CompTIA PenTest+ Certification PT0-001: Practice Test #2 (Total Seminars) Flashcards
Which of the following tools would be most appropriate when attempting to perform an LLMNR poisoning attack? A.Wireshark B.Responder C.tcpdump D.airodump-ng
B.Responder
Explanation
Correct Answer:
Responder is correct. Responder is a Python-based tool that simplifies the process of poisoning name resolution on a local subnet. It listens for LLMNR, NBT-NS and mDNS queries (which Windows hosts broadcast or multicast when DNS fails to resolve a name), answers them with the attacker's address, and then captures the NTLM challenge-response hashes that the victim sends when it tries to authenticate to Responder's rogue SMB, HTTP and other listeners.
Incorrect Answers:
Airodump-ng is incorrect because airodump-ng is a component of the aircrack-ng suite used to capture raw 802.11 frames from Wi-Fi networks; it plays no part in name-resolution poisoning.
Wireshark is incorrect because Wireshark is a network protocol analyzer that sniffs out network traffic and displays the contents of packets going across a network. It is often used for general network troubleshooting or in software development but also has value in penetration testing, where it can be leveraged to verify network security implementations, or intercept plaintext communications.
Tcpdump is incorrect because tcpdump is another network protocol analyzer and is also used to troubleshoot networks, assist in software development, or for security purposes. Tcpdump is predominantly used as a command-line tool, although graphical interfaces for it exist.
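The mechanics behind the correct answer, as an added example for this flashcard set (this is not Responder's code): the LLMNR message format is the DNS format carried over UDP/5355 to the multicast group 224.0.0.252, and the only thing a client checks before accepting an answer is that the transaction ID and question match. The hostname and attacker address below are constructed.

```python
"""LLMNR poisoning mechanics.  Added example; not Responder's own code.
LLMNR (RFC 4795) reuses the DNS message format, sent over UDP/5355 to the
multicast group 224.0.0.252.  A Windows host that fails to resolve a name
through DNS multicasts an LLMNR query; any host on the subnet may answer,
and the client accepts the first response whose transaction ID and
question match.  Names and addresses here are constructed."""
from __future__ import annotations
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000  # set in responses


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, zero terminator."""
    labels = [lbl.encode("ascii") for lbl in name.split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def decode_name(buf: bytes, offset: int) -> tuple[str, int]:
    """Return (name, offset just past the terminator)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """What a client sends when DNS cannot resolve `name` (flags 0: query)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "flags": flags, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer whatever was asked with the attacker's address.  The poisoner
    does not need to know the name in advance; it echoes the transaction ID
    and question and replies before anyone else (usually nobody does,
    because the name was a typo or a decommissioned host)."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = (encode_name(q["name"])
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata))
              + rdata)
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    _, off = decode_name(pkt, 12)
    off += 4                               # skip qtype/qclass of the echoed question
    name, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"txid": txid, "is_response": bool(flags & FLAG_QR), "answers": ancount,
            "name": name, "ip": ".".join(str(b) for b in rdata), "ttl": ttl}


def accepts(query: bytes, response: bytes) -> bool:
    """The client-side check a poisoner has to satisfy: QR bit set, matching
    transaction ID and question name.  Nothing authenticates the sender,
    which is the whole weakness."""
    q, r = parse_query(query), parse_response(response)
    return r["is_response"] and r["txid"] == q["txid"] and r["name"].lower() == q["name"].lower()


if __name__ == "__main__":
    q = build_query(0x1234, "fileshare01")          # constructed: a mistyped share name
    r = build_poisoned_response(q, "10.0.0.66")     # constructed attacker address
    print(parse_query(q))
    print(parse_response(r), "accepted:", accepts(q, r))
```

Responder wraps exactly this race in a listener on UDP/5355 and pairs it with rogue SMB/HTTP services so the victim's follow-up authentication leaks an NTLMv2 response. The defensive fix is to disable LLMNR through Group Policy ("Turn off multicast name resolution") and NetBIOS over TCP/IP on the adapter, so the query is never sent; Responder's analyze mode (-A) lets you confirm whether hosts on a segment still emit these queries without poisoning anything.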
Which of the following attack vectors is best defined as tricking an application into loading a malicious library file by exploiting the documented library search order paths? A.DLL Injection B.DLL hijacking C.Unquoted service path abuse D.LSASS Dumping
B.DLL hijacking
Explanation
Correct Answer:
DLL hijacking is correct. DLL hijacking occurs when an application is tricked into loading a malicious DLL because Windows follows its documented DLL search order (the application's own directory, then the System32 and System directories, the Windows directory, the current directory and finally the directories in PATH, with SafeDllSearchMode enabled) and the attacker can plant a same-named DLL in a directory that is searched before the one holding the legitimate library, or the library is missing altogether. Compare this with DLL injection, explained next.
Incorrect Answers:
DLL injection is incorrect because DLL injection forces a running process to load a library rather than abusing the default DLL lookup paths documented by Microsoft. It is accomplished through means such as the SetWindowsHookExA function in the Windows API, writing a DLL path into the target process and calling LoadLibrary through CreateRemoteThread, or modifying registry values (such as AppInit_DLLs) that define the DLLs loaded into user processes. In other words, hijacking relies on normal Windows behavior to trick an application into loading a malicious library, whereas injection forcibly causes the application in question to load one.
LSASS dumping is incorrect because LSASS dumping does not rely on getting a process to load a malicious library file. Rather, an attacker with local administrator rights (SeDebugPrivilege) obtains a memory dump of the lsass.exe process, for example with Task Manager, procdump or the MiniDump export of comsvcs.dll. Feeding the resulting .dmp file to Mimikatz (sekurlsa::minidump followed by sekurlsa::logonpasswords) yields credential material for the accounts logged on to that system: NTLM hashes, Kerberos tickets and, where WDigest caching is enabled (the default before Windows 8.1 and Server 2012 R2), plaintext passwords.
Unquoted service path abuse is incorrect because unquoted service path abuse becomes possible when a service managed by the Windows Service Control Manager has a space somewhere in the path to its executable and the path string is not enclosed in quotation marks. Windows then tries each space-delimited prefix as an executable in turn (for the path C:\Program Files\App\svc.exe it tries C:\Program.exe before C:\Program Files\App\svc.exe), so an attacker who can write to one of those directories gets their own binary run under the service account. The feature being exploited is the method Windows uses to locate a service executable rather than the library search path, making this answer incorrect.
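Both lookup behaviours contrasted above, modelled as an added example for this flashcard set (not code from any tool the page names): the first function lists the executables the Service Control Manager tries for an unquoted ImagePath, the second reproduces the default DLL search order with SafeDllSearchMode on, and the third answers the question a tester actually asks, which writable directory comes before the real one. Paths, service names and the writable-directory set are constructed; nothing touches the live system.

```python
"""Windows lookup behaviours behind two privilege escalation checks:
(1) executables tried for an unquoted service path, and
(2) directories walked to resolve a DLL name (SafeDllSearchMode enabled).
Added example for this flashcard set; all paths below are constructed and
the functions never touch the live system."""
from __future__ import annotations


def unquoted_path_candidates(image_path: str) -> list[str]:
    """How the Service Control Manager resolves an ImagePath that is not
    wrapped in quotes: at each space it first tries the text before the
    space with .exe appended.  Returns candidates in the order Windows
    tries them; a quoted path or one without spaces yields one candidate.
    Assumption: the path ends at the first '.exe', the rest are arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return [path.split('"')[1]]
    exe_end = path.lower().find(".exe")
    head = path[: exe_end + 4] if exe_end != -1 else path
    candidates, idx = [], 0
    while True:
        idx = head.find(" ", idx)
        if idx == -1:
            break
        candidates.append(head[:idx] + ".exe")
        idx += 1
    candidates.append(head)
    return candidates


def dll_search_order(app_dir: str, system_root: str = r"C:\Windows",
                     path_env: tuple[str, ...] = (), cwd: str | None = None) -> list[str]:
    """Default DLL search order with SafeDllSearchMode enabled (the default)
    for a DLL that is neither a KnownDLL nor already loaded.  Note the
    current directory comes after the system directories."""
    order = [app_dir, rf"{system_root}\System32", rf"{system_root}\System", system_root]
    if cwd is not None:
        order.append(cwd)
    order.extend(path_env)
    return order


def hijackable(order: list[str], real_dll_dir: str, writable_dirs: set[str]) -> list[str]:
    """Directories the attacker can write to that Windows consults before
    the directory that really holds the DLL.  A System32 DLL that is on the
    KnownDLLs list is loaded from there regardless of this order, so this
    check is most useful for DLLs that ship with the application."""
    out = []
    for d in order:
        if d.lower() == real_dll_dir.lower():
            break
        if d in writable_dirs:
            out.append(d)
    return out


if __name__ == "__main__":
    svc = r"C:\Program Files\Vendor App\bin\svc host.exe -service"   # constructed ImagePath
    for c in unquoted_path_candidates(svc):
        print("SCM tries:", c)
    order = dll_search_order(r"C:\Program Files\Vendor App", path_env=(r"C:\Tools",))
    writable = {r"C:\Tools", r"C:\Program Files\Vendor App"}            # constructed ACL result
    print("hijack dirs for a System32 DLL:", hijackable(order, r"C:\Windows\System32", writable))
    print("hijack dirs for a PATH DLL:   ", hijackable(order, r"C:\Tools", writable))
```

The second print shows why a writable PATH entry is not enough on its own: everything in System32 is found before PATH is consulted, so the hijack has to target a DLL that lives in PATH (or is missing), or the writable directory has to be the application's own. On a real host the writable set comes from icacls or Get-Acl, and the service paths from wmic service get name,pathname or Get-CimInstance Win32_Service.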
Which of the following is the best potential use for SSL stripping in a penetration test?
A.Theft of user session cookies
B.Interception of usernames and passwords
C.Cracking the pre-shared key in use on their corporate wireless network
D.Tricking a user into connection to a malicious site rather than their intended destination in order to infect them with malware
B.Interception of usernames and passwords
Explanation
Correct Answer:
Interception of usernames and passwords is correct. SSL stripping is performed as part of a man-in-the-middle attack: the attacker keeps an HTTPS connection to the real site but serves the victim a plain-HTTP copy, rewriting https:// links and redirects to http:// so the victim's browser never upgrades. Because the victim's side of the connection is unencrypted, usernames, passwords and other sensitive information travel in plaintext and can be sniffed as they cross the network. Sites that send an HTTP Strict Transport Security (HSTS) header, and especially those on the browser preload list, defeat the attack because the browser refuses to make the plain-HTTP request in the first place.
Incorrect Answers:
Tricking a user into connecting to a malicious site rather than their intended destination in order to infect them with malware is incorrect because redirecting a user to a (usually malicious) site they did not want to visit is typical of DNS cache poisoning or a watering hole attack.
Cracking the pre-shared key in use on their corporate wireless network is incorrect because cracking a pre-shared key is typically the goal of intercepting four-way handshakes in WPA and WPA2 networks.
Theft of user session cookies is incorrect because, while an attacker in the middle of the stripped connection could capture the session cookies the site sends once the user is authenticated, that session is invalidated as soon as the user logs out or it expires. Intercepted usernames and passwords let the attacker log in freely without relying on the victim's session, making credential interception the more effective use of traffic interception and session theft an incorrect answer.
Which port openings would be expected to be indicative of a Windows client that accepts remote graphical logins? (Choose two.) A.TCP/3389 B.TCP/5900 C.TCP/1521 D.TCP/443
A.TCP/3389
B.TCP/5900
Explanation
Correct Answers:
TCP/3389 and TCP/5900 are correct. TCP/3389 is the default port for Microsoft's native Remote Desktop Protocol (RDP), while TCP/5900 is the default port for VNC (additional displays use 5901, 5902 and so on). Both services provide graphical remote sessions.
Incorrect Answers:
TCP/1521 is incorrect because TCP/1521 is a listener port for Oracle database listeners.
TCP/443 is incorrect because TCP/443 is used for HTTPS connections.
Which of the following resources would be best to consult if you encounter difficulty while data mining for a penetration test? A.theHarvester B.OSINT Framework C.Shodan D.dig
B.OSINT Framework
Explanation
Correct Answer:
OSINT Framework is correct. The OSINT Framework is an excellent resource for guiding data-mining efforts. The tool focuses on broad-scale information collection from numerous sites and sources, such as social media networks, corporate information leaks, and public and private records and news releases. The OSINT Framework casts a wide net in its efforts in data collection and analysis, making it an excellent guide for the data-mining process relative to the other choices.
Incorrect Answers:
Shodan is incorrect because Shodan is a search engine for Internet-connected devices, used to find systems, services and network equipment exposed to the public Internet by their service banners. While some information relevant to OSINT collection and data mining can be gathered from Shodan, it is limited in scope, making this a poor answer compared to the other choices.
dig is incorrect because dig is a command-line tool for *nix operating systems used to perform DNS queries. As with Shodan, dig can produce useful information in the context of a penetration test, but it, too, is limited in scope, making this a poor answer for this question.
theHarvester is incorrect because theHarvester is a Python-based command-line tool used for both active and passive intelligence collection. It can provide a respectable amount of information when beginning collection efforts, but it is limited to the sources it knows how to query and the sorts of information it is designed to collect (generally IP addresses, subdomain names and email addresses related to a given domain). theHarvester is a less effective choice for guiding data-mining efforts than the OSINT Framework and an incorrect answer to this question.
Which of the following are dictated by Nessus policies? (Choose two.) A.Configuration values B.Plugins in use C.Remediation details D.Vulnerability information
A.Configuration values
B.Plugins in use
Explanation
Correct Answers:
Plugins in use and configuration values are correct. Nessus policies dictate the plugins used for a scan and the associated configuration values.
Incorrect Answers:
Vulnerability information and remediation details are incorrect. Both are components of the output of a Nessus scan rather than facets defined before the scan takes place.
Which of the following are examples of establishing daemon-based persistence? (Choose two.)
A.Modifying an application that users of the compromised system are known to use frequently such that it establishes a reverse shell callback on launch
B.Modifying the BootExecute registry key value to establish a bind shell on the victim system at boot time
C.Copying the attacking system's public SSH key into ~/.ssh/authorized_keys
D.Creating a cronjob that attempts to establish a reverse shell to the attacking system every 15 minutes
B.Modifying the BootExecute registry key value to establish a bind shell on the victim system at boot time
D.Creating a cronjob that attempts to establish a reverse shell to the attacking system every 15 minutes
Explanation
Correct Answers:
Creating a cronjob that attempts to establish a reverse shell to the attacking system every 15 minutes and modifying the BootExecute registry value to establish a bind shell on the victim system at boot time are correct. The defining feature of daemon-based persistence is abuse of a system-run service that executes things on the attacker's behalf: here cron (which runs the jobs in each user's crontab in that user's context, and the jobs in /etc/crontab and /etc/cron.d as root) and the Windows Session Manager. In the cron case, persistence is maintained by the cron daemon; even if the reverse shell is killed, cron will attempt to re-establish it every 15 minutes. In the BootExecute case, persistence is achieved because smss.exe executes every program listed in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute (normally just autocheck autochk *) on every boot, before the Win32 subsystem starts, so a bind shell placed there comes up whenever the system reboots. Anything added there has to be a native-API executable, which is why this key is seen far less often than Run keys or scheduled tasks.
Incorrect Answers:
Copying the attacking system's public SSH key into ~/.ssh/authorized_keys is incorrect because SSH key-based persistence abuses an authentication feature of SSH rather than an automated service; the attacker still has to connect in.
Modifying an application that users of the compromised system are known to use frequently, such that it establishes a reverse shell callback on launch, is incorrect because a trojaned application is not exploitation of an automated process: it requires user interaction to provide shell access, rather than that access being provided in the background and invisibly to the user.
Which of the following files would _not_ be a target of interest for remote system discovery per MITRE's ATT&CK framework? A.C:\Windows\System32\Drivers\etc\hosts B./etc/hosts C.~/.bash_history D./etc/passwd
D./etc/passwd
Explanation
Correct Answer:
/etc/passwd is correct. While still useful for local enumeration of user and service accounts, /etc/passwd is the least likely of the choices to contain any information about remote systems, servers or networks. Since the question asks which file would not be of interest for remote system discovery (ATT&CK technique T1018), D is the correct answer. All of the files listed in the other choices contain information that could be of value in enumerating additional remote systems.
Incorrect Answers:
/etc/hosts and C:\Windows\System32\Drivers\etc\hosts are incorrect because the system hosts files (/etc/hosts and C:\Windows\System32\Drivers\etc\hosts in the *nix and Windows operating system families, respectively) map hostnames to IP addresses and are consulted before DNS. Administrators frequently use them to pin name resolution for other systems a host regularly interacts with, which makes hosts files a particularly valuable source of information about remote systems commonly accessed by users or services on a given host, and makes both of these choices incorrect.
~/.bash_history is incorrect because ~/.bash_history records the commands a user entered in interactive bash sessions (subject to the shell's history settings). If the user connects to remote servers via SSH, SFTP, or other protocols, the targets appear in the history file, which can then point a penetration tester at other likely targets for attack or lateral movement. Since this can directly reveal remote systems, it is an incorrect answer.
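What "harvesting remote-system leads" from these files looks like in practice, as an added example for this flashcard set (not part of ATT&CK or of any tool named here): parse a hosts file, pull connection targets out of bash_history for the commands that usually take a host, and merge both into one lead list. The hosts-file and history contents below are constructed, and the command list is a starting point rather than an exhaustive one.

```python
"""Pull remote-system leads out of hosts files and ~/.bash_history.
Added example for this flashcard set; both sample files are constructed
and the command table is a starting point, not a complete list."""
from __future__ import annotations
from collections import defaultdict

HOSTS_SAMPLE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    backup01 backup01.corp.local
10.0.0.12   dc01.corp.local dc01   # domain controller
"""

HISTORY_SAMPLE = """\
ls -la
ssh -p 2222 admin@jump.corp.local
scp backup.tar.gz deploy@10.0.0.5:/var/backups/
sudo mysql -h db01.corp.local -u root -p
curl -k https://10.0.0.20:8443/api/health
nc -zv 10.0.0.12 445
vim /etc/hosts
smbclient //fileserver/share -U admin
"""

REMOTE_CMDS = {"ssh", "scp", "sftp", "rsync", "telnet", "ftp", "nc", "ncat",
               "mysql", "psql", "curl", "wget", "smbclient"}
OPTS_WITH_VALUE = {"-p", "-P", "-i", "-l", "-o", "-J", "-F", "-U", "-w", "-e"}
LOCAL_PREFIXES = ("127.", "::1", "fe00", "ff00", "ff02")


def parse_hosts_file(text: str) -> dict[str, list[str]]:
    """IP -> hostnames, skipping comments and loopback/IPv6 boilerplate."""
    mapping = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip.startswith(LOCAL_PREFIXES):
            continue
        mapping[ip].extend(names)
    return dict(mapping)


def _first_positional(args: list[str]) -> str | None:
    i = 0
    while i < len(args):
        if args[i].startswith("-"):
            i += 2 if args[i] in OPTS_WITH_VALUE else 1
        else:
            return args[i]
    return None


def hosts_from_history(text: str) -> dict[str, set[str]]:
    """host -> set of commands that referenced it, from bash_history lines."""
    found = defaultdict(set)
    for line in text.splitlines():
        tokens = line.strip().split()
        while tokens and tokens[0] in ("sudo", "time", "nohup"):
            tokens = tokens[1:]
        if not tokens or tokens[0] not in REMOTE_CMDS:
            continue
        cmd, args = tokens[0], tokens[1:]
        host = None
        if cmd in ("scp", "rsync"):                     # remote side is the host:path token
            remote = [a for a in args if ":" in a and not a.startswith("-")]
            host = remote[0].split(":")[0] if remote else None
        elif cmd in ("curl", "wget"):                   # host part of the URL
            urls = [a for a in args if "://" in a]
            host = urls[0].split("://", 1)[1].split("/", 1)[0].split(":")[0] if urls else None
        elif cmd in ("mysql", "psql"):                  # -h <host>
            host = next((args[i + 1] for i in range(len(args) - 1) if args[i] == "-h"), None)
        else:                                           # ssh, sftp, telnet, ftp, nc, smbclient
            host = _first_positional(args)
        if host:
            host = host.split("@")[-1].strip("[]").lstrip("/").split("/")[0]
            if host and not host.startswith("."):
                found[host].add(cmd)
    return dict(found)


def remote_system_leads(hosts_text: str, history_text: str) -> dict[str, list[str]]:
    """Merge both sources into host -> evidence strings."""
    leads = defaultdict(list)
    for ip, names in parse_hosts_file(hosts_text).items():
        leads[ip].append("hosts file: " + " ".join(names))
    for host, cmds in hosts_from_history(history_text).items():
        leads[host].append("bash_history: " + ", ".join(sorted(cmds)))
    return dict(leads)


if __name__ == "__main__":
    for host, evidence in remote_system_leads(HOSTS_SAMPLE, HISTORY_SAMPLE).items():
        print(f"{host:20} {' | '.join(evidence)}")
```

Hosts that show up in both sources (10.0.0.5 and 10.0.0.12 in the sample) are the strongest leads: a name mapping plus evidence that someone actually connected. On a real engagement the same parser applies to every user's history file, and to ~/.ssh/known_hosts and ~/.ssh/config, which ATT&CK lists alongside these.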
You are asked to perform penetration testing of a web application from the perspective of an insider threat as both an end user and an application administrator. What is the minimum level of access to environment assets required? A.Restricted access B.User-level access C.Limited access D.Privileged-level access
D.Privileged-level access
Explanation
Correct Answer:
Privileged-level access is correct. Because the client has requested testing of the web application in question from both the user and administrator contexts, the best-fit answer in this case is privileged-level access because a valid account will be required for scans of the application in the context of an administrative user.
Incorrect Answers:
User-level access is incorrect because user-level access will not meet the client’s specific request for testing as both a user and an administrator because end users are generally not granted administrative rights.
Restricted is incorrect because restricted access is not a defined level of access in this context; it is a distractor that sounds related to the topic without being a relevant term for the question.
Limited is incorrect because limited access provides nothing to the tester beyond initial connectivity to the target in question; because the client requires testing in the context of both a user and an administrator, this cannot be correct.
Web fuzzing is a data validation technique used to identify flaws in websites or web applications. Which of the following is not a practice commonly used in web fuzzing?
A.Sending HTTP request methods such as HEAD or POST where another method is expected
B.Tampering with URL parameters
C.Feeding garbage or unexpected data to a user input point to elicit error messages or other information
D.Inspection of website source data to check for potentially exploitable errors or warnings
D.Inspection of website source data to check for potentially exploitable errors or warnings
Explanation
Correct Answer:
Inspection of website source data to check for potentially exploitable errors or warnings is correct. While it is common to inspect a page's source for exploitable errors, warnings, developer comments or leaked paths, that is passive inspection and cannot be defined as fuzzing, which at its most basic feeds unexpected data to a website or web application in an attempt to elicit an unexpected response.
Incorrect Answers:
Feeding garbage or unexpected data to a user input point to elicit error messages or other information is incorrect because that is essentially the definition of web fuzzing. Tampering with URL parameters and sending HTTP request methods such as HEAD or POST where another method is expected are themselves specific examples of that practice.
Which powerful reconnaissance framework is written in Python and features its own pseudo-shell environment, making it very similar in appearance to the Metasploit framework? A.Maltego B.recon-ng C.Shodan D.theHarvester
B.recon-ng
Explanation
Correct Answer:
Recon-ng is correct. recon-ng is a powerful Python-based reconnaissance framework with its own interactive shell, modules and workspaces, modelled on the Metasploit console.
Incorrect Answers:
Shodan and Maltego are incorrect because Shodan and Maltego are not generally run from a command line, barring the use of Shodan’s API or Maltego’s limited command-line interface; although there is no explicit mention of a command line in the question, it does refer to a shell environment. Be vigilant for such clues during the exam.
theHarvester is incorrect as well because, although theHarvester is written in Python and is run from a command line, it lacks a native shell environment, making this an incorrect answer.
Which stage of threat modeling consists of matching up known threats, threat actors, and vulnerabilities to the relevant parts of an organization's architecture, according to Microsoft's published guidance on threat modeling? A.Identify threats B.Decompose the application C.Document the threats D.Architecture overview
C.Document the threats
Explanation
Correct Answer:
Document the threats is correct. The definition provided best describes the fifth step of Microsoft's threat modeling process, the documentation of threats. This step consists of matching threats, threat actors and vulnerabilities to possible targets within the organization's own architecture.
Incorrect Answers:
Identify threats is incorrect because identifying threats is the fourth step in Microsoft's threat modeling process and is marked by the categorization of external and internal threats to an organization. Determining where threats are found, how they can be exploited, and which agents are capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization's defensive posture.
Architecture overview is incorrect because an architecture overview is the second step in the process and is defined by a granular analysis of the various technologies in use in an organization’s architecture as well as the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes the identification of threats much more manageable later in the process.
Decompose the application is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems. The goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability. Refer to Microsoft’s guidance on improving web application security at https://msdn.microsoft.com/en-us/library/ff648644.aspx for further details on their threat modeling process.
The amount and kinds of risk an organization is willing to accept in its information environment are collectively known as which of the following terms? A.Severity ratings B.Risk appetite C.Tolerance to impact D.Risk acceptance
B.Risk appetite
Explanation
Correct Answer:
Risk appetite is correct. Risk appetite refers to the total amount and kinds of risk an organization will tolerate in its networks.
Incorrect Answers:
Severity ratings is incorrect because severity ratings are used to define the gravity of vulnerabilities identified in an organization’s network.
Tolerance to impact is incorrect because tolerance to impact refers to the ability of an organization to withstand the effects of events or occurrences that adversely affect their business assets.
Risk acceptance is incorrect because risk acceptance is defined as an organization’s understanding and acceptance of the likelihood and impact of a specific threat on its systems or networks. While all of these answers influence an organization’s risk appetite, the terms are only related to risk appetite rather than synonymous with it, making them incorrect.
Which of the following is not a vulnerability scanner a penetration tester might use? A.Nexpose B.QualysGuard C.hashcat D.Nessus
C.hashcat
Explanation
Correct Answer:
Hashcat is correct because Hashcat is not a vulnerability scanner. Hashcat is a free and open-source password-cracking and -recovery tool that leverages system CPUs or GPUs, rather than a commercially available vulnerability scanner. Hashcat can attack via brute force and dictionary attacks, in addition to other more advanced techniques, and is able to recognize and crack over 200 hash types.
Incorrect Answers:
The other choices are incorrect because Nexpose, QualysGuard, and Tenable Nessus are all commercially available vulnerability scanners.
Nexpose is available from Rapid7 and sports multiple features, such as remediation reports and integration with Metasploit Pro.
QualysGuard is a cloud-based vulnerability scanner available from Qualys that can provide numerous services such as policy compliance monitoring and web application scanning.
Nessus is a vulnerability scanner available from Tenable that features a plugin-based approach to scanning, ensuring that the needs of many businesses and industries can be met.
Which of the following tools can be used to generate encoded payloads for inclusion in exploits or to embed them in other executables? A.msfdb B.msf-pattern_create C.msfconsole D.msfvenom
D.msfvenom
Explanation
Correct Answer:
msfvenom is correct. msfvenom generates and encodes payloads, typically shellcode, in whatever form an exploit needs: raw bytes, a C or Python array, or a complete executable (selected with -f), optionally run through an encoder (-e) and with bytes the target will not accept excluded (-b). The result is placed in the buffer a vulnerable program will later execute, or embedded in an existing executable used as a template (-x). None of the other choices generate shellcode or other payloads.
Incorrect Answers:
msfdb is incorrect because msfdb is used to create, destroy, and start the PostgreSQL database and associated service used by the Metasploit Framework.
msf-pattern_create is incorrect because msf-pattern_create generates a non-repeating string of text characters, which is useful when identifying the buffer offset necessary to overwrite the instruction pointer in a buffer overflow attack (its companion, msf-pattern_offset, turns the value that landed in the instruction pointer back into that offset).
msfconsole is incorrect because msfconsole is used to initialize the Metasploit Framework environment within a terminal window.
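Why the encoding step exists, as an added example for this flashcard set: a payload byte that the vulnerable program cannot accept (NUL terminates a strcpy, 0x0a and 0x0d end a line-oriented read) has to be hidden behind an encoder, with a decoder that restores it at run time. This is a single-byte XOR scheme written for illustration, not one of msfvenom's encoders (those, such as x86/shikata_ga_nai, are polymorphic), and the "payload" is constructed filler that merely contains the bad bytes.

```python
"""Bad-character avoidance, the idea behind `msfvenom -e ... -b '\\x00\\x0a\\x0d'`.
Added example for this flashcard set; this single-byte XOR scheme is not
one of msfvenom's encoders, and SAMPLE_PAYLOAD is constructed filler."""
from __future__ import annotations

SAMPLE_PAYLOAD = bytes.fromhex("31c0b00d0a00cd80")   # constructed; contains 0x0d, 0x0a, 0x00
DEFAULT_BADCHARS = b"\x00\x0a\x0d"


def find_xor_key(payload: bytes, badchars: bytes) -> int | None:
    """First single-byte key whose XOR of the payload contains no bad byte.
    The key itself must not be a bad byte, because the decoder stub embeds
    it.  Key 0 is skipped (no-op).  None means a multi-byte or different
    encoder is needed."""
    bad = set(badchars)
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in payload):
            return key
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse: the decoder stub runs this same loop."""
    return bytes(b ^ key for b in data)


def bad_bytes_present(data: bytes, badchars: bytes = DEFAULT_BADCHARS) -> list[int]:
    """Offsets at which a bad byte occurs; what `-b` has to eliminate."""
    bad = set(badchars)
    return [i for i, b in enumerate(data) if b in bad]


def encode_for_badchars(payload: bytes, badchars: bytes = DEFAULT_BADCHARS) -> tuple[int, bytes]:
    key = find_xor_key(payload, badchars)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad characters")
    encoded = xor_bytes(payload, key)
    if bad_bytes_present(encoded, badchars) or xor_bytes(encoded, key) != payload:
        raise AssertionError("encoder self-check failed")
    return key, encoded


def as_c_array(data: bytes, name: str = "buf") -> str:
    """Same shape as `msfvenom -f c` output, for pasting into an exploit."""
    return f"unsigned char {name}[] = {{{','.join(f'0x{b:02x}' for b in data)}}};"


if __name__ == "__main__":
    print("bad byte offsets:", bad_bytes_present(SAMPLE_PAYLOAD))
    key, enc = encode_for_badchars(SAMPLE_PAYLOAD)
    print(f"key=0x{key:02x}")
    print(as_c_array(enc))
```

In a real exploit the encoded bytes are prefixed with a short decoder stub that XORs them back in place before jumping to them, which is why the stub (and the key it contains) must itself be free of bad characters; the bad-character list comes from the exploit developer's own testing of which bytes survive the trip into the target buffer, usually done in a debugger such as the ones in the next question.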
Which of the following are possible goals of communication made during a penetration test for the purposes of deconfliction?
A.Clearly identifying actions that are the result of testing activity rather than the result of actions taken by system accounts or other users
B.Identification of the root causes of unexpected behavior that may occur during the course of a penetration test
C.All of the answers are correct
D.Notifying the client that you have reason to believe you have discovered evidence of a previous compromise of their network
C.All of the answers are correct
Explanation
All of the answers are correct. All of the examples listed are goals of deconfliction, the process by which the root causes of unexpected system behavior are identified by comparing the actions taken by a penetration tester with those of other users or system accounts, whether authorized or not. The other choices are incorrect as individual answers: each is a scenario appropriately described as an example of deconfliction communication, so the best answer is "all of the answers are correct."
Which of the following applications is most likely to be useful in exploit development? (Choose two.) A.Patator B.WinDBG C.Mimikatz D.OllyDBG
B.WinDBG
D.OllyDBG
Explanation
Correct Answers:
OllyDbg and WinDbg are correct. OllyDbg (a 32-bit user-mode debugger for Windows) and WinDbg (Microsoft's user- and kernel-mode debugger) are debugging tools used in software development and, in the information security context, to develop exploits: finding crash offsets, locating usable instructions and verifying control of the instruction pointer.
Incorrect Answers:
Patator is incorrect because Patator is a multiprotocol login brute-force tool able to attack FTP, SSH, SMTP, HTTP/HTTPS, and several other protocols. Since it is unable to assist in program debugging or provide other features necessary for the development of exploits, this answer is incorrect.
Mimikatz is incorrect because Mimikatz is a tool used to extract passwords and Kerberos tickets from memory, in addition to running pass-the-hash or pass-the-ticket attacks and building golden tickets. As with Patator, Mimikatz is unable to provide program debugging functionality or other features required for exploit development, making this answer incorrect.
Which of the following are methods of VLAN hopping? (Choose two.) A.Switch spoofing B.NAC bypass C.Double tagging D.MAC flapping
A.Switch spoofing
C.Double tagging
Explanation
Correct Answers:
Double tagging is correct because double tagging is a VLAN hopping method in which the attacker sends frames carrying two 802.1Q tags: an outer tag for the native VLAN of the trunk (the VLAN the attacker's access port belongs to) and an inner tag for the target VLAN. The first switch strips the outer tag, because traffic for the native VLAN travels the trunk untagged, and forwards the frame; the next switch reads the surviving inner tag and delivers the frame into the target VLAN as if it originated there. The attack is one-way, since replies stay on the target VLAN. It is mitigated by not leaving devices on the default VLAN (VLAN 1), changing the native VLAN on all trunk ports to an otherwise unused VLAN, and requiring explicit tagging of the native VLAN on all trunk ports (vlan dot1q tag native on Cisco IOS).
Switch spoofing is correct because switch spoofing is a VLAN hopping technique in which the attacking host masquerades as a switch by speaking Cisco's Dynamic Trunking Protocol (DTP), so that the port it is connected to negotiates itself into a trunk. Once the port is a trunk, the attacker can send and receive IEEE 802.1Q-tagged frames for any VLAN carried on it. This technique requires that DTP negotiation is enabled on the port (the dynamic auto or dynamic desirable modes), and is mitigated by explicitly configuring ports not intended for trunking as access ports (switchport mode access) and disabling DTP on every port (switchport nonegotiate).
Incorrect Answers:
MAC flapping is incorrect because MAC flapping occurs when a switch sees the same MAC address arriving on multiple ports, for example when two hosts claim the same address; it can be a symptom of a MAC spoofing attack or a loop, but it is not a VLAN hopping method.
NAC bypass is incorrect because NAC (Network Access Control) bypasses are a broad category of network-based attack; VLAN hopping is itself an example of a NAC bypass.
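The double-tagging path modelled end to end, as an added example for this flashcard set (not from any switch vendor or tool): build the two-tag frame, apply the first switch's ingress and trunk-egress behaviour, and see which VLAN the second switch delivers into, with and without the mitigations named above. MAC addresses, VLAN numbers and the payload are constructed.

```python
"""802.1Q double tagging modelled end to end.  Added example for this
flashcard set; MAC addresses, VLAN numbers and payload are constructed.
The attacker sits on an access port in the trunk's native VLAN and sends a
frame with two VLAN tags; the first switch pops the outer (native) tag and
the second switch acts on the inner one."""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """TPID followed by the TCI: PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst: str, src: str, vids: list[int], payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Zero, one or two 802.1Q tags, outermost first."""
    return _assemble(mac(dst) + mac(src), vids, ethertype, payload)


def _assemble(addrs: bytes, vids: list[int], ethertype: int, payload: bytes) -> bytes:
    return addrs + b"".join(vlan_tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> tuple[bytes, list[int], int, bytes]:
    """Return (dst+src, vids outermost-first, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return frame[:12], vids, ethertype, frame[off + 2:]


def first_switch(frame: bytes, access_vlan: int, trunk_native: int, tag_native: bool = False) -> bytes:
    """Ingress on an access port in `access_vlan`, egress on a trunk whose
    native VLAN is `trunk_native`.  An outer tag equal to the port's own
    VLAN is stripped on ingress; on egress the frame is tagged with the
    port's VLAN unless that VLAN is the trunk's untagged native VLAN."""
    addrs, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == access_vlan:
        vids = vids[1:]
    if access_vlan != trunk_native or tag_native:
        vids = [access_vlan] + vids
    return _assemble(addrs, vids, ethertype, payload)


def second_switch_vlan(frame: bytes, trunk_native: int) -> int:
    """VLAN the far switch delivers into: outermost tag, or the native VLAN
    if the frame arrives untagged."""
    _, vids, _, _ = parse_frame(frame)
    return vids[0] if vids else trunk_native


def hop_succeeds(attacker_vlan: int, target_vlan: int, trunk_native: int, tag_native: bool = False) -> bool:
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa",
                        [attacker_vlan, target_vlan], b"\x45" + b"\x00" * 19)  # constructed payload
    on_trunk = first_switch(frame, attacker_vlan, trunk_native, tag_native)
    return second_switch_vlan(on_trunk, trunk_native) == target_vlan


if __name__ == "__main__":
    print("default config (native VLAN 1):", hop_succeeds(1, 20, 1))
    print("native VLAN moved to 999:      ", hop_succeeds(1, 20, 999))
    print("native VLAN explicitly tagged: ", hop_succeeds(1, 20, 1, tag_native=True))
```

The three prints correspond to the three mitigations in the explanation: with the attacker's port on the native VLAN the inner tag survives the trunk; once the native VLAN is an unused one, or is tagged explicitly, the first switch adds its own outer tag and the second switch never sees the attacker's inner one.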
Which of the following Group Policy attributes is most likely to allow privilege escalation when found in files on a target Windows system? A.cpassword B.changeLogon C.neverExpires D.acctDisabled
A.cpassword
Explanation
Correct Answer:
Cpassword is correct. The cpassword attribute found in Group Policy Preference items is a glaring security vulnerability: every value is encrypted with the same static AES key, and Microsoft published that key in its protocol documentation, so any domain user who can read SYSVOL can recover the plaintext. Finding a cpassword attribute in a Group Policy Preferences file (stored under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ or \User\Preferences\) is as good as finding a password in plaintext. The attribute can appear in Groups\Groups.xml, Services\Services.xml, ScheduledTasks\ScheduledTasks.xml, Printers\Printers.xml, Drives\Drives.xml and DataSources\DataSources.xml. MS14-025 removed the ability to create new entries, but it did not remove existing ones, so old policies still turn up on engagements.
Incorrect Answers:
The other choices are incorrect. The attributes changeLogon, neverExpires, and acctDisabled are typically found in the same locations as cpassword, but they do not represent a security flaw in and of themselves. Rather, they represent the status of the associated account, indicative of whether the account user must change their password at login, whether or not the password expires, and if the account is disabled, respectively.
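Locating these entries in a SYSVOL copy, as an added example for this flashcard set (not from any named tool): decrypting a value takes AES-256-CBC with Microsoft's published key, which gpp-decrypt and Get-GPPPassword already implement, so this block stops at finding and reporting the attributes, including the status attributes the other answer choices name. The Groups.xml sample is constructed and its cpassword is dummy base64, not a real encrypted password.

```python
"""Find cpassword entries in Group Policy Preference XML.  Added example for
this flashcard set, not from any named tool.  Reports the entries; the AES
decryption step is left to gpp-decrypt / Get-GPPPassword.  The Groups.xml
sample is constructed and its cpassword value is dummy base64."""
from __future__ import annotations
import base64
import os
import xml.etree.ElementTree as ET

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")  # differs by preference type

# GPP writes the base64 without '=' padding, as reproduced here.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" image="2" changed="2019-03-04 10:15:22">
    <Properties action="U" newName="" fullName="" description="" cpassword="AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" image="2" changed="2020-01-10 08:00:00">
    <Properties action="C" userName="svc_backup" changeLogon="1" neverExpires="0" acctDisabled="1"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str, source: str = "<memory>") -> list[dict]:
    """One finding per element carrying a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.attrib.get("cpassword")
        if cp is None:
            continue
        padded = cp + "=" * (-len(cp) % 4)          # restore the padding GPP strips
        try:
            raw = base64.b64decode(padded, validate=True)
            well_formed = len(raw) > 0 and len(raw) % 16 == 0   # AES-CBC ciphertext is block aligned
        except (ValueError, TypeError):
            raw, well_formed = b"", False
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "action": elem.attrib.get("action", ""),
            "cpassword": cp,
            "ciphertext_bytes": len(raw),
            "well_formed": well_formed,
            "must_change_password": elem.attrib.get("changeLogon") == "1",
            "never_expires": elem.attrib.get("neverExpires") == "1",
            "account_disabled": elem.attrib.get("acctDisabled") == "1",
        })
    return findings


def scan_sysvol(root_dir: str) -> list[dict]:
    """Walk a SYSVOL mirror (e.g. copied with smbclient) looking only at the
    Preferences files that can carry cpassword."""
    out = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    try:
                        out.extend(find_cpasswords(fh.read(), path))
                    except ET.ParseError:
                        continue
    return out


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: {f['element']} account={f['account']} action={f['action']} "
              f"ciphertext={f['ciphertext_bytes']}B disabled={f['account_disabled']}")
```

The second User element in the sample has the status attributes the other answer choices name but no cpassword, so it is correctly not reported: on its own, changeLogon, neverExpires or acctDisabled tells you about account hygiene, not about a recoverable secret. A well-formed finding with account_disabled false is the one to hand to the decryption tool first.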
Which of the following are examples of phone-based phishing? (Choose two.) A.Spear phishing B.Baiting C.Voice phishing D.SMS Phishing
C.Voice phishing
D.SMS Phishing
Explanation
Correct Answers:
SMS phishing and voice phishing are correct. SMS phishing and voice phishing (or vishing) are phishing vectors that rely on the use of phones.
Incorrect Answers:
Spear phishing is incorrect because spear phishing is a tightly targeted phishing attack that focuses on specific individuals who may have information or access to systems or resources desired by a penetration tester in the context of a security assessment.
Baiting is incorrect because baiting is a social engineering technique that relies on a tempting item, such as a USB drive left in a parking lot or a too-good-to-be-true download, to entice a target into performing a given action; it is not phone based.
While developing an SOW with a client in the United States, you are informed that any penetration testers who will be engaging in testing activity on a specific range of subnets are required by law to be U.S. citizens. Which of the following is the most likely reason for this limitation?
A.Local government regulation
B.Recent network-based attacks from outside of the US
C.Company policy
D.Export control restriction
D.Export control restriction
Explanation
Correct Answer:
Export control restriction is correct. Export controls in the United States regulate and restrict the release of information deemed critical to foreign policy or national security to non-U.S. citizens. This information could be nearly anything: software, manufactured products, performed services, and other technologies are possible candidates for export control. In the given example, it would be reasonable to conclude that the subnet in question houses or passes data that is subject to export control restriction.
Incorrect Answers:
Company policy is incorrect because the question states that the restriction is required by law; a company policy can impose a citizenship requirement only where a legal or contractual regime such as export control already demands it, so policy is not the root cause here.
Recent network-based attacks from outside of the United States is incorrect because network attacks are a concern regardless of their country of origin and would not create a legal requirement about a contractor's nationality.
Local government regulation is incorrect because local government regulations, while often legitimate concerns, do not govern nationality requirements; a citizenship requirement necessarily implies a national-level regulation.
Which SCADA system component is placed strategically in the network, close to the process being managed, and converts sensor signals to digital data that is then relayed to a supervisory system? A.Communication infrastructure B.Human-machine-interface (HMI) C.Remote terminal Unit (RTU) D.Supervisory workstation
C.Remote terminal Unit (RTU)
Explanation
Correct Answer:
Remote terminal unit (RTU) is correct. A remote terminal unit (RTU) is placed strategically in a SCADA network close to the device being managed, and it converts sensor signals to digital data that is then relayed to a supervisory workstation.
Incorrect Answers:
Communication infrastructure is incorrect because SCADA communication infrastructure connects devices and facilitates their communications using SCADA protocols such as DNP3 and Modbus.
Human-machine interface (HMI) is incorrect because a human-machine interface (HMI) is an operator application (usually a graphical interface) on the supervisory workstation that allows operators to monitor and manage a supervisory control system.
Supervisory workstation is incorrect because a supervisory workstation is a computer or console that forms the core of the SCADA network, gathering data from and sending commands to connected devices such as programmable logic controllers (PLCs) or RTUs.
Which of the following commands will display general firewall configuration rules on a target system running the appropriate firewall service? (Choose two.) A.'ufw list' B.'netsh firewall show config' C.'netsh advfirewall show rule name=all' D.'iptables -S'
C.’netsh advfirewall show rule name=all’
D.’iptables -S’
Explanation
Correct Answers:
'iptables -S' and 'netsh advfirewall firewall show rule name=all' are correct. On a Linux system running iptables, the command 'iptables -S' will display currently loaded firewall configuration rules. Similarly, the command 'netsh advfirewall show rule name=all' will do the same on a Windows host.
Incorrect Answers:
'netsh firewall show config' is incorrect because the command listed here will only display the running state of the firewall on a Windows host; while this is valuable information, it does not give granular rules as stated in the question.
'ufw list' is incorrect because 'list' is not a valid subcommand for ufw, which serves as a more easily accessible frontend for iptables on Linux hosts. 'ufw status' will return the firewall state and loaded rules if the firewall service is running.
Which Python-based tool allows users to craft packets and decode data with extreme precision, and is often used itself to create more refined tools? A.scapy B.hping3 C.Responder D.BeEF
A.scapy
Explanation
Correct Answer:
Scapy is correct. Scapy is an interactive, Python-based packet manipulation program that is able to forge and decode packets for a wide range of protocols. Its versatility enables users to handcraft packets with relative ease, enabling tool development or quicker testing efforts where other tools are not quite able to meet the tester’s needs.
Incorrect Answers:
Responder is incorrect because, although Responder is a Python-based tool, it enables users to poison name resolution services rather than design, craft, send, and decode packets.
Hping3 is incorrect because, while hping3 is a command-line TCP/IP packet analyzer and assembler, it is written in C and lacks much of the functionality and granularity found in scapy.
BeEF is incorrect because BeEF is a Ruby-based framework developed by The BeEF Project designed to assist penetration tests by focusing on client-side attack vectors.
Which of the following general privilege escalation vectors is applicable to Windows hosts? (Choose two.) A.DLL Hijacking B.Unattended installation artifacts C.SUID/GUID program abuse D.Insecure sudo use
A.DLL Hijacking
B.Unattended installation artifacts
Explanation
Correct Answers:
Unattended installation and DLL hijacking are correct. The collection of artifacts from unattended operating system installations and DLL hijacking are both categories of privilege escalation techniques that target Windows operating systems.
Incorrect Answers:
SUID/GUID program abuse and insecure sudo access are incorrect. SUID/GUID program abuse and insecure sudo access are privilege escalation vectors used in attacking *nix operating system families.
Which of the following is not an organization that conducts vulnerability research and publishes its findings to the public? A.JPCERT B.CAPEC C.NIST D.MITRE
B.CAPEC
Explanation
Correct Answer:
CAPEC is correct. CAPEC (Common Attack Pattern Enumeration and Classification) is a vulnerability research resource that assists security teams, educators, and penetration testers by detailing and classifying various types of attacks so that they may be better understood.
Incorrect Answers:
The other choices are incorrect because they are all organizations that conduct vulnerability research and publish their findings.
Which of the following are goals an organization may have in attempting to identify lessons learned from a penetration test? (Choose two.)
A.Identification of patterns within the types of vulnerabilities discovered in the organization's networks
B.Determining targets for retesting
C.Identification of broader knowledge that can be inferred from the findings of a penetration test
D.Cleanup of artifacts and remnants of the penetration test from the systems and servers
A.Identification of patterns within the types of vulnerabilities discovered in the organization's networks
C.Identification of broader knowledge that can be inferred from the findings of a penetration test
Explanation
Correct Answers:
Identification of patterns within the types of vulnerabilities discovered in the organization’s networks and identification of broader knowledge that can be inferred from the findings of a penetration test are correct. The debriefing that follows a penetration test primarily serves to identify patterns within the types of vulnerabilities discovered during a penetration test (so as to determine what blind spots an organization may have in its security posture) and to infer broader, more general conclusions from the specific findings of the engagement.
Incorrect Answers:
Cleanup of artifacts and remnants of the penetration test from the systems and servers is incorrect because cleaning up of artifacts and other remnants of a penetration test is handled during post-engagement cleanup rather than while attempting to identify lessons learned.
Determining targets for retesting is incorrect because the need for retesting is determined in response to an identified need, or in response to issues raised between a client and the penetration testing team, such as the unavailability of a system designated to be in scope for a significant period of the penetration test.
Which nmap flag will redirect output to a file in the native, XML, and grep-friendly formats all at once? A.'-oX' B.'-oA' C.'-oG' D.'-oN'
B.'-oA'
Explanation
Correct Answer:
'-oA' is correct. The -oA flag will redirect nmap output to a file in the native, XML, and grep-friendly formats all at once.
Incorrect Answers:
'-oN' is incorrect because the -oN flag will only save scan results in the standard output format.
'-oG' is incorrect because -oG will only save scan results in a grep-able format.
'-oX' is incorrect because -oX will only save scan results in XML format.
Which of the following is most likely to be the lowest risk method to attempt to obtain sensitive information that has been disposed of improperly?
A.Establishing a pretext as a fire safety inspector and physically entering a building during business hours
B.Picking a side entrance lock after business hours, before cleaning services show up
C.Slipping the receptionist a bribe to gain entry to the building
D.Rifling through the organization's trash bags before they are collected by waste management
D.Rifling through the organization's trash bags before they are collected by waste management
Explanation
Correct Answer:
Rifling through the organization’s trash bags before they are collected by waste management is correct. Employees often write down usernames and passwords, simply throwing them out when they do not need them anymore. Going through a company’s trash or dumpster diving can produce functional credentials, daily schedules for employees, or other information of value in a penetration test. Note that while it is certainly feasible to go through the trash in place, this approach leaves one open to discovery, as the tester would be sitting in plain sight in a dumpster. This is generally unusual behavior and would draw unwanted attention. A much more secure method of execution would be to assemble a small team of maybe two or three people, pile into a pickup truck or car, and load trash bags into the vehicle to be searched offsite. This approach ensures the tester or testers have sufficient time to adequately search the entirety of the bags, in addition to minimizing the window of opportunity for their actions to be discovered.
Incorrect Answers:
Establishing a pretext as a fire safety inspector and physically entering a building during business hours is incorrect because while people are often the weakest link in security programs, going in with a pretext is still necessarily going in blind; a penetration tester will be almost guaranteed to not know the mindsets of personnel, the level of training they have received, or the efficacy of that training in shaping any given employee’s response to potential security threats.
Picking a side entrance lock after business hours, before cleaning services show up is incorrect because picking a lock is almost certain to trip alarms, cameras, or other physical security barriers, greatly increasing the chance of discovery.
Slipping the receptionist a bribe to gain entry to the building is incorrect because as with establishing a pretext, a penetration tester will have no idea how receptive an employee might be to such an offer. In fact, a savvy employee may seemingly accept the offer, open an access point for the penetration tester, then immediately contact security personnel or the police while another employee tails them. Any human interaction increases risk, as does any interaction with physical security measures. Of the choices given, dumpster diving is the best approach to minimizing exposure to these variables.
Which category of vulnerability was number one on the OWASP Top 10 for 2017 and impacts many computer components such as databases, LDAP, and operating systems? A.Injection B.Insecure deserialization C.Cross-site scripting D.Broken authentication
A.Injection
Explanation
Correct Answer:
Injection was the number one vulnerability for web applications in 2017, and in fact has been since 2010. This can impact SQL and NoSQL databases, LDAP, and operating systems, among other information system components.
Incorrect Answers:
The other choices are incorrect. Cross-site scripting (XSS), insecure deserialization, and broken authentication were number 7, number 8, and number 2, respectively, in 2017.