Comptia Pentest+ Flashcards

1
Q

What is Threat Hunting?

A

Threat hunters use the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. They ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence.

2
Q

How would you describe WHOIS tools?

A

WHOIS tools gather information from public records about domain ownership. WHOIS allows you to search databases of registered users of domains and IP address blocks and can provide useful information about an organization or individual based on their registration information.

3
Q

How would you describe FOCA?

A

FOCA (Fingerprinting Organizations with Collected Archives) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. FOCA scans using a search engine—either Google, Bing, or DuckDuckGo—and then compiles metadata information from files such as Microsoft Office documents, PDF files, and other file types like SVG and InDesign files.

4
Q

How would you describe Hping?

A

Hping is a command‐line tool that allows testers to artificially generate network traffic.

5
Q

What is Metadata?

A

Metadata is not the data itself contained within the file (such as the report you wrote for your college English class) but rather data about the data in that file. Metadata provides information such as the author, the company that created it, the title, and the subject.

6
Q

What is Certificate Pinning?

A

Certificate pinning associates a remote system with a specific, known certificate (or public key) that the client expects to see. This means that if the certificate changes, the remote system will no longer be recognized and the client shouldn’t be able to visit it. Pinning can cause issues, particularly if an organization uses data loss prevention (DLP) proxies that intercept traffic. Pinning can still work in that case if the interception proxy’s certificate is also added to the pinning list, called a pinset.

7
Q

How would you describe a Master Service Agreement (MSA)?

A
8
Q

How would you describe the MITRE ATT&CK Framework?

A

MITRE provides the ATT&CK Framework (which stands for Adversarial Tactics, Techniques, and Common Knowledge), a knowledge base of adversary tactics and techniques. The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from initial access through execution, persistence, privilege escalation, and exfiltration. At each level, it lists techniques and components, allowing threat assessment modeling to leverage common descriptions and knowledge.

9
Q

How would you describe a Statement of Work (SOW)?

A

A document that defines the purpose of the work, what work will be done, what deliverables will be created, the timeline for the work to be completed, the price for the work, and any additional terms and conditions that cover the work.

10
Q

How would you describe GLBA?

A

GLBA, the Gramm–Leach–Bliley Act, regulates how financial institutions handle personal information of individuals. It requires companies to have a written information security plan that describes processes and procedures intended to protect that information, and covered entities must also test and monitor their efforts.

11
Q

How would you describe Rules of Engagement (ROE)?

A

The rules of engagement (ROE) is a document that outlines the scope, objectives, and limitations of a penetration testing engagement. One of the most important aspects that should be included in the ROE is the testing restrictions: a list of specific systems, networks, or devices that are out of bounds for the testers.

12
Q

How would you describe methodology in Pentesting?

A

In terms of penetration testing, it refers to the systematic approach that a penetration tester is going to use before, during, and after a test, assessment, or engagement. A methodology is simply a structured approach to penetration testing. There are different penetration testing methodologies available.

13
Q

What is Metagoofil?

A

Metagoofil is a Linux-based tool that can search the metadata associated with public documents located on a target’s website. This tool relies on the Python scripting language to locate metadata in different types of files, including Microsoft Word, Excel, and PowerPoint documents.

14
Q

What is Censys?

A

Censys is a website search engine used for finding hosts and networks across the Internet, with data about their configuration. Much like Shodan, Censys is a security‐oriented search engine. When you dig into a host in Censys, you will also discover GeoIP information if it is available, a comprehensive summary of the services the host exposes, and drill‐down links for highly detailed information.

15
Q

What is Maltego?

A

Maltego is a piece of commercial software used for conducting open-source intelligence that visually helps connect the relationships it discovers. It can automate the querying of public sources of data and then compare the results with other information from various sources.

16
Q

How would you describe CWE?

A

The Common Weakness Enumeration (CWE) is another community‐developed list. CWE tackles a broad range of software weaknesses and breaks them down by research concepts, development concepts, and architectural concepts.

17
Q

How would you describe Wardriving?

A

Gathering information about wireless networks can involve a technique known as wardriving. Wardriving is the process of scanning for wireless networks while mobile (usually in a car), but walking through open areas is a common process too—although some might insist on calling it warwalking.

18
Q

How is Service Identification performed?

A

Service identification is usually done in one of two ways: either by connecting and grabbing the banner or connection information provided by the service or by comparing its responses to the signatures of known services.

19
Q

Describe Service Identification and Port Scanning.

A

Service identification is one of the most common tasks that a penetration tester will perform while conducting active reconnaissance. Identifying services provides a list of potential targets, including vulnerable services, services you can test using credentials you have available, or services from which you can simply gather further information. Service identification is often done using a port scanner.

Port scanning tools are designed to send traffic to remote systems and then gather the responses, which provide information about the systems and the services they offer. That makes them one of the most frequently used tools in a pentester's toolkit, and thus something you'll see featured throughout the exam.

20
Q

How is Operating System Fingerprinting performed?

A

Using nmap -O

The ability to identify an operating system based on the network traffic that it sends is known as operating system fingerprinting, and it can provide useful information when performing reconnaissance. This is typically done using TCP/IP stack fingerprinting techniques that focus on comparing responses to TCP and UDP packets sent to remote hosts. Differences in how operating systems and even operating system versions respond, what TCP options they support, the order in which they send packets, and a host of other details can often provide a good guess at what OS the remote system is running.

21
Q

How would you describe NMAP?

A

Nmap is the most commonly used command‐line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. In addition, it provides support for operating system fingerprinting, service identification, and many other capabilities. Nmap scans 1,000 of the most commonly used ports as part of its default scan.

22
Q

Describe the below NMAP flags:

-p-

-sA

-sT

-sU

-sS

-T0 - T5

-Pn

-O

-iL

-oX

-oN

-oA

-oG

A

-p- == scans the full 1–65535 port range; ports can also be specified by name, e.g. -p http.

-sA == conducts a TCP ACK scan and is most frequently used to test firewall rulesets. This can help determine whether a firewall is stateful, but it can’t determine whether a port is open or closed.

-sT == performs a TCP connect scan using a system call, allowing you to use it on systems where you don’t have the privileges to craft raw packets. It also supports IPv6 scans, which don’t work with a SYN scan.

-sU == performs a UDP scan, allowing you to identify UDP‐based services, but it does not perform a TCP scan.

-sS == performs a TCP SYN (stealth) scan, which is frequently used because it is very fast and is considered stealthier than a connect scan since it does not complete the TCP handshake, although it is increasingly likely to be detected by modern firewalls and security systems.

-T0 to -T5 == timing templates that control scan speed. -T0 runs an exceptionally slow scan, whereas -T5 is very fast and aggressive. Some testers use the paranoid or sneaky setting to attempt to avoid intrusion detection systems or to limit bandwidth use. As you might suspect, ‐T3, or normal, is the default speed for Nmap scans.

-Pn == disables the ping (host discovery) step.

-O == OS detection.

-iL == reads targets from an input file.

-oX == output in XML format.

-oN == output in normal (text) format.

-oA == all output formats at once (XML, normal, and greppable).

-oG == output in greppable format.
