Pentest+ Jason Dion's Practice Questions


What tool is used to collect wireless packet data?
A. Aircrack-ng
B. John the Ripper
C. Netcat
D. Nessus

A. Aircrack-ng
Explanation: OBJ-3.3: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the collected data as a text file or pcap file. John the Ripper is a password cracking tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "abcde" 6 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "efghi" 7 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "12345" 8 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "67890" 9 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "a1b2c" 10 of 10

What type of test is the penetration tester currently conducting?
A. Conducting a brute force login attempt of a remote service on 192.168.1.142
B. Conducting a Denial of Service attack on 192.168.1.142
C. Conducting a port scan of 192.168.1.142
D. Conducting a ping sweep of 192.168.1.142/24

A. Conducting a brute force login attempt of a remote service on 192.168.1.142
Explanation: OBJ-2.4: The penetration tester is conducting a brute force login attempt against a remote service on 192.168.1.142, as shown by the repeated login attempts using common usernames and passwords. A brute force attack is an attempt to crack a password or username, find a hidden web page, or find the key used to encrypt a message by trial and error, hoping eventually to guess correctly. Port scanning is the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. A ping sweep is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts.

What should NOT be included in your final report for the assessment and provided to the organization?
A. Detailed list of costs incurred
B. Methodology used
C. Executive summary
D. Findings and recommendations

A. Detailed list of costs incurred
Explanation: OBJ-5.1: A detailed list of costs incurred is not required as part of the final report; instead, it would be included as part of your invoicing. Your report should contain an executive summary, the methodology used in the assessment, and your findings and prioritized recommendations.

An attacker was able to gain access to your organization's network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?
A. MAC Flood
B. Fraggle
C. Smurf
D. Tear Drop

A. MAC Flood
Explanation: OBJ-3.2: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the switch's MAC address table (its CAM table) and forces unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, once the switch's MAC address table has been flooded with bogus entries, the switch can fail open and begin to act like a hub, broadcasting all frames out every port. This allows the attacker to sniff all of the network packets since he is connected to one of those switch ports. A Fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
A. Missing patches
B. SQL Injection
C. CRLF Injection
D. Cross-site scripting

A. Missing patches
Explanation: OBJ-2.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the patch to exploit the vulnerability it fixes. If your servers are not patched against the vulnerability, they can fall victim to the exploit, and the data contained on the server can be compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user's workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the main lobby of the building until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
A. Tailgating
B. Shoulder surfing
C. Mantrap
D. Social engineering

A. Tailgating
Explanation: OBJ-3.6: Based on the description, the ethical hacker is conducting a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam there are two correct answers, but one is more correct; this question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder.

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct?

BEGIN OUTPUT
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
#
END OUTPUT

A. Your email server is running on a non-standard port
B. Your organization has a vulnerable version of the SSH server software installed
C. Your email server has been compromised
D. Your web server has been compromised

A. Your email server is running on a non-standard port
Explanation: OBJ-2.2: As shown in the output of the nmap scan, only two standard ports are open: 22 (SSH) and 80 (HTTP). But when netcat is run against port 80, the banner that comes back shows an SMTP server is running on port 80. SMTP normally runs on port 25 by default, so running it on port 80 means your email server (SMTP) is running on a non-standard port.

A vulnerability scan has returned the following results:

Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp

What best describes the meaning of this output?
A. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
B. Connecting to the host using a null session allows enumeration of the share names on the host
C. Windows Defender has a known exploit that must be resolved or patched
D. There is an unknown bug in an Apache server with no Bugtraq ID

B. Connecting to the host using a null session allows enumeration of the share names on the host
Explanation: OBJ-2.2: This is the result of a vulnerability scan that enumerated open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) that were found using a null session connection. There is no CVE associated with this vulnerability, but it is not a false positive: not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so that is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. The fact that both the CVE and Bugtraq ID are blank is not suspicious since we are dealing with a null session enumeration result.

What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment?
A. SOW
B. NDA
C. MSA
D. Corporate Policy

B. NDA
Explanation: OBJ-1.2: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: one from the organization to the pentester and another from the pentester to the organization. The Scope of Work (SOW) is a formal document that states what will and will not be performed during a penetration test. It should also contain the size and scope of the assessment, as well as a list of the assessment's objectives. A master service agreement, or MSA, is a contract reached between parties in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define its individual scope. Corporate policy is a documented set of broad guidelines, formulated after an analysis of all internal and external factors that can affect an organization's objectives, operations, and plans.

A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?
A. g++ --compile -i exploit.cpp -o notepad.exe
B. g++ exploit.cpp -o notepad.exe
C. g++ exploit.py -o notepad.exe
D. g++ -i exploit.pl -o notepad.exe

B. g++ exploit.cpp -o notepad.exe
Explanation: OBJ-2.4: g++ is a free C++ compiler that is available across a wide variety of operating systems and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is "g++ filename -o outputfile", so "g++ exploit.cpp -o notepad.exe" is correct.

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?
A. request type=ns
B. set type=ns
C. transfer type=ns
D. locate type=ns

B. set type=ns
Explanation: OBJ-4.2: The "set type=ns" command tells nslookup to report information only on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

During a penetration test, you conduct an exploit that creates a denial of service condition by crashing the httpd server. What should you do?
A. Contact the organization's customer service department and conduct further information gathering
B. Continue with the exploitation
C. Immediately contact the organization and inform them of the issue
D. Pivot to another machine

C. Immediately contact the organization and inform them of the issue
Explanation: OBJ-5.4: If at any point during an assessment an issue arises due to your actions, you should immediately stop exploitation and contact the trusted point of contact provided by the organization. You should not continue your exploitation or pivot to another machine. While you may contact the organization's customer service department, you first need to verify whether that is part of the allowed communication procedures outlined in the assessment plan. If you are conducting a red team event, the customer service team may be the target and may not be allowed to be informed of the issues directly. As a pentester, you should notify your trusted point of contact within the organization, per your approved test plan.

What is not one of the three categories of solutions that all of the pentester's recommended mitigations should fall into?
A. People
B. Technology
C. Problems
D. Process

C. Problems
Explanation: OBJ-5.3: All possible solutions can be categorized as People, Process, or Technology solutions.

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?
A. Memorandum of understanding
B. Service Level Agreement
C. Rules of engagement
D. Acceptable use policy

C. Rules of engagement
Explanation: OBJ-1.1: While the network scope given in the contract documents defines what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like "no social engineering is allowed" or "no external website scanning". A memorandum of understanding (MOU) is a preliminary or exploratory agreement expressing an intent to work together; it is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.

What programming language is most vulnerable to buffer overflow attacks?
A. Swift
B. Java
C. Python
D. C++

D. C++
Explanation: OBJ-3.4: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.

Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help to prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A. if (shippingAddress != 75) [update field] else exit
B. if (shippingAddress = 75) [update field] else exit
C. if (shippingAddress >= 75) {update field} else exit
D. if (shippingAddress <= 75) {update field} else exit

D. if (shippingAddress <= 75) {update field} else exit
Explanation: OBJ-3.4: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking that the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, the field will not be updated and the algorithm will exit the function.

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?
A. NMAP
B. Nessus
C. BeEF
D. Metasploit

B. Nessus
Explanation: OBJ-4.2: Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Nessus can also be used to perform compliance auditing, such as internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework; it is a penetration testing tool that focuses on the web browser.

Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command?
A. nmap -Pn 10.0.0.0,1.0,2.0,3.0
B. nmap -Pn 10.0.0.0/23
C. nmap -Pn 10.0.0.0/25
D. nmap -Pn 10.0.0-3.0

D. nmap -Pn 10.0.0-3.0
Explanation: OBJ-4.1: The simplest way to scan multiple adjacent subnets is to give nmap a range in the target specification. The -Pn option tells nmap to skip host discovery and treat every IP in the target space as online, so each address is scanned directly. Using the dash (-) in the IP address means "scan this network through this network", so 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.
