CenPentestfinal
Full connect scan VS. Stealth scan
#A full connect scan will connect with the host and learn as much about the target as possible, however this type of scan can be noisier and alert devices of a possible intrusion. It is the complete 3-way handshake. #In contrast, a stealth scan doesn't create as much noise on the network so the team will have a better chance of remaining undetected. Stealth scan doesn't complete the 3-way handshake.
Daemons vs. services
#Daemons are the background service in the Linux operating system that runs as a process with the letter "d" after it (e.g., httpd, sshd, ftpd). sshd is the ssh daemon used in linux to provide SSH connectivity. Daemons don't restart automatically upon reboot, unless they're programmed that way. Daemons require extensive programming languages. #Services such as cron job have a specific schedule set and don't run continuously. Services can reboot automatically upon reboot. Services don't require extensive programming languages and are relatively simple to create. NOTE: Services are not the only way to add a program or a command to restart upon reboot, we can also add the same program or command to the registry keys. NOTE: When comparing daemons with services, remember the comparison between windows services and task scheduler. That's why daemons are very much similar to windows services.
Sanitization Escaping
#It is the process of stripping user-supplied input of unwanted or untrusted data so that the application can safely process that input. Sanitization protects the application from SQL injection, XSS and other injection attacks. #For XSS, the most prominent type of sanitization is escaping HTML special characters such as angle brackets (< and >) and the ampersand (&) to prevent them from being processed by the browser with the user input. Escaping or encoding. is the process of replacing HTML characters with entities. NOTE: encoding won't work in cases where the application needs to accept HTML.
Removing shells (post-engagement cleanup)
#Make sure to remove any values added to the HKLM and HKCU Run Registry keys that start a shell on a Windows system during boot. #On Linux, depending on the distribution, scripts in /etc/init.d/ and /etc/systemd/ are examples of similar run-on-boot functionality. #remove any scheduled task in task scheduler in Windows or in linux cron tab file that call a shell. Remove hidden daemons or services.
What is a good standard to use when presenting your team's penetration test findings? When using the PTES standard, what classifications of vulnerabilities might your team address?
#PTES (Penetration Testing Execution Standard) #Technical and Logical classifications of vulnerabilities should be addressed by the Pentest team members while using the PTES standard.
Protocols (in pentest+ version) risk gap Browser hijackers.
#Protocols are the rules and formats enabling systems to exchange data. A single network will involve the use of many different protocols. In general terms, a protocol defines header fields to describe each packet, a maximum length for the payload, and methods of processing information from the headers. #risk gap is when the system is at most risk. That is the duration when the vendor releases patch and the patch is "actually" finally applied. #Browser hijackers accept the web request and direct the users to a different browser (or search engine) and maybe display persistent advertisements in an attempt to steal their information.
PenTest engagement follow-ups
#The client has to accept your report and findings, backup with appropriate evidence of what's been found. Then, (to test mitigation recommendations again) 1) Scheduling additional tests with the client organization. 2) Working with the security team that will implement your recommended mitigations 3) Checking back with the client to see how their mitigation efforts are going. 4) Researching and testing new vulnerabilities that your team discovered during the test. 5) Researching the vulnerabilities for which the team could come up with the appropriate mitigation technique. 6) Informing the organization when/if a mitigation tactic is eventually found. NOTE: during mitigation suggestion to the client, provide them with cost base analysis (CBA) of implementing your recommended mitigations. Attestation is the most important component while gaining client acceptance. During retest is when you review lessons learned!!!!!!!!!!!!!!!! Gotta schedule for retest according to the client's schedule.
When your team begins creating their final PenTest report, what are some of the general considerations about the target audience that they must think about before they start writing?
#The systems that were tested #The stakeholders #Whether the team is an external or internal entity.
Post Exploitation
#The techniques performed after the initial attack are commonly referred to as post-exploitation phase. #Foothold gained is leveraged to access data or spread to other systems within the network #The primary goal is typically to demonstrate the impact that the vulnerability and access can pose to the organization Post exploitation activities includes the following: Lateral movement, workarounds in restrictive shells, pass the hash attack etc.
Overly verbose errors Verbose comments in source code lack of code signing. race conditions
#This falls under insecure coding practices. Whether intentional or not, some apps reveal a great deal about a code's structure and execution through error messages returned to the user. A simple form injection might return a SQL error revealing a table's column names, for example. #Comments are not supposed to be truly hidden from the client, just suppressed in the marked-up language. That's verbose comments in source code that are one of the ways coders execute insecure coding practices. #Lack of code signing means the lack of digital signature in the code. #These occur when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Issues arise if these events fail to execute in the order and timing intended by the developer. For example, an app can check that a file exists and then use it later. You may be able to replace the file after it is checked by the app but not yet used; this can trigger app instability or privilege escalation.
Mitigation strategies to secure passwords that should be addressed to the clients.
#Use SSH, not telnets, use HTTPS not HTTP, use FTPS not FTP. #Hash passwords instead of keeping it in plaintext. #Use SHA-256 or bcrypt (for cryptographic hash) #Use encryption standards such as AES-256 and RC6 #Avoid using network access protocols that use weak cryptographic hash such as DES and 3DES. #Ensure IDS and IPS can monitor "unencrypted" traffic.
Restrictive Shell
#changing directories is not allowed. #specifying absolute pathnames with slash (/) doesn't work and, #the output is being redirected. That's the restrictive shell situation in Linux. Use workarounds in this situation using python, perl or even vi. An e.g of python command to workaround: python -c 'import pty; pty.spawn ("/bin/bash")'
nmap -iL vs. nmap -sL
-iL : scans the list of the servers -sL : "only" lists the servers (doesn't scan)
-iL vs. -sL
-iL option in nmap will list the servers along with their IP addresses. -sL option will only list the servers that should be scanned.
Your client wants to harden their system. They have asked you for advice. What are some of the techniques available to achieve this?
1) Checking with any industry standards organizations that the client needs to comply with to see what guidelines they have for system hardening 2) General standards for hardening are offered by ISO, SANS, NIST, CIS (Center for Internet Security), and more. 3) Installing any patches and updates hardware manufacturers and software publishers have available 4) Incorporating a patch management/change management process to optimize the patching process 5) Ensuring systems are incorporating firewall and anti-malware solutions 6) Ensuring firewalls are configured to uphold the principle of least privilege 7) Disabling specific ports or services that aren't needed 8) Uninstalling any software that isn't needed 9) Ensuring hosts are properly segmented from other hosts on the network
Ways to obtain older website information
1) Do a quick check: for e.g: cache:https://comptia.org or cache:https://google.com 2) Do archived search using Wayback machine (a tool). 3) Use a web cache viewer extension, that allows you to quickly customize your search, visit recently viewed pages, or revert back to an older page, to see what information you can discover.
Suggestions abt how to store passwords or manage it.
1) Don't allow developers to hard-code credentials in apps. 2) Hash stored passwords rather than storing them in plaintext. 3) Use cryptographically strong hash functions, like SHA-256 and bcrypt. 4) Avoid cryptographically weak hash functions, like MD5 and SHA-1. 5) Use network access protocols that encrypt passwords in transit. For example, use SSH instead of Telnet, HTTPS instead of HTTP, FTPS instead of FTP, etc. 6) Ensure network access protocols are using strong ciphers, like AES-256 and RC6. 7) Avoid using network access protocols that incorporate weak cryptographic ciphers, like DES and 3DES. 8) Disallow or reconfigure services that allow themselves to be negotiated down to a weaker cryptographic or protocol version. 9) Ensure security solutions like IDS and data loss prevention (DLP) can monitor and manage unencrypted traffic in the network.
Some tools that can be used when working on a LAN:
1) Impacket tools is a open-source collection of tools used when PenTesting in a Windows environment. The Impacket library provides methods for several attacks such as an NTLM and Kerberos authentication attacks, pass the hash, credential dumping, and packet sniffing. 2) Responder is a command line tool in Kali Linux used to poison NetBIOS, LLMNR (Link-Local Multicast Name Resolution) , and MDNS name resolution requests. 3) mitm6 is an IPv6 DNS hijacking tool that works by first replying to DHCPv6 messages that set the malicious actor as DNS server. It will then reply to DNS queries with bogus IP addresses that redirect the victim to another malicious host. NOTE: Use the command "Searchsploit" ( the tool included in the exploitdb package in Kali Linux) to find all the exploits in the exploit database (ED) using Kali Linux.
Implementing people security controls
1) Implement technical controls 2) Have management set security tone and lead by the example. 3) Train people in proper security measures 4) Constant reinforcement and reminders 5) Implement penalties for non-compliance. 6) Reward groups that have no incidents 7) Avoid complacency (this is when incident that should not have avoided tend to occur) 8) Give users a sense of ownership in the process.
Cloud storage containers' vulnerabilities
1) Incorrect permissions : when cloud containers are created, the username/password maybe defaulted to public settings. So, proper configuration is required to change the default settings. 2) Incorrect origin settings: This is regarding sending info to CDN from the containers.
Your team has asked advice on some passwords they have found traces of, on Windows devices that are stored in the Security Account Manager (SAM). You inform the team that passwords are usually stored as one of two types of hashes. What are those two types?
1) LanMan (LM) hash: Before hashing, passwords are converted to uppercase and then either truncated or padded to become 14 characters long. The actual value that is stored is not the password hash itself. Instead, the hash is divided into two 7-byte parts, each of which is used as a 56-bit DES key to encrypt the fixed string "KGS!@#$%". Because the hash is unsalted, it is susceptible to dictionary and rainbow table attacks. 2) NT hash: This is a simple MD4 hash of the password (encoded as UTF-16 little endian). It is unsalted but allows passwords up to 128 characters long.
Securing physical access to the building.
1) RFID card in the elevator 2) Keypad/passcode outside the building 3) Biometric controls 4) Multifactor authentication (Combination of passcode and RFID Password) NOTE: for biometric controls comptia recommends fingerprint or iris scanners. Could use Face ID scanning too.
Findings that should be addressed during "remediation suggestion to client" phase.
1) Shared local administrator credentials 2) Weak password complexity 3) Plaintext passwords 4) NO multi-factor authentication 5) SQL injection, XSS and other code injection 6) Unnecessary open ports and services. 7) Physical intrusions NOTE: Appendix is the extra supporting documents or attestation of findings that could be valuable or add additional proof to the findings. For e.g: screenshots of network activity, test results etc.
Rafi has asked your team to review some of the basic options listed in the SET opening menu. When you launch SET, what will you see as options?
1) Social Engineering Attacks 2) Penetration Testing (Fast-Track) 3) Third Party Modules 4) Update the Social Engineer Toolkit 5) Update SET configuration 6) Help, Credits, and About 99) Exit the Social Engineer Toolkit
Vulnerability Classification Levels
1) Technical vulnerabilities: OSI layer vuln Scanner found Manually identified Overall exposure 2) Logical vulnerabilities: Non-OSI layer vuln Type of vulnerabilities How/Where it was found Exposure.
Once the team has gathered the intel on the target, you'll want to determine the best plan of attack when preparing the attack phase of the PenTest. List some of the guidelines that will help your team be better prepared.
1) Use gathered technology information to identify potential vulnerabilities and consider ways to weaponize them in future phases. 2) Focus on findings that are actionable and relevant. 3) Determine how public IP addresses map to resources like web servers that you can later target. 4) Leverage information from third-party sites to learn more about an organization and its people and consider ways the information can be used in a social engineering test. 5) Document your findings for future reference.
WPScan (WordPress Security Scanner) ScoutSuite OllyDbg truffleHog
1) WPScan (WordPress Security Scanner) is a tool that automatically gathers data about a WordPress site and compares its findings of plugins against a database of known vulnerabilities. 2) ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud. 3) OllyDbg is a debugger included with Kali Linux that analyzes binary code found in 32-bit Windows applications. 4) The truffleHog tool is used to automatically crawl through a repository looking for accidental commits of secrets within GitHub.
Commands to avoid detection in nmap
1) sF nmap -sF www.company.tld This option sends a TCP FIN to bypass a non-stateful firewall. 2) -f nmap -f 192.168.1.50 This will split the packets into 8-byte fragments to make it harder for packet filtering firewalls and intrusion detection to identify the true purpose of the packets. 3) --randomize-hosts nmap --randomize-hosts 192.168.1.1-100 This option will randomize the order of the hosts being scanned.
null byte
A character with a value of zero that is used in most programming languages to indicate the termination of a string. Null byte can aide in making the directory traversal attack successful. For example, the web server enables users to access any file in the /var/www directory that has .php extension and nothing else. Even if you can traverse the file system to break out of that directory, you may not be able to access a specific file if it doesn't end in .php. The poison null byte, however, can get around this by using the following command: http://site.example/page.php?file=../../etc/passwd%00 This indicates to the web app to drop the .php extension that it otherwise expects, enabling you to retrieve the passwd file.
When communicating with a remote Linux-based machine, it's common to use SSH. What happens during an SSH session?
A client initiates the communication process by contacting the server. If the server accepts the request, the client will provide host information and appropriate credentials. A server has an SSH daemon that listens for client requests. When a client initiates a request, the server will check the host information and appropriate credentials, and then once accepted, both parties will establish a connection.
Dormant VM and it's risks
A dormant VM is one that is created and configured for a particular purpose and then shut down or even left running without being properly decommissioned, making it vulnerable to cloud-related attacks. VM sprawl is another risk involved with virtualized environment.
MITRE Corporation
A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.
LSA Secrets
A protected area in the Windows Registry that stores passwords and other secret data. The Windows Local Security Authority (WLSA) uses LSA secrets. NOTE: LSA protection is the best defense against the attack on local security authority or LSA.
What should your team recommend to the client to help analyze the progress made in applying the mitigations to the attack vectors that were found during the penetration test.
A retest for the confirmation of the existence of the attack vectors and that the mitigations that have been applied actually work.
allow list
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on a whitelist.
During fingerprinting the team can use passive or active OS scanning. Which is the preferred method and why?
Active scanning
VM escape
An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. The attacker must be able to detect the virtualized environment to undertake VM escape, so that should be safeguarded.
Certificate pinning
An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, Company.com wants to mitigate the impact of similar incidents. Which of the following would assist Company.com with its goal? Ans: certificate pinning #A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks. #Assigning a particular certificate public key to connect to a website, and if the different one is provided, connection is rejected without any further checks.
ScoutSuite
An open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. For e.g: the team can configure rulesets to categorize each object with a severity level, if a policy is violated. The rule such as : "allow-unauthenticated - access - to - S3 - bucket" : [{ "enabled" : true, "level" : "danger"}] would flag unauthenticated access to a Simple Storage Service (S3) bucket with a severity level of "danger". NOTE: other audit tools are Prawler (for AWS), Pacu (exploitation framework for testing security in AWS), Cloud Custodian (OS cloud security, governance, and management tool designed to help the administrator create policies based on resource types.)
schtasks
As a pen tester, it is highly effective to use schtask via CLI (command line interface) for maintaining persistence. For e.g: scheduling a file name "backdr" that runs once every 30 days would require the following command in the CLI. schtasks /create/tn backdr/tr C: \files\backdoor.bat /sc DAILY / mo 30 /ru Here, /ru specifies the user content under which the task runs. /sc specifies the schedule frequency. /mo is the modifier that refines the value by being more specific about the schedule type. Ref: https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks?redirectedfrom=MSDN
attack narrative
Attack narrative should be able to show the correlation between the methodology that was mentioned and the "actual" activity that was performed. It provides the detail steps of the activities performed during penetration testing procedures. In cases, where an event occurred which resulted in the change of the scope, the attack narrative will mention the steps and procedures of it. Change of scope affects the cost, so it's a good way to get some reference about what to expect in regards to cost.
Weaponizing IoT devices
Attackers try to leverage IoT protocols such as CoAP (Constraint Application Protocol) and MQTT (Message Queuing Telemetry Transport) to launch denial of service attack (DoS attack). If a device is vulnerable, a malicious actor can infect an IoT device with malware and then turn the device into a zombie. Once infected, the device will wait for instructions from the command-and-control (C2) server to launch a Denial-of-service attack on a target. One example is the Mirai bot, which was malware that spread to thousands of IoT devices like IP cameras and baby monitors that still had their default credentials set. #Denial of sleep attack on IoT makes the devices respond to requests constantly resulting in the drainage of the battery of the OS.
Hard coded credentials
Backdoor username/passwords left by programmers in production code. These username/passwords could be exposed via XSS and SQL injection.
Bind shell or reverse shell, which one is more effective while attacking in the modern network?
Bind shell could be blocked by firewall easily because firewalls don't allow outsiders to connect to open ports. So, try reverse shell during attack because it can bypass firewalls. The target itself tries to connect to the attacker so firewall doesn't care. Also, during bind shell, attacker must know IP address of the target.
BLE devices
Bluetooth low energy or BLE devices (almost same as bluetooth) are used in abundance in IoT devices because it uses bluetooth using very low energy. It is vulnerable to sensitive data leakage even though it transmits power in short range. So, it's best to do the assessment of BLE devices during Pentest even though the scope for hijacking BLE is quite complicated because of the short range it uses to transmit power.
BIA in pentest+
Business Impact Analysis in pentest+ is evaluating the consequence of the defects lingering in the client's system that could be exploited by the malicious actor. Different types of attack vectors discovered during penetration testing could have different cost and consequences involved and BIA should help the client understand that. NOTE: Suggesting remediation is Penetration testers duty, but either the client executes the suggestions or not doesn't fall under Pen testers duties.
CWE vs CVE of MITRE corporation
CWE: lists weaknesses in hardware and software. CVE: lists vulnerabilities in a particular products.
Types of attack in VMs
Class 1 : attack happens outside of the VM. Class 2: attack directly affects a VM Class 3: attack originates within the VM and is the attack source.
What are some of the techniques your team should look for to discover where the adversary is attempting to maintain a foothold?
Common persistence techniques include: 1) New user creation 2) Remote access services 3) Backdoors and Trojans 4) Bind and Reverse Shells 5) Services and Daemons 6) Registry Startup 7) Scheduled Tasks
During discovery, the team will most likely index network services and shares. List some common services to enumerate prior to exploiting the LAN.
Common services to enumerate include the following: File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Domain Name System (DNS) Hypertext Transfer Protocol (HTTP) Server Message Block (SMB)
CSV (comma-separated values)
Complex data files can be transported as a CSV file in plain text. Each entry in the CSV file is a field, and the fields are separated by commas.
Many companies adhere to a structured mobile device implementation model which describes the way employees are provided with devices and applications. Describe two or three deployment models.
Device deployment models can include: Bring your own device (BYOD)—the mobile device is owned by the employee; however, it must be corporate compliant in terms of OS version and functionality. Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business. Corporate owned, personally enabled (COPE)—the device is supplied and owned by the company. The employee may use it to access personal email, social media, and web browsing; however, they must be compliant with any acceptable use policies in force. Choose your own device (CYOD)—much the same as COPE; however, the employee can select a device from a curated list.
Just a quick info abt "directory traversal" via JD.
Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
When searching 515support.com's webpage, the team checks the robots.txt file. To make sure the web crawlers don't index the wp-admin directory, what should be added to the file?
Disallow: /wp-admin/
Dradis Framework
Dradis framework helps to reduce repetition and increase reach to the findings and outcomes of a client organization by allowing team members to share data and findings. https://dradisframework.com/ce/
Consequence of error and debugging messages
Error and debugging messages could contain the full pathname of the server, and as a result, it could initiate "Directory Traversal attack", which could allow access to commands, files and directories that may or may not be connected to web document root directory. That's why handling error messages correctly or securely is very important. Don't need to put all of those information about the system in the error message.
Mobile device security tools and frameworks
Examining mobile application code is done during forensic analysis by the reverse engineering team. It examines the code by analyzing what happens if it is executed. Tools that can be used for reverse engineering are Frida and objection. NOTE: Objection uses Friday to inject object into the application and then monitors the behavior. Can also simulate the environment by injecting the object into the iOS application secured by sandbox environment, to understand the behavior of the application. And the framework that is used for evaluating HTTP Application Programming Interface (API) is called Postman. #Drozer is the application testing framework for android devices. It lets you inject object into the application to observe the application's behavior as it interacts with the other app. NOTE: F-secure has discontinued use of Dozer.
Sections important during report
Executive summary Scope details Methodology Attack narrative Findings Risk rating Risk prioritization Metrics and measures Remediation Conclusion Appendix or supporting evidence
How to calculate actual RISK APPETITE?
First calculate risk by multiplying impact by probability i.e RISK = impact x probability Then compare the risk with the acceptance level of the risk of the company.
While comparing and contrasting written reports, how do the internal team and external team differ from each other?
For internal teams, their representatives from the upper management might overlap. For external teams, which are usually consultant management teams, hire different individuals for those upper level duties. There's less chance of it being overlapped. So, while addressing those individuals in the report, pentest team might have to jot down their individual expertise accordingly. NOTE: third-party stakeholders who need to be addressed in the pentest report are the investors, providers, regulators and similar entities.
Threat actors follow the same main process of hacking as a professional PenTester: Reconnaissance, Scanning, Gain Access, Maintain Access, and Cover Tracks. What steps are added during a structured PenTest?
Formalized or structured PenTesting includes: 1) Planning and scoping along with 3) Analysis and reporting.
Functions
Functions, or Procedures, are used to produce modular, reusable code. Functions allows us to group a block of code under a name and call this named function whenever we like. Function is defined using the following syntax: def fullname (name, surname): return name + " " + surname #This ends the function definition (comment in python)
KPIs
Have KPIs that management can use at-a-glance to see the security effectiveness of new technology. Examples include: 1) Overall security incident trends 2) Length of time between a discovered vulnerability and its remediation 3) Length of time between incident/problem and recovery/resolution 4) Rate of recurrence of the same security problem
When scanning, the team notices that a firewall is blocking the default ICMP pings. What other options can they try?
If a firewall is blocking the default ICMP pings, they can try using one of the following commands: TCP ACK Ping: -PA <portlist> UDP Ping: -PU <portlist> SCTP Initiation Ping: -sY <portlist> TCP SYN Ping: -PS <portlist>
Tailgaiting vs Pigg backing
If both terms appear on a question, the only difference between the two are tailgaters have (fake?) ID badge while piggy backers do not. So, in tailgaiting employees know, piggy backing is sneaking without acknowledgement. If these terms appear in separate questions, they mean the same thing.
Why is it essential to test to see if the DNS nameservers are properly secured and configured correctly?
If not properly configured, an unauthorized server can request the zone file from the host nameserver by posing as a client nameserver. If successful, this can leak resource record information.
While you are advising the PenTesting team on cleanup, you should remind them about a possible tricky situation when removing their active directory (AD) account from a workstation. What is the thing that they need to watch out for?
If they created an AD account from a domain controller (DC) and then used that account to sign into a workstation, simply removing the account from the workstation will not remove it from the domain. They will need access to the DC to delete the AD account, otherwise a real attacker might be able to leverage this account by using it to sign into a DC.
Pivot vs. lateral movement
In pivot, you compromise one host and use to spread to other hosts. In lateral movement, u move from one host to another looking for vulnerabilities to exploit.
Your new team wants to use scripting to aid in their PenTesting project. They have heard that Bash is a good option but don't know much about it. What are some of the reasons why Bash scripting is useful in the world of PenTesting - what useful features does it have?
In the world of PenTesting, Bash scripting is useful for a wide variety of purposes, including: 1) Automating the creation of files and directory structures. 2) Quickly scanning and identifying actionable information in log and other text files. 3) Manipulating the output of existing security tools like nmap, tcpdump, Metasploit, etc. 4) Extending the functionality of existing system utilities and security tools.
An IoT device is equipped with sensors, software, and network connectivity. List two ways IoT devices can communicate and exchange data.
IoT devices can communicate and pass data in one of two ways: Machine-to-machine (M2M)—communication between the IoT device and other traditional systems such as a server or gateway Machine-to-person (M2P)—communication between the IoT device and the user
SSRF (Server-Side Request Forgery)
It is the attack in which the attacker takes advantage of the access between the server and its resources.
Management at 515support.com has been working hard at ensuring employees are well trained in identifying a phishing email. Concurrently the IT team has implemented strong spam filters to prevent phishing emails from getting to their employees. What is the RISK of an employees falling victim to a phishing attack using the following information? 75% = THREAT of a phishing email reaching an employee 40% = VULNERABLE employees that might fall for a phishing attack
Knowing that RISK = THREAT x VULNERABILITY, there is a 30% chance that the employees will fall victim to a phishing attack.
Your team wants to ensure that their test encompasses more than just a narrow selection of resources. They would like to try to gain access to the initial part of the environment and then spread out their attack to compromise additional resources. What is this process called?
Lateral Movement
Storage for local usernames and passwords in Windows and linux
Linux : /etc/passwd (use sudo cat/etc/shadow to check the type of algorithm used for hashing. Expect to see the most recent one SHA-512 these days) Windows: Sam database. %WINDIR%\System32\config\SAM
Authoritative Transfer (AXFR)
Mechanism by which a secondary name server obtains a read-only copy of zone records from the primary server. See also: Zone Transfer
AD account removal (removing test credentials)
Need access to DC (domain controller) to delete the AD account. Removing it just from the workstation won't help.
You've been asked to strengthen your client's security posture using network segmentation. What is a basic or common method of doing this?
Need to determine which services need to be internet-facing, which ones need to be both internet-facing and internally accessible, and which should be kept internal only. Network segmentation would separate these into different locations and only certain users and services would be allowed to communicate between the different segments. NOTE: implement role-based access control for communicating between different segments.
For backdoor access, RAT (remote access trojans) types
NetBus, Sub7, Back Orifice, Blackshades, pupy and DarkComet.
In the graphic "Nmap scan to determine vulnerabilities" what does Nmap list as a likely vulnerability and how does Nmap help to explain the vulnerability to the analyst?
Nmap lists for the http -slowloris-check that the target is likely vulnerable. In addition to listing the Common Vulnerabilities Enumeration (CVE) number, Nmap outlines some basic information about the vulnerability.
In cases where the PenTest target was a project for which developers are particularly responsible, they will also be directly involved in implementing the resolution and mitigation techniques that need to be addressed. What type of practices would your team recommend that they adopt?
Often, that can be addressed through Secure Software Development Practices.
What is one way that the situation could be addressed if your team's PenTest attempt is discovered?
One option is to de-escalate the test i.e to scale back until the defense is halted. Next, the team on the client side who is aware of the Pentest could de-conflict the breach, letting the Pen-Testing procedures continue.
During the PenTest, the team may need to assess whether or not they are able to create an exploit that can bypass the antivirus protection. How will they achieve this?
One way to achieve this is by using the Social Engineering Toolkit (SET) in Kali Linux. Using SET along with Metasploit, the team can create a malicious payload, such as a virus, worm, or Trojan, and embed the payload in a PDF.
What is a major necessity, in regard to your client or employer, during the process of a PenTesting project?
Open "Lines of Communication" with the client or employer's IT security team. Some categories of contact that should be established while opening lines of communication are as follows: 1) Primary contact : CIO 2) Technical contact: IT manager 3) Emergency contact: IT manager
What's the most effective means of preventing SQL injection attack?
Parameterized Queries. It's the best form of input sanitization. also called prepared statement, processes SQL input by incorporating placeholders for some of a query's parameters. For e.g: if the query says x' or 'x' = 'x in the username field, the database will look for that query to compare with when the request to connect to the SQL database is executed
Shared folders vulnerability
Privilege escalation on both linux and windows OSs.
As part of the process of moving through the system, the PenTest team encounters a major challenge: they do not have access to the resources they need. What options should their manager recommend that they try?
Privilege escalation. There are two important ways in which this is performed that need to be taken into consideration 1) Vertical Privilege Escalation is to obtain access to an account of higher privilege than the one you currently have, in order to enable administrative resources that the regular user does not have permission for. 2) Horizontal Privilege Escalation is obtaining access to a regular user account of different privilege than the one currently in use, to enable private resources you otherwise do not have permission for.
With PCI DSS, a Level 1 merchant must have an external auditor perform the assessment by an approved _____.
QSA (Qualified Security Assessor)
The Onion Router (TOR)
Redirects connections through proxy servers in order to provide a method to exchange data anonymously. NOTE: proxychains4 is configured to use TOR by default, but it can also be downloaded later. Free routing software that has thousands of layers, all encrypted, relayed across thousands of networks to avoid detection.
Remove all evidence or just clear logs and entries to cover the traces?
Removing just logs and entries could fool the investigator, but still it will be evident that the attack has taken place. So, it's best to remove all the evidence, 100% of it.
MOST effective way to identify false positives.
Results validation #Through the validation process it's possible to compare the the environment with the individual vulnerability scan results and whether the vulnerabilities that have been discovered are valid and applicable or NOT. NOTE: If you're still in the reconnaissance phase and receiving numerous false positives. Try conducting another round of reconnaissance, just for the sake of understanding the environment in depth.
Automated scans have numerous false positives. What is the most effective way of identifying false positives.
Results validation. Through validation process, it's easy to compare what you've learned about the target environment from the automated scans with the individual scan results and identify whether or not the results are truly applicable and accurate.
What does Psexec utility use to enable you to issue commands to the remote systems?
SMB
List of security assessment tools for mobile devices
Security assessment tools for mobile devices include the following: Postman, Ettercap, and Frida, along with ApkX and APK Studio. Visibility in EMM or Enterprise Mobile Management: The challenge of identifying attached and mobile devices is called visibility. EMM software can to used to manage enterprise-owned devices and BYOD (bring your own device) to ensure complete visibility. Two main components of EMM suite are MDM (mobile device management) and MAM (Mobile application management).
Another regulation that affects data privacy is GDPR, which outlines specific requirements on how consumer data is protected. List two to three components of GDPR.
Some of the components of this law includes: 1) Require consent means a company must obtain your permission to share your information. 2) Rescind consent allows a consumer to opt out at any time. 3) Global reach—GDPR affects anyone who does business with residents of the EU and Britain. 4) Restrict data collection to only what is needed to interact with the site. 5) Violation reporting—a company must report a data breach within 72 hours.
You are on a PenTesting team. Your colleagues are discussing the strategy for moving forward with the project. The subject of communication comes up. The team is brainstorming what will be used as triggers for official communications with the client. What contributions can you make to the discussion?
Some reasons to initiate communication (any of the following is the correct answer): 1) Status Reports 2) Critical Findings 3) Indicators of Prior Compromise (artifacts) 4) Goal Reprioritization
Your client has asked about the common root causes of vulnerabilities. What are some recurring conditions or common themes that can cause vulnerabilities to emerge?
Some recurring conditions and/or common themes that can be the root cause of vulnerabilities are: 1) Lax physical security (Lax means not strict enough) 2) Employees not following corporate policy or best practices 3) Lack of adequate cybersecurity training 4) Lack of software patching and updating 5) Lack of operating system hardening 6) Poor software development practices 7) Use of outdated networking protocols 8) Use of obsolete cryptographic protocols
Disadvantage of biometric integration
Spoofing of the system by using "forged biometric" that allows easy and "confirmed" access into the device. NOTE: "Execution of activities using root" is possible if the user "jailbreaks" the device and the mobile developer has no control over it. In a system that has been jailbroken, any application can undertake root login/use access code. Similarly, "over-reach of permissions" during the installation of application is a problem. Read EULA before installing any app, don't allow the app to have more permissions than needed.
Five stages of vulnerability
Stage 1: Discover is when the vulnerability is identified. At this point, a malicious actor may create an exploit. Stage 2: Coordinate is when the vulnerability is defined, listed, and published in the CVE and CWE so that vendors and anyone involved is aware of the vulnerability. Stage 3: Mitigate is when vendors and software designers develop a patch, which is then released to the public. Stage 4: Manage is when the patch has been released and each individual organization applies the patch in order to remediate or mitigate the vulnerability. Stage 5: Document is the final phase, in that the results are recorded, and everyone takes a moment to reflect on lessons learned, in order to prevent further exposure.
Dynamic Application Security Testing (DAST)
Testing that is done after code is placed into production and is able to unearth vulnerabilities that are evident once the code is in production.
Before putting the app into production what should be done?
The app should go through fuzzing and input validation process to test and verify that it is not vulnerable to any attacks.
Your team's PenTest report should account for your client's risk appetite. At the beginning of the PenTest process, what kinds of questions could you ask them to assess the amount of risk they would be willing to accept?
The client's key stakeholders need to determine their risk appetite by answering questions such as: 1) What losses would be catastrophic to the organization? 2) What processes, technology, or other assets can be unavailable and still enable the organization to function, and for how long? 3) What assets, processes, information, or technology must be available at all times and cannot be made public or be accessed by unapproved persons? 4) Are there any circumstances that could result in personal harm to anyone dealing with the organization, be it employees, customers, business partners, or visitors?
Your colleague, who has just overseen and concluded a PenTest project, is requesting some advice on the best practices for the secure handling of their PenTest reports. What would you suggest?
The following are some best practices for the secure handling of reports: 1) Maintain the confidentiality of reports and their contents. 2) Maintain the integrity of reports and their contents. 3) Ensure reports are always available to the relevant audience. 4) Ensure reports are secure in transit (including across a network). 5) Minimize the transmission of reports across a public network like the internet. 6) Ensure reports are secure in storage. 7) Protect reports and their contents from accidental disclosure. 8) Maintain audit logs for users accessing reports. 9) Maintain a chain of custody when transferring ownership of reports. 10) Maintain version control for changes to reports.
Aircrack-ng Suite
The principal tools in the suite are as follows: #Airmon-ng: Will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. #Airodump-ng: Provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of the access point along with the MAC address of a victim client device. #Aireplay-ng: Inject frames to perform an attack to obtain the authentication credentials for an access point, which is usually performed using a de-authentication attack. This is usually internal attack!!
Metaspoit modules (six basic modules)
The six basic types of Metasploit modules are: Exploits, Payloads, Post, Auxiliary, Encoders, and Nops.
While searching the social media profiles of a target organization, the team reads a series of Facebook posts by a network administrator. The employee is dissatisfied with their colleagues and complains that they have a lax attitude toward securing and monitoring the network. How could the team use this information?
The team can focus on finding the weaknesses that may exist due to the negligent employees.
Your team is tasked in evaluating the source code for 515web.net. They know that they are using a source-code repository. How should you proceed?
The team should check source-code repository sites such as GitHub, Bitbucket, CloudForge, and SourceForge. Once there, they should examine the code to see if the developers had added sensitive information in their code, such as usernames and passwords, or other information that can be used to frame an attack.
What are some of the sections you would suggest that they consider including in their report?
They should consider including the following sections in their report: Executive summary Scope details Methodology Attack narrative Findings Risk rating Risk prioritization Metrics and measures Remediation Conclusion Appendix or supporting evidence
Your colleagues come to you with a question. They want to develop a script to show basic flow and functionality, but they haven't yet decided which language to write the script in. Can you help?
They should write the script using Pseudocode. Pseudocode is a made-up language used to show flow and logic, but is not based on any programming or scripting language. Once the script is written in Pseudocode, it can easily be adapted to the actual language that will be used.
Metasploit Framework
This tool, which runs on Linux, BSD, MacOSX and Windows, creates a modular interface for tying together exploits, payloads and targeting information. Metasploit's meterpreter has the command to clear log entries by issuing the command clearev. Using metasploit's meterpreter, u can list available tokens and then impersonate one of the tokens to assume its privileges. Metasploit's meterpreter tool timestomp can also allow u to delete or modify timestamp-related information on files. Launch MSF in Kali linux using the command "msfconsole". meterpreter > timestomp example.txt -v NOTE: Meterpreter is the most popular payload. Part of the Metasploit Framework, the Meterpreter is an interactive, menu-based list of commands you can run on a target during a PenTest exercise.
Your team has asked for help in drafting a Lessons Learned Report (LLR). What fundamental questions should you ask and answer about the PenTest in the report?
Those questions can include: What about the test went well? What about the test didn't go well or didn't go as well as planned? What can the team do to improve its people skills, processes, and technology for future client engagements? What new vulnerabilities, exploits, etc., did the team learn about? Do the answers to these questions necessitate a change in approach or testing methodology? How will you remediate any issues that you identified?
The written report is likely to be read by a variety of audiences. This might include board members, end users, and technical administrators. They all need to be able to read and understand the information you provide. So you need to target your report to account for these differences. What is a common way of achieving this?
Through organizing the report into appropriate subdivisions. #There might be an executive section for those who only need a high-level understanding of the results and their impact. #There might be technical section with links to more specialized information that IT personnel can use to implement your recommendations. #You can also create an appendix, providing essential information in the report and provide separate files with all details. #Essentially, you want to normalize data in the report to make it as clear to the target audience as possible, all while minimizing extraneous information that just contributes to the noise.
Covering Tracks
To cover your tracks you can do any of the following: Clear log entries. Remove specific entries. Change log entries. Modify the timestamps. Remove the history. Shred or overwrite files.
Ongoing documentation during tests
To help in both the consistency and also simplicity of the procedure of ongoing documentation, screenshots can be employed and are highly recommended as an accompanying element. NOTE: You should aim to grab only the relevant sections to minimize capturing information that is not needed for the report.
List two or three tools that the PenTesting team can use to recover and attempt to crack a wireless access point key.
Tools that can be used to recover a WAP key include: Fern, EAPHammer and MDK4.
Type 1 and Type 2 Hypervisors
Type 1: Bare metal hypervisors. Type 1 hypervisor is installed right on top of the hardware and doesn't have to go through the host OS to communicate with the hardware. Type 2: Host-based. Type 2 hypervisor is installed on top of the operating system.
SPIT (spam over Internet telephony) Macof attack
Un-solicitated phone messages #Macof attack overflows the MAC table on a vulnerable switch so that it behaves like a hub, repeating frames out all ports.
What should a company with over 250 employees do to be compliant with the GDPR?
Under GDPR, any company with over 250 employees will need to audit their systems and take rigorous steps to protect any data that is processed within their systems, either locally managed or in the cloud.
Best way to use modules in python
Use "import" function to use it. IF external module, then download and install first before importing it. This saves time because you're using the module that has already been created rather than crafting it from the scratch. NOTE: to get some reference about the module repositories created and published by others publicly, just check GitHub.
To spoof a VoIP
Use asterisk server.
Risk rating
Use impact and likelihood in this case. #Consider using CVSS (common vulnerability scoring system) to enhance risk rating rather than just using impact and likelihood. #Also consider using different cybersecurity framework such as NIST, cyber security framework (NIST CSF)
To restrict availability of resources to the authorized users only.
Use role-based access control system.
Vertical privilege escalation vs. horizontal privilege escalation
Vertical privilege escalation is obtaining higher account privileges than you currently have, for gaining "administrative privileges". Horizontal privilege escalation is gaining regular but different user account privilege than you currently have, for the purpose of gaining access to private resources that you otherwise don't have permission to. NOTE: Horizontal privilege escalation is easier to be executed because it doesn't get noticed easily. That's why horizontal privilege escalation is able to avoid suspicion while attempting to gather information.
OpenStego
What tool can: Data Hiding-It can hide any data within a cover file (e.g. images) Watermarking-Watermarking files (e.g. Images) with an invisible signature. It can be used to detect unauthorized file copying. NOTE: Need Java Runtime Environment (JRE) installed coz the OpenStego software is written in Java.
Using DNS is common during the footprinting and reconnaissance phase of the PenTest. What protocol can be used to search for organizational information?
When an entity registers a domain name, the registrant will need to provide information, such as organizational and key contact details. The team can use the whois protocol to search for these details.
When the target audience of your team's final Pentest report are C-suite executives, what is the important consideration?
When the audience of the Pentest's report are C-suite executives, you need to make sure that they understand the impact of the findings. That's why it's important explain all the recommendations with clear evidence attached to it, because C-suite executives will make decisions according to the results and recommendations.
Indicators of Compromise (IOCs) exceptional cases
When to stop Pentest in regards to IOC situation? 1) If the IOC is "Fresh". In that situation, Pentest should be halted until the security breach is handled properly. If the IOC is historical then Pentest should be continued, but documentation of the existence of that specific historical IOC should be of high priority. (that documentation process could be a just a quick "log of that discovery")
What are some of the guidelines you could give to your team when they use persistence techniques?
When using persistence techniques, you should follow these guidelines: 1) Try to maintain a foothold in the organization to continue your attack after the main phase has concluded. 2) Demonstrate persistence to the client without necessarily keeping assets compromised for a long period of time. 3) Create new user accounts to bypass access control and account monitoring. 4) Escalate new accounts' privileges if you are able. 5) Install a RAT as a backdoor into a target system. 6) Create a shell using Netcat to open a backdoor for command execution. 7) Use reverse shells instead of bind shells whenever possible. 8) Use Netcat to exfiltrate files from a target host to your own host. 9) Use Netcat to set up a relay from one target host to another, for pivoting. 10) Use Task Scheduler in Windows to run a compromising command or program on a consistent schedule. Use cron jobs in Linux, to do likewise. 11) Consider using a backdoor as a daemon or service to have it constantly available. 12) Understand the disadvantages of creating and using a daemon or service. 13) Add commands or programs to the appropriate Registry startup keys to get them to run on Windows boot.
WMIC (Windows Management Instrumentation Command-line)
Windows Management Instrumentation (WMI), for example, provides an interface for querying data about remote systems. The following uses WMI command-line (WMIC) to get the name of the currently logged in user of a remote system: wmic /node:192.168.1.50 computersystem get username NOTE: Using Psexec or WMIC could be detected by security personnels or IDS systems. To evade being caught, use RPC (remote procedure call) /DCOM (direct component object model). How? DCOM applications use RPC as a transport mechanism for client requests. Flaws in DCOM can enable you to execute code on a remote system by assuming user privileges. DCOM is blocked by default by Windows Defender Firewalls, so can't expect it work efficiently.
For persistence, Creating new user and administrative user account
Windows: New user: net user jsmith /add Administrators group user: net localgroup Administrators jsmith /add Linux: New user: useradd jsmith gaining root privilege: editing the /etc/passwd file and changing the user's user ID (UID) and group ID (GID) to 0.
Robert is leading a PenTesting team and has asked you for advice. He is thinking about using the command-line utility NetCat. Would you recommend this, and why?
Yes. NetCat is highly versatile. It has been called the "Swiss Army knife" of hacking tools. It can create or connect to a TCP server, act as a simple proxy or relay, transfer files, launch executables when a connection is made, test services and daemons, and even port scan.
A PenTester succeeds with a brute force attack to crack a server password. How did the system become vulnerable to such an attack? a) A privilege escalation issue b) A session attack c) A server-side request forgery d) A business logic flaw
d) A business logic flaw
APKX and APK Studio
decompile Android application packages (APKs).
What is if and loop in scripting languages?
flow control #Flow control is the most important component of a script's logic, or the order in which code instructions are executed.
Your newest team member has been asked to use Python scripting for a PenTest project. They need to write a script but do not know how to make the program access the desired libraries that they have downloaded. What command do you recommend that they use?
import
Insecure direct object references (IDOR) Race condition
#Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. #A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. T
Difference between theHarvestor/recon-ng and maltego
#theHarvestor and Recon-ng use CLI #Maltego has a full GUI to help users visualize the gathered information. Maltego features an extensive library of "transforms", which automate the querying of public sources of data. Maltego then compares the data with other sets of information to provide commonalities among the sources.
Zone Transfer Attack
A zone transfer is when a host DNS nameserver passes a copy of the zone file to a client DNS nameserver. An attack occurs when an entity poses as a DNS client server and asks for a copy of the zone records. Some of the resource records found in a zone file are the following: A (32-bit IPv4), AAAA (128-bit IPv6), PTR (reverse lookups), MX (mail exchange records.)
Network segmentation testing facts
Can use Nessus since it has the capability to output a report that could verify if the network is PCI DSS compliant or not, along with the recommended remediation pertaining to the network flaws. Nmap can also be used to test network segmentation facts, by using it's TCP, UDP and ICMP port scans specifications.
Closed ports for pivoting LAN?
Closed ports would not be useful in pivoting LAN as they would not provide a method of connection.
Collecting API requests and responses is Active or passive?
Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method.
reaver
Command-line tool used to perform brute force attacks against WPS-enabled access points.
Filtered vs. unfiltered ports
Filtered is if it is blocked by the firewall. Unfiltered is if the ports are accessible, but nmap cannot detect it and determine if the ports are open or closed.
ARP fact
Gathering ARP traffic is only possible on LANs (both ethernet and Wifi) coz they're non-routable. Remember that ARP poisoning attack deliberately maps incorrect MAC address to the correct IP address in an attempt to poison the ARP cache. As a result, the correct IP address is redirected to the attackers incorrect MAC address. NOTE: Tool in Kali linux for ARP traffic scan is Arping. Arping sends a series of ARP requests to the target and the target replies with ARP replies. When using Arping, you will need to use Wireshark and use arp as the display filter to see the response.
Identity and access management (IAM)
Identity and access management (IAM) defines how users and devices are represented in the organization, as well as how they are granted access to resources based on this representation.
"TCP connect scan" used for the connection to the target.
TCP connect scan is the usual TCP three-way handshake done to connect. Once the connection occurs, the scanner will send the RST to reset the connection for the purpose of completely killing it or dismissing it. The scanner then logs the connection and moves on to the next port of the target. NOTE: full scan is the noisiest and are easily caught. It's best to slow it down or randomize the IP addresses to be unnoticed.
Exam tip
You should be able to identify a script or programming language based on a code snippet for the exam. #PowerShell uses keywords like Write-Host to output text to the display. #Python uses keywords like print to output text to the display. #Bash uses keywords like echo to output text to the display. You are not expected to be able to write programs or scripts for the exam, but you must be able to read, analyze, and understand their basic functionality.
A Pentest team performs an exercise at a large financial firm. During the process, it is discovered that a risk exists due to missing firmware updates on several hardware-based firewalls. The team concludes a risk rating during which step of the Pentest process? a) Reporting b) Analysis c) Scanning d) Reconnaissance
b) Analysis #Analysis occurs after a team has completed an exercise. A collection of the results of all activities are analyzed, and a summary is derived of the risk ratings for each. NOTE: #Reporting will deliver the results and any remediation suggestions to the stakeholders, along with a realistic timeline of reducing risk and implementing corrective actions. #Scanning is a critical phase as it provides more information about available network resources. Scanning identifies live hosts, listening ports, and more. #Reconnaissance focuses on gathering as much information about the target as possible. This process includes searching information on the Internet, using Open-Source Information Gathering Tools (OSINT).
A PenTester plans to use Telnet to exploit a system during an exercise. The PenTest Supervisor suggests using an alternative that supports encryption. Which tool will provide the encryption the supervisor suggests? a) Netcat b) Secure Shell c) rsh d) Ncat
b) Secure Shell #Secure Shell (SSH) is a modern answer to Telnet's lack of encryption and other security mechanisms. Some systems (particularly Linux systems) have SSH enabled by default.
What is the Open Web Application Security Project (OWASP)? a) A resource of OSINT research b) A resource for PenTest project managers c) A resource for security risk awareness d) A resource for Exploit techniques
c) A resource for security risk awareness #The Open Web Application Security Project (OWASP) was created to improve software security. Its purpose is to raise awareness of what is viewed as the most relevant critical security risks to web applications. #Open-source intelligence (OSINT) covers data that can be freely obtained online to learn and acquire data about an individual or organization. Social media sites are sources for OSINT. #The Open Web Application Security Project (OWASP) is not a project management site. It focuses on security and has free documents, forums, and chapters but is most famous for the OWASP Top Ten. #The Open Web Application Security Project (OWASP) covers and explains notable vulnerabilities, but is not a site dedicated to exploiting techniques.
What communication protocol does an IT manager establish for a PenTest team during a PenTest engagement? a) A testing scope b) A testing start time c) A testing threshold d) A testing asset
c) A testing threshold #A testing threshold communication policy would outline how each party contacts and communicates with each other in the event that a problem has occurred. #A testing scope would encompass the entirety of the testing project and what the testing covers and does not cover. This would be established prior to the beginning of the PenTest and not during. #A testing start time would be established beforehand and not during the PenTest. The same would be true in establishing a time to end the test. #A testing asset is an entity that is in the scope of the test, such as a particular server or host system that will be probed. An asset list would be determined prior to the PenTest.
PenTesters submit a report to a client after a successful engagement exercise. The report contains suggestions on improving business continuity. Which control type does the report address? a) Logical b) Physical c) Administrative d) Technical
c) Administrative #Administrative controls are security measures implemented to monitor the adherence to organizational policies and procedures. #Logical controls automate protection to prevent unauthorized access or misuse. An example of this includes an Access Control List (ACL) that may be implemented as software or hardware. #Physical controls restrict, detect and monitor access to specific physical areas or assets. Methods may include barriers, tokens, biometrics, or other controls. #Technical controls may include Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures and antimalware protection. These are implemented as system hardware, software, or firmware solutions.
A PenTest team prepares a test for a global company with offices in several countries. What procedural information should the PenTest team include in the documented scope before starting? a) Differences in power types b) Operating system language barriers c) The regulation and use of tools d) Differences in time zones
c) The regulation and use of tools #In the United States, export controls regulate the transfer of certain services outside of the country. For example, Wireshark is a powerful open-source protocol analysis tool that falls under the U.S. encryption export regulations, and it may be illegal to use in certain countries. NOTE: #Countries have varying voltage and electrical standards and requirements for equipment, however, this falls outside the scope of the test. Operating systems may be set to different languages, however, this would not be a concern for any testing. Time zones may be a concern, however, a schedule can be formulated to identify testing times.
A security engineer uses Google hacking to gain knowledge about an organization's employees. What search results does the engineer retrieve by using the syntax: link:comptia.org about while practicing the command? a) To search for any pages whose anchor text includes the text "about" b) To search for any pages whose URLs include the text "about" c) To search for any pages that lead to the website with the text "about" on the page d) To search the website only for results including the text "about"
c) To search for any pages that lead to the website with the text "about" on the page #To find a link to a specified page, the link operator is used. Searching link:comptia.org about will search for pages that link to CompTIA's website and have the text "about" on the page. #When searching for anchor text, the inanchor operator is used. Searching inanchor:about employees will search for pages with the anchor text "about" and with the text "employees" on the page. #A URL can be searched for text with the inurl operator. Searching inurl:about employees will search for pages whose URLs include the text "about" and have the text "employees" on the page. #To search a site for text, the site operator is used. Searching site:comptia.org would be used to search CompTIA's website for the text "about."
A penetration testing team performs post-engagement activities after a PenTest exercise. The team addresses which area? a) Software upgrades b) Hardware replacement c) User accounts d) Network improvements
c) User accounts #Removing tester-created credentials should take place during post-engagement cleanup. It is possible that during the exercise high-level credentials were added or manipulated. The system should be returned to its previous state. NOTE: #Software upgrades are not carried out by the PenTest team. #The recommended upgrade of any software such as those that have security flaws should be included in a final report. #Hardware replacement is not carried out by the PenTest team. The recommended replacement of any hardware such as outdated firewalls should be included in a final report. #Network improvement is not carried out by the PenTest team. The recommended improvement of a network is not typically the scope of a Pentest although it may be noted in a report.
You are preparing for an upcoming penetration test. You want to begin your reconnaissance but need to validate the scope of the IP addresses and the times of day you can scan the network. Which of the following documents should you refer to find these details? a) MSA b) RFP c) NDA d) ROE
d) ROE #The rules of engagement (ROE) contain the timeline, location, temporal restrictions, transparency of testing, and test boundaries for the penetration test. Therefore, if you look at the temporal restrictions portion of the ROE, you will see what times of day you can perform your scans and exploits. If you reference the test boundaries section, it should contain what types of scanning and exploits are allowed to be used and which systems are and are not in the scope of the assessment.
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? a) transfer type = ns b) request type = ns c) locate type = ns d) set type = ns
d) set type = ns #The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.
Bluejacking vs Bluesnarfing
1) In the bluejacking attack, attackers use to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection. 2) In the bluesnarfing attack, attackers are allowed to read messages and data from the victim's bluetooth device. The end goal is to glean victim's sensitive data.
Information found after using wireshark
1) NBNS (NetBIOS name service). Just use the filter nbns. 2) TCP HTTP: 3) Active directory which uses Kerberos and can be seen in the CName string. Just filter using key word "Kerberos" 4) DHCP. While using DHCP, will be able to discover client identifier i.e the mac address!!!! cool.
Things Pentest team don't do.
1) Software upgrades 2) Hardware replacement 3) antivirus installation All of these things are recommended solutions and are listed in the final report.
De-confliction vs. de-escalation
#De-confliction in cybersecurity is the information sharing system which increases the effectiveness of the communication and decreases the possibility of conflicts or disagreement between parties. For e.g: Communication of the system stability situation to the appropriate clients. #De-escalation is slowing down of fast process. For example: adjustment of the automated process that has no limitation against the system.
Direct-to-origin attack vs. incorrect origin settings attack
#Incorrect origin settings attack: Incorrect origin settings use policies to trust domains that provide regular contents. Weak policies therefore can expose the network to XSS. #Direct-to-origin attack: In direct to origin attack, a point of origin such as host IP is found behind the safeguard, such as reverse proxy. And exploited!!!!
PTES OWASP OSSTMM ISSAF
1) The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. 2) The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. 3) The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM) and it outlines every area of an organization that needs testing and how to conduct the relevant tests. 4) The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.
our PenTest team has accessed an active directory environment. Which post-exploitation tool would you suggest the team use to identify vulnerabilities?
CrackMapExec
Most common tool used for enumeration
Meterpreter. Using this tool will help determine which hosts are available to pivot (attack other points) to. User enumeration gathers information on users so you can attack using any known usernames on a connected host system.
The team leader has tasked your group to test the targets physical security. The target has a main building, loading docks, a parking garage, and a warehouse. Which OSINT could provide the team with valuable intel?
When planning a physical PenTest, the team can use Shodan to attempt to locate the feed of a security camera outside the target's facilities. If successful, the team can get a better picture of the premises and any possible defenses that are in place. NOTE: Shodan is OSINT tool.
An organization installs an access control vestibule with a card reader at the recommendation of a PenTest report. What vulnerability does the organization need to keep in mind? a) Card Cloning b) Card Reader Theft c) Biometric Accuracy d) Biometric Reliability
a) Card Cloning #Certain access control methods like RFID cards may be vulnerable to cloning and replay attacks. The organization would need to routinely inspect the vestibule for any tampering with a cloning device. NOTE: #Card Reader Theft is likely not a concern with an access control vestibule due to the size construction of the device. Theft of the card reader itself would not create a vulnerability. #Accuracy is typically a concern with biometric access solutions. Some biometric access devices can have a higher rate of failure than others. Reliability is usually a concern with biometric access solutions. For example, a fingerprint reader can prove to be unreliable if the reader is not clean or if the initial setup did not obtain a good fingerprint image.
Steganography requires three basic elements to work. Which elements are valid? (Select all that apply.) a) Carrier b) Decoder c) Payload d) Tool
a) Carrier c) Payload d) Tool #The carrier must be able to pass as the original and appear harmless. A carrier might be music or an image file. #The payload can contain any number of things, such as trade secrets or command and control activity. Once the payload is hidden, no one outside of the sender and the receiver should suspect anything. #There are hundreds of steganography tools available that can conceal the activity. Most are freely available and have similar functions in that they can conceal and encrypt data using a wide range of carriers. NOTE: A decoder is not a required element used in steganography. A steganography tool is used to work with files that contain a payload.
You are preparing for the exploitation of Dion Training's systems as part of a penetration test. During your research, you determined that Dion Training is using application containers for each of its websites. You believe that these containers are all hosted on the same physical underlying server. Which of the following components should you attempt to exploit to gain access to all of the websites at once? a) Common libraries b) Their e-commerce website's web application c) Hypervisor vulnerability d) Configuration files.
a) Common libraries #Application containers are virtualized environments designed to package and run a single computing application or service and share the same host kernel. Since they share the same host kernel, they use common libraries, as well. If you can exploit the common libraries, you will gain access to every website on that server, even if they are in an application container. An application container does not use a hypervisor like a typical virtual machine. Configuration files are unique to each application container. The e-commerce website's web application is likely hosted in a single application container and, therefore, would not provide you access to every website simultaneously if exploited.
As an initial approach, a PenTest team enters a test with no knowledge of the environment. Where will the team focus most of their efforts? (Select all that apply.) a) Footprinting b) Infiltration c) Scanning d) Reconnaissance
a) Footprinting c) Scanning d) Reconnaissance #Footprinting is a technique that encompasses many different approaches to discovering the layout of systems and a network. #Scanning is a technique that is accomplished by using software to discover hosts on a network. Scanning can involve using IP addresses and ranges along with TCP and UDP port information. #Reconnaissance is an overall approach to gaining information about an organization. This can include using open-source intelligence and both passive and active scanning of on-premise systems. #Infiltration would be the attempted exploit of any discovered vulnerabilities and would not be part of a discovery process.
A PenTest lead explains to a client that a PenTest is a fluid process. As such, what is a common occurrence, but not necessarily planned for? a) Goal reprioritization b) Critical findings c) Indicators of prior compromise d) Status reports
a) Goal reprioritization #Goal reprioritization is the catalyst for possible adjustments to the engagement. The nature of a PenTest is that it is a fluid process, and the PenTest team must be able to prioritize findings as they occur. #Critical findings are identified issues that imply a very high risk to the client's organization. #Indicators of Prior Compromise are artifacts which can provide evidence of a prior cybersecurity event and could be from malicious sources. #Status reports are regular progress briefings with the client. If the PenTest will take more than a few days, the client might want regular progress updates.
A PenTest engagement focuses on a particular server at a host organization. The server contains critical information and is of the highest priority to harden. What engagement type do the PenTesters utilize? (Select all that apply.) a) Goals b) Compliance c) Teams d) Objectives
a) Goals d) Objectives #A goal-based approach uses assessments that have a particular purpose or reason. For example, if an organization is concerned with a sensitive server, the PenTest team will focus on that server. #An objective-based approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for security issues before implementation. #Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS. #Red team/blue team-based assessments is a method that uses two opposing teams in a PenTest or incident response exercise. In this approach, one team attacks while the other team respon
During the reconnaissance phase of a penetration test, you have determined that your client's employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these? a) Identify a jailbroken device for easy exploitation b) Use web-based exploits against the device's web interfaces c) Use a device such as ICSSPLOIT to target specific vulnerabilities. d) Use social engineering to trick a user into opening a malicious APK
a) Identify a jailbroken device for easy exploitation #When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.
An organization that handles credit card payments must follow specific cardholder data environment (CDE) requirements to meet PCI DSS standards. Which approach would satisfy such requirements when it comes to cardholder data? (Select all that apply.) a) Isolated subnets b) Network segmentation c) ARP traffic d) Wireless LAN
a) Isolated subnets b) Network segmentation #Subnets are isolated from one another using devices such as routers. Payment card data should be kept separate from other data on a network. Subnetting is an appropriate solution. #Payment card industry data security standard (PCI DSS) requirements state that an organization must ensure the cardholder data environment (CDE) is properly segmented from other nonrelated areas of a network. #ARP traffic is not associated with CDE, but can discover hosts on a network and assist in stopping ARP poisoning. #Using a wireless network would not isolate cardholder data unless special provisions are made such as placing the wireless LAN in a different zone or subnet.
A new business that anticipates processing roughly five million credit card transactions per year is mandated to complete a Report on Compliance (RoC). What PCI DSS security levels require a business to complete a RoC? (Select all that apply.) a) Level 1 b) Level 3 c) Level 2 d) Level 4
a) Level 1 c) Level 2 #Level 1 has over six million transactions a year. An external audit must be performed by an approved Qualified Security Assessor (QSA) and a Report on Compliance (RoC) must be completed. #Level 2 is a merchant with one to six million transactions a year. This level requires that a Report on Compliance (RoC) is completed.
An organization realizes the potential for an attack on their systems. As a result, a resiliency assessment takes place, and various controls are suggested to be put in place. If an access control list (ACL) is on a firewall, what type of control does the systems engineer implement? a) Logical b) Administrative c) Physical d) Least privilege
a) Logical #Technical or logical controls automate protection to prevent unauthorized access or misuse and include Access Control Lists (ACL) that are implemented as software or hardware. #Administrative controls are security measures implemented to monitor the adherence to organizational policies and procedures. #Physical controls restrict, detect and monitor access to specific physical areas or assets. Methods include barriers, tokens, biometrics, or other controls
A security engineer discovers that a malware injection attack has occurred on a server in a cloud infrastructure. What does the engineer discover has happened? (Select all that apply.) a) Malicious code was concealed in a wrapper. b) A website experienced cross-site scripting. c) An origin network was identified behind a proxy. d) The hardware leaked sensitive information.
a) Malicious code was concealed in a wrapper. b) A website experienced cross-site scripting. #In a malware injection attack, a service can fall victim to a wrapper attack, which wraps and conceals malicious code to bypass standard security methods. #In a malware injection attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and Cross-Site Scripting (XSS). NOTE: With direct-to-origin attacks (D2O), many organizations seek to reduce the threat of a DDoS attack by using methods such as reverse proxies. In a D2O attack, malicious actors circumvent this protection by identifying the origin network or IP address. In a side-channel attack, an exploit is possible because of the shared nature of the cloud. In this attack, the hardware leaks sensitive information such as cryptographic keys.
A PenTest team discovers a new vulnerability in an application and reports the matter to the software developer. Considering the vulnerability lifecycle, in which phase will the developer create a software patch? a) Mitigate b) Manage c) Discover d) Document
a) Mitigate #The mitigate phase is where vendors and software designers take a look at the vulnerability and devise a strategy. In most cases, a patch is developed and then released. #The manage phase is where the patch has been released. As such, the next step is to apply the patch in order to remediate or mitigate the vulnerability.
A new PenTester looks for a command and control (C2) tool that will work with Mac OS. Which tool does an experienced test suggest? a) Mythic b) Covenant c) Nishang d) Empire
a) Mythic #Mythic is a C2 framework that contains payloads such as Apfel and Poseidon that provide consistently good results when PenTesting MacOS. Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier. Nishang is a specific PowerShell tool that includes a large set of scripts for Windows that can be post-exploitation. Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux.
A systems administrator tells security engineers that a recent server breach succeeded without warning. The engineers explain that the attack was a Living off the Land (LoTL) attack and the system did not throw any alerts for what reason? a) Native OS tools were used in the attack b) Definitions to detect malicious activity were out of date c) Any IDS or IPS solutions were not in place d) The attacker used a back door
a) Native OS tools were used in the attack #With a Living Off The Land (LoTL) attack, the toolkit that is used is the system's own native tools, which generally won't trigger any alarms and are harder to detect. NOTE: LoTL uses fileless malware. #Definitions are not useful as there is no discrete signature being used. A more proactive approach to fileless malware is to use a blend of behavioral-based detection and monitoring strategies.
A PenTester initiates a testing exercise by enumerating network hosts. Which Windows-native tool will provide the tester with valid operating system information for Windows computers? a) PowerShell b) Nmap c) Metasploit d) uname -a
a) PowerShell #PowerShell (PS) uses cmdlets to achieve a task, such as Get-Help, and can enumerate information such as OS version, shares, files, and more. NOTE: #Nmap has a wide range of commands and NSE scripts for host enumeration to fingerprint the operating system and interrogate its services, however, it is not native to Windows. #Metasploit has several modules that can enumerate hosts. For example, the team can run the enum_applications module to determine what applications are installed on the target host. #The uname -a command can be used on a Linux system to display the operating system (OS) name, version, and other details.
How does the Penetration Testing Execution Standard (PTES) benefit a PenTest team post-engagement? a) Presentation of findings b) Data sharing c) Vulnerability scanning d) Vulnerability exploiting
a) Presentation of findings #A PenTester is free to show findings as it seems fit, however, it is highly recommended to at least start from a standard, such as PTES (Penetration Testing Execution Standard).
An executive at an organization informs a PenTest team that users have started complaining about receiving numerous text messages throughout the day. The executive believes the organization has been hacked. What does a member of the team attribute the activity as? a) SMiShing b) Bluesnarfing c) Sandboxing d) Vishing
a) SMiShing #SMiShing is a form of phishing that uses text messages to entice users to click on a link or provide information. This may be a result of filling out a contact form online. #Bluesnarfing enables a malicious actor to read information from a victim's Bluetooth device. Bluesnarfing is ineffective against devices that set Bluetooth in non-discoverable mode. NOTE: Bluesnarfing is more aggressive than bluejacking. Bluejacking requires the device to be in close proximity of atleast 30 feet. But, in exceptional cases such as airport, it is possible because of the crowded scenario. BOTH are ineffective if the device is undiscoverable, SO TURN OFF THAT BLUETOOTH!!!!! LOL #Sandbox analysis is using virtualization to provide a safe environment to analyze malware. You can create a sandbox using a virtual machine, or use a pre-made sandbox designed to provide a full analysis of malware activity. Vishing is phishing using Voice over Internet Protocol (VoIP). This attack is possible as it is easy to spoof the sender's information when using a VoIP call.
A PenTester performs active reconnaissance as part of an exercise. The goal is to identify possible query formats for a web app that uses SQL. What method does the PenTester use when using a select query? a) Single quote b) Stack multiple c) Blind SQL d) Time-based blind SQLi
a) Single quote #The most common method for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. This is called the single quote method. If an error is returned, it may provide SQL syntax details. #Certain web app APIs also allow the stacking of multiple queries within the same call. This can be useful for injecting new query types into a form's existing query type. #Blind SQL injection is injecting SQL when the web application's response does not contain the result of the query. Adding a time delay to a Blind SQL injection is known as time-based blind SQLi.
A PenTest group performs an assessment exercise at a client location using one group as an attacker and one group as a responder. Which assessment approach is used in this scenario? a) Teams-based assessments b) Goals-based assessments c) Compliance-based assessments d) Objective-based assessments
a) Teams-based assessments #Red team/blue team-based assessments is a method that uses two opposing teams in a PenTest or incident response exercise. In this approach, one team attacks while the other team responds. #A goal-based approach uses assessments that have a particular purpose or reason. For example, if an organization is concerned with a sensitive server, the PenTest team will focus on that server. #Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS. #An objective-based approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for security issues before implementation
A PenTest team creates a file on an organization with the goal of showing upper management how employees can be targeted. Which open-source intelligence (OSINT) resources does the team utilize to gather information? (Select all that apply.) a) The organization's website b) Twitter feed c) An employee's office location d) Internal network group memberships
a) The organization's website b) Twitter feed #The organization's website is an open-source resource that may reveal a good deal of information on the company and its employees. Information might include job promotions, personal bios, and more. #The company's social media presence is an open-source resource that may reveal both organization and employee information. The company's Twitter feed may share company blog articles that reveal information about employees. NOTE: An employee's office location is informational data and is not an open-source resource itself. #Internal network group memberships are not open-source information. Such memberships are used to grant users access to internal resources.
While performing a PenTest at a customer site, engineers configure MAC address spoofing on a Windows system while trying to find vulnerabilities on a network. What will result from the engineer's actions? a) Traffic will be directed to both the real system and the spoofed system. b) Traffic will be directed to the spoofed system. c) Spoofed ARP messages using the invalid MAC are transmitted on the LAN. d) The incorrect IP address will be returned during a query from the spoofed system.
a) Traffic will be directed to both the real system and the spoofed system. #MAC address spoofing modifies the MAC address on a system's NIC card so that it matches the MAC address of another machine. Once done, traffic will be directed to both the victim and the malicious actor. NOTE: #MAC address spoofing can be used to modify the MAC address on a system. Because it is a spoofed address, this means the address legitimately exists on the network. As a result, both systems receive the traffic. #Address Resolution Protocol (ARP) spoofing transmits spoofed ARP messages out on the LAN. #Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. NOTE: It's not that the rest of the answers are incorrect, but the first one includes everything that's going to be spoofed due to MAC address spoofing on a Windows System.
An engineer scans a network for information that can be used in a mock exploit and discovers that all traffic is not visible on a switch and/or router. How can the engineer fix this issue? (Select all that apply.) a) Use port monitoring b) Use switched port analysis c) Use an ARP cache d) Use promiscuous mode
a) Use port monitoring b) Use switched port analysis d) Use promiscuous mode #To capture all traffic on a switch port, port monitoring can be used. This typically required logging into the switch and enabling monitoring. To capture all traffic on a switch, an option is to use switched port analysis (SPAN). With SPAN, all ingress and egress traffic is copied between ports. This is also referred to as mirroring. Using promiscuous mode is required when trying to monitor all traffic on a network. Without this mode enabled, sniffing will not pick up all network traffic. NOTE: An address resolution protocol (ARP) cache contains a list of media access control (MAC) addresses. This will not allow for sniffing all traffic through a switch.
A PenTest team prepares for an engagement at a customer site. Which assets does the team inventory as being in-scope for the test? (Select all that apply.) a) Users b) Domains c) Passwords d) Service Set Identifiers (SSID)
a) Users b) Domains d) Service Set Identifiers (SSID) #Users are an in-scope asset, as they are susceptible to social engineering, and are generally considered to be the easiest attack vector. #Domains and/or subdomains within the organization are a prime target for malicious activity and are an in-scope asset. Domains and subdomains are examples such as example.com and ftp.example.com. #Service Set Identifiers (SSID) can be targeted when an attacker is attempting to access a wireless network. As such, they are an in-scope asset. NOTE: Passwords are dynamic in nature and can be reset at any time. The systems that provide and require the passwords would be an in-scope asset.
A reconnaissance technique used to identify a client website returns the response <address>Apache/2.4.29 (Ubuntu) Server at comptia.org Port 8080</address>. How does a PenTester focus any testing efforts? (Select all that apply.) a) Using Linux tools b) On a standard HTTP port c) Using Window tools d) On a non-standard HTTP port
a) Using Linux tools d) On a non-standard HTTP port #As the response includes information stating that Apache for Ubuntu is being used, the PenTester should use tools and techniques that are specific to Linux operating systems. The PenTester should not focus on a standard HTTP port, but rather port 8080 as indicated in the response output. #The standard web port for HTTP is port 80. In this case, the port that is used and being reported is port 8080. This is the port the PenTester should target. #The response states that the Apache server is being used. While Apache can run on Windows, Ubuntu is identified as the operating system in use. The PenTester should use tools for Linux.
A PenTest team prepares to perform an attack on an organization to test employee diligence. When spoofing a call, how might the team appear to be trusted? a) Utilizing caller ID b) Accessing voicemail c) Setting up a PBX d) Configuring a VoIP system
a) Utilizing caller ID #When spoofing a call, the team can make the call appear to be coming from a trusted source, such as a vendor, a utility company, another employee, and more. This can be done by using a fake caller ID. #Accessing voicemail will not trick the employees but is a type of attack that is possible from the team or malicious actor. #Setting up a PBX gives the team the ability to configure a phone system for a variety of reasons, however, the goal can be achieved by using caller ID. #Configuring a VoIP system gives the team the ability to configure an IP phone system for a variety of reasons, however, the goal can be achieved by using caller ID.
A PenTester looks to automate some scanning that is required at a client site. What will the Nmap options -sV --script vulners accomplish? (Select all that apply.) a) Version detection on open ports b) OS detection on a target host c) Look for common vulnerabilities and exposures d) Exploit vulnerabilities
a) Version detection on open ports c) Look for common vulnerabilities and exposures #The first Nmap option, -sV, performs version detection on the open ports that are found. In its simple form, this process is generally known as banner grabbing. #The Nmap option --script allows the running of Nmap scripts. The vulners script is a script included in Nmap library and it has a vast database of known vulnerabilities. When using Nmap, by default it does not perform OS detection. Using the -O option will accomplish this. The provided Nmap options are not used to exploit a vulnerability. Once a vulnerability is found. Other methods may be used to exploit.
A PenTest team looks to map a network for a customer. Which tools would be useful in creating a map? (Select all that apply.) a) WMI b) SNMP c) ARP d) SMTP
a) WMI b) SNMP c) ARP #Many mapping tools use Windows Management Instrumentation (WMI) to map and manage a network. WMI can help provide a system inventory that includes system statics and other information. #The Simple Network Management Protocol (SNMP) is useful for managing many devices including those that are not computer workstations or laptops. #The ARP (Address Resolution Protocol) command is a useful Windows command-line tool that can provide IP to MAC address mapping information for a host on a network.
A script enumerates details on a network so PenTesters can pivot within a LAN segment during an engagement. What details were enumerated? (Select all that apply.) a) host names b) usernames c) subnets d) closed ports
a) host names b) usernames #For the enumeration of users and assets, there are a series of tools that can be used. One of the most common is Meterpreter. Using this tool will help determine which hosts are available to pivot (attack other points) to. User enumeration gathers information on users so you can attack using any known usernames on a connected host system. NOTE: #Asset enumeration would not identify subnets. Additionally, the pivoting is occurring within the local LAN segment. There are a number of services on a host system that can be used for pivoting (Telnet for example). However, closed ports would not be useful as they would not provide a method of connection.
A PenTester remotely adds a user to a Windows system on one box and elevates a Linux user account to root on another. Which approach does the tester use? (Select all that apply.) a) net user jjones /add b) editing a file and changing the user's user ID (UID) and group ID c) net localgroup Administrators jjones /add d) useradd jjones
a) net user jjones /add b) editing a file and changing the user's user ID (UID) and group ID #On a Windows system, the net user command is used to manipulate user accounts from the command line. The net user jjones /add command will add a user account named jjones. On a Linux system, there are several ways to give root privileges to a user, including editing the /etc/passwd file and changing the user's user ID (UID) and group ID (GID) to 0. On a Windows system, the net localgroup Administrators jjones /add command adds the account to the local Administrators group. On a Linux system, a user account can be added with the command useradd jjones.
How is a PenTest report tracked while it passes through many hands before delivery? a) Screenshots b) Chain of custody c) Version control d) Document properties
b) Chain of custody #Chain of custody is a process where the ownership of data is managed and tracked. As a report passes through hands, it would be documented as to who the new owner is.
An organization is hosting a presentation for external spectators, as well company employees that contains confidential business data. The security team has previously advised all external spectators to not bring personal or company electronics to the presentation and to sit in designated areas. For security purposes, spectators are asked to comply with which of the following rules? (Select all that apply.) a) Adhere to the company computer use guidelines. b) Checking in all mobile devices with the front desk. c) Remaining in designated areas only. d) Do not ask the presenter any questions.
b) Checking in all mobile devices with the front desk. c) Remaining in designated areas only. #Checking mobile devices is a good practice security measure. As mobile devices have the ability to record both images and audio, not allowing them within the office reduces the risk of unauthorized capture of information. #Creating a designated area for spectators to occupy helps to maintain management during the event. By not having designated areas, individuals may wander into restricted areas. #As the attendees are only spectators, there is no need for a computer use policy. A computer use policy would likely apply to employees. #Asking questions is not a security concern. The presentation would likely generate some questions from the spectators.
A PenTest group performs an assessment exercise for a small business. If the exercise targets a particular subnet that is for VIP use only, which assessment approach does the group use when planning an attack? (Select all that apply.) a) Compliance b) Goals c) Objectives d) Teams.
b) Goals c) Objectives
An organization's legal team drafts a master service agreement (MSA) along with a PenTest team lead. What will the agreement include? (Select all that apply.) a) Team credentials and certifications b) Insurance information c) Safety guidelines d) Project scope
b) Insurance information c) Safety guidelines d) Project scope #Conducting a PenTest for an organization is a business arrangement, and all terms of the test should be clearly defined. Any general and liability insurance should be outlined if something goes wrong and damages occur. #Safety guidelines and environmental concerns should be part of a master service agreement. Such guidelines should outline prohibited areas and the use of the facility. #The project scope is defined within the master service agreement. The project scope is a definition of the specific work that is to be performed and completed. NOTE: Team member backgrounds and credentials would not be part of the master agreement (MSA) but perhaps in other documentation that is provided during the interview process of doing business together.
While footprinting a system, a PenTester uses the finger command. What is true regarding this command? (Select all that apply.) a) It is used to obtain operating system information b) It is used on a Linux system c) It is used to view a user's home directory d) It is used on a Windows system
b) It is used on a Linux system c) It is used to view a user's home directory #The finger command is a Linux command-line utility. Similar functions are possible on a Windows system by using PowerShell commands or a PowerShell script. #The finger command is a command-line utility that allows the viewing of a user's home directory along with the login time and idle time. NOTE: On a Linux system, the uname -a command can be used to display the OS name, version, and other details about the system. The finger command is not a Windows command. To view a user's home directory (within a user profile), Windows Explorer and PowerShell can be used.
Which of the following penetration testing methodologies or frameworks is an open-source collection of documents that outlines every area of an organization that needs to undergo testing, as well as provides details on how those tests should be conducted? a) PTES (Penetration testing execution standard) b) OSSTMM (open-source security testing methodology manual) c) ISSAF (information systems security assessment framework) d) OTG (OWASP testing guide)
b) OSSTMM (open-source security testing methodology manual) #Open-source is the hint.
A security auditor reviews a small retailer's credit card data protection strategy. In which area would the auditor likely request more detailed information to see that industry recommendations are followed? a) Hardware firewall b) Password Policies c) Software firewall d) Principle of least privilege
b) Password Policies #A password policy can contain many elements such as password length, age, and more. The auditor will likely want to know more about these policies. #A hardware firewall is a recommended configuration. When possible, dedicated appliances should be used to secure the infrastructure. A hardware firewall satisfies this requirement. #A software firewall is acceptable. While dedicated appliances are preferred, there is no rule against using a software solution as a security measure.
A PenTest manager drafts multiple contact lists for a pending engagement. Which list does the lead finalize? a) Primary contact: CIO, Technical contact: PenTest manager, Emergency contact: Local law enforcement b) Primary contact: CIO, Technical contact: IT manager, Emergency contact: IT Manager c) Primary contact: PenTest manager, Technical contact: PenTest manager, Emergency contact: IT Manager d) Primary contact: IT manager, Technical contact: PenTest manager, Emergency contact: Local law enforcement
b) Primary contact: CIO, Technical contact: IT manager, Emergency contact: IT Manager #The primary contact handles the project on the client's end. This can usually be a CIO or other party responsible for major decisions surrounding the penetration test. #The technical contact handles the technology elements of the activity. This is usually someone that has in-depth knowledge of the client system, such as the IT manager. #The emergency contact is the party that can be contacted in case of particularly urgent matters, such as system and technical issues. This is often the same as the technical contact. NOTE: Having local law enforcement listed as an emergency contact is likely not required. However, having a list of essential numbers such as building management, security, and law enforcement may be helpful while being on-site.
A small shop that sells novelty items begins taking credit card payments. An IT contractor configures the internal network to comply with cardholder data protection policies. What would the contractor consider as a questionable configuration? a) Hardware firewall b) Read/write share access c) Software firewall d) Password policy
b) Read/write share access #The contractor should evaluate the provision of access control methods by using the principle of least privilege. Giving write access where it may not be needed violates the principle of least privilege. NOTE: #A hardware firewall is a recommended configuration. When possible, dedicated appliances should be used to secure infrastructure. A hardware firewall satisfies this requirement. #A software firewall is acceptable. While dedicated appliances are preferred, there is no rule against using a software solution as a security measure. #The contractor should employ good practice strategies, such as changing passwords from the vendor default on all devices and enforcing a user password policy.
A PenTest team discovers that a DNS server responds to dynamic DNS updates without authentication. What causes this action? a) The server has a poisoned cache b) The server uses recursion c) The server contains invalid records d) The server is authoritative
b) The server uses recursion #Enabling recursion on a DNS server can open the server to vulnerabilities. Denial of service attacks are possible as well as DNS cache poisoning (the recording of fraudulent DNS information). Recursion means repeated process of application. NOTE: #If a server has a poisoned cache, it contains invalid DNS information. This is possible if the server uses recursion. If a server contains invalid records, it is the result of cache poisoning or some other problem. The use of recursion on the DNS server can lead to having invalid records. The server in question is not authoritative as it does use recursion to look up and resolve IP to hostname mappings.
A security team plans a lateral move within a client's Windows network. The intent is to exploit a flaw in the Distributed Component Object Model (DCOM) during the move. How does the team achieve this? a) Issue commands using SMB b) Use RPC as a transport mechanism c) Install the WinRM service d) Use remote access services
b) Use RPC as a transport mechanism #The Remote Procedure Call (RPC) enables inter-process communications between local and remote systems. DCOM applications use RPC as a transport mechanism. The PsExec utility uses the Server Message Block (SMB) protocol to enable the issuing of commands to a remote system across a network. #Windows Remote Management (WinRM) is a technology that provides an HTTP Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems. #The remote desktop protocol (RDP) is the default remote desktop service that comes with Windows systems. It does not use RPC with DCOM.
Alex is conducting a penetration test of Dion Training's network. They just successfully exploited a host on the network. Which of the following command should Alex utilize to establish persistence on the machine by creating a bind shell using netcat? a) nc -p 512154 /bin/sh b) nc -lp 512154 -e /bin/sh c) nc -lvp 512154 /bin/sh d) nc -p 512154 -e /bin/sh
b) nc -lp 512154 -e /bin/sh #A bind shell is a shell that binds to a specific port on the target host to listen for incoming connections. This is often created using Netcat. Netcat (nc) is an open-source networking utility for debugging and investigating the network, and that can be used to create TCP/UDP connections and investigate them. It is extremely popular with penetration testers and attackers alike due to its multiple use cases. You should be familiar with setting up a listener and establishing a connection to the listener using netcat. Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario). To start the connection to the listener, you would enter "nc <IPADDR> <PORT> -e <SHELL>", substituting the details for each parameter in each set of brackets.
A PenTester simulates an attack on a wireless network by capturing frames and then using the information to further an attack on a discovered Basic Service Set (ID) of an access point. What specific tool has the PenTester used to initiate the attack? a) Aircrack-ng b) Airmon-ng c) Airodump-ng d) Aireplay-ng
c) Airodump-ng #Airodump-ng is a tool that provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of an access point. This is a specific tool that is part of the Aircrack-ng suite. #The Aircrack-ng suite of utilities is made up of several command-line tools used for wireless monitoring, attacking, testing and password cracking. #Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. #Aireplay-ng Injects frames to perform an attack to obtain the authentication credentials for an access point (it's done internally)
Which of the following is the most difficult to confirm with an external vulnerability scan? a) XSRF/CSRF b) XSS c) Blind SQL injection d) Unpatched web server
c) Blind SQL injection #Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
A PenTester bypasses an active network access control (NAC) system by using an authenticated device. How might the tester accomplish this? a) Use a stealth scan b) Turn off firewall policies c) Configure a rogue access point d) Disable the NAC device
c) Configure a rogue access point #The tester, like a malicious actor, can use a rogue wireless access point to connect to a network with an authorized device. The attacker machine slips by the NAC appliance and relays malicious traffic into the protected network. NOTE: can also bypass it using VoIP phone along with MAC address spoofing. #A stealth scan uses techniques that try to exploit the expected behavior of TCP on a remote host. This scan is done with a tool such as Nmap and is not in the scope of using a NAC device. Turning off firewall policies will only expose a system to other malicious activity and not impact the ability of network access control mechanisms. Disabling the network access control device is counterproductive as the goal is to gain access while it is active and authenticating access.
An employee loses a smartphone while on vacation. The device is used in a BYOD program and contains sensitive data related to the business. Which vulnerability does the company face with the loss of the phone? a) Strained infrastructure b) Forensics complications c) Deperimeterization d) Patching fragmentation
c) Deperimeterization #The organization faces and now realizes a deperimeterization vulnerability. Employees that take sensitive data outside of the corporate perimeter and do not properly secure their devices will risk data exfiltration. #A strained infrastructure is caused by too many devices taxing a network. The addition of multiple devices can place a strain on the network and cause it to stop functioning at optimum capacity. #Dealing with BYOD during a forensic exercise may prove difficult or even impossible and compromise the integrity of an investigation. #A threat that can affect a mobile device is patching fragmentation. This can occur, as in many cases, device updates are not implemented in a timely manner.
A public school system looks to educate its student population with cybersecurity knowledge. Which resource will staff suggest is part of the curriculum that is most applicable to their current environment? a) OWASP b) NIST c) OSSTMM d) PTES
c) OSSTMM (open-source security testing methodology manual) #The Open-source Security Testing Methodology Manual (OSSTMM) provides a holistic structured approach to PenTesting. Other cyber security resources include theHacker Highschool which provides security awareness training to teens. #The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. #The National Institute of Standards and Technology (NIST) covers a large number of topics in areas such as climate, communication, and cybersecurity. NIST has many resources for cybersecurity professionals that include the Special Publication (SP) 800 series. #The Penetration Testing Execution Standard (PTES) has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest.
Which of the following tools should a penetration tester use to brute-force authentication on ftp, ssh, smb, vnc, or zip archive passwords? a) WinDbg b) Gobuster c) Patator d) CrackMapExec
c) Patator #Patator is a multi-purpose brute-force tool that supports several different methods, including ftp, ssh, smb, vnc, and zip passwords. #WinDbg is a free debugging tool created and distributed by Microsoft for Windows operating systems. #Gobuster is a tool that can discover subdomains, directories, and files by brute-forcing from a list of common names. #CrackMapExec is a post-exploitation tool to identify vulnerabilities in active directory environments.
Which might a security engineer use to illustrate the logic and functions of a script in a generic way? a) Operators b) Trees c) Pseudocode d) Flow control
c) Pseudocode #Pseudocode is a made-up language used to show flow and logic but is not based on any programming or scripting language. Pseudocode can be used to easily illustrate the logic of a script and is used to develop a script to show basic flow and functionality. #Operators are used in code to perform calculations such as mathematical calculations. #In data representation, a tree has the root at the top, and the "branches" go down, with a "leaf" object at the end of a branch. #Controlling the flow of instructions (flow control) enables programmers to write a script so that it can follow one or more paths based on certain circumstances.
A new receptionist at a financial firm answers a call from someone that claims to be a remote employee. The caller tries to obtain user account information of another employee with a claim that such information is allowed to be given to a Vice President of the firm. Which social engineering techniques does the caller use? (Select all that apply.) a) Survey b) Observation c) Request d) Interrogation
c) Request d) Interrogation #With a request, an attacker or social engineer pretends to be someone that is considered to be in a trusted position. Using the position, the attacker asks the target for information to be used in an attack. In an interrogation technique, the attacker or social engineer poses as an authority figure to obtain actionable intel. In this case, claiming to be a Vice President is an exercise of authority. Surveys are used to informally collect data from a target. This is a technique that may likely be utilized via email. Observation is a technique where an attacker or social engineer examines the target's behavior and day-to-day routine in a particular environment, with or without their knowledge.
The PenTest team has been conducting network scans using the default timing setting of T3 with no disruptions to the organization's network or systems. The team now wants to increase the scan timing to a recommended level that is still stable. Which Nmap timing option should the team choose to achieve this goal? a) T0 b) T5 c) T4 d) T1
c) T4 #The team will need to be aware of overburdening a network but can take advantage of a robust network.T4 is the recommended choice for a fast scan that is still relatively stable. NOTE: #In some cases, network devices enforce rate limiting. Using the Nmap command with a time option of T0 and T1 are the best choices for IDS evasion but are extremely slow. #T5 is the fastest option but can be unstable and should only be used on a network that can handle the speed.
A rogue system is suspected to be on a large network. A PenTester uses the -sY option and should expect what process to happen? a) A TCP SYN packet is sent b) An ICMP type 13 is included c) A UDP Ping is sent d) A SCTP Initiation Ping Occurs
d) A SCTP Initiation Ping Occurs #An SCTP Initiation Ping uses the Stream Control Transmission Protocol (SCTP), an alternative to using either a TCP or UDP scan to see if a host is alive. This scan requires using the -sY option. A TCP SYN (synchronize) packet starts a communication session with a host by using TCP to initiate a conversation. This is a default action with Nmap. By default, Nmap will perform a TCP scan. A UDP protocol scan can be initiated by using the -PU for port scanning. By default, a Nmap scan will use the timestamp of 32 bits of milliseconds since midnight UT during host discovery.
A business hires a PenTest team with a concern that wireless access points (AP) are vulnerable to an insider attack. Which tool do the testers use to gain access to an AP? a) Airmon-ng b) Airodump-ng c) Aircrack-ng d) Aireplay-ng
d) Aireplay-ng #Aireplay-ng Injects frames to perform an attack to obtain the authentication credentials for an access point (it's done internally)
An organization performs an analysis to determine its tolerance level for risk. What is this value known as? a) Metric b) Measure c) Rating d) Appetite
d) Appetite #Risk appetite refers to the amount and type of potential vulnerabilities and threats the organization is willing to tolerate and endure. #Metrics are quantifiable measurements of the status of results or processes. An example of a metric related to PenTesting is the criticality of vulnerability findings. #Measures are the specific data points that contribute to a metric. Values may be a percentage of systems that are susceptible to a particular vulnerability. #Risk rating is the process of assigning quantitative values to the identified risks. This is usually done by following a reference framework.
In a cloud environment, what does the combination of infrastructure, platform services, and software represent? a) Cloud service provider b) Content delivery network c) Identity and access management d) Cloud Federation
d) Cloud Federation #he combination of infrastructure, platform services, and software represents a cloud federation, which is a boon to attackers. The elastic computing power can be borrowed in a way that can make actions hard to trace. NOTE: #A cloud service provider (CSP) is a vendor that provides and provisions services such as infrastructure, servers, and storage in a virtualized manner. A content delivery network is a geographically distributed network of servers, infrastructure, and storage that provides services to consumers. #Identity and access management (IAM) defines how users and devices are represented in the organization, as well as how they are granted access to resources based on this representation.
A Pentester crafts a packet to test vulnerabilities on a hardware firewall. Packets are fragmented so that a malicious signature is not recognized by an IDS. Considering the packet crafting stages, which stage captures the packets sent to assist in determining how the test went? a) Edit b) Assemble c) Play d) Decode
d) Decode #Decoding the capture of the packets sent will help to determine how the test went. The Pentester can analyze traffic generated using a packet analyzer such as Wireshark. #Editing a packet is similar to assembling a packet. The difference is that the packet content is modified after it was created or captured. #Assembling a packet involves the creation of the packet to be sent. This may involve setting malformed information to see how the traffic is handled by certain devices on a network. #Playing in the packet crafting process is the actual release of the packet into the wild. The packet is sent or resent (if edited) on the network.
An organization utilizes a few dozen voice assistants throughout its offices. The devices are made and branded by an obscure manufacturer. What technological security issue might the organization encounter with these devices? a) Lack of physical security b) Lack of expandability c) Lack of performance d) Lack of automated updates
d) Lack of automated updates #Lack of automated updates is a technological security issue for many smart devices. When updates are not automatic, patches or firmware changes go neglected. Lack of physical security is related to the physical theft of or damage to the devices. As the devices are likely relatively small in size, this is an issue but not a technological issue. Lack of expandability would cover the ability to integrate with other smart devices and hubs. While this might present itself as an issue down the road it is not a security issue. Lack of performance would be a result of poor design and manufacturing. This would not be a technological security issue.
A PenTest team considers which issue as part of the lessons learned phase? a) Client follow-up b) Mitigation implementation c) Client acceptance d) New vulnerabilities
d) New vulnerabilities #It is possible that the team found new unknown vulnerabilities during the testing. Additional personnel training or updated tools may be part of a lessons learned report. #Client follow-up is not part of a lessons learned report but rather a revisit to a client after testing and mitigation techniques have been implemented. #Although a Pentest team may assist, a mitigation implementation is the responsibility of the client and is not part of a lesson learned. #During the formal hand-off process, confirmation from the client that they agree that the testing is complete and that they accept your findings as presented is important. This is not part of a lessons learned report.
A PenTester provides a client a high level of details on the company and its employees in a report. The PenTester mentions the use of Twitter, Facebook, and the company's website as its sources. What category of intelligence does the PenTester utilize during research? a) Private feeds b) A subscription service c) Job postings d) Open-source
d) Open-source #Open-source intelligence (OSINT) is the method and data that can be found freely and publicly accessible online. Examples include social media postings, company websites, and job boards. #Private feeds would not be freely and publicly available. While social media sites feature private areas, public areas are the concern.
A team of Pentesters look to use a tool that can observe and interact with an API on an Android device. Which tool does the team utilize to test an HTTP API? a) Drozer b) APK Studio c) APKX tool d) Postman
d) Postman #An API is a set of commands that is used to send and receive data between systems. Postman is a tool that provides an interactive and automatic environment used to interact and test an API. #Drozer is open-source software used for testing for vulnerabilities on Android devices. #APK Studio is an integrated development environment (IDE) designed to decompile and or edit an APK file (an Android install file). #APKX tool is an Android APK decompiler that allows the pulling of Java source code to analyze and see what's going on inside.
PenTest results recommend a change to passwords for a server system. One suggestion to harden the system is to add a randomly generated string to a password. What is the technique referred to as? a) Randomizing b) Encrypting c) Hashing d) Salting
d) Salting #A randomly generated string, known as a salt, can be added to a password before hashing. This salt can be stored along with the hashed password for verification purposes. NOTE: #Randomization is a technique used in many areas, including password generation. Of note, a salt is a randomly generated string of characters. #Password encryption uses one of a number of algorithms for protection. Otherwise, a password would be visible as clear text when transmitted across a network. #Hashing is a method that is used to encrypt passwords. A hashing algorithm takes a given value (password) and converts it into another value.
Which technical control removes user-supplied unwanted or untrusted data? a) Process-Level remediation b) Key Rotation c) Escaping d) Sanitization
d) Sanitization #Input sanitization is the process of stripping user-supplied input of unwanted or untrusted data so that the application can safely process that input. It is the most common approach to mitigating the effects of code injection. NOTE: #Process-Level remediation is the concept of resolving a finding by changing how it is used or implemented and is not related to sanitization. #Key rotation is the process of periodically generating and implementing new access keys to a server/service and is not related to sanitization. #Escaping is a type of input sanitization, also referred to as encoding. It substitutes special characters in HTML markup with representations that are called entities.
A PenTest exercise has concluded. The PenTest team now addresses which area? a) Software upgrades b) Antivirus installation c) Hardware replacement d) Shell Removal
d) Shell Removal #Removing shells should be part of the post-engagement cleanup process. It should be noted that some shells may be hidden on target systems. NOTE: #Software upgrades are not carried out by the Pentest team unless contracted to do so. The recommended upgrade of any software such as those that have security flaws should be included in a final report. Antivirus installation is not performed by the Pentest team unless requested by the client. The recommended installation of a new or updated antivirus solution should be included in a final report. Hardware replacement is not carried out by the Pentest team. The recommended replacement of any hardware such as outdated firewalls should be included in a final report.
Dion Training has hired you to assess its voucher fulfillment REST API on its e-commerce website. Which of the following support resources would be MOST helpful when conducting a known-environment assessment of the API? a) XSD file b) WSDL document c) SDK documentation d) Swagger document
d) Swagger document #A swagger document is the REST API equivalent of a WSDL document that defines a SOAP-based web service. Since Dion Training's voucher fulfillment system uses a REST API, you should request a copy of the swagger document to conduct a more efficient assessment of their web application since this is a known-environment assessment. SDK documentation is used to document the software development kit and is not relevant to the REST API being tested. An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents. Refer to: https://swagger.io/tools/swagger-ui/
Which one is the stealth scan? a) FIN scan b) NULL scan c) XMAS tree scan d) TCP SYN scan
d) TCP SYN scan #TCP SYN scan is the original stealth scan. It sends the packet to the target with the SYN flag set. This is called a "half-open" scan because the attacker doesn't complete the three-way handshake like in the TCP connect scan. If the target is open, the target will send SYN/ACK and if closed, target will sent RST flag. If the target is filtered using a firewall, the packet will be dropped and no response is sent. NOTE: XMAS Tree scan sends a packet with the FIN, URG, and PSH flags set and appears to be "lit up like a Christmas Tree." Exception in XMAS tree scan is that, if the target is open, it will send "no response" (unlike TCP SYN scan). Closed and filtered firewall cases are the same for both.