PT0-001 n0735 f02 h19h1y 3ff3c71v3 p30p13. Cha 4
Vulnerability scanning is not necessarily _______________________________ Some tools (like Tenable Nessus) provide plugins that connect to services and send actual exploits. It is important to understand the tool's capabilities while discussing scoping and the technical limitations as part of client relationship management, contracts, and reporting.
"no exploitation."
Adversarial Tactics, Techniques and Common Knowledge _____________ matrix
(ATT&CK)
Common Attack Pattern Enumeration and Classification ____________
(CAPEC)
A weakness in computational logic found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. _______ provides a list of identifiers for publicly disclosed vulnerabilities. Each ______ is maintained by the ______ Numbering Authority (CNA).
(CVE)
Common Weakness Enumeration _______
(CWE)
The OWASP Web Application Security Testing Cheat Sheet provides a list of activities to be performed during web application testing. It lists multiple steps to follow when assessing application password functionality:
- Test password quality rules
- Test remember-me functionality
- Test password reset and/or recovery
- Test password change process
- Test CAPTCHA
- Test multifactor authentication
- Test for logout functionality presence
- Test for default logins
- Test for out-of-channel notification of account lockouts and successful password changes
- Test for consistent authentication across applications with shared authentication schemes
- Test for weak security question/answer
SCADA systems are made up of components like the supervisory workstation, RTUs, PLCs, communication infrastructure, and human-machine interfaces. Modbus is a popular protocol that operates on which default port?
502/TCP
CWE has over _______________________________________________ that are broken up into three categories, which evaluate each problem from a different point of view:
- Research concepts: Intended for academic research
- Development concepts: Weaknesses encountered during software development
- Architectural concepts: Weaknesses encountered during software engineering
700 common software security weaknesses
______________________ must strictly adhere to time constraints for the associated task. Availability and time to react are extremely important in the design of these systems. In a medical application, such as a pacemaker, the device stimulates the heart muscle at just the right time. If the task is completed too late or too soon, the patient's life could be at risk.
A hard RTOS
SCADA networks typically operate under the "if it ain't broke don't fix it" mentality and are not patched nearly as often as corporate networks. SCADA systems are delicate, fragile environments that were never really developed with security in mind. _________________________________________ against a SCADA component can cause catastrophic damage of mass proportion.
A single TCP or UDP port scan
Real-time operating systems (RTOSs) are typically found in embedded devices such as routers, IP cameras, health care devices, and so forth. There are multiple classifications of RTOS devices. Which classification must adhere to time constraints for an associated task?
All RTOS must adhere to these time constraints.
Which of the following best describes a hash collision attack?
An attempt to find two inputs that produce the same hash value.
__________________________________________ uses two different keys for both encryption and decryption. The secret key is only known by the author, and the public key is shared with anyone wishing to decrypt the messages. Common public/private key technologies are the Digital Signature Algorithm (DSA) and Ron Rivest, Adi Shamir, and Leonard Adleman (RSA). This application is mostly found in client-server models for authenticating access using digital certificates (X.509) or public key infrastructure (PKI).
Asymmetric key encryption
Program APIs
Based on RPC technology that makes a remote program component appear to be local to the rest of the software.
2017 OWASP Top 10: A5
Broken Access Control- Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as gaining access to other users' accounts, viewing sensitive files, modifying other users' data, altering users' data, modifying access rights, etc.
2017 OWASP Top 10: A2
Broken Authentication- Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
_____________________________________________________________________________________________. However, tools like John the Ripper (JTR), Cain and Abel, and Hashcat (https://github.com/hashcat) help increase the chances of successful password exploitation. JTR can conduct both dictionary and brute-force password attacks against common hashing algorithms. If you don't have a high-performance computing system composed of GPU clusters for Hashcat or RainbowCrack, using word lists is a quick and dirty way to find out what you are working with in regard to overall security.
Brute-force password attacks are very inefficient and are typically a last resort.
Tokens found within HTTP responses can be battle-tested for known security weaknesses, such as weak token attributes, session expirations, and token entropy (or lack thereof), using __________________________________.
Burp Sequencer
The _______________ is a comprehensive dictionary consisting of thousands of known attack patterns and methodologies that are broken up into two distinct categories: domains of attack and mechanisms of attack, which are common methods used to carry out exploitation.
CAPEC
The __________________________ is the de facto standard for documenting publicly disclosed vulnerabilities.
CVE Dictionary
The ____________ calculator is a comprehensive tool that uses qualitative factors within an equation to compute metrics, given certain environmental conditions. If there's one thing that management likes, it's numbers. It's not always easy as a security practitioner to plead the case as to why the organization needs more money in the budget to improve security. _____________ helps provide some justification for that cause.
CVSS
__________ provides a list of common software security weaknesses and mitigations for implementing good secure coding practices and software design.
CWE
MITRE is a nonprofit organization that provides access to public community resources for conducting vulnerability research and analysis. Which community resources are provided by MITRE?
CWE, CVE, CAPEC
NIST maintains the National Vulnerability Database (NVD) (https://nvd.nist.gov), which performs analysis on the vulnerabilities that have been published to the CVE Dictionary, using the _____________________________________________________.
Common Vulnerability Scoring System (CVSS)
A SCADA system can be made up of multiple components, including: __________________________________ Connects devices and facilitates communications using popular SCADA protocols such as DNP3 (UDP based) and Modbus (TCP based).
Communication infrastructure
2017 OWASP Top 10: A7
Cross-Site Scripting (XSS)- flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
___________________________________________ During this type of testing, you are evaluating how well a website or web application processes and filters user-supplied input.
Data Validation Testing
Web APIs
Designed to represent widely used resources like HTML pages and are accessed using a simple HTTP protocol. Often called REST APIs or RESTful APIs.
Web servers, web applications, and databases produce __________________________________ when they receive a request that cannot be processed.
Error codes and stack traces
MSSQL errors contain the _______________________________________________________________________________, which can provide the location in source code that is throwing the error.
Error number, severity, error message string, line number, procedure name, and state.
HTTP Code Status Family 4xx
HTTP Code Status- Client error
HTTP Code Status Family 1xx
HTTP Code Status- Informational Response
HTTP Code Status Family 3xx
HTTP Code Status- Redirection
HTTP Code Status Family 5xx
HTTP Code Status- Server error
HTTP Code Status Family 2xx
HTTP Code Status- Success
If an HTTP request is not properly sanitized, it can cause unsafe user-supplied data processed from HTTP forms, parameters, cookies, and ____________________________ to be passed on to the system for execution.
HTTP headers
HTTP parameters are assigned and typically managed and processed by the web application server. _____________________________________________ is used for entering arbitrary values into web parameters in an effort to cause an unexpected behavior that could lead to either a client- or server-side weakness such as HTML injection or command injection.
HTTP parameter pollution (HPP)
___________________________________________________________ are information gathering techniques that provide the necessary details to aid a pentester with vulnerability identification.
Host discovery, fingerprinting, and enumeration
A SCADA system can be made up of multiple components, including: _______________________________________ Operator application (typically a graphical user interface) installed on the supervisory system that is used to monitor and manage the supervisory control system.
Human-machine interface (HMI)
CVE identifiers:
- ID number
- Brief description of the vulnerability
- References or advisories
The categories covered in the MITRE ATT&CK matrix are:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Exfiltration
- Command and control
2017 OWASP Top 10: A1
Injection- SQL, noSQL, OS, and LDAP injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2017 OWASP Top 10: A8
Insecure Deserialization- This type of flaw often leads to remote code execution. Serialization is the process of turning an object into a data format or byte stream that can be restored at a later time. It is done to allow data to be stored or transmitted in a serial format for transport. Serialization breaks the opacity of an abstract data type by potentially exposing private implementation details. Trivial implementations which serialize all data members may violate encapsulation. Deserialization takes this serialized data and transforms it back into a data object. Even if this type of flaw does not result in remote code execution, it can still be leveraged to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
2017 OWASP Top 10: A10
Insufficient Logging & Monitoring- Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days.
__________________ start with a four-digit error number followed by a "-" and the error description.
MySQL errors
Vulnerabilities found during a Nessus scan represent the specific _____________________ that was generated from the scan.
NASL output
_________________________________________, Guide to Industrial Control Systems (ICS) Security (https://csrc.nist.gov), provides common weaknesses and vulnerabilities found in SCADA and ICS systems and how to apply necessary safeguards to the environment.
NIST Special Publication 800-82
Tenable ______________ is a remote vulnerability scanning tool that helps automate these processes and is one of the most popular commercial products on the market. _______________ provides a web-based user interface that enables users to execute either credentialed or noncredentialed scans, which are governed by ______________ policies.
Nessus
Nessus plugins are developed in Tenable's proprietary scripting language called the ___________________________________________________. Each plugin contains vulnerability information, remediation details, and the logic to determine the presence of a security weakness.
Nessus Attack Scripting Language (NASL)
_________________________________ scans show what the attack surface looks like to an untrusted user.
Noncredentialed
What is the prefix name for Oracle database management system errors?
ORA is the correct prefix for Oracle database errors.
_________________________________ help organizations with asset categorization and implementing industry best practices. Baselines help define a happy medium and tolerance to organizational policy, since not all technologies can be locked down as much as one would like.
Operating baselines
_______________________________ contain a prefix with the error code (e.g., ORA-0001), followed by a description of the problem.
Oracle errors
A SCADA system can be made up of multiple components, including: __________________________________ Similar to RTUs, with more sophisticated logic and configuration capabilities.
Programmable Logic Controller (PLC)
The CVE Dictionary is a standard used for documenting which type of vulnerabilities?
Publicly disclosed
Technology standards are enforceable and should ____________________________________________.
Reflect organizational policy
A SCADA system can be made up of multiple components, including: ____________________________________ Strategically placed on the network, close to the process being managed, and converts sensor signals and relays digital data back to the supervisory system.
Remote Terminal Unit (RTU)
2017 OWASP Top 10: A6
Security Misconfiguration- This is the most prevalent issue, resulting from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched and upgraded in a timely fashion.
2017 OWASP Top 10: A3
Sensitive Data Exposure- Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify weakly protected data in order to commit credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without ancillary protections, such as encryption of data at rest or in transit. Additionally, special precautions must be taken when data is exchanged via a browser.
___________________________ should use random number generators rather than simply incrementing static numbers. Otherwise, the user's sessions could fall victim to session hijacking or replay attacks.
Session Tokens
Web sessions are designed to accompany the user's interaction within the web framework. A unique __________________________ is generated by the web server or web application and lasts for the duration of the user's visit. A ___________________ (or token) can be stored locally on the user's hard drive as a cookie, form field, or URL. Each token is used to validate a user's session and can have a time-to-live value, depending on how the web framework is configured. These types of sessions are dynamically generated numbers, which should be difficult to guess. Similar to a hashing function, the token is used to verify the integrity of the user's request.
Session identifier.
Which type of XSS vulnerability is known as being persistent?
Stored
CAPEC Domains
- Social engineering
- Supply chain
- Communications
- Software
- Physical security
- Hardware
_____________ is an open-source penetration testing tool that automates the process of detecting and testing for SQL injection vulnerabilities.
Sqlmap
___________________________________________________ systems are a subset of ICS systems. The central purpose of a ______________ system is to pull data from ICS systems, coordinate transferring that data to a central place, and present it in a human-usable format so that components of the ICS can subsequently be controlled. A significant benefit from ______________ networks is alarm handling.
Supervisory Control and Data Acquisition (SCADA)
A SCADA system can be made up of multiple components, including: ________________________________ A computer or console, which is the core of the system that gathers data and sends commands to connected devices, such as RTUs and PLCs.
Supervisory workstation
Unlike hashing, encryption is reversible. By using a key, encryption allows plaintext data to be encrypted into ciphertext and decrypted back to plaintext. _______________________________________ relies on the same cryptographic key to both encrypt and decrypt the data. Common types of ___________________________________________ are the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES).
Symmetric key encryption
____________________________________________ is the collection of various configuration attributes during layer-4 network communications.
TCP/IP stack fingerprinting
Nessus plugins are written in which type of proprietary language?
The Nessus Attack Scripting Language (NASL)
Local APIs
The original API, created to provide operating system or middleware services to application programs.
2017 OWASP Top 10: A9
Using Components with Known Vulnerabilities- Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks.
________________________________ (or vulnerability assessment) is a methodical approach used to validate the existence of the vulnerability.
Vulnerability analysis
________________________________ is the process of prioritizing a vulnerability based on its usefulness to a malicious actor (i.e., does it allow remote code execution, facilitate privilege escalation, create data disclosure, or enable lateral movement?).
Vulnerability mapping
_________________________________ is the process of inspecting an information system for known security weaknesses. This process provides results with no validation.
Vulnerability scanning
CWE identifiers:
- Weakness ID
- Description of the weakness
- Extended description of the weakness
- Relationships to other views
- Modes of introduction
- Applicable platforms
- Common consequences
- Likelihood of exploit
- Potential mitigations
- Memberships
____________________________ is the process of mapping out the application framework and attempting to brute-force directories and filenames using a dictionary-based attack scheme.
Web enumeration
___________________________ is a technique used to provide invalid or random data as inputs to form fields, URL parameters, and so forth in an effort to elicit an error and an unintentional response that could identify a potential injection flaw.
Web fuzzing
DirBuster is a multithreaded Java application that can brute-force filenames and directories on web and web application servers using what type of dictionary?
Word list
2017 OWASP Top 10: A4
XML External Entities (XXE)- Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Burp Suite Pro is a web-based security assessment tool that provides the ability to proxy and service manual testing requests during a pentest. What is the name of a similar tool, developed by OWASP, that provides similar web application testing abilities?
Zed Attack Proxy (ZAP)
Nessus incorporates the CVSS scoring system from NVD when producing the risk information output. This helps with vulnerability mapping, prioritizing weaknesses, and identifying potential exploits for each host. A __________________________________ are provided along with an overall risk factor.
base and temporal score
Weaknesses that tend to be more prevalent in six common RTOSs are ___________________________________________________.
code execution, DoS, and overflows
Legacy hashing algorithms, such as MD4 and even MD5, are susceptible to ______________________________, where two unique inputs can produce the same hash value. In situations where security is not of primary concern, these hashing algorithms may be good enough for day-to-day use, depending on the organization's security requirements.
collision attacks
Authenticated scans, or ________________________________, help to reduce the number of false positives reported by a vulnerability scanner, but there are good reasons other than lessening inaccuracy to run credentialed scans—for example, being able to determine a vulnerability based on impact if someone has a valid credential, or validating permissions or specific configurations without the need for exploitation in fragile environments.
credentialed scanning
Modern-day Unix and Linux passwords are protected using a password hashing function called ____________, which is based on the Data Encryption Standard (DES).
crypt()
An _____________________________________ is made up of a combination of computer hardware and software designed and programmed for a specific purpose. Microcontrollers and microprocessors are _______________________________ built with processors and memory and are commonly found in home appliances, like refrigerators, washers, and dryers, as well as health care devices, point-of-sale systems, vehicles, multifunctional devices (printers and scanners), telephones, televisions, cameras, and other Internet of Things (IoT)-based devices.
embedded system
The nmap ______________________________ contains thousands of entries, which includes IoT network services and operating systems.
fingerprint database
Like hard RTOSs, __________________________s are still time sensitive; however, they offer some flexibility, as missing a deadline may cause undesirable effects but nothing catastrophic.
firm and soft RTOS
Web servers have __________________________________ with many different individual status codes that fire off, depending on how the request was received or processed by the server.
five status code families
There are three classifications of RTOSs: _____________________________.
hard, firm, and soft
An _________________________________________ is a category of systems that relate to industry automation of all types, including manufacturing, power generation (power plants), water treatment and distribution systems, etc.
industrial control system (ICS)
There is an nmap NSE script that enumerates SCADA modules and collects device and vendor information available, called ______________________________. ____________________________ typically operates on port 502/tcp.
modbus-discover
Web and database server fingerprinting is a critical task for a pentester. The objective is to determine the ______________________________________ of the underlying technology and to investigate if the version is susceptible to any publicly known vulnerabilities.
product and version number
Some embedded systems provide a user interface that closely resembles modern-day operating systems, called a _____________________________________________________________, which is a stripped-down version of commonly deployed operating systems, such as Linux and Microsoft Windows. An ___________ is required to adhere to deadlines associated with tasks, regardless of what happens in the system. Some common ___________s are LynxOS, OSE, QNX, Real Time (RT) Linux, VxWorks, and Windows CE (WinCE). There may be some similarities between ___________s, such as several of them being derived from Linux; however, not all __________s are the same.
real-time operating system (RTOS)
A _________________ file, found at the top-level directory of a host, is used to restrict web indexing capabilities for web crawlers like Google and Bing. Web crawlers look for this file first for instruction before traversing through a website.
robots.txt
During a pentest, you discover a sitemap.xml file and a crossdomain.xml file. These files can provide useful information for mapping out web directories and files that would otherwise have to be brute-forced. What is the name of another file that can provide URLs and URI locations that restrict search engines from crawling certain locations?
robots.txt
A cryptographic hash function is a type of algorithm that takes variable-length strings (message) of input and turns them into fixed-length hash values (message digest). The primary objective is message integrity, such that the hash value cannot be returned to its original string value. This makes hashing an ideal candidate for __________________________ The most common hashing algorithms today are Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1 and SHA-2).
storing passwords.