Pocket Prep CompTIA Pentest+ Flashcards
Alex is writing a python script to test multiple credentials against a login page.
How would Alex loop the credential testing function?
A. user = user++ user.connect(target)
B. if user in creds: connect (target,user)
C. user = creds connect user, target
D. for user in creds: connect(target,user)
D. for user in creds:
    connect(target,user)
Explanation:
A simple method of iterating over a list is the "for loop".
The code above calls the connect(target,user) function once for each user found in the creds list.
Which of the following describes the process of deconfliction?
A. A change management process for remediating vulnerabilities
B. A communication process of sorting out pentesters' artifacts from real compromise
C. A risk assessment process
D. A vulnerability scanning process with limited impact
B. A communication process of sorting out pentesters' artifacts from real compromise
Explanation:
Communication with the client provides the ability for deconfliction, which is the process of sorting out pentesters' artifacts from real-world compromise.
This limits the risk of the pentester becoming the scapegoat in case of business impact.
Alex is preparing for a pentest, but the client has a network access control in place that would prevent most, if not all, of Alex’s packets during testing.
What can be done to enable the testing?
A. Devices behind the firewall can be excluded from the testing scope
B. Alex can test out of office hours
C. The client can disable the firewall
D. The client can make a security exception in the NAC
D. The client can make a security exception in the NAC
Explanation:
Sometimes a security exception at the network layer is needed to enable a pentester to complete their tests.
During reconnaissance, Ryan identified a service running on the remote host with an older version.
Where would Ryan look for an exploit for this version?
A. Kali Linux website
B. Exploit-DB website
C. SANS website
D. OWASP website
B. Exploit-DB website
Explanation:
Exploit-DB is a huge database with extensive lists of exploits for many different kinds of software.
They maintain up-to-date lists of exploits and POCs for older and newer versions of software.
Alex is asked to perform a pentest against a web application.
Part of her task involves software assurance.
She has identified 11 dynamic parameters on the web app that need testing.
Which method should she start with?
A. Directory traversal
B. Spear phishing
C. Fuzzing
D. Code injection
C. Fuzzing
Explanation:
In this type of testing, Alex is evaluating how well a website or web application processes and filters user-supplied input.
Web fuzzing is a technique that provides invalid or random data as input to form fields, URL parameters and so forth, in an effort to elicit an error or an unintended response that could reveal a potential injection flaw.
In what situation would a goal reprioritization likely occur?
A. When a critical target is successfully exploited
B. When new systems are added to the environment
C. Every time the scope changes
D. If third-party malware or traces of compromise are found during testing
D. If third-party malware or traces of compromise are found during testing
Explanation:
During the pentest you may discover malware, malicious binaries, or services running on servers that neither you nor the client created.
These indicators of prior compromise should be brought to the client's attention immediately, because goal reprioritization may be necessary to properly plan for and address the new problem.
Where would a regular vulnerability scan be mandated within an organization?
A. In the legal disclaimers
B. In the corporate policy
C. In the corporate goals
D. In a change management procedure
B. In the corporate policy
Explanation:
Even though it is not a regulatory requirement, many organizations mandate vulnerability scanning in their corporate policy.
Through reconnaissance, Alex has identified a group of top-ranking managers in his targeted organization.
His next move is to send all of them a specially crafted email that contains a malicious attachment in the form of an Excel financial report.
What type of attack is Alex using?
A. Spear phishing
B. XSS
C. CSRF
D. Whaling
D. Whaling
Explanation:
Whaling is a spoofed-email attack used to target members of an organization who hold credentials and access to the types of resources that could cause catastrophic damage to a business if compromised.
Alex is preparing the remediation section of her report.
The issue in question is an authentication service open to the Internet.
This is at risk of brute-force attacks and Alex needs to address it.
Which suggestion would best fit the given situation?
A. Using cookies
B. Implementation of multifactor authentication methods
C. Changing the default service port to one less frequently used
D. Enabling PAM (Password Authentication Manager)
B. Implementation of multifactor authentication methods
Explanation:
Adding a PIN from a third-party device or a private key along with a password would apply an additional layer of security to the authentication mechanism.
During a pentest, Erik notices that the website manages sessions using session tokens.
However, he believes that those tokens could be a potential weakness and would like to test the entropy or weak attributes.
Within Burp Suite Pro, which plugin would be able to perform the analysis?
A. Burp Decoder
B. Burp Sequencer
C. Burp Repeater
D. Burp Intruder
B. Burp Sequencer
Explanation:
Burp Sequencer is a tool for analyzing the quality of randomness in a sample of data items.
You can use it to test an application's session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
Burp Intruder is a tool for automating customized attacks against web applications.
It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.
Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP and WebSocket messages and analyzing responses.
You can use Repeater for all kinds of purposes, such as changing parameter values to test for input-based vulnerabilities, issuing requests in a specific sequence to test for logic flaws, and reissuing requests from Burp Scanner issues to manually verify reported issues.
Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms.
It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Jenny is performing a pentest and she managed to gain access to a Windows host.
What tool should she consider using in order to extract credentials from the Windows host?
A. netcat
B. Mimikatz
C. PowerShell
D. WMIC
B. Mimikatz
Explanation:
Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets.
Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets.
This makes post-exploitation lateral movement within a network easy for attackers.
Wrong Answers:
Netcat is a computer networking utility for reading and writing to network connections using TCP or UDP.
The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
The Windows Management Instrumentation Command line (WMIC) is a software utility that allows users to perform Windows Management Instrumentation (WMI) operations from a command prompt.
PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and an associated scripting language.
What is the downside of injecting malicious code into a legitimate service using Meterpreter?
A. The malicious code is easily detected
B. The malicious code might be spotted by AV
C. The malicious code will likely not survive a reboot
D. It is impossible to control the malicious code once it is injected into a legitimate service
C. The malicious code will likely not survive a reboot
Explanation:
Having the malicious code injected into a service (legitimate or not) means the code runs from that service's memory space, but it does not provide persistence.
If the machine is rebooted, the service will be restarted, but the malicious code will not be executed again.
When would be an appropriate time for system hardening to take place?
A. At the initial system setup
B. Before any pentest engagement
C. After every pentest that finds critical vulnerabilities
D. When the system is initially deployed and on a regular basis after that
D. When the system is initially deployed and on a regular basis after that
Explanation:
Administrators should initially set up the host with system hardening in mind.
They should repeat this process on a periodic basis and reconfigure the systems as business needs change.
What type of attack is the following request?
https://target.com/login.php?user=James&pass=test'or'1'='1
A. Credentials brute-force
B. Cross-site scripting
C. Weak credentials attack
D. SQL injection attack
D. SQL injection attack
Explanation:
SQL injection is a method where a malicious user creates an always-true condition, such as OR 1=1, and passes it in the username or password field of the HTML form.
Alex is about to conduct a pentest.
The client has informed her that a large percentage of their services are hosted in the AWS cloud.
What requirements would have to be fulfilled before Alex proceeds with the test?
A. A third-party authorization
B. The pentest should be declined due to the third party
C. An NDA with the third-party provider
D. A new pentest agreement with the third-party provider
A. A third-party authorization
Explanation:
In cases where a third-party provider is involved, additional authorization is required from that particular provider.
Kayla is pentesting a web application.
She managed to find a search parameter and, after poking around, she got the following message from the server.
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''"
What kind of potential vulnerability has Kayla found?
A. Sensitive Data Exposure
B. Directory Traversal
C. Cross-Site Scripting (XSS)
D. SQL Injection
D. SQL Injection
Explanation:
A SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
It generally allows an attacker to view data that they are not normally able to retrieve.
This error message is generated by the SQL server, suggesting that the initial request did reach the SQL server and was executed.
However, due to the way the request was structured, the query produced an error.
It is likely that a properly structured SQL query will succeed in extracting data from the database.
Incorrect Answers:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Directory Traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
Sensitive Data Exposure differs from a data breach, in which an attacker actively accesses and steals information.
Patrick has gained access to a corporate Wi-Fi network.
He is using Kali Linux and is going to execute a man-in-the-middle attack.
Which of the following is his best choice to execute this attack?
A. Nmap
B. Ettercap
C. Nikto
D. Aircrack-ng
B. Ettercap
Explanation:
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.
It can be used for computer network protocol analysis and security auditing.
It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows.
It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Your client needs to verify the successful implementation of limited network access and limited storage access for part of their environment.
What sort of assessment would that be?
A. Compliance-driven assessment
B. Goal-based assessment
C. Vulnerability scanning
D. Black box assessment
A. Compliance-driven assessment
Explanation:
Limited network access and limited storage access are common conditions in PCI compliance, for example.
This usually applies to specific systems involved in transaction processing and to other specific services.
In Burp Suite Pro, when you want to replay a request but change some of the parameters, which module will you use?
A. Extender
B. Sequencer
C. Scanner
D. Repeater
D. Repeater
Explanation:
Using the Repeater, you can replay any specific request and change all of its properties as well as the type of the request: GET/POST, etc.
The Extender is used to add extensions to your Burp setup.
Burp Sequencer is a tool for analyzing the quality of randomness in a sample of data items.
Burp Scanner is a tool for performing automated scans of websites.
John is listing out his findings in the pentest report.
For each finding, John has provided the following:
Finding ID, Vulnerability, Risk Rating, Remediation, Reference
A. Source
B. Exploit
C. Impact
D. Results
C. Impact
Explanation:
For each finding, the pentest report should also include its impact.
This could include the criticality level (low, medium, high or critical).
Which of the following is mandatory for a compliance scan?
A. Involve a compliance officer
B. Scan all registered ports
C. Test the environment against the security standards
D. Sign an NDA
C. Test the environment against the security standards
Explanation:
Compliance-based assessments audit an organization's ability to follow and implement a given set of security standards in an environment.
Many industry standards affect and regulate the way sensitive data may be protected, stored and processed within an information system.
Apart from criticality of the impacted system, what other measures should be considered when prioritizing mitigation actions?
A. Whether a POC is available for free on the internet
B. OS of the vulnerable system
C. Difficulty of remediating the vulnerability
D. How long it takes to exploit the vulnerability
C. Difficulty of remediating the vulnerability
Explanation:
If fixing a vulnerability will require a very large commitment of human or financial resources, that needs to be considered when prioritizing mitigation steps.
George went through the following path of exploitation to successfully gain access to a targeted host:
He initially scanned the host, found a vulnerable DB service leaking some credential information and used those creds to authenticate to the DB.
Using the DB access, he managed to create a backdoor on the system and finally obtained access to it.
What is this string of attacks called?
A. Exploit chaining
B. Black box testing
C. White box testing
D. Vulnerability scanning
A. Exploit chaining
Explanation:
Exploit chaining is the process of using multiple exploit methods and techniques in sequence in order to successfully compromise the host.
While testing, Rob was able to exploit a SQL injection on the client's website.
He was able to generate a POC.
Should Rob inform the client of the vulnerability at this stage, or should he wait and present it in the final report?
A. All findings are listed in the final report; there is no need to contact the client during the testing
B. SQL injection is not critical enough to be communicated to the customer before the final report
C. It's good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding
D. All findings, large or small, should be reported as soon as they are identified
C. It's good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding
Explanation:
High criticality findings are usually reported to the client the moment they are discovered.
The client might need to take some action or provide guidance on further testing of those vulnerabilities.
Findings with a low, medium or informational classification are usually only reported in the final report.
Those do not require an immediate response from the client.