SEC+ Chapter 4 Vulnerability Scanning and Penetration Testing
While validating a vulnerability, your colleague changes the password of the administrator account on the Windows Server she is examining (as proof of success). This is an example of what type of testing? A. Intrusive testing B. Credentialed testing C. Passive testing D. Security control testing
A. This is an example of intrusive testing. Intrusive testing to validate a vulnerability involves exploiting the vulnerability and then making changes to the tested item to prove the vulnerability is present and exploitable. In this case, changing the administrator password proves your colleague could exploit the vulnerability she found.
Your network traffic logs show a large spike in traffic to your DNS server. Looking at the logs, you see a large number of TCP connection attempts from a single IP address. The destination port of the TCP connections seems to increment by one with each new connection attempt. This is most likely an example of what activity? A. Active reconnaissance B. Passive reconnaissance C. Buffer overflow D. Initial exploitation
A. This is most likely an example of active reconnaissance. This particular traffic would be indicative of a TCP port scanning attempt where the attacker is probing the system for any open TCP ports.
Which of the following is a passive tool? A. Tripwire B. Nmap C. Zenmap D. Nessus
A. Tripwire is the only passive tool listed. Tripwire detects changes to files based on hash values. Nmap and Zenmap are active tools that generate and send packets to systems being examined. Nessus is a vulnerability scanning tool.
What is the main difference between a credentialed and non-credentialed vulnerability scan? A. A credentialed scan is performed by a certified professional. B. A credentialed scan is performed with a valid user ID/password. C. A non-credentialed scan uses passive techniques. D. A non-credentialed scan will identify more vulnerabilities.
B. A credentialed scan is performed with a valid set of user credentials. Credentialed scans are performed with "valid user" access and have the potential to identify vulnerabilities inside an application or environment.
While examining log files on a compromised Linux system, you notice an unprivileged user account was compromised, followed by several processes crashing and restarting, and finally the shadow file was accessed and modified. Which of the following techniques might the attacker have used? A. Active scanning B. Escalation of privilege C. Passive scanning D. Credentialed attack
B. Escalation of privilege is the movement to an account that enables root-level activity. Typically, the attacker uses a normal user account to exploit a vulnerability on a process that is operating at root, enabling the attacker to assume the privileges of the exploited process—at root level. With root-level access, the attacker was able to access and modify the shadow file.
You've been asked to examine a custom web application your company is developing. You will have access to design documents, data structure descriptions, data flow diagrams, and any other details about the application you think would be useful. This is an example of what type of testing? A. Active testing B. White box testing C. Gray box testing D. Active testing
B. This is an example of white box testing. In white box testing, the tester has access to detailed knowledge of the things they are examining, whether it's an application, host, or network.
Which of the following would be an example of initial exploitation? A. Scanning a network using Nmap B. Using a SQL injection attack to successfully bypass a login prompt C. Using cracked credentials to delete customer data D. Installing a backdoor to provide future access if needed
B. Using a SQL injection attack to successfully bypass a login prompt is an example of initial exploitation. The vulnerability was identified and exploited, but no further action was taken. This proves the existence of the vulnerability and demonstrates the risk associated with the vulnerability.
A colleague shows you a scanning report indicating your web server is not vulnerable to the Heartbleed bug. You know this isn't true as you've personally verified that web server is vulnerable. You believe the scanner used to examine your web server is reporting which of the following? A. Common misconfiguration B. False positive C. False negative D. SSL mismatch
C. A false negative is when the scanner fails to report a vulnerability that actually does exist—the scanner simply missed the problem or didn't report it as a problem.
You've been asked to perform an assessment of a new software application. Your client wants you to perform the assessment without providing you any information about how the software was developed or how data is processed by the application. This is an example of what type of testing? A. White box testing B. Passive testing C. Black box testing D. Active testing
C. Black box testing is performed with no knowledge of the internal workings of the software being tested. The application is treated as a "black box"—the tester cannot see what's inside the box.
You are attempting to perform an external vulnerability assessment for a client, but your source IP addresses keep getting blocked every time you attempt to run a vulnerability scan. The client confirms this is "as expected" behavior. You aren't able to scan for vulnerabilities, but you have been able to do which of the following? A. Identify vulnerability controls B. Identify common misconfigurations C. Passively test security controls D. All of the above
C. If your source IP addresses are blocked every time you attempt a vulnerability scan, you've successfully done a passive test of the client's security controls. Your goal was to test for vulnerabilities, but the side effect of your testing validated the client's security controls were working as intended.
What is the primary difference between penetration tests and vulnerability scans? A. Penetration tests use active tools. B. Vulnerability scans are performed from internal and external perspectives. C. Penetration tests exploit discovered vulnerabilities. D. Vulnerability scans never use credentials.
C. Penetration testing is the examination of a system for vulnerabilities that can be exploited. The key is exploitation. There may be vulnerabilities in a system; in fact, one of the early steps in penetration testing is the examination for vulnerabilities, but the differentiation comes in the follow-on steps: the examination of the system in terms of exploitability. Discovered vulnerabilities are exploited during penetration testing.
A colleague calls you to ask for assistance. He is having trouble keeping an attacker out of his network. He tells you no matter what he tries, he can't seem to keep the attacker out of his network and he has no idea how the attacker keeps getting in. This is an example of what kind of attack? A. Gray box attack B. Whack-a-mole attack C. Advanced persistent threat D. Privilege escalation
C. This is most likely persistence efforts from an advanced persistent threat (APT). APTs typically try to avoid detection and employ methods that provide them with continued access to compromised systems.
You've been asked to examine network traffic for evidence of compromise. You have 1 TB of tcpdump logs to review. Which of the following tools would you use to examine these logs? A. Nmap B. Zenmap C. Wireshark D. Nessus
C. Wireshark is a network protocol analyzer used for capturing and examining network traffic. Nmap and Zenmap are port scanners. Nessus is a vulnerability scanner.
While running a vulnerability scanner against a Windows 2016 server, the tool reports the server may be affected by an offset2lib patch vulnerability. You find this odd because the offset2lib patch vulnerability only applies to Linux-based systems. Your vulnerability scanner has most likely reported which of the following? A. System misconfiguration B. Overflow finding C. Actual negative D. False positive
D. A false positive is the erroneous reporting of an issue when none really exists. In this case the scanner incorrectly identified the presence of a Linux-specific vulnerability on a Windows system.
While responding to a security incident, your team examines network traffic logs. You see incoming connections to a web server in the DMZ. Several hours later in the same traffic logs you see connections from the web server to other systems in the DMZ as well as internal systems. This is an example of what type of technique? A. Buffer overflow B. SQL injection C. Passive injection D. Pivoting
D. This is an example of pivoting. Pivoting occurs when an attacker gains access to a system and then uses that system to scan/attack other systems on the same network.