CompTIA PenTest+ Certification Exam Objectives 2.0 Information Gathering and Vulnerability Identification Flashcards

1
Q

What is host enumeration?

A

Host enumeration is the process of gathering specific details about a particular host.

It is not enough to know that a server or wireless access point is present; instead, we need to expand the attack surface by identifying open ports, the base operating system, the services that are running, and supporting applications.

This is highly intrusive and is considered active reconnaissance.

This can be done by running ping sweeps on the network and looking for responses that indicate a target is live and capable of responding.

2
Q

What is network enumeration?

A

Network enumeration is a process that involves gathering information about a network, such as its hosts and connected devices, along with usernames, group information and related data.

Using protocols like ICMP and SNMP, network enumeration offers a better view of the network for either protection or hacking purposes.

3
Q

What is domain enumeration?

A

Domain enumeration is the process of finding valid (resolvable) domains.

This also includes sub-domain enumeration and is an essential part of the reconnaissance phase.

Enumerating domains can reveal a large number of domains and subdomains, which increases the chances of finding vulnerabilities.

WHOIS, a lookup service for domain registration information, can reveal a great deal about domains.

4
Q

What is user enumeration?

A

This is when a malicious actor uses brute-force techniques to either guess or confirm valid users in a system.

This is often a web application vulnerability, though it can also be found in any system that requires user authentication.

5
Q

What is group enumeration?

A

Enumerating groups and the members of each group, typically in Active Directory and/or SMB.

This can reveal the structure of an organization's internal users and administrators.

6
Q

Why enumerate network shares?

A

Network shares are resources on a system that are shared with multiple hosts.

This is useful for lateral movement.

7
Q

What is packet crafting?

A

Packet crafting is a technique that allows a tester to probe firewall rules and find entry points into a targeted system or network.

This is done by manually generating packets to test network devices and their behavior.

8
Q

What is packet inspection and what is its purpose?

A

Packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point.

This is used to confirm how data moves in and out of a network and what is being blocked.

9
Q

What is fingerprinting?

A

Fingerprinting is the collection of information that can be used to identify software, network protocols, operating systems or hardware devices.

This is used to correlate data sets to identify network services, operating system name and version, software applications, databases, configurations and more.

10
Q

What is cryptography and how does it correlate with certificate inspection?

A

Certificate inspection, also known as SSL inspection, is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server.

This could also allow a pentester or adversary to hide malicious content in the encrypted traffic.

11
Q

What are some examples of wireless and wired eavesdropping?

A

Eavesdropping, also known as a sniffing or snooping attack, is the theft of information as it is transmitted over a network by a computer, smartphone, or another connected device.

12
Q

What is decompilation?

A

This is also known as reverse engineering, where we decompile programs, code or executables to confirm what a function does, which can also reveal weaknesses.

13
Q

What is debugging?

A

Debugging is the process of finding and resolving bugs (defects or problems that prevent correct operation) within computer programs, software or systems.

Bugs in software can also lead to vulnerabilities.

14
Q

What is CERT?

A

Computer Emergency Response Team (CERT)
This is a group of information security experts responsible for the protection against, detection of and response to an organization's cybersecurity incidents.

A CERT also conducts ongoing public awareness campaigns and engages in research aimed at improving security systems.

15
Q

What is NIST?

A

National Institute of Standards and Technology
NIST certification is important because NIST supports and develops measurement standards for a particular service or product.

The NIST Framework involves:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
16
Q

What is JPCert?

A

JPCert is the first Computer Security Incident Response Team (CSIRT) established in Japan.

The organization coordinates with network service providers, security vendors, government agencies, as well as industry associations.

17
Q

What is CAPEC?

A

Common Attack Pattern Enumeration and Classification
CAPEC provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC was formed by MITRE and describes different attack patterns as descriptions of the common attributes and approaches employed by adversaries to exploit known weaknesses in cyber-enabled capabilities.

18
Q

What is full disclosure?

A

Independent researchers often discover flaws in software that can be abused to cause unintended behavior; these flaws are called vulnerabilities.

Full disclosure is the practice of publishing analysis of these vulnerabilities as early as possible, without restriction.

19
Q

What is CVE?

A

Common Vulnerabilities and Exposures

This is a list of publicly disclosed computer security flaws.

Each CVE is assigned an ID number.

CVE is overseen by the MITRE Corporation with funding from CISA.

CVE entries are brief, as they do not include technical data or information about risks, impacts or fixes.

20
Q

What is CWE?

A

Common Weakness Enumeration

This is a list of common software and hardware weakness types that have security ramifications.

These weaknesses are flaws, faults, bugs or other errors in software or hardware implementation, code, design, or architecture that, if left unaddressed, could result in systems, networks or hardware being vulnerable to attack.

21
Q

What is a discovery scan?

A

A discovery scan identifies the operating systems running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems.

It uses nmap to perform basic TCP port scanning and runs additional scanner modules to gather more information about the hosts.

22
Q

What is a stealth scan?

A

-sS

Stealth scans are used to avoid the scan being logged.

TCP SYN scans can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.

A SYN scan is relatively unobtrusive and stealthy, as it never completes the TCP connection.

23
Q

What is a compliance scan?

A

Compliance scans focus on the configuration settings applied to a system.

Compliance scans assess adherence to a specific compliance framework.

24
Q

What is container security and how is it applicable to pentesting?

A

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

Containers can be vulnerable because, in most cases, they share the same libraries.

We can also conduct container analysis and vulnerability scanning against these containers.

This scanning checks for vulnerabilities and metadata in the images stored in Artifact Registry and Container Registry.

25
Q

What is dynamic application security testing?

A

Also known as DAST.

This is a program which communicates with a web application through the web front-end to identify potential security vulnerabilities in the web application and architectural weaknesses.

This is typically used in a black box test where source code is not provided and therefore cannot be analyzed.

The difference is that the code is actually running (dynamic), and the test exercises query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection.

26
Q

What is static application security testing?

A

Also known as SAST

This is static analysis of a web application: a testing methodology that analyzes source code to find security vulnerabilities that make your organization's application susceptible to attack.

SAST scans an application before the code is compiled and is usually used in a white box test.

27
Q

When running vulnerability scans, what are some considerations?

A

Time to run scans - Some customers may not want you to scan during peak business hours, as this could affect bandwidth and performance.

Protocols used

Network topology

Query throttling - This refers to scanning in increments to mitigate performance issues.

Fragile systems/non-traditional systems - Keep these in mind, as legacy systems typically suffer from all of the above issues to a greater degree.

28
Q

What are some considerations when conducting asset categorization?

A

The point of categorizing assets is to confirm which systems contain what data and serve what purpose.

This helps establish what kinds of classified information exist in the company and where it resides.

Doing this can assist in assigning the criticality of a system.

29
Q

What is the purpose of prioritizing vulnerabilities?

A

This is primarily done based on the risk level of the vulnerability and the system it is on.

We can determine the risk level by using the Common Vulnerability Scoring System (CVSS), which rates the criticality of a vulnerability from 1 to 10 (10 being the most critical).

Some would argue that a medium-severity vulnerability should be prioritized before a high-severity vulnerability on an internal asset.

This is due to the probability of the vulnerability being exploited.

30
Q

What is vulnerability mapping to potential exploits?

A

Vulnerability mapping is an activity carried out to identify security flaws which can result in the compromise of a system.

This step typically follows once the tester/adversary has adequately conducted information gathering and enumeration of the target network or host.

31
Q

What is cross-compiling mode?

A

Cross compiling is used to create executable code for a platform/architecture other than the one on which the compiler is running.

An example of this would be a compiler that runs on a PC but generates code that runs on an Android smartphone.

This is necessary to compile code for multiple platforms from one development

32
Q

What is exploit modification?

A

Also known as exploit customization, where a publicly known exploit may need to be customized in order to successfully attack a system.

The pentester/hacker should be able to customize these exploits so that they deploy successfully against different operating systems and compromise them.

33
Q

What is exploit chaining?

A

An exploit chain is an attack that involves multiple exploits or attacks that are chained together to fully compromise a device.

In these attacks, hackers/pentesters cannot use a single exploit to compromise their target, but instead combine a series of exploits that ultimately lead to malware being installed on a device, which can lead to the loss of critical and sensitive data.

34
Q

What is proof of concept for exploit development?

A

A PoC exploit is a non-harmful attack against a computer or network.

PoC exploits are not meant to cause harm, but to show security weaknesses within software.

This can help companies patch and remediate before an actual attack.

35
Q

What is social engineering?

A

Social engineering is the psychological manipulation of people into performing actions or divulging information.

This comes in some of the following forms:
Baiting - Enticing victims into inadvertently compromising their security
Honey trap - Creating a fake source/website that entices people to visit in order to harvest credentials/PII
Pretexting - A situation created by an attacker in order to lure a victim into a vulnerable position and trick them into giving up private information, specifically information they would not normally give away (e.g. dressing up as a service provider in order to gain access to confidential areas)

36
Q

What is credential brute forcing?

A

A brute force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

The attacker systematically checks all possible passwords and passphrases until the correct one is found.

37
Q

What is a dictionary attack?

A

A dictionary attack uses a preselected library of words and phrases to guess possible passwords.

It operates under the assumption that users tend to pull from a basic list of passwords, but there are exceptions to this; a wordlist can be narrowed down by enumerating users.

38
Q

What is a rainbow table and attack?

A

A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes.

A rainbow table attack is when a pentester/hacker matches a captured password hash against the precomputed table to recover the password.

39
Q

What is an ICS and what are some weaknesses associated with this system?

A

Industrial Control Systems

These systems lack authentication controls, which can result in remote code execution, provide unauthorized access, or help potential cyber criminals trigger a DoS attack, rendering the equipment unusable.

ICS cannot ensure proper authentication, encryption, trust chaining and secure boot.

40
Q

What is a SCADA and what are some associated weaknesses?

A

Supervisory Control and Data Acquisition
These systems collect data that helps plant supervisors make critical decisions based on real-time information through a Human Machine Interface (HMI).

HMIs can be modified to gain control over processes and/or steal critical information.

41
Q

What are IoT devices and what are some weaknesses/vulnerabilities associated with these devices?

A

Internet of Things

The vulnerabilities associated with these devices include default/weak password protection, lack of regular patches and updates, insecure interfaces, and insufficient data protection.

IoT devices are also sometimes not accounted for, as they may not be used daily.

42
Q

What are embedded systems and what are some vulnerabilities associated with them?

A

An embedded system is a computer system, or combination of computer processors, that has a dedicated function within a larger mechanical or electrical system.

Examples include mobile phones, video game consoles, DVD players and GPS units.

Vulnerabilities associated with these devices include:
Programming errors
Web-Based vulnerabilities
Weak access controls or authentication

43
Q

What is a Point of Sale System and what are some vulnerabilities associated with these devices?

A

These are systems that allow customers to pay for their purchases.

A POS system is the hardware and software used to record financial transactions.

Often, these systems have default vendor credentials, and malware can be installed to infiltrate them, stealing retailer credentials, etc.

44
Q

What are bio-metric systems and what are some vulnerabilities associated with these systems?

A

Biometric systems (typically scanners) are hardware used to capture biometric data for identity verification.

These scans are matched against the saved database to approve or deny access to the system.

These systems may be vulnerable to spoofing, denial of service, and identity theft.

45
Q

What are RTOS and what are some vulnerabilities associated with these systems?

A

A real-time operating system is an OS intended to serve real-time applications that process data as it comes in, typically without buffering delays.

These are typically found in robotics, cameras, and communication systems.

These systems process data quickly, which can aid adversaries in inputting malicious data quickly without many controls to mitigate it.