Crucial Exams - Practice Questions Flashcards
https://crucialexams.com/exams/comptia/pentest/pt0-002/practice-tests-practice-questions
As part of an internal security assessment, you are required to scan a network segment that contains older, production-critical systems known for their fragility in terms of network traffic handling. Your objective is to identify vulnerabilities without causing system disruptions. Which scanning method would be most appropriate for this scenario?
- Credentialed scan
- TCP connect scan
- Non-credentialed scan
- Stealth scan
Credentialed scan
A credentialed scan is the appropriate choice when dealing with fragile systems. This method uses valid access credentials to perform a more in-depth and safer examination of the target systems, reducing the risk of causing disruptions which may occur with more aggressive uncredentialed scans that can overwhelm sensitive systems. A non-credentialed scan can risk causing issues with fragile systems due to the more intrusive nature of the probing. A stealth scan’s main purpose is to avoid detection, and while it can be less noisy on the network, it might still cause a fragile system to become unstable. Transmission Control Protocol (TCP) connect scans are more intrusive as they establish a full TCP connection, potentially leading to system instability.
When attempting to identify vulnerabilities in a thick client application that interacts with a web service backend, which feature of the Burp Suite community edition should a penetration tester use to MOST effectively analyze and manipulate the HTTP/S traffic between the client and the server?
- Repeater
- Proxy
- Intruder
- Scanner
Proxy
The correct answer is the Proxy feature. The Proxy feature in Burp Suite acts as an interception proxy, which allows the penetration tester to view, modify, and resend HTTP/S requests and responses passing through it. This is essential for testing thick client applications that communicate with a web service backend, as it enables the tester to analyze the traffic for potential vulnerabilities. The Scanner feature is not available in the community edition, which is why it’s an incorrect answer, and Intruder and Repeater are features that are best suited for other types of testing such as automated attacks and manual request resending respectively, rather than initial traffic analysis and interception.
You are conducting a penetration test against an AWS environment and require a tool that can efficiently identify IAM weaknesses and escalate privileges. What is the BEST tool to perform this task while also offering the ability to automate the exploitation of several discovered vulnerabilities?
- Metasploit
- Pacu
- OWASP ZAP
- Scout Suite
Pacu
Pacu is designed as an open-source AWS exploitation framework, providing penetration testers with the ability to simulate an adversary that has obtained credentials to an AWS account. For IAM weaknesses and privilege escalation, Pacu is especially potent due to its specialized modules that automate the exploitation of vulnerabilities. It can aid in revealing misconfigurations that could lead to privilege escalation or other security issues within AWS services. While tools like Scout Suite and OWASP ZAP are powerful in their respective domains (configuration auditing and web application security testing), they are not specialized for IAM weakness identification and exploitation in AWS environments. Metasploit is a versatile penetration testing tool, but it is not cloud-centric like Pacu and does not offer the same in-depth functionality for AWS IAM exploitation.
During the information gathering phase of a penetration test, you are tasked with using strategic search engine analysis to uncover potential leads about an organization’s internet-facing infrastructure. Which of the following search queries could reveal the existence of sensitive documents that the company did not intend to make public?
- example.com:2087 -site:example.com
- intitle:index.of server at example.com
- site:example.com filetype:pdf confidential
- link:example.com -site:example.com
site:example.com filetype:pdf confidential
The search query ‘site:example.com filetype:pdf confidential’ is correct because it explicitly looks for PDF files on the domain ‘example.com’ that contain the keyword ‘confidential’. This type of search is commonly used by penetration testers to find sensitive documents that might have been inadvertently exposed. The use of ‘filetype’ refines the search to a specific type of document, increasing the chances of finding documents with potentially sensitive information. Conversely, the other options do not apply the same level of specificity or relevance to finding sensitive documents unintentionally made public.
Scout Suite
Scout Suite is a multi-cloud security auditing tool that assesses the configuration of cloud environments to identify potential security risks. It supports major cloud providers such as AWS, Azure, Google Cloud Platform, and others. The tool allows penetration testers to evaluate cloud configurations for misconfigurations and vulnerabilities, enabling better security postures.
As a penetration tester, you have been tasked to assess the security of a company’s wireless infrastructure. You decide to simulate an evil twin attack to test the network’s resilience to credential theft. Which tool would you use to create a rogue access point that replicates the company’s WPA2-Enterprise network in order to capture employee credentials?
- Use EAPHammer to create the rogue access point and facilitate the attack to capture credentials.
- Deploy mdk4 to conduct a denial-of-service attack on the network, effectively disrupting the wireless services.
- Implement Kismet for network detection and packet sniffing on the target wireless network.
- Utilize Aircrack-ng to crack the WPA2 password and gain unauthorized access to sensitive information.
Use EAPHammer to create the rogue access point and facilitate the attack to capture credentials.
EAPHammer is specifically designed for such a scenario, where it can be used to create a rogue access point that mimics the legitimate WPA2-Enterprise network. It can then capture credentials as employees unwittingly connect to this malicious access point, thinking it is the corporate network. The incorrect answers, while related to Wi-Fi security, do not provide the functionality to mimic WPA2-Enterprise networks for the purpose of capturing credentials through such an attack.
EAPHammer
- tool designed to conduct targeted wireless network attacks
- particularly against WPA2-Enterprise networks
- automates attacks such as rogue access point (EAP-based) creation, credential harvesting, and network impersonation
- used to identify weaknesses in enterprise wireless configurations
Which method of using search engines for passive reconnaissance is most likely to yield comprehensive insight into potential vulnerabilities within a target organization’s web applications?
- Looking up the main company website to analyze the business’ profile and obtain general contact information.
- Reviewing the company’s public financial reports to identify budget allocations for cybersecurity.
- Searching the company’s social media feeds for general technology updates or event announcements.
- Using advanced search engine queries with operators to find exposed sensitive information or misconfigurations.
Using advanced search engine queries with operators to find exposed sensitive information or misconfigurations.
By using advanced search engine queries, such as those involving site:, filetype:, inurl:, or intext: operators, a penetration tester can discover sensitive information that may be inadvertently exposed on public websites. This can include configuration files, user credentials, or revealing error messages. This type of strategic search can uncover a wide array of vulnerabilities or misconfigurations more effectively than basic company details or generic searches, which tend to yield only surface-level information. The incorrect answers focus on specific narrow aspects that are less likely to provide a broad view of potential vulnerabilities across web applications.
During a security audit of an application stack, you notice the application is utilizing an outdated open source component known for its critical vulnerabilities that have been patched in subsequent releases. Exploiting these vulnerabilities could lead attackers to compromise the hosting server. Which type of vulnerability does this scenario BEST describe?
- Patching fragmentation
- Dependency vulnerabilities
- Race conditions
- System misconfigurations
Dependency vulnerabilities
The scenario describes a dependency vulnerability, which occurs when an application relies on external components, libraries, or frameworks with known security issues that are not patched or updated. Attackers might exploit these vulnerabilities to breach systems if the dependencies are outdated and contain unfixed security flaws. Patching fragmentation refers to the inconsistent application of patches across systems, often seen in organizations with complex environments where some systems remain unpatched. Thus, a system using an outdated and vulnerable component is primarily at risk from dependency vulnerabilities.
During a penetration test, who should you primarily reach out to for discussing specific technical details of the vulnerabilities found?
- C-suite executive
- Third-party stakeholder
- Emergency contact
- Technical contact
Technical contact
The technical contact is the individual within the client organization who possesses the detailed technical knowledge required to understand and act upon the technical aspects of the findings in a penetration test. Other options may have roles in the process, but the technical contact is the go-to for vulnerability discussions, making Answer A correct.
You are conducting a security audit on a web page and have found a section where user input is dynamically inserted into the document without proper sanitation. To confirm the existence of this client-side security flaw, you intend to inject code that creates a dialog box displaying ‘Test’. Which of the following JavaScript snippets would be correctly executed to demonstrate the vulnerability?
- alert('Test');
- aler't('Test');
- confirm('Test');
- Alert('Test');
alert('Test');
The correct answer is snippet A, alert('Test');, which is a standard method in JavaScript for invoking a dialog box with specified text content. This method is suitable for testing the insertion of malicious scripts, as it should only trigger when JavaScript is executed within the client's browser context. Snippet B, Alert('Test');, is incorrect due to the use of a capital 'A' in 'Alert', which is not recognized in JavaScript due to case sensitivity. Snippet C, aler't('Test');, contains a misplaced single quote, resulting in invalid syntax, thus, the script would not run. Snippet D, confirm('Test');, would indeed create a dialog box but one that asks for confirmation (OK/Cancel) and is typically used to demonstrate a different form of interaction than just providing an alert.
During the planning phase of a penetration test for a retailer that processes payment cards, it is essential to ensure that the testing activities comply with PCI DSS requirements. Which of the following activities during the penetration test requires special consideration to maintain PCI DSS compliance?
- Notifying Visa and Mastercard before starting the penetration test.
- Inserting a hardware keylogger into point-of-sale systems.
- Performing wireless network sniffing in areas where cardholder data is transmitted.
- Social engineering employees to reveal sensitive information.
Performing wireless network sniffing in areas where cardholder data is transmitted.
Performing wireless network sniffing in areas where cardholder data is transmitted requires special consideration. According to PCI DSS Requirement 4.1, strong encryption must be used during the transmission of cardholder data over open, public networks to safeguard transmission security. A penetration tester must ensure that they have permission and the proper segmentation checks in place so that they do not inadvertently capture or decrypt cardholder data, which would violate PCI DSS. Social engineering employees to reveal sensitive information isn’t directly restricted by PCI DSS during a pen test; it’s an accepted testing technique if agreed upon in the scope. Inserting a hardware keylogger into point-of-sale systems is not against PCI DSS as long as it’s permitted and controlled as part of the pen test, and there isn’t a requirement for notifying the card schemes in advance of a penetration test.
Which PCI DSS requirements should you know?
- Annual and Quarterly Testing
- Scope of Testing: Test the entire cardholder data environment (CDE), including external, public-facing perimeters and LAN-to-LAN attack surfaces; Validate network segmentation to confirm systems are isolated and scope is reduced
- Vulnerability Scanning & Mitigation: perform both internal and external vulnerability scans quarterly and after significant changes.
- Segmentation Testing
BurpSuite Modules to know
Repeater: This module allows testers to manually edit and replay HTTP/S requests to observe server responses. It's useful for testing specific inputs and analyzing the resulting behavior.
Scanner: Available in the professional version, the scanner automates the discovery of vulnerabilities in web applications by identifying issues like SQL injection or cross-site scripting.
Intruder: This module is used to automate customized attacks, such as brute force, by sending a series of payloads to a target. It provides flexibility in testing various scenarios and input combinations.
Main Features of BurpSuite
Web Application Testing Toolset: Burp Suite is a comprehensive web application vulnerability scanning and penetration testing toolkit that includes features like vulnerability scanning and request interception.
Interception Proxy: This tool can intercept HTTP/S traffic between a web browser and a web server, enabling manual manipulation of requests for testing security defenses.
Versions: Available in a community edition (free) and a professional edition (paid), with the professional edition offering enhanced automation and scanning features.
Usage Contexts: While primarily associated with web application security, it is also referenced in the textbook in relation to testing mobile application backends and APIs.
A penetration tester is tasked with evaluating the security of a mobile application. The tester wants to analyze the behavior of the application in a controlled environment to observe how it interacts with system resources and other applications. Which of the following is the BEST method to accomplish this goal?
- Leveraging a mobile security framework for static code analysis
- Deploying the application on a segmented area of the production network
- Using a mobile device emulator
- Running the application on a jailbroken device with monitoring tools
Using a mobile device emulator
Using a mobile device emulator creates a virtual mobile device on which the application can be safely run and analyzed. This allows the penetration tester to observe the application’s behavior under different conditions without risking the integrity of a physical device or the production environment. The other options either are not as relevant for analysis on a mobile application (a and c) or are general tools for mobile security testing but not specifically designed for behavioral analysis in a controlled environment like an emulator (d).
As a penetration tester, you’re tasked with testing the strength of password hashes. Which tool would you use to perform brute-force attacks against various hash types in a scalable and effective manner?
- John the Ripper
- Aircrack-ng
- Hashcat
- Wireshark
Hashcat
Hashcat is known for its capability to perform brute-force and dictionary attacks against various types of hashes, making it an essential tool for penetration testers when assessing password security. It is chosen for its efficiency and broad support of hash types.
John the Ripper: While also a hash-cracking tool, it is generally less scalable compared to Hashcat.
During an internal security assessment, a penetration tester needs to identify live hosts without performing a full port scan, to reduce network congestion. Which of the following Nmap options would be most appropriate for the tester to use to simply ping the hosts?
- -p
- -sV
- -sn
- -A
-sn
The ‘-sn’ option in Nmap is used to perform a host discovery, which simply pings the hosts without actually scanning any ports. This is the correct answer as it minimizes the amount of traffic and reduces the chance of causing network disruption. The ‘-sV’ option executes a service version detection, which is more intrusive and creates more traffic, going beyond the requirement of just discovering live hosts. The ‘-A’ option enables OS detection, version detection, script scanning, and traceroute, which would not only produce more traffic but also try to scan and fingerprint hosts, which is not needed in this scenario. The ‘-p’ option specifies the target ports to scan, which does not directly relate to host discovery without port scanning.
A WPS PIN attack requires an attacker to physically access the WPS button on a router to initiate the brute-force process.
- True
- False
False
The correct answer is false because a WPS PIN attack can be performed remotely. Attackers do not need physical access to the router; instead, they exploit the WPS PIN feature to gain access to the network by using software tools that attempt to brute-force the WPS PIN, which is an 8-digit number. Such attacks often exploit the fact that the PIN is validated in two halves, which reduces the number of attempts needed to guess the correct PIN.
As a penetration tester in the initial stage of assessing a target organization’s external IT infrastructure, you need to gather intelligence on potentially vulnerable Internet-facing services without triggering security alerts. Which of the following tools would effectively enable passive reconnaissance to identify exposed services and devices, including specific versions and configurations, from publicly available information?
- Nmap
- CeWL
- theHarvester
- SQLmap
theHarvester
The correct answer is theHarvester. It is specifically designed to gather publicly available information such as email accounts, subdomain names, virtual hosts, open ports, and banners from different public sources like search engines and PGP key servers. This makes it suitable for passive reconnaissance. Nmap is typically employed for active scanning and could inadvertently set off security alarms if used inappropriately. SQLmap is an automatic SQL injection and database takeover tool, which is not intended for initial reconnaissance. CeWL creates custom wordlists from a given URL, useful for creating targeted password lists, but does not serve the purpose of identifying services and devices.
During the preliminary phase of a penetration test, you are given a list of web applications owned by the client company that are to be assessed. The client has emphasized the importance of staying within the boundaries of the scoped engagement. Which of the following actions BEST ensures that the penetration test aligns with the client’s requirements?
- Consult the penetration testing team’s standard checklist for application assessments before starting.
- Begin testing with automated scanning tools to quickly identify potential vulnerabilities in the web applications.
- Immediately start a manual assessment of the first web application on the list to understand its functionality.
- Review the contract and scope of work documents to confirm the web applications and types of tests that are authorized.
Review the contract and scope of work documents to confirm the web applications and types of tests that are authorized.
Reviewing the contract and scope of work documents provided by the client ensures that the penetration tester understands which web applications are included in the engagement and what types of tests can be performed. This helps avoid any unauthorized actions and ensures that the engagement is carried out professionally and ethically. The other options, although potentially useful, do not guarantee adherence to the engagement’s limitations and could lead to actions outside the agreed scope.
During an active reconnaissance phase, a penetration tester is analyzing the URLs of a client’s web application to determine entry points and possible vulnerabilities. Which of the following URL formats is MOST likely to be useful for identifying potential parameters for testing inputs or discovering hidden directories?
- user@example.com?subject=Inquiry
- https://www.example.com/product.php?id=1234&category=tools
- https://www.example.com/privacy
- ftp://ftp.example.com/resources
https://www.example.com/product.php?id=1234&category=tools
The correct answer is ‘https://www.example.com/product.php?id=1234&category=tools’. This URL contains parameters (‘id’ and ‘category’), which can be tested for vulnerabilities such as SQL injection, XSS, and more. A penetration tester could manipulate these parameters to see how the application responds, thereby potentially discovering security flaws.
The incorrect answers listed don’t provide the same level of actionable information. The URL containing the ‘mailto’ protocol is typically used for email and does not usually have parameters that could be tested for web application vulnerabilities. The URL with ‘https://www.example.com/privacy’ is likely a static page and while it could contain potential endpoints for further investigation, it does not explicitly showcase parameters like the correct answer. Lastly, the URL ‘ftp://ftp.example.com/resources’ uses the FTP protocol, which is less likely to be the focus of this type of testing in comparison to HTTP(S), which directly interacts with web applications.
During a penetration test, you have obtained access to a suspect’s computer where you suspect secret information is being transmitted using image files. To confirm your suspicions, you decide to analyze these image files for potential hidden data. Which tool would assist you in uncovering data hidden using steganographic techniques?
- Aircrack-ng
- Wireshark
- Snow
- Steghide
- Gobuster
- OWASP ZAP
Steghide
The correct answer is Steghide. It is a steganography program that is able to hide data in various kinds of image and audio files. The presence of a tool like Steghide on a suspect's computer might suggest that the individual is using steganography to conceal data. The other options listed are also tools used in penetration testing, but they do not specialize in steganography like Steghide. Gobuster is for enumerating files and directories on web servers, Snow is a tool for hiding text in whitespace, and OWASP ZAP is for finding vulnerabilities in web applications. So although these are related to the fields of cybersecurity and penetration testing, they would not typically be used for detecting steganographic data.
Snow
Snow is another steganography tool that utilizes whitespace in text files to hide data. By embedding information in spaces and tabs within the text, it allows for concealed data storage.
Steghide
Steghide is a steganography tool used for embedding hidden data within image or audio files and retrieving that data when needed. It supports encryption and compression of the embedded data, making it a useful tool for securely hiding information.
Gobuster
Gobuster is a tool designed for brute-forcing web paths, DNS subdomains, and virtual host names on target systems. It is commonly used for discovering hidden directories, files, and subdomains during penetration testing, i.e. enumerating files and directories on web servers.
Creating a scenario in which the attacker pretends to be a member of the IT department to gain access to sensitive information is an example of pretexting.
- True
- False
True
The correct answer is true. Pretexting is a social engineering technique where the attacker creates a fictitious scenario or assumes a false identity to manipulate a target into divulging information or gaining unauthorized access. In this case, the attacker is pretending to be a member of the IT department, which is a typical example of pretexting. The goal is to establish trust or authority to elicit sensitive information from the victim.
When conducting a penetration test, you are to evaluate the security posture of both the public-facing (external) applications and the internal network infrastructure of an organization. Assuming that all legal permissions and access rights are in place, which approach would BEST align with the penetration testing strategy to comprehensively assess the security of both external and internal targets within the confines of the test scope?
- Exclusive external testing of the perimeter networks and public IP addresses
- Purely passive reconnaissance of both external and internal assets
- Full knowledge testing using source code analysis and network sniffing for both external and internal targets
- A combination of network-based tests for the internal infrastructure and application-based tests for the public-facing applications
A combination of network-based tests for the internal infrastructure and application-based tests for the public-facing applications
Choosing a combination of network-based and application-based tests specifically tailored for the respective environments is the best approach to comprehensively assess the security of both external (public-facing applications) and internal targets (internal network infrastructure). Network-based tests are suitable for evaluating the internal infrastructure, while application-based tests target public-facing applications. These two approaches complement each other by providing coverage for the different types of assets. Full knowledge testing is more aligned with white-box testing, which might not be as effective for external targets without prior knowledge. Passive reconnaissance is usually a preliminary step and doesn’t actively test security controls. External testing only does not provide coverage for internal network infrastructure vulnerabilities.
As a penetration tester, you are tasked with gathering intelligence about a target company’s technology stack without alerting them to your activities. Which of the following methods would provide insight into the technology stack without directly engaging with the target’s systems or networks?
- Establishing a connection to the target’s network to monitor outgoing traffic
- Performing DNS lookups to identify all the subdomains of the company
- Conducting a scan of the target’s IP address space to detect running services
- Reviewing the target company’s job listings for technology skill requirements
Reviewing the target company’s job listings for technology skill requirements
Reviewing job listings can provide insight into the technology stack a company uses based on the skills and experience they are seeking in candidates. This method is passive because it does not require any interaction with the target’s systems. DNS lookups involve queries to DNS servers, which may still be considered passive, but it does not yield technology stack information directly. Attempting to connect to the target’s network or scanning their IP addresses are active reconnaissance methods that could potentially alert the target to the presence of a reconnaissance activity.
During a penetration test, you discover evidence suggesting that an employee has been engaging in illegal activities using the company’s network. Which of the following actions aligns best with professional conduct and legal responsibilities?
- Confront the employee directly to investigate the matter further.
- Immediately notify the primary or emergency contact designated by the client to relay your findings confidentially.
- Turn off the affected systems to prevent any further illegal activity.
- Ignore the findings as they are beyond the scope of the penetration test
Immediately notify the primary or emergency contact designated by the client to relay your findings confidentially.
When encountering potential criminal activity during a penetration test, the tester must communicate this information to the primary or emergency contact within the organization as outlined in the communication plan. It is crucial to handle the situation with confidentiality and let the appropriate parties within the organization manage the legal response. Directly confronting the individual or ignoring the findings are not adhering to professional and ethical standards, and turning off the affected system could hinder further investigation by the appropriate authorities.
As part of a penetration testing team, you are tasked with evaluating the security of a large financial corporation’s mobile banking app. The app employs certificate pinning to secure HTTPS traffic. Which of the following techniques could you leverage to bypass the certificate pinning and analyze the encrypted traffic?
- Setting up a proxy and using a Frida script to bypass the application’s certificate pinning while the traffic routes through the proxy.
- Generating a new certificate pair for the server and replacing the pinned certificate within the app’s configuration.
- Cloning the server’s actual certificate and using it in a MitM position to bypass the pinning mechanism.
- Installing an unauthorized version of the app containing a rogue certificate instead of the pinned certificate.
Setting up a proxy and using a Frida script to bypass the application’s certificate pinning while the traffic routes through the proxy.
Modifying the network traffic routing to pass through a proxy would allow an attacker to analyze the encrypted traffic if the attacker can install their own certificate authority on the device and trust it to intercept SSL/TLS communications. Since the mobile banking app employs certificate pinning, this would typically prevent the proxy from intercepting the traffic; however, combining it with a Frida script to hook into the application and bypass the pinning check can successfully enable the interception of network traffic. Frida is a dynamic code instrumentation toolkit that allows testers to change the behavior of apps at runtime.
Installing a rogue application version would be possible if the attacker could create one but does not directly solve the challenge of bypassing certificate pinning. Generating a new certificate pair does not bypass pinning, as the app is programmed to only trust a specific certificate. Cloning the server’s actual certificate is not practical without access to the server’s private key, and the application would still recognize it as non-pinned. Spoofing DNS records would not affect HTTPS traffic in this context, as certificate pinning is designed to resist this kind of attack.
As a penetration tester, you are authorized to test an application’s API that employs scoped access tokens. When you request a token from the authorization server specifying a particular scope, you receive a token with broader privileges than expected. What should your next course of action be to ethically continue the test according to the rules of engagement?
- Inform the client and request a token with the correct scope.
- Manually adjust the scope in the token to match the intended permissions and proceed with testing.
- Continue testing using the received token but avoid accessing the functionalities that are outside the initial scope.
- Use the broader scoped token to test additional functionalities since it will provide a more comprehensive security assessment.
Inform the client and request a token with the correct scope.
The correct answer is to inform the client and request a token with the correct scope, as per the test’s rules of engagement. Accidentally receiving a token that grants broader access than intended can lead to testing systems that are out of scope, which might be against the policies and potentially illegal. While tempting, using the broader scoped token without authorization would be unethical and potentially a violation of the agreed-upon rules. Continuing with the received token without notifying the client or attempting to limit its privileges on your own are both incorrect actions that could lead to adverse outcomes.
A penetration tester is conducting an assessment against a web application and has observed that session tokens are not rotated after login. Which type of attack could the penetration tester employ to take advantage of this vulnerability?
- Session fixation
- Cross-site request forgery (CSRF)
- Session replay
- Cross-site scripting (XSS)
Session fixation
In a session fixation attack, the attacker sets a known session ID on an application before the victim logs in, and due to the lack of session rotation upon authentication, the attacker can use this predefined session ID to hijack the session once the victim has logged in. Session rotation is a critical security measure that involves changing the session token after a user logs in to prevent session fixation attacks. The incorrect answers, while they are related to session management in various ways, do not directly exploit the lack of session rotation post-authentication.
Session Fixation
Session fixation is a type of session hijacking attack where an attacker exploits web applications that reuse the same session ID across user sessions instead of expiring them. The attacker can then use this fixed session ID to access a victim’s account by:
- Obtaining an old session ID via malware, eavesdropping, or log theft.
- Getting the victim to authenticate with the application using the old session ID.
- Using the same session ID to impersonate the victim.
Session Replay
A session replay attack occurs when an attacker captures and reuses a user’s authentication credentials (like cookies or tokens) to impersonate the user and gain unauthorized access to a system. This type of attack often exploits insecure session handling and unencrypted communication channels.
XSRF
Cross-site request forgery (XSRF), also known as CSRF, is an attack that tricks a user into performing actions on a web application where they are authenticated. It typically involves the attacker embedding a malicious link or script in a way that causes the user’s browser to execute unauthorized actions on the target application.
XSS
Cross-site scripting (XSS) is a web application vulnerability that allows an attacker to embed malicious scripts into a web page, which then execute on the browsers of users who visit the page. These attacks can be reflected (user input directly returned in a web response), stored (malicious input stored on a server), or DOM-based (script execution through the manipulation of the Document Object Model on the client side).
A penetration tester is tasked with enumerating group memberships on a compromised system to identify potential targets for lateral movement. Which of the following commands should the tester execute to find the BEST information about group memberships that could help in identifying privileged accounts?
- net accounts /domain
- net localgroup administrators
- net share
- net user /add
net localgroup administrators
The net localgroup administrators command displays a list of all the members of the administrators group on a local or remote system. This group typically has the highest level of privileges, and knowing its members is vital for strategizing lateral movement and privilege escalation. The other commands do not provide direct insights into the privileged accounts that are part of the administrators group.
After completing a penetration test, you are in the process of post-engagement cleanup. What is the BEST action to take to ensure that no backdoors or remote access methods remain accessible to potential attackers?
- Check for updates on all the software installed on the systems
- Remove all reverse shells and backdoors installed during the testing
- Uninstall all penetration testing tools from the client’s systems
- Change all passwords used during the penetration testing engagement
Remove all reverse shells and backdoors installed during the testing
The correct answer is to remove all reverse shells and backdoors that were installed during the testing process. This action ensures that no unauthorized entry points remain, which could be exploited by an attacker. Simply uninstalling tools doesn’t guarantee that access methods created by those tools are also removed. Changing all passwords could be a prudent post-engagement action but it may not remove any shells that were installed. Checking for updates is important, but it focuses on patch management rather than the removal of intentionally installed access methods.
mitm6
Mitm6 is a tool used to exploit Windows DNS servers by responding to DHCPv6 messages with a link-local IPv6 address and an attacker-controlled system as the default DNS server. This allows attackers to perform man-in-the-middle (on-path) attacks, redirecting traffic to arbitrary destinations.
What is the primary purpose of the penetration testing tool known as ‘mitm6’?
- It performs man-in-the-middle attacks on IPv6 networks.
- It acts as a packet analyzer for inspecting network traffic.
- It operates as a proxy server to forward requests between clients and servers.
- It functions as a vulnerability scanner to identify security weaknesses.
It performs man-in-the-middle attacks on IPv6 networks.
Mitm6 is specifically designed to exploit weaknesses in the configuration and use of IPv6 networks to carry out man-in-the-middle (MITM) attacks. These attacks can intercept and manipulate traffic to gain unauthorized access to data flows between clients and servers. The incorrect answers provided are related to penetration testing but do not accurately depict the primary function of ‘mitm6’. A packet analyzer is used to capture and analyze network traffic, a vulnerability scanner is meant to identify and report potential security holes, and a proxy server is used to redirect client requests to the server.
During a penetration test, you are writing a Python script to automate the extraction of subdomains from a lengthy DNS enumeration tool output. You decide to use a string operator to check if a specific subdomain exists within a line of the output before adding it to your list. Which of the following string operators would allow you to perform this check?
- %
- +=
- in
- ==
in
The in operator in Python can be used to check if a particular substring exists within a string. This is why it is the correct choice. The += operator is used to append a value to an existing variable, typically used in loops for concatenation or arithmetic operations but doesn’t check the existence of a substring. The == operator compares two values for equality, which is not useful when looking for a substring within a larger string. % is the modulus operator in arithmetic operations and can be used as a string formatting operator in Python, but it does not check for substring existence either.
What type of information is primarily returned by querying Shodan?
- Usernames and passwords for compromised accounts
- Complete source code of web applications
- IP addresses, device types, and services
- GPS coordinates of mobile devices
IP addresses, device types, and services
Shodan is designed to provide information about devices connected to the internet, such as the types of devices, their IP addresses, and the services they are running. This information is essential for penetration testers to locate potential targets and understand their network landscape. The correct answer is ‘IP addresses, device types, and services’. The other options either do not directly relate to the primary information obtained from Shodan queries or only partially describe the vast data Shodan could return, but not as its primary set of information.
During a recent penetration testing engagement for a financial firm, you discovered that an employee’s credentials were used to access sensitive client data during a time when the employee was on a mandatory vacation. This finding should prompt which of the following recommendations in your final report?
- Advise additional system hardening techniques to ensure that the employee’s credentials cannot be misused during their mandatory vacation period.
- Recommend reinforcing the use of mandatory vacations as an operational control, along with auditing account activity during such periods to uncover potential unauthorized access or internal threats.
- Suggest implementing job rotation so that no single employee has exclusive access to sensitive client data for an extended period.
- Propose enhanced user training focused on security best practices to prevent employees from sharing their credentials.
Recommend reinforcing the use of mandatory vacations as an operational control, along with auditing account activity during such periods to uncover potential unauthorized access or internal threats.
The correct answer involves implementing mandatory vacations as an operational control. Mandatory vacations can potentially reveal fraudulent activities and are part of a good security strategy, as unauthorized access during an employee’s absence may indicate account misuse or compromise. Mentioning system hardening ignores the operational control aspect related to employee absence. While job rotation is an operational control, it does not directly address the issue of detecting unauthorized access during an employee’s absence. Similarly, user training is always beneficial but does not directly relate to the specific situation presented in the question.
A client, operating a multinational corporation, requires a penetration test for their network infrastructure. However, due to strict data sovereignty laws, they insist that any discovered data must not leave the country of origin. The penetration test is to be performed remotely from your location in another country. Which of the following approaches would BEST align with the client’s data sovereignty restrictions?
- Utilize a jump box located within the client’s country to conduct tests and analyze results
- Instantiating a VPN to the client’s network to ensure a secure connection for testing
- Limit the scope to include only the testing of public-facing services to avoid data sovereignty complications
- Encrypting all test results to prevent unauthorized access while transmitting data back to your location
Utilize a jump box located within the client’s country to conduct tests and analyze results
The correct answer is ‘Utilize a jump box located within the client’s country to conduct tests and analyze results,’ because it addresses the data sovereignty issue by ensuring that any testing and resulting data remain within the country, adhering to local laws while still allowing the penetration tester to perform their duties from a remote location. Instantiating a VPN would not ensure compliance with data sovereignty as the data might transit through other jurisdictions. Encrypting all test results has merit for securing the data but doesn’t prevent data from leaving the country. Testing only public-facing services may still risk violating data sovereignty laws if any resulting data is stored or analyzed outside the target country.
During a penetration test, you perform an initial port scan using Nmap against the target web server. The scan results show that ports 80 (http) and 443 (https) are open. To expedite the testing process, which script should be executed next to further examine these services and look for potential vulnerabilities, while maintaining a degree of stealth?
- Execute an aggressive Nessus vulnerability scan on the entire target network to identify all potential vulnerabilities regardless of service.
- Use the sqlmap tool to automatically attempt SQL injection attacks on the web server’s database services.
- Run the Nmap script engine (NSE) with the http-enum script to locate directories that might reveal the web server’s configuration and content.
- Launch a brute force attack on the SSH service using Hydra to identify weak credentials that may be used to access the system.
Run the Nmap script engine (NSE) with the http-enum script to locate directories that might reveal the web server’s configuration and content.
The correct option automates testing for common vulnerabilities on web servers after an initial port scan shows that web services are available. The script provided by Nmap for http-enum can be used to enumerate potential files and directories on the web server, which is a logical next step when ports 80 and 443 are open. The incorrect options either are not designed for analyzing web vulnerabilities directly (such as a DNS enumeration script or a brute force attack script on an SSH service), or they do not maintain a degree of stealth (like launching a full-scale aggressive vulnerability scan which can be noisy and alert a network’s intrusion detection systems).
During a penetration test for a client subject to the PCI DSS, you identify a service running on a system within the cardholder data environment that does not appear to be necessary for the processing, storage, or transmission of cardholder data. According to PCI DSS requirements, what is the BEST action to take?
- Recommend the disabling of unnecessary services to comply with the principle of least functionality.
- Perform a comprehensive asset inventory to confirm the presence of the service across the network.
- Advocate for stronger encryption methods for stored cardholder data to offset any risks introduced by the service.
- Suggest enhancing the intrusion detection system to monitor the unauthorized service closely.
- Review the terms within the Service Level Agreements (SLAs) regarding the operation of unauthorized services.
Recommend the disabling of unnecessary services to comply with the principle of least functionality.
Choosing to ‘Recommend the disabling of unnecessary services to comply with the principle of least functionality’ is correct as it aligns with PCI DSS Requirement 2.2.2, which states that services and protocols not directly needed to perform the device’s specified function should be disabled. Simply encrypting cardholder data, performing asset inventory, or enhancing intrusion detection would not directly address the specific issue of unnecessary services running. While reviewing existing SLAs can be part of compliance checks, it does not address the immediate concern of extraneous services that could pose a security risk.
During the reconnaissance phase of a penetration test, you decide to use WiGLE to gather information about wireless networks in the vicinity of your target organization. You are particularly interested in identifying Wi-Fi access points that may belong to the target organization or could provide a vector for further penetration. Which of the following actions would be the most effective first step in using WiGLE to locate potential target access points?
- Search for networks using the SSID associated with the target organization.
- Deploy a rogue access point near the target location to capture traffic.
- Perform a brute-force attack on the target’s VPN infrastructure.
- Conduct social engineering to obtain the target’s Wi-Fi passphrase.
Search for networks using the SSID associated with the target organization.
To identify and analyze potential target wireless networks using WiGLE, the most effective first step is to search for networks based on the SSID that is known or suspected to be associated with the target organization. This first step assumes preliminary information has been gathered about the organization, such as their naming conventions for network resources. Incorrect choices involve actions either not applicable to WiGLE or less efficient initial steps.