Ethical Hacking Final

Which file below, located in a user's home directory, holds a list of recently executed commands on Linux

.bash_history

The Windows .SCR format is actually a specialized form of what?

.exe

Where, by default, will screenshots taken by the root user on a Kali system be stored?

/root/Pictures

Where does Kali store video screen captures for the root user

/root/Videos

Which commonly installed software can sometimes be abused to aid in pivoting

All of the above

Which feature(s) of organizational culutre would be useful to know when creating social engineering attacks?

All of the above

Which of the following methods might a social engineer use to improve the effectiveness of their attack?

All of the above

Which of these might be a good place to look for plaintext passwords that could be usable for privilege escalation

All of the above

Which of the following should be avoided when briefing executives

All of the above should be avoided when briefing executives

What feature is most likely to make a phishing e-mail more believable

Appropriate branding for the company being targeted

Which of the following is closest to machine language

Assembly Language

What might be an issue with removing logs from a server

Both A and B

Where does a program store the data it is actively using?

Both A and B

Why might you want to make a backdoor that doesn't include persistence mechanisms?

Both A and B

Which of the attacks below can occur when the user can control some object or value before the program can use it

Both A and C

Why do social engineers often use time pressure as part of an attack

Both B and D

Which of the following Linux commands will immediately clear the history of the current user

Both a and C

Which of the following Windows commands will help you find the devices this device has recently connected to?

Both a and C

Which of these is not one of the OWASP top 10

Client-side scripting

What is the difference between a compiled language and an interpreted language

Compiled languages are translated to machine language by a compiler, and interpreted languages are read by an interpreter which executes its own code to interpret the meaning of the code

Which of these programs is a thick client application with a polished user interface, commercial-quality exploits, and built-in reporting features?

Core impact

The values A, B, C, and D are pushed onto the stack, in that order. When a pop command is issued, which value will be retrieved from the stack first

D - Last in first out

Why might you want to use a tool like DNSenum rather than directly scanning all IPs with NMAP?

DNSenum can be quieter than active scanning with NMAP

What does the Windows command auditpol /clear do?

Deletes audit policies applied to a user

Which of the following is the common term for going through an organization's trash looking for useful information?

Dumpster diving

What is the EAX register used for

EAX is a general purpose register and can hold anything, but most commonly holds intermediate data for math functions

What is the term which means "to increase the level of access the hacker has to the system"

Escalation of privilige

Which of these proxies is not included in Kali Linux?

Fiddler

What term is means "to gain command line access to a system"

Getting a shell

What is the EBP register used for

It points to the beginning of the current program's data on the stack

What is the ESP register used for?

It points to the top of the stack - point stacker

Of the items below, whcih would be most likely to be included in an executive summary section of the penetration test report

It was possible to extract the entire customer list using a SQL injection vulnerability on the public web site

What does DEP do

Lets the developer mark regions of memory as executable or non-executable, and will not execute commands placed in non-executable memory segments

What does MITM stand for?

Man in The Middle

Which of these sites offers a "what is this site running" feature which can help identify web servers and application frameworks in use on a web site?

Netcraft.com

Which of the following is not a notetaking app included in Kali

Notepad++

Which of the following is normally considered to be outside the scope of a penetration testing engagement, and may even be considered a conflict of interest

Offering to perform remediation of issues found

How should slides best be organized in the presentation

Order the slides to make it easy to match them to sections in the report

What is the difference between phishing and spear phishing

Phishing targets many people while spear phishing targets individuals or select groups

Which of the following includes creating a believable persona and a reason for being at the client's site?

Pretexting

What does ASLR do

Randomizes the location of programs in memory

In patching vulnerability MS14-025 what did many system admnistrators fail to do which led to ongoing vulnerability

Remove weakly protected credentials which had already been placed in the SYSVOL share

What command can be used from within Kali to search a local copy of the exploit-db

Searchsploit

A default install of a web application which includes unnecessary features enabled and default user accounts is an example of which OWASP top 10 item

Security Misconfiguration

Which of these is an example of a specialized search engine used to search for things like HTTP headers rather than web page content?

Shodan.io

Which of the following typically takes more time and research per subject

Spear phishing

What was Microsoft trying to protect users from, when it accidentally made all system memory (including kernel memory) readable and writable to all processes on the system

Spectre/Meltdown

What is a name for mapping a web site by visiting each link in the home page, then each link in every page that links to, and every link in every page that links to, etc.?

Spidering

A _____ cipher is used to perform bit-by-bit encryption of the plaintext, using a (hopefully) non-repeating pseudorandom key to XOR each bit of the plaintext with one bit of the key

Stream

The NVD uses several factors to classify vulnerabilities. Often these factors are compressed into a data structure called what?

The CVSS Vector

Which of the following is typically modified by a bootkit

The Master Boot Record (MBR)

When wrapping up it is good to set expectations for which of the items below

The length of the question and answer period following the test

In the follwing command: nc -l -p 9999 -e "nc target.host.com" -p 80 what is the -p parameter

The port the command should listen on or send to

The KRACK attack on WPA2 was an attack on which of the following:

The protocol

Which item in Windows, used to store settings, program state, and similar information for many Windows programs, can often contain sensitive information?

The registry

What is the purpose of vulnerability scanning?

To assess the most vulnerable vectors to attack and the reward for doing so.

The firewall on Linux can be configured to forward specific incoming traffic out to another device

True

What should not be assumed when briefing technical staff

Understanding security concepts

Which of these Linux text editors was pointed to in class as providing an option to launch a command shell, which, if the editor was setuid root, would be a root shell?

Vi

Which form of attack targets a site, business, etc. users of a target company may be more likely to visit?

Watering hole attacks

Which of the following Windows features can be abused to allow a logged in user to configure a way to bypass the login screen going forward?

Windows accessibility features

Is there useful information to be gathered from routers in a post-exploitation phase?

Yes

Which of these is a wireless protocol used in many industrial applications?

Zigbee

Which of these causes vulnerabilities in Bluetooth?

all of the above

Which of these events can be used to launch a backdoor or other script

all of the above

Which of these is a form of injection vulnerability

all of the above

Which of these is a security issue with home wireless routers

all of the above

Which of these would be a technique for making your story about why you are on the premesis believable?

all of the above

After the parameters to be passed to the function are pushed onto the stack, what command pushes the current value of EIP onto the stack?

call

Which Metasploit module is often used to clear history?

clearev

Which of the following Windows commands will show all of the recently typed commands from the windows command line?

doskey /history

What is the name for a program which provides access to multiple exploits organized under one user interface?

exploit framework

Which of these is a site that makes descriptions of vulnerabilities available along with proof of concept exploit code?

exploit-db.com

Which of the following commands will show you a list of local administrators

net localgroup administrators

Which of the following is referred to as the "network swiss army knife" and allows you to connect to arbitrary services, proxy traffic, and even listen on a given port and provide a shell?

netcat

What is considered one of the quickest ways to cover your tracks in a penetration test

remove all malware used in the attack

Which of these tools is used for finding domains and address ranges used by an organization?

whois

Which of the following stored procedures will allow you to run arbitrary operating system commands on a MS SQL Server if enabled

xp_cmdshell