the test from the organization's premises.

Offsite: the test is performed remotely, e.g. via VPN or a drop device.

20
Q

What is a physical pentest?

A

This would be testing physical perimeter security, intrusion alarms, motion detectors, locks, sensors, cameras, mantraps and other physical barriers to gain unauthorized physical access to sensitive areas

21
Q

What is a wireless pentest?

A

This would be identifying wireless networks (SSIDs), testing their authentication and encryption, and examining the connections between all devices connected to the business's Wi-Fi.

These devices include but are not limited to:
Laptops
Tablets
Smartphones
IoT devices

22
Q

What are some security exceptions and why do they matter in a pentest?

A

They matter because these controls can block pentesters from reaching in-scope targets.
If a firewall is blocking connections to an internal system that is in the scope of work, the pentesters typically will not be able to verify the configuration/vulnerabilities of that system, which hinders a proper pentest. The client should either add exceptions (for the tester's source IPs or accounts, for the duration of the engagement) or agree that the blocked coverage is noted in the report.

Some examples of security exceptions:
IPS/WAF allow lists
Network Access Control (NAC)
Certificate pinning (blocks an intercepting proxy unless a test build or bypass is provided)
Company policies
23
Q

What is certificate pinning?

A

This is when an application forces the client to validate the server's certificate (or its public key) against a known copy shipped with the application, instead of trusting any certificate that chains to a system root CA.

After pinning the server's certificate inside the app, the client still performs the normal validity checks (chain, expiry, hostname); the pin is an additional check, not a replacement.

Typically the server's public key (the SubjectPublicKeyInfo hash) is pinned rather than the whole certificate, so that the certificate can be renewed without breaking the pin.

For pentesters it is a security exception to plan for: a pinned app rejects an intercepting proxy's certificate, so the client must supply a build with pinning disabled or agree to a bypass on the test device.
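Added example for the certificate pinning card (example code written for this page, not from the page or from CompTIA): it pulls the SubjectPublicKeyInfo out of a DER certificate with a small DER walker, computes the "sha256/&lt;base64&gt;" pin format used by HPKP and Android's network security config, and enforces the pin on the leaf certificate of a TLS connection after normal chain validation. Since no real certificate can be embedded here, make_stub_cert() builds a structurally valid DER skeleton with placeholder fields purely so the walker can run offline; it is an assumption of the example and not a certificate any TLS stack would accept.

```python
"""Certificate pinning check: hash the leaf's SubjectPublicKeyInfo and compare.

Added example, standard library only. extract_spki() walks the DER structure
of an X.509 certificate without a full ASN.1 library. make_stub_cert() builds
a structurally valid DER skeleton with placeholder fields (no real key, no
signature) purely so the walker can be exercised offline.
"""
import base64
import hashlib
import hmac
import socket
import ssl


def _der_read(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _der_read(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo (header included).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_start, _ = _der_read(cert_der, 0)
    _, tbs_start, tbs_end = _der_read(cert_der, cert_start)
    fields = list(_der_children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version is present
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def spki_pin(spki_der):
    """HPKP / Android network-security-config pin: 'sha256/' + base64(sha256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def cert_pin(cert_der):
    return spki_pin(extract_spki(cert_der))


def check_pin(cert_der, pins):
    """Fail closed: True only if the leaf's SPKI hash equals one configured pin."""
    actual = cert_pin(cert_der)
    return any(hmac.compare_digest(actual, p) for p in pins)


def pinned_connect(host, port, pins, timeout=5):
    """TLS connect with normal chain validation, then enforce the pin on the leaf.

    Pinning adds to chain validation, never replaces it. Configure at least one
    backup pin so a key rotation does not lock clients out.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not check_pin(leaf, pins):
                raise ssl.SSLError(f"pin mismatch for {host}: leaf is {cert_pin(leaf)}")
            return cert_pin(leaf)


def _tlv(tag, body):
    """Minimal DER encoder (short and long length forms) for the stub below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_stub_cert(key_bits):
    """Constructed stand-in certificate wrapping key_bits in an SPKI; returns (cert, spki)."""
    spki = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + key_bits))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _tlv(0x30, b"") + _tlv(0x30, b"") + _tlv(0x30, b"") + spki)
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return cert, spki
```

Against a real server, pinned_connect(host, 443, [...]) returns the leaf's pin when it matches and raises when it does not, which is exactly what an intercepting proxy triggers; that failure is the "security exception" a pentester has to negotiate around, and on the defensive side the reason pins must be rotated with a backup pin in place.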

24
Q

What are the different environmental strategies in pentesting?

A
Unknown Environment (Black Box- no information on environment is provided)
Partially Known Environment (Gray Box - some information is provided)
Known Environment (White box- much information is known/given to the testers)
25
Q

What is risk acceptance?

A

This refers to a formal, documented decision by an appropriate stakeholder not to remediate a risk (often one that exceeds the organization's stated risk appetite/tolerance), accepting the consequences instead. It should name the owner, the justification and a review date.

Some examples of content include:
Legacy systems that cannot be patched
Services with weak or old passwords that cannot be changed
Hard-coded credentials in programs

26
Q

What is tolerance to impact?

A

This refers to a metric that indicates the degree to which the organization requires its information to be protected against a confidentiality leak or compromised data integrity.

This knowledge is critical to keeping an organization from protecting data too much (overspending) or not protecting it enough to satisfy its needs and requirements; in a pentest it also sets how aggressive testing may be against production systems.

27
Q

What is a scope creep?

A

Scope creep refers to the way a project's requirements tend to grow over the project lifecycle.

In pentesting, this would be going beyond the originally agreed scope of what was to be performed/tested, which is both a contract problem and an authorization problem: systems outside the signed scope are not covered by the written authorization.

28
Q

What is an APT?

A

An advanced persistent threat is a stealthy actor, typically a nation state or state-sponsored group, that gains unauthorized access to a computer network and remains undetected for an extended period of time.

29
Q

What is a script kiddie?

A

A script kiddie, or skid, is a relatively unskilled individual who uses scripts or programs developed by others, such as a web shell, to attack computer systems and networks and deface websites.

30
Q

What is a hacktivist?

A

This is a person who gains unauthorized access to computer files or networks in order to further social or political ends

31
Q

What is threat modeling?

A

Threat modeling is a structured process of identifying security requirements, pinpointing security threats and potential vulnerabilities, quantifying the criticality of those threats and vulnerabilities, and prioritizing remediation.

32
Q

What are some compliance-based assessment requirements/limitations?

A
Password policies
Data isolation
Key management
Rules on how often assessments must be done (e.g. PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor and penetration testing at least annually and after significant changes)
Limited network access
Limited network storage