Pentest+


Scope creep

Condition when a client requests additional services after the SOW and the project scope have been agreed to and signed

Hacktivist

Conduct activities against governments, corporations, or individuals; can be an individual or a member of a group

Red team

Conducted by internal pen-testers of an organization during a security exercise to ensure defenders (blue team) can perform their job adequately

Advanced persistent threat (apt)

Group with great capability and intent to hack a particular network or target; targets organizations for business or political motives; usually funded by nation states; highly covert attacks over a long period of time

Packet inspection

Manual enumeration performed by analyzing captured packets to determine information; pcap; Wireshark

Banner grabbing

Manual fingerprinting or enumeration; use telnet or netcat to connect to the target host; commonly used for FTP, SSH, Telnet, and HTTP

Sniffing network traffic

Most common eavesdropping; intercepts and logs network traffic that can be seen via wired and wireless connections

Objective-based testing example

Multiple ways to get to a file; break in, phishing, various hacks

Tier five of adversaries

Nation states investing tons of money creating vulnerabilities/exploits

Tier six of adversaries

Nation states investing tons of money to carry out cyber, military, and intelligence operations to achieve political, military, or economic goals

Representational state transfer (rest)

Replaces SOAP in recent years; web app architectural style based on HTTP; a lot less communication between the server and the end client

point-in-time assessment

Results were accurate when the penetration test occurred at that point in time

Compliance-based assessments

Risk-based compliance assessment that is required to ensure policies or regulations are being followed correctly

Goal-based assessments

Specific goals are defined before the test starts; could try to find multiple ways to meet that goal

Architectural Diagrams

Supplied in white-box test; network diagrams, physical maps of organization facilities, assists in mapping out network topology, location of switch closets, and where key information systems are located

Certificate inspection

Try to identify what type of encryption a web server is using (TLS, SSL 2.0, or SSL 3.0)

Compliance Scan

Type of scan used to identify vulnerabilities that may affect compliance with regulations and policies

Connection String Parameter Pollution (CSPP)

Exploits the semicolon-delimited database connection strings that are constructed dynamically based on user inputs from web applications

Tier four of adversaries

Organized, highly technically proficient, well-funded hackers working in teams to develop new exploits

Resources and requirements

What resources are needed? What requirements will be met during testing?

Goal-Based Testing

What type of assessment seeks to validate a systems security posture against a particular checklist?

Four steps of penetration testing

1. Planning and scoping, 2. Information gathering, 3. Attacks and exploits, and 4. Reporting and communication

Conducted a ping sweep of the subnet

> for i in $(seq 255); do ping -c 1 10.1.0.$i; done

Simple Object Access Protocol (SOAP)

A messaging protocol specifically for exchanging structured information in the implementation of web services

Adjudication

A method of evaluating and considering which vulnerabilities to prioritize for attacks; can use multiple calculations, such as which are the most critical, which have the best or easiest exploits, which are false positives, which fall under common themes, etc.

g++ exploit.cpp -o notepad.exe

A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?

Static Analysis

A type of analysis that is performed in a non-runtime environment; inspects the programming code for flaws or vulnerabilities; line-by-line inspection can be performed

Dynamic Analysis

A type of analysis that occurs while the program is running; could be that the program is run in a sandbox and changes are noted; the more likely type of analysis

Risk avoidance

Actions taken to eliminate risk completely; e.g., decommission a server that has a vulnerability

Enumeration

Actively connecting to systems to determine open services, shares, user accounts, software versions, and others being used by a host

Scanning

Actively connecting to the system and getting a response to identify open ports and services

Packet crafting

Aka packet manipulation; sending modified packet headers to gather information from a system or host

Decompiling

Allows you to reverse engineer software using a decompiler; reverses the process of compiling; can NOT turn it back into the source code, but can get byte-code and assembly code

Insider threat

Already have authorized access to the networks; may be skilled or unskilled; former or current employee

Full Scan

An in-depth scan including ports, services, and vulnerabilities; easy to see in network traffic when the scan is performed; usually only run by defenders, not attackers

Time Restrictions

Are there certain times that are not authorized for testing? What about days of the week? What about holidays?

Containers

Basically mini virtual machines; built from a base OS image with unique apps on top of the OS; require far fewer resources to run

Pre-merger

Before two companies perform a merger, it is common to conduct a penetration test on them to identify weaknesses being inherited; can be part of the due diligence efforts

Radio frequency monitoring

Can be used to determine the types of devices in use: cellular, Wi-Fi, Bluetooth

Asset Categorization

Categorizing by OS or function; discover high-value assets, then by most or least vulnerabilities on a system, or by which has the most critical vulnerabilities

Non-credentialed Scans

Closer to a hacker's perspective for scanning; does not use an authenticated account

A vulnerability scan has returned the following results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What best describes the meaning of this output?

Connecting to the host with a null session allows the enumeration of the share names on the host. The enumeration results show three share names (print$, files, Temp) were found using a null session connection.

Master Services Agreement (MSA)

Contract where parties agree to most of the terms that will govern future actions.

Budgeting

Controls many factors in a test; larger budget = more time

Risk mitigation

Controls and countermeasures are put into place

Cryptographic inspection

Determine the encryption that is being used

Rules of engagement (roe)

Ground rules that you play by for the organization and the test: timeline, locations, time restrictions, transparency, and test boundaries

Test Boundaries

What will be tested? Is social engineering allowed to be used? What about physical security testing? How invasive can the test be?

Statement of Work (SOW)

Formal document stating the scope of what will be performed during a penetration test.

White-Box Testing

Full knowledge test; full knowledge of network, systems, and the infrastructure; more time probing vulnerabilities and less time gathering information

Sample application requests

Generally used for testing a web app or other apps developed by the organization; usually given inputs and expected outputs

Timeline

How long will the test be conducted?

Fingerprinting

Identification of the operating system, service, or software versions being used by the host

Risk transference

Insurance; risk is moved to another entity

Tier three of adversaries

Invest lots of money to find unknown vulnerabilities in order to steal data to sell for profit

Stealth Scan

Least intrusive kind of scan; conducted by sending a SYN packet and analyzing the result. If a SYN/ACK is received, the port is open; the scanner then sends a RST so that hopefully the handshake is never completed nor logged; some IDS will see this type of scan

LM Hash

Legacy hashes that are not generated when the password length exceeds 15 characters

Non-Disclosure Agreement (NDA)

Legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.

Tier two of adversaries

Little money and invest in own tools against KNOWN vulnerabilities

Tier one of adversaries

Little money and rely on off the shelf tools and known exploits

Script kiddies

Low-skilled attackers who use others' tools; use freely available vulnerability assessment and hacking tools to conduct an attack

Common Vulnerabilities and Exposures (CVE)

MITRE provided; every vendor submits to it; has vulnerabilities and exposures

Common Weakness Enumeration (CWE)

MITRE provided; software weaknesses and the different types of them; provides information about the actual weaknesses

Common Attack Pattern Enumeration and Classification (CAPEC)

MITRE provided; used to help understand and identify attack patterns to understand and potentially emulate them.

Web Application Scanner

Nikto

Black-Box Testing

No knowledge test; simulates an outsider attack; ignores internal threats; takes longer and costs more

Foot printing tools

nslookup, traceroute, ping, whois, Domain Dossier, Email Dossier, Google, social networking, discovery.sh, Maltego

Swagger documentation

Open-source framework with a large ecosystem of tools to help design, build, document, test, and style web services based on HTTP

Gray-Box Testing

Partial knowledge test; can be used as an internal test to simulate an insider with minimal knowledge; can decrease time spent on gathering info and allow more time on identifying vulnerabilities; this is the most likely type of pentest

Supply chain assessments

Pen tests may be required of your suppliers to ensure they are meeting their cybersecurity requirements

NIST SP 800-115

Plan, discover, attack, and report

Wassenaar Agreement

Precludes the transfer of technology considered to be "dual use" (can be used commercially and as a weapon, like encryption)

Threat modeling

Pretending to be a certain kind of attacker and conducting an attack simulating the way that they would attack

Software Development Kit (SDK)

Provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform

Discovery Scan

Scan that is the least intrusive; used to create a network map to show connected devices in the architecture

Credentialed Scans

Scanner uses an authorized user or admin account; closer to a system admin perspective; generally finds more vulnerabilities

Vulnerability scanning

Scanning a host, system, or network to determine what vulnerabilities exist; tools are only as good as their configuration

Objective-based assessments

Seek to ensure the information remains secure; testing occurs using all measures and more accurately simulates a real attack

Domain squatting

Take something close to the actual website name (cipher.com versus cypher.com), make it look as close as possible, then host malware there

Packet capturing

Use Wireshark or tcpdump to conduct this; electronic eavesdropping

Debugging

Used to identify and remove errors from hardware, software, or systems; also allows you to run through the executable step-by-step

sc query

What command could be used to list the active services from the Windows command prompt?

Technical constraints

What constraints limit your ability to test?

XML Denial of Service issues; this is due to the fact that the SOAP message itself is formatted as an XML document

What is a common Service Oriented Architecture Protocol (SOAP) vulnerability?

End state/reporting

What kind of report will be provided? Will you provide an estimate of how long remediation will take?

Location

Where will the testers be located? Does the organization have multiple locations? Will it cross international borders? Will the testers be on-site or remote?

Communication paths

Who do we communicate with about the test? Who is our inside man to discuss the test with?

Transparency

Who knows about the test? Will there be any information provided to the testers?

XML Schema Definition (XSD)

World Wide Web consortium (W3C) recommendation that specifies how to formally describe elements in an extensible markup language (XML) document

Web Services Description Language (WSDL)

XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server; flexible and allows binding; not useful for REST services

Web Application Description language (WADL)

XML-based, machine-readable description of HTTP-based web services; easier to write; not flexible; for REST

When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results not explicitly on the website (AAA). In the case of this question, no results should show up from sales.webserver.com. All results should only come from webserver.com.

You have conducted a Google search for the "site:webserver.com -site:sales.webserver.com financial." What results do you expect to receive?

sc config

A Windows command to modify the value of a service's entries in the registry and the Service Control Manager

Japan's CERT (JCERT)

Curated by the Japanese federal government; lists all vulnerabilities that are known

sc query

Command to obtain information about running services in Windows

LanMan Hash (LM Hash)

Compromised password hashing function that was the primary hash Microsoft LAN Manager and Windows versions before Windows NT used to store passwords.

Computer Emergency Response Team (CERT)

Curated by the US federal government; lists all vulnerabilities that are known

Type of technique often used to implement exploit chaining

Injecting parameters into a connection string using semicolons as separators

Eavesdropping

Part of info gathering; listening on wired/wireless networks to see what you can pick up
