1.4 Explain penetration testing concepts

Question 1

Which phase of a penetration test uses a phishing email and payload, or obtains credentials via social engineering to gain access to the target’s network?

Answer 1

Initial exploitation

Question 2

Which type of penetration test requires the tester to perform partial reconnaissance?

Answer 2

Gray box

Question 3

During which type of penetration test does the tester specifically include the reconnaissance phase of the test?

Answer 3

Black box

Question 4

What type of pen test allows the tester to use default credentials to log into the system, after discovering a vulnerability on a server?

Answer 4

Passive reconnaissance

Question 5

A pen tester gathers some information about a target to find ways for remote access. After gaining access, what other penetration techniques should a tester perform before performing further reconnaissance?

Answer 5

Persistence

Question 6

Which of the following is a system susceptible to, if a user with system access can obtain keys from the system memory or pagefiles and scratch disks?

Answer 6

Privilege escalation

Question 7

initial exploitation phase

Answer 7

In the initial exploitation phase, an exploit is used to gain access to the target’s network. This initial exploitation might be accomplished using a phishing email and payload, or by obtaining credentials via social engineering.

Question 8

Pen testing

Answer 8

active reconnaissance technique. Active techniques include gaining physical access or using scanning tools

Question 9

Open Source Intelligence (OSINT)

Answer 9

Publicly available information and tools for searching it, are referred to as Open Source Intelligence (OSINT). Gathering this kind of information is referred to as passive reconnaissance

Question 10

pivot point

Answer 10

system and/or set of privileges that allow the tester to compromise other network systems (lateral spread). The initial exploit might give the tester local administrator privileges, and use these to obtain privileges on other machines

Question 11

black box

Answer 11

During a black box pen test, the consultant is given no privileged information about the network, its security systems and its configuration. Black box tests are useful for simulating the behavior of an external threat

Question 12

white box pen test

Answer 12

During a white box pen test, the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test, to fully evaluate flaws discovered during the black box test

Question 13

gray box pen test

Answer 13

During a gray box pen test, the consultant is given some information; this resembles the knowledge of junior or non-IT staff to model types of insider threats

Question 14

sandbox environment

Answer 14

Ideally, pen tests should be performed in a sandbox environment that accurately simulates the production environmentPassive reconnaissance

Question 15

Vulnerability scanning

Answer 15

passive reconnaissance techniques. Passive reconnaissance is not likely to alert the target of the investigation as it means querying publicly available information

Question 16

Active reconnaissance

Answer 16

more risk of detection. Active techniques might involve gaining physical access to premises or using scanning tools on the target’s web services and other networks

Question 17

Action on objectives

Answer 17

• refers to the adversary or penetration tester stealing data from one or more systems (data exfiltration)
• means carrying out the work as defined by the tester or client. Data exfiltration is an example of an objective

Question 18

initial exploitation (a.k.a. weaponization) phase

Answer 18

• an exploit is used to gain some sort of access to the target’s network
• occurs after gathering some initial information about the target to figure out what vulnerabilities are available to exploit. Persistence occurs after the initial exploitation

Question 19

Persistence

Answer 19

followed by further reconnaissance in a pen test attack life cycle. Persistence is the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor

Question 20

Persistence

Answer 20

followed by further reconnaissance in a pen test attack life cycle. Persistence is the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor

Question 21

SQL injection

Answer 21

An SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code

Question 22

Directory traversal

Answer 22

when the attacker gets access to a file outside the web server’s root directory

Question 23

Transitive access

Answer 23

describes the problem of authorizing a request for a service that depends on an intermediate service

Question 24

Which of the following penetration steps should a tester perform after obtaining a persistent foothold on the network and internal reconnaissance?

Answer 24

Obtain a pivot point

Question 25

pivot point

Answer 25

Having obtained a persistent foothold on the network and performed internal reconnaissance, the next likely objective is to obtain a pivot point, and compromise other network systems (lateral spread)

Question 26

A pen tester discovered that a certain vulnerability did not get patched on an SQL server. The pen tester then exploited the vulnerability with code injection and owned the server. Which of the following best describes this technique?

Answer 26

Active reconnaissance

Question 27

What is the difference between vulnerability scanning and penetration testing?

Answer 27

Vulnerability scanning is passive and penetration testing is active

Question 28

During which type of penetration test does the tester skip the reconnaissance phase of the test?

Answer 28

white box

Question 29

During which type of penetration test does the tester skip the reconnaissance phase of the test?

Answer 29

White box

Question 30

What is the difference between vulnerability scanning and penetration testing?

Answer 30

Vulnerability scanning is passive and penetration testing is active