Chap 6 - Exploiting and Pivoting

Question 1

Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service?

A. SQL injection
B. SMB exploit
C. CGI exploit
D. MIB exploit

Answer 1

SMB exploit

TCP 445 is a service port typically associated with SMB services.

Question 2

Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following listing:

1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows), 7.5 (high), 80 percent, 10.0.2.7, 3000/tcp
2. Open SSH Denial of Service And User Enumeration Vulnerabilities (Windows) , 7.8 (High), 80 percent, 10.0.2.7, 22/tcp
3. MySQL/MariaDB weak password, 9.0 (High), 95 percent, 10.0.2.7, 3306/ tcp

A. The Ruby on Rails vulnerability
B. The OpenSSH vulnerability
C. The MySQL vulnerability
D. None of these; he should find another target

Answer 2

The Ruby on Rails vulnerability

The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.

Question 3

Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following listing:

1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows), 7.5 (high), 80 percent, 10.0.2.7, 3000/tcp
2. Open SSH Denial of Service And User Enumeration Vulnerabilities (Windows) , 7.8 (High), 80 percent, 10.0.2.7, 22/tcp
3. MySQL/MariaDB weak password, 9.0 (High), 95 percent, 10.0.2.7, 3306/ tcp

If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability?

A. CVE
B. BID
C. MSF
D. EDB

Answer 3

MSF

Metasploit searching supports multiple common vulnerability identifier systems, including CVE, BID, and EDB, but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.

Question 4

BID

Answer 4

BID (Bugtraq ID) is a unique identifier assigned to vulnerabilities listed in the Bugtraq vulnerability database, maintained by Symantec. It is used to categorize and reference vulnerabilities, often in conjunction with CVE IDs, for efficient tracking and remediation

Question 5

EDB

Answer 5

EDB (Exploit Database) is a comprehensive, public resource for information about vulnerabilities and exploits. It includes exploit code, shellcode, security research papers, and even a “Google Hacking Database” for advanced search techniques useful in penetration testing. This resource is widely used to identify and study potential vulnerabilities and their practical exploitation methods

Question 6

Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?

A. SSH tunneling
B. Netcat port forwarding
C. Enable IPv6
D. Modify browser plug‐ins

Answer 6

SSH tunneling

Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.

Question 7

After gaining access to a Windows system, Fred uses the following command:

SchTasks /create /SC Weekly /TN “Antivirus” /TR “C:\Users\SSmith\av.exe” /ST 09:00
What has he accomplished?

A. He has set up a weekly antivirus scan.
B. He has set up a job called “weekly.”
C. He has scheduled his own executable to run weekly.
D. Nothing; this command will only run on Linux.

Answer 7

He has scheduled his own executable to run weekly.

Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith’s user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.

Question 8

After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list?

A. /etc/shadow
B. /etc/passwd
C. /var/usr
D. /home

Answer 8

/etc/passwd

On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow are important for password cracking, making both desirable targets for penetration testers.

Question 9

/etc/passwd

Answer 9

The /etc/passwd file is a fundamental configuration file on Linux systems that contains information about user accounts.

It typically includes
* username
* user ID (UID)
* group ID (GID)
* home directory
* shell
* other details

it does not store passwords directly; hashed passwords are kept in the more secure /etc/shadow file

Question 10

/etc/shadow

Answer 10

The /etc/shadow file on Linux systems contains hashed passwords and associated account details for user authentication. It is protected by permissions to restrict access to non-privileged users, and gaining access typically requires root privileges

Question 11

A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened?

A. A malware scan discovered Meterpreter and removed it.
B. The system was patched.
C. The system was rebooted.
D. Meterpreter crashed.

Answer 11

The system was rebooted.

Meterpreter is a memory‐resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory‐resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.

Question 12

Meterpreter

Answer 12

Meterpreter is a powerful payload used in the Metasploit framework, operating as a memory-resident tool via DLL injection to avoid leaving traces on disk. It provides advanced capabilities like privilege escalation, file system access, network pivoting, and executing additional scripts, all while maintaining stealth by running entirely in memory

It will be removed if the system is rebooted!

Question 13

Angela wants to exfiltrate data from a Windows system she has gained access to during a penetration test. Which of the following exfiltration techniques is least likely to be detected?

A. Send it via outbound HTTP as plaintext to a system she controls.
B. Hash the data, then send the hash via outbound HTTPS.
C. Use PowerShell to base64‐encode the data, then post to a public HTTPS‐accessible code repository.
D. Use PowerShell to base64‐encode the data, then use an SSH tunnel to transfer the data to a system she controls.

Answer 13

Use PowerShell to base64‐encode the data, then post to a public HTTPS‐accessible code repository.

Encoding data will make it less likely that intrusion prevent and data loss prevention systems will identify acquired data, meaning that encoding is a useful technique. Sending the data to a public repository like GitHub is less likely to look unusual than an internal system opening a SSH tunnel to a previously unknown system. Sending via HTTP instead of HTTPS will make inspection of the outbound, unencoded data trivial for defenders, and hashing the data will not leave it in a recoverable state when it arrives.

Question 14

Ian’s penetration test rules of engagement specify that he cannot add tools to the systems he compromises in a specific target environment. What techniques will he have to use to meet this requirement?

A. Compromise using a fileless malware package, then cover his tracks and clean up any files he uses.
B. Compromise using a known exploit and dropper from Metasploit, then use living‐off‐the‐land techniques.
C. Compromise using a fileless malware package, then use living‐off‐the‐land techniques.
D. Compromise using a known exploit and dropper from Metasploit, then clean up the dropped files and only use system utilities for further work.

Answer 14

Compromise using a fileless malware package, then use living‐off‐the‐land techniques.

A combination of fileless malware and living‐off‐the‐land techniques that use native tools and utilities will help Ian to ensure that he meets the rules of engagement of the penetration test he is conducting. Even cleaning up files will violate those rules, meaning that Ian should not add tools even if he is confident in his ability to clean them up after he is done. A Metasploit dropper leaves files behind, which means both answers that use this do not meet the requirements.

Question 15

What built‐in Windows server administration tool can allow command‐line PowerShell access from other systems?

A. VNC
B. PowerSSHell
C. PSRemote
D. RDP

Answer 15

PSRemote

PSRemote, or PowerShell Remote, provides command‐line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including use of dedicated PowerShell exploit tools.

Question 16

PSRemote

Answer 16

PSRemote, also known as PowerShell Remoting, is a built-in Windows feature that enables administrators to execute PowerShell commands remotely over the network. It relies on Windows Remote Management (WinRM) and requires establishing a trusted relationship between systems to perform tasks like configuration management, exploitation, or information gathering

Question 17

John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers?

A. Scheduled tasks
B. Cron jobs
C. Trojaned services
D. Modified daemons

Answer 17

Scheduled tasks

The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with Trojaned versions, or even simply creating user accounts for later use.

Question 18

Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong?

• msf exploit (unix/misc/distcc_exec) > exploit
• [ - ] Exploit failed: the following options failed to validate colon RHOST
• [ * ] Exploit completed comma but no session was created.

A. The remote host is firewalled.
B. The remote host is not online.
C. The host is not routable.
D. The remote host was not set.

Answer 18

The remote host was not set.

Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running an exploit.

Question 19

Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished?

$command = ‘cmd /c powershell.exe -c Set-WSManQuickConfig
-Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted
-Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force’

A. He has enabled PowerShell for local users.
B. He has set up PSRemoting.
C. He has disabled remote command‐line access.
D. He has set up WSMan.

Answer 19

He has set up PSRemoting.

Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it!

Question 20

Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them?

A. High priority; exploit early.
B. Medium priority; exploit after other system and service exploits have been attempted.
C. Low priority; only exploit if time permits.
D. Do not exploit; information exposure exploits are not worth conducting.

Answer 20

High priority; exploit early.

Although it may seem odd, exploiting information gathering exploits early can help provide useful information for other exploits. In addition, most information gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described.

Question 21

Jacob wants to capture user hashes on a Windows network. Which tool would not gather these from broadcast messages?

A. Metasploit
B. Responder
C. Impacket
D. Wireshark

Answer 21

Impacket

Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn’t build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you’re wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work but would be possible. Now you’re down to a 50/50 chance!

Question 22

Responder

Answer 22

Responder is a penetration testing tool used to exploit vulnerabilities in NetBIOS, LLMNR, and Multicast DNS (mDNS) protocols. It acts as a rogue responder to capture authentication hashes or credentials by spoofing legitimate responses to broadcasted or multicast queries on the network. This tool is commonly used to gather NTLM hashes, enabling further attacks such as relay or brute force

Question 23

Impacket

Answer 23

Impacket is a collection of Python-based tools and libraries used for network protocol implementations, commonly leveraged during penetration tests. It includes utilities for actions such as dumping secrets from remote machines, creating WMI persistence, and handling authentication processes for protocols like SMB and MS-SQL. Key tools include psexec.py for remote command execution and wmiexec.py for running WMI-based commands without installing an agent on the target system

Question 24

Madhuri has been asked to run BloodHound as part of her penetration testing efforts. What will she be able to do with the tool?

A. Visualize Active Directory environments.
B. Capture encrypted network traffic.
C. Visualize network traffic flows.
D. Find encrypted files in network share drives.

Answer 24

Visualize Active Directory environments.

BloodHound ingests Active Directory forest or tree data and displays, allowing penetration testers to visualize the data and analyze it by looking for elements like privileged accounts. It does not capture encrypted network traffic, visualize network flows, or search for encrypted files on shared drives.

Question 25

Ben is performing a penetration test as part of a PCI DSS engagement. What technique is he most likely to use as part of network segmentation testing?

A. Testing for 802.1q trunking on the Internet connection
B. Testing for physical segmentation of networks
C. Firewall rule validation between segments
D. Antimalware rule validation between segments

Answer 25

Firewall rule validation between segments

PCI‐DSS network segmentation assessments typically focus on ensuring that traffic cannot go from a lower‐security segment to a higher‐security segment. Thus, Ben will be validating firewall rules preventing this. Trunking at the ISP connection and physical segmentation testing are not common tests for this type of engagement, and antimalware tools are more likely to search for malware than to apply differing rules between network segments.

Question 26

BloodHound

Answer 26

BloodHound is an exploitation toolkit designed to help penetration testers map and analyze Active Directory (AD) environments. It uses graph theory to identify potential attack paths and privilege escalation opportunities by mapping relationships, permissions, and trust within an AD network. BloodHound is often employed to pinpoint security vulnerabilities in complex AD configurations, facilitating lateral movement and privilege escalation during an engagement​.