Attacking Hosts, Cloud Technologies, and Specialized Systems Flashcards

1
Q

Scott wants to crawl his penetration testing target’s website and then build a word list using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?

a. DirBuster
b. CeWL
c. OLLY
d. Grep-o-matic

A

b. The Custom Word List generator, or CeWL, is a tool designed to spider a website and then build a word list using the files and webpages that it finds. The word list can then be used to help with password cracking.

2
Q

Michelle wants to attack the underlying hypervisor for a virtual machine. What type of attack is most likely to be successful?

a. Container escape
b. Compromise the administrative interface
c. Hypervisor DoS
d. VM escape

A

b. The most practical answer is to compromise the administrative interface for the underlying hypervisor. Although VM escape would be a useful tool, very few VM escape exploits have been discovered, and each has been quickly patched. That means that penetration testers can’t rely on one being available and unpatched when they encounter a VM host and should instead target administrative rights and access methods.

3
Q

Jeff identifies the IP address contained in content delivery network (CDN) configuration for his target organization. He knows that that server’s content is replicated by the CDN, and that if he is able to conduct a denial-of-service attack on the host he will be able to take down his target’s web presence. What type of attack is Jeff preparing to conduct?

a. A side-channel attack
b. A direct-to-origin attack
c. A federation misconfiguration attack
d. A metadata service attack

A

b. Jeff is preparing a direct-to-origin attack, which targets the underlying system or resource behind a load balancer, CDN, or other similar system. If he can create a denial-of-service condition, the front-end network or systems will not have the ability to get updates or data from it, allowing him to bypass the protections and resilience a load balancer or content delivery network provides. A side-channel attack in most cloud environments will focus on taking advantage of being on the same physical hardware. Federation misconfiguration attacks attempt to take advantage of an insecure configuration in the federation linkages between two organizations, and metadata service attacks leverage native services provided by cloud providers that are intended to allow easy queries about systems and services running inside their environment, such as hostnames, IP addresses, or other metadata about the instances.

4
Q

Claire knows that her target organization leverages a significant number of IoT devices and that she is likely to need to use one or more of them as pivot points for her penetration test. Which of the following is not a common concern when conducting a penetration test involving IoT devices?

a. Impacts to availability
b. Fragile environments
c. Data leakage
d. Data corruption

A

c. Although IoT devices may leak data due to the use of insecure protocols or data storage, that’s a concern for the defender. Pentesters should actively be looking for that sort of opportunity! Claire knows that IoT devices may fail when scanned or compromised, and that this can cause issues. They may also be part of a fragile environment that may not be designed to handle scans, or where delayed responses or downtime may cause issues for her client. She also knows that data corruption may occur if devices are not behaving properly due to a penetration test, and that in environments where IoT data is critical this could be a real issue. Claire should carefully discuss this with her client and ensure that they understand the risks and how to constrain them if testing IoT devices is important to the pentest.

5
Q

Susan wants to use a web application vulnerability scanner to help map an organization’s web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs?

a. Paros
b. CUSpider
c. Patator
d. w3af

A

d. The Web Application Attack and Audit Framework (w3af) is a web application testing and exploit tool that can spider the site and test its applications for vulnerabilities and other security issues that may exist there. The Paros proxy is an excellent web proxy tool often used by web application testers, but it isn’t a full-fledged testing suite like w3af. CUSpider and other versions of Spider are tools used to find sensitive data on systems, and Patator is a brute-force tool.

6
Q

Madhuri has discovered that the organization she is conducting a penetration test against makes extensive use of industrial control systems to manage a manufacturing plant. Which of the following components is least likely to respond to her normal penetration testing tools like Nmap and Metasploit?

a. RTUs
b. Field devices
c. PLCs
d. Master stations

A

b. Field devices are controlled by remote terminal units (RTUs) or programmable logic controllers (PLCs), which are likely to connect to a network and accept commands from a master station or operator station. Field devices are often controlled via digital or analog commands from the RTUs and PLCs, and are thus not likely to use protocols or access methods that are supported by normal penetration testing tools.

7
Q

Ben wants to conduct a penetration test against a service that uses containers hosted by a cloud service provider. Which of the following targets is not typically part of the scope for a penetration test against a containerized environment?

a. The application
b. APIs used by the containers
c. Databases used by the containers
d. The underlying containerization service

A

d. Attacking the underlying cloud hosting provider’s containerization service is typically prohibited by terms of service from the provider, and is thus unlikely to be part of the scope for a penetration test of a cloud-hosted containerization service. The application running in the container, the APIs used by the containers, and databases they access are more likely to be part of the engagement.

8
Q

Isabelle wants to gain access to a cloud infrastructure as a service environment. Which of the following is not a common technique to gain this type of access for a penetration test?

a. Acquire an inadvertently exposed key through a public code repository.
b. Use a brute-force tool against a harvested credential that requires two factors.
c. Acquire an inadvertently exposed key through a misconfigured object store.
d. Probe for incorrectly assigned permissions for a service or system.

A

b. Brute-forcing multifactor is the only item on this list that is not a common method of attempting to gain access to a cloud environment. Multifactor authentication is designed to be resistant to brute force, meaning that other means would be necessary to access an account that uses it.

9
Q

Jocelyn wants to conduct a resource exhaustion attack against her penetration testing target, which uses an autoscaling service architecture that leverages a content delivery network. What technique is most likely to help her succeed?

a. A BLE attack
b. A direct-to-origin attack
c. An IPMI attack
d. A VM escape attack

A

b. If Jocelyn wants to successfully cause a denial-of-service condition, her best bet is a direct-to-origin attack. Exhausting the resources for the source or origin server for the service is far more likely to be successful than attempting to take on the resources of a cloud-hosted content delivery network. BLE attacks are used against devices that use Bluetooth’s low energy mode. IPMI is a set of interface specifications for remote management and monitoring for computer systems and isn’t typically a target for a resource exhaustion attack. A VM escape attack might be useful if Jocelyn had already compromised a host and wanted to gain further access, but again it isn’t a useful way to attack a service like the one that is described.

10
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen wants to use a cloned image of a phone to see if she can access it using brute-force passcode-breaking techniques. Which of the following techniques will allow her to do this without an automatic wipe occurring if “wipe after 10 passcode attempts” is set for the device?

a. Reverse engineering
b. Containerization
c. Sandbox analysis
d. Rainbow tables

A

c. Charleen could place the device image in a controlled sandbox and make passcode attempts against it, resetting the device each time it wipes itself, allowing her to make many attempts. She could also run many copies in parallel to allow even faster brute-force attempts. Reverse engineering is used to analyze binaries and code and does not suit this purpose. Containerization is used to place applications in a virtualized environment, and rainbow tables are used to attack hashed passwords and aren’t useful for this purpose either.

11
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen has determined that the organization she is testing uses certificate pinning for their web application. What technique is most likely to help her overcome this so that she can conduct an on-path attack?

a. Social engineering
b. Reverse engineering
c. Using a flaw in object storage security
d. Data exfiltration

A

a. Persuading a user to add an additional certificate to the system or device’s certificate store is the only option from this list that will help to defeat certificate pinning. Reverse engineering might be useful to determine what system is pinned if the certificate store isn’t available and the application is. Object storage security issues may provide access to data or a place to drop data, but there’s nothing in the question to indicate that this would be a viable solution, and data exfiltration is a term that describes getting data out of an organization.

12
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen wants to perform static code analysis of the mobile application her target installed on the device in her possession. Which of the following tools should she select?

a. Objection
b. MobSF
c. Frida
d. Burp Suite

A

b. MobSF is the only tool listed that provides static code analysis capabilities. Objection and Frida are used for JavaScript and library injection, and Burp Suite is an application testing suite.

13
Q

Alice is conducting a penetration test of an organization’s AWS infrastructure. What tool should she select from the following list if she wants to exploit AWS?

a. Pacu
b. Cloud Custodian
c. CloudBrute
d. BashAWS

A

a. Pacu is a dedicated AWS exploitation and penetration testing framework. Cloud Custodian is a useful management tool that can be used to identify misconfigurations, CloudBrute is a cloud enumeration tool, and BashAWS was made up for this question.

14
Q

What type of attack focuses on accessing the underlying hardware in a shared cloud environment in order to gain information about other virtualized systems running on it?

a. A direct-to-origin attack
b. A watering hole attack
c. A side-channel attack
d. An object storage attack

A

c. Side-channel attacks attempt to gain information about other systems by gathering data from an underlying system or infrastructure rather than directly from the running virtual system itself. Direct-to-origin attacks attempt to identify the source system that powers a content delivery network or other scaling service to allow denial-of-service or resource exhaustion attacks to apply to a smaller, less capable target. Watering hole attacks are a social engineering attack that leverages a frequently used website to host malware as part of an attack. An object storage attack focuses on services like S3 in AWS and often looks for improperly set permissions or other flaws that can be leveraged.

15
Q

Isaac wants to test for insecure S3 storage buckets belonging to his target organization. What process can he use to test for this type of insecure configuration?

a. Navigate to the bucket’s URL using a web browser
b. Use APKX to automatically validate known buckets by name
c. Use a fuzzer to generate bucket names and test them using the fuzzer’s testing capability
d. Conduct a direct-to-origin attack to find the original bucket source URL

A

a. One of the simplest techniques to validate whether a bucket is accessible is to simply navigate to the bucket’s URL. If it provides a file listing, the bucket is not configured securely. APKX is an Android APK extractor tool. Fuzzers are used for software testing, not for bucket security testing, and direct-to-origin attacks attempt to bypass content delivery networks, load balancers, and similar tools to allow attacks directly against source systems for denial-of-service or resource exhaustion attacks.

16
Q

Joselyn wants to conduct a credential harvesting attack against an organization. What technique is she most likely to employ to accomplish the attack?

a. Vulnerability scanning
b. Capturing data from other systems on the same physical host
c. Sending a phishing email
d. Using an SDK to access service configuration data

A

c. Credential harvesting can take many forms, but one of the most common options is to use a phishing attack to obtain credentials that can be used to access accounts and systems belonging to a target organization. Simply conducting vulnerability scanning will not result in credentials being obtained, capturing data from other systems on a shared underlying system is a side-channel attack and is unlikely to result in acquiring credentials, and SDKs may provide some useful information but are unlikely to directly provide credentials.

17
Q

Simone has been asked to check for IPMI interfaces on servers at her target organization. Where is she most likely to find IPMI interfaces to probe?

a. In the organization’s DMZ
b. In a private data center VLAN
c. In the organization’s workstation VLAN
d. On the organization’s Wi-Fi network

A

b. Most organizations recognize that IPMI interfaces need additional protection and place them on a private VLAN in their data center. Additional access controls like VPN requirements or bastion hosts are also commonly used. IPMI interfaces should not be exposed in a DMZ or a workstation VLAN, let alone on a Wi-Fi network.

18
Q

Selah wants to use a brute-force attack against the SSH service provided by one of her targets. Which of the following tools is not designed to brute-force services like this?

a. Patator
b. Hydra
c. Medusa
d. Minotaur

A

d. Patator, Hydra, and Medusa are all useful brute-forcing tools. Minotaur may be a great name for a penetration testing tool, but the authors of this book aren’t aware of any tool named Minotaur that is used by penetration testers!

19
Q

After compromising a remote host, Cameron uses SSH to connect to port 4444 from his penetration testing workstation. What type of remote shell has he set up?

a. A reverse shell
b. A root shell
c. A bind shell
d. A blind shell

A

c. Cameron has set up a bind shell, which connects a shell to a service port. A reverse shell would have initiated a connection from the compromised host to his penetration testing workstation (or another system Cameron has access to). The question does not provide enough information to determine if the shell might be a root shell, and blind shell is not a common penetration testing term.

20
Q

Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods will typically be fastest?

a. John the Ripper
b. Rainbow Road
c. Hashcat
d. CeWL

A

c. Hashcat would be the fastest when taking advantage of a powerful graphics card, and John the Ripper will typically be the slowest of the password cracking methods listed. CeWL is a word list or dictionary generator and isn’t a password cracker, and Rainbow Road is not a penetration testing tool.