CompTIA Pentest+ PT0-003: Complete Penetration Testing Guide

Explore the structured penetration testing process, including planning and scoping, information gathering and vulnerability scanning, exploitation, maintaining access, covering tracks, and reporting to stakeholders.

Explore PCI DSS, the payment card industry data security standard, and how to protect card data in transit and at rest through secure infrastructure, access controls, and regular penetration testing.

Explore the GDPR framework and other privacy laws, including consent, cookies, restricted data collection, and breach notification within 72 hours, to protect consumer data globally.

Identify and compare major penetration testing frameworks, including OWASP, NIST, and open source security testing methodology manual, and explore OWASP top ten evolution to protect web applications.

Explore structured penetration testing frameworks, including PTES, ISAF, and MITRE ATT&CK, detailing seven PTES stages—from pre-engagement to report—and tactics like initial access, persistence, credential access, and threat modeling.

Define the project scope with stakeholders and identify assets, IP addresses, and domains for penetration testing. Plan on-site or off-site testing, assess cloud resources and authorization, and consider restrictions.

Define the rules of engagement, establish scope, timelines, and communication plans. Validate restrictions, objectives, and testing strategies across compliance, red team, blue team, and known or unknown environments.

Prepare legal documents to safeguard data confidentiality, require a non-disclosure agreement, and secure formal permission, defining scope and contracts (MSA, SOW, and SLA) for pen testing.

Discover the target by footprinting and reconnaissance, gathering information through passive and active methods, including domain, IP, and DNS data from online sources and social platforms.

Explore the nmap scripting engine to extend scans with scripts for malware discovery, host and protocol discovery, and vulnerabilities, using --script, filtering results, and Kali Linux and Metasploitable lab practice.

Use nmap to identify operating system services with the smb os discovery script on 192.168.1.0, then save results and enable service version discovery with -sV.

This lecture covers banner grabbing, distinguishes active and passive methods, and shows how to use tools like wget, netcat, nikto, and nmap on Kali Linux to identify banners.

Identify usable IP protocols on a target by performing protocol enumeration with nmap -sO, uncovering open IPv4, IPv6, ICMP, TCP, UDP, GRE, and IGMP. Analyze captures with Wireshark.

Explore service discovery through full connection and stealth scans, using the three-way handshake and flag-based scans to identify running services and their versions with nmap.

Enumerate DNS records such as MX, NS, TXT, A, and PTR to map domains to IP addresses and reveal mail servers, SPF, DKIM, and DMARC configurations.

learn os fingerprinting using passive and active techniques, with nmap and smb os discovery to identify the target's operating system (Windows 11) and guide tool selection.

Perform enumeration with nmap to identify Linux hosts, map the shared financial records folder, and access the bank accounts file using net view and net use in a pentest+ lab.

Perform dns enumeration and reconnaissance using nslookup and dig, conduct whois lookups, ip address research, and analyze dns records such as A, MX, NS, and CNAME.

Map attack paths by enumerating devices such as servers, clients, routers, and firewalls to identify targets, then use Maltego and BloodHound to visualize internal network relationships.

Perform manual enumeration with the Osint framework to collect domain data, whois and DNS records, emails, and WordPress core, plugin, and theme details; check robots.txt, sitemap, and web.archive.org history.

Execute Windows manual enumeration to reveal users, groups, system information, network shares, IP addresses, ARP, and routing data using cmd, PowerShell, WMI, and net tools.

Learn how SNMP centralizes network management with agents and a management station, stores device data in a MIB database, and enumerates devices using SNMP walk and read-write communities.

Document enumeration findings by recording hostnames, IP addresses, open ports, services, and versions with screenshots and timestamps; store nmap outputs in preferred formats and map the network.

explore document enumeration in penetration testing, and map findings to proper categories while generating nmap outputs for different formats (normal, xml, grippable) and updating records with timestamps.

Explore directory enumeration for web applications, mapping root directories, menus, and hidden directories using dir V, dir Buster, dir search, and puff in Kali Linux.

Enumerate users by extracting emails and usernames with the harvester tool from multiple sources. Build a user list using Nmap Kerberos enumeration, login page responses, and Maltego.

Enumerate nearby wireless networks to map ssids, bssids, channel, signal strength, and security status, including rogue and open networks, using tools like inSSIDer, airmon, and global wireless mapping sites.

Identify sensitive data from public code repositories such as GitHub, including language, comments, and config files, to reveal usernames, passwords, and host details for penetration testing.

Explore Google hacking techniques to gather target information using search operators, file types, inurl, and site filters, and leverage the Google hacking database for enumeration.

Learn to gather evidence from archived pages and image search to understand a target's history, using Google cache, Wayback Machine, archive.org, and image search tools.

Identify and gather website information for penetration testing, including open ports, technologies, and vulnerabilities, using Nmap, DirBuster, Metasploit, and Maltego, and assess subdomains and robots.txt for extended reach.

Explore ssl and tls certificates, how validity, wildcard coverage, and certificate authorities affect secure connections; learn to verify certificates via ocsp, stapling, and renewal or revocation practices.

Explore how to use nslookup, dig, and whois to gather domain and DNS information, perform interactive lookups, view A and MX records, and identify name servers.

Learn to use open source intelligence tools for reconnaissance, including metadata discovery with metafile and FOCA, harvester, Recon ng, Maltego, and Shodan to gather publicly available target information.

Use harvester to gather email addresses from target domains via open source intelligence tools, with google as source, then review results and downloadable pdf files.

Explore vulnerability discovery techniques through scanning and reconnaissance, using tools like Metasploit and Aircrack-ng, plus Nicto, Openvas, Truffle Hog, BloodHound, Tenable, and Nessus to identify network, wireless, and Linux vulnerabilities.

Explore vulnerability scanning types, including authenticated and unauthenticated scans, and active, passive, and automated assessment approaches. Learn how using credentials reveals system configuration, installed software, permissions, and access controls.

Examine container scanning to identify vulnerabilities in images, configurations, runtimes, and network interactions using the Docker engine and image repositories, with guidance on compliance checks.

Master web application scans across static, dynamic, and interactive testing, including software composition analysis, using tools like Nikto, ZAP proxy, and Burp scanner to address OWASP top ten issues.

Scan for clear text vulnerabilities using a chrome-based vulnerability scanner on the target 192.168.0.45, review the reports, and note the CVE to guide remediation.

Identify active devices and open ports, analyze running services and versions, and prioritize vulnerabilities using CVSS, CVE, and resources like MITRE and NVD, with Nmap and Nessus.

Identify targets on a private network by performing an nmap-based scan to discover devices and open ports, and review vulnerabilities with tools like Nikto, OpenVAS, and Nessus.

Scan every network host for vulnerabilities and outdated software with OpenVAS, using credential and non-credential modes; map AD with BloodHound; and analyze ICS traffic via span port mirroring.

Practice metasploit with kali linux to initialize the database, import targets, perform nmap scans, identify smb and ldap services, and exploit zero logon to gain meterpreter access.

Explore secret scanning to detect credentials, API keys, encryption keys, and cloud keys in code, configuration files, logs, and scripts using truffle hog across GitHub, GitLab, S3, and Docker images.

Explore wireless scanning as a pentester by assessing signal strength, channel, and hidden SSIDs, and evaluating vulnerabilities in WEP, WPA, WPA2, and WPA3 with four‑way handshake capture.

Use aircrack-ng tools such as airmon-ng and airodump-ng to discover hidden networks, set monitor mode, and identify hidden ssids and rogue access points in a lab environment.

Locate a rogue wireless access point using aircrack-ng tools. Enable monitor mode, run airodump-ng to list nearby networks with bssid, essid, and channel, and identify the rogue point.

Analyze reconnaissance and enumeration outputs to identify vulnerabilities, then select public exploits using Metasploit, Exploit DB, Divi, and GitHub, and validate results with scripting and tools like Nmap.

Analyze reconnaissance scanning and enumeration outputs to identify vulnerabilities and validate results. Learn to select public exploits and use scripting to verify findings with metasploit, exploit databases, and GitHub sources.

Explore physical security concepts essential for penetration testing, including tailgating and piggybacking, site survey, USB drops, RFID cloning, lock picking, and documenting vulnerabilities to breach restricted areas.

Explore how social engineering manipulates the human mind using authority, urgency, social proof, scarcity, likeness, and fear to trick users into revealing credentials or installing malware.

Train staff with ongoing social engineering campaigns to reveal vulnerabilities, enforce organizational policies, and deploy physical and technical controls—recognizing human vulnerability and that there is no patch for this risk.

Set up the social engineering toolkit, craft a spear phishing attack with a payload and listener, and simulate a mass email campaign to deliver a Windows reverse TCP Meterpreter payload.

Analyze scan outputs to prioritize and prepare attacks by identifying high-value assets, end-of-life systems, default configurations, vulnerable encryption, and exploit choices within scope.

Prioritize targets after network scans and vulnerability assessments by evaluating scope, potential payoff, and impact, then build a threat model to rank vulnerabilities and plan exploitation order.

Identify and prioritize value assets per CSA guidance, covering customer data, intellectual property, authentication systems, financial systems, and critical infrastructure, and base assessment on information value and mission essential functions.

End-of-life software and systems lack vendor support and patches, increasing security risk from unpatched vulnerabilities; retire and remove such systems, or prioritize testing and scanning if removal isn't possible.

Identify and mitigate default configurations, credentials, and permissions that create soft targets by checking all devices, changing default usernames and passwords, switching http to https, and reporting findings with remediations.

Identify and assess running services after configuration changes using nmap, netcat, openbox, and metasploit to discover versions and prioritize web, database, file, email, and remote access services.

Identify vulnerable encryption methods such as md5, sha1, des, 3des, rc2/rc5, rc4, wap, and blowfish in a pentest context, assess whether each is secure, and document findings and remediations.

Explore defensive capabilities in penetration testing, including load balancer, firewalls, anti-malware, and siem and soar. Learn to test by bypassing rules, performing ddos, http tunneling, and obfuscation.

Define the scope to determine goals, targets, attack vectors, environment, and tools, then select capabilities accordingly. Create a roadmap, map hosts, prioritize tools, and execute the penetration testing.

Select exploits for a discovered vulnerability using CVEs and Exploit DB with Metasploit, then set lhost and lport and customize payloads for a reverse shell.

Outline a low level diagram of hosts and nodes, include methods, vulnerability scanners, and tools, then map the attack path from stage one to stage three with attack vectors.

Practice customizing exploits using a two-server scenario in Metasploit, selecting incorrect host and port settings, launching the MSF core PowerShell exploit, and validating a session on server two.

Identify legacy operating systems and hardware across a network, apply remediation to replace them, and use nmap and metasploit to assess end-of-life status for reporting.

Demonstrates exploiting default configurations with Responder in a live Kali Linux lab to capture hashes from domain name service and netbios queries and crack credentials for remote access.

Explore scripting automation for penetration testing across Windows and Linux using PowerShell, Bash, Python, and other languages; leverage breach and attack simulation tools.

Explore web application attack types, from brute force and injection to session hijacking, and learn tools like Burp Suite, ZAP Proxy, and SQLMap, plus OWASP top ten guidance.

Explain brute force attack and its types: simple, dictionary, hybrid, and reverse—and how tools like Go-buster and Der Buster reveal hidden files and directories on web servers.

Explore collision attacks in hashing, including chosen-prefix and birthday attacks, understanding hash functions, fixed output size, determinism, and resistance. Compare MD5, SHA-1, SHA-2, and SHA-3, and recommend SHA-3 for hashing.

Explore the directory traversal attack, where dot-dot paths reach restricted files like system32 or passwd. Learn encoding techniques, null bytes, and how labs illustrate bypass methods using practical tools.

Explore how request forgery attacks exploit authenticated sessions through cross-site and server-side techniques, leveraging crafted requests and stolen cookies to perform unauthorized actions such as password changes.

Examine how deserialization attacks exploit manipulated serialized data to execute payloads, gain shells, or escalate privileges by finding the entry point and triggering remote code execution.

Explore injection attacks and their types—SQL injection, cross-site scripting, template injection, and HTML injection—and how malicious input manipulates queries, scripts, and templates to exfiltrate data or compromise systems.

Analyze an activity on injection attacks, showing how SQL injection via URL parameters in a PHP and MySQL school portal can alter attendance and grades, and outline prevention approaches.

Learn how insecure direct object references allow attackers to access or modify objects by tampering url or request parameters, bypassing authorization if the server fails to validate access.

Learn how session hijacking uses stolen session cookies and IDs to impersonate users and bypass authentication, and compare session fixation and replay attacks, with ZAP proxy and Burp Suite.

The lecture explains how arbitrary code execution occurs when input is not sanitized, enabling command execution, memory overflow, injection, and deserialization attacks on the target device.

Explore local and remote file inclusion, and how attackers manipulate include functions to access unauthorized files and execute harmful scripts.

Learn how RESTful API mediates client-server requests and how API abuse exploits interfaces like XML RPC and SOAP, including parameter tampering, data theft, DoS, authentication attacks, and injections.

Explore how json web tokens are manipulated to secure authentication and access control, focusing on signing header, payload, and signature, and identify vulnerabilities like signature forgery and none algorithm attacks.

Explore cloud based attack overview, types, and risks across SaaS, PaaS, and IaaS. Identify tools like pacu, docker bench, kube hunter, prowler, and scout suite used for cloud security testing.

Identify how metadata service attacks exploit cloud instance metadata to reveal identities, roles, and temporary credentials via SSRF or misconfiguration.

Assess access management misconfigurations in cloud environments by verifying IAM policies, enforcing least privilege, and securing identity federation and MFA to prevent unauthorized data access to databases and s3 buckets.

Explore how third-party integrations in cloud environments create attack vectors, and enforce secure configurations, monitoring, and NIST/ISO-based protections for APIs, data transfer, storage, use, and third-party software.

Expose how resource misconfiguration in cloud environments causes data exposure, covering network segmentation and controls, storage bucket permissions, CDN and cross-origin resource sharing, and default open versus secure postures.

Identify how logs expose credentials, api keys, personal and payment data, and error messages; examine causes like default configurations, insecure storage, and insecure channels for pentest analysis.

Explore image and artifact tampering risks in container environments, including Docker images, registries, and supply chain attacks, with insider threats and malicious code injections.

Investigate supply chain attacks that target third-party software and dependencies, and learn how the Slsa framework mitigates threats across sources and builds, including dependency confusion and code injection.

Explore how workload runtime attacks exploit vulnerabilities in VMs, containers, and cloud workloads to gain access, escalate privileges, execute code, or disrupt services via side-channel, container breakout, or DoS.

Explore container escape attacks, how runtime vulnerabilities, misconfigurations, and kernel flaws enable host or peer container access, and leverage Docker bench and Cube Hunter to assess CIS benchmarks.

Examine how trust relationships between users, services, and intercloud environments can be exploited to gain unauthorized access, with techniques like credential theft, privilege escalation, and cross-account access.

Explore enterprise attack techniques, from sniffing network traffic with tcpdump and wireshark, on-path attacks, credential dumping, privilege escalation, and sql injection, using nmap, netcat, John the Ripper, and Hashcat.

Learn passive and active network attacks, on-path (man-in-the-middle) attacks, and credential-based exploits, and practice with tools like Nmap, Wireshark, Hydra, and John the Ripper in labs.

Identify and mitigate default credentials across routers, switches, web apps, databases, and IoT devices; learn secure storage and encrypted transmission practices for penetration testing readiness.

Demonstrate on-path attack techniques by acting as a man-in-the-middle between client and server, intercepting traffic with netcat, and using spoofing, dns poisoning, arp spoofing, and mac address spoofing.

Explore misconfigured services exploited through weak permissions, unquoted paths, and dll hijacking. Use nmap to identify services and versions, then apply exploits to gain unauthorized access and escalate privileges.

Learn how relay attacks intercept and relay client–server sessions to act on the client’s behalf, using on path attack and pass the hash or pass the ticket in Kerberos.

Explore intrusion detection system evasion techniques used to bypass firewalls, IPS, and IDS, including fragmentation, unusual data, TTL evasion, and packet crafting with tools like Scapy and Kali Linux.

Explore authentication attack types, from MFA fatigue and pass-the-hash to Kerberos, LDAP injection, OpenID Connect, SAML attacks, and learn tools to perform these authentication attacks.

Explore authentication attack types and the underlying methods, including something you know, something you have, something you are, and location-based restrictions, plus multi-factor authentication and OTP.

Explore tools for authentication attacks, including crackmapexec, responder, Hashcat, John the Ripper, Hydra, BloodHound, Medusa, and Burp Suite for post-exploitation and password cracking.

Explore how multifactor authentication fatigue arises when attackers repeatedly prompt authenticator challenges, exploiting OTPs and organizational policy to create user frustration and security risk.

Explore pass-the-hash attacks, where a username and hash authenticate without the password, and learn how hashes are stored, dumped, cracked, and mitigated by Windows Defender credential guard and UAC.

Understand pass-the-ticket attacks, where Kerberos issues and uses a ticket granting ticket and session key. An attacker who steals a TGT can impersonate a user to access services.

Discover pass-the-token attacks in cloud environments using Azure AD tokens and PRT cookies. Learn how attackers dump tokens with mimikatz and gain admin access.

Explore Kerberos attacks in active directory environments, including pass the ticket, ticket dumping, and Kerberos roasting to obtain NTLM hashes. Identify SPN targets, and study delegation and golden ticket techniques.

Learn how dictionary attacks perform offline password cracking by using a password dictionary with tools like hashcat or John the Ripper to crack hashes without interacting with the target.

Explore how brute force attacks crack passwords by enumerating all combinations, from four digit pins to complex alphanumerics, and learn tools like crunch, Hydra, and John the Ripper.

Explore mask attacks in hash cracking: combine known and unknown parts with hashcat masks (lower, upper, digits, symbols) to crack MD5 hashes through efficient pattern guessing.

Learn how password spraying uses a single password across many accounts to bypass weak user credentials, evading repeated lockouts and exploiting default passwords, a key brute-force technique for pentesters.

Inspect how credential stuffing uses stolen credentials from one site to access others by reusing the same username and password, often from the dark web.

Explore OpenID Connect attacks within the OAuth framework, focusing on authentication and authorization flows, social login scenarios, and client side and server side request forgery with token theft vulnerabilities.

Explore security assertion markup language (saml) attacks targeting saml-based single sign-on, including assertion tampering, on-path and replay attacks, and token-based abuse between identity providers and service providers.

Learn host-based attack techniques with Windows and Linux tools, covering privilege escalation, credential dumping, bypassing security tools, and payloads, including process hollowing and service path injection—supported by hands-on labs.

Explore credential dumping and how stored credentials from SAM, LSASS, Active Directory, Kerberos, and Linux /etc/passwd and /etc/shadow are retrieved.

Bypass network and host defenses to exploit a target, using obfuscation and living off the land. Leverage built-in tools like PowerShell to evade signatures and enable lateral movement.

Practice configuring security audit policies by disabling per-user audit settings and confirming all audit policies are disabled in a hands-on lab.

Identify and remediate misconfigured endpoints to prevent attacker access, using the seat belt to scan credentials, processes, network information, and user data for privilege escalation risks.

Learn how payload obfuscation hides malicious payloads from security tools using encoding, polymorphism, packing, multi-stage payloads, and steganography to bypass antivirus defenses on target machines.

Explore user controlled access bypass (uac bypass), how misconfigurations enable parameter tampering, insecure direct object references, forced browsing, cross-site scripting, and directory traversal, and how pentesters assess these weaknesses.

Discover how to identify restricted shells and bypass them to escape to a full command line, using env and echo $0, and explore privilege escalation techniques on Linux shells.

Learn how library injection attacks enable privilege escalation by injecting malicious DLLs or shared objects into running processes across Windows, Linux, and macOS, loading via LoadLibrary, ldpreload, or ptrace.

Master nmap for network discovery, live hosts detection, and target enumeration. Learn how to perform a 0/24 subnet scan, use ping sweep, and interpret reverse DNS and syn ping options.

Explore stealth scanning techniques to bypass firewalls, IDs and IPS, including sparse scanning with delays, timing patterns, TCP idle scanning with zombie hosts, and packet fragmentation for host discovery.

Learn to use nmap for port scanning from single ports to ranges, identify open, closed, and filtered ports, and apply techniques like syn half-open, tcp connect, and udp scans.

Explore fingerprinting and enumeration with nmap to discover active hosts, identify open ports, services and versions, and detect operating systems on target networks.

Explore Nmap scripting and the Lua script engine to scan for vulnerabilities, enumerate targets, and run FTP related scripts across top ports.

Explore how network access control protects internal networks by requiring device authorization. See attackers spoof SSIDs and use a trusted-looking wireless access point to bypass NAC.

Examines living off the land attacks and fileless malware using PowerShell and WMI to install backdoors, dump credentials with Mimikatz, and cover tracks by removing logs.

Explore how attackers manipulate logs and timestamps to cover tracks, alter log entries, clear history, and shred evidence using meterpreter, Windows CLI, Linux commands, and fileless techniques.

Explore steganography techniques to hide and conceal data within images, audio, or text using tools like stag hide and snow, including alternate data streams and carrier files.

Explore covert channels for data exfiltration, including how ssh creates a secure channel to transmit and receive data, and how scp and ssh sessions enable file transfers.

Use netcat, ncat, and winrm to establish covert channels, transmit files, and remotely manage targets with client/server modes and powershell-based tools.

Understand how proxy servers mediate between the client, attacker, and victim, enabling proxy chaining across multiple nodes, with Tor and Kali Linux masking the source IP and encrypting data.

Explore LAN-based network attacks at layer two, where data travels in frames identified by MAC addresses, and insider threats capture data while exploiting vulnerabilities in web apps and servers.

Test how software and hardware perform under extreme load. Learn to simulate traffic and use tools like Kali Linux LVD to identify bottlenecks and defend against DDoS and failures.

Secure wireless transmission builds an encrypted tunnel with eap and tls between the client and the authentication server (Radius/AAA) to protect credentials and defend against MITM and relay attacks.

Explore Bluetooth attack vectors such as bluejacking, bluesnarfing, and blueborne, including Bluetooth Low Energy and frequency hopping risks, and review protection via pin-based pairing.

Explore RFID and NFC attack methods, from tag-reader interactions to frequency manipulation that can bypass authentication in car remotes. Encryption and two-factor authentication mitigate these threats.

explains how arp works in local networks, how arp poisoning hijacks arp tables to intercept traffic, and how vlan, dhcp snooping, and dynamic arp inspection prevent it.

Learn ARP spoofing with the arpspoof tool: configure the interface, identify the target with arp -a and ping, execute the spoof, and stop with Ctrl+C.

Explore mac table overflow (mac flooding) attacks that exhaust a switch’s mac table, turning it into a hub, and protect with dhcp snooping, port security, and dynamic arp inspection.

Explore mac addresses and mac spoofing in Kali Linux, showing how to view and spoof a mac address with macchanger, and discuss mac filtering.

Discover VLAN basics and how misconfigurations enable VLAN hopping through switch spoofing and double tagging, with prevention by changing the native VLAN and avoiding native VLAN on user devices.

Explore online and offline password attacks, including hash cracking with dictionary, brute force, rainbow table, and precomputed hashes, using tools such as Hashcat, John the Ripper, and Cain and Abel.

Demonstrates cracking linux password hashes with John the Ripper, extracting hashes from shadow and passwd files, and using Hydra to brute-force ssh, ftp, smtp, and pop3 with word lists.

Demonstrates kerberoasting in a lab: deploy vpn, enumerate with Nmap and smb/kerberos findings, brute-force kerberos usernames, crack hashes with hashcat, and access shares via smb.

Learn how on path attacks intercept and manipulate data between source and target, including ARP and DNS poisoning, rogue access points, replay and man-in-the-middle attacks, and SSL strip/downgrade methods.

Explore LLMNR and NBNS poisoning in a local area network, and how responder on Kali Linux enables the attack, including basic enumeration with nmap and nbtscan.

Implement a strong password policy with mixed case, digits, and symbols; enforce periodic changes, failed-login lockouts, and two-factor authentication to defend against password spraying and credential stuffing.

Demonstrates using netcat to create bind and reverse shells, establish backdoors, transfer files, and escalate privileges through command injection on a Kali Linux and Metasploitable setup.

Explore exploit resources such as exploit db and packet storm, study CVEs and remote code execution, and learn exploit chaining, privilege escalation, and keylogging concepts.