1. Home
  2. CompTIA
  3. PT0-002 Exam Syllabus

CompTIA PT0-002 Exam Topics

CompTIA PT0-002 Exam Overview :

Exam Name: CompTIA PenTest+ Certification Exam
Exam Code: PT0-002
Certifications: CompTIA PenTest+ Certification
Actual Exam Duration: 165 minutes
Expected no. of Questions in Actual Exam: 85
See Expected Questions: CompTIA PT0-002 Expected Questions in Actual Exam

CompTIA PT0-002 Exam Objectives :

Section Weight Objectives
1.0 Planning and Scoping 14% 1.1 Compare and contrast governance, risk, and compliance concepts.
• Regulatory compliance considerations
 - Payment Card Industry Data  
   Security Standard (PCI DSS)
 - General Data Protection  
   Regulation (GDPR)
• Location restrictions
 - Country limitations
 - Tool restrictions
 - Local laws
 - Local government requirements
  - Privacy requirements
• Legal concepts
 - Service-level agreement (SLA)
 - Confidentiality
 - Statement of work
 - Non-disclosure agreement (NDA)
 - Master service agreement
• Permission to attack

1.2 Explain the importance of scoping and organizational/customer requirements.
• Standards and methodologies
 - MITRE ATT&CK
 - Open Web Application  
   Security Project (OWASP)
 - National Institute of Standards  
   and Technology (NIST)
 - Open-source Security Testing  
   Methodology Manual (OSSTMM)
 - Penetration Testing  
   Execution Standard (PTES)
 - Information Systems Security  
   Assessment Framework (ISSAF)
• Rules of engagement
 - Time of day
 - Types of allowed/disallowed tests
 - Other restrictions
• Environmental considerations
 - Network
 - Application
 - Cloud
• Target list/in-scope assets
 - Wireless networks
 - Internet Protocol (IP) ranges
 - Domains
 - Application programming  
   interfaces (APIs)
 - Physical locations
 - Domain name system (DNS)
 - External vs. internal targets
 - First-party vs. third-party hosted
• Validate scope of engagement
 - Question the client/review contracts
 - Time management
 - Strategy
  - Unknown-environment vs.  
    known-environment testing
    
1.3 Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity.
• Background checks of penetration testing team
• Adhere to specific scope of engagement
• Identify criminal activity
• Immediately report breaches/criminal activity
• Limit the use of tools to a particular engagement
• Limit invasiveness based on scope
• Maintain confidentiality of data/information
• Risks to the professional
- Fees/fines
- Criminal charges
2.0 Information Gathering and Vulnerability Scanning 22% 2.1 Given a scenario, perform passive reconnaissance.
• DNS lookups
• Identify technical contacts
• Administrator contacts
• Cloud vs. self-hosted
• Social media scraping
 - Key contacts/job responsibilities
 - Job listing/technology stack
• Cryptographic flaws
 - Secure Sockets Layer (SSL) certificates
 - Revocation
• Company reputation/security posture
• Data
 - Password dumps
 - File metadata
 - Strategic search engine  
   analysis/enumeration
 - Website archive/caching
 - Public source-code repositories
• Open-source intelligence (OSINT)
 - Tools
  - Shodan
  - Recon-ng
 - Sources
  - Common weakness  
    enumeration (CWE)
  - Common vulnerabilities  
    and exposures (CVE)
    
2.2 Given a scenario, perform active reconnaissance.
• Enumeration
 - Hosts
 - Services
 - Domains
 - Users
 - Uniform resource locators (URLs)
• Website reconnaissance
 - Crawling websites
 - Scraping websites
 - Manual inspection of web links
  - robots.txt
• Packet crafting
 - Scapy
• Defense detection
 - Load balancer detection
 - Web application firewall  
   (WAF) detection
 - Antivirus
 - Firewall
• Tokens
 - Scoping
 - Issuing
 - Revocation
• Wardriving
• Network traffic
 - Capture API requests and responses
 - Sniffing
• Cloud asset discovery
• Third-party hosted services
• Detection avoidance

2.3 Given a scenario, analyze the results of a reconnaissance exercise.
• Fingerprinting
 - Operating systems (OSs)
 - Networks
 - Network devices
 - Software
• Analyze output from:
 - DNS lookups
 - Crawling websites
 - Network traffic
 - Address Resolution  
   Protocol (ARP) traffic
 - Nmap scans
 - Web logs
 
2.4 Given a scenario, perform vulnerability scanning.
• Considerations of vulnerability scanning
 - Time to run scans
 - Protocols
 - Network topology
 - Bandwidth limitations
 - Query throttling
 - Fragile systems
 - Non-traditional assets
• Scan identified targets for vulnerabilities
• Set scan settings to avoid detection
• Scanning methods
 - Stealth scan
 - Transmission Control  
   Protocol (TCP) connect scan
 - Credentialed vs. non-credentialed
• Nmap
 - Nmap Scripting Engine (NSE) scripts
 - Common options
•  -A
•  -sV
•  -sT
•  -Pn
•  -O
•  -sU
•  -sS
•  -T 1-5
•  -script=vuln
•  -p
• Vulnerability testing tools that facilitate automation
3.0 Attacks and Exploits 30% 3.1 Given a scenario, research attack vectors and perform network attacks.
• Stress testing for availability
• Exploit resources
 - Exploit database (DB)
 - Packet storm
• Attacks
 - ARP poisoning
 - Exploit chaining
 - Password attacks
  - Password spraying
  - Hash cracking
  - Brute force
  - Dictionary
 - On-path (previously known  
   as man-in-the-middle)
 - Kerberoasting
 - DNS cache poisoning
 - Virtual local area network  
   (VLAN) hopping
 - Network access control (NAC) bypass
 - Media access control (MAC) spoofing
 - Link-Local Multicast Name  
   Resolution (LLMNR)/NetBIOS-
   Name Service (NBT-NS) poisoning
 - New Technology LAN Manager  
   (NTLM) relay attacks
• Tools
 - Metasploit
 - Netcat
 - Nmap
 
3.2 Given a scenario, research attack vectors and perform wireless attacks.
• Attack methods
 - Eavesdropping
 - Data modification
 - Data corruption
 - Relay attacks
 - Spoofing
 - Deauthentication
 - Jamming
 - Capture handshakes
 - On-path
• Attacks
 - Evil twin
 - Captive portal
 - Bluejacking
 - Bluesnarfing
 - Radio-frequency identification  
   (RFID) cloning
 - Bluetooth Low Energy (BLE) attack
 - Amplification attacks [Near-
   field communication (NFC)]
 - WiFi protected setup (WPS) PIN attack
• Tools
 - Aircrack-ng suite
 - Amplified antenna
 
3.3 Given a scenario, research attack vectors and perform application-based attacks.
• OWASP Top 10
• Server-side request forgery
• Business logic flaws
• Injection attacks
 - Structured Query Language  
   (SQL) injection
  - Blind SQL
  - Boolean SQL
  - Stacked queries
 - Command injection
 - Cross-site scripting
  - Persistent
  - Reflected
 - Lightweight Directory Access  
   Protocol (LDAP) injection
• Application vulnerabilities
 - Race conditions
 - Lack of error handling
 - Lack of code signing
 - Insecure data transmission
 - Session attacks
  - Session hijacking
  - Cross-site request forgery (CSRF)
  - Privilege escalation
  - Session replay
  - Session fixation
• API attacks
 - Restful
 - Extensible Markup Language-
   Remote Procedure Call (XML-RPC)
 - Soap
• Directory traversal
• Tools
 - Web proxies
  - OWASP Zed Attack Proxy (ZAP)
  - Burp Suite community edition
 - SQLmap
 - DirBuster
• Resources
 - Word lists
 
3.4 Given a scenario, research attack vectors and perform attacks on cloud technologies.
• Attacks
 - Credential harvesting
 - Privilege escalation
 - Account takeover
 - Metadata service attack
 - Misconfigured cloud assets
  - Identity and access  
    management (IAM)
  - Federation misconfigurations
  - Object storage
  - Containerization technologies
 - Resource exhaustion
 - Cloud malware injection attacks
 - Denial-of-service attacks
 - Side-channel attacks
 - Direct-to-origin attacks
• Tools
 - Software development kit (SDK)
 
3.5 Explain common attacks and vulnerabilities against specialized systems.
• Mobile
 - Attacks
  - Reverse engineering
  - Sandbox analysis
  - Spamming
 - Vulnerabilities
  - Insecure storage
  - Passcode vulnerabilities
  - Certificate pinning
  - Using known  
    vulnerable components
  (i)   Dependency vulnerabilities
  (ii) Patching fragmentation
  - Execution of activities using root
  - Over-reach of permissions
  - Biometrics integrations
  - Business logic vulnerabilities
 - Tools
  - Burp Suite
  - Drozer
  - Mobile Security Framework (MobSF)
  - Postman
  - Ettercap
  - Frida
•  - Objection
•  - Android SDK tools
•  - ApkX
•  - APK Studio
• Internet of Things (IoT) devices
 - BLE attacks
 - Special considerations
•  - Fragile environment
•  - Availability concerns
•  - Data corruption
•  - Data exfiltration
 - Vulnerabilities
•  - Insecure defaults
•  - Cleartext communication
•  - Hard-coded configurations
•  - Outdated firmware/hardware
•  - Data leakage
•  - Use of insecure or  
    outdated components
• Data storage system vulnerabilities
 - Misconfigurations—on-premises  
   and cloud-based
  - Default/blank  
    username/password
  - Network exposure
 - Lack of user input sanitization
 - Underlying software vulnerabilities
 - Error messages and debug handling
 - Injection vulnerabilities
•  - Single quote method
• Management interface vulnerabilities
 - Intelligent platform  
   management interface (IPMI)
• Vulnerabilities related to supervisory  
   control and data acquisition (SCADA)/
   Industrial Internet of Things (IIoT)/
   industrial control system (ICS)
• Vulnerabilities related to  
   virtual environments
 - Virtual machine (VM) escape
 - Hypervisor vulnerabilities
 - VM repository vulnerabilities
• Vulnerabilities related to  
   containerized workloads
   
3.6 Given a scenario, perform a social engineering or physical attack.
• Pretext for an approach
• Social engineering attacks
 - Email phishing
•  - Whaling
•  - Spear phishing
 - Vishing
 - Short message service (SMS) phishing
 - Universal Serial Bus (USB) drop key
 - Watering hole attack
• Physical attacks
 - Tailgating
 - Dumpster diving
 - Shoulder surfing
 - Badge cloning
• Impersonation
• Tools
 - Browser exploitation  
   framework (BeEF)
 - Social engineering toolkit
 - Call spoofing tools
• Methods of influence
 - Authority
 - Scarcity
 - Social proof
 - Urgency
 - Likeness
 - Fear
 
3.7 Given a scenario, perform post-exploitation techniques.
• Post-exploitation tools
 - Empire
 - Mimikatz
 - BloodHound
• Lateral movement
 - Pass the hash
• Network segmentation testing
• Privilege escalation
 - Horizontal
 - Vertical
• Upgrading a restrictive shell
• Creating a foothold/persistence
 - Trojan
 - Backdoor
•  - Bind shell
•  - Reverse shell
 - Daemons
 - Scheduled tasks
• Detection avoidance
 - Living-off-the-land  
   techniques/fileless malware
•  - PsExec
•  - Windows Management  
    Instrumentation (WMI)
  - PowerShell (PS) remoting/Windows  
    Remote Management (WinRM)
 - Data exfiltration
 - Covering your tracks
 - Steganography
 - Establishing a covert channel
• Enumeration
 - Users
 - Groups
 - Forests
 - Sensitive data
 - Unencrypted files
4.0 Reporting and Communication 18% 4.1 Compare and contrast important components of written reports.
• Report audience
 - C-suite
 - Third-party stakeholders
 - Technical staff
 - Developers
• Report contents (** not  
   in a particular order)
 - Executive summary
 - Scope details
 - Methodology
  - Attack narrative
 - Findings
  - Risk rating (reference framework)
•  - Risk prioritization
•  - Business impact analysis
 - Metrics and measures
 - Remediation
 - Conclusion
 - Appendix
• Storage time for report
• Secure distribution
• Note taking
 - Ongoing documentation during test
 - Screenshots
• Common themes/root causes
 - Vulnerabilities
 - Observations
 - Lack of best practices
 
4.2 Given a scenario, analyze the findings and recommend the appropriate remediation within a report.
• Technical controls
 - System hardening
 - Sanitize user input/
   parameterize queries
 - Implemented multifactor  
   authentication
 - Encrypt passwords
 - Process-level remediation
 - Patch management
 - Key rotation
 - Certificate management
 - Secrets management solution
 - Network segmentation
• Administrative controls
 - Role-based access control
 - Secure software  
   development life cycle
 - Minimum password requirements
 - Policies and procedures
• Operational controls
 - Job rotation
 - Time-of-day restrictions
 - Mandatory vacations
 - User training
• Physical controls
 - Access control vestibule
 - Biometric controls
 - Video surveillance
 
4.3 Explain the importance of communication during the penetration testing process.
• Communication path
 - Primary contact
 - Technical contact
 - Emergency contact
• Communication triggers
 - Critical findings
 - Status reports
 - Indicators of prior compromise
• Reasons for communication
 - Situational awareness
 - De-escalation
 - Deconfliction
 - Identifying false positives
 - Criminal activity
• Goal reprioritization
• Presentation of findings

4.4 Explain post-report delivery activities.
• Post-engagement cleanup
 - Removing shells
 - Removing tester-created credentials
 - Removing tools
• Client acceptance
• Lessons learned
• Follow-up actions/retest
• Attestation of findings
• Data destruction process
5.0 Tools and Code Analysis 16% 5.1 Explain the basic concepts of scripting and software development.
• Logic constructs
 - Loops
 - Conditionals
 - Boolean operator
 - String operator
 - Arithmetic operator
• Data structures
 - JavaScript Object Notation (JSON)
 - Key value
 - Arrays
 - Dictionaries
 - Comma-separated values (CSV)
 - Lists
 - Trees
• Libraries
• Classes
• Procedures
• Functions

5.2 Given a scenario, analyze a script or code sample for use in a penetration test.
• Shells
 - Bash
 - PS
• Programming languages
 - Python
 - Ruby
 - Perl
 - JavaScript
• Analyze exploit code to:
 - Download files
 - Launch remote access
 - Enumerate users
 - Enumerate assets
• Opportunities for automation
 - Automate penetration testing process
  - Perform port scan and then  
    automate next  
    steps based on results
  - Check configurations  
    and produce a report
 - Scripting to modify IP addresses  
   during a test
 - Nmap scripting to enumerate  
   ciphers and produce reports
   
5.3 Explain use cases of the following tools during the phases of a penetration test.
• Scanners
 - Nikto
 - Open vulnerability assessment  
   scanner (Open VAS)
 - SQLmap
 - Nessus
 - Open Security Content  
   Automation Protocol (SCAP)
 - Wapiti
 - WPScan
 - Brakeman
 - Scout Suite
• Credential testing tools
 - Hashcat
 - Medusa
 - Hydra
 - CeWL
 - John the Ripper
 - Cain
 - Mimikatz
 - Patator
 - DirBuster
 - w3af
• Debuggers
 - OllyDbg
 - Immunity Debugger
 - GNU Debugger (GDB)
 - WinDbg
 - Interactive Disassembler (IDA)
 - Covenant
 - SearchSploit
• OSINT
 - WHOIS
 - Nslookup
 - Fingerprinting Organization  
   with Collected Archives (FOCA)
 - theHarvester
 - Shodan
 - Maltego
 - Recon-ng
 - Censys
• Wireless
 - Aircrack-ng suite
 - Kismet
 - Wifite2
 - Rogue access point
 - EAPHammer
 - mdk4
 - Spooftooph
 - Reaver
 - Wireless Geographic  
   Logging Engine (WiGLE)
 - Fern
• Web application tools
 - OWASP ZAP
 - Burp Suite
 - Gobuster
• Social engineering tools
 - Social Engineering Toolkit (SET)
 - BeEF
• Remote access tools
 - Secure Shell (SSH)
 - Ncat
 - Netcat
 - ProxyChains
• Networking tools
 - Wireshark
 - Hping
• Misc.
 - SearchSploit
 - Responder
 - Impacket tools
 - Empire
 - Metasploit
 - mitm6
 - CrackMapExec
 - TruffleHog
 - Censys
• Steganography tools
 - Openstego
 - Steghide
 - Snow
 - Coagula
 - Sonic Visualiser
 - TinEye
• Cloud tools
 - Scout Suite
 - CloudBrute
 - Pacu
 - Cloud Custodian
Official Information https://www.comptia.org/certifications/pentest

Updates in the CompTIA PT0-002 Exam Topics:

CompTIA PT0-002 exam questions and practice test are the best ways to get fully prepared. Study4exam's trusted preparation material consists of both practice questions and practice test. To pass the actual  CompTIA PenTest+ PT0-002  exam on the first attempt, you need to put in hard work on these questions as they cover all updated  CompTIA PT0-002 exam topics included in the official syllabus. Besides studying actual questions, you should take the  CompTIA PT0-002 practice test for self-assessment and actual exam simulation. Revise actual exam questions and remove your mistakes with the CompTIA PenTest+ Certification Exam PT0-002 exam practice test. Online and Windows-based formats of the PT0-002 exam practice test are available for self-assessment.