CompTIA PenTest+ (PT0-003): Attacks and Exploits

Attacks and Exploits is 35% of the CompTIA PenTest+ (PT0-003) exam, the single largest domain. This module covers how you exploit network, host, web, wireless, cloud, and human targets. Build a home lab with intentionally vulnerable targets and practice every technique here hands-on. Reading is not enough for this domain.
This is where you turn the prioritized findings from vulnerability discovery into real access. You attack across many surfaces, so you learn the techniques, the tools, and when each one fits.
Network Attacks
Network attacks target protocols, traffic, and trust between hosts.
- Default credentials - admin/admin still works on more devices than you would believe
- On-path attacks - intercept and modify traffic between two parties (formerly called man-in-the-middle)
- VLAN hopping - reach a VLAN you should not have access to
- Relay attacks - capture and forward authentication to impersonate a user
- Packet crafting - build custom packets to test or exploit a protocol
You poison name resolution with Responder to capture hashes on a Windows network:
```
responder -I eth0 -wv
```
| Tool | Network attack use |
|---|---|
| Metasploit | Exploit framework with thousands of modules |
| Netcat | Raw connections, banner grabbing, simple shells |
| Nmap | Scanning plus NSE exploit scripts |
| Impacket | Python classes for SMB, Kerberos, and more |
| CrackMapExec | Sweep and exploit Active Directory at scale |
| Responder | Poison LLMNR/NBT-NS to capture credentials |
| Hydra | Brute force network logins |
Host-based Attacks
Once you land on a host, you escalate and harvest. Host attacks include privilege escalation, credential dumping, process hollowing, and shell escapes.
You dump cached Windows credentials with Mimikatz:
```
sekurlsa::logonpasswords
```
You abuse LOLbins (living-off-the-land binaries), legitimate signed tools already on the system, to avoid dropping malware. Other host tools include Rubeus for Kerberos, Evil-WinRM for remote shells, and PsExec for remote execution.
Web Application Attacks
Web apps are a huge attack surface. You must know the core injection and logic flaws:
| Attack | What it does |
|---|---|
| SQL injection | Inject SQL to read or modify the database |
| XSS | Inject script that runs in a victim’s browser |
| CSRF | Force a logged-in user to perform an unwanted action |
| SSRF | Make the server request a resource you choose |
| Deserialization | Abuse unsafe object parsing to run code |
| JWT manipulation | Tamper with JSON Web Tokens to forge access |
| API abuse | Exploit weak authorization on API endpoints |
You automate SQL injection testing with sqlmap:
```
sqlmap -u "https://app.example.com/item?id=1" --batch --dbs
```
You use Burp Suite and ZAP as intercepting proxies, Gobuster to brute force directories, and WPScan to attack WordPress.
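The JWT manipulation row above comes down to a verifier that trusts the token's own header. The added example below (not from the original page or any tool it names) puts a weak HS256 verifier that honours `alg: none` beside a hardened one that pins the algorithm, plus the unsigned test token that tells them apart; the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-not-for-real-use"  # assumption: server-side HMAC key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    """Issues a properly signed HS256 token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def unsigned_none_token(claims: dict) -> str:
    """Test vector: header claims alg=none and the signature segment is empty."""
    head = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{head}.{b64url_encode(json.dumps(claims).encode())}."

def verify_weak(token: str):
    """Vulnerable: the token's own header picks the algorithm, so alg=none skips the MAC."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body))
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body)) if hmac.compare_digest(mac, b64url_decode(sig)) else None

def verify_hardened(token: str):
    """Fixed: the server pins HS256 and always checks the MAC in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))
```

The same pinning applies to asymmetric tokens: a verifier that accepts whatever `alg` the header names can be talked into treating an RSA public key as an HMAC secret, so the accepted algorithm and key must be fixed server-side.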
Authentication Attacks
Credentials are the keys to the kingdom. You attack them many ways:
- Pass-the-hash - authenticate with a captured NTLM hash, no plaintext needed
- Pass-the-ticket - reuse a stolen Kerberos ticket
- Kerberos attacks - Kerberoasting and AS-REP roasting to crack service accounts
- Password spraying - try one common password against many accounts to avoid lockout
- Credential stuffing - reuse leaked username/password pairs
You crack captured hashes offline with hashcat:
```
hashcat -m 1000 hashes.txt rockyou.txt
```
You map Active Directory attack paths with BloodHound and crack with John the Ripper. For why strong, unique passwords break these attacks, see how to create strong passwords.
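Password spraying and brute force leave different shapes in the authentication log a blue team reviews. The added example below (not from the original page) classifies each source address over a constructed set of events; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed one-event-per-line auth log format (constructed; adapt the regex to your SIEM export).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample events: one source sprays six accounts once each, one hammers a
# single account, and one is a user who mistyped twice and then logged in.
SAMPLE_LOG = (
    [f"2026-03-01T09:00:{i:02d}Z src=10.0.0.5 user={u} result=FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2026-03-01T09:01:{i:02d}Z src=10.0.0.9 user=alice result=FAIL" for i in range(8)]
    + ["2026-03-01T09:02:00Z src=10.0.0.3 user=alice result=FAIL",
       "2026-03-01T09:02:05Z src=10.0.0.3 user=alice result=FAIL",
       "2026-03-01T09:02:09Z src=10.0.0.3 user=alice result=OK"]
)

def parse_events(lines):
    """Yields a dict per line that matches the format; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify_sources(lines, spray_min_users=5, brute_min_attempts=8, lockout_threshold=5):
    """Per source address: 'password-spray' when many accounts each see a few failures
    (deliberately kept under the lockout threshold), 'brute-force' when one account
    sees many, otherwise 'benign'. Thresholds are assumptions; tune them to your policy."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for ev in parse_events(lines):
        if ev["result"] == "FAIL":
            failures[ev["src"]][ev["user"]] += 1
    verdicts = {}
    for src, per_user in failures.items():
        peak = max(per_user.values())
        if peak >= brute_min_attempts:
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_min_users and peak < lockout_threshold:
            verdicts[src] = "password-spray"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Real sprays often rotate source addresses, so the same count should also be run per time window across all sources, keyed on the number of distinct accounts with exactly one failure.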
Wireless Attacks
Wireless extends the attack surface beyond the building walls.
- Wardriving - drive around mapping access points
- Evil twin - stand up a rogue access point that mimics a real one
- Deauthentication - kick clients off so they reconnect to your rogue AP or leak a handshake
- WPS PIN attacks - brute force the WPS PIN to recover the passphrase
You capture and crack a WPA handshake with Aircrack-ng:
```
aircrack-ng -w rockyou.txt -b AA:BB:CC:DD:EE:FF capture.cap
```
Kismet handles passive wireless discovery and monitoring.
Social Engineering Attacks
People are often the easiest target. You test phishing, vishing (voice), spearphishing (targeted), impersonation, and credential harvesting. You build campaigns with Gophish, payloads with the Social-Engineer Toolkit (SET), and proxy real login pages to defeat MFA with Evilginx.
Cloud-based Attacks
Cloud introduces new failure modes:
- Metadata service attacks - query the instance metadata endpoint to steal cloud credentials
- IAM misconfigurations - over-permissive roles let you escalate across the account
- Container escape - break out of a container to the host
- Supply chain attacks - poison a dependency or build pipeline
You enumerate and exploit AWS with Pacu, audit posture with Prowler, and review configuration with ScoutSuite.
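The metadata service attack above is usually reached through SSRF, so the added example below (not from the original page or any tool it names) shows the destination check a server-side fetcher can run before following a user-supplied URL; the resolver, hostnames and addresses are constructed stand-ins.

```python
import ipaddress
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")  # the instance metadata endpoint

# Constructed stand-in for DNS so the check runs offline. A real fetcher resolves once,
# validates, and then connects to that exact address (otherwise DNS rebinding bypasses it).
FAKE_DNS = {
    "app.example.com": ["93.184.216.34"],                          # public, allowed
    "rebind.example.net": ["93.184.216.34", "169.254.169.254"],    # one record points inside
    "intranet.local": ["10.1.2.3"],
}

def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])

def address_allowed(ip) -> bool:
    """Rejects anything that could reach the instance itself or the internal network."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return not (ip == METADATA_IP or ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_fetch_target(url: str, resolve=fake_resolve):
    """Returns (allowed, reason) for a URL the server is about to fetch on a user's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [ipaddress.ip_address(host)]   # literal IPv4, or bracketed IPv6
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
        if not ips:
            return False, "unresolvable host"
    for ip in ips:   # every address the name maps to must be acceptable
        if not address_allowed(ip):
            return False, f"destination {ip} is internal"
    return True, "ok"
```

Validating the URL string alone is not enough: redirects, alternate numeric encodings and rebinding all change the address actually connected to, so the same check belongs on each hop of the real connection.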
Specialized Systems and Scripting
You explain attacks against mobile devices, AI systems, and OT. AI attacks include prompt injection and model manipulation, a fast-growing area covered in the state of AI cybersecurity in 2026. OT attacks target the fragile ICS environments described in why OT and ICS security is broken.
You tie it together with scripting in PowerShell, Bash, and Python to automate attacks, plus breach and attack simulation tools to test defenses at scale.
Next Steps
You have your foothold. Move to Post-exploitation and Lateral Movement to maintain access, pivot deeper, and clean up. Revisit Vulnerability Discovery and Analysis to pick your next target, confirm your actions stay inside Engagement Management scope, and return to the CompTIA PenTest+ Course for the full path.