CompTIA PenTest+ Certification Exam Objectives 2.0 Information Gathering and Vulnerability Identification Flashcards
What is host enumeration?
Host enumeration is the process of gaining specific particulars regarding a defined host.
It is not enough to know that a server or wireless access point is present; instead, we need to expand the attack surface by identifying open ports, the base operating system, services that are running, and supporting applications
This is highly intrusive and is considered active reconnaissance
This can be done by running ping sweeps on the network and looking for responses that indicate a target is live and capable of responding.
What is network enumeration?
Network enumeration is a process that involves gathering information about a network such as the hosts, connected devices, along with usernames, group information and related data.
Using protocols like ICMP and SNMP, network enumeration offers a better view of the network for either protection or hacking purposes
What is domain enumeration?
Domain enumeration enumeration is the process of finding valid (resolvable) domains
This also includes sub-domain enumeration and is an essential part of the reconnaissance phase
Enumerating domains can reveal a lot of domains/subdomains which increases the chances of finding vulnerabilities
WHOIS is a domain registrar information site that can reveal much on domains
What is user enumeration?
This is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system
This is often a web application vulnerability, though it can also be found in any system that requires user authentication
What is group enumeration?
Enumerating groups and members in a group typically in Active Directory and/or SMB
This can reveal the structure of an organizations internal users and administrators
Why enumerate network shares?
Network shares are shared resources amongst a system sharing these resources amongst multiple hosts.
This is useful for lateral movement
What is packet crafting?
Packet crafting is a technique that allows probing firewall rules and find entry points into a targeted system or network.
This is done by manually generating packets to test network devices and behavior.
What is packet inspection and what is its purpose?
Packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point
This is used to confirm how data moves in and out of a network and what is being blocked
What is fingerprinting?
Fingerprinting is a group of information that can be used to detect the software, network protocols, operating systems or hardware devices.
This is used to correlate data sets to identify network services, operating system number & version, software applications, databases, configurations and more
What is cryptography and how does it correlate with certificate inspection?
Also known as SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server
This could also allow pentester/adversary to hide malicious content be hidden in the encrypted traffic.
What are some examples of wireless and wired eavesdropping?
Also known as a sniffing or snooping attack, which is the theft of information as it is transmitted over a network by a computer, smartphone, or another connected device.
What is de compilation?
This is also known reverse engineering, where we de compile program/code/executable s to confirm what the function is which can also reveal weaknesses
What is debugging?
Debugging is the process of finding and resolving bugs (defects or problems that prevent correct operation) within computer programs, software or systems.
Bugs in software can also lead to vulnerabilities
What is CERT?
Computer Emergency Response Team (CERT)
This is a group of information security experts responsible for the protection against, detection of and response to an organizations cybersecurity incidents
CERT also conduct ongoing public awareness campaigns and engage in research aimed at improving security systems
What is NIST?
National Institute Standards and Technology
NIST certification is important because it supports and develops measurement standards for a particular service or product.
The NIST Framework involves:
- Identify
- Protect
- Detect
- Respond
- Recover
What is JPCert?
JPCert is the first Computer Security Incident Response Team (CSIRT) established in Japan.
The organization coordinates with network service providers, security vendors, government agencies, as well as the industry associations
What is CAPEC?
Common Attack Pattern Enumeration and Classification
CAPEC provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enable capabilities
CAPEC was formed by MITRE and describes different attack patterns as descriptions of the common attributes and approaches employed by adversaries to exploit known weaknesses in cyber-enabled capabilities
What is full disclosure?
This is where independent researches often discover flaws in software that can be abused to cause unintended behavior, these flaws are called vulnerabilities.
Full disclosure is the practice of publishing analysis of these vulnerabilities as early as possible, without restriction.
What is CVE?
Common Vulnerabilities and Exposure
This is a list of publicly disclosed computer security flaws.
These CVEs are assigned an ID number.
CVE is overseen by the MITRE corporation with funding from the CISA
CVEs are brief as they do not include technical data, information about risks, impacts and fixes/
What is CWE?
Common Weakness Enumeration
This is a list of common software and hardware weakness types that have security ramifications
These weaknesses are flaws, faults, bugs or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks or hardware being vulnerable to attack
What is a discovery scan?
A discovery scan identifies the operating system running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems
It uses nmap to perform basic TCP port scanning and runs additional scanner modules to gather more information about the hosts
What is a stealth scan?
-sS
Stealth scans are utilized to prevent the logging of a scan.
TCP SYN scans can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls
SYN scan is relatively unobtrusive and stealthy as it nevers completes the TCP connect`
What is a compliance scan?
Compliance scans are scans that focuses on the configuration settings being applied to a system.
Compliance scans assess adherence to a specific compliance framework.
What is container security and how is it applicable to pentesting?
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
This can be vulnerable as most cases show containers share the same library.
We can also conduct container analysis and vulnerability against said containers.
This scanning is done by scanning for vulnerabilities and metadata and also the images in Artifact Registry and Container registry.