CompTIA PenTest+ Practice Test Chapter 3 Attacks and Exploits (Sybex: Panek, Crystal, Tracy) Flashcards
You are conducting a black box penetration test for a client. You have used reconnaissance tools to create a list of employee email addresses within the target organization. You craft an email addressed to all of the employees warning them that they must change their password within 24 hours or they will lose access. When they click the link provided in the email, they are redirected to your own website where their credentials are captured to a text file. What kind of exploit did you use?
A.Phishing
B.Vishing
C.Smishing
D.Whaling
A.Phishing
Explanation:
A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.
You are performing a gray box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?
A.Phishing
B.Interrogation
C.Spear phishing
D.Whaling
C.Spear phishing
Explanation:
A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.
You are performing a black box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify the CEO’s email address as well as the email address belonging to a help desk employee. You craft an email to the CEO that appears to come from the help desk employee directing the CEO to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?
A.Smishing
B.Vishing
C.Spear phishing
D.Whaling
D.Whaling
Explanation:
A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.
You are performing a black box penetration test for a medium-sized organization that sells imported clothing. You have used reconnaissance techniques to identify a key software developer. You send this employee a personalized text message containing a Bitly URL that points to your own website where you capture information to a text file. What kind of exploit did you use in this scenario?
A.Phishing
B.Smishing
C.Vishing
D.Whaling
B.Smishing
Explanation:
An SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit.
You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist’s phone number as well as the organization’s printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization’s network infrastructure. What kind of exploit did you use in this scenario?
A.Smishing
B.Vishing
C.Spear phishing
D.Whaling
B.Vishing
Explanation:
A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.
Which social engineering technique involves questioning an employee using intimidation to gather information?
A.Phishing
B.Smishing
C.Impersonation
D.Interrogation
D.Interrogation
Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers.
You are performing a black box penetration test for a large financial organization. Using reconnaissance techniques, you have identified the vendor that services the vending machines within the organization’s main headquarters. You dress in a similar uniform as the vendor’s employees. You also purchase a hand truck and several cases of soda pop. The receptionist of the target organization allows you to enter and directs you to the break room. What kind of exploit did you use in this scenario?
A.Impersonation
B.Smishing
C.Vishing
D.Elicitation
A.Impersonation
Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” on that printer, you chat with nearby employees to gather information. Which exploits did you use in this scenario? (Choose two.)
A.Impersonation
B.Whaling
C.Phishing
D.Interrogation
E.Elicitation
A.Impersonation
E.Elicitation
Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” within the organization, you discreetly watch employees as they type, trying to gather sensitive information. Which exploits did you use in this scenario? (Choose two.)
A.Shoulder surfing
B.Phishing
C.Impersonation
D.Interrogation
E.Elicitation
A.Shoulder surfing
C.Impersonation
Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used shoulder-surfing techniques to gather sensitive information from employees.
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee’s email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.)
A.Shoulder surfing
B.Phishing
C.Impersonation
D.Interrogation
E.Elicitation
C.Impersonation
E.Elicitation
Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization’s employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.
You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that installs a keylogger on the victim’s computer and sends the information it captures to you. You walk in the client’s front door and ask the receptionist for directions to a nearby sports venue. While you are speaking, you deliberately drop the drive on the floor and then leave. Which exploit was used in this scenario?
A.Shoulder surfing
B.USB key drop
C.Phishing
D.Elicitation
B.USB key drop
Explanation:
In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. When this happens, the malware is automatically loaded on the victim’s computer.
Which exploit sends emails indiscriminately to a large number of the target organization’s employees, anticipating that a percentage of them will click the malicious link contained in the message?
A.Phishing
B.Spear phishing
C.SMS phishing
D.Whaling
A.Phishing
Explanation:
In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.
Which exploit relies on text messaging to deliver phishing messages?
A.Elicitation
B.Spear phishing
C.SMS phishing
D.Whaling
C.SMS phishing
Explanation:
An SMS phishing attack (also called a smishing attack) leverages text messaging instead of email to conduct a phishing exploit.
Which exploit relies on a telephone call to convince someone to reveal sensitive information?
A.Vishing
B.Spear phishing
C.Phishing
D.Whaling
A.Vishing
Explanation:
A voice phishing attack (also called a vishing attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.
Which exploits require the penetration tester to first conduct extensive reconnaissance to identify specific, high-value individuals to target within the organization? (Choose two.)
A.Spear phishing
B.Phishing
C.USB key drop
D.Whaling
E.SMS phishing
A.Spear phishing
D.Whaling
Explanation:
Both spear phishing and whaling require the penetration tester to conduct extensive research to identify high-value target individuals within the organization.
Which social engineering technique is least likely to be used during a penetration test?
A.Interrogation
B.Impersonation
C.Shoulder surfing
D.USB key drop
A.Interrogation
Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.
You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that sends information to you. Using reconnaissance techniques, you have identified the vendor that services the heating and air conditioning within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees and purchase the tools they commonly use. The receptionist of the target organization allows you to enter and directs you to the mechanical room. You deliberately leave the flash drive on a user’s chair as you walk by an open cubicle. Which exploits were used in this scenario? (Choose two.)
A.Elicitation
B.Impersonation
C.Shoulder surfing
D.USB key drop
E.Business email compromise
B.Impersonation
D.USB key drop
Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used a USB key drop exploit, hoping that the user would insert the flash drive into their computer and install the malware it contains.
You have been hired to conduct a black box penetration test for a client. You walk into the organization’s main entrance and ask the receptionist for information about current job openings. You watch the keystrokes she types on her computer in hopes of capturing sensitive information that you can use to gain access to the internal network. What kind of exploit was used in this scenario?
A.Spear phishing
B.Impersonation
C.Shoulder surfing
D.USB key drop
E.Business email compromise
C.Shoulder surfing
Explanation:
The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.
You have been hired to conduct a gray box penetration test for a client. You managed to walk by just as she was logging on to her email account and watch the keystrokes she typed on her computer. Later that evening, after the employee has gone home for the day, you log on to her email account and send requests for information to other employees. Which exploits were used in this scenario? (Choose two.)
A.Spear phishing
B.Whaling
C.USB key drop
D.Shoulder surfing
E.Business email compromise
D.Shoulder surfing
E.Business email compromise
Explanation:
The penetration tester used shoulder surfing and business email compromise techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. In this example, the tester used shoulder surfing to gather the employee’s email username and passwords. The tester then used the compromised account to gather information from other employees. This is called business email compromise.
You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization’s employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario?
A.Whaling
B.Elicitation
C.Interrogation
D.Phishing
B.Elicitation
Explanation:
This is an example of elicitation. By gaining the employees’ trust, the tester was able to elicit sensitive information from them about their employer.
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be the director of operations. The email asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?
A.Authority
B.Scarcity
C.Social proof
D.Likeness
A.Authority
Explanation:
By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be an agent with the Federal Bureau of Investigation (FBI). The email indicates that the employee’s manager is being investigated for embezzlement and asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?
A.Likeness
B.Scarcity
C.Social proof
D.Authority
D.Authority
Explanation:
By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be a fellow employee who has forgotten her password. The email indicates she has a presentation in a few minutes and can’t access her presentation files on a shared network drive. She asks the employee to “loan” her his username and password so she can log on and get the files. What motivation factor did the penetration tester use in this scenario?
A.Fear
B.Urgency
C.Authority
D.Scarcity
B.Urgency
Explanation:
By masquerading as a fellow employee in great distress in this scenario, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be using likeability as a factor.
A penetration tester sends a phishing email to the employees of the target organization. The link in the email leads to a fake website that lists more than 1,000 reviews with an average rating of 4.9 stars. What motivation factor did the penetration tester use in this scenario?
A.Social proof
B.Urgency
C.Scarcity
D.Authority
A.Social proof
Explanation:
The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.