These study notes are provided for students of the CompTIA Pentest+ exam. If you notice any problems with the notes, please let me know via email (joseph@ripplesoftware.ca). The notes cover the following topics: General Pentesting, Engagement Scoping, Information Gathering, Vulnerability Scanning, Exploitation Process, Pentest Tools, Exploit Specifics, Post Exploit, and Communication Processes.
If you are studying for CompTIA Security+, you are welcome to download and use the following notes, which I built while studying for the exam. If you notice any problems with the notes, please let me know!
Introduction On July 10th, Apple released a “Rapid Security Response” to fix a code execution flaw in the WebKit browser component found in iOS, iPadOS, and macOS Ventura. Although this update was pulled back, the subsequent remediation was released in quick succession on July 12th. Apple has long held a reputation as a leader in user privacy and security. Their commitment to protecting user data and maintaining robust defense mechanisms against cyber threats has made the tech giant synonymous with trust and reliability in an era of rapid digitization. After the release of their new VR wearable “Vision Pro”, Apple has also promised they won’t share eye focus movement due to security risks, marking another instance where Apple seems dedicated to their users’ security. Admittedly, Apple’s products often carry a premium price tag, reflecting the advanced security and privacy features they offer. Yet, in the increasingly hostile…
Introduction What is a DoS attack? Do they have the potential to impact our organization negatively? If so, to what degree do we need to worry about DoS attacks, and how can an organization prevent or mitigate their impact? This pillar article is designed to equip you with a core understanding of what DoS attacks are, the motives of the adversaries that launch them, and strategies for defending an organization against this increasingly common threat to IT security. The “CIA Triad” stands for Confidentiality, Integrity, and Availability, the fundamental principles of information security that need to be protected. DoS attacks primarily disrupt the Availability of IT services – that is, they prevent IT systems and services from functioning properly, causing downtime. This can result in financial losses, negatively impact an organization’s operations and reputation, impose legal and regulatory liabilities, and cause data loss, reduced productivity, or loss of competitive…
Why is user awareness training important for IT security? Phishing operations represent 41% of cyber breach incidents according to the IBM X-Force report. Deloitte estimates phishing to be the initial attack vector in 91% of cyber breaches. These estimates put phishing at the forefront of the corporate attack surface because they identify phishing as the most successful method used by attackers to compromise a system and gain initial access to a victim’s network. In response, organizations need to increase their resilience against phishing and other types of social engineering attacks. By testing their staff’s ability to effectively identify phishing attempts and malspam, and by providing educational material, an organization can identify potential weaknesses and reduce the chance that an employee will fall prey to an attack. Of course, secondary cybersecurity measures should be in place to detect and respond to a successful phishing attack; still, user awareness training is a good practice…
@0x0SojalSec tweeted out a pure genius one-liner for automated SQL injection pentesting, and while it was mind-blowing, it is also useful to dissect it into its various elements. Along the way we can learn some great tools for command line penetration testing! Check out the original tweet or the image below: This is a great example of how automated toolkits can do a lot of work without costing a lot of time. So, let’s dissect the command and learn 5 great command line tools from @0x0SojalSec’s sorcery that will certainly prove useful on a pen-testing engagement. #1 – subfinder Subfinder is a command line tool from ProjectDiscovery.io that accepts a top-level domain and will return a set of subdomains from historical DNS records. Whenever relying on historical DNS records, the output is only as good as the service’s repository of historical data, but ProjectDiscovery’s service is top notch. …
Nessus is an enterprise vulnerability scanner that can perform external and internal credentialed scans and can support a continuous vulnerability management program. Nessus favors ease of use over granular control of scanning, which allows quick and efficient scan configuration. Nessus comes with many pre-configured scans for PCI-DSS compliance, OVAL, and SCAP scanning, and many scans for novel threats such as Solarigate, CISA threat advisories, Log4Shell, ransomware attacks, and more. Watch the video below to get the full scoop on how Nessus can support enterprise vulnerability management.
What is Snyk? It’s classified as an SCA (software composition analysis) security tool, meaning it scans your source code for use of functions, libraries, and packages with known vulnerabilities, and it can also scan entire Docker images, cloud servers, and IaC (Infrastructure as Code) deployments for vulnerabilities. Watch the video below for a summary and demo of how Snyk can contribute to your DevSecOps program.
From the defender’s perspective, ransomware is the biggest threat in the modern cybersecurity landscape. From a criminal perspective, it’s a highly lucrative form of cybercrime, and perpetrators face only negligible chances of being prosecuted, with fewer than 20 arrests reported in 2020 [1]. The highest amount of ransom ever paid by a single company for a single incident is $40 million US dollars [2][3]; however, the cost of a ransomware attack is not limited to ransom payments. Companies can incur millions more in remediation costs, service downtime, legal settlements, and higher insurance premiums, and can potentially suffer long-term deleterious effects to their brand reputation [4]. One report estimates that 74% of ransomware payments go to Russian-backed groups: more than $400 million USD in 2021 [5]. Another report from blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020 [6][7]. Not all ransomware strains…
In an MSNBC interview posted to YouTube on February 24th, 2022, approximately 24 hours after the initial invasion of Ukraine by Russian military forces, Leon Panetta, former US Secretary of Defense and former head of the CIA, was asked whether now is a good time for the US to use offensive cyber-war against Russia. Rather than address the question directly, Panetta addressed the greater context of the invasion for Ukrainian national security. The question is worth addressing, though. So, is now a good time for counter forces to launch a cyber offensive? Is now the time for offensive cyber-attack? It Depends. That is the short and true answer. Here comes the why. Probably the most effective use of cyber weapons in warfare is when they are purposed for gathering information, aka spying. The most advanced forms of cyber weapons (known as advanced persistent threats, or APT for short) are…
We Have All Heard This Story Before It’s no doubt that ransomware is the biggest threat in the modern cybersecurity landscape. The highest amount of ransom ever paid by a single company for a single incident is $40 million US dollars. Companies can incur millions more in remediation costs, service downtime, legal settlements, and higher insurance premiums, and can potentially suffer long-term deleterious effects to their brand reputation. Blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020. Defenders have all been hearing this story for years, and know how to secure against ransomware, right? The most common initial access vector is phishing, so staff training sessions on how to spot a deceptive URL are required to keep the bad guys out. Install endpoint security products and keep them updated, and of course keep bulletproof backups, right? Well, yes and no….
What Is “Fake Ransomware”? The term “fake ransomware” might conjure up some feelings of relief. After all, if the ransomware is fake, then it must not have encrypted any files, right? However, the term has been used to refer to a few different variants of a true ransomware attack. Firstly, it has been used to describe ransomware that does not encrypt files but instead attempts to trick the victim into thinking their files are encrypted while demanding a payment to recover them. Secondly, the term has also been used to refer to ransomware that does in fact encrypt your files but does not provide a decryption key if the ransom is paid. This is much more nefarious and destructive than the first type; a real sucker punch. And most recently, the term has been used to refer to a case where ransomware was deployed by a company against itself to cover up…