CompTIA Pentest+ Chapter 6 Questions Flashcards

1
Q

Elicitation is the process of ________
A.Extracting meaningful information from a target
B.Extracting information from a target
C.Using solicited information to aid in a pentest
D.Making a target do what you want them to

A

A.Extracting meaningful information from a target

Explanation:
Elicitation is the process of extracting meaningful information from a target, not just any type of information.

Chaining these types of attacks together can help an attacker get the information they desire.

2
Q

There are different motivational techniques that pentesters can emulate for social engineering attacks.

During a pentest, the customer requests that a specific email template be used to entice their employees to try to buy something in response to a specific sale offered just for their organization.

This type of motivational technique is known as what?
A.Authority
B.Likeness
C.Scarcity
D.Social Proof
A

C.Scarcity

3
Q
Select two types of social engineering attacks that use URLs to send targets to web pages for further attacks against a computer network.
A.Vanishing
B.SMS Phishing
C.Spear phishing
D.Pretexting
A

B.SMS Phishing
C.Spear phishing

Explanation:

4
Q

An employee gets out of the car and notices a USB drive lying in the parking lot.

The drive appears to be new and has “My music files” written on the side of it in small font.

The employee takes the drive into work and attempts to play one of the music files.

The antivirus software alerts the user about potential malware after the computer started acting a little strange.

This type of social engineering method is commonly known as what?
A.Luring
B.Shoulder surfing
C.Waterholing
D.Baiting
A

D.Baiting

Explanation:
Baiting is the correct answer; it is a tactic used to lure victims into doing something in exchange for a tangible reward.

5
Q
The Social-Engineer Toolkit (SET) is a Python-based framework that can do which of the following? (Select all that apply)
A.Send emails to targets
B.Scan IP Addresses
C.Produce SMS attacks
D.Engage in Wi-Fi calling
A

A.Send emails to targets
C.Produce SMS attacks

Explanation:
SET helps facilitate various types of social engineering attacks.

Two types of attacks it can be used for are email-based and SMS-based social engineering attacks.

Scanning IP addresses and making Wi-Fi phone calls are not features found in SET.

6
Q

Many types of countermeasures can help organizations prepare for and mitigate potential social engineering attacks.

Which of the following are valid countermeasures for social engineering attacks? (Select all that apply)
A.Training
B.Cameras
C.Shredders
D.All of the above
A

D.All of the above

Explanation:
The correct answer is all of the above.

All of these options help mitigate both physical and electronic methods of social engineering attacks.

7
Q

Criminal impersonation is governed by state laws, and is a crime that involves identity theft, impersonating an officer or legal counsel, and many other avenues of attack that involve a plot to defraud another by pretending to be someone you are not.

Which two documents could you consult to determine if a social engineering attack you would like to use during an engagement is approved by the organization? (Select all that apply)
A.Rule of enhancement(RoE)
B.Rules of engagement (RoE)
C.Statement of work (SOW)
D.Service Level Agreement (SLA)
A

B.Rules of engagement (RoE)
C.Statement of work (SOW)

Explanation:
Before engaging in a social engineering attack, it is best to ensure that the organization undergoing this type of assessment approves any and all web, email, SMS, etc., templates prior to executing the test.

The RoE and SOW are two documents that can provide guidance on what may or may not be allowed during a social engineering attack.

A service level agreement defines the quality, availability and responsibilities of the agreeing parties, but will most likely not cover the details of how a social engineering attack should be carried out or the list of authorized targets for the assessment.

The "Rules of Enhancement" is not a valid document and is an incorrect answer.

8
Q

Alice owns a very profitable consulting firm that handles a great deal of private information for her clients.

The company has over 50 employees but outsources its IT services to another company.

One afternoon while Alice was at lunch, her receptionist received a phone call from a person claiming to be from the IT service provider, saying that they are trying to work on a service ticket for Alice and need her personal cell phone number in order to ask some questions of a private nature.

The receptionist knows that Alice doesn't have any computer problems.

What type of social engineering attack did Alice's receptionist receive?
A.Spear phishing
B.Whaling
C.Baiting
D.Vishing
A

D.Vishing

Explanation:
This is a common example of vishing, or voice phishing, where the attacker plays the role of another person who has an urgent matter to discuss or requires the immediate attention of the target, in order to pressure the victim into providing the information requested.

Spear phishing and whaling are types of attacks carried out via email.

Baiting is a motivational technique to get someone to do something for a reward.
