prep Flashcards

1
Q

Why perform a penetration test?

A

A pentest gives you information about your systems' vulnerabilities, how probable a successful attack against your infrastructure is, and how you can protect yourself against potential security breaches in the future.

2
Q

What is a pentest vs. a vulnerability assessment?

A

With vulnerability testing, one is simply scanning for any weaknesses that may reside in any component of the IT Infrastructure. In a pentest, a full-scale cyber-attack or series of cyber-attacks is launched with explicit permission from the client (or whoever is requesting it) in order to specifically find any types or kinds of gaps that have not yet been discovered by the IT security staff.

3
Q

What are some of the most common network security vulnerabilities that a pentester comes across?

A

  • The use of extremely weak passwords in the network security tools themselves, which include routers, firewalls, network intrusion devices and so on. Very often, business entities are in a rush to deploy these kinds of technologies and forget to create a robust and secure password, so they keep using the insecure default one set up by the vendor
  • Implementing security patches on the wrong servers and related network components. There are also times when a security patch is installed on the right machine but not configured properly, thus leaving it wide open to a cyber-attack
  • The misconfiguration of network devices, as described previously
  • The use of infected portable media devices (primarily USB drives) that are inserted into a server or other related network components
  • The lack of a coherent network security policy; even if one was implemented, compliance is still a huge issue

4
Q

What network ports are commonly examined in a pentesting exercise, and what tool can be used for this?

A
HTTPS (Port #443)
FTP (Port #’s 20 & 21)
NTP (Port #123)
SSH (Port #22)
HTTP (Port #80)
Telnet (Port #23)
SMTP (Port #25)
5
Q

What are some ways to avoid brute force attacks?

A

Stop authentication after a certain number of failed attempts and lock the account

6
Q

What is the difference between asymmetric and symmetric encryption?

A

Symmetric encryption uses the same key for encryption and decryption. Asymmetric encryption uses two different keys (a public key and a private key).

7
Q

What is a cookie?

A

A piece of information received from a web server and stored in a web browser, which can be read at any time later.

8
Q

What are the types of cookies?

A

Session cookies, which are temporary and last only for the session, and persistent cookies, which are stored on the hard disk drive and last until their expiry or until they are manually removed.

9
Q

How does SSL/TLS work?

A

Steps

  1. The user initiates the connection by typing the website address. The browser initiates SSL/TLS communication by sending a message to the website's server
  2. The website's server sends back its public key or certificate to the user's browser
  3. The user's browser checks the public key or certificate. If it is OK, it creates a symmetric key and sends it back to the website's server. If the certificate is not OK, the communication fails
  4. On receiving the symmetric key, the website's server sends the keys and the encrypted requested data
  5. The user's browser decrypts the content using the symmetric key and completes the SSL/TLS handshake. The user is able to see the content and a connection is now established
10
Q

What is SQL injection?

A
  1. occurs when an attacker is able to inject SQL queries via the input data of an application
  2. a successful attack allows an attacker to access and manipulate the backend database
11
Q

How do you prevent SQL injection?

A
  1. use parameterized queries
  2. alternatively, input can be validated before being used in queries
  3. don't concatenate user-controllable input with application SQL to form the query sent to the database
  4. apply white-list validation on all user input
12
Q

what is broken authentication?

A

Occurs when an application improperly verifies the identity of a user.
This can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information.

13
Q

How do you prevent broken authentication?

A
  • beware of insufficient or missing authentication checks that may allow a user to access functionality without supplying correct credentials
  • don't expose session IDs in the URL
  • implement multi-factor authentication
  • don't use user IDs or predictable sequential values as session IDs. Instead, use a secure server-side session manager that generates a random session ID with high entropy
14
Q

What is sensitive data exposure?

A
  • a vulnerability where developers expose sensitive user data to unauthorized people like hackers or other third parties
  • usually occurs when developers don't pay attention to where and how data is being used within their applications and systems
15
Q

How do you prevent sensitive data exposure?

A
  • identify where and how data is used and combined
  • prevent sending unnecessary data to users
  • secure GDPR, PCI, and PII data through encryption
16
Q

What are XML External Entities (XXE)?

A
  • XXE injection can be used against web applications that parse XML input
  • an attacker is able to submit XML that makes use of references to external entities
  • the attack occurs when the XML processor handles the input

An attacker may be able to read arbitrary files from the server, perform internal port scanning originating from the server, and cause other system impacts such as a denial of service.

17
Q

How can you prevent XML External Entities (XXE)?

A
  • sanitize user input through filtering or validation
  • XML parsers should disable support for external entities (DTD)
  • never trust user input
  • apply application-wide filters or sanitization on all user-provided input
  • apply white-list input validation
  • disable external entities (DTD) completely
18
Q

What is broken access control?

A

Occurs when users can perform functions they have not been authorized for, or when resources can be accessed by unauthorized users.

Caused by missing function-level access controls: either access checks have not been implemented, or a protection mechanism exists but is not properly configured.

19
Q

How can you prevent broken access control?

A
  • protect all business functions using a role-based authorization mechanism, server side
  • authorization should be implemented using centralized authorization routines
  • deny access by default
  • implement authorization using a role-based mechanism
20
Q

What are the 3 types of XSS?

A

persistent/stored, reflected, DOM

21
Q

What is stored/persistent XSS?

A

steps

  1. the attacker discovers a website with a vulnerability that enables script injection
  2. the attacker injects the website with a malicious script that steals each visitor's session cookie
  3. on each visit to the website, the malicious script is activated
  4. the visitor's session cookie is sent to the attacker
22
Q

What is DOM-based XSS?

A

A vulnerability where developers introduce XSS on the client after the page has been loaded, through a change in the DOM environment.

23
Q

What are the phases in the penetration testing lifecycle?

A

The main phases are: planning and reconnaissance, where the goals, timeline and scope are defined and initial information is gathered; enumeration, where active scans and tests are performed to identify any vulnerabilities; exploitation, where access is gained through the vulnerabilities discovered during enumeration; post-exploitation, where an effort is made to maintain the access previously gained (through new users or backdoors) and to elevate the current privileges; and reporting, where all of the findings, risk ratings and relevant remediations are added to a final report. Afterwards a cleanup is necessary to remove any new user accounts, backdoors or exploits.

24
Q

How would you rate vulnerabilities during a penetration test?

A

In order to rate a vulnerability, a risk matrix is used and a risk level is calculated based on the likelihood and consequence of a given issue.

25
Q

What is DNS?

A

The Domain Name System (DNS) is a service used to translate domain names to the numerical IP addresses needed for locating and identifying computer services, for example 142.250.69.196 is translated to www.google.com. It runs on port 53.

26
Q

What is ARP?

A

The Address Resolution Protocol (ARP) is used for discovering the MAC address associated with a given internet layer address, typically an IPv4 address.

27
Q

What is RDP?

A

The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. It runs on port 3389.

28
Q

What is a MAC address?

A

The media access control (MAC) address is a unique identifier assigned to a network interface that is required to be able to communicate with the rest of the network.

29
Q

What is a firewall and how does it work?

A

A firewall is a network security device that has the ability to either monitor or filter incoming or outgoing network traffic based on pre-defined rules.

30
Q

What is the difference between an IDS and an IPS?

A

The main difference between them is that IDS is a monitoring system, while IPS is a control system. IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

31
Q

What is the difference between encoding, hashing and encrypting?

A

Encoding takes a clear-text string and turns it into an encoded string, which can easily be decoded; it is used to preserve the usability of the information. An example is base64. Hashing takes a clear-text string and turns it into a hash, which will always be the same length regardless of the clear-text string used; it is a one-way operation and therefore cannot be reversed. It is used to validate the integrity of information or to store sensitive data. An example is MD5. Encryption takes a clear-text string and turns it into an encrypted string through the use of a key; it can be reversed by knowing the algorithm used and the key. It is used to secure confidential information. An example is RSA.

32
Q

What is salting and what is it used for?

A

Salting is a technique that adds random data as an additional input when hashing data. Salting makes it harder for attackers to crack a hash, as the salt is appended to the password before it is hashed, creating a much longer hash.

33
Q

In what format are Windows and Linux hashes stored?

A

Windows hashes are stored using NTLM, and they used to be stored with LM. Linux passwords are normally hashed using SHA-256 or SHA-512; in older versions they are hashed with Blowfish or DES.

34
Q

Where are Windows and Linux hashes stored, how can you retrieve them?

A

Linux hashes are stored in /etc/shadow; they used to be stored in /etc/passwd and can still be stored there if required. In Windows, NTLM hashes are stored in the SAM hive, and the boot key, which is stored in the SYSTEM hive, is required to obtain them. Both hives are stored in C:\Windows\System32\config.

35
Q

What are SUID and sudo?

A

SUID is a Unix file permission that can allow users to run a command or a script as the owner of the file, rather than as the user executing it. sudo is a Unix feature that allows users to run scripts or commands as another user, by default the root user.

36
Q

What is Kerberos and how does it perform authentication?

A

Kerberos is an authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. When authenticating, Kerberos uses symmetric encryption and a trusted third party which is called a Key Distribution Center (KDC). At the moment of the authentication, Kerberos stores a specific ticket for that session on the user’s machine and any Kerberos aware service will look for this ticket instead of prompting the user to authenticate through a password.

37
Q

How can DNS and ARP be exploited by attackers?

A

ARP spoofing or ARP cache poisoning is an attack in which an attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. The attack can only be used on networks that use ARP, and requires that the attacker have direct access to the local network segment being attacked. DNS spoofing, also referred to as DNS cache poisoning, is a form of attack in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address; attackers can exploit this to receive information that was not intended for them.

38
Q

What is a buffer overflow?

A

A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Attackers can intentionally feed input that the buffer cannot store and overwrite areas that hold executable code, replacing it with their own code and therefore executing arbitrary code on the target system. There are two main types of buffer overflows: stack based, which is more common and easier to perform, and heap based, which is less common and harder to perform.

39
Q

What is the difference between brute-force and dictionary attacks?

A

Brute-force attacks try a list of possible passwords that are generated during the attack based on pre-defined rules, whereas dictionary attacks use a list of known or commonly used passwords stored in a file.

40
Q

What is a golden ticket attack?

A

A golden ticket attack allows an attacker to create a Kerberos authentication ticket from a compromised service account, called krbtgt. By using the NTLM hash of the compromised account an attacker can create fraudulent golden tickets. These tickets appear pre-authorized to perform whatever action the attackers want without any real authentication.

41
Q

What is a common misconfiguration of FTP and SMB?

A

A common misconfiguration of FTP is anonymous login, which if enabled can allow any user to authenticate to the server without the need to enter credentials. A common misconfiguration of SMB is null session authentication, which can allow any user to authenticate to an SMB share by providing a null username and password.

42
Q

What is the Secure cookie flag?

A

The secure flag ensures that cookie information is only transmitted over an HTTPS channel.

43
Q

What is CSRF, what does it entail and how can it be prevented?

A

Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform, by using maliciously crafted web requests. It can allow an attacker to cause a victim user to carry out an unintended action, for example changing their email address or password, or transferring funds. This can result in a full compromise of the victim's account. CSRF attacks can be prevented through the use of CSRF tokens, which ensure that the request made by the end user is genuine and make it impossible for attackers to craft a malicious HTTP request for the end user to execute. To be effective, CSRF tokens need to be unpredictable, tied to the user's session, and validated whenever a user action is executed.

44
Q

How would you remotely access a service that can only be accessed from within an internal network?

A

Port forwarding is a technique used to redirect a communication request from one address and port number combination to another. For example, if port 80 is only accessible from within the internal network but port 443 is accessible remotely, a port forward rule can be created to forward all incoming traffic on port 443 to port 80.

45
Q

If you were able to obtain an NTLM hash but could not decrypt it, how would you use this knowledge to obtain access to the target host?

A

Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server by using the NTLM or LM hash of a user’s password, instead of requiring the plaintext password.

46
Q

What is the HttpOnly flag?

A

The HttpOnly flag ensures that cookie information can only be accessed by the web server and not by client-side scripts; this limits the damage that XSS could do to a victim user.

47
Q

How does a VPN work?

A
  • A VPN uses cryptography to extend a private network over a public one, like the internet
    • The extension is made by performing a protected connection to a private network (such as your office or home network)