Attacking Hosts, Cloud Technologies, and Specialized Systems Flashcards
Scott wants to crawl his penetration testing target’s website and then build a word list using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?
A. DirBuster
B. CeWL
C. OLLY
D. Grep‐o‐matic
Answer:
B. The Custom Word List generator, or CeWL, is a tool designed to spider a website and then build a word list using the files and web pages that it finds. The word list can then be used to help with password cracking.
Michelle wants to attack the underlying hypervisor for a virtual machine. What type of attack is most likely to be successful?
A. Container escape
B. Compromise the administrative interface
C. Hypervisor DoS
D. VM escape
Answer:
B. The most practical answer is to compromise the administrative interface for the underlying hypervisor. Although VM escape would be a useful tool, very few VM escape exploits have been discovered, and each has been quickly patched. That means that penetration testers can’t rely on one being available and unpatched when they encounter a VM host and should instead target administrative rights and access methods.
Jeff identifies the IP address contained in a content delivery network (CDN) configuration for his target organization. He knows that that server’s content is replicated by the CDN, and that if he is able to conduct a denial‐of‐service attack on the host, he will be able to take down his target’s web presence. What type of attack is Jeff preparing to conduct?
A. Side‐channel attack
B. Direct‐to‐origin attack
C. Federation misconfiguration attack
D. Metadata service attack
Answer:
B. Jeff is preparing a direct‐to‐origin attack, which targets the underlying system or resource behind a load balancer, CDN, or other similar system. If he can create a denial‐of‐service condition, the front‐end network or systems will not have the ability to get updates or data from it, allowing him to bypass the protections and resilience a load balancer or content delivery network provides. A side‐channel attack in most cloud environments will focus on taking advantage of being on the same physical hardware. Federation misconfiguration attacks attempt to take advantage of an insecure configuration in the federation linkages between two organizations, and metadata service attacks leverage native services provided by cloud providers that are intended to allow easy queries about systems running inside their environment, such as hostnames, IP addresses, or other metadata about the instances.
Claire knows that her target organization leverages a significant number of IoT devices and that she is likely to need to use one or more of them as pivot points for her penetration test. Which of the following is not a common concern when conducting a penetration test involving IoT devices?
A. Impacts to availability
B. Fragile environments
C. Data leakage
D. Data corruption
Answer:
C. Although IoT devices may leak data due to the use of insecure protocols or data storage, that’s a concern for the defender. Pentesters should actively be looking for that sort of opportunity! Claire knows that IoT devices may fail when scanned or compromised, and that this can cause issues. They may also be part of a fragile environment that may not be designed to handle scans, or where delayed responses or downtime may cause issues for her client. She also knows that data corruption may occur if devices are not behaving properly due to a penetration test, and that in environments where IoT data is critical this could be a real issue. Claire should carefully discuss this with her client and ensure that they understand the risks and how to constrain them if testing IoT devices is important to the pentest.
Susan wants to use a web application vulnerability scanner to help map an organization’s web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs?
A. Paros
B. CUSpider
C. Patator
D. w3af
Answer:
D. The Web Application Attack and Audit Framework (w3af) is a web application testing and exploit tool that can spider the site and test applications and other security issues that may exist there. The Paros proxy is an excellent web proxy tool often used by web application testers, but it isn’t a full‐fledged testing suite like w3af. CUSpider and other versions of Spider are tools used to find sensitive data on systems, and Patator is a brute‐force tool.
Madhuri has discovered that the organization she is conducting a penetration test against makes extensive use of industrial control systems to manage a manufacturing plant. Which of the following components is least likely to respond to her normal penetration testing tools like Nmap and Metasploit?
A. RTUs
B. Field devices
C. PLCs
D. Master stations
Answer:
B. Field devices are controlled by remote terminal units (RTUs) or programmable logic controllers (PLCs), which are likely to connect to a network and accept commands from a master station or operator station. Field devices are often controlled via digital or analog commands from the RTUs and PLCs, and are thus not likely to use protocols or access methods that are supported by normal penetration testing tools.
Ben wants to conduct a penetration test against a service that uses containers hosted by a cloud service provider. Which of the following targets is not typically part of the scope for a penetration test against a containerized environment?
A. The application
B. APIs used by the containers
C. Databases used by the containers
D. The underlying containerization service
Answer:
D. Attacking the underlying cloud hosting provider’s containerization service is typically prohibited by terms of service from the provider, and is thus unlikely to be part of the scope for a penetration test of a cloud‐hosted containerization service. The application running in the container, the APIs used by the containers, and databases they access are more likely to be part of the engagement.
Jocelyn wants to conduct a resource exhaustion attack against her penetration testing target, which uses an autoscaling service architecture that leverages a content delivery network. What technique is most likely to help her succeed?
A. BLE attack
B. Direct‐to‐origin attack
C. IPMI attack
D. VM escape attack
Answer:
B. If Jocelyn wants to successfully cause a denial‐of‐service condition, her best bet is a direct‐to‐origin attack. Exhausting the resources for the source or origin server for the service is far more likely to be successful than attempting to take on the resources of a cloud‐hosted content delivery network. BLE attacks are used against devices that use Bluetooth’s low energy mode. IPMI is a set of interface specifications for remote management and monitoring for computer systems and isn’t typically a target for a resource exhaustion attack. A VM escape attack might be useful if Jocelyn had already compromised a host and wanted to gain further access, but again it isn’t a useful way to attack a service like the one that is described.
Isabelle wants to gain access to a cloud infrastructure as a service environment. Which of the following is not a common technique to gain this type of access for a penetration test?
A. Acquire an inadvertently exposed key through a public code repository.
B. Use a brute‐force tool against a harvested credential that requires two factors.
C. Acquire an inadvertently exposed key through a misconfigured object store.
D. Probe for incorrectly assigned permissions for a service or system.
Answer:
B. Brute‐forcing multifactor is the only item on this list that is not a common method of attempting to gain access to a cloud environment. Multifactor authentication is designed to be resistant to brute force, meaning that other means would be necessary to access an account that uses it.
Charleen wants to use a cloned image of a phone to see if she can access it using brute‐force passcode‐breaking techniques. Which of the following techniques will allow her to do this without an automatic wipe occurring if “wipe after 10 passcode attempts” is set for the device?
A. Reverse engineering
B. Containerization
C. Sandbox analysis
D. Rainbow tables
Answer:
C. Charleen could place the device image in a controlled sandbox and make passcode attempts against it, resetting the device each time it wipes itself, allowing her to make many attempts. She could also run many copies in parallel to allow even faster brute‐force attempts. Reverse engineering is used to analyze binaries and code and does not suit this purpose. Containerization is used to place applications in a virtualized environment, and rainbow tables are used to attack hashed passwords and aren’t useful for this purpose, either.
Charleen has determined that the organization she is testing uses certificate pinning for their web application. What technique is most likely to help her overcome this so that she can conduct an on‐path attack?
A. Social engineering
B. Reverse engineering
C. Using a flaw in object storage security
D. Data exfiltration
Answer:
A. Persuading a user to add an additional certificate to the system or device’s certificate store is the only option from this list that will help to defeat certificate pinning. Reverse engineering might be useful to determine what system is pinned if the certificate store isn’t available and the application is. Object storage security issues may provide access to data or a place to drop data, but there’s nothing in the question to indicate that this would be a viable solution, and data exfiltration is a term that describes getting data out of an organization.
Charleen wants to perform static code analysis of the mobile application her target installed on the device in her possession. Which of the following tools should she select?
A. Objection
B. MobSF
C. Frida
D. Burp Suite
Answer:
B. MobSF is the only tool listed that provides static code analysis capabilities. Objection and Frida are used for JavaScript and library injection, and Burp Suite is an application testing suite.
Alice is conducting a penetration test of an organization’s AWS infrastructure. What tool should she select from the following list if she wants to exploit AWS?
A. Pacu
B. Cloud Custodian
C. CloudBrute
D. BashAWS
Answer:
A. Pacu is a dedicated AWS exploitation and penetration testing framework. Cloud Custodian is a useful management tool that can be used to identify misconfigurations, CloudBrute is a cloud enumeration tool, and BashAWS was made up for this question.
What type of attack focuses on accessing the underlying hardware in a shared cloud environment in order to gain information about other virtualized systems running on it?
A. Direct‐to‐origin attack
B. Watering hole attack
C. Side‐channel attack
D. Object storage attack
Answer:
C. Side‐channel attacks attempt to gain information about other systems by gathering data from an underlying system or infrastructure rather than directly from the running virtual system itself. Direct‐to‐origin attacks attempt to identify the source system that powers a content delivery network or other scaling service to allow denial‐of‐service or resource exhaustion attacks to apply to a smaller, less capable target. Watering hole attacks are social engineering attacks that leverage a frequently used website to host malware as part of an attack. An object storage attack focuses on services like S3 in AWS and often looks for improperly set permissions or other flaws that can be leveraged.
Isaac wants to test for insecure S3 storage buckets belonging to his target organization. What process can he use to test for this type of insecure configuration?
A. Navigate to the bucket’s URL using a web browser.
B. Use APKX to automatically validate known buckets by name.
C. Use a fuzzer to generate bucket names and test them using the fuzzer’s testing capability.
D. Conduct a direct‐to‐origin attack to find the original bucket source URL.
Answer:
A. One of the simplest techniques to validate if a bucket is accessible is to simply navigate to the bucket’s URL. If it provides a file listing, the bucket is not configured securely. APKX is an Android APK extractor tool. Fuzzers are used for software testing, not for bucket security testing, and direct‐to‐origin attacks attempt to bypass content delivery networks, load balancers, and similar tools to allow attacks directly against source systems for denial‐of‐service or resource exhaustion attacks.