Chap 7 - Exploiting Network Vulnerabilities Flashcards

1
Q

Charles wants to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose?

A. WiFite
B. Kismet
C. Aircrack‐ng
D. SnortiFi

A

Kismet

Kismet is specifically designed to act as a wireless IDS in addition to its other wireless packet capture features. WiFite is designed for wireless network auditing. Aircrack‐ng provides a variety of attack tools in addition to its capture and injection capabilities for wireless traffic. SnortiFi was made up for this question.

2
Q

Kismet

A

Kismet is a wireless network detector, sniffer, and intrusion detection system. It is used for capturing and analyzing Wi-Fi traffic, identifying access points, detecting hidden networks, and logging raw packets for further analysis. Kismet is a valuable tool for penetration testers conducting wireless network assessments.

3
Q

WiFite

A

WiFite is an automated wireless auditing tool used for testing the security of Wi-Fi networks. It simplifies the process of testing and attacking wireless networks by integrating multiple tools and automating tasks like capturing handshakes, cracking WEP and WPA keys, and targeting vulnerable networks based on their encryption methods. WiFite is particularly useful for penetration testers focusing on wireless security.

4
Q

Chris is conducting an on‐site penetration test. The test is a gray‐box test, and he is permitted on‐site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress.

Which of the following NAC systems would be the easiest for Chris to bypass?

A. A software client‐based system
B. A DHCP proxy
C. A MAC address filter
D. None of the above

A

A MAC address filter

If the NAC system relies only on MAC filtering, Chris only needs to determine the hardware address of a trusted system. This may be accessible simply by looking at a label on a laptop or desktop, or he may be able to obtain it via social engineering or technical methods.

5
Q

Chris is conducting an on‐site penetration test. The test is a gray‐box test, and he is permitted on‐site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress.

If Chris wants to set up a false AP, which tool is best suited to his needs?

A. Aircrack‐ng
B. Kismet
C. Wireshark
D. WiFite2

A

Aircrack‐ng

Aircrack‐ng has fake‐AP functionality built in, with tools that will allow Chris to identify valid access points, clone them, disassociate a target system, and then allow on‐path attacks.

6
Q

Chris is conducting an on‐site penetration test. The test is a gray‐box test, and he is permitted on‐site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress.

Once Chris has gained access to the network, what technique can he use to gather additional credentials?

A. ARP spoofing to allow an on‐path attack
B. Network sniffing using Wireshark
C. SYN floods
D. All of the above

A

ARP spoofing to allow an on‐path attack

Chris can use ARP spoofing to represent his workstation as a legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can conduct on‐path attacks. Network sniffing is useful after this to read traffic, but it isn’t useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials; thus, both options C and D are incorrect.

7
Q

What attack technique can allow the pentester visibility into traffic on VLANs other than their native VLAN?

A. MAC spoofing
B. Dot1q spoofing
C. ARP spoofing
D. Switch spoofing

A

Switch spoofing

Switch spoofing relies on a switch interface that is configured as either dynamic desirable, dynamic auto, or trunk mode, allowing an attacker to generate Dynamic Trunking Protocol (DTP) messages. The attacker can then access traffic from all VLANs.

8
Q

Dot1q spoofing

A

Dot1q spoofing, also known as VLAN hopping, is a network attack technique that exploits improper configuration of 802.1Q VLAN tagging to send traffic to unauthorized VLANs. The two primary methods of VLAN hopping are:

Double Tagging: The attacker sends packets with two VLAN tags. The outer tag is stripped by the first switch, and the second tag (intended for another VLAN) is processed by the next switch, redirecting the traffic to the targeted VLAN.

Switch Spoofing: The attacker configures their device to imitate a trunk port, allowing it to communicate with all VLANs on the switch.

Mitigation involves:
* disabling unused switch ports
* explicitly configuring access ports (not leaving them as dynamic)
* using private VLANs or VLAN Access Control Lists (VACLs)

9
Q

What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?

A. Bluesnarfing
B. Bluesniping
C. Bluejacking
D. Bluesending

A

Bluejacking

Bluejacking is an attack technique that attempts to send unsolicited messages via Bluetooth. Bluesnarfing attempts to steal information, whereas bluesniping is a term for long‐distance Bluetooth attacks. Bluesending is not a common term used for Bluetooth attacks as of this writing.

10
Q

Bluesnarfing

A

Bluesnarfing is a Bluetooth attack that involves unauthorized access to data on a Bluetooth-enabled device, such as contacts, messages, or files. Unlike Bluejacking, Bluesnarfing exploits vulnerabilities to gain access to sensitive information without the user’s knowledge.

11
Q

Bluejacking

A

Bluejacking is a Bluetooth attack where unsolicited messages are sent to nearby Bluetooth-enabled devices. It exploits the Bluetooth messaging feature but does not involve accessing or compromising the target device’s data.

12
Q

Bluesniping

A

Bluesniping is a long-range Bluetooth attack using directional antennas to intercept or exploit Bluetooth connections beyond their typical range. It targets vulnerabilities in Bluetooth implementations to gain unauthorized access to devices or data.

13
Q

Cassandra wants to attack a WPS‐enabled system. What attack technique can she use against it?

A. WPSnatch
B. Pixie dust
C. WPSmash
D. e‐Lint gathering

A

Pixie dust

Pixie dust attacks use brute force to identify the key for vulnerable WPS‐enabled routers due to poor key selection practices. The other options are made up.

14
Q

Pixie dust

A

Pixie Dust refers to an attack that exploits vulnerabilities in the Wi-Fi Protected Setup (WPS) protocol, specifically in its use of weak PINs. This offline attack takes advantage of predictable or poorly implemented randomization in WPS PIN generation, allowing attackers to brute-force the PIN and gain access to a network. Mitigation involves disabling WPS on routers to prevent exploitation.

15
Q

As part of a penetration test, Mariana uses a tool that uses the same username and password from a list on many target systems and then uses the next username and password from its list. Which of the following terms best describes the attack she is using?

A. Brute force
B. Dictionary
C. Hash cracking
D. Password spraying

A

Password spraying

Mariana is conducting a password spraying attack. Password spraying attacks use the same credentials against many systems, then try the next credential pairing. Hash cracking attempts to identify the original password that resulted in a given captured hash. Dictionary attacks use a word list along with a set of rules to modify those words to attempt a brute‐force attack. A brute‐force attack involves repeated tries using an algorithm or process to attempt to log in. When a question like this has multiple potentially correct answers, remember to answer with the most specific answer rather than a broad answer.

16
Q

Ian wants to drop a tool on a compromised system that will allow him to set up a reverse shell. Which of the following tools should he select?

A. Aircrack‐ng
B. Nmap
C. Netcat
D. Censys

A

Netcat

Netcat is the only tool from this list that can be used as a reverse shell. It can also be used for basic port scanning and a variety of other network attacks and testing purposes. Aircrack‐ng is used for network penetration testing, nmap is a port scanner, and Censys is a search engine that can be used for open source intelligence work.

17
Q

Censys

A

Censys is an open-source search engine and data platform that provides detailed information about internet-facing systems and devices. It scans the internet to collect data on exposed services, open ports, SSL certificates, and other system details. Penetration testers and researchers use Censys for reconnaissance and to identify potential vulnerabilities in networks.

18
Q

What drives the use of deauthentication attacks during penetration tests?

A. The desire to capture handshakes
B. Bluejacking attacks
C. Network stress or load testing
D. RFID cloning attacks

A

The desire to capture handshakes

Deauthenticating a system will result in reauthentication, creating the possibility of capturing handshakes from a target. Bluejacking, network stress testing, and RFID cloning attacks do not rely on deauthentication.

19
Q

Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass‐the‐hash attack?

A. Responder
B. Mimikatz
C. Ettercap
D. Metasploit

A

Mimikatz

Unlike the other options listed here, Mimikatz pulls hashes from the Local Security Authority Subsystem Service (LSASS) process. Since the question specifically notes “over the wire,” Mimikatz is the only tool that cannot be used for that.

20
Q

Mimikatz

A

Mimikatz is a post-exploitation tool designed to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory on Windows systems. It is widely used in penetration testing to demonstrate vulnerabilities in Windows authentication mechanisms, such as credential dumping or Pass-the-Hash attacks. Mitigation includes enabling Credential Guard, applying security patches, and minimizing local administrative rights.

21
Q

Ettercap

A

Ettercap is a network security tool used for man-in-the-middle (MITM) attacks and traffic analysis. It supports sniffing live connections, filtering packets, and injecting content into active sessions. Penetration testers often use Ettercap to intercept and manipulate communications on a local area network (LAN), making it a valuable tool for testing network security.

22
Q

For what type of activity would you use the tools HULK, LOIC, HOIC, and SlowLoris?

A. DDoS
B. SMB hash capture
C. DoS
D. Brute‐force SSH

A

DoS

All of these tools are denial‐of‐service tools. Although some of them have been used for DDoS attacks, they are not DDoS tools on their own.

23
Q

HULK

A

HULK (HTTP Unbearable Load King) is a denial-of-service (DoS) attack tool designed to overwhelm web servers with HTTP requests, exploiting server vulnerabilities to create resource exhaustion.

24
Q

LOIC

A

LOIC (Low Orbit Ion Cannon) is an open-source network stress testing and denial-of-service (DoS) tool. It floods a target server with TCP, UDP, or HTTP requests, overwhelming its resources and potentially causing service disruptions. Mitigation includes deploying intrusion detection/prevention systems (IDS/IPS), rate limiting, and DoS protection tools to detect and block malicious traffic.

25
Q

HOIC

A

HOIC (High Orbit Ion Cannon) is an open-source tool for conducting HTTP-based denial-of-service (DoS) attacks. It works by overwhelming web servers with a flood of HTTP requests, often leading to service disruptions. To defend against such attacks, organizations can use rate limiting, web application firewalls (WAFs), and advanced DoS protection mechanisms.

26
Q

SlowLoris

A

SlowLoris is a type of denial-of-service (DoS) attack that targets web servers by opening many partial HTTP connections and keeping them alive to exhaust server resources. This is achieved by sending incomplete HTTP headers at regular intervals, preventing the server from closing the connections and making it unavailable to legitimate users. Mitigation includes configuring timeouts for incomplete connections and using tools like web application firewalls (WAFs) to detect and block such attacks.

27
Q

During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?

A. RFID tagging
B. Tag nesting
C. Meta tagging
D. VLAN hopping

A

VLAN hopping

Mike is using nested tags inside a packet to attempt to hop VLANs. If he is successful, his packets will be delivered to the target system, but he will not see any response.

28
Q

Isaac wants to use arpspoof to execute an on‐path attack between target host 10.0.1.5 and a server at 10.0.1.25, with a network gateway of 10.0.1.1. What commands does he need to run to do this? (Choose two.)

A. arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.25
B. arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.1
C. arpspoof -i eth0 -t 255.255.255.255 -r 10.0.1.25
D. arpspoof -i eth0 -t 10.0.1.25 -r 10.0.1.5

A

A. arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.25
D. arpspoof -i eth0 -t 10.0.1.25 -r 10.0.1.5

Explanation

To fully execute an on‐path attack, Isaac needs to spoof both the server and the target so that they each think that his PC is the system they are sending to. Spoofing the gateway (10.0.1.1) or the broadcast address (255.255.255.255) will not serve his purposes.

29
Q

Jessica wants to list the domain password policy for a Windows domain as she prepares for a password attack against domain member systems. What net command can she use to do this?

A. net view /domainpolicy
B. net accounts /domain
C. net /viewpolicy
D. net domain /admin

A

net accounts /domain

The Windows net commands can display a wealth of information about a local domain, and the password policy can be reviewed by using the net accounts /domain command.

30
Q

Cynthia attempted a DNS poisoning attack. After her attempt, she does not see any traffic from her target system. What most likely happened to cause the attack to fail?

A. The DNS information was incorrect.
B. The injection was too slow.
C. The DNS cache was not refreshed.
D. The client did not receive a trusted response.

A

The injection was too slow.

Cynthia’s response needs to arrive before the legitimate DNS server. If her timing isn’t right, the legitimate response will be accepted.

31
Q

Elle wants to clone an RFID entry access card. Which type of card is most easily cloned using inexpensive cloning devices?

A. Low‐frequency 125 to 134.2 kHz card
B. Medium‐frequency 400 to 451 kHz card
C. High‐frequency 13.56 MHz card
D. Ultra‐high‐frequency 865 to 928 MHz card

A

Low‐frequency 125 to 134.2 kHz card

Low‐frequency RFID cards are often used for entry access cards, and are easily cloned using inexpensive commodity cloning devices. Medium‐frequency cards in the 400 to 451 kHz range do not exist, whereas high‐frequency cards are more likely to be cloned using a phone’s NFC capability. Ultra‐high‐frequency cards are less standardized, making cloning more complex.