PenTest+
Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong? "msf exploit (unix/misc/distcc_exec) > exploit Exploit failed: The following options failed to validate: RHOST. Exploit completed, but no session was created.
Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running exploit.
If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit Vulnerability?
Metasploit searching supports multiple common vulnerability identifier systems, including CVE (Common Vulnerabilities and Exposures), BID, and EDB (Exploit Database), but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.
Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast message?
Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of, to reduce the number of remaining options. here you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing traffic may require work, but would be possible. Now you're down to a 50/50 chance.
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
Moderate. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organization operations, organizational assets, or individuals.
After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?
Most modern SNMP deployments use a non-default community string. If Greg does not have the correct community string, he will not receive the information he is looking for.
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
NAT
What does a result of *** mean during a traceroute?
No response to the query, perhaps a timout, but traffic going through.
Angela wants to run the John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file?
Nothing. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, ti will attempt to crack the passwords.
Duran an Nmap scan, Casey uses the -o flag. The scan identifies the host as follows: Running Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 What can she determine from this information?
OS identification in Nmap is based on a variety of response attributes. In this case, Nmap's best guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more specific.
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide list?
On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow are important for password cracking, making both desirable targets for penetration testers.
Charles runs an Nmap scan using the following command: Nmap -sT -sV -T2 -p 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan .Which of the following is not a useful way to speed up his scan?
Only scanning via UDP will not miss any TCP connections. Setting the scan to faster timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the number of ports tested are all valid ways to speed up a scan.
What built-in Windows server administration tool can allow command-line PowerShell access from other systems?
PSRemote, or PowerShell Remote, provides command-line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including the use of dedicated PowerShell exploit tools.
Cassandra wants to attack a WPS-enabled system. What attack technique can she use against it?
Pixie dust
The Dirty COW attack is an example of what type of vulnerability?
Privilege Escalation
What is the default read-only community string for many SNMP devices?
Public
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Quarterly
Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords?
Rainbow tables are listed of pre-computed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known values. This is done via a relatively fast database lookup, allowing fast "cracking" of hashed passwords, even though hashes aren't reversible.
Which one of the following activities is not part of the vulnerability management life cycle?
Reporting
What terms describes an organization's willingness to tolerate risk in their computing environment?
Risk appetite
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?
Run the scan in a test environment
Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely looking to use on this server?
SMB exploit
Which of the following is not an example of a vulnerability scanning tool?
Snort
Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?
Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool for use in this scenario.
Which one the following factors is least likely to impact vulnerability scanning schedules?
Staff availability
Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?
Static code analysis
What attack technique can allow the pen-tester visibility into traffic on VLANs other than their native VLAN?
Switch spoofing relies on a switch interface that is configured as either dynamic desirable, dynamic auto, or trunk mode, allowing an attacker to generate dynamic trunk protocol messages. The attacker can then access traffic from all VLANs.
Charles uses the following hping command to send traffic to a remote system. Hping remotesite.com -S -V -p 80 What type of traffic will the remote system see?
TCP SYNs to TCP port 80. Charles has issued a command that asks hping to send SYN traffic (-s) in verbose mode (-v) to remotesite.com on port 80.
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?
TLS 1.1
Which one of the following protocols should never be used on a public network?
Telnet
Chris runs an Nmap scan of 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?
The -T flag in Nmap is used to set scan timing. Timing setting range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very, very long time on a /16 network.
Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability test
The Federal Security Management Act (FISMA) requires that government agencies conduct vulnerability scans.
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information?
The OpenSSH vulnerability
Charles has recently completed a vulnerability scan of a system, and needs to select the best vulnerability to exploit from the following listing: 1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows) 2. OpenSSH Denial of Service and User Enumeration Vulnerabilities (Windows) 3. MySQL/MariaDB weak password Which of the entries should Charles prioritize from this list if he wants to gain access to the system?
The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.
Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
The Script Kiddie output format that Nmap supports is entirely for fun-you should never have a practical need to use the -os flag for an actual penetration test.
During an early phase of his penetration test, Mike recovers a binary executable file he wants to quickly analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?
The Strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files, since you can quickly check for useful information with a single quick command-line too.
Jessica wants to list the domain password policy for a Windows domain. What net command can she use to do this?
The Windows net commands can display a wealth of information about a local domain, and the password policy can be reviewed by using the net accounts /domain command.
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers?
The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and the other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use.
Cynthia attempted a DNS poisoning attack as shown here. After her attempt, she does not see any traffic from her target system. What most likely happened to cause the attack to fail?
The injection was too slow.
A few days after exploiting a target with Metasploit Meterpreter payload, Robert loses access to the remote host. What most likely happened?
The system was rebooted
Why would a penetration tester look for expired certificates as part of an information-gathering and enumeration exercise?
They indicate services may not be properly updated or managed.
Ron wants to use arpspoof to execute a man-in-the-middle attack between target host 10.0.1.5 and a server at 10.0.1.25, with a network gateway of 10.0.1.1. What commands does he need to run to do this? (Choose two.)
To fully act as a man in the middle, Ron needs to spoof both the server and target so that they each think that his PC is the system they are sending to. Spoofing the gateway 10.0.1.1 or broadcast address 255.255.255.255 will not serve his purposes.
Which of the following tools will not allow Alice to capture NTLM v2 hashses over the wire for use in a pass-the-hash attack?
Unlike the other options listed here, Mimikatz pulls over hashes from the lsass process. Since the question specifically notes "over the wire," Mimikatz is the only tool that cannot be used for that.
During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?
VLAN hopping
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
VM escape
Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
Vulnerability Age
Mika runs the following Nmap scan: Nmap -sU -sT -p 1-65535 example.com What information will she receive?
Vulnerability scanner. UDP scan. TCP connect/full connect scan, meaning the user can't create raw packets for a SYN scan or is scanning an IPv6 network. Results for ports 1-65535.
Which of the following tools provides information about a domain's registrar and physical location?
Whois provides information that can include the organiztion's physical address, registrar, contact information, and other details.
Which one the following OS should be avoided on production networks?
Windows Server 2003
After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?
Windows. Port 3389 is Remote Desktop Protocol (RDP).
What technique is being used in the following command: Host -t axfr domain.com dns1.domain.com
Zone Transfer. The axfr flag indicates a zone transfer in both dig and host utilities.
Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he likely to have to use to successfully scan hosts from this account?
-sT the TCP connect scan is often used when an un-privileged account is the tester's only option.
What is the full range of ports that a UDP service can run on?
1-65,535
What is the most recent version of CVSS that is currently available?
3.0
Rick wants to look at advertised routes to his target. What type of service should he look for to do this?
A BGP looking glass
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass?
A MAC address filter
What type of wireless attack focuses on tricking clients into using less secure protocols?
A downgrade attack
Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility she is testing. If she cannot find a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?
A thumb drive drop
Karen identifies TCP port 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate the services running on these ports?
A web browser. Many system administrators move services from their common service ports to alternate ports and 808 and 8443 are likely alternate HTTP (TCP 80) and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports to check them.
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Chris wants to set up a false AP, which tool is best suited to his needs?
Aircrack-ng has fake-AP functionality built in, with tools that will allow Chris to identify valid access points, clone them, disassociate a target system, and then act as a man in the middle for future traffic.
For what type of activity would you use the tools HULK, LOIC, HOIC, and Slow Loris?
All of these tools are DoS tools. While some of them have been used for DDoS attacks, they are not DDoS tools of their own.
What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?
Asset Inventory
Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
Au
What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?
Bluejacking
In what type of attack does the attacker place more information in a memory location than is allocated for that use?
Buffer overflow
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
C (Complete)
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
CPE (Common Product Enumeration) is a SCAP (Security Content Automation Protocol) that provides standardized nomenclature for products names and versions.
Jessica is reading reports from vulnerability scans run by a different part of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS (Common Vulnerability Scoring System)
Steve has set his penetration testing workstation up as a man in the middle between his target and a FTP server. What is the best method for him to acquire FTP credentials?
Capture traffic with Wireshark
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Once Chris wants to set up a false AP, which tool is best suited to his needs?
Chris can use ARP spoofing to represent his workstation spoofing to represent his workstation as legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can act as a man in the middle. Network sniffing is useful after this to read traffic, but it isn't useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials.
Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?
Consult the SOW
What approach to vulnerability scanning incorporates information from agents running on the target servers?
Continuous monitoring
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Chris cross compiles code for his exploit and then deploys it. Why would he cross-compile code?
Cross-compiling code is used when a target platform is on a different architecture. Chris may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation.
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
Cross-site scripting
Lisa wants to enumerate possible user accounts and has discovered an accessible SMTP server. What SMTP commands are most useful for this?
EXPN and VRFY
Which of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?
Encryption
Cynthia wants to find a Metasploit framework exploit that will not crash the remote service she is targeting. What ranking must the exploit she chooses meet or exceed to ensure this?
Excellent
John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a a port scan but can not install other tools to do so. Which of the following tools is not usable as a port scanner?
ExifTool
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?
Exiftool is designed to pull metadata from images and other files.
Ellie has placed her workstation as the man in the middle, shown in the following image. What does she need to send at point X to ensure that the downgrade attack works properly?
FIN, ACK
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False positive
Gary is conducting a black box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?
Full external scan. This is a black box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.
After gaining access to Windows system, Fred uses the following command: SchTAsks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished?
He has scheduled his own executable to run weekly
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
He has set up PSRemoting.
Kevin recently identified a new security vulnerability and compute its CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into?
High
Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them?
High priority; exploit early
Christina wants to use THC Hydra to brute-force SSH passwords. As she prepares to run the command, she knows that she recalls seeing the -t flag. What should she consider when using this flag?
Hydra uses 16 parallel tasks per target by default, but this can be changed using the -t flag.
What software component is responsible for enforcing the separation of guest systems in a visualized infrastructure?
Hypervisor
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
IDS
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and
Which one the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
Inclusion of a public encryption key
Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?
Internet of Thing (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans.
Charles to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose?
Kismet is specifically designed to act as a wireless IDS in addition to its other wireless packet capture features. WiFite is designed for wireless network auditing, Aircrack provides a variety of attack tools in addition to its capture and injection capabilities for wireless traffic. SnortiFi was made up for this question.
Which one the following values for the CVSS access complexity metric would indicate the specified attack is the simplest to exploit?
Low
Ellie wants to clone an RFID entry access card. Which type of card is most easily cloned using inexpensive cloning devices?
Low frequency 125 to 134.2 KHz card
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?
Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.
Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks?
APNIC (Asian Pacific Network Interface Card)
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?
After compromising an internal host
Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
Database Tables
Lauren has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?
Dictionary attacks
