CompTIA PenTest+ Certification Exam Objectives 3.0 Attacks and Exploits

Question 1

What is spear phishing?

Answer 1

Spear phishing is an email or electronic communication scam targeted towards a specific individual, organization or business.

Typically intended to steal data for malicious purposes, but may also be utilized to install malware on a targets computer via a malicious attachment or link!

Question 2

What is SMS phishing?

Answer 2

Also known as smishing

This is the act of committing text message fraud to try to lure victims into revealing account information or installing malware.

Question 3

What is voice phishing?

Answer 3

Also known as vishing

This is the use of telephony to conduct phishing attacks.

Question 4

What is whaling?

Answer 4

Whaling occurs when an attacker utilizes spear phishing methods to go after a large, high profile target, such as suite, but this could also include Administrators of systems.

This depends heavily on compelling the target, usually under the guise of some urgency.

Question 5

What is a BEC?

Answer 5

Business Email Compromise

This is a special type of phishing attack that are designed to impersonate senior executives and trick employees, customers or vendors into wiring payment for goods or services to alternate bank accounts

Question 6

What is interrogation in relations to pentesting/hacking?

Answer 6

This would be interrogating a specific target in orded to gain or be pointed into the right direction of confidential information.

This may be a receptionist of the target company to acquire information such as when employees are present in the building, shift information etc

Question 7

What is impersonation in social engineering?

Answer 7

This is impersonating someone in order to trick targets into providing information or assisting with gaining access to authorized spaces within the target organization

This could be dressing up and a plumber or ISP worker

Question 8

What is shoulder surfing?

Answer 8

Should surfing is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victims shoulder

Question 9

What is USB Key Drop technique?

Answer 9

This technique includes leaving a USB device for people to find and plug into their computers.

When plugged into a computer, it injects keystrokes to command to the computer to give a hacker remote access to the victims computer

This preys on a victims curiosity, if a pentest does this tactic, they would typically configure the USB to simply send them an email to let them know which ass clown plugged in a rando USB

Question 10

IN social engineering, how is authority used?

Answer 10

Authority can be used to pretend you are a person of authority in order to make a organizations employee perform an unauthorized task.

OR this could be claiming you are someone who works with a person of authority and it was requested a certain task be completed.

This could be pretending to be from legal department and/or organizational

Question 11

In social engineering, how is scarcity used?

Answer 11

This would be emailing a target organizations employee claiming something must be completed today or only 1 iPhone is left to win, therefore click this link

ACT NOW

Question 12

In social engineering, how is social proof used?

Answer 12

This occurs in social situations when people are unable to determine the appropriate mode of behavior.

If you see a group of people doing something, maybe you should too?

This can lead to a shitload of people making mistaken choices

Question 13

In social engineering, how is likeness utilized?

Answer 13

This is where an adversary/pentester would use their likable influence to create a interpersonal relationship in hopes that the target will comply with poor decisions

Question 14

What is NETBIOS and how is this exploited?

Answer 14

NETBIOS is an acronym for Network Basic Input/Out System.

NETBIOS provides services related to session layer of the OSI model, allowing applications on separate computers to communicate over a LAN

Traditionally, NETBIOS operates on 137/TCP, 138/UDP 139/TCP

NetBIOS can reveal much information about a system such as computer name, contents of the remote name cache (inlcuding IP addresses), a list of local NetBIOS names, a list of names resolved by broadcast, contents of the session table with thew destination IP addresses

Question 15

What is LLMNR and what are some vulnerabilities associated with this?

Answer 15

Link-Local Multicast Name Resolution

This is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
This can be found in windows and utilizes UDP port 5355

LLMNR can be vulnerable to spoofing/man-in-the-middle attacks.
When requests are intercepted the adversary/tester can say “I know where that server is, in fact, I am that server” allowing the attacker to capture whatever traffic comes next.

Question 16

What is SMB and what are some vulnerabilities associated with this?

Answer 16

Server Message Block is a communication protocol for providing shared access to files, printers and serial ports between nodes on a network.

It also provides authentication mechanisms.

SMBv1 has been known to be vulnerable to Eternal Blue as SMB mishandles specially crafted packets from remote attackers, allowing remote execution of arbitrary code on the target computer

Question 17

What is SNMP and what are some weaknesses associated with this?

Answer 17

Simple Network Management Protocol

SNMP is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior

Operates on Ports 161 and 162

There are three versions of SNMP:
SNMPv1 (Unencrypted)
SNMPv2 (Unecnrypted)
SNMPv3 (Encrypted and requires authentication)

So using SNMP1 and SNMPv2 can be insecure

Question 18

What is SMTP and what are some weaknesses associated with this?

Answer 18

Simple Mail Transfer Protocol

SMTP is an Internet Standard communication protocol for electronic mail transmission.

Mail servers and other message transfers agents use SMTP to send and receive mail messages and utilizes port 25

Weaknesses associated with SMTP:

• Unauthorized access to your emails and data leakage
• Spam and Phishing
• Malware
• DoS Attacks

Question 19

What is FTP?

Answer 19

File Transfer Protocol

FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.

FTP is built on a client-server model architecture using separate control and data connections between the client and the server

Uses port 21 for control and 20 for data transfer

Weaknesses associated with FTP:
FTP Lacks security as it is a non-secure way to transfer data
Encryption isnt a given
FTP can be vulnerable to attack
Compliance is an issue
Its difficult to monitor activity

Question 20

What is DNS Cache Poisoning?

Answer 20

Also known as DNS Spoofing

DNS Cache Poisoning is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.

Question 21

What is PtH?

Answer 21

Pass the Hash

This attack is a technique whereby an attacker captures a password hash (as opposed to password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

The threat actor doesnt need to decrypt the hash to obtain a plain text password.

PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated.

Attackers commonly obtain hashes by scraping a systems active memory and other techniques.

While this can occur on Linux/Unix systems this is most prevalent in Windows SSO, NT Lan Manager (NTLM), Kerberos, and other authentication protocols.

Windows stores hashes in the Security Accounts Manager (SAM) and Local Security Authority Subsystem (LSASS)

Question 22

What is ARP Spoofing?

Answer 22

ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP messages over a local area network.

This results in the linking of an attackers MAC address with the IP address of a legitimate computer or server on the network.

Once the attackers MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP Address

ARP Spoofing can enable malicious parties to intercept, modify or even stop data in-transit.

Question 23

What is a replay attack?

Answer 23

A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.

Question 24

What is a relay attack?

Answer 24

An attacker intercepts communication between two parties and then, without viewing or manipulating it, relays it to another device.

For example, a thief could capture the radios signal from your vehicles key fob and relay it to an accomplice who could use it to open your car door.

The main difference between a MITM and a relay attack is neither the sender nor to receiver need to have initiated any communication between the two.

Question 25

What is SSL Stripping?

Answer 25

SSL stripping is a technique by which a website is downgraded from https to http.
In other words, the attack is used to circumvent the security which is enforced by SSL certificates on https sites. This is also known as SSL downgrading

Question 26

What is a NAC and how is it bypassed?

Answer 26

A Network Access Control

NACs operate on wired and wireless networks by finding and identifying the different devices that are connected to and can access the existing system

NACs restrict unauthorized access to internal networks based on identity and security posture

NACs can be bypassed by spoofing a device that has previously authenticated to the NAC

Question 27

What is VLAN Hopping?

Answer 27

VLAN Hopping a computer security exploit, a method of attacking networked resources on a virtual LAN.

The basic concept behind all VLAN hopping attack is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible

This can be achieved my switch spoofing and double tagging

Question 28

What is a karma attack?

Answer 28

A karma attack is an attack that exploits a behavior of some Wi-Fi devices, combines with the lack of access point authentication in numerous WiFi protocols.

This attack is a variant of the evil twin attack.

A hacker tricks you in joining a WiFi network under their control, these fake access points are configured to resemble legitimate access points such as Starbucks Wireless when the real one is just Starbucks

Question 29

What is a de-authentication attack?

Answer 29

Deauthentication attack is a disruptive technique against wireless connections.

These attacks represent fraudulent requests that interfere with the communication between routers and devices.

This attack focuses on 802.11-based wireless networks
as they require deauthentication frames whenever users terminate connections.

Question 30

What are fragmentation attacks?

Answer 30

Fragmentation occurs when IP datagrams are broken apart in small packets, then transmitted across a network, and finally reassembled into the original datagram as port of normal communications.

An attacker can employ IP fragmentation to target communications systems, as well as security components.

Question 31

What is a credential harvesting attack?

Answer 31

Credential harvesting comes in many forms, but the goal remains the same, obtain end user credentials.

This can be done with:
Man-in-the-middle attacks
DNS Poisoning
Phishing

This can also be done with CSRF when a user authenticates into a fake website created by a naughty mf

Question 32

What is bluejacking?

Answer 32

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers

Question 33

What is bluesnarfing?

Answer 33

Bluesnarfing is the unauthorized access of information from a wireless device through Bluetooth connection

Question 34

What is RFID Cloning?

Answer 34

This is the act of utilizing a device that copies the data from one RFID tag and imprints it on another, allowing multiples of the same tag to be created and is used to access buildings/rooms as an ‘authorized’ user

Question 35

What is a SQL Injection?

Answer 35

Also known as SQLi

This is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not tended to be displayed

To test, use a single ‘ or there are Boolean SQL Injections like so:
http://www.estore.com/items/items.asp?itemid=999 or 1=1

We see 1=1 which is a true statement so the dumbass
database believes this is valid.

http://www.estore.com/items/iteams.asp?itemid=999; DROP TABLE (This would delete part of the database)

THIS CAN BE MITIGATED WITH INPUT VALIDATION AND SERIALIZED PARAMETRIZED, essentially the Web app/DB should be configured to know what to expect and where

Question 36

What is a HTML injection?

Answer 36

HTML injection is a vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.,

This could result in a users session cookie and/or modifications to the web page

The following example shows a snippet of vulnerable code that allows an invalidated input to be used to create dynamic HTML in the page context:

var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5);
document.getElementById("Welcome").innerHTML=" Hello, "+user;

The following example shows vulnerable code using the document.write() function:

var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5);
document.write("<h1>Hello, " + user +"</h1>");

Question 37

What is a command injection?

Answer 37

This is an attack which the goal is execution of arbitrary commands on the host operating system via a vulnerable application

Example would be:
system(“cd /var/yp && make &> /dev/null”);
or ‘cat /etc/passwd’ into the web application in hopes the local file on the backend system is exposed

Question 38

What is a code injection attack?

Answer 38

A code injection attack consist of injecting code that is then intercepted/executed by the application.

Code injection is different from command injection due to being limited by the functionality of the injected language itself.

If an attacker is able to inject PHP code into an application and have it executed, they are only limited by what PHP code is capable of.

Example:
The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php

Question 39

What is session hijacking?

Answer 39

Session hijacking is an attack where a user session is taken over by an attacker.

A sessions when you log into a service, and ends when you logout, but if an attacker knows session ID (session key) this session can be HIJACKED

Session Hijacks can be achieved by some of the following methods:

• Predictable session token
• Session sniffing
• Client Side attacks (XSS, malicious JavaScript Codes, Trojans etc)
• Man-in-the-middle attack

Question 40

What is a redirect attack?

Answer 40

Also known as URL Redirection

This is a vulnerability which allows an attacker to force users of an application to an untrusted external site.

This attack is most often performed by delivering a link to a victim, who then clicks the link and is redirected to the malicious site.

Question 41

What is Kerberos?

Answer 41

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner

This has known vulnerabilities such as Kerberoasting and Golden ticket

Kerberoasting which is a post exploitation attack that extracts service account credential hashes from Active Directory for offline cracking.

A Golden Ticket Attack is a kind of attack that targets the access control privileges of a Windows environment where AD is in use.

A golden ticket is used by adversaries to take over key distribution service of a legit user

Question 42

What is parameter pollution?

Answer 42

HTTP Parameter Pollution (HPP) is a web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information.

Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways.

By exploiting this, an attacker may be able to bypass input validation, trigger application errors or modify internal variable values.

Example:
/index.aspx?page=select 1&page=2,3

Question 43

What is insecure direct object reference?

Answer 43

IDOR occurs when an application provides direct access to objects based on user-supplied input.

As a result of this, attackers can bypass authorization and access resources in the system directly, for example database records or files.

Example:

The following line is your invoice:
http://foo.bar/somepage?invoice=12345

But what if we do the following and the database provides?
http://foo.bar/somepage?invoice=12346

This is not or invoice, but if the DB does not require authentication to view this invoice, we have exploited IDOR

Question 44

What is Stored XSS?

Answer 44

Stored XSS attacks are where the injected script is permanently stored on the target services, such as in a database, in a message forum, visitor log, comment field, etc.

The victim then retrieves the malicious script (unknowingly) from the server where it requested the stored information.

This is also referred to as Persistent XSS

Question 45

What is reflected XSS?

Answer 45

Reflected XSS attacks are those where the injected scripted is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input send to the server as part of the request

Also known as Non-Persistent XSS

Question 46

What is DOM?

Answer 46

Document Object Model

DOM is a programming API for HTML and XML documents.

It defines the logical structure of documents and the way a document is accessed and manipulated.

This can be vulnerable when a website contains JavaScript that takes an attacker-controllable value known as a source and passes it into a dangerous function, known as sink

Question 47

What is CSRF?

Answer 47

Cross-Site Request Forgery

CSRF is an attacker that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

This can be achieved with the help of social engineering (such as sending a link) posing as a known site to the victim user.

Question 48

What is clickjacking?

Answer 48

This is the malicious practice of manipulating a website users activity by concealing hyperlinks beneath legitimate clickable content, therefore the user performs actions of which they are unaware

Question 49

What is a path/directory traversal?

Answer 49

This attack aims to access files and directories that are stored outside the web root folder.

By manipulating variables that reference files with “dot-dot-slash (../../../../) sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system includiing application source code or configuration and critical file systems.

Question 50

What is cookie manipulation?

Answer 50

Also known as cookie poisoning is the act of manipulating or forging a cookie (a small piece of data created and stored in a users browser that keeps track of important information regarding his or her session information for a particular site) for the purpose of bypassing security measures or sending false information to a server.

An attacker using cookie manipulation can gain unauthorized access to a users account on the particular site the cookie was created for, or potentially tricking a server into accepting a new version of the original intercepted cookie with modified values.

Question 51

What is LFI?

Answer 51

Local File Inclusion

This allows an attacker to read (and sometimes execute) files on the victim machine.

This can lead to the attacker gaining access to sensitive information if the web server is misconfigured and running with high privileges

Question 52

What is RFI?

Answer 52

Remote File Inclusion

This allows an attacker to be able to execute code hosted on remote host

Question 53

Why are comments in source code sometimes a vulnerability?

Answer 53

If an adversary can view the comments of a source code, it can reveal the function of each part of the code and can provide an excessive amount of information regarding the application

Question 54

What is improper error handling in coding?

Answer 54

Improper handling of errors can lead to detailed internal error messages such as stack traces, database dumps, and error codes displayed to the user (hacker)

These messages reveal implementation details that should never be revealed.

Such details can provide important clues on potential flaws in the site and such messages are also disturbing to normal users

Question 55

What are race condition in coding?

Answer 55

A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.

If a application/program is still process one request and another one comes in during this process, this can lead to manipulation of the original request

Question 56

What is code signing and why is it important in software development?

Answer 56

Code singing is the process of digitally signing executable s and scripts to confirm the software author and protects the integrity of the code.

This typically employs the use of a cryptographic hash to validate authenticity

Question 57

What is a SUID and how can it be utilized in pentest?

Answer 57

A SUID bit is a flag on a file which states that whoever runs the file will have the privileges of the owner of the file.

So if you are a lower privilege user and run an executable owned by root, the code/executable runs with privileges of the root user.

This is only for Linux ELF executable, meaning this is worthless for Bash shell scripts, a Python script etc.

We can look at a files permissions with ‘ls -la’, if there is a ‘x’ then it is a SUID bit set.

This can be utilized in privilege escalations

To find all binaries with SUID permissions type the following:
‘find / -perm -u=s -type f 2>/dev/null’

Question 58

What is unsecure sudo?

Answer 58

This is where non-root users have the ability to execute commands that would TYPICALLY be reserved for the root user.

This includes:
SSH
ARP
Telnet
TCPDUMP
FIND
Service

Question 59

What is Ret2Libc?

Answer 59

A ret2libc attack is one in which the attacker does not require any shellcode to take control of a target, vulnerable process.

The purpose of this is a method of exploiting a bugger overflow on a system that has a non-executable stack, it is very similar to a standard buffer overflow, in that the return address is changed to point to a new location that we can control

Question 60

What is a stickybit?

Answer 60

A sticky bit is a permission that is a set on a file or directory that lets only the owner of the file/directory or the root user to delete or rename the file.

Question 61

What is cPassword?

Answer 61

cPassword is a component of Windows Active Directory Group Policy Preferences that allows administrators to set passwords via Group Policy.

Question 62

What are unattended installations in Windows?

Answer 62

An unattended installation is the traditional method of deploying Windows OS.

Unattended installation can lead to sets of insecure permissions for Users and Default User directories

Question 63

In Windows, what is a SAM database?>

Answer 63

Security Account Manager is a database file that stores users passwords/hashes.

It can be used to authenticate local and remote users

This can lead to overly permissive Access Control Lists on multiple system files including the SAM database.

An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges

Question 64

What is DLL Hijacking?

Answer 64

DLL Hijacking is a method on injecting malicious code into an application by exploiting the way some Windows applications search and load Dynamic Link Libraries (DLL)

Only M$ is susceptible to DLL hijacks

By replacing a required DLL file with an infected version and placing it within the search parameters of an application, the infected file will be call upon when the application loads, activating its malicious operations

Question 65

What are unquoted service paths?

Answer 65

When a service is created whose executable path contains spaces and isnt enclose within quotes, this leads to a vulnerability known as unquoted service path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is

Question 66

What are keyloggers?

Answer 66

This is a computer program that records every keystroke made by a computer user, especially used to gain fraudulent access to passwords and other confidential information

Question 67

What are scheduled tasks?

Answer 67

Task Scheduler is a component of Windows that allows predefined actions to be automatically executed whenever a certain set of conditions is met

This can be utilized for persistence by a adversary/pentester

Question 68

What is a sandbox and sandbox escape?

Answer 68

A sandbox is a tightly controlled environment in which semi-trusted programs or scripts can be safely ran in memory,

Sandbox’s are used to be a safeguard, but sometimes these can be exploited to allow malicious code to be executed from the sandbox to the outer system

Question 69

What is a VM escape?

Answer 69

A Virtual Machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system.

Question 70

What is a cold boot attack?

Answer 70

A cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computers random access memory by performing a hard reset of the target machine

Question 71

What is a JTAG Debug?

Answer 71

JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board.

Question 72

What is RPC?

Answer 72

Remote Procedure Call

RPC is when a computer program causes a procedure to execute in a different address space (commonly on another computer on a shared network) which is coded as it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction

Question 73

What is DCOM?

Answer 73

Distributed Component Object Model

DCOM is a programming construct that allows a computer to run programs over the network on a different computer as if the program was running locally.

Question 74

What is PsExec?

Answer 74

PsExec is a portable tool from Microsoft that lets you run processes remotely using any users credentials.

You can use PsExec to not only manage processes on the remote computer but also redirect an applications console output to your local computer, making it appear as though the process is running locally.,

Question 75

What is WMI?

Answer 75

Windows Management Instrumentation

WMI is the infrastructure for management data and operations on Windows based OS.

You can write WMI scripts or applications to automate administrative tasks on remote computers but WMI also supplies management data to other parts if the operating system and products

Question 76

What is VNC?

Answer 76

Virtual Network Computing

VNC is a graphical desktop sharing system that uses Remote Frame Buffer protocol (RFB) to remotely control another computer.

It transmits the keyboard and mouse input from one computer to another, relaying the graphical screen updates over a network

Question 77

What is X11 forwarding?

Answer 77

X11 forwarding is what gives you the ability to run GUIs from a server on your own local machine.

Question 78

What is RSH?

Answer 78

Remote shell is a command line computer program that can execute shell commands as another user, and on another computer across a computer network.

The remote system to which rsh connects runs the rsh daemon.

Operates on port 514