CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dions 1of6) Flashcards
Dion Training hosts its new web applications on AWS Lambda. You have been contracted to perform a penetration test against this new web application. What target type would this engagement be classified as?
A.On-Site
B.Internal
C.First-party hosted
D.Third-party hosted
D.Third-party hosted
Explanation:
OBJ-1.3: Third-party hosted target types are used when a vendor or partner of the client organization hosts the targeted network or system. In this scenario, Dion Training uses AWS Lambda for hosting its web application. Therefore, this is classified as a third-party hosted target type. This is important to consider before beginning the assessment since the third-party also must consent and agree to the penetration test since they host the systems involved.
You are planning an engagement with a new client. Which target type should be selected to simulate an APT?
A.Internal
B.On-site
C.Third-party hosted
D.External
D.External
Explanation:
OBJ-1.3: An advanced persistent threat (APT) is a threat that uses multiple attack vectors to gain unauthorized access to sensitive resources. APTs are often funded by nation-states and used for intelligence-gathering operations against the government, military, and commercial networks. In general, APT attacks as an external target type.
Which of the following directly impacts the budgetary requirements of a penetration test?
A.Scope
B.Compliance
C.Schedule
D.Tolerance to Impact
A.Scope
Explanation:
OBJ-1.1: The scope has a direct impact on the budgetary requirements of a penetration test. If the scope is smaller, the budget required will be lower. If the scope is larger, then the budget also needs to be larger to support it. The scope can drive the cost, but often a fixed budget is already provided by an organization. In this case, the budget will remain constant, but the scope will shrink to fit within the resources available.
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
A.There are no new risks due to the install and the company has a stronger physical security posture
B.These devices should be isolated from the rest of the enterprise network
C.These devices should be scanned for viruses before installation
D.These devices are insecure and should be isolated from the internet
B.These devices should be isolated from the rest of the enterprise network
Explanation:
OBJ-1.3: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A.XCCDF
B.CPE
C.CCE
D.CVE
D.CVE
Explanation:
OBJ-2.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Which of the following is a special type of embedded operating system that uses a predictable and consistent scheduler? A.Mobile B.IoT C.RTOS D.PoS
C.RTOS
Explanation:
OBJ-2.5: A real-time operating system (RTOS) is a special type of embedded OS. An RTOS ideal for embedded systems because they tend to have strict requirements for when a task should be completed and do not have particularly taxing workloads. An RTOS uses a predictable and consistent scheduler, unlike a general-purpose OS like Windows or macOS.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
A.WHOIS looksups
B.Banner grabbing
C.BGP Looking Glass
D. Registrar Checks
B.Banner grabbing
Explanation:
OBJ-2.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A.MySQL B.RDP C.LDAP D.IMAP
B.RDP
Explanation:
OBJ-2.5: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.
Which of the following is the most difficult to confirm with an external vulnerability scan? A.Cross-site Scripting (XSS) B.Cross-site Request Forgery (XSRF/CSRF) C.Blind SQL Injection D.Unpatched web server
C.Blind SQL Injection
Explanation:
OBJ-2.2: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and saw them enter the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE)
A.All search filters are deactivated
B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
D.Find sites related to diontraining.com
E.Excludes Microsoft Excel Spreadsheets
F.Personalization is turned off
B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
F.Personalization is turned off
Explanation:
OBJ-2.1: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?
A.Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack
B.Recommend isolation of the elevator control system from the rest of the production network through the change control process
C.Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists
D.Recommend immediate disconnection of the elevators control system from the enterprise network
B.Recommend isolation of the elevator control system from the rest of the production network through the change control process
Explanation:
OBJ-2.5: The best recommendation is to conduct the elevator control system’s logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were dependent on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.
An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor’s actions?
A.The contractor will have their bid accepted with a special pay bonus because of their excellent work on previous pentests
B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments
C.The organization accepting the bids will want to use the reports as an example of the format for all bidders to use in the future
D.The company accepting the bids will hire the contractor because of the quality of the reports he submitted with this bid
B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments
Explanation:
OBJ-1.2: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization since this could expose the vulnerability found. This non-disclosure is usually outlined in the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer’s assessment. This could also be in breach of the NDA between the pentester and the organization, as well.
Dion Training has contracted you to conduct a penetration test of its web application hosted within AWS Lamba. Part of the assessment will include stress testing the web application using a simulated DDoS attack. Which of the following entities would be the proper signing authority for this penetration test?
A.Dion Training’s representative since they hired you
B.Amazon’s representative since they host the servers
C.Both organizations representatives since one is your client and the other hosts the servers
D.Neither organizations representatives since your are simulating a DDoS
C.Both organizations representatives since one is your client and the other hosts the servers
Explanation:
OBJ-1.2: Written authorization documents help control the amount of liability incurred by the penetration tester. You must ensure you have the correct authorization in place before beginning your engagement. You ALWAYS need written authorization from your client. If the client uses a third-party service provider, then you may need to also get proper authorization from them in writing too. During your engagement planning, you should contact the third-party service provider to determine if written consent is required. In the case of Amazon, there are a handful of services that do not require prior authorization before conducting a penetration test on behalf of your client. DoS and DDoS attacks and simulations do require written authorization from both your client and Amazon. If you do not have this, you could be held liable for any negative consequences to Amazon and its client’s servers or even be charged with criminal computer hacking.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS?
A.Replace the Windows POS terminals with standard Windows systems
B.Build a custom OS image that includes the patch
C.Identify, implement and document compensating controls
D.Remove the POS terminals from the network until the vendor releases a patch
C.Identify, implement and document compensating controls
Explanation
OBJ-1.4: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn’t exist yet. Which type of threat would this BEST be categorized as?
A.Zero-day
B.DDoS
C.Brute force
D.Spoofing
A.Zero-day
Explanation:
OBJ-1.3: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day.
You have been contracted to perform a web application assessment. You believe the best way to exploit the application is to provide it a specially crafted XML file. The application normally allows users to import XML-based files and then parses them during ingestion. Which of the following support resources should you request from the organization before starting your assessment?
A.Soap Project File
B.Architectural diagrams
C,Authorization to use a fuzzer
D.An XSD file
D.An XSD file
Explanation:
OBJ-1.1: Since the scenario states that you will create a specially crafted XML file for the assessment, you will need to know the XML file structure the web application expects. An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents. If the company provides this support resource to you, you will know the exact format expected by the application, which can save you a lot of time, and the organization a lot of expense during the assessment.
A project manager is tasked with the planning of a new network installation. The customer requires that everything discussed in the meetings is installed and configured when a network engineer arrives onsite. Which document should the project manager provide the customer?
A.Acceptable Use Policy
B.Service Level Agreement
C.Statement of Work
D.Security Policy
C.Statement of Work
Explanation:
OBJ-1.2: A Statement of Work (SOW) is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines.
An organization wants to get an external attacker’s perspective on their security status. Which of the following services should they purchase?
A.Vulnerability Scan
B.Asset Management
C.Pentest
D.Patch Management
C.Pentest
Explanation:
OBJ-1.4: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Which of the following rules of engagement provides the scope and limitation of the penetration test?
A.Timeline
B.Location of the team
C.Temporal restrictions
D.Test boundaries
D.Test boundaries
Explanation:
OBJ-1.1: The test boundaries are used to define the acceptable actions and scope used during an engagement. For example, it will define whether servers, endpoints, or both will be in the scope of the attack. It may also dictate whether only technical means may be used for exploitation or if social engineering can also be utilized.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?
A.Port scan targeting 10.10.3.2
B.Fragmentation attack targeting 10.10.3.6
C.Denial of service attack targeting 10.10.3.6
D.Port scan targeting 10.10.3.6
D.Port scan targeting 10.10.3.6
Explanation:
OBJ-2.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
A.Perform an unauthenticated vulnerability scan on all servers in the environment
B.Perform a scan for the specific vulnerability on all web servers
C.Perform a web vulnerability scan on all servers in the environment
D.Perform an authenticated scan on all web servers in the environment
B.Perform a scan for the specific vulnerability on all web servers
Explanation:
OBJ-2.2: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
What is the BEST explanation for why consumer-based IoT devices are less secure than traditional desktops and servers?
A.IoT devices are unable to received patches and updates
B.IoT devices focus convenience more than security
C.IoT devices are not powerful enough to support encryption
D.IoT devices are only used in low security cases
B.IoT devices focus convenience more than security
Explanation:
OBJ-2.5: IoT device manufacturers are more focused on making the devices convenient to use instead of ensuring they have strong security. The other options are incorrect and not true. IoT devices can receive patches and updates through an over-the-air firmware update if a manufacturer creates the patches. IoT devices are powerful these days, and they can support encryption and other security features if manufacturers would add them to their code. IoT devices are not just used in low-security use cases, either. For example, IoT devices are often used as life-saving devices in hospitals or security systems in our homes. Unfortunately, IoT devices are notoriously lax when it comes to security. Some IoT systems may even allow a user full remote control of a device.
A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?
A.Man-in-the-middle attack
B.Brute-force attack
C.Dictionary attack
D.Session hijacking
C.Dictionary attack
Explanation:
OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining012
Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining012 (192.168.14.61) Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Based on these results, which of the following operating system is most likely being run by this workstation?
A.Ubuntu
B.macOS
C.CentOS
D.Windows
D.Windows
Explanation:
OBJ-2.1: The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.
Which of the following is NOT a valid reason to conduct reverse engineering?
A.To commit industrial espionage
B.To determine how a piece of malware operates
C.TO allow the software developer to spot flaws in their source code
D.To allow an attacker to exploit vulnerabilities in an executable
C.TO allow the software developer to spot flaws in their source code
Explanation:
OBJ-2.1: If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system’s or application’s structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information about how the malware propagates and its primary directives. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor’s application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.
A system administrator wants to verify that external IP addresses cannot collect software versioning from servers on the network. Which of the following should the system administrator do to confirm the network is protected?
A.Analyze packet captures
B.Utilize netstat to locate active connections
C.Use nmap to query known ports
D.Review the ID3 logs on the network
A.Analyze packet captures
Explanation:
OBJ-2.1: Captured packets show you the information that was traveling through certain files, etc. Packet sniffers detail the information they’ve received, so working through those shows if the external network shows or details software versions.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
A.Web application vulnerability scan
B.Database vulnerability scan
C.Port scan
D.Network Vulnerability Scan
A.Web application vulnerability scan
Explanation:
OBJ-2.2: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn’t contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and saw them enter the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?
A.Returns no useful results from an attacker
B.Returns all web pages containing the text diontraining.com
C.Returns all web pages containing an email address affiliated with diontraining.com
D.Returns all web pages hosted at diontraining.com
C.Returns all web pages containing an email address affiliated with diontraining.com
Explanation:
OBJ-2.1: Google interprets this statement as @diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the “site:” modifier in the query. To return all web pages with the text diontraining.com, enter “diontraining.com” into the Google search bar with no modifiers to return those results.
During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst’s vulnerability scans of the network’s domain controllers?
A.Log files
B.SIEM systems
C.Configuration management systems
D.DMARC and DKIM
B.SIEM systems
Explanation:
OBJ-2.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.
An attacker is using a precomputed table of values to attempt to crack your Windows password. What type of password attack is this?
A.Rainbow Table
B.Dictionary
C.Hybrid
D.Brute-force
A.Rainbow Table
Explanation:
OBJ-2.4: A rainbow table is a tool for speeding up attacks against Windows passwords by precomputing possible hashes. A rainbow table is used to authenticate users by comparing the hash value of the entered password against the one stored in the rainbow table. Using a rainbow table makes password cracking a lot faster and easier for an attacker.
Which of the following weaknesses exist in WPS enabled wireless networks?
A.Utilizes TKIP to secure the authentication handshake
B.Utilizes a 24-bit initialization vector
C.Brute force occurs within 11,000 combinations
D.Utilizes a 40-bit encryption key
C.Brute force occurs within 11,000 combinations
Explanation:
OBJ-3.3: The most prominent attack against WPS enabled wireless networks involves brute-forcing the 8-digit PIN that client uses to enroll their devices without knowing the pre-shared key. WPS checks each half of the PIN individually, reducing the number of possible combinations from a maximum of 100,000,000 to only 11,000. This only takes a few minutes to crack on most modern computers, as long as the WAP doesn’t have a lockout after a certain number of failures. The lockout mechanism may also be triggered based on the client’s MAC, so you can often spoof MAC to bypass this defense.
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?
A.Intimidation
B.Familiarity
C.Consensus
D.Urgency
B.Familiarity
Explanation:
OBJ-3.1: Familiarity is a social engineering technique that relies on assuming a widely known organization’s persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.
A hacker successfully modified the sale price of items purchased through your company’s web site. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items’ sale price?
A.SQL injection
B.Changing hidden form values
C.Buffer overflow attack
D.Cross-site scripting
B.Changing hidden form values
Explanation:
OBJ-3.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items’ price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.
You are planning to exploit a network-based vulnerability against a Windows server. As part of your planning, you use the auxiliary scanner in Metasploit against the network and receive the following results:
-=-=-=-=-=-
[+] 192.168.1.2 community string: ‘public’ info: ‘GSM7224 L2 Managed Gigabit Switch’
[+] 192.168.1.199 community string: ‘public’ info: ‘HP ETHERNET MULTI-ENVIRONMENT’
[+] 192.168.1.2 community string: ‘private’ info: ‘GSM7224 L2 Managed Gigabit Switch’
[+] 192.168.1.199 community string: ‘private’ info: ‘HP ETHERNET MULTI-ENVIRONMENT’
[] Validating scan results from 2 hosts…
[] Host 192.168.1.199 provides READ-WRITE access with community ‘internal’
[] Host 192.168.1.199 provides READ-WRITE access with community ‘private’
[] Host 192.168.1.199 provides READ-WRITE access with community ‘public’
[] Host 192.168.1.2 provides READ-WRITE access with community ‘private’
[] Host 192.168.1.2 provides READ-ONLY access with community ‘public’
[] Scanned 256 of 256 hosts (100% complete)
[] Auxiliary module execution completed
-=-=-=-=-=-
Based on the output above, which of the following exploits are you preparing to use?
A.SNMP Exploit
B.FTP Exploit
C.SMB Exploit
D.SMTP Exploit
A.SNMP Exploit
Explanation:
OBJ-3.2: SNMP provides a lot of information about different target devices on the network. Based on the output shown, you should identify that this is an SNMP scan based on the “community string” keyword. From your Network+ and Security+ studies, you should remember that SNMP uses community strings as a basic authentication mechanism before allowing you to access a network device’s statistics. In this scan, two devices are found on this network with default public and private community strings. This makes these devices vulnerable to an SNMP attack for further exploitation.
Which of the following a characteristic of a Blind SQL Injection vulnerability?
A.Administrator of the vulnerable application cannot see the request to the webserver
B.Application properly filters the user input but it is still vulnerable to code injection in a blind attack
C.Administrator of the affected application does not see an error message during a successful attack
D.An attacker cannot see any of the display errors with information about the injection during a blind attack
D.An attacker cannot see any of the display errors with information about the injection during a blind attack
Explanation:
OBJ-3.4: Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.
Which of the following scan types are useful for probing firewall rules?
A.TCP SYN
B.TCP ACK
C.TCP RST
D.XMAS TREE
B.TCP ACK
Explanation:
OBJ-3.2: TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a TCP RST packet in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a noisy type of scan and not useful for probing firewall rules.
Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?
A.Directory traversal
B.Cross-site scripting
C.Removable media
D.Session hijacking
C.Removable media
Explanation:
OBJ-3.1: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.
What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card’s hardware address?
A.MAC filtering
B.WEP
C.Disable SSID broadcast
D.WPS
A.MAC filtering
Explanation:
OBJ-3.2: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won’t stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device’s physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager?
A.SMS should be encrypted to be secure
B.SMS messages may be accessible to attackers via VoIP or other systems
C.SMS should be paired with a third factor
D.SMS is a costly method of providing a second factor of authentication
B.SMS messages may be accessible to attackers via VoIP or other systems
Explanation:
OBJ-3.4: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.
Sarah is conducting a penetration test against Dion Training’s Windows-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?
A.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
B.(crontab -l; echo “/20 * * * * /tmp/beacon”)| crontab -
C.schtasks /create /tn beacon /tr /tmp/beacon /sc MINUTE /mo 20 /ru SYSTEM
D.(crontab -l; echo “ * /20 * * * /tmp/beacon”)| crontab -
A.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
Explanation:
OBJ-3.7: A scheduled task or scheduled job is an instance of execution, like initiating a process or running of a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command “schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM” that will create a task called “beacon” that runs the script at “C:\temp\beacon.bat every 20 minutes as the SYSTEM level user. The other variant of schtasks is incorrect because it used a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.
Which attack utilizes a wireless access point made to look as if it belongs to the network to eavesdrop on the wireless traffic?
A.Evil Twin
B.Rogue Access Point
C.WEP Attack
D.Wardriving
A.Evil Twin
Explanation:
OBJ-3.3: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or phishing, which involves setting up a fraudulent web site and luring people there.
You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization’s laptops are now connected to your evil twin access point. You want to capture all of the victim’s web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal?
A>Perform a deauthentication attack
B.Perform an SSL downgrade attack
C.Perform a man-in-the-middle attack
D.Perform an SSL stripping attack
D.Perform an SSL stripping attack
Explanation:
OBJ-3.3: An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.
A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)
A.Encryption B.Network access Control C.Port security D.Authentication E.Physical accessibility F.MAC filtering
A.Encryption
E.Physical accessibility
Explanation:
OBJ-3.3: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
POST /www/default.php HTTP/1.1
HOST: .123
Content-Length: 147
Cache-Control: no-cache
Origin: chrome-extension://ghwjhwrequsds
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Type: multipart/form-data; boundary=—-
WebKitFormBoundaryaym16ehT29q60rUx
Accept:/
Accept-Language: zh, en-us; q=0.8, en; q=0.6
Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske
——WebKitFormBoundaryaym16ehT29q60rUx
Content-Disposition: form-data; name=”q”
cat /etc/passwd
- —–WebKitFormBoundaryaym16ehT29q60rUx
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following statements is true?
A.The /etc/passwd file was just downloaded through a webshell by an attacker
B.This is a normal request from a host to your web server in the DMZ
C.A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded
D.The web browser used in the attack was Microsoft Edge
C.A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded
Explanation:
OBJ-3.2: This is a post request to run the “cat /etc/passwd” command from an outside source. It is not known from the evidence provided if this command were successful or not, but it should be analyzed further as this is not what would be expected, normal traffic. While the browser’s default language was configured for Chinese (zh), this is easily changed and cannot be used to draw authoritative conclusions about the threat actor’s true location or persona. The User-Agent used is listed as Mozilla, which is used by both Firefox and Google Chrome. For an in-depth analysis of the full attack this code snippet was taken from, please visit https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf. This 6-page article is definitely worth your time to look over and learn how a remote access web shell is used as an exploit.
You are conducting a static analysis of an application’s source code and see the following:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
String query = “SELECT * FROM courses WHERE courseID=’” + request.getParameter(“id”) + “’ AND certification=’”+ request.getParameter(“certification”)+”’”;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for “id” and “certification”, which of the following strings allow this to occur?
A. id = “1’ OR ‘1’==’1” and certification = “cysa’ OR ‘1’==’1”
B.id = “1’ OR ‘1==1” and certification = “cysa’ OR ‘1==’1”
C.id = “1’ OR ‘1’==’1”
D.certification = “cysa’ OR ‘1”==’1”
A. id = “1’ OR ‘1’==’1” and certification = “cysa’ OR ‘1’==’1”
Explanation:
OBJ-3.4: ID and certification must be crafted so that when substituted for the “.getparameter” fields, the SQL statement formed is still complete and will return a Boolean value of true for the ENTIRE statement every time it is evaluated. The AND in the middle of the WHERE clause indicates that both the courseID and certification portion must be true to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be
While conducting a penetration test of an organization’s web applications, you attempt to insert the following script into the search form on the company’s web site:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert(“This site is vulnerable to an attack!”)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?
A.Buffer Overflow
B.Cross-site request forgery
C.Distributed denial of service
D.Cross-site scripting
D.Cross-site scripting
Explanation:
OBJ-3.4: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer.
Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system.
What type of attack is most likely the cause of both of these events?
A.SQL Injection
B.Cross-site scripting
C.Cross-site request forgery
D.Rootkit
B.Cross-site scripting
Explanation:
OBJ-3.4: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.
Christina is conducting a penetration test against Dion Training’s network. The goal of this engagement is to conduct data exfiltration of the company’s exam database without detection. Christina enters the following command into the terminal:
-=-=-=-=-=-=-
C:\database\exams.db>c:\Users\Christina\Desktop\beachpic.png:exams.db
-=-=-=-=-=-=-
Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?
A.NTFS Encryption
B.Alternate data streams
C.Unquoted service path
D.DLL Hijacking
C.Unquoted service path
Explanation:
OBJ-3.7: An alternate data stream (ADS) is a feature of Microsoft’s NT File System (NTFS) that enables multiple data streams for a single file name by forking one or more files to another. ADS can be abused by hiding one file into another, as shown in this scenario. Once received in her email, she could access the database by opening the file as “beachpic.png:exams.db”.
You are attempting to exploit a network-based vulnerability against a RedHat Linux server. You execute the following commands and receive the results below:
-=-=-=-=-=-
[pentest@DionTraining]# ./bysin support DionTraining RedHat
Sendmail <8.12.8 crackaddr() exploit by bysin
from the l33tsecurity crew
Resolving address... Address found
Connecting... Connected!
Sending exploit... Exploit sent!
Waiting for root prompt…
[pentest@DionTraining]# telnet localhost 2525 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. whoami root -=-=-=-=-=-
Based on the output above, which of the following exploits are you preparing to use?
A.SNMP Exploit
B.FTP Exploit
C.SMB Exploit
D.SMTP Exploit
D.SMTP Exploit
Explanation:
OBJ-3.2: If you see a question like this, don’t let it confuse you. Look for keywords and phrases that you recognize to answer the question. As you look at the command issued in the first line, you may not recognize it. That is because this is an older exploit script that is being run with the parameters of support (the user account we are trying to exploit), DionTraining (our penetration testing machine’s name), and RedHat (our target/victim server). Ignoring this line, look at the second line where you see a keyword that you should recognize: Sendmail. Sendmail is a service that runs on Linux machines to “send mail” using the SMTP protocol over port 25. This is the key to answering this question. As you continue through the script, you see it performed a DNS name resolution from RedHat to the server’s IP, connected to the server, and successfully sent the exploit. This exploit conducts a buffer overflow against a vulnerable Sendmail server resulting in the server providing a remote callback to a listening port on the attacker’s machine (port 2525). This is why the attacker then telnets into their localhost over port 2525 and runs the whoami command to determine what user they are connected to the victimized server as. In this case, they are reported as the root user, which means this SMTP exploit was successful.:
During a penetration test, which of the following should you perform if your goal is to conduct a successful vishing attack?
A.Send a text message with a malicious link to the organizations executives
B.Send targeted emails with a malicious link attachment to the organizations CEO
D.Call the CTOs assistant using a pretext tot gather information about their schedule
D.Call the CTOs assistant using a pretext tot gather information about their schedule
Explanation:
OBJ-3.1: Vishing (voice phishing) is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). If the attack is being carried out using the attacker’s voice over a telephone, it is usually considered vishing.
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
- =-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
10. 1.1.1 - - [10/Jan/2020:13:23:51 +0000] “POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1” 200 143 “https://10.1.1.2/” “USERAGENT “
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] “GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1” 200 941 “-“ “USERAGENT”
- 1.1.1 - - [10/Jan/2020:16:12:31 +0000] “POST /vpns/portal/scripts/newbm.pl HTTP/1.1” 200 143 “https://10.1.1.2/” “USERAGENT”
- =-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
What type of attack was most likely being attempted by the attacker?
A.SQL injection
B.Directory traversal
C.XML Injection
D.Password spraying
B.Directory traversal
OBJ-3.4: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user’s passwords by attempting a compromised password against multiple user accounts.
You are conducting a social engineering attack against an organization as part of an engagement. You walk into the break room and see a couple of system administrators talking about the previous weekend’s football game. You listen for a moment as the two argue over whose team was better. You notice that one of the guys is about your age and talks really fast. You walk over and immediately start talking fast, backing up this guy’s claims about his team, and joking around with him. After they are done talking about football, you comment about how Linux servers are so much better than Windows to see his response as you try to figure out the server types used at this organization. What type of social engineering principle is being exploited here?
A.Authority
B.Scarcity
C.Intimidation
D.Likeness
D.Likeness
Explanation:
OBJ-3.1: Likeness is the social engineering motivational technique that relies on people being more willing to help people who look and sounds like themselves. In this scenario, the social engineer started talking sports and acting like the victim he sought to exploit. He then started making jokes about different server types to see if he could gain some information from the victim.
A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?
A.Rainbow table
B.Dictionary
C.Hybrid
D.Brute-force
D.Brute-force
Explanation:
OBJ-3.4: Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.
You are conducting a wireless penetration test against an organization. You have been monitoring the WPA2 encrypted network for almost an hour but have been unable to successfully capture a handshake. Which of the following exploits should you use to increase your chances of capturing a handshake?
A.Fragmentation Attack
B.Deauthentication Attack
C.Karma Attack
D.Downgrade attack
B.Deauthentication Attack
Explanation:
OBJ-3.3: Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim’s device will be kicked off the access point by spoofing the victim’s MAC address and sending the deauthentication frame to the access point. If the user is still using the network, the wireless adapter will automatically reconnect by sending a handshake to the access point. This allows the attacker to capture the handshake during the reconnection.
You are conducting a social engineering attack against an organization as part of an engagement. You spoof your caller ID to appears to be from within the company, then you call up the company and ask to speak with the CIO’s assistant. When they answer the phone, you tell them that you are from the IT department and that you detected a malicious intruder has taken over their account and is encrypting data all over the next. You offer to help them stop the attack quickly, but they first need to give you their password. The victim says they won’t give that information to your over the phone, to which you respond, “Ok, fine, but when the boss finds out that you could have stopped this attack and chose to ignore me, don’t say I didn’t warn you.” What type of social engineering principle is being exploited here?
A.Authority
B.Scarcity
C.Fear
D.Trust
C.Fear
Explanation:
OBJ-3.1: Fear is a visceral emotion that can motivate people to act in ways they normally would not. In this scenario, the social engineer tries to convince the victim that their actions must be taken immediately, or bad consequences might occur. This is an attempt to cause fear and anxiety in the victim to hand over their password.
How is it possible to determine if an executable file is a shell script read by Bash?
A.The file must end with .sh
B.The first line starts with !#/bin/bash
C./bin/bash has to be run in debug mode
D.Only if you are logged in as root
B.The first line starts with !#/bin/bash
Explanation:
OBJ-4.4: The first line of the script should start with #!/bin/bash. Most shell scripts will end with a .sh by convention, but it is not required. Remember, in Linux, file extensions are only useful to the end-user, but the operating system completely ignores them.
Which of the following tools provides a penetration tester with PowerShell scripts that can maintain persistence and cover their tracks?
A.Powersploit
B.Responder
C.Empire
D.Searchsploit
A.Powersploit
Explanation:
OBJ-4.2: Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.
What popular open-source port scanning tool is commonly used for host discovery and service identification?
A.Nmap
B.dd
C.Services.msc
D.Nessus
A.Nmap
Explanation:
OBJ-4.2: The world’s most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?
A.Fuzzing
B.Stress Testing
C.User Acceptance Testing
D.Security Regression Testing
A.Fuzzing
Explanation:
OBJ-4.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.
Which of the following tools is a post-exploitation framework that would allow a penetration tester to run PowerShell agents without requiring the use of powershell.exe?
A.Powersploit
B.Responder
C.Empire
D.Searchsploit
C.Empire
Explanation:
OBJ-4.2: Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.
Which of the following tools is considered a web application scanner?
A.Nessus
B.Qualys
C.OpenVAS
D.ZAP
D.ZAP
Explanation:
OBJ-4.2: OWASP Zed Attack Proxy (ZAP) is the world’s most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.
If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?
A.Hping
B.Traceroute
C.Ptunnel
D.Broadcast ping
A.Hping
Explanation:
OBJ-4.2: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the NMAP creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets’ transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet’s broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
[443] [https-get-form] host: diontraining.com login: jason password: password
[443] [https-get-form] host: diontraining.com login: jason password: CompTIACySA+
[443] [https-get-form] host: diontraining.com login: jason password: 123456
[443] [https-get-form] host: diontraining.com login: jason password: qwerty
[443] [https-get-form] host: diontraining.com login: jason password: abc123
[443] [https-get-form] host: diontraining.com login: jason password: password1
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
What type of attack was most likely being attempted by the attacker?
A.Password spraying
B.Impersonation
C.Credential stuffing
D.Brute force
D.Brute force
Explanation:
OBJ-4.3: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack for their own purposes.
What tool can be used as an exploitation framework during your penetration tests?
A.Nmap
B.Metasploit
C.Nessus
D.Autopsy
B.Metasploit
Explanation:
OBJ-4.1: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?
A.389
B.3389
C.443
D.21
C.443
Explanation:
OBJ-4.3: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).
You are working as part of a penetration testing team targeting Dion Training’s website. Which of the following tools should you use to attempt an XSS or injection attack against their website?
A.BeEF
B.Androzer
C.Netcat
D.Nikto
A.BeEF
Explanation:
OBJ-4.2: BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers. BeEF can be used for XSS and injection attacks against a website. Netcat is an open-source networking utility for debugging and investigating the network, and that can be used to create TCP/UDP connections and investigate them. Nikto is an open-source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems with some web server software versions. Androzer is a security testing framework for Android apps and devices.
You are a cybersecurity analyst who has been given the output from a system administrator’s Linux terminal. Based on the output provided, which of the following statements is correct?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT ———————--------- # nmap win2k16.local Nmap scan report for win2k16 (192.168.2.15) Host is up (0.132452s latency) Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80 220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22 SSH-2.0-OpenSSH_7.2 Debian-2
——————————
END OUTPUT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A.Your email server is running on a non standard port
B.Your email server has been compromised
C.Your organization has a vulnerable version of the SSH server software installed
D.Your web server has been compromised
A.Your email server is running on a non standard port
Explanation:
OBJ-4.1: As shown in the nmap scans’ output, only two standard ports being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
You are working as part of a penetration testing team conducting engagement against Dion Training’s network. You have been given a list of targets to scan in nmap in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in an XML formatted file called results.txt for importing into your team’s report generation software?
A.nmap -p80,443 -sL servers.txt -oX results.txt
B.nmap -p80,443 -iL servers.txt -oX results.txt
C.nmap -p80,443 -oL servers.txt -oG results,txt
D.nmap -p80,443 -sL servers.txt -oG results.txt
B.nmap -p80,443 -oL servers.txt -oX results.txt
Explanation:
OBJ-4.1: The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform a nmap scan against ports 80 and 443. The -iL option will scan each of the listed server’s IP addresses. The -oX option will save the results in an XML format to the file results.txt while still displaying the normal results to the shell. The option of -sL will only list the servers to scan, and it will not actually scan them. The option of -oG is for outputting the results to a file in a greppable format.
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?
A.locate type=ns
B.request type=ns
C.set type=ns
D.transfer type=ns
C.set type=ns
Explanation:
OBJ-4.2: The “set type=ns” tells nslookup only reports information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?
A.Forensic analysis report
B.Chain of custody
C.Trends analysis report
D.Lessons learned report
D.Lessons learned report
Explanation:
OBJ-5.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
Why must you have an established communication path and a client’s trusted point of contact during a penetration test?
A.To report indicators of compromise
B.To report non-exploitable vulnerabilities
C.To report a change in payment methods
D.To report bypassing the firewall
A.To report indicators of compromise
Explanation:
OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should pause their work and immediately inform the client’s trusted point of contact. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.
Your company is concerned about the possibility of theft of sensitive information from their systems. The IT Director has directed that access to all USB storage devices be blocked on all corporate workstations to prevent this. The workstation should still use other USB devices, like scanners, printers, keyboards, and mice. Which of the following command-line tools should you use to install a Group Policy (GPO) to all workstations across the network to disable the use of USB storage devices?
A.gpresults
B.diskpart
C.gpupdate
D.sfc
C.gpupdate
Explanation:
OBJ-5.3: The gpupdate command refreshes a computer’s local Group Policy, as well as any Active Directory-based group policies. This command works on Windows 10, 8, 7, Vista, and XP. The gpupdate command can be used to restrict access to USB removable storage devices (like USB thumb drives and hard drives). In some organizations, USB storage devices are blocked for security reasons to prevent security leakage of confidential data and the penetration of viruses into the internal corporate network.
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?
A.Application whitelist
B.Intrusion Detection System
C.Anti-malware solution
D.Host-based firewall
A.Application whitelist
Explanation:
OBJ-5.3: Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn’t prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.
You want to install a perimeter device on the network to ensure FTP commands are not being sent out over port 25. Which of the following devices would allow for deep packet inspection to catch this type of activity?
A.Layer 7 Firewall
B.Web Proxy
C.Layer 3 Switch
D.Protocol Analyzer
A.Layer 7 Firewall
Explanation:
OBJ-5.3: Layer 7 firewalls are application-filtering firewalls. FTP traffic does not usually travel over port 25 and should travel over port 21. Using a Layer 7 firewall, the device can perform a deep packet inspection (DPI) to identify which application or protocol is actually being used to send traffic over a given port.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?
A.Indicator of compromise
B.Botnet
C.SQL Injection
D.XSRF
A.Indicator of compromise
Explanation:
OBJ-5.4: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor’s management interface be exposed to ensure the best security of the virtualization platform?
A.External zone
B.Internal Zone
C.DMZ
D.Management Network
D.Management Network
Explanation:
OBJ-5.3: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.
Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?
A.Full packet capture
B.Netflow capture
C.SIEM Event log monitoring
D.Software design documentation review
A.Full packet capture
Explanation:
OBJ-5.3: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext. A software design documentation may also reveal the designer’s intentions for authentication when they created the application, but this only provides an ‘as designed’ approach for a given software and does not provide whether the ‘as-built’ configuration was implemented securely.
A network administrator updated an Internet server to evaluate some new features in the current release. A week after the update, the Internet server vendor warns that the latest release may have introduced a new vulnerability, and a patch is not available for it yet. Which of the following should the administrator do to mitigate this risk?
A.Enable the host-based firewall on the Internet server
B.Enable HIPS to protect the server until the patch is released
C.Utilize WAF to restrict malicious activity to the Internet server
D.Downgrade the server and defer the new feature testing
D.Downgrade the server and defer the new feature testing
Explanation:
OBJ-5.3: Since the vendor stated that the new version introduces vulnerabilities in the environment, it is better to downgrade the server to the older and more secure version until a patch is available.
Why must you have an established communication path and a client’s trusted point of contact during a penetration test?
A.To change the scope of work
B.To report critical findings
C.To receive written authorization
D.To report a list of critical findings
B.To report critical findings
Explanation:
OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should immediately inform the client’s trusted point of contact unless the scope of work states otherwise. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.
Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company’s risk response strategy?
A.Avoidance
B.Transference
C.Acceptance
D.Mitigation
D.Mitigation
Explanation:
OBJ-5.1: Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
What should NOT be included in your final report for the assessment and provided to the organization?
A.Executive summary
B.Methodology used
C.Findings and recommendations
D.Detailed list of cost incurred
D.Detailed list of cost incurred
Explanation:
OBJ-5.1: A detailed list of costs incurred is not required as part of the final report but instead would be included as part of your invoicing. Your report should contain an executive summary, your methodology used in the assessment, and your findings and prioritized recommendations.
What term describes the amount of risk an organization is willing to accept?
A.Risk appetite
B.Risk mitigation
C.RIsk acceptance
D.Risk avoidance
A.Risk appetite
Explanation:
OBJ-5.1: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization’s risk tolerance is defined and communicated amongst the decision-makers.
Why must you have an established communication path and a client’s trusted point of contact during a penetration test?
A.To provide published vulnerability updates
B.To inform them of a security patch update
C.To report that a production server is unresponsive
D.To provide a summary of daily events
C.To report that a production server is unresponsive
Explanation:
OBJ-5.4: If a server becomes unresponsive during a penetration test, the team should pause their work and immediately inform the client’s trusted point of contact. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.
Which of the following would NOT be useful in defending against a zero-day threat?
A.Segmentation
B.Patching
C.Threat Intelligence
D.Whitelisting
B.Patching
Explanation:
OBJ-5.3: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in the software, hardware, or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. Using segmentation, whitelisting, and threat intelligence, a cybersecurity analyst, can put additional mitigations in place to protect the network even if a zero-day attack was successful.
You are working as part of a penetration testing team during an engagement. A coworker just entered “sudo systemctl stop DionTrainingApp” in the shell of a Linux server the team exploited. What action is your coworker performing with this command?
A.To enable persistence on the server
B.To enumerate the running services on the server
C.To remove persistence on the server
D.To shutdown the running service on the server
C.To remove persistence on the server
Explanation:
OBJ-5.2: This scenario uses the systemctl command to remove persistence from a Linux server within its shell. The systemd tool is an init system and system manager that has widely become the new standard for Linux distributions. The systemctl is part of systemd. The systemctl is used to manage services, check their status, change their status, and work with the configuration files. By entering “sudo systemctrl stop DionTrainingApp” in the shell, the system will stop the service known as DionTrainingApp. This will remove any persistence gained by running the DionTrainingApp service, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.
