PenTest+
$ nc -lvnp 1234
-l - Listen mode, to wait for a connection to connect to us.
-v - Verbose mode, so that we know when we receive a connection.
-n - Disable DNS resolution and only connect from/to IPs, to speed up the connection.
-p 1234 - Port number netcat is listening on, and the port the reverse connection should be sent to.
A penetration tester is using Netcat and does not want the command to perform DNS lookups for host names on the other end of the connection. What option will accomplish this?
-n
Which file on a Linux system is modified to set the maximum number of days before a password must be changed?
/etc/shadow
Metagoofil
A Linux-based tool that can search the metadata associated with public documents located on a target's website
Shodan
A website search engine for web cameras, routers, servers, and other devices that are considered part of the Internet of things
Censys
A website search engine used for finding hosts and networks across the Internet with data about their configuration
PenTesters report that a firewall that is being tested is allowing for malicious data to be passed through. The target system on the internal side of the firewall is an email server and all related inbound email ports are scanned. Why does the malicious data pass through undetected? (Select all that apply.)
An ACL is not configured properly; The packet matches a permit rule; The payload is not scanned
A rogue system is suspected to be on a large network. A PenTester uses the -sY option with the nmap command and should expect what process to happen?
An SCTP Initiation Ping uses the Stream Control Transmission Protocol (SCTP), an alternative to using either a TCP or UDP scan to see if a host is alive. This scan requires using the -sY option.
A Pentest team performs an exercise at a large financial firm. During the process, it is discovered that a risk exists due to missing firmware updates on several hardware-based firewalls. The team concludes a risk rating during which step of the Pentest process?
Analysis
A Pentester crafts a packet to test vulnerabilities on a hardware firewall. Packets are fragmented so that a malicious signature is not recognized by an IDS. Considering the packet crafting stages, which stage captures the packets sent to assist in determining how the test went?
Decoding the capture of the packets sent will help to determine how the test went. The Pentester can analyze traffic generated using a packet analyzer such as Wireshark.
Which of the following is a custom developer tool that helps the PenTest team during application testing by allowing the team to examine the plaintext data passing through the system?
Frida is an open-source tool that can work with a wide range of operating systems and helps the team during the application phase.
A PenTester gains access to required resources in such a way that it has a greater potential for information gathering without raising possible suspicion since irregular user activity is more likely to remain unnoticed than irregular admin activity. Through what method is the PenTester gaining access?
Horizontal privilege escalation is obtaining access to a regular user account with different access or permissions than the one currently in use.
A penetration tester is looking for a tool to support the current task that supports parallel testing of several network authentication protocols. What tool can the tester select that supports this requirement?
Hydra supports parallel testing of several network authentication protocols. It comes bundled with a tool called pw-inspector that analyzes a dictionary and prints only the entries that match the password requirements.
Which of the following tools provides a penetration tester with Python classes with low-level program access to packets, protocols, and their implementation?
Impacket is a collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation.
Level 1
has over six million transactions a year. An external audit must be performed by an approved Qualified Security Assessor (QSA) and a Report on Compliance (RoC) must be completed.
Level 4
has under 20,000 transactions a year. A self-test or a report form for an external auditor is required to prove that the business is taking steps to secure the infrastructure.
Level 2
is a merchant with one to six million transactions a year. This level requires that a Report on Compliance (RoC) is completed.
theHarvester
is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on the following: subdomain names, employee names, email addresses, PGP key entries, open ports, and service banners.
Recon-ng
is an open-source intelligence tool that can sift through metadata, such as whois information, PGP encryption keys, social media profiles, files, and DNS records.
ScoutSuite
is an open-source tool written in Python that can audit instances and policies created on multicloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
Disassembly
is the reverse engineering process of translating low-level machine code into higher level assembly language code that is human readable and can include familiar programming elements.
phase is where the patch has been released. As such, the next step is to apply the patch in order to remediate or mitigate the vulnerability.
manage
phase is where vendors and software designers take a look at the vulnerability and devise a strategy. In most cases, a patch is developed and then released.
mitigate
Server-side request forgery (SSRF)
occurs when an attacker takes advantage of the trust established between an authorized user of a website and the website itself.
Direct-to-origin attack (D2O)
occurs when malicious actors bypass this protection by identifying the origin network or IP address and then launch a direct attack.
Document Object Model (DOM)-based attack
the threat actor does not send malicious scripts to the server; instead, they take advantage of a web app's client-side implementation of JavaScript to execute the attack solely on the client.
Airmon-ng
will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode.
o Text (TXT) Record
▪ Adds text into the DNS
o Pointer (PTR) Record
▪ Correlates an IP address with a domain name
o Mail Exchange (MX) Record
▪ Directs emails to a mail server
o Nameserver (NS) Record
▪ Indicates which DNS nameserver has the authority
o IPv6 Address (AAAA) Record
▪ Links a hostname to an IPv6 address
o Canonical Name (CNAME) Record
▪ Points a domain to another domain or subdomain
o Service (SRV) Record
▪ Specifies a host and port for a specific service
o Start of Authority (SOA) Record
▪ Stores important information about a domain or zone
An organization's legal team drafts a master service agreement (MSA) along with a PenTest team lead. What will the agreement include? (Select all that apply.)
Insurance information; Safety guidelines; Project scope
A PenTest team considers which issue as part of the lessons learned phase?
It is possible that the team found new unknown vulnerabilities during the testing. Additional personnel training or updated tools may be part of a lessons learned report.
While footprinting a system, a PenTester uses the finger command. What is true regarding this command? (Select all that apply.)
It is used on a Linux system; It is used to view a user's home directory
A PenTester conducts a stealth scan of a network server from across a network. What does the tester know is true about scanning this way with Nmap? (Select all that apply.)
Limited effectiveness; Credentials are not used
Address (A) Record
Links a hostname to an IPv4 address
While performing a PenTest at a customer site, engineers configure MAC address spoofing on a Windows system while trying to find vulnerabilities on a network. What will result from the engineer's actions?
MAC address spoofing modifies the MAC address on a system's NIC card so that it matches the MAC address of another machine. Once done, traffic will be directed to both the victim and the malicious actor.
A security engineer discovers that a malware injection attack has occurred on a server in a cloud infrastructure. What does the engineer discover has happened? (Select all that apply.)
Malicious code was concealed in a wrapper. A website experienced cross-site scripting.
is a command-line-based free password cracking tool often used in brute force password attacks on remote authentication servers.
Medusa
A security team plans a lateral move within a client's Windows network. The intent is to exploit a flaw in the Distributed Component Object Model (DCOM) during the move. How does the team achieve this?
The Remote Procedure Call (RPC) enables inter-process communications between local and remote systems. DCOM applications use RPC as a transport mechanism.
A penetration tester is using a framework to help manage available exploits and keep control of the devices the tester has targeted. What kind of framework is the tester using to accomplish this?
The command and control (C2) frameworks manage available exploits, as well as help penetration testers keep control of the devices the tester has targeted.
Metadata
The data about the data in the file
A PenTester shows a client how a cleartext password and other information can be extracted from system memory. Which tool does the PenTester demonstrate?
The mimikatz tool can be used to gather credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes.
A PenTester performs active reconnaissance as part of an exercise. The goal is to identify possible query formats for a web app that uses SQL. What method does the PenTester use when using a select query?
The most common method for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. This is called the single quote method. If an error is returned, it may provide SQL syntax details.
A penetration tester has discovered that a remote access tool can open a shell on a Linux system without even authenticating. What command is the penetration tester using?
The penetration tester is using rsh, a Linux command that can open a remote shell; if the server has an .rhosts file configured a certain way, the penetration tester won't even need to supply credentials.
A penetration test has begun, and the team has sent requests to the company to verify that specific targets are within the scope of the test. There has been discussion about the severity of damage if certain assets go down at certain times, and a decision needs to be made by the company. Who is responsible for making these decisions?
The primary contact is the party responsible for handling the project on the client's end. This can usually be a Chief Information Security Officer (CISO) or another party responsible for the penetration test's major decisions.
A PenTest team discovers that a DNS server responds to dynamic DNS updates without authentication. What causes this action?
The server uses recursion
A penetration tester recently signed a contract with a client. The penetration tester first checked for publicly identifiable information to help prepare to simulate an attack on the client. What publicly accessible information would be the most advantageous for the penetration tester?
When accounts are compromised, passwords tend to leak on the web. Scanning through these password dumps can help speed up malicious attacks by using known passwords.
A Jr. PenTester has difficulty using a Bash script. The script contains the following line: $my_str = "Password" , which keeps throwing an error. What does a senior PenTester identify as the problem? (Select all that apply.)
When using Bash for scripting in Linux, a variable is not designated with a leading $ when it is assigned. A leading $ is required when using PowerShell in a Windows environment. Bash is also strict about the equals sign (=): it must not have a leading or trailing space (whitespace).
Ruby
a general-purpose interpreted programming language that can also be used as a scripting language. It is more flexible in its syntax, and there are many ways to write the same program, whereas in Python there is typically one "best" way to do something.
Frida
an open-source tool that can work with a wide range of operating systems and allows the forensics expert to dump process memory, perform in-process fuzzing, and change a program's behavior.
Libraries
are repositories of modules created by other people that can easily be referenced when writing scripts. Using libraries saves time because the modules already exist and do not need to be built from scratch.
can be used by an attacker who has physical access to a computer whose hard drive is encrypted
cold boot attack
finger
command views a user's home directory along with login and idle time. You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services.
Browser exploit framework (BeEF)
focuses on web browser attacks by assessing the actual security posture of a target by using client-side attack vectors.
approach uses assessments that have a particular purpose or reason. For example, if an organization is concerned with a sensitive server, the PenTest team will focus on that server.
goal based
Level 3
has 20,000 to one million transactions a year. This level may have an external auditor or submit a self-test that proves active steps are in place to secure the infrastructure.
A PenTest focuses on a particular server at a host organization. The server contains critical information and is of the highest priority to harden. What assessment type do the PenTesters utilize? (Select all that apply.)
A goal-based approach uses assessments that have a particular purpose or reason. For example, if an organization is concerned with a sensitive server, the PenTest team will focus on that server. An objective-based approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for security issues before implementation.
Maltego
A piece of commercial software used for conducting open-source intelligence that visually maps the relationships between discovered entities. It can automate the querying of public sources of data and then compare the results with other info from various sources.
theHarvester
A program for gathering emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports, and service banners from servers
What is the Open Web Application Security Project (OWASP)?
A resource for security risk awareness
A penetration tester is writing code to search for a specific output and wants to use a method that compares sequences of characters to perform a specific function. What can the tester use to complete the task?
A string operator is used for constructing strings of characters or comparing strings of characters to perform a specific function, such as searching or crafting a specific output.
Domain Name System (DNS)
A system that helps network clients find a website using human readable hostnames instead of numeric IP addresses
When defining the communication path, what should an IT manager establish for a PenTest team?
A testing threshold
A security engineer sees an increase of malicious spam emails masquerading as coming from their domain. What can the engineer implement to help mitigate these malicious emails?
Adding a specific TXT record (also known as an SPF record) to your DNS can help limit other systems using a domain for email. An SPF record has a maximum length beyond which most network and email systems will not treat it as valid.
A PenTester uses the Nmap utility to scan for a particular host on the network. Without using any options, what does Nmap provide as a result to the PenTester? (Select all that apply.)
Address Resolution Protocol (ARP) requests are sent to hosts to obtain Media Access Control (MAC) address details. The MAC address can be used for purposes such as access control. By default, Nmap will perform a TCP scan. A UDP protocol scan can be initiated by using the -PU option.
controls are security measures implemented to monitor the adherence to organizational policies and procedures.
Administrative
A company hires a penetration testing team, expressing concern that their wireless access points (APs) could be vulnerable to insider attacks. Which tool would the team use to attempt to decipher the encryption key of the APs?
Aircrack-ng is the tool within the Aircrack-ng suite that would be used to attempt to decipher the encryption key of the APs. Aircrack-ng performs key cracking based on collected data, making it a suitable choice for this scenario.
A PenTester simulates an attack on a wireless network by capturing frames and then using the information to further an attack on a discovered Basic Service Set Identifier (BSSID) of an access point. What specific tool has the PenTester used to initiate the attack?
Airodump-ng
Waits for us to connect to it and gives us control once we do.
Bind Shell
Steganography requires three basic elements to work. Which elements are valid? (Select all that apply.)
Carrier; Payload; Tool
A penetration tester uses an attack surface analyzer to identify exposures in the organization's system. What tool is the tester using to identify these exposures?
Censys is an attack surface analyzer, similar to Shodan, to identify exposed systems.
What type of attack is possible due to weak or completely absent input processing routines in the application?
Code injection is an attack that introduces malicious code into a vulnerable application to compromise the security of the application.
Which technique is used with the ProxyChains command to allow a penetration tester to pivot to a new subnet?
ProxyChains is a tool that allows a penetration tester to pivot to a new subnet, but it must be combined with the modification of the routing tables on the penetration tester's machine. For example, assume that the exploited client machine is located in the 192.168.5.0/24 subnet, but you need to access a server in the 10.0.0.0/24 subnet. You would then need to run "route add 10.0.0.0 255.255.255.0 1" (1 is the ID of your Meterpreter session). Then, you can run "proxychains <command>" to target the new subnet. For example, "proxychains nmap -sT -Pn -p21,23,25,80,443 10.0.0.5" would perform an Nmap scan of the targeted server in the new subnet by chaining the connections together through a proxy on the localhost.
A public school system looks to educate its student population with cybersecurity knowledge. Which resource provides a holistic structured approach to PenTesting?
OSSTMM
Which of the following tools is considered a web application scanner?
OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner.
approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for any security issues before implementation.
Objective based
A PenTester remotely adds a user to a Windows system on one box and elevates a Linux user account to root on another. Which approach does the tester use? (Select all that apply.)
On a Windows system, the net user command is used to manipulate user accounts from the command line. The net user jjones /add command will add a user account named jjones. On a Linux system, there are several ways to give root privileges to a user, including editing the /etc/passwd file and changing the user's user ID (UID) and group ID (GID) to 0.
A PenTest technician sanitizes systems from a completed engagement. When overwriting data on disks, which statements are true regarding SSD drives? (Select all that apply.)
Overwriting an HDD is more reliable than with an SSD; An SSD uses a write algorithm to reduce wear
What tool includes several modules so the team can attempt exploits, such as obtaining API keys or gaining control of a VM instance?
Pacu is an exploitation framework to assess the security configuration of an Amazon Web Services (AWS) account.
A security auditor reviews a small retailer's credit card data protection strategy. In which area would the auditor likely request more detailed information to see that industry recommendations are followed?
Password Policies
A penetration tester has briefed the executive branch of a company about its vulnerabilities. The penetration tester easily breached some services, and there was no patching option for them. What could the company use to complete remediation of these vulnerabilities?
Process-level remediation is the concept of resolving a finding by changing how it is used or implemented. There might be technical challenges to simply patching or modifying the underlying systems of a process, so the remediation done is at the process level.
Which might a security engineer use to illustrate the logic and functions of a script in a generic way?
Pseudocode is a made-up language used to show flow and logic but is not based on any programming or scripting language. Pseudocode can be used to easily illustrate the logic of a script.
You want to exploit the NetBIOS Name Service on a Windows-based network. Which of the following tools should you use?
Responder
Connects back to our system and gives us control through a reverse connection.
Reverse Shell
During a penetration testing exercise, a pen tester plans to exploit a system using Telnet. However, the PenTest Supervisor suggests using an alternative tool that supports encryption. Which of the following tools could the tester use to meet the supervisor's recommendation for secure, encrypted communication?
SSH
A team is using an open-sourced tool that collects data from the cloud using API calls. It then compiles a report of all the objects discovered, such as IAM accounts, data, VM instances, storage containers, and firewall ACLs. Which tool is the team using?
ScoutSuite is an open-source tool written in Python that can audit instances and policies created on multicloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
An organization realizes the potential for an attack on their systems. As a result, a resiliency assessment takes place, and various controls are suggested to be put in place. If an access control list (ACL) is on a firewall, what type of control does the systems engineer implement?
Technical or logical controls automate protection to prevent unauthorized access or misuse and include Access Control Lists (ACL) that are implemented as software or hardware.
A security engineer uses Netcat to listen for connections on a particular port. Which command options does the engineer use to create a persistent listener on port 53 that triggers a script? (Select all that apply.)
The -L option starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects. The -p option specifies the port that Netcat should start listening on in listening mode. When used in client mode, this value specifies the source port. The -e option specifies the program to execute when a connection is made. This is useful for alerts and logging.
A PenTester is creating variants and combinations of word lists in an attempt to crack a user's password. What type of attack is this?
The PenTester is using a rule attack which can make use of word lists to create variants and combinations and can then try trimming or expanding words or substituting numbers or special characters for letters.
A PenTester is gathering passwords by extracting them in cleartext from memory. What tool is the PenTester using?
The PenTester is using mimikatz which gathers credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes.
A PenTester is installing optional tools for Linux in preparation for a PenTest. Where do PenTesters store these tools?
The PenTester will store these tools in the /opt folder as /opt is where PenTesters normally install optional tools for Linux.
class 1
This represents a ____________________ virtual environment attack in which the attack happens outside of the virtual machine and can affect the entire virtual environment.
Fingerprinting Organizations with Collected Archives (FOCA)
Used to find metadata and hidden information in collected documents from an organization
A PenTest team prepares for an engagement at a customer site. Which assets could the team inventory as being in-scope for the test? (Select all that apply.)
Users are an in-scope asset, as they are susceptible to social engineering, and are generally considered to be the easiest attack vector. Domains and/or subdomains within the organization are a prime target for malicious activity and are an in-scope asset. Domains and subdomains are examples such as example.com and ftp.example.com. Service Set Identifiers (SSID) can be targeted when an attacker is attempting to access a wireless network. As such, they are an in-scope asset.
Recon-ng
Uses a system of modules to add additional features and functions for your use. It is a cross-platform web reconnaissance framework.
A malicious actor gains unauthorized access to a VM's management interface where the actor can take complete control of all attacked virtual systems. What is this called?
VM sprawl refers to creating virtual machines (VMs) without proper change control procedures, which can create a vulnerable environment.
A PenTest team looks to map a network for a customer. Which tools would be useful in creating a map? (Select all that apply.)
WMI; SNMP; ARP
Which of the following wireless security protocols is considered the most secure for protecting Wi-Fi networks?
WPA3
Communicates through a web server, accepts our commands through HTTP parameters, executes them, and prints back the output.
Web Shell
