CompTIA PenTest+ Certification Practice Exam Chapter 2 (Total Sem Online Material) Flashcards
RTOSs are operating systems found in certain types of embedded devices. Which of the following are common weaknesses that affect RTOSs? (Choose two.)
A.Delay from vendors implementing upstream package updates in their own repositories
B.Embedded web applications with hard-coded default credentials
C.Difficulty of patching (typically requiring a firmware update rather than a relatively simple package installation)
D.Finding a time to deploy package updates that is not invasive to business operations
B.Embedded web applications with hard-coded default credentials
C.Difficulty of patching (typically requiring a firmware update rather than a relatively simple package installation)
Explanation:
RTOSs often feature websites or web applications that run with hard-coded default credentials and are difficult to update due to the requirement for a firmware update to make changes to the operating system.
A and D are incorrect. A is incorrect because a delay in implementing upstream package updates is an issue that can affect all operating systems, not just RTOSs. D is incorrect for much the same reason: the patching and updating of systems and software is a stressful procedure for most businesses, often requiring the sanction of a change-approval board (CAB). The reasons for this caution vary widely, but a common grievance among businesses is the hesitation to introduce new code that, while a net good for system security and the protection of company intellectual property, may break production systems that previously ran without issue, effectively losing the company money through lost productivity.
The use command in recon-ng is an alias for which other command?
A.reload
B.search
C.load
D.set
C.load
Explanation:
The command use is an alias for the command load in recon-ng, making them functionally identical.
A, B, and D are incorrect because the commands reload, search, and set are not aliases for the command load. The command reload is used to reload all modules, search allows a user to search through available modules, and set is used to configure module options.
Which category of vulnerability was number one on the OWASP Top 10 for 2017 and impacts many computer components such as databases, LDAP, and operating systems?
A.Injection
B.Cross-site scripting
C.Insecure deserialization
D.Broken authentication
A.Injection
Explanation:
Injection was the number one vulnerability for web applications in 2017, and in fact has been since 2010. This can impact SQL and NoSQL databases, LDAP, and operating systems, among other information system components.
B, C, and D are incorrect. Cross-site scripting (XSS), insecure deserialization, and broken authentication were number 7, number 8, and number 2, respectively, in 2017.
Which term is defined as a methodical approach used to validate the presence of a vulnerability on a target system?
A.Vulnerability analysis
B.Vulnerability scanning
C.Scan validation
D.Configuration validation
A.Vulnerability analysis
Explanation:
Vulnerability analysis is a methodical process by which the presence of a vulnerability on a system is confirmed.
B, C, and D are incorrect. B is incorrect because vulnerability scanning is the process of inspecting an information system for known security weaknesses. C is incorrect because scan validation is a decoy term for this question, in that it bears a similar meaning to the correct answer but is intended to mislead certification candidates. D is incorrect because while configuration validation may be a part of a penetration test or security assessment, it refers to the verification of implementation of security best practices in a given environment or for a given service.
Which of the following resources would be best to consult if you encounter difficulty while data mining for a penetration test?
A.Shodan
B.OSINT Framework
C.dig
D.theharvester
B.OSINT Framework
Explanation:
The OSINT Framework is an excellent resource for guiding data-mining efforts. The tool focuses on broad-scale information collection from numerous sites and sources, such as social media networks, corporate information leaks, and public and private records and news releases. The OSINT Framework casts a wide net in its efforts in data collection and analysis, making it an excellent guide for the data-mining process relative to the other choices.
A, C, and D are incorrect. A is incorrect because Shodan is an Internet of Things search engine used to find systems, services, and network devices exposed to the public internet. While some information relevant to OSINT collection and data-mining efforts can be collected from Shodan, it will generally be limited in scope, making this a poor answer compared to the other choices. C is incorrect because dig is a command for *nix operating systems used to perform DNS queries. As with Shodan, dig can produce useful information in the context of a penetration test, but it, too, will be somewhat limited in scope, making this a poor answer for this question. D is incorrect because theharvester is a Python-based command-line tool used for both active and passive intelligence collection. It can provide a respectable amount of information when beginning collection efforts, but it has limitations in the sites it is able to query and the sorts of information it is designed to collect (generally IP ranges, subdomain names, and e-mail addresses related to a given domain). Theharvester is a less effective choice for data-mining efforts than the OSINT Framework and an incorrect answer to this question.
Which HTTP status code family is used to indicate a client-side (that is, requestor) error?
A.2XX
B.5XX
C.4XX
D.1XX
C.4XX
Explanation:
HTTP status codes in the 4XX range indicate a client-side error.
A, B, and D are incorrect. A is incorrect because HTTP status codes in the 2XX range indicate successful operation of a method or request. B is incorrect because HTTP status codes in the 5XX range are used to indicate a server-side error. D is incorrect because HTTP status codes in the 1XX range indicate informational responses.
Which command (valid in both *nix and Windows) can resolve a domain name to its IP address?
A.nslookup
B.ping
C.dig
D.host
A.nslookup
Explanation:
The nslookup command is available on both Windows and *nix systems and can query DNS servers to resolve a domain name to its associated IP address, and vice versa.
B, C, and D are incorrect. B is incorrect because the ping command only sends ICMP packets to a host to confirm that it is reachable. C and D are incorrect because although both dig and host are commands that can resolve a domain name to its IP address, they are only valid in *nix operating systems and are not recognized by default on Windows operating systems.
The ability of theharvester to identify hosts, IP addresses, and e-mail addresses based on a domain name alone makes it most valuable for which penetration testing methodology?
A.Gray box
B.Black box
C.White box
D.Red team
B.Black box
Explanation:
The ability to identify hosts, IP addresses, and e-mail addresses based on nothing more than a domain name means theharvester can be exceedingly valuable in penetration tests where one is provided little or no information. Because the black box testing methodology is marked by extremely limited starting information being provided to the tester, this is the correct answer.
A, C, and D are incorrect. A and C are incorrect because gray and white box testing both begin with some functional knowledge about the target environment. It should be noted that this does not mean theharvester is not useful during gray and white box engagements; it is simply that because theharvester excels at finding information with very little input, and because gray and white box assessments generally provide a significant amount of information to the penetration tester, the output of this tool will be less revealing in those engagements than it would in a black box assessment. D is incorrect because red team testing is a type of penetration test, rather than a penetration testing methodology.
Which vulnerability analysis and research discussion forum tends to provide a greater level of detailed analysis and researcher discussion for a vulnerability than searching MITRE’s CVE website, up to and including a proof-of-concept code sample?
A.Full Disclosure
B.CERT Vulnerability Reporting Form
C.OWASP
D.CAPEC
B.CERT Vulnerability Reporting Form
Explanation:
Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques. It also provides tools, papers, news, and events of interest to the cybersecurity community.
B, C, and D are incorrect. B is incorrect because the CERT Vulnerability Reporting Form is a means of vulnerability disclosure that is managed by a team of security researchers based out of Carnegie Mellon University. C is incorrect because OWASP, or the Open Web Application Security Project, is an open community designed to enable organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. D is incorrect because CAPEC is a dictionary that serves to help classify various types of attacks so that they can be better understood by analysts, developers, testers, and educators.
Which vulnerability research and analysis resource consists of thousands of known attack patterns and methodologies, categorized by both the domain of attack and the mechanism of attack? It is focused on application security and describes common techniques used by adversaries in exploiting known weaknesses.
A.CVE
B.CAPEC
C.CWE
D.Full Disclosure
B.CAPEC
Explanation:
CAPEC (Common Attack Pattern Enumeration and Classification) is a publicly available vulnerability research resource that serves as a dictionary of common attack patterns and classifies various types of attacks so that they can be better understood by analysts, developers, penetration testers, and educators. Note that it can be particularly easy to confuse CAPEC with ATT&CK; the latter emphasizes general network defense rather than specific attack tactics, and may be broadly understood to be a tool better suited for use by network defenders rather than penetration testers. Refer to MITRE for further information on the differences between the two: https://capec.mitre.org/about/attack_comparison.html.
A, C, and D are incorrect. A is incorrect because CVE (Common Vulnerabilities and Exposures) is a list of entries for publicly known cybersecurity vulnerabilities provided by MITRE. Each entry contains an identification number, a description, and at least one public reference for further information. Because this is a dictionary of known vulnerabilities rather than one of attack tactics used by adversaries targeting applications, it is incorrect. C is incorrect because CWE (Common Weakness Enumeration) is a community-developed list of common software security weaknesses managed by MITRE, providing a baseline for weakness identification, mitigation, and prevention efforts. While a list of potential software weaknesses is valuable for penetration testers, software developers, and educators, it does not focus on attack tactics used by adversaries in attacking applications, making it incorrect. D is incorrect because Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, in addition to providing tools, papers, news, and events of interest to the cybersecurity community. While some discussion of attack tactics can be expected on Full Disclosure—indeed, proof-of-concept code is commonly found in posts there—it is not the sole focus of the site, making it an incorrect answer.
Which attack tactic as detailed by MITRE’s ATT&CK matrix covers methods for the transfer of sensitive information from a system?
A.Lateral movement
B.Defense evasion
C.Exfiltration
D.Execution
C.Exfiltration
Explanation:
Exfiltration methods as described by ATT&CK are attack techniques that seek to discover and remove sensitive information from within a system. An example of this would be to send harvested data in a netcat connection to a commonly used port and protocol (such as HTTP on port 80 or DNS on port 53) on an external system to avoid scrutiny by an otherwise alert defense team.
A, B, and D are incorrect. A is incorrect because attacks categorized as lateral movement methods are techniques by which an attacker or penetration tester transitions from one system over the network to another; passing the hash, or sending a hashed password to obtain access without needing the cleartext password, is an example of this. B is incorrect because attacks categorized as defense evasion methods are meant to escape detection or system security defenses; this could be as simple as deleting temporary files created in the process of attacking a target system. D is incorrect because attacks categorized as execution methods are techniques that result in the execution of malicious code on a local or remote system; an example of this would be the use of a native command-line interface, such as cmd.exe in a Windows environment or the terminal on a Linux host.
Which class of attack occurs when a web application loads resources from an external source and fails to verify the data source before execution, allowing an attacker to potentially load malicious content (such as a JavaScript or PHP file that results in the theft of data or system compromise) targeting either the hosting server or an unsuspecting visitor’s browser?
A.Remote file inclusion
B.Local file inclusion
C.HTTP parameter pollution
D.Unvalidated redirection
A.Remote file inclusion
Explanation:
This is an example of remote file inclusion (RFI). Loading resources hosted outside of a target domain leaves an application potentially vulnerable to malicious remote file includes, which can result in the execution of malicious code on either the server or a visiting user’s browser. RFI vulnerabilities are best mitigated through the sanitization of user input, HTTP parameters, and URL parameters, using means such as whitelists of authorized remote file inclusion source sites and file types.
B, C, and D are incorrect. B is incorrect because local file inclusion would consist of the disclosure of a file stored locally on the target web server, such as its /etc/hosts file or a SAM backup, in the case of *nix and Windows-based servers, respectively. Since the attack explicitly describes loading an unexpected file from outside of the targeted domain, this answer cannot be correct. C is incorrect because HTTP parameter pollution would require that multiple instances of a single HTTP parameter be sent to the remote system in order to trigger unexpected behavior. Instead, the attack described gets a target system to load a malicious file hosted outside of the target’s domain. Since there is no mention of HTTP parameter tampering being required for the attack, this answer is incorrect. D is incorrect because unvalidated redirection would require that an attacker create a malicious link that abuses an unsanitized redirect directive. Once loaded, the site the victim intended to visit will redirect them to a site of the attacker’s choosing, with a typical goal being the collection of user credentials or other sensitive information. Since the attack described smuggles a payload onto the web server directly and does not involve a client-side redirect, this answer is also incorrect.
In iOS applications, what is the net effect of App Transport Security (ATS) being enabled?
A.Requires the user to enter a PIN or password to use the device’s network connection
B.Ensures that data is encrypted with the bcrypt algorithm before data is sent
C.Forces verification of the logical address of the remote server with which the application communicates
D.Forces mobile applications to use HTTPS
D.Forces mobile applications to use HTTPS
Explanation:
The App Transport Security feature of iOS ensures that mobile applications use HTTPS for communication with remote systems.
A, B, and C are incorrect. A is incorrect because the requirement for a PIN or password is a user-configurable security enhancement for the user interface. B is incorrect because bcrypt is an algorithm used for encryption at rest; computing a bcrypt hash is computationally expensive, meaning it would be impractical to use for ongoing system communications due to the frequency of encryption operations in such a scenario. C is incorrect because verification of the logical address (that is, the IP address) of a remote server is a function of DNS (when not provided an IP address directly), which converts human readable domain names to IP addresses.
Which file system partition is used by the Android operating system to store frequently accessed data?
A./system
B./storage
C./data
D./cache
D./cache
Explanation:
The /cache partition is used by Android to store frequently accessed data.
A, B, and C are incorrect. A is incorrect because the /system partition on Android devices contains the operating system, except for the system kernel and RAM disk. B is incorrect because the /storage partition on Android devices contains internal and external (that is, emulated and SD card) storage locations. C is incorrect because the /data partition on Android contains user and system app data.
The WHOIS directory service provides what information with a proper query?
A.Domain registration information
B.Website administrator contacts
C.Domain name resolution
D.Reverse lookup
A.Domain registration information
Explanation:
The WHOIS directory service provides domain registration information, including registrant and administrator names, phone numbers, and e-mail addresses.
B, C, and D are incorrect. B is incorrect because website administrator information is not required for a WHOIS entry; that information can often be found on the website in question. C and D are incorrect because domain name resolution and reverse lookup services are both provided by DNS servers. Manual queries for this information may be completed via the use of the nslookup and dig commands.