CEH 1


What type of technique does exploit chaining often implement? A. Injecting parameters into a connection string using semicolons as a separator B. Inserting malicious JavaScript code into input parameters C. Setting a user's session identifier (SID) to an explicit known value D. Adding multiple parameters with the same name in HTTP requests

A. Injecting parameters into a connection string using semicolons as a separator Explanation OBJ-3.2: Connection String Parameter Pollution (CSPP) exploits specifically the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). Exploit chaining involves multiple commands and exploits being conducted in a series to fully attack or exploit a given target.

Which of the following ports is used by the Service Location Protocol when organizing and locating printers, databases, and other resources in a network? A. 443 B. 427 C. 445 D. 389

B. 427 Explanation OBJ-2.3: Port 427 is used by SLP. The Service Location Protocol (SLP) is a protocol or method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. This is an alternative protocol to LDAP in newer networks. While you may not have this port memorized, you should have memorized ports 389, 443, and 445 and identified that they were not associated with printers.

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? A. 389 B. 3389 C. 443 D. 21

C. 443 Explanation OBJ-2.2: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? A. SQL injection B. Buffer overflow C. Directory traversal D. XML injection

C. Directory traversal Explanation OBJ-5.2: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.

What is not an example of a type of support resource that a pentester might receive as part of a white box assessment? A. Network diagrams B. SOAP project files C. XSD D. PII of employees

D. PII of employees Explanation OBJ-1.1: White box support resources include architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Schema Definitions (XSD). The PII of employees should not be given to a penetration tester as this could violate laws and regulations regarding maintaining employee data confidentiality and privacy. White-box testing falls on the opposite end of the spectrum from black-box testing, and penetration testers are given full access to source code, architecture documentation, and so forth.

A network technician needs to monitor the network to find a user who is browsing websites against the company policy. What should the technician use to view the website and find the user browsing it? A. SNMP GET B. Top listener tool C. Intrusion detection system D. Packet sniffer

D. Packet sniffer Explanation OBJ-4.1: Packet sniffers can capture and analyze network user traffic. This information can be queried to view website addresses, contents, and sometimes even password information. This differs from an intrusion detection system in that an IDS waits to receive implicitly malicious data on the network before logging the event.

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system, typed 'history' into the prompt, and see the following:

> for i in $(seq 255); do ping -c 1 10.1.0.$i; done

Which of the following best describes what actions were performed by this line of code? A. Attempted to conduct a SYN scan on the network B. Conducted a ping sweep of the subnet C. Conducted a sequential ICMP echo reply to the subnet D. Sequentially sent 255 ping packets to every host on the subnet

B. Conducted a ping sweep of the subnet Explanation OBJ-2.2: This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping's target. A ping sweep does not use a SYN scan, which would require the use of a tool like nmap or hping.

You are working as part of a penetration testing team targeting Dion Training's mobile device software. Which of the following tools would NOT be helpful while trying to exploit their mobile applications? A. Androzer B. Dirbuster C. APKX D. APK studio

B. Dirbuster Explanation OBJ-7.1: Dirbuster is a brute force tool included with Kali Linux that exposes directories and file names on web and application servers. Androzer is a security testing framework for Android apps and devices. APKX (Android Package Kit) is a Python wrapper for dex converters and Java decompilers included in the OWASP Mobile Testing Guide. APK Studio is a cross-platform IDE for reverse engineering Android applications.

Which type of malware is used to actively attempt to steal confidential information by capturing a user's data when typed into a web browser or other application? A. Spyware B. Keylogger C. Trojan D. Rootkit

B. Keylogger Explanation OBJ-3.3: A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

Dion Training has just installed a brand new email server. Which of the following DNS records would need to be created to allow the new server to receive email on behalf of diontraining.com? A. CNAME B. MX C. PTR D. A

B. MX Explanation OBJ-2.1: An MX record is required in the DNS for a domain for the email server to accept emails on behalf of a registered domain name.

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. MySQL B. RDP C. LDAP D. IMAP

B. RDP Explanation OBJ-2.2: Port 3389 is the port used by the Remote Desktop Protocol (RDP). If this port isn't supposed to be open, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

You are currently working as a firewall technician. You have received a request to open up a few ports on the firewall to allow a new VoIP system to operate properly. The installer has requested that the ports associated with SIP, RDP, H.323, and RTP be opened to allow the new system to operate properly. Which of these ports are NOT used by a typical VoIP system? A. SIP B. RDP C. H.323 D. RTP

B. RDP Explanation OBJ-4.1: RDP is the Remote Desktop Protocol and operates over port 3389. This is not used in a typical VoIP system. SIP (Session Initiation Protocol), the H.323 (voice/video conferencing) protocol, and RTP (Real-time Transport Protocol) are all used heavily in VoIP and video conferencing solutions.

Which of the following tools provides a penetration tester with a framework to conduct technical social engineering attacks like phishing against an organization's employees? A. Kismet B. SET C. Proxychains D. Censys

B. SET Explanation OBJ-4.2: SET (Social Engineer Toolkit) is an open-source penetration testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Censys is a search engine that returns information about the types of devices connected to the Internet.

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A. Advanced persistent threat (APT) B. Spear phishing C. Insider threat D. Privilege escalation

A. Advanced persistent threat (APT) Explanation OBJ-3.3: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-state's government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select.

What tool is used to collect wireless packet data? A. Aircrack-ng B. John the Ripper C. Nessus D. Netcat

A. Aircrack-ng Explanation OBJ-6.1: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE) A. Harvest email addresses B. Identify employees on Social Media Networks C. Release of malware on USB drives D. Acquire or develop zero-day exploits E. Select backdoor implants and appropriate command and control mechanisms F. Discover servers facing the public internet

A. Harvest email addresses, B. Identify employees on Social Media Networks, F. Discover servers facing the public internet Explanation OBJ-1.1: Passively harvesting information from a target is the main purpose of the reconnaissance phase. Harvesting email addresses from the public internet, identifying employees on social media (particularly LinkedIn profiles), discovering public-facing servers, and gathering other publicly available information can allow an attacker to develop a more thorough understanding of a targeted organization. Acquiring or developing zero-day exploits, selecting backdoor implants, and choosing command and control (C2) mechanisms will require the information gathered during reconnaissance to be effective. Still, these activities will actually occur during the weaponization phase.

You have been contracted by Dion Training to conduct a penetration test against its learning management system (LMS). The LMS is a web application that is hosted in the organization's DMZ. Which of the following appliances should the organization whitelist your source IP in before the engagement begins? A. WAF B. HIDS C. NIDS D. DLP

A. WAF Explanation OBJ-4.5: Whitelisting allows the IP address to be excluded from ACL rules and other signatures. This prevents an active device, like a web application firewall (WAF), layer 4 firewall, or an intrusion prevention system (IPS), from blocking the penetration tester during the assessment. By having your IP added to the whitelist, you can focus your time and efforts on finding vulnerabilities in the servers themselves instead of trying to break through a compensating control like a WAF or IPS.

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

========================
https://www.whamiedyne.com/app/accountInfo?acct=12345
========================

You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following types of vulnerabilities or threats have you discovered? A. Insecure direct object reference B. XML injection C. Race condition D. SQL injection

A. Insecure direct object reference Explanation OBJ-5.2: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer's order and timing, which is not the case in this scenario.

You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on? A. Intimidation B. Consensus C. Familiarity D. Trust

A. Intimidation Explanation OBJ-4.2: Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address? A. MAC filtering B. WEP C. Disable SSID broadcast D. WPS

A. MAC filtering Explanation OBJ-4.1: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities? A. Passive reconnaissance B. Active scanning C. Vulnerability scanning D. Patch management

A. Passive reconnaissance Explanation OBJ-2.1: Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A. Perform a DNS brute-force attack B. Use a nmap ping sweep C. Perform a DNS zone transfer D. Use a nmap stealth scan

A. Perform a DNS brute-force attack Explanation OBJ-2.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.

An attacker is using a precomputed table of values to attempt to crack your Windows password. What type of password attack is this? A. Rainbow table B. Dictionary C. Hybrid D. Brute-force

A. Rainbow table Explanation OBJ-3.2: A rainbow table is a tool for speeding up attacks against Windows passwords by precomputing possible hashes. A rainbow table is used to authenticate users by comparing the hash value of the entered password against the one stored in the rainbow table. Using a rainbow table makes password cracking a lot faster and easier for an attacker.

You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A. The attacker must have physical or logical access to the affected system B. Exploiting the vulnerability requires the existence of specialized conditions C. The attacker must have access to the local network that the system is connected to D. Exploiting the vulnerability does not require any specialized conditions

A. The attacker must have physical or logical access to the affected system Explanation OBJ-3.1: The attack vector explains what type of access the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report is still showing the servers as vulnerable? (SELECT ALL THAT APPLY) A. The vulnerability assessment scan is returning a false positive B. This critical patch did not remediate the vulnerability C. You conducted the vulnerability scan without waiting long enough after the patch was installed D. The wrong IP address range

A. The vulnerability assessment scan is returning a false positive, B. This critical patch did not remediate the vulnerability Explanation OBJ-3.1: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which it is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production, and the patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times, as you have verified your scan configuration.

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct?

================ BEGIN OUTPUT -----------------
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
#
------------------ END OUTPUT ==================

A. Your email server is running on a non-standard port B. Your email server has been compromised C. Your organization has a vulnerable version of the SSH server software installed D. Your web server has been compromised

A. Your email server is running on a non-standard port Explanation OBJ-2.2: As shown in the nmap scan's output, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But when netcat is run against port 80, the banner returned shows that an SMTP server is running on port 80. SMTP normally runs on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.

Which command-line entry would be used on a Windows system to test if your system can reach diontraining.com? A. ping diontraining.com B. sfc diontraining.com C. net use diontraining.com D. ipconfig diontraining.com

A. ping diontraining.com Explanation OBJ-2.3: The ping command is used to test a host's reachability on an Internet Protocol network. Typing "ping diontraining.com" sends a series of ICMP echo request packets to the Dion Training server. If they are received successfully, your system will receive an echo reply. Your system will then report whether the call and response were successful and how long the round trip took in milliseconds.

A military defense contracting company has hired your company to conduct a penetration test against their networks. Their company has a strong vulnerability management program in place, but they are concerned that they may still be subject to remote hackers' intrusion. They have asked your company to create a red team with their most skilled hackers and conduct a long-term engagement over 6-12 months. The goal of this assessment is to emulate an attacking group that uses stealth while infiltrating the network, quietly maintaining persistence, and slowly exfiltrating data out of the network over time to determine if their cybersecurity analysts could detect this type of threat. Which of the following types of threat actors will your red team need to emulate? A. Hacktivists B. APT C. Script kiddies D. Insider threat

B. APT Explanation OBJ-3.3: An advanced persistent threat (APT) is a type of attacker that keeps a low profile while infiltrating a remote network. Once inside the network, they maintain their patience while gathering intelligence and slowly exfiltrating data out of the network. Many APTs work for a nation-state and focus on intelligence operations. Some APTs also perform corporate espionage to steal highly guarded trade secrets from competitors. APTs commonly use several attack vectors to ensure their success in gaining unauthorized access to information.

Christina is conducting a penetration test against Dion Training's network. The goal of this engagement is to conduct data exfiltration of the company's exam database without detection. Christina enters the following command into the terminal:

==============
C:\database\exams.db>c:\Users\Christina\Desktop\beachpic.png:exams.db
==============

Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file? A. NTFS encryption B. Alternate data streams C. Unquoted service path D. DLL hijacking

B. Alternate data streams Explanation OBJ-3.2: An alternate data stream (ADS) is a feature of Microsoft's NT File System (NTFS) that enables multiple data streams for a single file name by forking one or more files to another. ADS can be abused by hiding one file into another, as shown in this scenario. Once received in her email, she could access the database by opening the file as "beachpic.png:exams.db".

A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it as TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic? A. Intrusion detection system B. Application-aware firewall C. Stateful packet inspection D. Stateless packet inspection

B. Application-aware firewall Explanation OBJ-4.5: A Web Application Firewall (WAF) or application-aware firewall would detect both the use of random ports and the TLS encryption and identify the traffic as suspicious, whereas stateless packet inspection would only inspect the port number used by the outbound traffic. An IDS only analyzes incoming traffic; therefore, it would not be able to see this activity as suspicious.

Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware were the workstations likely victims of, based on the scenario provided? A. Spyware B. Botnet C. Rootkit D. Ransomware

B. Botnet Explanation OBJ-4.3: A botnet is a collection of internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the internet.

A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst verified that the web server and the Oracle database were not compromised directly. The analyst also found no attacks that could have caused this during their review of the Intrusion Detection System (IDS) logs. What is the most likely method that the attacker used to change the items' sale price? A. SQL injection B. Changing hidden form values C. Buffer overflow attack D. Cross-site scripting

B. Changing hidden form values Explanation OBJ-5.2: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:
==================
[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "abcde" 6 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "efghi" 7 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "12345" 8 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "67890" 9 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "a1b2c" 10 of 10
===================
What type of test is the penetration tester currently conducting? A. Conduc

B. Conducting a brute force login attempt of a remote service on 192.168.1.142 Explanation OBJ-3.2: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

A vulnerability scan has returned the following results:
==============
Detailed Results 10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp
==============
What best describes the meaning of this output? A. There is an unknown bug in an Apache server with no Bugtraq ID B. Connecting to the host using a null session allows enumeration of the share names on the host C. Windows Defender has a known exploit that must be resolved or patched D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server

B. Connecting to the host using a null session allows enumeration of the share names on the host Explanation OBJ-3.1: These results from the vulnerability scan show an enumeration of open Windows shares on an Apache server. The enumeration results show that three share names (print$, files, Temp) were found using a null session connection. There is no CVE associated with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A. SPF B. DKIM C. SMTP D. DMARC

B. DKIM Explanation OBJ-2.1: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send email from that domain, and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. DMARC relies on DKIM for the cryptographic authentication mechanism, making it the incorrect option for this question. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
=============================
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
==============================
What type of attack was most likely being attempted by the attacker? A. SQL injection B. Directory traversal C. XML injection D. Password spraying

B. Directory traversal Explanation OBJ-5.2: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

Which of the following would trigger the penetration test to stop and contact the system owners during an engagement? A. A production server is successfully exploited B. Discovery of a production server with its log files deleted C. A production server is unresponsive to ping requests D. Discovery of encrypted credit card data being stored in their database

B. Discovery of a production server with its log files deleted Explanation OBJ-1.1: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. Suppose the team discovers any security breaches, current hacking activity, or extremely critical findings on a production server, or a production server becomes unresponsive during exploitation. In that case, the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. Deleted log files should be considered an indicator of compromise and should be investigated by the company's security team before you continue with your engagement.

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? A. IDS B. IPS C. Proxy server D. Syslog server

B. IPS Explanation OBJ-4.5: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log it.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: ================== https://test.diontraining.com/profile.php?userid=1546 https://test.diontraining.com/profile.php?userid=5482 https://test.diontraining.com/profile.php?userid=3618 ================ What type of vulnerability does this website have? A. Race condition B. Insecure direct object reference C. Improper error handling D. Weak or default configurations

B. Insecure direct object reference Explanation OBJ-5.2: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A. A finding that shows the scanner compliance plug-ins are not up-to-date B. Items classified by the system as Low or as For Informational Purposes Only C. A scan result showing a version that is different from the automated asset inventory D. An HTTPS entry that indicates the web page is securely encrypted

B. Items classified by the system as Low or as For Informational Purposes Only Explanation OBJ-3.1: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. "An HTTPS entry that indicates the web page is securely encrypted" is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

What kind of attack is an example of IP spoofing? A. SQL injections B. Man-in-the-middle C. Cross-site scripting D. ARP poisoning

B. Man-in-the-middle Explanation OBJ-4.1: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur? A. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 C. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080 D. Netcat will listen on port 8080 and then anything received to local interface 192.168.1.76

B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 Explanation OBJ-3.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
=====================
[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
===================
What type of attack was most likely being attempted by the attacker? A. Session hijacking B. Password spraying C. Impersonation D

B. Password spraying Explanation OBJ-3.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. Multiple iterations using different passwords can be used, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made against each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain access to user accounts fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? A. Perform an authenticated vulnerability scan on all servers in the environment B. Perform a scan for the specific vulnerability on all web servers C. Perform a web vulnerability scan on all servers in the environment D. Perform an authenticated scan on all web servers in the environment

B. Perform a scan for the specific vulnerability on all web servers Explanation OBJ-5.1: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 B. Permit 143.27.43.32 161.212.71.14 RDP 3389 C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389 D. Permit 143.27.43.0/24 161.212.71.14 RDP 3389

B. Permit 143.27.43.32 161.212.71.14 RDP 3389 Explanation OBJ-4.5: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred? A. Session hijacking B. SQL injection C. Buffer overflow D. XML injection

B. SQL injection Explanation OBJ-5.3: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed by a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? A. Familiarity B. Scarcity C. Intimidation D. Trust

B. Scarcity Explanation OBJ-4.2: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used.

You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to a SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request? A. Semicolon B. Single quote C. Exclamation mark D. Double quote

B. Single quote Explanation OBJ-5.3: The single quote character (') is the string delimiter in SQL. Because a single quote delimits strings, you can use it to test whether the programmer has properly escaped the strings in the targeted application. If they are not escaped properly, you can end any string supplied to the application and add other SQL code after it. This is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark comments a line of code in several languages. Double quotes contain a string that is passed to a variable.

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? A. Vulnerability scanning B. Social engineering C. Application security testing D. Network sniffing

B. Social engineering Explanation OBJ-4.2: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore, adding end-user training would not affect these technology options.

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? A. VPN B. VLAN C. WPA2 D. MAC filtering

B. VLAN Explanation OBJ-6.1: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual networks' data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A. The server assumes you are conducting a DDoS attack B. You are scanning a CDN-hosted copy of the site C. The scan will not produce any useful information D. Nothing can be determined about this site with the information provided

B. You are scanning a CDN-hosted copy of the site Explanation OBJ-5.1: This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server's cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

You are assisting a member of your organization's security team during an incident response. The team member asks you to determine if any strange TCP connections are occurring on a given workstation. You open the command prompt on the workstation. Which of the following tools would provide you with information on any TCP connections currently on the workstation? A. tracert B. netstat C. arp D. route

B. netstat Explanation OBJ-2.3: Netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (incoming and outgoing), routing tables, and several network interface and network protocol statistics. It is useful when determining if a workstation is attempting outbound connections due to malware (beaconing activity) or has ports open and listening for inbound connections.

You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use? A. net use B. netstat C. ipconfig D. ping

B. netstat Explanation OBJ-2.3: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when determining if any malware has been installed on the system and maybe maintaining a remote connection with a command and control server.

Which of the following nmap commands should be utilized by a penetration tester that wants to scan every TCP registered port with fingerprinting, service, and operating system detection on a Class B network that is blocking ICMP? A. nmap -Pn -A --sS -p 1024 -sS 172.16.1.0/16 B. nmap -Pn -A -O -p 1024 -sS 172.16.1.0/16 C. nmap -Pn -A -sT -p 0-65535 172.16.1.0/24 D. nmap -Pn -O -sS -p 1-65535 172.16.1.0/8

B. nmap -Pn -A -O -p 1024 -sS 172.16.1.0/16 Explanation OBJ-2.2: There are several ways to answer this question, even if you don't remember every piece of the nmap syntax. First, the question asks you to scan a Class B network, and if we want to scan the entire Class B, we would have to scan a /16. This removes two of our four choices. Now, considering the last two choices, we have one major difference: only one of these options would provide operating system detection (-O).

You are working as part of a penetration testing team conducting an engagement against Dion Training's network. You have been given a list of targets to scan in nmap in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in an XML formatted file called results.txt for importing into your team's report generation software? A. nmap -p80,443 -sL servers.txt -oX results.txt B. nmap -p80,443 -iL servers.txt -oX results.txt C. nmap -p80,443 -iL servers.txt -oG results.txt D. nmap -p80,443 -sL servers.txt -oG results.txt

B. nmap -p80,443 -iL servers.txt -oX results.txt Explanation OBJ-2.2: The command (nmap -p80,443 -iL servers.txt -oX results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option will scan each of the listed servers' IP addresses. The -oX option will save the results in an XML format to the file results.txt while still displaying the normal results to the shell. The -sL option will only list the servers to scan, and it will not actually scan them. The -oG option is for outputting the results to a file in a greppable format.

As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A. nmap B. shodan.io C. Google hacking D. Review network diagrams

B. shodan.io Explanation OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company's network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren't, they cannot show the current "as is" configuration. If you can only select one tool to find your attack surface's current and historical view, shodan is your best choice.

Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:
=====================
POST /www/default.php HTTP/1.1
HOST: <external IP address>.123
Content-Length: 147
Cache-Control: no-cache
Origin: chrome-extension://ghwjhwrequsds
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUx
Accept:*/*
Accept-Language: zh, en-us; q=0.8, en; q=0.6
Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske

------WebKitFormBoundaryaym16ehT29q60rUx
Content-Disposition: form-data; name="q"

cat /etc/passwd
------WebKitFormBoundaryaym16ehT29q60rUx
=====================
Which of the following statements is true? A. The etc/passw

C. A request to issue the command "cat /etc/passwd" occurred but additional analysis is required to verify if the file was downloaded Explanation OBJ-5.2: This is a POST request to run the "cat /etc/passwd" command from an outside source. It is not known from the evidence provided whether this command was successful or not, but it should be analyzed further, as this is not expected, normal traffic. While the browser's default language was configured for Chinese (zh), this is easily changed and cannot be used to draw authoritative conclusions about the threat actor's true location or persona. The User-Agent used is listed as Mozilla, which is used by both Firefox and Google Chrome. For an in-depth analysis of the full attack this code snippet was taken from, please visit https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf. This 6-page article is definitely worth your time to look over and learn how a remote access web shell is used as an exploit.

Which of the following weaknesses exist in WPS enabled wireless networks? A. Utilizes TKIP to secure the authentication handshake B. Utilizes a 24-bit initialization vector C. Brute force occurs within 11,000 combinations D. Utilizes a 40-bit encryption key

C. Brute force occurs within 11,000 combinations Explanation OBJ-6.1: The most prominent attack against WPS enabled wireless networks involves brute-forcing the 8-digit PIN that a client uses to enroll their devices without knowing the pre-shared key. WPS checks each half of the PIN individually, reducing the number of possible combinations from a maximum of 100,000,000 to only 11,000. This only takes a few minutes to crack on most modern computers, as long as the WAP doesn't have a lockout after a certain number of failures. The lockout mechanism may also be triggered based on the client's MAC address, so an attacker can often spoof the MAC address to bypass this defense.

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? A. Nmap B. Nessus C. Cain and Abel D. Netcat

C. Cain and Abel Explanation OBJ-3.2: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing and cracking various password hashes with dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to decode Cisco VPN Client passwords. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

You are conducting a penetration test against the Dion Training test server. You have just run nikto against the server and received the results below:
==============
root@DionTraining:~# nikto -h test.diontraining.com
- Nikto v2.1.6
---------------
+ Target IP: 164.201.54.34
+ Target Hostname: test.diontraining.com
+ Target Port: 80
+ Start Time: 2020-12-22 13:43:13 (GMT-5)
----------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible di

C. Clickjacking Explanation OBJ-5.2: The X-Frame-Options in the HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe. If the X-Frame-Options header is not present, then a clickjacking exploit could be used against the web server's users. The only two vulnerabilities shown in the Nikto results are the clickjacking vulnerability and the MIME Type security issue.

You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner's findings in the automated report. Which of the following is MOST likely to be a false positive? A. Reflected XSS B. Insecure HTTP methods allowed C. Command injection allowed D. Directory listing enabled

C. Command injection allowed Explanation OBJ-5.1: A command injection is unlikely since this is a static webpage and does not accept any user input. A command injection allows the user to supply malicious input to the web server and then passes that data to a system shell for execution. In this sense, command injection does create new instances of execution and can, therefore, leverage languages that the web app does not directly support.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A. Use of insecure functions B. Insufficient logging and monitoring C. Improper error handling D. Insecure object reference

C. Improper error handling Explanation OBJ-5.2: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

Edward's bank recently suffered an attack where an employee made an unauthorized modification to a customer's bank balance. Which tenet of cybersecurity was violated by this employee's actions? A. Confidentiality B. Authentication C. Integrity D. Availability

C. Integrity Explanation OBJ-1.1: The CIA Triad is a security model that helps people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer's bank account balance. Confidentiality is concerned with unauthorized people seeing the contents of the data. In this scenario, the employee is authorized to see the bank balance but not change its value. Availability is concerned with the data being accessible when and where it is needed. Again, this wasn't affected by the employee's actions. Authentication is concerned with only authorized people accessing the data. Again, this employee was authorized to see the balance.

You want to conduct OSINT against an organization in preparation for an upcoming engagement. Which of the following tools should you utilize? A. OpenVAS B. Social Engineer Toolkit (SET) C. Shodan D. Aircrack-NG

C. Shodan Explanation OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company's network. OpenVAS, SET, and Aircrack-NG are not considered OSINT tools. OpenVAS is a vulnerability scanner. SET is a social engineering tool. Aircrack-NG is a wireless hacking tool.

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? A. Cross-site scripting B. SQL injection C. Missing patches D. CRLF injection

C. Missing patches Explanation OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user's workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

A network technician is responsible for the basic security of the network. Management has asked if there is a way to improve the level of access users have to the company file server. Right now, any employee can upload and download files with basic system authentication (username and password). What should he configure to increase security? A. Kerberos authentication B. MD5 authentication C. Multi-factor authentication D. Single sign-on authentication

C. Multi-factor authentication Explanation OBJ-1.1: This security approach provides a defense layer that makes it difficult for unauthorized users to break into a system. It requires multiple factors from a user to obtain access. For instance, if one factor is successfully broken, there are still other factors that the individual attempting to enter the system must overcome.

What tool can be used to scan a network to perform vulnerability checks and compliance auditing? A. nmap B. Metasploit C. Nessus D. BeEF

C. Nessus Explanation OBJ-3.1: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Matt is conducting a penetration test against Dion Training's network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Matt enters the following command into the terminal:
=================
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v beacon /d C:\Windows\Temp\beacon.bat
============
Which of the following types of persistence is Matt trying to utilize? A. Services B. Scheduled task C. Registry startup D. PS remoting

C. Registry startup Explanation OBJ-3.2: A penetration tester can use the "reg add" command to cause a particular program or command to start every time the Windows machine is booted up. To achieve this, the penetration tester adds a value pointing to the program under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The first one will cause the program to run whenever any user logs into the machine. The second will only cause the program to start when the victimized user logs in again.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A. Fingerprint and retinal scan B. Password and security question C. Smartcard and PIN D. Username and password

C. Smartcard and PIN Explanation OBJ-1.1: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inherence). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.

A security analyst wants to implement a layered defense posture for this network, so he uses multiple antivirus defensive layers, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate? A. Forensic attack B. ARP spoofing attack C. Social engineering attack D. Scanning attack

C. Social engineering attack Explanation OBJ-4.2: By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst works to prevent phishing and other social engineering attacks. Emails are a common attack vector used in social engineering attacks.

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:
=================
"select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE='A' where ID=1235235;"
===================
Based on this transaction log, which of the following most likely occurred? A. The application and the SQL database are functioning properly B. A student with ID #1235235 used an SQL injection to give themselves straight A's C. Someone used an SQL injection to assign straight A's to the student with ID #1235235 D. The SQL server has insufficient logging and monitoring

C. Someone used an SQL injection to assign straight A's to the student with ID #1235235 Explanation OBJ-5.3: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student's grades and set all of this student's grades to an 'A' at the same time. It is common to look for a '1=1' type condition to identify an SQL injection, but there are other methods of conducting an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and inject SQL-specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see, and the question never indicates that logging was an issue. An SQL database would not be designed to set ALL of a particular student's grades to A's, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question of who performed this SQL injection. Per the question choices, it could be the student with ID# 1235235 or "someone." While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #1235235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be gathered before making any accusations. Therefore, the answer is that "someone" performed this SQL injection.

You are working as a server administrator at Dion Training. You unlock the server room door using your proximity badge and walk through the door. Before the door shuts, another person walks in behind you. What social engineering technique did this person utilize? A. Impersonation B. Spoofing C. Tailgating D. Shoulder surfing

C. Tailgating Explanation OBJ-4.2: Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. This might be done without the target's knowledge or might be a means for an insider to allow access to someone without recording it in the building's entry log. Another technique is to persuade someone to hold a door open for them.

Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term "[Ss]cript" in them. Which of the following statements concerning this attack is true? A. An SQL injection must have occurred since their input validation would have prevented <*SCRIPT*> or <*script*> from being used B. The server has insufficient logging and monitoring configured C. The REGEX expression to filter using "[Ss]cript" is insufficient, as an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it D. The attacker has modified the logs to cover their tracks and prevent a successful investigation

C. The REGEX expression to filter using "[Ss]cript" is insufficient, as an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it Explanation OBJ-4.5: The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on the <*script*> and <*/script*> HTML tags to launch, the system administrators had the right idea in creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT, which would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. While it is possible that an attacker used an SQL injection instead, their REGEX input validation would still have allowed a cross-site scripting attack to occur, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this scenario. The obvious flaw in their input validation is their REGEX filter.

You are troubleshooting a user's workstation that is operating extremely slowly. You open the Task Manager and see that only Microsoft Word is currently running, but the CPU and network utilization is consistently running between 95-100%. Which of the following is MOST likely causing this issue? A. The computer is the victim of a DoS attack B. The network's firewall is blocking outbound traffic C. The computer has become a zombie D. The application is not compatible with this OS

C. The computer has become a zombie Explanation OBJ-4.3: The workstation has most likely become a zombie. A zombie is any workstation running unauthorized software that directs the device to participate in a DDoS attack as part of a larger botnet. A botnet is a network of computers that have been compromised by a Trojan, rootkit, or worm malware. This workstation would then attempt to flood the victim's computer with requests over the network. These requests would require CPU and network resources to make, causing the utilization to rise to 95-100%.

You have just concluded a two-month engagement that targeted Dion Training's network. You have a detailed list of findings and have prepared your report for the company. Which of the following reasons explains why you must keep your report confidential and secure? A. The findings included may contain company intellectual property B. The findings contain privileged information about their customers C. The findings could be used by attackers to exploit the client's systems D. The findings could hurt the company's reputation if disclosed

C. The findings could be used by attackers to exploit the client's systems Explanation OBJ-1.1: To further reinforce the SOW, NDA, and any other legal documentation in effect, the client is likely to include confidentiality provisions within the engagement plan. This ensures that the information discovered during the penetration test is shared only with the appropriate entities. For example, if a penetration tester finds a major code injection vulnerability in the company's public-facing website, the organization may require them to keep this information confidential to minimize the risk of it being exploited by an attacker.

You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM:
===============
https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0
==================
Based on this line, what type of attack do you expect has been attempted? A. SQL injection B. Buffer overflow C. XML injection D. Session hijacking

C. XML injection Explanation OBJ-5.2: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

You are analyzing the logs of a web server and see the following entry:
======================
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!--%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12"
======================
Based on this entry, which of the following attacks was attempted? A. XML injection B. Buffer overflow C. XSS D. SQL injection

C. XSS Explanation OBJ-5.2: This is an example of an XSS attack as recorded by a web server's log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (' '). While you don't need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, and in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer's boundary and writes data into the adjacent memory locations, which is not occurring in this example.

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? A. You should continue to apply additional controls until there is zero risk B. You should ignore any remaining risk C. You should accept the risk if the residual risk is low enough D. You should remove the current controls since they are not completely effective

C. You should accept the risk if the residual risk is low enough Explanation OBJ-1.1: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

Which command-line tool could you use on a Windows system to enable an inactive administrator account? A. taskkill B. robocopy C. net user D. gpresult

C. net user Explanation OBJ-3.2: There are several net command utilities that you can use to view and configure shared resources on a Windows network. The net user command allows system administrators to manage user accounts on Windows PCs. You can use the command to display account information or make changes to user accounts. It can be used, among other things, to enable the inactive administrator account of a Windows system.

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? A. nmap -sS B. nmap -O C. nmap -sT D. nmap -sX

C. nmap -sT Explanation OBJ-2.2: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan where the FIN, PSH, and URG flags are set in the scan. The -O flag would conduct an operating system detection scan of the target system.

Which of the following Nmap commands would scan DionTraining.com and probe any open ports to determine the versions of the running services on those ports? A. nmap -sS DionTraining.com B. nmap -sT DionTraining.com C. nmap -sV DionTraining.com D. nmap -sL DionTraining.com

C. nmap -sV DionTraining.com Explanation OBJ-2.2: The -sV option will scan the target by probing all the open ports to determine the service version they are running. The -sS option will scan the target using a TCP SYN packet and conduct a half-open scan. The -sT option will scan the target by conducting a full TCP 3-way handshake. The -sU option will scan the target by conducting a UDP scan.

Which of the following commands can be used to resolve a DNS name to an IP address? A. dns B. query C. nslookup D. iplookup

C. nslookup Explanation OBJ-2.1: The nslookup command is used for DNS (Domain Name System) lookup operations. It is used to find the IP address of a particular domain name or the domain name of a particular IP address. The host and dig commands can also be used to look up a domain name and convert it to an IP address on a Linux system.

A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network. The penetration tester did not receive any network diagrams, maps, or target IP address. Their goal is to identify any possible Windows domain controllers on the intranet.diontraining.com domain. Which of the following commands should they use from the command prompt to achieve their goal? A. nslookup -type=any _lanman._tcp.intranet.diontraining.com B. nslookup -type=any _ntlm._tcp.intranet.diontraining.com C. nslookup -type=any _ldap._tcp.intranet.diontraining.com D. nslookup -type=any _smtp._tcp.intranet.diontraining.com E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com

C. nslookup -type=any _ldap._tcp.intranet.diontraining.com, E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com Explanation OBJ-2.1: There are several methods for locating Domain Controllers, depending on what you know about the environment you are working in. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the SRV record name. Since we are trying to identify domain controllers, we need to look for the Kerberos and LDAP based records on the intranet.diontraining.com domain. If you were using a Linux client, you could run a similar command using dig.

What nmap switch would you use to perform operating system detection? A. -OS B. -s0 C. -sP D. -O

D. -O Explanation OBJ-2.2: The -O switch is used to tell nmap to conduct fingerprinting of the operating system based on the responses received during scanning. Nmap will then report on the suspected operating system of the scanned host. If you use -O -v, you will get additional details, as this runs the operating system scan in verbose mode. The -OS flag is made up and not supported by nmap. The -s0 flag conducts an IP protocol scan of the target. The -sP flag conducts a simple ping scan against the target.

What is the term for exploiting a weakness in a user's wireless headset to compromise their smartphone? A. Multiplexing B. Zero-day attack C. Smurfing D. Bluejacking

D. Bluejacking Explanation OBJ-6.1: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
====================
[443] [https-get-form] host: diontraining.com login: jason password: password
[443] [https-get-form] host: diontraining.com login: jason password: CompTIACySA+
[443] [https-get-form] host: diontraining.com login: jason password: 123456
[443] [https-get-form] host: diontraining.com login: jason password: qwerty
[443] [https-get-form] host: diontraining.com login: jason password: abc123
[443] [https-get-form] host: diontraining.com login: jason password: password1
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd
===================
What type of attack was most likely being attempted by the attacker? A. Password spraying B. Impersonation C. Credential stuffing D. Brute force

D. Brute force Explanation OBJ-3.2: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user's password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. Attackers can use multiple iterations with several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker? A. Rainbow table B. Dictionary C. Hybrid D. Brute-force

D. Brute-force Explanation OBJ-6.1: In a brute-force attack the attacker submits every candidate value in a keyspace, analyzing the response each time, until one succeeds. Success is guaranteed if the keyspace is fully enumerated; the larger the keyspace, the longer it takes. In the traditional form the passcode or password is incremented by one digit or letter each time until the right value is found, which is exactly what the device logs show (00000000, 00000001, 00000002, ... up to 13252342). A dictionary attack instead uses a predefined list of likely values, a hybrid attack mutates dictionary entries (appending digits, substituting characters), and a rainbow table looks up precomputed hash chains to reverse a captured hash rather than submitting guesses to the target.
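A practitioner should know that an 8-digit WPS PIN is a much smaller keyspace than 10^8: the eighth digit is a checksum of the first seven, and the WPS registrar exchange confirms the first four digits and the next three separately, so an attacker who understands the protocol needs at most 10,000 + 1,000 attempts. The following is an added example, not from the quiz page; the checksum formula is the one defined by the Wi-Fi Protected Setup specification, and 13252342 is the PIN from the question. The attempt-count strategies are illustrative labels of my own.

```python
"""Why an incrementing WPS PIN search is cheaper than it looks.

Added example, not from the quiz page. wps_checksum() implements the check-digit
rule from the Wi-Fi Protected Setup specification; the strategy names in
attempts_to_find() are illustrative labels, not protocol terms.
"""


def wps_checksum(first_seven):
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix given as an int."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if the 8-digit PIN (int or str) carries the correct check digit."""
    s = str(pin).zfill(8)
    if len(s) != 8 or not s.isdigit():
        return False
    return wps_checksum(int(s[:7])) == int(s[7])


def checksum_valid_pins():
    """Yield PINs in incrementing order, as in the device logs, but only the
    1-in-10 values whose check digit can be correct."""
    for prefix in range(10_000_000):
        yield f"{prefix:07d}{wps_checksum(prefix)}"


def attempts_to_find(target_pin, strategy):
    """Number of PIN submissions before target_pin is accepted.

    'naive'   : increment by one and submit everything, as the logs show (up to 10**8)
    'checksum': increment but submit only checksum-valid PINs (up to 10**7)
    'split'   : exploit the registrar confirming the first 4 and next 3 digits
                separately, with the 8th digit computed (up to 10**4 + 10**3)
    """
    s = str(target_pin).zfill(8)
    if strategy == "naive":
        return int(s) + 1
    if strategy == "checksum":
        return int(s[:7]) + 1
    if strategy == "split":
        return (int(s[:4]) + 1) + (int(s[4:7]) + 1)
    raise ValueError(f"unknown strategy: {strategy}")


if __name__ == "__main__":
    pin = "13252342"
    print("valid checksum:", is_valid_wps_pin(pin))
    for strategy in ("naive", "checksum", "split"):
        print(f"{strategy:>8}: {attempts_to_find(pin, strategy):,} attempts")
```

Note that 00000001, the second value in the logs, fails the checksum, so the attacker in the scenario was not even skipping impossible PINs; a device that rate-limits or locks WPS after a handful of failures defeats all three strategies, and disabling WPS removes the attack surface entirely.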

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software? A. XCCDF B. CPE C. CCE D. CVE

D. CVE Explanation OBJ-3.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization's LAN. What is the best method for the penetration tester to use to conduct the pivot? A. Issue the pivot exploit and setup meterpreter B. Reconfigure the network settings in meterpreter C. Set the payload to propagate through meterpreter D. Create a route statement in meterpreter

D. Create a route statement in meterpreter Explanation OBJ-5.1: Because the penetration tester exploited the FTP server from outside the LAN, the internal subnet is not directly routable from the attacking host. Adding a route in Metasploit that sends traffic for the internal subnet through the Meterpreter session on the FTP server lets subsequent modules reach that network via the compromised machine. Metasploit makes this simple with its autoroute post module, which discovers the networks the session can see and creates the routes needed to attack the second network through the first compromised host.

What common technique is used by malicious individuals to perform a man-in-the-middle attack on a wireless network? A. ARP cache poisoning B. Amplified DNS attacks C. Session hijacking D. Creating an evil twin

D. Creating an evil twin Explanation OBJ-6.1: An evil twin access point is the most common way to perform a man-in-the-middle attack on a wireless network. The evil twin is the wireless LAN equivalent of the phishing scam: the attacker stands up a rogue access point broadcasting the same SSID as the legitimate one, and clients that associate with it have all their traffic pass through the attacker. This can be used to steal the passwords of unsuspecting users by monitoring their connections, or to phish them by redirecting them to a fraudulent website. ARP cache poisoning is a man-in-the-middle technique for wired Ethernet segments, session hijacking targets an already-authenticated session, and amplified DNS attacks are a form of denial of service.

You are working as part of a penetration testing team targeting Dion Training's wireless network. Which of the following tools should you use to gather information about their wireless network? A. Whois B. Burp suite C. BeEF D. Kismet

D. Kismet Explanation OBJ-6.1: Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. It can monitor wireless activity passively, identify access points and client device types, and capture raw packets (including WPA handshakes) for later password cracking. Whois is a protocol that queries databases of registered users or assignees of an Internet resource, such as a domain name, and tells you nothing about a wireless network. Burp Suite is an integrated platform for testing web application security; it acts as a local proxy so the tester can capture, analyze, and manipulate HTTP traffic. BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on hooking and exploiting web browsers.

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability:
=============
Linux:~ diontraining$ cat results.txt
Vulnerability scanning results...
IP: 192.168.2.51
Service: MySQL
Version: 3.5.3
Details: Versions 3.0 - 3.2 may be vulnerable to code execution.
Recommendation: Upgrade the MySQL server to version 3.3.x or above.
================
How should you categorize this result? A. True negative B. True positive C. False negative D. False positive

D. False positive Explanation OBJ-3.1: You should categorize the result as a false positive. Based on the scanner's own output, the server is not vulnerable to the identified code execution flaw: the affected range is versions 3.0 through 3.2, the recommended fix is 3.3.x or above, and the detected version is 3.5.3, which is already above that. The scanner reported a finding for a vulnerability that does not exist on this system, which is the definition of a false positive. In practice you would confirm the installed version on the host itself (for example by querying the server directly) before closing the finding, since version-banner matching is the most common source of scanner false positives.

You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? A. Proxy server B. Authentication server C. IPS D. IDS

D. IDS Explanation OBJ-4.5: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

What control provides the best protection against both SQL injection and cross-site scripting attacks? A. Hypervisors B. Network layer firewalls C. CSRF D. Input validation

D. Input validation Explanation OBJ-5.3: Input validation stops the attacker from getting malformed or malicious data into the application in the first place, and is therefore a strong control against both SQL injection and cross-site scripting. In practice it is paired with parameterized queries (against SQL injection) and output encoding (against XSS), but of the options listed only input validation addresses both attacks. A network layer firewall is a device that prevents unauthorized access to a network by permitting or blocking communications based on IP address, port, and protocol; it does not inspect application payloads. Cross-site request forgery (CSRF) is itself an attack type, not a control. A hypervisor controls the isolation between virtual machines.
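To make the layering concrete, here is an added example, not from the quiz page, showing the same lookup written two ways: a vulnerable version that concatenates untrusted input into SQL and echoes it raw into HTML, and a hardened version that applies an allow-list check, a parameterized query, and output encoding. The table, rows, usernames, and attack inputs are constructed, and the code uses only the Python standard library.

```python
"""Vulnerable vs hardened handling of one untrusted input (SQL injection and XSS).

Added example, not from the quiz page; the in-memory table, its rows, and the
attack strings are constructed for illustration.
"""
import html
import re
import sqlite3


def make_db():
    """Constructed sample database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("jason", "admin"), ("tamera", "user"), ("kim", "user")],
    )
    conn.commit()
    return conn


def render(term, rows, encode=True):
    """Build the results page; encode=False reproduces the reflected-XSS bug."""
    esc = html.escape if encode else (lambda s: s)
    items = "".join(f"<li>{esc(u)} ({esc(r)})</li>" for u, r in rows)
    return f"<p>Results for {esc(term)}</p><ul>{items}</ul>"


# --- vulnerable: input concatenated into SQL, then reflected into HTML unencoded ---
def lookup_vulnerable(conn, username):
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    rows = conn.execute(sql).fetchall()
    return rows, render(username, rows, encode=False)


# --- hardened: allow-list validation, bound parameters, output encoding ---
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, username):
    # Input validation: reject anything outside the allow-list before it is used.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Parameterized query: the value can never change the SQL structure.
    rows = conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()
    # Output encoding: defense in depth if validation is ever bypassed.
    return rows, render(username, rows, encode=True)


if __name__ == "__main__":
    db = make_db()
    sqli = "' OR '1'='1"
    xss = "<script>alert(1)</script>"
    print("vulnerable, SQLi rows:", lookup_vulnerable(db, sqli)[0])
    print("vulnerable, XSS page :", lookup_vulnerable(db, xss)[1])
    for payload in (sqli, xss):
        try:
            lookup_hardened(db, payload)
        except ValueError as e:
            print("hardened rejected", repr(payload), "->", e)
    print("hardened, normal     :", lookup_hardened(db, "jason"))
```

The allow-list rejects both payloads before any query runs; the parameterized query and `html.escape` are there so that a future change to the validation rule (say, permitting apostrophes in names) does not silently reopen either hole.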

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
=============================
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Proto

D. Port scan targeting 10.10.3.6 Explanation OBJ-2.2: Port scanning is the technique used to identify open ports and services available on a network host. The logs show a sequential sweep of commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) from a single source, with a roughly two-second pause between attempts. The scan source is 10.10.3.2 and the destination is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. An IP fragmentation attack is a form of denial of service in which the attacker overwhelms a target by abusing datagram fragmentation and reassembly. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources because of a malicious actor's actions; a single connection attempt per port every two seconds is nowhere near that.

Which type of method is used to collect information during the passive reconnaissance? A. Social engineering B. Network traffic sniffing C. Man in the middle attacks D. Publicly accessible sources

D. Publicly accessible sources Explanation OBJ-2.1: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources without ever touching the target's systems. While sniffing network traffic is passive once the sniffer is running, gaining access to the network to place a sniffer at a good tap location is not, so of the choices provided, publicly accessible sources is the best answer. A man-in-the-middle attack places the penetration tester between the traffic's source and destination, allowing active interception and possible modification. Social engineering is also an active reconnaissance technique, using deception to trick a user into giving information to an attacker or penetration tester.

Which of the following is usually not considered when evaluating the attack surface of an organization? A. External and internal users B. Websites and cloud entities C. Software applications D. Software development lifecycle model

D. Software development lifecycle model Explanation OBJ-2.1: The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization's attack surface. The attack surface represents the set of things that could be attacked by an adversary. External and internal users, websites, cloud entities, and software applications used by an organization are all possible entry points that an adversary could attempt an attack upon.

Which of the following is the LEAST secure wireless security and encryption protocol? A. AES B. WPA C. WPA2 D. WEP

D. WEP Explanation OBJ-6.1: Wired Equivalent Privacy (WEP) is the security protocol specified in the original IEEE 802.11 wireless LAN standard, designed to give a WLAN a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest form of wireless security and the weakest: its RC4 keystream reuse and weak initialization vectors mean the key can be recovered from captured traffic with statistical attacks in a matter of minutes on an ordinary end-user computer, without any brute force of the key itself. WPA was a stopgap replacement for WEP and WPA2 (using AES-CCMP) superseded it; AES is the block cipher used by WPA2 rather than a wireless security protocol on its own.

You just completed an nmap scan against a workstation and received the following output:
=================
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
=================
Based on these results, which of the following operating system is most likely being run by this workstation? A. Ubuntu B. macOS C. CentOS D. Windows

D. Windows Explanation OBJ-2.2: The workstation is most likely running a version of the Windows operating system. Port 135 (MS-RPC endpoint mapper), port 139 (NetBIOS session service), and port 445 (SMB over TCP) together are the signature of Windows file and printer sharing; since Windows 2000, SMB has listened directly on 445 in addition to the legacy NetBIOS port 139, and all three are open by default on a domain-joined Windows workstation. A Linux or macOS host running Samba could expose 139 and 445, but 135 would not normally be present.

You are trying to open your company's internal shared drive from your Windows 10 laptop but cannot reach it. You open your web browser and can connect to DionTraining.com without any issues. Which of the following commands should you use to determine if the internal shared drive is mapped to your computer properly? A. ping B. tracert C. chkdsk D. net use

D. net use Explanation OBJ-2.3: There are several net command utilities you can use to view and configure shared resources on a Windows network. The net use command connects to a network resource such as a shared drive, folder, or printer, and run with no arguments it lists the current mappings and their status, which is exactly what you need to check whether the shared drive is mapped properly. For example, "net use S: \\SERVER\DATA /persistent:yes" would map the DATA share on SERVER to your local S: drive and keep the mapping across reboots. ping and tracert test reachability of a host, and chkdsk checks a local disk for errors; none of them reports drive mappings.

