CompTIA PenTest+ Certification Exam Objectives 2.0 Information Gathering and Vulnerability Identification Flashcards
What is host enumeration?
Host enumeration is the process of gaining specific particulars regarding a defined host.
It is not enough to know that a server or wireless access point is present; instead, we need to expand the attack surface by identifying open ports, the base operating system, services that are running, and supporting applications
This is highly intrusive and is considered active reconnaissance
This can be done by running ping sweeps on the network and looking for responses that indicate a target is live and capable of responding.
What is network enumeration?
Network enumeration is a process that involves gathering information about a network such as the hosts, connected devices, along with usernames, group information and related data.
Using protocols like ICMP and SNMP, network enumeration offers a better view of the network for either protection or hacking purposes
What is domain enumeration?
Domain enumeration enumeration is the process of finding valid (resolvable) domains
This also includes sub-domain enumeration and is an essential part of the reconnaissance phase
Enumerating domains can reveal a lot of domains/subdomains which increases the chances of finding vulnerabilities
WHOIS is a domain registrar information site that can reveal much on domains
What is user enumeration?
This is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system
This is often a web application vulnerability, though it can also be found in any system that requires user authentication
What is group enumeration?
Enumerating groups and members in a group typically in Active Directory and/or SMB
This can reveal the structure of an organizations internal users and administrators
Why enumerate network shares?
Network shares are shared resources amongst a system sharing these resources amongst multiple hosts.
This is useful for lateral movement
What is packet crafting?
Packet crafting is a technique that allows probing firewall rules and find entry points into a targeted system or network.
This is done by manually generating packets to test network devices and behavior.
What is packet inspection and what is its purpose?
Packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point
This is used to confirm how data moves in and out of a network and what is being blocked
What is fingerprinting?
Fingerprinting is a group of information that can be used to detect the software, network protocols, operating systems or hardware devices.
This is used to correlate data sets to identify network services, operating system number & version, software applications, databases, configurations and more
What is cryptography and how does it correlate with certificate inspection?
Also known as SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server
This could also allow pentester/adversary to hide malicious content be hidden in the encrypted traffic.
What are some examples of wireless and wired eavesdropping?
Also known as a sniffing or snooping attack, which is the theft of information as it is transmitted over a network by a computer, smartphone, or another connected device.
What is de compilation?
This is also known reverse engineering, where we de compile program/code/executable s to confirm what the function is which can also reveal weaknesses
What is debugging?
Debugging is the process of finding and resolving bugs (defects or problems that prevent correct operation) within computer programs, software or systems.
Bugs in software can also lead to vulnerabilities
What is CERT?
Computer Emergency Response Team (CERT)
This is a group of information security experts responsible for the protection against, detection of and response to an organizations cybersecurity incidents
CERT also conduct ongoing public awareness campaigns and engage in research aimed at improving security systems
What is NIST?
National Institute Standards and Technology
NIST certification is important because it supports and develops measurement standards for a particular service or product.
The NIST Framework involves:
- Identify
- Protect
- Detect
- Respond
- Recover
What is JPCert?
JPCert is the first Computer Security Incident Response Team (CSIRT) established in Japan.
The organization coordinates with network service providers, security vendors, government agencies, as well as the industry associations
What is CAPEC?
Common Attack Pattern Enumeration and Classification
CAPEC provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enable capabilities
CAPEC was formed by MITRE and describes different attack patterns as descriptions of the common attributes and approaches employed by adversaries to exploit known weaknesses in cyber-enabled capabilities
What is full disclosure?
This is where independent researches often discover flaws in software that can be abused to cause unintended behavior, these flaws are called vulnerabilities.
Full disclosure is the practice of publishing analysis of these vulnerabilities as early as possible, without restriction.
What is CVE?
Common Vulnerabilities and Exposure
This is a list of publicly disclosed computer security flaws.
These CVEs are assigned an ID number.
CVE is overseen by the MITRE corporation with funding from the CISA
CVEs are brief as they do not include technical data, information about risks, impacts and fixes/
What is CWE?
Common Weakness Enumeration
This is a list of common software and hardware weakness types that have security ramifications
These weaknesses are flaws, faults, bugs or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks or hardware being vulnerable to attack
What is a discovery scan?
A discovery scan identifies the operating system running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems
It uses nmap to perform basic TCP port scanning and runs additional scanner modules to gather more information about the hosts
What is a stealth scan?
-sS
Stealth scans are utilized to prevent the logging of a scan.
TCP SYN scans can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls
SYN scan is relatively unobtrusive and stealthy as it nevers completes the TCP connect`
What is a compliance scan?
Compliance scans are scans that focuses on the configuration settings being applied to a system.
Compliance scans assess adherence to a specific compliance framework.
What is container security and how is it applicable to pentesting?
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
This can be vulnerable as most cases show containers share the same library.
We can also conduct container analysis and vulnerability against said containers.
This scanning is done by scanning for vulnerabilities and metadata and also the images in Artifact Registry and Container registry.
What is dynamic application security testing?
Also known as DAST.
This is a program which communicates with a web application through the web front-end to identify potential security vulnerabilities in the web application and architectural weaknesses.
This is typically used in a black box test where static code is not provided therefore can not be analyzed.
The difference here is the source code is actually running (dynamic) and assist with querying strings, headers, fragments, verbs (GET/POST/PUT) and DOM injections
What is static application security testing?
Also known as SAST
This is static analysis of a web application as a testing methodology that analyzes source code to find security vulnerabilities that make your organizations application susceptible to attack.
SAST scans an application before the code is compiled and is usually utilized in a white box test
When running vulnerability scans, what are some considerations?
Time to run scans - Some customers may not want you scan during peak business hours as this could hinder bandwidth and performance
Protocols used
Network Topology
Query throttling - This refers to scanning in increments to mitigate performance issues
Fragile systems/non-traditional systems - Keep this in mind as legacy systems can have all the above issues more so (typically)
What are some considerations when conducting asset categorization?
The point or categorizing assets is typically due to confirming what systems contain what data/purpose.
This helps establish what kinds of classified information exist in the company and where it resides.
Doing this can assist in assigning the criticality of a system
What is the purpose of prioritizing vulnerabilities?
This is primarily done based on the risk level of the vulnerability and what system it is on
We can determine the risk level by utilizing the Common Vulnerability Scoring System (CVSS) which rates criticality of a vulnerability from 1 to 10 (10 being the most criticial)
Some would argue a medium vulnerability would be prioritized before an internal asset with a high vulnerability.
This is due to the probability of the vulnerability being exploited.
What is vulnerability mapping to potential exploits?
Vulnerability mapping is an activity carried out to identify security flaws which can result in the compromise of a system.
This step typically follows after the tester/adversary has adequately conducted information gathering and enumeration of the target network or host.
What is cross-compiling mode?
Cross compiling is used to create executable code for a platform/architecture other than the one on which the compiler is running.
An example of this would be a compiler that runs on a PC but generates code that runs on an Android smartphone
This is necessary to compile code for multiple platforms from one development
What is exploit modification?
Also known as exploit customization, where a publicly known exploit may need to be customized in order to successfully attack a system.
The pentester/hacker should be able to customize these exploits to successfully deploy to different operating systems and successfully compromise them
What is exploit chaining?
An exploit chain is an attack that involves multiple exploits or attacks that are chained together to fully compromise a device.
In these attacks hackers/pentesters cannot use a single exploit to compromise their target but instead can combine a series of exploits that ultimately lead to malware getting installed on a device, which can lead to the loss of critical and sensitive data.
What is proof of concept for exploit development?
A PoC exploit is a non-harmful attack against a computer or network.
PoC exploits are not meant to cause harm, but to show security weaknesses within software.
This can assist companies patch and remediate before an actual attack
What is social engineering?
Social engineering is the psychological manipulation of people into performing actions or divulging information
This comes in some of the following forms:
Baiting - Enticing victims into inadvertently compromising their security
Honey trap - Creating a fake source/website that entices people to visit in order to harvest credentials/PII
Pretexting - This involves a situation created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that would not normally give away (Dressing up a service provider in order to gain access to confidential areas)
What is credential brute forcing?
A brute force attack consist of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.
The attacker systematically checks all possible passwords and passphrases until the correct one is found
What is a dictionary attack?
A dictionary attack uses a preselected library of words and phrases to guess possible passwords.
It operates under the assumption that users tend to pull from a basic list of passwords, BUT there are exceptions to this, we can narrow down a wordlist by enumerating users
What is a rainbow table and attack?
A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes.
A rainbow table attack is when a pentester/hacker matches the hash function
What is an ICS and what are some weaknesses associated with this system?
Industrial Control Systems
These systems lack authentication controls which can result in remote code execution, provide unauthorized access or assist potential cyber criminals in triggering a DoS attack, rendering the equipment unusable
ICS cannot ensure proper authentication, encryption, trust chaining and secure boots.
What is a SCADA and what are some associated weaknesses?
Supervisory Control and Data Acquisition
These systems collect data that help plant supervisors make critical decisions based on real-time information through a Human Machine Interface (HMI)
HMIs can be modified to gain control over processes and/or steal critical information
What are IoT devices and what are some weaknessess/vulnerabilities associated with these devices?
Internet of Thing
The vulnerabilities associated with these devices can be default/weak password protection, lack of regular patches and updates, insecure interfaces, insufficient data protection,
Also, IoT are sometimes not accounted for as they may not be utilized daily
What are embedded systems and what are some vulnerabilities associated with them?
Am embedded system is a computer system, or combination of a computer processes, that has a dedicated function within a larger mechanical or electronical
This can be mobile phones, video game consoles, DVD players and GPS’
Vulnerabilities associated with these devices include:
Programming errors
Web-Based vulnerabilities
Weak access controls or authentication
What is a Point of Sale System and what are some vulnerabilities associated with these devices?
These are systems that allow customers to pay for their purchases.
A POS system is the hardware and software used to record financial transactions.
Often times, these systems have default vendor credentials, malware can be installed to infiltrate. stealing retailer credentials etc
What are bio-metric systems and what are some vulnerabilities associated with these systems?
Biometrics (typically scanners) are hardware used to capture the biometrics for verification of identity.
These scans match against the saved database to approve or deny access to the system.
These systems may be vulnerable to spoofing, denial of service, identity theft.
What are RTOS and what are some vulnerabilities associated with these systems?
Real-time operating system is an OS intended to server-real time applications that process data as it comes in, typically without buffer delays
These a typically found in robotics, cameras, and communication systems.
These systems process data quickly, which can aid adversaries with inputting malicious data quickly without many controls to mitigate
