Part of Logical Learning

CompTIA PenTest+ — Ethical Hacking Lab

A Logical Learning module: penetration testing methodology, Cornell note outlines, and a hands-on Nmap reconnaissance lab aligned with PenTest+ (PT0-002) exam objectives.

What Is Penetration Testing?

Penetration testing — commonly known as pentesting — is the authorized simulation of cyberattacks against computer systems to evaluate their security posture. The practice is governed by established methodologies including the Penetration Testing Execution Standard (PTES), which defines seven phases from pre-engagement interactions through exploitation and reporting (PTES, 2014). The National Institute of Standards and Technology's Special Publication 800-115 provides technical guidance for information security testing and assessment, emphasizing that penetration testing should be part of a comprehensive security assessment program (NIST, 2008). CompTIA's PenTest+ certification validates the skills required to plan and scope engagements, conduct passive and active reconnaissance, perform vulnerability analysis, execute attacks, and communicate findings — making it the industry-recognized credential for intermediate-level penetration testers (CompTIA, 2025).

The PenTest+ (PT0-002) exam covers six domains: Engagement Management (13%), Reconnaissance and Enumeration (21%), Vulnerability Discovery and Analysis (17%), Attacks and Exploits (21%), Post-Exploitation and Lateral Movement (13%), and Reporting and Communication (15%) (CompTIA, 2025). The OWASP Testing Guide provides complementary methodologies for web application security testing, while the Open Source Security Testing Methodology Manual (OSSTMM) offers a scientific methodology for operational security testing (OWASP, 2023; Herzog, 2010). Understanding these frameworks is essential for penetration testers who must operate within legal boundaries, maintain ethical standards, and produce actionable reports that drive remediation.

PenTest+ Cornell Note Outline

CompTIA PenTest+ (PT0-002) — Cornell Study Notes
Domain 1: Engagement Management 13%
Cue Questions
  • What is scope creep?
  • Rules of engagement?
  • Authorization forms?
Notes
Planning and scoping penetration test engagements. Defining rules of engagement, testing windows, and target selection. Legal and ethical compliance — ensuring authorization letters (written permission), mandatory reporting, and adherence to regulations. Collaboration with stakeholders through peer reviews, escalation paths, and risk articulation. Creating penetration test reports with executive summaries, findings, and remediation recommendations.
Summary

Engagement management establishes the legal, ethical, and logistical foundation for every penetration test.

Domain 2: Reconnaissance and Enumeration 21%
Cue Questions
  • Passive vs. active recon?
  • OSINT tools?
  • Nmap flags?
Notes
Passive reconnaissance — gathering information without directly interacting with the target (WHOIS, DNS records, social media, Shodan, Google dorking). Active reconnaissance — directly probing the target (port scanning with Nmap, service enumeration, banner grabbing). Network enumeration — identifying live hosts, open ports, running services, and operating systems. Tools: Nmap, Netcat, Recon-ng, theHarvester, Maltego, Amass.
Summary

Reconnaissance is tied with Attacks and Exploits as the largest exam domain (21%) — master OSINT techniques and Nmap scanning to build a complete target profile.

Domain 3: Vulnerability Discovery and Analysis 17%
Cue Questions
  • Nessus vs. OpenVAS?
  • CVE scoring?
  • False positives?
Notes
Vulnerability scanning using tools like Nessus, OpenVAS, and Nikto. Analyzing scan results to identify true vulnerabilities vs. false positives. CVSS (Common Vulnerability Scoring System) for risk prioritization. Web application vulnerability scanning — SQL injection, XSS, CSRF, directory traversal. Correlating vulnerabilities with exploit databases (Exploit-DB, CVE).
Summary

Vulnerability discovery bridges reconnaissance and exploitation — accurate analysis prevents wasted effort on false positives.

Domain 4: Attacks and Exploits 21%
Cue Questions
  • Metasploit modules?
  • Web app attacks?
  • Wireless attacks?
Notes
Network-based attacks — ARP poisoning, MITM, relay attacks, VLAN hopping. Web application attacks — SQL injection (SQLi), cross-site scripting (XSS), command injection, SSRF. Wireless attacks — WPA cracking (aircrack-ng), evil twin, deauthentication. Social engineering — phishing, pretexting, baiting. Cloud-based attacks — misconfigured S3 buckets, SSRF to metadata services. Tools: Metasploit, Burp Suite, SQLmap, Hydra, John the Ripper, Hashcat.
Summary

Attacks and Exploits shares the highest weighting (21%) with Reconnaissance — hands-on practice with Metasploit and Burp Suite is essential.

Domain 5: Post-Exploitation and Lateral Movement 13%
Cue Questions
  • Persistence mechanisms?
  • Privilege escalation?
  • Data exfiltration?
Notes
Establishing persistence — backdoors, scheduled tasks, registry modifications. Privilege escalation — local (kernel exploits, misconfigurations) and domain (Kerberoasting, Pass-the-Hash). Lateral movement — pivoting through networks using SSH tunneling, PsExec, RDP. Data exfiltration — identifying sensitive data, staging, and extraction methods. Cleanup — removing artifacts, restoring systems to pre-test state.
Summary

Post-exploitation demonstrates real-world impact — showing what an attacker could access after initial compromise.

Domain 6: Reporting and Communication 15%
Cue Questions
  • Executive summary?
  • Risk ratings?
  • Remediation timeline?
Notes
Report structure — executive summary (for leadership), technical findings (for IT teams), remediation recommendations. Risk rating methodology — critical, high, medium, low, informational. Evidence documentation — screenshots, command output, proof-of-concept. Communication during testing — escalation for critical findings, status updates. Post-engagement — debrief meetings, lessons learned, retest recommendations.
Summary

A penetration test is only as valuable as its report — clear communication turns technical findings into organizational action.

Live Lab — Nmap Reconnaissance

Lab 1: Nmap Network Reconnaissance

Objective: Perform host discovery and service enumeration against a target network to identify attack surfaces.

Prerequisites: Kali Linux VM and a target network you are authorized to test (the TryHackMe or HackTheBox free labs are recommended)

Step 1: Host Discovery
# Discover live hosts on the network
kali@kali:~$ nmap -sn 192.168.1.0/24

The -sn flag performs a ping sweep without port scanning, identifying which hosts are alive on the subnet.

Step 2: TCP SYN Scan (Stealth Scan)
# Scan top 1000 ports with SYN scan
kali@kali:~$ nmap -sS -T4 192.168.1.105

SYN scan (-sS) sends a SYN and answers any SYN/ACK with a RST instead of completing the TCP handshake, so no connection is ever established — faster than a full connect scan (-sT) and less likely to be logged by the listening application, although IDS and firewalls still see the half-open probes. Because it needs raw sockets, run Nmap as root or with sudo.

Step 3: Service Version Detection
# Enumerate services and versions on open ports
kali@kali:~$ nmap -sV -sC -p 22,80,443,3306 192.168.1.105

-sV probes open ports to determine service/version info. -sC runs default NSE scripts for additional enumeration.

Step 4: OS Detection
# Attempt OS fingerprinting
kali@kali:~$ nmap -O --osscan-guess 192.168.1.105

-O enables OS detection using TCP/IP stack fingerprinting (it also requires root privileges). --osscan-guess makes Nmap print its closest matches, with an accuracy percentage, when no fingerprint matches exactly.

Step 5: Full Output to File
# Save comprehensive scan results
kali@kali:~$ nmap -sS -sV -sC -O -oA pentest_scan 192.168.1.105

-oA writes the results in all three formats at once (pentest_scan.nmap normal, pentest_scan.xml XML, pentest_scan.gnmap grepable) for documentation and report generation.
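An added example, not part of the lab itself, that post-processes the pentest_scan.xml file Step 5 writes: it extracts the open ports, service versions and OS match (with Nmap's accuracy figure) that the lab questions and a report's technical findings section need. The XML embedded below is constructed to follow Nmap's output schema; it is not a real scan.

```python
# Added example: turn Nmap XML (-oX / -oA) into report-ready findings.
import xml.etree.ElementTree as ET

def parse_nmap_xml(xml_text):
    """Return one dict per host: address, open ports (service/version), OS matches."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"address": addr.get("addr") if addr is not None else None,
                 "ports": [], "os": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # the report only lists open ports; closed/filtered are skipped
            svc = port.find("service")
            version = ""
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entry["ports"].append({"port": int(port.get("portid")),
                                   "proto": port.get("protocol"),
                                   "service": svc.get("name") if svc is not None else "",
                                   "version": version})
        for match in host.findall("os/osmatch"):   # present only when -O was used
            entry["os"].append((match.get("name"), int(match.get("accuracy"))))
        hosts.append(entry)
    return hosts

def findings_table(hosts):
    """Render the rows a tester pastes into the technical findings section."""
    lines = []
    for h in hosts:
        best = max(h["os"], default=("unknown", 0), key=lambda m: m[1])
        lines.append(f"Host {h['address']}  OS: {best[0]} ({best[1]}% confidence)")
        for p in h["ports"]:
            lines.append(f"  {p['port']}/{p['proto']:<4} {p['service']:<8} {p['version']}")
    return "\n".join(lines)

# Constructed sample in the shape Nmap writes; the host, versions and OS are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -sC -O -oA pentest_scan 192.168.1.105">
<host><status state="up"/><address addr="192.168.1.105" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
</ports>
<os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/><osmatch name="Linux 4.15 - 5.8" accuracy="90"/></os>
</host></nmaprun>"""

if __name__ == "__main__":
    print(findings_table(parse_nmap_xml(SAMPLE_XML)))
```

Point it at the real file with `parse_nmap_xml(open("pentest_scan.xml").read())` after running Step 5.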

Lab Questions (Cornell-Style Cues)

  1. Which ports were open on the target? What services were running?
  2. What OS did Nmap detect? How confident was the fingerprint?
  3. Based on the services found, what potential attack vectors exist?
  4. How would you document these findings in a penetration test report?

Industry Leaders in Pentesting

Offensive Security

Creators of Kali Linux and the OSCP certification — the gold standard for hands-on penetration testing skills.

EC-Council

Home of the Certified Ethical Hacker (CEH) certification — one of the most recognized credentials in ethical hacking worldwide.

SANS Institute

Offers the GPEN certification and world-class cybersecurity training through immersive, expert-led courses.

TryHackMe

Beginner-friendly, gamified hands-on labs for learning penetration testing and cybersecurity fundamentals step by step.

HackTheBox

Advanced penetration testing labs and challenges for experienced practitioners seeking real-world exploitation scenarios.

APA 7 Reference List
