CompTIA PenTest+ Practice Test Chapter 3 Attacks and Exploits (Sybex: Panek, Crystal, Tracy) Flashcards

Question 1

Q

You are conducting a black box penetration test for a client. You have used reconnaissance tools to create a list of employee email addresses within the target organization. You craft an email addressed to all of the employees warning them that they must change their password within 24 hours or they will lose access. When they click the link provided in the email, they are redirected to your own website where their credentials are captured to a text file. What kind of exploit did you use?

A.Phishing
B.Vishing
C.Smishing
D.Whaling

Answer

A

A.Phishing

Explanation:
A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.

Question 2

Q

You are performing a gray box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?

A.Phishing
B.Interrogation
C.Spear phishing
D.Whaling

Answer

A

C.Spear phishing

Explanation:
A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.

Question 3

Q

You are performing a black box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify the CEO’s email address as well as the email address belonging to a help desk employee. You craft an email to the CEO that appears to come from the help desk employee directing the CEO to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?

A.Smishing
B.Vishing
C.Spear phishing
D.Whaling

Answer

A

D.Whaling

Explanation:
A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.

Question 4

Q

You are performing a black box penetration test for a medium-sized organization that sells imported clothing. You have used reconnaissance techniques to identify a key software developer. You send this employee a personalized text message containing a Bitly URL that points to your own website where you capture information to a text file. What kind of exploit did you use in this scenario?

A.Phishing
B.Smishing
C.Vishing
D.Whaling

Answer

A

B.Smishing

Explanation:
A SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit.

Question 5

Q

You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist’s phone number as well as the organization’s printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization’s network infrastructure. What kind of exploit did you use in this scenario?

A.Smishing
B.Vishing
C.Spear phishing
D.Whaling

Answer

A

B.Vishing

Explanation:
A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Question 6

Q

Which social engineering technique involves questioning an employee using intimidation to gather information?

A.Phishing
B.Smishing
C.Impersonation
D.Interrogation

Answer

A

D.Interrogation

Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers.

Question 7

Q

You are performing a black box penetration test for a large financial organization. Using reconnaissance techniques, you have identified the vendor that services the vending machines within the organization’s main headquarters. You dress in a similar uniform as the vendor’s employees. You also purchase a hand truck and several cases of soda pop. The receptionist of the target organization allows you to enter and directs you to the break room. What kind of exploit did you use in this scenario?

A.Impersonation
B.Smishing
C.Vishing
D.Elicitation

Answer

A

A.Impersonation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.

Question 8

Q

You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” on that printer, you chat with nearby employees to gather information. Which exploits did you use in this scenario? (Choose two.)

A.Impersonation 
B.Whaling 
C.Phishing 
D.Interrogation 
E.Elicitation

Answer

A

A.Impersonation
E.Elicitation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.

Question 9

Q

You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While “working” within the organization, you discretely watch employees as they type, trying to gather sensitive information. Which exploits did you use in this scenario? (Choose two.)

A. Shoulder surfing 
B.Phishing 
C.Impersonation 
D.Interrogation 
E.Elicitation

Answer

A

A. Shoulder surfing
C.Impersonation

Explanation:

Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used shoulder-surfing techniques to gather sensitive information from employees.

Question 10

Q

You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee’s email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.) 
A.Shoulder surfing 
B.Phishing
C.Impersonation 
D.Interrogation 
D.Elicitation

Answer

A

C.Impersonation
E.Elicitation

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization’s employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.

Question 11

Q

You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that installs a keylogger on the victim’s computer and sends the information it captures to you. You walk in the client’s front door and ask the receptionist for directions to a nearby sports venue. While you are speaking, you deliberately drop the drive on the floor and then leave. Which exploit was used in this scenario?

A.Shoulder surfing
B.USB key drop
C.Phishing
D.Elicitation

Answer

A

B.USB key drop

Explanation:
In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. When this happens, the malware is automatically loaded on the victim’s computer.

Question 12

Q

Which exploit sends emails indiscriminately to a large number of the target organization’s employees, anticipating that a percentage of them will click the malicious link contained in the message?

A.Phishing
B.Spear phishing
C.SMS phishing
D.Whaling

Answer

A

A.Phishing

Explanation:
In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.

Question 13

Q

Which exploit relies on text messaging to deliver phishing messages?

A.Elicitation
B.Spear phishing
C.SMS phishing
D.Whaling

Answer

A

C.SMS phishing

Explanation
A SMS phishing attack (also called a smishing attack) leverages text messaging instead of email to conduct a phishing exploit.

Question 14

Q

Which exploit relies on a telephone call to convince someone to reveal sensitive information?

A.Vishing
B.Spear phishing
C.Phishing
D.Whaling

Answer

A

A.Vishing

Explanation:
A voice phishing attack (also called a vishing attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Question 15

Q

Which exploits require the penetration tester to first conduct extensive reconnaissance to identify specific, high-value individuals to target within the organization? (Choose two.)

A.Spear phishing 
B.Phishing 
C.USB key drop 
D.Whaling 
E.SMS phishing

Answer

A

A.Spear phishing
D.Whaling

Explanation:
Both spear phishing and whaling require the penetration tester to conduct extensive research to identify high-value target individuals within the organization.

Question 16

Q

Which social engineering technique is least likely to be used during a penetration test?

A.Interrogation
B.Impersonation
C.Shoulder surfing
D.USB key drop

Answer

A

A.Interrogation

Explanation:
Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.

Question 17

Q

You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that sends information to you. Using reconnaissance techniques, you have identified the vendor that services the heating and air conditioning within the organization’s headquarters. You dress in a similar uniform as that vendor’s employees and purchase the tools they commonly use. The receptionist of the target organization allows you to enter and directs you to the mechanical room. You deliberately leave the flash drive on a user’s chair as you walk by an open cubicle. Which exploits were used in this scenario? (Choose two.)

A.Elicitation 
B.Impersonation 
C.Shoulder surfing 
D.USB key drop 
E.Business email compromise

Answer

A

B.Impersonation
D.USB key drop

Explanation:
Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used a USB key drop exploit, hoping that the user would insert the flash drive into their computer and install the malware it contains.

Question 18

Q

You have been hired to conduct a black box penetration test for a client. You walk into the organization’s main entrance and ask the receptionist for information about current job openings. You watch the keystrokes she types on her computer in hopes of capturing sensitive information that you can use to gain access to the internal network. What kind of exploit was used in this scenario?

A.Spear phishing 
B.Impersonation 
C.Shoulder surfing 
D.USB key drop 
E.Business email compromise

Answer

A

C.Shoulder surfing

Explanation:
The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.

Question 19

Q

You have been hired to conduct a gray box penetration test for a client. You managed to walk by just as she was logging on to her email account and watch the keystrokes she typed on her computer. Later that evening, after the employee has gone home for the day, you log on to her email account and send requests for information to other employees. Which exploits were used in this scenario? (Choose two.)

A.Spear phishing
B.Whaling 
C.USB key drop 
D.Shoulder surfing 
E.Business email compromise

Answer

A

D.Shoulder surfing
E.Business email compromise

Explanation:
The penetration tester used shoulder surfing and business email compromise techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. In this example, the tester used shoulder surfing to gather the employee’s email username and passwords. The tester then used the compromised account to gather information from other employees. This is called business email compromise.

Question 20

Q

You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization’s employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario?

A.Whaling
B.Elicitation
C.Interrogation
D.Phishing

Answer

A

B.Elicitation

Explanation:
This is an example of elicitation. By gaining the employees’ trust, the tester was able to elicit sensitive information from them about their employer.

Question 21

Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be the director of operations. The email asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?

A.Authority
B.Scarcity
C.Social proof
D.Likeness

Answer

A

A.Authority

Explanation:
By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.

Question 22

Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be an agent with the Federal Bureau of Investigations (FBI). The email indicates that the employee’s manager is being investigated for embezzlement and asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?

A.Likeness
B.Scarcity
C.Social proof
D.Authority

Answer

A

D.Authority

Explanation:
By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.

Question 23

Q

A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be a fellow employee who has forgotten her password. The email indicates she has a presentation in a few minutes and can’t access her presentation files on a shared network drive. She asks the employee to “loan” her his username and password so she can log on and get the files. What motivation factor did the penetration tester use in this scenario?

A.Fear
B.Urgency
C.Authority
D.Scarcity

Answer

A

B.Urgency

Explanation:
By masquerading as a fellow employee in great distress in this scenario, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be using likeability as a factor.

Question 24

Q

A penetration tester sends a phishing email to the employees of the target organization. The link in the email leads to a fake website that lists more than 1,000 reviews with an average rating of 4.9 stars. What motivation factor did the penetration tester use in this scenario?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

Answer

A

A.Social proof

Explanation:
The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.

Question 25

Q

A penetration tester sends a phishing email to the employees of the target organization. The email purports to be offering iPads for an absurdly low price. However, there are only 25 left at this price. The link in the email leads to a fake website that uses a drive-by-download script that drops a keylogger on the employee’s computer. What motivation factor did the penetration tester use in this scenario?

A.Fear
B.Social proof
C.Authority
D.Scarcity

Answer

A

D.Scarcity

Explanation:
The penetration tester is using scarcity as a motivating factor. By asserting that there are only a small number of devices available at the steeply discounted price, the employees are motivated to make a purchase before supplies run out.

Question 26

Q

You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You hire several young, physically attractive consultants to help with the penetration test. You send them to the same restaurant for lunch and have them make friends with several of the target organization’s employees. They gain the employees’ trust, and the employees begin to share information about their jobs, computers, bosses, customers, projects, and so on. Which motivation factor was used in this scenario?

A.Authority
B.Scarcity
C.Social proof
D.Likeness

Answer

A

D.Likeness

Explanation:
The penetration tester is using likeness as a motivating factor. By hiring young, friendly, and physically attractive assistants, the penetration tester is able to coerce employees of the target organization into revealing sensitive information about their employer.

Question 27

Q

During a penetration test, you send an email to the CFO of the target organization. The email claims that the webcam on the CFO’s laptop has been clandestinely used to record him viewing pornography. The email threatens to post this video and notify his family, his employer, and the police if he doesn’t respond with certain sensitive information about his company. Which motivation factor was used in this scenario?

A.Fear
B.Social proof
C.Authority
D.Scarcity

Answer

A

A.Fear

Explanation:
The penetration tester is using fear as a motivating factor. Whether the claim is true or not, the CFO knows that such a revelation could damage his family and career. It could also expose him to prosecution. This could potentially motivate him to divulge sensitive information.

Question 28

Q

A penetration tester sends an email to a sales rep of the target organization, claiming to be the CEO of one of the organization’s most important clients. The email asks the employee to create a VPN account to allow the CEO access to certain files on the organization’s network. The email threatens to terminate the business relationship if this doesn’t happen. What motivation factor did the penetration tester use in this scenario?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

Answer

A

C.Authority

Explanation:
The penetration tester is using authority (and probably urgency along with fear) as a motivating factor. The sales rep may be inclined to create the VPN connection to prevent the supposed loss of an important client.

Question 29

Q

A penetration tester sends an email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that her VPN connection from her hotel is running extremely slow and that she can’t access her client’s data. If she doesn’t get the data, she will lose the sale. The message asks the employee to email her a copy of the files. What motivation factor did the penetration tester use in this scenario?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

Answer

A

B.Urgency

Explanation:
The penetration tester is using urgency (and possibly likeness) as a motivating factor. The employee will probably comply with the request out of a desire to be seen as a “team player.” This type of attack can be made even more effective by conducting reconnaissance beforehand and identifying the names of real sales reps working for the organization.

Question 30

Q

A penetration tester sends email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that she forgot her VPN password and now it is locked because she tried too many wrong ones. She asks the employee for his VPN username and password so she can log on and update the customer database with a huge new order. She mentions in the email that one of the target employee’s coworkers has done this for her in the past and it wasn’t a big deal. What motivation factors did the penetration tester use in this scenario? (Choose two.)

A.Social proof 
B.Urgency 
C.Scarcity 
D.Authority 
E.Fear

Answer

A

A.Social proof
B.Urgency

Explanation:
The penetration tester is using two motivation factors in this example. She is using urgency and social proof as motivating factors. Because it is a huge order, the employee probably feels a sense of urgency to comply. The penetration tester also employs social proof by mentioning the name of a familiar co-worker. This probably helps the employee feel more comfortable with giving the penetration tester his username and password.

Question 31

Q

Which motivation factor gets people to act quickly due to a sense of limited supply?

A.Social proof
B.Likeness
C.Scarcity
D.Authority

Answer

A

C.Scarcity

Explanation:
People can be motivated to act quickly when they believe something they want is in limited supply. This is called scarcity. They don’t want to miss out on an opportunity, product, deal, or service that will soon become unavailable.

Question 32

Q

Which motivation factor gets people to act because they believe that “everyone else is doing it”?

A.Social proof
B.Fear
C.Scarcity
D.Authority

Answer

A

A.Social proof

Explanation:
People can be motivated to act if they think that everyone else is doing the same thing. This is called social proof. The (flawed) assumption is that if everyone else is doing something, it must be the right thing to do.

Question 33

Q

Which motivation factor gets people to act because someone with clout wants them to?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

Answer

A

C.Authority

Explanation:
People are naturally motivated by a respect for authority. When they believe someone in authority wants them to do something, they will frequently comply, especially if the request is coupled with a sense of urgency.

Question 34

Q

Which motivation factor gets people to act quickly because they believe someone needs help?

A.Social proof
B.Urgency
C.Scarcity
D.Authority

Answer

A

B.Urgency

Explanation:
Many people are naturally motivated to help others in distress. This is called urgency. When they believe someone needs help, they may bend or break the rules to help the person out.

Question 35

Q

Which motivation factor gets people to act because they want to please the person making a request of them?

A.Likeness
B.Social proof
C.Authority
D.Scarcity

Answer

A

A.Likeness

Explanation:
Most people will help someone they perceive to be a friend. This is called likeness. When someone they believe to be a friend needs help, they may bend or break the rules to help the person out.

Question 36

Q

Which motivation factor gets people to act because they worry about the consequences of not acting?

A.Social proof
B.Fear
C.Scarcity
D.Authority

Answer

A

B.Fear

Explanation:
Most people will respond to a request to act if they are made to fear the consequences of failing to act. This is one of the most basic human motivations.

Question 37

Q

THIS IS DEBATABLE, PIGGYBACKING IS WHEN THE REAL EMPLOYEE IS AWARE THEY ARE LETTING YOU IN, TAILGAITING WOULD BE SLIPPING IN WITHOUT THE REAL EMPLOYEES KNOWLEDGE AKA SLIPPING IN THE CLOSING DOOR

A penetration tester enters the target organization’s physical facility by walking behind an employee and grabbing the authentication-protected door before it shuts all of the way. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

A.Piggybacking

Explanation:
Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Question 38

Q

A penetration tester enters the target organization’s physical facility by striking up a conversation with an employee in the parking lot and walking with her through a door that uses a proximity badge reader to control access. The employee uses her badge to open the door and holds it open for the penetration tester. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

A.Piggybacking

Explanation:
.Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person’s knowledge and/or consent.

Question 39

Q

A penetration tester waits in the target organization’s parking lot until she sees a large group of employees returning from lunch. She inserts herself quietly at the back of the group. The first person in the group uses his badge to unlock a secured door. The penetration tester is able to move through the door with the rest of the group. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

B.Tailgating

Explanation:
Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Question 40

Q

As a penetration tester approaches the main entrance to the target organization’s physical facility, she notices that a turnstile is used to control access. She carefully steps over the turnstile instead of walking through it. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Fence jumping

Answer

A

D.Fence jumping

Explanation:
Fence jumping occurs when an unauthorized person simply jumps over a physical barrier designed to control access. In this scenario, the penetration tester simply steps over the turnstile that is designed to prevent unauthorized people from entering.

Question 41

Q

A penetration tester rifles through the target organization’s garbage and finds an optical disc. He reads the disc on his laptop and finds that it contains several very sensitive files from human resources. What kind of exploit occurred in this scenario?

A.Dumpster diving
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

Answer

A

A.Dumpster diving

Explanation:
Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Question 42

Q

A penetration tester impersonates a vending machine repair person to gain physical access to the target organization’s facility. Once inside, he notices that the door to the server room uses a simple pushbutton door lock that doesn’t use any kind of electronic authentication. Which physical security attack could he use to gain access to the server room?

A.Lock picking
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

Answer

A

A.Lock picking

Explanation:
Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.

Question 43

Q

A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization’s facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a piece of strong tape over the door locking tab, allowing her to return into the room later without authorization. What is this technique called?

A.Lock picking
B.Lock bypass
C.Fence jumping
D.Badge cloning

Answer

A

B.Lock bypass

Explanation:
Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. For example, this could be done by placing tape over the locking tab, as was done in this scenario.

Question 44

Q

The exterior double glass door to a facility has a motion sensor installed that automatically unlocks the door when someone is leaving the facility. To gain unauthorized access to the facility, a penetration tester sprays a can of air duster in the center crack between the doors to trigger the motion sensor and unlock the door. What is this technique called?

A.Lock picking
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

Answer

A

D.Egress sensor bypass

Explanation:
Egress sensor bypass occurs when an attacker manipulates an egress sensor to unlock a door. In this scenario, the moving compressed air from the air duster is much colder and denser than the surrounding air, causing the egress sensor to think someone is exiting the building and unlock the door.

Question 45

Q

While waiting in line at a food truck behind an employee of the target organization, a penetration tester steals her access badge and makes a copy of its RFID signature on a fake access badge. What is this technique called?

A.Egress sensor bypass
B.Lock bypass
C.Badge cloning
D.Fence jumping

Answer

A

C.Badge cloning

Explanation:
Badge cloning occurs when an attacker makes a copy of a valid access badge in order to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials.

Question 46

Q

A penetration tester waits in the target organization’s parking lot early in the morning until she sees an employee heading toward the front door. She walks up behind the employee while clumsily carrying several large boxes. She asks the employee to hold the door for her and is able to enter the facility. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

A.Piggybacking

Explanation:
Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person’s knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.

Question 47

Q

A penetration tester observes that many employees of the target organization congregate outside the back door of the facility at 10 a.m. and 2 p.m. to smoke cigarettes. The next day, the tester joins the group and pretends to smoke with them. When the group finishes smoking, the tester walks through the back door behind the group. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

A.Piggybacking

Explanation:
Piggybacking occurs when an intruder tags along with one or more an authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Question 48

Q

A target organization’s facility is surrounded by a tall chain-link fence topped with barbed wire. A penetration tester observes that a remote section of the fence is overgrown with shrubbery.
Late at night, she uses bolt cutters to cut a slit in the fence that she can slip through at a later time. What is this technique called?

A.Egress sensor bypass
B.Lock bypass
C.Badge cloning
D.Fence jumping

Answer

A

D.Fence jumping

Explanation:
Fence jumping occurs when an unauthorized person simply jumps over or cuts through a physical barrier designed to control access. In this scenario, the tester penetrated the physical fence barrier by cutting a hole in it.

Question 49

Q

A penetration tester observes that the target organization’s garbage is picked up early in the morning every Tuesday. Late Monday night, she climbs into the organization’s garbage receptacle and gathers discarded documents, optical discs, and storage devices such as flash drives. What kind of exploit occurred in this scenario?

A.Dumpster diving
B.Tailgating
C.Fence jumping
D.Egress sensor bypass

Answer

A

A.Dumpster diving

Explanation:
Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Question 50

Q

What tools are required, at a minimum, to pick a lock? (Choose two.)

A.A diagram of the inner locking mechanism
B.A can of spray lubricant
C.A tension wrench
D.A lock pick tool

Answer

A

C.A tension wrench
D.A lock pick tool

Explanation:
At a minimum, you need a tension wrench and a lock pick tool to pick a lock. The tension wrench is used to apply rotational pressure to the lock (in the unlock direction). The lock pick tool is used to release each of the pins within the lock.

Question 51

Q

A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization’s facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a small wooden wedge into the door jam, preventing the door from closing completely. This allows her to return into the room later without authorization. What is this technique called?

A.Lock picking
B.Lock bypass
C.Fence jumping
D.Badge cloning

Answer

A

B.Lock bypass

Explanation:
Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. In this example, this was done by placing a wooden wedge in the door jamb, preventing the door from closing completely and preventing the locking mechanism from engaging.

Question 52

Q

Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization?

A.Emergency fail open
B.Automatic locking
C.Automatic unlocking via motion sensor for egress D.Automatic unlocking via light sensor for egress

Answer

A

A.Emergency fail open

Explanation:
Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.

Question 53

Q

A penetration tester rummages through the target organization’s garbage and finds a discarded access badge. She replicates a new badge with her picture using the discarded badge as a model. She uses a device to read the discarded badge’s magnetic stripe and replicate it on the fake badge. Which techniques were used by the tester in this scenario? (Choose two.)

A.Lock picking 
B.Dumpster diving 
C.Fence jumping
D.Badge cloning 
E.Lock bypass

Answer

A

B.Dumpster diving
D.Badge cloning

Explanation:
In this scenario, dumpster diving was used to find the discarded access badge. Then badge cloning was used to create a fake badge.

Question 54

Q

Using reconnaissance, a penetration tester learns that the target organization’s employees use RFID access badges to unlock doors within the facility. Using the company’s website, he identifies high-level employees within the organization. Then he waits in the parking lot until he sees one of these individuals heading toward the front doors. He walks behind them into the reception area with a small RFID reader hidden in his coat. He captures the RFID signature from the individual’s badge and then creates his own fake access badge and encodes it with that RFID signature. What is this technique called?

A.Piggybacking
B.Tailgating
C.Lock bypass
D.Badge cloning

Answer

A

D.Badge cloning

Explanation:
Badge cloning occurs when an attacker makes a copy of a valid access badge to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials. Because he carefully selected a high-level employee’s badge for cloning, he may be able to access more sensitive areas of the facility.

Question 55

Q

A penetration tester is performing a gray box test for a client. During a network scan, she notices a host that has TCP port 139 open. She suspects this is a Windows system, so she runs the NBTSTAT command and discovers key information about the host. Which protocol on the remote host allowed the tester to gather this information?

A.NetBIOS
B.SNMP
C.NAC
D.SMTP

Answer

A

A.NetBIOS

Explanation:
NetBIOS is a transport protocol used by Windows systems to share resources, such as shared folders or printers. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device’s computer name and identify whether it is a workstation or a server. All of this information can be gathered without any kind of authentication.

Question 56

Q

During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows:

Name Type Host Address Life [sec] ———————————————————— DEV-1 <20> UNIQUE 10.0.0.3 517

What do you know about the DEV-1 host?

A.It is a server.
B.It is a workstation.
C.It is a router.
D.It is a wireless device.

Answer

A

A.It is a server.

Explanation:
NBTSTAT identifies NetBIOS servers with an ID of <20>. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service).

Question 57

Q

During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows:

Name Type Host Address Life [sec] ———————————————————— PROD-9 <00> UNIQUE 10.0.0.132 517 What do you know about the PROD-9 host?

A.It is a server.
B.It is a workstation.
C.It is a router.
D.It is a wireless device.

Answer

A

B.It is a workstation.

Explanation:
NBTSTAT identifies NetBIOS workstations with an ID of <00>. Based on this output, you know that PROD-9 is most likely a Windows workstation (or a Linux workstation running the Samba service).

Question 58

Q

Which of the following are true of the Link-Local Multicast Name Resolution (LLMNR) protocol? (Choose two.)

A.It is commonly used in the absence of a DNS server.
B.It is not supported by Linux hosts.
C.It is not supported by Windows hosts.
D.It is used only by routers, not by workstations or servers.
E.It allows the IPv6 host to resolve hostnames on the same local link.

Answer

A

A.It is commonly used in the absence of a DNS server.
E.It allows the IPv6 host to resolve hostnames on the same local link.

Explanation:
The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts.

Question 59

Q

Which of the following describe the security risks associated with using the LLMNR protocol? (Choose two.)

A.Data is transmitted as clear text.
B.It lacks security controls.
C.A malicious host can advertise itself as any host it wants to.
D.It can be used to facilitate a DDoS attack.
E.It creates excessive network traffic.

Answer

A

B.It lacks security controls.
C.A malicious host can advertise itself as any host it wants to.

Explanation:
The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.

Question 60

Q

What are the functions of the Server Message Block (SMB) protocol? (Choose two.)

A.To share files on the network
B.To transfer email messages between mail transfer agents (MTAs)
C.To share printers on the network
D.To map IP addresses to MAC addresses
E.To transfer email messages to a mail user agent (MUA)

Answer

A

A.To share files on the network
C.To share printers on the network

Explanation:
The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.

Question 61

Q

Which of the following exploits are facilitated by weaknesses in the SMB protocol? (Choose two.)

A.Distributed denial of service (DDoS) 
B.Fraggle 
C.Teardrop 
D.EternalBlue 
E.WannaCry

Answer

A

D.EternalBlue
E.WannaCry

Explanation:
The EternalBlue and WannaCry exploits are facilitated by weaknesses in the SMB protocol. The EternalBlue exploit takes advantage of the fact that SMBv1 mishandles exploit packets, allowing attackers to remotely execute malicious code on the system running the SMB protocol. WannaCry is a form of ransomware that uses EternalBlue to gain access to vulnerable systems and install itself.

Question 62

Q

Which ports are used by the SMB protocol? (Choose two.)

A.53 
B.80 
C.139 
D.443 
E.445

Answer

A

C.139
E.445

Explanation:
The SMB protocol uses TCP ports 139 and 445. A system with these two ports open is most likely a Windows host running SMB or a Linux host running Samba (which is an open source implementation of the SMB service).

Question 63

Q

Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.)

A.The community string is valid for every SNMPv1 node.
B.The community string is transmitted as clear text.
C.The community string uses the weak RC2 cipher.
D.No authentication is required to communicate with an SNMPv1 host.
E.The Management Information Base (MIB) is stored in unencrypted format.

Answer

A

A.The community string is valid for every SNMPv1 node.
B.The community string is transmitted as clear text.

Explanation:
The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string were used, it was easy to discover because it was transmitted as clear text on the network.

Question 64

Q

Which port is used by the SNMP protocol?

A.UDP 161
B.TCP 23
C.TCP 389
D.UDP 88

Answer

A

A.UDP 161

Explanation:
The SNMP protocol runs on UDP port 161.

Answer 65

A

B.To transfer email messages between mail transfer agents (MTAs)

Explanation:
The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).

Answer 66

A

B.SMTP relay

Explanation:
Leveraging an open SMTP service to send unauthorized email messages is called SMTP relay. Most new systems have provisions in place to prevent this from happening, but many older server systems do not.

Answer 67

A

A.Telnet to the SMTP server’s IP address on port 25 and create the messages.

Explanation:
One way to leveraging an open SMTP service to send unauthorized email messages is to connect to the SMTP server’s IP address on port 25 using a Telnet client. Once the connection has been established, you can use the command-line interface to create and send the messages.

Answer 68

A

A.20
B.21

Explanation:
By default, an FTP server uses two ports: 20 and 21. Port 20 is used to transfer data between the FTP server and the FTP client. Port 21 is used to send commands between the FTP client and the FTP server.

Answer 69

A

C.Capture the FTP traffic with a sniffer.

Explanation:
One of the key weaknesses with the FTP protocol is the fact that it transmits all data between the FTP server and the FTP client as clear text, including authentication credentials. By sniffing the FTP traffic, you may be able to capture FTP usernames and passwords. Some FTP server implementations leverage existing network user accounts and passwords to authenticate FTP connections. So, by capturing FTP authentication credentials, you could potentially be capturing internal network user accounts and passwords too.

Answer 70

A

A.DNS poisoning

Explanation:
This is an example of DNS poisoning. This exploit leverages the trust users have in a URL that appears to be valid. Because users enter a valid URL, they have no idea than an exploit is being conducted. However, the DNS server itself has been reconfigured to resolve the domain name in URL to the IP address of the malicious server.

Answer 71

A

A.Implement DNSSEC.

Explanation:
One way to defend against DNS poisoning is to implement DNSSEC. DNSSEC signs each DNS request with a digital signature to ensure authenticity. This makes it difficult to insert poisoned records.

Answer 72

A

C.DNS cache poisoning

Explanation:
This is an example of DNS cache poisoning. Instead of compromising a heavily protected DNS server, the penetration tester simply compromises the DNS cache on relatively less secure workstations. The net effect is the same. Malware is a common delivery vehicle for DNS cache poisoning exploits.

Answer 73

A

C.DNS cache poisoning

Explanation:
This is also an example of DNS cache poisoning. Instead of poisoning the local DNS cache on workstations, the cache of the caching-only DNS server has been poisoned in this scenario. The poisoned records will remain in the cache until the TTL value is reached.

Answer 74

A

D.Pass the hash

Explanation:
This is an example of a pass-the-hash exploit. In this exploit, the tester captures hashed NTLM user credentials and then reuses them to authenticate at a later point in time to a Windows system. Because NTLM authentication uses hashed credentials, the tester doesn’t need to know the victim’s actual username and password. The hashed credentials are sufficient to create a new authenticated session.

Answer 75

A

B.ARP spoofing

Explanation:
This is an example of ARP spoofing. In this exploit, the tester sends a fake ARP broadcast on the network segment that maps the IP address of a legitimate network host to her MAC address. As a result, all traffic addressed to the legitimate host gets redirected to the tester’s system.

Answer 76

A

B.Man-in-the-middle

Explanation:
An ARP spoofing attack is classified as a man-in-the-middle attack.

Answer 77

A

D.Replay attack/

Explanation:
This is an example of a replay attack. The tester captures valid handshake data from the wireless network and they replays it later to authenticate his laptop to the wireless network.

Answer 78

A

D.Man-in-the-middle

Explanation:
A replay attack is also classified as a man-in-the-middle attack.

Answer 79

A

A.Relay attack

Explanation:
This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.

Answer 80

A

A.Relay attack

Explanation:
This is also an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts.

Answer 81

A

A.SSL stripping

Explanation:
In an SSL stripping attack, a user sends an HTTPS request to a web server. This is done to ensure that communications between the server and the browser are encrypted. However, the exploit fools the web server into thinking the user wants a standard HTTP connection, and an unencrypted session is established. Unless the user is watching carefully, the user may not realize that this has happened.

Answer 82

A

C.Implement a strict HSTS policy that prevents a user’s browser from opening a page unless an HTTPS connection has been used.

Explanation:
The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user’s browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.

Answer 83

A

B.Downgrade

Explanation:
In this example, a downgrade man-in-the-middle attack has occurred because SSL 2.0 is less secure than TLS 1.2. Unless the user is exceptionally vigilant, they will likely not notice that SSL is being used to protect the session instead of TLS.

Answer 84

A

A.ARP spoofing

Explanation:
By sending fake ARP messages, the tester’s workstation can fool client workstations into thinking it is the web server by associating the server’s IP address with her workstation’s MAC address. Likewise, the server can be fooled into thinking her workstation is the end user’s workstation by doing the same thing, sending a fake ARP message to the server mapping the client’s IP address to her workstation’s MAC address.

Answer 85

A

A.Denial of service (DoS)

Explanation:
By flooding the server with half-open TCP connections that never get completed, the tester makes it such that it doesn’t have enough resources to service legitimate network requests. Because only one host was used to conduct the stress test, this is an example of standard denial-of-service (DoS) attack.

Answer 86

A

B.Distributed denial of service (DDoS)

Explanation:
By flooding the router with bogus ICMP traffic, the tester makes it difficult for the router to service legitimate network requests. Because multiple hosts were used to conduct the stress test, this is an example of standard distributed denial of service (DDoS) attack.

Answer 87

A

A.Network Access Control (NAC)

Explanation:
Network access control (NAC) systems require network hosts to meet security policy requirements before being allowed to access the network, even if they have properly been connected to a network jack or associated with an access point. Unauthorized or unhealthy devices are usually placed on an isolated remediation network until they are authorized or until they are brought into compliance. After doing so, they are allowed to connect to the actual network segment.

Answer 88

A

B.Spoof your laptop with the MAC address of an authorized device.

Explanation:
One way to conduct a NAC bypass exploit is to spoof the tester’s system with the MAC address of an authorized device. As long as the tester’s system meets the organization security policy requirements, the NAC system should allow it to access the production network.

Answer 89

A

D.VOIP phones
E.SCADA Devices

Explanation:
VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can’t install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.

Answer 90

A

A.Double-tagging

Explanation:
Double-tagging of VLAN tags is allowed in the 802.1q specification. This allows a host to “hop” between VLANs.

Answer 91

A

C.Switch spoofing

Explanation:
This is an example of a switch spoofing exploit that is used for VLAN hopping. In a switch spoofing exploit, the tester network board is reconfigured to emulate a trunk port on a network switch. By doing this, the real switch will think it needs to forward traffic from all VLANs to the tester’s device.

Answer 92

A

A.Karma attack

Explanation:
In a Karma attack, the tester uses a special wireless device to listen for SSID requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims’ traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim’s traffic and capture sensitive information.

Answer 93

A

B.Send deauth frames to deauthenticate wireless clients.
C.Reconnect wireless clients to an access point with the same SSID as the target organization.

Explanation:
In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims’ wireless devices from the real network. These devices then automatically reconnect to the tester’s wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin’s radios because most wireless network interfaces will default to the access point with the strongest signal.

Answer 94

A

D.Fragmentation attack

Explanation:
In a fragmentation wireless attack, a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.

Answer 95

A

B.Credential harvesting

Explanation:
In a credential harvesting attack, a fake website that looks like a legitimate website is used to capture victims’ usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims’ information.

Answer 96

A

D.WPS cracking

Explanation:

Many wireless devices use a Wi-Fi Protected Setup (WPS) system to make connecting to the wireless network easier. However, most WPS implementations have a key weakness in that they use a simple eight-digit pin for authenticating wireless devices. Because of its short length, the pin can be cracked quite quickly, allowing a penetration tester to easily connect to a target wireless network.

Answer 97

A

C.Bluejacking

Explanation:
In a bluejacking wireless exploit, unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone.

Answer 98

A

B.Bluesnarfing

Explanation:
In a bluesnarfing wireless exploit, an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.

Answer 99

A

D.RFID cloning

Explanation:
In RFID cloning, the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.

Answer 100

A

D.Jamming attack

Explanation:
In a jamming attack, the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.

Answer 101

A

B.Repeating attack

Explanation:
In a repeating attack, the penetration tester captures the target organization’s wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization’s wireless network can now be accessed by the penetration tester from the parking lot.

Answer 102

A

A.SQL injection

Explanation:
This is an example of a SQL injection attack. Instead of entering a password into the Password field, the tester inserts a SQL statement. If the web application in this example was poorly written, then it is possible that it would pull usernames and passwords for every user in the hypothetical database. The UNION SELECT statement is used to combine two unrelated SELECT queries to retrieve data from different database tables. A well-written application will use input validation to prevent SQL statements from being submitted within a user form. The same principles apply to HTML injection, command injection, and code injection attacks.

Answer 103

A

A.Credential brute-forcing

Explanation:
This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user’s personal interests, the probability of success is greatly increased.

Answer 104

A

B.Session hijacking

Explanation:
This is an example of session hijacking. The tester was able to exploit the session key (the cookie) to gain access to the user’s session. This type of exploit can be used for web applications where an HTTP cookie is used to maintain a session. Even though the site may have used TLS/SSL to encrypt authentication credentials, the session cookie is many times not encrypted. If it is captured, it allows the tester to hijack the user’s session.

Answer 105

A

C.Redirect attack

Explanation:
This is an example of a redirect attack because users are redirected to a fake website by the phishing emails.

Answer 106

A

C.Default credentials attack

Explanation:
This is an example of a default credentials attack. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These defaults are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 107

A

A.Weak credentials exploit

Explanation:
This device is vulnerable to a weak credentials exploit because the administrative username and password are easy to guess.

Answer 108

A

D.Kerberos exploit

Explanation:
This is an example of a Kerberos exploit. Receiving a ticket-granting ticket (TGT) allows the user to obtain additional ticket-granting service (TGS) tickets, which grant access to specific network services. Because it allows users to get other TGS tickets, the TGT is sometimes referred to as a golden ticket. Because the TGS ticket can be used only to access a specific network service, it is sometimes referred to as a silver ticket

Answer 109

A

A.Parameter pollution
B.Insecure direct object reference exploit

Explanation:
In both a parameter pollution exploit and an insecure direct object reference exploit, the penetration tester modifies a parameter in an HTTP request to gain unauthorized access to information. For example, after authenticating to a web application, the tester could modify the /search?q= parameter in a URL to trick the application into supplying information that the user account shouldn’t be able to see.

Answer 110

A

D.Document Object Model (DOM)

Explanation:
In a DOM XSS exploit, the attacker exploits weaknesses in the victim’s web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.

Answer 111

A

A.Stored/persistent
B.Reflected

Explanation:
Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.

Answer 112

A

B.Cross-site request forgery (CSRF)

Explanation:
This is an example of a cross-site request forgery (CSRF). Because the session cookie from the website was saved locally, the user is perpetually logged on to the site. Therefore, the HTTP request to change the user’s password contained in the email message didn’t require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee.

Answer 113

A

C.Clickjacking

Explanation:
In a clickjacking exploit, the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).

Answer 114

A

A.Directory transversal

Explanation:
If the directory transversal has been allowed in the web server’s configuration, then it could potentially expose the file system of the web server to users accessing the site in a web browser, including directories outside of the web server’s root directory. For example, the Apache web server can be run in a chroot jail to prevent users from accessing directories outside of the web server’s directories.

Answer 115

A

B.Cookie manipulation

Explanation:
Cookie manipulation is a client-side security misconfiguration that allows a script running within a browser to write data to a client-side cookie.

Answer 116

A

C.Local file inclusion
E.Remote File Inclusion

Explanation:
File inclusion is an exploit that allows a tester to upload a file (usually containing malicious code) into a web application. The file could be local, or it could be located on a remote website. This is really a form of injection attack and just as with any injection attack, input validation on the part of the web application developer is the key to preventing it.

Answer 117

A

A.Including comments in the source code
E.Providing verbose error messages

Explanation:
While commenting an application’s source code is a best practice for programmers, it can also create security vulnerability because it provides an attacker (or penetration tester) who views the source code with extensive information about how the application works. Likewise, providing overly verbose error messages may be a best practice while programming the application, but leaving them in the released application can provide an attacker with valuable information.

Answer 118

A

C.Lack of error handling routines
D.Lack of code signing

Explanation:
The programmer should be sure to include routines that tell the application what to do should it encounter an error condition. For example, many buffer overflow attacks exploit applications that don’t know how to respond when they receive more information than they were expecting. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.

Answer 119

A

D.Hard-coded credentials

Explanation:
The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application’s source code, they would have access to the database authentication credentials.

Answer 120

A

C.Unauthorized use of functions/unprotected APIs

Explanation:
The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user’s browser (the DOM).

Answer 121

A

A.Research the Common Vulnerabilities and Exposures (CVE) database.

Explanation:
An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor discovers a vulnerability with their product, they add an entry to the CVE database. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems.

Answer 122

A

C.FTP
D.Telnet

Explanation:
FTP and Telnet are considered to be unsecure services and protocols. This is because they transfer data, including authentication credentials, over the network as clear text. This information can be easily captured using a packet sniffer.

Answer 123

A

A.Using SSHv1 instead of SSHv2
D.Using SSL 2.0 instead of TLS 1.2

Explanation:
While SSHv1 uses encrypted data transmissions, it is not considered to be as secure as SSHv2. However, many older Linux or UNIX systems may still be configured to use SSHv1. Likewise, TLS 1.2 is considered to be more secure than SSL 2.0.

Answer 124

A

B.Assigning the SGID special permission
C.Assigning the SUID special permission

Explanation:
Assigning an executable on Linux the SUID permission allows it to run with the permissions of the file’s owner. If the owner is the root user, then it will execute with root’s superuser permissions. Likewise, assigning an executable the SGID permission allows it to run with the permissions of the owning group. If the owning group is the root group, then it runs with the root group’s permissions.

Answer 125

A

C.Sticky bit

Explanation:
When the sticky bit permission is assigned to a directory on a Linux system, then users can delete files only within the directory for which they are the owner, even if they have write and execute permissions to that directory.

Answer 126

A

A.sudo

Explanation:
On Linux, a standard user can run an executable using the sudo program to elevate privileges and run the executable as the root user (or any other user on the system, if desired).

Answer 127

A

C.Ret2libc

Explanation:
On Linux system, the Ret2libc exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a processes’ memory.

Answer 128

A

A.cPassword

Explanation:
On a Windows system, cPassword is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user’s password to be saved, it gets stored within this attribute in encrypted format. However, the password can be easily decrypted by any authenticated user in the domain.

Answer 129

A

B.Recommend they use SSL-enabled LDAP on port 636.

Explanation:
You should recommend they use LDAPS on port 636 to manage user accounts. LDAPS is secured with SSL. Standard LDAP on port 389 transmits data on the network as clear text. This means the administrative user credentials you submit to access the directory service itself as well as any credentials of the users being managed are transmitted as clear text.

Answer 130

A

B.Kerberoasting

Explanation:
The penetration tester in this scenario is using an exploit Kerberoasting. Any valid domain user can request an SPN for a registered service. The Kerberos ticket received as a result can be taken offline and cracked, potentially exposing the service account password. This can allow privilege escalation because it’s not uncommon for the service account to have administrator-level permissions to the local server.

Answer 131

A

A.LSASS

Explanation:
The Local Security Authority Subsystem Service (LSASS) is a process that runs on a Windows system to enforce the security policy on the system. It verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.

Answer 132

A

A.Unattended installations via PXE

Explanation:
Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the answers file is used to automate the installation process. If the answers file contains user account information to be created on the system during the install, that information is transferred as clear text.

Answer 133

A

D.Hashed account passwords

Explanation:
The SAM database on a Windows system contains hashed passwords for local accounts. It is located in C:\Windows\System32\config\ by default. If a copy of this file can be made, it can be cracked using a number of different tools available on the Internet to expose the passwords it contains.

Answer 134

A

D.DLL hijacking

Explanation:
This is an example of a DLL hijacking exploit. The malicious DLL likely contains the same functions that the original DLL did, allowing applications that rely on it to function correctly. However, it can also contain malicious code that executes when the DLL is loaded.

Answer 135

A

A.Using unquoted service paths
B.Replacing executables for writable services

Explanation;
Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won’t be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writeable service executable files can be replaced with malicious executables with the same file name.

Answer 136

A

C.Using unsecure file and folder permissions

Explanation:
To implement a DLL hijacking exploit, the penetration tester needs to have read/write permissions to the target file system. Using unsecure file and folder permission can make this task much easier to accomplish.

Answer 137

A

A.Using scheduled tasks
D.Using DLL hijacking

Explanation:
DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.

Answer 138

A

B.Install the latest operating system updates. |

Explanation;
The best defense a system administrator has against kernel exploits is to keep their operating systems updated with the latest patches from the vendor. The Common Vulnerabilities and Exposures (CVE) database contains vulnerability information for known Windows, Mac OS, Linux, UNIX, Android, and iOS operating system kernels.

Answer 139

A

C.Default account settings exploit

Explanation:
The penetration tester in this scenario exploited the firewall administrator’s failure to modify the default account settings on the firewall device. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These default account settings are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 140

A

B.Shell upgrade
C.Virtual machine (VM) escape
D.Container escape

Explanation:
Shell upgrade, VM escape, and container escape are all examples of sandbox escape exploits.

Answer 141

A

A.Cold boot attack

Explanation:
The tester implemented a cold boot attack. By booting to Linux from the flash drive, she was able to bypass many of the Windows security mechanisms and access key files.

Answer 142

A

D.JTAG debug exploit

Explanation:
The tester implemented a cold boot attack. By booting to Linux from the flash drive, she was able to bypass many of the Windows security mechanisms and access key files.

Answer 143

A

B.They are prone to data emanation.

Explanation:
The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because they can be accessed only with a direct point-to-point connection, they don’t configure them to require authentication. Using impersonation, this makes it easy for a penetration tester to access the device, as long as they can get physical access to it.

Answer 144

A

A.RPC/DCOM

Explanation:
Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) is used on Windows systems and allows you to remotely execute code on a different Windows system.

Answer 145

A

A.PsExec

Explanation:
PsExec is a command-line utility that is installed by default on Windows systems that lets you interactively execute processes on other Windows systems.

Answer 146

A

C,WMI

Explanation:
Windows Management Instrumentation is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.

Answer 147

A

C.PS Remoting
D.WinRM

Explanation;
PowerShell (PS) Remoting allows you to run PowerShell cmdlets remotely on other Windows systems in your network environment. Windows Remote Management (WinRM) is a system that allows Windows administrators to manage remote systems using the WS Management protocol.

Answer 148

A

B.RDP

Explanation:
The Remote Desktop Protocol (RDP) is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.

Answer 149

A

C.ARD

Explanation:
The Apple Remote Desktop (ARD) can be used to remotely manage Macintosh systems over a network connection using a graphical user interface.

Answer 150

A

A.VNC

Explanation:
Virtual Network Computing (VNC) connections can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface, as long as the necessary software is installed on both the local and remote systems.

Answer 151

A

A.X11 forwarding

Explanation:
X11 forwarding can be used to remotely manage Linux systems over a network connection using a graphical user interface.

Answer 152

A

C.They transmit data as clear text over the network.

Explanation:
Utilities such as Telnet, rlogin, and rsh should be avoided when conducting a penetration test because they transmit data as clear text over the network. This makes it much easier for defenders to see what you are doing during the test, and you will likely get caught.

Answer 153

A

B.Schedule jobs using cron to run exploit scripts or start daemons.

Explanation:
One technique that can be used to establish persistence during a penetration test involving Linux systems is to schedule jobs using cron to run exploit scripts or start daemons. This ensures these jobs happen automatically without intervention once you have left the system.

Answer 154

A

B.at
C.Task Scheduler

Explanation:
In the graphical environment, you can use Task Scheduler to automatically run tasks (such as exploits executables or services) without your intervention. You can also use the at command from the command prompt to accomplish the same thing.

Answer 155

A

B.Trojan

Explanation:To ensure persistence of the compromise, you could create a backdoor into the system or create a user account for yourself.
A Trojan is a type of malware that provides a useful function but secretly performs malicious actions when it is run. For example, it may provide an entertaining game that the user enjoys playing. However, in the background, it could be running a keylogger, creating a backdoor, or even making the system a zombie in a botnet.

Answer 156

A

A.Create a backdoor.
B.Create a user account.

Explanation:
To ensure persistence of the compromise, you could create a backdoor into the system or create a user account for yourself.

Answer 157

A

C.Hide any files that you copied to the system.
D.Alter log entries created when you compromised the system.

Explanation:
In the process of covering your tracks, you should consider taking actions such as removing or hiding any files you copied to the system. You could also consider altering any log entries that were created when you compromised the system. However, there are two things to keep in mind when modifying log files. First, make sure the scope of work for the penetration test allows you to modify log files. Sometimes it will not be allowed. Second, you should not delete all the log entries. This would be a dead giveaway to a defender that you have compromised the system.

Answer 158

A

C.To remove the persistence

Explanation:
Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig –del will set the named service to not run at the current run level and will remove the persistence.

Answer 159

A

C.reg save HKLM\System\CurrentControlSet\Services\Sv.reg

Explanation:
reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.

Answer 160

A

A.The bands and frequencies of the wireless devices used by the client

Explanation:
In this scenario, the penetration tester would need to receive the bands and frequencies used by the client’s wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

Answer 161

A

A.Targeting the CFO with an SMS attack

Explanation:
Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Spear phishing is aimed at specific individuals rather than a broader group. SMS phishing (or smishing) is phishing via SMS messages. SMS stands for Short Message Service. It is a way to send and receive text messages or short emails with a cell phone. An SMS attack is an attempt to obtain personal information by tricking the individual with a text message or by getting them to go to a fake website and enter personal information. In this scenario, you want to target one particular individual rather than a group.

Answer 162

A

D.reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG_DWORD /d 1

Explanation:
Using reg add adds a new subkey or entry into the registry. The syntax is as follows: reg add /v /t /d KeyName specifies the full path of the subkey or entry to be added. /v specifies the name of the registry entry to be added under the specified subkey. /t specifies the type for the registry entry. /d specifies the data for the new registry entry. Penetration testers often focus on using the easiest attack vector to achieve their objectives. One common attack method is a tool called Mimikatz. It can steal cleartext credentials from the memory of compromised Windows systems. When the WDigest Authentication protocol is enabled, plaintext passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10.

Answer 163

A

C.Implement an HTTP downgrade attack.

Explanation;
A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

Answer 164

A

A.TCP SYN flood

Explanation:
A TCP SYN flood (also known as an SYN flood) is a form of denial-of-service (DDoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.

Answer 165

A

A.Cross-site scripting

Explanation:
In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. In this scenario, the attacker has developed an application that will target web browsers and permit access to a user’s banking information in the process, stealing money and transferring it to another account.

Answer 166

A

A.Authority

Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 167

A

D.Stored cross-site scripting (XSS)

Explanation:
Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious and then stores that input in a data store for later use

Answer 168

A

D.The MAC address of the gateway

Explanation:
ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

Answer 169

A

C.arpspoof -t 192.168.10.25 192.168.10.254

Explanation:
A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a man-in-the-middle attack; it is done by performing arpspoof -t . The -t switch specifies a particular host to ARP poison.

Answer 170

A

C.Scrape the page for hidden fields.

Explanation:
Web scraping automatically extracts data and presents it in a format that a tester can easily make sense of. In this scenario, Python is being used as the scraping language compared to a powerful library called BeautifulSoup. BeautifulSoup is a Python package for parsing HTML and XML documents. It creates a parse tree for parsed pages that can be used to extract data from HTML, which is useful for web scraping. Beautiful Soup helps a tester pull particular content from a web page, remove the HTML markup, and save the information. It is a tool for web scraping that helps clean up and parse the documents that have been pulled down from the Web.

Answer 171

A

A.A clickjacking attack

Explanation:
Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page. The tester is “hijacking” clicks and routing them to another page. In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking a button that appears to perform another function.

Answer 172

A

C.Lock bypass

Explanation:
Lock bypass is simply that. Bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Answer 173

A

B.The HTTP POST method

Explanation:
Forms in HTML can use either method=”POST” or method=”GET” (default) in the element. The method specified determines how form data is submitted to the server. With GET, the parameters remain in the browser history because they become part of the URL. With POST, parameters are not saved in browser history. GET is less secure compared to POST because data sent is part of the URL.

Answer 174

A

A.Principle of authority

Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by the CFO receiving an email from the CEO, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 175

A

A.The tester compromised a Windows device and dumps the Local Security Authority (LSA) secrets.

Explanation:
Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools. Kerberoasting is a four-step process: Scan Active Directory for user accounts with service principal names (SPNs) set. Request service tickets using the SPNs. Extract the service tickets from memory and save to a file. Conduct an offline brute-force attack against the passwords in the service tickets.

Answer 176

A

C.HKEY_CURRENT_USER

Explanation:
If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The testing will want to exploit the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER .DAT file will be saved on every workstation the user logged onto.

Answer 177

A

A.A deauthentication attack

Explanation:
Wi-Fi Protected Access 2 – Pre-Shared Key (WPA2-PSK) is a method of securing a network using WPA2 with the use of the optional Pre-Shared Key (PSK) authentication. To encrypt a network with WPA2-PSK, you provide a router with a plain English passphrase between 8 and 63 characters long. Wi-Fi deauthentication attacks are a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point. A tester can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.

Answer 178

A

C.ADMIN$ and SERVICES

Explanation:
PsExec is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. PsExec’s ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and the default Admin$ share, which is a hidden share that maps to the \windows directory.

Answer 179

A

B.The misconfigured sudo

Explanation:
Chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). Chmod 4111 (chmod a+rwx,u-rw,g-rw, o-rw,ug+s,+t,g-s,-t) sets permissions so that (U)ser / owner can’t read, can’t write, and can execute. (G)roup can’t read, can’t write and can execute. (O)thers can’t read, can’t write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In this scenario. the command chmod 4111 /usr/bin/sudo will misconfigure sudo.

Answer 180

A

D.Provides extended site validation

Explanation:
Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation.

Answer 181

A

B.Directory traversal

Explanation:
In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Answer 182

A

A.A man-in-the-middle attack

Explanation:
A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

Answer 183

A

B.$ history -c

Explanation:
The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

Answer 184

A

A.Impersonation

Explanation:
Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician pretending to be an employee.

Answer 185

A

E.Use a blacklist validation for the SQL statements.
F.Use a whitelist validation for the SQL statements.

Explanation:
Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

Answer 186

A

D.Upgrading the shell

Explanation:
The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

Answer 187

A

C.Piggybacking

Explanation:
Piggybacking attacks rely on following employees in through secured doors or other entrances. Higher-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

Answer 188

A

C.A spear phishing attack

Explanation:
The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

Answer 189

A

B.Conduct a LLMNR/NETBIOS-NS query.

Explanation:
Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

Answer 190

A

C.Attempt RID cycling to enumerate users and groups.

Explanation:
One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Answer 191

A

A.Badge cloning

Explanation:
With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Answer 192

A

C.Vishing

Explanation:
Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the CEO is receiving telephone calls, this is a vishing attack.

Answer 193

A

D.By attempting privilege escalation attacks

Explanation:
Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate it. Usually services are well-defined with quotation marks. But, there are times when a service path might contain spaces or are not surrounded by quotation marks. Testers can use the unquoted service paths to escalate privileges.

Answer 194

A

C.Bluejacking

Explanation:
Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

Answer 195

A

B.Command injection

Explanation:
In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 196

A

B.Cross-site scripting (XSS)

Explanation:
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

Answer 197

A

B.Keylogger

Explanation:
A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

Answer 198

A

D.Time of check to time of use (TOCTTOU)

Explanation:
Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

Answer 199

A

A.A session cookie

Explanation:
Websites use HTTP cookies to keep sessions over time. If a tester is able to get a copy of the user’s session cookie, then they can use that cookie to impersonate the user’s browser and hijack the authenticated session. Attackers who are able to acquire the session cookie used to authenticate a user’s web session can hijack that session and take charge of the user’s account. Cookies used for authentication should always be securely created and transmitted only over secure, encrypted communications channels.