CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dion, 2 of 6) Flashcards
You are conducting a wireless penetration test against an organization. You have identified that they are using WEP encryption on their wireless access points. You are impatient and do not want to wait to collect enough packets to find a repeated initialization vector. You decide to extract part of the key material from one of the packets and use it to send an ARP request to the AP. Which of the following exploits did you utilize in this attack?
A.Deauthentication attack
B.Downgrade attack
C.Fragmentation attack
D.Karma attack
C.Fragmentation attack
Explanation:
OBJ-3.3: A fragmentation attack obtains the pseudo-random generation algorithm (PRGA) output of network packets used in WEP. The PRGA can be used to craft encrypted packets that you can inject into the access point. These injected packets can speed up cracking the WEP password; otherwise, it might take a while to receive enough packets to get the repeated IV. In a fragmentation attack, you extract part of the key material from at least one packet and use this to send an ARP request to the AP. If successful, the AP responds with more of the key material in the packet echoed back to you. You repeat this process many times until around 1500 bytes of the PRGA have been captured, at which point you can use a packet crafting tool to begin the injection process.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
A.Manually review the syslog server's logs
B.Conduct a service discovery scan on the network
C.Conduct an OS fingerprinting scan across the network
D.Conduct a packet capture of data traversing the server network
C.Conduct an OS fingerprinting scan across the network
Explanation:
OBJ-2.1: By utilizing operating system fingerprinting with a tool like nmap, you can identify which servers are running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the Syslog server's logs would take too long and would not find servers that don't send their logs to the Syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, that doesn't indicate whether the underlying server is running Linux or Windows.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?
A.Rainbow table attack
B.Brute force attack
C.Cognitive password attack
D.Birthday attack
C.Cognitive password attack
Explanation:
OBJ-2.4: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE)
A.Whitelist all specific IP blocks that use this application
B.Rename the URL to a more obscure name
C.Require two-factor authentication for access for the application
D.Conduct a penetration test against the organization's IP space
E.Change the username and default password
F.Require an alphanumeric passphrase for the application's default password
A.Whitelist all specific IP blocks that use this application
C.Require two-factor authentication for access for the application
E.Change the username and default password
Explanation:
OBJ-5.3: First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement a whitelist for any specific IP blocks with access to this application’s administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application’s default password. Since it is a default password, you cannot change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization’s IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability.
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Query: “mimikatz” NOT “EventCode=4658” NOT “EventCode=4689” EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?
A.Processor consumption
B.Unauthorized software
C.Irregular peer-to-peer communication
D.Data exfiltration
B.Unauthorized software
Explanation:
OBJ-4.2: This is a difficult question, but you should see a keyword in the query, “mimikatz.” Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is definitely considered unauthorized software and should be immediately alerted upon if discovered in your network. Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network. Processor consumption is an IoC that monitors the per-process percentage of CPU time to show what causes the problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or data transfers.
A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of action did the analyst perform, based on the command and response above?
A.SQL Injection
B.Banner Grabbing
C.Querying the Whois database
D.Cross-site scripting
B.Banner Grabbing
Explanation:
OBJ-4.2: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat and then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the response reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention?
A.apache_log
B.access_log
C.httpd_log
D.http_log
B.access_log
Explanation:
OBJ-2.3: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files within a Postgres database.
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings?
A.Hardening
B.Harvesting
C.Stealthing
D.Windowing
A.Hardening
Explanation:
OBJ-5.3: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing the available ways of attack typically includes changing default passwords, removing unnecessary software and unnecessary usernames or logins, and disabling or removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?
A.Service level agreement
B.Memorandum of understanding
C.Rules of engagement
D.Acceptable use policy
C.Rules of engagement
Explanation:
OBJ-1.1: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.
Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command?
A.nmap -Pn 10.0.0.0/25
B.nmap -Pn 10.0.0.0,1.0.2.0,3.0
C.nmap -Pn 10.0.0.0/23
D.nmap -Pn 10.0.0-3.0
D.nmap -Pn 10.0.0-3.0
Explanation:
OBJ-4.1: The simplest way to scan multiple adjacent subnets with a single command is to specify a range in the target address. The -Pn option tells nmap to scan every IP in this target space without using ping to check whether each host is up first. Using the dash (-) in the IP address means to scan “this network through this network.” So, 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.
You are conducting a network-based exploit against a Windows-based network. After running Responder in Kali Linux for about 15 minutes, you see the following output on your screen:
To validate if your attack was successful, you also analyze a Wireshark packet capture of this attack. A portion of that Wireshark packet capture is shown here:
Based on the output and packet capture above, which of the following types of exploits did you use?
A.Pass the hash attack
B.FTP Exploit
C.LLMNR Exploit
D.DNS cache poisoning
C.LLMNR Exploit
Explanation:
OBJ-3.2: Windows computers do not rely on DNS for name resolution within their internal networks. Instead, they rely on NetBIOS Name Service (NBNS) queries. Since Windows Vista, though, NBNS queries have been replaced with the Link-Local Multicast Name Resolution (LLMNR) protocol. The Responder tool in Kali Linux is used to conduct NBNS, LLMNR, and DNS name resolution exploits. In this example, Responder is being used to answer the Windows host asking for name resolution for the system called “wpad,” but it provides the IP of the Kali Linux machine instead of the correct IP. The first highlighted section shows the LLMNR query for the host “wpad” being sent by the Windows 7 host and answered by the Kali host running Responder. The last highlighted section shows the Windows 7 host retrieving the wpad.dat file by providing its credentials to the Kali host. There are several clues in this question to the right answer. First, the question mentions that you waited 15 minutes. Within Windows networks using the older NetBIOS system, each Windows machine would send out a broadcast message with its IP and WINS name every 10-15 minutes. Some of this functionality remains within LLMNR, too. But the easier clue to identify is from the Wireshark packet capture. It clearly shows the protocol being used in lines 1212 through 1216 as LLMNR during the query and response. For this question, I was even nice enough to highlight that portion in red, but don’t expect the exam to be nearly as kind!
You are conducting a penetration test against an organization's Windows network. You have dumped the hash of their krbtgt account from the server's memory and used it to create golden tickets. Which of the following types of privilege escalation have you performed?
A.Insecure sudo
B.DLL Hijacking
C.cPassword extraction
D.Kerberoasting
D.Kerberoasting
Explanation:
OBJ-3.5: Kerberoasting is the dumping of the hash of the krbtgt (Kerberos ticket-granting ticket) account from a server’s memory using a domain-based user account. This is then used to create new golden tickets that allow any domain user to request the Ticket Granting Ticket from a domain service account. This can be cracked offline to reveal the plaintext password of the account. Many Windows services run with administrative privileges, and most system administrators don’t frequently change these passwords. This can lead to an attacker gaining access to a domain for a long period of time.
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
IP Address Name Uptime Historical Current
192.168.20.2 web01 7D 12H 32M 06S 42.6 GB 44.1 GB
192.168.20.3 webdev02 4D 07H 12M 45S 1.95 GB 2.13 GB
192.168.20.4 dbsvr01 12D 02H 46M 14S 3.15 GB 24.6 GB
192.168.20.5 marketing01 2D 17H 18M 41S 5.2 GB 4.9 GB
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
A.web01
B.webdev02
C.dbsvr01
D.marketing01
C.dbsvr01
Explanation:
OBJ-3.7: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Your company has just announced a change to an “API first” model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability?
A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
B.Lack of input validation could allow for a SQL attack
C.Lack of input validation could lead to a cross-site scripting attack
D.Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited
A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
Explanation:
OBJ-2.4: When implementing an API, objects in memory on one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to expose the API only to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While insufficient logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A.Use of insecure functions
B.Insecure object reference
C.Improper error handling
D.Insufficient logging and monitoring
C.Improper error handling
Explanation:
OBJ-2.3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple’s GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.
During your reconnaissance, you have determined that your client’s employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these?
A.Identify a jailbroken device for easy exploitation
B.Use web-based exploits against the device's web interfaces
C.Use social engineering to trick a user into opening a malicious APK
D.Use a tool like ICSSPLOIT to target specific vulnerabilities
A.Identify a jailbroken device for easy exploitation
Explanation:
OBJ-2.5: When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A.Social engineering
B.Phishing
C.Session hijacking
D.Privilege escalation
D.Privilege escalation
Explanation:
OBJ-3.5: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.
You are watching as a penetration tester is conducting an engagement against Dion Training’s network. You see the following commands and output in their terminal:
-=-=-=-=-=-=-
# find / -perm +4000 -user root -type f -print
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/passwd
/usr/games/mahjong
# chmod 4111 /usr/bin/sudo
-=-=-=-=-=-=-
Which of the following vulnerabilities is the penetration tester trying to exploit?
A.Unquoted service path vulnerability
B.Unsecure SUDO vulnerability
C.Sticky bit vulnerability
D.Kernel vulnerability
B.Unsecure SUDO vulnerability
Explanation:
OBJ-3.5: This penetration tester is attempting to exploit an unsecure SUDO vulnerability. First, they ran the find command and specified that it should look for files whose permissions include the numerical representation of the SUID bit (+4000). It also looked only for files owned by the root user that are regular files (-type f), and then displayed them on the screen. There were 4 files found in this example, one of which was the /usr/bin/sudo file. Next, the penetration tester attempted to perform a chmod against the /usr/bin/sudo file and set its permissions to 4111. If they were successful, this would change the permissions to allow the user, the group, and everyone else on this computer to execute the sudo command. When the sudo command is run, because it has the SUID bit set, the user can run the command as the root user. For this reason, /usr/bin/sudo should have its permissions set to 4411 and not 4111.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
A.Automated patch deployment
B.Log consolidation
C.Intrusion prevention system
D.Anti-virus software
C.Intrusion prevention system
Explanation:
OBJ-2.5: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict IPS rules that stop unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won’t prevent an issue and therefore isn’t the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before applying any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment as well, since some ICS/SCADA systems do not rely on standard operating systems like Windows.
What role does the red team perform during a tabletop exercise (TTX)?
A.Adversary
B.Cybersecurity analyst
C.System Administrator
D.Network defender
A.Adversary
Explanation:
OBJ-1.3: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might be selected members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.
You are working as a server administrator at Dion Training. You unlock the server room door using your proximity badge and walk through the door. Before the door shuts, another person walks in behind you. What social engineering technique did this person utilize?
A.Spoofing
B.Tailgating
C.Shoulder surfing
D.Impersonation
B.Tailgating
Explanation:
OBJ-3.6: Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. This might be done without the target’s knowledge or might be a means for an insider to allow access to someone without recording it in the building’s entry log. Another technique is to persuade someone to hold a door open for them.
You are attempting to exploit a network-based vulnerability against a Windows server. You configure Metasploit with the following options and enter the run command.
Which of the following types of exploits are you attempting?
A.Credential brute forcing
B.Sandbox escape
C.Pass the hash
D.Credentials harvesting
C.Pass the hash
Explanation:
OBJ-4.3: A pass the hash attack is a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on. When authenticating with a username and password, the password is hashed once you type it in. Therefore, the computer doesn’t recognize a difference between the password and the hash itself. So, if you use psexec to send the hash to the system directly, it can be used to authenticate you as that user without actually knowing the user’s password. The key to answering this question is identifying that the smbpass parameter is being set to a password hash of a specified user.
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?
A.Hardening the DEV_SERVER7 server
B.Logically isolate the PAYROLL_DB server from the production network
C.Conduct a Nessus scan of the FIREFLY server
D.Conduct a data criticality and prioritization analysis
D.Conduct a data criticality and prioritization analysis
Explanation:
OBJ-2.3: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
A.You should accept the risk if the residual risk is low enough
B.You should ignore any remaining risk
C.You should continue to apply additional controls until there is zero risk
D.You should remove the current controls since they are not completely effective
A.You should accept the risk if the residual risk is low enough
Explanation:
OBJ-1.3: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.