CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason Dion 4 of 6) Flashcards
Which of the following secure coding best practices ensures special characters like <, /, and ' are not accepted from the user via a web form? A.Session management B.Input validation C.Error handling D.Output encoding
B.Input validation
Explanation:
OBJ-5.3: Input validation is performed to ensure only properly formed data enters the workflow of an information system, preventing malformed data from persisting in the database and triggering malfunctions in downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems, such as detailed internal error messages (stack traces, database dumps, and error codes) being displayed to an attacker. The session management implementation defines the mechanism the user and the web application use to share and continuously exchange the session ID. Output encoding involves translating special characters into a different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
A.The user doesn't have a PDF reader installed on their computer
B.The attachment is using a double file extension to mask its identity
C.The file contains an embedded link to a malicious website
D.The email is a form of spam and should be deleted
B.The attachment is using a double file extension to mask its identity
Explanation:
OBJ-2.4: The message contains a file attachment in the hope that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as a double file extension, for example Invoice1043.pdf.exe, where the user only sees the first extension because Windows hides the extensions of known file types such as .exe by default. This would explain the black pop-up window that appeared and then disappeared, especially if the .exe was a command-line program. The file is most likely not a PDF, so a missing PDF reader is not the cause. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default. An embedded link to a malicious website is a separate, popular attack vector that places the link in the email body rather than inside an attachment. This email is not simply spam and would be better categorized as a phishing attempt.
A penetration tester wants to build a workstation that will be used to brute force hash digests. Which of the following is the BEST option to ensure sufficient power and speed to crack them? A.Multi-core CPU B.Dedicated GPU C.Integrated GPU D.7200-RPM HDD
B.Dedicated GPU
Explanation:
OBJ-4.2: Dedicated GPUs are designed to perform large numbers of simple mathematical operations in parallel extremely quickly. If you want to build a system for cracking passwords, hashes, or encryption keys, it is important to have a high-speed, dedicated GPU, and GPU-oriented crackers such as Hashcat are built around this. The reason to use a GPU instead of a CPU for password cracking is that hashing is a highly parallel, mathematically intensive workload, so a GPU computes many more candidate hashes per second. Cracking passwords, hashes, and encryption is a lot like mining cryptocurrency in that dedicated GPUs give the best performance.
Consider the following REGEX search string:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would NOT be included in the output of this search? A.205.255.255.001 B.37.259.129.207 C.1.2.3.4 D.001.02.3.40
B.37.259.129.207
Explanation:
OBJ-4.4: The \b delimiter is a word boundary, so the pattern must match a complete token rather than a fragment inside a longer run of digits. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), separated by escaped dots. Each group matches one octet of an Internet Protocol version 4 address: 25[0-5] matches 250-255, OR (|) 2[0-4][0-9] matches 200-249, OR [01]?[0-9][0-9]? matches an optional leading 0 or 1, a required digit, and an optional second digit, which covers 0-199 (including leading-zero forms such as 001 or 02). Since the period is a special character in a REGEX (it matches any character), the backslash escape (\.) is required to make it match a literal dot. The group repeats four times, allowing every octet value from 0 to 255. Since 259 is outside that range, it is rejected: a string starting with 25 must end with a digit between 0 and 5 (25[0-5]), 2[0-4][0-9] cannot match the 5, and [01]?[0-9][0-9]? could only consume "25" and would then need a dot where the 9 is. Now, on exam day, if you receive a question like this, you can work through the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess which string would not appear in the output of this complex-looking command, you should guess that one!
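The pattern above run against the four answer choices, as an added Python example that is not part of the original flashcard set. It builds the REGEX from the octet group exactly as written, shows why the dot must be escaped, and runs the pattern over a constructed log line to show both what \b rejects (an octet of 256) and what it still lets through (the first four octets of a five-part string). The sample inputs and the log line are constructed for this example.

```python
import re

# One octet, exactly as written in the flashcard: 250-255 | 200-249 | 0-199
# (the last branch also admits leading zeros such as 001 or 02).
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# Four octets joined by an escaped dot, wrapped in word boundaries.
IPV4_RE = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")

# The same pattern with the dot left unescaped: "." then matches ANY character,
# so strings that are not dotted quads start matching too.
IPV4_UNESCAPED_RE = re.compile(r"\b" + r".".join([OCTET] * 4) + r"\b")

# The four answer choices from the question (constructed candidate list).
CANDIDATES = ["205.255.255.001", "37.259.129.207", "1.2.3.4", "001.02.3.40"]


def matching_candidates(candidates, pattern=IPV4_RE):
    """Return the candidates the pattern finds a match in (grep-style: any hit counts)."""
    return [s for s in candidates if pattern.search(s)]


def extract_ips(text, pattern=IPV4_RE):
    """Pull every match out of a line of text, e.g. a log entry being searched for IOCs."""
    return [m.group(0) for m in pattern.finditer(text)]


if __name__ == "__main__":
    print(matching_candidates(CANDIDATES))
    # Constructed log line: 10.0.0.256 is rejected because \b forbids stopping
    # after "25" or "2" inside "256"; 1.2.3.4.5 still yields 1.2.3.4 because
    # the boundary between "4" and "." satisfies the trailing \b.
    print(extract_ips("src=10.0.0.256 dst=192.168.1.50 bad=1.2.3.4.5"))
    print(extract_ips("10x0x0x1", IPV4_UNESCAPED_RE))  # unescaped dot matches the x's
```

The second print shows the practical caveat: the word boundaries stop the pattern from accepting 256, but they do not stop it from matching a valid-looking prefix of a longer dotted string, so a search like this is a good IOC filter but not a strict IPv4 validator.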
Your company has just hired a contractor to attempt to exploit weaknesses in your network in order to identify all of its vulnerabilities. This person has been given permission to perform these actions and will only conduct them within the contract's scope of work. Which of the following will be conducted by the contractor? A.Penetration testing B.Social engineering C.Hacktivism D.Vulnerability scanning
A.Penetration testing
Explanation:
OBJ-1.3: Penetration testing is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testers only do this with permission of the organization that owns the system, network, or web application and within the bounds of their scope of work. The person will not attempt to exploit a weakness during vulnerability scanning. Social engineering may be used as part of a penetration test, but it does not adequately describe the scenario provided. Hacktivism is when someone is hacking an organization without permission based on their own morals and values.
A facility would like to verify each individual’s identity before allowing access to its server room and datacenter. Additionally, the building should ensure that users do not tailgate behind other users. What solution would BEST meet these requirements?
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
B.Implement a security guard at the facility entrance and a keypad at the data center entrance
C.Implement a CCTV camera and a proximity reader at the data center entrance
D.Implement a biometric reader at the facility entrance and a proximity card at the data center entrance
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
Explanation:
OBJ-5.3: A biometric reader verifies each individual's identity using a physical characteristic, such as a fingerprint, which satisfies the first requirement. A mantrap (also called an access control vestibule) is a pair of interlocking doors that admits only one person at a time; it is most often used in physical security to separate non-secure areas from secure areas, prevent unauthorized access, and stop one user from tailgating behind another.
What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems? A.Attrition B.Improper usage C.Impersonation D.Loss or theft of equipment
A.Attrition
Explanation:
OBJ-2.4: Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. An impersonation attack occurs when the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions. Improper usage occurs when an employee or other authorized user utilizes systems or networks in a way that was not intended or designed. Loss or theft of equipment usually relates to a smartphone, tablet, or laptop that is lost or stolen, after which the data on it becomes compromised.
Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function’s source code below:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
int verifyAdmin(String password) {
    if (password.equals("mR7HCS14@31")) {
        return 0;
    }
    return 1;
}
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following vulnerabilities exist in this application’s authentication function based solely on the source code provided?
A.The function is vulnerable to a buffer overflow attack
B.The function is vulnerable to an SQL injection attack
C.The function is using parameterized queries
D.The function is using hard-coded credentials to verify the password entered by the user
D.The function is using hard-coded credentials to verify the password entered by the user
Explanation
OBJ-3.4: The function uses hard-coded credentials, which is an insecure practice that can lead to compromise. The password for the application appears in the source code as mR7HCS14@31. Even if this were obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in an application, since an attacker can reverse-engineer them from the shipped APK. In this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow vulnerability based on the code shown. In fact, this code doesn't contain any SQL or any ability to connect to a SQL database. We cannot see the variable initialization in this code either, so we cannot determine whether a buffer overflow is possible (and Java's bounds-checked String type makes a classic buffer overflow unlikely here in any case). Finally, a parameterized query is a security feature, not a vulnerability, and this source code shows no evidence of parameterized queries being used.
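The vulnerable check beside a hardened replacement, as an added example that is not part of the original flashcard set (written in Python rather than Java so that it matches the other added examples on this page). The hardened version keeps the same 0/1 contract but stores only a salted PBKDF2-HMAC-SHA256 digest, loads it at runtime, and compares in constant time. In a banking app the privileged check belongs on the server, not in the mobile client; this shows the server-side pattern. The environment variable names ADMIN_PW_SALT and ADMIN_PW_HASH, the iteration count, and the example password are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets


# Vulnerable form, mirroring the flashcard's Java: the secret is a string literal
# that anyone who decompiles the application can read.
def verify_admin_hardcoded(password: str) -> int:
    if password == "mR7HCS14@31":
        return 0
    return 1


# Hardened form. The source holds no secret: only a salted PBKDF2-HMAC-SHA256 digest
# is stored, it is loaded at runtime, and the comparison is constant-time.
PBKDF2_ITERATIONS = 600_000   # per the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive (salt, digest). A fresh random salt is generated when none is given."""
    if not salt:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_admin(password: str, salt: bytes, expected_digest: bytes) -> int:
    """Same 0-for-success / 1-for-failure contract as the flashcard, no secret in code.
    hmac.compare_digest avoids leaking how many leading bytes matched via timing."""
    _, digest = hash_password(password, salt)
    return 0 if hmac.compare_digest(digest, expected_digest) else 1


def load_admin_credential() -> tuple:
    """Read the stored salt and digest (hex) from the environment.
    ADMIN_PW_SALT / ADMIN_PW_HASH are hypothetical names for this example; a real
    deployment would pull them from a secrets manager or a protected config store."""
    salt = bytes.fromhex(os.environ["ADMIN_PW_SALT"])
    digest = bytes.fromhex(os.environ["ADMIN_PW_HASH"])
    return salt, digest


if __name__ == "__main__":
    # One-time provisioning step: hash the password once and store the output
    # outside the code base, then verify against it at runtime.
    salt, digest = hash_password("example-only-password")
    print("ADMIN_PW_SALT=" + salt.hex())
    print("ADMIN_PW_HASH=" + digest.hex())
    print("verify:", verify_admin("example-only-password", salt, digest))
```

Rotating the credential now means replacing two stored values instead of shipping a new build, and a leaked digest still has to be brute-forced through 600,000 PBKDF2 rounds per guess.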
You have been contracted to conduct a compliance-based assessment for an organization. What is the MOST important thing for you to understand?
A.The organization's industry
B.The organization's tolerance to impact
C.The organization's policies
D.The organization's architectural diagrams
A.The organization's industry
Explanation:
OBJ-1.4: The organization's industry is the most important thing to consider and understand when conducting a compliance-based assessment. Compliance-based assessments are government- or industry-required assessments based on a particular compliance framework, and the industry determines which framework applies. For example, if you are assessing a credit card processor, then PCI DSS would be the framework to consider. If you are assessing a federal government IT system, then you should consider FedRAMP. If you are assessing a military or military contractor network, you should consider the DISA STIGs for those systems.
A company has implemented the capability to send all log files to a central location by utilizing an encrypted channel. The log files are sent to this location to be reviewed. A recent exploit has caused the company’s encryption to become insecure. What would be required to resolve the exploit?
A.Configure the firewall to block port 22
B.Utilize an FTP service
C.Send all log files through SMTP
D.Install recommended updates
D.Install recommended updates
Explanation:
OBJ-5.3: If the encryption has become insecure, then we must look for updates or patches to the encryption software that address the exploit and install them if they are available. The other options do not fix the problem: blocking port 22 would simply cut off the encrypted channel, and FTP and SMTP would send the log files in cleartext.
You have been hired to conduct a compliance-based, external network penetration test for an organization. During the engagement planning, you determined that the client has an IPS protecting their network. You have requested to have your source IP whitelisted in the IPS during the engagement. The client states that they do not want to whitelist your source IP. Which of the following should you tell the client?
A.The organization cannot rely solely on the IPS because its signatures need to be constantly updated to prevent vulnerabilities and exploitation
B.Whitelisting the source IP is required since a third party developed the IPS and, therefore, would need to approve the penetration test if the IP is not whitelisted
C.Whitelisting the source IP will allow us to focus on the discovery of security issues within your system instead of relying solely on the effectiveness of the IPS
D.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives during the engagement
C.Whitelisting the source IP will allow us to focus on the discovery of security issues within your system instead of relying solely on the effectiveness of the IPS
Explanation:
OBJ-1.4: If the source IP is not whitelisted, the penetration tester will have to waste a lot of time and resources trying to bypass the IPS before testing the rest of the systems in the engagement's scope. Instead, the source IP should be whitelisted so the test measures the security of the systems behind the IPS. The final report should then indicate which of the vulnerabilities found would be a lower risk in practice because the IPS is already in place as a mitigating control.
Which of the following lateral movement techniques provides an HTTP-based Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems? A.PsExec B.Scheduled tasks C.WMI D.WinRM
D.WinRM
Explanation:
OBJ-3.7: Windows Remote Management (WinRM) is a technology that provides an HTTP-based Simple Object Access Protocol (SOAP) standard (WS-Management) for specific remote management services on Windows systems, listening on TCP 5985 (HTTP) and 5986 (HTTPS) by default. These remote management services enable you to issue commands to remote systems, for example through PowerShell Remoting, without using an interactive desktop session.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? A.Directory traversals B.Faulty input validation C.Output encoding D.File inclusions
B.Faulty input validation
Explanation:
OBJ-5.3: A primary vector for attacking applications is to exploit faulty input validation. The input could be user data entered into a form or URL, or data passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks, all of which depend on attacker-supplied text reaching an interpreter unchecked. Directory traversal is the practice of accessing a file from a location the user is not authorized to access; the attacker does this by making the application backtrack through the directory path (for example with ../ sequences) to read or execute a file in a parent directory. In a file inclusion attack, the attacker causes a web application to include and execute a file of the attacker's choosing, either a remote file (RFI) or a file already on the server (LFI), constructed or manipulated for the attacker's purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.
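Input validation, output encoding, and the injection that faulty validation allows, in one added Python example that is not part of the original flashcard set. It covers the two earlier questions on this page about validation versus encoding and about the root cause of injection: an allowlist validator that rejects <, /, and ' at the web form, an HTML encoder that turns < into &lt;, and a SQL lookup written twice, once by string formatting (injectable) and once as a parameterized query. The in-memory SQLite table, its rows, and the username allowlist are constructed for this example.

```python
import html
import re
import sqlite3

# Allowlist for a username field: letters, digits, dot, underscore, hyphen, 3-32 chars.
# Anything else, including < / and ', is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def validate_username(value: str) -> bool:
    """Input validation: accept only properly formed data, as early as possible."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: make the value inert for the HTML interpreter
    ('<' becomes '&lt;', '>' becomes '&gt;', '"' becomes '&quot;')."""
    return html.escape(value, quote=True)


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_role_vulnerable(username: str) -> list:
    """String-built query: attacker-controlled text becomes part of the SQL statement,
    so the input  ' OR '1'='1  turns the WHERE clause into something always true."""
    conn = _demo_db()
    query = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_role_parameterized(username: str) -> list:
    """Parameterized query: the driver binds the value, so quotes stay data."""
    conn = _demo_db()
    query = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_profile(username: str) -> str:
    """Defense in depth: validate on the way in, bind on the way to the database,
    encode on the way out to the page."""
    if not validate_username(username):
        return "<p>invalid username</p>"
    roles = lookup_role_parameterized(username)
    role = roles[0] if roles else "unknown"
    return f"<p>{encode_for_html(username)}: {encode_for_html(role)}</p>"


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print(validate_username(payload))            # False: rejected at the form
    print(lookup_role_vulnerable(payload))       # every role in the table
    print(lookup_role_parameterized(payload))    # no such user
    print(render_profile("alice"))
```

Validation and encoding are not interchangeable: the allowlist stops the payload at the form, the parameterized query neutralizes it even if validation is skipped, and the encoder keeps any stored value from being interpreted as HTML when it is displayed.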
You are working as part of a DevSecOps team at Dion Training on a new practice exam web application. You need to conduct static analysis of the code as part of your software assurance responsibilities. Which of the following tools should you utilize? A.APK Studio B.YASCA C.Hydra D.FOCA
B.YASCA
Explanation:
OBJ-4.2: YASCA (Yet Another Source Code Analyzer) is an open-source software assurance static test (SAST) program that inspects the source code for security vulnerabilities, code quality, and performance. FOCA, Hydra, and APK studio are not categorized as SAST tools. FOCA (Fingerprinting and Organization with Collected Archives) is a network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information. Hydra is a free network login password cracking tool that is included with Kali Linux. It supports several authentication protocols. APK Studio is a cross-platform IDE for reverse engineering Android applications.
During a penetration test, which of the following should you perform if your goal is to conduct a successful smishing attack?
A.Send targeted emails with a malicious attachment to the sales team
B.Send a text message with a malicious link to the organization's executives
C.Send a targeted email with a malicious attachment to the organization's CEO
D.Call the CTO's assistant using a pretext to gather information about their schedule
B.Send a text message with a malicious link to the organization's executives
Explanation
OBJ-3.1: Smishing (SMS phishing) is a phishing attack in which the attacker entices their victim through SMS text messages. If the messages are sent by text message, then the attack is considered smishing.
You are reviewing the logs in your IDS and see entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
A.SYN Flood
B.UDP Probe
C.Remote host cannot find the right service port
D.Port scan
D.Port scan
Explanation
OBJ-3.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can run a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support stealthier scans, default scans may connect to each port sequentially, which is what the logs show here. The other options are incorrect because a legitimate remote host will typically connect to only a single port associated with a service. A SYN flood normally sends many SYNs to a single system, but it targets a listening port rather than walking through unused ports, and a UDP probe will not send SYN packets at all.
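Detection logic for telling the three SYN patterns apart, as an added Python example that is not part of the original flashcard set. It parses a constructed key=value log format (not a real IDS export) and classifies each source/destination pair by how many distinct ports it hit versus how many SYNs it sent to one port: a sequential probe of 1-1024 comes out as a port scan, a burst to a single port as a SYN flood, and a normal client handshake as normal. The thresholds, the window length, and all sample entries are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real IDS export):
#   "<epoch seconds> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\w+)$"
)

PORT_SCAN_MIN_PORTS = 50    # distinct ports hit by one source on one host
SYN_FLOOD_MIN_SYNS = 200    # SYNs from one source to a single port
WINDOW_SECONDS = 120        # how long after the first SYN we keep counting


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def build_sample_log():
    """Constructed entries: a sequential SYN probe of TCP 1-1024 (the scenario in the
    question), a burst of SYNs to a single port, and one ordinary client handshake."""
    lines = [f"{1000 + p} src=203.0.113.9 dst=192.0.2.10 dport={p} flags=S"
             for p in range(1, 1025)]
    lines += [f"{5000 + i // 10} src=198.51.100.4 dst=192.0.2.10 dport=80 flags=S"
              for i in range(300)]
    lines += ["9000 src=192.0.2.77 dst=192.0.2.10 dport=443 flags=S",
              "9001 src=192.0.2.77 dst=192.0.2.10 dport=443 flags=A"]
    return lines


def classify_sources(lines):
    """Map (src, dst) -> 'port scan', 'syn flood' or 'normal'.

    Only SYN-only packets count. Events later than WINDOW_SECONDS after the first
    SYN from a pair are ignored, a simplification of a real sliding window."""
    first_seen = {}
    ports = defaultdict(set)
    syns_per_port = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["flags"] != "S":
            continue
        key = (ev["src"], ev["dst"])
        first_seen.setdefault(key, ev["ts"])
        if ev["ts"] - first_seen[key] > WINDOW_SECONDS:
            continue
        ports[key].add(ev["dport"])
        syns_per_port[key][ev["dport"]] += 1

    verdicts = {}
    for key in first_seen:
        if len(ports[key]) >= PORT_SCAN_MIN_PORTS:
            verdicts[key] = "port scan"          # many distinct ports: a scanner
        elif max(syns_per_port[key].values()) >= SYN_FLOOD_MIN_SYNS:
            verdicts[key] = "syn flood"          # one port hammered: a flood
        else:
            verdicts[key] = "normal"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in classify_sources(build_sample_log()).items():
        print(pair, "->", verdict)
```

The distinction the question relies on is exactly the two counters here: breadth (distinct ports) identifies a scan, depth (SYNs to one port) identifies a flood, and a real client registers as neither.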
A small business network was recently infected by a piece of malware from a USB drive that copied sensitive data from a computer, infected the system, and then spread across the network by infecting other systems. Which of the following actions could have prevented this type of attack from occurring?
A.Enabling full disk encryption
B.Disabling AutoRun on the computer
C.Replacing the default credentials on the system
D.Enforcing the use of complex passwords
B.Disabling AutoRun on the computer
Explanation
OBJ-5.3: The Windows AutoRun feature, enabled by default on older Windows versions, allows a program on an external device to run as soon as the device is attached to a computer. Malware can exploit the AutoRun feature to spread its payload from an external USB device to a computer without any further user action. For this reason, users and administrators should disable AutoRun.
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? A.Network sniffing B.Application security testing C.Social Engineering D.Vulnerability scanning
C.Social Engineering
Explanation
OBJ-3.1: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, using social engineering techniques such as phishing, smishing, or pretexting can help you determine whether additional end-user security training should be included in the organization's program. The other three options focus solely on technical controls, so adding end-user training would not affect what they measure.
Which of the following phases of a penetration test is not usually conducted by a real attacker? A.Reconnaissance B.Gaining access C.Reporting D.Covering tracks
C.Reporting
Explanation:
OBJ-1.1: While a penetration test closely mirrors the same attack process used by a real attacker, the reporting phase is used only by penetration testers. The reporting phase is where the information gathered during testing and analysis is shared with stakeholders. Normally, this includes the vulnerabilities detected, vulnerabilities exploited, sensitive data accessed, length of access maintained, and recommendations for remediation.
Your company failed a recent security audit. The IT Director has issued a new policy dictating that all workstations must be locked when not in use for more than 2 minutes, that a password must be entered before booting up the operating system, and that the hard drive must be fully encrypted. You have been asked to configure the corporate workstations to enforce these new security measures. Which THREE of the following should you configure FIRST? A.Enable a UEFI password B.Enable BitLocker C.Require multifactor authentication D.Enable strong passwords E.Enable a screen lock F.Require the use of smart cards
A.Enable a UEFI password B.Enable BitLocker E.Enable a screen lock
Explanation:
OBJ-5.3: These requirements can be met by enabling BitLocker to encrypt the hard drive, enabling a UEFI password so that a password must be entered before an operating system boots, and enabling a screen lock that activates after 2 minutes of inactivity.
Jason is conducting a penetration test against Dion Training's Windows-based network. He wants to move laterally to another host and execute an exploit he previously tricked a user into downloading to the C:\Windows\temp directory on the workstation with an IP of 192.168.1.50. He types the following into his terminal:
-=-=-=-=-=-=-
PS C:\Users\jason> $obj = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.50"))
Based on these commands, what type of post-exploitation lateral movement did Jason utilize? A.Scheduled tasks B.PsExec C.RPC/DCOM D.WMIC
C.RPC/DCOM
Explanation
OBJ-3.7: Remote Procedure Call (RPC) enables inter-process communication between local and remote processes on Windows. Distributed Component Object Model (DCOM) enables communication between software components over a network, and DCOM applications use RPC as the transport mechanism for client requests. DCOM objects exposed over the network can be used to execute code on a remote system under the privileges of the calling user. For example, a DCOM application commonly used to initiate lateral movement is MMC20.Application, which lets users drive Microsoft Management Console (MMC) snap-in operations on a Windows computer. The MMC20.Application object exposes an ExecuteShellCommand() method that allows remote execution of a command using the remote computer's shell. In this example, the first command told PowerShell on Jason's machine to instantiate the MMC20.Application object on the remote computer with the IP address of 192.168.1.50. The second command then started the exploit on the remote system with a null current working directory, null parameters passed to exploit.exe, and a window state of 7. Ultimately, this launches exploit.exe on the remote machine using Jason's current credentials, which must hold administrative rights on that host for the DCOM activation to succeed.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?
A.Require data masking for any information stored in the datastore
B.Require data at rest encryption on all endpoints
C.Require a VPN to be utilized for all telework employees
D.Require all new employees to sign an NDA
B.Require data at rest encryption on all endpoints
Explanation
OBJ-5.3: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop’s loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
You have just concluded a two-month engagement that targeted Dion Training’s network. You have a detailed list of findings and have prepared your report for the company. Which of the following reasons explains why you must keep your report confidential and secure?
A.The findings contain privileged information about their customers
B.The findings could be used by attackers to exploit the client's systems
C.The findings included may contain company intellectual property
D.The findings could hurt the company's reputation if disclosed
B.The findings could be used by attackers to exploit the client's systems
Explanation
OBJ-5.1: To further reinforce the SOW, NDA, and any other legal documentation in effect, the client is likely to include confidentiality provisions within the engagement plan. This ensures that the information discovered during the penetration test is shared only with the appropriate entities. For example, if a penetration tester finds a major code injection vulnerability in the company’s public-facing website, the organization may require them to keep this information confidential to minimize the risk of it being exploited by an attacker.
You are working at the service desk and just received the following email from an end-user who believes it is suspicious:
From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
*******
How should you classify this email? A.Spearphishing B.Malware C.Phishing D.Spoofing
C.Phishing
Explanation
OBJ-3.1: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn’t clearly targeted by their name or by their association with a particular store, company, or website.