Random

Question 1

Windows file servers commonly hold sensitive files, databases, passwords and more. What common vulnerability is usually used against a windows file server to expose sensitive files, databases, and passwords?

Answer 1

These are commonly missing patches, enabling hackers to take advantage of the vulnerabilities

Question 2

Which ports are commonly found for printers?

Answer 2

For this type of device, the following ports are often found:

• 515
• 631
• 9100

Question 3

What term describes the amount of risk an organization is willing to accept?

Answer 3

This is called Risk Appetite

Question 4

Your organization’s networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using NMAP, how can you scan all 4 subnets using a single command?

Answer 4

nmap -P 10.0.0-3.0

Question 5

What is SOA used for? What is a common vulnerability?

Answer 5

SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems.SOA is most commonly vulnerable to a XML denial of service.

Question 6

What is the first character that you should use to attempt breaking a valid SQL request?

Answer 6

Single Quote ( ‘ ) is what you should use when doing this.

Question 7

What NMAP switch would a hacker use to attempt to see which ports are open on a targeted network?

Answer 7

-sO is the option used within Nmap to do this.

Question 8

What technique does a vulnerability scanner use in order to detect a vulnerability on a specific service?

Answer 8

Analyzing the response received from the service when Probed.

Question 9

What command could be used to list the running services from the Windows command prompt?

Answer 9

“sc query” is the command that does this

Question 10

When are LM hashes not generated?

Answer 10

These are not generated when the password length exceeds 15 characters.

Question 11

What type of malicious application does not require user intervention or another application to act as a host in order for it to replicate?

Answer 11

A Worm does not require this

Question 12

What is not a step in the NIST SP 800-115 Methodology?
​
Reporting

Answer 12

Scoping is not a step in this methodology.

Question 13

What must be developed in order to show security improvements over time?

Answer 13

Metrics must be developed to show these over time

Question 14

What type of programming language is C# and ASP.NET?

Answer 14

These two languages are compiled languages, not scripting languages.

Question 15

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

Answer 15

Nessus is the tool that can scan a network to perform these actions.

Question 16

What should NOT be included in your final report for the assessment and provided to the organization?

Answer 16

Detailed list of incurred costs should not be a part of this, but rather a part of your invoicing.

Question 17

What is a formal document that states what will and will not be performed during a penetration test?

Answer 17

Scope of work (SOW) is the document that states this.

Question 18

What programming language is most vulnerable to buffer overflow attacks? Why?

Answer 18

C++ is most vulnerable to these type of attacks. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

Question 19

A pentester is trying to map the organization’s internal network. The analyst enters the following command (nmap -n -sS -T4 -p 80 10.0.3.0/24). What type of scan is this?

Answer 19

This type of scan is called a Stealth Scan

Question 20

What is a pentest? What does it check for?

Answer 20

This is an authorized simulated cyber attack against a network or computer system. It checks for vulnerabilities.

Question 21

Name 4 benefits of a pentest.

Answer 21

• Revealing vulns
• Ensuring Regulatory Compliance
• Maintaining Trust
• Identifying ROI
• Enhancing QA
• Supporting Risk management
• Protecting Organizational Reputation
• Plugging Security Holes before they can be exploited
• Testing Cyber-Defense Capabilities

Question 22

What are the pentest steps?

Answer 22

1. Planning
2. Reconnaissance
3. Scanning
4. Gaining Access
5. Maintaining Access
6. Covering Tracks
7. Analysis
8. Reporting

Question 23

What is the difference between an exploit and a payload?

Answer 23

These get you into a host/network while the other is the malicious code that you run on the host/network.

Think of the first as kicking a door open and the latter is throwing in a grenade.

Question 24

What is the CHECK framework?

Answer 24

This was developed in the UK. Ensures that government agencies and public entities can contract with government-approved pen testers.

Question 25

What is OSSTMM?

Answer 25

This Open Source Security Testing Methodology Manual. Framework for Security testing and analysis for operational security.

Question 26

What is PTES?

Answer 26

This is the Penetration Testing Execution Standard. Basic Lexicon and guidelines for Pentests. The PTES Technical Guide provides specifics.

Question 27

What is NIST-SP 800-115?

Answer 27

Technical guide to Information security Testing and Assessment. Developed by NIST. Practical Recommendations for designing, implementing, and maintaining pen test processes and procedures.

Question 28

What is NAC?

Answer 28

This is a collection of protocols, policies, and hardware governing device connection.

Question 29

What forms the basis of the SOW?

Answer 29

The scope forms the basis of this document.

Question 30

What are the two type of assessments?

Answer 30

Objective based (what needs protection?) and Compliance Based (Industry or Government Mandate).

Question 31

How is a compliance-based assessment usually assessed?

Answer 31

These are usually assessed using audits of Administrative, Technical, or physical controls.

Question 32

What is the focus of Compliance-based assessments?

Answer 32

This type of assessment focuses on:

• Password Policies
• Data Isolation
• Key Management

Question 33

What are some limitations of Client-based assessments?

Answer 33

Limitations of this type of assessment are:

• Network Access
• Storage Access

Question 34

What is another name for Passive Reconnaissance?

Answer 34

Another name for this is OSINT Gathering, Open Source Intelligence Gathering

Question 35

What is information gathering?

Answer 35

This is the process of identifying, discovering, and obtaining information that may have relevance to the penetration test.

Question 36

What is OSINT?

Answer 36

This is information that is not private. Anyone can obtain without breaking the law.

Question 37

What are some sources for OSINT?

Answer 37

Sources for this are:

• Whois
• Public Website
• Public Job Postings
• Google Search Results
• Online Blogs
• News Articles
• Social Media
• Info Gathered from DNS, Mail Records, & SSL/TLS Certs

Question 38

What is Whois?

Answer 38

This is a protocol that supports querying of data related to entities who register public domains and other internet resources.

Question 39

What do child domains imply?

Answer 39

These imply there could be less secure sub-domains or organizations.

Question 40

What are two very popular querying tools?

Answer 40

nslookup and dig are tools that perform this function.

Question 41

How would you query for MX records using dig?

Answer 41

dig comptia.org -q mx

Question 42

Using Nslookup, what command would we use to obtain additional servers & information?

Answer 42

nslookup -type=all example.com

Question 43

How do we view all of the options for Nslookup?

Answer 43

Type ‘nslookup’ to be taken the nslookup prompt and then type a question mark ‘?’ in the prompt field.

Question 44

What do MX records do? What would it mean to compromise this?

Answer 44

These identify which server handles incoming mail. Compromising this would mean to compromise the lines of communication.

Question 45

What do SPF records do?

Answer 45

This validates incoming mail from originating domain. Mitigates email spoofing in spam/phishing.

Question 46

What is shodan?

Answer 46

This is a search engine that enables anyone to connect to public or improperly secured devices that allow remote access through the internet.

Question 47

What does FOCA stand for? What does it do?

Answer 47

Fingerprinting Organizations with Collected Archives. This tool scans websites for security leaks. Discovers metadata hidden within website documents. Windows Based tool.