CertPentest+


A security tester has been using Shodan for several engagements but wants another source of reference similar to Shodan. Which of the following would best fit that? a) Censys b) OpenVAS c) Netcat d) ObfuscatedEmpire

a) Censys #When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems. #A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested.

A security tester is looking for custom scripts against uncommon services which they can't find in MetaSploit. Which of the following could they look at to possibly find what they need? a) ExploitDB b) MSTG c) OWASP d) OSSTMM

a) ExploitDB #While there are many repositories available, the team can use the Exploit Database (Exploit DB) which provides a complete collection of public exploits and vulnerable software in a searchable database. #The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency.

A threat actor designed a malicious cross-site scripting attack to execute on the client's browser. What type of attack does this represent? a) Persistent attack b) Reflected attack c) DOM-based attack d) Directory traversal

c) DOM-based attack

A client for a security assessment is worried about corruption of company information, as there are indications that data has been changed in some way, and wants to perform a health check. What is this called? a) Data exposure b) Risk gap c) Attack surface d) Data modification

d) Data modification #Data modification or corruption is when data has been altered in some way, which is a violation of integrity. #Exposing sensitive data occurs when someone or something exposes sensitive or personal data, which is a violation of confidentiality. #Until a patch is applied, the system is vulnerable and creates a risk gap, which is the time between when the vendor releases a patch, and the patch is applied. #Vulnerabilities exist in many different areas, called attack surfaces, which include software, hardware, networks, and users that can be exploited.

A threat actor has obtained a user's session ID (SID) and is impersonating the user. What type of session attack is this? a) Cross-site request forgery b) Server-side request forgery c) Session replay d) Session fixation

d) Session fixation #This represents a session fixation attack which requires the user to authenticate with a known session identifier that the threat actor will then use for impersonation. #Session replay requires having access to the user authentication process itself so that the threat actor can intercept it and repeat it.

Most common APIs

1) RESTful: API based on REST (Representational state transfer) 2) XML-RPC: Extensible Markup Language-Remote Procedure Call 3) SOAP: Simple Object Access Protocol

Censys vs. Shodan

Censys conducts more horizontal scans (each scanner potentially scanning the entire IPv4 space), whereas for Shodan the IPv4 space appears to be divided among its scanners.

A security researcher is testing the disruption of a Wi-Fi signal by broadcasting on the same frequency as the target WAP. What is this called? a) Jamming b) Pineapple c) Deauthentication d) Slowloris

a) Jamming #Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, and any signals that a wireless transceiver is attempting to send or receive will be blocked.

A security penetration tester wants to try exfiltrating data by synthesizing images into .wav files. Which tool should they use to do this? a) OpenStego b) Snow c) Coagula d) Ostinato

c) Coagula #Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to download Coagula and Audacity, which are both free programs.

A penetration tester discovers a device during an engagement and needs to try conducting a Pixie attack or attempt to crack PMKID offline. Which tool should they use? a) Airmon-ng b) Spooftooph c) ScoutSuite d) Wifite2

d) Wifite2 #Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more. #ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.

Gobuster vs. DirBuster

#Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide information that was otherwise not available. #DirBuster is a web application brute-force finder for directories and files that comes with nine different lists, including default directories and common names given by developers. Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website. NOTE: DirBuster is a web application but Gobuster is not.

Virtual environment attack types

#A class 1 virtual environment attack is one in which the attack happens outside of the virtual machine and can affect the entire virtual environment. #A class 2 virtual environment attack directly affects the source, but does not necessarily originate from the source. #A class 3 virtual environment attack is one in which the attack originates within the virtual machine, and the virtual machine is the attack source.

Why Powershell?

PowerShell can make it easier for PenTesters to automate the process of exploiting the Registry, Active Directory (AD) objects, Group Policy, the Windows network stack, and more. NOTE: PowerShell is not a general-purpose interpreted programming language (IPL).

Wifite2

Wifite2 is the wireless tool that can survey WLAN frequencies and automate a wireless attack through a series of command-line selections.

A vulnerability has just gone through the mitigation phase of the vulnerability lifecycle. What is the next phase? a) Manage b) Document c) Discover d) Coordinate

a) Manage #Manage is when the patch has been released. It's now up to each organization to take the next step and apply the patch in order to remediate or mitigate the vulnerability. #Document is the final phase, in that the vulnerability has been tested, and everyone involved will take a moment to document what has been done. In addition, it's best to reflect on lessons learned. #Discover is the first phase of finding a potential vulnerability that can be exploited. It's important to recognize that a vulnerability exists in order to defend against a possible attack, now or in the future. #Coordinate is the next phase, where both the vulnerability and the potential to exploit the vulnerability are known. Phase order: Discover, Coordinate, Manage, Document.

A team is conducting a physical assessment and uses a simple mechanism such as Styrofoam to bypass a certain control. Which control are they likely bypassing? a) Motion sensor b) Fences c) Security badges d) Locks

a) Motion sensor #The team can attempt to block the motion detector by using a piece of cardboard or Styrofoam over the sensor. #Many buildings have perimeter security, such as natural barriers or fences, to deter someone from simply entering the property. Cardboard would not be as helpful with this. #A radio-frequency identification (RFID) badge system can be used for physical security. These badges hold an individual's authorization credentials and use a proximity reader that reads data when in range. #Lock picking uses specialized tools to manipulate the components of a lock in order to gain access to a restricted area.

A security consultant is attempting to look for default passwords for a client's D-Link phones. Which of the following should they use? a) intitle:"DPH" "web login setting" b) inurl:"ccmuser/logon.asp" c) intitle:"Grandstream Device Configuration" password d) inurl:"CallManager"

a) intitle:"DPH" "web login setting" #intitle:"DPH" "web login setting" would be used to find information on D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system. #inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try other Google Hacking queries to find more information on VoIP phones that can be used to launch the attack. #intitle:"Grandstream Device Configuration" password would be used to find information about Grandstream phones. #inurl:"CallManager" would not be a valid way of attempting to find CallManager instances; they would have to search for ccmuser.

A security researcher has detected anomalous timestamp entries where a system's log event microseconds have all been set to 0, and they suspect the system has been compromised and the timestamps modified. Which tool did the attacker probably use? a) Meterpreter b) TimeStomp c) Shred d) Wevtutil

b) TimeStomp #Changing time values is possible by using Metasploit's Meterpreter tool called TimeStomp, which allows you to delete or modify timestamp-related information on files. #Shred is a command built into Linux to make sure that files are securely deleted and completely removed. Windows doesn't have a built-in command-line equivalent to file-based shredding. #When using the command-line interface (CLI) in Windows, you can also clear individual log categories. For example, wevtutil cl Application will clear the Application log.

A security consultant is in the reconnaissance phase of a penetration test and believes there might be a non-stateful firewall blocking the scan. What nmap parameter could try to bypass the non-stateful firewall? a) -sS b) -oX c) -sF d) -sX

c) -sF #The -sF option sends a TCP FIN to bypass a non-stateful firewall. #When using Nmap, the TCP SYN scan (-sS) is the default and most popular option. It can be performed quickly and is able to scan thousands of ports per second on a fast network not hampered by restrictive firewalls. #XML output (-oX) is a format that can easily be analyzed by security automation tools, converted to HTML, imported into a database, or studied using Zenmap. #A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags raised to bypass a firewall or IDS. This scan uses the option: -sX.

A security researcher is setting up an evil twin as part of a security conference demonstration. Which type of attack does an evil twin typically perform? a) Jamming b) Brute force c) Deauthentication d) Zone transfer

c) Deauthentication #Getting users to join an evil twin is often accomplished by using a deauthentication attack. Once the client is kicked off the network, they may be able to trick them into reconnecting to the rogue AP.

A PenTester exclusively tests macOS systems and wants to use the command and control tool that will consistently provide the best results for that operating system. Which tool will the PenTester select? a) Empire b) Covenant c) Mythic d) Nishang

c) Mythic #Mythic is a cross-platform C2 framework tool that works with macOS, Linux, and Windows, but it contains payloads that provide consistently good results when PenTesting macOS. #Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux. #Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier.

An employee refuses to apply updates to their mobile device for fear that it will change things on the device that will be annoying. What threat is the employee introducing? a) De-perimeterization b) Strained infrastructure c) Patching fragmentation d) Forensics complications

c) Patching fragmentation #Patching fragmentation occurs when device owners do not implement updates in a timely manner. This fragmented approach can lead to individuals using unsupported versions that leave the system vulnerable. #Deperimeterization occurs when employees take sensitive data outside of the corporate perimeter and do not properly secure their devices. This risks data exfiltration. #Strained infrastructure occurs when the addition of multiple devices places a strain on the network and causes it to stop functioning at optimum capacity and may lead to an unintentional Denial of Service. #Dealing with bring your own device during a forensic exercise may cause forensics complications and prove difficult or even impossible and compromise the integrity of an investigation.

A security engineer is trying to avoid Antivirus on a company's systems. Which tool could they use to modify the hash of their payloads? a) Wget b) theHarvester c) Dirbuster d) ObfuscatedEmpire

d) ObfuscatedEmpire #Obfuscating a known signature uses a tool such as ObfuscatedEmpire in a solution. It is a fork of Empire that has Invoke-Obfuscation baked directly into its functionality. #Wget is not designed to obfuscate malware, but it can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server.

A security analyst is trying to find older versions of a company's website which contained sensitive information. They are worried that attackers might still be able to find older versions, so they want to try using web search commands. Which web search command would help them search? a) inanchor b) inurl c) site d) cache

d) cache #Use a standard cache search on a site, and you will see a recent view of the website. To do a quick check simply type cache: in the address bar. For example, cache:https://comptia.org. #inanchor searches anchor text. For example, use inanchor:Certification report to search for any pages whose anchor text includes the text "Certification" and have the text "report" anywhere on the page. #One would use inurl:Certification report to search for any pages whose URLs include the text "Certification" and have the text "report" anywhere on the page. #The security professional would enter the site:comptia.org report to search CompTIA's website only for results including the text "report."

SAN, SET, WiGLE, Dirbuster

#A more useful field in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). SANs can identify specific subdomains that can be covered by the certificate. #The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest. You can download SET and install it on a Linux, Unix, and Windows machine or use it within Kali Linux. #WiGLE is a site dedicated to mapping and indexing access points. When WiGLE first became available in 2001, many wardrivers used the site to locate open access points to use the "Free Internet." #Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website.

Netcat parameters

#The -l parameter starts Netcat in listen mode. The default mode is to act as a client. #The -L parameter starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects. #The -e parameter specifies the program to execute when a connection is made.

A Jr. PenTester has difficulty using a Bash script. The script contains the following line: $my_str = "Password" , which keeps throwing an error. What does a senior PenTester identify as the problem? (Select all that apply.) a) The use of $ b) The use of "" c) The use of = d) The use of _

#When using Bash for scripting in Linux, a variable is not designated with a leading $ when it is assigned. A leading $ is required when using PowerShell in a Windows environment. When scripting in Bash, there is strict use of the equals sign (=): in Bash, the equals sign must not have a leading or trailing space, also known as whitespace. When scripting in Bash and with other scripting tools, the use of double quotes, as in the example "Password", is common. The use of the underscore character (_) is not restricted in Bash when using it as part of a variable name.

OSINT Tools

WHOIS, Nslookup, FOCA, theHarvester, Shodan, Maltego, Recon-ng, Censys (Highlight Shodan, Maltego and Recon-ng)

Difference between DNS/MAC/ARP spoofing:

1) Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. 2) Address Resolution Protocol (ARP) spoofing transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor's MAC address as being the victim's address. 3) MAC address spoofing will modify the MAC address on the malicious actor's NIC card so that it matches the MAC address on the victim's machine.

Logical vulnerabilities

1) Location of a vulnerability 2) Exposure (but overall exposure is a technical vulnerability) 3)

Technical Vulnerabilities

1) OSI Layer vulnerabilities are a type of technical vulnerability that a PenTester may identify when creating a report based on the Penetration Testing Execution Standard (PTES). 2) Manually identified vulnerabilities are a type of technical vulnerability that a PenTester may include in a report based on the Penetration Testing Execution Standard (PTES). 3) Overall Exposure 4) Scanner found vulnerabilities

Three categories of XSS attacks

1) Persistent - injected code is permanently stored on the web server. For example: injection of malicious code or links into a website's forums, databases, or other data. 2) Reflected - code is reflected from the victim to the server and then back to the victim. For example: in a reflected attack, a threat actor crafts a form or other request that the system will send to a legitimate web server. This request includes the malicious script. 3) DOM-based - takes advantage of a web app's client-side implementation of JavaScript to execute the attack solely on the client. For example: in a Document Object Model (DOM)-based attack, the threat actor does not send malicious scripts to the server; instead, they take advantage of a web app's client-side implementation of JavaScript to execute the attack solely on the client.

The first step is network enumeration, which can be done using wget, Netcat, Nmap, or curl.

Banner grabbing: #For wget: wget <target IP> -S (where -S will print the HTTP headers that are sent by the server.) #For Netcat (a popular Unix/Linux tool): use an HTTP GET request to elicit the web server type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server #For Nmap: nmap -sV <target IP> -p <port number> NOTE: for Nmap, there is no need to break out of the session; simply wait a few seconds for the scan to complete. #For curl: curl -I example.com

Reverse shell vs. bind shell

A bind shell is where the shell is started on the target first, and the session is started from the attacker's machine afterwards. 1) Bind shells have the listener running on the target, and the attacker connects to the listener in order to gain remote access to the target system. In a reverse shell, the attacker has the listener running on their own machine, and the target connects back to the attacker with a shell, so that the attacker can access the target system. 2) In a bind shell, the attacker finds an open port on the server/target machine and then tries to bind a shell to that port. In a reverse shell, the attacker opens a port on their own machine so that the victim can connect to it. 3) The attacker must know the IP address of the victim before launching a bind shell. In a reverse shell, the attacker doesn't need to know the IP address of the victim, because the victim connects to the attacker's open port. 4) In a bind shell, the listener is on the target machine and the attacker connects to it. The reverse shell is the opposite of the bind shell: the listener is on the attacker's machine and the target machine connects to it. 5) A bind shell will sometimes fail, because modern firewalls don't allow outsiders to connect to open ports. A reverse shell can bypass this firewall issue because the target machine initiates the connection to the attacker, which firewalls typically allow.

Session Replay Attack vs. Session Fixation Attack.

Both fixation and hijacking ultimately have the same goal: gaining access to a session. They differ only in how that is achieved. #Session hijacking is simply the act of stealing an existing, valid session cookie, most commonly by sniffing network traffic (a MITM attack), but also through any other way in which a session ID may be leaked. #Session fixation is similar, but inverted: a pre-defined session cookie is planted in the victim's browser, so after the victim logs into a website, they will use the same session cookie that the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited. Of course, that requires the attacker to have temporary access to the victim's browser itself, but the principle is very simple: there's no need to steal the data if it is under your control in the first place.

For Pen testers, is cleaning up environment a follow up process or post-engagement cleanup?

Cleaning up the environment after the PenTesting process is done is a post-engagement cleanup and not a follow-up process, because it has to be done immediately after the PenTest is completed to remove artifacts that attackers could later exploit.

Banner grabbing with nmap

In addition to basic commands, you can also use an Nmap Scripting Engine (NSE) script, which will attempt to grab banners from every service it can discover on a host, for example: nmap -sV --script=banner <target>

Tools for aiding discovery of metadata

Metagoofil and Fingerprinting Organizations with Collected Archives (FOCA). NOTE: FOCA is a Windows-only tool. In addition, it requires SQL Server to store its data in a database.

Meterpreter

Meterpreter's keyscan_start and keyscan_dump commands let a PenTester capture keystrokes remotely to exfiltrate a user's password, so physical access to the device is not needed. Meterpreter is a payload within the Metasploit Framework that provides control over an exploited target host. Meterpreter resides completely in the memory of the exploited host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.

Network mapping tools (active reconnaissance phase)

Popular network mappers include SolarWinds, Intermapper, WhatsUp Gold, PRTG, Spiceworks, Nmap, and Zenmap.

Privilege escalation (Horizontal vs vertical)

Privilege escalation increases access to a system either #vertically, to obtain access to an account with higher privileges, #or horizontally, to obtain access to a regular user account with different privileges.

Tools used for webpage assessment

SearchSploit, Brakeman, and WPScan (a WordPress scanner)

Risk gap

The time between when the vendor releases the patch and when the patch is applied. During this time, a malicious actor can exploit the zero-day vulnerability, with potentially devastating results.

Intelligence Gathering

What is intelligence gathering? #Intelligence gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future. Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

Why do intelligence gathering? #Open Source Intelligence gathering is done to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer.

What is intelligence gathering not used for? #OSINT (open-source intelligence) may not be accurate or timely. The information sources may be deliberately or accidentally manipulated to reflect erroneous data, information may become obsolete as time passes, or it may simply be incomplete. In addition, OSINT gathering does not encompass dumpster diving or any method of retrieving company information from physical items found on-premises.

Ref: http://www.pentest-standard.org/index.php/Intelligence_Gathering#Background_Concepts

A penetration tester is using Netcat and does not want the command to perform DNS lookups for host names on the other end of the connection. What option will accomplish this? a) -n b) -p c) -z d) -l

a) -n #The penetration tester can use the -n option to tell Netcat not to perform DNS lookups for host names on the other end of the connection. #Penetration testers can use the -p option to specify the port that Netcat should start listening on in listen mode. In client mode, it specifies the source port. #Penetration testers can use the -z option to start Netcat in zero I/O mode, which instructs it to send a packet without a payload. #Penetration testers can use the -l option to start Netcat in listen mode. The default mode is to act as a client.

An organization is implementing physical controls to secure access to its location. Which of the following are physical controls? (Select all that apply.) a) Access control vestibule b) System hardening c) Biometric controls d) Video surveillance

a) Access control vestibule c) Biometric controls d) Video surveillance

A PenTester developed a collapsed script and is now ready to inject it so it will download and execute a payload. What are some ways the PenTester can inject the script? (Select all that apply.) a) As a macro in Word document b) Via a USB implant c) Via a cookie d) Via a phishing email

a) As a macro in Word document b) Via a USB implant d) Via a phishing email #The PenTester can execute the collapsed script, which is also known as a one-liner, as a macro in a Word document that will execute when a user opens the document. #The PenTester can execute the collapsed script, which is also known as a one-liner, via a USB implant if the tester has physical access to the system. #The PenTester can execute the collapsed, or simplified, script via a phishing email which tricks the user into opening a document or clicking a link that executes it. NOTE: The PenTester cannot execute the collapsed script via a cookie as a cookie is a text file containing the session ID for a particular web session that a server gives to a client browser.

A PenTester wants to initiate persistence on a system. What are some options that the PenTester can use to do this? (Select all that apply.) a) Backdoor b) Reverse shells c) Log in to the system d) Run as a service

a) Backdoor b) Reverse shells d) Run as a service #The PenTester can use a backdoor which is a hidden mechanism that provides a PenTester with access to a system through some means that escapes the notice of the system's typical users. #The PenTester can use a reverse shell which the attack machine establishes when the target machine communicates with the attack machine that is listening on a specific port. #The PenTester can use services which automatically start when the system boots, but certain events can also activate them, or, less commonly, a PenTester can start and stop services manually. #Logging in to a system does not provide persistence access as the PenTester can lose access if the system reboots or if the password changes.

An administrator configured the system to lock out accounts for 30 minutes after 3 unsuccessful login attempts, but the system did not lock out accounts after three unsuccessful attempts and a threat actor took advantage of this failure to compromise a user's password. What does this represent? a) Business logic flaw b) Horizontal privilege escalation c) Vertical privilege escalation d) Session hijacking

a) Business logic flaw #This represents a business logic flaw, which is a vulnerability that arises from implementation and design issues that lead to unintended behavior. The services most commonly exploited through business logic flaws are APIs. #Horizontal privilege escalation is obtaining access to a regular user account with different access or permissions than the one currently in use. NOTE: This approach has great potential for information gathering without raising suspicion, as irregular user activity is more likely to stay unnoticed than irregular admin activity. #Vertical privilege escalation is obtaining access to an account of higher privilege than the one we currently have, to enable resources that the regular user does not have permission for. NOTE: vertical PrivEsc is used when we need to upgrade from a "restricted shell". A restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but is insufficient to allow execution of entirely untrusted software.

A penetration tester is using a framework to help manage available exploits and keep control of the devices the tester has targeted. What kind of framework is the tester using to accomplish this? a) C2 b) BeEF c) SQLi d) LDAP

a) C2 #The command and control (C2) frameworks manage available exploits, as well as help penetration testers keep control of the devices the tester has targeted. #SQLi is a SQL injection attack that allows the modification of any of the four basic functions of SQL querying by embedding code within the web application, causing it to execute your own set of queries using SQL. #The Lightweight Directory Access Protocol (LDAP) is a standard for networked devices on how to manage directory services.

A PenTesting company has provided an organization with a cost-benefit analysis to analyze the strengths and weaknesses of alternatives and determine the best options available. Where would the PenTesting company include the cost-benefit analysis? a) Client acceptance b) Attestation of findings c) Retest d) Lessons learned

a) Client acceptance #The cost-benefit analysis is part of the client acceptance which is a formal hand-off process where the client agrees that the testing is complete and that they accept the findings as presented in the report. #The purpose of a retest is to analyze the progress made in applying the mitigations to the attack vectors that the PenTesters found during the penetration test. NOTE: The primary goal of a lessons learned report (LLR) or after-action report (AAR) is to improve the PenTest processes and tools.

A threat actor passed input to a web server which the system shell then executed. What type of attack did the threat actor execute? a) Command injection b) Code injection c) Data exfiltration d) IoT data corruption

a) Command injection #The threat actor executed a command injection attack in which the threat actor supplied malicious input to the web server, which then passed this input to a system shell for execution. #Code injection is an attack that introduces malicious code into a vulnerable application to compromise the security of that application. #Data exfiltration involves threat actors covering tracks by deleting entries from an access device or retrieving sensitive information through less conspicuous channels to avoid detection. #IoT data corruption refers to faults in the information transmitted, stored, or otherwise managed by IoT devices.

A security tester wants to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in a free, easy-to-use platform. Which of the following should they use? a) EAPHammer b) Fern c) Spooftooph d) SOHO

a) EAPHammer #EAPHammer is another Python-based toolkit with a wide range of features. It provides options that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in an easy-to-use platform. #Fern runs on a Linux OS and can recover WEP/WPS/WPA keys using a variety of methods. Fern is a commercial product; there is also a free version that offers limited functionality.

Which of the following demonstrate policy recommendations a PenTesting company may provide to a client? (Select all that apply.) a) Enable channels of communication b) Implement logical controls c) Implement KPIs d) Review policies and procedures

a) Enable channels of communication c) Implement KPIs d) Review policies and procedures #Enable channels of communication is a policy recommendation as both end-users and managers will provide key information regarding the implementation of a security policy. #Implement key performance indicators (KPIs) is a policy recommendation so management can monitor the effectiveness of controls, see security process improvements and return on investment (ROI), and intervene in consistently weak areas. #Review policies and procedures is a policy recommendation to see if technical controls are working as expected. #Implement logical controls is not a policy recommendation but implementing technical controls in place to preempt the risk of poorly designed or implemented procedures is a policy recommendation.

A penetration tester is using a tool that is brute-forcing a list of common names to find subdomains, directories, and files. What tool is the penetration tester using? a) Gobuster b) OWASP ZAP c) DirBuster d) w3af

a) Gobuster #Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide information that was otherwise not available. NOTE: theHarvester and recon-ng can discover subdomains, employee names, email addresses, PGP key entries, open ports, and service banners. #OWASP ZAP (Zed Attack Proxy) is a proxy that allows for both automated and manual testing and identification of vulnerabilities. #DirBuster is a web application brute-force finder for directories and files that comes with nine different lists, including default directories and common names given by developers. #w3af (Web Application Attack and Audit Framework) allows users to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting.

A malicious actor compromised a virtual machine host which allowed the malicious actor to gain control of the virtual environment. What type of attack does this represent? (Select all that apply.) a) Hyperjacking b) Class 1 c) VM escape d) Class 3

a) Hyperjacking b) Class 1 #This represents hyperjacking which is when a malicious actor takes control of the hypervisor that manages a virtual environment and then has all the required privileges to take full control of the environment. #VM escape is an attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

Security risks to web applications are common. Which does the OWASP deem as the most critical? (Select all that apply.) a) Insecure Data Transmission b) Lack of Error Handling c) User Input Sanitization d) Lack of Code Signing

a) Insecure Data Transmission b) Lack of Error Handling #Insecure data transmission is on the OWASP Top 10 as A6:2017-Security Misconfiguration, where data transmission must be secure, but gaps in the implementation of security measures may leave it exposed. #Lack of error handling is on the OWASP Top 10 in A3:2017-Sensitive Data Exposure, as an application may not respond gracefully to unexpected input, which can lead to crashing the application. #User input sanitization is not on the OWASP Top 10, but a lack of user input sanitization is, and it can lead to injection attacks, which is what OWASP Top 10: A1:2017-Injection addresses. #Lack of code signing is not on the OWASP Top 10, but code signing is; it verifies that a threat actor has not tampered with a script or executable.

A PenTester is developing a cross-site scripting (XSS) attack. What scripting language will the PenTester most likely use? a) JavaScript b) Ruby c) Python d) PowerShell

a) JavaScript #The PenTester will most likely use JavaScript which developers use alongside HTML and CSS on the World Wide Web and PenTesters use it heavily in XSS attacks and PenTesting. #Ruby, like Python, is a general-purpose interpreted programming language that PenTesters can also use as a scripting language, but JavaScript is most popular. #Python is a popular language for implementing all kinds of development projects, including automation tools and security tools, as well as malicious scripts. #PowerShell can make it easier for PenTesters to automate the process of exploiting the Registry, Active Directory objects, Group Policy, the Windows network stack, and more.

A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening? (Select all that apply.) a) LLMNR b) NBT-NS c) SSH d) VNC

a) LLMNR b) NBT-NS #Responder is a man-in-the-middle type tool that can be used to exploit name resolution on a Windows network by poisoning LLMNR (Link-Local Multicast Name Resolution). Remember to disable it using Registry Editor by going to HKLM/Software/Policies/Microsoft/Windows NT/DNSclient and setting the data value to 0. #Responder is also designed to intercept and poison NBT-NS. Once a request is intercepted, Responder will return the attacker's host IP as the name record.

A company is using enterprise mobility management software (EMM) to make sure that all the devices employees bring and connect to the corporate network meet established security policies. What functions will the EMM software manage? (Select all that apply.) a) Locking and wiping employee devices b) Preventing employees from installing apps c) Reporting personal data usage back to the employer d) Pushing out updates to devices

a) Locking and wiping employee devices b) Preventing employees from installing apps d) Pushing out updates to devices #The EMM software will allow locking and wiping of employee devices through mobile device management (MDM), which sets device policies for authentication, feature use, and connectivity. #The EMM software will prevent employees from installing apps through mobile application management (MAM), which sets policies for apps and can prevent the installation of unauthorized apps. #The EMM software will push out updates to devices through mobile application management (MAM), which sets policies for apps that can automatically push out updates. NOTE: The enterprise mobility management (EMM) software typically does not report employee personal data usage back to the employer. It may report back data usage within the enterprise side.

A penetration tester is analyzing entry to a network utilizing 802.1X authentication. Which of the following is NOT one of the three main components of this setup? a) Organizational Units b) Supplicant c) Authenticator d) AS

a) Organizational Units #Organizational Units are used with a domain to group similar objects such as the users, groups, computers, and other OUs and minimize the number of domains. #The Supplicant (or Wi-Fi client) is the first entity in 802.1X authentication. In a corporate WLAN, clients generally must authenticate prior to gaining access to the network using the 802.1X authentication protocol. #The Authenticator (or WAP) is the second entity in 802.1X authentication. Once authenticated, a virtual port is created on the access point and the client can then access network resources. #The Authentication Server (AS) is the last entity in 802.1X authentication. It is generally a RADIUS server that provides the authentication.

A script is any computer program that automates the execution of tasks for a particular runtime environment. Which of the following represent elements of a well-written script? (Select all that apply.) a) Parameters b) Branching and looping c) Unexpected checks d) Unit tests

a) Parameters b) Branching and looping d) Unit tests #An element of a well-written script is parameters that the script takes as input data and the system passes to the script as arguments. #An element of a well-written script is branching and looping statements that can alter the flow of execution based on conditions. #An element of a well-written script is unit tests to ensure that the script returns the expected outputs, given the expected inputs. NOTE: Unexpected checks is not an element of a well-written script but scripts should have validation and error handlers to check inputs and ensure robust execution.

A PenTester needs to write a script to exploit a system and wants to keep it simple by using a general-purpose interpreted programming language that any new PenTesters joining the team in the future can easily understand. What options are available to the PenTester? (Select all that apply.) a) Perl b) PowerShell c) Python d) Ruby

a) Perl c) Python d) Ruby #The PenTester can use Perl which is a general-purpose interpreted programming language that PenTesters can also use as a scripting language. #The PenTester can use Python which is a popular language for implementing all kinds of development projects, including automation tools and security tools, as well as malicious scripts. #The PenTester can use Ruby which is a general-purpose interpreted programming language that PenTesters can also use as a scripting language. NOTE: PowerShell is a scripting language and shell that Microsoft built on the .NET Framework and functions mainly through the use of cmdlets, which are specialized .NET commands that interface with PowerShell.

A PenTester has accessed a host with the purpose of compromising other hosts that are not accessible without the pivot. What are some methods the PenTester can use to spread out to the other hosts? (Select all that apply.) a) Port forwarding b) X Window System (X) c) Modifying routing tables d) Virtual Network Computing (VNC)

a) Port forwarding c) Modifying routing tables #The PenTester can use port forwarding which uses a host as a pivot and allows access to one of its open TCP/IP ports and then forwards traffic from this port to a port of a host on a different subnet. #The PenTester can modify routing tables after opening a shell on the pivot host to add a new route that defines the exploit session so that traffic sent to the subnet must tunnel through the session. #X Window System (X) allows for moving laterally and is a graphical display system for Unix-based computers and operates on a client and server model. #Virtual Network Computing (VNC) allows for moving laterally. It is cross-platform and enables full remote control of a desktop.

An organization must make some key decisions before a PenTesting team can launch an attack. Who will the PenTesting team expect to make these decisions? a) Primary contact b) Technical contact c) Emergency contact d) IT manager

a) Primary contact #The primary contact is the party responsible for handling the project on the client's end and is responsible for the major decisions surrounding the penetration test. #The technical contact is the party responsible for handling the technology elements of the activity as they have a more in-depth knowledge of the technical aspects of the system. #The emergency contact is the party that the PenTesters will contact in case of particularly urgent matters and should be available 24/7 or at least during the hours of active testing. #The IT manager is typically the person the designated lead of the PenTesting team should have close communication with and the two lead roles must both be hands-on.

A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers? a) Reddit b) Github c) Bitbucket d) CloudForge

a) Reddit #Reddit is less likely to contain code from developers, though it is possible it could exist there. The other three options are specifically geared towards shared code repositories. #GitHub enables teams to work together regardless of their location, is free to basic users, and has reasonable costs for teams and enterprise users. #Bitbucket allows inline comments and a secured workflow, and is free to small teams and fee-based for larger groups. #CloudForge offers bug and issue tracking, discussion forums, and document management. You can get a free trial for 30 days, after which there is a nominal fee.

What are some actions a PenTesting company may need to perform for an organization as a follow-up? (Select all that apply.) a) Research vulnerabilities b) Schedule tests c) Work with the security team d) Clean up the environment

a) Research vulnerabilities b) Schedule tests c) Work with the security team #As a follow-up activity, the PenTesting company may need to research and test new vulnerabilities that the team discovered during the test or for which the team could not recommend a mitigation tactic. #The PenTesting company may need to schedule additional tests with the client organization as a follow-up activity to reporting. #The organization's security team will implement the PenTesting company's recommended mitigations, and the PenTesting company may need to support that as a follow-up activity to reporting. NOTE: Cleaning up the environment is part of the post-engagement cleanup to ensure that there are no artifacts left over that an attacker could exploit; it is not a follow-up activity.

A PenTesting team completed a penetration test and submitted their report to the organization. What will the team's next steps be? (Select all that apply.) a) Restore original log files b) Restore original files c) Make backups d) Document exploits

a) Restore original log files b) Restore original files #Restoring any original log files is an activity the PenTesting team would perform after completing testing and submitting their report. #After the PenTesting team completes testing and submits their report, they will restore any original files that the team modified or otherwise compromised. #After completing testing and submitting their report, the PenTesting team would not make backups; instead, they would restore a clean backup copy of any applications that the team compromised. #The PenTesting team documented all exploits and submitted them in the report, so this is not an activity the team would need to repeat until they perform new testing.

A security professional is looking for interesting targets on a public-facing web server. When the professional reviews server files, what areas should not be crawled/searched? a) Robots b) Subject alternative name c) Revocation list d) Secret

a) Robots #The robots.txt file is a simple yet essential file that tells the bots where to search and, more importantly, where NOT to search. #One of the more useful fields in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). #The Certificate Revocation List (CRL) is a list of certificates that in some way have been deemed invalid. Although the CRL is effective, most online services have moved to the newer OCSP to check the validity of the certificate. #Secret.txt is not a common file, but the steganography example uses secret.txt as an example.

A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this? a) SOCKS b) masscan c) Ostinato d) Snow

a) SOCKS #Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS). #masscan is not a tool meant for inside networks. It is extremely noisy and was designed for scanning the internet rapidly. This could actually take down a network if not careful. #Ostinato uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3 which allows users to craft their own packets.

A PenTester wants to test how easy it is to obtain passwords with physical access to an organization's offices. What methods can the PenTester use? (Select all that apply.) a) Shoulder surfing b) Fake login websites c) Meterpreter d) Hardware-based USB keyloggers

a) Shoulder surfing d) Hardware-based USB keyloggers

A military unit has adopted sending communications hidden in the white space of text files as a standard operating procedure. Which of the following tools uses white space to conceal data payloads? a) Snow b) Steghide c) OpenStego d) Yersinia

a) Snow #White space is the hint. #Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text file that uses the ASCII format. #OpenStego is similar to most other tools in that you embed a message in a carrier file. To get started, you'll need to make sure that you have the Java Runtime Environment (JRE) installed. #Yersinia uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3, which allows users to craft their own packets.

An administrator is implementing multifactor authentication in an organization which will involve using at least two authentication types. Assuming one authentication type used by the organization is a password, which of the following would be a valid secondary authentication type to implement multifactor authentication? (Select all that apply.) a) Something you have b) Something you are c) Something you do d) Something you know

a) Something you have b) Something you are c) Something you do

A security consultant needs to gain information about executives during a penetration test. One method they want to attempt is by cloning Bluetooth devices of the executive personnel. Which of the following tools could they use to perform this? a) Spooftooph b) Airodump-ng c) Wifite2 d) Prowler

a) Spooftooph #One tool that can either spoof or clone a Bluetooth device is Spooftooph. Keep in mind, before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges.

An organization wants to implement video surveillance in all of its buildings but is concerned that threat actors may access the video feeds. Which of the following will NOT help the organization mitigate this threat? a) Segregate the network b) Patch the systems c) Use Wi-Fi d) Use physical controls

c) Use Wi-Fi #Wi-Fi attacks can disconnect the cameras from the network, causing loss of the video feed, so organizations should use wired connections rather than Wi-Fi.

An employee just started a new job and learns that the company uses a COBO policy for mobile devices. What does this mean? a) The company will issue the employee a mobile device that the employee can only use for company business. b) The company will allow the employee to bring their own device. c) The company will issue the employee a device that the employee can use for both company and personal business. d) The company will issue the employee a device that the employee can select from a curated list of devices.

a) The company will issue the employee a mobile device that the employee can only use for company business. #Corporate-owned, business only (COBO) means that the company will issue the employee a mobile device that the employee can only use for company business. #The company will allow the employee to bring their own device in the bring your own device (BYOD) deployment model. #The company will issue the employee a device that the employee can use for both company and personal business in the corporate-owned, personally enabled (COPE) deployment model. #The company will issue the employee a device that the employee can select from a curated list of devices in the choose your own device (CYOD) deployment model.

An organization hired a PenTesting company to launch a social engineering attack. Who will the organization most likely inform of the attack prior to the launch? (Select all that apply.) a) The organization's Chief Information Officer b) The organization's IT manager c) The organization's department managers d) The organization's employees

a) The organization's Chief Information Officer b) The organization's IT manager c) The organization's department managers #The organization should make sure the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) and IT managers are aware of the attack before it is launched. #The organization should make sure the department managers are aware of the attack before the PenTesting company launches it in case unforeseen incidents affect their departments. NOTE: The organization will most likely not inform the employees of the attack before the PenTesting company launches it if they want to check on the effectiveness of using social engineering tactics to penetrate a network.

A PenTester created an account in an organization's financial accounting system for testing, but the finance system does not provide a method to delete the account. Where will the PenTester need to remove this account when cleaning up after an exploit? a) User database b) AD c) Local machine d) DC

a) User database #Systems that place a strong emphasis on an audit trail or a change history might not provide a delete account feature. In this case, the PenTester may need to remove the accounts from the user database. #Since the PenTester created the account in the finance system, the account would not be an Active Directory (AD) domain account so the PenTester could not delete it there. #Since the PenTester created the account in the finance system, the account would not be on the local system so the PenTester could not delete it there. #Since the PenTester created the account in the finance system, the account would not be on the Active Directory (AD) domain controller (DC).

The results of a penetration test produced a large number of possible issues. What can a PenTesting team do to help identify false positives? (Select all that apply.) a) Validate results b) Rely on knowledge of the system c) Ignore common false positives d) Research every result

a) Validate results b) Rely on knowledge of the system #The PenTesting team can validate results by comparing what they've learned about the target environment to individual scan results to identify whether or not the results are truly applicable and accurate. #The PenTesting team can rely on their knowledge of the system and understanding of the target environment if that knowledge is complete. #The PenTesting team should not ignore common false positives, because they may be relevant positives depending on the environment tested. #The PenTesting team should not research every result, but must be able to identify when results indicate a false lead on a vulnerability to avoid wasting time chasing a lead that takes them to a dead end.

A security professional is performing an assessment against web servers and is currently in the reconnaissance phase. They are performing initial service enumeration by attempting to open a session with a service and getting the service to identify itself. Which of the following tools are suited for this? (Select all that apply.) a) netcat b) SET c) wget d) Shodan

a) netcat c) wget #Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request to elicit the web server type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server. #Wget can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server.

A security tester wants to disable monitor mode on a wireless interface. Which tool should they use? a) Aireplay-ng b) Airmon-ng c) Airodump-ng d) Pacu

b) Airmon-ng #Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. #Aireplay-ng injects frames to perform an attack to obtain the authentication credentials for an access point, which is usually performed using a deauthentication attack. #Airodump-ng provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of the access point along with the MAC address of a victim client device. #Pacu is designed as an exploitation framework to assess the security configuration of an AWS account. It includes several modules to attempt exploits such as obtaining API keys or gaining control of a VM instance.

A PenTesting company is in the follow-up phase of a client engagement. Which follow-up action is the most significant component of gaining client acceptance? a) Client acceptance b) Attestation of findings c) Retest d) Lessons learned

b) Attestation of findings #Attestation of findings is the most significant component of gaining client acceptance, as the client must believe that what the PenTesters have said about their people, processes, and technology is accurate.

A security professional is testing the Wi-Fi with MDK4 and wants to create the appearance of many wireless networks. Which of the following modes should they use? a) A b) B c) D d) W

b) B #Mode B creates the appearance of many wireless networks. MDK4 is a powerful Linux-based tool that features a wide range of attacks. #Mode A (authentication DoS) will send multiple authentication frames to every WAP in range with the intent of overwhelming the AP. #Mode D will send a deauth to disconnect and disassociate all clients from an AP. MDK4 supports 2.4 to 5 GHz and has nine attack modules. #Mode W will provoke an Intrusion Detection and Prevention System confusion attack. When testing with this tool, use caution, as some of the attack modules can have a serious negative effect on the network.

A security professional wants to use SET for a targeted attack towards personnel. Which of the following can SET NOT do? a) Spear phishing b) Badge cloning c) Website attacks d) Wireless attacks

b) Badge cloning #Badge cloning is not currently a capability of The Social Engineering Toolkit (SET), but it does allow for third-party modules. #Spear phishing is the first option under social engineering attacks. You can download SET and install it on a Linux, Unix, or Windows machine, or use it within Kali Linux. #Website attack vectors are the second option under social engineering attacks. SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. #Wireless attacks are the seventh option under social engineering attacks.

According to the OWASP Top 10, which of the following are among the most relevant critical security risks to web applications? (Select all that apply.) a) Secure deserialization b) Broken authentication c) Sufficient logging and monitoring d) Cross-site scripting

b) Broken authentication d) Cross-site scripting #Broken authentication is in the OWASP Top 10 as one of the most relevant critical security risks to web applications, and OWASP covers it in A2:2017-Broken Authentication. #Cross-site scripting (XSS) is in the OWASP Top 10 as one of the most relevant critical security risks to web applications, and OWASP covers it in A7:2017-Cross-Site Scripting (XSS). #Secure deserialization is not in the OWASP Top 10, but OWASP does cover insecure deserialization in A8:2017-Insecure Deserialization. #Sufficient logging and monitoring is not in the OWASP Top 10, but OWASP does cover insufficient logging and monitoring in A10:2017-Insufficient Logging & Monitoring.

A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into? a) MetaSploit Pro b) Cobalt Strike c) Responder d) Ostinato

b) Cobalt Strike #Cobalt Strike is a commercial version of Armitage with advanced features and reporting. Armitage itself is an intuitive GUI for the Metasploit framework. #Metasploit Pro is a full-featured graphical version that includes Quick Start wizards, easy vulnerability scanning and validation, phishing campaigns, and reporting.

A PenTester needs to have continuous persistent access to a Linux system. What method can the PenTester use to accomplish this? a) Cron b) Daemon c) Service d) Registry

b) Daemon #The PenTester can use a daemon, which is always active and available for use; a daemon can also cache its state and sustain long sessions. #A cron job has the limitation of a maximum frequency of one minute, so it will not provide the PenTester with continuous persistent access to a Linux system. #In the Windows world, a service is any program that runs in the background without directly interfering with the current user's desktop session.

A PenTester is reverse engineering code by translating low-level machine code into higher level assembly language code so that the PenTester can read it and understand how the application is functioning. What type of reverse engineering process is this? a) Decompilation b) Disassembly c) Debugging d) Static code analysis

b) Disassembly #This is disassembly, which is the reverse engineering process of translating low-level machine code into higher-level assembly language code that is human-readable and can include familiar programming elements. #Decompilation is the reverse engineering process of translating an executable into high-level source code to help determine whether the application's logic will produce unintended results. #Debugging is the process of manipulating a program's running state in order to analyze it for general bugs, vulnerabilities, and other issues. #Static code analysis is the process of reviewing uncompiled source code, either manually or using automated tools, to correct errors.

A PenTesting team is using a tool that allows everyone on the team to share data and findings, including details about the information gathering phase, useful exploits, and report findings. What tool is the PenTesting team using? a) Nessus b) Dradis c) PTES d) SOW

b) Dradis #The PenTesting team is using Dradis which reduces repetition and increases reach by allowing team members to share data and findings about their client organization. #PTES (Penetration Testing Execution Standard) is a standard way for PenTesting teams to report their findings to client organizations.

An administrator is installing patches and updates, disabling unused ports, and uninstalling software that the organization doesn't use anymore. What is the administrator engaged in? a) Sanitization b) Hardening c) Escaping d) Process-level remediation

b) Hardening #The administrator is engaged in system hardening which is the process of securing a device or application, usually to match the standards of the current system or network. #Sanitization is the process of stripping user-supplied input of unwanted or untrusted data so that the application can safely process that input. #Escaping, also referred to as encoding, substitutes special characters in HTML markup with representations that the industry refers to as entities. #Process-level remediation is the concept of resolving a finding by changing how the system uses it or implements it, therefore changing it at the process level.

During a penetration testing engagement, one of the team members presents a fictitious situation as real. What is this tactic called? a) Elicitation b) Hoax c) Pretexting d) Phishing

b) Hoax #A hoax is another element of social engineering in which the attacker presents a fictitious situation as real. A hoax could be a link that leads to malicious code. #Elicitation is acquiring data from the target in order to launch an attack. This is different from information gathered about the target. #One social engineering tactic is to use pretexting, whereby the team will communicate, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood. #Phishing is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source.

A digital forensics expert works for a large corporation and doesn't have enough time to manually analyze all the employee-returned mobile devices before administrators issue them to new employees. What tool can the forensics expert use to automate the evaluation of code and malware analysis on mobile devices? a) MSTG b) MobSF c) OWASP d) Kali

b) MobSF #The Mobile Security Framework (MobSF) can provide an automated evaluation of code and malware analysis using both static analysis and dynamic analysis. #The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency.

An organization is using a testing framework to provide oversight and minimize risk with mobile devices. Which of the following are common elements of the testing framework when used on mobile devices? (Select all that apply.) a) COBO Approval b) Mobile Device Assessment c) Secure App Development d) Mobile App Testing

b) Mobile Device Assessment c) Secure App Development d) Mobile App Testing #A common element of the testing framework is mobile device assessment which provides an overview of compliance and business logic issues. #A common element of the testing framework is secure app development which creates organization-specific apps that are in line with organizational policy. #A common element of the testing framework is mobile app testing which includes Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

Which of the following are types of logical vulnerabilities a PenTester may identify in a Penetration Testing Execution Standard (PTES) report? (Select all that apply.) a) Scanner found vulnerabilities b) NON-OSI vulnerabilities c) Overall exposure d) Type of vulnerability

b) NON-OSI vulnerabilities d) Type of vulnerability #NON-OSI vulnerabilities are a type of logical vulnerability that a PenTester may identify when creating a report based on the Penetration Testing Execution Standard (PTES). #The vulnerability type is a logical vulnerability. When creating a report based on the Penetration Testing Execution Standard (PTES), a PenTester would include the type of vulnerability.

A penetration tester wants to test exfiltrating data via encrypted mechanisms. What could they use to accomplish this? a) Netcat b) Ncat c) Coagula d) Yersinia

b) Ncat #Ncat is an interactive CLI tool written for the Nmap Project. Ncat is used to read and write raw data over a network and includes support for proxy connections along with IPv6 and SSL communications. NOTE: it ships with Nmap and can be installed on Windows, Linux, and macOS. #Netcat is a command-line utility used to read from or write to a TCP or UDP network connection.

A PenTester is using a tool that allows the PenTester to pivot from one host to another, exfiltrating files from each target to the PenTester's own host. What tool is the PenTester most likely using? a) Registry b) Netcat c) RAT d) Cron job

b) Netcat #The PenTester is using Netcat, which allows the PenTester to pivot from one host to another, exfiltrating files from each target to the PenTester's own host. #A PenTester can use Registry keys in Windows to get a particular program or command to start upon booting Windows. #A RAT is a remote access tool (or remote access trojan) that a PenTester can use to create a backdoor; victims primarily download them through Trojan horse malware. #A cron job is a scheduled task that the Linux cron daemon manages, and the PenTester could use it to execute a Netcat reverse shell command on a Linux target every so often.

A security professional is trying to evaluate a website for web-specific vulnerabilities. Which of the following is the tool most suited towards this objective? a) OpenVAS b) Nikto c) SQLmap d) Censys

b) Nikto #Nikto is an open-source web server scanner that can complete comprehensive testing on web servers for a variety of vulnerabilities, such as a missing anti-clickjacking X-Frame-Options header, and dangerous files and CGIs.

A PenTest technician sanitizes systems from a completed engagement. When overwriting data on disks, which statements are true regarding SSD drives? (Select all that apply.) a) Overwriting an SSD is more reliable than with an HDD b) Overwriting an HDD is more reliable than with an SSD c) An SSD uses a write algorithm to reduce wear d) An HDD uses a write algorithm to reduce wear

b) Overwriting an HDD is more reliable than with an SSD c) An SSD uses a write algorithm to reduce wear #Overwriting data on an HDD is more reliable than with an SSD. With an HDD, the target location is overwritten while on an SSD the data might be written elsewhere. Trying to write data onto the same location on an SSD may not always work, due to the nature of SSD write algorithms optimized to reduce wear. When trying to overwrite data, repeated attempts to write on the same SSD location might end up writing to a different location. While an HDD uses a technique to write data to available space on a disk, it does not use an algorithm like an SSD to reduce wear.

An attacker has sent an email where the victim navigates to a malicious web page that has been set up to look official. What is this called? a) Phishing b) Pharming c) Baiting d) Malvertising

b) Pharming #Pharming is when an attacker entices the victim into navigating to a malicious web page that has been set up to look official. #While this would fall under the phishing category, it more specifically falls under pharming. Phishing is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source. #Baiting is where an attacker will leave bait, such as an infected physical media, in an area where a victim can find the device. #Spam can include malvertising, which is an email that looks like a normal ad, but instead includes malicious code.

An attacker is attempting to access a WPS device at a site in order to gain entry to a larger corporate network. Which of the following could they do? (Select all that apply.) a) HTTP flood b) Physical c) Side channel d) Brute force

b) Physical d) Brute force #"At a site" means the attacker is close to the device. #A physical attack takes advantage of the "push to connect" feature found on many routers. When launching this attack, the malicious actor will need to be physically close to the device. #In addition to a physical attack, a malicious actor can gain access to the network by determining the PIN of the WPS device, using an online or offline brute force attack. #In a side-channel attack, the exploit is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model.

An organization is following the recommendations on a PenTesting report by issuing all employees an RFID access card that each employee must use to proceed through the mantrap. What kind of control is this? a) Biometric Control b) Physical Access Control c) Video Surveillance Control d) Role-based Access Control

b) Physical Access Control #This is a physical access control (PAC) measure in the form of an access control vestibule which is the area in which the organization manages the ingress of people according to their permission to enter the building itself or different areas of it. #Biometric controls are enhanced forms of access control that rely on particular body features, such as the fingerprint or iris. Video surveillance involves monitoring through the use of cameras. A particular consideration for security is the use of networked surveillance for remote feed access. #Role-Based Access Control is the security approach to restricting the availability of a technological resource to authorized users only.

A team of software engineers needs to build a set of APIs (application programming interfaces) between a customer relationship management system and a new web-based application that allows customer service representatives to create work orders and automatically populate the customer information. What is the best tool for the engineers to use to build and test the APIs? a) MSTG b) Postman c) APK Studio d) APKX

b) Postman #Postman is a tool that provides an interactive and automatic environment that allows teams to build, interact with, analyze, report on, and test HTTP APIs. #The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency. #APK Studio is an integrated development environment (IDE) designed so you can decompile and/or edit an APK file. #The APKX tool is an Android APK file decompiler that allows you to pull and analyze the Java source code to see what's going on inside.

An organization is using mobile device management (MDM) to ensure that its mobile infrastructure is secure. What are some common features of mobile device management solutions? (Select all that apply.) a) Fingerprint login b) Profiles c) Remote lock d) Encrypted containers

b) Profiles c) Remote lock d) Encrypted containers #Common features of mobile device management solutions are configuring devices with specific profiles according to access control policies, enabling devices to use remote access technologies including remote lock and wipe capabilities, and constructing an encrypted container on devices in which to keep sensitive organization data. NOTE: Implementing a fingerprint login is not a common feature of mobile device management solutions, although enforcing a security policy layer on applications is a common feature of mobile device management.

A PenTesting company is researching vulnerabilities for which the team could not recommend a mitigation tactic. Which phase of follow-up actions is the organization in? a) Client acceptance b) Retest c) Attestation of findings d) Lessons learned

b) Retest #The organization is in the retest phase. During this time the focus should be on researching vulnerabilities for which the team could not recommend a mitigation tactic.

A PenTester is creating variants and combinations of word lists in an attempt to crack a user's password. What type of attack is this? a) Password spraying b) Rule attack c) Mask attack d) Dictionary attack

b) Rule attack #The PenTester is using a rule attack which can make use of word lists to create variants and combinations and can then try trimming or expanding words or substituting numbers or special characters for letters. #Password spraying is the concept of controlled brute-forcing by testing several accounts with common or targeted passwords. #In a mask attack the cracking tool can try specific combinations of characters using placeholders (i.e., ?a?a?d?d?d?d). #A dictionary attack is the most straightforward type of automated password attack. A password cracking tool goes through a list of words until it either finds the password or exhausts the list.

A PenTester is writing a script to shred data on drives by overwriting the storage with new data several times. Which of the following statements are true when it comes to shredding data on drives? (Select all that apply.) a) Shredding data on HDDs is slower because the write algorithm reduces wear b) Shredding data on HDDs is faster because the write process is more reliable c) Shredding data on SSDs is slower because the write algorithm reduces wear d) Shredding data on SSDs is faster because the write process is more reliable

b) Shredding data on HDDs is faster because the write process is more reliable c) Shredding data on SSDs is slower because the write algorithm reduces wear #When PenTesters shred data on HDDs (Hard Disk Drives) it is faster and more reliable because the process of writing to a hard drive is reliable. #When PenTesters shred data on SSDs (Solid State Drives) it is slower and less reliable because SSD write algorithms may write to different locations to reduce wear.

A penetration tester wants to try keeping multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. They want to employ this method on a test server to see how much they will be able to handle before needing to scale outwards. What type of attack should they use to test this? a) HTTP flood b) Slowloris c) DNS amplification d) Prowler

b) Slowloris #A slowloris attack keeps multiple fake web connections open for as long as possible until the maximum number of allowed connections is reached. #An HTTP flood uses seemingly legitimate HTTP GET or POST requests to attack a web server. It does not require spoofing or malformed packets but can consume a high number of resources with a single request. #Prowler is an audit tool for use with Amazon Web Services only. It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks.

A PenTester is preparing to target a database but cannot find any code on the Internet to exploit it. What are some reasons why this would happen? (Select all that apply.) a) The Internet does not host exploit code. b) The administrator patched the database. c) It is not a common database type. d) It is a proprietary database.

b) The administrator patched the database. c) It is not a common database type. d) It is a proprietary database. #The penetration tester may find exploitation code difficult to locate because the administrator recently patched the database, and it is no longer vulnerable to known exploits. #The penetration tester may find exploitation code difficult to locate because it is not a common database type, therefore, there are no publicly available exploits for it. #The tester may find exploitation code difficult to locate because it is a proprietary database that the organization developed in-house so there are no exploit scripts freely available on the Internet for it. NOTE: Exploitation codes exist and are publicly available on the Internet or via other sources so it is highly likely a PenTester will be able to find exploit codes to use during a penetration test.

A PenTester is using Python to write a script in preparation for a PenTest. What can the PenTester do to complete the script quickly as well as take advantage of work that others have already completed? (Select all that apply.) a) Write each line of code from scratch b) Use classes c) Use modules d) Use pre-built libraries

b) Use classes c) Use modules d) Use pre-built libraries #The PenTester can use classes which are user-defined prototypes or templates from which PenTesters can create objects and they allow the PenTester to bundle data and functionality together. #The PenTester can use modules which are a way for the PenTester to code re-usable functions, variables, and classes that the tester can import into scripts. #The PenTester can use pre-built libraries. Importing and using existing modules in libraries can save the PenTester a lot of time because the tester is re-using modules that others have already created.

A PenTester is creating a vulnerability report based on the PTES. What information will the PenTester likely include in the report? (Select all that apply.) a) Tools used for PenTesting b) Vulnerability classification levels c) Technical vulnerabilities d) Summary of results

b) Vulnerability classification levels c) Technical vulnerabilities d) Summary of results #Vulnerability classification levels would be in a vulnerability report based on the Penetration Testing Execution Standard (PTES). #In a vulnerability report based on the Penetration Testing Execution Standard (PTES), the PenTester will likely include the technical vulnerabilities identified, such as OSI layer vulnerabilities and overall exposure. #A PenTester will include a summary of results for the client in a vulnerability report based on the Penetration Testing Execution Standard (PTES). #The PenTest team probably would not include the tools used for testing in a vulnerability report based on the Penetration Testing Execution Standard (PTES).

A security consultant is attempting to see users and potential passwords by using the following URL: http://comptia.com/resources/../../../../etc/passwd but receives a dropped packet. What is most likely preventing this? a) Router b) WAF c) Load balancer d) ACL

b) WAF #A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks. #Routers act as control points for communications between network segments. A router is NOT preventing this activity. #A load balancer is used to stabilize network traffic across two or more servers. Balancing the load prevents any one server from getting too many requests. #An access control list (ACL) is essentially a list that tells devices the corresponding access rights that users have to various objects, such as file directories, or permissions to access network resources.

.NET is a cross-platform open-source software development framework. What operating system will the current version of .NET operate on? (Select all that apply.) a) Android b) Windows c) Linux d) macOS

b) Windows c) Linux d) macOS #The current version of .NET continues to run on Windows just as the old version of .NET did. It also continues to provide the basic functionality of the original .NET Framework. #The original .NET framework operated on Windows, but the current .NET will also operate on Linux. #.NET will run on macOS version 10.3 and higher and is made up of the runtime and the Software Development Kit. The .NET framework will not run on the Android operating system.

A penetration tester has landed a shell on a Linux box and wants to find out more about the users' login and idle time. Which built-in bash command should they use? a) cat /etc/passwd b) finger c) uname -a d) env

b) finger #The finger command views a user's home directory along with login and idle time. You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. #The cat /etc/passwd command lists all users on the system. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts against the target. #The uname -a command displays the OS name, version, and other details. If a Linux machine is compromised using Metasploit, the post/linux/enum_system module can be used to get information about the system. #The env command outputs a list of all the environmental variables.

A PenTester wants to use pre-existing libraries in a script. Which of the following will allow the PenTester to do that? a) def b) import c) my_str= d) $my_str =

b) import #import declares a pre-existing library that the script can use. If it is an external library module, the PenTester will need to download and install it before it can be imported. #def defines a function in Python. Functions, or procedures, produce modular, reusable code by grouping a block of code under a name that can call the function whenever needed. #my_str= is a Bash command used to assign a variable. The lack of whitespace around the equals sign is a strict rule in Bash. PowerShell, Python, and Ruby allow whitespace. #$my_str = is a PowerShell command used to assign a variable. PowerShell requires the dollar sign for a variable assignment.

A security researcher wants to scan documents against a website for only pdf documents. What metagoofil parameter could they use? a) metagoofil -d b) metagoofil -t c) metagoofil -l d) metagoofil -n

b) metagoofil -t #metagoofil -t pdf scans for pdf documents. Metagoofil scrapes the metadata, and then displays the information using Hypertext Markup Language (HTML). #metagoofil -d comptia.org scans for documents on comptia.org. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir. #metagoofil -l 75 searches for 75 documents. The output can then be viewed in a standard browser. Another valuable tool is FOCA, which can discover metadata from a variety of sources. #metagoofil -n 25 downloads 25 files. You can download a copy of Metagoofil from GitHub. In addition, the tool is built into Kali Linux. NOTE: Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML).

A PenTester assigned variables in a script and, in testing, discovered that the variables were not working because the PenTester used whitespaces around the equal signs in the variable assignments. What scripting environment is the PenTester using? a) PowerShell b) Python c) Bash d) Ruby

c) Bash #The PenTester is using Bash as the scripting environment, as Bash has a strict rule against using whitespace around the equals sign when the coder is assigning variables. NOTE: The PenTester is not using any of the other scripting environments (PowerShell, Python, and Ruby), because using whitespace around the equals sign in variable assignments is allowed in all of those scripting environments.

A mobile user was in the food court of a shopping mall when suddenly a video advertising a new store opening was downloaded to their device. What kind of attack was the mobile user subjected to? a) Rootkit b) Bluesnarfing c) Bluejacking d) Worm

c) Bluejacking #Know the difference between bluejacking and bluesnarfing. #The mobile user was the victim of a bluejacking attack which attackers use to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection. #Rootkits provide a backdoor for illegal access to a host. Software developers often create backdoors to allow access for correcting code, but developers should remove them before the software is released. #Bluesnarfing is an aggressive attack that allows a malicious actor to read information from a victim's Bluetooth device. The end goal is to glean sensitive data from the victim.

A PenTesting team launched an attack against a system without using a rate limit, making the system nearly unusable. What can the team do to mitigate this issue? a) Consult legal counsel b) Deconflict c) De-escalate d) Goal reprioritization

c) De-escalate #The PenTesting team can de-escalate to mitigate this issue. The team would work together to scale back on their efforts to de-escalate the effects of the test. #The team will consult with legal counsel in cases where the PenTesting team uncovered criminal conduct, in which case the law might require them to notify law enforcement. #Deconflicting is the process of providing situational awareness to key client personnel to resolve issues in order to resume the penetration test. #Goal reprioritization is the catalyst for possible adjustments to the engagement. The need for contingency planning for the PenTest engagement itself enables the reprioritization of goals.

A PenTester is writing a script and includes several blocks of code that the PenTester can use in multiple places in the script simply by calling the blocks of code by name. What kind of scripting component is the PenTester using? a) Tree b) Class c) Function d) Module

c) Function #The PenTester is using functions, or procedures, which produce modular, reusable code and allow the PenTester to group a block of code under a name and call this named function whenever needed. #Trees appear inverted in data representation, where the root is at the top and the branches go down, with a leaf object at the end of a branch. #A class is a user-defined prototype or template, which can hold its own functions and creates objects. Classes allow PenTesters to bundle data and functionality together. #Modules are a way to code re-usable functions, variables, and classes that PenTesters can import into multiple scripts.

A PenTester is running a scan and wants to save the results in a file that the PenTester will be able to perform searches on and filter results later. What type of file format will the PenTester use? a) Regular expressions (regex) b) Nmap c) Greppable d) GitHub

c) Greppable #The PenTester will save the scan results to a greppable file; grep is a Linux command for searching and filtering input. The PenTester can use this as a file search tool when combined with ls. #Regular expressions are a group of characters that describe how to execute a specific search pattern on a given text. #Nmap is a network discovery and security auditing tool that performs reverse-DNS resolution against every host that is online by default. #GitHub is a repository hosting service where a PenTester can store and share scripts through a command-line tool or a graphical user interface.

A PenTester has completed testing on a Windows system and is cleaning up. Where will the PenTester go to remove any keys or scheduled tasks? (Select all that apply.) a) /etc/init.d/ b) crontab c) HKLM d) HKCU

c) HKLM d) HKCU #When cleaning up a Windows system, the PenTester must make sure they remove any values they added to the HKLM (HKEY_LOCAL_MACHINE) Run Registry keys that start a shell on a Windows system during boot. #When cleaning up a Windows system, the PenTester must make sure they remove any values they added to the HKCU (HKEY_CURRENT_USER) Run Registry keys that start a shell on a Windows system during boot. #On Linux, depending on the distribution, scripts in /etc/init.d/ and /etc/systemd/ are examples of shell run-on-boot functionality. #PenTesters would use a crontab file to schedule tasks on a Linux system and Windows Task Scheduler to schedule tasks on a Windows system.

An organization is following the recommendations in a PenTesting report and is moving people to different jobs within the organization in the afternoons. What operational control does this represent? a) Time of day restrictions b) Mandatory vacations c) Job rotation d) User training

c) Job rotation #This represents job rotation which is the practice of cycling employees through different assigned roles and helps with improving the understanding that staff has in the overall business. #Time of day restrictions are types of security controls that rely on normal operating hours for users and limit the access they have when the users don't usually need it.

A penetration testing team is planning an attack on an organization's IoT devices and discovers that many of the devices are using an unencrypted protocol to communicate with each other, which makes them susceptible to sniffing, modifying data, and becoming zombies. What protocol are the IoT devices using? a) SET b) UDP c) MQTT d) DTLS

c) MQTT #The devices are using the Message Queuing Telemetry Transport (MQTT) protocol which carries messages between devices, but the protocol does not encrypt the data which makes it vulnerable to attacks. #The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest. #CoAP uses the User Datagram Protocol (UDP) as a transport layer protocol but has no method to provide security for group communication. #Datagram Transport Layer Security (DTLS) can use the Constrained Application Protocol (CoAP) to improve security, but there isn't any method to provide security for group communication.

A systems administrator for a small company is tasked with performing a vulnerability scan inside their network. They are not given a budget but instead are asked to find open-source tools. Which of the following could they use? a) theHarvester b) Metagoofil c) OpenVAS d) Scapy

c) OpenVAS #A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. #theHarvester gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners. #Scapy is a tool to craft and send a malformed packet to your target.

A PenTester caused Windows to dump information from RAM that was not in cleartext but was able to use the information to log on to a target. What kind of attack did the PenTester launch? a) Lateral movement b) Upgrade of a restrictive shell c) Pass the hash d) Privilege escalation

c) Pass the hash #The PenTester launched a pass the hash attack in which the PenTester induced a password hash dump from RAM and then logged in to a target with the username and password hash. #Lateral movement is the process of moving from one part of a computing environment to another so the PenTester can spread the attack out to compromise additional resources. #Upgrading a restrictive shell happens when the PenTester obtains access to a confined shell and applies a workaround to upgrade shell access. #Privilege escalation increases the access to a system either vertically, to obtain access to an account of higher privileges, or horizontally, to obtain access to a regular user account of different privilege.

A PenTester is cleaning up after a penetration test. What must the PenTester do to remove a Meterpreter payload from a target system? a) Delete the file b) Shred the file c) Reboot the system d) Manually uninstall

c) Reboot the system #Because Metasploit files reside in memory, the PenTester would only need to reboot the target system in order to automatically remove it. #A PenTester does not need to delete Metasploit payload files because they reside in memory, although for exploit files that do not reside in memory a superficial deletion of the file may not be enough to rid the system of it. #Shredding Metasploit payloads is irrelevant because these files reside in memory, so a simple reboot is all that the system needs to remove them. #Metasploit payloads reside in memory so the PenTester would not need to delete them, but the PenTester may need to manually uninstall other exploit tools.

A digital forensics expert needs to analyze an infected mobile device. What approach can the expert use to do this? (Select all that apply.) a) SMiShing b) Biometric integration c) Reverse engineering d) Sandbox analysis

c) Reverse engineering d) Sandbox analysis #The forensics expert can use reverse engineering to step through the code to see what happens when the code runs on a device. #The forensics expert can use sandbox analysis, which uses virtualization to provide a safe environment in which to analyze the malware. #Biometric integration is a system that employs a biometric, such as a fingerprint or facial recognition, when authenticating into a system and is not a forensic analysis tool.

A security tester is looking at vulnerabilities regarding shared accounts. Which of the following environments are shared accounts more likely to be found? a) SaaS b) IaaS c) SOHO d) CDN

c) SOHO #A shared account can be used in a small office home office (SOHO) environment, as many SOHO networking devices do not allow you to create multiple accounts. #Software as a Service (SaaS) is not as likely to have a shared account as a SOHO environment. Cloud identity and account types are personnel, endpoints, servers, software, or roles. #Infrastructure as a Service (IaaS) is not as likely to have a shared account as a SOHO environment. Cloud identity and account types are personnel, endpoints, servers, software, or roles. #Data in cloud storage can be used to serve static web content, such as HTML pages, images, and videos. The content is published from the container to a content delivery network (CDN).

A threat actor has accessed a web server and is compromising the trust from the server to reach back-end resources. What type of attack is this? a) Session hijacking b) XSRF/CSRF c) SSRF d) PrivEsc

c) SSRF #In a server-side request forgery (SSRF) attack, an attacker takes advantage of the trust established between the server and the resources it can access, including itself. #In a cross-site request forgery (XSRF/CSRF) attack, an attacker takes advantage of the trust established between an authorized user of a website and the website itself. #Privilege escalation (or simply PrivEsc) describes obtaining a higher privilege than the one the user currently has, to enable resources that the regular user does not have permission for.

The Social Engineering Toolkit is being employed for a targeted attack against personnel. Which of the following can SET NOT do? a) Mass mail attacks b) Infectious media c) Scaling d) PowerShell attacks

c) Scaling #Scaling is a physical security attack that applies to perimeter security such as natural barriers or fences, to deter someone from simply entering the property. #Mass mail attacks are the fifth option under social engineering attacks. You can download SET and install it on a Linux, Unix, and Windows machine or use it within Kali Linux. #Infectious media generator is the third option under social engineering attacks. SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. #PowerShell attacks are the ninth option under social engineering attacks.

A penetration tester needs to craft a custom packet in order to bypass an Intrusion Prevention System (IPS). What tools could they use to craft custom packets? (Select all that apply.) a) OpenVAS b) Metagoofil c) Scapy d) Hping3

c) Scapy d) Hping3 #Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted will be dependent on security products and rules. #Hping3 is also a tool to craft and send a malformed packet to your target. For example, the Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict interpretation of RFC 793.

A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets? a) TXT b) NS c) SRV d) MX

c) SRV #A Service (SRV) record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM). #A Text (TXT) record provides information about a resource such as a server or network in human-readable form. #A Nameserver (NS) record lists the authoritative DNS server for a particular domain. A standard DNS query will use DNS servers to identify the Internet Protocol (IP) address behind a particular domain or resource name. #A Mail Exchange (MX) record provides the mail server that accepts email messages for a particular domain.

A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to? a) Malware injection b) Direct-to-origin c) Side-channel d) DNS Poisoning

c) Side-channel #A side-channel attack is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model. #In a malware injection attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and Cross-Site Scripting (XSS). #In direct-to-origin attacks (D2O), malicious actors circumvent proxy protections by identifying the origin network or IP address and then launching a direct attack.

A Linux systems administrator is concerned about data exfiltration from one of their DMZ servers. What common service should they disable on these DMZ servers for externally facing assets? a) RDP b) SSH c) Telnet d) SFTP

c) Telnet #Telnet is a cleartext protocol, not an encrypted protocol. This should be disabled regardless and not used in the enterprise unless absolutely necessary. #When communicating with a remote, Linux-based machine, it's common to use Secure Socket Shell (SSH), a protocol that provides a way to communicate securely via a CLI (shell) over an encrypted connection. #Remote Desktop Protocol (RDP) is a service on Windows machines, not on Linux machines. The X11 protocol can be used over SSH to enable graphical interfaces to Linux machines. #SFTP provides a more secure option over File Transfer Protocol (FTP). FTP is a cleartext protocol and should not be used.

A PenTester used msfvenom to generate a payload that a simplified script will download and execute. Which option indicates that PowerShell will not load any particular profile? a) -p b) -w hidden c) -c d) -nop

d) -nop #The -nop option tells PowerShell not to load any particular profile, which may customize the way PowerShell behaves in the environment. #When a PenTester uses the -p option, it specifies the payload; for instance, the PenTester can use the -p option to select reverse_powershell, which is located inside cmd/windows. #The -w hidden option specifies that when the payload executes, the script will hide the PowerShell window. #A PenTester can use the -c option when executing PowerShell to specify that PowerShell will execute the following command block or script and then exit.

A security professional is setting up a netcat listener but they want to start up in UDP instead of TCP. What parameter should they use? a) -l b) -L c) -e d) -u

d) -u #The -u parameter starts Netcat in UDP mode. The default is to use TCP. Netcat is a command-line utility used to read from or write to a TCP or UDP network connection.

A PenTester is installing optional tools for Linux in preparation for a PenTest. Where do PenTesters store these tools? a) /vulscan b) https://github.com c) pip3 d) /opt

d) /opt #The PenTester will store these tools in the /opt folder, as /opt is where PenTesters normally install optional tools for Linux. #The PenTester will not store optional tools for Linux in /vulscan, but may store one tool in the /vulscan folder underneath the /opt folder. #The PenTester can get scripts from https://github.com. For instance, the PenTester can get an Nmap script from https://github.com/scipag/vulscan and place it in /opt/vulscan. #The PenTester will not store optional tools for Linux in pip3, as pip3 is a Python installer that PenTesters use to get modules and install them so Python can access them.

A systems administrator is looking at migrating to the cloud and hears a number of new terms they are not familiar with. What makes up a cloud federation? a) Infrastructure b) Platform services c) Software d) A combination of all these

d) A combination of all these #The combination of infrastructure, platform services, and software represents a cloud federation. #Infrastructure is one component of cloud federation. With cloud computing, an organization can access and manage data and applications from any host, anywhere in the world. #Platform services are another component of cloud federation. In a cloud environment, the attacker may simply need to have an internet connection and a dictionary of stolen password hashes to cause a breach. #Software is the last component of cloud federation. A lack of oversight in the security procedures of cloud providers can dramatically increase the risk an organization takes.

A PenTester discovered a compromise of a financial institution's systems and uncovers that the systems may have been compromised for years. What did the PenTester most likely uncover? a) Backdoor b) Bind shell c) Daemon d) APT

d) APT #The PenTester discovered an advanced persistent threat (APT) which is a breach that can go on for years, exfiltrating significant volumes of sensitive data from a target. #A backdoor is a hidden mechanism that provides a PenTester with access to a system through some means other than a credential login. #A system establishes a bind shell when the target system "binds" its shell to a local network port. For example, a Linux target might bind the Bash shell on port 12345. #A PenTester can install a remote access daemon on the target to shell into the target at any time and even regain that shell immediately after the system has rebooted.

A security tester is conducting an assessment on a new network where NAC is employed. What is the most common way to bypass NAC? a) Using decoys b) Advertise a fake MAC address c) Modify the port number d) Access an authenticated device

d) Access an authenticated device #The most common way to bypass NAC is by accessing an authenticated device and using the device to slip by the NAC appliance. #When conducting a port scan on a host, you can use decoys in order to make it appear as if the packets are coming from either a trusted or random device. #In some cases, it might be effective to make the probe appear to be coming from a specific device. In that case, the team can generate a bogus source hardware (or MAC) address. #Network security devices are tuned to either allow or deny specific packets based on several different parameters. One of those parameters is the source port number.

A security researcher is analyzing various on-path attack techniques to develop detection mechanisms against them. Which of the following is NOT an on-path attack? a) DNS poisoning b) ARP poisoning c) MAC spoofing d) Biometric spoofing

d) Biometric spoofing #Biometric spoofing is not an example of an on-path attack. An on-path attack is when a malicious actor sits in the middle or in the path of a connection.

Although the PenTesters are in the middle of an attack, they supply the organization with a report identifying findings. What did the PenTesters report on? a) Status report b) Indicators of prior compromise c) Goal reprioritization d) Critical findings

d) Critical findings #The PenTesters reported on critical findings which are issues that imply a very high risk to the organization and are urgent enough to trigger special communications. #Status reports are regular progress briefings with the client. If the PenTest will take more than a few days, the client might want regular progress updates. #Indicators of Prior Compromise (IoC) are artifacts which can provide evidence of a prior cybersecurity event and could be from malicious sources. #Goal reprioritization is the catalyst for possible adjustments to the engagement. The need for contingency planning for the PenTest engagement itself enables the reprioritization of goals.

A PenTester is writing a script and is using if statements, else statements, and loops to determine how the code will execute. What is this component of a script known as? a) Variables b) Operators c) Data constructs d) Flow control

d) Flow control #Flow control, or the order in which code instructions execute, is one of the most important components of a script's logic and includes using if statements, else statements, and loops. #A variable is any value that a system stores in memory and a coder gives a name or an identifier. In code, you assign values to these variables. #Operators perform specific functions in order to produce a result. Three of the most common operations are Boolean, Arithmetic, and String. #Data constructs are components that PenTesters will use within a script and can include such constructs as variables, logic, operators, flow control, conditionals, and loops, to name but a few.

A digital forensics expert regularly evaluates both iOS and Android devices and often uses an open-source tool that allows the forensics expert to dump process memory, perform in-process fuzzing, and change a program's behavior. What tool does the forensics expert use? a) APK Studio b) Drozer c) Objection d) Frida

d) Frida #The forensics expert is using Frida, which is an open-source tool that can work with a wide range of operating systems and allows the forensics expert to dump process memory, perform in-process fuzzing, and change a program's behavior. NOTE: Frida can also test whether the system is jailbroken and has anti-jailbreak or root detection capability. #APK Studio is an integrated development environment (IDE) designed so you can decompile and/or edit an APK file. #Drozer is open-source software used for testing for vulnerabilities on Android devices. Drozer is an attack framework that allows you to find security flaws in apps and devices. #Objection is a runtime exploration toolkit that works on iOS devices. It is a scriptable debugger that allows digital forensic experts to perform various security-related tasks on unencrypted iOS applications.

The PenTesting team must keep close communication with the client organization for the testing process to provide an immediate response to issues without confusion. Who will the PenTesting team keep in constant communication with? a) Primary contact b) Technical contact c) Emergency contact d) IT manager

d) IT manager #The IT manager is typically the person the designated lead of the PenTesting team should have close communication with and the two lead roles must both be hands-on. #The primary contact is the party responsible for handling the project on the client's end and is responsible for the major decisions surrounding the penetration test. #The technical contact is the party responsible for handling the technology elements of the activity as they have a more in-depth knowledge of the technical aspects of the system. #The emergency contact is the party that the PenTesters will contact in case of particularly urgent matters and should be available 24/7 or at least during the hours of active testing.

A PenTester is attempting to use PowerShell remoting to issue commands to remote systems, but it is not working. What could be the cause? a) It is not a remote management system. b) It is deprecated. c) It requires PsExec. d) It requires WinRM.

d) It requires WinRM. #PowerShell remoting is not working because it requires that the target system has the WinRM service set up to receive remote PowerShell commands. #PowerShell is a remote management service that enables commands to be issued to remote systems and does not usually involve an interactive shell. #Microsoft has deprecated the Windows Management Instrumentation command-line (WMIC) although Microsoft has not deprecated the underlying WMI system. #PowerShell and PsExec are two different remote management systems, and one does not require the other. PsExec uses Server Message Block (SMB) to enable the PenTester to issue commands to a remote system.

A PenTesting team has undergone a debrief and is discovering things that will help them improve their tools and processes. Which follow-up phase does this fall under? a) Client acceptance b) Retest c) Attestation of findings d) Lessons learned

d) Lessons learned

A PenTester is gathering passwords by extracting them in cleartext from memory. What tool is the PenTester using? a) Hashcat b) Brutespray c) CeWL d) Mimikatz

d) Mimikatz #The PenTester is using Mimikatz, which gathers credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes. #Hashcat is a password and hash cracking tool that uses different attack methods (dictionary, mask, hybrid) to add complexity and variability. #Brutespray interprets results from an Nmap scan to automatically start Medusa against the identified open ports and can also use results from Nmap with option -sV to identify and target services on non-standard ports. #CeWL generates word lists based on automatically navigating a website and collecting words from text as well as author/creator metadata from files that the tool finds.

A mobile device user installed a new task management application and granted the app all the permissions it requested without checking to see why it wanted them. What kind of attack is this? a) Execution of activities using root b) Drive by downloads c) Spyware d) Over-reach of permissions

d) Over-reach of permissions #This is an over-reach of permissions. Instead of following the principle of least privilege, a consumer may feel it is necessary to allow an app to access services and data stores that are generally restricted. #Execution of activities using root, which can occur when the user roots or jailbreaks their system to improve the performance of the device, will leave the system vulnerable to an attack. #Drive-by downloads can occur while browsing the internet, as a victim can click on a link that will download malicious software. Many times, the victim is unaware of this activity. #Spyware records all the keystrokes and other activity a user performs and sends them to a data collection site.

A penetration tester has connected to a remote system using a tool that will keep the connection encrypted. Which tool is the penetration tester using? a) Telnet b) Netcat c) Ncat d) SSH

d) SSH #The penetration tester is using Secure Shell (SSH), which encrypts remote connections; some configurations require the use of a digital certificate and keypair for authentication. #Telnet is an older remote protocol that does not support encryption. Most modern systems have telnet disabled by default. #Netcat is a command-line utility used to read from or write to TCP, UDP, or Unix domain socket network connections. It is highly versatile but does not use encryption. #Ncat is a tool developed for Nmap as an improvement over Netcat, not only retaining most of the functionality but also adding more, an important addition being support for SSL.

An administrator is implementing a solution that will control sensitive information in the organization. What solution is the administrator configuring? a) Certificate management b) Certificate pinning c) Key rotation d) Secret management

d) Secret management #The administrator is configuring a secret management solution, which is a platform that controls passwords, key pairs, and other sensitive information that organizations must store securely. #Certificate management is the process of properly administering digital security certificates and includes managing proper storage and transmission of the certificate and the suspension and revocation of them. #Certificate pinning is the process of assigning a specific certificate to a particular element to avoid man-in-the-middle attacks. #Key rotation is the process of periodically generating and implementing new access keys to a server/service. Many of the recommendations for passwords also apply to keys.

A secret double agent on a top-secret mission needs to conceal a payload in an audio file using tools built into Kali. What tool could they use to do this? a) SAST b) Bit-Twist c) Meterpreter d) Steghide

d) Steghide #Steghide is an open-source tool used to conceal a payload in either an image or audio file. The software can compress, conceal, and encrypt data. #Static Application Security Testing (SAST) is done early in the software development life cycle to examine the code for security vulnerabilities. #Bit-Twist uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3 which allows users to craft their own packets. #Meterpreter is a very popular payload of MetaSploit, which is an interactive, menu-based list of commands you can run on the target.

A network contractor is setting up wireless for a small coffee shop and wants to make sure they are secured with a standard that uses 192-bit encryption. Which of the following should they use? a) WEP b) WPA c) WPA2 d) WPA3

d) WPA3 #WPA3 includes advanced features to secure wireless transmissions such as 192-bit encryption when using WPA3-Enterprise mode (used in business LANs). #WPA features the Temporal Key Integrity Protocol (TKIP). TKIP dynamically generates a new 128-bit key for each packet. In addition, WPA includes a Message Integrity Check (MIC), which provides a stronger method (than a CRC) to ensure data integrity. #WPA2 is an improvement of WPA and replaced RC4 and TKIP with Counter Mode CBC-MAC Protocol (CCMP) using AES.

A penetration tester has discovered that a remote access tool can open a shell on a Linux system without even authenticating. What command is the penetration tester using? a) Telnet b) RDP c) SSH d) rsh

d) rsh #The penetration tester is using rsh, which is a Linux command that can open a shell, and if the server has an .rhosts file configured a certain way, the penetration tester won't even need to supply credentials. #Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote GUI connections to a Windows machine and requires authentication.

A penetration tester is looking for secrets in Git repositories that will allow the tester to modify code. What tool is the penetration tester using? a) Brakeman b) SearchSploit c) BeEF d) truffleHog

d) truffleHog #The penetration tester is using truffleHog which can automatically crawl through a repository looking for accidental commits of secrets that will allow an attacker to modify code in a Git repository. #Brakeman is a static code analysis security tool for Ruby on Rails applications which checks for vulnerabilities and provides confidence level of finding (high, medium, weak). #SearchSploit is an exploit finder that allows users to search through the information found in Exploit-DB. It also supports Nmap outputs in XML format to search for exploits automatically. #BeEF (Browser Exploit Framework) focuses on web browser attacks by assessing the actual security posture of a target by using client-side attack vectors.

