Random Flashcards
Windows file servers commonly hold sensitive files, databases, passwords and more. What common vulnerability is usually used against a windows file server to expose sensitive files, databases, and passwords?
These are commonly missing patches, enabling hackers to take advantage of the vulnerabilities
Which ports are commonly found for printers?
For this type of device, the following ports are often found:
- 515
- 631
- 9100
What term describes the amount of risk an organization is willing to accept?
This is called Risk Appetite
Your organization’s networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using NMAP, how can you scan all 4 subnets using a single command?
nmap -P 10.0.0-3.0
What is SOA used for? What is a common vulnerability?
SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems.SOA is most commonly vulnerable to a XML denial of service.
What is the first character that you should use to attempt breaking a valid SQL request?
Single Quote ( ‘ ) is what you should use when doing this.
What NMAP switch would a hacker use to attempt to see which ports are open on a targeted network?
-sO is the option used within Nmap to do this.
What technique does a vulnerability scanner use in order to detect a vulnerability on a specific service?
Analyzing the response received from the service when Probed.
What command could be used to list the running services from the Windows command prompt?
“sc query” is the command that does this
When are LM hashes not generated?
These are not generated when the password length exceeds 15 characters.
What type of malicious application does not require user intervention or another application to act as a host in order for it to replicate?
A Worm does not require this
What is not a step in the NIST SP 800-115 Methodology?
Reporting
Scoping is not a step in this methodology.
What must be developed in order to show security improvements over time?
Metrics must be developed to show these over time
What type of programming language is C# and ASP.NET?
These two languages are compiled languages, not scripting languages.
What tool can be used to scan a network to perform vulnerability checks and compliance auditing?
Nessus is the tool that can scan a network to perform these actions.
What should NOT be included in your final report for the assessment and provided to the organization?
Detailed list of incurred costs should not be a part of this, but rather a part of your invoicing.
What is a formal document that states what will and will not be performed during a penetration test?
Scope of work (SOW) is the document that states this.
What programming language is most vulnerable to buffer overflow attacks? Why?
C++ is most vulnerable to these type of attacks. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.
A pentester is trying to map the organization’s internal network. The analyst enters the following command (nmap -n -sS -T4 -p 80 10.0.3.0/24). What type of scan is this?
This type of scan is called a Stealth Scan
What is a pentest? What does it check for?
This is an authorized simulated cyber attack against a network or computer system. It checks for vulnerabilities.
Name 4 benefits of a pentest.
- Revealing vulns
- Ensuring Regulatory Compliance
- Maintaining Trust
- Identifying ROI
- Enhancing QA
- Supporting Risk management
- Protecting Organizational Reputation
- Plugging Security Holes before they can be exploited
- Testing Cyber-Defense Capabilities
What are the pentest steps?
- Planning
- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Covering Tracks
- Analysis
- Reporting
What is the difference between an exploit and a payload?
These get you into a host/network while the other is the malicious code that you run on the host/network.
Think of the first as kicking a door open and the latter is throwing in a grenade.
What is the CHECK framework?
This was developed in the UK. Ensures that government agencies and public entities can contract with government-approved pen testers.
What is OSSTMM?
This Open Source Security Testing Methodology Manual. Framework for Security testing and analysis for operational security.
What is PTES?
This is the Penetration Testing Execution Standard. Basic Lexicon and guidelines for Pentests. The PTES Technical Guide provides specifics.
What is NIST-SP 800-115?
Technical guide to Information security Testing and Assessment. Developed by NIST. Practical Recommendations for designing, implementing, and maintaining pen test processes and procedures.
What is NAC?
This is a collection of protocols, policies, and hardware governing device connection.
What forms the basis of the SOW?
The scope forms the basis of this document.
What are the two type of assessments?
Objective based (what needs protection?) and Compliance Based (Industry or Government Mandate).
How is a compliance-based assessment usually assessed?
These are usually assessed using audits of Administrative, Technical, or physical controls.
What is the focus of Compliance-based assessments?
This type of assessment focuses on:
- Password Policies
- Data Isolation
- Key Management
What are some limitations of Client-based assessments?
Limitations of this type of assessment are:
- Network Access
- Storage Access
What is another name for Passive Reconnaissance?
Another name for this is OSINT Gathering, Open Source Intelligence Gathering
What is information gathering?
This is the process of identifying, discovering, and obtaining information that may have relevance to the penetration test.
What is OSINT?
This is information that is not private. Anyone can obtain without breaking the law.
What are some sources for OSINT?
Sources for this are:
- Whois
- Public Website
- Public Job Postings
- Google Search Results
- Online Blogs
- News Articles
- Social Media
- Info Gathered from DNS, Mail Records, & SSL/TLS Certs
What is Whois?
This is a protocol that supports querying of data related to entities who register public domains and other internet resources.
What do child domains imply?
These imply there could be less secure sub-domains or organizations.
What are two very popular querying tools?
nslookup and dig are tools that perform this function.
How would you query for MX records using dig?
dig comptia.org -q mx
Using Nslookup, what command would we use to obtain additional servers & information?
nslookup -type=all example.com
How do we view all of the options for Nslookup?
Type ‘nslookup’ to be taken the nslookup prompt and then type a question mark ‘?’ in the prompt field.
What do MX records do? What would it mean to compromise this?
These identify which server handles incoming mail. Compromising this would mean to compromise the lines of communication.
What do SPF records do?
This validates incoming mail from originating domain. Mitigates email spoofing in spam/phishing.
What is shodan?
This is a search engine that enables anyone to connect to public or improperly secured devices that allow remote access through the internet.
What does FOCA stand for? What does it do?
Fingerprinting Organizations with Collected Archives. This tool scans websites for security leaks. Discovers metadata hidden within website documents. Windows Based tool.
