Cybrary Practice Exam Flashcards
You have run an automated scan against the network at InterConn and found a number of vulnerabilities.
In an instance of LibreOffice Writer, you copy the vulnerabilities and look them up on https://cve.mitre.org/cve/ to see if you can find anything already reported on them.
For one of the vulnerabilities, the response comes back as:
CVE-2019-17554
with a Date Entry Created of:
20191014
What does the above Date Entry Created NOT indicate? (CHOOSE THREE)
A.Discovered
B.Shared with vendor
C.Reserved
D.Disclosed publicly
E.Allocated
A.Discovered
B.Shared with vendor
D.Disclosed publicly
Explanation:
The entry does NOT indicate the vulnerability is discovered, publicly disclosed or shared with the vendor.
According to CVE:
“CVE IDs are used by cybersecurity product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE IDs.
This date does not indicate when the vulnerability was discovered, shared with the affected vendor, publicly disclosed or updated in CVE.
That information may or may not be included in the description or references of a CVE Entry or in the enhanced information for the CVE Entry that is provided in the U.S. National Vulnerability Database (NVD).”
The “Date Entry Created” date in a CVE Entry indicates when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Entry was published on the CVE List.
“A CVE Entry is marked as “RESERVED” when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet populated. A CVE Entry can change from the RESERVED state to being populated, or Allocated, at any time based on a number of factors both internal and external to the CVE List. Once the CVE Entry is populated with details on the CVE List, it will become available in the U.S. National Vulnerability Database (NVD)”.
This particular entry has been allocated because all of the information has been populated. It is also reserved because it has been assigned to a particular vulnerability.
Common Vulnerabilities and Exposure (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized description for each vulnerability or exposure, they are more of a dictionary than a database. CVE helps provide rankings on discovered vulnerabilities, but does not provide security compliance standards.
Objective:
Information Gathering and Vulnerability Identification
Sub-Objective:
Given a scenario, analyze vulnerability scan results.
References:
CompTIA PenTest+ Cert Guide, Chapter 3: Information Gathering and Vulnerability Identification, Understanding How to Analyze Vulnerability Scan Results
A penetration tester wants to run an Nmap script that will use MSRPC to enumerate user accounts on a target. Which script would be best for this scenario?
A.smb-enum-shares.nse
B.http-enum.nse
C.smb-enum-services.nse
D.smb-enum-users.nse
D.smb-enum-users.nse
Explanation:
The smb-enum-users.nse script enumerates all user accounts on a remote system. It uses the Microsoft Remote Procedure Call (MSRPC) protocol to perform the reconnaissance. MSRPC is a Microsoft client-server protocol that allows one program to request services of another machine without prior knowledge of the specific details of that machine’s internal network. From a pen test perspective, the information gained by using this protocol allows testers to build out a picture of the internal network and footprint specific users that exist on a remote system.
The smb-enum-shares.nse script retrieves information about remote shares. This technique can even reveal private files, which presents an opportunity for data exfiltration or malware propagation.
The smb-enum-services.nse script discovers services running on a remote system. The enumeration results, which can only be produced when running the scan from a privileged account, can also list service status (active or inactive).
The http-enum.nse script enumerates directories used by web applications and servers. It is an intelligent, highly accurate script capable of pattern recognition to identify specific versions of web applications while avoiding false positive results.
Which of these options is NOT a risk management process?
A.Taking a new business risk
B.Monitoring an existing risk
C.Accepting the current level of risk
D.Determining the organization’s tolerance for risk
E.Taking action to reduce risk
F.Calculating the current level of risk
A.Taking a new business risk
Explanation:
Taking a business risk is not a risk management process. It is the reason for risk management. All business activities carry some level of risk that must be faced to achieve rewards. Risk management is the attempt to ensure the business will benefit from potentially risky activities, such as managing customers’ financial data or acquiring new computer systems, without too much harm.
Determining the current level of risk faced by an organization, judging the organization’s appetite or tolerance for risk, accepting the current level of risk, and taking action to mitigate or avoid risk are all part of a risk management program.
Risk mitigation includes a combination of these strategies:
Risk monitoring, by continually gauging the current risks faced by the organization
Risk avoidance, by modifying or stopping an activity or process that generates risk
Risk reduction, by implementing countermeasures to protect against risk (such as cybersecurity)
Risk sharing, by spreading the impact of the risk to another entity (such as hiring an outside firm to provide cybersecurity to the organization)
Risk transference, by shifting the impact of the risk to another entity (such as buying insurance)
Compliance liability, which is defined by such federal regulations as GLBA, PCI-DSS, and HIPAA / HITECH, cannot be shared or transferred away from the organization. Organizations governed by these laws are always responsible for complying with their mandates. They cannot share or transfer this risk.
In a workstation you just gained remote access to, you find the following code:
super_list = [12, 21, 95, 45, 8, 100]
for number in super_list:
    if number % 2 != 0:
        print(number)
What is the first output?
A.45
B.21
C.12
D.95
B.21
Explanation:
The first output of this code is 21. This code determines which numbers within the list are odd. The for loop loops through the numbers within the list. The if statement then determines whether or not the number is evenly divisible by two. If it is not (meaning that the number is an odd number), then the number prints.
The first output is not 12 because 12 is an even number.
The first output is not 95, which will be the second output.
The first output is not 45, which will be the third output.
The code will provide output as follows: 21, 95, 45.
A penetration tester performs a security assessment for your company. When you examine the final report, seven vulnerabilities are listed. Four of the vulnerabilities are critical. However, your company does not have the resources to remediate all of the vulnerabilities listed in the report at the moment. You need to suggest which vulnerabilities should be addressed.
What should you recommend?
A.Implement the remediation for the most critical vulnerability first.
B.Implement the cheapest remediations first.
C.Implement the remediations that are easiest to implement first.
D.Implement the remediations that affect the most assets first.
A.Implement the remediation for the most critical vulnerability first.
Explanation:
You should recommend that the company implement the remediation for the most critical vulnerability first. The criticality of a vulnerability is based on a number of factors, including ease of exploitation, value of the affected asset, exposure of the affected asset, and so on. Critical vulnerabilities should be handled first if there are limited resources available.
You should not implement the cheapest remediations first. Although this would allow your resources to be stretched, it would not ensure that the most critical vulnerabilities are addressed. The most critical vulnerabilities are those most likely to be exploited and most likely to cost the most if exploited.
You should not implement the remediations that affect the most assets first. While these remediations would seem like a logical choice because of the number of affected assets, these may not be the most critical. The most critical vulnerabilities should always have priority.
You should not implement the remediations that are easiest to implement first. Just because they are easy is not reason enough to implement them first. Often the easiest remediations are not addressing the most critical vulnerabilities. Always address the most critical first.
You are working for a contracting company that was employed by the federal government. Which organization’s publications are likely to be most closely related to your security compliance standards?
A.NIST
B.CVE
C.JPCERT
D.US-CERT
A.NIST
Explanation:
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Its main focus is to promote innovation and to help organizations assess the risks they encounter. Its publications will be most closely related to your security compliance standards.
Japan Computer Emergency Response Team (JPCERT) coordinates with Japanese network service providers, security vendors, and government agencies to provide incident response. They also gather and disseminate technical information on computer security incidents and vulnerabilities and security fixes, and other security information, as well as issue alerts and warnings.
The U.S. Computer Emergency Readiness Team (US-CERT) is an organization that was established by the U.S. Department of Homeland Security to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate incident response activities. However, they do not provide security compliance standards.
Common Vulnerabilities and Exposure (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized description for each vulnerability or exposure, they are more of a dictionary than a database. CVE helps provide rankings on discovered vulnerabilities, but does not provide security compliance standards.
A penetration tester has been hired to perform a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five of them identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Which of the following would be the BEST suggestion for the client?
A.Implement the least impactful of the critical vulnerabilities’ remediations first, and then address other critical vulnerabilities
B.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.
C.Identify the issues that can be remediated most quickly and address them first.
D.Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.
B.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.
Explanation:
The client should fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. Correcting the most critical vulnerability would prevent an attacker from remotely compromising a system easily and possibly obtaining full control.
If the startup firm corrected the least impactful, quickest, or easiest vulnerabilities, then an attacker might be able to control and steal vulnerable information because the most critical vulnerabilities may not be handled.
Which of the following attacks can be prevented by properly shredding all sensitive documents?
A.Fence Jumping
B.Dumpster Diving
C.Tailgating
D.Piggybacking
B.Dumpster Diving
Explanation:
Dumpster diving occurs when someone goes through the trash in the dumpster looking for printed matter that might be helpful in an attack, such as network diagrams, phone lists, and organizational charts. It is best addressed by shredding all sensitive documents.
Piggybacking cannot be prevented by shredding all sensitive documents. Piggybacking is a social engineering attack that involves entering a facility you are not authorized to enter by following an authorized person through a door they have opened with the credentials stored on their key card.
Fence jumping cannot be prevented by shredding all sensitive documents. This can only be done by making the fence tall enough to discourage a determined attacker. Another option is to have the top of the fence strung with razor wire.
Tailgating cannot be prevented by shredding all sensitive documents. Often you will see the terms piggybacking and tailgating used synonymously. However, there is a subtle difference between the two. Piggybacking implies that the person who has opened the door with their credentials knows the individual following them in through the secure door. Tailgating means that an individual following through the door is unknown by the person with credentials.
You want to share the results of your Nmap with other members of your team. Which parameter stores scan results in Normal, XML, and Grep-able formats?
A.-oG
B.-oA
C.-oX
D.-oN
B.-oA
Explanation:
The -oA parameter of the Nmap command stores output in Normal, XML, and Grep-able output formats all at once. The following exhibit shows an example of this command:
The -oX parameter of the Nmap command changes the output behavior to an XML output. XML is easily parsed by software, which makes it preferred for many applications. The following is an example of this command:
The -oN parameter of the Nmap command changes the output behavior to normal output. It is meant to be read and analyzed by human users. The following is an example of this command:
The -oG parameter of the Nmap command changes the output behavior to a Grep-able output. This format is easy to manipulate with simple Unix tools. The following is an example of this command:
Which of the following is NOT likely to be carried out after a penetration test is completed?
A.Remove the tools installed during the test.
B.Remove accounts created for the test.
C.Disable all services used during the test.
D.Remove shells created during the test.
C.Disable all services used during the test.
Explanation:
Disabling all services used during the test is NOT likely to be carried out after a penetration test is completed. You should only disable those services that were explicitly enabled for the penetration test. All other services will likely be valid services running in the enterprise.
You should perform the following actions after completing a penetration test:
Remove shells created during the test.
Remove accounts created for the test.
Remove the tools installed during the test.
Recently you heard of an organization that suffered a man-in-the-middle attack leveraging fake certificates. You would like to use a technique that always verifies that the name on the certificate matches the name of the system attempting to use the certificate. What is this technique called?
A.DNSSEC
B.OCSP
C.certificate pinning
D.wildcard certificates
C.certificate pinning
Explanation:
Certificate pinning is a technique performed by a software client to authenticate public keys and help protect against man-in-the-middle attacks. It verifies that the CA name and/or the host name matches that on the certificate.
Domain Name System Security Extension (DNSSEC) is a form of DNS that makes additional checks of name resolutions. DNSSEC adds two important features to the DNS protocol, but does not prevent certificate issues.
Data origin authentication
Data integrity protection
Wildcard certificates are used to certify the identity of devices and users in multiple sub-domains of a domain. They are not used to enhance certificate security.
Online Certificate Status Protocol (OCSP) is an Internet protocol used to check the status of a certificate in real time, as opposed to using CRLs. It does not address the certificate issues described in the scenario.
To perform network reconnaissance, you use Nmap to perform a SYN scan. After completing this scan, you want to create more custom packets and gain more control over the traffic you are sending. Which tool should you use to do this?
A.DNSrecon
B.Scapy
C.Metasploit
D.Recon-ng
B.Scapy
Explanation:
Scapy is a program that enables users to create, adjust, modify, and send network packets. It allows the user to gain more control over the packets being sent.
Recon-ng is a tool built to conduct the initial phase in reconnaissance of an offensive security exercise. With Recon-ng you can configure options, perform recon and output results to different report types.
Metasploit is a framework used in penetration testing that probes systematic vulnerabilities on networks and servers.
DNSrecon is a tool used for DNS-oriented information gathering. It can perform various enumerations, such as zone transfers, domain brute force, and wildcard resolution.
You are attempting to execute an SNMP sweep. After identifying the correct SNMP community string, you find that several live systems do not respond.
Which of the following is NOT a reason a device may not respond?
A.The system is firewalled.
B.The system is offline.
C.An incorrect community string is being used.
D.The TCP three-way handshake is not completing.
D.The TCP three-way handshake is not completing.
Explanation:
Simple Network Management Protocol (SNMP) does not use the TCP protocol. Therefore, a failure of the three-way handshake is not a possible reason a device may not respond. SNMP uses UDP, not TCP.
Valid reasons why a system may not respond are:
An incorrect community string is being used.
The system is offline.
The system is firewalled.
The SNMP service is disabled.
You want to engage a pen testing company for a series of tests to be performed over the next two years. You do not want to negotiate with the company for each individual test. What type of document could you execute?
A.NDA
B.SOW
C.MSA
D.Rules of Engagement
C.MSA
Explanation:
A master services agreement (MSA) is used to set parameters for ongoing tests, each with their own SOW. Having a MSA on file means that penetration testers do not need to renegotiate terms for every test with established clients, and that companies can quickly create new SOWs with an established pen testing organization.
The statement of work (SOW) defines a number of details concerning a pen test, and must be unique to every pen test performed. It includes:
Timelines, including the report delivery schedule
Scope of the work to be performed
Location of the work (geographic location or network location)
Technical and nontechnical requirements
Cost of the penetration tests
Payment schedule
The non-disclosure agreement (NDA), which is signed by the tester, requires the tester to keep all company information private. It does not address the details of individual tests.
The rules of engagement specify allowed actions and allowed targets for an individual test. Their parameters are more specific than those contained in an MSA.
A network security analyst for the U.S. Department of Defense (DoD) is looking to gain information about a foreign adversary. What method should be used FIRST to collect and analyze information on this target?
A.Packet crafting
B.OSINT
C.Vulnerability Scanning
D.Port Scanning
B.OSINT
Explanation:
Open source intelligence (OSINT) refers to information collection without the need for any covert methods. This is often a good first step in reconnaissance or threat hunting. Typically, the information could be found on the Internet, and this type of collection can often start with a simple Google search.
Vulnerability scanning is running a tool against a target to see what vulnerabilities, or weaknesses, it may hold. A scanner will often actually use a tool like Nmap to perform the port scan process.
Packet crafting is the process of generating packets to test network devices. Packets are crafted to test IDS, TCP, Firewall, etc. It also helps to find inconsistencies and poor network protocol implementations.
Port scanning is a method to look for open, closed, or filtered ports. An open port represents an avenue into a network. That’s why it’s important to close any unnecessary or unused ports as part of the system hardening process.
You performed a pen test for a retail organization that processes credit card information. During the test you identified several sensitive credit card items were stored with other data that was widely available to users. What concept required by PCI-DSS would rectify this situation?
A.intrusion prevention systems
B.next generation firewalls
C.network segmentation
D.key management
C.network segmentation
Explanation:
Network segmentation, also referred to as data isolation, is one of the key requirements of PCI-DSS and calls for sensitive credit card data, such as PANs, to be stored apart from other sensitive items. In this way, if there is a breach, not every sensitive item can be readily available.
In general, when dealing with any compliance-based pen test, the penetration tester should verify the presence of the following best practices:
Data isolation
Secure key management
Proper password policies
While next generation firewalls and intrusion prevention systems are certainly an advisable addition to any network holding sensitive data, they are not requirements of PCI-DSS. The main goals of the PCI-DSS standard are as follows:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Your company carries out a penetration test on a regular basis. You are currently reviewing the report from the most recent penetration test. However, you recognize most of the findings as those that were reported in the last penetration test report. What does this indicate?
A.Different tools were used to perform the most recent penetration test.
B.The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test.
C.The current penetration test was not properly completed.
D.A different contractor was used to perform the most recent penetration test.
B.The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test.
Explanation:
If you recognize most of the findings in the report as those that were reported in the last penetration test report, then the appropriate mitigations for the vulnerabilities were not deployed after the last penetration test. If the mitigations had been deployed, the majority, if not all, of those vulnerabilities should be absent from the most recent report.
Using a different contractor or different tools would not cause the same vulnerabilities to show up. Often different contractors and tools are used to increase the likelihood that all vulnerabilities are discovered.
Discovering many of the same vulnerabilities as the last penetration test is not an indication that the penetration test was not properly completed. An improperly completed test is likely to show few to no vulnerabilities.
After completing a penetration test and reviewing the results, it is important for a company to ensure that mitigations are deployed for the vulnerabilities reported in the findings section. Failure to do so is negligent and can result in legal issues. Companies should implement a time frame wherein all mitigations should be implemented.
You want to detect the services running on a targeted host. Which of the following is the correct Nmap command?
A.nmap -sU -T4 192.168.1.1
B.nmap -sV -T4 192.168.1.1
C.nmap -sS -T4 192.168.1.1
D.nmap -sT -T4 192.168.1.1
B.nmap -sV -T4 192.168.1.1
Explanation:
The Nmap service identification command uses the -sV parameter. This gives information on which services are running, including mail or DNS server services. This could help determine the exploits to which a server could be vulnerable.
The -sS parameter of the Nmap command performs a SYN scan. It is an active scan which sends a TCP SYN packet, and does not require a full connection. Depending on the response (or lack thereof), you can determine the status of a port. The following graphic is an example of this command:
The -sT parameter of the Nmap command performs a TCP connect scan. It establishes a full TCP connection with the target. It is the default Nmap scan type when no command is specified. It should only be used when the user does not have permission to read/write raw packets. The following exhibit shows this command:
The -sU parameter of the Nmap command performs a UDP scan. It is used to enumerate DNS, SNMP, or DHCP servers, all of which require UDP packets for communication. The following exhibit shows this command:
A large retail company has hired a white-hat hacker to perform testing in order to detect vulnerabilities in the system. What technique would this hacker use to gather information in the most discreet manner possible?
A.Passive reconnaissance
B.OSINT
C.Active reconnaissance
D.Topology
A.Passive reconnaissance
Explanation:
Passive reconnaissance is a method of gathering information without interacting with the system, leaving little or no trace. This may include activities such as gleaning information from publicly available resources.
Active reconnaissance is a method which requires the tester to interact with a target system in order to gain information. This method can be very helpful, but there is risk of detection.
While open source intelligence (OSINT) may be used in passive reconnaissance, it is not a type of reconnaissance method. A webpage can be used to gather more information about a target. For example, the tester can search a public website for key company employees’ names and positions, employee emails and other contact information, and technical job openings which may reveal the type of network equipment or other valuable information. These are all details which aid the tester in passive reconnaissance and exploitation.
The network topology is a byproduct that will be learned about during the process of reconnaissance but it is not a reconnaissance technique itself.
The board is discussing the benefits of having a pen test performed. One of the members is concerned that the danger of the pen tester leaking information may outweigh the benefits of the test. What document could help allay these fears?
A.Permission to test document
B.SOW
C.NDA
D.MSA
C.NDA
Explanation:
The non-disclosure agreement (NDA), signed by the tester, requires the tester to keep all company information private.
The permission to test document is a critical document that explicitly authorizes you to attempt to penetrate the client’s network, system, or devices. These documents typically include the dates for which the permission is valid, the locations and types of systems to be penetrated, and the full title of the person authorized to grant permission. Its purpose is not to address confidentiality.
A master services agreement (MSA) is used to set parameters for ongoing tests, each with their own SOW. Having a MSA on file means that penetration testers do not need to renegotiate terms for every test with established clients, and that companies can quickly create new SOWs with an established pen testing organization.
The statement of work (SOW) defines a number of details concerning a pen test, and must be unique to every pen test performed. It includes:
Timelines, including the report delivery schedule
Scope of the work to be performed
Location of the work (geographic location or network location)
Technical and nontechnical requirements
Cost of the penetration tests
Payment schedule
- occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver
- occurs when IP addresses and host names are given out with the goal of traffic diversion
- occurs when a hacker tries all possible values for such variables as user names and passwords
- occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network
A. Brute force attack
B. DNS poisoning
C. Man-in-the-middle attack
D. Smurf
- C
- B
- A
- D
The attacks should be matched with the descriptions in the following manner:
Brute force attack - occurs when a hacker tries all possible values for such variables as user names and passwords
DNS poisoning - occurs when IP addresses and host names are given out with the goal of traffic diversion
Man-in-the-middle attack - occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver
Smurf - occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network
DNS poisoning is similar to ARP poisoning. With ARP poisoning, an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages on a network with the goal of traffic diversion.
You want to employ a Linux distribution mainly aimed at network security monitoring. Which Linux distribution would BEST support network security monitoring?
A.Skadi
B.DEFT
C.ADIA
D.Security Onion
D.Security Onion
Explanation:
Security Onion is a Linux distribution mainly aimed at network security monitoring. It also has other advanced forensic analysis tools.
The answer is not Skadi. Skadi is an all-in-one solution for parsing collected data. This makes the data easily searchable and allows searching across multiple hosts simultaneously.
The answer is not the Appliance for Digital Investigation and Analysis (ADIA). ADIA is an appliance with many tools aimed at digital investigation/acquisition. It is VMware-based.
The answer is not the Digital Evidence and Forensics Toolkit (DEFT). This tool is a Linux distribution mainly aimed at the collection of computer forensic evidence.
After being engaged by a client, you executed a SOW to perform a pen test. During the test, you were asked by the client to test an additional system that was not included in the original SOW. The original SOW was not revised and signed, and a new SOW was not executed. If you tested the additional system, what has occurred?
A.corruption of results
B.test dilution
C.task bleed
D.scope creep
D.scope creep
Explanation:
Pen tests are planned and carried out as formal projects. In project management, scope creep occurs when the original project plan is not followed precisely. It typically indicates the addition of tasks or initiatives not included in the original plan scope.
Usually when things are added to the project’s scope, it can be because the client is really happy with how it’s going. But it is essential that when this occurs, the original SOW is updated or a new one is executed to document the additional work. Also, do not be afraid to ask for additional funding when tasks are added to your scope.
Task bleed and test dilution are not terms used when discussing project management and pen tests.
You need to perform a penetration test. You have decided to use an automated vulnerability scanner. What should you check for when the test is complete?
A.False positives
B.Speed and frequency
C.People’s feelings
D.Detection
A.False positives
Explanation:
A.False positives