CompTIA PenTest+ PT0-002
A debugger included with Kali Linux that analyzes binary code found in 32-bit Windows applications.
OllyDbg
____ are artifacts that can provide evidence of a prior cybersecurity event and could be from malicious sources. Consider the following: when a PenTester encounters evidence of a compromised system, should the Incident Response Team be notified to ensure that the organization is aware of the attack... If the evidence appears to be "fresh," the PenTest might need to be suspended until the security breach is handled. If it is historical, the PenTest team may instead log the discovery and continue with the task at hand.
Indicators of Prior Compromise
CVSS Attack Vector rating: vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally or remotely (via a protocol like SSH or RDP), or must use social engineering or other techniques to trick an unsuspecting user into helping initiate the exploit.
Local (L)
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
Log disposition
Command-line utility used to read from or write to TCP, UDP, or Unix domain socket network connections. Highly versatile but does not use encryption.
Netcat
CVSS Attack Vector rating: vulnerabilities with this rating are remotely exploitable from one or more hops away, up to and including remote exploitation over the Internet.
Network (N)
Proxy that allows for both automated and manual testing and identification of vulnerabilities. It has many components that allow for different tasks to be performed.
OWASP ZAP (Zed Attack Proxy)
Bash scripting starts with
#!/bin/bash
Note that ____ is the encoded version of a space because URLs cannot contain spaces.
%20
The most simple example of directory traversal involves sending a ____ command request to the application or API, which then traverses up one parent directory for each one of these commands.
..\ or ../
The ____ is a tool designed to exploit some functionality or vulnerability within a browser to launch XSS and injection attacks against a website. Its goal is to gain access, gather information, and provide a proxy and other utilities for the PenTester.
Browser Exploit Framework (or simply "BeEF")
Proxy with a wide range of options to test web applications for different vulnerabilities. Its components allow you to perform particular types of automated testing, manual request modification, and passive analysis.
Burp Suite Community Edition
IoT devices are small and have minimal power reserves using a small battery. If a device can be accessed without authorization, a malicious actor can launch a _____ attack. This attack continuously sends signals to the device, requiring the device to (continuously) respond and prevents the device from resting or sleeping, which then drains the battery.
Denial of Sleep
____ is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.
Blind SQL injection
nmap -oG
Writes grepable output to the named file (here, grep.file).
A debugger that includes both CLIs and GUIs and that can load and modify Python scripts during runtime.
Immunity Debugger
____ refers to the attack method that takes many usernames and loops them with a single password.
Password spraying
nmap -iL
Scan targets from a text file
____ is the BEST way to regularly prevent different security threats from occurring within your network.
User Awareness and Training
A ____ is the REST API equivalent of a WSDL document that defines a SOAP-based web service.
swagger document
The Open Web Application Security Project (OWASP) was created to improve software security. It is a nonprofit foundation formed in 2001 but became a US nonprofit charity in April 2004. What are the OWASP Top 10 most relevant critical security risks to web applications?
1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
Once the PenTest is complete and all reporting is disseminated to the appropriate stakeholders, the team will need to ensure all traces of the test have been eradicated. That involves:
1. Removing any shells, credentials, and tools, along with log files, data, and evidence of compromise 2. Making sure the client has accepted the results, and then planning for the next test 3. Gathering and reviewing any lessons learned during the PenTest using a neutral facilitator
In Linux, cron jobs are the primary method of scheduling tasks/jobs. Each line in the crontab file represents a job and is formatted as follows: * * * * * <command to execute> Describe what each field means.
1. minute (0 - 59) 2. hour (0 - 23) 3. day of month (1 - 31) 4. month (1 - 12) 5. day of week (0 - 6) (Sunday = 0 or 7)
The following example schedules a task named ____ that runs a ____ file ____ a day for ____ days under the ____ account: schtasks /create /tn backdr /tr C:\Files\backdoor.bat /sc DAILY /mo 30 /ru SYSTEM
1. schtasks = scheduled tasks 2. /create = create a task 3. /tn backdr = task named "backdr" 4. /tr = trigger: the file to run, "C:\Files\backdoor.bat" 5. .bat = batch file 6. /sc DAILY = scheduled to run daily 7. /mo 30 = for 30 days out of the month 8. /ru SYSTEM = run as user SYSTEM
Another way to execute a syntactically correct query is to use a value that is always true, such as ____, and then use the built-in capability to insert inline comments within the query by inputting the -- characters.
1=1
____ dictates what types of actions an employee can or cannot do with company-issued IT equipment. An ____ is a set of rules, applied by the owner, creator, or administrator of a network, website, or service, that restricts how the network, website, or system may be used and sets guidelines as to how it should be used.
Acceptable Use Policy
CVSS Attack Vector rating: a vulnerability with this rating requires network adjacency for exploitation. The attack must be launched from the same physical or logical network.
Adjacent (A)
The ____ suite of utilities is one of the early tools designed for wireless network security testing. The suite is made up of several command-line tools used for wireless monitoring, attacking, testing, and password cracking.
Aircrack-ng
____ is a technique used during reconnaissance to gather information about network hosts and the services running on open ports.
Banner grabbing
The following is an if statement in ____ with a second condition (else). Note that the condition is in brackets and the code to be executed is under a then statement: my_var=1; if [ "$my_var" == 1 ]; then echo "Correct."; else echo "Incorrect."; fi
Bash
____ variables are assigned as follows: my_str="Hello, World!" Note the lack of whitespace around the equals sign—this is a strict rule in ____.
Bash
____ is an attack that introduces malicious code into a vulnerable application to compromise the security of that application. This is made possible by weak or completely absent input processing routines in the app.
Code injection
An open-source .NET framework focused on penetration testing that also has a development and debugging component.
Covenant
____ is the automated injection of stolen username and password pairs ("credentials") into website login forms, in order to fraudulently gain access to user accounts.
Credential stuffing
____ are identified issues that imply a very high risk to the client's organization. The team should identify things that are urgent enough to trigger special communications. These commonly refer to high-rated vulnerabilities that, if not addressed as soon as possible, can lead to a major cybersecurity incident. For example: uncovering an Internet-facing, high-rated vulnerability for which there are known public exploits and which is actively being exploited by malicious actors.
Critical findings
____ is the practice of accessing a file from a location that the user is not authorized to access. You can do this by inducing a web app to backtrack through the path so that the app reads or executes a file in a parent folder.
Directory traversal
In a ____, malicious scripts are not sent to the server at all, rather, they take advantage of a web app's client-side implementation of JavaScript to execute the attack solely on the client.
Document Object Model (DOM)-based XSS attack
The ____ can help to greatly reduce repetition and increase reach by allowing team members to share data and findings about their client organization. This allows you not only to present the right data (and the right amount) but also helps with the consistency of the report when the different pieces have been actively worked on by team members from the beginning.
Dradis framework
____ is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux. From the GitHub page: It implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
Empire
An open-source debugger that works on most Unix and Windows versions, along with macOS.
GNU Debugger (GDB)
An open-source reverse engineering tool developed by the NSA. It has a disassembler and decompiler component and can make use of GDB and WinDbg for debugging.
Ghidra
____ is the catalyst for possible adjustments to the engagement. The nature of a PenTest is that it is a fluid process, and the PenTest team must be able to prioritize findings as they occur. Information that is discovered during the reconnaissance phase drives the decisions on what exploits to try and, ultimately, what solutions to propose. Awareness of the need for contingency planning for the PenTest engagement itself enables you to incorporate it into your plans and to reprioritize the goals of one activity or large sections of the PenTest.
Goal reprioritization
____ manages the virtual machine environment and facilitates interaction with the computer hardware and network.
Hypervisor/Virtual Machine Monitor (VMM)
You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?
Exploiting the vulnerability requires the existence of specialized conditions
____ is the process of stripping user-supplied input of unwanted or untrusted data so that the application can safely process that input. It is the most common approach to mitigating the effects of code injection, particularly XSS and SQL injection.
Input sanitization
____ are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario.
Insecure direct object references (IDOR)
When running an enterprise network, it's common to use an application, such as an ____. This enables the admin to more easily monitor and control servers on a centrally located interface. However, if it is not correctly configured, this can expose the network, which can provide a malicious actor with the ability to have direct access to the data.
Intelligent platform management interface (IPMI)
A commercial disassembler and debugging tool with support for numerous processors and file formats. It has a limited free version.
Interactive Disassembler (IDA)
The ____ provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions. However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online.
Internet of Things
____ is the exception: the variable must be declared; however, you can declare it and assign a value on the same line: var my_str = "Hello, World!"
JavaScript
In a ____, also called a stored attack, you inject malicious code or links into a website's forums, databases, or other data. When a user views the stored malicious code, or clicks a malicious link on the site, the attack is perpetrated against them. As the name suggests, the injected code remains in the page because it is stored on the server.
persistent XSS attack
A tool developed as part of Nmap as an improvement over Netcat; it retains most of Netcat's functionality and adds more, notably support for SSL.
Ncat
The ____ is a penetration testing methodology or framework consisting of an open-source collection of documents that outlines every area of an organization that needs to undergo testing and provides details on how those tests should be conducted.
Open Source Security Testing Methodology Manual (OSSTMM)
____ is a multi-purpose brute-forcer with a modular design and flexible usage. Currently it supports the following modules: ftp_login (brute-force FTP), ssh_login (brute-force SSH), telnet_login (brute-force Telnet), smtp_login (brute-force SMTP), smtp_vrfy (enumerate valid users using SMTP VRFY), smtp_rcpt (enumerate valid users using SMTP RCPT TO), finger_lookup (enumerate valid users using Finger), and more.
Patator
CVSS Attack Vector rating: in this type of attack, the adversary must physically interact with the target system.
Physical (P)
The following is an if statement in ____: $my_var = 1; if ($my_var -eq 1) { Write-Host "Correct." } else { Write-Host "Incorrect." }
PowerShell
You must use a dollar sign for variable assignment in ____: $my_str = "Hello, World!"
PowerShell
The following is an if statement in ____: my_var = 1 if my_var == 1: print("Correct.") else: print("Incorrect.")
Python
No dollar sign is necessary when assigning variables in ____: my_str = "Hello, World!"
Python or Ruby
In a ____ attack, you can modify one or more of the four basic functions of SQL querying (selecting, inserting, deleting, and updating) by embedding code in some input within the web app, causing it to execute your own set of queries using SQL.
SQL injection (SQLi)
SQL Injection scanner tool. Automates several of the attacks and supports many databases. Some of its features include database search, enumeration, and command execution.
SQLmap
____ is the perfect replacement for old technologies like Telnet and a great way to securely issue commands and copy files over an unsecured network.
Secure Shell (SSH)
nc -p
Specifies the port that Netcat should start listening on in listen mode. In client mode it specifies the source port.
nc -e
Specifies the program to execute when a connection is made.
nc -w <seconds>
Specifies the timeout value for connections.
nc -u
Starts Netcat in UDP mode. The default is to use TCP.
nc -l
Starts Netcat in listen mode. The default mode is to act as a client.
nc -v
Starts Netcat in verbose mode.
nc -vv
Starts Netcat in very verbose mode.
nc -z
Starts Netcat in zero I/O mode, which instructs it to send a packet without a payload.
All facets of communication need to be evaluated and decided upon prior to the PenTesting engagement, such as: what information to communicate and when? What should trigger official communications? What are a few examples of reasons to initiate communication?
Status reports, critical findings, indicators of prior compromise, goal reprioritization
____ might be exploited on a Windows server to conduct a privilege escalation.
Sticky Bits
A ____ system is a type of ICS that manages large-scale, multiple-site devices and equipment that are spread over geographically large areas from a host computer.
Supervisory control and data acquisition (SCADA)
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You are reviewing the DNS records for the company and are trying to identify which third-party hosted services they may be using. Which of the following DNS records should you analyze to identify any human-readable records, domain verifications, and domain authentications?
TXT
nc -n
Tells Netcat not to perform DNS lookups for host names on the other end of the connection.
An older remote protocol that does not support encryption and is disabled on most modern systems. However, some older or insecure systems may still have this service enabled.
Telnet
You have been contracted to conduct a compliance-based assessment for an organization. ____ is the MOST important thing for you to understand.
The organization's industry
In an enterprise network, it's common to use a bare metal virtual platform. In this model, the ____ is installed directly onto the hardware and manages access to the host hardware without going through a host OS.
Type I hypervisor
One commonly used virtualization method is a host-based model, where a ____ is installed onto a host operating system.
Type II hypervisor
If a third party installs another guest OS with malware that can subvert the virtual server's hypervisor, they might be able to gain access to your server or to data held in the memory of the physical server. ____ is an attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.
VM escape
____ refers to creating VMs without proper change control procedures, which can create a vulnerable environment. If an attacker gains unauthorized access to the VM's management interface, they can essentially take full control of all attached virtual systems.
VM sprawl
____ is the process of creating a simulation of a computing environment. The system can simulate the hardware, operating system, and applications of a typical system without being a separate physical computer.
Virtualization
The ____ CLI tool is a black box WordPress security scanner, free for non-commercial use, written for security professionals and blog maintainers to test the security of their sites.
WPScan
Dion Training has hired you to assess its voucher fulfillment web application on its e-commerce website. The web application relies on a SOAP-based web service. Which of the following support resources would be MOST helpful in conducting this known-environment assessment?
WSDL document
A free debugging tool created and distributed by Microsoft for Windows operating systems.
WinDbg
____ is a scripting language and shell for Microsoft® Windows® that is built on the .NET Framework. It is the default shell on Windows 10. It offers much greater functionality than the traditional Windows command prompt. Like Bash, the PowerShell scripting language supports a wide variety of programming elements.
Windows PowerShell
The ____ in the HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in a frame or iframe. If the ____ header is not present, then a clickjacking exploit could be used against the web server's users.
X-Frame-Options
____ manipulates or compromises the logic of an application or service. The injection of unintended content and/or structures into a message can alter an application's intended logic.
XML injection
____ is the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP).
Zed Attack Proxy (ZAP)
A ____ is a shell that is connected/attached to a specific port on the target host to listen for incoming connections. This is often created using Netcat.
bind shell
Vulnerability scanners typically cannot confirm that a ____ with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack.
blind SQL injection
A ____ is an attack which injects JavaScript that executes on the client's browser. The client's browser is unable to tell that the script is untrusted and will allow it to execute.
cross-site scripting (XSS) attack
To ensure you are not accidentally targeting another organization's wireless infrastructure during your penetration test, you should have the ____ of the wireless access points and ____ documented in the scoping documents.
frequencies; devices used by the client
Connecting a browser to another device, usually an attacker's tool or framework, to execute further attacks.
hooking
The basic syntax of Netcat is ____.
nc [options] [target address] [port(s)]
VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports extending across any number of switches on an Ethernet network. One of the most common VLAN hopping methods is to ____ on a vulnerable switch. When this occurs, the switch defaults to operating as a hub and repeats all frames being received through all of its ports. This "fail open" method ensures the network can continue to operate, but it is a security risk that can be exploited by the penetration tester.
overflow the MAC table
In a ____, you craft a form or other request to be sent to a legitimate web server. This request includes your malicious script. You then send a link to the victim with this request and when the victim clicks that link, the malicious script is sent to the legitimate server and reflected off it. The script then executes on the victim's browser. Unlike a stored attack, the malicious code in a reflected attack does not persist on the server.
reflected XSS attack
A Linux command that is similar to Telnet, but if the server has an .rhosts file configured a certain way, you won't even need to supply credentials. The rsh command can open a shell, but it also gives you the ability to execute a command directly.
rsh/rlogin
By submitting the following request, you can successfully enumerate the system's user accounts: http://site.example/delete_file.php?$file_name=test.txt;cat%20/etc/passwd This is because adding a ____ at the end of the request will execute the command after the semicolon in the system shell.
semicolon
The simplest and most common method for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. This is called the ____.
single quote method
