Pentest+ 10/9

Insider threat

A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization's mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first?

Government restriction

A defense contractor that manufactures hardware for the U.S. military has put out a request for proposal for penetration tests of a new avionics system. The contractor indicated that penetration testers for this project must hold a security clearance. Which of the following is the most likely explanation for this requirement?

It's an active scanning technique. It performs a simple ping test to determine if a host is up and alive on the network.

A discovery scan in nmap is described by which of the following statements? (Choose two.)

-sS, SYN and RST packets

A stealth scan in nmap is denoted by the __________ flag and leverages the use of __________ when probing ports.

threat actor

A(n) __________ is an individual or group with the capability and motivation necessary to manifest a threat to an organization and deploy exploits against its assets.

Identify assets

According to Microsoft's published procedures, what is the first step in threat modeling?

Employee bank accounts managed by a different company

All the following assets may be candidates for target selection for a penetration test except:

Rival corporations Third-party media organizations

All the following may typically be considered stakeholders in the findings of a penetration test except which two?

Zmap

Censys was created at the University of Michigan by the team of researchers who also developed what wide-scale Internet-scanning tool?

Domain administrator fax

Domain registration information returned on a WHOIS search does not include which of the following?

Session hijacking

During a penetration test of a web application, you determine that user session IDs (or tokens) are revealed in the URL after authentication. You further discover that these session IDs are predictably incremented values, and not randomly generated numbers or strings. To which of the following attack types would this application likely be susceptible?

Exploit chaining

During a penetration test, you identify a live local file inclusion (LFI) vulnerability on a web application that allows you to see any file on the target system, including the /etc/passwd and /etc/shadow files. With this information, you feed password hashes from the shadow file into hashcat and crack them with a dictionary attack, ultimately finding a match that allows you to obtain a low-privilege shell on the target system. What is this an example of?

Brute force

During a penetration test, you identify and harvest encrypted user passwords from a web application database. You do not have access to a rainbow table for the encryption algorithm used, and do not have any success with dictionary attacks. What remaining attack method—typically one of last resort—could you leverage as an attacker to attempt to decrypt the passwords you have harvested?

Communication escalation path

Found in the ROE, which component tells the penetration tester(s) who to contact in the event of an issue during an engagement, and how?

Master service agreement

General terms for future agreements and conditions such as payment schedules, intellectual property ownership, and dispute resolution are typically addressed in which contractual document between a penetration tester and their client?

technical constraint

Identified by the target audience of a penetration test, a(n) __________ is a specific technological challenge that could significantly impact an organization (for example, a mission-critical host or delicate legacy equipment that is scheduled for replacement).

Identify threats

In Microsoft's guidance on threat modeling, which step involves the categorization of external and internal threats to an organization?

IP addresses Domain names

In a penetration test, it often occurs that a great deal of information pertinent to attacking target systems and goals is provided to the penetration tester. Which of the following are often provided by the target organization? (Choose two.)

Command injection

In a text field on a web application, you discover that by entering a semicolon and the *nix command `id`, you can find the username context for the application on the server. What is this an example of?

Assisting the organization with asset categorization and implementation of industry best practices

In addition to their value in compliance-based penetration tests, which of the following is another benefit of the use of testing an environment against CIS preconfigured operational baseline scan templates?

The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.

In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization's network or systems?

Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out

In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing?

Populating graphs with data for press releases

Nessus incorporates NVD's CVSS when producing vulnerability severity information. Which of the following is not a use for this information for a penetration tester?

Press release drafts found on an undocumented web page inside a company's intranet

Open-source intelligence (OSINT) collection frameworks are used to effectively manage sources of collected information. Which of the following best describes open-source intelligence?

Medium

Per Microsoft's threat modeling system, what would the final risk prioritization be for this vulnerability?

Compliance scan

Security Content Automation Protocol (SCAP) aware scanners, such as Tenable's Nessus, test the implementation of best-practice security configuration baselines from the Center for Internet Security (CIS). For which type of scan are these baselines most helpful?

Industrial control systems (ICS) used in manufacturing, power generation, water treatment, and other public works

Supervisory Control and Data Acquisition (SCADA) is a real-time control system that monitors the health and status of components of what type of infrastructure?

Password complexity Data isolation

Systems governed by compliance frameworks such as PCI DSS and HIPAA are often required to meet standards of which of the following? (Choose two.)

Firmware

The CAPEC details thousands of known attack patterns and methodologies. Which of the following is not an attack domain recognized by CAPEC?

National Vulnerability Database (NVD)

The National Institute of Standards and Technology (NIST) maintains what public resource for analysis on vulnerabilities published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?

SOAP project file

The function of which support resource is to define a format used for sending and receiving messages?

Network threats Host threats Application threats

The types of threats identified during the threat modeling process include which of the following? (Choose three.)

Impact analysis

This key aspect of requirements management is the formal approach to assessing the potential pros and cons of pursuing a course of action.

Triggers TCP SYN discovery to named ports

What is the effect of the -PS flag in nmap?

Disables ping and skips host discovery

What is the effect of the -Pn flag in nmap?

Increases the verbosity level of scan output

What is the effect of the -v flag in nmap?

Active information gathering

What is the process by which large data sets are analyzed to reveal patterns or hidden anomalies?

Threat modeling

What is the process by which risks associated with an organization's information systems are identified, quantified, and addressed?

Passive information gathering

What is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets?

Enumeration

What is the process of finding all available information on a target system or service in support of developing a plan of attack?

Compliance-based

What type of assessment gauges an organization's implementation of and adherence to a given set of security standards defined for a given environment?

A reverse DNS query will be run for all discovered ranges.

When used as part of a search through theharvester, what will be the effect of the -n flag?

Supply Chain

Which CAPEC-recognized domain of attack focuses on the manipulation of computer hardware and software within their respective lifecycles?

Proof-of-concept development

Which act describes the writing of a first-of-its-kind exploit to demonstrate or weaponize a vulnerability?

Advanced persistent threat

Which category of threat actor is highly skilled, frequently backed by nation-state-level resources, and is often motivated by obtaining sensitive information (such as industrial or national secrets) or financial gain?

Airmon-ng

Which component of the aircrack-ng suite of tools is used to put wireless adaptors into monitor mode?

Statement of work

Which document outlines the project-specific work to be executed by a penetration tester for an organization?

REST API

Which feature in Shodan is a collection of documentation that may be useful for developers who want to integrate Shodan searching into tools or applications they have developed or are currently developing?

FOCA

Which free and GNU-licensed tool written for the Windows operating system family gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names?

File excavation

Which method of collecting open-source intelligence consists of the collection of published documents, such as Microsoft Office or PDF files, and parsing the information hidden within to reveal usernames, e-mail addresses, or other sensitive data?

-n

Which nmap flag is used to disable DNS resolution of hostnames?

-iL

Which nmap flag should precede a file containing a list of targets to be scanned?

smb-enum-shares nfs-showmount

Which of the following NSE scripts would be best used to enumerate shared storage volumes on a network? (Choose two.)

Dispute resolution practices Indemnification clauses

Which of the following are items typically addressed in a master service agreement (MSA)? (Choose two.)

Compliance-based Goals-based

Which of the following are types of point-in-time assessments? (Choose two.)

Facebook

Which of the following data sources is not a valid option in theharvester?

Admin passwords may be easily guessed. Admin passwords are almost guaranteed to be in any major wordlist used in dictionary attacks. Admin passwords will be found with a brief Internet search for the service in question.

Which of the following is a danger associated with the use of default authentication credentials on a system or service?

Uncredentialed vulnerability scans are known to more commonly produce false positives.

Which of the following is a major benefit of running a credentialed vulnerability scan over a uncredentialed scan?

Full Disclosure

Which of the following is a public, vendor-neutral forum and mailing list that publishes vulnerability analysis details, exploitation techniques, and other relevant information for the security community?

Host discovery

Which of the following is an active scanning technique used to aid in the process of information gathering, with the goal of identifying hosts that are alive and listening on the network?

HTTP Strict Transport Security is not enabled on a system web application.

Which of the following is an example of a failure to apply best practices typical of those detailed in the results of a vulnerability scan?

OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.

Which of the following is an example of a vulnerability identification that is typical of those detailed in the results of a vulnerability scan?

A web application's robots.txt file specifically denies all access to the /cgi-bin/ directory.

Which of the following is an example of an observation typical of those detailed in the results of a vulnerability scan?

Fuzzing a running web application with garbage input to assess the application's reaction

Which of the following is an example of dynamic application analysis?

Analyzing the written code for an application outside of an actively running instance

Which of the following is an example of static application analysis?

Shift

Which of the following is an external resource or API that may be installed in Maltego to expand its capabilities?

Weakness ID Modes of introduction Likelihood of exploit

Which of the following is an identifier provided for CWE entries?

Aircrack-ng

Which of the following is an open-source suite of tools useful for conducting RF communication monitoring and security testing of wireless networks?

theharvester

Which of the following is an open-source, Python-based tool that runs strictly from the standard user command line and includes both passive and active options for intelligence collection (numerous command-line switches enable or disable functionality such as limiting queries to a specific search engine or running searches for identified IP addresses and hostnames in Shodan)?

Thorough review of application code outside of a running system for details on the vulnerability

Which of the following is not a benefit of performing vulnerability scanning during a penetration test?

Exploits

Which of the following is not a commonly reported theme or issue in vulnerability scan results?

PoC exploit code

Which of the following is not a detail of CVEs maintained by the CVE Numbering Authority?

Password is over 50 characters long with a large character set.

Which of the following is not a potential characteristic of weak authentication credentials?

Clickjacking

Which of the following is not a potential consequence of a lack of error handling or excessively verbose error handling in servers, web applications, and databases?

Beacon frame

Which of the following is not a primary type of frame defined by the IEEE 802.11 wireless communication standard?

The Japan Computer Emergency Response Team (JPCERT)

Which of the following is not a publicly accessible list used for vulnerability research and analysis?

Programming concepts

Which of the following is not a security weakness category as maintained by CWE?

Linux servers

Which of the following is not an example of a nontraditional asset?

The public reputation of the developers of the software or operating system being tested

Which of the following is not an issue to consider when performing a vulnerability scan?

Google

Which of the following search engines is not used by FOCA when searching for documents?

Nmap

Which open-source command-line tool is used for several penetration test-focused activities on both wired and wireless networks, such as surveying hosts for open ports, fingerprinting operating systems, and collecting service banners?

Dictionary attack

Which password-cracking method leverages wordlists that are expanded with discovered real-world passwords as they are discovered?

Rainbow tables

Which password-cracking method requires extensive storage capacity, sometimes more than 300 GB in total?

White box

Which penetration testing methodology may require valid authentication credentials or other information granting intimate knowledge of an environment or network?

Kismet

Which popular tool is used for wireless discovery and offers many of the same features as airodump-ng?

show modules

Which recon-ng command can be used to identify available modules for intelligence collection?

Shodan

Which static web page is focused on information gathering, providing web links and resources that can be used during the reconnaissance process, and can greatly aid penetration testers in the data-mining process?

Beacon frame

Which subtype of management frame contains details about a wireless access point (including but not limited to the SSID, encryption details, MAC address, and Wi-Fi channel) that can enable a malicious agent to eavesdrop on a wireless network?

Architecture diagram

Which support resource details an organization's network or software design and infrastructure as well as defines the relationships between those elements?

DNS zone transfer

Which technique is used during passive reconnaissance to map a user-defined hostname to the IP address or addresses with which it is associated?

Vulnerability mapping

Which term describes the process of detailing identified security flaws and their locations?

Red team

Which type of assessment is marked by a longer-than-typical engagement time and significant risk or cost to the organization without effective expectation management?

Management frame

Which type of primary frame (defined by the IEEE 802.11 wireless standard) enables stations to establish and sustain communication over the network with an access point?

Control frame

Which type of primary frame (defined by the IEEE 802.11 wireless standard) facilitates delivery of data frames to each station?

Script kiddies, or "skids"

Which type of threat actor is generally unskilled, is typically motivated by curiosity or personal profit, and is frequently indicated by the use of publicly available exploits?

HTTP parameter pollution

Which type of web application test attempts to provoke unexpected responses by feeding arbitrary values into web page parameters?

FTP:14147

While footprinting an organization for a penetration test, you discover that a service it relies on uses FTP across port 14147 for data transfers. How could you refine a Shodan search to only reveal FTP servers on that port?

To avoid taking down a system or service through effectively running a denial-of-service attack, or to avoid detection by not tripping log sensors or other alerts

Why might it be necessary to throttle queries to a target system during a penetration test?

The penetration tester is only provided with initial, basic connectivity to target systems.

With respect to penetration testing conducted behind perimeter defenses, what does it mean to be provided limited access?

Scope creep

You have been contracted to perform a penetration test for an organization. The initial meetings went well, and you have well-defined rules of engagement (ROE) and target-scoping documents. Two weeks later, you are asked if you can "squeeze in another /22 subnet" for the given assessment time frame. This is a potential example of: