Overview
Domain 3 of the CompTIA PenTest+ (PT0-002) exam focuses on identifying, researching, and executing network, wireless, application, and cloud-based attacks. It also covers post-exploitation and physical/social engineering techniques. Mastering this domain is crucial for hands-on penetration testing roles. For foundational concepts, review our Security+ Network Security guide.
3.1 Network Attacks
Network attacks involve exploiting weaknesses in network configurations, services, or protocols to gain unauthorized access or disrupt services. Testers must understand common vectors and tools used to simulate real-world attacks. See also: Network Security Fundamentals.
⚙️ Tools
- Metasploit – A framework for developing and executing exploits.
- Nmap – Port scanner for network discovery and security auditing.
- Netcat – Utility for debugging and investigating the network.
- Wireshark – Network protocol analyzer for traffic inspection.
🛠 Techniques
- ARP Poisoning, DNS Cache Poisoning, VLAN Hopping
- Password attacks: spraying, brute force, hash cracking, dictionary
- Kerberoasting and NTLM relay attacks
- Exploitation chaining for complex attack paths
- LLMNR/NBT-NS Spoofing to capture credentials on local networks
- Man-in-the-Middle (MITM) attacks using session hijacking
External Resources: MITRE ATT&CK Framework | Metasploit Unleashed
3.2 Wireless Attacks
Wireless attacks target flaws in Wi-Fi protocols, encryption, or user behavior. These attacks can range from passive eavesdropping to active impersonation of access points and clients. Learn more about wireless security in our Network Security guide.
⚙️ Tools
- Aircrack-ng – Toolkit for monitoring, attacking, and cracking wireless traffic.
- Amplified antenna – Enhances range for sniffing or attacking wireless signals.
- Wifite – Automated wireless attack tool.
🛠 Techniques
- Eavesdropping, deauthentication, handshake capture
- Evil twin and rogue access point creation
- Bluetooth attacks: Bluejacking, Bluesnarfing, BLE attacks
- RFID cloning, NFC-based amplification attacks
- Exploitation of WPS using PIN brute-forcing
External Resources: Wi-Fi Alliance Security | SANS Wireless Pentesting
3.3 Application-Based Attacks
Application attacks target vulnerabilities in web applications, APIs, and software. These are among the most common attack vectors in modern penetration testing. See Application Security fundamentals for background.
⚙️ Tools
- Burp Suite – Web application security testing platform.
- OWASP ZAP – Free web app security scanner.
- SQLMap – Automated SQL injection tool.
- Nikto – Web server vulnerability scanner.
🛠 Techniques
- Cross-Site Scripting (XSS) – Reflected, Stored, DOM-based
- SQL Injection – Classic, Blind, Time-based
- CSRF (Cross-Site Request Forgery), SSRF (Server-Side Request Forgery)
- Directory traversal, File inclusion (LFI/RFI), XXE (XML External Entity)
- Command injection, LDAP injection, Template injection
- Insecure deserialization, Race conditions
External Resources: OWASP Top 10 | PortSwigger Web Security Academy
3.4 Cloud-Based Attacks
Cloud environments introduce unique attack surfaces including misconfigurations, insecure APIs, and identity/access management flaws. Review Cloud Architecture security for foundational concepts.
⚙️ Tools
- Pacu – AWS exploitation framework.
- ScoutSuite – Multi-cloud security auditing tool.
- CloudBrute – Cloud enumeration tool for AWS, Azure, GCP.
🛠 Techniques
- Misconfigured storage: Public S3 buckets, Azure Blob storage
- IAM privilege escalation and role assumption attacks
- Metadata service exploitation (IMDS attacks)
- Container escape and Kubernetes misconfigurations
- API key exposure and credential harvesting
- Serverless function injection and Lambda abuse
External Resources: Cloud Security Alliance | AWS Security Best Practices
3.5 Post-Exploitation Techniques
Post-exploitation occurs after initial access is gained, focusing on maintaining access, escalating privileges, and achieving mission objectives. See Incident Response to understand defender perspective.
⚙️ Tools
- Mimikatz – Credential extraction tool for Windows.
- Cobalt Strike – Adversary simulation and red team framework.
- BloodHound – Active Directory attack path mapping.
- PowerShell Empire – Post-exploitation agent framework.
🛠 Techniques
- Privilege escalation: Vertical and horizontal movement
- Credential harvesting: Password dumps, token impersonation
- Persistence mechanisms: Backdoors, scheduled tasks, registry modifications
- Lateral movement: PsExec, WMI, PowerShell remoting
- Data exfiltration: DNS tunneling, ICMP tunneling, encrypted channels
- Covering tracks: Log deletion, timestamp manipulation, process hiding
External Resources: MITRE ATT&CK: Privilege Escalation | Payloads All The Things
3.6 Social Engineering & Physical Attacks
Social engineering exploits human psychology rather than technical vulnerabilities. Physical attacks target on-premises security controls. Both are critical components of comprehensive penetration testing.
⚙️ Tools & Techniques
- Phishing campaigns: GoPhish, Social-Engineer Toolkit (SET)
- Pretexting: Creating false scenarios to extract information
- Vishing & Smishing: Voice and SMS phishing
- Physical access: Tailgating, badge cloning, lock picking
- USB drop attacks: Rubber Ducky, BadUSB exploits
- Dumpster diving and OSINT reconnaissance
🎯 Common Social Engineering Vectors
- Email-based attacks: Spear phishing, whaling, business email compromise (BEC)
- Authority exploitation: Impersonating IT support, executives, vendors
- Urgency and scarcity tactics to bypass rational thinking
- Watering hole attacks targeting specific user groups or organizations
- Insider threats and disgruntled employee exploitation
External Resources: Social-Engineer.org | MITRE: Phishing for Information
📚 Study Tips & Resources
Practice Environments: Set up your own lab using HackTheBox, TryHackMe, or VulnHub.
Related Study Guides: Review Security+ objectives and CySA+ security operations for complementary knowledge.
Official Resources: CompTIA PenTest+ Exam Objectives (PT0-002)