Final 188 study guide

Which one of the following techniques is not an appropriate remediation activity for a SQL injection vulnerability? A. Network firewall B. Input sanitization C. Input validation D. Parameterized queries

A. Input sanitization (also known as input validation) and parameterized queries are both acceptable means for preventing SQL injection attacks. Network firewalls generally would not prevent such an attack.

Wendy is reviewing the results of a penetration test and learns that her organization uses the same local administrator password on all systems. Which one of the following tools can help her resolve this issue? A. LAPS B. Nmap C. Nessus D. Metasploit

A. The Local Administrator Password Solution (LAPS) from Microsoft provides a method for randomizing local administrator account credentials through integration with Active Directory.

Which one of the following activities is not commonly performed during the post-engagement cleanup phase? A. Remediation of vulnerabilities B. Removal of shells C. Removal of tester-created credentials D. Removal of tools

A. Vulnerability remediation is a follow-on activity and is not conducted as part of the test. The testers should, however, remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

Biometric authentication technology fits into what multifactor authentication category? A. Something you know B. Something you are C. Somewhere you are D. Something you have

B. Biometric authentication techniques use a measurement of some physical characteristic of the user, such as a fingerprint scan, facial recognition, or voice analysis.

When should system hardening activities take place? A. When the system is initially built B. When the system is initially built and periodically during its life C. When the system is initially built and when it is decommissioned D. When the system is initially built, periodically during its life, and when it is decommissioned

B. System hardening should take place when a system is initially built and periodically dur-ing its life. There is no need to harden a system prior to decommissioning because it is being shut down at that point.

Gary ran an Nmap scan of a system and discovered that it is listening on port 22 despite the fact that it should not be accepting SSH connections. What finding should he report? A. Shared local administrator credentials B. Unnecessary open services C. SQL injection vulnerability D. No multifactor authentication

B. The only conclusion that Gary can draw from this information is that the server is offer-ing unnecessary services because it is listening for SSH connections when it should not be supporting that service.

Tom's organization currently uses password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor? A. Security question B. PIN C. Smartphone app D. Passphrase

C. Passphrases, security questions, and PINs are all examples of knowledge-based authen-tication and would not provide multifactor authentication when paired with a password, another knowledge-based factor. Smartphone apps are an example of "something you have" and are an acceptable alternative.

Who is the most effective person to facilitate a lessons learned session after a penetration test? A. Team leader B. CIO C. Third party D. Client

C. The most effective way to conduct a lessons learned session is to ask a neutral third party to serve as the facilitator, allowing everyone to express their opinions freely.

Which one of the following is not a normal communication trigger for a penetration test? A. Discovery of a critical finding B. Completion of a testing stage C. Documentation of a new test D. Identification of prior compromise

C. The three common triggers for communication during a penetration test are the comple-tion of a testing stage, the discovery of a critical finding, and the identification of indicators of prior compromise.

Which one of the following is not a common category of remediation activity? A. People B. Process C. Testing D. Technology

C. The three major categories of remediation activities are people, process, and technology.

Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting? A. Executive summary B. Penetration testing report C. Written testimony D. Attestation of findings

D. An attestation of findings is a certification provided by the penetration testers to docu-ment that they conducted a test and the results for compliance purposes.

Which one of the following items is not appropriate for the executive summary of a penetration testing report? A. Description of findings B. Statement of risk C. Plain language D. Technical detail

D. An executive summary should be written in a manner that makes it accessible to the layperson. It should not contain technical detail.

What value would be used to encode a space in a URL string? A. %20 B. %21 C. %22 D. %23

A. The %20 value is used to URL-encode spaces using the percent encoding scheme.

Chris wants to acquire a copy of the Windows SAM database from a system that he has compromised and is running the Metasploit Meterpreter on. What Mimikatz command will allow him to do this? A. meterpreter> mimikatz_command -f samdump::hashes B. meterpreter> msv C. meterpreter> mimikatz_command -f samdump::passwords D. meterpreter> kerberos

A. The Metasploit Meterpreter includes built-in Mimikatz functionality that can be called using the mimikatz_command -f invocation. Using sampdump::hashes will result in a dump of the SAM database, which can then be cracked using a variety of tools.

Which one of the following is a static code analysis tool? A. YASCA B. Peach C. Immunity D. WinDBG

A. YASCA is a source code analyzer used to perform static analysis of applications. Peach is a fuzzing tool, which is a type of dynamic analysis. Immunity and WinDBG are debug-gers, another class of dynamic security testing tool.

Which one of the following is a debugging tool compatible with Linux systems? A. WinDBG B. GDB C. OllyDbg D. SonarQube

B. GDB is a widely used open-source debugger for the Linux platform. WinDBG and OllyDbg are also debuggers, but they are only available for Windows systems. SonarQube is a continuous security assessment tool and is not a debugger.

Cassandra wants to attack a WPS-enabled system. What attack technique can she use against it? A. WPSnatch B. Pixie dust C. WPSmash D. e-Lint gathering

B. Pixie dust attacks use brute force to identify the key for vulnerable WPS-enabled routers due to poor key selection practices. The other options are made up!

Susan calls staff at the company she has been contracted to conduct a phishing campaign against, focusing on individuals in the finance department. Over a few days, she persuades an employee to send a wire transfer to an account she has set up after telling the employee that she has let their boss know how talented they are. What motivation technique has she used? A. Urgency B. Reciprocation C. Authority D. Fear

B. Susan is using the concept of reciprocation to persuade the employee that they should perform an action that benefits her, since she has done them a favor.

Cameron is preparing to travel to another state to perform a physical penetration test. What penetration testing gear should he review the legality of before leaving for that state? A. Metasploit B. Lockpicks C. Encryption tools D. SET

B. The legality of lockpicks varies from state to state in the U.S. While they are legal in most states, before he travels Cameron should check the legality of lockpicks in his destina-tion state and any states he will travel through.

Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack? A. Responder B. Mimikatz C. Ettercap D. Metasploit

B. Unlike the other options listed here, Mimikatz pulls hashes from the lsass process. Since the question specifically notes "over the wire," Mimikatz is the only tool that cannot be used for that.

Analyze the following segment of code: Do { $test='mike' + $i $cracked = Test-Password $test $i++ } While($cracked -eq 0) In what language is this code written? A. Ruby B. PowerShell C. Python D. Bash

B. Use the flowchart in Figure 11.3 to answer this question. The code contains curly braces, so it is written in PowerShell.

Lisa wants to enumerate possible user accounts and has discovered an accessible SMTP server. What STMP commands are most useful for this? A. HELO and DSN B. EXPN and VRFY C. VRFY and TURN D. EXPN and ETRN

B. VRFY verifies that an address exists, while EXPN asks for the membership of a mailing list. Both may be used to validate user IDs.

Consider the following Python code: if 1 == 1: print("hello") elif 3 == 3: print("hello") else: print("hello") How many times will this code print the word "hello"? A. 0 B. 1 C. 2 D. 3

B. When using conditional execution, only one clause is executed. In this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute.

Examine the code snippet below. In what language is this code written? begin system 'nmap ' + ip rescue puts 'An error occurred.' end A. Python B. PowerShell C. Ruby D. Bash

C. Among other characteristics, the rescue keyword for error handling is unique to Ruby.

What technique is required to use LSASS to help compromise credentials on a modern Windows system? A. Set storage to "unencrypted." B. Enable LSASS legacy support. C. Turn on WDigest. D. Disable LSASS 2.0

C. Enabling WDigest on a modern Windows system that you have already compromised will cause it to cache plaintext passwords when each user logs in next.

Where is the list of Linux users who can use elevated privileges via sudo typically found? A. /bin/sudo B. /etc/passwd C. /etc/sudoers D. /usr/sudoers

C. The sudoers file is typically found in the /etc/ directory in most Linux distributions.

Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leader-ship of her target. What type of phishing attack should she use? A. Smishing B. VIPhishing C. Whaling D. Spear phishing

C. Whaling is a specialized form of phishing that targets important leaders and senior staff. If Cynthia was specifically targeting individuals, it would be spear phishing. Smishing uses SMS messages, and VIPhishing was made up for this question.

Which of the following operating systems support PowerShell interpreters? A. Linux B. Mac C. Windows D. All of the above

D. PowerShell interpreters are available on all major platforms, including Windows, Mac OS X, and many popular Linux variants.

Examine the following line of code. In what programming language is it written? print("The system contains several serious vulnerabilities.") A. Ruby B. PowerShell C. Bash D. Python

D. As you prepare for the exam, you should be able to identify the programming language used in code snippets. The print command is used to generate output in Python.

What is the default read-only community string for many SNMP devices? A. secret B. readonly C. private D. public

D. The default read-only community string for many devices is set to "public." The typical best practice is to change all community strings on devices to prevent them from being queried without permission.

Ron wants to use arpspoof to execute a man-in-the-middle attack between target host 10.0.1.5 and a server at 10.0.1.25, with a network gateway of 10.0.1.1. What commands does he need to run to do this? (Choose two.) A. arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.25 B. arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.1 C. arpspoof -i eth0 -t 255.255.255.255 -r 10.0.1.25 D. arpspoof -i eth0 -t 10.0.1.25 -r 10.0.1.5

A, D. To fully act as a man in the middle, Ron needs to spoof both the server and target so that they each think that his PC is the system they are sending to. Spoofing the gateway (10.0.1.1) or the broadcast address (255.255.255.255) will not serve his purposes.

What control is most commonly used to secure access to API interfaces? A. API keys B. Passwords C. Challenge-response D. Biometric authentication

A. API use may be restricted by assigning legitimate users unique API keys that grant them access, subject to their own authorization constraints and bandwidth limitations.

If Chris wants to set up a false AP, which tool is best suited to his needs? A. Aircrack-ng B. Kismet C. Wireshark D. WiFite

A. Aircrack-NG has fake-AP functionality built in, with tools that will allow Chris to iden-tify valid access points, clone them, disassociate a target system, and then act as a man in the middle for future traffic.

Once Chris has gained access to the network, what technique can he use to gather addi-tional credentials? A. ARP spoofing to become a man in the middle B. Network sniffing using Wireshark C. SYN floods D. All of the above

A. Chris can use ARP spoofing to represent his workstation as a legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can act as a man in the middle. Network sniffing is useful after this to read traffic, but it isn't useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials, thus both options C and D are incorrect.

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance? A. Code signing B. Code endorsement C. Code encryption D. Code obfuscation

A. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

Steve has set his penetration testing workstation up as a man in the middle between his tar-get and an FTP server. What is the best method for him to acquire FTP credentials? A. Capture traffic with Wireshark B. Conduct a brute-force attack against the FTP server C. Use an exploit against the FTP server D. Use a downgrade attack against the next login

A. FTP is an unencrypted protocol, which means that Steve can simply capture FTP traffic the next time a user logs into the FTP server from the target system. A brute-force attack may succeed, but it's more likely to be noticed. While an exploit may exist, the question does not mention it, and even if it does exist it will not necessarily provide credentials. Finally, downgrade attacks are not useful against FTP servers.

While Frank is performing a physical penetration test, he notices that the exit doors to the data center open automatically as an employee approaches them with a cart. What should he record in his notes? A. The presence of an egress sensor B. The presence of a mantrap C. A potential unlocked door D. Nothing because this is not a vulnerability

A. Frank should note the presence of an egress sensor. If he can return after hours and cause the sensor to trip from outside the door, he can likely gain access to the data center.

Use the following scenario for questions 4, 5, and 6. Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the pene-tration test does not include a physical penetration test, so Jen must work entirely remotely. Jen wants to send a phishing message to employees at the company. She wants to learn the user IDs of various targets in the company and decides to call them using a spoofed VoIP phone number similar to those used inside the company. Once she reaches her targets, she pretends to be an administrative assistant working with one of Flamingo's senior execu-tives and asks her targets for their email account information. What type of social engi-neering is this? A. Impersonation B. Interrogation C. Shoulder surfing D. Administrivia

A. Jen is impersonating an administrative assistant. Interrogation techniques are more aggressive and run the risk of making the target defensive or aware they are being interro-gated. Shoulder surfing is the process of looking over a person's shoulder to acquire infor-mation, and administrivia isn't a penetration testing term.

20. Elle wants to clone an RFID entry access card. Which type of card is most easily cloned using inexpensive cloning devices? A. Low frequency 125 to 134.2 KHz card B. Medium frequency 400 to 451 KHz card C. High frequency 13.56 MHz card D. Ultra high frequency 865 to 928 MHz card

A. Low frequency RFID cards are often used for entry access cards, and are easily cloned using inexpensive commodity cloning devices. Medium frequency cards in the 400 to 451 KHz range do not exist, while high frequency cards are more likely to be cloned using a phone's NFC capability. Ultra high frequency cards are less standardized, making cloning more complex.

Which one of the following lines of code would create an array in a PowerShell script? A. $ports = 22, 25, 80, 443 B. ports = (22,25,80,443) C. ports = [22,25,80,443] D. $ports= [22,25,80,443]

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, while option C would work in Ruby or Python.

Charles sends a phishing email to a target organization and includes the line "Only five respondents will receive a cash prize." Which social engineering motivation strategy is he using? A. Scarcity B. Social proof C. Fear D. Authority

A. Scarcity can be a powerful motivator when performing a social engineering attempt. The email that Charles sent will use the limited number of cash prizes to motivate respon-dents. If he had added "the first five," he would have also targeted urgency, which is often paired with scarcity to provide additional motivation.

Upon further inspection, Joe finds a series of thousands of requests to the same URL com-ing from a single IP address. Here are a few examples: http://www.mycompany.com/servicestatus.php?serviceID=1 http://www.mycompany.com/servicestatus.php?serviceID=2 http://www.mycompany.com/servicestatus.php?serviceID=3 http://www.mycompany.com/servicestatus.php?serviceID=4 http://www.mycompany.com/servicestatus.php?serviceID=5 http://www.mycompany.com/servicestatus.php?serviceID=6 What type of vulnerability was the attacker likely trying to exploit? A. Insecure direct object reference B. File upload C. Unvalidated redirect D. Session hijacking

A. The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

Which one of the following function calls is closely associated with Linux command injec-tion attacks? A. system() B. sudo() C. mkdir() D. root()

A. The system() function executes a command string against the operating system from within an application and may be used in command injection attacks.

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting? A. Timing-based SQL injection B. HTML injection C. Cross-site scripting D. Content-based SQL injection

A. The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack.

A USB key drop is an example of what type of technique? A. Physical honeypot B. A humanitarian exploit C. Reverse dumpster diving D. A hybrid attack

A. USB key drops are sometimes referred to as physical honeypots. They tempt staff to plug unknown devices into their computers, which a well-trained and suspicious staff shouldn't do. The remaining options were made up for this question.

Jen wants to deploy a malicious website as part of her penetration testing attempt so that she can exploit browsers belonging to employees. What framework is best suited to this? A. Metasploit B. BeEF C. SET D. OWASP

B. The Browser Exploitation Framework, or BeEF, is specifically designed for this type of attack. Jen can use it to easily deploy browser exploit tools to a malicious website and can then use various phishing and social engineering techniques to get Flamingo employees to visit the site.

Michelle wants to attack the underlying hypervisor for a virtual machine. What type of attack is most likely to be successful? A. Container escape B. Compromise the administrative interface C. Hypervisor DoS D. VM escape

B. The most practical answer is to compromise the administrative interface for the underly-ing hypervisor. While VM escape would be a useful tool, very few VM escape exploits have been discovered, and each has been quickly patched. That means that penetration testers can't rely on one being available and unpatched when they encounter a VM host, and should instead target administrative rights and access methods.

Mike wants to enter an organization's high-security data center. Which of the following techniques is most likely to stop his tailgating attempt? A. Security cameras B. A mantrap C. An egress sensor D. An RFID badge reader

B. A mantrap allows only one individual through at a time, with doors at either end that unlock and open one at a time. It will prevent most piggybacking or tailgating behavior unless employees are willfully negligent.

Examine the following line of code. In what programming language is it written? Write-Host "The system contains several serious vulnerabilities." A. Ruby B. PowerShell C. Bash D. Python

B. As you prepare for the exam, you should be able to identify the programming language used in code snippets. The Write-Host command is used to generate output in PowerShell.

Which of the following pairs of languages allow the direct concatenation of a string and an integer? A. Python and Bash B. Bash and PowerShell C. Python and Ruby D. Ruby and PowerShell

B. Bash and PowerShell allow the direct concatenation of strings and numeric values. Ruby and Python require the explicit conversion of numeric values to strings prior to concatenation.

Charleen wants to conduct an attack that leverages unquoted service paths. Which of the following users is the most desirable to see listed under "Log On As" in the Services control panel? A. The service's service account B. system C. root D. poweruser

B. Charleen should look for a service that runs as system to have the greatest success. Root is not a commonly used username in Windows, poweruser accounts will typically not have the same access that system does, and the service's own service account will often be very limited

Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting? A. CEO baiting B. Spear phishing C. Phish hooking D. Hook SETting

B. Chris is conducting a spear phishing attack. Spear phishing attacks target specific indi-viduals. If Chris was targeting a group of important individuals, this might be a whaling attack instead. CEO baiting, phish hooking, and Hook SETting were all made up for this question.

Cynthia attempted a DNS poisoning attack as shown here. After her attempt, she does not see any traffic from her target system. What most likely happened to cause the attack to fail? [Picture] A. The DNS information was incorrect. B. The injection was too slow. C. The DNS cache was not refreshed. D. The client did not receive a trusted response.

B. Cynthia's response needs to arrive before the legitimate DNS server. If her timing isn't right, the legitimate response will be accepted.

Alice has deployed physical keyloggers to target systems. What issue is most commonly associated with physical keyloggers? A. Hardware failure B. Discovery C. Software-based detection D. Storage exhaustion

B. Hardware keyloggers can be discovered, resulting in a failure of the penetration test. Fortunately for penetration testers, carefully placed or disguised physical keyloggers are more likely to go unnoticed in many environments. They are not known for hardware fail-ure, and most will either stop recording keystrokes or overwrite existing data when they are full. Software-based detection of keyloggers is difficult, as they are often disguised as keyboards or other common devices, making it difficult for administrators to find them through device logs.

Christina wants to use THC Hydra to brute-force SSH passwords. As she prepares to run the command, she knows that she recalls seeing the -t flag. What should she consider when using this flag? A. How many targets she wants to attack B. The number of tasks to run in parallel per target C. The time-out for the connections D. None of the above

B. Hydra uses 16 parallel tasks per target by default, but this can be changed using the -t flag.

Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods will typically be fastest, presuming he knows the hashing method and has the appropriate files and tools to take advantage of each tool? A. John the Ripper B. Rainbow Crack C. Hashcat D. CeWL

B. If Jim has the right rainbow tables for the hashing method and password character set, Rainbow Crack should be the fastest. Hashcat would be the second fastest when taking advantage of a powerful graphic card, and John the Ripper will typically be the slowest of the password cracking methods listed. CeWL is a wordlist or dictionary generator and isn't a password cracker.

Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks? A. Browser-based input validation B. Input whitelisting C. Input blacklisting D. Signature detection

B. Input whitelisting approaches define the specific input type or range that users may provide. When developers can write clear business rules defining allowable user input, whitelisting is definitely the most effective way to prevent injection attacks.

Why is JTAG access particularly useful for penetration testers who have physical access to systems? A. It provides unauthenticated remote access. B. JTAG offers debug access directly to memory. C. JTAG is automatically logged in as root. D. JTAG provides detailed system logging.

B. JTAG debugging ports can provide greater visibility into tightly integrated hardware and software solutions, including the ability to access memory directly. This can provide access to encryption keys, passwords, or other capabilities that would otherwise be difficult for penetration testers to access. JTAG access is at a firmware level, rather than as a logged-in user, and does not provide remote access or logging.

After attempting to lure employees at Flamingo, Inc., to fall for a phishing campaign, Jen finds that she hasn't acquired any useful credentials. She decides to try a USB keydrop. Which of the following Social Engineering Toolkit modules should she select to help her succeed? A. The website attack vectors module B. The Infectious Media Generator C. The Mass Mailer Module D. The Teensy USB HID attack module

B. Jen should use the infectious media generator tool, which is designed to create thumb drives and other media that can be dropped on site for employees to pick up. The Teensy USB HID attack module may be a tempting answer, but it is designed to make a Teensy (a tiny computer much like an Arduino) act like a keyboard or other human interface device rather than to create infected media. Creating a website attack or a mass mailer attack isn't part of a USB keydrop.

Charles wants to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose? A. WiFite B. Kismet C. Aircrack-ng D. SnortiFi

B. Kismet is specifically designed to act as a wireless IDS in addition to its other wireless packet capture features. WiFite is designed for wireless network auditing, Aircrack provides a variety of attack tools in addition to its capture and injection capabilities for wireless traf-fic. SnortiFi was made up for this question.

Allan wants to gain access to a target company's premises but discovers that his original idea of jumping the fence probably isn't practical. Which factor is least likely to prevent him from trying to jump the fence? A. Barbed wire B. A gate C. Fence height D. Security guards

B. Organizations often attempt to decrease the likelihood of fence jumping by installing barbed wire, increasing the fence height, and using security guards or guard dogs. A gate does nothing to decrease the probability of fence jumping, and it may provide a means of entry for a good social engineer who isn't willing to climb over a tall barbed wire-equipped fence while a guard dog chases her!

What type of credential used in Kerberos is often referred to as the "golden ticket" because of its potential for widespread reuse? A. Session ticket B. Ticket granting ticket C. Service ticket D. User ticket

B. TGTs are incredibly valuable and can be created with extended life spans. When attack-ers succeed in acquiring TGTs, the TGTs are often called "golden tickets" because they allow complete access to the Kerberos-connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.

What comparison operator tests to see if one number is greater than or equal to another number in Bash? A. -gt B. -ge C. > D. >=

B. The -ge operator tests whether one value is greater than or equal to another value in Bash and PowerShell, while the -gt operator tests whether one value is strictly greater than the other. The >= and > operators are used in Ruby and Python for the same purposes.

Scott wants to crawl his penetration testing target's website and then build a wordlist using the data he recovers to help with his password cracking efforts. Which of the following tools should he use? A. DirBuster B. CeWL C. OLLY D. Grep-o-matic

B. The Customer Wordlist Generator, or CeWL, is a tool designed to spider a website and then build a wordlist using the files and web pages that it finds. The wordlist can then be used to help with password cracking.

Where are the LSA Secrets stored on a Windows system? A. The $System folder B. The Registry C. The System32 folder D. They are only stored on an Active Directory controller.

B. The LSA secrets Registry location on Windows systems is found at HKEY_LOCAL_ MACHINE/Security/Policy/Secrets. It contains the password of the logged-in user in an encrypted form, but the password is stored in the Policy key!

Jessica wants to list the domain password policy for a Windows domain. What net com-mand can she use to do this? A. net view /domainpolicy B. net accounts /domain C. net /viewpolicy D. net domain /admin

B. The Windows net commands can display a wealth of information about a local domain, and the password policy can be reviewed by using the net accounts /domain command.

Charleen wants to attempt a kerberoasting attack. What should her first step be to accom-plish this attack? A. Identify the domain's Kerberos server IP address. B. Retrieve SPN values. C. Capture NTLM hashes from the wire. D. Extract service tickets from memory.

B. The first step in a kerberoasting attack is to scan for Active Directory accounts with ser-vice principal names (SPNs) set. Next, she should request service tickets using the SPNs and then extract the service tickets. Once she has the tickets, she can conduct an offline brute-force attack against them to recover the passwords used to encrypt the tickets.

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain to ensure that her attack will be successful? A. Session ticket B. Session cookie C. Username D. User password

B. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user's session cookie, she can use that cookie to impersonate the user's browser and hijack the authenticated session.

Norm is performing a penetration test of a web application and would like to manipulate the input sent to the application before it leaves his browser. Which one of the following tools would assist him with this task? A. AFL B. ZAP C. GDB D. DOM

B. ZAP is an interception proxy developed by the Open Web Application Security Project (OWASP). Users of ZAP can intercept requests sent from any web browser and alter them before passing them to the web server.

Use the following scenario for questions 2, 3, and 4. Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass? A. A software client-based system B. A DHCP proxy C. A MAC address filter D. None of the above

C. If the NAC system relies only on MAC filtering, Chris only needs to determine the hard-ware address of a trusted system. This may be accessible simply by looking at a label on a laptop or desktop, or he may be able to obtain it via social engineering or technical methods.

Which one of the following PowerShell execution policies allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher? A. Bypass B. Unrestricted C. RemoteSigned D. AllSigned

C. The RemoteSigned policy allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher.

What occurs during a quid pro quo social engineering attempt? A. The target is offered money. B. The target is asked for money. C. The target is made to feel indebted. D. The penetration tester is made to feel indebted.

C. A quid pro quo attempt relies on the social engineer offering something of perceived value so that the target will feel indebted to them. The target is then asked to perform an action or otherwise do what the penetration tester wants them to do.

For what type of activity would you use the tools HULK, LOIC, HOIC, and SlowLoris? A. DDoS B. SMB hash capture C. DoS D. Brute-force SSH

C. All of these tools are denial of service tools. While some of them have been used for DDoS attacks, they are not DDoS tools on their own.

What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices? A. Bluesnarfing B. Bluesniping C. Bluejacking D. Bluesending

C. Bluejacking is an attack technique that attempts to send unsolicited messages via Blue-tooth. Bluesnarfing attempts to steal information, while Bluesniping is a term for long-distance Bluetooth attacks. Bluesending is not a common term used for Bluetooth attacks at the time of the publication of this book.

After compromising a remote host, Cameron uses ssh to connect to port 4444 from his penetration testing workstation. What type of remote shell has he set up? A. A reverse shell B. A root shell C. A bind shell D. A blind shell

C. Cameron has set up a bind shell, which connects a shell to a service port. A reverse shell would have initiated a connection from the compromised host to his penetration test-ing workstation (or another system Cameron has access to). The question does not provide enough information to determine if the shell might be a root shell, and blind shell is not a common penetration testing term.

What vulnerability should Charles target if he discovers a service with the following line in its system invocation? Pathvariable = "C:\Program Files\Common Files\exampleapp\example.exe" A. DLL hijacking B. Writeable service C. Modified plain text D. Unquoted service path

C. Developers often inadvertently leave out quotes or forget to escape quotes properly, allowing penetration testers to insert programs in the path that will execute instead of the desired service. Charles should place his own program in the path and then attempt to cause the service or system to restart, replacing the running legitimate service with his own

Ben wants to conduct a DLL hijacking attack. Which directory will Windows search first for a DLL if it does not have a specific known location for it? A. The Windows directory B. The Windows system directory C. The directory the application is in D. The current directory

C. In order, Windows will search the directory the application is in, the current directory, the Windows system directory, the Windows directory, and then directories listed in the PATH variable for DLLs if it does not have a specific file location listed for it.

Joe's adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request http://www.mycompany.com/../../../etc/passwd What type of attack was most likely attempted? A. SQL injection B. Session hijacking C. Directory traversal D. File upload

C. In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server's root directory and access the /etc/passwd file on the server.

What is required for Jason to conduct a cold-boot attack against a system? A. Remote access B. Temperatures below 32 degrees Celsius C. Physical access D. The system must have been off for more than 30 minutes

C. Jason needs physical access to the system. Some cold-boot attacks do take advantage of very low temperatures to provide a longer window of time in which data can be recovered from memory modules, but physical access is absolutely required.

Steve inadvertently sets off an alarm and is discovered by a security guard during an on-site penetration test. What should his first response be? A. Call the police B. Attempt to escape C. Provide his pretext D. Call his organizational contact

C. Once a penetration tester is caught, their first response should be to provide their pre-text. A successful social engineering attempt at this point can salvage the penetration test attempt. If that doesn't work, calling the organizational contact for a "get out of jail free" response may be the only option in a difficult situation.

Elle has placed her workstation as the man in the middle, shown in the following image. What does she need to send at point X to ensure that the downgrade attack works properly? [Picture] A. SYN, ACK B. PSH, URG C. FIN, ACK D. SYN, FIN

C. Sending FIN and ACK while impersonating the target workstation will cause the con-nection to close. This will cause the target to attempt to establish a less secure connection if supported.

Alexa carefully pays attention to an employee as they type in their entry code to her target organization's high security area and writes down the code that she observes. What type of attack has she conducted? A. A Setec Astronomy attack B. Code surveillance C. Shoulder surfing D. Keypad capture

C. Shoulder surfing takes many forms, including watching as an employee types in an entry access code. Setec Astronomy is a reference to the excellent hacking movie Sneakers, while both code surveillance and keypad capture were made up for this question.

Which social engineering motivation technique relies on persuading the target that other people have behaved similarly and thus that they could too? A. Likeness B. Fear C. Social proof D. Reciprocation

C. Social proof relies on persuading an individual that they can behave in a way similar to what they believe others have. A social proof scenario might involve explaining to the target that sharing passwords was commonly done among employees in a specific circumstance or that it was common practice to let other staff in through a secure door without an ID.

What value would be used to encode an ampersand in a URL string? A. %24 B. %25 C. %26 D. %27

C. The %26 value is used to URL-encode ampersands using the percent encoding scheme.

What comparison operator tests for equality in Ruby? A. -eq B. -ne C. == D. !=

C. The == operator tests for equality in Ruby and Python, while the != operator tests for inequality in those languages. The -eq operator tests for equality in Bash and PowerShell, while the -ne operator tests for inequality in those languages.

Jacob runs ls -l on a file and sees the following listing. What does he know about chsh? -rwsr-xr-x 1 root root 40432 Sep 27 2017 chsh A. It can be used for privilege escalation. B. It allows a reverse shell. C. It is a SUID executable. D. None of the above.

C. The letter s in -rwsr-xr-x indicates that this is a Set User ID (SUID) binary that allows the file to be executed with the permissions of its owner. Here, the owner and group is root, so this file isn't likely to be useful for privilege escalation, and it isn't a tool that can be used to allow a reverse shell.

Which one of the following attacks is an example of a race condition exploitation? A. XSRF B. XSS C. TOCTTOU D. SQLi

C. The time-of-check-to-time-of-use (TOCTTOU or TOC/TOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

While Angela is conducting a penetration test, she gains access to a Windows Deployment Services server for her target organization. What critical information can she expect to obtain from the unattended installation files she finds there? A. Domain administrator passwords B. Local user passwords C. Local administrator passwords D. Domain user passwords

C. The unattended installation files include local administrator passwords stored in either plain text or Base-64 form. Angela can easily acquire the passwords from those files using Metasploit's enum_unattend tool or manually if she chooses to.

During a penetration test, Bonnie discovers in a web server log that the testers attempted to access the following URL: http://www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe What type of attack did they most likely attempt? A. Reflected XSS B. Persistent XSS C. Local file inclusion D. Remote file inclusion

C. This URL contains the address of a local file passed to a web application as an argu-ment. It is most likely a local file inclusion exploit, attempting to execute a malicious file that the testers previously uploaded to the server.

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted? A. Cross-site scripting B. Session hijacking C. Parameter pollution D. Man-in-the-middle

C. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

Charleen has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, she doesn't know which systems on the network may accept the hash. What tool could she use to help her conduct this test? A. Hashcat B. smbclient C. Hydra D. None of the above

C. This situation calls for a tool that handles attacks against many machines effectively. Fortunately, Hydra is designed to do just that and includes support for NTLM hashes as a password—in fact, Medusa does too! Hashcat is a password cracking and recovery tool, while smbclient is a legitimate SMB client tool and isn't designed to conduct a network-wide test for pass-the-hash exploitability.

Analyze the following segment of code: for hst in range(0,256): ip= net + str(hst) print(ip, ': ', socket.gethostbyaddr(ip), '\n') In what language is this code written? A. Ruby B. PowerShell C. Python D. Bash

C. Use the flowchart in Figure 11.2 to answer this question. The code contains colons, so it is written in Python.

What type of attack depends upon the fact that users are often logged into many websites simultaneously in the same browser? A. SQL injection B. Cross-site scripting C. Cross-site request forgery D. File inclusion

C. XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.

Andrew knows that the employees at his target company frequently visit a football discus-sion site popular in the local area. As part of his penetration testing, he successfully places malware on the site and takes over multiple PCs belonging to employees. What type of attack has he used? A. A PWNie attack B. A watercooler attack C. A clone attack D. A watering hole attack

D. Andrew has used a watering hole attack, but he has also made what might be a criti-cal mistake. Placing malware on a third-party site accessed by many in the local area (or beyond!) is likely beyond the scope of his engagement and is likely illegal. A better plan would have been to target a resource owned and operated by the company itself and accessed only by internal staff members.

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser? A. Reflected XSS B. Stored XSS C. Persistent XSS D. DOM-based XSS

D. DOM-based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.

What type of wireless attack focuses on tricking clients into using less secure protocols? A. A downfall attack B. A false negotiation attack C. A chutes and ladders attack D. A downgrade attack

D. Downgrade attacks work by causing the client and server or AP to negotiate to use a less-secure protocol. This may allow the attacker to more easily crack the encryption or other protection mechanisms used to secure traffic.

Emily wants to gather information about an organization, but does not want to enter the building. What physical data gathering technique can she use to potentially gather business documents without entering the building? A. Piggybacking B. File surfing C. USB drops D. Dumpster diving

D. Emily can try dumpster diving. An organization's trash can be a treasure trove of infor-mation about the organization, its staff, and its current operations based on the documents and files that are thrown away. She might even discover entire PCs or discarded media!

During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting? A. RFID tagging B. Tag nesting C. Meta tagging D. VLAN hopping

D. Mike is using nested tags inside a packet to attempt to hop VLANs. If he is successful, his packets will be delivered to the target system, but he will not see any response.

Which of the following technologies is most resistant to badge cloning attacks if imple-mented properly? A. Low frequency RFID B. Magstripes C. Medium frequency RFID D. Smart cards

D. Most organizations continue to use RFID or magnetic stripe technology for entry access cards, making a penetration tester's job easier, since both technologies can be cloned. Smart cards are far more difficult to clone if implemented properly.

Selah wants to use a brute-force attack against the SSH service provided by one of her tar-gets. Which of the following tools is not designed to brute-force services like this? A. Patator B. Hydra C. Medusa D. Minotaur

D. Patator, Hydra, and Medusa are all useful brute-forcing tools. Minotaur may be a great name for a penetration testing tool, but the authors of this book aren't aware of any tool named Minotaur that is used by penetration testers!

Tina is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials? A. Social engineering B. Default account lists C. Password dumps from compromised sites D. All of the above

D. Penetration testers may use a wide variety of sources when seeking to gain access to individual user accounts. These may include conducting social engineering attacks against individual users, obtaining password dumps from previously compromised sites, obtaining default account lists, and conducting password cracking attacks.

Which one of the following programming languages does not offer a built-in robust error-handling capability? A. PowerShell B. Python C. Ruby D. Bash

D. PowerShell, Python, and Ruby all support variants of the try..catch clause. Bash does not provide a built-in error handling capability.

Which one of the following statements does not correctly describe the Ruby programming language? A. It is a general-purpose programming language. B. It is an interpreted language. C. It uses scripts. D. It is a compiled language.

D. Ruby is a general-purpose programming language. It is an interpreted language that uses scripts rather than a compiled language that uses source code to generate executable files.

What attack technique can allow the pen-tester visibility into traffic on VLANs other than their native VLAN? A. MAC spoofing B. Dot1q spoofing C. ARP spoofing D. Switch spoofing

D. Switch spoofing relies on a switch interface that is configured as either dynamic desir-able, dynamic auto, or trunk mode, allowing an attacker to generate dynamic trunk proto-col messages. The attacker can then access traffic from all VLANs.

Susan wants to use a web application vulnerability scanner to help map an organization's web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs? A. Paros B. CUSpider C. Patator D. w3af

D. The Web Application Attack and Audit Framework (w3af) is a web application testing and exploit tool that can spider the site and test applications and other security issues that may exist there. The Paros proxy is an excellent web proxy tool often used by web applica-tion testers, but it isn't a full-fledged testing suite like w3af. CUSpider and other versions of Spider are tools used to find sensitive data on systems, and Patator is a brute-force tool.

What is the default read-only community string for many SNMP devices? A. secret B. readonly C. private D. public

D. The default read-only community string for many devices is set to public. The typical best practice is to change all community strings on devices to prevent them from being que-ried without permission.

What Unix command can you use to listen for input on a network port? A. grep B. sed C. awk D. nc

D. The nc command allows you to open a network port for listening and then direct the input received on that port to a file or executable.

What is the limit to the number of elsif clauses in a Ruby script? A. 1 B. 2 C. 10 D. No limit

D. There is no limit to the number of elsif clauses that may be included in a Ruby script.

Sherry is concerned that a web application in her organization supports unvalidated redi-rects. Which one of the following approaches would minimize the risk of this attack? A. Requiring HTTPS B. Encrypting session cookies C. Implementing multifactor authentication D. Restricting redirects to her domain

D. Unvalidated redirects instruct a web application to direct users to an arbitrary site at the conclusion of their transaction. This approach is quite dangerous because it allows an attacker to send users to a malicious site through a legitimate site that they trust. Sherry should restrict redirects so that they only occur within her trusted domain(s).

Analyze the following segment of code: if [ $weekday==1 ] then /usr/local/bin/nmap 192.168.1.1 elif [ $weekday==3 ] then /usr/local/bin/nmap 192.168.1.2 else /usr/local/bin/nmap 192.168.1.0/24 fi In what language is this code written? A. Ruby B. PowerShell C. Python D. Bash

D. Use the flowchart in Figure 11.1 to answer this question. The code contains an fi state-ment, so it is written in Bash.

Examine the following network diagram. What is the most appropriate location for a web application firewall (WAF) on this network? [Picture] A. Location A B. Location B C. Location C D. Location D

D. Web application firewalls must be placed in front of web servers. This requirement rules out location C as an option. The next consideration is placing the WAF so that it can filter all traffic headed for the web server but sees a minimum amount of extraneous traffic. This makes location D the best option for placing a WAF

Which one of the following commands will allow the file owner to execute a Bash script? A. chmod o+e script.sh B. chmod o+x script.sh C. chmod u+e script.sh D. chmod u+x script.sh

D. You must set the user (owner) bit to execute (x) to allow the execution of a Bash script. The chmod u+x command performs this task.