PEN Testing Final

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

What comparison operator tests to see if one number is greater than or equal to another number in Bash?

-ge

Which of the following Nmap output formats is unlikely to be useful for a penetration tester?

-oS

Steve is working from an un-privileged user account that was obtained as part of a penetration test. he has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What flag is he likely to use to successfully scan hosts from this account?

-sT

After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following location will provide this list?

/etc/password

Where is the list of Linux users who can use elevated privileges via sudo typically found?

/etc/sudoers

Consider the following Python code: if 1 == 1: print("hello") elif 3 == 3: print("hello") else: print("hello")

1

What is the full range of ports that a UDP service can run on?

1-65,535

Which is the most recent version of the CVSS that is currently available?

3.0

Rick wants to look at the advertised routes to his target. What type of service should he look for to do this?

A BGP looking glass

Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of PCI DSS. What type of assessment is Lucas conducting?

A compliance-based assessment

During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not recieve a full network diagram. What type of assessment is she most likely conducting?

A gray box assessment

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities specifically align with the goals of gaining control of specific systems or data?

A red-team assessment

What type of assessment most closely simulates an actual attacker's efforts?

A red-team assessment with a black box strategy

Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility which she is testing. If she cannot rind a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?

A thumb drive drop

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate what is running on these ports?

A web browser

Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks?

APNIC

Which of the following threat actors is the most dangerous based on the adversary tier list?

APTs

Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress.

ARP spoofing to become a man in the middle

Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. he is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?

After compromising an internal host

Which of the following operating systems support Powershell interpreters?

All of the above

Assuming no significant changes in an organization's cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?

Annually

What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?

Asset inventory

Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage in the penetration testing process is Beth in?

Attacking and Exploiting

Which one of the CVSS metrics would contain information about the number of times an attacker must successfully authenticate to execute and attack?

Au

What penetration testing strategy is also known as "zero knowledge" testing?

Black box testing

In what type of attack does the attacker place more information in a memory location than is allocated for that use?

Buffer overflow

Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for a total compromise of a system?

C

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. What SCAP component can Jason turn to for assistance?

CPE

Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task.

CVSS

Scott wants to crawl his penetration testing target's website and then build a wordlist using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?

CeWL

Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreements? (Choose two.)

Comprehensiveness Point-in-time

Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?

Consult the SOW

Which of the following is NOT a reason to conduct periodic penetration tests of systems and applications?

Cost

Monica discovers that an attacker posted a message attacking users who visit a web forum that she manages. Which one of the following attack types is most likely to have occurred?

Cross-site scripting

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML code in a browser?

DOM-based XSS

Which of the following is not a common source of information that may be correlated with vulnerability scan resorts?

Database tables

Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly acheived?

Denial

Lauren has acquired a list of valid user accounts but does not have the passwords for them. If she had not found any vulnerabilities but believes that the organization she is targeting has poor passwords practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?

Dictionary attacks

Edward Snowden gathered a massive quantity of sensitive information from the National Security Agency and released it to the media. What type of attack did he wage?

Disclosure

Alice has deployed physical keyloggers to target systems. What issue is most commonly associated with physical keyloggers?

Discovery

Which of the following is not a normal communications trigger for a penetration test?

Documentation of a new test

Lisa wants to enumerate possible user accounts and has discovered an accessible SMTP server. What SMTP commands are most useful for this?

EXPN and VRFY

Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?

ExifTool

John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner.

ExifTool

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

False positive

Which of the following is a debugging tool compatible with Linux systems?

GDB

Which one of the following debugging tools does not support Windows systems?

GDB

Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?

Government agency

After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished?

He has scheduled his own executable to run weekly.

Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMAN:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMAn:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force

He has set up PSRemoting

Kevin recently identified a new security vulnerability and computed the CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into?

High

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?

His IP address was blacklisted.

What software component is responsible for enforcing hte separation of guest systems in a virtualized infrastructure?

Hypervisor

Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?

Inclusion of a public encryption key

Which of the following is NOT a benefit of using an internal penetration test team.

Independence

Which of the following approaches, when feasible, is the most effective way to defeat injection attacks?

Input whitelisting

Which of the following categories of systems is most likely to be disrupted during a vulnerability scan?

IoT device

Which of the following statements does not correctly describe the Ruby programming language?

It is a compiled language

Charles want to deploy a wireless intrusion detection system. Which of the following tools is best suited for that purpose?

Kismet

Examine the following network diagram. What is the most appropriate location for a web application firewall (WAF) on this network?

Location D

Cameron is preparing to travel to another state to perform a physical penetration test. What penetration testing fear should he review the legality of before leaving for that state?

Lockpicks

Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit?

Low

Mika runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com What information will she NOT recieve?

MOD

Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test?

Metasploit

Which one of the following tools is an exploitation framework commonly used by penetration testers?

Metasploit

Selah wants to use a brute-force attack against the SSH service provided by one of her targets. Which of the following tools is not designed to brute-force services like this?

Minotaur

Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?

Moderate impact

While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?

NAC

Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?

NAT

Which one of the following is not an open source intelligence gathering tool?

Nessus

Which one of the following techniques is not an appropriate remediation activity for a SQL injection vulnerability?

Network firewall

Which of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks?

Nikto

What does a result of * * * mean during a traceroute?

No response to the query, perhaps a timeout, but traffic is going through.

Which one of the following is NOT a password cracking utility?

OWASP ZAP

What built-in Windows server administration tool can allow command-line PowerShell access from other systems?

PSRemote

What is required for Jason to conduce a cold-boot attack against a system?

Physical access

Analyze the following segment of code: Do { $test='mike' + $i $cracked = Test-Password $test $i++ } While ($cracked -eq 0) In what language is this code written?

PowerShell

Examine the following line of code. In what programming language is it written?

PowerShell

The Dirty COW attack is an example of what type of vulnerability?

Privilege escalation

Examine the code snippet below. IN what language is this code written? begin system 'nmap' + ip rescue puts "An error occurred.' end

Python

Examine the following line of code. In what programming language is it written? print("The system contains several serious vulnerabilities.")

Python

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?

Quarterly

Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods is typically the fastest, presuming he knows the hashing method and has the appropriate files and tools to take advantage of each tool?

Rainbow Crack

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

Read-only

Which of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process?

Reconnaissance

Which one of the following activities is not commonly performed during the post engagement cleanup phase?

Remediation of vulnerabilities

Which of the following activities is not part of the vulnerability management lifecyle?

Reporting

What term describes an organization's willingness to tolerate risk in their computing environment?

Risk appetite

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would the best approach be for the initial scan?

Run the scan in a test environment

Alice discovers a rating that her vulnerability scanner lists as a 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service?

SMB exploit

What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?

SOW

Alan is reviewing web server logs after an attack and finds many records that contain semi-colons and apostrophes in queries from end users. What type of attack should he suspect?

SQL injection

Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hots if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?

SSH tunnelling

During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?

SSIDs

Which one of the following is not an example of a vulnerability scanning tool?

Snort

Biometric authentication technology fits into what multifactor authentication category?

Something you are

Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting?

Spear phishing

Adam is conducting a penetration test of an organization and is reviewing source code of an application for vulnerabilities. What type of code testing is Adam conducting?

Static code analysis

Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80 What type of traffic will the remote system see?

TCP SYNs to TCP port 80

Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?

TLS 1.1

Which of the following attacks is an example of a race condition exploitation?

TOCTTOU

Which one of the following protocols should never be used on a public network?

Telnet

Which one of the following is not a common category of remediation activity?

Testing

Where are the LSA Secrets stored on a Windows system?

The Registry

The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?

The environment is unlikely is to be the same in the future

Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?

The indicate services that may not be properly updated or managed.

Charles has completed the scoping exercise for his penetration test and has signed the agreement with hsi client. Whose signature should be expected as the counter signature?

The proper signing authority

Chris runs an Nmap scan against the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?

The scan will progress at a very slow speed.

During an Nmap scan, Casey uses the -O flag. The scan identified the host as follows: RunningL Linux 2.6.xOS CPE: cpe:/o:linux:linux_kernel:2.6OS Details: Linux 2.6.9 - 2.6.33

The system is running a Linux 2.6 kernel between .9 and .33

What occurs during a quid pro quo social engineering attempt?

The target is made to feel indebted

What does an MSA typically include?

The terms that will govern future agreements.

After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are not network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?

There is an incorrect community string.

Who is the most effective person to facilitate a lessons learned session after a penetration test?

Third party

Which one of the following activities assumes that an organization has already been compromised?

Threat hunting

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?

Timing-based SQL injection

What technique is required to use LSASS to help compromise credentials on a modern Windows system?

Turn on WDigest

During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?

VLAN hopping

In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?

VM escape

Which of the following tools provides information about a domain's registrar and physical location?

WHOIS

Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?

Whaling

When should system hardening activities take place?

When the system is initially built and periodically during its life

Which one of the following terms in not typically used to describe the connection of physical devices to a network?

Which one of the following terms in not typically used to describe the connection of physical devices to a network?

Which of the following types of penetration test would provide testers with complete visibility into the configuation of a web server without having to compromise the web server to gain that information?

White Box

After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?

Windows

Which one of the following operating systems should be avoided on production networks?

Windows Server 2003

What type of language is WSDL based on?

XML

Which of the following is a static code analysis tool?

YASCA

What technique is being used in the following command: host -t axfr domain.com dns1.domain.com

Zone transfer

Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass?

a MAC address filter

Allan wants to gain entrance to a target company's premises but discovers that his original idea of jumping the fence probably isn't practical. Which factor is least likely to prevent him from trying to jump the fence?

a gate

Mike wants to enter an organization's high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?

a mantrap

Andrew know that the employees at his target company frequently visit a football discussion site popular in the local area. As part of his penetration testing, he successfully places malware on the site and takes over multiple PCs belonging to employees. What type of attack has he used?

a watering hole attack

During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission?

actions on objectives

What is the final stage of the Cyber Kill Chain?

actions on objectives

Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Chris wants to set up a false AP, which tool is best sutied to his needs?

aircarck-ng

What type of legal assessment typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?

an NDA

Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?

attestation of findings

What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?

bluejacking

Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using?

certificate pinning

Which one of the following commands will allow the file owner to execute a Bash script?

chmod u+x script.sh

What approach to vulnerability scanning incorporates information from agents running on the target serrvers?

continuous monitoring

What type of attack depends upon the fact that users are often logged into many websites simultaneously in the same browser?

cross-site request forgery

Grace is investigating a security incident where attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action?

delivery

Which one of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?

encryption

Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information withing the bounds of his test?

full external scan

Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity?

integrity

Jacob runs ls -l on a file and sees the following listing. What does he know about chsh? -rwsr -xr x root root 40432 Sep 27 2017 chsh

it is a SUID executable

Chris wants to acquire a copy of the Windows SAM database from a system that he has compromised and is running the Metasploit Meterpreter on. What Mimikatz command will allow him to do this?

meterpreter> mimikatz_command -f samdump::hashes

Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack?

mimikatz

What Unix command can you use to listed for input on a network port?

nc

Jessica wants to list the domain password policy for a Windows domain. What net command can she use to do this?

net accounts /domain

Angela wants to run John the Ripper against a hashed password file she acquired from a compromise. What information does she need to know to successfully crack the file?

none of the above

Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -P 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up the scan?

only scan via UDP to improve speed

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: https://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ;DROP TABLE Services;--

parameter pollution

Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During which stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test?

planning and scoping

What is the default read-only community string for many SNMP devices?

public

Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating?

reporting and communicating results

During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What had occurred?

scope creep

What type of adversary is most likely to use only prewritten tools for their attacks?

script kiddies

Alexa carefully pays attention to an employee as they type in their security code to her target organization's high security area and writes down the code that she observes. What type of attack has she conducted?

shoulder surfing

Which of the following technologies is most resistant to badge cloning attacks if implemented properly?

smart cards

Tom's organization currently sues password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?

smartphone app

Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?

sqlmap

Which one of the following factors is least likely to impact vulnerability scanning schedules?

staff availability

During an early phase of his penetration test, Mike recovers a binary executable file that he wants to analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?

strings

Which one of the following function calls is closely associated with Linux command injection attacks?

system()

Which of the following items is not appropriate for the executive summary of a penetration testing report?

technical detail

While Frank is performing a physical penetration test, he notices the exit doors to the data center automatically open as an employee approaches them with a cart. What should he record in his notes?

the presence of an egress sensor

Chris cross-compiles code for his exploit and deploys it. Why would he cross-compile code?

to run it on a different architecture

Which one of the following metrics is not included in the calculation of the CVSS exploitability score?

vulnerability age


Kaugnay na mga set ng pag-aaral

Assessment and Management of Patients with Diabetes

View Set

LI274 Answers to All Quizzes From First Half

View Set

CH 12 SOC: GENDER, SEX, AND SEXUALITY

View Set

Complementary and Alternative Medicine (CAM)

View Set