CompTIA PenTest+ Certification
Offered Live by CyberWarrior.
Unlock the core principles of pentesting and boost your career potential.
Explore PenTest+, an all-encompassing course designed to equip you with the expertise and competencies essential for proficient assessment planning and scoping. If you’re a cybersecurity professional eager to delve into the world of penetration testing and vulnerability management, this course is the perfect choice for you.
Upcoming dates:
- Nov 6, 2023 – Nov 16, 2023
Monday through Thursday, 5:30 pm – 9:30 pm EST
- Jan 16, 2024 – Jan 25, 2024
Monday through Thursday, 5:30 pm – 9:30 pm EST
What you will learn
- Planning and Scoping: Learn how to emphasize governance, risk, and compliance concepts while meeting organizational/customer requirements.
- Information Gathering and Vulnerability Scanning: Enhance your skills in vulnerability scanning, passive/active reconnaissance, and vulnerability management.
- Attacks and Exploits: Discover how to research social engineering techniques, perform network, wireless, and application-based attacks, as well as attacks on cloud technologies and post-exploitation techniques.
- Reporting and Communication: Understand the vital role of reporting and communication in a regulatory environment.
- Network Implementations: Gain insights into identifying scripts in various software deployments and analyzing code samples.
CyberWarrior Academy is a Certified CompTIA delivery Partner.
Course Content
Lesson 1: Scoping Organizational/Customer Requirements
Lesson 1 of CompTIA PenTest+ provides an overview of the course’s objectives and introduces key concepts related to organizational penetration testing. The lesson begins by defining organizational pen testing and emphasizes its role in assessing cyber health and resiliency while reducing overall risk.
Students are familiarized with the CompTIA process, acknowledge compliance requirements, and explore standards and methodologies associated with pen testing, such as PCI DSS, GDPR, and other privacy laws.
The lesson further highlights the importance of professionalism in the field, including conducting background checks of the team, maintaining confidentiality, and avoiding potential legal implications.
Lesson 2: Defining the Rules of Engagement
In Lesson 2 of CompTIA PenTest+, the focus is on introducing the objectives and key considerations for conducting a penetration testing engagement. The lesson starts by assessing environmental factors that may impact the scope of the project. This involves defining the project scope, identifying in-scope assets, and understanding any restrictions that need to be taken into account. The rules of engagement are outlined, providing specific details on how the penetration testing will be carried out, including the chosen type and strategy for the assessment. Validating the scope of the engagement is crucial to ensure that all relevant areas are covered.
Additionally, the lesson emphasizes the importance of preparing legal documents to protect both parties involved. This includes ensuring confidentiality and obtaining permission from the appropriate stakeholders before commencing the penetration testing.
Lesson 3: Footprinting and Gathering Intelligence
Lesson 3 of CompTIA Network+ covers the installation and configuration of switched networks, including hubs, bridges, switches, network topologies, and network types. It provides knowledge on setting up and managing these components effectively for efficient network operations.
Lesson 4: Evaluating Human and Physical Vulnerabilities
Lesson 4 of CompTIA PenTest+ covers social engineering, physical attacks, and tools used to launch social engineering attacks. Topics include phishing, pharming, and baiting the victim, exploiting physical security, and discovering the Social Engineering Toolkit (SET) to spoof a call. The lesson emphasizes the importance of understanding human psychology and the potential risks associated with social engineering attacks.
Lesson 5: Preparing the Vulnerability Scan
Lesson 5 of CompTIA PenTest+ introduces the concept of planning vulnerability scans as part of the penetration testing process. It covers the importance of understanding vulnerabilities and the lifecycle of a vulnerability.
The lesson teaches how to perform active reconnaissance and run scans effectively. Students learn to detect defense mechanisms like load balancers, firewalls, and antivirus software. Moreover, they are introduced to various scanning tools and their utilization in analyzing the attack surface, crafting packets, and evaluating web tools.
Overall, this lesson equips learners with essential skills and knowledge to efficiently conduct vulnerability scans during penetration testing engagements.
Lesson 6: Scanning Logical Vulnerabilities
Lesson 6 of CompTIA PenTest+ covers various topics related to network scanning and vulnerability assessment. The lesson begins with an introduction to scanning identified targets and recognizing the different types of scans. It then moves on to assessing vulnerable web applications and automating vulnerability scanning.
The next section of the lesson is focused on evaluating network traffic, including sniffing using Wireshark, scanning with Nessus, and gathering ARP traffic. Finally, the lesson concludes with an introduction to uncovering wireless assets, such as war driving open access points and amplifying the Wi-Fi signal.
Lesson 7: Analyzing Scanning Results
Lesson 7 of CompTIA PenTest+ introduces Nmap and NSE (Nmap Scripting Engine), focusing on network discovery and enumeration techniques. The lesson covers the fundamentals of Nmap, including scripting capabilities, and delves into the process of enumerating network hosts. Students learn how to detect intriguing hosts, fingerprint operating systems, and analyze output from scans. Moreover, the lesson explores examining network traffic, evaluating DNS and web logs, and uncovering vulnerable web servers.
By the end of this lesson, students gain essential skills in using Nmap as a powerful tool for conducting penetration testing, allowing them to identify potential vulnerabilities and weaknesses within target networks.
Lesson 8: Avoiding Detection and Covering Tracks
In Lesson 8 of CompTIA PenTest+, the focus is on evading detection and establishing covert channels. The lesson begins with the concept of flying under the radar and bypassing Network Access Control (NAC) measures. It covers techniques such as living off the land and covering tracks to avoid leaving traces of unauthorized activity.
Additionally, the lesson delves into tidying logs and entries and erasing or shredding evidence to hide the attacker’s actions. The next section introduces the use of steganography to hide and conceal data. It explains standard stego tools and alternate methods of masking, including synthesizing images.
Lastly, the lesson explores the establishment of covert channels, enabling remote access through methods like Secure Shell, Netcat, Ncat, WinRM, and PSExec, as well as the use of proxies to maintain anonymity.
Lesson 9: Exploiting the LAN and Cloud
Lesson 9 of CompTIA PenTest+ covers a wide range of topics related to network enumeration and attack techniques. The lesson starts by introducing the concept of enumerating hosts and indexing the network, followed by cataloging Windows and Linux systems. The lesson then covers attacking LAN protocols, including moving between VLANs, launching an on-path attack, and spoofing LAN protocols. Poisoning LLMNR and NBT-NS is also discussed as a way of obtaining the hash. The lesson also covers chaining exploits, comparing exploit tools, and testing with Metasploit.
The last part of the lesson focuses on cloud vulnerabilities, including configuring cloud assets, understanding storage vulnerabilities, and controlling identity and access management. The lesson concludes by exploring cloud-based attacks, including attacking the cloud, harvesting credentials, and denying service, as well as auditing the cloud.
Lesson 10: Testing Wireless Networks
In Lesson 10 of CompTIA PenTest+, the focus is on wireless attacks. The lesson begins with an introduction to different types of wireless attacks and how to secure wireless transmissions. The course then covers topics such as gathering signals, cracking passwords and PINs, and launching on-path or relay attacks. It also explores how to deceive clients with an evil twin. The lesson concludes with an introduction to wireless tools and techniques for attacking WLANs and recovering keys.
Lesson 11: Targeting Mobile Devices
Lesson 11 of CompTIA PenTest+ focuses on mobile device vulnerabilities and their recognition. The lesson begins with a discussion on comparing deployment models and identifying vulnerabilities in mobile devices. It delves into launching attacks on mobile devices, comparing various attack methods, and specifically explores hacking a Bluetooth signal. Additionally, the lesson provides insights into assessment tools for mobile devices, outlining a framework for evaluating and examining the code using Postman for thorough assessment and testing.
Lesson 12: Attacking Specialized Systems
In Lesson 12 of CompTIA PenTest+, students learn how to identify attacks on the Internet of Things (IoT), discover the IoT, outline vulnerabilities, and trigger an attack. They also learn how to recognize other vulnerable systems by understanding data storage systems, securing control systems, and identifying vulnerabilities. Finally, the lesson covers virtual machine vulnerabilities, outlining virtual environments, recognizing vulnerabilities, and attacking a virtual environment.
Lesson 13: Web Application-Based Attacks
In Lesson 13 of CompTIA PenTest+, the focus is on recognizing web vulnerabilities and understanding the OWASP Top 10, which highlights common web application security risks. The lesson covers several important topics, including exposing sensitive data, improper error handling, missing input validation, and code signing and verification. It delves into session attacks such as hijacking session credentials, crafting request forgery attacks, escalating privilege, and upgrading a non-interactive shell.
Additionally, the lesson explores exploiting business logic flaws and planning injection attacks, specifically identifying SQL injection vulnerabilities, traversing files using invalid input, injecting code, and executing XSS attacks. The use of various tools for these purposes is also discussed, including an overview of tools and exploiting a browser with BeEF.
Lesson 14: Performing System Hacking
Lesson 14 of CompTIA PenTest+ covers various topics related to system hacking and remote access tools. The lesson begins with an introduction to system hacking, followed by a discussion of running with .NET and .NET Framework. The lesson also covers managing Windows with PowerShell and discovering tools for system hacking. Next, the lesson introduces the use of remote access tools, including exploring with Netcat, monitoring with Ncat, and communicating within a secure shell. The lesson concludes with a discussion of analyzing exploit code and various techniques for downloading, launching, and exploiting programs to enumerate users and assets.
Lesson 15: Scripting and Software Development
Lesson 15 of CompTIA PenTest+ covers various scripting and coding methodologies used in penetration testing. The lesson starts with an introduction to analyzing scripts and code samples, followed by a discussion on automating tasks using scripting. The lesson then covers specific scripting languages such as Bash shell, PowerShell cmdlets, Python, Ruby, and Perl. Additionally, the lesson delves into the data structure types of Python, recognizing other data constructs, and defining object-oriented programming. The lesson concludes with a discussion on automating penetration testing by scanning ports, acquiring scripts and tools, and reviewing and breaking down scripts for better automation.
Lesson 16: Leveraging the Attack: Pivot and Penetrate
In Lesson 16 of CompTIA PenTest+, the focus is on testing credentials and moving throughout the system. The lesson covers topics such as upgrading a restrictive Linux shell, obtaining the hash, escalating privilege, gaining control in Windows, and escalating privileges in Linux.
It also explores creating a foothold, advanced persistent threats (APTs), bypassing restrictions, using backdoors and Trojans, employing reverse and bind shells, and comparing services and daemons. Finally, the lesson discusses scheduling tasks and maintaining persistence.
Lesson 17: Communicating During the PenTesting Process
Lesson 17 of CompTIA PenTest+ focuses on effective communication during penetration testing. The lesson begins by defining the communication path, emphasizing the importance of outlining this path to facilitate smooth interactions with clients and their counterparts. Students learn about establishing contacts and understanding their roles within the communication process. Communication triggers are introduced as essential events that prompt communication during the testing process. Providing situational awareness and recognizing criminal activity are highlighted to ensure effective response to potential security breaches. Moreover, students are taught to identify false positives to avoid unnecessary alarms.
In terms of reporting, the lesson emphasizes the use of built-in tools for generating reports, enabling testers to present their findings professionally. Students also learn how to share findings with the Dradis tool and build comprehensive reports with Nessus, enhancing their ability to communicate their penetration testing results effectively.
Lesson 18: Summarizing Report Components
Lesson 18 of CompTIA PenTest+ covers best practices for reporting the results of penetration testing. The lesson begins by discussing how to identify the audience for the report, including senior management, third-party stakeholders, technical staff, and developers. The report’s contents are then listed, including the executive summary, scope details, methodology, attack narrative, risk appetite, risk rating, business impact analysis, metrics and measures, remediation suggestions, and final report sections.
The lesson also covers best practices for storing and securing reports, taking notes, ongoing documentation during tests, grabbing screenshots, recognizing common themes and root causes, identifying vulnerabilities, providing observations, and summarizing writing and handling reports.
Lesson 19: Recommending Remediation
Lesson 19 of CompTIA PenTest+ covers various technical, administrative, and physical controls that can be employed to secure a system. The technical controls discussed include hardening the system, sanitizing user input, implementing multifactor authentication, encrypting passwords, remediating at the process-level, managing and applying patches, rotating keys, controlling certificate processes, providing secret solutions, and segmenting the network.
The administrative and operational controls include implementing policies and procedures, employing role-based access control, enforcing minimum password requirements, securing the development life cycle, managing organizational mobile devices, implementing people security controls, and outlining other operational considerations. Finally, physical controls such as controlling access to buildings, employing biometric controls, and utilizing video surveillance are also discussed.
Lesson 20: Performing Post-Report Delivery Activities
Lesson 20 of CompTIA PenTest+ covers post-engagement cleanup and follow-up actions. In the post-engagement cleanup section, the lesson discusses removing shells, deleting test credentials, eliminating tools, and destroying test data. In the follow-up actions section, the lesson covers gaining the client’s acceptance, confirming the findings, planning the retest, and reviewing lessons learned.
This lesson emphasizes the importance of properly closing out a penetration testing engagement to maintain the integrity of the process and ensure the client’s satisfaction.
Course Description
The CompTIA PenTest+ Certification Training is a comprehensive and hands-on course designed to equip aspiring cybersecurity professionals with the skills and knowledge needed to excel in the field of penetration testing. This course focuses on providing practical training to identify, exploit, and remediate vulnerabilities in systems, networks, and applications.
CertMaster Practice Included
This course offers access to both the CompTIA PenTest+ curriculum and labs, as well as the CompTIA PenTest+ CertMaster Practice, a personalized online tool for assessing your knowledge. It allows you to swiftly identify your strengths and areas for improvement through adaptive questioning and feedback.
Who This Course Is For
This comprehensive certification is designed for individuals seeking to excel in penetration testing and cybersecurity. Whether you are a seasoned IT professional aiming to enhance your skill set or an aspiring cybersecurity enthusiast eager to break into the industry, this course will equip you with the knowledge and hands-on experience needed to succeed.
Join Our Live Course and Get:
- 20 hours of interactive live classes, expertly led by seasoned cybersecurity professionals.
- Complete access to official study guides, practice tests, and hands-on labs to reinforce your learning.
- An exam voucher included for the prestigious CompTIA PenTest+ Certification.
- Full support from our dedicated team of instructors, teacher’s assistants, and academy staff, ensuring you have a smooth learning experience.
Invest in your future today!
Take the first step by choosing your desired starting date. Our upcoming dates enable you to start at CyberWarrior Academy:
- Nov 6, 2023 – Nov 16, 2023
Monday through Thursday, 5:30 pm – 9:30 pm EST
- Jan 16, 2024 – Jan 25, 2024
Monday through Thursday, 5:30 pm – 9:30 pm EST
Get certified in PenTest+ with our in-depth course and unlock a world of career opportunities!
Suggested Pre-Course Knowledge:
- Familiarity with fundamental networking principles such as IP addressing, subnetting, routing, and TCP/IP protocols.
- Prior knowledge of cybersecurity fundamentals, including common threats, attack vectors, and defense mechanisms.
- Proficiency in popular operating systems like Windows, Linux, and macOS.
- An understanding of scripting languages like Python or Bash and basic programming concepts.
- Familiarity with web technologies like HTML, CSS, and JavaScript.
- Knowledge of IT infrastructure components, such as servers, databases, and cloud services.
- A grasp of ethical hacking principles, including legal and ethical considerations.