CompTIA PenTest+ Certification Exam Objectives 3.0 Attacks and Exploits Flashcards
What is spear phishing?
Spear phishing is an email or electronic communication scam targeted at a specific individual, organization, or business.
It is typically intended to steal data for malicious purposes, but may also be used to install malware on a target's computer via a malicious attachment or link!
What is SMS phishing?
Also known as smishing
This is the act of committing text message fraud to try to lure victims into revealing account information or installing malware.
What is voice phishing?
Also known as vishing
This is the use of telephony to conduct phishing attacks.
What is whaling?
Whaling occurs when an attacker uses spear phishing methods to go after a large, high-profile target, such as the C-suite, but this could also include system administrators.
This depends heavily on compelling the target to act, usually under the guise of some urgency.
What is a BEC?
Business Email Compromise
This is a special type of phishing attack that is designed to impersonate senior executives and trick employees, customers, or vendors into wiring payment for goods or services to alternate bank accounts.
What is interrogation in relation to pentesting/hacking?
This is interrogating a specific target in order to gain confidential information, or to be pointed in the right direction toward it.
The target may be a receptionist at the target company, questioned to acquire information such as when employees are present in the building, shift information, etc.
What is impersonation in social engineering?
This is impersonating someone in order to trick targets into providing information or assisting with gaining access to authorized spaces within the target organization.
This could be dressing up as a plumber or ISP worker.
What is shoulder surfing?
Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers, passwords, and other confidential data by looking over the victim's shoulder.
What is the USB key drop technique?
This technique includes leaving a USB device for people to find and plug into their computers.
When plugged into a computer, it injects keystrokes that command the computer to give the hacker remote access to the victim's computer.
This preys on a victim's curiosity. If a pentester uses this tactic, they would typically configure the USB to simply send them an email to let them know which ass clown plugged in a random USB.
In social engineering, how is authority used?
Authority can be used by pretending you are a person of authority in order to make an organization's employee perform an unauthorized task.
Or this could be claiming you are someone who works with a person of authority, and that it was requested a certain task be completed.
This could be pretending to be from the legal department and/or organizational
In social engineering, how is scarcity used?
This would be emailing a target organization's employee claiming that something must be completed today, or that only one iPhone is left to win, so click this link.
ACT NOW
In social engineering, how is social proof used?
This occurs in social situations when people are unable to determine the appropriate mode of behavior.
If you see a group of people doing something, maybe you should too?
This can lead to a shitload of people making mistaken choices.
In social engineering, how is likeness utilized?
This is where an adversary/pentester uses their likability to build an interpersonal relationship, in the hope that the target will go along with poor decisions.
What is NETBIOS and how is this exploited?
NETBIOS is an acronym for Network Basic Input/Output System.
NETBIOS provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a LAN.
Traditionally, NETBIOS operates on 137/TCP, 138/UDP, and 139/TCP.
NetBIOS can reveal much information about a system, such as the computer name, the contents of the remote name cache (including IP addresses), a list of local NetBIOS names, a list of names resolved by broadcast, and the contents of the session table with the destination IP addresses.
What is LLMNR and what are some vulnerabilities associated with this?
Link-Local Multicast Name Resolution
This is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
This is found in Windows and uses UDP port 5355.
LLMNR can be vulnerable to spoofing/man-in-the-middle attacks.
When requests are intercepted, the adversary/tester can respond "I know where that server is; in fact, I am that server", allowing the attacker to capture whatever traffic comes next.
What is SMB and what are some vulnerabilities associated with this?
Server Message Block is a communication protocol for providing shared access to files, printers and serial ports between nodes on a network.
It also provides authentication mechanisms.
SMBv1 is known to be vulnerable to EternalBlue, as SMBv1 mishandles specially crafted packets from remote attackers, allowing remote execution of arbitrary code on the target computer.
What is SNMP and what are some weaknesses associated with this?
Simple Network Management Protocol
SNMP is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
Operates on ports 161 and 162.
There are three versions of SNMP:
SNMPv1 (Unencrypted)
SNMPv2 (Unencrypted)
SNMPv3 (Encrypted and requires authentication)
So using SNMPv1 and SNMPv2 can be insecure.
What is SMTP and what are some weaknesses associated with this?
Simple Mail Transfer Protocol
SMTP is an Internet Standard communication protocol for electronic mail transmission.
Mail servers and other message transfer agents use SMTP to send and receive mail messages; it uses port 25.
Weaknesses associated with SMTP:
- Unauthorized access to your emails and data leakage
- Spam and Phishing
- Malware
- DoS Attacks
What is FTP?
File Transfer Protocol
FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.
FTP is built on a client-server model architecture, using separate control and data connections between the client and the server.
Uses port 21 for control and 20 for data transfer.
Weaknesses associated with FTP:
- FTP lacks security, as it is a non-secure way to transfer data
- Encryption isn't a given
- FTP can be vulnerable to attack
- Compliance is an issue
- It's difficult to monitor activity
What is DNS Cache Poisoning?
Also known as DNS Spoofing
DNS Cache Poisoning is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.
What is PtH?
Pass the Hash
This attack is a technique whereby an attacker captures a password hash (as opposed to password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.
The threat actor doesn't need to decrypt the hash to obtain a plaintext password.
PtH attacks exploit the authentication protocol, as the password's hash remains static for every session until the password is rotated.
Attackers commonly obtain hashes by scraping a system's active memory, among other techniques.
While this can occur on Linux/Unix systems, it is most prevalent in Windows SSO, NT LAN Manager (NTLM), Kerberos, and other authentication protocols.
Windows stores hashes in the Security Accounts Manager (SAM) and the Local Security Authority Subsystem Service (LSASS).
What is ARP Spoofing?
ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP messages over a local area network.
This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
ARP Spoofing can enable malicious parties to intercept, modify or even stop data in-transit.
What is a replay attack?
A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.
What is a relay attack?
An attacker intercepts communication between two parties and then, without viewing or manipulating it, relays it to another device.
For example, a thief could capture the radio signal from your vehicle's key fob and relay it to an accomplice, who could use it to open your car door.
The main difference between a MITM and a relay attack is that, in a relay attack, neither the sender nor the receiver needs to have initiated any communication between the two.
What is SSL Stripping?
SSL stripping is a technique by which a website connection is downgraded from HTTPS to HTTP.
In other words, the attack is used to circumvent the security enforced by SSL certificates on HTTPS sites. This is also known as SSL downgrading.
What is a NAC and how is it bypassed?
Network Access Control
NACs operate on wired and wireless networks by finding and identifying the different devices that are connected to and can access the existing system.
NACs restrict unauthorized access to internal networks based on identity and security posture.
NACs can be bypassed by spoofing a device that has previously authenticated to the NAC.
What is VLAN Hopping?
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN.
The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible.
This can be achieved by switch spoofing and double tagging.
What is a karma attack?
A karma attack is an attack that exploits a behavior of some Wi-Fi devices, combined with the lack of access point authentication in numerous Wi-Fi protocols.
This attack is a variant of the evil twin attack.
A hacker tricks you into joining a Wi-Fi network under their control. These fake access points are configured to resemble legitimate access points, such as "Starbucks Wireless" when the real one is just "Starbucks".
What is a de-authentication attack?
A deauthentication attack is a disruptive technique against wireless connections.
These attacks consist of fraudulent requests that interfere with the communication between routers and devices.
This attack focuses on 802.11-based wireless networks, as they require deauthentication frames whenever users terminate connections.
What are fragmentation attacks?
Fragmentation occurs when IP datagrams are broken apart into smaller packets, transmitted across a network, and finally reassembled into the original datagram as part of normal communications.
An attacker can employ IP fragmentation to target communications systems, as well as security components.
What is a credential harvesting attack?
Credential harvesting comes in many forms, but the goal remains the same: obtain end-user credentials.
This can be done with:
Man-in-the-middle attacks
DNS Poisoning
Phishing
This can also be done with CSRF, when a user authenticates to a fake website created by a naughty mf.