VLAN hopping is a Layer 2 network attack vector critical to the CompTIA PenTest+ curriculum regarding network infrastructure exploits. It involves an attacker manipulating 802.1Q tagging to bypass network segmentation and access traffic on Virtual Local Area Networks (VLANs) to which they are not authorized. This allows the attacker to reach restricted subnets, servers, or endpoints that should be logically isolated. There are two primary mechanisms for executing this attack: Switch Spoofing and Double Tagging.

Switch Spoofing exploits the Dynamic Trunking Protocol (DTP). Many switches are configured by default to automatically negotiate trunk links. An attacker connects a device to a switch port and masquerades as a switch by sending DTP frames. If successful, the connection establishes a trunk link, granting the attacker access to all VLANs traversing that trunk. Remediation requires disabling DTP on all user-facing ports and statically configuring them as access ports.

Double Tagging exploits the way switches process the Native VLAN. The attacker crafts a packet with two VLAN tags: an outer tag matching the port's Native VLAN and an inner tag for the target victim VLAN. The first switch sees the Native VLAN tag, strips it (as per protocol), and forwards the packet. The next switch sees the remaining inner tag and forwards the traffic to the restricted target VLAN. While Double Tagging works even if DTP is disabled, it is generally a unidirectional attack—traffic flows to the target but cannot easily return to the attacker—making it useful for Denial of Service (DoS) or blind attacks rather than interactive shells. Mitigation involves ensuring the Native VLAN is an unused ID distinct from any user data VLANs.

In the context of the CompTIA PenTest+ certification, an On-path attack—formerly and commonly referred to as a Man-in-the-Middle (MITM) attack—is a critical exploit where an attacker secretly positions themselves between two communicating parties. The objective is to intercept, relay, and potentially alter the data flowing between a client and a server without either party suspecting interference. This attack vector severely compromises both the confidentiality and integrity of network traffic.

To successfully execute an On-path attack during an engagement, a penetration tester must first manipulate network protocols to redirect traffic through their control. On local networks (Layer 2), ARP Poisoning is the predominant technique. By flooding the network with forged ARP messages, the attacker links their MAC address with the IP address of a legitimate gateway, forcing victim traffic to route through the attacker’s machine. In wireless environments, an Evil Twin attack serves a similar purpose by mimicking a legitimate access point.

Once the attacker creates this bridge, they can employ tools such as Ettercap, Bettercap, Responder, or mitmproxy. These tools allow for passive sniffing to harvest credentials or active manipulation to inject malicious code. A specific, high-value technique is SSL Stripping, which forces a victim's browser to downgrade from a secure HTTPS connection to unencrypted HTTP, rendering encryption useless and exposing sensitive data like passwords and session tokens in cleartext.

For the PenTest+ exam, understanding remediation is just as vital as execution. Defenses include enforcing strict encryption standards like TLS 1.3 and utilizing HTTP Strict Transport Security (HSTS) to prevent protocol downgrades. Network-level defenses involve implementing Dynamic ARP Inspection (DAI) on switches and using Virtual Private Networks (VPNs) to tunnel traffic securely, preventing local attackers from deciphering the intercepted data streams.

Address Resolution Protocol (ARP) resolves IP addresses to Media Access Control (MAC) addresses on a local network. ARP Spoofing, also known as ARP Poisoning, is a specific On-Path (Man-in-the-Middle) attack where a malicious actor broadcasts falsified ARP messages over a Local Area Network (LAN).

The vulnerability stems from ARP being a stateless protocol; devices implicitly trust ARP replies even if they never sent a request. In a CompTIA PenTest+ scenario, an attacker typically uses tools like Ettercap, Bettercap, or Arpspoof to flood the network with "gratuitous ARP" packets. These packets falsely claim that the attacker's MAC address is associated with the IP address of a legitimate target, most commonly the default gateway.

Once the victim's ARP cache is "poisoned" with this forged entry, all traffic intended for the internet is routed through the attacker's machine at Layer 2. This allows the attacker to intercept sensitive data (credential harvesting), modify traffic in transit, or drop packets to cause a Denial of Service (DoS). Because this happens on the local link, it bypasses standard switch traffic isolation.

To identify this vulnerability during an engagement, a pentester analyzes network traffic using protocol analyzers like Wireshark, looking for duplicate MAC addresses mapped to different IPs or excessive ARP replies. Remediation strategies often involve implementing Dynamic ARP Inspection (DAI) on network switches or using static ARP entries for critical infrastructure.

DNS poisoning, often synonymous with DNS cache poisoning, is a pivotal concept within the "Attacks and Exploits" domain of the CompTIA PenTest+ certification. Fundamentally, this attack compromises the integrity of the Domain Name System (DNS) resolution process to redirect legitimate user traffic to malicious destinations controlled by the attacker.

The mechanism exploits the lack of authentication in traditional DNS queries. When a recursive DNS server receives a client request for a domain (e.g., example.com) and does not possess the record in its cache, it forwards the query to an upstream authoritative server. In a poisoning attack, the threat actor floods the recursive server with forged responses containing a malicious IP address. If the attacker's spoofed response matches the transaction ID and arrives before the legitimate response from the authoritative server, the DNS server accepts the fake record. This corrupted mapping is then stored (cached) for a specific Time-to-Live (TTL).

The impact of a successful poisoning attack is severe. Users attempting to access a legitimate site are silently routed to the attacker's server. This facilitates Man-in-the-Middle (MitM) attacks, allowing the penetration tester (or adversary) to harvest credentials via phishing pages that perfectly mimic the original site or deliver malware via drive-by downloads.

In the context of PenTest+, testers utilize tools like Ettercap, Bettercap, or Responder to demonstrate these vulnerabilities on local networks. Testers also examine local DNS poisoning, which involves modifying a compromised machine's `hosts` file. To remediate these vulnerabilities, the CompTIA curriculum emphasizes the implementation of DNSSEC (DNS Security Extensions), which adds cryptographic signatures to DNS records to verify their authenticity and integrity, alongside patching DNS software to prevent port prediction.

Service exploitation refers to the act of compromising a target system by taking advantage of vulnerabilities found in running applications, protocols, or daemons (services) listening on open ports. In the context of CompTIA PenTest+, this is a critical phase following reconnaissance and vulnerability scanning.

The process typically begins with enumeration, where a tester uses tools like Nmap to identify open ports and determine the specific version of the software running (e.g., vsftpd 2.3.4, SMBv1, or Apache Struts). Once the service and version are identified, the tester consults databases like CVE (Common Vulnerabilities and Exposures) or Exploit-DB to find known vulnerabilities associated with that specific version.

Common exploitation techniques include buffer overflows, where the attacker sends more data than the service's memory buffer can handle to overwrite execution pointers, and command injection, which tricks the service into executing operating system commands. A prominent example is the EternalBlue exploit, which targets vulnerabilities in the Windows SMB file-sharing protocol to execute arbitrary code remotely.

Successful service exploitation often results in Remote Code Execution (RCE), granting the attacker a shell on the machine. The impact depends heavily on the privileges associated with the exploited service; if a service runs as 'root' or 'SYSTEM,' the attacker gains total control immediately. If the service runs with low privileges, the attacker must then attempt privilege escalation. Mitigation strategies emphasized in PenTest+ include patch management, disabling unnecessary services, and applying the principle of least privilege.

Network protocol attacks exploit vulnerabilities and design flaws in the standard rules (protocols) that govern data exchange across networks. In the context of CompTIA PenTest+, particularly within Domain 3 (Attacks and Exploits), these attacks rely on the fact that many foundational protocols—such as ARP, DNS, DHCP, and IP—were designed for functionality and trust rather than security. Consequently, they often lack built-in authentication or encryption mechanisms.

A classic example is ARP Poisoning. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses but verifies neither the request nor the response. Attackers can broadcast spoofed ARP messages to associate their MAC address with the IP address of a legitimate target, such as a default gateway. This enables a Man-in-the-Middle (MitM) or On-Path attack, allowing the attacker to intercept, modify, or stop traffic.

Similarly, attackers utilize DNS Spoofing or Cache Poisoning to corrupt the resolution of domain names, redirecting traffic from legitimate sites to malicious servers. Testers also frequently exploit Link-Local Multicast Name Resolution (LLMNR) and NetBIOS (NBT-NS) via tools like Responder. When a DNS lookup fails, Windows systems broadcast requests via these protocols; attackers answer these broadcasts to capture user NTLM hashes.

From a penetration testing perspective, successful execution of these attacks demonstrates critical risks to confidentiality and integrity. To mitigate these threats, pentesters recommend implementing defenses such as Dynamic ARP Inspection (DAI), DHCP snooping, DNSSEC, and disabling unnecessary legacy protocols to harden the network layer against manipulation.

Wireless network attacks constitute a critical segment of the CompTIA PenTest+ Attacks and Exploits domain, primarily focusing on exploiting the inherent vulnerabilities of radio frequency communication and authentication protocols. Because wireless signals are broadcasted, attackers can intercept data without physical network access, utilizing Wi-Fi adapters in 'monitor mode' to capture packets passively.

A dominant attack vector targets the WPA/WPA2 handshake. Pentesters frequently use **Deauthentication attacks**, sending spoofed management frames to forcibly disconnect a legitimate client. When the device attempts to reconnect, the attacker captures the **4-way handshake**. This captured handshake is then subjected to offline dictionary or brute-force attacks using tools like Aircrack-ng or Hashcat to recover the pre-shared key (PSK). Legacy vulnerabilities, such as Initialization Vector (IV) attacks against WEP, are also covered conceptually.

Attackers also exploit infrastructure via **Evil Twin** attacks, where a rogue Access Point (AP) broadcasts the same SSID as a legitimate network. By overpowering the legitimate signal, the attacker tricks victims into connecting to the malicious node, facilitating Man-in-the-Middle (MitM) attacks to harvest credentials or manipulate traffic. Furthermore, vulnerabilities in **Wi-Fi Protected Setup (WPS)** allow attackers to recover network passwords rapidly via PIN brute-forcing or Pixie Dust attacks.

The domain extends beyond Wi-Fi to include Bluetooth and RFID. **Bluejacking** involves sending unsolicited messages, while **Bluesnarfing** allows for the unauthorized theft of data from a device. Pentesters must also understand **RFID/NFC cloning** attacks, where proximity cards used for physical building access are copied or replayed using tools like the Proxmark3. Effective defense relies on implementing WPA3, using Enterprise authentication (802.1X), and disabling insecure convenience features like WPS.

In the context of CompTIA PenTest+, Bluetooth attacks target vulnerabilities in the IEEE 802.15.1 protocol (Classic Bluetooth) and Bluetooth Low Energy (BLE). The assessment methodology typically moves from reconnaissance to exploitation using Linux-based tools like 'hcitool', 'hciconfig', 'l2ping', and 'btscanner'.

Initial reconnaissance involves discovery. Testers scan for devices in 'discoverable' mode to obtain the unique 48-bit BD_ADDR. Even if a device is set to non-discoverable, attackers can deduce the MAC address through traffic sniffing or brute-forcing.

Three legacy but critical attacks define the syllabus:
1. Bluejacking: An annoyance or social engineering attack where unsolicited messages (often vCards) are sent to a device. It does not involve data theft but can be a vector for phishing.
2. Bluesnarfing: A confidentiality attack involving unauthorized data exfiltration. Attackers exploit the Object Exchange (OBEX) protocol to steal contacts, emails, and text messages without the user's knowledge.
3. Bluebugging: The most severe attack, granting the attacker total control. By establishing a backdoor, the attacker can listen to phone calls, forward calls, and send messages, effectively turning the device into a bug.

Modern testing also focuses on BLE attacks, such as 'BlueBorne'—an airborne attack vector requiring no pairing or discoverability to trigger buffer overflows—and 'Bleedingbit', which targets chipsets in enterprise access points. Additionally, BLE spoofing and jamming are common techniques to disrupt IoT devices. Mitigation strategies emphasized in PenTest+ include disabling Bluetooth when unused, rejecting unknown pairing requests, and enforcing Secure Simple Pairing (SSP) rather than legacy PINs.

In the context of CompTIA PenTest+, LLMNR/NBT-NS poisoning is a prevalent Man-in-the-Middle (MITM) attack technique utilized during the exploitation phase to capture credentials or gain unauthorized access. Windows environments rely on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) as fallback protocols when standard DNS resolution fails. This usually happens when a user mistypes a server address (e.g., entering '\\printers' instead of '\\printer') or requests a host that does not exist in the DNS records.

Unlike DNS, which queries a specific authoritative server, these fallback protocols broadcast requests to the entire local subnet, effectively asking every machine if they are the requested host. The vulnerability lies in the fact that these protocols inherently trust any response.

Using tools like Responder or Inveigh, a penetration tester listens for these broadcast requests. When a victim broadcasts a query, the attacker's tool instantly spoofs a response, claiming to be the requested server. The victim's machine, accepting this spoofed identity, attempts to authenticate to the attacker to access resources. During this handshake, the victim sends their username and NTLMv2 password hash.

Once captured, the attacker has two primary vectors for exploitation: offline cracking and relaying. In offline cracking, the attacker uses tools like Hashcat to recover the plaintext password from the captured hash. Alternatively, in an SMB Relay attack, the attacker forwards the captured credentials to another machine on the network. If SMB signing is disabled and the victim has administrative privileges on the target, the attacker can execute code remotely without ever knowing the actual password. Mitigation requires disabling LLMNR via Group Policy, disabling NBT-NS on network adapters, and enforcing SMB signing.

In the context of CompTIA PenTest+ and the domain of Attacks and Exploits, a brute-force attack is a fundamental cryptanalytic method used to gain unauthorized access by guessing credentials through systematic trial and error. Unlike exploits that leverage logical vulnerabilities or software bugs, brute-forcing relies on raw computational power to attempt every possible combination of characters until the correct password or decryption key is identified.

Penetration testers must distinguish between online and offline variations. Online brute-force attacks target live services (e.g., SSH, RDP, or HTTP login forms) using automation tools like THC-Hydra, Medusa, or Ncrack. These attacks are distinctively 'noisy,' generating significant network traffic that often triggers Intrusion Detection Systems (IDS) or account lockout mechanisms. Conversely, offline attacks involve capturing hashed credentials (such as the /etc/shadow file or NTLM hashes) and cracking them locally. This method is generally preferred in authorized engagements as it is faster and stealthier, utilizing GPU-accelerated tools like Hashcat or John the Ripper without interacting with the live server.

The PenTest+ curriculum also differentiates between specific methodologies: a pure brute-force attack attempts all character combinations (aa, ab, ac...), which guarantees success mathematically but is time-prohibitive for complex passwords. Consequently, testers often utilize Dictionary Attacks (using lists of common words) or Hybrid Attacks (applying rules to modify dictionary words, such as leet speak substitution). Understanding these vectors is crucial for recommending mitigations, which include implementing account lockout policies, rate limiting, forcing complex passwords, using salts to negate Rainbow Tables, and deploying Multi-Factor Authentication (MFA).

In the realm of CompTIA PenTest+ and the domain of Attacks and Exploits, Password Spraying is a specific credential-harvesting technique designed to compromise accounts while evading detection mechanisms like account lockouts.

Unlike a traditional brute-force attack, which aggressively attempts a vast library of passwords against a single username, password spraying inverts the attack logic. In a spray attack, the threat actor utilizes a technique often referred to as "low-and-slow." They select a single, highly probable password—such as "Password123," "Company2024!," or "Welcome1"—and test it against a comprehensive list of valid usernames. Once the attacker has cycled through all users with that specific password, they may wait for a calculated period before attempting a second common password.

The primary motivation behind this methodology is to bypass account lockout policies. Most organizations configure Active Directory or identity providers to lock an account after three to five consecutive failed login attempts. Because password spraying only attempts one login per user per cycle, it rarely triggers these specific user-level thresholds, allowing the attacker to remain undetected by basic automated defenses.

From a penetration testing perspective, this attack is critical for assessing the human element of security and the robustness of password complexity enforcement. Testers often use tools like Hydra, Burp Suite, or Spray-AD after performing Open Source Intelligence (OSINT) to gather valid email addresses. Successful mitigation requires more than just complex passwords; it necessitates the implementation of Multi-Factor Authentication (MFA) and the configuration of SIEM (Security Information and Event Management) systems to detect "horizontal" spikes in failed authentication attempts across the network, rather than just vertical spikes on individual accounts.

In the context of CompTIA PenTest+ and the Attacks and Exploits domain, credential stuffing is an automated injection of breached username and password pairs in order to gain unauthorized access to user accounts. This attack vector relies heavily on the common bad habit of password reuse, where users utilize the same login credentials across multiple disparate services.

Unlike traditional brute-force attacks that attempt to guess passwords character-by-character, or dictionary attacks that try common words, credential stuffing utilizes specific credentials that are known to be valid on at least one system (obtained from data dumps on the dark web). Because the credentials act as a valid key for a different lock, the focus isn't on cracking a password, but rather on finding which other doors that specific key opens.

Attackers use automated tools—such as OpenBullet, Sentry MBA, or Burp Suite Intruder—often routed through proxy networks to simulate logins from various IP addresses, bypassing basic IP blocking. The goal is Account Takeover (ATO). For a penetration tester, simulating credential stuffing is vital to test the effectiveness of an organization's authentication controls.

The primary mitigations a PenTest+ candidate must identify include Multi-Factor Authentication (MFA), which stops the attack even if the password is correct, and rate limiting or CAPTCHA implementation to thwart automated bots. During an engagement, a penetration tester assesses whether the target's Web Application Firewall (WAF) or Intrusion Detection System (IDS) can identify and block the high-volume, rapid login attempts characteristic of this attack.

In the context of CompTIA PenTest+, a Pass-the-Hash (PtH) attack is a critical lateral movement technique where an attacker captures a password hash (typically NTLM) and uses it to authenticate to a remote server or service, bypassing the need to decrypt or crack the hash into a plaintext password. This exploit leverages the design of authentication protocols like NTLM, where the protocol accepts the hash itself as proof of identity during the challenge-response handshake.

The attack lifecycle generally begins after an attacker has compromised a machine and escalated privileges to a local administrator or SYSTEM level. Using post-exploitation tools such as Mimikatz, Metasploit, or Cobalt Strike, the attacker scrapes memory (specifically the LSASS process) or the SAM database to extract stored hashes. Once obtained, the attacker uses these hashes to authenticate against other systems in the network via SMB, WMI, or other protocols. If the compromised credentials belong to a user with administrative rights on other hosts—a common scenario with shared local admin passwords—the attacker can execute commands remotely and compromise the entire domain.

From a defensive perspective relevant to the exam, mitigation involves disabling NTLM in favor of Kerberos, using the 'Protected Users' Active Directory group, enabling Windows Defender Credential Guard to protect LSASS memory, and strictly limiting the overlap of administrative privileges across the network. For a penetration tester, demonstrating a PtH attack is a powerful way to highlight the risks of credential reuse and the importance of securing authentication subsystems.

In the context of the CompTIA PenTest+ certification, the Pass-the-Ticket (PtT) attack is a sophisticated post-exploitation technique used primarily for lateral movement within a Windows Active Directory (AD) environment. Unlike Pass-the-Hash, which relies on NTLM hashes, PtT targets the Kerberos authentication protocol.

The core mechanism involves an attacker seizing an existing Kerberos ticket—specifically a Ticket-Granting Ticket (TGT) or a Ticket-Granting Service (TGS)—from the Local Security Authority Subsystem Service (LSASS) memory of a compromised system. Because Kerberos uses these tickets as proof of identity, an attacker who extracts a valid ticket can "pass" it to the authentication system to gain access to network resources without ever needing the user's plaintext password.

Common tools used for this attack include Mimikatz (specifically the sekurlsa::tickets module) and Rubeus. Once a machine is compromised and local administrator or SYSTEM privileges are obtained, the pen tester can dump the cached tickets. These tickets are then injected into the current session, allowing the attacker to impersonate the user (often a Domain Admin) associated with that ticket.

Two notable variations often discussed in this domain are the "Golden Ticket" and "Silver Ticket" attacks. A Golden Ticket involves forging a TGT using the domain’s KRBTGT account hash, granting indefinite persistence and total control over the domain. A Silver Ticket involves forging a TGS for specific services on specific servers.

For a penetration tester, mastering PtT is crucial for demonstrating how a minor breach can escalate to a full domain compromise. Remediation strategies often focus on limiting the lifespan of TGTs, restricting privileged account logins to secure workstations, and implementing Windows Defender Credential Guard to protect the LSASS process.

In the context of CompTIA PenTest+, Kerberoasting is a critical post-exploitation technique used to extract service account credentials from Microsoft Active Directory (AD). It exploits the architecture of the Kerberos authentication protocol, specifically targeting Service Principal Names (SPNs).

The attack mechanism works as follows: Any authenticated user within a domain, regardless of their privilege level, can request a Ticket Granting Service (TGS) ticket for any service that has an SPN registered. The vulnerability lies in how the Domain Controller delivers this ticket. A portion of the TGS ticket is encrypted using the NTLM hash of the service account's password. When an attacker requests the ticket using tools like Rubeus, Mimikatz, or Invoke-Kerberoast, the Domain Controller provides this encrypted blob without verifying if the user has permissions to actually access the service application itself.

Once the attacker captures the ticket, they take it offline. Because the encryption key is derived solely from the service account's password, the attacker can use brute-force tools like Hashcat or John the Ripper to attempt to crack the hash. If the service account has a weak password, the attacker can recover the plaintext credentials.

This is a high-value attack vector because service accounts often hold elevated privileges (such as Domain Admin) and their passwords are rarely changed to avoid breaking application dependencies. To mitigate Kerberoasting, administrators should enforce long, complex passwords (over 25 characters) for all service accounts, making offline brute-force attempts computationally infeasible, or utilize Group Managed Service Accounts (gMSAs).

AS-REP Roasting is a credential theft technique targeting the Kerberos authentication protocol within Microsoft Active Directory environments. It is a critical concept for the CompTIA PenTest+ certification under the 'Attacks and Exploits' domain. The vulnerability arises when a user account has the property 'Do not require Kerberos preauthentication' enabled.

In a standard Kerberos exchange, a user must prove their identity before the Domain Controller (DC) issues a Ticket Granting Ticket (TGT). They do this by sending a timestamp encrypted with their password hash in the initial Authentication Service Request (AS-REQ). This step is called preauthentication.

However, if preauthentication is disabled for a specific account, the DC does not require this proof. An attacker—even one without domain credentials—can send a request for that user, and the DC will immediately respond with an AS-REP (Authentication Service Reply) message. Crucially, this message contains a part of the ticket encrypted with the target user's password hash.

The attacker captures this encrypted data and takes it offline. Using cracking tools like Hashcat or John the Ripper, they perform a brute-force or dictionary attack to reveal the plaintext password. Because the cracking happens offline, it does not interact with the DC, meaning it avoids triggering account lockout policies or generating failed login logs.

Penetration testers often use tools like Rubeus (Windows) or Impacket’s GetNPUsers.py (Linux) to identify vulnerable accounts and extract the hashes. Mitigation involves auditing Active Directory to ensure 'Do not require Kerberos preauthentication' is unchecked for all users.

In the context of the CompTIA PenTest+ certification, a Golden Ticket attack is a severe post-exploitation technique used to achieve indefinite persistence within a Windows Active Directory (AD) environment. It exploits the Kerberos authentication protocol by forging a Ticket Granting Ticket (TGT), effectively bypassing the standard authentication process.

At the heart of Kerberos is the Key Distribution Center (KDC), which uses a specific service account named KRBTGT to sign all valid TGTs. If a penetration tester or attacker gains administrative access to a Domain Controller and successfully dumps the password hash of the KRBTGT account (often using tools like Mimikatz), they possess the master key to the entire domain.

With the KRBTGT hash, the attacker can generate their own forged TGTs offline. These 'Golden Tickets' allow the attacker to masquerade as any user—even non-existent ones—and grant themselves membership in high-privilege groups such as Domain Admins or Enterprise Admins. This provides unrestricted access to every service, workstation, and file share in the domain.

What makes this attack particularly dangerous is its resilience. A Golden Ticket remains valid regardless of whether the impersonated user changes their password, as the ticket is validated against the KRBTGT hash, not the user's credentials. Furthermore, attackers can set the ticket's expiration date to 10 years or more. Unless defenders reset the KRBTGT password twice (to clear the password history), the attacker retains hidden, high-level access, allowing them to return to the network at will without triggering standard login alerts.

A Silver Ticket attack is a post-exploitation technique involving the forgery of Kerberos Ticket-Granting Service (TGS) tickets. Unlike a Golden Ticket, which requires the domain's KRBTGT hash to create a Ticket-Granting Ticket (TGT) for unrestricted domain access, a Silver Ticket targets specific services (such as MSSQL, CIFS, or HTTP) hosted on a specific server.

To execute this attack within a CompTIA PenTest+ scenario, a tester must obtain the NTLM hash of the service account running the target service. This hash is typically obtained via credential dumping or Kerberoasting. Using tools like Mimikatz, the attacker uses this hash to sign a forged TGS ticket. Because the service account validates the ticket using its own password hash, the attacker can define the user, groups, and privileges (e.g., Local Administrator) within the ticket arbitrarily.

A defining characteristic of the Silver Ticket is its stealth. The forgery process happens locally and bypasses the Domain Controller (DC) entirely. Consequently, no TGS-REQ or TGS-REP traffic occurs involving the DC, meaning no authentication logs are generated on the DC regarding this access. This makes the attack difficult to detect with standard centralized logging. The attack provides persistence and lateral movement capabilities limited to the specific service and host associated with the compromised account hash.

An NTLM Relay attack is a specific type of Man-in-the-Middle (MitM) exploit targeting the Microsoft NTLM authentication protocol. In the context of CompTIA PenTest+, this attack is a critical concept for lateral movement because it allows an attacker to gain unauthorized access to servers without ever knowing or cracking the victim's plaintext password.

The attack exploits the NTLM challenge-response mechanism. It typically begins with the attacker poisoning the local network using tools like **Responder** (via LLMNR/NBT-NS spoofing). When a victim client attempts to access a network resource, the attacker intercepts the request and forwards (relays) the authentication negotiation to a different target server on the network. The target server replies with a cryptographic 'challenge,' which the attacker relays back to the victim. The victim's machine encrypts this challenge using its password hash and sends the valid 'response' to the attacker. Finally, the attacker forwards this valid response to the target server. The server verifies the response is correct and authenticates the session, effectively granting the attacker access under the victim's identity.

A crucial prerequisite for NTLM relaying over SMB is that **SMB Signing** must be disabled or set to 'not required' on the target machine. If SMB signing is enforced, the server requires packet signatures derived from the user's session key (which the attacker does not possess), causing the attack to fail. Attackers often use tools like **ntlmrelayx** (part of Impacket) to automate this process, leading to Remote Code Execution (RCE), dumping local SAM hashes, or adding administrative users. Remediation involves enforcing SMB signing across the domain and disabling NTLM in favor of Kerberos.

Privilege escalation is a pivotal phase in the CompTIA PenTest+ framework, specifically within the Attacks and Exploits domain. It involves elevating access from a compromised low-level account to a higher-privileged one (vertical escalation) or accessing peer accounts (horizontal escalation).

In **Linux environments**, escalation often targets file permissions and kernel vulnerabilities. Testers hunt for executables with the **SUID** (Set User ID) bit set, which run with the owner's authority (often root). If these binaries have shell escape functionality, root access is trivial. Misconfigured **sudoers** files are another vector; running `sudo -l` might reveal that a user can execute commands like `vim` or `python` as root without a password. Additionally, attackers exploit writable **cron jobs** or unpatched kernel vulnerabilities (e.g., Dirty COW).

In **Windows systems**, techniques often exploit service configurations. **Unquoted Service Paths** occur when a service path contains spaces but lacks quotes, causing Windows to execute a malicious binary placed earlier in the file path (e.g., executing 'C:\Program.exe' instead of 'C:\Program Files\Service.exe'). **DLL Hijacking** involves placing a malicious Dynamic Link Library in a folder where an application searches for dependencies. Testers also look for **AlwaysInstallElevated** registry settings, which allow .msi files to install with system privileges. **Token manipulation**—stealing access tokens from high-privilege processes—is also common to impersonate administrators.

Ultimately, whether exploiting weak file permissions, kernel flaws, or stored credentials, the goal is obtaining root, Administrator, or SYSTEM level access to persist on the network and pivot to other targets.

Windows privilege escalation is the process where an attacker moves from a low-level account (such as a standard user or service account) to a high-level account, typically Administrator or NT AUTHORITY\SYSTEM. In the context of CompTIA PenTest+, this phase follows initial exploitation and requires a deep understanding of Windows architecture to identify misconfigurations, kernel vulnerabilities, and credential weaknesses.

A primary vector involves **Service and Registry Misconfigurations**. For example, 'Unquoted Service Paths' occur when a service path containing spaces is not enclosed in quotes. Windows interprets the space as a separator, potentially executing a malicious binary named 'C:\Program.exe' instead of the intended 'C:\Program Files\Service.exe'. Similarly, 'Insecure Service Permissions' allow users to modify a service's configuration, pointing the binary path (binPath) to a malicious executable that runs with SYSTEM privileges upon service restart.

**DLL Hijacking** is another common technique. It exploits the Windows DLL search order; if an application fails to load a specific DLL, an attacker can place a malicious DLL with the same name in a directory searched earlier (like the application's current folder), forcing the application to execute the attacker's code.

Attackers also target **Kernel Exploits** by enumerating missing patches using commands like `systeminfo` or automated enumeration scripts like **winPEAS** and **PowerUp**. If the OS is outdated, specific exploits (e.g., EternalBlue) can grant immediate SYSTEM access.

Finally, attackers leverage **Credential Dumping** and **Token Manipulation**. Tools like Mimikatz interact with the Local Security Authority Subsystem Service (LSASS) to retrieve cleartext passwords or NTLM hashes, or to steal access tokens from running processes to impersonate privileged users. Identifying vulnerabilities such as 'AlwaysInstallElevated' in the registry or weak file permissions on sensitive directories is essential for successful escalation.

Linux privilege escalation is a critical phase in the penetration testing lifecycle, falling under the 'Attacks and Exploits' domain of the CompTIA PenTest+ certification. It occurs after an attacker has established an initial foothold on a target Linux system, usually as a low-privileged user (such as 'www-data' or a limited service account). The objective is to elevate permissions to the 'root' user, granting full administrative control over the operating system.

There are several primary vectors for privilege escalation in Linux environments. First, **Kernel Exploits** involve leveraging vulnerabilities in an unpatched operating system kernel (e.g., Dirty COW) to execute arbitrary code with root privileges. Second, **Misconfigurations** are common targets; this includes checking `sudo` rights via `sudo -l`. If a user can run specific binaries as root without a password (such as text editors or scripting languages), they may utilize techniques documented in GTFOBins to spawn a root shell.

Third, **SUID/SGID executables** are files that run with the permissions of the file owner rather than the user. If a binary owned by root has the SUID bit set and contains a vulnerability or allows shell escapes, it leads to immediate escalation. Additionally, attackers look for **Weak File Permissions**, such as world-writable cron jobs or configuration files containing cleartext credentials.

To identify these flaws, penetration testers utilize enumeration scripts like **LinPEAS** or **LinEnum**. Mastery of this topic requires understanding Linux file permissions, the principle of least privilege, and how to audit systems for deviations from security baselines. Mitigation relies heavily on patch management, restricting sudo access, and removing unnecessary SUID bits.

Process injection is a critical defense evasion and persistence technique covered in the CompTIA PenTest+ curriculum under the Attacks and Exploits domain. It involves a threat actor executing arbitrary code within the address space of a separate, live process. By migrating malicious code into a legitimate process, attackers can camouflage their activities, making detection significantly harder for security controls like Antivirus (AV) and Endpoint Detection and Response (EDR) systems.

The primary objective is stealth. Security software often trusts system processes such as svchost.exe, notepad.exe, or explorer.exe. If malware runs as a standalone executable, it is easily flagged. However, if the malware injects itself into explorer.exe, the network traffic and behavior appear to originate from that trusted Windows component, effectively bypassing allowlists and behavioral monitoring.

The standard workflow for process injection generally follows a specific API sequence on Windows systems: first, the attacker retrieves a handle to the target process (OpenProcess); second, memory is reserved within the target process's virtual address space (VirtualAllocEx); third, the malicious payload, such as shellcode or the path to a malicious DLL, is written into that allocated memory (WriteProcessMemory); and finally, a new thread is created within the target process to execute the injected code (CreateRemoteThread).

Common variations include DLL Injection, where a process is forced to load a malicious Dynamic Link Library, and Process Hollowing, where a legitimate process is spawned in a suspended state, its memory is unmapped (hollowed out), and replaced with malicious code before resuming. For a penetration tester, understanding these mechanics is vital for simulating advanced persistent threats (APTs) and testing the resilience of host-based intrusion detection systems.

DLL hijacking is a critical exploitation technique covered in the CompTIA PenTest+ curriculum, specifically falling under the "Attacks and Exploits" domain. It leverages the specific search order Microsoft Windows uses to locate and load Dynamic Link Libraries (DLLs). A DLL is a shared library containing code and data used by multiple programs. When an executable requests a DLL without specifying an absolute path, Windows searches for the file in a pre-defined sequence: typically starting with the application's current directory, followed by system directories (System32), the Windows directory, the current working directory, and finally, the directories listed in the system's PATH environment variable.

The vulnerability exists when an application attempts to load a legitimate DLL that is missing from the application's directory or when the search order can be manipulated. An attacker exploits this by placing a malicious DLL with the exact name of the legitimate library (e.g., "user32.dll" or a proprietary library name) into a directory that Windows searches *before* locating the real file. When the application runs, it unknowingly loads the attacker's malicious code.

In penetration testing, this vector is primarily used for privilege escalation and persistence. If the vulnerable application runs with administrative or SYSTEM privileges, the malicious DLL inherits those elevated permissions, granting the attacker full control over the host. Pen testers utilize tools like Process Monitor (Procmon) to identify "NAME NOT FOUND" errors—indicating an application is searching for a missing DLL—and then craft payloads using tools like Metasploit msfvenom. Mitigation requires developers to use absolute paths for loading libraries and administrators to enforce Safe DLL Search Mode to restrict the search order.

Credential dumping is a critical post-exploitation technique emphasized in the CompTIA PenTest+ curriculum under the 'Attacks and Exploits' domain. It involves the unauthorized extraction of valid authentication information—such as usernames, cleartext passwords, NTLM hashes, or Kerberos tickets—from a compromised system's memory or file system. The primary objective is to facilitate privilege escalation or lateral movement, allowing the attacker to access additional resources or systems within the network.

Once a penetration tester gains administrative or SYSTEM-level access to a host, they typically target specific storage locations where the operating system caches credentials. On Windows systems, the primary targets are the Security Account Manager (SAM) database, which stores local user account hashes, and the Local Security Authority Subsystem Service (LSASS) process memory. The tool most synonymous with this technique is Mimikatz, which can scrape LSASS memory to retrieve plaintext passwords (if WDigest is enabled) or hashes. In an Active Directory environment, attackers seek the 'NTDS.dit' database on Domain Controllers, which contains the credentials for every user in the domain.

Successfully dumped credentials enable further attacks, such as 'Pass-the-Hash,' where an attacker uses a captured hash to authenticate to remote servers without cracking the password, or offline cracking using tools like Hashcat. Understanding credential dumping is essential for penetration testers to demonstrate the impact of a breach, showing how a single compromised endpoint can lead to total domain compromise. Mitigation strategies include enabling Windows Defender Credential Guard, restricting local administrator privileges, and monitoring for suspicious process injection into LSASS.exe.

In the context of CompTIA PenTest+ and the domain of Attacks and Exploits, Mimikatz is a premier open-source post-exploitation tool primarily utilized for credential dumping and privilege escalation on Windows systems. Its significance lies in its ability to manipulate the Local Security Authority Subsystem Service (LSASS) process to extract plain-text passwords, hashes, PINs, and Kerberos tickets directly from memory.

For the exam, candidates must understand specific attacks facilitated by Mimikatz. The most ubiquitous command, `sekurlsa::logonpasswords`, attempts to extract logon credentials. If protocols like WDigest are enabled, this yields cleartext passwords; otherwise, it retrieves NTLM hashes. These artifacts enable lateral movement techniques, specifically **Pass-the-Hash (PtH)**, where an attacker authenticates using the hash without cracking it, and **Pass-the-Ticket (PtT)**, which involves harvesting and reusing Kerberos tickets.

Furthermore, Mimikatz allows for persistence via the creation of **Golden Tickets** (forging a TGT using the domain's KRBTGT hash to become a domain admin with long-term validity) and **Silver Tickets** (forging service tickets). To function effectively, Mimikatz generally requires Debug privileges (`SeDebugPrivilege`), meaning the attacker needs Local Admin or SYSTEM access. It is often executed via PowerShell (e.g., Invoke-Mimikatz) or through C2 frameworks like Metasploit's Kiwi extension to operate purely in memory and evade antivirus detection. Understanding Mimikatz is essential for demonstrating the risks of weak credential management and the necessity of defenses like Windows Defender Credential Guard.

In the context of CompTIA PenTest+, token manipulation is a post-exploitation technique used primarily within Windows environments to elevate privileges or facilitate lateral movement without requiring a user's cleartext password. Windows uses access tokens, generated by the Local Security Authority (LSA) upon authentication, to describe the security context of a process or thread. These tokens contain the user's identity (Security Identifier or SID) and their assigned privileges.

Attackers use token manipulation to trick the operating system into believing they are a different user, often one with higher permissions like a Domain Administrator or NT AUTHORITY\SYSTEM. This is achieved by leveraging Windows API calls to steal, duplicate, or create tokens. A common method is 'Token Impersonation,' where an attacker identifies a process running as a high-value user, copies its access token, and applies it to their own thread. This allows the attacker to access resources—such as network shares or encrypted files—under the guise of the victimized account.

Prominent tools covered in the PenTest+ curriculum for this purpose include the Metasploit 'incognito' module, which automates the discovery and impersonation of tokens, and the 'Potato' family of exploits (e.g., RottenPotato, JuicyPotato), which coerce the SYSTEM account into authenticating to an attacker-controlled listener to steal its token. Mitigation strategies focus on the principle of least privilege to prevent the initial compromise required to manipulate memory, and Endpoint Detection and Response (EDR) solutions that monitor for suspicious API calls like DuplicateTokenEx or ImpersonateLoggedOnUser.

User Account Control (UAC) is a Windows security mechanism designed to limit application software to standard user privileges until an administrator authorizes an increase or elevation. In the context of CompTIA PenTest+, UAC bypass techniques are post-exploitation methods used by attackers to execute code with high integrity (administrative privileges) from a medium integrity context without triggering the visual consent prompt.

Most bypasses exploit 'auto-elevate' executables built into Windows, such as fodhelper.exe or eventvwr.exe. These binaries are signed by Microsoft and trusted to elevate without prompting the user if the account is already part of the Administrators group.

One prevalent technique relies on Registry Key Manipulation. Many auto-elevate binaries query specific registry keys in the HKEY_CURRENT_USER (HKCU) hive to locate shell commands or dependencies. Since the current user has write access to HKCU, a pentester can create or modify these keys to point to a malicious payload. When the trusted binary executes, it unwittingly runs the payload with elevated privileges.

Another common vector is DLL Hijacking or path interception. If a trusted, auto-elevating application attempts to load a DLL from a directory the user controls before checking System32, an attacker can plant a malicious DLL. The application then loads the attacker's code with high integrity.

To automate these attacks, penetration testers often utilize tools like UACME or specific Metasploit modules. Mitigation involves setting UAC to 'Always Notify' or, more effectively, ensuring users operate as standard users rather than administrators, thereby nullifying the split-token architecture these exploits abuse.

In the context of CompTIA PenTest+ and the domain of Attacks and Exploits, Living off the Land Binaries (LOLBins) refer to legitimate, native operating system executables that are repurposed by attackers to perform malicious actions. Rather than bringing external malware onto a system—which risks detection by antivirus software—an attacker utilizes tools already present on the target (usually Windows), effectively "living off the land."

The primary utility of LOLBins lies in evasion and persistence. Because these binaries are signed by the OS vendor (e.g., Microsoft) and are essential for system administration, they are trusted by default. Consequently, they often bypass application allow-listing policies (such as AppLocker) and evade signature-based detection mechanisms found in traditional antivirus solutions. For a penetration tester, leveraging LOLBins is essential to simulate sophisticated threat actors (APTs) who aim to blend in with normal administrative traffic to avoid triggering alerts in the Security Operations Center (SOC).

Common examples emphasized in the PenTest+ curriculum include:

1. **Certutil.exe:** Intended for certificate management, it is frequently exploited to download remote files (command and control payloads) or decode Base64-encoded malware.
2. **Bitsadmin.exe:** Used to manage Background Intelligent Transfer Service; attackers use it to download files or upload stolen data reliably.
3. **Wmic.exe:** Utilized for extensive system reconnaissance, process execution, and lateral movement across the network.
4. **Rundll32.exe:** Often used to load and execute malicious functions from dynamic-link libraries (DLLs).
5. **PowerShell:** While a shell rather than a single binary, it is the quintessential tool for executing memory-resident scripts without writing files to disk.

By utilizing these tools, penetration testers can execute "fileless" attacks and assess the efficacy of an organization's behavioral monitoring capabilities (such as EDR heuristics) rather than just their static file scanning defenses.

SQL injection (SQLi) is a prominent web security vulnerability whereby an attacker interferes with the queries an application makes to its database. It occurs when untrusted user input is concatenated directly into dynamic SQL commands without proper sanitization or parameterization. This allows an attacker to manipulate the query structure, tricking the database into executing malicious commands alongside legitimate ones.

In the context of CompTIA PenTest+, understanding the three main categories of SQLi is essential. **In-band SQLi** (Classic) is the most common, where the attacker uses the same communication channel to launch the attack and gather results, typically via 'UNION' operators or error messages. **Inferential SQLi** (Blind) involves the attacker sending data payloads and observing the server’s response behavior (such as time delays or boolean true/false responses) to reconstruct the database structure, as the application does not return data directly. **Out-of-band SQLi** relies on the database making a network connection (DNS or HTTP) to a server controlled by the attacker.

Attackers typically target input vectors like login forms, search bars, and URL parameters. For instance, injecting the payload `' OR '1'='1` into a login field can force the database to evaluate the query as true, bypassing authentication controls. The impact ranges from unauthorized access to sensitive data (PII, credentials) to complete data loss or administrative control over the database server. To remediate this, PenTest+ emphasizes the use of **prepared statements** (parameterized queries) and input validation. During engagements, testers may use automated tools like **SQLmap** or Burp Suite to identify and exploit these vulnerabilities to demonstrate risk.

Cross-Site Scripting (XSS) is a prevalent client-side injection vulnerability where malicious scripts are injected into trusted websites. In the context of CompTIA PenTest+, it is essential to understand that XSS targets the user's browser rather than the server infrastructure directly. The vulnerability arises when an application includes untrusted data in a webpage without proper validation or escaping, causing the browser to execute the input as code.

There are three primary types of XSS that a penetration tester must identify. Stored (Persistent) XSS occurs when the malicious payload is saved on the target server, such as in a database via a forum post. It is considered the most dangerous as it executes automatically whenever a user views the compromised page. Reflected (Non-Persistent) XSS happens when the malicious script is reflected off the web server, usually via a search result or error message, requiring the attacker to trick a victim into clicking a specific link. DOM-based XSS occurs entirely within the client-side Document Object Model, where the payload is executed as a result of modifying the DOM environment in the victim’s browser.

The impact of XSS is significant. Attackers commonly use it for session hijacking by stealing cookies (document.cookie), which allows them to take over user accounts. Other exploits include keylogging, phishing redirects, and website defacement. To mitigate XSS, PenTest+ guidelines emphasize a combination of strict input validation (sanitization) and context-aware output encoding, ensuring that user input is treated as content rather than executable code.

Cross-Site Request Forgery (CSRF), often referred to as XSRF or "Session Riding," is a critical web application vulnerability covered in the CompTIA PenTest+ curriculum under Attacks and Exploits. It occurs when an attacker tricks an authenticated user into executing unwanted actions on a web application where they are currently logged in. The vulnerability stems from the implicit trust a web application places in the user's web browser.

When a user authenticates to a site, the server typically issues a session cookie. Browsers automatically include this cookie in subsequent requests to that domain. An attacker exploits this behavior by crafting a malicious request—often embedded in a phishing email, a chat message, or a third-party website—that targets a specific action on the vulnerable application. For example, if a banking application uses a predictable URL structure for transfers, an attacker might embed a request in an HTML image tag (e.g., <img src="http://bank.com/transfer?to=attacker&amount=500">). If the victim loads the page containing this tag while logged into the bank, their browser executes the request using their valid session cookies, effectively performing the transfer without their consent.

From a penetration testing perspective, CSRF is distinct from Cross-Site Scripting (XSS); while XSS allows attackers to execute code (often to steal data), CSRF focuses on state-changing actions, such as changing passwords, modifying email addresses, or purchasing items. Testers identify this vulnerability by locating sensitive requests (POST or GET) that lack unique, unpredictable tokens (anti-CSRF tokens) or do not enforce strict SameSite cookie attributes. Mitigation requires the server to validate a specific, non-predictable token with every state-changing request to verify that the user intentionally initiated the action.