Domain 1: Planning & Scoping

Question 1

What are the 5 Domains covered in the Pentest+ Exam?

Answer 1

1. Planning & Scoping
2. Information Gathering & Vulnerability Identification
3. Attacks & Exploits
4. Penetration Testing Tools
5. Reporting and Communication

Question 2

What is a methodology?

Answer 2

This is a system of Methods used in a particular area of study or activity.

ie. Systematic approach

Question 3

What are the steps to the pentest methodology?

Answer 3

This has 4 steps:

1. Planning & Scoping
2. Info Gathering & Vulnerability Identification
3. Attacks and Exploits
4. Reporting & Communication

Question 4

Are the steps for the ethical hackers methodology and pentest methodology the same?

Answer 4

No, these two methodologies have different steps.

Question 5

What is NIST 800-115?

Answer 5

This is a US government recommended methodology on how pentesting should be done.

Question 6

What are the steps to NIST 800-115?

Answer 6

This includes the steps:

1. Planning
2. Discovery
3. Attack (additional discovery)
4. Reporting

Question 7

What are the three factors that go into planning a penetration test? Or any project?

Answer 7

These three factors go into this:

1. Time
2. Cost
3. Quality

Question 8

What are good questions to ask about the target?

Answer 8

What does the business do?

What are their objectives?

Question 9

When planning a penetration test, what are several important considerations? Name 4.

Answer 9

When planning this, important considerations include:

1. Who is the target audience?
2. Budgeting
3. Resources and Requirements
4. Communication Paths
5. What is the End-state?
6. Technical Constraints
7. Disclaimers

Question 10

What are two key disclaimers to include for a pentest?

Answer 10

These are needed during a pentest:

1. Point-in-Time Assessment
2. Comprehensiveness (How complete, Which parts of the org?).

Question 11

What are Rules of Engagement (ROE)?

Answer 11

These are the ground rules that both organizations are going to play by.

Question 12

What are the 5 key areas of ROE?

Answer 12

This is made up of 5 key areas:

1. Timeline
2. Locations
3. Time restrictions
4. Transparency
5. Test Boundaries

Question 13

With respect to legal restrictions, what should you always do before conducting a penetration test?

Answer 13

Because of this, you should always consult your attorney before conducting any penetration test.

Question 14

Under what US code is Hacking covered?

Answer 14

This is covered under US code, Title 18, Chapter 47, Sections 1029 & 1030. (Crimes & Criminal Procedure)

Question 15

Do black hat hackers obtain written information?

Answer 15

No, these types of hackers do not obtain written information.

Question 16

If you’re asked to conduct a penetration test on servers in the cloud that a company does not own, what is needed?

Answer 16

To conduct a penetration test on in this scenario, you’ll need third-party authorization.

Question 17

What does SOW stand for?

Answer 17

This stands for Statement of Work

Question 18

What does MSA stand for?

Answer 18

This stands for Master Service Agreement

Question 19

What does NDA stand for?

Answer 19

This stands for Non-Disclosure Agreement

Question 20

What does the SOW involve?

Answer 20

This is a formal document that includes the scope of what will be performed during the penetration test.

Question 21

What does the MSA involve?

Answer 21

This is the contract where parties agree to the most of the terms that will cover future actions

Question 22

What does an NDA involve?

Answer 22

This is a legal contract that outlines confidential material or information That will shared during the assessment and what restrictions are placed on it.

Question 23

what is the WASSENAAR agreement? What would be an example?

Answer 23

This precludes the transfer of technology considered ‘dual-use’. Encryption falls under this restriction.

Question 24

What are the three testing strategies within pentesting?

Answer 24

There are three testing strategies:

1. Black-box
2. White-Box
3. Gray-Box

Question 25

What are some characteristics of Black-box pentesting?

Answer 25

These are some characteristics of this type of pentesting:

• No prior knowledge of target or network
• Simulates outsider attack
• Only focuses on what external attackers see and ignores insider threat
• takes more time and is much more expensive

Question 26

What are some characteristics of White-Box Testing?

Answer 26

This type of tests has the following characteristics:

• full knowledge of network, systems, and the infrastructure
• Spend more time probing vulnerabilities and less time gathering information
• Tester is given support resources from the the organization

Question 27

What is another name for a White-box test?

Answer 27

This is also called a ‘full-knowledge’ test.

Question 28

What is another name for Gray box testing?

Answer 28

This is also know as a partial knowledge test

Question 29

What are some characteristics of Gray-box pentesting?

Answer 29

This type of test has the following characteristics:

• Partial knowledge of target (may include for example, IP ranges)
• Can be used as an internal test to simulate an insider attack with minimal knowledge
• Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities

Question 30

When are support resources provided?

Answer 30

These are generally only provided during a white-box penetration test.

Question 31

What is an architectural diagram? What is it’s purpose?

Answer 31

These can be network diagrams, software flow charts, or physical maps. It’s purpose is to assist the tester in mapping out network topologies, locations of switch closets, and locate key information.

Question 32

What is a sample application request?

Answer 32

This is used when doing web app or software testing. This will provide sample input and expected output.

Question 33

What is SDK documentation?

Answer 33

This is a Software Development Kit and it provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app or platform.

Question 34

What does SOAP stand for?

Answer 34

This stands for Simple Objective Access Protocol.

Question 35

Where are SOAP project files created?

Answer 35

These files are created from WSDL files or a single service call.

Question 36

What is SOAP?

Answer 36

This is a messaging protocol specific for the exchange of structured information in the development of web services.

Question 37

What is Swagger Documents?

Answer 37

This is an open sourced framework with a large system of tools to help design, build, document, test, & Standardize REST web services.

Question 38

What is REST ?

Answer 38

Representational State Transfer has been replacing SOAP in most web applications in recent years. It is a web application architectural style based on HTTP. Allows a lot less communication between server and web client.

Question 39

What does WSDL stand for? What does it do?

Answer 39

Web Services Description Language. Used for describing the functionality offered by a particular web service such as a SOAP server. It is flexible and allows binding options. NOT useful for web REST services with WSDL 1.1.

Question 40

What does WADL stand for? What is it used for?

Answer 40

Web Application Description Language. XML based machine readable description of HTTP-based web services. Easier to write than WSDL, but not as flexible. Typically used for REST Services.

Question 41

What does XSD stand for? What is it?

Answer 41

XML Schema Definition. Is a W3C recommendation that specifies on how to formally describe elements within XML documents. Allows you to push boundaries of Web Application.

Question 42

What is a goal-based pentest?

Answer 42

This type of test has a specific goal in mind that is outlined prior to the test

Question 43

What is an objective based pentest?

Answer 43

This type of pentest Seeks to ensure information remains secure.

Question 44

What is complianced based assessment?

Answer 44

This type of assessment is to ensure policies or regulations are being followed properly

Question 45

What does it mean to conduct a redteam pentest?

Answer 45

This type of test is conducted by internal pentesters during a security exercises.

Question 46

How would you describe Advanced Persistent Threats?

Answer 46

• Great Capability and intent
• Target orgs for business or political motives
• Highly covert over long-periods of time

Question 47

What is the concept of threat modeling?

Answer 47

This concept asks Who are you trying to emulate?

Question 48

How many tiers of adversaries are there?

Answer 48

There are 6 of these

Question 49

How is the tier of adversaries structured?

Answer 49

This is structured in a way that is positively correlated as the tier number increase. More money, more time, more skill the higher the tier.

Question 50

What are some considerations for target selection? Name 4

Answer 50

This involves the following considerations:

• Internal or External
• First-party or third-party hosted
• Physical
• users
• SSIDs
• Applications

Question 51

What is tolerance to impact?

Answer 51

This is the impact of operations during a pentest.