I just passed the Pentest+ PT0-002 exam on January 6, 2023. I had taken and failed the PT0-001 when the certification was first introduced three years ago. Of the four CompTIA cybersecurity certifications, Sec+, CySA+, Pentest+, and CASP+, this exam is the hardest of the four, or at least the second hardest. CASP+ does have the dreaded and difficult Linux Forensic Simulation. Pentest+ does not, gratefully. Pentest+ is definitely harder than CEH v11, which I took recently in 2022. It rivals the CISSP in difficulty, but the viewpoint of the Pentest+ is definitely from a cybersecurity admin, analyst, technician, red-teamer, or pen-tester. This is a very technical exam.
Many of the questions require you to be able to read a piece of code or script and know what it is doing. I cannot emphasize this strongly enough: you need to know the fundamentals of using BASH, HTML, PowerShell, PHP, Python, and Ruby. You need to be able to recognize which of these languages was used to create the code sample or script used in the exam question. Set up a Kali Linux computer or virtual machine, and get very familiar with the included applications. The other area you must have a firm grasp on is knowing which hacking tools and applications to use for given tasks or situations. You must know Nmap inside and out. Your best bet is to spend as many hours as you can working in lab environments like TryHackMe, which actually has a Pentest+ path.
The PT0-002 starts off with four very challenging Performance Based Questions.
Again, my recommendation is to read through the questions first, to engage your subconscious mind in the process of solving these questions, but do all the multiple-choice questions first, then return to the PBQs at the end.
PBQ 1 – Nmap output
The first PBQ showed me an output screen from an Nmap scan. There were two parts to this question. The first required that I recreate the scanner commands that created the shown output, using a bunch of drag-and-drop commands. To pass this part you do need to know your Nmap commands and what they do. The second part is identifying vulnerabilities or exploits that would work against this target.
Here is a list of Nmap commands to learn for this question and for many of the multiple-choice exam questions.
-A aggressive scanning
Pinging – the capital P in a command indicates some type of ping sweep useful for device enumeration
-PA TCP ACK ping
-PU UDP ping
-PR ARP ping (local network only)
-PS TCP SYN ping
-PE ICMP echo ping
-PP ICMP timestamp ping
-PM ICMP address mask ping
Scanning – the lower case s in a command indicates some sort of port scanning
-sC run the default Nmap Scripting Engine (NSE) scripts for extra discovery
-sI idle scan
-sF FIN scan
-sM Maimon scan (FIN/ACK)
-sn ping scan only (host discovery, no port scanning)
-sN null scan (no flags set)
-sS SYN (half-open) stealth scan; the handshake is never completed, so it is less likely to show up in application logs
-sU UDP scan
-sT TCP connect (full-open) scan; completes the handshake on each port, leaves tracks in logs
-sX Xmas or inverse TCP flag scan; sets the FIN, PSH, and URG flags
-O <target> operating system detection
-6 -O <target> OS detection over IPv6 (IPv6 fingerprinting)
Output – the lower case o in a command selects the output format
-oG output in greppable format
-oX output in XML format
-oN output in normal format
Scripts – the --script option runs Nmap Scripting Engine (NSE) scripts, for example:
--script smb-os-discovery (port 445) OS, machine name, domain name, NetBIOS name, workgroup, system time
--script enip-info (port 44818) EtherNet/IP device type, vendor ID, serial number, IP address
--script netbus-info (port 12345) connects to a NetBus server and reports applications, user ID, password, email address
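Since PBQ 1 is about reading scan output and working back to the command that produced it, here is an added example (my own code, not part of the original post or of Nmap) that parses Nmap's greppable output, the format the -oG flag writes, pulls out the command line Nmap records in its header comment, and lists the open ports per host. The scan text embedded below is constructed for the example, not output from a real scan.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample of Nmap greppable (-oG) output; not from a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Fri Jan  6 10:00:00 2023 as: nmap -sS -sV -O -oG scan.gnmap 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, "
    "443/closed/tcp//https///\tIgnored State: filtered (997)\tOS: Linux 5.4 - 5.15\n"
    "# Nmap done at Fri Jan  6 10:00:04 2023 -- 1 IP address (1 host up) scanned\n"
)
# One Ports entry is port/state/protocol/owner/service/rpc/version/ (owner and rpc skipped)
Port = namedtuple("Port", "number state protocol service version")
@dataclass
class HostResult:
    address: str
    status: str = "unknown"
    os: str = ""
    ports: list = field(default_factory=list)

def scan_command(gnmap: str) -> str:
    """Return the command line Nmap recorded in its header comment ("" if absent)."""
    m = re.search(r"^# Nmap .* as: (.+)$", gnmap, re.MULTILINE)
    return m.group(1).strip() if m else ""

def parse_gnmap(gnmap: str) -> dict:
    """Parse greppable output into {address: HostResult}; Host-line fields are tab-separated."""
    hosts = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        address = fields["Host"].split()[0]
        host = hosts.setdefault(address, HostResult(address))
        host.status = fields.get("Status", host.status)
        host.os = fields.get("OS", host.os)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            p = entry.split("/")
            host.ports.append(Port(int(p[0]), p[1], p[2], p[4], p[6]))
    return hosts

def open_ports(gnmap: str) -> dict:
    """Map each host to its open port numbers, e.g. {'10.0.0.5': [22, 80]}."""
    return {a: [p.number for p in h.ports if p.state == "open"]
            for a, h in parse_gnmap(gnmap).items()}
```

Feeding a real .gnmap file to parse_gnmap gives the same structure, and scan_command shows exactly which flags (here -sS, -sV, -O) produced it.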
PBQ 2 – Complete a script
The second PBQ shows a partially completed script. You will need to complete the missing parts from a drag-and-drop list. You need to distinguish the scripting language being used in order to select the correct code snippets from the list. For this one you need to know the differences between BASH, PowerShell, Python, and Ruby. This one might be the easiest of the bunch, but only if you can identify scripting languages and components.
PBQ 3 – Attack a remote subnet
You have compromised a server with access to a remote subnet. You would like to connect to that subnet. This is an exercise where you need to choose commands to set up a reverse shell and listener, I believe. Those of you who have seen this question, feel free to add your comments, as I think this could use more information.
PBQ 4 – Malicious HTTP Commands
You are part of a pen-testing team that has discovered a long list (12-15 items) of malicious HTTP code, commands, and attacks. This is a two-part question, don’t forget the second part. Looking at the code samples, you have to identify the type of attack or vulnerability from one drop-down list, and choose the correct remediation from the second drop-down list. Knowing some HTTP code and web-based exploits is essential for this question.