Pentest Chapter 2
During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings? A. Encryption type B. Wireless frequency C. SSIDs D. Preshared keys
C. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal repercussions for a careless penetration tester!
During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred? A. Malfeasance B. Pivoting C. Scope creep D. Target expansion
C. Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort are not accounted for in an addendum to his existing contract.
What does an MSA typically include? A. The terms that will govern future agreements B. Mutual support during assessments C. Micro-services architecture D. The minimum service level acceptable
A. A master services agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work or SOW.
What type of assessment most closely simulates an actual attacker's efforts? A. A red-team assessment with a black box strategy B. A goals-based assessment with a white box strategy C. A red-team assessment with a crystal box strategy D. A compliance-based assessment with a black box strategy
A. A red-team assessment actively seeks to act like an attacker, and a black box strategy means the attacker has no foreknowledge or information about the organization. This best simulates an actual attacker's efforts to penetrate an organization's security.
Which of the following threat actors is the most dangerous based on the adversary tier list? A. APTs B. Hacktivists C. Insider threats D. Organized crime
A. Advanced persistent threats are often nation-state-sponsored organizations with significant resources and capabilities. They provide the highest level of threat on the adversary tier list.
What penetration testing strategy is also known as "zero knowledge" testing? A. Black box testing B. Grey box testing C. Red-team testing D. White box testing
A. Black box testing is often called "zero knowledge" testing because testers do not have any knowledge of the systems or their settings as they would with white box or even the limited knowledge provided by a gray box test.
Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.) A. Risk tolerance B. Point-in-time C. Comprehensiveness D. Impact tolerance
B, C. Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.
What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment? A. A noncompete B. An NDA C. A data security agreement D. A DSA
B. A nondisclosure agreement, or NDA, covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.
The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language? A. His testing may create changes. B. The environment is unlikely to be the same in the future. C. Attackers may use the same flaws to change the environment. D. The test will not be fully comprehensive.
B. Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Greg's point-in-time validity statement is a key element in penetration testing engagement contracts.
Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using? A. Key boxing B. Certificate pinning C. X.509 locking D. Public key privacy
B. Certificate pinning associates a host with an X.509 certificate or public key. The rest of the answers were made up!
What type of adversary is most likely to use only prewritten tools for their attacks? A. APTs B. Script kiddies C. Hacktivists D. Organized crime
B. Script kiddies are most likely to only use prebuilt attack tools and techniques. More advanced threats will customize existing tools or even build entirely new tools and techniques to compromise a target.
What type of language is WSDL based on? A. HTML B. XML C. WSML D. DIML
B. Web Services Description Language is an XML-based language used to describe the functionality that a web service provides. XML is a common basis for many descriptive languages used for a variety of documents and service definitions that a penetration tester may encounter.
What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract? A. NDA B. MSA C. SOW D. MOD
C. A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.
During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not receive a full network diagram. What type of assessment is she most likely conducting? A. A white box assessment B. A crystal box assessment C. A gray box assessment D. A black box assessment
C. Lauren has limited information about her target, which means she is likely conducting a gray box assessment. If she had full knowledge, she would be conducting a white, or crystal, box assessment. If she had no knowledge, it would be a black box assessment.
While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed? A. Jack whitelisting B. Jack blacklisting C. NAC D. 802.15
C. The organization that Cassandra is testing has likely deployed network access control, or NAC. Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.
Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature? A. The information security officer B. The project sponsor C. The proper signing authority D. An administrative assistant
C. While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization's proper signing authority. That means this person must have the authority to commit the organization to a penetration test. Unfortunately, it isn't a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.
Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information? A. Black box B. Gray box C. White box D. Red box
C. White box testing, also known as "crystal box" or "full knowledge" testing, provides complete access and visibility. Black box testing provides no information, while gray box testing provides limited information. Red box testing is not a common industry term.
What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data? A. An objectives-based assessment B. A compliance-based assessment C. A black-team assessment D. A red-team assessment
D. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find.
During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened? A. His IP address was whitelisted. B. The server crashed. C. The network is down. D. His IP address was blacklisted.
D. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization's defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.
Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting? A. An objectives-based assessment B. A red-team assessment C. A black-team assessment D. A compliance-based assessment
D. The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Lucas is conducting a compliance-based assessment.