PenTest+ Pre-assessment


A reconnaissance technique used to identify a client website returns the response <address>Apache/2.4.29 (Ubuntu) Server at comptia.org Port 8080</address>. How does a PenTester focus any testing efforts? (Select all that apply.) A.Using Linux tools B.On a standard HTTP port C.Using Windows tools D.On a non-standard HTTP port

A. Using Linux tools D. On a non-standard HTTP port As the response includes information stating that Apache for Ubuntu is being used, the PenTester should use tools and techniques that are specific to Linux operating systems. The PenTester should not focus on a standard HTTP port, but rather on port 8080 as indicated in the response output. The standard web port for HTTP is port 80. In this case, the port that is used and being reported is port 8080. This is the port the PenTester should target. The response states that the Apache server is being used. While Apache can run on Windows, Ubuntu is identified as the operating system in use. The PenTester should use tools for Linux.

An organization's legal team drafts a master service agreement (MSA) along with a PenTest team lead. What will the agreement include? (Select all that apply.) A.Team credentials and certifications B.Insurance information C.Safety guidelines D.Project scope

B.Insurance information C.Safety guidelines D.Project scope Conducting a PenTest for an organization is a business arrangement, and all terms of the test should be clearly defined. Any general and liability insurance should be outlined if something goes wrong and damages occur. Safety guidelines and environmental concerns should be part of a master service agreement. Such guidelines should outline prohibited areas and the use of the facility. The project scope is defined within the master service agreement. The project scope is a definition of the specific work that is to be performed and completed. Team member backgrounds and credentials would not be part of the master agreement but perhaps in other documentation that is provided during the interview process of doing business together.

A PenTester initiates a testing exercise by enumerating network hosts. Which Windows-native tool will provide the tester with valid OS info for Windows computers? a. PowerShell b. Nmap c. Metasploit d. uname -a

a. PowerShell PowerShell (PS) uses cmdlets to achieve a task, such as Get-Help, and can enumerate info such as OS version, shares, files, and more. Nmap has a wide range of commands and NSE scripts for host enumeration to fingerprint the OS and interrogate its services; however, it is not native to Windows. Metasploit has several modules that can enumerate hosts. For example, the team can run the enum_applications module to determine what applications are installed on the target host. The uname -a command can be used on a Linux system to display the OS name, version, and other details.

A security engineer uses Netcat to listen for connections on a particular port. Which command options does the engineer use to create a persistent listener on port 53 that triggers a script? (Select all that apply.) a. -L b. -p c. -e d. -l

a. -L b. -p c. -e The -L option starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects. The -p option specifies the port that Netcat should start listening on in listening mode. When used in client mode, this value specifies the source port. The -e option specifies the program to execute when a connection is made. This is useful for alerts and logging. The -l option starts Netcat in listen mode. This is a non-persistent mode. The default mode without this option is to act as a client.

A PenTester uses the Nmap utility to scan for a particular host on the network. Without using any options, what does Nmap provide as a result to the PenTester? (Select all that apply.) a. ARP requests b. SCTP Initiation Ping c. UDP Ping d. ICMP type 8

a. ARP requests d. ICMP type 8 Address Resolution Protocol (ARP) requests are sent to hosts on the same local network to obtain MAC address details. The MAC address can be used for purposes such as access control. By default, Nmap uses the ICMP Echo Request (ICMP type 8), especially during host discovery, to determine if hosts are up. This is the standard method employed for ICMP traffic when no specific options are set. By default, Nmap will perform a TCP scan. A UDP Ping is initiated with the -PU option. An SCTP Initiation Ping uses the Stream Control Transmission Protocol (SCTP), an alternative to using either a TCP or UDP scan to see if a host is alive. This scan requires using the -sY option.

A new PenTester looks for a command and control (C2) tool that will provide consistently good results with Mac OS. Which tool does an experienced penetration tester suggest? A.Mythic B.Covenant C.Nishang D.Empire

A. Mythic Mythic is a C2 framework that contains payloads such as Apfell and Poseidon that provide consistently good results when PenTesting macOS. Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier. Nishang is a PowerShell tool that includes a large set of scripts for Windows post-exploitation. Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux.

How is the Penetration Testing Execution Standard (PTES) utilized by a PenTest team post-engagement? a. Presentation of findings b. Data sharing c. Vulnerability scanning d. Vulnerability exploiting

a. Presentation of findings A PenTester is free to show findings as it sees fit; however, it is highly recommended to at least start from a standard, such as PTES. When compiling findings, the Dradis framework can help to greatly reduce repetition and increase reach by allowing team members to share data and findings about client organizations. Vulnerability scanning would be performed long before showing findings. Looking for vulnerabilities would be a step that testers use in the discovery phase of a test. Vulnerability exploiting would be a step that testers perform when looking to see if a system is subject to vulnerability risk.

A client comments on a PenTest report by stating their amazement at how much info was found. The client asks which tool was used to find subdomains and their respective directories. Which tool does the PenTester explain? a. Wapiti b. truffleHog c. Gobuster d. BeEF

c. Gobuster Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide info that was otherwise not available. Wapiti is a web application vulnerability scanner that will automatically navigate a web app looking for areas where it can inject data. TruffleHog is a Git secrets search tool. It can automatically crawl through a repository looking for accidental commits of secrets. BeEF focuses on web browser attacks by assessing the actual security posture of a target using client-side attack vectors.

Which might a security engineer use to illustrate the logic and functions of a script in a generic way? a. Operators b. Trees c. Pseudocode d. Flow control

c. Pseudocode Pseudocode is a made-up language used to show flow and logic but is not based on any programming or scripting language. Pseudocode can be used to easily illustrate the logic of a script. Operators are used in code to perform calculations such as mathematical calculations. In data representation, a tree has the root at the top, and the branches go down with a leaf object at the end of a branch. Controlling the flow of instructions (flow control) enables programmers to write a script so that it can follow one or more paths based on certain circumstances.

A PenTester remotely adds a user to a Windows system on one box and elevates a Linux user account to root on another. Which approach does the tester use? (Select all that apply.) A.net user jjones /add B.editing a file and changing the user's user ID (UID) and group ID C.net localgroup Administrators jjones /add D.useradd jjones

A.net user jjones /add B.editing a file and changing the user's user ID (UID) and group ID On a Windows system, the net user command is used to manipulate user accounts from the command line. The net user jjones /add command will add a user account named jjones. On a Linux system, there are several ways to give root privileges to a user, including editing the /etc/passwd file and changing the user's user ID (UID) and group ID (GID) to 0. On a Windows system, the net localgroup Administrators jjones /add command adds the account to the local Administrators group. On a Linux system, a user account can be added with the command useradd jjones.

An organization is hosting a presentation that includes highly confidential business data. The audience will consist of both external spectators and company employees. In light of the sensitive nature of the information being presented, the security team has advised external spectators against bringing personal or company electronics to the event and has designated specific seating areas for them. For security purposes, which of the following rules should external spectators be asked to comply with? (Select all that apply.) A.Adhere to the company computer use guidelines. B.Checking in all mobile devices with the front desk. C.Remaining in designated areas only. D.Do not ask the presenter any questions.

B.Checking in all mobile devices with the front desk. C.Remaining in designated areas only. Checking in mobile devices is a good security practice. As mobile devices have the ability to record both images and audio, not allowing them within the office reduces the risk of unauthorized capture of information. Creating a designated area for spectators to occupy helps to maintain control during the event. Without designated areas, individuals may wander into restricted areas. As the attendees are only spectators, there is no need for a computer use policy. A computer use policy would likely apply to employees. Asking questions is not a security concern. The presentation would likely generate some questions from the spectators.

PenTesters have completed a penetration test for a software development team, uncovering vulnerabilities specifically in password encryption methods and application-level security mechanisms. In their final report, what areas might the testers recommend for improvement? (Select the two best answers.) A.Enhancing physical security controls B.Using strong hash functions C.Avoiding hard-coded credentials D.Deploy data loss prevention tools

B.Using strong hash functions C.Avoiding hard-coded credentials Developers should use cryptographically strong hash functions, like SHA-256 and bcrypt, while avoiding cryptographically weak hash functions, like MD5 and SHA-1. Developers should be aware of the ramifications of hard-coding credentials into applications. It is best to allow the application to ask for credentials. While important, physical security controls are not directly related to the vulnerabilities identified in password encryption methods and application-level security mechanisms. Data loss prevention tools focus on network-level monitoring and are not directly relevant to the specific vulnerabilities identified in the question.

A security engineer uses Google hacking to gain knowledge about an organization's employees. What search results does the engineer retrieve by using the syntax: link:comptia.org about while practicing the command? A.To search for any pages whose anchor text includes the text "about" B.To search for any pages whose URLs include the text "about" C.To search for any pages that lead to the website with the text "about" on the page D.To search the website only for results including the text "about"

C.To search for any pages that lead to the website with the text "about" on the page To find a link to a specified page, the link operator is used. Searching link:comptia.org about will search for pages that link to CompTIA's website and have the text "about" on the page. When searching for anchor text, the inanchor operator is used. Searching inanchor:about employees will search for pages with the anchor text "about" and with the text "employees" on the page. A URL can be searched for text with the inurl operator. Searching inurl:about employees will search for pages whose URLs include the text "about" and have the text "employees" on the page. To search a site for text, the site operator is used. Searching site:comptia.org about would be used to search CompTIA's website for the text "about."

PenTesters report that a firewall that is being tested is allowing for malicious data to be passed through. The target system on the internal side of the firewall is an email server and all related inbound email ports are scanned. Why does this malicious data pass through undetected? (Select all that apply.) a. An ACL is not configured properly b. The packet matches a permit rule c. The payload is not scanned d. The SMTP port is not being scanned

a. An ACL is not configured properly b. The packet matches a permit rule c. The payload is not scanned In some cases, packets may slip through a firewall because the ACL was not configured correctly. An ACL may dictate which source IP addresses are valid senders. A malicious packet may pass through a firewall if a specific permit rule passes the packet through to the internal network. If inbound email-related TCP ports are allowed, an actor could hide a payload in a packet header, or simply set the destination port of any malicious TCP packet to one of the inbound ports. The SMTP port is not likely to be the cause, as the scenario specifies scanning of all related inbound email ports, which includes SMTP.

Steganography requires three basic elements to work. Which elements are valid? (Select all that apply.) a. Carrier b. Decoder c. Payload d. Tool

a. Carrier c. Payload d. Tool The carrier must be able to pass as the original and appear harmless. A carrier might be music or an image file. The payload can contain any number of things, such as trade secrets or command and control activity. Once the payload is hidden, no one outside of the sender and the receiver should suspect anything. There are hundreds of steganography tools available that can conceal the activity. Most are freely available and have similar functions in that they can conceal and encrypt data using a wide range of carriers. A decoder is not a required element used in steganography. A steganography tool is used to work with files that contain a payload.

During a penetration testing engagement, a script is employed to collect critical information within a LAN segment to facilitate effective pivoting. Which types of details is this script likely to enumerate? (Select all that apply.) A.host names B.usernames C.subnets D.closed ports

A. Host names B. Usernames Gathering host names is key for mapping the network's structure, an essential step for navigating and pivoting within the LAN segment. Enumerating usernames is crucial as it provides insights into potential targets within the network, aiding in further penetration testing steps. Although subnet information is valuable, it is not the primary focus of this script, which is more oriented towards identifying active devices and user details. Information about closed ports is relevant for vulnerability assessments but not the primary focus of this script, which is aimed at gathering actionable data for network traversal.

An organization that handles credit card payments must follow specific cardholder data environment (CDE) requirements to meet PCI DSS standards. Which approach would satisfy such requirements when it comes to cardholder data? (Select all that apply.) a. Isolated subnets b. Network segmentation c. ARP traffic d. Wireless LAN

a. Isolated subnets b. Network segmentation Subnets are isolated from one another using devices such as routers. Payment card data should be kept separate from other data on a network. Subnetting is an appropriate solution. Payment Card Industry Data Security Standard (PCI DSS) requirements state that an organization must ensure the cardholder data environment (CDE) is properly segmented from other nonrelated areas of a network. ARP traffic is not associated with the CDE, but it can discover hosts on a network and assist in stopping ARP poisoning. Using a wireless network would not isolate cardholder data unless special provisions are made, such as placing the wireless LAN in a different zone or subnet.

Businesses that process credit card transactions are required to follow guidelines to ensure compliance. Under standard PCI DSS compliance requirements, which levels of businesses are required to complete a Report on Compliance (RoC) or may be required to by a financial institution? (Select all that apply.) A.Level 1 B.Level 3 C.Level 2 D.Level 4

A. Level 1 C. Level 2 Level 1 merchants process over 6 million transactions annually, which categorizes them as high-risk. The PCI DSS mandates a RoC for these merchants, requiring a formal assessment by a Qualified Security Assessor (QSA) due to the high volume of transactions. Level 2 merchants process 1 to 6 million transactions annually and typically complete a Self-Assessment Questionnaire (SAQ), but an acquiring bank may require an audit and RoC. Level 3 merchants process 20,000 to 1 million transactions annually. They are not required to complete a RoC and typically do not choose this option. Level 4 merchants process fewer than 20,000 e-commerce transactions annually. They are low-risk and do not complete a RoC for PCI DSS compliance.

An org realizes the potential for an attack on their systems. As a result, a resiliency assessment takes place and various controls are suggested to be put in place. When a systems engineer implements an ACL on a firewall, which type of control does this action represent? a. Logical b. Administrative c. Physical d. Least privilege

a. Logical Technical or logical controls automate protection to prevent unauthorized access or misuse and include ACLs that are implemented as software or hardware. Administrative controls are security measures implemented to monitor adherence to organizational policies and procedures. Physical controls restrict, detect, and monitor access to specific physical assets or areas. The principle of least privilege is a security approach where an object should only be allocated the minimum rights, privileges, or info in order to perform its purpose.

A security engineer discovers that a malware injection attack has occurred on a server in a cloud infrastructure. What does the engineer discover has happened? (Select all that apply.) a. Malicious code was concealed in a wrapper. b. A website experienced cross-site scripting. c. An origin network was identified behind a proxy. d. The hardware leaked sensitive info.

a. Malicious code was concealed in a wrapper. b. A website experienced cross-site scripting. In a malware injection attack, a service can fall victim to a wrapper attack, which wraps and conceals malicious code to bypass standard security methods. In a malware injection attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and cross-site scripting (XSS). With direct-to-origin (D2O) attacks, many orgs seek to reduce the threat of a DDoS attack by using methods such as reverse proxies. In a D2O attack, malicious actors circumvent this protection by identifying the origin network or IP address. In a side-channel attack, an exploit is possible because of the shared nature of the cloud. In this attack, the hardware leaks sensitive info such as cryptographic keys.

A PenTester performs active recon as part of an exercise. The goal is to identify possible query formats for a web app that uses SQL. What method identifies possible SQL injection vulnerabilities in a web app by submitting a single apostrophe and then looking for errors? a. Single quote b. Stack multiple c. Blind SQL d. Time-based blind SQL

a. Single quote The most common method for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. This is called the single quote method. If an error is returned, it may provide SQL syntax details. Certain web app APIs also allow the stacking of multiple queries within the same call. This can be useful for injecting new query types into a form's existing query type. Blind SQL injection is injecting SQL when the web app's response does not contain the result of the query. Adding a time delay to a Blind SQL injection is known as time-based blind SQL.

A Jr. PenTester has difficulty using a Bash script. The script contains the following line: $my_str = "Password", which keeps throwing an error. What does a senior PenTester identify as the problem? (Select all that apply.) a. The use of '$' b. The use of "Password" c. The use of '=' d. The use of '_'

a. The use of '$' c. The use of '=' When using Bash for scripting in Linux, a variable is not designated with a leading $. A leading $ is required when using PowerShell in a Windows environment. When scripting in Bash, there is strict use of the equals sign. In Bash, the equals sign must not have a leading or trailing space, also known as whitespace. When scripting in Bash and with other scripting tools, the use of double quotes, as in "Password", is common. The use of the underscore character (_) is not restricted in Bash when using it as part of a variable name.

While performing a PenTest at a customer site, engineers configure address resolution protocol spoofing on a Windows system while trying to find vulnerabilities on a network. What will result from the engineer's actions? a. Traffic will be directed to the spoofed system instead of the real system. b. The spoofed system will receive traffic from any NetBIOS resolution requests. c. Traffic will be directed to both the real system and the spoofed system. d. The incorrect IP address will be returned during a query from the real system.

a. Traffic will be directed to the spoofed system instead of the real system. Address Resolution Protocol (ARP) spoofing transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor's MAC address as being the victim's address. During name resolution, if a Windows host cannot resolve a domain or host name via a DNS server, it will query other hosts on the local segment. By default, the process will first use LLMNR, and if that fails, it will try the NetBIOS Name Service (NBT-NS). In ARP spoofing, attackers redirect traffic from legitimate systems to their own by manipulating ARP messages. Traffic intended for the real system gets intercepted by the attacker's system, not simultaneously directed to both the real and spoofed systems. Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address.

An engineer scans a network for info that can be used in a mock exploit and discovers that all traffic is not visible on a switch or router. How can the engineer fix this issue? (Select all that apply.) a. Use port monitoring b. Use switched port analysis c. Use an ARP cache d. Use promiscuous mode

a. Use port monitoring b. Use switched port analysis d. Use promiscuous mode To capture all traffic on a switch port, port monitoring can be used. This typically requires logging into the switch and enabling monitoring. To capture all traffic on a switch, an option is to use switched port analysis (SPAN). With SPAN, all ingress and egress traffic is copied between ports. This is also referred to as mirroring. Using promiscuous mode is required when trying to monitor all traffic on a network. Without this mode enabled, sniffing will not pick up all network traffic. An address resolution protocol (ARP) cache contains a list of media access control (MAC) addresses. This will not allow for sniffing all traffic through a switch.

A PenTest team prepares to perform an attack on an organization to test employee diligence. When spoofing a call, how might the team appear to be trusted? a. Utilizing caller ID b. Accessing voicemail c. Setting up a PBX d. Configuring a VoIP system

a. Utilizing caller ID When spoofing a call, the team can make the call appear to be coming from a trusted source, such as a vendor, a utility company, another employee, and more. This can be done by using a fake caller ID. Accessing voicemail will not trick the employees but is a type of attack that is possible from the team or a malicious actor. Setting up a PBX gives the team the ability to configure a phone system for a variety of reasons; however, the goal can be achieved by using caller ID. Configuring a VoIP system gives the team the ability to configure an IP phone system for a variety of reasons; however, the goal can be achieved by using caller ID.

A PenTest team looks to map a network for a customer. Which tools would be useful in creating a map? (Select all that apply.) a. WMI b. SNMP c. ARP d. SMTP

a. WMI b. SNMP c. ARP Many mapping tools use Windows Management Instrumentation (WMI) to map and manage a network. WMI can help provide a system inventory that includes system statistics and other info. The Simple Network Management Protocol (SNMP) is useful for managing many devices, including those that are not computer workstations or laptops. The ARP command is a useful Windows command line tool that can provide IP-to-MAC address mapping info for a host on a network. SMTP is a mail delivery protocol. This would not be useful in mapping a network.

A Pentest team performs an exercise at a large financial firm. During the process, it is discovered that a risk exists due to missing firmware updates on several hardware-based firewalls. The team concludes a risk rating during which step of the Pentest process? a. Reporting b. Analysis c. Scanning d. Recon

b. Analysis Analysis occurs after a team has completed an exercise. The collection of all activities is analyzed, and a summary is derived of the risk ratings for each. Reporting will deliver the results and any remediation suggestions to the stakeholders, along with a realistic timeline for reducing risk and implementing corrective actions. Scanning is a critical phase as it provides more info about available network resources. Scanning identifies live hosts, listening ports, and more. Recon focuses on gathering as much info about the targets as possible. This process includes searching for info on the Internet using OSINT.

Security engineers lead a training session for employees on the safe use of mobile devices. During the training, an engineer is able to connect to an employee's phone and read data. What attack type has the engineer exposed and explained to the group? A.Bluejacking B.Bluesnarfing C.SMiShing D.Vishing

B. Bluesnarfing Bluesnarfing is an aggressive attack, as a malicious actor is able to read information from a victim's Bluetooth device. Bluesnarfing is ineffective against devices that set Bluetooth in non-discoverable mode. Bluejacking is a method used by attackers to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection. SMiShing is a form of phishing that uses text messages to entice users to click on a link or provide information. Vishing is phishing using Voice over Internet Protocol (VoIP). This attack is possible as it is easy to spoof the sender's information when using a VoIP call.

A PenTester performs an Nmap scan on a host and concludes that a port is unreachable and responds with an ICMP port unreachable error (type 3, code 3). What type of port is observed in this scenario? a. Open b. Closed c. Unfiltered d. Filtered

b. Closed When a port is closed, probes reach the system, but the port itself is not reachable. Furthermore, the target will return an ICMP port unreachable error (type 3, code 3). Nmap reports that a port is open by making a valid connection to the system and to the port itself. When open, the system responds to any probes. An unfiltered port is reported when the system and the port are accessible; however, Nmap is unable to determine if the port is open or closed. A filtered port is reported by Nmap when it is concluded that the port is being blocked by a firewall.

A PenTest group performs an assessment exercise for a small business. If the exercise targets a particular subnet that is for VIP use only, which assessment approach does the group use when planning an attack? (Select all that apply.) a. Compliance b. Goals c. Objectives d. Teams

b. Goals c. Objectives A goal-based approach uses assessments that have a particular purpose or reason. For example, if an org is concerned with a sensitive server, the PenTest team will focus on that server. An objective-based approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for any security issues before implementation. Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS. A red team/blue team-based assessment is a method that uses two opposing teams in a PenTest or incident response exercise. In this approach, one team attacks while the other responds.

While footprinting a system, a PenTester uses the finger command. What is true regarding this command? (Select all that apply.) a. It is used to obtain OS info b. It is used on a Linux system c. It is used to view a user's home directory d. It is used to output a list of all the environment variables

b. It is used on a Linux system c. It is used to view a user's home directory The finger command is a Linux command line utility. Similar functions are possible on a Windows system by using PowerShell commands or a PowerShell script. The finger command is a command line utility that allows the viewing of a user's home directory along with the login time and idle time. On a Linux system, the uname -a command can be used to display the OS name, version, and other details about the system. The Bash command env will output a list of all the environmental variables, not the finger command.

A PenTester conducts a stealth scan of a network server from across a network. What does the tester know is true about scanning this way with Nmap? (Select all that apply.) a. Complete TCP three-way handshake b. Limited effectiveness c. Credentials are not used d. Credentials are used

b. Limited effectiveness c. Credentials are not used A stealth scan uses techniques that try to exploit the expected behavior of TCP. When used alone, the scans may have limited effectiveness. Using other scans in conjunction can fill in the gaps in info. A noncredentialed scan is a scan that uses fewer permissions, and many times can only find missing patches or updates. A credentialed scan uses credentials, such as usernames and passwords, to deep dive during the vulnerability scan, which will produce more info while auditing the network. A TCP SYN (or half-open) scan is the original stealth scan that sends a packet to the target with the SYN flag. This is called a "half-open" scan because the attacker does not complete the TCP three-way handshake.

A security expert uses a tool to scan and exploit a system from the command line while using a default Kali Linux install. Which tool does the expert use? a. Armitage b. Metasploit framework c. Cobalt Strike d. Metasploit Pro

b. Metasploit framework Metasploit framework is a free, open-source command line version of a popular PenTest tool. By default, it is installed with a fresh install of the popular Kali Linux image. Armitage is an intuitive third-party GUI for the Metasploit framework. This add-on provides the ability to avoid using the utility with command line commands. Cobalt Strike is a third-party commercial version of Armitage. Unlike Armitage, it includes many advanced features and detailed reporting. Metasploit Pro is a full-featured graphical version that includes Quick Start wizards, easy vulnerability scanning and validation, phishing campaigns, and reporting.

A PenTest technician sanitizes systems from a completed engagement. When overwriting data on disks, which statements are true regarding SSD drives? (Select all that apply.) a. Overwriting an SSD is more reliable than with an HDD b. Overwriting an HDD is more reliable than with an SSD c. An SSD uses a write algorithm to reduce wear d. An HDD uses a write algorithm to reduce wear

b. Overwriting an HDD is more reliable than with an SSD c. An SSD uses a write algorithm to reduce wear. Overwriting data on an HDD is more reliable than with an SSD. With an HDD, target location is overwritten while on an SSD the data might be written elsewhere. Trying to write data onto the same location on an SSD may not always work, due to the nature of SSD write algorithms optimized to reduce wear.

A small shop that sells novelty items begins taking credit card payments. An IT contractor configures the internal network to comply with cardholder data protection policies. What would the contractor consider as a questionable configuration? a. Hardware firewall b. Read/write share access c. Software firewall d. Password policy

b. Read/write share access The contractor should evaluate the provision of access control methods by using the principle of least privilege. Giving write access where it may not be needed violates the principle of least privilege. A hardware firewall is a recommended config. When possible, dedicated appliances should be used to secure infrastructure. A hardware firewall satisfies this requirement. A software firewall is acceptable. While dedicated appliances are preferred, there is no rule against using a software solution as a security measure. The contractor should employ good practice strategies, such as changing passwords from the vendor default on all devices and enforcing a user password policy.

A PenTest team discovers that a DNS server responds to dynamic DNS updates without authentication. What causes this action? a. The server has a poisoned cache b. The server contains recursion c. The server contains invalid records d. The server is authoritative

b. The server uses recursion A DNS server that allows recursion and is incorrectly configured might be more exposed to unauthorized updates because it's designed to query and cache results from other servers. It could be tricked into caching and then serving unauthorized updates if it's not well-secured. While a poisoned cache is a security concern, it is not directly related to the server's response to dynamic updates. Poisoning affects the server's response to queries, not its policy on accepting updates. If a DNS server contains invalid records, it suggests a problem has occurred, such as incorrect manual entries or a successful attack on the server (like cache poisoning). Being authoritative does not imply a lack of authentication for dynamic updates; it's a separate aspect of DNS server behavior. An authoritative server, just like any other, should be configured to authenticate dynamic updates properly to maintain security.

A security team plans a lateral move within a client's Windows network. The intent is to exploit a flaw in the Distributed Component Object Model (DCOM) during the move. How does the team achieve this? a. Issue commands using SMB b. Use RPC as a transport mechanism c. Install the WinRM service d. Use remote access services

b. Use RPC as a transport mechanism The Remote Procedure Call (RPC) enables inter-process communications between local and remote systems. DCOM applications use RPC as a transport mechanism. The PsExec utility uses the Server Message Block (SMB) protocol to enable the issuing of commands to a remote system across a network. Windows Remote Management (WinRM) is a technology that provides an HTTP Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems. The Remote Desktop Protocol (RDP) is the default remote desktop service that comes with Windows systems. It does not use RPC with DCOM.

A PenTester shows a client how a cleartext password and other information can be extracted from system memory. Which tool does the PenTester demonstrate? a. medusa b. mimikatz c. brutespray d. hydra

b. mimikatz The mimikatz tool can be used to gather credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes. The medusa tool is a parallel brute-forcer for network logins. Its focus is to support numerous network services that allow remote authentication. The brutespray tool allows for the interpretation of results from an Nmap scan to automatically start medusa against the identified open ports. It can also use results from nmap with option "-sV" to identify and target services on non-standard ports. The hydra tool is similar to medusa, in that it supports parallel testing of several network authentications. It comes bundled with a tool called pw-inspect.

What is the Open Worldwide Application Security Project (OWASP)? A.A resource of OSINT research B.A resource for PenTest project managers C.A resource for security risk awareness D.A resource for Exploit techniques

c. A resource for security risk awareness The Open Worldwide Application Security Project (OWASP) was created to improve software security. Its purpose is to raise awareness of what is viewed as the most relevant critical security risks to web applications. Open-source intelligence (OSINT) covers data that can be freely obtained online to learn and acquire data about an individual or organization. Social media sites are sources for OSINT. The Open Worldwide Application Security Project (OWASP) is not a project management site. It focuses on security and has free documents, forums, and chapters but is most famous for the OWASP Top Ten. The Open Worldwide Application Security Project (OWASP) covers and explains notable vulnerabilities, but is not a site dedicated to exploiting techniques.

When defining the communication path, what should an IT manager establish for a PenTest team? a. A testing scope b. A testing start time c. A testing threshold d. A testing asset

c. A testing threshold. The IT manager should establish a testing threshold and protocol for contacting the other side during a problem. Having an escalation path for communicating protects PenTesters from having to make risky or potentially damaging decisions. A testing scope would encompass the entirety of the testing project and what the testing covers and does not cover. This would be established prior to the beginning of the PenTest and is not a part of the communication delivery during a PenTest. A testing start time would be established beforehand and not during the PenTest. The same would be true in establishing a time to end the test. A testing asset is an entity that is in the scope of the test, such as a particular server or host system that will be probed. An asset list would be determined prior to the PenTest and is not a part of the communication delivery during a PenTest.

A PenTester bypasses an active network access control system by using an authenticated device. How might the tester accomplish this? a. Use a stealth scan b. Turn off firewall policies c. Configure a rogue access point d. Disable the NAC device

c. Configure a rogue access point The tester, like a malicious actor, can use a rogue wireless access point to connect to a network with an authorized device. The attacker machine slips by the NAC appliance and relays malicious traffic into the protected network. A stealth scan uses techniques that try to exploit the expected behavior of TCP on a remote host. This scan is done with a tool such as Nmap and is not in the scope of using a NAC device. Turning off firewall policies will only expose a system to other malicious activity and not impact the ability of network access control mechanisms. Disabling the network access control device is counterproductive, as the goal is to gain access while it is active and authenticating access.

A public school system wishes to educate its student population with cybersecurity knowledge. They're particularly interested in a resource that provides a holistic, structured approach to Pentesting and offers its core materials without any cost. Which of the following is most suitable? a. OWASP b. NIST c. OSSTMM d. PTES

c. OSSTMM The Open-source security testing methodology manual (OSSTMM) provides a holistic, structured approach to Pentesting and is open source, meaning its core materials are available without cost. This makes it suitable for a public school system looking to provide cybersecurity education without incurring added expenses. The Open Web Application Security Project (OWASP) is an org. aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The National Institute of Standards and Technology (NIST) covers a large number of topics in areas such as climate, communication, and cybersecurity. NIST has many resources for cybersecurity pros that include the Special Publication (SP) 800 series. The Penetration Testing Execution Standard (PTES) has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest.

A PenTest team prepares a test for a global company with offices in several countries. What procedural info should the PenTest team include in the documented scope before starting? a. Differences in power types b. OS language barriers c. The regulation and use of tools d. Differences in time zones

c. The regulation and use of tools In the US, export controls regulate the transfer of certain services outside of the country. For example, Wireshark is a powerful open-source protocol analysis tool that falls under the US encryption export regulations, and it may be illegal to use in certain countries. Countries have varying voltage and electrical standards and requirements for equipment; however, this falls outside the scope of the test. OSs may be set to different languages; however, this would not be a concern for any testing. Time zones may be a concern; however, a schedule can be formulated to identify testing times.

A rogue system is suspected to be on a large network. A PenTester uses the -sY option with the nmap command and should expect what process to happen? a. A TCP SYN packet is sent b. An ICMP type 13 is included c. A UDP Ping is sent d. A SCTP Initiation Ping Occurs

d. A SCTP Initiation Ping occurs An SCTP Initiation Ping uses the Stream Control Transmission Protocol (SCTP), an alternative to using either a TCP or UDP scan to see if a host is alive. This scan requires using the -sY option. A TCP SYN (synchronize) packet starts a communication session with a host by using TCP to initiate a conversation. This is a default action with Nmap. By default, Nmap will perform a TCP scan. A UDP protocol scan can be initiated by using the -PU for port scanning. By default, a Nmap scan will use the timestamp of 32 bits of milliseconds since midnight UT during host discovery.

A company hires a pentesting team, expressing concern that their wireless access points (APs) could be vulnerable to insider attacks. Which tool would the team use to attempt to decipher the encryption key of the APs? a. Airmon-ng b. Airodump-ng c. Aireplay-ng d. Aircrack-ng

d. Aircrack-ng Aircrack-ng is the tool within the Aircrack-ng suite that would be used to attempt key cracking based on collected data, making it a suitable choice for this scenario. Airmon-ng is used to switch wireless network cards to monitor mode, which is a prerequisite for capturing data packets on your network but does not crack encryption keys itself. Airodump-ng is used to capture packets from a wireless router. While it's important for the process because it gathers the data that Aircrack-ng will analyze, it doesn't decipher encryption keys on its own. Aireplay-ng is used to inject frames into wireless networks to generate traffic for later analysis. It is instrumental in certain types of attacks, but the actual cracking of encryption keys is not its function.

A Pentester crafts a packet to test vulnerabilities on a hardware firewall. Packets are fragmented so that a malicious signature is not recognized by an IDS. Considering the packet crafting stages, which stage captures the packets sent to assist in determining how the test went? A.Edit B.Assemble C.Play D.Decode

d. Decode Decoding the capture of the packets sent will help to determine how the test went. The Pentester can analyze traffic generated using a packet analyzer such as Wireshark. Editing a packet is similar to assembling a packet. The difference is that the packet content is modified after it was created or captured. Assembling a packet involves the creation of the packet to be sent. This may involve setting malformed information to see how the traffic is handled by certain devices on a network. Playing in the packet crafting process is the actual release of the packet into the wild. The packet is sent or resent (if edited) on the network.

An org. has incorporated several voice assistants throughout its offices from a manufacturer known for limiting ongoing support and irregular security maintenance. What potential technological security concerns might arise from using these devices? a. Lack of physical security b. Lack of expandability c. Lack of performance d. Lack of automated updates

d. Lack of automated updates. Lack of automated updates is a technological security issue for many smart devices. When updates are not automatic, patches or firmware changes go neglected. Lack of expandability would cover the ability to integrate with other smart devices and hubs. While this might present itself as an issue down the road, it is not a security issue. Lack of performance would be a result of poor design and manufacturing. This would not be a tech. security issue.

An org. plans to apply numerous software patches to remedy vulnerabilities found during a recent PenTest exercise. The PenTest team returns to assist and test that systems are secure. Which vulnerability lifecycle phase does the team participate in? a. Document b. Coordinate c. Discover d. Manage

d. Manage The manage phase is where the patch has been released. As such, the next step is to apply the patch in order to remediate or mitigate the vulnerability. The document phase is the final phase. In this phase, the vulnerability patch has been tested, and all involved will take a moment to document what has been done. In addition, it's best to reflect on lessons learned, in order to prevent further exposure. The coordinate phase occurs after discovering a vulnerability. During this phase, the vulnerability is defined, listed, and published. The discover phase is the first step in finding a potential vulnerability that can be exploited.

A PenTester wants to test APIs for a project prior to its deployment. What tool provides an interactive and automatic environment to interact with and test an HTTP API, and additionally offers the features of building and running a test suite, analyzing results, and running reports? a. Drozer b. APK Studio c. APKX tool d. Postman

d. Postman An API is a set of commands that is used to send and receive data between systems. Postman is a tool that provides an interactive and automatic environment used to interact with and test an API. Drozer is open source software used for testing for vulnerabilities on Android devices. APK Studio is an integrated development environment (IDE) designed to decompile and/or edit an APK file (an Android install file). APKX tool is an Android APK decompiler that allows the pulling of Java source code to analyze and see what's going on inside.

Which technical control removes user-supplied unwanted or untrusted data? a. Process level remediation b. Key rotation c. Escaping d. Sanitization

d. Sanitization Input sanitization is the process of stripping user-supplied input of unwanted or untrusted data so that the app can safely process that input. It is the most common approach to mitigating the effects of code injection. Process-level remediation is the concept of resolving a finding by changing how it is used or implemented and is not related to sanitization. Key rotation is the process of periodically generating and implementing new access keys to a server/service and is not related to sanitization. Escaping is a type of input sanitization, also referred to as encoding. It substitutes special characters in HTML markup with representations that are called entities.
