CompTIA PenTest+ MCQ's

 

(All-in-one) Nutting, Raymond - CompTIA PenTest+ certification all-in-one exam guide (exam PT0-001)-McGraw-Hill Education (2018_2019)

Chapter-1 Pre-Engagement Activities

1.        Select the stakeholders that are typically involved in a pentest
engagement. (Choose two.)

A. Users
B. Executive management
C. Pentesters
D. Human resources

2.        The impact analysis is a key aspect of requirements management and
the formal approach to assessing the pros and cons of pursuing a
course of action. Select two areas of concern that help support a
pentest engagement activity.
A. Organizational budget
B. Target selection
C. Technical constraints
D. FISMA

3.        An organization is defining the scope of a pentest and would like to see
the vulnerabilities from both outside and inside of the network. They
are willing to share some information with the service vendor who
will conduct the pentest, but would like to see how much information
a vendor can discover on their own in a given timeframe. Which type
of methodology would be best suited for this organization to use in
order to accomplish this objective?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing W2w

4.        During the threat modeling process, the organization finds that they are
mostly concerned about a persistent group of actors with sophisticated
capabilities. Which type of threat actor is this organization mostly
concerned with?
A. Pentester
B. Hacktivist
C. Insider threat
D. APT

5.        Use the following scenario to answer the next two questions. A
security group is quantifying the risk associated with a certain threat in
the organization. The probability of the threat is 6 and the damage
potential is 5. Using the proper formula to rate the risk of a threat,
what is the risk level for this type of threat?
A. 11
B. 33
C. 30
D. 45

6.        This risk is likely to be prioritized as a _________ priority.
A. Medium
B. Low
C. High
D. Urgent

7.        Custom systems hosted in third-party environments, such as those
offered through a cloud service provider (CSP), may require additional
approvals for penetration testing. Which testing document might
reflect this approval?
A. SOW
B. RoE
C. MSA
D. Scope

 

8.        Whitelisting and blacklisting are access control mechanisms that can
be implemented in all of the following except _______________.
A. Network firewalls
B. Application firewalls
C. SSIDs
D. Spam filters
E. Virus scanning software

 

9.        A master service agreement (MSA) is an overarching contract that can
include a statement of work (SOW) that describes specific project
work activities. In which section of the SOW will you find the project
work activities?
A. Scope of work
B. Deliverables schedule
C. Special requirements
D. Acceptance criteria

 

10.     Written authorization that gives the pentest team the authority to
proceed with an engagement can be found in which document?
A. MSA
B. RoE
C. SOW
D. MBA

 

Chapter-2 Getting to Know your Target

1.         __________ is the process of gathering information during a
penetration test, and the technique can be either passive or active.
A. Footprinting
B. Footpainting
C. Footscanning
D. Footgathering

 

2.        In the early stages of the passive collection process, the pentest team
comes across multiple telephone numbers from various websites
attributed to the target organization. However, the team does not know
if the phone numbers are for a landline or a cell. If it’s a cell phone,
the team may receive permission to execute SMS phishing attacks.
Using the OSINT Framework, which website could the team use to
determine if the phone numbers are on a landline or cell phone?
A. Reddit
B. CyberChef
C. Phone Validator
D. See All The Things

3.        Maltego allows the user to build visualizations between all of the
following except which one?
A. Names
B. Email addresses
C. Social networks
D. Archives
E. Websites

4.        While using Shodan, the pentest team is investigating open ports and
services for an organization’s public-facing web server. Which of the
following options could the pentest team use in the search criteria as a
filter to return only results with HTTP? (Select the best option.)
A. HTTP port:23
B. HTTP port:88
C. HTTP port:80
D. HTTPS port:443

5.        Under the IPv4 Hosts view in Censys, the user has the option to apply
a filter by clicking on a selection under the following categories
except which one?
A. Filter By AS
B. Filter By Port
C. Filter By Protocol
D. Filter By Tag

6.        During a pentest, you use theHarvester to conduct passive information
collecting to gather email addresses, hosts, and domain names. If you
wanted to use Shodan to search ports and service information for each
of the hosts you collected, which switch would you use within the
framework?
A. -b
B. -t
C. -H
D. -h

D. The -h option allows the user to use the Shodan database to query
for host information

 

7.        D. The -h option allows the user to use the Shodan database to query
for host information

A. search modules
B. help modules
C. search
D. show modules

D. Although you can use the search command to look for keywords
found in module names, the correct option to list all of the available
modules is show modules.

8.        All of the following file types (extensions) are supported in FOCA
except which one?
A. .exe
B. .xls
C. .doc
D. .pdf

E. .sxw

All of the following file types (extensions) are supported in FOCA
except which one?

 

Chapter-3 Network Scanning and Enumeration

1.        The Institute of Electrical and Electronics Engineers (IEEE) standards
association develops communication standards for different industries.
Which standard applies to wireless networking (Wi-Fi)?

A. 802.12
B. 802.3
C. 802.11
D. 802.15

                C. The IEEE 802.11 standard provides implementation specifications for
wireless networks

2.        Wi-Fi networks operate on specific wireless frequency bands in the wireless
spectrum. Which wireless frequency bands support Wi-Fi networks? (Select
all that apply.)

A.   2.4 GHz

B.    3.4 Ghz

C.    2.3 GHz

D.   5 GHz

A, D. Wi-Fi networks operate within the 2.4 and 5 GHz bands.

3.        How many wireless channels are available on the 2.4 GHz band within the
United States?

A.    12

B.     14

C.     11

D.    10

C. Each country has its own specifications on supported wireless channels.
A total of14 channels in the 2.4 GHz band are supported around the world.
However, only 1 to 11 are supported in the United States

4.        A suite of tools that provide capabilities for conducting RF communication
monitoring and wireless network security auditing is called?

A. airman-ng
B. aircrack-ng
C. airmon-ng
D. airmmn-ng
B. Aircrack-ng provides a suite of tools that can be used for monitoring and
attacking Wi-Fi networks.

 

5.        Before using airmon-ng, which mode should the wireless adapter be
configured in?
A. Management mode
B. Monitor mode
C. Injection mode
D. Cracking mode
B. The wireless adapter needs to be placed into monitor mode before
capturing and injecting packets on the network. In Kali, this can be
accomplished by using airmon-ng start <interface name>.

6.        IEEE defines three wireless frames within the wireless standard for Wi-Fi
network devices. Which frame is ultimately used for authentication?
A. Management frame
B. Control frame
C. Monitor frame
D. Data frame
A. Management frames enable stations or clients to maintain
communication with the AP and include multiple subtypes, including
authentication.

7.        In wireless networks, which frame is a type of management frame that
identifies the SSID, encryption type, and MAC address of an access point?
A. Beacon frame
B. Probe request frame
C. Data frame
D. Association response frame
A. The beacon frame includes the important connection and association
information with the other stations/clients from the AP. S

8.        Which port scan method is also known as a half-open scan that never
establishes a true connection with the target host over the network?
A. TCP scan
B. UDP scan
C. SYN ACK
D. SYN scan
D. The TCP SYN scan is also known as the half-open scan, as it never
completes the three-way handshake.

9.        When conducting a port scan against a target, which nmap flag is used to
specify a port range?
A. --p
B. -p
C. -Pn
D. -ports
B. The -p flag option in nmap will specify the port range. On the other
hand, using -p- will initiate a full port scan, targeting all possible ports
(65,535) that could be open.

10.     Which nmap flag was likely used to determine the state of each port?
A. -sV
B. –T5
C. --reason
D. -sT
C. Service detection (-sV) will attempt to retrieve banners from services;
however, the --reason option will provide the rationale as to why nmap
chose a given port state.

11.     Which nmap script could you use to enumerate popular web directories from
the service hosted on port 80?
A. http-grep
B. http-enum
C. web-enum
D. http-ntlm
B. The http-enum script is an NSE included with the installation of nmap.
This script will enumerate web folders commonly found within typical web
application services.

 

Chapter-4 Vulnerability Scanning and Analysis

1.        MITRE is a nonprofit organization that provides access to public
community resources for conducting vulnerability research and
analysis. Which community resources are provided by MITRE?
(Select all that apply.)
A. CWE
B. CEW
C. CEV
D. CVE
E. CAPEC
A, D, E. CWE, CVE, and CAPEC are the correct answers.

2.        The CVE Dictionary is a standard used for documenting which type of
vulnerabilities?
A. Public
B. Privately allowed
C. Privately disclosed
D. Publicly disclosed
D. The correct answer is publicly disclosed. Although CVE numbers
can be reserved for nonpublicly disclosed vulnerabilities, it is the
standard used for publicly known vulnerabilities.

3.        Nessus plugins are written in which type of proprietary language?
A. NCE
B. NASL
C. NSAL
D. Nessus
B. The Nessus Attack Scripting Language (NASL) is the correct
answer.

4.        SCADA systems are made up of components like the supervisory
workstation, RTUs, PLCs, communication infrastructure, and humanmachine interfaces. Modbus is a popular protocol that operates on
which default port?
A. 502/udp
B. 500/tcp
C. 302/udp
D. 502/tcp
D. Modbus is a popular SCADA protocol that operates on port
502/tcp.

5.        Real-time operating systems (RTOSs) are typically found in embedded
devices such as routers, IP cameras, health care devices, and so forth.
There are multiple classifications of RTOS devices. Which
classification must adhere to time constraints for an associated task?
A. Hard
B. Firm
C. Soft
D. All the above
D. All RTOSs must adhere to time constraints, regardless of impact.

6.        Burp Suite Pro is a web-based security assessment tool that provides
the ability to proxy and service manual testing requests during a
pentest. What is the name of a similar tool, developed by OWASP, that
provides similar web application testing abilities?
A. ZAP
B. DirBuster
C. Webgoat
D. Nessus
A. The correct answer is OWASP ZAP.

7.        During a pentest, you discover a sitemap.xml file and a
crossdomain.xml file. These files can provide useful information for
mapping out web directories and files that would otherwise have to be
brute-forced. What is the name of another file that can provide URLs
and URI locations that restricts search engines from crawling certain
locations?
A. policy.xml
B. site.txt
C. robots.txt
D. crossdomain.policy
C. The robots.txt file is the correct answer.

8.        DirBuster is a multithreaded Java application that can brute-force
filenames and directories on web and web application servers using
what type of dictionary?
A. List
B. Word list
C. Application list
D. Webster
B. Word list is the correct answer.

9.        Which of the following best describes a hash collision attack?
A. A hash value that provides weak encryption.
B. An attempt to find two inputs that produce the same hash value.
C. It is an attempt to decrypt messages.
D. It provides a method for circumventing the cryptographic system.
B. Collision attacks are caused by two inputs producing the same
hash value.

10.     Which type of XSS vulnerability is known as being persistent?
A. Reflected
B. Stored
C. DOM
D. All the above
B. Stored is the correct answer.

11.     What is the prefix name for Oracle database management system
errors?
A. OAR
B. MSG
C. ORA
D. CVE
C. ORA is the correct prefix for Oracle database errors.

 

Chapter-6 Social Engineering

1.        Elicitation is the process of _____________________.
A. Extracting meaningful information from a target.
B. Extracting information from a target.
C. Using solicited information to aid in a pentest.
D. Making a target do what you want them to do.
A. Elicitation is the process of extracting meaningful information
from a target, not just any type of information. Chaining these types
of attacks together can help an attacker get the information he
desires.

2.        There are different motivational techniques that pentesters can emulate
for social engineering attacks. During a pentest, the customer requests
that a specific email template be used to entice their employees to try
and buy something in response to a specific sale just for their
organization. This type of motivational technique is known as what?
A. Authority
B. Likeness
C. Scarcity
D. Social proof
C. Enticing targets to click on a link in response to a sale is a form of
scarcity.

3.        Select two types of social engineering attacks that use URLs to send
targets to web pages for further attacks against the computer network.
A. Vanishing
B. SMS phishing
C. Spear phishing
D. Pretexting
B, C. SMS phishing and spear phishing send URLs in text messages
and emails to send victims to web pages for further attacks against
their computer network. Vanishing has nothing to do with social
engineering attacks, and pretexting is a technique used to fabricate
scenarios during a social engineering attack.

4.        An employee gets out of the car and notices a USB drive lying on the
parking lot. The drive appears to be new and has “My music files”
written on the side of it in small font. The employee takes the drive
into work and attempts to play one of the music files. The antivirus
software alerts the user about potential malware after the computer
started acting a little strange. This type of social engineering method is
commonly known as what?
A. Luring
B. Shoulder surfing
C. Waterholing
D. Baiting
D. Baiting is the correct answer, and is a tactic used to lure victims
into doing something for a tangible award.

5.        The Social-Engineer Toolkit (SET) is a Python-based framework that
can do which of the following? (Select all that apply.)
A. Send emails to targets
B. Scan IP addresses
C. Produce SMS attacks
D. Engage in Wi-Fi calling
A, C. SET helps facilitate various types of social engineering attacks.
Two types of attacks it can be used for are email and SMS-based
social engineering attacks. Scanning IP addresses and making Wi-Fi
phone calls are not features found in SET.

6.        Many types of countermeasures can help organizations prepare for and
mitigate potential social engineering attacks. Which of the following
are valid countermeasures for social engineering attacks? (Select all
that apply.)
A. Training
B. Cameras
C. Shredders
D. All of the above
D. The correct answer is all of the above. All of these options help
mitigate physical and electronic methods of social engineering
attacks.

7.        Criminal impersonation is governed by state laws, and is a crime that
can involve identity theft, impersonating an officer or legal counsel,
and many other avenues of attack that involve a plot to defraud
another by pretending to be someone you are not. Which two
documents could you consult to determine if the social engineering
attack you would like to use during an engagement is approved by the
organization? (Select all that apply.)
A. Rules of enhancement (RoE)
B. Rules of engagement (RoE)
C. Statement of work (SOW)
D. Service level agreement (SLA)
B, C. Before engaging in a social engineering attack, it is best to
ensure that the organization undergoing this type of assessment
approves any and all web, email, SMS, etc., templates prior to
executing the test. The RoE and SOW are two documents that can
provide guidance on what may or may not be allowed during a social
engineering attack. A service level agreement defines the quality,
availability, and responsibilities of the agreeing parties but will most
likely not cover the details of how the social engineering attack
should be carried out or the list of authorized targets for the
assessment. The Rules of enhancement is not a valid document and is
an incorrect answer.

8.        Alice owns a very profitable consultant firm that handles a great deal
of privacy information for her clients. The company has over 50
employees but outsources their IT services to another company. One
afternoon while Alice was at lunch, her receptionist received a phone
call from a person claiming to be from the IT service provider and
saying that they are trying to work on a service ticket for Alice and
that they need her personal cell phone number in order to ask some
questions of a private nature. The receptionist knows that Alice
doesn’t have any computer problems. What type of social engineering
attack did Alice’s receptionist receive?
A. Spear phishing
B. Whaling
C. Baiting
D. Vishing
D. This is a common example of vishing, or voice phishing, where
the attacker attempts to play the role of another person who has an
urgent matter to discuss or requires the immediate attention of a
target in order to pressure the victim into providing the information
requested. Spear phishing and whaling are types of attacks carried
out via email, and baiting is a motivational technique to get someone
to do something for a reward.

 

Chapter-8 Wireless and RF Attacks

1.        WEP uses an encryption algorithm called RC4, which was developed by
Ronald Rivest. RC4 is a ________ cipher, which is a symmetric key cipher
used to expand a short key into an infinite pseudo-random keystream.
A. Stream
B. Asymmetric
C. Block
D. Secret
A. RC4 is an older encryption algorithm that helps encrypt WEP networks.
RC4 is a stream cipher used to combine plaintext with a pseudo-random
keystream.

2.        CRC-32 is an algorithm used to verify the integrity of network packets for
WEP and is also found in different applications to detect changes in
hardware. CRC-32 is based on the original cycle redundancy check and is
not recommended for verifying the integrity of modern-day technology due
to the fact that _____________. (Select the best answer.)
A. It is an older form of integrity checking software that has multiple
vulnerabilities.
B. CRC-32 is a variant of CRC, which is based on a noncryptographic
algorithm that offers very little assurance with regard to data
manipulation.
C. CRC is a variant of CRC-32, which is based on a cryptographic
algorithm that offers very little assurance with regard to data
manipulation.
D. It is an older form of integrity checking software that has few to no
vulnerabilities.
B. CRC-32 is a noncryptographic algorithm based off of CRC (cyclic
redundancy check). Since the algorithm is based on code generation and
cryptography, it provides little value with regard to integrity, as this value
can easily be reproduced.

3.        In order to crack WEP, you need to capture enough initialization vectors
(IVs) in the network packets to recover the secret key. WEP secret keys can
be one of two different lengths. 10-digit keys are 64 bits in lengths. How
many digits are in a key length of 128 bits?
A. 24
B. 16
C. 26
D. 28
C. A WEP key of 64 bits in length is 10 digits, and a 128-bit key length is
26 digits.

4.        With WPA, the wireless client and the access point both know the pre-shared
key in order to join the network. During the authorization process, each
device will use the PSK to generate a pairwise master key (PMK) in order to
derive a __________ which is used to encrypt packets sent to the receiving
host. What is this type of key called?
A. Pre-shared key
B. Pairwise share key
C. Pairwise transfer key
D. Pairwise transient key
D. The PMK is never exposed over the network; instead the pairwise
transient key (PTK) is derived from the PMK and used to encrypt network
communication.

5.        During a pentest, your team identifies an access point that is broadcasting the
SSID value and is protected with only WEP encryption. Your team attempts
to use aireplay-ng to replay an injected ARP packet over the network;
however, the tool has not captured any ARP replies over the network. This is
likely due to the fact that there are no clients talking over the network. In
order to speed up the cracking process, what could you recommend your
team to do? (Select the best answer.)
A. Use an MiTM tool in order to attack clients actively listening on the
network.
B. Use the ping command and ping nonexistent hosts on the network.
C. Try and telnet or remotely log in to other hosts over the network.
D. Navigate to web pages in your browser in order to generate some
network traffic.
B. The use of ping against nonexistent hosts repeatedly will generate
multiple IVs with the AP as the host, but will never be identified, and the
request will continue to propagate throughout the network.

6.        PBKDF2 is used to calculate the PMK using the following values, except for
which one?
A. The password/passphrase (PSK)
B. The access point SSID or ESSID
C. The length of the SSID or ESSID
D. The host name of the device
D. The PMK is derived from all of the options, with the exception of the
device host name. The missing values are 256 (length of the PMK) and
4096 (number of hashing iterations).

7.        In order to crack the WPA or WPA2 PSK you will need to capture the fourway handshake. During a pentest, your team identifies multiple clients on the
target network. What is the best way to capture the handshake?
A. Deauthenticate one of the clients
B. Send multiple ARP requests over the network
C. Deauthenticate all the clients on the network
D. Send multiple ARP requests to the access point
A. Deauthentication tells the client to disassociate from the wireless
network. Deauthenticating one client at a time until you capture the
handshake would be the recommended choice of action, as it helps to
remain quiet in your approach and would be the method that would cause
the least amount of resistance from customers during an engagement.

8.        The evil twin access point is a type of attack used to duplicate the existence
of a legitimate access point in order to entice victims to connect for the
purpose of targeting end-user devices or communications. Another way to
imitate all possible access points from client beacon requests is called what?
A. Karma attack
B. Replay attack
C. AP replay attack
D. Social engineering attack
A. The Karma attack will target any SSID it discovers in order to increase
the likelihood for exploitation.

9.        This command can be used to execute a type of “ping of death” against
Bluetooth devices.
A. L2PP
B. L2TP
C. L2PING
D. LPING
C. L2PING provides a method that can be used to identify Bluetooth
devices, as well as target them for DoS attacks, using the target MAC
address.

10.     All of the following are layers in the Bluetooth protocol stack except for
which one?
A. LMP
B. SDP
C. L2CAP
D. TC2
E. RCOMM
D. TC2 is not a valid layer of the Bluetooth protocol stack. TCS is,
however, a valid layer in the protocol stack and is used for controlling
telephone functions on the mobile device.

 

 

 

Chapter-9 Web and DB Attacks

1.        During a pentest engagement, the system developer approached you and
asked if you could help figure out what was going on in one of the Apache
HTTP log files on the server. The error.log file showed the following
message: <!ENTITY login SYSTEM "file:///home/user/.ssh/id_rsa" >
during an HTTP GET request. The developer knew that the request was not
from the ongoing pentest, since the IP addresses were outside of the scope of
engagement. Which type of attack was likely used against the target web
server?
A. DOM-based XSS attack
B. Cross-site request forgery (CSRF)
C. XXE injection
D. SQL injection
C. XML eXternal Entity (XXE) injection attacks target XML documents
and attempt to manipulate the declaration of an internal or external entity
that is parsed when the document is processed. The injection attempt
captured in the log file was an attempt from an attacker to target the local
SSH key for the User account. These types of attacks can lead to remote
command execution as well. These types of attacks can be mitigated by
disabling external entities or sanitizing the user-supplied input and
restricting where the document points its requests.

2.       One of the members of your pentest team is trying to insert a malicious
record in the MySQL database that will execute some proof-of-concept code
to steal cookies from a user’s web browser. However, the INSERT statement
is not working. Looking at the following syntax, what is the likely cause of
the error?
mysql> INSERT into app.data (header, body, message, webForm)
VALUES ("HACK", 404, "HACK");
A. The second column value is missing quotations.
B. The INSERT statement is missing a value for the fourth column and it
can’t be null.
C. One of the field values exceeds the size limitation.
D. There is no error in the INSERT statement.
B. The INSERT statement is missing a value for the fourth column. Each
column identified within the INSERT statement needs to have a field value.
If one of the fields is a required field, that field is not allowed to be null,
such as an empty value.

3.       A UDF can help facilitate command execution during a pentest if the
compromised database user has admin rights (e.g., root) or elevated
privileges and the database is configured with the sys_exec() and
__________ functions.
A. sys_eval()
B. system_eval()
C. exec_sys()
D. sys_udf()
A. The sys_eval() and sys_exec() functions are required to be configured
on the database server in order for a user-defined function (UDF) to be
created, which can ultimately lead to command execution against the
operating system with the privileges of the operating system user that owns
the process.

4.       Given the following URL, which two methods could be used to test for SQL
injection against the database within the web parameters? (Select two.)
http://example.com/page.php?
id=1&acct=162;jsessionid=567323456798
A. ?id=1'&acct=144;jsessionid=567323456798
B. ?id=1'&acct=162';jsessionid=567323456798
C. ?id=1;--&acct=162;jsessionid=567323456798
D. ?id=1'&acct=144';jsessionid=567323456798
B, D. The “‘”, “--”, and “;” are all definitely ways to help trigger an error
response from a database that lacks application or database filtering.

5.       You come across a web page that requires authentication with a valid
username and login. Using CeWL, you decide to build your own wordlist
using content derived from the website. The website has many pages, and
you decide to start from the index.html page and go five pages deeper into
the site to identify word lengths that are a minimum of eight characters.
Which command options will help you build the wordlist you are looking
for?
A. -d 5 -8
B. -w 8 -d 5
C. -m 8 -d 5
D. -a 8 -d 5
C. The -d option is used to specify how deep to traverse into the website,
and -m is used to specify the minimum amount of words the tool identifies.

6.       While testing a web application running on Windows Server 2016, you find a
web parameter vulnerability to a path traversal attack. Which of the
following choices would be the best choice at demonstrating a path traversal
attack?
A. ?id=C:\Windows\system32\etc/passwd
B. ?id=../../../../C:/Windows/etc/passwd
C. ?id=%20.%20C:/Windows/boot.ini
D. ?id=..\..\..\..\C:/Windows/boot.ini
D. The best answer is D, as it can help escape a basic forward-slash content
filter and potentially show the contents of the boot.ini file.

7.       Which of the following are valid client-side attacks? (Select all that apply.)
A. Clickjacking
B. Command injection
C. Directory traversal
D. Reflected HTML injection
E. DOM-based XSS
F. Session hijacking
A, D, E, F. All the answers are correct, with the exception of command
injection and directory traversal. Those types of attacks are for server-side
vulnerabilities.

8.       What is the purpose of the Document Object Model (DOM) within a user’s
web browser?
A. Structuring content in the browser
B. Passing messages to other entities
C. Storing encrypted values followed by the “#” sign
D. Helping to mitigate against XSS attacks
A. During runtime, the application will pass down the DOM to help
structure content within the browser. DOM modules may include JavaScript
code that can execute locally within the user’s browser.

9.       What is the purpose of the following PHP code?
A. Creates a loop to echo the contents of $data until it reaches 0 length
B. Creates a loop, declares $data, and validates the size of the variable
C. Creates a loop to echo the contents of the data
D. Creates a loop but kills the process if the data is less than 8192 bytes
B. The PHP code declares the $data variable by reading 8192 bytes of
$handle. Then, if the length of $data is equal to 0, the script either
terminates or will continue to echo the contents of $data and complete the
loop.

10.   Which of the following options could be an IDOR, given the following
URLs? (Select all that apply.)
A. http://example.com/index.php?emp_id=12345
B. http://example.com/index.php
C. http://example.com/sales.php?acct=4532345
D. http://example.com/profile.php?state=CA&zip=90001
A, C. The “acct=” and “emp_id=” parameters are somewhat of a dead
giveaway, in that they may be linked to another user’s information that
could be retrieved without the necessary access controls with the web
application or database. Option B was simply a URL with nothing to infer,
and option C provided what looked to be parameters associated with a state
and ZIP code and nothing of potential value with regard to an insecure
directory object reference.

 

Chapter-10 Attacking Local host Vulnerabilities

1.        One important step during postexploitation is to gain situational
awareness to gather important knowledge of the host and internal
network. Which of the following techniques from the MITRE
ATT&CK framework are identified as “discovery” tactics? (Select all
that apply.)
A. Enumerate files and directories on the local or shared file system.
B. Search for local or domain-level groups and permission settings.
C. Timestomp files and directories after exploitation.
D. Use a protocol native to the operating system like SSH or FTP to
transfer files.
A, B. Enumerating files and directories on local or shared file
systems (File and Directory Discovery: T1083) and searching for
local or domain-level groups and permission settings (Permission
Groups Discovery: T1069) are two techniques related to gaining
situational awareness. Timestomping files and directories is a defense
evasion technique (Timestomp: T1099), and transferring files using
native operating system protocols is a data exfiltration technique
(Exfiltration over Alternative Protocol: T1048).

2.        During a pentest, you successfully compromised user-level access to a
Linux host within your customer’s network. The user’s default shell is
BASH. Which command syntax could you use to suspend command
recording for your terminal session? (Select all that apply.)
A. unset HIST
B. unset HISTFILE
C. set +o history
D. export HIST=0
B, C. The unset HISTFILE technique will allow temporary history
but will prevent the command history from being written to
$HOME/.bash_history. The set +o history will prevent temporary
command history and subsequently prevent any command history
from being written to disk. Answers A and D are incorrect, as they
are improperly formatted commands.

3.        You find that the user account “user1” you just compromised might be
permitted to execute privileged commands on the system using sudo.
After you suspend command recording in your terminal window, you
execute the sudo -l command and are not prompted for a password.
To your surprise, the account can execute all commands on the
operating system and you still are not prompted for a password. Which
setting in the /etc/sudoers file would allow the user to execute
commands without a password?
A. %sudo ALL=(ALL:ALL) ALL
B. %sudo ALL=(ALL:ALL) NOPASSWD:ALL
C. user1 ALL=(ALL:ALL) ALL
D. user ALL=(ALL:ALL) NOPASSWD:ALL
B. The account “user1” is likely in the sudoers group called “sudo.”
The NOPASSWD:ALL option will allow any command on the operating
system to be executed without the need to prompt for a password.
Using the groups or id -a command syntax, you would be able to
see which groups the user was a part of. In the /etc/sudoers file,
groups or users can be configured with specific sudo privileges on
the local operating system. Answer D has the NOPASSWD:ALL option,
but is specified for the account called “user,” which is not the
account we currently have access to.

4.        Group Policy Preferences (GPP) was introduced in Windows 2008
Server and allows domain administrators to create domain policies to
automate tedious tasks, such as changing the local Administrator
account password on the host operating system. Each policy is created
with an encrypted password (cPassword) embedded within the policy,
and each policy is stored in SYSVOL, which is accessible to any user
that is a member of the domain. During a pentest, you successfully
mount the SYSVOL volume using user-level privileges on the
domain. The domain server is a Windows 2012 server. Which file will
contain the cPassword entry?
A. Group.xml
B. Users.xml
C. Groups.xml
D. Policy.xml
C. The groups.xml file will contain the encrypted cPassword entry.
The AES 256-bit key was disclosed online from Microsoft, which
allows the cPassword entry to be decrypted, thus disclosing the
sensitive password. Users.xml, policy.xml, and group.xml are likely
custom settings applied through Group Policy within the customer’s
domain.

5.        When using the GNU debugger (gdb), which command can you use to
pause program execution in a function when the assembly instruction
is reached?
A. break
B. nexti
C. info registers
D. x $rsp
A. The break * func+43 command can be used to cause the
program to stop executing (pause the program) when the assembly
instruction is reached at <+43>. This affords us the ability to inspect
the program state at the time of execution. The nexti command will
allow you to step into the next operation, and the info registers
command will print the contents of general process registers. The x
$rsp command will print the hexadecimal address for the $rsp
register.

6.        A ____________________ is unique and is used to identify each
instance of a Windows service. In Windows, Kerberos requires that
____________________ be associated with at least one service logon
account (i.e., the account that runs the service).
A. Hostname
B. Domain name
C. Unique identifier
D. Service principal name
D. The service principal name (SPN) is unique and is used to identify
each instance of a Windows service. In Windows, Kerberos requires
that the SPN be associated with at least one service logon account. A
hostname is the name of a host, and the domain name is a unique
name used to identify a realm on the Internet. A user ID or UID is a
unique integer assigned to each user on a Unix-like system. None of
these options have any relation to a Windows service.

7.        During a pentest, you use the wmic command to identify unquoted
service paths. You were able to find a path at C:\Program Files
(x86)\data\shared files\vulnerable.exe and used accesschk.exe
to find that you have write privileges in the “data” directory. To
escalate privileges the next time the service is executed, you need to
lay down an executable that will execute within the service path. What
is the correct name for the executable that you should create?
A. shared.exe
B. files.exe
C. Files.exe
D. Program.exe
A. When the service starts, it will follow the execution path to
C:\Program Files (x86)\data\shared files\vulnerable.exe to
run the executable. Since the path is not in quotations in the registry,
it will first look to load C:\Program Files (x86)\data\shared.exe
because there is a space between the directory “shared files.”
Files.exe/files.exe will not work, as there is no break after the
directory name. The Program.exe option would work; however, the
user does not have write access to the folder.

8.        During a pentest, you come across an SSH private key (id_rsa) in a
user’s home directory and suspect that this key can be used to
remotely log in to other Linux hosts. However, before you try to use
the key, you want to compare the key to the contents of the
authorize_keys file to ensure it matches one of the public keys stored
in the file. Which command would you run to generate a public key
from the private key?
A. ssh-keygen -y -f id_rsa
B. ssh-keygen -t rsa -b 2048
C. diff id_rsa.pub id_rsa
D. openssl rsa -in id_rsa | cat id_rsa.pub
A. The ssh-keygen command is used to generate keys. To compare
the private and public key values, you would generate a public key
from the private key using the following syntax: ssh-keygen -y -f
<private key>. Then, you could read the contents of the
authorized_keys file and compare/contrast the differences, if any.
Answer B will generate an RSA private and public key pair of 2048
bits. Answer C will read and differentiate the contents of the public
key and private key; however, they are not the same key values, so
that will not work. Answer D is incorrect, as openssl will validate
the contents of the RSA key and pipe the command output along with
the output from the cat id_rsa.pub command to the screen, which
will not help you find the public key value from the compromised
RSA private key.