CompTIA PenTest+ Practice Test Chapter 3 Attacks and Exploits (Sybex: Panek, Crystal, Tracy) Flashcards

1
Q

You are conducting a black box penetration test for a client. You have used reconnaissance tools to create a list of employee email addresses within the target organization. You craft an email addressed to all of the employees warning them that they must change their password within 24 hours or they will lose access. When they click the link provided in the email, they are redirected to your own website where their credentials are captured to a text file. What kind of exploit did you use?

A.Phishing
B.Vishing
C.Smishing
D.Whaling

A

A.Phishing

Explanation:
A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.

2
Q

You are performing a gray box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?

A.Phishing
B.Interrogation
C.Spear phishing
D.Whaling

A

C.Spear phishing

Explanation:
A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.

3
Q

You are performing a black box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify the CEO’s email address as well as the email address belonging to a help desk employee. You craft an email to the CEO that appears to come from the help desk employee directing the CEO to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?

A.Smishing
B.Vishing
C.Spear phishing
D.Whaling

A

D.Whaling

Explanation:
A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.

4
Q

You are performing a black box penetration test for a medium-sized organization that sells imported clothing. You have used reconnaissance techniques to identify a key software developer. You send this employee a personalized text message containing a Bitly URL that points to your own website where you capture information to a text file. What kind of exploit did you use in this scenario?

A.Phishing
B.Smishing
C.Vishing
D.Whaling

A

B.Smishing

Explanation:
An SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit.

5
Q

You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist’s phone number as well as the organization’s printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization’s network infrastructure. What kind of exploit did you use in this scenario?

A.Smishing
B.Vishing
C.Spear phishing
D.Whaling

A

B.Vishing

Explanation:
A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

6
Q

Which social engineering technique involves questioning an employee using intimidation to gather information?

A.Phishing
B.Smishing
C.Impersonation
D.Interrogation

A

D.Interrogation

Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers.

7
Q

You are performing a black box penetration test for a large financial organization. Using reconnaissance techniques, you have identified the vendor that services the vending machines within the organization’s main headquarters. You dress in a similar uniform as the vendor’s employees. You also purchase a hand truck and several cases of soda pop. The receptionist of the target organization allows you to enter and directs you to the break room. What kind of exploit did you use in this scenario?

A.Impersonation
B.Smishing
C.Vishing
D.Elicitation

A

A.Impersonation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.

8
Q

You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” on that printer, you chat with nearby employees to gather information. Which exploits did you use in this scenario? (Choose two.)

A.Impersonation 
B.Whaling 
C.Phishing 
D.Interrogation 
E.Elicitation
A

A.Impersonation
E.Elicitation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.

9
Q

You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” within the organization, you discreetly watch employees as they type, trying to gather sensitive information. Which exploits did you use in this scenario? (Choose two.)

A.Shoulder surfing
B.Phishing
C.Impersonation
D.Interrogation
E.Elicitation
A

A.Shoulder surfing
C.Impersonation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used shoulder-surfing techniques to gather sensitive information from employees.

10
Q
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee’s email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.)

A.Shoulder surfing
B.Phishing
C.Impersonation
D.Interrogation
E.Elicitation
A

C.Impersonation
E.Elicitation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization’s employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.

11
Q

You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that installs a keylogger on the victim’s computer and sends the information it captures to you. You walk in the client’s front door and ask the receptionist for directions to a nearby sports venue. While you are speaking, you deliberately drop the drive on the floor and then leave. Which exploit was used in this scenario?

A.Shoulder surfing
B.USB key drop
C.Phishing
D.Elicitation

A

B.USB key drop

Explanation:
In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. When this happens, the malware is automatically loaded on the victim’s computer.

12
Q

Which exploit sends emails indiscriminately to a large number of the target organization’s employees, anticipating that a percentage of them will click the malicious link contained in the message?

A.Phishing
B.Spear phishing
C.SMS phishing
D.Whaling

A

A.Phishing

Explanation:
In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.

13
Q

Which exploit relies on text messaging to deliver phishing messages?

A.Elicitation
B.Spear phishing
C.SMS phishing
D.Whaling

A

C.SMS phishing

Explanation:
An SMS phishing attack (also called a smishing attack) leverages text messaging instead of email to conduct a phishing exploit.

14
Q

Which exploit relies on a telephone call to convince someone to reveal sensitive information?

A.Vishing
B.Spear phishing
C.Phishing
D.Whaling

A

A.Vishing

Explanation:
A voice phishing attack (also called a vishing attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

15
Q

Which exploits require the penetration tester to first conduct extensive reconnaissance to identify specific, high-value individuals to target within the organization? (Choose two.)

A.Spear phishing 
B.Phishing 
C.USB key drop 
D.Whaling 
E.SMS phishing
A

A.Spear phishing
D.Whaling

Explanation:
Both spear phishing and whaling require the penetration tester to conduct extensive research to identify high-value target individuals within the organization.

16
Q

Which social engineering technique is least likely to be used during a penetration test?

A.Interrogation
B.Impersonation
C.Shoulder surfing
D.USB key drop

A

A.Interrogation

Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.

17
Q

You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that sends information to you. Using reconnaissance techniques, you have identified the vendor that services the heating and air conditioning within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees and purchase the tools they commonly use. The receptionist of the target organization allows you to enter and directs you to the mechanical room. You deliberately leave the flash drive on a user’s chair as you walk by an open cubicle. Which exploits were used in this scenario? (Choose two.)

A.Elicitation 
B.Impersonation 
C.Shoulder surfing 
D.USB key drop 
E.Business email compromise
A

B.Impersonation
D.USB key drop

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used a USB key drop exploit, hoping that the user would insert the flash drive into their computer and install the malware it contains.

18
Q

You have been hired to conduct a black box penetration test for a client. You walk into the organization’s main entrance and ask the receptionist for information about current job openings. You watch the keystrokes she types on her computer in hopes of capturing sensitive information that you can use to gain access to the internal network. What kind of exploit was used in this scenario?

A.Spear phishing 
B.Impersonation 
C.Shoulder surfing 
D.USB key drop 
E.Business email compromise
A

C.Shoulder surfing

Explanation:
The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.

19
Q

You have been hired to conduct a gray box penetration test for a client. You managed to walk by just as she was logging on to her email account and watch the keystrokes she typed on her computer. Later that evening, after the employee has gone home for the day, you log on to her email account and send requests for information to other employees. Which exploits were used in this scenario? (Choose two.)

A.Spear phishing
B.Whaling 
C.USB key drop 
D.Shoulder surfing 
E.Business email compromise
A

D.Shoulder surfing
E.Business email compromise

Explanation:
The penetration tester used shoulder surfing and business email compromise techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. In this example, the tester used shoulder surfing to gather the employee’s email username and passwords. The tester then used the compromised account to gather information from other employees. This is called business email compromise.

20
Q

You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization’s employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario?

A.Whaling
B.Elicitation
C.Interrogation
D.Phishing

A

B.Elicitation

Explanation:
This is an example of elicitation. By gaining the employees’ trust, the tester was able to elicit sensitive information from them about their employer.

21
Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be the director of operations. The email asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?

A.Authority
B.Scarcity
C.Social proof
D.Likeness

A

A.Authority

Explanation:
By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.

22
Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be an agent with the Federal Bureau of Investigation (FBI). The email indicates that the employee’s manager is being investigated for embezzlement and asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?

A.Likeness
B.Scarcity
C.Social proof
D.Authority

A

D.Authority

Explanation:
By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.

23
Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be a fellow employee who has forgotten her password. The email indicates she has a presentation in a few minutes and can’t access her presentation files on a shared network drive. She asks the employee to “loan” her his username and password so she can log on and get the files. What motivation factor did the penetration tester use in this scenario?

A.Fear
B.Urgency
C.Authority
D.Scarcity

A

B.Urgency

Explanation:
By masquerading as a fellow employee in great distress in this scenario, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be using likeability as a factor.

24
Q

A penetration tester sends a phishing email to the employees of the target organization. The link in the email leads to a fake website that lists more than 1,000 reviews with an average rating of 4.9 stars. What motivation factor did the penetration tester use in this scenario?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

A

A.Social proof

Explanation:
The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.

25
Q

A penetration tester sends a phishing email to the employees of the target organization. The email purports to be offering iPads for an absurdly low price. However, there are only 25 left at this price. The link in the email leads to a fake website that uses a drive-by-download script that drops a keylogger on the employee’s computer. What motivation factor did the penetration tester use in this scenario?

A.Fear
B.Social proof
C.Authority
D.Scarcity

A

D.Scarcity

Explanation:
The penetration tester is using scarcity as a motivating factor. By asserting that there are only a small number of devices available at the steeply discounted price, the employees are motivated to make a purchase before supplies run out.

26
Q

You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You hire several young, physically attractive consultants to help with the penetration test. You send them to the same restaurant for lunch and have them make friends with several of the target organization’s employees. They gain the employees’ trust, and the employees begin to share information about their jobs, computers, bosses, customers, projects, and so on. Which motivation factor was used in this scenario?

A.Authority
B.Scarcity
C.Social proof
D.Likeness

A

D.Likeness

Explanation:
The penetration tester is using likeness as a motivating factor. By hiring young, friendly, and physically attractive assistants, the penetration tester is able to coerce employees of the target organization into revealing sensitive information about their employer.

27
Q

During a penetration test, you send an email to the CFO of the target organization. The email claims that the webcam on the CFO’s laptop has been clandestinely used to record him viewing pornography. The email threatens to post this video and notify his family, his employer, and the police if he doesn’t respond with certain sensitive information about his company. Which motivation factor was used in this scenario?

A.Fear
B.Social proof
C.Authority
D.Scarcity

A

A.Fear

Explanation:
The penetration tester is using fear as a motivating factor. Whether the claim is true or not, the CFO knows that such a revelation could damage his family and career. It could also expose him to prosecution. This could potentially motivate him to divulge sensitive information.

28
Q

A penetration tester sends an email to a sales rep of the target organization, claiming to be the CEO of one of the organization’s most important clients. The email asks the employee to create a VPN account to allow the CEO access to certain files on the organization’s network. The email threatens to terminate the business relationship if this doesn’t happen. What motivation factor did the penetration tester use in this scenario?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

A

C.Authority

Explanation:
The penetration tester is using authority (and probably urgency along with fear) as a motivating factor. The sales rep may be inclined to create the VPN connection to prevent the supposed loss of an important client.

29
Q

A penetration tester sends an email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that her VPN connection from her hotel is running extremely slow and that she can’t access her client’s data. If she doesn’t get the data, she will lose the sale. The message asks the employee to email her a copy of the files. What motivation factor did the penetration tester use in this scenario?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

A

B.Urgency

Explanation:
The penetration tester is using urgency (and possibly likeness) as a motivating factor. The employee will probably comply with the request out of a desire to be seen as a “team player.” This type of attack can be made even more effective by conducting reconnaissance beforehand and identifying the names of real sales reps working for the organization.

30
Q

A penetration tester sends email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that she forgot her VPN password and now it is locked because she tried too many wrong ones. She asks the employee for his VPN username and password so she can log on and update the customer database with a huge new order. She mentions in the email that one of the target employee’s coworkers has done this for her in the past and it wasn’t a big deal. What motivation factors did the penetration tester use in this scenario? (Choose two.)

A.Social proof 
B.Urgency 
C.Scarcity 
D.Authority 
E.Fear
A

A.Social proof
B.Urgency

Explanation:
The penetration tester is using two motivation factors in this example. She is using urgency and social proof as motivating factors. Because it is a huge order, the employee probably feels a sense of urgency to comply. The penetration tester also employs social proof by mentioning the name of a familiar co-worker. This probably helps the employee feel more comfortable with giving the penetration tester his username and password.

31
Q

Which motivation factor gets people to act quickly due to a sense of limited supply?

A.Social proof
B.Likeness
C.Scarcity
D.Authority

A

C.Scarcity

Explanation:
People can be motivated to act quickly when they believe something they want is in limited supply. This is called scarcity. They don’t want to miss out on an opportunity, product, deal, or service that will soon become unavailable.

32
Q

Which motivation factor gets people to act because they believe that “everyone else is doing it”?

A.Social proof
B.Fear
C.Scarcity
D.Authority

A

A.Social proof

Explanation:
People can be motivated to act if they think that everyone else is doing the same thing. This is called social proof. The (flawed) assumption is that if everyone else is doing something, it must be the right thing to do.

33
Q

Which motivation factor gets people to act because someone with clout wants them to?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

A

C.Authority

Explanation:
People are naturally motivated by a respect for authority. When they believe someone in authority wants them to do something, they will frequently comply, especially if the request is coupled with a sense of urgency.

34
Q

Which motivation factor gets people to act quickly because they believe someone needs help?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

A

B.Urgency

Explanation:
Many people are naturally motivated to help others in distress. This is called urgency. When they believe someone needs help, they may bend or break the rules to help the person out.

35
Q

Which motivation factor gets people to act because they want to please the person making a request of them?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

A

A.Likeness

Explanation:
Most people will help someone they perceive to be a friend. This is called likeness. When someone they believe to be a friend needs help, they may bend or break the rules to help the person out.

36
Q

Which motivation factor gets people to act because they worry about the consequences of not acting?

A.Social proof
B.Fear
C.Scarcity
D.Authority

A

B.Fear

Explanation:
Most people will respond to a request to act if they are made to fear the consequences of failing to act. This is one of the most basic human motivations.

37
Q

THIS IS DEBATABLE. PIGGYBACKING IS WHEN THE REAL EMPLOYEE IS AWARE THEY ARE LETTING YOU IN; TAILGATING WOULD BE SLIPPING IN WITHOUT THE REAL EMPLOYEE’S KNOWLEDGE, AKA SLIPPING IN THROUGH THE CLOSING DOOR.

A penetration tester enters the target organization’s physical facility by walking behind an employee and grabbing the authentication-protected door before it shuts all of the way. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

A.Piggybacking

Explanation:
Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

38
Q

A penetration tester enters the target organization’s physical facility by striking up a conversation with an employee in the parking lot and walking with her through a door that uses a proximity badge reader to control access. The employee uses her badge to open the door and holds it open for the penetration tester. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

A.Piggybacking

Explanation:
Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person’s knowledge and/or consent.

39
Q

A penetration tester waits in the target organization’s parking lot until she sees a large group of employees returning from lunch. She inserts herself quietly at the back of the group. The first person in the group uses his badge to unlock a secured door. The penetration tester is able to move through the door with the rest of the group. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

B.Tailgating

Explanation:
Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

40
Q

As a penetration tester approaches the main entrance to the target organization’s physical facility, she notices that a turnstile is used to control access. She carefully steps over the turnstile instead of walking through it. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Fence jumping

A

D.Fence jumping

Explanation:
Fence jumping occurs when an unauthorized person simply jumps over a physical barrier designed to control access. In this scenario, the penetration tester simply steps over the turnstile that is designed to prevent unauthorized people from entering.

41
Q

A penetration tester rifles through the target organization’s garbage and finds an optical disc. He reads the disc on his laptop and finds that it contains several very sensitive files from human resources. What kind of exploit occurred in this scenario?

A.Dumpster diving
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

A

A.Dumpster diving

Explanation:
Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

42
Q

A penetration tester impersonates a vending machine repair person to gain physical access to the target organization’s facility. Once inside, he notices that the door to the server room uses a simple pushbutton door lock that doesn’t use any kind of electronic authentication. Which physical security attack could he use to gain access to the server room?

A.Lock picking
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

A

A.Lock picking

Explanation:
Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.

43
Q

A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization’s facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a piece of strong tape over the door locking tab, allowing her to return into the room later without authorization. What is this technique called?

A.Lock picking
B.Lock bypass
C.Fence jumping
D.Badge cloning

A

B.Lock bypass

Explanation:
Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. For example, this could be done by placing tape over the locking tab, as was done in this scenario.

44
Q

The exterior double glass door to a facility has a motion sensor installed that automatically unlocks the door when someone is leaving the facility. To gain unauthorized access to the facility, a penetration tester sprays a can of air duster in the center crack between the doors to trigger the motion sensor and unlock the door. What is this technique called?

A.Lock picking
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

A

D.Egress sensor bypass

Explanation:
Egress sensor bypass occurs when an attacker manipulates an egress sensor to unlock a door. In this scenario, the moving compressed air from the air duster is much colder and denser than the surrounding air, causing the egress sensor to think someone is exiting the building and unlock the door.

45
Q

While waiting in line at a food truck behind an employee of the target organization, a penetration tester steals her access badge and makes a copy of its RFID signature on a fake access badge. What is this technique called?

A.Egress sensor bypass
B.Lock bypass
C.Badge cloning
D.Fence jumping

A

C.Badge cloning

Explanation:
Badge cloning occurs when an attacker makes a copy of a valid access badge in order to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials.

46
Q

A penetration tester waits in the target organization’s parking lot early in the morning until she sees an employee heading toward the front door. She walks up behind the employee while clumsily carrying several large boxes. She asks the employee to hold the door for her and is able to enter the facility. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

A.Piggybacking

Explanation:
Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person’s knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.

47
Q

A penetration tester observes that many employees of the target organization congregate outside the back door of the facility at 10 a.m. and 2 p.m. to smoke cigarettes. The next day, the tester joins the group and pretends to smoke with them. When the group finishes smoking, the tester walks through the back door behind the group. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

A.Piggybacking

Explanation:
Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

48
Q

A target organization’s facility is surrounded by a tall chain-link fence topped with barbed wire. A penetration tester observes that a remote section of the fence is overgrown with shrubbery. Late at night, she uses bolt cutters to cut a slit in the fence that she can slip through at a later time. What is this technique called?

A.Egress sensor bypass
B.Lock bypass
C.Badge cloning
D.Fence jumping

A

D.Fence jumping

Explanation:
Fence jumping occurs when an unauthorized person simply jumps over or cuts through a physical barrier designed to control access. In this scenario, the tester penetrated the physical fence barrier by cutting a hole in it.

49
Q

A penetration tester observes that the target organization’s garbage is picked up early in the morning every Tuesday. Late Monday night, she climbs into the organization’s garbage receptacle and gathers discarded documents, optical discs, and storage devices such as flash drives. What kind of exploit occurred in this scenario?

A.Dumpster diving
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

A

A.Dumpster diving

Explanation:
Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

50
Q

What tools are required, at a minimum, to pick a lock? (Choose two.)

A.A diagram of the inner locking mechanism
B.A can of spray lubricant
C.A tension wrench
D.A lock pick tool

A

C.A tension wrench
D.A lock pick tool

Explanation:
At a minimum, you need a tension wrench and a lock pick tool to pick a lock. The tension wrench is used to apply rotational pressure to the lock (in the unlock direction). The lock pick tool is used to release each of the pins within the lock.

51
Q

A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization’s facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a small wooden wedge into the door jamb, preventing the door from closing completely. This allows her to return into the room later without authorization. What is this technique called?

A.Lock picking
B.Lock bypass
C.Fence jumping
D.Badge cloning

A

B.Lock bypass

Explanation:
Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. In this example, this was done by placing a wooden wedge in the door jamb, preventing the door from closing completely and preventing the locking mechanism from engaging.

52
Q

Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization?

A.Emergency fail open
B.Automatic locking
C.Automatic unlocking via motion sensor for egress
D.Automatic unlocking via light sensor for egress

A

A.Emergency fail open

Explanation:
Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, the doors must automatically unlock to avoid trapping people inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.

53
Q

A penetration tester rummages through the target organization’s garbage and finds a discarded access badge. She replicates a new badge with her picture using the discarded badge as a model. She uses a device to read the discarded badge’s magnetic stripe and replicate it on the fake badge. Which techniques were used by the tester in this scenario? (Choose two.)

A.Lock picking
B.Dumpster diving
C.Fence jumping
D.Badge cloning
E.Lock bypass

A

B.Dumpster diving
D.Badge cloning

Explanation:
In this scenario, dumpster diving was used to find the discarded access badge. Then badge cloning was used to create a fake badge.

54
Q

Using reconnaissance, a penetration tester learns that the target organization’s employees use RFID access badges to unlock doors within the facility. Using the company’s website, he identifies high-level employees within the organization. Then he waits in the parking lot until he sees one of these individuals heading toward the front doors. He walks behind them into the reception area with a small RFID reader hidden in his coat. He captures the RFID signature from the individual’s badge and then creates his own fake access badge and encodes it with that RFID signature. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

A

D.Badge cloning

Explanation:
Badge cloning occurs when an attacker makes a copy of a valid access badge to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials. Because he carefully selected a high-level employee’s badge for cloning, he may be able to access more sensitive areas of the facility.

55
Q

A penetration tester is performing a gray box test for a client. During a network scan, she notices a host that has TCP port 139 open. She suspects this is a Windows system, so she runs the NBTSTAT command and discovers key information about the host. Which protocol on the remote host allowed the tester to gather this information?

A.NetBIOS
B.SNMP
C.NAC
D.SMTP

A

A.NetBIOS

Explanation:
NetBIOS is a transport protocol used by Windows systems to share resources, such as shared folders or printers. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device’s computer name and identify whether it is a workstation or a server. All of this information can be gathered without any kind of authentication.

56
Q

During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows:

Name           Type      Host Address   Life [sec]
--------------------------------------------------
DEV-1    <20>  UNIQUE    10.0.0.3       517

What do you know about the DEV-1 host?

A.It is a server.
B.It is a workstation.
C.It is a router.
D.It is a wireless device.

A

A.It is a server.

Explanation:
NBTSTAT identifies NetBIOS servers with an ID of <20>. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service).

57
Q

During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows:

Name           Type      Host Address   Life [sec]
--------------------------------------------------
PROD-9   <00>  UNIQUE    10.0.0.132     517

What do you know about the PROD-9 host?

A.It is a server.
B.It is a workstation.
C.It is a router.
D.It is a wireless device.

A

B.It is a workstation.

Explanation:
NBTSTAT identifies NetBIOS workstations with an ID of <00>. Based on this output, you know that PROD-9 is most likely a Windows workstation (or a Linux workstation running the Samba service).

58
Q

Which of the following are true of the Link-Local Multicast Name Resolution (LLMNR) protocol? (Choose two.)

A.It is commonly used in the absence of a DNS server.
B.It is not supported by Linux hosts.
C.It is not supported by Windows hosts.
D.It is used only by routers, not by workstations or servers.
E.It allows the IPv6 host to resolve hostnames on the same local link.

A

A.It is commonly used in the absence of a DNS server.
E.It allows the IPv6 host to resolve hostnames on the same local link.

Explanation:
The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts.

59
Q

Which of the following describe the security risks associated with using the LLMNR protocol? (Choose two.)

A.Data is transmitted as clear text.
B.It lacks security controls.
C.A malicious host can advertise itself as any host it wants to.
D.It can be used to facilitate a DDoS attack.
E.It creates excessive network traffic.

A

B.It lacks security controls.
C.A malicious host can advertise itself as any host it wants to.

Explanation:
The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.

60
Q

What are the functions of the Server Message Block (SMB) protocol? (Choose two.)

A.To share files on the network
B.To transfer email messages between mail transfer agents (MTAs)
C.To share printers on the network
D.To map IP addresses to MAC addresses
E.To transfer email messages to a mail user agent (MUA)

A

A.To share files on the network
C.To share printers on the network

Explanation:
The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.

61
Q

Which of the following exploits are facilitated by weaknesses in the SMB protocol? (Choose two.)

A.Distributed denial of service (DDoS)
B.Fraggle
C.Teardrop
D.EternalBlue
E.WannaCry

A

D.EternalBlue
E.WannaCry

Explanation:
The EternalBlue and WannaCry exploits are facilitated by weaknesses in the SMB protocol. The EternalBlue exploit takes advantage of the fact that SMBv1 mishandles specially crafted packets, allowing attackers to remotely execute malicious code on the system running the SMB protocol. WannaCry is a form of ransomware that uses EternalBlue to gain access to vulnerable systems and install itself.

62
Q

Which ports are used by the SMB protocol? (Choose two.)

A.53
B.80
C.139
D.443
E.445

A

C.139
E.445

Explanation:
The SMB protocol uses TCP ports 139 and 445. A system with these two ports open is most likely a Windows host running SMB or a Linux host running Samba (which is an open source implementation of the SMB service).

63
Q

Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.)

A.The community string is valid for every SNMPv1 node.
B.The community string is transmitted as clear text.
C.The community string uses the weak RC2 cipher.
D.No authentication is required to communicate with an SNMPv1 host.
E.The Management Information Base (MIB) is stored in unencrypted format.

A

A.The community string is valid for every SNMPv1 node.
B.The community string is transmitted as clear text.

Explanation:
The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string is used, it is easy to discover because it is transmitted as clear text on the network.

64
Q

Which port is used by the SNMP protocol?

A.UDP 161
B.TCP 23
C.TCP 389
D.UDP 88

A

A.UDP 161

Explanation:
The SNMP protocol runs on UDP port 161.

65
Q

What is the function of the Simple Mail Transfer Protocol (SMTP)?

A.To share files on the network
B.To transfer email messages between mail transfer agents (MTAs)
C.To map IP addresses to MAC addresses
D.To transfer email messages to a mail user agent (MUA)

A

B.To transfer email messages between mail transfer agents (MTAs)

Explanation:
The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).

66
Q

During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called?

A.Distributed denial of service
B.SMTP relay
C.Fraggle
D.Teardrop

A

B.SMTP relay

Explanation:
Leveraging an open SMTP service to send unauthorized email messages is called SMTP relay. Most new systems have provisions in place to prevent this from happening, but many older server systems do not.

67
Q

During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send whaling emails to the organization’s CEO and CFO. How can you do this remotely from your laptop?

A.Telnet to the SMTP server’s IP address on port 25 and create the messages.
B.Use physical security exploits to gain access to the server console where you can create the messages.
C.Use impersonation to trick the server administrator into revealing its Remote Desktop password.
D.None of the above.

A

A.Telnet to the SMTP server’s IP address on port 25 and create the messages.

Explanation:
One way to leverage an open SMTP service to send unauthorized email messages is to connect to the SMTP server’s IP address on port 25 using a Telnet client. Once the connection has been established, you can use the command-line interface to create and send the messages.

68
Q

Which ports are used by an FTP server? (Choose two.)

A.20
B.21
C.22
D.23
E.25

A

A.20
B.21

Explanation:
By default, an FTP server uses two ports: 20 and 21. Port 20 is used to transfer data between the FTP server and the FTP client. Port 21 is used to send commands between the FTP client and the FTP server.

69
Q

While performing a black box penetration test, you identify a significant amount of FTP data being transferred between an unknown internal host on the target network and hosts on the Internet on ports 20 and 21. How could you exploit this traffic to gain access to systems on the target network?

A.Conduct a distributed denial-of-service (DDoS) attack.
B.Conduct a land attack.
C.Capture the FTP traffic with a sniffer.
D.Use anonymous FTP access to upload a keylogger to the FTP server.

A

C.Capture the FTP traffic with a sniffer.

Explanation:
One of the key weaknesses with the FTP protocol is the fact that it transmits all data between the FTP server and the FTP client as clear text, including authentication credentials. By sniffing the FTP traffic, you may be able to capture FTP usernames and passwords. Some FTP server implementations leverage existing network user accounts and passwords to authenticate FTP connections. So, by capturing FTP authentication credentials, you could potentially be capturing internal network user accounts and passwords too.

70
Q

You are conducting a gray box penetration test. You want to capture C-level executives’ authentication credentials. To accomplish this, you set up a fake internal web server that looks exactly like the web server used to manage employee time-off and reimbursement requests. You inject a fake DNS record into the organization’s DNS server that redirects traffic from the real server to your fake server. What is this exploit called?

A.DNS poisoning
B.ARP poisoning
C.Phishing
D.Whaling

A

A.DNS poisoning

Explanation:
This is an example of DNS poisoning. This exploit leverages the trust users have in a URL that appears to be valid. Because users enter a valid URL, they have no idea that an exploit is being conducted. However, the DNS server itself has been reconfigured to resolve the domain name in the URL to the IP address of the malicious server.

71
Q

Which of the following is a mechanism that can be used to defend against DNS poisoning attacks?

A.Implement DNSSEC.
B.Close port 53 in the DNS server’s host firewall.
C.Disable ICMP forwarding in your router configuration.
D.Use SSH for DNS queries.

A

A.Implement DNSSEC.

Explanation:
One way to defend against DNS poisoning is to implement DNSSEC. DNSSEC signs each DNS request with a digital signature to ensure authenticity. This makes it difficult to insert poisoned records.

72
Q

A penetration tester is conducting a gray box penetration test. She crafts a Trojan horse exploit that flushes the DNS cache on the local workstation and replaces it with malicious name resolution entries that point to a fake web server. When clients within the organization try to resolve hostnames, the malicious entries from the local DNS cache are used. What is this exploit called?

A.DNS poisoning
B.ARP poisoning
C.DNS cache poisoning
D.Man-in-the-middle

A

C.DNS cache poisoning

Explanation:
This is an example of DNS cache poisoning. Instead of compromising a heavily protected DNS server, the penetration tester simply compromises the DNS cache on relatively less secure workstations. The net effect is the same. Malware is a common delivery vehicle for DNS cache poisoning exploits.

73
Q

A penetration tester is conducting a gray box penetration test. She notices that one of the branch offices of the organization uses a caching-only DNS server to handle name resolution requests. She sends a bogus reply to a name resolution request from the caching-only DNS server, using a spoofed source address in the reply packets. The bogus name resolution records point users to a fake web server that is used to harvest authentication credentials. What is this exploit called?

A.DNS poisoning
B.ARP poisoning
C.DNS cache poisoning
D.Man-in-the-middle

A

C.DNS cache poisoning

Explanation:
This is also an example of DNS cache poisoning. Instead of poisoning the local DNS cache on workstations, the cache of the caching-only DNS server has been poisoned in this scenario. The poisoned records will remain in the cache until the TTL value is reached.

74
Q

While performing a gray-box penetration test, the tester discovers that several Linux workstations in the network have not been joined to the organization’s Active Directory domain, even though they have the Samba service installed. To access shared folders on Windows servers, these workstations use NT LAN Manager (NTLM) connections. The tester captures hashed user credentials as they are passed between workstations and servers and then reuses them later to establish new authenticated sessions with the file servers. What is this exploit called?

A.ARP poisoning
B.Fraggle attack
C.NAC bypass
D.Pass the hash

A

D.Pass the hash

Explanation:
This is an example of a pass-the-hash exploit. In this exploit, the tester captures hashed NTLM user credentials and then reuses them to authenticate at a later point in time to a Windows system. Because NTLM authentication uses hashed credentials, the tester doesn’t need to know the victim’s actual username and password. The hashed credentials are sufficient to create a new authenticated session.

75
Q

During a gray box penetration test, the tester sends a fake ARP broadcast message on the local network segment. As a result, her laptop’s MAC address is now mapped to the IP address of another valid computer on the segment.
What is this exploit called?

A.DNS cache poisoning
B.ARP spoofing
C.Pass the hash
D.Replay attack

A

B.ARP spoofing

Explanation:
This is an example of ARP spoofing. In this exploit, the tester sends a fake ARP broadcast on the network segment that maps the IP address of a legitimate network host to her MAC address. As a result, all traffic addressed to the legitimate host gets redirected to the tester’s system.

76
Q

An ARP spoofing attack is categorized as which type of exploit?

A.Denial of service (DoS)
B.Man-in-the-middle
C.Distributed denial of service (DDoS)
D.VLAN hopping

A

B.Man-in-the-middle

Explanation:
An ARP spoofing attack is classified as a man-in-the-middle attack.

77
Q

During a black box penetration test, the tester parks in the target organization’s parking lot and captures wireless network signals emanating from the building with his laptop. By doing this, he is able to capture the handshake process used by an authorized wireless client as it connects to the network. He later resends this handshake on the wireless network, allowing his laptop to connect to the wireless network as that authorized client. What kind of exploit is this?

A.DNS cache poisoning
B.ARP spoofing
C.Pass the hash
D.Replay attack

A

D.Replay attack

Explanation:
This is an example of a replay attack. The tester captures valid handshake data from the wireless network and then replays it later to authenticate his laptop to the wireless network.

78
Q

A replay attack is commonly categorized as which type of exploit?

A.Denial of service (DoS)
B.NAC bypass
C.Distributed denial of service (DDoS)
D.Man-in-the-middle

A

D.Man-in-the-middle

Explanation:
A replay attack is also classified as a man-in-the-middle attack.

79
Q

During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester’s workstation poses as the server to the client. The tester is able to modify the data in the packets and then send it on to the server. The tester’s workstation poses as the client to the server. What kind of exploit is this?

A.Relay attack
B.DNS cache spoofing
C.Pass the hash
D.Replay attack

A

A.Relay attack

Explanation:
This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.

80
Q

During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester’s workstation poses as the server to the client. The tester views the data in the packets but does not modify it before forwarding the data on to the server. What kind of exploit is this?

A.Relay attack
B.DNS cache spoofing
C.Pass the hash
D.Replay attack

A

A.Relay attack

Explanation:
This is also an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts.

81
Q

Which type of exploit fools a web server into presenting a user’s web browser with an HTTP connection instead of an HTTPS connection as the user originally requested?

A.SSL stripping
B.Relay attack
C.NAC bypass
D.Cross-site scripting

A

A.SSL stripping

Explanation:
In an SSL stripping attack, a user sends an HTTPS request to a web server. This is done to ensure that communications between the server and the browser are encrypted. However, the exploit fools the web server into thinking the user wants a standard HTTP connection, and an unencrypted session is established. Unless the user is watching carefully, the user may not realize that this has happened.

82
Q

What is the best way to defend against an SSL stripping attack?

A.Update the virus definitions on users’ workstations.
B.Implement a network intrusion detection (NID) device.
C.Implement a strict HSTS policy that prevents a user’s browser from opening a page unless an HTTPS connection has been used.
D.Reconfigure all browsers to require TLS sessions.

A

C.Implement a strict HSTS policy that prevents a user’s browser from opening a page unless an HTTPS connection has been used.

Explanation:
The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user’s browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.

83
Q

During a gray box penetration test, the tester acts as a man-in-the-middle between a web server and an end user’s workstation. When the user’s browser requests a page from the web server using TLS 1.2, the tester alters the request and specifies that SSL 2.0 be used instead to protect the session. What kind of exploit has occurred in this scenario?

A.SSL stripping
B.Downgrade
C.NAC bypass
D.Replay attack

A

B.Downgrade

Explanation:
In this example, a downgrade man-in-the-middle attack has occurred because SSL 2.0 is less secure than TLS 1.2. Unless the user is exceptionally vigilant, they will likely not notice that SSL is being used to protect the session instead of TLS.

84
Q

During a gray box penetration test, the tester wants to implement a downgrade man-in-the-middle attack to reduce the security of web browser sessions from TLS to SSL. What exploit can the attacker use to trick client workstations into thinking her workstation is the web server and vice versa?

A.ARP spoofing
B.Replay attack
C.Pass the Hash
D.SYN attack

A

A.ARP spoofing

Explanation:
By sending fake ARP messages, the tester’s workstation can fool client workstations into thinking it is the web server by associating the server’s IP address with her workstation’s MAC address. Likewise, the server can be fooled into thinking her workstation is the end user’s workstation by doing the same thing, sending a fake ARP message to the server mapping the client’s IP address to her workstation’s MAC address.

85
Q

During a gray box penetration test, the tester decides to stress test the target organization’s file server by sending it a flood of half-open TCP connections that never actually get completed. What kind of exploit is this?

A.Denial of service (DoS)
B.Distributed denial of service (DDoS)
C.Replay attack
D.NAC bypass

A

A.Denial of service (DoS)

Explanation:
By flooding the server with half-open TCP connections that never get completed, the tester ensures that it doesn’t have enough resources to service legitimate network requests. Because only one host was used to conduct the stress test, this is an example of a standard denial-of-service (DoS) attack.

86
Q

During a gray box penetration test, the tester decides to stress test a critical network router. She sends thousands of ping requests addressed to all of the hosts on the subnet. However, she spoofs the source address of the requests to the IP address of the network router. As a result, the router is flooded with ICMP echo response traffic that it didn’t initiate, making it difficult for it to respond to legitimate network requests. What kind of exploit is this?

A.Denial of service (DoS)
B.Distributed denial of service (DDoS)
C.Replay attack
D.NAC bypass

A

B.Distributed denial of service (DDoS)

Explanation:
By sending echo requests to the subnet’s broadcast address with a spoofed source, the tester turns every host on the subnet into an unwitting reflector: each one sends its ICMP echo reply to the router, which is flooded with traffic it never requested and struggles to service legitimate network requests. This reflection technique is known as a Smurf attack. Because many hosts end up generating the flood, it is classified as a distributed denial-of-service (DDoS) attack rather than a simple DoS, even though a single tester started it. Routers defeat it by not forwarding directed broadcasts (no ip directed-broadcast on Cisco IOS, the default in current releases).

87
Q

Which of the following prevents unauthorized or unhealthy devices from connecting to a network, even if they connect to the wired or wireless network properly?

A.Network Access Control (NAC)
B.WPA2-PSK
C.Virtual LANs (VLANs)
D.Spanning Tree Protocol (STP)

A

A.Network Access Control (NAC)

Explanation:
Network access control (NAC) systems require network hosts to meet security policy requirements before being allowed to access the network, even if they have properly been connected to a network jack or associated with an access point. Unauthorized or unhealthy devices are usually placed on an isolated remediation network until they are authorized or until they are brought into compliance. After doing so, they are allowed to connect to the actual network segment.

88
Q

During a gray box penetration test, you try to connect your laptop to the target’s wireless network. However, the target has implemented a NAC that is blocking your laptop from connecting to the production network. What can you do?

A.Run a brute-force decryption attack to defeat the IPSec encryption that protects the production network.
B.Spoof your laptop with the MAC address of an authorized device.
C.Plug your laptop into a wired jack.
D.Create an evil twin access point.

A

B.Spoof your laptop with the MAC address of an authorized device.

Explanation:
One way to conduct a NAC bypass is to give the tester’s system the MAC address of a device that has already been authorized. This works against NAC deployments that identify devices by MAC address (for example, a MAC-authentication whitelist for printers or phones), because the switch or controller has no way to tell the cloned address from the original. It does not defeat 802.1X with per-device certificates, and where a posture agent is enforced the tester’s system must still meet the organization’s security policy requirements before the NAC system admits it to the production network.

89
Q

Which types of network devices are commonly whitelisted in many NAC implementations? (Choose two.)

A.Laptops 
B.Desktops 
C.Servers 
D.VOIP phones
E.SCADA Devices
A

D.VOIP phones
E.SCADA Devices

Explanation:
VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can’t install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.

90
Q

Which method is commonly used to hop between VLANs?

A.Double-tagging
B.Brute-force attacks
C.MAC address spoofing
D.DNS poisoning

A

A.Double-tagging

Explanation:
Double-tagging abuses the way 802.1Q trunks carry the native VLAN untagged. The tester sends a frame carrying two 802.1Q tags: the outer tag matches the trunk’s native VLAN (the VLAN the tester’s access port is in), and the inner tag names the VLAN to attack. The first switch strips the outer tag and forwards the frame untagged over the trunk, leaving the inner tag exposed; the second switch reads that tag and delivers the frame into the target VLAN. This lets a host “hop” between VLANs, but in one direction only (replies are not routed back to the tester). The attack fails when the native VLAN is an unused VLAN with no hosts or when the native VLAN is tagged on the trunk (vlan dot1q tag native on Cisco switches).
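To make the tag-stripping step concrete, here is an added Python example (not from the book) that builds the attacker’s double-tagged frame byte for byte and models the two switches: the first strips the outer tag when it equals the trunk’s native VLAN, the second delivers the frame by whatever tag is left. The MAC addresses, VLAN numbers and payload are constructed; the frame layout (TPID 0x8100, 12-bit VID in the TCI) is the 802.1Q one.

```python
import struct

TPID_8021Q = 0x8100

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=0x0800):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload

def read_tags(frame):
    """Return the VLAN IDs in the order they appear (outermost first)."""
    offset, vids = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids

def strip_outer_tag(frame):
    return frame[:12] + frame[16:]

def access_port_to_trunk(frame, access_vlan, trunk_native_vlan):
    """Model the first switch: a frame enters an access port in access_vlan and
    leaves on a trunk whose native VLAN is trunk_native_vlan. Returns the frame
    as it appears on the trunk, or None if the switch drops it."""
    vids = read_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None                      # tagged for some other VLAN: dropped
        in_vlan = frame                      # already tagged with the port's own VLAN
    else:
        in_vlan = frame[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + frame[12:]
    if access_vlan == trunk_native_vlan:
        return strip_outer_tag(in_vlan)      # native VLAN rides the trunk untagged
    return in_vlan

def trunk_to_vlan(frame, trunk_native_vlan):
    """Model the second switch: the VLAN it delivers a frame arriving on the trunk to."""
    vids = read_tags(frame)
    return vids[0] if vids else trunk_native_vlan

# Constructed attacker frame: outer tag = native VLAN 1, inner tag = target VLAN 20.
ATTACK_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", [1, 20], b"\x00" * 20)

if __name__ == "__main__":
    hop = access_port_to_trunk(ATTACK_FRAME, access_vlan=1, trunk_native_vlan=1)
    print("vulnerable: delivered to VLAN", trunk_to_vlan(hop, 1))
    safe = access_port_to_trunk(ATTACK_FRAME, access_vlan=1, trunk_native_vlan=999)
    print("hardened:   delivered to VLAN", trunk_to_vlan(safe, 999))
```

With the access port and the trunk’s native VLAN both at 1, the frame leaves the trunk carrying only the inner tag and lands in VLAN 20. Moving the native VLAN to an unused ID (999 here) keeps both tags on the frame, and the second switch delivers it into VLAN 1 where it started.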

91
Q

You are performing a gray box penetration test. To capture information from multiple VLANs, you have configured the network board in your computer to emulate a trunk port on a network switch. Your goal is to get the real switch to forward traffic from all VLANs to your device. What is this exploit called?

A.MAC address spoofing
B.Double-tagging
C.Switch spoofing
D.Evil twin

A

C.Switch spoofing

Explanation:
This is an example of a switch spoofing exploit, which is used for VLAN hopping. The tester’s network board is reconfigured to behave like a trunk port on a network switch, typically by sending Dynamic Trunking Protocol (DTP) negotiation frames. If the real switch’s port has been left in its default dynamic mode, it negotiates a trunk with the tester’s device and starts forwarding traffic from all VLANs to it. Hard-coding user-facing ports as access ports (switchport mode access) and disabling DTP on them (switchport nonegotiate) prevents the exploit.

92
Q

Which wireless exploit uses a special wireless device to listen for SSID requests from other wireless devices and then impersonate the requested access point?

A.Karma attack
B.Deauth attack
C.Downgrade attack
D.Rogue access point

A

A.Karma attack

Explanation:
In a Karma attack, the tester uses a special wireless device to listen for probe requests (the frames client devices broadcast naming the SSIDs they are looking for) and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims’ traffic to the Internet, so everything seems normal. This allows the tester to inspect the victims’ traffic and capture sensitive information.

93
Q

You are performing a black box penetration test. You want to perform an evil twin attack to capture wireless user data. Which of the following tasks would you need to complete? (Choose two.)

A.Implement a fragmentation attack.
B.Send deauth frames to deauthenticate wireless clients.
C.Reconnect wireless clients to an access point with the same SSID as the target organization.
D.Use a brute-force attack to break the WPS pin.

A

B.Send deauth frames to deauthenticate wireless clients.
C.Reconnect wireless clients to an access point with the same SSID as the target organization.

Explanation:
In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims’ wireless devices from the real network. These devices then automatically reconnect to the tester’s wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin’s radios because most wireless network interfaces will default to the access point with the strongest signal.

94
Q

Which wireless encryption key cracking exploit involves extracting a small amount of keying material from captured wireless packets and then sending ARP frames to the access point?

A.Repeating attack
B.Downgrade attack
C.Deauth attack
D.Fragmentation attack

A

D.Fragmentation attack

Explanation:
The fragmentation attack is a WEP attack. A small amount of keystream is recovered from a captured packet (the first bytes of most frames are a predictable LLC/SNAP header, so XORing them with the ciphertext exposes that part of the keystream). Using it, the tester forges a short ARP packet with known content and sends it to the access point; if the AP echoes it back, a longer run of keystream is recovered from the returned packet. Repeating the process yields enough keystream to forge arbitrary frames, and an ARP-replay flood then generates the initialization vectors needed to recover the WEP key itself with a tool such as aircrack-ng.

95
Q

Which wireless exploit could be carried out by creating a fake captive portal for a wireless network that captures victims’ usernames and passwords?

A.Repeating attack
B.Credential harvesting
C.Bluesnarfing
D.Jamming attack

A

B.Credential harvesting

Explanation:
In a credential harvesting attack, a fake website that looks like a legitimate website is used to capture victims’ usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims’ information.

96
Q

Which wireless exploit involves using a brute-force attack to crack an eight-digit pin?

A.Fragmentation attack
B.Credential harvesting
C.Bluejacking
D.WPS cracking

A

D.WPS cracking

Explanation:

Many wireless devices use Wi-Fi Protected Setup (WPS) to make joining the wireless network easier. Most WPS implementations share a key weakness: devices are authenticated with a simple eight-digit PIN, and the PIN is far weaker than its length suggests. The eighth digit is a checksum of the other seven, and the registrar verifies the two halves of the PIN separately, telling the client (through the M4 and M6 protocol messages) when a half is wrong. An attacker therefore needs at most 10,000 guesses for the first half and 1,000 for the second, about 11,000 attempts in total rather than 100 million, so the PIN can be brute-forced in hours with a tool such as Reaver and the tester can then connect to the target wireless network. Disabling WPS is the fix; lockout after failed attempts only slows the attack down.
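The arithmetic behind the 11,000 figure is worth seeing in code. This added Python example (not from the book) implements the WPS PIN checksum as the specification defines it, validates PINs with it, and enumerates the candidates an attacker actually has to try once the protocol has confirmed the first half.

```python
def wps_checksum_digit(first_seven):
    """Eighth digit of a WPS PIN: chosen so that 3 * (sum of digits at odd positions)
    + (sum of digits at even positions), counted from the right, is a multiple of 10."""
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin):
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])

def first_half_candidates():
    """The 10,000 four-digit first halves; the registrar's M4 response reveals when one is right."""
    return [f"{i:04d}" for i in range(10_000)]

def second_half_candidates(first_half):
    """Once the first half is known, only 1,000 PINs remain: three free digits plus
    the checksum digit, which is fixed by the other seven."""
    pins = []
    for j in range(1_000):
        seven = first_half + f"{j:03d}"
        pins.append(seven + str(wps_checksum_digit(int(seven))))
    return pins

def worst_case_attempts():
    """Guesses needed when each half is confirmed independently: 10**4 + 10**3."""
    return len(first_half_candidates()) + len(second_half_candidates("0000"))

if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))   # a well-known default PIN
    print("worst case:", worst_case_attempts())
```

A PIN that does not satisfy the checksum is rejected before any radio exchange, so the tool never wastes an attempt on it; that is why the second half costs 1,000 tries rather than 10,000.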

97
Q

Which wireless exploit involves sending unsolicited messages over a Bluetooth connection to a wireless device?

A.Deauth attack
B.Bluesnarfing
C.Bluejacking
D.WPS Cracking

A

C.Bluejacking

Explanation:
In a bluejacking wireless exploit, unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone.

98
Q

Which wireless exploit involves creating an unauthorized connection with a Bluetooth device, such as a mobile phone, and stealing information from it?

A.Deauth attack
B.Bluesnarfing
C.Bluejacking
D.WPS cracking

A

B.Bluesnarfing

Explanation:
In a bluesnarfing wireless exploit, an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.

99
Q

A penetration tester learns that the target organization’s employees use RFID access badges to unlock doors within the facility. She identifies a restaurant where employees of the organization commonly gather for lunch. The next day, she sits at a table near a group of employees in the restaurant with a small, hidden RFID reader. She captures the RFID signature from the employees’ badges and then creates fake access badges using the RFID signatures. What is this technique called?

A.WPS cracking
B.Credential harvesting
C.Jamming
D.RFID cloning

A

D.RFID cloning

Explanation:
In RFID cloning, the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.

100
Q

Which wireless exploit is more of a stress test designed to prevent users from being able to use a wireless network?

A.Karma attack
B.Deauth attack
C.Downgrade attack
D.Jamming attack

A

D.Jamming attack

Explanation:
In a jamming attack, the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.

101
Q

A penetration tester impersonates a vending machine repair person to gain access to the target organization’s facility. While inside, the tester hides a wireless device behind a vending machine that captures the organization’s wireless network radio signal and rebroadcasts it with high gain towards the parking lot. Which wireless exploit did the tester employ in this scenario?

A.Karma attack
B.Repeating attack
C.Downgrade attack
D.Jamming attack

A

B.Repeating attack

Explanation:
In a repeating attack, the penetration tester captures the target organization’s wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization’s wireless network can now be accessed by the penetration tester from the parking lot.

102
Q

A penetration tester is searching for vulnerabilities within a web application used by the target organization. In the login page, she enters the following string of text in the Password field:

UNION SELECT Username, Password FROM Users;

What type of exploit is being used in this example?

A.SQL injection
B.HTML injection
C.Command injection
D.Code injection

A

A.SQL injection

Explanation:
This is an example of a SQL injection attack. Instead of entering a password into the Password field, the tester inserts a SQL statement. If the web application concatenates the field’s contents into its query, the database executes it, and the UNION SELECT appends every username and password in the Users table to the result of the application’s original query. The UNION SELECT statement combines two unrelated SELECT queries (with the same number of columns) to retrieve data from different database tables. A well-written application keeps data separate from code by using parameterized queries (prepared statements), with input validation as a second layer of defence rather than the only one. The same principle, never letting user input reach an interpreter as code, applies to HTML injection, command injection, and code injection attacks.
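The vulnerable query and its parameterized replacement side by side, as an added Python example that is not from the book. It runs against an in-memory SQLite database with a constructed Users table; the page’s UNION SELECT fragment is completed with a closing quote and a trailing comment so it fits this particular WHERE clause.

```python
import sqlite3

def make_demo_db():
    """In-memory database with a constructed Users table (plaintext passwords only
    so the dump is visible; a real application stores salted password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "Pa55w0rd!")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: whatever is typed into the
    Password field is parsed by the database as SQL."""
    sql = ("SELECT Username, Password FROM Users "
           f"WHERE Username = '{username}' AND Password = '{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so the payload is only ever compared as a string."""
    sql = "SELECT Username, Password FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# The page's payload, completed so it closes the open quote and comments out the
# quote the application appends after it.
PAYLOAD = "' UNION SELECT Username, Password FROM Users --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:    ", login_vulnerable(db, "nobody", PAYLOAD))
    print("parameterized: ", login_parameterized(db, "nobody", PAYLOAD))
```

The vulnerable function returns every row of Users for a user that does not exist; the parameterized one returns nothing, because the database compares the literal payload string against the Password column and finds no match.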

103
Q

A penetration tester reviews social media accounts owned by the target organization’s CIO and makes a list of possible passwords such as her spouse’s name, pet’s name, favorite sports teams, and so on. The tester tries to log on to the CIO’s account using one possible password after another, trying to find one that works. What type of authentication exploit is this?

A.Credential brute-forcing
B.Session hijacking
C.Redirect attack
D.Password cracking

A

A.Credential brute-forcing

Explanation:
This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user’s personal interests, the probability of success is greatly increased.

104
Q

During a gray box penetration test, the tester uses Wireshark to sniff the network traffic between an employee’s web browser and a website and is able to capture the session cookie. The tester is then able to impersonate the victim without capturing the user’s actual authentication credentials. What type of authentication exploit was used in this scenario?

A.Kerberos exploit
B.Session hijacking
C.Redirect attack
D.Password cracking

A

B.Session hijacking

Explanation:
This is an example of session hijacking. The tester reused the session identifier (the cookie) to take over the user’s authenticated session without ever learning the password. The exploit applies to web applications that maintain a session with an HTTP cookie. Even when the site used TLS/SSL to protect the login itself, a session cookie set without the Secure attribute is also sent on any plain HTTP request to the same domain (an embedded image, a redirect, an http:// link), where a sniffer can capture it. Serving the whole site over HTTPS and setting the Secure and HttpOnly attributes on the cookie prevents this capture.

105
Q

During a gray box penetration test, the tester uses phishing emails to send users to a logon page that looks like the target organization’s human resources self-service page. The fake page is used to capture employees’ credentials. What type of authentication exploit was used in this scenario?

A.Kerberos exploit
B.Session hijacking
C.Redirect attack
D.Credential brute forcing

A

C.Redirect attack

Explanation:
This is an example of a redirect attack because users are redirected to a fake website by the phishing emails.

106
Q

During a black box penetration test, the tester discovers that the organization’s wireless access point has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the access point. What kind of authentication exploit occurred in this scenario?

A.Weak credentials exploit
B.Redirect attack
C.Default credentials attack
D.Credential brute-forcing

A

C.Default credentials attack

Explanation:
This is an example of a default credentials attack. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These defaults are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

107
Q

The network administrator for an organization that is the target of a penetration test configured her network firewall with an administrative username of admin and a password of password. Which authentication exploit is this device vulnerable to?

A.Weak credentials exploit
B.Redirect attack
C.Session hijacking
D.Kerberos exploit

A

A.Weak credentials exploit

Explanation:
This device is vulnerable to a weak credentials exploit because the administrative username and password are easy to guess.

108
Q

During a gray box penetration test, the tester is able to run an exploit that enables her to receive a ticket-granting ticket (TGT) from the key distribution center (KDC) in the organization’s Active Directory domain. What kind of authentication exploit occurred in this scenario?

A.Credential brute-forcing exploit
B.Redirect attack
C.Session hijacking
D.Kerberos exploit

A

D.Kerberos exploit

Explanation:
This is an example of a Kerberos exploit. Holding a ticket-granting ticket (TGT) allows the tester to request ticket-granting service (TGS) tickets, which grant access to specific network services. A forged TGT, created with the password hash of the domain’s krbtgt account, is called a golden ticket because it can be used to obtain service tickets for any service as any user. A forged TGS ticket, created with the password hash of the account that runs a service, is called a silver ticket because it can be used only to access that specific service.

109
Q

Which authorization exploits modify a parameter in an HTTP request to gain unauthorized access to information? (Choose two.)

A.Parameter pollution 
B.Insecure direct object reference exploit 
C.Cross-site scripting attack 
D.Cross-site request forgery 
E.Redirect attack
A

A.Parameter pollution
B.Insecure direct object reference exploit

Explanation:
In both a parameter pollution exploit and an insecure direct object reference (IDOR) exploit, the penetration tester modifies a parameter in an HTTP request to gain unauthorized access to information. In an IDOR, after authenticating to a web application the tester changes a parameter that directly names a record, for example the invoice number in /invoice?id=1001 to 1002, and the application returns another user’s record because it never checks that the logged-in account owns it. In parameter pollution, the tester supplies the same parameter more than once (/search?user=self&user=admin); different web servers and frameworks keep the first value, the last value, or all of them, so a check performed on one copy can be bypassed by the copy the back end actually uses.

110
Q

Which form of a cross-site scripting (XSS) attack leverages an older, vulnerable web browser being run locally on the victim’s computer?

A/Stored/persistent
B.Clickjacking
C.Reflected
D.Document Object Model (DOM)

A

D.Document Object Model (DOM)

Explanation:
In a DOM XSS exploit, the attacker exploits weaknesses in how the page’s own JavaScript handles untrusted input inside the victim’s web browser: script on the page writes attacker-controlled data (for example, part of the URL fragment) into the Document Object Model without encoding it, and the browser executes it. The payload never reaches the server, so server-side filtering cannot catch it, and outdated browsers lacking modern protections are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.

111
Q

Which forms of a cross-site scripting (XSS) attack are considered to be a server-side exploits? (Choose two.)

A.Stored/persistent 
B.Reflected 
C.Document Object Model (DOM) 
D.Clickjacking 
E.Directory traversal
A

A.Stored/persistent
B.Reflected

Explanation:
Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the server delivers the malicious script in the page it sends. In stored XSS the script is saved on the server (in a comment, profile, or message) and served to every user who views that content; in reflected XSS the server echoes the script from the attacker’s request, typically a crafted link, back in its response. In either case the script runs when the user views the page, allowing the attacker to capture information or perform other actions.

112
Q

During a gray box penetration test, the tester notices that the organization’s human resources self-service web application uses Active Directory user accounts for authentication. It also includes a “Remember me” option on the login page. The tester sends an email message to high-level employees within the organization with the subject line “Check out this funny picture.” When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user’s password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this?

A.Cross-site scripting (XSS)
B.Cross-site request forgery (CSRF)
C.Clickjacking
D.Credential brute forcing

A

B.Cross-site request forgery (CSRF)

Explanation:
This is an example of a cross-site request forgery (CSRF). Because the session cookie from the website was saved locally, the user is perpetually logged on to the site, and the browser attaches that cookie to the request no matter which page triggered it. Therefore, the HTTP request to change the user’s password contained in the email message didn’t require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee. Applications defend against CSRF with an unpredictable per-session anti-CSRF token in every state-changing request, by requiring the current password for a password change, and by setting the SameSite attribute on the session cookie.

113
Q

Which authentication exploit utilizes transparent layers within the same web page to trick a user into clicking a button or link when they thought they were just clicking the top-level layer of the page?

A.File inclusion
B.Cross-site request forgery (CSRF)
C.Clickjacking
D.Cookie manipulation

A

C.Clickjacking

Explanation:
In a clickjacking exploit, the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).

114
Q

Which security misconfiguration on a web server would allow an end user accessing the site with a web browser to navigate through the web server’s file system?

A.Directory traversal
B.Cookie manipulation
C.File inclusion
D.Weak credentials

A

A.Directory traversal

Explanation:
If directory traversal is possible, a user can include ../ sequences (or their URL-encoded forms such as %2e%2e%2f) in a request path and read files outside the web server’s document root, for example ../../../../etc/passwd. The misconfiguration is a server or application that builds file paths from user input without canonicalizing them and checking that the result still lies inside the document root. As an additional layer, the Apache web server can be run in a chroot jail so that even a successful traversal cannot reach directories outside of the web server’s directories.
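The difference between a vulnerable and a hardened path check, as an added Python example that is not from the book. The document root /var/www/html is an assumed value. The vulnerable resolver simply joins and normalises; the hardened one decodes once, rejects anything still encoded, strips a leading slash so an absolute path cannot replace the root, and then requires the normalised result to stay under the root.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the example

def resolve_vulnerable(web_root, requested):
    """Joins the request path onto the root and normalises it: '../' climbs out of
    the root, and an absolute request path replaces the root entirely."""
    return posixpath.normpath(posixpath.join(web_root, requested))

def resolve_hardened(web_root, requested):
    """Decode once, drop any leading slash, normalise, then require the result to
    stay inside the root. On a live server also resolve symlinks with
    os.path.realpath, since a link inside the root can point outside it."""
    root = posixpath.normpath(web_root)
    decoded = unquote(requested)
    if "%" in decoded:                      # still encoded after one pass: double encoding
        raise PermissionError("double-encoded path rejected: " + repr(requested))
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("traversal blocked: " + repr(requested))
    return candidate

if __name__ == "__main__":
    for path in ("images/logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print("vulnerable:", resolve_vulnerable(WEB_ROOT, path))
        try:
            print("hardened:  ", resolve_hardened(WEB_ROOT, path))
        except PermissionError as err:
            print("hardened:  ", err)
```

The check is on the normalised result, not on the presence of ../ in the input, so encoded and mixed forms (images/../../secret) are caught the same way. The double-encoding rejection assumes legitimate file names contain no literal percent signs; relax it if yours do.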

115
Q

Which security misconfiguration would allow a script run by the user’s web browser to write data to a client-side cookie?

A.Directory traversal
B.Cookie manipulation
C.Cross-site request forgery (XSRF)
D.Clickjacking

A

B.Cookie manipulation

Explanation:
Cookie manipulation is a client-side weakness in which a script running in the browser can read or write a cookie’s value through document.cookie. It is possible when the cookie was set without the HttpOnly attribute, which tells the browser to hide the cookie from script. An attacker who can run script in the page (through XSS, for instance) can then rewrite a preference or role cookie the application trusts, or read a session cookie and send it elsewhere.
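The cookie attributes behind the session hijacking card (question 104) and the cookie manipulation card above come down to three flags, so one added example serves both. This Python is not from the book; it parses Set-Cookie header values (the cookie names and values are constructed) and reports which attack each missing attribute leaves open, including the SameSite attribute that bears on the CSRF card.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def audit_session_cookie(header_value):
    """Return the weaknesses in a session cookie's attributes and the exploit each enables."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: the browser also sends it over plain HTTP, "
                        "so a sniffer on the path captures it (session hijacking)")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: page scripts can read and rewrite it through "
                        "document.cookie (cookie manipulation, theft via XSS)")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite missing or None: the browser attaches it to requests "
                        "forged from other sites (CSRF)")
    return findings

# Constructed responses; cookie names and values are invented.
WEAK_COOKIE = "SESSIONID=8f3a9c2e1d; Path=/"
HARDENED_COOKIE = "SESSIONID=8f3a9c2e1d; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header)
        for finding in audit_session_cookie(header) or ["no findings"]:
            print("  -", finding)
```

During a test the same check is applied to the Set-Cookie header returned by the login response; a session cookie with any of the three findings is worth a line in the report even when no capture was attempted.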

116
Q

A penetration tester is trying to exploit a web application used by the target organization. He uses a form field in the web application to upload a malicious executable to the web server. Which of the following describe this kind of exploit? (Choose two.)

A.Cookie manipulation 
B.Directory traversal 
C.Local file inclusion 
D.Cross-site scripting (XSS)
E.Remote File Inclusion
A

C.Local file inclusion
E.Remote File Inclusion

Explanation:
File inclusion is an exploit in which the web application is made to include and execute a file containing malicious code. In a local file inclusion (LFI) the file is already on the server, for example a malicious script the tester uploaded through the form field; in a remote file inclusion (RFI) the application is tricked into fetching the file from a website the tester controls. Both arise when a path or filename taken from user input is passed to an include or require call, so this is really a form of injection attack, and just as with any injection attack, input validation on the part of the web application developer (an allowlist of includable files, and never accepting file paths or URLs from users) is the key to preventing it.

117
Q

Which of the following are examples of unsecure coding practices? (Choose Two)

A.Including comments in the source code
B.Checking input fields for properly formatted information
C.Including subroutines for handling error conditions
D.Digitally signing the code
E.Providing verbose error messages

A

A.Including comments in the source code
E.Providing verbose error messages

Explanation:
While commenting an application’s source code is a best practice for programmers, it can also create security vulnerability because it provides an attacker (or penetration tester) who views the source code with extensive information about how the application works. Likewise, providing overly verbose error messages may be a best practice while programming the application, but leaving them in the released application can provide an attacker with valuable information.

118
Q

Which of the following are examples of unsecure coding practices? (Choose Two)

A.Removing comments from the source code before release
B.Checking input fields for properly formatted information
C.Lack of error handling routines
D.Lack of code signing
E.Removing overly verbose error messages

A

C.Lack of error handling routines
D.Lack of code signing

Explanation:
The programmer should be sure to include routines that tell the application what to do should it encounter an error condition, including input that is longer or differently shaped than expected. Many buffer overflow attacks exploit applications that copy more input into a buffer than it was sized to hold because the length is never checked; the program continues on with corrupted memory instead of rejecting the input. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.

119
Q

A web application programmer has included the username and password required to access a database instance within the application’s PHP code. This is an example of which unsecure code practice?

A.Comments in source code
B.Race conditions
C.Unauthorized use of functions/unprotected APIs
D.Hard-coded credentials

A

D.Hard-coded credentials

Explanation:
The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application’s source code, they would have access to the database authentication credentials.

120
Q

A web application developer included the following HTML code within a form page:

This is an example of which unsecure code practice?

A.Comments in source code
B.Hidden elements
C.Unauthorized use of functions/unprotected APIs
D.Race conditions

A

B.Hidden elements

Explanation:
The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information or trusted state (a price, a role, a user ID) being stored in the user’s browser (the DOM), where the user can read it with the browser’s developer tools and change it before the form is submitted.

121
Q

While performing a gray box penetration test, you have discovered that the target organization uses many different operating systems on their computers. You’ve fingerprinted Windows, Mac OS, and Linux systems. You even found one UNIX server system. In addition, employees are bringing their mobile devices to work and connecting them to the organization’s wireless network, so you found many Android and iOS devices. At this point in the test, you need to identify operating system vulnerabilities that exist with high-value devices. What should you do?

A.Research the Common Vulnerabilities and Exposures (CVE) database.
B.Research the Common Attack Pattern, Enumeration and Classification (CAPEC) database.
C.Research the Computer Emergency Response Team (CERT) website.
D.Post a question on a penetration testing forum.

A

A.Research the Common Vulnerabilities and Exposures (CVE) database.

Explanation:
An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities, each with a unique identifier. Identifiers are assigned by CVE Numbering Authorities (CNAs), which include many vendors as well as security researchers, so when a vulnerability in a product is disclosed it receives a CVE entry that vulnerability scanners, vendor advisories, and exploit databases then reference. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems.

122
Q

Which of the following are considered unsecure services or protocols? (Choose two.)

A.LDAPS 
B.SSH 
C.FTP 
D.Telnet 
E.HTTPS
A

C.FTP
D.Telnet

Explanation:
FTP and Telnet are considered to be unsecure services and protocols. This is because they transfer data, including authentication credentials, over the network as clear text. This information can be easily captured using a packet sniffer.

123
Q

Which of the following would be considered an unsecure service or protocol configuration? (Choose two.)

A.Using SSHv1 instead of SSHv2
B.Using SNMPv3 instead of SNMPv1
C.Using WPA2 instead of WEP
D.Using SSL 2.0 instead of TLS 1.2

A

A.Using SSHv1 instead of SSHv2
D.Using SSL 2.0 instead of TLS 1.2

Explanation:
While SSHv1 encrypts its data transmissions, it is not considered to be as secure as SSHv2: it has known weaknesses in its integrity protection (the CRC-32 insertion attack) and in its key exchange. However, many older Linux or UNIX systems may still be configured to accept SSHv1. Likewise, TLS 1.2 is considered to be more secure than SSL 2.0, which has fundamental design flaws and whose use has been prohibited by RFC 6176.

124
Q

You need to use privilege escalation on a Linux system during a penetration test. Which features of the operating system can be used to allow an executable to be run with superuser-level permissions? (Choose two.)

A.Running it as administrator 
B.Assigning the SGID special permission 
C.Assigning the SUID special permission 
D.Running it from a child BASH shell session 
E.Assign the sticky bit permission
A

B.Assigning the SGID special permission
C.Assigning the SUID special permission

Explanation:
Assigning an executable on Linux the SUID permission allows it to run with the permissions of the file’s owner rather than those of the user who launched it. If the owner is the root user, then it will execute with root’s superuser permissions, which is why a root-owned SUID binary that can be made to spawn a shell or read arbitrary files (a SUID copy of an editor, of find, or of a custom helper) is a classic privilege escalation path. Likewise, assigning an executable the SGID permission allows it to run with the permissions of the owning group. If the owning group is the root group, then it runs with the root group’s permissions.

125
Q

Which Linux special permission, when assigned to a directory, prevents users from deleting files they do not own, even if they have write and execute permissions to the directory?

A.SGID
B.SUID
C.Sticky bit
D.Ret2libc

A

C.Sticky bit

Explanation:
When the sticky bit permission is assigned to a directory on a Linux system, then users can delete files only within the directory for which they are the owner, even if they have write and execute permissions to that directory.
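Enumerating these special bits is the first privilege escalation check on any Linux host, so here is one added Python example (not from the book) covering both the SUID/SGID card and the sticky-bit card. It walks a directory tree, reports SUID and SGID regular files and sticky-bit directories, and builds a constructed temporary tree to demonstrate itself; the equivalent one-liner on a real target is find / -xdev -type f -perm /6000 2>/dev/null.

```python
import os
import stat
import tempfile

def special_permission_report(root):
    """Walk root and return {'suid': [...], 'sgid': [...], 'sticky_dirs': [...]}.
    SUID/SGID regular files are privilege escalation candidates when owned by root;
    sticky-bit directories are the defensive case (shared, /tmp-style directories)."""
    report = {"suid": [], "sgid": [], "sticky_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                report["sticky_dirs"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):        # skip symlinks, sockets, devices
                continue
            if mode & stat.S_ISUID:
                report["suid"].append(path)
            if mode & stat.S_ISGID:
                report["sgid"].append(path)
    return report

def make_demo_tree():
    """Constructed tree: one SUID file, one SGID file, one plain file, one sticky directory."""
    base = tempfile.mkdtemp(prefix="specialperms_")
    for name, mode in (("suid_tool", 0o4755), ("sgid_tool", 0o2755), ("plain_tool", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
        os.chmod(path, mode)
    shared = os.path.join(base, "shared_tmp")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    return base

if __name__ == "__main__":
    demo = make_demo_tree()
    for kind, paths in special_permission_report(demo).items():
        print(kind, [os.path.basename(p) for p in paths])
```

Two caveats when running it on a real host: lstat is used deliberately so a symlink pointing at a SUID binary is not double-counted, and the kernel silently drops the SGID bit when a non-root user sets it on a file whose group they do not belong to, so the demo’s sgid_tool may be absent when run unprivileged.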

126
Q

Which program can you use as a standard user on a Linux system to execute programs as root?

A.sudo
B.ps
C.top
D.nice

A

A.sudo

Explanation:
On Linux, a standard user can run an executable using the sudo program to elevate privileges and run the executable as the root user (or any other user on the system, if desired), provided the sudoers policy permits it. During a penetration test, sudo -l lists the commands the current user may run; an entry that allows an editor, a shell, or any program with a shell escape to be run as root is a privilege escalation path.

127
Q

Which Linux exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a process’s’ memory?

A.SGID
B.Sticky bit
C.Ret2libc
D.Unsecure sudo

A

C.Ret2libc

Explanation:
On a Linux system, the ret2libc (return-to-libc) exploit overwrites a function’s saved return address on the stack so that, instead of returning to its caller, execution “returns” into a subroutine that is already present in the process’s memory, typically a libc function such as system(). Because no attacker-supplied shellcode has to execute from the stack, the technique works against non-executable stacks; it is countered mainly by address space layout randomization (ASLR), which hides the library’s location.

128
Q

Which of the following refers to the name of the attribute that stores passwords in a Windows Group Policy Preference item?

A.cPassword
B.TGT
C.TGS
D.LSASS

A

A.cPassword

Explanation:
On a Windows system, cPassword is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user’s password to be saved, it gets stored within this attribute in encrypted form inside the Group Policy XML files on the domain’s SYSVOL share. However, the password can be easily decrypted by any authenticated user in the domain, because the AES key is fixed and was published by Microsoft. The MS14-025 update stopped new passwords from being saved this way, but existing cPassword entries remain in SYSVOL until an administrator removes them.

129
Q

During a penetration test, you discover that an administrator is using clear-text LDAP on port 389 to update user accounts in their LDAP-compliant directory service, including user credentials. What should you recommend the client do to fix this?

A.Recommend they discontinue using LDAP clients to manage user accounts.
B.Recommend they use SSL-enabled LDAP on port 636.
C.Recommend they switch to a non-LDAP directory service.
D.Recommend they use SSH-enabled LDAP on port 22.

A

B.Recommend they use SSL-enabled LDAP on port 636.

Explanation:
You should recommend they use LDAPS on port 636 to manage user accounts. LDAPS wraps the LDAP session in TLS (historically SSL, which is why the option is labelled that way); StartTLS on port 389 is the other accepted way to protect LDAP. Standard LDAP on port 389 transmits data on the network as clear text. This means the administrative user credentials you submit to access the directory service itself as well as any credentials of the users being managed are transmitted as clear text.

130
Q

During a gray box penetration test, the tester logs on to the target organization’s domain and requests a service ticket for a registered service principal name (SPN). A ticket is received, and the tester takes it offline and attempts to crack its encryption. What is this exploit called?

A.Sandbox escape
B.Kerberoasting
C.DLL hijacking
D.Cold boot attack

A

B.Kerberoasting

Explanation:
The penetration tester in this scenario is using an exploit known as Kerberoasting. Any valid domain user can request a service ticket for any registered SPN. The ticket received is encrypted with a key derived from the service account’s password, so it can be taken offline and cracked against a wordlist, potentially exposing that password. Tickets encrypted with RC4 (encryption type 23) are the practical targets; accounts restricted to AES with long random passwords, such as managed service accounts, resist the attack. Cracking the ticket can allow privilege escalation because it’s not uncommon for the service account to have administrator-level permissions on the server that hosts the service.

131
Q

Which of the following is a service that runs on a Windows system and enforces the security policy of the system?

A.LSASS
B.Key distribution center (KDC)
C.Group Policy Object (GPO)
D.LDAP

A

A.LSASS

Explanation:
The Local Security Authority Subsystem Service (LSASS) is a process that runs on a Windows system to enforce the security policy on the system. It verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.

132
Q

Which Windows feature could potentially allow authentication credentials to be transferred as clear text over a network connection?

A.Unattended installations via PXE
B.JTAG debug
C.Remote Desktop
D.Domain join

A

A.Unattended installations via PXE

Explanation:
Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the answer file (Unattend.xml) is used to automate the installation process. If the answer file contains the local administrator password or the credentials of user accounts to be created on the system during the install, that information is transferred as clear text and is also readable by anyone who can reach the deployment share.

133
Q

What is stored in the SAM database on a Windows system?

A.Security log entries
B.Digital signatures associated with each application installed on the system
C.Group Policy settings
D.Hashed account passwords

A

D.Hashed account passwords

Explanation:
The SAM database on a Windows system contains hashed passwords for local accounts. It is stored by default as the SAM hive file in C:\Windows\System32\config\. The file is locked while Windows is running, and the hashes inside it are encrypted with a key kept in the SYSTEM hive, so a tester typically copies both hives (from a volume shadow copy, with reg save HKLM\SAM and reg save HKLM\SYSTEM as an administrator, or by booting another operating system) and then cracks the hashes offline with any of a number of tools available on the Internet.

134
Q

During a gray box penetration test, the tester creates a phishing campaign that tricks users into downloading a Trojan horse application that quietly replaces a key dynamic link library file on the local system with a modified version that loads a keylogger when executed. What is this type of exploit called?

A.JTAG debug
B.Cold boot attack
C.cPassword
D.DLL hijacking

A

D.DLL hijacking

Explanation:
This is an example of a DLL hijacking exploit. The malicious DLL likely contains the same functions that the original DLL did, allowing applications that rely on it to function correctly. However, it can also contain malicious code that executes when the DLL is loaded.

135
Q

Which of the following are ways in which services on a Windows system can be exploited? (Choose two.)

A.Using unquoted service paths
B.Replacing executables for writable services
C.Implementing a cold boot attack
D.Compromising credentials in LSASS

A

A.Using unquoted service paths
B.Replacing executables for writable services

Explanation:
Unquoted service paths are one way that services can be exploited on a Windows system. When the path to a service executable contains spaces and is not enclosed in quotes, Windows cannot tell where the executable name ends and tries each space-delimited prefix in turn, so a path such as C:\Program Files\My App\svc.exe makes it look for C:\Program.exe and then C:\Program Files\My.exe before the real binary. If a tester can write to one of those directories, a malicious executable placed there runs with the service’s privileges, usually SYSTEM. In addition, if the service executable file itself is writable by a low-privileged user, it can simply be replaced with a malicious executable of the same name.
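The search order the explanation above describes, worked through in code. This is an added example, not code from the book or from any tool it mentions: given a service’s ImagePath as stored in the registry, it lists the executables Windows will try when the path is unquoted and reports which of those a low-privileged user could plant. The service list and the set of writable directories are constructed for the example (a real check reads ImagePath from HKLM\SYSTEM\CurrentControlSet\Services and tests write access with icacls or by creating a file there).

```python
"""Added example: enumerate unquoted-service-path hijack points.
Runs on any OS; no Windows registry access is performed."""
from __future__ import annotations
import ntpath


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Executable paths tried, in order, for an ImagePath value.

    A quoted path is unambiguous and yields only itself. For an unquoted
    path, CreateProcess treats each space as a possible end of the
    executable name and appends .exe when the candidate has no extension,
    so 'C:\\Program Files\\Vuln App\\svc.exe -k net' is tried as
    C:\\Program.exe, then C:\\Program Files\\Vuln.exe, then the real binary.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return [cmd[1:].partition('"')[0]]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        candidates.append(cand)
        if tokens[i - 1].lower().endswith(".exe"):
            break  # reached the real executable; later tokens are arguments
    return candidates


def _norm(path: str) -> str:
    # Case-insensitive, trailing-backslash-insensitive comparison key
    return ntpath.normcase(path).rstrip("\\")


def hijack_points(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates tried before the real binary whose directory the attacker
    can write to. An empty list means no unquoted-path hijack is possible."""
    writable = {_norm(d) for d in writable_dirs}
    cands = unquoted_path_candidates(image_path)
    return [c for c in cands[:-1] if _norm(ntpath.dirname(c)) in writable]


# Constructed sample data: three services and the directories the
# low-privileged user can write to. C:\Program Files being writable is
# the (constructed) misconfiguration that makes VulnSvc exploitable.
SERVICES = {
    "VulnSvc": r"C:\Program Files\Vuln App\svc.exe -k net",
    "SafeSvc": r'"C:\Program Files\Safe App\svc.exe" -k net',
    "NoSpaceSvc": r"C:\Tools\svc.exe",
}
WRITABLE = {r"C:\Program Files", r"C:\Users\low\AppData\Local\Temp"}


def audit(services: dict[str, str], writable_dirs: set[str]) -> dict[str, list[str]]:
    """Service name -> paths where a planted binary would run as the service."""
    result = {}
    for name, path in services.items():
        points = hijack_points(path, writable_dirs)
        if points:
            result[name] = points
    return result


if __name__ == "__main__":
    for name, points in audit(SERVICES, WRITABLE).items():
        print(f"{name}: plant a binary at {' or '.join(points)}")
```

The fix on the defensive side is the quoting itself: an ImagePath of "C:\Program Files\Vuln App\svc.exe" -k net yields a single candidate, as the SafeSvc entry shows.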

136
Q

Which of the following issues could enable a penetration tester to execute a DLL hijacking exploit on a Windows system?

A.Failure to install the latest Windows updates
B.Using out-of-date virus definitions
C.Using unsecure file and folder permissions
D.Failure to configure user account restrictions in Group Policy

A

C.Using unsecure file and folder permissions

Explanation:
To implement a DLL hijacking exploit, the penetration tester needs write access to a location the application searches for the DLL before it finds the legitimate copy (typically the application’s own directory) or to the DLL file itself. Unsecure file and folder permissions make this much easier to accomplish.

137
Q

Which of the following techniques can be used to help retain persistence for an exploit on a Windows system? (Choose two.)

A.Using scheduled tasks 
B.Using cold boot attacks 
C.Implementing Kerberoasting 
D.Using DLL hijacking 
E.Looking for kernel exploits
A

A.Using scheduled tasks
D.Using DLL hijacking

Explanation:
DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.

138
Q

What is the best way to defend against kernel exploits?

A.Update the system’s antivirus definitions.
B.Install the latest operating system updates.
C.Use secure file and folder permissions.
D.Implement user account restrictions in Group Policy.

A

B.Install the latest operating system updates.

Explanation:
The best defense a system administrator has against kernel exploits is to keep their operating systems updated with the latest patches from the vendor. The Common Vulnerabilities and Exposures (CVE) database contains vulnerability information for known Windows, Mac OS, Linux, UNIX, Android, and iOS operating system kernels.

139
Q

During a gray box penetration test, the tester discovers that one of the organization’s firewalls has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the firewall and opens holes in it. What kind of authentication exploit occurred in this scenario?

A.Weak credentials exploit
B.Redirect attack
C.Default account settings exploit
D.Credential brute-forcing

A

C.Default account settings exploit

Explanation:
The penetration tester in this scenario exploited the firewall administrator’s failure to modify the default account settings on the firewall device. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These default account settings are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

140
Q

Which of the following are examples of sandbox escape exploits? (Choose three.)

A.Cold boot attacks 
B.Shell upgrade 
C.Virtual machine (VM) escape 
D.Container escape 
E.Ret2libc 
F.JTAG debug
A

B.Shell upgrade
C.Virtual machine (VM) escape
D.Container escape

Explanation:
Shell upgrade, VM escape, and container escape are all examples of sandbox escape exploits.

141
Q

During a penetration test, the tester gains physical access to a Windows server system and reboots it from a flash drive that has a Linux distribution installed on it. She is able to bypass security and copy key files from the server to the flash drive for later cracking and analysis. What type of exploit occurred in this scenario?

A.Cold boot attack
B.Shell upgrade exploit
C.VM escape exploit
D.JTAG debug exploit

A

A.Cold boot attack

Explanation:
The tester implemented a cold boot attack. By booting to Linux from the flash drive, she was able to bypass many of the Windows security mechanisms and access key files.

142
Q

A penetration tester connects a special device to a diagnostic port implemented in the motherboard by the manufacturer and is able to capture data from system registers. What type of exploit occurred in this scenario?

A.Cold boot attack
B.Shell upgrade exploit
C.VM escape exploit
D.JTAG debug exploit

A

D.JTAG debug exploit

Explanation:
The tester performed a JTAG debug exploit. JTAG (Joint Test Action Group) is a hardware debugging interface that manufacturers build into many motherboards, embedded devices, and chips. A debug adapter attached to the JTAG port can halt the processor, read and write its registers and memory, and often extract firmware, bypassing the operating system’s security controls entirely.

143
Q

What are the risks of enabling serial console connections on network devices such as routers and switches?

A.Network administrators tend to not secure them properly.
B.They are prone to data emanation.
C.It is easy for attackers to connect to them.
D.It is easy for attackers to sniff data from them.

A

A.Network administrators tend to not secure them properly.

Explanation:
The risk associated with enabled serial console connections on network devices is that network administrators tend not to secure them properly. Because the console can be reached only over a direct point-to-point cable, administrators often leave it without a password or with a weak one. That makes it easy for a penetration tester who can get physical access to the device to plug in a console cable and obtain privileged access.

144
Q

Which of the following is used on Windows system to allow you to remotely execute code on another Windows system somewhere else in the network?

A.RPC/DCOM
B.X-server
C.RSH
D.Rlogin

A

A.RPC/DCOM

Explanation:
Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) is used on Windows systems and allows you to remotely execute code on a different Windows system.

145
Q

Which of the following is a utility that can be used on Windows systems that allows you to establish command-line access to the console of a remote Windows system, much like the older Telnet client?

A.PsExec
B.VNC
C.RSH
D.Rlogin

A

A.PsExec

Explanation:
PsExec is a command-line utility from Microsoft’s Sysinternals suite (it is not installed by default on Windows) that lets you interactively execute processes on other Windows systems, including an interactive command prompt on the remote system. It works by copying a service executable to the remote ADMIN$ share and starting it over SMB, which is why it requires administrative credentials and access to the administrative shares.

146
Q

Which of the following provides an infrastructure for managing Windows systems over the network from a centralized location?

A.SMB
B.VNC
C.WMI
D.RDP

A

C.WMI

Explanation:
Windows Management Instrumentation is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.

147
Q

Which of the following Windows features can be used to remotely manage Windows systems over a network connection? (Choose two.)

A.SMB 
B.Telnet 
C.PS Remoting 
D.WinRM 
E.SSH
A

C.PS Remoting
D.WinRM

Explanation:
PowerShell (PS) Remoting allows you to run PowerShell cmdlets remotely on other Windows systems in your network environment. Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management protocol and is the transport that PowerShell Remoting runs over.

148
Q

Which of the following can be used to remotely manage Windows systems over a network connection using a graphical user interface?

A.SMB
B.RDP
C.PS Remoting
D.PsExec

A

B.RDP

Explanation:
The Remote Desktop Protocol (RDP) is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.

149
Q

Which of the following can be used to remotely manage Macintosh systems over a network connection using a graphical user interface?

A.Rlogin 
B.RDP 
C.ARD 
D.PsExec 
E.RSH
A

C.ARD

Explanation:
The Apple Remote Desktop (ARD) can be used to remotely manage Macintosh systems over a network connection using a graphical user interface.

150
Q

Which of the following can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface (as long as the necessary software is installed)?

A.VNC 
B.RDP
C.ARD 
D.WMI 
E.RSH
A

A.VNC

Explanation:
Virtual Network Computing (VNC) connections can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface, as long as the necessary software is installed on both the local and remote systems.

151
Q

Which of the following can be used to remotely manage Linux systems over a network connection using a graphical user interface?

A.X11 forwarding 
B.RDP 
C.ARD 
D.WMI 
E.SMB
A

A.X11 forwarding

Explanation:
X11 forwarding can be used to remotely manage Linux systems over a network connection using a graphical user interface: the remote application’s window is displayed on the local X server, usually tunneled through SSH with ssh -X.

152
Q

Why should you avoid using utilities such as Telnet, rlogin, and rsh when conducting a penetration test?

A.They transfer data slowly.
B.They provide only a command-line interface.
C.They transmit data as clear text over the network.
D.They are no longer supported by modern operating systems.

A

C.They transmit data as clear text over the network.

Explanation:
Utilities such as Telnet, rlogin, and rsh should be avoided when conducting a penetration test because they transmit data, including the credentials used to log in, as clear text over the network. This makes it much easier for defenders to see what you are doing during the test, and you will likely get caught; it also exposes the client’s credentials to anyone else sniffing the network.

153
Q

Which of the following techniques can be used to establish persistence during a penetration test that involves Linux systems?

A.Enable WMI.
B.Schedule jobs using cron to run exploit scripts or start daemons.
C.Task Scheduler to run exploit executables or scripts.
D.Use PS remoting.

A

B.Schedule jobs using cron to run exploit scripts or start daemons.

Explanation:
One technique that can be used to establish persistence during a penetration test involving Linux systems is to schedule jobs using cron to run exploit scripts or start daemons. This ensures these jobs happen automatically without intervention once you have left the system.

154
Q

Which of the following tools can be used to automatically run tasks on a Windows system without your intervention? (Choose two.)

A.WMI 
B.at 
C.Task Scheduler 
D.PS remoting 
E.cron
A

B.at
C.Task Scheduler

Explanation:
In the graphical environment, you can use Task Scheduler to automatically run tasks (such as exploit executables or services) without your intervention. From the command prompt the same thing is done with the at command, or with schtasks, which replaced it (at is deprecated on current Windows versions).

155
Q

Which of the following is a type of malware that provides a useful function but secretly performs malicious actions when it is run?

A.Backdoor
B.Trojan
C.Daemon
D.Worm

A

B.Trojan

Explanation:
A Trojan is a type of malware that provides a useful function but secretly performs malicious actions when it is run. For example, it may provide an entertaining game that the user enjoys playing. However, in the background, it could be running a keylogger, creating a backdoor, or even making the system a zombie in a botnet.

156
Q

You are performing a gray box penetration test. You have successfully compromised a target computer system. What techniques could you employ to ensure persistence? (Choose two.)

A.Create a backdoor. 
B.Create a user account. 
C.Disable the syslog daemon. 
D.Install a Telnet service. 
E.Enable the Samba daemon.
A

A.Create a backdoor.
B.Create a user account.

Explanation:
To ensure persistence of the compromise, you could create a backdoor into the system or create a user account for yourself.

157
Q

You are performing a gray box penetration test. You have successfully compromised a target computer system. You now need to cover your tracks to hide the evidence of your actions. Which techniques could you employ? (Choose two.)

A.Create a text file in the administrator’s home directory named Youvebeenhacked.txt.
B.Delete all entries from all log files.
C.Hide any files that you copied to the system.
D.Alter log entries created when you compromised the system.

A

C.Hide any files that you copied to the system.
D.Alter log entries created when you compromised the system.

Explanation:
In the process of covering your tracks, you should consider taking actions such as removing or hiding any files you copied to the system. You could also consider altering any log entries that were created when you compromised the system. However, there are two things to keep in mind when modifying log files. First, make sure the scope of work for the penetration test allows you to modify log files. Sometimes it will not be allowed. Second, you should not delete all the log entries. This would be a dead giveaway to a defender that you have compromised the system.

158
Q

A penetration tester runs the chkconfig --del command at the end of an engagement. What is the reason the tester may have done this?

A.To check for persistence
B.To enable persistence
C.To remove the persistence
D.To report persistence

A

C.To remove the persistence

Explanation:
chkconfig is the tool on SysV-init Linux distributions (such as older Red Hat releases) for managing which run levels a service starts in; it can view or change a service’s run-level settings. chkconfig --del <service> removes the service from chkconfig management, deleting its start and stop links for every run level, so the service (for example, a backdoor daemon the tester installed) no longer starts at boot. Running it at the end of an engagement is part of cleanup: removing the persistence the tester added.

159
Q

Which of the following should be used if a penetration tester is attempting to achieve persistence by compromising a Windows server?

A.net session server | dsquery -user | net use c$
B.powershell && set-executionpolicy unrestricted
C.reg save HKLM\System\CurrentControlSet\Services\Sv.reg
D.schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

A

D.schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

Explanation:
Creating a scheduled task is a persistence technique: the task re-launches the tester’s PowerShell script on a schedule or at logon, long after the original session is gone. The option is written loosely (a task needs a name and a schedule); the working form is schtasks /create /tn <name> /tr "powershell.exe -File Sv.ps1" /sc onlogon. The other options do not establish persistence. reg save only exports a copy of the specified registry subkey to a file (the Services key is where service definitions live, so a tester might export it to study or back it up before making changes); set-executionpolicy unrestricted merely relaxes the script-execution policy; and the net/dsquery pipeline enumerates sessions and users and maps a share.

160
Q

A client has requested that a wireless penetration test be done. Which scoping target information will most likely be needed before testing can start?

A.The bands and frequencies of the wireless devices used by the client
B.The preferred wireless access point vendor of the client
C.The number of wireless devices owned by the client
D.The physical location and network ESSIDs to be tested

A

A.The bands and frequencies of the wireless devices used by the client

Explanation:
In this scenario, the penetration tester would need to receive the bands and frequencies used by the client’s wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

161
Q

Which one of the following is an instance of a spear phishing attack?

A.Targeting the CFO with an SMS attack
B.Targeting the HR team with an email attack
C.Targeting random users with a USB key drop
D.Targeting an organization with a watering hole attack

A

A.Targeting the CFO with an SMS attack

Explanation:
Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Spear phishing is aimed at specific individuals rather than a broader group. SMS phishing (or smishing) is phishing via SMS messages. SMS stands for Short Message Service. It is a way to send and receive text messages or short emails with a cell phone. An SMS attack is an attempt to obtain personal information by tricking the individual with a text message or by getting them to go to a fake website and enter personal information. In this scenario, you want to target one particular individual rather than a group.

163
Q

A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this?

A.reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG-DWORD /d 0
B.reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
C.reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
D.reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

A

D.reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Explanation:
reg add adds a new subkey or entry to the registry. The syntax is reg add KeyName /v ValueName /t Type /d Data, where KeyName is the full path of the subkey, /v the name of the value to add under it, /t its data type, and /d its data. Penetration testers often focus on the easiest attack vector to achieve their objectives, and one common tool is Mimikatz, which can read credentials from the memory of the LSASS process on compromised Windows systems. When the WDigest authentication provider is enabled, LSASS keeps plaintext passwords in memory, exposing them to theft. WDigest credential caching is disabled by default on Windows 10 (and on Windows 8.1/Server 2012 R2 and later, or on older systems with KB2871997 installed), so the tester re-enables it by setting UseLogonCredential to 1 under HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest; the change only captures the credentials of users who log on after it is made. Option A uses the wrong control set and a nonexistent type (REG-DWORD), B uses the wrong hive (HKCU), and C uses the wrong path (Software instead of System).

164
Q

An evil twin has been successfully deployed by a penetration tester and is beginning to see some victim traffic. What would be the next step that the tester would want to take to capture all of the unencrypted web traffic from the victim?

A.Harvest the user credentials to decrypt traffic.
B.Implement a certification authority (CA) attack by impersonating trusted CAs.
C.Implement an HTTP downgrade attack.
D.Perform a man-in-the-middle attack.

A

C.Implement an HTTP downgrade attack.

Explanation:
A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

165
Q

A penetration tester has been asked by a client to review a new web application for availability. Which of the following types of attacks should the tester utilize?

A.TCP SYN flood
B.SQL injection
C.Cross-site scripting (XSS)
D.XMAS scan

A

A.TCP SYN flood

Explanation:
A TCP SYN flood (also known as a SYN flood) is a form of denial-of-service (DoS) attack in which a tester sends a succession of SYN requests to the target system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. It exploits the normal TCP three-way handshake: each SYN leaves a half-open connection on the server that waits for a final ACK that never arrives, consuming resources on the targeted server until it is unresponsive.

166
Q

A web application has been developed to target browsers and permit access into different banking accounts. This application takes a few dollars from one account and sends it to a foreign account. What type of attack has just occurred?

A.Cross-site scripting
B.Flash cookie exploitation
C.Header manipulation
D.SQL injection

A

A.Cross-site scripting

Explanation:
In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. In this scenario, the attacker has developed an application that will target web browsers and permit access to a user’s banking information in the process, stealing money and transferring it to another account.

167
Q

Several employees of an organization were recently victims of a phishing attack. They received an email that appeared to come from the company president. The email stated that the employees would receive disciplinary action if they did not do as the emailed instructed and click a link in the message. What principles of social engineering did the attacker use?

A.Authority
B.Fear
C.Scarcity
D.Social proof

A

A.Authority

Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

168
Q

A penetration tester is conducting a scan of a web application. During the review of the scan results, which of the following vulnerabilities would be the most critical and should be prioritized for exploitation?

A.Clickjacking
B.Expired certificate
C.Full path disclosure
D.Stored cross-site scripting (XSS)

A

D.Stored cross-site scripting (XSS)

Explanation:
Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers potentially malicious input from a user and stores it in a data store, from which it is later served, unescaped, to every user who views the affected page, so a single injection reaches many victims without any further action by the attacker.

169
Q

A penetration tester is conducting ARP spoofing against a switch. Which of the following should the tester trick to get the most information?

A.The MAC address of the client
B.The MAC address of the domain controller
C.The MAC address of the web server
D.The MAC address of the gateway

A

D.The MAC address of the gateway

Explanation:
ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

170
Q

A penetration tester is trying to perform a man-in-the-middle (MITM) attack on a computer. The computer’s network configuration is as follows:

IP: 192.168.10.25 
NETMASK: 255.255.255.0 
DEFAULT GATEWAY: 192.168.10.254 
DHCP: 192.168.1.253 
DNS: 192.168.10.10, 192.168.20.10

Which of the following commands should the malicious user execute to perform the MITM attack?
A.arpspoof -c both -r -t 192.168.10.1 192.168.10.25
B.arpspoof -c both -t 192.168.10.25 192.168.1.253
C.arpspoof -t 192.168.10.25 192.168.10.254
D.arpspoof -r -t 192.168.1.253 192.168.10.25

A

C.arpspoof -t 192.168.10.25 192.168.10.254

Explanation:
A man-in-the-middle attack intercepts communication between two systems. ARP (Address Resolution Protocol) lets hosts on a LAN map IP addresses to MAC addresses. The dsniff arpspoof syntax is arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host: -t names the host whose ARP cache is poisoned, and the final argument is the IP address the attacker wants to impersonate. arpspoof -t 192.168.10.25 192.168.10.254 therefore tells the victim (192.168.10.25) that the default gateway (192.168.10.254) is at the attacker’s MAC address, so the victim’s outbound traffic is sent to the tester. Adding -r poisons the gateway as well so both directions pass through the tester, and IP forwarding must be enabled on the tester’s machine or the victim simply loses connectivity. The other options point at the wrong hosts: 192.168.10.1 is not the gateway, and 192.168.1.253 is the DHCP server.
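The frames behind the arpspoof command above, and the defender’s check for the poisoning described in the previous question, as an added example that is not code from the book or from dsniff: it builds the unsolicited ARP replies that arpspoof -t 192.168.10.25 192.168.10.254 (and the -r reverse direction) put on the wire, parses them back, and runs the simple IP-to-MAC consistency check that tools such as arpwatch use. The MAC addresses are constructed for the example; the IP addresses are the ones in the question. The code only produces bytes; sending them needs a raw socket and authorization.

```python
"""Added example: ARP cache poisoning frames and their detection."""
from __future__ import annotations
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the scenario in the question
VICTIM_IP, VICTIM_MAC = "192.168.10.25", "aa:aa:aa:aa:aa:25"
GATEWAY_IP, GATEWAY_MAC = "192.168.10.254", "cc:cc:cc:cc:cc:fe"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that claims sender_ip is at
    sender_mac, unicast to target. Sent unsolicited, this is the poison."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields of an Ethernet frame (42 bytes here; on the wire
    the frame is padded to the 60-byte minimum)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!HHBBH", frame[14:22])[4]
    return {
        "op": opcode,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str) -> list[bytes]:
    """The two frames a full MITM needs: the victim is told the gateway's IP
    lives at the attacker (arpspoof -t victim gateway), and the gateway is
    told the victim's IP lives at the attacker (what the -r flag adds)."""
    return [build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)]


def arp_conflicts(frames) -> list[tuple[str, str, str]]:
    """Defender's check: remember the MAC each IP claims in ARP replies and
    report (ip, previous_mac, new_mac) whenever a claim changes."""
    seen, conflicts = {}, []
    for frame in frames:
        a = parse_arp(frame)
        if a["op"] != ARP_REPLY:
            continue
        previous = seen.get(a["sender_ip"])
        if previous is not None and previous != a["sender_mac"]:
            conflicts.append((a["sender_ip"], previous, a["sender_mac"]))
        seen[a["sender_ip"]] = a["sender_mac"]
    return conflicts


if __name__ == "__main__":
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    poison = poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    print(arp_conflicts([legit] + poison))
```

arpspoof resends these replies every couple of seconds because the victim’s cache entry would otherwise expire and be refreshed by the real gateway; on the tester’s host, sysctl -w net.ipv4.ip_forward=1 (on Linux) must be set so intercepted traffic is passed on rather than dropped. The arp_conflicts check is what a switch’s dynamic ARP inspection or an arpwatch daemon does continuously: a gateway IP that suddenly answers from a different MAC is the signature of this attack.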

171
Q

During a black box assessment on a web-based application, a penetration tester is provided only with a URL to a login page. The following is the code and output:

import requests
from bs4 import BeautifulSoup  # the current package is beautifulsoup4

# Fetch the admin page the tester was given (URL exactly as in the question)
response = requests.get("https://www.willpanek.com/admin")

if response.status_code == 200:
    soup = BeautifulSoup(response.text, "html.parser")
    # Hidden form fields are <input type="hidden">; <div> elements carry no type attribute
    hidden_fields = soup.find_all("input", {"type": "hidden"})
    print(response.status_code, response.reason)
    for field in hidden_fields:
        print(field.get("name"), field.get("value"))
else:
    print(response.status_code, response.reason)

Output: 200 OK

What is the penetration tester trying to do?

A.Analyze the HTTP response code.
B.Horizontally escalate privileges.
C.Scrape the page for hidden fields.
D.Search for HTTP headers.

A

C.Scrape the page for hidden fields.

Explanation:
Web scraping automatically extracts data and presents it in a format that a tester can easily make sense of. In this scenario, Python is being used as the scraping language together with a powerful library called BeautifulSoup. BeautifulSoup is a Python package for parsing HTML and XML documents. It creates a parse tree for parsed pages that can be used to extract data from HTML, which is useful for web scraping. Beautiful Soup helps a tester pull particular content from a web page, remove the HTML markup, and save the information. Here the script requests the login page and, if the server returns 200, searches the parsed page for hidden form fields, which often carry session tokens, CSRF tokens, or other values a tester wants to inspect or tamper with.

172
Q

During a web application penetration test, a penetration tester observes that the content security policy header is missing. What type of attack would the tester most likely perform next?

A.A clickjacking attack
B.A command injection attack
C.A directory traversal attack
D.A remote file inclusion attack

A

A.A clickjacking attack

Explanation:
Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they intended to click the top-level page; the tester is “hijacking” clicks and routing them to another page. It is a browser-level issue that affects a variety of browsers and platforms. The Content-Security-Policy header’s frame-ancestors directive (like the older X-Frame-Options header) tells the browser whether a page may be embedded in a frame; when the header is missing, the page can be loaded inside an attacker-controlled iframe, which is the precondition for a clickjacking attack.

173
Q

A penetration tester is attempting a physical security assessment and wants to use an “under-the-door tool” during the test. Which of the following intrusion techniques should the tester attempt?

A.Egress sensor triggering
B.Lock bumping
C.Lock bypass
D.Lock picking

A

C.Lock bypass

Explanation:
Lock bypass is simply that. Bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

174
Q

A penetration tester is conducting a test on a web application and discovers that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent by using which of the following?

A.The HTTP OPTIONS method
B.The HTTP POST method
C.The HTTP PUT method
D.The HTTP TRACE method

A

B.The HTTP POST method

Explanation:
Forms in HTML use either method="POST" or method="GET" (the default) on the <form> element; the method determines how the field data is submitted to the server. With GET, the parameters are appended to the URL, so they end up in the browser history, in bookmarks, in the Referer header sent to other sites, and in web server and proxy logs. With POST, the parameters travel in the request body and are not saved in browser history or normally logged. Neither method protects the data on the wire; that requires HTTPS. GET is therefore less secure than POST for credentials because the data becomes part of the URL.

175
Q

The chief financial officer (CFO) receives an email from the chief executive officer (CEO) indicating that a new vendor needs to be issued a wire transfer. However, neither the CFO nor the CEO knows who this new vendor is. The CEO claimed that he never sent the email requesting the transfer. What type of motivation technique is the attacker attempting?

A.Principle of authority 
B.Principle of fear 
C.Principle of likeness 
D.Principle of scarcity 
E.Principle of social proof
A

A.Principle of authority

Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by the CFO receiving an email from the CEO, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

176
Q

You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack?

A.The tester compromised a Windows device and dumps the Local Security Authority (LSA) secrets.
B.The tester needs to retrieve the Security Account Manager (SAM) database and crack the password hashes.
C.The tester compromised a user account that has limited privileges and needs to target other accounts for lateral movement.
D.The tester compromised an account and needs to dump hashes and plaintext passwords from the system.

A

C.The tester compromised a user account that has limited privileges and needs to target other accounts for lateral movement.

Explanation:
Kerberoasting is a technique that relies on requesting service tickets for service accounts that have service principal names (SPNs) registered. Each ticket is encrypted with a key derived from the password of the service account that owns the SPN, so once a tester has obtained the tickets (with a tool such as Rubeus, Impacket’s GetUserSPNs.py, or Mimikatz) they can be cracked offline to recover the service account password. It needs nothing more than a valid, low-privileged domain account, which is why it fits the scenario of a tester who holds a limited account and wants to move laterally to other accounts. The other scenarios describe credential dumping (LSA secrets, the SAM database, LSASS memory), which requires local administrative access and is not Kerberoasting. Kerberoasting is a four-step process: scan Active Directory for user accounts with SPNs set; request service tickets for those SPNs; extract the tickets from memory and save them to a file; and run an offline brute-force attack against the service account passwords.
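The attack described in this question and in the first question of this section leaves a recognisable trail on the domain controller: Security event 4769 (a Kerberos service ticket was requested) with an RC4 encryption type (0x17), for user-account SPNs rather than machine accounts or krbtgt, many of them from one account in a short time. The detection pass below is an added example, not code from the book or from any Kerberoasting tool; the event lines are constructed for the example in a flat key=value rendering of the 4769 fields.

```python
"""Added example: flag the Kerberoasting pattern in Security event 4769 data."""
import re
from collections import defaultdict

# Constructed sample events (field names follow event 4769; format is simplified)
SAMPLE_4769 = [
    # Normal: a user fetching a ticket for a file server (machine account, AES)
    "AccountName=alice@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.5",
    # Normal: TGT activity shows up with ServiceName=krbtgt
    "AccountName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.5",
    # Suspicious burst: RC4 tickets for several service accounts, one requester
    "AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.77",
    "AccountName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.77",
    "AccountName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.77",
    "AccountName=bob@CORP.LOCAL ServiceName=svc_mon TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.77",
    # A single RC4 request on its own is not enough to alert (legacy apps do this)
    "AccountName=carol@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.9",
]

FIELD = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17  # the encryption type Kerberoasting tools ask for because it cracks fastest


def parse_event(line: str) -> dict:
    return dict(FIELD.findall(line))


def is_roastable_request(event: dict) -> bool:
    """RC4 ticket for a user-account SPN. Machine accounts end in '$' and
    krbtgt is the TGT itself; neither is what a Kerberoaster asks for."""
    service = event.get("ServiceName", "")
    etype = int(event.get("TicketEncryptionType", "0"), 16)
    return etype == RC4_HMAC and service != "krbtgt" and not service.endswith("$")


def detect_kerberoasting(lines, threshold: int = 3) -> dict:
    """Map requesting account -> sorted SPNs for accounts that requested at
    least `threshold` distinct roastable tickets in the given events."""
    spns = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if is_roastable_request(event):
            spns[event["AccountName"]].add(event["ServiceName"])
    return {account: sorted(s) for account, s in spns.items() if len(s) >= threshold}


if __name__ == "__main__":
    for account, targets in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(targets)}")
```

Event 4769 is only generated when the “Audit Kerberos Service Ticket Operations” subcategory is enabled on the domain controllers. The RC4 filter is a strong signal but not a complete one: tools can request AES-encrypted tickets, which crack far more slowly but still crack if the service account password is weak, so the durable fix is long random passwords (or group managed service accounts) for every account that carries an SPN.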

177
Q

You are a penetration tester, and while conducting a test, you are trying to maintain persistence on a Windows system that has limited privileges. What registry key should you use?

A.HKEY_CLASSES_ROOT
B.HKEY_CURRENT_CONFIG
C.HKEY_CURRENT_USER
D.HKEY_LOCAL_MACHINE

A

C.HKEY_CURRENT_USER

Explanation:
If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The tester will want to exploit the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER.DAT file will be saved on every workstation the user logged onto.

178
Q

A penetration tester is monitoring a WPA2-PSK secured wireless network and is attempting to capture a handshake between a client and an access point. Even though the tester is monitoring the correct channel, he has been unsuccessful. Which type of attack would help the tester to obtain the handshake?

A.A deauthentication attack
B.A fragmentation attack
C.A karma attack
D.A SSID broadcast flood

A

A.A deauthentication attack

Explanation:
Wi-Fi Protected Access 2 – Pre-Shared Key (WPA2-PSK) is a method of securing a network using WPA2 with the use of the optional Pre-Shared Key (PSK) authentication. To encrypt a network with WPA2-PSK, you provide a router with a plain English passphrase between 8 and 63 characters long. Wi-Fi deauthentication attacks are a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point. A tester can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.

179
Q

A penetration tester has successfully captured the administrator credentials of a remote Windows machine. The tester is now attempting to access the system by using PsExec. However, the tester is denied permission. What shares must be accessible for a successful PsExec connection?

A.ADMIN$ and C$
B.ADMIN$ and IPC$
C.ADMIN$ and SERVICES
D.IPC$ and C$

A

C.ADMIN$ and SERVICES

Explanation:
PsExec is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. PsExec’s ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and that the default Admin$ share, a hidden share that maps to the \windows directory, is available.

180
Q

A penetration tester has run the following command on a Linux file system:

chmod 4111 /usr/bin/sudo

What issues can be manipulated now?

A.The kernel vulnerabilities
B.The misconfigured sudo
C.The sticky bits
D.The unquoted service path

A

B.The misconfigured sudo

Explanation:
chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). chmod 4111 (equivalent to chmod a+rwx,u-rw,g-rw,o-rw,ug+s,+t,g-s,-t) sets permissions so that the (U)ser / owner can’t read, can’t write, and can execute; the (G)roup can’t read, can’t write, and can execute; and (O)thers can’t read, can’t write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In this scenario, the command chmod 4111 /usr/bin/sudo will misconfigure sudo.

181
Q

A security administrator is trying to encrypt communication by using the Subject Alternative Name (SAN) attribute of a certificate. What is a reason why the administrator should take advantage of SAN?

A.Can protect multiple domains
B.Does not require a trusted certificate authority (CA)
C.Protects unlimited subdomain
D.Provides extended site validation

A

D.Provides extended site validation

Explanation:
Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation.

182
Q

A security analyst is reviewing the logs for a web application. The analyst finds a suspicious request. The request shows the following URL: http://www.companysite.com/about.php?i=../../../etc/passwd. What is this request attempting?

A.Cross-site scripting
B.Directory traversal
C.Remote file inclusion
D.User enumeration

A

B.Directory traversal

Explanation:
In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

183
Q

You and a colleague are discussing different types of attacks that can take place. One type of an attack is where communications between two parties are intercepted and forwarded and neither party is aware that an interception even took place. What type of attack is being discussed?

A.A man-in-the-middle attack
B.A spear phishing attack
C.A transitive access attack
D.A URL hijacking attack

A

A.A man-in-the-middle attack

Explanation:
A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

184
Q

A penetration tester has successfully exploited an application vulnerability and now needs to remove the command history from the Linux session. Which command will remove the command history?

A.$ cat history /clear
B.$ history -c
C.$ history --remove
D.$ rm -f ./history

A

B.$ history -c

Explanation:
The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

185
Q

A help desk technician receives a phone call from someone claiming to be an employee. This person has been locked out of an account and is requesting assistance to unlock it. The help desk asks for proof of identity before access will be granted. What type of attack was the caller trying to perform?

A.Impersonation
B.Interrogation
C.Phishing
D.Shoulder surfing

A

A.Impersonation

Explanation:
Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician pretending to be an employee.

186
Q

A penetration tester has recently finished a test that revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and that management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while providing a low-effort and short-term solution? (Choose two.)

A.Identify and remove the dynamic SQL from the stored procedures.
B.Identify and remove the inline SQL statements from the code.
C.Identify and sanitize all user inputs.
D.Identify the source of malicious input and block the IP address.
E.Use a blacklist validation for the SQL statements.
F.Use a whitelist validation for the SQL statements.

A

E.Use a blacklist validation for the SQL statements.
F.Use a whitelist validation for the SQL statements.

Explanation:
Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

187
Q

A penetration tester runs the following from an exploited machine: python -c 'import pty; pty.spawn("/bin/bash")' What action is the tester performing?

A.Creating a sandbox
B.Capturing the credentials
C.Removing the Bash history
D.Upgrading the shell

A

D.Upgrading the shell

Explanation:
The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

188
Q

Which of the following types of physical security attacks does a mantrap utilize?

A.Impersonation
B.Lock picking
C.Piggybacking
D.Shoulder surfing

A

C.Piggybacking

Explanation:
Piggybacking attacks rely on following employees in through secured doors or other entrances. Higher-security organizations may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

189
Q

A penetration tester has used Social Engineer Toolkit (SET) to make a copy of a company’s cloud-hosted web mail portal and then sends an email to try to obtain the CEO’s login credentials. This is an example of what type of attack?

A.An elicitation attack
B.An impersonation attack
C.A spear phishing attack
D.A whaling attack

A

C.A spear phishing attack

Explanation:
The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

190
Q

A penetration tester is testing a client’s network and has managed to obtain access to a laptop. What would be the tester’s next step to obtain credentials from the laptop?

A.Brute force the user’s password.
B.Conduct a LLMNR/NETBIOS-NS query.
C.Leverage the BeEF framework to capture credentials.
D.Perform an ARP spoofing poisoning.

A

B.Conduct a LLMNR/NETBIOS-NS query.

Explanation:
Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

191
Q

You are a penetration tester and have found a vulnerability in the client’s domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability?

A.Attempt a pass-the-hash attack to relay credentials.
B.Attempt password brute forcing to log into the host.
C.Attempt RID cycling to enumerate users and groups.
D.Attempt session hijacking to impersonate a system account.

A

C.Attempt RID cycling to enumerate users and groups.

Explanation:
One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

192
Q

A penetration tester has been asked to assess a client’s physical security by gaining access to its corporate office. The tester is looking for a method that will allow him to enter the building during both business hours and after hours. What would be the most effective method for the tester to attempt?

A.Badge cloning
B.Lock picking
C.Using a lock bypass
D.Piggybacking

A

A.Badge cloning

Explanation:
With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

193
Q

The president of an organization reported that he has been receiving a number of phone calls from someone claiming to be with the help desk department. This individual is asking for the CEO to verify his network authentication credentials because his computer is broadcasting across the network. What type of attack is taking place?

A.Impersonation
B.Interrogation
C.Vishing
D.Whaling

A

C.Vishing

Explanation:
Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the CEO is receiving telephone calls, this is a vishing attack.

194
Q

A penetration tester has found a few unquoted service paths during a test of a client’s network. How can the tester use these vulnerabilities to his advantage?

A.By attempting to crack the service account passwords
B.By attempting DLL hijacking attacks
C.By attempting to locate weak file and folder permissions
D.By attempting privilege escalation attacks

A

D.By attempting privilege escalation attacks

Explanation:
Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate its executable. Usually service paths are well-defined and enclosed in quotation marks. But there are times when a service path contains spaces and is not surrounded by quotation marks. Testers can use such unquoted service paths to escalate privileges.

195
Q

What type of attack is being carried out when a target is being sent unsolicited messages through Bluetooth?

A.Bluesnarfing
B.Bluesniping
C.Bluejacking
D.War chalking

A

C.Bluejacking

Explanation:
Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

196
Q

A tester discovers the following log entry on a server:

Dec 23 2018 00:22:16 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow

What type of attack was being attempted?

A.Buffer overflow
B.Command injection
C.Cross-site scripting
D.Password attack

A

B.Command injection

Explanation:
In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

197
Q

You and a colleague are discussing different types of attacks. One such attack is a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser.

What type of attack is this describing?

A.Buffer overflow
B.Cross-site scripting (XSS)
C.Man-in-the-middle (MITM)
D.SQL injection (SQLi)

A

B.Cross-site scripting (XSS)

Explanation:
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

198
Q

A user has noticed that their machine has been acting unpredictably over the past week. They have been experiencing slowness and input lag. The user has found a few text files that appear to contain bits of their emails and some instant messenger conversations. The user runs a virus scan where nothing is detected. What type of malware may be affecting this machine?

A.Backdoor
B.Keylogger
C.Ransomware
D.Rootkit

A

B.Keylogger

Explanation:
A keylogger can be software or hardware and can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

199
Q

You and a colleague are discussing race condition exploitation. Which one of the following is an example of a race condition?

A.Cross-site request forgery (XSRF)
B.Hard-coded credentials
C.SQL injection (SQLi)
D.Time of check to time of use (TOCTTOU)

A

D.Time of check to time of use (TOCTTOU)

Explanation:
Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

200
Q

You are a penetration tester, and you are looking to start a session hijacking attack against a client’s web application. What information is important to obtain to ensure that your attack will be a success?

A.A session cookie
B.A session ticket
C.A username
D.A user password

A

A.A session cookie

Explanation:
Websites use HTTP cookies to keep sessions over time. If a tester is able to get a copy of the user’s session cookie, then they can use that cookie to impersonate the user’s browser and hijack the authenticated session. Attackers who are able to acquire the session cookie used to authenticate a user’s web session can hijack that session and take charge of the user’s account. Cookies used for authentication should always be securely created and transmitted only over secure, encrypted communications channels.