CompTIA Pentest+
How many stages in a cyber attack? What are the stages?
5 stages: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks.
How many stages in a Pen Test? What are the stages?
8 stages: Planning, Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks, Analysis, and Reporting.
What is the CHECK Framework?
A UK pen testing scheme, run by the NCSC, that ensures government agencies and public-sector bodies can contract certified companies to test their networks and other systems for vulnerabilities affecting confidentiality, integrity, or availability.
What is CeWL?
A Ruby app that spiders a website and extracts the words found on its pages (and optionally e-mail addresses and document metadata) into a wordlist that can be fed to password crackers.
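The core of what CeWL does, as an added Python example that is not CeWL's own code: strip a page down to its visible text (plus meta description/keywords, which CeWL's metadata option also harvests), tokenize it, apply a minimum length, drop words containing digits unless asked to keep them, and rank by frequency. The HTML page, the company name, and the e-mail addresses are constructed sample input; a real run would fetch pages over HTTP.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: stands in for the HTML CeWL would fetch while spidering a site.
SAMPLE_HTML = """
<html><head><title>Acme Widgets - Corporate Intranet</title>
<meta name="description" content="Acme Widgets builds WidgetPro and WidgetMax hardware">
</head><body>
<h1>Welcome to Acme Widgets</h1>
<p>Our flagship product WidgetPro shipped in 2019. Contact support@acme-widgets.example
or admin@acme-widgets.example for help. Project codenames: Phoenix, Phoenix2, Thunderbolt.</p>
<script>var x = "ignored javascript text";</script>
<a href="/about">About Acme</a>
</body></html>
"""


class TextExtractor(HTMLParser):
    """Collects visible text and meta content, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "meta":
            # description/keywords metadata is a good source of internal product names
            a = dict(attrs)
            if a.get("name") in ("description", "keywords") and a.get("content"):
                self.chunks.append(a["content"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_wordlist(html, min_len=3, lowercase=False, with_numbers=False):
    """Return (words, emails).

    words is a list of (word, count) tuples sorted by descending frequency,
    the way CeWL's -c/--count output is ordered. Defaults mirror CeWL:
    minimum length 3, case preserved, words containing digits dropped.
    """
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    emails = sorted(set(EMAIL_RE.findall(text)))
    counts = Counter()
    for w in WORD_RE.findall(text):
        if not with_numbers and any(ch.isdigit() for ch in w):
            continue
        if len(w) < min_len:
            continue
        counts[w.lower() if lowercase else w] += 1
    words = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return words, emails


if __name__ == "__main__":
    words, emails = build_wordlist(SAMPLE_HTML, min_len=5)
    for word, n in words:
        print(f"{n}\t{word}")
    print("emails:", ", ".join(emails))
```

Product names, codenames, and the company name rank highest, which is exactly why a site-specific wordlist cracks passwords that a generic list misses. Feed the output to the cracker's rule engine (capitalization, appended years and digits) rather than using the bare words.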
What is an XSD file?
A document that defines the structure and data types for an XML schema.
What are Rules of Engagement?
A document, or section of a document, that outlines how the pen test is to be conducted. It covers things like the timeline, the location of the test team, temporal restrictions (when testing may take place), transparency of testing (who in the organization is told about it), and test boundaries.
What is Responder?
An LLMNR, NBT-NS, and mDNS poisoner and rogue authentication server. It answers name-resolution queries for names the real DNS could not resolve, pointing the victim at the attacker, and then runs fake HTTP, SMB, MSSQL, FTP, LDAP, POP3, IMAP, and SMTP servers to capture NetNTLM hashes and cleartext credentials. Captured hashes can be cracked offline or relayed to other hosts.
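The LLMNR half of that attack at the packet level, as an added example that is not Responder's code: when a Windows host cannot resolve a name through DNS it multicasts an LLMNR query to 224.0.0.252:5355, and any host on the segment may answer it. LLMNR (RFC 4795) reuses the DNS wire format, so the block hand-builds the query a victim would send and the poisoned A-record reply a poisoner returns, then parses the reply to show the victim now believes the attacker owns the name. The name FILESRV01 and the attacker address 10.0.0.66 are constructed; nothing is sent on the network.

```python
import socket
import struct

LLMNR_MCAST = ("224.0.0.252", 5355)  # where victims multicast queries (reference only; not used to send)


def encode_name(name):
    """DNS-style label encoding: b'\\x09FILESRV01\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, offset):
    """Decode labels starting at offset; returns (name, offset_after_name)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(name, txid, qtype=1):
    """What a Windows host multicasts for an unresolved name (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class 1 = IN


def parse_llmnr_query(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not an LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query_pkt, attacker_ip, ttl=30):
    """The poisoner's reply: same transaction id, QR bit set, and an A record
    claiming attacker_ip for whatever name was asked. A poisoner answers every
    query it sees; it never checks whether the name exists."""
    q = parse_llmnr_query(query_pkt)
    if q["qtype"] != 1:
        raise ValueError("this example only answers A queries")
    qname = encode_name(q["name"])
    header = struct.pack("!HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def parse_llmnr_response(pkt):
    """Decode the first answer of an LLMNR response (what the victim's resolver does)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    _, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    rname, off = decode_name(pkt, off)
    rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(pkt[off:off + rdlen])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": an,
            "name": rname, "type": rtype, "ttl": rttl, "ip": ip}


if __name__ == "__main__":
    query = build_llmnr_query("FILESRV01", txid=0x1234)      # constructed victim query
    reply = build_poisoned_response(query, "10.0.0.66")      # constructed attacker address
    print(parse_llmnr_query(query))
    print(parse_llmnr_response(reply))
```

Because nothing in the protocol authenticates the answer, the victim then connects to 10.0.0.66 and, for SMB or HTTP, offers its NetNTLM credentials to the rogue server. The practical defence is to disable LLMNR and NBT-NS by Group Policy, which is also why a tester should record whether these queries were seen on the segment at all.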
What is a SOAP project file?
A project file (for example a SoapUI project) that enables you to test SOAP-based web services. These files are generated from the information in a WSDL file or a live service.
What is the Open Web Application Security Project (OWASP) Framework?
A framework that provides pen testing and other testing techniques for each part of the software development lifecycle.
What is THC-Hydra?
A free, parallelized online login cracker that brute-forces network services (SSH, FTP, HTTP forms, SMB, RDP, and many others) using username and password lists.
What is hping?
A free packet generator and analyzer for TCP/IP networks.
What is Cain & Abel?
A free password recovery tool for Windows that combines sniffing, ARP poisoning, and hash cracking. Often flagged as malware by antivirus software.
What is John the Ripper?
A free offline password cracker that recovers passwords from hash dumps (Unix, Windows, and many application formats) using dictionary, rule-based, and incremental (brute-force) modes.
What is HashCat?
A free offline password cracker that uses GPUs for speed. Supports a wide array of hash algorithms and attack modes (dictionary, rules, masks, combinator) and claims to be the fastest recovery tool available.
What is Burp Suite?
An intercepting proxy that sits between the browser and the target, allowing testers to capture, analyze, replay, and manipulate HTTP(S) traffic.
What is the Open Source Security Testing Methodology Manual (OSSTMM)?
A peer-reviewed guide to security testing and analysis that enables you to tighten up operational security.
What is Maltego?
A proprietary software tool that assists with gathering OSINT and with forensics by analyzing relationships between people, groups, websites, domains, networks, and applications.
What is Nessus?
A proprietary vulnerability scanner developed by Tenable. Scans for vulnerabilities, misconfigurations, default passwords, and susceptibility to DoS attacks.
What is WhoIS?
A protocol for querying the databases that store the registered users or assignees of an Internet resource such as a domain name or IP block.
What is OLLYDBG?
A user-mode debugger for 32-bit Windows applications, used to analyze and reverse-engineer binaries.
What is Immunity Debugger?
A reverse-engineering debugger for Windows that includes both a command-line and a GUI interface. Exposes a Python API, so Python scripts can be loaded and modified at runtime.
What is WiFi-Pumpkin?
A rogue wireless access point and MITM tool used to snoop traffic and harvest credentials.
What is Censys?
A search engine that indexes Internet-connected hosts, their exposed services, and TLS certificates.
What is Shodan?
A search engine that indexes Internet-connected devices by the service banners they expose.
What is Drozer?
A security testing framework for Android apps and devices.
What is PowerSploit?
A series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios.
What is Aircrack-ng?
A suite of wireless tools that can sniff and attack wireless connections.
What is NIST SP 800-115?
A technical guide that provides practical recommendations for designing, implementing, and maintaining pen test processes and procedures.
What is SearchSploit?
A tool that enables you to search the Exploit Database archive.
What is theHarvester?
A tool that gathers information from publicly available sources.
What is Recon-ng?
A modular web reconnaissance framework written in Python. Its library of over 80 modules automates OSINT collection.
What is WiFite?
A wireless auditing tool that can attack multiple WEP-, WPA-, and WPS-enabled networks in a row.
What is AFL?
American Fuzzy Lop. An open-source coverage-guided fuzzer (a DAST tool) that feeds mutated inputs to a program to find bugs and possible security vulnerabilities.
What is Kismet?
An 802.11 Layer 2 network detector, sniffer, and IDS. Can be used to monitor wireless activity, identify device types, and capture raw packets.
What is Point-In-Time Assessment?
An assessment that has an extremely limited life cycle or shelf life.
What is a Threat Actor?
An entity that is partially or wholly responsible for an incident that affects or can affect an organization's security.
What is SonarQube?
An open-source SAST platform that continuously inspects code quality to help discover bugs and security vulnerabilities.
What is NCat?
An open-source command-line tool for reading, writing, redirecting, and encrypting data across a network. Developed as an improved version of NetCat.
What is WireShark?
An open-source network protocol analyzer. Can be used to sniff traffic, re-create entire TCP sessions, and capture copies of files transmitted on the network.
What is Nmap?
An open-source network scanning tool used for network discovery and auditing.
What is NetCat?
An open-source networking utility for reading and writing raw TCP/UDP connections, used for debugging and investigating the network.
What is FindSecBugs?
An open-source plugin for FindBugs/SpotBugs that detects security issues in Java web applications.
What is FindBugs?
An open-source static code analyzer tool that detects possible bugs in Java programs.
What is Mimikatz?
An open-source tool that extracts credential material (plaintext passwords, NTLM hashes, Kerberos tickets) from memory on Microsoft Windows systems and supports pass-the-hash and pass-the-ticket attacks.
What is Nikto?
An open-source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems that occur with some web server software versions.
What is APKX?
apkx. A Python wrapper around dex-to-jar converters and Java decompilers, used to decompile Android APK (Android Package Kit) files.
What is SDK documentation?
Documentation for a collection of development tools that support the creation of applications for a certain platform.
What is FOCA?
Fingerprinting Organizations with Collected Archives. A network infrastructure mapping tool that analyzes metadata from many file types (Office documents, PDFs, and others) to enumerate users, folders, software, and OS information.
What is GDB?
GNU Project Debugger. An open-source debugger used for reverse engineering that works on most Unix variants, Windows, and macOS.
What happens in the Planning Phase of a Pen Test?
General planning, which can also include identifying the scope, documenting logistical details, and other preliminary activities that need to occur before the start of the pen test.
What happens in the Scanning Phase of a Pen Test?
Generally a bit more in-depth than the Reconnaissance phase. This is where vulnerability assessments take place using static and dynamic scanning tools.
What are Compliance-based assessments?
Government or industry required tests based on established compliance frameworks.
What are ICSs?
Industrial Control Systems. Networked systems that control critical infrastructure such as water, electrical, transportation, and telecommunication services.
What is IDA?
Interactive Disassembler. A reverse-engineering tool that turns machine code into assembly listings (and, with the Hex-Rays decompiler, into C-like pseudocode) for Windows, macOS, and Linux applications.
What is an MSA?
Master Service Agreement. An agreement that establishes precedence and guidelines for any business documents that are executed between two parties. Can be used to cover recurring costs and foreseen additional charges without the need of an additional contract.
What is Peach?
Peach Tech offers several dynamic application security testing products built around the Peach Fuzzer.
What happens in the Analysis Phase of a Pen Test?
Pen testers gather the information collected, identify root causes for any vulnerabilities detected, and develop recommendations for mitigations.
What is SANS's Pen Test Process?
Planning and prep, info gathering and analysis, vulnerability detection, penetration attempt, analysis and reporting, and cleaning up.
What is CompTIA's Pen Test Process?
Planning and scoping, info gathering and vulnerability identification, exploit vulns, perform post-exploit techniques, analyze tool output, and reporting.
What is NIST's Pen Test Process?
Planning, Execution, and Post-Execution
What is Empire?
PowerShell Empire. A post-exploitation framework for Windows devices. Allows the attacker to run PowerShell agents without needing powershell.exe.
What is PTES's Pen Test process?
Pre-engagement activities, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post exploitation, and reporting.
What are Goal-based or Objective-based assessments?
Provides focus points for the pen test by giving the testers specific targets to acquire. This can mimic attacks launched by malicious actors.
What are RTOSs?
Real-Time Operating Systems. A specialized operating system that features a predictable and consistent process scheduler.
What is SSH?
Secure Shell. A program that enables a user or application to log on to another device over an encrypted connection.
What is SET?
Social Engineer Toolkit. An open-source pen testing framework that supports the use of social engineering to penetrate a network or system.
What happens in the Maintaining Access Phase of a Pen Test?
The Pen Testers install mechanisms allowing them to continue to access the system/network. This phase also includes reaching deeper into the network by accessing other systems.
What is a Swagger document?
The REST API equivalent of a WSDL document: a machine-readable (OpenAPI) description of an API's endpoints, parameters, request bodies, and security requirements.
What happens in the Reporting Phase of a Pen Test?
The information from the testing and analysis phases is communicated to the stakeholders. Most reports include: vulnerabilities detected and exploited, sensitive data accessed, how long the tester had access, and suggestions to counteract the vulnerabilities.
What is Vulnerability Assessment?
The practice of evaluating a computer system, network, or application to identify potential weaknesses.
What happens in the Gaining Access Phase of a Pen Test?
This is where the actual exploit begins. By applying the info gained by reconnaissance and scanning to begin to attack the target systems.
What is Penetration testing?
Exploiting vulnerabilities and producing evidence of success as part of the report.
What is the key difference between vulnerability assessments & penetration testing?
Validation. A vulnerability assessment lists potential weaknesses; a penetration test exploits them to prove which are real.
What are Application Containers?
Virtualized environments that are designed to package and run a single computing application or service that can share the same host kernel.
What are Architectural diagrams?
Visual representations of an application's architecture.
What is W3AF?
Web Application Attack and Audit Framework. A Python tool that tries to identify and exploit web application vulnerabilities.
What are WSDL/WADL?
Web Services Description Language and Web Application Description Language. XML files that describe SOAP-based or RESTful web services.
What is WinDBG?
Windows Debugger. A free debugging tool created and distributed by Microsoft for Windows Operating Systems.
What is YASCA?
Yet Another Source Code Analyzer. An open-source SAST program that inspects source code for security vulns, code quality, and performance.
What is nslookup?
A command-line utility, available on Windows, Linux, and macOS, that queries DNS and displays domain name to IP address mappings.
What is Patator?
A multi-purpose, modular brute-force tool written in Python that supports many protocols and formats.
What is DirBuster?
A brute force tool that exposes directories and file names on web and application servers.
What is Impacket?
A collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, LDAP, and others) at the packet level. Ships with tools such as psexec.py, secretsdump.py, and ntlmrelayx.py.
What is the MetaSploit Framework?
A command-line based pen testing framework developed by Rapid7. Enables you to find, exploit, and validate vulnerabilities.
What are ProxyChains?
A command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers.
What is Medusa?
A free command-line password cracking tool often used in brute-force attacks on remote authentication services. Specializes in parallel attacks, with the ability to test around 2000 passwords per minute.
What is a Fragile System?
A computer or other system that is inherently unstable and has a tendency to crash. Or a system that needs to run an older unpatched version of an OS to support legacy applications.
What is APK Studio?
A cross-platform IDE for reverse engineering Android applications.
What is the Penetration Testing Execution Standard (PTES)?
A document for providing a basic lexicon and guidelines for performing pen tests. The PTES is the general standard, while the PTES Technical Guide is more detailed.
What is BeEF?
Browser Exploitation Framework. A pen test tool that focuses on web browsers: it hooks a victim's browser (typically through an XSS payload) and uses that foothold to launch further attacks against the user and the website.
What are Embedded Systems?
Computer hardware and software that have a specific function within a larger system. Such as a home appliance or an industrial machine.
What happens in the Covering Tracks Phase of a Pen Test?
Concentrates on obliterating evidence that proves an exploit occurred. Generally consists of two facets: avoiding real-time response efforts, and avoiding post-exploit forensic liability.
What is an NDA?
Non-Disclosure Agreement. A document that stipulates the parties will not share confidential information, knowledge, or materials with unauthorized 3rd parties.
What is OpenVAS?
Open Vulnerability Assessment System. An open-source software framework for vulnerability scanning and management.
What is OWASP ZAP?
Open Web Application Security Project Zed Attack Proxy. An open-source web application security scanner.
What is a SOW?
Statement of Work. A business document that defines the highest level of expectations for a contractual agreement.
What are SCADA systems?
Supervisory Control and Data Acquisition. ICSs that send and receive remote-control signals to and from embedded systems.
What are Sample Application Requests?
Test code or code snippets. Can assist pen testers in gaining access to resources.
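One way to turn a Swagger/OpenAPI document (the REST equivalent of WSDL described earlier) into sample requests and a first list of findings, as an added Python example that is not part of this page's source material or any tool's code. It walks the paths in the spec, fills path and query parameters with placeholder values based on their schema, builds a JSON body where the operation declares one, and flags two things a tester looks for first: operations whose security is explicitly empty (no authentication required) and object-by-id operations that are IDOR candidates. The spec, the hostname api.acme-widgets.example, and the endpoints are constructed.

```python
import json
from urllib.parse import urlencode

# Constructed OpenAPI 3 document, standing in for what /swagger.json or /openapi.json returns.
SPEC_JSON = r'''
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.acme-widgets.example/v1"}],
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/login": {"post": {"security": [],
      "requestBody": {"content": {"application/json": {"schema": {"type": "object",
        "properties": {"username": {"type": "string"}, "password": {"type": "string"}}}}}}}},
    "/users/{userId}": {
      "parameters": [{"name": "userId", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"summary": "Fetch a user"},
      "delete": {"summary": "Delete a user", "security": []}
    },
    "/reports": {"get": {"parameters": [
      {"name": "from", "in": "query", "schema": {"type": "string", "format": "date"}},
      {"name": "format", "in": "query", "schema": {"type": "string", "enum": ["pdf", "csv"]}}]}}
  }
}
'''
SPEC = json.loads(SPEC_JSON)

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def sample_value(schema):
    """Placeholder value of the right type for a JSON schema fragment."""
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "string")
    if t == "integer":
        return 1
    if t == "number":
        return 1.0
    if t == "boolean":
        return True
    if t == "array":
        return [sample_value(schema.get("items", {}))]
    if t == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    return "2024-01-01" if schema.get("format") == "date" else "test"


def enumerate_operations(spec):
    """One record per method+path: a ready-to-send sample request plus the facts a tester triages on."""
    ops = []
    base = spec.get("servers", [{"url": ""}])[0]["url"]
    global_security = spec.get("security", [])
    for path, item in spec["paths"].items():
        shared_params = item.get("parameters", [])        # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared_params + op.get("parameters", [])
            security = op.get("security", global_security)  # an explicit [] overrides the global requirement
            url = base + path
            query = {}
            for p in params:
                value = sample_value(p.get("schema", {}))
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
            if query:
                url += "?" + urlencode(query)
            body_schema = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
            ops.append({
                "method": method.upper(), "path": path, "url": url,
                "authenticated": bool(security),
                "path_params": [p["name"] for p in params if p["in"] == "path"],
                "body": sample_value(body_schema) if body_schema else None,
            })
    return ops


def find_unauthenticated(ops):
    """Operations that declare no security requirement at all."""
    return [o for o in ops if not o["authenticated"]]


def find_idor_candidates(ops):
    """Operations that act on an object selected by a path parameter; test with another user's id."""
    return [o for o in ops if o["path_params"] and o["method"] in ("GET", "PUT", "PATCH", "DELETE")]


if __name__ == "__main__":
    ops = enumerate_operations(SPEC)
    for o in ops:
        print(f'{o["method"]:6} {o["url"]}  auth={o["authenticated"]}  body={o["body"]}')
    print("unauthenticated:", [(o["method"], o["path"]) for o in find_unauthenticated(ops)])
    print("IDOR candidates:", [(o["method"], o["path"]) for o in find_idor_candidates(ops)])
```

In the constructed spec the DELETE on /users/{userId} is marked security: [] while the GET on the same path inherits the global bearer token requirement; that asymmetry is precisely the kind of thing a generated request list surfaces before any traffic is sent. The sample URLs and bodies can be loaded into Burp or ZAP as a starting point for manual testing.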
What happens in the Reconnaissance Phase of a Pen Test?
Testers gather info about the target organization and systems. This can include both passive and active information gathering techniques.
What are Red Team assessments?
Tests an organization's capabilities by emulating a malicious actor who uses targeted attacks and avoids detection. Functions like an APT.