Pentest+ Practice Exam Chapter 11 Physical Penetration Testing (Jonanthan Ammerman) Flashcards
Which cryptographic side-channel attack is used to retrieve encryption keys or other data remnants from an operating system and is accomplished by hard rebooting the target system and loading a lightweight OS controlled by the attacker, from which the pre-boot contents of system RAM are written to a file to be parsed later?
A. Cold boot attack
B. Timing attack
C. Replay attack
D. Power-monitoring attack
A. Cold boot attack
Explanation:
A cold boot attack exploits data remanence in RAM: memory does not lose its contents the instant power is removed, so data can remain recoverable even after a reboot. While RAM is meant to be volatile (that is, its contents are meant to degrade quickly), tests have observed cases where data could be recovered from RAM modules anywhere from seconds to minutes after power loss.
Which physical hardware standard was designed to allow manufacturers to connect to completed embedded systems and printed circuit boards in order to facilitate debugging and other testing, but can be leveraged by attackers or penetration testers to obtain information or shell access to a given device to which they have physical access?
A. JTAG
B. 9-pin serial
C. USB-C
D. USB 3.0
A. JTAG
Explanation:
JTAG (named for the Joint Test Action Group, which established the standard) is an IEEE standard that defines a means of physical connection to hardware for debugging and other testing. B, C, and D are incorrect. B is incorrect because a 9-pin serial connection (using a DE-9 connector) is a communication interface used to transfer information to and from various devices, such as modems or terminals, and has no use from a debugging standpoint. C and D are incorrect because USB connectors are newer data transfer ports that can also provide power. While in some cases USB connections are used for debugging (on many Android devices, for instance), these are specialized implementations of USB connectivity, as USB was not explicitly designed to provide hardware debugging capabilities.
Which system access method is typically used by systems administrators to interact with systems that are locked up or unresponsive over the network, but can often be leveraged by an attacker with physical proximity to a system to obtain information or reset system passwords, such as by rebooting a Linux server into single-user mode?
A. JTAG
B. Multi-mode fiber
C. IPMI
D. Serial console
D. Serial console
Explanation:
A serial console connection establishes a direct, point-to-point connection between the server and another system. In practice, this often means a serial connection is used to troubleshoot a system when it is unavailable over the standard network.
A is incorrect because JTAG is an IEEE standard that defines a means of physical connection to physical hardware for debugging and other testing. B is incorrect because multi-mode fiber is a physical connection medium that uses pulses of light to transmit data. C is incorrect because IPMI (Intelligent Platform Management Interface) is a set of specifications for system consoles and subsystems that facilitates system management (such as remote console access) and monitoring of individual host system details.
Which technique used in physical penetration testing aims to obtain unauthorized access to a secured location, frequently by exploiting the helpfulness or kindness of legitimate employees?
A. Shoulder surfing
B. Pretexting
C. Tailgating
D. Waterholing
C. Tailgating
(This is an incorrect answer by the textbook: if an employee knows they are allowing the pentester access, this would be piggybacking. Tailgating is following an employee through a door without their knowledge.)
Which physical penetration testing practice is used to obtain unauthorized access to an area that has been cordoned off and, in the broadest sense, effectively describes methods used to entirely bypass access control mechanisms?
A. Gatecrashing
B. Fence jumping
C. Lock picking
D. Backdooring
B. Fence jumping
Explanation:
The technique described is called fence jumping and often literally involves climbing a fence or a wall. Rather than attempt to breach an access control point (typically guarded by security personnel, secured by access badge restrictions, or heavily monitored electronically), fence jumping breaches a barrier directly.
What is the practice of searching through a target’s trash in the hope of finding information that may be of value during a penetration test, such as passwords, usernames, or meeting information that can help when establishing a pretext for a physical penetration test?
A. Dumpster diving
B. Tailgating
C. Bumping
D. Waterholing
A. Dumpster diving
Explanation:
The technique described is dumpster diving. It is not at all uncommon for users to write down usernames and passwords or other sensitive information and then simply throw the paper in the trash instead of shredding or otherwise destroying it properly. Because of this, dumpster diving can often produce a wealth of information of value to a penetration tester.
Many devices used to deploy defense in depth in a physical environment rely on automated detection systems. Which of the following methods would be the best way for a physical penetration tester to attempt to bypass a temperature monitoring sensor?
A. Slowly covering the sensor with a thin sheet of cardboard
B. Cutting the power feed to the sensor device
C. Having an associate spray the penetration tester with a CO2 fire extinguisher, letting the blast mask that person’s heat signature long enough to get past the sensor
D. Carrying a sheet of Styrofoam or other insulating material to block the penetration tester’s body from the scanner
A. Slowly covering the sensor with a thin sheet of cardboard
Explanation:
A is correct, although some caution is warranted here. Blocking a sensor from outside its line of sight can be viable, but it can also be difficult and can lead to the penetration tester’s actions being discovered if a second sensor is watching the blind spot of the first.
Which penetration testing technique uses a high-gain antenna to pull information from employee RFID access cards, which may then be copied later to blank cards for use by a penetration tester?
A. Badge cloning
B. Replay attack
C. Evil twin
D. Shoulder surfing
A. Badge cloning
Explanation:
The practice described is badge cloning. More advanced badge cloning operations have been seen to leverage high-gain antennas, which can read at a distance of up to 10 meters (depending on the frequency in use by the badges at the facility), attached to a drone piloted outside of a facility close to the windows in an attempt to pull badge data from afar.
Which physical security mechanism serves as an access control point by using multiple sets of doors, which can both prevent unauthorized access to an inner boundary and contain an individual attempting to breach security after they pass through the first door?
A. Badge scanner
B. Mantrap
C. Biometric reader
D. Deadbolt
B. Mantrap
Explanation:
The mechanism described is a mantrap. With multiple sets of doors, ingress is slowed to the point that personnel monitoring electronically can trip the locks on the doors in question if something is determined to be amiss with the credentials or demeanor of the individual traversing the access point, effectively trapping them between two doors they cannot open. The security of the inner perimeter is maintained, and a suspicious or inadequately credentialed individual is locked in until security personnel can address the situation.
Which physical security mechanism introduces a human element to a physical penetration testing scenario and is one of many reasons to establish a solid pretext before beginning a physical penetration testing engagement?
A. Motion detectors
B. Security guards
C. Fences
D. Third-party hardware hosting
B. Security guards
Explanation:
Security guards are the ever-present human element in an organization’s physical security posture. Guards are generally posted at access control points or patrol a perimeter boundary, serving as a deterrent to crime or unauthorized entry, but being human leaves them as susceptible to deception as anyone else. A well-developed and internalized pretext can go quite far toward bypassing the security a human guard is intended to provide.