06/07 Penetration testing Flashcards
(20 cards)
What is the primary goal of penetration testing?
To simulate an adversary and uncover real-world risks in a system before actual attackers do.
Which standard is commonly followed for ethical pentesting processes?
The Penetration Testing Execution Standard (PTES).
What must be defined in the “Rules of Engagement”?
Scope, allowed tools, data handling procedures, testing windows, communication and escalation paths, and legal sign-off.
Name two key deliverables in the scoping & planning phase.
List of in-scope assets (networks, apps, endpoints) and agreed testing windows and communication channels.
Which legal/regulatory frameworks often need consideration before testing?
GDPR, PCI DSS, and any industry-specific privacy or security regulations.
What is OSINT in passive reconnaissance?
Open-Source Intelligence—gathering publicly available info (e.g., WHOIS, DNS, web archives, GitHub).
Give two examples of active reconnaissance techniques.
Network mapping with ping sweeps/traceroute and port/service enumeration using Nmap or masscan.
What is banner grabbing used for?
To read the greeting or response headers a service sends on connection and so identify the product and version behind a port (e.g., with netcat, curl, or Nmap's -sV); the version string is what drives the later vulnerability lookup.
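The port-enumeration and banner-grabbing cards above, as an added worked example that is not from the flashcard deck: a small Python scanner that checks a list of ports, grabs whatever the service sends first, and parses an SSH identification string. So that it runs offline, it starts its own throwaway listener on localhost that returns a constructed OpenSSH-style banner; the listener, the banner text and the helper names are all assumptions made for the example.

```python
import socket
import threading

# Constructed banner, shaped like what an OpenSSH server sends on connect.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a throwaway TCP listener on an ephemeral localhost port that sends
    `banner` to every client and hangs up. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Reserve and release an ephemeral port so we have one that is almost
    certainly closed (used as the negative case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host, port, timeout=2.0, probe=None):
    """Connect to host:port and return (state, banner_text).
    state is 'open' or 'closed'. Protocols that speak first (SSH, FTP, SMTP)
    need no probe; for HTTP pass a request line as `probe`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if s.connect_ex((host, port)) != 0:
            return "closed", ""
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""  # open port, silent service (needs a protocol probe)
        return "open", data.decode("latin-1", "replace").strip()
    finally:
        s.close()


def parse_ssh_banner(banner):
    """Split 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6' (RFC 4253 ident string)
    into (product, version, comment); returns None for non-SSH banners."""
    if not banner.startswith("SSH-"):
        return None
    ident = banner.split(" ", 1)
    software = ident[0].split("-", 2)[2]          # 'OpenSSH_8.9p1'
    product, _, version = software.partition("_")
    comment = ident[1] if len(ident) > 1 else ""
    return product, version, comment


def scan(host, ports):
    """Enumerate ports and collect banners: {port: (state, banner)}."""
    return {p: grab_banner(host, p) for p in ports}


if __name__ == "__main__":
    ssh_port = start_fake_service()
    for port, (state, banner) in scan("127.0.0.1", [ssh_port, free_closed_port()]).items():
        print(port, state, banner, parse_ssh_banner(banner))
```

Against a real target the same `scan()` call is pointed at the host and port list agreed in the rules of engagement; a service that stays silent on connect (HTTP, most TLS endpoints) needs a `probe` such as `b"HEAD / HTTP/1.0\r\n\r\n"` before anything comes back.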
How can LinkedIn be used in recon?
To enumerate employees, roles and the organisation's naming conventions, which feed spear-phishing lures in social-engineering engagements (only when the rules of engagement put social engineering in scope).
What is the purpose of vulnerability triage?
To weed out false positives and validate scanner findings through manual proof-of-concept testing.
What scoring system helps prioritize vulnerabilities?
CVSS (Common Vulnerability Scoring System) base scores, adjusted for the business impact of the affected asset and real-world exploitability (e.g., whether a public exploit exists).
Name two common exploitation techniques.
Buffer overflows (payload crafting) and injection flaws (SQL, OS/command injection).
What framework is popular for exploit development and delivery?
Metasploit Framework (exploit modules, payload generation with msfvenom, and post-exploitation through Meterpreter).
Mention one Windows and one Linux privilege-escalation method.
Windows: misconfigured services (weak binary or service permissions, unquoted service paths) or token impersonation when the account holds SeImpersonatePrivilege (e.g., Juicy Potato). Linux: enumerating setuid binaries and other misconfigurations and abusing one that can be made to run a shell or read files as root (enumeration scripts such as LinPEAS automate the search).
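The Linux half of the card above, as an added worked example that is not from the deck: a Python equivalent of the classic `find / -perm -4000 -type f 2>/dev/null` sweep that also catches setgid files, then separates binaries that are setuid on most distributions from the ones that deserve a closer look. To stay runnable offline it builds a constructed fake filesystem under a temporary directory; the directory layout, the `helper` binary and the expected-binary list are assumptions made for the example.

```python
import os
import stat
import tempfile

# Setuid-root binaries found on most mainstream Linux installs. Anything
# outside this set (especially under /opt, /home, /srv or a vendor path)
# is worth reading or running with strace to see what it does.
EXPECTED_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
    "newgrp", "gpasswd", "pkexec",
}


def find_setid_binaries(root):
    """Walk `root` and return [(path, mode_octal, owner_uid)] for regular
    files with the setuid or setgid bit set. Symlinks and special files are
    skipped, and unreadable directories are ignored rather than aborting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(st.st_mode & 0o7777), st.st_uid))
    return hits


def triage(hits, expected=EXPECTED_SUID):
    """Split hits into (known, suspicious) by basename; the suspicious list
    is the one to work through for a privilege-escalation path."""
    known, suspicious = [], []
    for hit in hits:
        basename = os.path.basename(hit[0])
        (known if basename in expected else suspicious).append(hit)
    return known, suspicious


def build_demo_tree():
    """Constructed fixture: a fake root with one expected setuid binary, one
    ordinary binary and one unexpected setuid helper under /opt."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    usr_bin = os.path.join(root, "usr", "bin")
    opt = os.path.join(root, "opt", "backup")
    os.makedirs(usr_bin)
    os.makedirs(opt)
    layout = [
        (os.path.join(usr_bin, "passwd"), 0o4755),   # normal
        (os.path.join(usr_bin, "ls"), 0o755),        # not setuid
        (os.path.join(opt, "helper"), 0o4755),       # the interesting one
    ]
    for path, mode in layout:
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # On a real engagement: find_setid_binaries("/")
    demo_root = build_demo_tree()
    known, suspicious = triage(find_setid_binaries(demo_root))
    print("expected:", [os.path.basename(p) for p, _, _ in known])
    for path, mode, uid in suspicious:
        print("LOOK AT THIS:", path, mode, "uid", uid)
```

On a live host the walk of `/` takes a while and will hit `/proc` and `/sys`; the `onerror` handler keeps it going past directories you cannot read, which is the same behaviour the `2>/dev/null` redirect gives the `find` one-liner.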
What are two lateral-movement techniques?
Credential reuse with Pass-the-Hash (NTLM) or Pass-the-Ticket (Kerberos), and pivoting to further hosts over RDP or SMB (e.g., PsExec-style remote execution).
Name three post-exploitation activities.
Persistence (e.g., scheduled tasks), data exfiltration (compressing and encrypting a sample of the target data to prove access), and cleanup (removing implants, test accounts and uploaded files; logs are altered only if the rules of engagement explicitly allow it, since they are the client's evidence of what the test did).
What is the top-level section in a pentest report called?
Executive Summary.
What should the “Technical Findings” section include?
Detailed PoCs, screenshots, CVSS scores, and step-by-step exploitation paths.
What belongs in the “Remediation Roadmap”?
Prioritized action items with clear owners and ETAs.
How should pentest findings be delivered?
Through presentations tailored to both technical teams (deep dive) and management (high-level risks).