Udemy Practice Test answers PenTest+
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention?
access_log On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is an executable program that parses Apache log files within in Postgres database.
If an administrator cannot fully remediate a vulnerability, which of the following should they implement?
compensating controls Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You attempted to run a Google hacking query by entering the following search options: "password inurl:diontraining.com". Which of the following results might be returned by your search parameters? https://www.comptia.org/diontraining.com https://www.dionsolutions.org/passwd https://www.jasondion.com/diontraining/password https://www.passworddumps.com/diontraining
https://www.comptia.org/diontraining.com The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl:diontraining.com would return only page results whose URLs include the text "diontraining.com" and have the text "password" somewhere on the page.
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
Active scanning engine installed on the enterprise console Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.
You have been hired to conduct a compliance-based, external network penetration test for an organization. During the engagement planning, you determined that the client has an IPS protecting their network and your team has spent 1 week already trying to bypass it. Since you only have 1 week left in the assessment, you have requested to have your source IP added to the allow list in the IPS during the engagement. The client states that they do not want to add you to their allow list since the IPS is properly blocking you as an attacker. Which of the following should you tell the client?
Adding the source IP to the allow list will allow the pen testers to focus on the discovery of the security issues within the systems instead of relying solely on the effectiveness of the IPS. If the source IP is not added to the allow list, the penetration tester will waste a lot of time and resources trying to bypass it before testing the rest of the systems in the assessment's scope. Instead, the client should add the source IP to the allow list so the penetration testers can focus on other vulnerabilities before this perimeter device. When drafting the final report, the penetration tester should indicate which discovered vulnerabilities would be a lower risk due to the IPS already being installed and working as a mitigating control.
A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it over a TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic?
Application-aware firewall A web application firewall (WAF) or application-aware firewall would detect both the accessing of random ports and TLS encryption and identify it as suspicious. An application-aware firewall can make decisions about what applications are allowed or blocked by a firewall, and TLS connections are created and maintained by applications. A stateless packet inspection firewall allows or denies packets into the network based on the source and destination IP address or the traffic type (TCP, UDP, ICMP, etc.). A stateful packet inspection firewall monitors the active sessions and connections on a network. The process of stateful inspection determines which network packets should be allowed through the firewall by utilizing the information it gathered regarding active connections as well as the existing ACL rules. Neither a stateless nor stateful inspection firewall operates at layer 6 or layer 7, so they cannot inspect TLS connections. An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. An IDS only monitors the traffic on the network, it cannot block traffic.
According to the NIST SP 800-115, during which phase of an attack would a penetration tester seek to gain complete control of a system?
Attack During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment's scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
Banner Grabbing Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.
Dion Training has contracted you to conduct a penetration test of its web application hosted within AWS Lamba. Part of the assessment will include stress testing the web application using a simulated DDoS attack. Which of the following entities would be the proper signing authority to approve this penetration test?
Both organization's representatives since one is your client and the other hosts the servers Written authorization documents help control the amount of liability incurred by the penetration tester. You must ensure you have the correct authorization in place before beginning your engagement. You ALWAYS need written authorization from your client. If the client uses a third-party service provider, then you may need to also get proper authorization from them in writing too. During your engagement planning, you should contact the third-party service provider to determine if written consent is required. In the case of Amazon, there are a handful of services that do not require prior authorization before conducting a penetration test on behalf of your client. DoS and DDoS attacks and simulations do require written authorization from both your client and Amazon. If you do not have this, you could be held liable for any negative consequences to Amazon and its client's servers or even be charged with criminal computer hacking.
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur?
Buffer overflow A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any revoked digital certificates that you may use as part of a phishing campaign. Which of the following should you review to identify user certificates that were revoked before their expiration date?
CRL The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as a multi-domain certificate. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
CVE The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price?
Changing hidden form values Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?
Cognitive password attack A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).
A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization's LAN. What is the best method for the penetration tester to use to conduct the pivot?
Create a route statement in meterpreter: Since the penetration tester has exploited the FTP server from outside the LAN, they will need to set up a route statement in meterpreter. Metasploit makes this very simple since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) and then create the routes needed.
Dion Training wants to implement DNS protection on their mobile devices. Which of the following implementations would allow the device to use a specified DNS provider to block dangerous sites by refusing to resolve previously identified malicious hosts?
Custom DNS Custom DNS is often used to block dangerous sites by purposefully refusing to resolve to a previously identified malicious host. DNS over HTTPS (DoH) allows the DNS requests to be tunneled within the TLS traffic over port 443. This allows most of the DNS protocol traffic over port 53 to be eliminated after the first DNS request to the DoH provider is made. DoH is used mainly to provide privacy protections for the user and their web browsing activities. Device configuration profiles are XML files that contain configuration details defined at either the user or device level. These profiles can be manually installed or automatically deployed through an MDM solution. Token-based access requires an enrolled device to provide a token issued by an IAM solution to gain access to network resources. Mobile devices with an installed token are granted access to the network resources after being verified by a network access control (NAC) appliance.
You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point?
Downgrade attack A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design. A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim's device will be kicked off the access point by spoofing the victim's MAC address and sending the deauthentication frame to the access point. A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it firsts beacons to determine if any of these previously connected networks are within range.
You are conducting a social engineering attack against an organization as part of an engagement. You spoof your caller ID to appear to be from within the company, then you call up the company and ask to speak with the CIO's assistant. When they answer the phone, you tell them that you are from the IT department and that you detected a malicious intruder has taken over their account and is encrypting data all over the next. You offer to help them stop the attack quickly, but they first need to give you their password. The victim says they won't give that information to your over the phone, to which you respond, "Ok, fine, but when the boss finds out that you could have stopped this attack and chose to ignore me, don't say I didn't warn you." What type of social engineering principle is being exploited here?
Fear Fear is a visceral emotion that can motivate people to act in ways they normally would not. In this scenario, the social engineer tries to convince the victim that their actions must be taken immediately, or bad consequences might occur. This is an attempt to cause fear and anxiety in the victim to hand over their password. Authority is used to take advantage of people's willingness to act when directed to by someone with the power or right to give orders. For example, an attacker may pose as a police officer, government agent, or high-level executive to force an employee to take some form of action, whether it is ethically dubious or counter to their interests. Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used.
Which of the following tools should a penetration tester use to identify hidden directories, files, or subdomains by brute force?
Gobuster Gobuster is a tool that can discover subdomains, directories, and files by brute-forcing from a list of common names. The Web Application Attack and Audit Framework (w3af) allows you to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting. Hydra is a password cracking tool that supports parallel testing of several network authentication types simultaneously. Mimikatz is a tool that gathers credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes.
Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form?
Input validation: is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page.
You have been hired to conduct an external PCI-DSS audit of a merchant that processes over 6,000,000 credit card transactions per year. Which level would this merchant be categorized as?
Level 1 This is a level 1 merchant. Under the PCI-DSS compliance rules, a merchant who is categorized as a level 2, level 3, or level 4 must have an external auditor conduct an annual audit or submit documentation of a self-test proving they took active steps to secure their credit card processing infrastructure. Level 1 is a large merchant with over 6,000,000 transactions per year. Level 2 is a merchant with 1,000,000 to 5,999,999 transactions per year. Level 3 is a merchant with 20,000 to 1,000,000 transactions per year. Level 4 is a small merchant with under 20,000 transactions per year.
You have been hired to conduct an external PCI-DSS audit of a merchant that processes between 20,000 and 1,000,000 credit card transactions per year. Which level would this merchant be categorized as?
Level 3 This is a level 3 merchant. Under the PCI-DSS compliance rules, a merchant who is categorized as a level 2, level 3, or level 4 must have an external auditor conduct an annual audit or submit documentation of a self-test proving they took active steps to secure their credit card processing infrastructure. Level 1 is a large merchant with over 6,000,000 transactions per year. Level 2 is a merchant with 1,000,000 to 5,999,999 transactions per year. Level 3 is a merchant with 20,000 to 1,000,000 transactions per year. Level 4 is a small merchant with under 20,000 transactions per year.
You are working as part of a penetration testing team targeting Dion Training's Linux-based network. You want to determine if you can crack the password on their remote authentication servers. Which of the following tools should you use?
Medusa Medusa is a command-line-based free password cracking tool often used in brute force password attacks on remote authentication servers. W3AF (Web Application Attack and Audit Framework) is a Python tool included in Kali Linux that tries to identify and exploit any web app vulnerabilities. CeWL is a ruby app that crawls websites to generate word lists for use with other password crackers. Mimikatz is an open-source tool that enables you to view credential information stored on Microsoft Windows computers.
What tool can be used as an exploitation framework during your penetration tests?
Metasploit: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations
Which of the following tools should a penetration tester use to enumerate user accounts, escalate privileges, and other tasks during the post-exploitation phase against an AWS-based cloud architecture?
Pacu Pacu is designed as a post-exploitation framework to assess the security configuration of an AWS account by enumerating user accounts, escalating privileges, launching additional attacks, or installing backdoors. Covenant is an open-source .NET framework with a focus on penetration testing and contains a development/debugging component. CeWL is a word list generate that automatically navigates a website and collects words from the text, metadata, and other files found on the site. The Wapiti is a web application vulnerability scanner that automatically navigates a web app to find areas where it can inject data.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system?
Pass the Hash: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
Perform a scan for the specific vulnerability on all web servers Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. You want to capture all of the victim's web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal?
Perform an SSL stripping attack An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the web server in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.
A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? Permit 143.27.43.32 161.212.71.0/24 RDP 3389 Permit 143.27.43.0/24 161.212.71.14 RDP 3389 Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 Permit 143.27.43.32 161.212.71.14 RDP 3389
Permit 143.27.43.32 161.212.71.14 RDP 3389 Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. Which of the following is LEAST likely to contain publicly available source-code from the targeted organization?
Reddit: it is a social media website that provides posts separated into categories or forums. Reddit is useful when trying to build a social profile around a specific individual and is the least likely to contain source-code from the target organization. GitHub, Bitbucket, and SourceForge are public source-code repositories that allow developers to share code and collaborate. These source-code repositories are often used by commercial organizations and if they do not properly configure their privacy settings then their code can become public.
You are conducting a penetration test and have been asked to simulate an APT. You have established TLS network connections from a victimized host in the organization's intranet to your workstation which you are using to attempt data exfiltration from the server. The TLS connection is occurring from an end user's workstation over an ephemeral port to your workstation's listener setup on port 443. You have placed modified versions of svchost.exe and cmd.exe in the victimized host's %TEMP% folder and set up scheduled tasks to establish a connection from the victimized host to your workstation every morning at 3 am. Which of the following types of post-exploitation techniques is being used?
Reverse Shell A reverse shell is established when the target machine communicates with an attack machine that is listening on a specific port. Reverse shells are effective in bypassing firewalls, port filtering, and network address translations, unlike a bind shell. A bind shell allows a target system to bind its shell to a local network port and accept inbound connections. Bind shells may be blocked by a firewall filtering incoming traffic on the given port, though. A trojan is a malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. A daemon is used on Linux systems to act as a service that runs in the background without being attached to a terminal.
You are currently conducting active reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify the areas of the company's website that are not crawled by search engines. Which of the following should you review to determine these areas?
Robots.txt A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site. When conducting active reconnaissance, you may wish to manually evaluate the robots.txt file and then access those portions of the website. The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as a multi-domain certificate.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any domain names also covered by the organization's digital certificate to include in your assessment. Which of the following should you review to determine any other domains that can use the same digital certificate?
SAN Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as a multi-domain certificate. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) Disabling unused services Patching NIDS Segmentation
Segmentation & Disabling unused services Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.
Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still shows the servers as vulnerable? (SELECT ALL THAT APPLY) The vulnerability assessment scan is returning a false positive This critical patch did not remediate the vulnerability You conducted the vulnerability scan without waiting long enough after the patch was installed The wrong IP address range was scanned during your vulnerability assessment
The vulnerability assessment scan is returning a false positive This critical patch did not remediate the vulnerability There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The other possibility is that the patch does not remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.
During the reconnaissance phase of a penetration test, you have determined that your client uses several networked devices that rely on an embedded operating system. Which of the following methods would MOST likely be the best method for exploiting these?
Use web-based exploits against the devices web interfaces Most embedded operating systems use a web interface to access their configurations for setup and installation. Focusing on this web interface and using common web-based exploits is usually one of the best methods of exploiting a device with an embedded OS. Jailbroken devices refer to iPhones and iPads that have been configured to give the user root access to the underlying operating system. Spearphishing campaigns are not usually used against an embedded operating system since many of these devices are not used directly by an end-user. A malicious APK would be used to target an Android-based operating system and most embedded operating systems are based on Linux and not Android.
You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against Dion Training. You want to identify any web pages that contain the term "password" and whose URL contains diontraining.com in the hyperlink displayed on the page. Which of the following Google hacking queries should you use?
password inanchor:diontraining.com The inanchor modifier is used to search for any pages whose anchor text includes the specified term and has the search term provider somewhere on the page. For example, password inanchor:diontraining.com would return only page results that contain diontraining.com in the anchor text and have the search term "password" anywhere on the page. The link modifier is used to search for any pages that link to the website provided and have the search term anywhere on the page. For example, password link:diontraining.com would return only page results that link to Dion Training's website and have the text "password" anywhere on the page. The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl:diontraining.com would return only page results whose URLs include the text "diontraining.com" and have the text "password" somewhere on the page. The site modifier is used to search only the specified website for results that contain the search term. For example, password site:diontraining.com would return only results for the word password on pages located on the Dion Training website.
After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization's privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?
qualitative risk assessment This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.