Chapter 6 Flashcards

1
Q

Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity
scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely
to use on this service?

A

An SMB exploit since 445 is typically associated with SMB services

2
Q

Matt wants to pivot from a Linux host to other hosts in the network but is unable to install
additional tools beyond those found on a typical Linux server. How can he leverage the
system he is on to allow vulnerability scans of those remote hosts if they are firewalled
against inbound connections and protected from direct access from his penetration testing
workstation?
A. SSH tunneling
B. Netcat port forwarding
C. Enable IPv6
D. Modify browser plug-ins

A

SSH tunneling, because almost all Linux systems have SSH.

3
Q

After gaining access to a Windows system, Fred uses the following command:
SchTasks /create /SC Weekly /TN "Antivirus" /TR "C:\Users\SSmith\av.exe" /ST 09:00
What has he accomplished?
A. He has set up a weekly antivirus scan.
B. He has set up a job called “weekly.”
C. He has scheduled his own executable to run weekly.
D. Nothing; this command will only run on Linux.

A

C. He has scheduled his own executable to run weekly.

4
Q

A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses
access to the remote host. A vulnerability scan shows that the vulnerability that he used to
exploit the system originally is still open. What has most likely happened?
A. A malware scan discovered Meterpreter and removed it.
B. The system was patched.
C. The system was rebooted.
D. Meterpreter crashed.

A

C. The system was rebooted.

4
Q

After gaining access to a Linux system through a vulnerable service, Cassandra wants to list
all of the user accounts on the system and their home directories. Which of the following
locations will provide this list?
A. /etc/shadow
B. /etc/passwd
C. /var/usr
D. /home

A

C. /var/usr

5
Q

Angela wants to exfiltrate data from a Windows system she has gained access to during a
penetration test. Which of the following exfiltration techniques is least likely to be detected?
A. Send it via outbound HTTP as plaintext to a system she controls.
B. Hash the data, then send the hash via outbound HTTPS.
C. Use PowerShell to base64-encode the data, then post to a public HTTPS-accessible code
repository.
D. Use PowerShell to base64-encode the data, then use an SSH tunnel to transfer the data
to a system she controls.

A

D. Use PowerShell to base64-encode the data, then use an SSH tunnel to transfer the data to a system she controls.

5
Q

Tina has acquired a list of valid user accounts but does not have passwords for them. If she
has not found any vulnerabilities but believes that the organization she is targeting has poor
password practices, what type of attack can she use to try to gain access to a target system
where those usernames are likely valid?
A. Rainbow tables
B. Dictionary attacks
C. Thesaurus attacks
D. Meterpreter

A

B. Dictionary attacks

5
Q

What built-in Windows server administration tool can allow command-line PowerShell
access from other systems?
A. VNC
B. PowerSSHell
C. PSRemote
D. RDP

A

PSRemote

6
Q

John wants to retain access to a Linux system. Which of the following is not a common
method of maintaining persistence on Linux servers?
A. Scheduled tasks
B. Cron jobs
C. Trojaned services
D. Modified daemons

A

A. Scheduled tasks

7
Q

Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic.
After attempting the exploit, he receives the following output. What went wrong?

Exploit failed: The following options failed to validate: RHOST

A. The remote host is firewalled.
B. The remote host is not online.
C. The host is not routable.
D. The remote host was not set.

A

D. The remote host was not set.

8
Q

Cameron runs the following command via an administrative shell on a Windows system he
has compromised. What has he accomplished?
$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
A. He has enabled PowerShell for local users.
B. He has set up PSRemoting.
C. He has disabled remote command-line access.
D. He has set up WSMan.

A

B. He has set up PSRemoting.

9
Q

Mike discovers a number of information exposure vulnerabilities while preparing for
the exploit phase of a penetration test. If he has not been able to identify user or service
information beyond vulnerability details, what priority should he place on exploiting them?
A. High priority; exploit early.
B. Medium priority; exploit after other system and service exploits have been attempted.
C. Low priority; only exploit if time permits.
D. Do not exploit; information exposure exploits are not worth conducting.

A

A. High priority; exploit early.

10
Q

Annie is using a collection of leaked passwords to attempt to log in to multiple user accounts
belonging to staff of the company she is penetration testing. The tool she is using attempts
to log into each account using a single password, then moves on to the next password,
recording failures and successes. What type of attack is Annie conducting?
A. A firehose attack
B. Password spraying
C. Pass the hash
D. A cloned password attack

A

B. Password spraying

11
Q

Jacob wants to capture user hashes on a Windows network. Which tool could he select to
gather these from broadcast messages?
A. Metasploit
B. Responder
C. Impacket
D. Wireshark

A

C. Impacket

12
Q

Madhuri has been asked to run BloodHound as part of her penetration testing efforts. What
will she be able to do with the tool?
A. Visualize Active Directory environments.
B. Capture encrypted network traffic.
C. Visualize network traffic flows.
D. Find encrypted files in network share drives.

A

A. Visualize Active Directory environments.

13
Q

Ben is performing a penetration test as part of a PCI DSS engagement. What technique is he
most likely to use as part of network segmentation testing?
A. Testing for 802.1q trunking on the Internet connection
B. Testing for physical segmentation of networks
C. Firewall rule validation between segments
D. Antimalware rule validation between segments

A

C. Firewall rule validation between segments