Chap 1 - Penetration testing Flashcards

1
Q

Assuming no significant changes in an organization’s cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?

  • Monthly
  • Semiannually
  • Annually
  • Biannually
A

Annually

PCI DSS requires that organizations conduct both internal and external penetration tests on at least an annual basis. Organizations must also conduct testing after any significant change in the cardholder data environment.

2
Q

Which one of the following is not a benefit of using an internal penetration testing team?

  • Contextual knowledge
  • Cost
  • Subject matter expertise
  • Independence
A

Independence

The use of internal testing teams may introduce conscious or unconscious bias into the penetration testing process. This lack of independence is one reason organizations may choose to use an external testing team.

3
Q

Which one of the following is not a reason to conduct periodic penetration tests of systems and applications?

  • Changes in the environment
  • Cost
  • Evolving threats
  • New team members
A

Cost

Repeating penetration tests periodically does not provide cost benefits to the organization. In fact, it incurs costs. However, penetration tests should be repeated because they can detect issues that arise due to changes in the tested environment and the evolving threat landscape. The use of new team members also increases the independence and value of subsequent tests.

4
Q

Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Rich and his clients have agreed on the tools and techniques that he would use during the test?

  • Planning and Scoping
  • Information Gathering and Vulnerability Scanning
  • Attacking and Exploiting
  • Reporting and Communication Results
A

Planning and Scoping

During the Planning and Scoping phase, penetration testers and their clients should agree on the rules of engagement for the test. This should result in a written statement of work that clearly outlines the activities authorized during the penetration test.

5
Q

Which one of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process?

  • Weaponization
  • Reconnaissance
  • Installation
  • Actions on Objectives
A

Reconnaissance

The Reconnaissance stage of the Cyber Kill Chain maps to the Information Gathering and Vulnerability Scanning step of the penetration testing process. The remaining six steps of the Cyber Kill Chain all map to the Attacking and Exploiting phase of the penetration testing process.

6
Q

Cyber Kill Chain

A

7 stages:

  1. Reconnaissance: Attackers gather information about potential targets to identify vulnerabilities. This can involve scanning networks, researching employees on social media, and analyzing publicly available data.
  2. Weaponization: In this phase, attackers create or acquire a malicious payload (e.g., malware) that can exploit the identified vulnerabilities. This often includes pairing the payload with an exploit to facilitate delivery.
  3. Delivery: The attacker transmits the malicious payload to the target through various methods, such as phishing emails, malicious links, or compromised websites.
  4. Exploitation: Upon successful delivery, the attacker exploits a vulnerability in the target’s system to execute the malicious code.
  5. Installation: After exploiting the system, the attacker installs malware or other tools that allow them to maintain access and control over the compromised system.
  6. Command and Control (C2): The attacker establishes a communication channel to remotely control the compromised system, enabling further actions.
  7. Actions on Objectives: Finally, the attacker executes their primary goal, which may include data exfiltration, disruption of services, or other malicious activities.

Some models have expanded this framework to include an eighth stage: Monetization, where attackers seek to profit from their actions, such as selling stolen data or demanding ransom.

7
Q

Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in?

  • Planning and Scoping
  • Attacking and Exploiting
  • Information Gathering and Vulnerability Scanning
  • Reporting and Communication
A

Attacking and Exploiting

While Beth is indeed gathering information during a phishing attack, she is conducting an active social engineering attack. This moves beyond the activities of Information Gathering and Vulnerability Scanning and moves into the realm of Attacking and Exploiting.

8
Q

Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Scanning phase of a penetration test?

  • Nmap
  • Nessus
  • Metasploit
  • Nslookup
A

Metasploit

Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information-gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute an attack and would be better suited for the Attacking and Exploiting phase of a penetration test.

9
Q

Metasploit

A

Metasploit is a widely-used open-source framework designed for penetration testing and security assessment. Developed initially by H.D. Moore in 2003, it allows security professionals to find, exploit, and validate vulnerabilities in systems and networks. The framework has evolved significantly since its inception, being rewritten in Ruby in 2007 and later acquired by Rapid7 in 2009, which enhanced its capabilities and support.

Key Features of Metasploit
* Penetration Testing: Metasploit is primarily utilized for ethical hacking, enabling security teams to simulate attacks on their systems to identify weaknesses before malicious actors can exploit them.
* Modular Architecture: The framework consists of various modules that perform specific tasks. These include:
  * Exploits: Code that takes advantage of vulnerabilities in systems or applications.
  * Payloads: Code executed after an exploit successfully breaches a system, allowing further actions like gaining control or extracting data.
  * Auxiliary Modules: Tools for tasks not directly related to exploitation, such as scanning and sniffing.
* Community Contributions: Metasploit boasts a large repository of over 2,300 exploits and nearly 500 payloads, contributed by a community of users and developers. This extensive database allows users to quickly find the tools they need for specific vulnerabilities.
* Integration with Other Tools: Metasploit can integrate with various reconnaissance tools (like Nmap) to gather information about potential targets, making it easier to identify vulnerabilities.

10
Q

During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission?

  • Weaponization
  • Installation
  • Actions on Objectives
  • Command and Control
A

Actions on Objectives

The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.

11
Q

Which one of the following is not an open source intelligence gathering tool?

  • WHOIS
  • Nslookup
  • Nessus
  • FOCA
A

Nessus

Whois and Nslookup are tools used to gather information about domains and IP addresses. FOCA is used to harvest information from files. All three of those tools are OSINT tools. Nessus is a commercial vulnerability scanner.

12
Q

FOCA

A

FOCA, which stands for Fingerprinting Organizations with Collected Archives, is a powerful open-source tool used in cybersecurity for metadata extraction and organization fingerprinting. It is particularly effective in gathering hidden information from documents that are publicly accessible on the internet.

Key Features of FOCA
* Metadata Extraction: FOCA specializes in analyzing various document types, including Microsoft Office files, PDFs, and Open Office documents. It retrieves metadata that can reveal sensitive information such as user names, software versions, email addresses, and more.
* Document Scanning: The tool can search for documents across multiple search engines, including Google, Bing, and DuckDuckGo. This capability allows it to compile a comprehensive list of potentially vulnerable files associated with a target organization.
* Network Infrastructure Mapping: FOCA can map the network infrastructure of an organization by analyzing the metadata of the collected documents. This includes identifying servers, IP addresses, and other network components that may be exposed through the metadata.
* Advanced Analysis Techniques: Beyond basic metadata extraction, FOCA supports various analysis techniques such as DNS snooping, searching for common files, and identifying technologies used within an organization.
* Customization Options: Users can customize their searches to focus on specific file types or metadata elements, making FOCA adaptable to different reconnaissance needs.

13
Q

Aircrack-ng

A

Aircrack-ng is a comprehensive suite of tools designed for assessing the security of WiFi networks. It enables users to monitor, attack, test, and crack wireless network security protocols, specifically focusing on WEP and WPA/WPA2 encryption standards.

Key Features of Aircrack-ng
* Packet Sniffer: Aircrack-ng includes tools like airodump-ng, which captures packets from wireless networks. This is essential for gathering information about network traffic and connected devices.
* WEP and WPA/WPA2 Cracking: The suite supports various methods for recovering encryption keys. It can perform dictionary attacks on WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access) keys, allowing users to test the strength of their network passwords.
* Network Monitoring: Tools such as airmon-ng enable users to set their wireless adapters into monitor mode, allowing them to capture all WiFi traffic in the vicinity, regardless of the network.
* Traffic Injection: With tools like aireplay-ng, users can inject packets into the network. This can be used for various attacks, including deauthentication attacks that force clients to disconnect from their access points.
* Fake Access Point Creation: The suite allows users to create rogue access points using tools like airbase-ng, which can be used to intercept traffic from unsuspecting clients.

14
Q

Which one of the following tools is not a password-cracking utility?

  • OWASP ZAP
  • Cain and Abel
  • Hashcat
  • John the Ripper
A

OWASP ZAP

Cain and Abel, Hashcat, and John the Ripper are all password-cracking utilities. OWASP ZAP is a web proxy tool.

15
Q

OWASP ZAP

A

OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner developed by the Open Web Application Security Project (OWASP). It is designed to help security professionals and developers identify vulnerabilities in web applications through various testing methodologies.

Key Features of OWASP ZAP
* Intercepting Proxy: ZAP functions as a proxy between the user’s browser and the web application, allowing it to intercept, analyze, and modify HTTP requests and responses in real-time. This feature is essential for debugging and manual testing.
* Active and Passive Scanning: ZAP offers both active and passive scanning capabilities. Passive scanning analyzes traffic without altering it, identifying vulnerabilities based on existing data. Active scanning, on the other hand, actively probes the application, sending crafted requests to uncover vulnerabilities like SQL injection and cross-site scripting (XSS).
* Fuzzing: The tool includes a fuzzing feature that allows users to send large volumes of malformed requests to test how the application handles unexpected input. This helps identify potential weaknesses in input validation.
* Spidering: ZAP can automatically crawl web applications to map their structure and discover hidden endpoints. It includes specialized spiders for traditional HTML as well as AJAX-heavy applications, ensuring comprehensive coverage.
* Extensibility: Users can enhance ZAP’s functionality through a marketplace of add-ons developed by the community. These add-ons can provide additional scanning capabilities, reporting features, and integration with other tools.
* WebSocket Testing: ZAP supports testing for WebSocket vulnerabilities, allowing it to analyze real-time communication between clients and servers, which is critical for modern web applications.

16
Q

Hashcat

A

Hashcat is a powerful open-source password recovery tool designed for cracking hashed passwords. It is recognized for its speed and versatility, enabling users to perform various types of attacks against password hashes using both CPU and GPU resources.

Key Features of Hashcat
* Multi-Platform Support: Hashcat is compatible with multiple operating systems, including Windows, Linux, and macOS, making it accessible to a wide range of users.
* Support for Numerous Hash Algorithms: The tool supports over 300 hashing algorithms, including popular ones like MD5, SHA1, and WPA/WPA2. This extensive compatibility allows it to be used in various scenarios where different hashing methods are employed.
* Various Attack Modes: Hashcat offers several attack modes to crack passwords effectively:
  1. Brute-Force Attack: Attempts all possible combinations of characters.
  2. Dictionary Attack: Uses a list of potential passwords (wordlist) to find matches.
  3. Mask Attack: Targets specific patterns in passwords.
  4. Hybrid Attack: Combines dictionary and brute-force methods.
  5. Rule-Based Attack: Applies predefined rules to modify words in a dictionary.
* GPU Acceleration: Hashcat can utilize the parallel processing power of GPUs, significantly speeding up the password cracking process compared to traditional CPU-based methods.
* Open Source and Community Driven: Initially proprietary, Hashcat was released as open-source software in 2015 under the MIT License. This transition allows for community contributions and enhancements.

17
Q

Cain and Abel

A

Cain & Abel is a password recovery tool specifically designed for Microsoft Windows operating systems. Developed by Massimiliano Montoro, it provides a variety of functionalities aimed at recovering lost passwords and enhancing network security.

Key Features
* Password Recovery: Cain & Abel can recover various types of passwords through multiple methods, including:
  * Network Sniffing: Captures network packets to extract passwords transmitted over the network.
  * Cracking Techniques: Utilizes dictionary attacks, brute-force methods, and cryptanalysis attacks (including rainbow tables) to recover hashed passwords.
* VoIP Recording: The tool can record Voice over IP (VoIP) conversations, which can be useful for security audits and monitoring.
* Wireless Network Key Recovery: It can recover keys for wireless networks, assisting in the management of Wi-Fi security.
* Password Decoding: Cain & Abel can decode scrambled passwords and reveal hidden password fields in applications.
* ARP Spoofing: The application includes features for ARP (Address Resolution Protocol) poisoning, allowing it to intercept network traffic and perform man-in-the-middle attacks.
* Support for Multiple Hash Algorithms: It supports cracking a wide range of hash types, including LM, NTLM, MD5, SHA-1, and more.

18
Q

John the Ripper

A

John the Ripper is a widely-used open-source password cracking tool designed for security professionals and ethical hackers. Developed initially in 1996 by the Openwall Project, it is primarily used to identify weak passwords through various cracking techniques.

Key Features
* Cross-Platform Compatibility: John the Ripper runs on multiple operating systems, including Unix, Linux, macOS, and Windows, making it versatile for different environments.
* Support for Multiple Hash Algorithms: The tool can crack a wide range of password hash types, including those used in Unix/Linux systems (like DES, MD5, and SHA), Windows (LM and NTLM), and various database systems. This extensive support allows users to test passwords across different platforms and applications.
* Cracking Techniques: John the Ripper employs several methods for password cracking:
  1. Brute-Force Attacks: Attempts all possible combinations of characters to find the correct password.
  2. Dictionary Attacks: Uses a list of potential passwords (wordlists) to find matches against hashed passwords.
  3. Incremental Mode: A comprehensive brute-force method that tries every possible combination without predefined limits.
* Automatic Hash Detection: The tool can automatically detect the type of hash used for passwords, simplifying the process for users who may not know the specific hash format.
* Customizable Cracking Modes: Users can configure John the Ripper to use different modes based on their needs, including single crack mode, wordlist mode, and incremental mode. This flexibility makes it suitable for both quick tests and more exhaustive cracking efforts.

19
Q

Which one of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks?

  • OpenVAS
  • Nessus
  • SQLmap
  • Nikto
A

Nikto

Nikto is an open source web application security assessment tool. SQLmap does test web applications, but it only tests for SQL injection vulnerabilities. OpenVAS and Nessus are general-purpose vulnerability scanners. Although they can detect web application security issues, they are not specifically designed for that purpose.

20
Q

OpenVAS

A

OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanning and management tool designed to identify security issues in computer systems and networks. Developed by Greenbone Networks, OpenVAS provides comprehensive features for vulnerability assessment, making it a valuable resource for security professionals.

Key Features
* Vulnerability Scanning: OpenVAS scans networks, hosts, and applications to detect known vulnerabilities, misconfigurations, and potential security weaknesses. It supports both authenticated and unauthenticated testing to provide a thorough assessment of security postures.
* Plugin-Based Architecture: The tool utilizes a plugin system that allows it to perform a wide range of vulnerability checks. This architecture enables users to update and add new plugins regularly, keeping the tool aligned with emerging threats.
* Compliance Auditing: OpenVAS can assess compliance with various security standards and regulations, such as PCI DSS and HIPAA, helping organizations ensure they meet required security benchmarks.
* Detailed Reporting: After scans, OpenVAS generates comprehensive reports that detail identified vulnerabilities, their severity levels, and recommendations for remediation. This helps organizations prioritize their response efforts effectively.
* Network Discovery: The tool assists in identifying all devices connected to a network, maintaining an accurate inventory of assets that need protection.
* User-Friendly Interface: OpenVAS offers a web-based graphical user interface (Greenbone Security Assistant) that simplifies the configuration of scans, viewing results, and managing settings.

21
Q

SQLMap

A

SQLMap is a powerful open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. Developed in Python, SQLMap provides a user-friendly command-line interface, making it accessible for both beginners and experienced security testers.

Key Features
* Automated SQL Injection Detection: SQLMap can automatically identify vulnerable parameters in web applications, significantly speeding up the testing process.
* Support for Multiple Database Systems: It supports a wide range of database management systems (DBMS), including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and Microsoft Access, among others.
* Comprehensive Exploitation Capabilities: SQLMap can perform various types of SQL injection attacks, including:
  1. Blind SQL Injection: Extracts data without direct feedback from the application.
  2. Error-Based SQL Injection: Utilizes error messages returned by the database to infer information.
  3. Union-Based SQL Injection: Combines results from multiple SELECT statements to extract data.
  4. Time-Based Blind SQL Injection: Uses time delays to infer data presence based on response times.
* Data Retrieval and Enumeration: The tool can retrieve database schema information, including tables, columns, and user privileges. It allows users to dump entire databases or specific entries based on their needs.
* File System Access: SQLMap can interact with the underlying file system of the database server, enabling users to read and write files directly if the database is compromised.
* Custom Query Execution: Users can execute arbitrary SQL statements against the database, providing flexibility for advanced testing scenarios.
* Integration with Other Tools: SQLMap can be integrated with other security tools like Metasploit for enhanced capabilities in penetration testing.

22
Q

Which one of the following debugging tools does not support Windows systems?

  • GDB
  • OllyDbg
  • WinDbg
  • IDA
A

GDB

OllyDbg, WinDbg, and IDA are all debugging tools that support Windows environments. GDB is a Linux-specific debugging tool.

23
Q

GDB

A

GDB, or the GNU Debugger, is a powerful debugging tool (Linux only) used primarily for programs written in C, C++, and other programming languages. It allows developers to inspect the execution of their programs, control their execution flow, and diagnose issues effectively.

Key Features
* Program Control: GDB enables users to start and stop programs, set breakpoints (which pause execution at specified points), and step through code line by line to observe behavior.
* Variable Inspection: Users can examine the values of variables at various points during execution, which helps in understanding how data changes over time.
* Memory Examination: GDB allows for direct inspection of memory, enabling developers to check the contents of specific memory addresses.
* Backtrace: In the event of a crash, GDB can provide a backtrace that shows the function call stack leading to the error, making it easier to identify the source of problems.
* Remote Debugging: GDB supports remote debugging, allowing it to debug applications running on different machines or embedded systems via a network connection.
* Scripting Support: GDB can be scripted using Python and other languages, which allows for automation of debugging tasks and customization of its functionality.

24
Q

OllyDbg

A

OllyDbg is a powerful, user-friendly debugger specifically designed for analyzing and manipulating Windows applications at the assembly level. Developed by Oleh Yuschuk, it is primarily used for reverse engineering, malware analysis, and debugging executable files when source code is not available.

Key Features
* Disassembly and Debugging: OllyDbg provides a detailed disassembly of binary files, allowing users to inspect the underlying assembly code. It can trace registers, recognize procedures, API calls, and constants, making it easier to understand how a program operates.
* Breakpoints: Users can set both hardware and software breakpoints to pause execution at specific points in the code. This feature is essential for analyzing program behavior and identifying bugs.
* Memory Inspection: OllyDbg allows users to inspect and modify memory contents in real-time. This capability is crucial for understanding how data is manipulated during program execution.
* User-Friendly Interface: The interface is designed to be intuitive, with features like syntax highlighting, comments, labels, bookmarks, and search functions that enhance usability.
* Plugin Support: The functionality of OllyDbg can be extended through third-party plugins, allowing users to customize their debugging experience and add new features.
* Compatibility: While primarily focused on 32-bit applications, OllyDbg has a beta version for 64-bit applications (OllyDbg 2.0), although it has limited features compared to its 32-bit counterpart.

25
Q

WinDbg

A

WinDbg (Windows Debugger) is a multipurpose debugger developed by Microsoft for the Windows operating system. It is primarily used for debugging user-mode applications, device drivers, and the operating system itself in kernel mode. WinDbg is a powerful tool for developers and IT professionals to analyze and troubleshoot software issues, particularly those related to crashes and performance problems.

Key Features
* Kernel and User-Mode Debugging: WinDbg can debug both user-mode applications and kernel-mode drivers, making it versatile for various debugging scenarios.
* Crash Dump Analysis: It is commonly used to analyze crash dump files generated after system failures (commonly known as Blue Screen of Death). This post-mortem debugging helps identify the root cause of crashes.
* Symbol File Support: WinDbg can automatically load debugging symbol files (PDB files) from a server, which simplifies the debugging process by correlating symbols with source code.
* Time Travel Debugging (TTD): One of the notable features of WinDbg is TTD, which allows users to record a live process and then debug it by stepping backward and forward in time. This feature provides a unique way to analyze program behavior leading up to an issue.
* Scripting Capabilities: WinDbg supports scripting in JavaScript and other languages, enabling users to automate tasks and extend its functionality.
* Enhanced User Interface: The latest versions of WinDbg offer modern visuals, improved navigation, and a dark theme option, making it more user-friendly compared to earlier iterations.
* Command-Line Interface: While it has a graphical user interface (GUI), WinDbg also supports command-line operations, allowing for flexible use in different environments.

26
Q

IDA

A

IDA (Interactive Disassembler) is a powerful disassembler and decompiler developed by Hex-Rays, widely used in the field of reverse engineering. It allows users to analyze binary files, including executables and libraries, by converting machine code back into a human-readable assembly language format. IDA Pro is particularly valuable for security researchers, malware analysts, and software developers who need to understand how software operates at a low level.

Key Features
* Disassembly: IDA automatically disassembles executable files, providing a detailed view of the assembly code. It supports various file formats and processor architectures, making it versatile for different applications.
* Code Analysis: The tool offers advanced code analysis features, allowing users to navigate through functions, variables, and control flow. This helps in understanding the logic and structure of the analyzed code.
* Debugging Capabilities: IDA Pro includes debugging features that enable users to run programs in a controlled environment, inspect memory, and set breakpoints to analyze program behavior during execution.
* Graphical Representation: IDA provides graphical views of the control flow of programs, making it easier to visualize complex interactions within the code.
* Scripting and Automation: Users can extend IDA’s functionality through scripting using Python or its built-in scripting language, allowing for automation of repetitive tasks or custom analysis workflows.
* Decompiler Integration: IDA Pro includes a decompiler that translates assembly code back into high-level C-like pseudocode, which is helpful for understanding the logic of the original program without needing the source code.

27
Q

What is the final stage of the Cyber Kill Chain?

  • Weaponization
  • Installation
  • Actions on Objectives
  • Command and Control
A

Actions on Objectives

During the Actions on Objectives stage, the attacker carries out the activities that were the purpose of the attack. As such, it is the final stage in the chain.

28
Q

Which one of the following activities assumes that an organization has already been compromised?

  • Penetration testing
  • Threat hunting
  • Vulnerability scanning
  • Software testing
A

Threat hunting

Threat hunting assumes that an organization has already been compromised and searches for signs of successful attacks.

29
Q

Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating?

  • Planning and Scoping
  • Reporting and Communication
  • Attacking and Exploiting
  • Information Gathering and Vulnerability Scanning
A

Reporting and Communication

During the final stage of a penetration test, Reporting and Communication, the testers provide mitigation strategies for issues identified during the test.