CompTIA PenTest+ Practice Test Chapter 2 Information Gathering and Vulnerability Identification (Sybex: Panek, Crystal, Tracy) Flashcards

Question

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that several ports are open, including 88, 135, 139, 389, and 464. What does this indicate? A.It is a domain controller. B.It is a POP3 email server. C.It is an SSH server. D.It is an IMAP email server.

Answer 1

A.It is a domain controller. Explanation: A Windows domain controller hosts many domain-related services. Therefore, most domain controllers will have many ports open. Most will include the following: Port 88: Used for Kerberos authentication. Port 135: Used for communications between domain controllers and clients as well as between domain controllers. Ports 138 and 139: Used for file replication between domain controllers. Port 389: Used for LDAP queries. Port 445: Used for SMB/CIFS file sharing. Port 464: Used for Kerberos password change. Port 636: Used for secure LDAP queries. Ports 3268 and 3269: Used for Global Catalog communications. Port 53: Used for DNS name resolution.

Answer 2

D.It is an IMAP email server. Explanation: The default port used by the IMAP service is 143. The IMAP protocol is used by email servers to transfer messages between the mail server and mail clients.

Answer 3

C.It is an SSH server. Explanation: The default port used by the SSH service is 22. The SSH protocol is used to remotely manage systems using a command line interface. Unlike Telnet, SSH uses encryption to protect authentication credentials as well as the data being transmitted between the client and the server.

Answer 4

D.It is an HTTP server. Explanation: The default ports used by a web server are 80 (HTTP) and 443 (HTTPS). Data transmitted on port 80 is usually sent in the clear, while data sent on port 443 is encrypted using SSL/TLS.

Answer 5

A.It is an LDAP server. Explanation: The default ports used by an LDAP server are 389 (insecure) and 636 (secure). The LDAP protocol is used to query an LDAP-compliant directory server, such as Active Directory or eDirectory. Because directory information sent on port 389 is not encrypted, sniffing the traffic on this port could reveal user account information.

Answer 6

D.It is a DNS server. Explanation: The default port used by a DNS server is 53. The DNS service is used to resolve hostnames into IP addresses (and vice versa). If the DNS server has been poorly secured, you may be able to compromise it and poison the lookup tables, enabling you to redirect legitimate name resolution requests to a fake destination host where a variety of exploits could be implemented on client systems.

Answer 7

A.The associated devices have been configured to not respond to pings. Explanation: The *** characters in the output of the traceroute command indicate that the router for that particular hop of the route is up and forwarding traffic, but it isn’t allowed to respond to the pings used by the traceroute command.

Answer 8

C.Insecure web server D.Secure web server Explanation: A web server is associated with this domain name. It is configured to use the HTTP protocol (insecure) on port 80 and the HTTPS protocol (secure).

Answer 9

D.SHA256 was used to sign the organization’s certificate. E.The organization’s web server runs on Windows. Explanation: In this example, the organization’s SSL/TLS certificate was signed using the SHA256 cryptographic hash function. In addition, it can be seen that the organization uses the IIS web server, which runs on top of Windows Server.

Answer 10

A.This is a valid email address. Explanation: In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. However, it does not reveal who the address belongs to. All you know is that it is a legitimate email. To use it in the penetration test, you would first need to triangulate it against a list of company executives, such as is sometimes found on an organization’s website.

Answer 11

B.The organization’s email naming convention is first_initial+lastname@company_name.com. Explanation: In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. Because this is a valid email address, you now know that the organization most likely uses an email naming convention of first_initial+lastname@company_name.com. Using this information, you could reference the organization’s executive bio web page and construct email addresses for all of its management team members.

Answer 12

D.The organization’s email server responds to HELO commands. Explanation: In this example, the output tells us that the email server responds to SMTP HELO commands. Useful information can sometimes be gleaned from an email server using HELO commands.

Answer 13

A.Services installed D.The version of the operating system installed Explanation: The process of enumeration involves connecting to each host discovered on the network segment and identifying key information, including the services each host is running as well as the version number of the installed operating system.

Answer 14

D.It is an access point for a wireless network ``` Explanation: The process of enumeration involves connecting to each host discovered on the network segment and identifying key information. In this example, notice that the OS class of the device is as follows: Type: WAP Vendor: Belkin OS Family: Embedded From this information, you can reasonably infer that this device is a wireless access point. ```

Answer 15

B.It is running an HTTP service Explanation: Under Ports Used, notice that port 80 TCP is open on the device. This indicates that it most likely is running an HTTP web server.

Answer 16

A.The device’s default administrative password Explanation: By searching the Internet for the operating system version number displayed under Operating System, you can likely discover the default administrative username and password used by the device. Several high-profile exploits over the last few years have been facilitated by the fact that the system implementer failed to change the default username and password used by network infrastructure devices.

Answer 17

C.It is a mobile device. Explanation: Notice that the hostname of the device under Hostnames > Name begins with android. From this, you can reasonably infer that the device is most likely a mobile phone or tablet running the Android operating system.

Answer 18

C.It is a domain controller. Explanation: Notice that this device is running Windows Server 2012 and that it has port 53 open, which is the default port for a DNS server. It is reasonable to infer, therefore, that this server is a domain controller. The Active Directory role on a Windows server requires the DNS role. While the DNS role could be located on a different member server, the Active Directory is almost always installed on the same server as the DNS role.

Answer 19

E.None of the above. Explanation: None of the responses listed in this question can be reasonably inferred from the information displayed in Zenmap. You know that it is a Windows server and that it is most likely a domain controller, but you can’t infer much else from the information given.

Answer 20

A.Banner grabbing Explanation: Banner grabbing is the process of manually connecting to a device, such as a web server, using a utility such as a Telnet client or Ncat and using the information displayed to fingerprint the device.

Answer 21

B.It is a network printer. D.It is running a web server. Explanation: In this example, the device is running a web server on ports 80 and 443. Ports 515, 631, and 9100 are all used to provide network printing.

Answer 22

C.telnet 10.0.0.1 80 Explanation: In this example, you would enter telnet 10.0.0.1 80 at the shell prompt of your Linux system to grab the banner of the target web server.

Answer 23

C.It is running Apache. E.The device is likely a security device. Explanation: In this example, you know that the device is running the Apache web server. Also notice that the name of the device is “Untangle Server.” By searching the Internet, you can learn that Untangle sells security devices used to manage traffic coming in and out of a network. Therefore, you can reasonably assume that the device is a security device from this company.

Answer 24

B.It is most likely a Windows workstation. Explanation: The device in this example is most likely a Windows workstation. This is evidenced by the fact that the default SMB/CIFS file sharing ports are open on the system.

Answer 25

C.It is most likely a Windows domain controller. Explanation: The device in this example is most likely a domain controller running on Windows Server. This is evidenced by the fact that the default DNS server, LDAP, and Kerberos ports are open on the system.

Answer 26

C.It is running a DNS server. D.It is running a web server. Explanation: The device in this example is a little harder to analyze. You can clearly see that it is running a DNS server and a web server. However, not enough information is displayed here to infer much else. One possibility is that it is a wireless router that includes a caching-only DNS server and an embedded web server that is used to configure and manage the device. However, more information would be required to make this determination.

Answer 27

A.sslyze Explanation: The sslyze tool is a penetration testing tool that is commonly used to perform certificate inspection.

Answer 28

B.TLSv1_1 is supported by the web server. C.TLSv1_2 is supported by the web server. Explanation: The output of the sslyze command in this example shows that the web server responded to TLSv1_1 and TLSv1_2 queries but did not respond to SSLv2, SSLv3, or TLSv1 queries.

Answer 29

A.tcpdump C.Wireshark Explanation: You can use either tcpdump or Wireshark to capture packets on a wired network. Of the two, Wireshark is usually considered to have the most user-friendly interface.

Answer 30

A.aircrack-ng Explanation: The Aircrack-ng utility can be used to discover wireless networks in range and then crack their encryption. This process is very fast for old WEP networks, harder but doable for WPA networks, and quite challenging for WPA2 networks.

Answer 31

A.Set to monitor mode. Explanation: Before a wireless network interface can be used to capture wireless network traffic, it must be configured to run in monitor mode on the specific channel used by the transmitting access point.

Answer 32

A.airodump-ng Explanation: Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake.

Answer 33

B.aireplay-ng Explanation: Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake. Then, you need to de-authenticate the wireless client by running the aireplay-ng utility.

Answer 34

B.Set to promiscuous mode. Explanation: Before you can capture packets on a wired network, your network interface must be configured to run in promiscuous mode. Otherwise, it will discard all frames it receives that are not addressed specifically to its address.

Answer 35

D.The network uses a switch. Explanation: The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to any other host on the network.

Answer 36

D.Connect your laptop to a mirror port on the switch. Explanation: The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to other hosts on the network. While you could theoretically swap out the network switch for a hub, your client would probably not allow you to do this. The best option would be to connect the laptop to a mirror port on the switch. The mirror port contains copies of frames transmitted to all other switch ports. This allows your laptop to see frames addressed to other hosts. Before you do this, however, you need to make sure it is allowed under the rules of engagement for the test.

Answer 37

A.Decompile the application’s executable. Explanation: One option you could try in this scenario is to decompile the application’s executable. This process will reveal the application’s assembly-level code that you can analyze for weaknesses.

Answer 38

B.Decompilers usually produce assembly-level code. Explanation: Most decompilers produce assembly-level source code, not C++ code. For this information to be useful, you need extensive experience working with assembly language code. Typically, this will require you to hire a consultant with an extensive understanding of assembly programming.

Answer 39

B.Debug the application’s executable. Explanation: Debuggers allow you to analyze an application as it executes. Typically, you can pause the execution of the application step by step or you can allow it to run until it reaches a certain point in the code. Doing this may allow you to identify a vulnerability that can be exploited as a part of a penetration test. However, you must have a strong background in programming or application testing to do this effectively.

Answer 40

A.CERT Explanation: The U.S. government’s Computer Emergency Response Team (CERT) maintains a website at http://www.us-cert.gov that contains a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to CERT.

Answer 41

B.JPCERT Explanation: JPCERT is the Japanese government’s version of the U.S. government’s Computer Emergency Response Team (CERT). JPCERT maintains a website at https://www .jpcert.or.jp/english/ that provides a dynamic summary of current security alerts and advisories.

Answer 42

D.NVD Explanation: The National Vulnerability Database (NVD) is maintained by the U.S. government’s National Institute of Science and Technology. The NVD can be accessed at https://nvd .nist.gov. This website provides a summary of current security vulnerabilities ranked by their severity.

Answer 43

C.CVE Explanation: The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that can be accessed at http://cve.mitre.org. The CVE database contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. The goal is to make a common resource that everyone can use, instead of each individual vendor maintaining their own database containing just vulnerabilities associated with their products.

Answer 44

C.CWE Explanation: The Common Weakness and Enumeration (CWE) database is a community-developed resource that can be accessed at http://cwe.mitre.org. The CWE database contains a list of publicly known cybersecurity vulnerabilities associated with software in general instead of a specific product.

Answer 45

D.CAPEC Explanation: The Common Attack Pattern, Enumeration and Classification (CAPEC) database is a community-developed resource that can be accessed at http://capec.mitre.org. The CAPEC database contains a catalog of commonly used cyber attack patterns.

Answer 46

B.Full Disclosure Explanation: Full Disclosure is an open source research source that is published by the same organization that produces the nmap utility. It can be accessed at www.seclists.org/fulldisclosure

Answer 47

D.All of the above Explanation: Each of the open source research sources listed in this question may contain information that you could use to find

Answer 48

A.CERT Explanation: The CERT database contains information about recent security updates released by software and hardware vendors and a description of the vulnerabilities they are intended to address.

Answer 49

A.CAPEC Explanation: The CAPEC database contains information about known attack patterns used to exploit weaknesses, including physical security vulnerabilities.

Answer 50

D.NVD Explanation: The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.

Answer 51

A.CVE Explanation: The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. You could search the CVE site for information about Server 2003 SP2.

Answer 52

A.Credentialed Explanation: A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan most closely approximates the perspective of an internal administrator.

Answer 53

B.Noncredentialed Explanation: A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan most closely approximates the perspective an external hacker.

Answer 54

A.Credentialed Explanation: A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan usually identifies the most vulnerabilities.

Answer 55

B.Noncredentialed Explanation: A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan usually identifies the least number of vulnerabilities.

Answer 56

A.Discovery Explanation: A ping sweep is an example of a discovery scan. The goal of a ping sweep is not to interrogate every system. Instead, it simply seeks to identify the presence of every reachable system on the network.

Answer 57

A.Discovery Explanation: A discovery scan is designed to simply map out every system on the target network. As such, it uses very nonintrusive mechanisms (such as ping) to enumerate the network.

Answer 58

B.Full Explanation: A full scan interrogates each host discovered on the target network. Because it uses intrusive methods to do this, a full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices.

Answer 59

A.Discovery Explanation: A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

Answer 60

B.Full Explanation: A full scan interrogates each host discovered on the target network using intrusive methods. A full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices. Because of this, full scans are more likely to be used by a defender to thoroughly test his or her network. A penetration tester is less likely to use a full scan because it can be detected so quickly. The exception would be a white box test where everyone is already expecting the penetration tester to be running vulnerability scans.

Answer 61

C.Stealth Explanation: A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 62

C.Stealth Explanation: A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 63

D.The scanning host responds to the target host with an RST packet. Explanation: A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. Rather than complete the connection by sending the target an ACK packet, the scanning host resets the connection by sending a RST packet.

Answer 64

A.The IDS will detect the stealth scan. Explanation: Stealth scans currently aren’t considered as stealthy as they used to be. Most modern IDS/IPS devices can detect the unusually high frequency of RST packets on the network created during a stealth scan and take the appropriate action. For example, an IDS can generate an alert. An IPS can generate an alert and also block traffic from the scanning host.

Answer 65

B.Full Explanation: Because full connections are established with each host during a full vulnerability scan, they can be thoroughly interrogated and fingerprinted. As a result, a full scan usually produces the most accurate information. However, they are also the easiest to detect by defenders.

Answer 66

D.Compliance Explanation: A compliance vulnerability scan is used to verify that the target organization is in compliance with the requirements of a given law or policy. In this example, a PCI-DSS penetration test usually requires a PCI-DSS compliance vulnerability scan.

Answer 67

D.All of the above Explanation: When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate all subnets, hosts, and domains on the network.

Answer 68

D.All of the above Explanation: When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any user and group accounts that can be discovered. You will also want to enumerate any network shares that can be identified.

Answer 69

E.All of the above Explanation: When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any web pages, applications, services, and tokens used on the network.

Answer 70

C.Throttle the scan to use minimal bandwidth. Explanation: Throttling the scan to use minimal bandwidth will slow down the scanning process considerably. However, it will also make the scans less visible to the IDS/IPS devices and also allow them time to more thoroughly fingerprint network devices.

Answer 71

B.Schedule the scan to run in the early hours of the morning. Explanation: By scheduling the scan to run during a time of day when few people are at work, you can minimize the impact on available network bandwidth for production traffic, and you can also avoid being seen by internal network administrators.

Answer 72

C.Conduct a spear phishing exploit to trick an internal user into revealing his or her credentials. Explanation: The fact that you don’t have administrative credentials doesn’t mean you have to forgo enumeration and fingerprinting nor does it mean you have to cancel the test. Instead, you could try to craft a spear phishing exploit to trick an internal user into revealing his or her logon credentials.

Answer 73

C.Restrict the vulnerability scan to just those protocols commonly used on web servers. Explanation: Because you are scanning only web servers, you can probably constrain the vulnerability scan to just those ports and protocols commonly used by web servers. Performing a thorough scan of all ports and protocols would take considerably longer.

Answer 74

A.From within the internal network C.From a location outside the organization’s firewall Explanation: From a network topology perspective, the PCI-DSS standard requires you to run vulnerability scans from both internal and external network locations. The results of both scans should be compared to identify vulnerabilities.

Answer 75

A.-Tn Explanation: The nmap –Tn option is used to specify a timing template, where n is a number between 0 and 5. The higher the number, the faster the vulnerability scan. The lower the number, the slower the scan.

Answer 76

C.Use the –T2 option with the nmap command. Explanation: Because a T1 line is limited to 1.54 Mbps, you must throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily use up all the available bandwidth and not leave any for critical business operations. You can use the –Tn option with the nmap command to throttle down the scans. Because of the low bandwidth of the connection, you should consider using either the –T2 or possibly even the –T1 option with the nmap command. The –T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

Answer 77

C.Use the –T2 option with the nmap command. Explanation: Because the server is considered a fragile system, you should throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily consume all the server’s resources with the scan and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. In this scenario, you should consider using either the –T2 or possibly even the –T1 option with the nmap command. The –T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

Answer 78

A.Applications running within a container environment may not be detectable by traditional vulnerability scans. E.Vulnerabilities associated with the base operating system of the container host may be inherited by its containers. Explanation: A container can be used to create an isolated environment, much like a virtual machine. As a result, any applications running within a container environment may not be detectable by traditional vulnerability scans. Unlike a virtual machine, a container shares much of the base operating system with the container host. Therefore, vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

Answer 79

A.Static code analysis Explanation: Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written.

Answer 80

B.Dynamic code analysis C.Fuzzing Explanation: Dynamic code analysis as well as fuzz testing are both performed on running code. Because the source code is not required to perform these tests, they can be performed during gray box or black box penetration tests.

Answer 81

B.Fuzzing Explanation: Fuzz testing involves sending random, unexpected, or invalid data to the inputs of an application to test how it handles that data. This is called exception handling. Many attacks can be deployed that exploit an application’s inability to properly handle unexpected data.

Answer 82

C.Web-enabled television monitor Explanation: A web-enabled television set is an example of a nontraditional system. These devices are considered fragile because they are difficult to manage in the traditional sense. and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 83

B.Computer-controlled manufacturing equipment Explanation: Computer-controlled manufacturing devices are examples of nontraditional systems. These devices are considered fragile because they are difficult to manage in the traditional sense and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 84

A.dig axfr @nameserver target_domain B.host -t axfr target_domain nameserver Explanation: nameserver command can be used to perform a zone transfer. If it works, then you can gather a fairly detailed list of all the network infrastructure hosts within the target network. Ideally, the target organization has disabled unauthenticated zone transfers on their DNS server. If this is the case, either of the previous commands will return some type of “Transfer Failed” error message.

Answer 85

A.hping Explanation: The hping utility is a tool commonly used by penetration testers for packet crafting. It allows you to make almost any kind of packet you want and send it to a designated host on the target network. Analyzing how the host responds can provide you with valuable information for the next phase of the penetration test.

Answer 86

A.Conduct a phishing exploit. C.Enumerate internal user accounts. Explanation: With a list of email addresses of users from the target organization, you could conduct any number of phishing exploits. You could also use the email addresses to enumerate internal user account names. In many (if not most) organizations, the email username is almost always the same as the user’s account name.

Answer 87

B.Windows Explanation: The host is most likely running Windows. TCP ports 139, 445, and 3389 are all commonly used for Windows file sharing services. While these ports could also be used on other operating systems (such as a Linux system with the SMB daemon running), it is more likely to be a Windows host.

Answer 88

D.It is probably a web server Explanation: The host is probably a web server. The system administrator has likely changed the default web server ports to nonstandard ports in an attempt to hide its function. This is an example of “security by obscurity.”

Answer 89

C.The –T0 option will cause the scan to take an inordinate amount of time on such a large subnet. Explanation: The –T option configures the speed at which nmap runs vulnerability scans. In this scenario, the subnet is potentially huge, with more than 16 million possible IP addresses. Running nmap with the –T0 option on a subnet this large will take a long time to complete.

Answer 90

A.whois Explanation: Whois can potentially reveal a great deal of information about a target organization, including the following: The domain registrar The registrant’s legal name The registrant’s address The registrant’s phone number A contact email address The name of the domain administrator Some organizations ask their registrar to hide this information from the public.

Answer 91

C.Try to compromise an internal host and use it as a pivot. Explanation: In this scenario, a black box penetration test is being run. By definition, the tester is located somewhere outside the target’s network. As such, she has to compromise an internal host first. Once done, she can pivot and use it to scan other internal hosts.

Answer 92

D.The SCADA devices Explanation: SCADA manufacturing equipment tends to be much more fragile than traditional network assets, such as servers and routers. They tend to be difficult to manage, update, and protect from exploits. As such, they can also be susceptible to vulnerability scans and may go offline during the scanning process.

Answer 93

A.Availability of internal IT staff Explanation: The time windows when you can run vulnerability scans most effectively are heavily influenced by regulatory requirements, peak traffic times, and hardware constraints. The internal IT staff, on the other hand, will most likely not be involved with running vulnerability scans during a penetration test.

Answer 94

B.Static code analysis Explanation: A static code analysis (also called a source code analysis) is happening in this scenario. In this type of test, the tester accesses an application’s source code and reviews it for weaknesses that could be exploited. Obviously, the tester must have a strong programming background to be able to do this kind of review.

Answer 95

A.Fuzzing Explanation: Fuzzing occurs when the tester sends random, unexpected information to an application’s inputs to see how it responds. For example, the tester could try to perform a buffer overflow exploit by sending overly large input that contains executable code. If the application doesn’t handle the malicious input properly, it may be possible for executable code to be stored in the RAM of the target system and for the attacker to then be able to execute it.

Answer 96

C.Run a test scan in a lab environment first. Explanation: Because this is a mission-critical server, it may be a good idea to run a test scan in a lab environment before scanning the live system. This will help the tester assess the impact the scan will have before running it on the live system.

Answer 97

C.The internal system administrator isn’t paying attention to this server. Explanation: The fact that the server’s administrator hasn’t renewed its security certificate indicates that they aren’t paying much attention to this server. This would make this system a ripe target for compromise because it is possible that there are other factors (such as updates) that the administrator has also neglected.

Answer 98

E.All of the above Explanation: The information gathered during a vulnerability scan can be categorized in many different ways. For example, it may be appropriate to categorize the information based on the operating system because different OSs have different inherent vulnerabilities. It may also be appropriate to categorize the information by the value of each associated asset. For example, vulnerabilities associated with a mission-critical database server would be of much higher value than the vulnerabilities associated with an end user’s desktop system. You could also categorize the scan results based on the number or severity of the vulnerabilities found.

Answer 99

A.The scanner generated a false positive. Explanation: Most likely, the vulnerability scanner generated a false positive error. The purpose of the adjudication process after a vulnerability scan is to determine the value and validity of the scan results. False positives, such as the one discussed in this scenario, should be filtered out in your final report to the client.

Answer 100

A.A domain controller is running on an older version of Window Server and is missing several critical security updates. D.A database server is vulnerable to the WannaCry exploit. Explanation: In this scenario, the value of compromising a vulnerable domain controller or a database server is much higher than the value of compromising an end user’s vulnerable workstation. For example, compromising a domain controller could expose multiple user accounts. Likewise, compromising a database server could expose valuable company information. On the other hand, the exposure created by a missing Windows feature update is probably minimal. Likewise, Linux provides a relatively high degree of system security, even on an older distribution.

Answer 101

A.Low Explanation: Any CVSS score less than 4.0 is considered to be in the Low Risk category. Therefore, a CVSS score of 3.8 indicates that this is a low-risk vulnerability.

Answer 102

D.Critical Explanation: D. Any CVSS score of 10.0 or higher is considered to be in the Critical Risk category. Therefore, a CVSS score of 10 indicates that this is a critical vulnerability.

Answer 103

B.Medium Explanation: Any CVSS score between 4.0 and 6.0 is considered to be in the Medium Risk category. Therefore, a CVSS score of 5.3 indicates that this is a medium-risk vulnerability.

Answer 104

C.High Explanation: Any CVSS score between 6.0 and 10.0 is considered to be in the High Risk category. Therefore, a CVSS score of 7.2 indicates that this is a high-risk vulnerability.

Answer 105

B.Investigate whether this creates any vulnerabilities that you could exploit. C.Document the common theme of missing updates in the final penetration test report. Explanation: Your first response to the common theme of missing updates would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should document the common theme of missing updates so the client can update their best practices to make sure systems are kept up-to-date.

Answer 106

A.Map vulnerabilities present in the older Linux servers to possible exploits. Explanation: The first response to your observation of outdated servers would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should recommend that the client upgrade their server in your final report.

Answer 107

A.Recommend that the client adopt a best practice of changing all default usernames and passwords. B.Exploit the devices that are using default usernames and passwords. Explanation: Your first response to the client’s lack of best practices would to be to exploit the devices with default usernames and passwords later in your penetration test. Then, you should recommend that the client adopt better best practices in your final report.

Answer 108

A.Write the code in C on your Linux system. D.Cross-compile the code. Explanation: Rather than purchasing a Windows system, you can simply create the exploit code on your Linux system and then cross-compile the code such that it can run on Windows systems. Various Linux utilities are available that can do this for you.

Answer 109

B.Exploit modification D.Mapping vulnerabilities to potential exploits Explanation: In this scenario, you first mapped vulnerabilities you found in your scans to possible exploits. Then you modified those exploits to work on the older server operating systems.

Answer 110

C.Exploit chaining Explanation: In this scenario, you linked several exploits together to compromise the target system. This is called exploit chaining.

Answer 111

B.Test the modified exploit on virtual machines in a lab environment. Explanation: In this scenario, you need to test the modified exploit before actually attacking the target servers to make sure it works and doesn’t have any unintended consequences. An effective way to do this is to use your enumeration information to re-create the target systems as virtual machines in a lab environment and test the modified exploit. This process is called proof-of-concept development.

Answer 112

A.Deception C.Social engineering Explanation: In this scenario, you used deception and social engineering to gain access to the target organization’s physical network.

Answer 113

C.Credential brute-forcing Explanation: Credential brute forcing is the process of trying one password after another until you finally hit the right one. This may be executed against user accounts or against other security systems, such as a WPA2 wireless network that uses a preshared key.

Answer 114

D.Dictionary attack Explanation: A dictionary attack is a type of brute-force attack. However, in a dictionary attack, a list of commonly used passwords is used, one after another, in an attempt to find the right password.

Answer 115

A.Rainbow table Explanation: A rainbow table contains a precomputed list of hash values for common passwords that can be used for offline password file cracking.

Answer 116

A.ICS B.SCADA Explanation: Industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) are commonly used in factory automation equipment and environmental controls. They tend to run on older operating systems, and their software/firmware tends to be updated very infrequently. This can make such systems more susceptible to security exploits. They are also usually quite fragile, so use caution when scanning them with a vulnerability scanner.

Answer 117

B.Rooting or jailbreaking E.Inconsistent updating Explanation: Mobile devices represent a significant security weakness in modern networks. Among the many issues associated with mobile devices, two that a penetration tester should be aware of the fact that they tend to be updated in an inconsistent manner. This is less of an issue with Apple devices because they have control of the hardware and software. However, this is a significant issue with Android devices. If you were to check the update level of a group of Android devices, you would likely not find two that are the same. In addition, some users root or jailbreak their devices so they can install apps outside of the approved store channels. This makes these devices susceptible to malware.

Answer 118

D.Embedded devices E.Smart IoT appliances Explanation: IoT devices, such as smart appliances, televisions, and so on, tend to have the weakest inherent security. They aren’t designed with security in mind, they are difficult to manage, and vendors rarely release security updates. Embedded devices used in industrial control devices tend to suffer from the same weaknesses.

Answer 119

C.Isolate the POS devices on their own subnet that doesn’t have Internet connectivity. D.Upgrade the POS devices to a newer version. Explanation: The greatest risks to the POS systems in this scenario are that they are exposed to the Internet and that they are running an unsupported (and therefore highly vulnerable) operating system. The client should isolate the POS systems on their own subnet away from the Internet. They should also upgrade their hardware and software to newer versions to eliminate risks from running an ancient operating system.

Answer 120

A.They can be fooled with fake fingerprints. Explanation: The greatest security risk associated with a biometric fingerprint reader is the fact that they can be fooled by a fake fingerprint. In an episode of the television show MythBusters several years ago, the cast was able to defeat a fingerprint

Answer 121

A.Developers who design IoT devices are not as concerned with security. Explanation: The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

Answer 122

D.Sensitive information may be revealed on the web servers. Explanation: D. Port 21 is for TCP and FTP and is used as a control port. Port 80 is for TCP and HTTP and is used for transferring web pages. Port 443 is used for TCP, HTTPS, and is HTTP over TLS/SSL and is for encrypted transmission.

Answer 123

B.A discovery scan Explanation: A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems.

Answer 124

D.A read-only account Explanation: Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

Answer 125

D.Static code analysis Explanation: Code testing is often done using static or dynamic code analysis along with testing methods like fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since we are only reviewing the code in this scenario, we will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white- box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

Answer 126

B.dsquery user -inactive 4 Explanation: Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.

Answer 127

D.Setting up a schedule of testing times to access their systems Explanation: The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

Answer 128

D.The device is tuned more toward false positives Explanation: A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).

Answer 129

C.Limited network access E.Storage access Explanation: Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Answer 130

D.Begin an SNMP password brute-force attack Explanation: An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

Answer 131

A.Dictionary attack Explanation: A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge, this can be very beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

Answer 132

C.Expand the password length from seven to 14 characters and add special characters. Explanation: In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !"#$%&’()*+,-./:;<=>?@[\]^_’{|}~. This will make it harder for attackers to break into the client’s systems.

Answer 133

C.A full scan Explanation: A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would best to run a full scan on the network.

Answer 134

D.Passive scan Explanation: Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators.

Answer 135

A.Credentialed scan Explanation: Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Answer 136

B.False positive Explanation: A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.

Answer 137

D.To run it on different architectures Explanation: Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

Answer 138

A.Rainbow table attacks reduce compute cycles at attack time. B.Rainbow tables must include precompiled hashes. Explanation: Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Answer 139

A.By comparing hashes to identify known values Explanation: Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Answer 140

D.Open source intelligence (OSINT) Explanation: Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

Answer 141

B.Nessus Explanation: Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices and is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection: Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Microsoft Office documents, PDFs, and other common file formats. Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. Nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. Shodan is a specialized search engine to provide the discovery of vulnerable Internet of Things (IoT) devices from public sources. theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. Whois tool gathers information from public records about domain ownership.

Answer 142

B.Computer Emergency Response Team (CERT) Explanation: Computer Emergency Response Team (CERT) focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

Answer 143

A.The Common Attack Pattern Enumeration and Classification (CAPEC) Explanation: The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

Answer 144

D.Stealth scan Explanation: During a penetration test, a tester may want to configure their scans to run as stealth scans, which go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration te