CompTIA PenTest+ Certification Exam Objectives 3.0 Attacks and Exploits Flashcards

1
Q

What is spear phishing?

A

Spear phishing is an email or electronic communication scam targeted towards a specific individual, organization or business.

Typically intended to steal data for malicious purposes, but it may also be used to install malware on a target's computer via a malicious attachment or link.

2
Q

What is SMS phishing?

A

Also known as smishing

This is the act of committing text message fraud to try to lure victims into revealing account information or installing malware.

3
Q

What is voice phishing?

A

Also known as vishing

This is the use of telephony to conduct phishing attacks.

4
Q

What is whaling?

A

Whaling occurs when an attacker uses spear phishing methods to go after a large, high-profile target, such as the C-suite, but this could also include administrators of systems.

This depends heavily on compelling the target, usually under the guise of some urgency.

5
Q

What is a BEC?

A

Business Email Compromise

This is a special type of phishing attack that is designed to impersonate senior executives and trick employees, customers or vendors into wiring payment for goods or services to alternate bank accounts.

6
Q

What is interrogation in relation to pentesting/hacking?

A

This would be interrogating a specific target in order to gain confidential information, or to be pointed in the right direction toward it.

The target might be a receptionist at the target company, approached to acquire information such as when employees are present in the building, shift information, etc.

7
Q

What is impersonation in social engineering?

A

This is impersonating someone in order to trick targets into providing information or assisting with gaining access to authorized spaces within the target organization.

This could be dressing up as a plumber or ISP worker.

8
Q

What is shoulder surfing?

A

Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder.

9
Q

What is USB Key Drop technique?

A

This technique involves leaving a USB device for people to find and plug into their computers.

When plugged into a computer, it injects keystrokes that command the computer to give the attacker remote access to the victim's computer.

This preys on a victim's curiosity. If a pentester uses this tactic, they would typically configure the USB simply to send them an email identifying who plugged in the unknown USB.

10
Q

In social engineering, how is authority used?

A

Authority can be used by pretending you are a person of authority in order to make an organization's employee perform an unauthorized task.

Or this could be claiming you are someone who works with a person of authority and that it was requested a certain task be completed.

This could be pretending to be from the legal department and/or organizational

11
Q

In social engineering, how is scarcity used?

A

This would be emailing a target organization's employee claiming something must be completed today, or that only 1 iPhone is left to win, therefore click this link:

ACT NOW

12
Q

In social engineering, how is social proof used?

A

This occurs in social situations when people are unable to determine the appropriate mode of behavior.

If you see a group of people doing something, maybe you should too?

This can lead to a large number of people making mistaken choices.

13
Q

In social engineering, how is likeness utilized?

A

This is where an adversary/pentester would use their likable influence to create an interpersonal relationship in hopes that the target will comply with poor decisions.

14
Q

What is NETBIOS and how is this exploited?

A

NETBIOS is an acronym for Network Basic Input/Output System.

NETBIOS provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a LAN.

Traditionally, NETBIOS operates on 137/TCP, 138/UDP and 139/TCP.

NetBIOS can reveal a great deal of information about a system, such as the computer name, the contents of the remote name cache (including IP addresses), a list of local NetBIOS names, a list of names resolved by broadcast, and the contents of the session table with the destination IP addresses.

15
Q

What is LLMNR and what are some vulnerabilities associated with this?

A

Link-Local Multicast Name Resolution

This is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
This can be found in Windows and utilizes UDP port 5355.

LLMNR can be vulnerable to spoofing/man-in-the-middle attacks.
When requests are intercepted the adversary/tester can say “I know where that server is, in fact, I am that server” allowing the attacker to capture whatever traffic comes next.

16
Q

What is SMB and what are some vulnerabilities associated with this?

A

Server Message Block is a communication protocol for providing shared access to files, printers and serial ports between nodes on a network.

It also provides authentication mechanisms.

SMBv1 has been known to be vulnerable to EternalBlue, as SMB mishandles specially crafted packets from remote attackers, allowing remote execution of arbitrary code on the target computer.

17
Q

What is SNMP and what are some weaknesses associated with this?

A

Simple Network Management Protocol

SNMP is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior

Operates on Ports 161 and 162

There are three versions of SNMP:
  • SNMPv1 (unencrypted)
  • SNMPv2 (unencrypted)
  • SNMPv3 (encrypted and requires authentication)

So using SNMPv1 and SNMPv2 can be insecure.

18
Q

What is SMTP and what are some weaknesses associated with this?

A

Simple Mail Transfer Protocol

SMTP is an Internet Standard communication protocol for electronic mail transmission.

Mail servers and other message transfer agents use SMTP to send and receive mail messages; it utilizes port 25.

Weaknesses associated with SMTP:

  • Unauthorized access to your emails and data leakage
  • Spam and Phishing
  • Malware
  • DoS Attacks
19
Q

What is FTP?

A

File Transfer Protocol

FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.

FTP is built on a client-server model architecture using separate control and data connections between the client and the server

Uses port 21 for control and 20 for data transfer

Weaknesses associated with FTP:

  • FTP lacks security, as it is a non-secure way to transfer data
  • Encryption isn't a given
  • FTP can be vulnerable to attack
  • Compliance is an issue
  • It's difficult to monitor activity
20
Q

What is DNS Cache Poisoning?

A

Also known as DNS Spoofing

DNS Cache Poisoning is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.

21
Q

What is PtH?

A

Pass the Hash

This attack is a technique whereby an attacker captures a password hash (as opposed to password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

The threat actor doesn't need to decrypt the hash to obtain a plaintext password.

PtH attacks exploit the authentication protocol, as the password's hash remains static for every session until the password is rotated.

Attackers commonly obtain hashes by scraping a system's active memory, among other techniques.

While this can occur on Linux/Unix systems this is most prevalent in Windows SSO, NT Lan Manager (NTLM), Kerberos, and other authentication protocols.

Windows stores hashes in the Security Accounts Manager (SAM) and Local Security Authority Subsystem (LSASS)

22
Q

What is ARP Spoofing?

A

ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP messages over a local area network.

This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.

Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.

ARP Spoofing can enable malicious parties to intercept, modify or even stop data in-transit.

23
Q

What is a replay attack?

A

A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.

24
Q

What is a relay attack?

A

An attacker intercepts communication between two parties and then, without viewing or manipulating it, relays it to another device.

For example, a thief could capture the radio signal from your vehicle's key fob and relay it to an accomplice who could use it to open your car door.

The main difference between a MITM and a relay attack is that neither the sender nor the receiver needs to have initiated any communication between the two.

25
Q

What is SSL Stripping?

A

SSL stripping is a technique by which a website is downgraded from https to http.
In other words, the attack is used to circumvent the security which is enforced by SSL certificates on https sites. This is also known as SSL downgrading.

26
Q

What is a NAC and how is it bypassed?

A

Network Access Control

NACs operate on wired and wireless networks by finding and identifying the different devices that are connected to and can access the existing system

NACs restrict unauthorized access to internal networks based on identity and security posture

NACs can be bypassed by spoofing a device that has previously authenticated to the NAC

27
Q

What is VLAN Hopping?

A

VLAN Hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN.

The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible.

This can be achieved by switch spoofing and double tagging.

28
Q

What is a karma attack?

A

A karma attack is an attack that exploits a behavior of some Wi-Fi devices, combined with the lack of access point authentication in numerous Wi-Fi protocols.

This attack is a variant of the evil twin attack.

A hacker tricks you into joining a Wi-Fi network under their control; these fake access points are configured to resemble legitimate access points, such as "Starbucks Wireless" when the real one is just "Starbucks".

29
Q

What is a de-authentication attack?

A

A deauthentication attack is a disruptive technique against wireless connections.

These attacks consist of fraudulent requests that interfere with the communication between routers and devices.

This attack focuses on 802.11-based wireless networks, as they require deauthentication frames whenever users terminate connections.

30
Q

What are fragmentation attacks?

A

Fragmentation occurs when IP datagrams are broken apart into small packets, then transmitted across a network, and finally reassembled into the original datagram as part of normal communications.

An attacker can employ IP fragmentation to target communications systems, as well as security components.

31
Q

What is a credential harvesting attack?

A

Credential harvesting comes in many forms, but the goal remains the same: obtain end-user credentials.

This can be done with:
  • Man-in-the-middle attacks
  • DNS poisoning
  • Phishing

This can also be done with CSRF when a user authenticates into a fake website created by an attacker.

32
Q

What is bluejacking?

A

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers

33
Q

What is bluesnarfing?

A

Bluesnarfing is the unauthorized access of information from a wireless device through Bluetooth connection

34
Q

What is RFID Cloning?

A

This is the act of using a device that copies the data from one RFID tag and imprints it on another, allowing multiple copies of the same tag to be created; these are used to access buildings/rooms as an 'authorized' user.

35
Q

What is a SQL Injection?

A

Also known as SQLi

This is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

To test, use a single quote (') or a Boolean SQL injection like so:
http://www.estore.com/items/items.asp?itemid=999 or 1=1

We see 1=1, which is a true statement, so the database believes this is valid.

http://www.estore.com/items/iteams.asp?itemid=999; DROP TABLE (This would delete part of the database)

THIS CAN BE MITIGATED WITH INPUT VALIDATION AND PARAMETERIZED QUERIES; essentially the web app/DB should be configured to know what to expect and where.

36
Q

What is a HTML injection?

A

HTML injection is a vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

This could result in theft of a user's session cookie and/or modifications to the web page.

The following example shows a snippet of vulnerable code that allows unvalidated input to be used to create dynamic HTML in the page context:

// Reads the raw "user=" query value straight from the URL without any validation
var userposition = location.href.indexOf("user=");
var user = location.href.substring(userposition + 5);
// Sink: untrusted input is written as HTML, so any injected markup is rendered
document.getElementById("Welcome").innerHTML = " Hello, " + user;

The following example shows vulnerable code using the document.write() function:

// Same unvalidated read of the "user=" query value
var userposition = location.href.indexOf("user=");
var user = location.href.substring(userposition + 5);
// Sink: document.write() parses the string as HTML, so injected markup is rendered
document.write("<h1>Hello, " + user + "</h1>");
37
Q

What is a command injection?

A

This is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

An example would be:
system("cd /var/yp && make &> /dev/null");
or entering 'cat /etc/passwd' into the web application in hopes that the local file on the backend system is exposed.

38
Q

What is a code injection attack?

A

A code injection attack consists of injecting code that is then interpreted/executed by the application.

Code injection is different from command injection due to being limited by the functionality of the injected language itself.

If an attacker is able to inject PHP code into an application and have it executed, they are only limited by what PHP code is capable of.

Example:
The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php

39
Q

What is session hijacking?

A

Session hijacking is an attack where a user session is taken over by an attacker.

A session starts when you log into a service and ends when you log out, but if an attacker knows the session ID (session key), the session can be HIJACKED.

Session Hijacks can be achieved by some of the following methods:

  • Predictable session token
  • Session sniffing
  • Client Side attacks (XSS, malicious JavaScript Codes, Trojans etc)
  • Man-in-the-middle attack
40
Q

What is a redirect attack?

A

Also known as URL Redirection

This is a vulnerability which allows an attacker to force users of an application to an untrusted external site.

This attack is most often performed by delivering a link to a victim, who then clicks the link and is redirected to the malicious site.

41
Q

What is Kerberos?

A

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

This has known vulnerabilities such as Kerberoasting and Golden Ticket attacks.

Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking.

A Golden Ticket attack is a kind of attack that targets the access control privileges of a Windows environment where AD is in use.

A golden ticket is used by adversaries to take over the key distribution service of a legitimate user.

42
Q

What is parameter pollution?

A

HTTP Parameter Pollution (HPP) is a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information.

Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways.

By exploiting this, an attacker may be able to bypass input validation, trigger application errors or modify internal variable values.

Example:
/index.aspx?page=select 1&page=2,3

43
Q

What is insecure direct object reference?

A

IDOR occurs when an application provides direct access to objects based on user-supplied input.

As a result of this, attackers can bypass authorization and access resources in the system directly, for example database records or files.

Example:

The following line is your invoice:
http://foo.bar/somepage?invoice=12345

But what if we do the following and the database provides?
http://foo.bar/somepage?invoice=12346

This is not our invoice, but if the DB does not require authentication to view this invoice, we have exploited IDOR.

44
Q

What is Stored XSS?

A

Stored XSS attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc.

The victim then retrieves the malicious script (unknowingly) from the server where it requested the stored information.

This is also referred to as Persistent XSS

45
Q

What is reflected XSS?

A

Reflected XSS attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Also known as Non-Persistent XSS

46
Q

What is DOM?

A

Document Object Model

DOM is a programming API for HTML and XML documents.

It defines the logical structure of documents and the way a document is accessed and manipulated.

This can be vulnerable when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.

47
Q

What is CSRF?

A

Cross-Site Request Forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

This can be achieved with the help of social engineering (such as sending a link) posing as a known site to the victim user.

48
Q

What is clickjacking?

A

This is the malicious practice of manipulating a website user's activity by concealing hyperlinks beneath legitimate clickable content, so that the user performs actions of which they are unaware.

49
Q

What is a path/directory traversal?

A

This attack aims to access files and directories that are stored outside the web root folder.

By manipulating variables that reference files with "dot-dot-slash" (../../../../) sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

50
Q

What is cookie manipulation?

A

Also known as cookie poisoning, this is the act of manipulating or forging a cookie (a small piece of data created and stored in a user's browser that keeps track of important information regarding his or her session for a particular site) for the purpose of bypassing security measures or sending false information to a server.

An attacker using cookie manipulation can gain unauthorized access to a user's account on the particular site the cookie was created for, or potentially trick a server into accepting a new version of the original intercepted cookie with modified values.

51
Q

What is LFI?

A

Local File Inclusion

This allows an attacker to read (and sometimes execute) files on the victim machine.

This can lead to the attacker gaining access to sensitive information if the web server is misconfigured and running with high privileges

52
Q

What is RFI?

A

Remote File Inclusion

This allows an attacker to be able to execute code hosted on remote host

53
Q

Why are comments in source code sometimes a vulnerability?

A

If an adversary can view the comments in source code, they can reveal the function of each part of the code and can provide an excessive amount of information regarding the application.

54
Q

What is improper error handling in coding?

A

Improper handling of errors can lead to detailed internal error messages such as stack traces, database dumps, and error codes being displayed to the user (or attacker).

These messages reveal implementation details that should never be revealed.

Such details can provide important clues on potential flaws in the site and such messages are also disturbing to normal users

55
Q

What are race conditions in coding?

A

A race condition is a flaw that produces an unexpected result when the timing of actions impacts other actions.

If an application/program is still processing one request and another one comes in during this process, this can lead to manipulation of the original request.

56
Q

What is code signing and why is it important in software development?

A

Code signing is the process of digitally signing executables and scripts to confirm the software author and protect the integrity of the code.

This typically employs a cryptographic hash to validate authenticity.

57
Q

What is a SUID and how can it be utilized in pentest?

A

A SUID bit is a flag on a file which states that whoever runs the file will have the privileges of the owner of the file.

So if you are a lower privilege user and run an executable owned by root, the code/executable runs with privileges of the root user.

This only applies to Linux ELF executables, meaning it is worthless for Bash shell scripts, Python scripts, etc.

We can look at a file's permissions with 'ls -la'; if there is an 'x' then the SUID bit is set.

This can be utilized in privilege escalation.

To find all binaries with SUID permissions, type the following:
find / -perm -u=s -type f 2>/dev/null

58
Q

What is unsecure sudo?

A

This is where non-root users have the ability to execute commands that would typically be reserved for the root user.

This includes:
SSH
ARP
Telnet
TCPDUMP
FIND
Service
59
Q

What is Ret2Libc?

A

A ret2libc attack is one in which the attacker does not require any shellcode to take control of a target, vulnerable process.

It is a method of exploiting a buffer overflow on a system that has a non-executable stack. It is very similar to a standard buffer overflow, in that the return address is changed to point to a new location that we can control.

60
Q

What is a stickybit?

A

A sticky bit is a permission that is set on a file or directory that allows only the owner of the file/directory or the root user to delete or rename the file.

61
Q

What is cPassword?

A

cPassword is a component of Windows Active Directory Group Policy Preferences that allows administrators to set passwords via Group Policy.

62
Q

What are unattended installations in Windows?

A

An unattended installation is the traditional method of deploying Windows OS.

Unattended installation can lead to sets of insecure permissions for Users and Default User directories

63
Q

In Windows, what is a SAM database?

A

Security Account Manager is a database file that stores users' passwords/hashes.

It can be used to authenticate local and remote users.

This can lead to overly permissive Access Control Lists on multiple system files, including the SAM database.

An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges.

64
Q

What is DLL Hijacking?

A

DLL Hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search for and load Dynamic Link Libraries (DLLs).

Only M$ is susceptible to DLL hijacks.

By replacing a required DLL file with an infected version and placing it within the search path of an application, the infected file will be called upon when the application loads, activating its malicious operations.

65
Q

What are unquoted service paths?

A

When a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as an unquoted service path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running at the SYSTEM privilege level, which most of the time it is).

66
Q

What are keyloggers?

A

This is a computer program that records every keystroke made by a computer user, especially used to gain fraudulent access to passwords and other confidential information

67
Q

What are scheduled tasks?

A

Task Scheduler is a component of Windows that allows predefined actions to be automatically executed whenever a certain set of conditions is met

This can be utilized for persistence by an adversary/pentester.

68
Q

What is a sandbox and sandbox escape?

A

A sandbox is a tightly controlled environment in which semi-trusted programs or scripts can be safely run in memory.

Sandboxes are used as a safeguard, but sometimes they can be exploited to allow malicious code to be executed from the sandbox on the outer system.

69
Q

What is a VM escape?

A

A Virtual Machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system.

70
Q

What is a cold boot attack?

A

A cold boot attack is a type of side-channel attack in which an attacker with physical access to a computer performs a memory dump of the computer's random access memory by performing a hard reset of the target machine.

71
Q

What is a JTAG Debug?

A

JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board.

72
Q

What is RPC?

A

Remote Procedure Call

RPC is when a computer program causes a procedure to execute in a different address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction.

73
Q

What is DCOM?

A

Distributed Component Object Model

DCOM is a programming construct that allows a computer to run programs over the network on a different computer as if the program was running locally.

74
Q

What is PsExec?

A

PsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials.

You can use PsExec not only to manage processes on the remote computer but also to redirect an application's console output to your local computer, making it appear as though the process is running locally.

75
Q

What is WMI?

A

Windows Management Instrumentation

WMI is the infrastructure for management data and operations on Windows based OS.

You can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and products.

76
Q

What is VNC?

A

Virtual Network Computing

VNC is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.

It transmits the keyboard and mouse input from one computer to another, relaying the graphical screen updates over a network.

77
Q

What is X11 forwarding?

A

X11 forwarding is what gives you the ability to run GUIs from a server on your own local machine.

78
Q

What is RSH?

A

Remote shell (rsh) is a command-line computer program that can execute shell commands as another user, and on another computer across a computer network.

The remote system to which rsh connects runs the rsh daemon.

Operates on port 514.