Exam (elaborations)

CompTIA Pentest+ Study Set Questions With Correct Answers

Pages
122
Grade
A+
Uploaded on
08-09-2023
Written in
2023/2024

Methodology - Answer __ is a system of methods used in a particular area of study or activity.

Pentest Methodology - Answer __:
1. Planning & Scoping
2. Info Gathering & Vulnerability ID
3. Attacks & Exploits
4. Reporting & Communication

NIST SP 800-115 Methodology - Answer __:
1. Planning
2. Discovery
3. Attack
4. Reporting

Planning a Penetration Test - Answer __, questions to ask:
▪ Why is planning important?
▪ Who is the target audience?
▪ Budgeting
▪ Resources and requirements
▪ Communication paths
▪ What is the end state?
▪ Technical constraints
▪ Disclaimers

Planning a Penetration Test - Budgeting - Answer __:
▪ Controls many factors in a test
▪ If you have a large budget, you can perform a more in-depth test
  ● Increased timeline for testing
  ● Increased scope
  ● Increased resources (people, tech, etc.)

Planning a Penetration Test - Resources and Requirements - Answer __:
▪ What resources will the assessment require?
▪ What requirements will be met in the testing?
  ● Confidentiality of findings
  ● Known vs. unknown vulnerabilities
  ● Compliance-based assessment

Planning a Penetration Test - Communication Paths - Answer __:
▪ Who do we communicate with about the test?
▪ What info will be communicated and when?
▪ Who is a trusted agent if testing goes wrong?

Planning a Penetration Test - What is the End State? - Answer __:
▪ What kind of report will be provided after the test?
▪ Will you provide an estimate of how long remediations would take?

Planning a Penetration Test - Technical Constraints - Answer __:
▪ What constraints limited your ability to test?
▪ Provide the status in your report
  ● Tested
  ● Not Tested
  ● Can't Be Tested

Planning a Penetration Test - Disclaimers - Answer __:
▪ Point-in-Time Assessment
  ● Results were accurate when the pentest occurred
▪ Comprehensiveness
  ● How complete was the test?
  ● Did you test the entire organization or only specific objectives?

Rules of Engagement (RoE) - Answer __ are detailed guidelines and constraints regarding the execution of information security testing. The __ is established before the start of a security test and gives the test team authority to conduct defined activities without the need for additional permissions.

Rules of Engagement (RoE) Overview - Answer __:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries

RoE: Timeline - Answer __:
▪ How long will the test be conducted?
  ● A week, a month, a year
▪ What tasks will be performed and how long will each be planned for?

RoE: Locations - Answer __:
▪ Where will the testers be located?
  ● On-site or remote location
▪ Does the organization have numerous locations?
▪ Does it cross international borders?

RoE: Time Restrictions - Answer __:
▪ Are there certain times that aren't authorized?
▪ What about days of the week?
▪ What about holidays?

RoE: Transparency - Answer __:
▪ Who will know about the pentest?
▪ Will the organization provide resources to the testers (white box test)?

RoE: Boundaries - Answer __:
▪ What will be tested?
▪ Is social engineering allowed to be used?
▪ What about physical security testing?
▪ How invasive can the pentest be?

Legal Concepts (1) - Answer __: laws and regulations regarding cyber-crime vary from country to country; check the local laws before conducting an assessment.

Legal Concepts (2) - Answer __ refers to consulting your attorney before performing any penetration testing work to ensure you are within the legal bounds of the laws of the countries where you are operating.

Crimes and Criminal Procedure - Answer __:
▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030

§ 1029 Fraud & related activity w/ access devices - Answer __:
▪ Prosecutes those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices.
▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials

§ 1030 Fraud and related activity with computers - Answer __:
▪ Covers just about any computer or device connected to a network
▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights
▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity

Obtain Written Authorization - Answer __:
▪ White hat hackers always get permission
▪ This is your get out of jail free card...
▪ Penetration tests can expose confidential information, so permission must be granted
▪ Third-party authorization when necessary
  ● Ex: from a cloud service provider

Third-Party Authorization - Answer __:
▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test
  ● Ex: from a cloud service provider

Pentest Contracts - Answer __:
▪ Statement of Work (SOW)
▪ Master Service Agreement (MSA)
▪ Non-Disclosure Agreement (NDA)

Statement of Work (SOW) - Answer __ is a formal document stating the scope of what will be performed during a penetration test.
▪ Clearly states what tasks are to be accomplished during an engagement

Master Service Agreement (MSA) - Answer __ is a contract where parties agree to most of the terms that will govern future actions.
▪ High-level contract between a service provider and a client that specifies details of the business arrangement

Non-Disclosure Agreement (NDA) - Answer __ is a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.
▪ Agreement that defines confidential material and restrictions on use and sharing of sensitive information with other parties

Corporate Policies - Answer __:
▪ What do corporate policies allow you to do?
▪ Have employees waived their privacy?
▪ What policies should be tested?
  ● Password strength/reuse
  ● Bring Your Own Device (BYOD)
  ● Encryption
  ● Update frequency

Export Restrictions - Answer __:
▪ Wassenaar Agreement precludes the transfer of technologies considered "dual-use"
▪ Strong encryption falls under this restriction
▪ Penetration testing tools could be considered surveillance tools and fall under these rules

Penetration Testing Strategies - Answer __:
▪ Black Box
▪ Gray Box
▪ White Box

Black Box (No Knowledge Test) - Answer __:
▪ No prior knowledge of target or network
▪ Simulates an outsider attack
▪ Only focuses on what external attackers see and ignores the insider threat
▪ Takes more time and is much more expensive

White Box (Full Knowledge Test) - Answer __:
▪ Full knowledge of the network, systems, and infrastructure
▪ Spend more time probing vulnerabilities and less time gathering information
▪ Tester is given support resources from the organization

Gray Box (Partial Knowledge Test) - Answer __:
▪ Partial knowledge of target
▪ Can be used as an internal test to simulate an insider attack with minimal knowledge
▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities
▪ Ex: IP range provided, or company emails for phishing

White Box Support Resources - Answer Generally provided only for a white box penetration test:
  ● Architectural diagrams
  ● Sample application requests
  ● SDK documentation
  ● SOAP project files
  ● Swagger document
  ● WSDL/WADL
  ● XSD

White Box Architectural Diagrams - Answer __:
▪ Network diagrams, software flow charts, physical maps of organizational facilities
▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located

White Box Sample Application Requests - Answer __:
▪ Generally used for testing web applications or other applications developed by the organization

White Box SDK Documentation - Answer __:
▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform
▪ SDK provides code libraries for use

White Box SOAP Project File - Answer __:
▪ Simple Object Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services
▪ SOAP project files are created from WSDL files or a single service call

White Box Swagger Document - Answer __:
▪ Open-source framework with a large system of tools to help design, build, document, test, and standardize REST web services
▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years
▪ REST is a web application architectural style based on HTTP

White Box WSDL - Answer __:
▪ Web Services Description Language
  ● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server
  ● Flexible and allows binding options
  ● Not useful for REST services with WSDL 1.1

White Box WADL - Answer __:
▪ Web Application Description Language
  ● XML-based machine-readable description of HTTP-based web services
  ● Easier to write than WSDL but not as flexible
  ● Typically used for REST services

White Box XML Schema Definition (XSD) - Answer __:
▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document

Types of Pentest Assessments - Answer __:
▪ Goal-based Pentests
▪ Objective-based
▪ Premerger
▪ Supply Chain
▪ Red Team

Goal-based Pentests Assessment - Answer __:
▪ Specific goals are defined before testing starts
▪ Pentester may attempt to find many unique methods to achieve the specific goals

Objective-based Assessment (1) - Answer __:
▪ Objective-based pentests seek to ensure the information remains secure
▪ Testing occurs using all methods and more accurately simulates a real attack
▪ Compliance-based
▪ Risk-based compliance assessment that is required to ensure policies or regulations are being followed properly

Objective-based Assessment (2) - Answer __:
▪ Objective-based pentests seek to ensure the information remains secure
▪ Regulations and policies provide checklists, for example the PCI-DSS compliance assessment
▪ Objectives are clearly defined
▪ Focus is on password policies, data isolation, limited network/storage access, and key management

Premerger Assessment - Answer __:
▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited
▪ Can be a part of the due diligence efforts

Supply Chain Assessment - Answer __:
▪ Pentest may be required of your suppliers to ensure they are meeting their cybersecurity requirements
▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems
▪ Minimize risk by purchasing only from trusted vendors

Red Team - Answer __ is a penetration test conducted by internal pentesters of an organization during a security exercise to ensure defenders (blue team) can perform their jobs adequately

Threat Actors - Answer __:
▪ Advanced Persistent Threat (APT)
▪ Hacktivist
▪ Insider Threat
▪ Script Kiddies

Threat Actors - Tiers of Adversaries - Answer __:
▪ Not all threat actors are created equal
▪ Some are structured, some are unstructured
▪ Some are more skilled than others

Threat Actors - Advanced Persistent Threat (APT) - Answer __:
▪ Group with great capability and intent to hack a particular network or system
▪ Target organizations for business or political motives and usually funded by nation states
▪ Conduct highly covert hacks over long periods of time

Threat Actors - Hacktivist - Answer __:
▪ Conduct activities against governments, corporations, or individuals
▪ Can be an individual or member of a group

Threat Actors - Insider Threat - Answer __:
▪ Already have authorized user access to the networks, making them extremely dangerous
▪ May be a skilled or unskilled attacker
▪ Might be a former or current employee

Threat Actors - Script Kiddies - Answer __:
▪ Low-skilled attackers who use others' tools
▪ Use freely available vulnerability assessment and hacking tools to conduct attacks

Threat Actors - What is the Intent? - Answer __:
▪ Greed or monetary gain
▪ Power, revenge, or blackmail
▪ Thrills, reputation, or recognition
▪ Espionage or political motivation

Threat Actors - Threat Modeling - Answer __:
▪ What threat are you trying to emulate?
▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat?
▪ Will you be given insider knowledge or perform a white box penetration test?

Tiers of Adversaries - Answer __:
1 - Little money; rely on off-the-shelf tools and known exploits
2 - Little money; invested in own tools against known vulnerabilities
3 - Invests lots of money to find vulnerabilities to steal for profit
4 - Organized, technically proficient, funded, working in teams
5 - Nation states investing tons of money in finding/creating vulnerabilities
6 - Nation states investing tons to carry out military ops

Target Selection - Answer __:
▪ Internal or External
▪ First-party or Third-party hosted
▪ Physical
▪ Users
▪ SSIDs
▪ Applications

Target Selection - Internal - Answer __ focuses on targets inside the firewall
● Can be on-site or off-site
● Logically internal

Target Selection - External - Answer __ focuses on publicly facing targets
● Web servers in the DMZ
● Outside the protected LAN

Target Selection - First-party or Third-party - Answer __:
▪ Are the targets hosted by the organization or by a third-party service provider?
▪ DionT is hosted by Thinkific and might be outside the penetration test scope

Target Selection - Physical - Answer __:
▪ Are we contracted to test physical security?
▪ Should we attempt to break into the facility?

Target Selection - Users - Answer __:
▪ Is social engineering authorized?
▪ Are particular users being targeted or not considered part of the assessment?

Target Selection - Wireless and SSIDs - Answer __:
▪ Is wireless pentesting being conducted?
▪ Are any SSIDs out of scope?
  ● Guest or public network

Target Selection - Applications - Answer __:
▪ Are we focused on a particular application?
▪ Is a particular application mission critical and cannot be targeted?
  ● Credit card processing system
  ● Health care system

Scoping Considerations - Whitelist vs Blacklist - Answer __:
▪ Will your pentest systems be put on a list?
▪ A whitelist will allow you access, but a blacklist will prevent your system from connecting

Scoping Considerations - Security Exceptions - Answer __:
▪ Intrusion Prevention System (IPS)
▪ Web Application Firewall (WAF)
▪ Network Access Control
▪ Certificate Pinning
  ● Required if the organization relies on digital certificates as part of their security
▪ Company policies

Scoping Considerations - Risk - Answer __:
▪ What is the risk tolerance of the organization?
▪ Avoidance
  ● Actions taken to eliminate risk completely
▪ Transference
  ● Risk is moved to another entity
▪ Mitigation
  ● Controls and countermeasures are put into place
▪ Acceptance
  ● Risk is identified, analyzed, and within limits

Scoping Considerations - Tolerance to Impact - Answer __:
▪ What is the impact to operations going to be?
▪ Balance the assessment needs with the operational needs of the organization by placing things in or out of scope

Scoping Considerations - Schedule - Answer __:
▪ Will the timing of the penetration test be known by the organization's defenders?
▪ Will it be performed during peak or off-peak hours?
▪ What about holidays?

Scoping Considerations - Scope Creep - Answer __:
▪ Condition when a client requests additional services after the SOW and project scope have been agreed to and signed
▪ How will scope be contained?
▪ Document any changes to the scope of the test
▪ Recommend signing a change order to the SOW

Information Gathering and Vulnerability Identification - Answer __:
▪ Conducting information gathering
▪ Performing vulnerability scanning
▪ Analyzing results of vulnerability scans
▪ Leveraging information for exploitation
▪ Weaknesses in specialized systems

Information Gathering - Reconnaissance - Answer __ refers to the systematic attempt to locate, gather, identify, and record information about a target
▪ Also known as footprinting the organization

Information Gathering - Reconnaissance Techniques - Answer __:
▪ Internet or open-source research
▪ Social engineering
▪ Dumpster diving
▪ Email harvesting

What kind of information are we looking to find? - Answer __ - Reconnaissance:
▪ Phone numbers
▪ Contact names
▪ Email addresses
▪ Security-related information
▪ Information systems used
▪ Job postings
▪ Resumes

Reconnaissance Tools - Answer __:
▪ Nslookup
▪ Traceroute
▪ Ping
▪ Whois
▪ Domain Dossier
▪ Email Dossier
▪ Google
▪ Social Networking
▪ D
▪ Maltego

Nslookup - Answer __ is a command-line program in Windows used to determine exactly what information the DNS server is providing about a specific host name.
▪ Is a Reconnaissance Tool

Traceroute - Answer __ is a utility application that monitors the network path of packet data sent to a remote computer.
▪ Is a Reconnaissance Tool

Ping - Answer __ sends a message from one computer to another to check whether it is reachable and active.
▪ Is a Reconnaissance Tool

Whois - Answer __ is a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains.
▪ It is a source of information that can be used to exploit system vulnerabilities.
▪ Is a Reconnaissance Tool

Domain Dossier - Answer __ is a tool used to investigate domains and IP addresses.
▪ It gathers registrant information, DNS records and other things, compiling it all into one report.
▪ Is a Reconnaissance Tool

Dossier - Answer __ is a specific collection of documents.
▪ Is a Reconnaissance Tool

Email Dossier - Answer __ is a tool used to investigate emails.
▪ Is a Reconnaissance Tool

Google - Answer __ is a search engine that can be used to find information about a target.
▪ Is a Reconnaissance Tool

Google hacking - Answer __ is the technique of using advanced operators in the Google search engine to locate specific strings of text within search results, including strings that identify software vulnerabilities and misconfigurations.
▪ Is a Reconnaissance Tool

Social Networking - Answer __ is a means by which people use the Internet to communicate and share information among their immediate friends, and meet and connect with others through common interests, experiences, and friends.
▪ Is a Reconnaissance Tool

D - Answer __ is a discovery framework that was developed to quickly and efficiently identify passive information about a company or network.
▪ This framework is used through a tool called Discover-scripts
▪ Is a Reconnaissance Tool

Maltego - Answer __ is a program that can be used to determine the relationships and real-world links between people, groups of people (social networks), and companies
▪ Intelligence gathering and analysis platform
▪ Is a Reconnaissance Tool

Domain name squatting - Answer Cybersquatting (also known as __), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else

Scanning - Answer __ is actively connecting to the system and getting a response to identify open ports and services

Types of Scanning - Answer __:
▪ Hosts
▪ Systems
▪ Networks
▪ Computers
▪ Mobile Devices
▪ Applications
▪ Printers

Enumeration - Answer __ is actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info

Types of Enumeration - Answer __:
▪ Hosts
▪ Networks
▪ Domains
▪ Users/Groups
▪ Network shares
▪ Web pages
▪ Applications
▪ Services
▪ Tokens
▪ Social networks

How Do We Scan and Enumerate? - Answer __:
▪ Use specialized scanning/enumeration tools and public information sources

Fingerprinting - Answer __ is identification of the operating system, service, and software versions being used by a host
▪ Determining the OS type and version a target is running

Banner Grabbing - Answer __ is gathering information from messages that a service transmits when another program connects to it.
▪ Manual enumeration and fingerprinting
▪ Use telnet or Netcat to connect to the target host
▪ Commonly used for FTP, SSH, Telnet, & HTTP

telnet - Answer __ is a network protocol that allows a user on one computer to log into another computer that is part of the same network.
▪ Port 23
▪ Can be used for Banner Grabbing

Netcat (nc) - Answer __ is a computer networking utility for reading from and writing to network connections using TCP or UDP.
▪ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
▪ Is a Packet Crafting Tool & Banner Grabbing Tool

Packet Crafting - Answer __ is also known as packet manipulation
▪ Sending modified packet headers to gather information from a system or host
▪ Creating specific network packets to gather information or carry out attacks
▪ Tools - netcat, nc, ncat, hping

Packet Crafting Tools - Answer __:
▪ Nmap
▪ Netcat (nc)
▪ Ncat (ncat)
▪ Hping

Nmap - Answer __ uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
▪ Is a Packet Crafting Tool

Ncat (ncat) - Answer __ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. __ is suitable for interactive use or as a network-connected back end for other tools.
▪ Is a Packet Crafting Tool

Hping - Answer __ is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP and ICMP.
▪ Good guys commonly use it to scan ports for holes that bad guys try to exploit.
▪ It's also useful for testing network machines by firing precompiled exploits at them.
▪ Is a Packet Crafting Tool

Packet Inspection - Answer __ is manual enumeration performed by analyzing captured packets to determine information
▪ Capturing and analyzing network packets
▪ Tool - Wireshark

Cryptographic Inspection - Answer __ is determining what encryption is being used during your information gathering
▪ Do they have web servers with SSL or TLS?
▪ What about wireless networks using WEP, WPA, WPA2, or a WPS handshake?
▪ Are files encrypted on the network shares?

Certificate Inspection - Answer __:
▪ Web servers will identify the type of encryption they support (SSL 2.0, SSL 3.0, or TLS)
▪ Tools exist to automate this process; the SSLyze script comes with Kali Linux

SSLyze - Answer __ is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.
▪ Server certificate validation and revocation checking through OCSP stapling.
▪ Certificate Inspection Tool

Eavesdropping - Answer __ is used to refer to the interception of communication between two parties by a malicious third party.
▪ Radio frequency monitoring can be performed to determine the type of devices used in the facility (cellular, WiFi, Bluetooth, etc.)
▪ Radio frequencies can be captured and analyzed using specialized tools

Sniffing Network Traffic - Answer __ is when you intercept and log network traffic that can be seen via the wired or wireless network interface.
▪ If you gain access to one host computer, you could use it to capture traffic on other parts of the network, too!

Packet Capture - Answer __ is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed.

Packet Capture Techniques - Answer __: Use Wireshark or TCPDump to conduct packet capturing of wired or wireless networks
▪ Connect to a mirrored port to capture wired network traffic
▪ Wireless networks can be captured and their encryption cracked to access the data using Aircrack-ng

Wireshark - Answer __ is an open source tool for profiling network traffic and analyzing packets.
▪ This information can be useful for evaluating security events and troubleshooting network security device issues.
▪ __ will typically display information in three panels.

TCPDump - Answer __ is an open source command-line tool for monitoring (sniffing) network traffic. __ works by capturing and displaying packet headers and matching them against a set of criteria.

Aircrack-ng - Answer __ is a complete suite of tools to assess WiFi network security.
▪ It focuses on different areas of WiFi security: monitoring, packet capture and export of data to text files for further processing by third-party tools.
▪ Wireless hacking suite that consists of a scanner, packet sniffer, and password cracker

Institution
CompTIA
Course
CompTIA










