CompTIA PT0-002 PenTest+ / WGU D153 Penetration Testing and Vulnerability Analysis
A penetration tester is conducting a test against external-facing websites. Which of the following tools is specifically geared towards website enumeration? A. nmap B. dirbuster C. SET D. WiGLE
Dirbuster. Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website. Nmap is a powerful security scanner that can be used alone or with NSE scripts. Scanning the network for vulnerabilities is important when conducting active reconnaissance. The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest. You can download SET and install it on a Linux, Unix, or Windows machine, or use it within Kali Linux. WiGLE is a site dedicated to mapping and indexing access points. When WiGLE first became available in 2001, many wardrivers used the site to locate open access points to use for "free Internet."
A security professional is conducting an nmap scan during the reconnaissance phase of a project and wants to save the results to a text file for later analysis. Which parameter should they use? A. No parameter is required B. -oX C. -oN D. -oG
-oN. Normal output (-oN) is similar to interactive output; however, with this format you can save the results of an Nmap scan to a text file for later analysis. Interactive output is the human-readable output you normally see on the screen when you run a scan. This is the default output, so no switch is needed. XML output (-oX) is a format that can easily be analyzed by security automation tools, converted to HTML, imported into a database, or studied using Zenmap. Grepable output (-oG) creates a grep-friendly file that can be searched using grep, awk, cut, and diff.
A penetration tester suspects a firewall is blocking their scan attempts and wants to try a TCP ACK scan to get around this. What nmap switch would they use? A. -sT B. -sX C. -sU D. -sA
-sA. A TCP ACK scan is used to bypass firewall rulesets, determine which ports are filtered, and determine whether a firewall is stateful. This scan uses the option -sA. A full (or TCP connect) scan uses a standard TCP three-way handshake; this scan uses the option -sT. A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags set to bypass a firewall or IDS; this scan uses the option -sX. Nmap can run a UDP scan using the option -sU. If the port is open, the target might return a UDP packet, which provides proof that the port is open. However, if there is no response, the port is considered open or filtered.
A security consultant is in the reconnaissance phase of a penetration test and believes there might be a non-stateful firewall blocking the scan. What nmap parameter could try to bypass the non-stateful firewall? A. -sS B. -oX C. -sF D. -sX
-sF. The -sF option sends a TCP FIN segment to bypass a non-stateful firewall. When using Nmap, the TCP SYN scan (-sS) is the default and most popular option. It can be performed quickly and is able to scan thousands of ports per second on a fast network not hampered by restrictive firewalls. XML output (-oX) is a format that can easily be analyzed by security automation tools, converted to HTML, imported into a database, or studied using Zenmap. A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags set to bypass a firewall or IDS; this scan uses the option -sX.
A security professional is setting up a netcat listener but wants to start it in UDP mode instead of TCP. What parameter should they use? A. -l B. -L C. -e D. -u
-u. The -u parameter starts Netcat in UDP mode; the default is TCP. Netcat is a command-line utility used to read from or write to a TCP or UDP network connection. The -l parameter starts Netcat in listen mode; the default mode is to act as a client. The -L parameter starts Netcat in the Windows-only "listen harder" mode, which creates a persistent listener that starts listening again when the client disconnects. The -e parameter specifies the program to execute when a connection is made.
A penetration tester is conducting a PCI DSS compliance report for a large company that does ten million transactions a year. What level should they comply with? A. 1 B. 2 C. 3 D. 4
1. Level 1 is a large merchant with over six million transactions a year and must have the assessment performed by an external auditor, an approved Qualified Security Assessor (QSA). Level 2 is a merchant with one to six million transactions a year. Both levels 1 and 2 must complete a Report on Compliance (RoC). Level 3 is a merchant with 20,000 to one million transactions a year. Levels 2 through 4 can either use an external auditor or submit a self-test that proves they are taking active steps to secure the infrastructure. Level 4 is a small merchant with under 20,000 transactions a year.
A systems administrator is looking at migrating to the cloud and encounters a number of unfamiliar terms. What makes up a cloud federation? A. Infrastructure B. Platform services C. Software D. A combination of all of these
A combination of all of these. The combination of infrastructure, platform services, and software makes up a cloud federation. Infrastructure is one component of cloud federation; with cloud computing, an organization can access and manage data and applications from any host, anywhere in the world. Platform services are another component of cloud federation. In a cloud environment, an attacker may need only an Internet connection and a dictionary of stolen password hashes to cause a breach. Software is the last component of cloud federation. A lack of oversight of the security procedures of cloud providers can dramatically increase the risk an organization takes.
A security consultant is trying to redirect traffic at Layer 2 to conduct MitM attacks. Which of the following are they trying to perform? A. ARP poisoning B. Piggybacking C. XMAS attack D. DNS poisoning
ARP poisoning. This attack deliberately maps an incorrect MAC address to a correct IP address, which poisons the ARP cache. ARP poisoning is used to redirect traffic for malicious purposes. Piggybacking is essentially the same as tailgating, except that in this case the target knows someone is following behind them. The Christmas (XMAS) scan turns on the FIN, URG, and PSH flags in the same TCP segment. This scan is able to bypass firewalls that follow a strict interpretation of RFC 793. In a DNS cache poisoning attack, the malicious actor corrupts the DNS cache of a recursive server to point a victim to a bogus IP address. This is not a Layer 2 attack, however.
A penetration tester is currently reviewing the adherence to organizational policies and procedures. Which controls help to monitor this? A. Administrative B. Physical C. Technical D. Logical
Administrative. Administrative controls are security measures implemented to monitor adherence to organizational policies and procedures. These include activities such as hiring and termination policies and employee training. Physical controls restrict, detect, and monitor access to specific physical areas or assets. Methods include barriers, tokens, biometrics, or other controls such as ensuring the server room doors are properly locked. Technical controls automate protection to prevent unauthorized access or misuse and include access control lists (ACLs) and Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures. Logical is the same as technical and also covers antimalware protection implemented as a hardware, software, or firmware solution.
A security tester wants to disable monitor mode on a wireless interface. Which tool should they use? A. Aireplay-ng B. Airmon-ng C. Airodump-ng D. Pacu
Airmon-ng. Airmon-ng enables and disables monitor mode on a wireless interface, switching it between managed mode and monitor mode. Aireplay-ng injects frames, usually in a deauthentication attack, to obtain the authentication credentials for an access point. Airodump-ng provides the ability to capture 802.11 frames; the output can then be used to identify the Basic Service Set Identifier (BSSID, the MAC address) of the access point along with the MAC address of a victim client device. Pacu is designed as an exploitation framework to assess the security configuration of an AWS account. It includes several modules that attempt exploits such as obtaining API keys or gaining control of a VM instance.
A penetration test is being conducted on a Department of Motor Vehicles' system. What should the testers take into consideration when performing the assessment? A. GLBA B. DPPA C. PTES D. OSSTMM
B. DPPA. The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide to PenTesting. The PTES approaches testing from the business side and does not include specific technical guidelines in the document. The Open Source Security Testing Methodology Manual (OSSTMM) provides a holistic, structured approach to PenTesting. Written in 2000, the open-source document stresses auditing, validation, and verification.
A marketing coordinator meets with many high-profile companies to discuss penetration testing engagements. Which of the following is NOT something they might want to show to ensure confidence and trust in their team? A. Credentials B. Pre-Discovered information C. Background check D. Clearances
B. Pre-Discovered Information. Penetration testing companies should never do work before entering into an agreement that includes scope; doing so could lead to prosecution. One way to provide assurance is to present credentials, such as certifications that prove the team has the appropriate skills to conduct PenTesting. Another area of assurance is recent background checks, which can include credit scores and driving records; make sure no one has a criminal record or felony conviction. If someone holds a Top Secret clearance from the military, you'll want to provide recent information to reassure the client.
A security professional wants to use SET for a targeted attack towards personnel. Which of the following can SET NOT do? A. Spear phishing B. Badge cloning C. Website attacks D. Wireless attacks
Badge cloning. Badge cloning is not currently a capability of the Social Engineering Toolkit (SET), although SET does allow third-party modules. Spear phishing is the first option under social engineering attacks. You can download SET and install it on a Linux, Unix, or Windows machine, or use it within Kali Linux. Website attack vectors are the second option under social engineering attacks; SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. Wireless attacks are the seventh option under social engineering attacks.
A security researcher is analyzing various on-path attack techniques to develop detection mechanisms against them. Which of the following is NOT an on-path attack? A. DNS poisoning B. ARP poisoning C. MAC spoofing D. Biometric spoofing
Biometric spoofing. Biometric spoofing is not an example of an on-path attack. An on-path attack is when a malicious actor sits in the middle, or in the path, of a connection. Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver; when the victim requests an IP address, the DNS server sends the wrong IP address. Address Resolution Protocol (ARP) spoofing transmits spoofed ARP messages on the LAN; the spoofed messages falsely report the malicious actor's MAC address as being the victim's address. MAC address spoofing modifies the MAC address on the malicious actor's NIC so that it matches the MAC address of the victim's machine.
A penetration tester is asked to conduct an assessment for security issues that occur during a web transaction. What tool could they use as a local proxy to intercept and capture the HTTP requests? A. Burp B. OpenVAS C. Nmap D. SCAP scanner
Burp. Acting as a local proxy, Burp Suite can intercept and capture HTTP requests and responses so the team can analyze the traffic, and it lists any vulnerabilities it discovers. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner (OpenVAS), which lists the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. While nmap is a tool available to evaluate a website, Burp Suite is more specifically geared towards acting as a proxy so that testers can manually evaluate each step of an interaction. The Security Content Automation Protocol (SCAP) is a US standard used to ensure applications are in line with mandated security requirements.
A company is setting up a new PoS system and wants to test the system for any security issues prior to implementation. What type of test, not driven by a legal requirement, should they have done? A. Red team B. Blue team C. Goal-based D. Compliance
C. Goal-based. Goal-based (objective-based) assessments have a particular purpose or reason; testing a point of sale (PoS) system would be an example of a goal-based assessment. Red team represents the "hostile" or attacking team; with this type of assessment, the goal is to see whether your (red) team is able to circumvent security controls. Blue team represents the defensive team; it is a good way to determine how the security (blue) team will respond to the attack. Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS.
A security student is analyzing how nmap determines a particular operating system. Which of the following is NOT a component of how the operating system is determined? A. CName B. DF C. WS D. TTL
CName. The Canonical Name (CName) string is the username that is to be authenticated; it is not a component of how nmap determines what operating system is on a machine. One component of nmap's OS detection is the Don't Fragment (DF) bit: is the DF bit in the IPv4 header on or off? Another is the Window Size (WS): what does the OS use as a window size? Another is the Time to Live (TTL): what TTL value is set on the outbound packet?
A security analyst is looking at a packet capture in Wireshark and trying to find activity based on a certain user. Which of the following would represent a user field? A. User-Agent B. Nbns C. CName D. SPAN
CName. When assessing traffic on a Windows machine in an Active Directory (AD) environment, user account names can be found in Kerberos traffic; the Canonical Name (CName) string is the username that is to be authenticated. A User-Agent string is associated with web browsers. Wireshark can be used to evaluate an HTTP stream over TCP by selecting a packet and then right-clicking to follow the HTTP stream. Using the display filter nbns, you can drill down into NetBIOS Name Service (NBNS) messages. To see all traffic on a switch, the network administrator can use port monitoring or Switched Port Analyzer (SPAN).
A security tester has been using Shodan for several engagements but wants another source of reference similar to Shodan. Which of the following would best fit that? A. Censys B. OpenVAS C. Netcat D. ObfuscatedEmpire
Censys. When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer similar to Shodan, to identify exposed systems. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner (OpenVAS), which lists the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. Netcat (nc) is a popular tool for Unix and Linux; the following shows using an HTTP GET request to elicit the web server type and version: echo -en "GET / HTTP/1.0\n\n\n" | nc www.comptia.org 80 | grep Server. One way to obfuscate a known signature is to use a tool such as ObfuscatedEmpire, a fork of Empire that has Invoke-Obfuscation built directly into its functionality.
A company has contracted an independent penetration testing company to do API testing. Which of the following are they most likely testing? A. Cloud resources B. Web servers C. WLANs D. External assets
Cloud resources. API testing is common with cloud resources. Companies recognize the vulnerabilities that exist when dealing with cloud assets, and many have turned to penetration testers to test the strength of their security mechanisms. It's common for a company to have a web presence today; however, many web applications and components have vulnerabilities, and while these could be cloud resources, they could be on-prem as well. Teams will need to include a discussion with the stakeholders on how to proceed for both the wired and wireless networks. External assets are visible on the Internet, such as a website, web application, email server, or DNS server; these could be cloud-based or on-prem as well.
A security penetration tester wants to try exfiltrating data by synthesizing images into .wav files. Which tool should they use to do this? A. OpenStego B. Snow C. Coagula D. Ostinato
Coagula. Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to download Coagula and Audacity, which are both free programs. OpenStego is similar to most other steganography tools in that you embed a message in a carrier file; to get started, you'll need to make sure that you have the Java Runtime Environment (JRE) installed. Snow is a CLI steganography tool that conceals a data payload within the whitespace of an ASCII text file. Ostinato uses packet crafting techniques as part of an attack. More popular packet crafting tools are Scapy and hping3, which allow users to craft their own packets.
A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into? A. Metasploit Pro B. Cobalt Strike C. Responder D. Ostinato
Cobalt Strike. Cobalt Strike is a commercial version of Armitage with advanced features and reporting. Armitage itself is an intuitive GUI for the Metasploit Framework. Metasploit Pro is a full-featured graphical version that includes Quick Start wizards, easy vulnerability scanning and validation, phishing campaigns, and reporting. Responder is a man-in-the-middle type tool that can be used to exploit name resolution on a Windows network. Ostinato uses packet crafting techniques as part of an attack. More popular packet crafting tools are Scapy and hping3, which allow users to craft their own packets.
A company is expanding operations to Europe and wants to make sure that they won't run into any security issues during expansion. What type of test should they have done? A. Red team B. Blue team C. Goal-based D. Compliance
Compliance. Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS. Red team represents the "hostile" or attacking team; with this type of assessment, the goal is to see whether your (red) team is able to circumvent security controls. Blue team represents the defensive team; it is a good way to determine how the security (blue) team will respond to the attack. Goal-based (objective-based) assessments have a particular purpose or reason; testing a point of sale (PoS) system would be an example of a goal-based assessment.
A security professional is conducting network reconnaissance and is trying to use advanced nmap scripts. Which of the following is NOT one of the main categories of nmap scripts? A. Malware B. Discovery C. Vulnerabilities D. Confidentiality
Confidentiality. Confidentiality is NOT a category of Nmap scripts; it is one of the chief principles of cyber security and an important consideration when conducting a PenTest. The malware category contains scripts capable of detecting a variety of different types of malware. Nmap can detect vulnerabilities by using specially crafted probes and then, once detected, attempt to exploit the vulnerability. The discovery category contains scripts that can discover networks, services, and hosts; Nmap scripts can perform advanced network discovery that includes protocol queries and whois lookups. The vulnerabilities category includes checks for a variety of vulnerabilities and exploitation commands.
A penetration tester has joined a consulting company that performs tests for several varying clients. The company has stressed staying within the scope of the project. What is the worst thing the tester could face if they go outside their scope? A. Contract negation B. Fees C. Fines D. Criminal charges
D. Criminal charges. Even though a PenTest is performed with the mutual consent of the customer, the team may inadvertently violate a local, state, or regional law, which could result in consequences up to and including criminal charges. Contract negation could be one result of going outside of scope; in addition to agreeing on the terms of the test, the team will carefully consider the scope and methods to be used while testing. Fees could be part of the ramifications as well; before doing any active testing, the team will meet with the stakeholders and outline the terms of the PenTesting process. Fines could occur and could even be combined with criminal charges. Scope is a massive part of penetration tests.
A security tester is conducting an assessment on a new network where NAC is employed. What is the most common way to bypass NAC? A. Using decoys B. Advertise a fake MAC address C. Modify the port number D. Access an authenticated device
D. Access an authenticated device. The most common way to bypass NAC is by accessing an authenticated device and using it to slip by the NAC appliance. When conducting a port scan on a host, you can use decoys to make it appear as if the packets are coming from either a trusted or a random device. In some cases, it might be effective to make the probe appear to be coming from a specific device; in that case, the team can generate a bogus source hardware (MAC) address. Network security devices are tuned to either allow or deny specific packets based on several different parameters, one of which is the source port number.
A security professional is checking for domains based on certificates that are no longer allowed. What could they check for this? A. ncpa.cpl B. SAN C. SET D. CRL
D. CRL. The Certificate Revocation List (CRL) is a list of certificates that have in some way been deemed invalid. Although effective, most online services have moved to the newer OCSP to check the validity of a certificate. Network Connections (ncpa.cpl) is a Control Panel applet for managing adapter devices, including IP address information. A more useful field in a digital certificate from a reconnaissance perspective is the Subject Alternative Name (SAN); SANs can identify specific subdomains covered by the certificate. The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest.
A client for a security assessment is worried about corruption of company information, as there are indications that data has been changed in some way, and wants to perform a health check. What is this called? A. Data exposure B. Risk gap C. Attack surface D. Data modification
Data modification. Data modification or corruption is when data has been altered in some way, which is a violation of integrity. Data exposure occurs when someone or something exposes sensitive or personal data, which is a violation of confidentiality. Until a patch is applied, the system is vulnerable; this creates a risk gap, the time between the vendor releasing a patch and the patch being applied. Vulnerabilities exist in many different areas, called attack surfaces, which include software, hardware, networks, and users that can be exploited.
A security researcher is setting up an evil twin as part of a security conference demonstration. Which type of attack does an evil twin typically perform? A. Jamming B. Brute force C. Deauthentication D. Zone transfer
Deauthentication. Getting users to join an evil twin is often accomplished with a deauthentication attack: once the client is kicked off the network, the attacker may be able to trick them into reconnecting to the rogue AP. Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, so that any signals a wireless transceiver attempts to send or receive are blocked. An evil twin does not usually conduct a brute force attack, but a malicious actor can use an online or offline brute force attack to gain access by determining the WPS PIN. DNS can fall victim to several threats, including exposure of the zone file; a zone file is a text file that contains information and resource records for a specific namespace.
A security tester wants to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in a free, easy-to-use platform. Which of the following should they use? A. EAPHammer B. Fern C. Spooftooph D. SOHO
EAPHammer. EAPHammer is a Python-based toolkit with a wide range of features. It provides options that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in an easy-to-use platform. Fern runs on a Linux OS and can recover WEP/WPS/WPA keys using a variety of methods. Fern is a commercial product; there is a free version as well that offers limited functionality. One tool that can either spoof or clone a Bluetooth device is Spooftooph; before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges. A shared account can be used in a small office/home office (SOHO), as many SOHO networking devices don't allow you to create multiple accounts.
A security tester is looking for custom scripts against uncommon services that they can't find in Metasploit. Which of the following could they look at to possibly find what they need? A. ExploitDB B. MSTG C. OWASP D. OSSTMM
ExploitDB. While there are many repositories available, the team can use the Exploit Database (Exploit DB), which provides a complete collection of public exploits and vulnerable software in a searchable database. The Mobile Security Testing Guide (MSTG) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency. The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security; it provides a framework for testing during each phase of the software development process. OSSTMM provides a holistic, structured approach to PenTesting. Written in 2000, the open-source document stresses auditing, validation, and verification.
A project manager is reviewing the scope of a penetration test. Which of the following is least likely to be included? A. Location B. Target exclusions C. Framework D. Tools
Framework. The penetration testing framework is not likely to be included in scoping discussions, although it can be beneficial outside the scope. The details of the PenTest may also include other restrictions, such as possible technical or location constraints; for example, there may be a legacy system that has had several issues with automated scanning. The legal documents will define what locations, systems, applications, or other potential targets are to be included or excluded. In some cases, the use of tools is defined by a governing body that outlines specifically what the team is to use when conducting the test.
A penetration test is being conducted on a financial institution. Which of the following is geared to ensure the security and confidentiality of client information? A. GLBA B. DPPA C. HIPAA D. ISSAF
GLBA. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure. The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes national standards to protect the privacy of individuals' medical records. The Information Systems Security Assessment Framework (ISSAF) contains a list of 14 documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.
During a penetration testing engagement, one of the team members presents a fictitious situation as real. What is this tactic called? A. Elicitation B. Hoax C. Pretexting D. Phishing
Hoax. A hoax is another element of social engineering in which the attacker presents a fictitious situation as real; a hoax could be a link that leads to malicious code. Elicitation is acquiring data from the target in order to launch an attack; this is different from information gathered about the target. One social engineering tactic is pretexting, whereby the team communicates, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood. Phishing is a social engineering attack in which the malicious actor communicates with the victim while posing as a reputable source.
A security researcher is testing the disruption of a Wi-Fi signal by broadcasting on the same frequency as the target WAP. What is this called? A. Jamming B. Pineapple C. Deauthentication D. Slowloris
Jamming. Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, so that any signals a wireless transceiver attempts to send or receive are blocked. In addition to software, a hardware tool like the Wi-Fi Pineapple can launch a deauthentication attack. A deauthentication (deauth) attack boots the victim(s) from an AP and forces them to reauthenticate; a deauth is used so the victim generates the traffic needed to capture the handshake. A slowloris attack keeps multiple fake web connections open for as long as possible until the maximum number of allowed connections is reached.
A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening? (Select all that apply.) A. LLMNR B. NBT-NS C. SSH D. VNC
LLMNR and NBT-NS. Responder is a man-in-the-middle type tool that can be used to exploit name resolution on a Windows network by poisoning LLMNR. Responder is also designed to intercept and poison NBT-NS. Once a request is intercepted, Responder returns the attacker's host IP as the name record. Responder is not designed to work against SSH, and it does not work against VNC. By default, the name resolution process first uses LLMNR, and if that fails, it tries the NetBIOS Name Service (NBT-NS).
A security consultant is evaluating a website and finds out that the administrator has set up a device to stabilize network traffic across two or more servers. What is this called? A. Firewall B. WAF C. Load balancer D. ACL
Load balancer. A load balancer is used to stabilize network traffic across two or more servers; balancing the load prevents any one server from getting too many requests. Firewalls are widely used to monitor and control traffic on a network and use rule sets to determine whether traffic is allowed or denied. A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL injection (SQLi). An access control list (ACL) is essentially a list that tells devices the access rights that users have to various objects, such as file directories, or permissions to access network resources.
A vulnerability has just gone through the mitigation phase of the vulnerability lifecycle. What is the next phase? Manage Document Discover Coordinate
Manage Manage is when the patch has been released. It's now up to each organization to take the next step and apply the patch in order to remediate or mitigate the vulnerability. Document is the final phase, in that the vulnerability has been tested, and everyone involved will take a moment to document what has been done. In addition, it's best to reflect on lessons learned. Discover is the first phase of finding a potential vulnerability that can be exploited. It's important to recognize that a vulnerability exists in order to defend against a possible attack, now or in the future. Coordinate is the next phase, where both the vulnerability and the potential to exploit the vulnerability are known.
A team is conducting a physical assessment and uses a simple mechanism such as Styrofoam to bypass a certain control. Which control are they likely bypassing? Motion sensor Fences Security badges Locks
Motion Sensor The team can attempt to block the motion detector by using a piece of cardboard or Styrofoam over the sensor. Many buildings have perimeter security, such as natural barriers or fences, to deter someone from simply entering the property. Cardboard would not be as helpful with this. A radio-frequency identification (RFID) badge system can be used for physical security. These badges hold an individual's authorization credentials and use a proximity reader that reads data when in range. Lock picking uses specialized tools to manipulate the components of a lock in order to gain access to a restricted area.
A security researcher is testing the effects of a network scan with no flags set. What is this referred to as? A.NULL B.Half Open C.FIN D.XMAS
NULL A null scan is a packet sent without any flags set. This is not an actual stealth scan as security systems are set to look for these. TCP SYN (or half-open) scan is the original stealth scan. The scan sends a packet to the target with the SYN flag set. This is called a "half-open" scan because the attacker does not complete the TCP three-way handshake. FIN scan sends a packet to the target with only the FIN flag set. XMAS Tree scan sends a packet with the FIN, URG, and PSH flags set and appears to be "lit up like a Christmas Tree."
A security professional is researching the latest vulnerabilities that have been released. Where is a good resource they can go to in order to look at these? CVSS CVE NVD ISSAF
NVD (National Vulnerability Database) To learn more about the vulnerabilities, you can often click on CVE names, which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details. As vulnerabilities are identified, they are first rated as to the severity using the Common Vulnerability Scoring System (CVSS). The score is derived using a set of metrics, which helps in prioritizing vulnerabilities. The information from the CVSS is fed into the Common Vulnerabilities and Exposures (CVE). The CVE is a listing of all publicly disclosed vulnerabilities. The ISSAF contains a list of 14 documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.
A penetration tester wants to test exfiltrating data via encrypted mechanisms. What could they use to accomplish this? A.Netcat B.Ncat C.Coagula D.Yersinia
Ncat Ncat is an interactive CLI tool written for the Nmap Project. Ncat is used to read and write raw data over a network and includes support for proxy connections along with IPv6 and SSL communications. Netcat is a command-line utility used to read from or write to a TCP or UDP network connection. Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to download Coagula and Audacity, which are both free programs. Yersinia uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3, which allows users to craft their own packets.
A security student wants to start conducting vulnerability scans on their own network. They want to be able to use a commercial tool, but that is available for free for home use. Which of the following could they use? A.OpenVAS B.SAST C.Scapy D.Nessus
Nessus Nessus is a powerful scanning tool that can scan either enterprise or home networks. Nessus for home or personal use is free. If running on an enterprise network, you will need to purchase the product. The Open Vulnerability Assessment Scanner is an open-source scanner and is available regardless. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. Static Application Security Testing (SAST) is done early in the software development life cycle to examine the code for security vulnerabilities. Scapy is a tool to craft and send a malformed packet to your target. The type of packet you craft will be dependent on the security products and rules.
A security professional is trying to evaluate a website for web-specific vulnerabilities. Which of the following is the tool most suited towards this objective? A.OpenVAS B.Nikto C.SQLmap D.Censys
Nikto Nikto is an open-source web server scanner that can complete comprehensive testing on web servers for a variety of vulnerabilities, such as a missing anti-clickjacking X-Frame-Options header, and dangerous files and CGIs. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. SQLmap is an open-source database scanner that searches for and exploits SQL injection flaws. When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems.
A student is studying penetration testing methodologies and is trying to narrow in their skill sets to web application testing. Which of the following should they focus on? NIST OSSTMM Hacker Highschool OWASP
OWASP The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. NIST has many resources for cybersecurity professionals that include the Special Publication (SP) 800 series, which deals with cybersecurity policies, procedures, and guidelines. OSSTMM provides a holistic structured approach to PenTesting. Written in 2000, the open-source document stresses auditing, validation, and verification. Hacker Highschool provides security awareness to teens. This can be a helpful resource to reference.
A security engineer is trying to avoid Antivirus on a company's systems. Which tool could they use to modify the hash of their payloads? A.Wget B.theHarvester C.Dirbuster D.ObfuscatedEmpire
ObfuscatedEmpire Obfuscating a known signature can be done with a tool such as ObfuscatedEmpire. It is a fork of Empire that has Invoke-Obfuscation baked directly into its functionality. Wget is not designed to obfuscate malware, but it can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server. theHarvester gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners. Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website.
A systems administrator for a small company is tasked with performing a vulnerability scan inside their network. They are not given a budget but instead are asked to find open-source tools. Which of the following could they use? A.theHarvester B.Metagoofil C.OpenVAS D.Scapy
OpenVAS A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. theHarvester gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML). Scapy is a tool to craft and send a malformed packet to your target.
A penetration tester is analyzing entry to a network utilizing 802.1X authentication. Which of the following is NOT one of the three main components of this setup? A.Organizational Units B.Supplicant C.Authenticator D.AS
Organizational Units Organizational Units are used with a domain to group similar objects such as the users, groups, computers, and other OUs and minimize the number of domains. The Supplicant (or Wi-Fi client) is the first entity in 802.1X authentication. In a corporate WLAN, clients generally must authenticate prior to gaining access to the network using the 802.1X authentication protocol. The Authenticator (or WAP) is the second entity in 802.1X authentication. Once authenticated, a virtual port is created on the access point and the client can then access network resources. The Authentication Server (AS) is the last entity in 802.1X authentication. It is generally a RADIUS server that provides the authentication.
A penetration tester wants to become more efficient and effective at penetration testing. What standard provides a comprehensive overview of the proper structure of a complete PenTest and includes discussion on several topics, such as pre-engagement interactions, threat modeling, vulnerability analysis, exploitation, and reporting? ISSAF OWASP PTES OSSTMM
PTES The Penetration Testing Execution Standard (PTES) has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest. Some of the sections include details on topics such as pre-engagement interactions, threat modeling, vulnerability analysis, exploitation, and reporting. The ISSAF contains a list of 14 documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance. The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. OSSTMM provides a holistic structured approach to PenTesting. Written in 2000, the open-source document stresses auditing, validation, and verification.
An attacker has sent an email where the victim navigates to a malicious web page that has been set up to look official. What is this called? Phishing Pharming Baiting Malvertising
Pharming Pharming is when an attacker entices the victim into navigating to a malicious web page that has been set up to look official. While this would fall under the phishing category, it more specifically falls under pharming. Phishing is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source. Baiting is where an attacker will leave bait, such as an infected physical media, in an area where a victim can find the device. Spam can include malvertising, which is an email that looks like a normal ad, but instead includes malicious code.
A new penetration tester is creating a summary of their first upcoming process and wants to follow the standard process. What step takes place after planning? Scanning Recon Gaining access Analysis
Recon Reconnaissance is next and focuses on gathering as much information about the target as possible. This process includes searching information on the Internet, using Open-Source Information Gathering Tools (OSINT), and websites. Scanning is a critical phase as it provides more information about available network resources. Scanning identifies live hosts, listening ports, and running services. Gaining access occurs after the team has gathered information on the network. In this phase, the team will attempt to gain access to the system, to see how deep into the network they can travel. Analysis occurs after the team has completed the exercise, and will go through the results of all activities, analyze the findings, and derive a summary of their risk rating.
A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers? Reddit Github Bitbucket CloudForge
Reddit Reddit is less likely to contain code from developers, though it is possible it could exist there. The other three options are specifically geared towards shared code repositories. GitHub enables teams to work together, regardless of their location, is free to basic users, and has reasonable costs for teams and enterprise users. Bitbucket allows inline comments and a secured workflow; it is free to small teams and fee-based for larger groups. CloudForge offers bug and issue tracking, discussion forums, and document management. You can get a free trial for 30 days, after which there is a nominal fee.
A penetration tester is conducting OSINT reconnaissance against key employees to try to find avenues into the network and notices that they belong to specific communities. Which of the following would most likely help them target these niche areas? Instagram Twitter Reddit LinkedIn
Reddit Reddit is often used to target marketing efforts toward specific communities. Instagram is used to publish images that market an organization's products, services, and/or brand. Individual profiles may reveal much about an employee's interests, habits, behavior, relationships, and other Personally Identifiable Information (PII). Twitter is used to promote products and services in short statements called tweets, as well as to provide casual customer service and bolster brand loyalty and recognition. LinkedIn is used primarily for networking opportunities and job searching. Beyond the organization's profile, social media is also a rich resource for extracting data about individuals.
A security professional is looking for interesting targets on a public-facing web server. What would show them areas of the server that are not supposed to be crawled? Robots Subject alternative name Revocation list Secret
Robots The robots.txt file is a simple yet essential file that tells the bots where to search, and more importantly, where NOT to search. One of the more useful fields in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). The Certificate Revocation List (CRL) is a list of certificates that in some way have been deemed invalid. Although the CRL is effective, most online services have moved to the newer OCSP to check the validity of a certificate. Secret.txt is not a common file; the steganography example simply uses secret.txt as an example file name.
A security assessor is trying to set up automated scans on applications that check against a predetermined security baseline that checks for vulnerabilities. Which of the following should they set up for this? A.DAST B.SAST C.OpenVAS D.SCAP
SCAP The Security Content Automation Protocol (SCAP) is a US standard used to ensure applications are in line with mandated security requirements. Dynamic Application Security Testing (DAST) is done after the code is placed in production. Unlike SAST, dynamic testing will unearth vulnerabilities that are evident after the code is in production. Static Application Security Testing (SAST) is done early in the software development life cycle to examine the code for security vulnerabilities. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested.
A project manager for a penetration company has received a notice about a contract being terminated. The project manager wants to review the documentation to see specifically what is allowed under the termination clauses. Which document should they look at? A.SLA B.GLBA C.SOW D.MSA
SLA A service-level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure. The Statement of Work (SOW) is a document that defines the expectations for a specific business arrangement. It typically includes a list of deliverables, responsibilities of both parties, and others. The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges.
A network administrator is looking at the security of their Domain Name System servers and is researching common attacks against DNS. Which of the following is NOT as common of an attack geared towards DNS services? Flood attacks Cache Poisoning Zone transfer SMB attacks
SMB Attacks SMB attacks would not be conducted against the DNS service itself, since they are inherently different services. SMB attacks could be conducted against the host itself, but a DNS server should be hardened and any unnecessary services turned off. DNS can fall victim to several threats, including flood or amplification attacks, cache poisoning, and exposure of the zone file. Nmap has several methods that you can use to test the DNS structure for vulnerabilities. A zone file is a text file that contains information and resource records for a specific namespace.
A network engineer is measuring a wireless signal level in relation to any background noise to ensure efficient wireless communications. Which of the following should they look at? A.dBi B.SCAP C.SNR D.WAF
SNR The goal is to have a good Signal-to-Noise Ratio (SNR), which is the measurement of a wireless signal level in relation to any background noise. The signal strength of a wireless antenna is referred to as decibels per isotropic (dBi) and can vary according to the design. The Security Content Automation Protocol (SCAP) is a US standard used to ensure applications are in line with mandated security requirements. A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks.
A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this? A.SOCKS B.masscan C.Ostinato D.Snow
SOCKS Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS). masscan is not a tool meant for inside networks. It is extremely noisy and was designed for scanning the internet rapidly. This could actually take down a network if not careful. Ostinato uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3 which allows users to craft their own packets. Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text file that uses the ASCII format.
A security tester is looking at vulnerabilities regarding shared accounts. Which of the following environments are shared accounts more likely to be found? A.SaaS B.IaaS C.SOHO D.CDN
SOHO A shared account can be used in a small office home office (SOHO) environment, as many SOHO networking devices do not allow you to create multiple accounts. Software as a Service (SaaS) and Infrastructure as a Service (IaaS) are not as likely to have a shared account as a SOHO environment; cloud identity and account types are personnel, endpoints, servers, software, or roles. Data in cloud storage can be used to serve static web content, such as HTML pages, images, and videos. The content is published from the container to a content delivery network (CDN).
A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets? TXT NS SRV MX
SRV A Service (SRV) record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM). A Text (TXT) record provides information about a resource such as a server or network in human readable form. A Nameserver (NS) record lists the authoritative DNS server for a particular domain. A standard DNS query will use DNS servers to identify the Internet Protocol (IP) address behind a particular domain or resource name. A Mail Exchange (MX) record provides the mail server that accepts email messages for a particular domain.
The Social Engineering Toolkit is being employed for a targeted attack towards personnel. Which of the following can SET NOT do? A.Mass mail attacks B.Infectious media C.Scaling D.PowerShell attacks
Scaling Scaling is a physical security attack that applies to perimeter security such as natural barriers or fences, to deter someone from simply entering the property. Mass mail attacks are the fifth option under social engineering attacks. You can download SET and install it on a Linux, Unix, and Windows machine or use it within Kali Linux. Infectious media generator is the third option under social engineering attacks. SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. PowerShell attacks are the ninth option under social engineering attacks.
A penetration tester needs to craft a custom packet in order to bypass an Intrusion Prevention System (IPS). What tools could they use to craft custom packets? (Select all that apply.) OpenVAS Metagoofil Scapy Hping3
Scapy and Hping3 Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted will be dependent on security products and rules. Hping3 is also a tool to craft and send a malformed packet to your target. For example, the Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict interpretation of RFC 793. Metagoofil uses various python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML). A team can run vulnerability scans using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested.
A social engineering attack observes a target's behavior without them noticing in order to gain passwords and unauthorized entry to systems. What is this called? Dumpster diving Piggybacking Mantrap Shoulder surfing
Shoulder Surfing Shoulder surfing is a social engineering attack in which the malicious actor observes a target's behavior without them noticing. Dumpster diving is the act of searching the contents of trash containers for something of value. One may be able to discover actionable intel that can give an insight into the target's business operations. Piggybacking is essentially the same thing as tailgating, but in this case, the target knows someone is following behind them. A mantrap is a containment area between two separate sets of interlocking doors. This helps to control the flow of personnel into restricted areas.
A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to? A.Malware injection B.Direct-to-origin C.Side-channel D.DNS Poisoning
Side-Channel A side-channel attack is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model. In a malware injection attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and Cross-Site Scripting (XSS). In direct-to-origin attacks (D2O), malicious actors circumvent proxy protections by identifying the origin network or IP address and then launching a direct attack. Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address.
A penetration tester wants to try keeping multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. They want to employ this method on a test server to see how much they will be able to handle before needing to scale outwards. What type of attack should they use to test this? A.HTTP flood B.Slowloris C.DNS amplification D.Prowler
Slowloris A slowloris attack keeps multiple fake web connections open for as long as possible until the maximum number of allowed connections is reached. An HTTP flood uses seemingly legitimate HTTP GET or POST requests to attack a web server. It does not require spoofing or malformed packets but can consume a high number of resources with a single request. A DNS amplification attack uses multiple public DNS servers to receive spoofed queries and respond to a target. Prowler is an audit tool for use with Amazon Web Services only. It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks.
A military unit has adopted sending communications hidden in the white space of text files as a standard operating procedure. Which of the following tools uses white space to conceal data payloads? Snow Steghide OpenStego Yersinia
Snow Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text file that uses the ASCII format. Steghide is an open-source tool used to conceal a payload in either an image or audio file. The software can compress, conceal, and encrypt data. OpenStego is similar to most other tools in that you embed a message in a carrier file. To get started, you'll need to make sure that you have the Java Runtime Environment (JRE) installed. Yersinia uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3, which allows users to craft their own packets.
A penetration tester is conducting a physical test on-premise and is attempting to exploit human errors. What type of risk is the pen tester trying to exploit? Risk Threat Social Engineering Risk Management
Social Engineering Human errors can also be seen as Social Engineering, which attempts to leverage human mistakes to gain information used in attacks or breaches. Risk is equivalent to threat x vulnerability. Risk represents the consequence of a threat exploiting a vulnerability. When dealing with cybersecurity, a risk can result in financial loss, business disruption, or physical harm. A threat represents something such as malware or a natural disaster, that can accidentally or intentionally exploit a vulnerability and cause undesirable results. Risk analysis is part of a larger process called risk management, which is the cyclical process of identifying, assessing, analyzing, and responding to risks.
A secret double agent on a top-secret mission needs to conceal a payload in an audio file using tools built into Kali. What tool could they use to do this? A.SAST B.Bit-Twist C.Meterpreter D.Steghide
Steghide Steghide is an open-source tool used to conceal a payload in either an image or audio file. The software can compress, conceal, and encrypt data. Static Application Security Testing (SAST) is done early in the software development life cycle to examine the code for security vulnerabilities. Bit-Twist uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3, which allows users to craft their own packets. Meterpreter is a very popular payload of Metasploit, which provides an interactive, menu-based list of commands you can run on the target.
A penetration tester is conducting a nmap scan but wants to conserve bandwidth. Which setting should they use to perform this? A.T1 B.T2 C.T3 D.T4
T2 T2 slows the scan to conserve bandwidth. In some cases, network devices enforce rate limiting, which limits the data flow by either policing or shaping the traffic. T0 and T1 are the best options for IDS evasion but are extremely SLOW. Aggressive scans can cause congestion and disrupt fragile systems. T3 is the default and is the most stable option. T4 is the recommended choice for a fast scan that is still relatively stable. Network performance is essential. If the target has a healthy amount of bandwidth, and the client agrees, the team can scan using multiple concurrent scanners.
A security auditor is assessing SMB vulnerabilities and conducting a scan against the services. In order to speed up the scan, what port should they specify? A.TCP 25 B.TCP 53 C.TCP 139 D.TCP 80
TCP 139 Server Message Block (SMB) is TCP port 139. The tester can retrieve directory information, list, and transfer files. SMB also runs over TCP port 445 and is a common file and print service. Simple Mail Transfer Protocol (SMTP) is TCP port 25. The tester can extract email addresses, enumerate SMTP server information, and search for open relays. Domain Name System (DNS) is TCP port 53 for eliciting DNS zone transfers and discovering DNS subdomains. Hypertext Transfer Protocol (HTTP) is TCP port 80. They can manually request web pages, enumerate directories, files, WebDAV features, and versions.
A security engineer is trying to understand the default behavior of nmap scans during host discovery. What does nmap send to port 80? TCP ACK TCP SYN Echo request ARP request
TCP ACK During host discovery, nmap sends a TCP ACK packet to port 80. Because every network is unique, the team may need to use a variety of scans to get a solid grasp on the environment. During host discovery, nmap sends a TCP SYN packet to port 443. When using a TCP SYN Ping with multiple ports, there can be no space between -PS and the port list. During host discovery, nmap sends an ICMP type 8 (echo request). When scanning, the team may need to adjust if they run into problems. During host discovery, nmap sends ARP requests to obtain MAC address details.
A systems administrator wants to conduct a scan to identify which services are open on their machines in an attempt to try to disable unused services. Which of the following should they perform? A.Ping scan B.OS scan C.TCP scan D.NSE scan
TCP Scan TCP Scans will check for open and listening TCP ports to determine what services are in use. Ping Scans will ping a range of IP addresses to learn which machines are responding. This is useful to conduct a quick scan to see what is identifiable on the network. OS Footprinting will identify the operating systems in use on the network. While this does identify services, the administrator already knows what operating systems that they are administering. Nmap Scripting Engine (NSE) scripts are a core component of Nmap that allows users to customize activity and automate the scanning process. While these can enumerate services, there are several varying categories.
A penetration tester covertly follows an authorized employee who is unaware that anyone is behind them. What is this called? A.Tailgating B.Piggybacking C.Badge cloning D.Scaling
Tailgating Tailgating is an attack where the malicious actor slips in through a secure area while covertly following an authorized employee who is unaware that anyone is behind them. Piggybacking is essentially the same thing as tailgating, but in this case, the target knows someone is following behind them. Badge cloning is the act of copying authentication data from an RFID badge's microchip to another badge. This can be done through handheld RFID writers. Scaling applies to perimeter security such as natural barriers or fences, to deter someone from simply entering the property.
A security professional is reviewing the results of a recent SYN scan and trying to understand the response results. What will happen if the port is open? Target sends RST Target sends SYN ACK Packet is dropped No response
Target sends SYN ACK If the port is open for a SYN scan, the target will return a SYN ACK. This is called a "half-open" scan because the attacker does not complete the TCP three-way handshake. If the port is closed for a SYN scan, the target will return a reset (RST). A stealth scan uses techniques that try to exploit the expected behavior of TCP. If the target is filtered using a firewall on a SYN scan, the packet will be dropped. When using an XMAS Tree, Null, or FIN scan and the port is open, there will be no response. Network devices are tuned to identify malicious activity, such as scanning the network.
A Linux systems administrator is concerned about data exfiltration from one of their DMZ servers. What common service should they disable on these DMZ servers for externally facing assets? A.RDP B.SSH C.Telnet D.SFTP
Telnet Telnet is a cleartext protocol, not an encrypted protocol. This should be disabled regardless and not used in the enterprise unless absolutely necessary. When communicating with a remote, Linux-based machine, it's common to use Secure Socket Shell (SSH), a protocol that provides a way to communicate securely via a CLI (shell) over an encrypted connection. Remote Desktop Protocol (RDP) is a service on Windows machines, not on Linux machines. The X11 protocol can be used over SSH to enable graphical interfaces to Linux machines. SFTP provides a more secure option over File Transfer Protocol (FTP). FTP is a cleartext protocol and should not be used.
A project manager is preparing documentation that covers recurring costs and any unforeseen additional charges that may occur during a project without the need for an additional contract. Which of the following should they prepare? SOW MSA SLA NVD
The Master Service Agreement (MSA) The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges. The Statement of Work (SOW) is a document that defines the expectations for a specific business arrangement. It typically includes a list of deliverables, responsibilities of both parties, and others. A service-level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. To learn more about the vulnerabilities, you can often click on CVE names, which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details.
A company is contracting a penetration test because they want to save money by going with a smaller, newer hosting company. However, they are worried the company may have fewer resources and less security expertise and may be easier to attack than larger, more mature providers. What is this called? First-party hosted Third-party hosted On-site APIs
Third-party hosted Third-party hosted includes assets that are hosted by a vendor or partner of the client organization, such as cloud-based hosting. First-party hosted includes assets that are hosted by the client organization. In some cases, first-party hosted assets might be easier to attack than third-party hosted services. On-site is an asset that is physically located where an attack is being carried out. On-site testing can include attempting to compromise a business's physical barriers to gain access to systems, personnel, and more. Application programming interfaces (APIs) can be either public-facing applications or those that allow access to the details of a specific user.
A security researcher has detected anomalous timestamp entries where a system's log event microseconds have all been set to 0, and they suspect the system has been compromised and the timestamps modified. Which tool did the attacker probably use? A.Meterpreter B.TimeStomp C.Shred D.Wevtutil
TimeStomp Changing time values is possible by using Metasploit's meterpreter tool called TimeStomp, which allows you to delete or modify timestamp-related information on files. Shred is a command built into Linux to make sure that files are securely deleted and completely removed. Windows doesn't have a built-in command-line equivalent to file-based shredding. When using the command-line interface (CLI) in Windows, you can also clear individual log categories. For example, wevtutil cl Application will clear the application log.
A security consultant is attempting to see users and potential passwords by using the following URL: http://comptia.com/resources/../../../../etc/passwd but receives a dropped packet. What is most likely preventing this? A.Router B.WAF C.Load balancer D.ACL
WAF A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks. Routers act as control points for communications between network segments. A router is NOT preventing this activity. A load balancer is used to stabilize network traffic across two or more servers. Balancing the load prevents any one server from getting too many requests. An access control list (ACL) is essentially a list that tells devices the corresponding access rights that users have to various objects, such as file directories, or permissions to access network resources.
A medium-sized company is worried about their access points at various field sites and has asked their employees to drive around to search for open access points using a laptop or smartphone. What is this referred to as? War driving WiGLE Attack surface Pharming
War driving War driving is a technique that involves driving around to search for open access points using a laptop or smartphone. WiGLE is a site dedicated to mapping and indexing access points. With improved devices and user education, there are significantly fewer open access points today. Vulnerabilities exist in many different areas, called attack surfaces, which include software, hardware, networks, and users that can be exploited. Pharming is when an attacker entices the victim into navigating to a malicious web page that has been set up to look official.
A penetration tester is gathering OSINT in an attempt to conduct a phishing campaign against an executive. Which of the following would be the least effective in an OSINT campaign? Who they manage Email addresses Social media profiles Web server vulnerabilities
Web server vulnerabilities Web server vulnerabilities are not as useful for a targeted phishing campaign. Campaigns are more effective with information like who they manage, email addresses, and profiles. Who the executive manages can sometimes be obtained from the organization's website. Email addresses are absolutely critical during an email phishing campaign. The penetration testers can attempt to either send emails that look similar to legitimate users and domains, or they could try to compromise accounts directly. Social media profiles can have very useful information like date of birth, relationships, interests, and more. They can then use these details in a wordlist to prepare a password cracking attempt with a more targeted approach.
A security tester is conducting war driving for several sites. Which of the following tools could they use to help in this effort? A.DAST B.WiGLE C.ARP Poisoning D.Censys
WiGLE WiGLE is a site dedicated to mapping and indexing access points. With improved devices and user education, there are significantly fewer open access points today. Dynamic Application Security Testing (DAST) is done after the code is placed in production. Unlike SAST, dynamic testing will unearth vulnerabilities that are evident after the code is in production. An ARP attack deliberately maps an incorrect MAC address to a correct IP address, which poisons the ARP cache. ARP poisoning is used to redirect traffic for malicious purposes. When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems.
A penetration tester discovers a device during an engagement and needs to try conducting a Pixie attack or attempt to crack PMKID offline. Which tool should they use? A.Airmon-ng B.Spooftooph C.ScoutSuite D.Wifite2
Wifite2 Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more. Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. One tool that can either spoof or clone a Bluetooth device is Spooftooph. Keep in mind, before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges. ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
A security firm is looking at expanding operations outside the United States. Which of the following tools might be illegal to use due to U.S. encryption export regulations? InterMapper Nmap OpenVAS Wireshark
Wireshark Wireshark is a powerful open-source protocol analysis tool that can decrypt many of the protocols used to conceal data, such as IPsec, Kerberos, and SSL/TLS. It falls under the U.S. encryption export regulations, and it may be illegal to use in certain countries. InterMapper is a popular network mapper. Some mappers interface with drawing applications such as Microsoft Visio to create professional-looking diagrams. Nmap is a powerful security scanner, which can be used alone or by using NSE scripts. Scanning the network for vulnerabilities is an important task when conducting active reconnaissance. OpenVAS is an open-source scanner. Scanning probes potential targets on the network.
A network administrator is refreshing their network inventory after several major changes and wants to create an updated visual of the network topology. Which of the following tools could they use to create one? WiGLE Zenmap OpenVAS Metagoofil
Zenmap Zenmap can create a visual of the network topology. Using Zenmap is intuitive, and you can run scans within the application just as you would when using Nmap. WiGLE is a site dedicated to mapping and indexing access points. With improved devices and user education, there are significantly fewer open access points today. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML).
A security analyst is trying to find older versions of a company's website which contained sensitive information. They are worried that attackers might still be able to find older versions, so they want to try using web search commands. Which web search command would help them search? inanchor inurl site cache
cache Use a standard cache search on a site, and you will see a recent view of the website. To do a quick check, simply type cache: in the address bar. For example, cache:https://comptia.org. inanchor searches anchor text. For example, use inanchor:Certification report to search for any pages whose anchor text includes the text "Certification" and have the text "report" anywhere on the page. One would use inurl:Certification report to search for any pages whose URLs include the text "Certification" and have the text "report" anywhere on the page. The security professional would enter site:comptia.org report to search CompTIA's website only for results including the text "report."
A network technician is reviewing signal strengths of wireless antennas to ensure that the signal does not extend beyond the buildings for anyone to attempt to gain access. What are they measuring? A.MSA B.SNR C.dBi D.NVD
dBi The signal strength of a wireless antenna is referred to as decibels per isotropic (dBi) and can vary according to the design. The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges. The goal is to have a good Signal-to-Noise Ratio (SNR), which is the measurement of a wireless signal level in relation to any background noise. To learn more about the vulnerabilities, you can often click on CVE names, which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details.
A penetration tester has been contracted to do a test for a hospital and is looking at computerized electronic patient records. What are these referred to as? HIPAA e-PHI CCPA GDPR
e-PHI Computerized electronic patient records are referred to as electronic protected health information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine. The Health Insurance Portability and Accountability Act (HIPAA) is a law that mandates rigorous requirements for anyone that deals with patient information. The California Consumer Privacy Act (CCPA) was enacted in 2020 and outlines specific guidelines on how to appropriately handle consumer data. In 2018 the EU enacted the General Data Protection Regulation (GDPR), which outlines specific requirements on how consumer data is protected.
A penetration tester has landed a shell on a Linux box and wants to find out more about the users' login and idle time. Which built-in bash command should they use? A.cat /etc/passwd B.finger C.uname -a D.env
finger The finger command views a user's home directory along with login and idle time. You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. The cat /etc/passwd command lists all users on the system. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts against the target. The uname -a command displays the OS name, version, and other details. If a Linux machine is compromised using Metasploit, the post/linux/enum_system module can be used to get information about the system. The env command outputs a list of all the environmental variables.
A security consultant is attempting to look for default passwords for a client's D-Link phones. Which of the following should they use? intitle:"DPH" "web login setting" inurl:"ccmuser/logon.asp" intitle:"Grandstream Device Configuration" password inurl:"CallManager"
intitle:"DPH" "web login setting" intitle:"DPH" "web login setting" would be used to find information on D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system. inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try some other Google Hacking to find more information on VoIP phones that you can use to launch the attack. intitle:"Grandstream Device Configuration" password would be used to find information about Grandstream phones. inurl:"CallManager" would not be a valid way of attempting to find CallManager instances; they would have to search for ccmuser.
A penetration tester is trying to use Google Hacking to find more instances of Cisco CallManager. What should they use? intitle:"DPH" "web login setting" inurl:"ccmuser/logon.asp" intitle:"Grandstream Device Configuration" password inurl:"CallManager"
inurl:"ccmuser/logon.asp" inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try some other Google Hacking to find more information on VoIP phones that you can use to launch the attack. intitle:"DPH" "web login setting" would be used to find information on D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system. intitle:"Grandstream Device Configuration" password would be used to find information about Grandstream phones. inurl:"CallManager" would not be a valid way of attempting to find CallManager instances; they would have to search for ccmuser.
A security researcher wants to scan documents against a website for only pdf documents. What metagoofil parameter could they use? A.metagoofil -d B.metagoofil -t C.metagoofil -l D.metagoofil -n
metagoofil -t metagoofil -t pdf scans for pdf documents. Metagoofil scrapes the metadata, and then displays the information using Hypertext Markup Language (HTML). metagoofil -d comptia.org scans for documents on comptia.org. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir. metagoofil -l 75 searches for 75 documents. The output can then be viewed in a standard browser. Another valuable tool is FOCA, which can discover metadata from a variety of sources. metagoofil -n 25 downloads 25 files. You can download a copy of Metagoofil from GitHub. In addition, the tool is built into Kali Linux.
A security professional is performing an assessment against web servers and is currently in the reconnaissance phase. They are performing initial service enumeration by attempting to open a session with a service and getting the service to identify itself. Which of the following tools are suited for this? (Select all that apply.) A.netcat B.SET C.wget D.Shodan
netcat and wget Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request to elicit the webserver type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server. Wget can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server. The Social Engineering Toolkit (SET) is not quite geared towards banner grabbing, though it is a handy tool to use during the social engineering aspect of tests. Shodan is a search engine designed to locate and index IoT devices that are connected to the Internet.
A penetration tester wants to gather email information for a targeted phishing campaign. Which of the following tools could they use to collect this? Shodan Dirbuster Metagoofil theHarvester
theHarvester theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners. Shodan is a search engine designed to locate and index IoT devices that are connected to the Internet. Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website. Metagoofil uses various python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML).