SOLUTIONS MANUAL
Solution and Answer Guide: Wilson, PenTest+: Guide to Penetration Testing 2024
COMPTIA PENTEST+ GUIDE TO PENETRATION TESTING, 1ST EDITION, BY ROB WILSON (MODULES 1-13) SOLUTIONS MANUAL

MODULE 01: INTRODUCTION TO PENETRATION TESTING
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS

1. What are two other terms for penetration testing?
a. Vulnerability testing
b. Pen testing
c. Ethical hacking
d. Blue teaming
Answer: b, c
Penetration testing is also known as pen testing or ethical hacking and is an authorized series of security-related, non-malicious "attacks" on targets such as computing devices, applications, or an organization's physical resources and personnel.
2. The purpose of pen testing is to discover vulnerabilities in targets so that these vulnerabilities can be eliminated or mitigated.
a. True
b. False
Answer: a
The purpose of pen testing is to discover vulnerabilities in targets so that the vulnerabilities can be eliminated or mitigated before a threat actor with malicious intent exploits them to cause damage to systems, data, and the organization that owns them.
3. Pen testing should be performed under which of the following circumstances? Choose all that apply.
a. A new computer system has been installed.
b. A new software system or an update to a software system has been installed.
c. Following a regular schedule to make sure no unknown changes have impacted security.
d. Performed as dictated by compliance standards such as PCI DSS.
Answer: a, b, c, d
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Pen testing should be performed as a regular practice, to meet compliance standards, and after a major change in a computing environment, such as the installation of a new computer system, application, or update.

4. Which of the following are possible targets for penetration testing?
a. Web application.
b. Computer.
c. Staff.
d. All of these are correct.
Answer: d
Web applications and other software, computers and related systems, and staff or other personnel can be targets for penetration testing.
5. The targets under test and the actions that a pen tester is allowed to perform need to be well-defined, documented, and agreed upon by all parties before pen testing begins. True or false?
a. True
b. False
Answer: a
Because pen-testing activities are the same as illegal hacking activities, though with different goals, the pen-testing targets and actions must be well-defined, documented, and agreed upon by all parties before pen testing begins.
6. Use your favorite search engine to research bug bounties. Find three different bug bounties that were paid, and in a one-page report, summarize these bounties. Make sure to include the vulnerability details, the organization that paid the bounty, and how much they paid.
Answers will vary, but a good report will follow the instructions and have exactly three bug bounty examples. It will also describe the vulnerability details, the organization that paid the bounty, and the amount.
7. The CIA triad expresses how the cornerstones of confidentiality, integrity, and accessibility are linked together to provide security for computer systems and their data.
a. True
b. False
Answer: a
In the CIA triad, confidentiality of information dictates that an object should only be accessible to authorized entities. Integrity of information or systems ensures that an object has not been corrupted or destroyed by unauthorized entities. Availability requires that objects and services must be accessible to authorized entities when needed and should not be made unavailable by threat actors or system failures.
8. Which triad is the antithesis of the CIA triad?
a. BAD
b. SAD
c. ADD
d. DAD
Answer: d
The DAD (disclosure, alteration, destruction) triad is the antithesis of the CIA triad because it expresses the goals of disclosing confidential information, altering or corrupting the integrity of information, and destroying or denying the availability of access to resources.

9. Which of the following are needed to properly maintain the ethical hacking mindset?
a. Pen testers must be careful to conduct themselves ethically with professionalism and integrity.
b. Pen testers must not accidentally stray into the realm of the malicious hacker and cause damage to systems or data.
c. Pen testers must do no harm and stay within the boundaries of what activities have been specified and sanctioned in the penetration testing agreement documents.
d. All of these are correct.
Answer: d
Pen testers must conduct themselves ethically with professionalism and integrity, cannot accidentally stray into the realm of the malicious hacker and cause damage to systems or data, and must do no harm by staying within the boundaries of the specified activities.
10. Which penetration testing team is responsible for launching "authorized attacks" against an organization's resources/targets?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: a
The red team launches authorized attacks against an organization's resources or targets to discover vulnerabilities and prove a vulnerability exists.

11. Which penetration testing team consists of defenders trying to detect and thwart attacks?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: b
Blue team members are the defenders trying to detect, identify, and thwart red team attacks.

12. Which penetration testing team helps coordinate the pen-testing activities by providing an oversight role to bridge between other teams?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: c
The purple team helps coordinate the pen-testing activities. It provides oversight by observing red and blue team activities, offers guidance on how to make the teams and their operations more effective, and reports the results of pen-testing activities.

13. Which of the following groups are considered to be other stakeholders? Choose all that apply.
a. Management
b. Development
c. Legal
d. IT Department
Answer: a, b, c
Other stakeholders are members of the organization with expertise in management, development, and legal areas.

14. Which phase of the pen-testing process includes activities such as active reconnaissance, vulnerability scanning, and social engineering?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: b
The information gathering and vulnerability scanning phase includes active reconnaissance (also called footprinting), vulnerability scanning and analysis, and social engineering.

15. Which phase of the pen-testing process includes activities such as getting written authorization, determining targets, defining goals, and building teams?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: a
The planning and scoping phase lays the groundwork for all the activities that follow and includes securing written authorization, determining targets, defining goals, and building teams.

16. You are a member of the penetration-testing red team. You are trying to get into the server room without authorization. What phase of pen testing are you in?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: c
The attacking and exploiting phase includes activities such as password cracking, SQL injection, circumventing security settings to access data, and physical attacks such as trying to break into the server room.
17. Using your favorite search engine, search for security products that use the cyber kill chain concept. In a one-page report, describe one of these products and its features. Be sure to highlight the product's capabilities and how they relate to specific cyber kill chain phases.
Answers will vary, but a good report will be exactly one page long and will cover the requirements of naming the product, describing its features and capabilities, and relating these to the cyber kill chain phases.

18. Choose one of the tools from Table 1-3: Penetration-testing tools and create a one-page report detailing what it does and how to use it. Include one small graphic that exemplifies this tool. The graphic can be no more than 1/6 of a page in size.
Answers will vary, but a good report will be exactly one page long and will describe what the tool is used for and how to use it. Good reports will contain one small graphic that shows the tool's interface or a command line capture of it being used.
ACTIVITIES

ACTIVITY 1-3: IDENTIFYING COMPUTER STATUTES IN YOUR STATE, PROVINCE, OR COUNTY
Solution: Answers will vary. The memo should include state laws that might affect how a penetration test could be conducted as well as problems that might arise because of state laws. The memo could also ask that management draw up a contract addressing any risks or possible network degradation that might occur during testing.
ACTIVITY 1-4: EXAMINING FEDERAL AND INTERNATIONAL COMPUTER CRIME LAWS
Solution: Answers will vary. The summary should mention some key elements, such as (a)(2) "…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…." Section (g) states: "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator…" The summary might also mention the possibility of a lawsuit. Students need to understand that this federal law addresses government computers and financial systems. Students should mention what nations are part of The Convention on Cybercrime (Budapest Convention).
CASE PROJECTS

CASE PROJECT 1-1: DETERMINING LEGAL REQUIREMENTS FOR PENETRATION TESTING
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The
company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Melinda May, the vice president, is your only contact at the company. To avoid undermining the tests you're conducting, you won't be introduced to any IT staff or employees. Melinda wants to determine what you can find out about the company's network infrastructure, network topology, and any discovered vulnerabilities without any assistance from her or company personnel. Based on this information, write a report outlining the steps you should take before beginning penetration tests of the Alexander Rocco Corporation. Research the laws applying to the state where the company is located, and be sure to reference any federal laws that might apply to what you have been asked to do.
Solution: Answers will vary, but the report could include the following possible steps:
1. Prepare a statement of work detailing what the penetration tests would include.
2. Verify that a contract exists between both companies authorizing you to perform the penetration test.
3. Review state laws for Hawaii and any applicable federal laws.
4. Discuss with management the formation of a red team.
CASE PROJECT 1-2: RESEARCHING HACKTIVISTS AT WORK
Prompt: Hacktivism is hacking for the purpose of supporting an activist cause, such as hacking the computer systems of a repressive regime that violates human rights. A hacktivist is a person who uses hacktivism techniques. A recent U.S. News & World Report article discusses how a new wave of hacktivism is adding a twist to cybersecurity woes. At a time when U.S. agencies and companies are fighting off hacking campaigns originating in Russia and China, activist hackers looking to make a political point are reemerging. The government's response shows that officials regard the return of hacktivism with alarm. An acting U.S. Attorney was quoted as saying, "Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud." A recent counterintelligence strategy states, "ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations, are now viewed as 'significant threats', alongside five countries, three terrorist groups, and transnational criminal organizations." Previous waves of hacktivism, notably by the collective known as Anonymous in the early 2010s, have largely faded away due to law enforcement pressure. Now a new generation of youthful hackers, angry about how the cybersecurity world operates and upset about the role of tech companies in spreading propaganda, is joining the fray. Research hacktivism, and write a one-page paper that answers the following questions:
1. Is hacktivism an effective political tool?
2. Did any of the hacktivists you researched go too far?
3. Can hacktivism ever be justified?
Solution: The paper is subjective in nature. The simple answer to the questions posed would be that hacking is never justified. However, this should generate discussion and debate amongst the students.
Answers to questions:
1. Subjective question. Some might reference hacktivism as civil disobedience.
2. Subjective. What is too far for someone might be not far enough for someone else.
3. The simple answer is no. Hacking is illegal.
MODULE 02: SETTING UP A PENETRATION TESTING LAB
TABLE OF CONTENTS
Review Questions
REVIEW QUESTIONS

19. What is VirtualBox?
a. A vulnerability testing tool.
b. A virtualization platform.
c. A set of cloud-based hacking tools.
d. An online file storage solution.
Answer: b
VirtualBox is a software package provided free of charge by the Oracle company. It is arguably the best of the free-of-charge virtualization options.

20. Kali Linux is widely used by pen testers because it's free and comes with many pen-testing tools already installed.
a. True
b. False
Answer: a
Kali Linux is a free, open-source variant of Debian Linux and is popular with pen testers because it includes built-in pen-testing tools.

21. What is an OVA?
a. An Open Virus Attack.
b. An Online Virtual Application.
c. An Oracle Virtual Appliance.
d. An Open Virtual Appliance.
Answer: d
Open virtual appliances are preconfigured virtual machines that can be imported into virtualization platforms such as VirtualBox and VMware Workstation.

22. What is Metasploitable2?
a. A purposefully vulnerable virtual machine useful for practicing pen testing.
b. A pen-testing framework.
c. A type of malware.
d. A pen-testing application.
Answer: a
Metasploitable2 was created and provided by the Rapid7 company so that pen testers could practice pen testing and using Rapid7 tools.

23. Which two of the following commands reveal IP address information on a Linux machine?
a. ipconfig
b. show ip addr brief
c. ip addr
d. ifconfig
Answers: c, d
These commands show slightly different information, but both show IP address details.

24. Use your favorite search engine to research virtualization platforms. Write a one-page report listing and describing three different virtualization platforms.
A good answer will be approximately one page long. Virtualization platforms such as Hyper-V, VMware, Xen, ESXi, and vSphere are likely topics.

25. When did Windows 7 reach the end of its life?
a. January 2022
b. April 2021
c. January 2020
d. Windows 7 is still supported.
Answer: c
All companies eventually end the life of their software products. Supporting them forever is administratively too demanding and financially unfeasible.

26. What percentage of computers still run Windows 7?
a. 1
b. 5
c. 10
d. 12
Answer: d
Many users find that Windows 7 is the best version of Microsoft Windows and are reluctant to switch.

27. What Windows command displays useful IP configuration information such as the IP address assigned to a network interface?
a. ipconfig
b. show ip addr brief
c. ip addr
d. ifconfig
Answer: a
The ipconfig command provides IP information such as IP address, subnet mask, and default gateway. This command is similar to the Linux ifconfig command.

28. Approximately how many devices worldwide currently run Windows 10?
a. 1 billion
b. 10 billion
c. 3.14159 billion
d. 1.3 billion
Answer: d
Windows 10 is the most popular operating system worldwide and can be found in all kinds of devices including desktops, laptops, and Internet of Things (IoT) devices.

29. How can a Windows Server be made into a domain controller?
a. By adding the Domain Controller role
b. By adding the Active Directory Domain Services role
c. By adding the Active Directory Domain Services feature
d. It cannot be made into a domain controller.
Answer: b
The capabilities of an initial installation of Windows Server can be extended by adding supported roles and features, including the Active Directory Domain Services role. Roles are used to add large-scale and complex functional capabilities, and features are used to add simpler ones.

30. What kinds of pen-testing activities can you perform against the DVWA target? (Choose all that apply)
a. Vulnerability discovery
b. SQL injection exploits
c. Brute force attack exploits
d. Social engineering attacks
Answers: a, b, c
DVWA is the Damn Vulnerable Web Application provided by dvwa.co.uk. It has a variety of interfaces that can be used to practice many types of pen-testing attacks.

31. Perform an Internet search for mail server vulnerabilities affecting Axigen and Microsoft Exchange mail servers. Write a one-page report outlining your findings. Include CVE numbers and what versions of Axigen and Exchange they apply to.
A good answer will be approximately one page long. There will be dozens of Microsoft Exchange CVEs to choose from. Microsoft Exchange suffered serious security issues in 2020 and 2021.
MODULE 03: PLANNING AND SCOPING
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS

32. Before any hands-on pen-testing activities take place, the entire pen-testing engagement must be carefully and completely planned.
a. True
b. False
Answer: a
Planning helps determine what targets to test, what targets not to test, what tests to perform, and when to perform them.

33. What is governance?
a. Government regulations that must be taken into consideration during pen testing.
b. Practices that ensure organizational activities are aligned to support the organization's business goals.
c. Governance is what the "G" in "GDPR" stands for.
d. Confirming that all organizational activities meet organizational policies, jurisdictional laws, and regulations.
Answer: b
When you think of governance, think of governors overseeing the well-being of their states. Governors should encourage and execute activities that benefit their states and constituents, while discouraging and avoiding detrimental activities.

34. Which of the following are examples of regulatory compliance standards? Choose all that apply.
a. PCI DSS
b. GDPR
c. PCI SCC
d. DPO
Answer: a, b
The PCI DSS and GDPR are the two compliance standards discussed in the module. PCI SCC is the committee that oversees PCI DSS compliance. DPO stands for data protection officer, a requirement of GDPR.

35. Use your favorite search engine to find incidents of companies being fined for noncompliance under GDPR. Write a one-page report outlining one of these incidents. Include the name of the noncompliant organization, what was noncompliant, who was affected, and the amount of the fine.
Answers will vary. The report should be no more than one page in length and contain a concise summary of the incident selected.

36. Use your favorite search engine to find security incidents where companies were compromised and client information covered under PCI DSS was breached. Write a one-page report outlining one of these incidents. Include the name of the organization, what data was breached, and what vulnerability was exploited to cause the breach.
Answers will vary. The report should be no more than one page in length and contain a concise summary of the incident selected.

37. Which of the following is not a DPO responsibility?
a. Educating the company and employees on important compliance requirements
b. Conducting audits to ensure compliance and address potential issues proactively
c. Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
d. Implementing security changes to address GDPR requirements
Answer: d
DPO is an oversight role, not an implementation role.

38. In the event of a data breach, how long does an organization have to report the breach according to GDPR requirements?
a. 24 hours
b. 72 hours
c. 48 hours
d. 5 business days
Answer: b
This is spelled out in the GDPR report and disclosure requirements.

39. Data security and privacy rights are requirements of which compliance standard?
a. PCI DSS
b. GDPR
c. FIPS
d. ISO 27001
Answer: b
These are just two of the main requirements of GDPR. Data security is mandated to keep personal information safe from unauthorized disclosure, and privacy rights give the individual control over their personal information.

40. Nmap is a globally recognized pen-testing tool that pen testers are allowed to use without restriction.
a. True
b. False
Answer: b
The legal use of nmap is restricted to ethical hacking, and in some jurisdictions, using it without documented signed permission is a crime.

41. What document is a contractual agreement between two or more parties, where one party is the customer and the other a service provider, and outlines the services to be provided to the customer?
a. NDA
b. MSA
c. SLA
d. SOW
Answer: c
A service-level agreement (SLA) is an agreement between two or more parties, where one is the client and the other is a service provider. The SLA can be a separate document or a subsection of another legal agreement. In the case of pen testing, the pen tester is the service provider and the organization to pen test is the client.

42. What document is a contractual agreement between two or more parties that covers details such as scope, deliverables, price and payment schedule, project schedule, change management handling rules, locations of work, and liability disclaimers?
a. NDA
b. MSA
c. SLA
d. SOW
Answer: d
The statement of work (SOW) is the key document in a penetration testing agreement. Whereas the SLA details pen-testing services, the SOW focuses on the work to perform. It contains specific and detailed information outlining the scope and plan of testing.

43. What document is a legally enforceable agreement between pen testers and clients that states that any confidential or sensitive information disclosed by the client to the pen tester, or discovered during pen testing, will not be disclosed to parties outside of the agreement?
a. NDA
b. MSA
c. SLA
d. SOW
Answer: a
The nondisclosure agreement (NDA) attempts to protect the organization under test from any damage that disclosing confidential and sensitive information could cause.

44. Obtaining authorized permission to attack from an organization automatically provides permission to attack any resources that may be hosted by third-party service providers.
a. True
b. False
Answer: b
Third-party service providers should be contacted to obtain permission and schedule attacks.
45. Which of the following is a free, globally accessible service that offers comprehensive and current cybersecurity threat information detailing threat activities, techniques, and models?
a. The Penetration Testing Execution Standard (PTES)
b. The MITRE ATT&CK framework
c. The CVE website
d. OWASP
Answer: b
PTES is a standard, not a service. The CVE website contains vulnerability information but not techniques and models. OWASP provides guidance for developing secure software.

46. What documented part of pen-test planning defines the dos and don'ts, such as the types of tests that are being performed and the types of tests that are disallowed?
a. SOW
b. ROE
c. SLA
d. NDA
Answer: b
Rules of engagement (ROE) define the dos and don'ts of pen testing. Some ROE are global in scope because they apply to all penetration tests, and other rules apply only to specific targets or tests.

47. Using a network that you have authorization to examine (such as your home network, or perhaps a classroom network if your instructor has given you permission), create nine brief target lists based on the nine list types described in the Defining Target Lists section of this module. If no targets apply to a particular list type, include the list heading anyway but leave the list blank.
Answers will vary. The report should contain exactly nine lists, some of which may be empty lists.
ACTIVITIES

ACTIVITY 3-1: RESEARCHING PCI DSS PEN TESTING REQUIREMENTS
Solution: Answers will vary. The report should be no more than one page in length and should contain a brief summary of the case study.
ACTIVITY 3-2: INVESTIGATING GDPR NEWS
Solution: Answers will vary. The report should be no more than one page in length and contain a concise summary of the article selected.
ACTIVITY 3-3: EXPLORING THE MITRE ATT&CK FRAMEWORK
Solution: Answers will vary. The report should be no more than one page in length and contain a concise summary of the technique selected.
ACTIVITY 3-4: DEFINING RULES OF ENGAGEMENT (ROE)
Solution: Answers will vary. All fields in the provided PDF should be filled in. Several ROE items from the module text should have been added to the end of the PDF to complete it.
CASE PROJECTS

CASE PROJECT 3-1: DETERMINING COMPLIANCE REQUIREMENTS FOR PENETRATION TESTING
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Melinda May, the vice president, is your only contact at the company. To avoid undermining the tests you're conducting, you won't be introduced to any IT staff or employees. Melinda wants to determine what you can find out about the company's network infrastructure, network topology, and any discovered vulnerabilities, without any assistance from her or company personnel. Based on this information, write a report outlining the compliance regulations that should be evaluated before beginning penetration tests of the Alexander Rocco Corporation. Include compliance requirements that are mandated by government and industry.
Solution: Answers will vary, but the report should mention PCI DSS, GDPR, and possibly other compliance standards.
CASE PROJECT 3-2: DETERMINING THE LEGALITY OF NMAP AND OPENVAS
Prompt: Because threat actors use some pen-testing tools (such as nmap and OpenVAS), using these tools may be illegal in some jurisdictions even for pen testers. As a pen tester, you must be aware of these restrictions. Create a report listing the jurisdictions where the use of nmap or OpenVAS could break the law. Also list the laws that apply and report under what circumstances the laws allow these tools to be used legally.
Solution: Answers will vary, but the report should at least mention Germany, as it was highlighted in the module text.
MODULE 04: INFORMATION GATHERING

TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS

48. Which of the following is not another term for information gathering?
a. Performing reconnaissance
b. Exploitation
c. Gathering intelligence
d. Footprinting
Answer: b
Exploitation is a later phase of pen testing that can be executed using intelligence obtained from information gathering.

49. Passive techniques don't directly engage targets but instead gather openly shared information from other sources.
a. True
b. False
Answer: a
Directly engaging targets to gather information is known as active reconnaissance.

50. What is OSINT?
a. Operating system information
b. Open source intelligence
c. A tool for retrieving operating system details
d. Office of Security Intelligence
Answer: b
Using OSINT is a key part of passive reconnaissance.

51. If you are gathering intelligence from information and items that a target organization has thrown out, what are you doing?
a. Phishing
b. Social engineering
c. Dumpster diving
d. Scraping
Answer: c
At its messiest, dumpster diving could actually involve getting inside a garbage dumpster, but usually it is just a figure of speech describing digging around in discarded information looking for intelligence.

52. Go to the OSINT Framework website at www.osintframework.com and explore the tree by opening nodes to discover what tools are available. Write a one-page report outlining three tools of your choice. Include the names of the tools, what they are used for, and where to find them.
A good answer will be exactly one page long, describing three tools found on the OSINT Framework website. The description will include the tool name, use, and where to find it.
53. What type of information can be included in document metadata? Choose all that apply.
a. Author
b. Creation date
c. Servers
d. GPS coordinates
Answer: a, b, c, d
Depending on the file, some or all of the above could be hidden within the file's metadata.
54. People, including technical and administrative contacts, can be targets for pen testing.
a. True
b. False
Answer: a
Social engineering of people is a valid reconnaissance activity, provided it hasn't been precluded by the statement of work or rules of engagement.
55. What is social media scraping?
a. The act of securing servers that are used for social media applications
b. Hacking social media platforms
c. Analyzing social media platforms (such as Facebook, Twitter, and LinkedIn) to gather useful intelligence
d. Deleting unwanted posts from your social media feed
Answer: c
It's called scraping because you are trying to extract every last bit of actionable intelligence that may be hidden inside social media posts.
56. How is DNS information useful in pen testing?
a. It may reveal servers that could be targeted for pen testing.
b. It may reveal the IP address of devices that could be targets for pen testing.
c. It may reveal that some devices are cloud based and third-party hosted.
d. All the answers
Answer: d
DNS contains a database mapping device names to IP addresses and vice versa. This information could reveal servers, IP addresses for potential targets, and the fact that a device is cloud-based.
57. Which of the following tools cannot be used for DNS information gathering?
a. nslookup
b. dig
c. host
d. ipconfig /dnsregister
Answer: d
ipconfig /dnsregister is used from the command line on a host computer to register the host IP address and computer name with a DNS server.
58. PwnedorNot is a hacking website where hackers share password dumps.
a. True
b. False
Answer: b
PwnedorNot is a website that can be used to check whether email credentials have been compromised.
59. Which of the following are Internet search engines that can be used to find security issues for all types of devices that are connected to the Internet? Choose all that apply.
a. Shodan
b. Censys
c. blackflag
d. pwned
Answer: a, b
Although they sound like cool hacker sites, blackflag and pwned are not security search engines.
60. CVE and CWE websites are good sources of vulnerability intelligence.
a. True
b. False
Answer: a
CVE stands for Common Vulnerabilities and Exposures, and CWE stands for Common Weakness Enumeration. CVE information provides intelligence on known vulnerabilities in products that can be exploited. CWE information provides intelligence on weaknesses in specific types of systems.
61. Which nmap flag is used to perform ping sweeps?
a. -sT
b. -sP
c. -p
d. -T
Answer: b
The -s flag tells nmap to perform a scan, and the P tells nmap to make that scan a ping sweep. Case matters for nmap flags, so the "s" must be lowercase and the "P" must be uppercase.
62. Which nmap flag is used to adjust scan timing?
a. -sT
b. -sP
c. -p
d. -T
Answer: d
You direct nmap to decrease or increase the speed of its scan by specifying a number between 0 and 5 after the -T flag. Case matters for nmap flags, so the "T" must be uppercase.
63. theHarvester is a command-line tool that can be used to discover email addresses.
a. True
b. False
Answer: a
theHarvester is included in Kali Linux and can be used to find email addresses, subdomains, virtual hosts, ports, and banners.
64. What is web scraping?
a. Cleaning up a website so that no sensitive information is exposed
b. Thoroughly analyzing a website looking for information that can be extracted
c. A type of cross-site scripting attack
d. Removing unwanted software from a web server
Answer: b
Behind the scenes, in the source code of a website and its directory structure, there is often actionable intelligence.
65. Which of the following terms describe the act of eavesdropping on network communication for the purpose of information gathering? Choose all that apply.
a. Packet sniffing
b. Packet interception
c. White boxing
d. Packet mapping
Answer: a, b
Neither white boxing nor packet mapping is an information gathering term.
66. Tokens acquired either by intercepting network traffic or scraping websites could be used for authentication purposes during pen testing.
a. True
b. False
Answer: a
One purpose of tokens is to simplify processes such as connecting and authenticating. Tokens help by storing data about connections and authentications that can be reused but also exploited.
67. Which of the following can be used as detection avoidance techniques? Choose all that apply.
a. Scanning only a few targets at a time
b. Limiting the number of ports being scanned
c. Faking or changing the address of the scanning machine regularly
d. Increasing times between scans
Answer: a, b, c, d
All the choices are correct answers. Scanning fewer targets, limiting the number of ports, and increasing times between scans all reduce the amount of traffic being generated, which draws less attention. Faking or changing the scanning machine address makes it look like all the traffic isn't originating from one source, which also draws less attention.
ACTIVITIES ACTIVITY 4-1: USING DIG TO LOOK UP DNS INFORMATION Solution: Answers will vary but students should identify the name servers as being cloud-based and hosted by AWS.
ACTIVITY 4-2: USING CVE AND CWE TO FIND APACHE WEB SERVER VULNERABILITIES AND WEAKNESSES Solution: Answers will vary.
ACTIVITY 4-3: USING NMAP FOR ACTIVE RECONNAISSANCE Solution: Answers will vary but the information gathered should be similar to what is shown in the figures demonstrating the relevant nmap flags.
ACTIVITY 4-4: USING THE HARVESTER FOR ACTIVE RECONNAISSANCE Solution: Answers will vary. Students should indicate that the -l 200 flag was used to limit the search results to 200 hits, and the -b google flag told theHarvester to use Google as its search engine.
CASE PROJECTS CASE PROJECT 4-1: GATHERING INFORMATION ON A NETWORK'S ACTIVE SERVICES Prompt: After conducting a zone transfer and running security tools on the Alexander Rocco network, you're asked to write a memo to the IT manager, Jawad Safari, explaining which tools you used to determine the services running on his network. Mr. Safari is curious about how you gathered this information. Write a one-page memo to Mr. Safari explaining the steps you took to find this information. Your memo should include the tools, websites, and other resources you used. Solution: Answers will vary. A good answer will be exactly one page long and should discuss tools such as nmap. The steps discussed should include how targets were determined and what specific nmap commands were used.
CASE PROJECT 4-2: FINDING PORT-SCANNING TOOLS Prompt: Alexander Rocco Corporation, which has hired you as a security tester, asked you to research any new tools that might help you perform your duties. It has been noted that some open source tools your company is using lack simplicity and clarity or don't meet the company's expectations. Your manager, Gloria Estefan, has asked you to research new or improved products on the market. Based on this information, write a one-page report for Ms. Estefan describing some port-scanning tools that might be useful to your company. The report should include available commercial tools and their costs. Solution: Answers will vary. A good answer will be exactly one page long and should discuss commercial tools and not free open source tools. Possible tools include Nessus and shodan.io.
Solution and Answer Guide WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 05: PERFORMING VULNERABILITY SCANNING
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS
68. Vulnerability scanning can impact target systems detrimentally, so steps should be taken to mitigate this impact.
a. True
b. False
Answer: a
Vulnerability scanning can generate a lot of network traffic that could overwhelm a target system, especially a system already near maximum capacity. The extra load of responding to vulnerability scan queries could freeze or even crash a target system.
69. What are some of the reasons vulnerability scanning is executed? Choose all that apply.
a. Regulatory requirements
b. Proactive decision
c. Corporate policy
d. Reactive decision
Answer: a, b, c, d
Regulatory requirements and corporate policies may mandate vulnerability scanning. Reacting to a breach of security (reactive decision) should lead to vulnerability scanning. Proactively deciding to scan for vulnerabilities as a preventative measure, when done in a controlled fashion, is a good practice.
70. The CIA triad is an important consideration during vulnerability testing.
a. True
b. False
Answer: a
CIA stands for confidentiality, integrity, and access, security principles that need to be maintained and can be compromised by vulnerabilities.
71. Use your favorite search engine to find incidents of industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems being hacked. Write a one-page report outlining one of these incidents. Describe the system, the vulnerability, the impact the hack had, and how it was fixed. Answers will vary, but a good answer will be approximately one page in length. The Colonial Pipeline hack is a possible topic.
72. What type of vulnerability scan includes login information in its configuration?
a. Full scan
b. Discovery scan
c. Credentialed scan
d. Web application scan
Answer: c
Credentialed scans use supplied login information to attempt to authenticate with targets. Credentialed scans tend to return more information than noncredentialed scans, but both are important.
73. Which application testing methodology requires access to the source code?
a. DAST
b. SAST
c. IAST
d. BLAST
Answer: b
SAST is static analysis, meaning you are testing the code when it is not running. The only way to do that is by reading the source code.
74. What organization provides the "Ten Most Critical Web Application Security Risks" paper?
a. NIST
b. FISMA
c. CISA
d. OWASP
Answer: d
OWASP publishes the "Ten Most" list, along with other useful security guidelines. The other organizations are security-centric but aren't the creators of that paper.
75. The process of entering random data into all the input fields of applications to make sure input is validated is known as which of the following?
a. Fuzzing
b. Stress testing
c. FIPS
d. SQL injection
Answer: a
Stress testing is general software testing. FIPS is a security standard. SQL injection is a type of exploit.
76. Which of the following vulnerability scanning tools can do more than scan web applications?
a. Nikto
b. Wapiti
c. Nessus
d. WPScan
Answer: c
Nikto, Wapiti, and WPScan only scan web applications. Nessus scans everything.
77. What is the purpose of bandwidth considerations during vulnerability scanning?
a. High network bandwidth use may indicate the network has been compromised.
b. Vulnerability scanning can generate a lot of network traffic, so steps should be taken to not overwhelm the network.
c. Vulnerability scanning should be performed at both low-bandwidth and high-bandwidth times.
d. Bandwidth isn't a vulnerability scanning consideration.
Answer: b
Scanning can generate a lot of network traffic and consume a lot of network bandwidth. If scanning consumes too much bandwidth, normal business operations can be affected.
78. Write a one-page report identifying nontraditional systems that are connected to your current network. Include the type and manufacturer of the nontraditional system. Perform a CVE search for each item found and include a one-sentence summary of the CVE information. If you are on a school or work network, you must not perform vulnerability scans without first getting permission. Answers will vary, but devices such as mobile phones, smart TVs, and personal assistant devices are possible finds.
79. Which of the following CVSS base scores would map to medium severity vulnerabilities? Choose all that apply.
a. 10
b. 7.0
c. 4.0
d. 6.9
Answer: c, d
CVSS scores in the range of 4.0 to 6.9 are considered medium severity.
80. Some vulnerability scan results can also specify exploit frameworks that can be used against the vulnerability.
a. True
b. False
Answer: a
Nessus scan results include exploit framework references if they exist.
81. What does a CVSS AV metric value P mean?
a. The attacker must be able to physically touch the device.
b. The attack uses a privilege escalation attack.
c. The attack exploits a specific well-known port number.
d. The attack results in permanent damage to the system.
Answer: a
For CVSS AV, P means physical access, L means local access, A means adjacent network access, and N means remote network access.
82. If a vulnerability discovered is particularly tricky to exploit, requiring Mr. Robot-level skills, what AC value should it be assigned?
a. T
b. H
c. M
d. L
Answer: b
The AC value indicates attack complexity. H is for high, M is for medium, and L is for low. There is no T.
83. What is an application container?
a. An environment used to isolate applications for testing
b. A way of providing applications to computers and end users that is similar to virtual machines
c. A web application vulnerability scanning tool
d. A security requirement of FISMA
Answer: b
Application containers are self-contained execution environments that run on top of the existing operating system. Traditional virtualization requires a virtualization platform to be running on top of the existing operating system or directly integrated with system hardware.
ACTIVITIES ACTIVITY 5-1: NIKTO SCANNING IN THE PEN-TESTING LAB ENVIRONMENT Solution: Answers will vary but a variety of software version upgrades should be detected.
ACTIVITY 5-2: DOWNLOADING AND INSTALLING NESSUS ESSENTIALS Solution: No answers. A successful installation is the goal.
ACTIVITY 5-3: EXECUTING A NESSUS SCAN Solution: No answers. A successful execution of the scan is the goal.
ACTIVITY 5-4: ANALYZING NESSUS SCAN RESULTS Solution: Answers will vary. The results will include many instances of software versions being out of date and requiring updating. There are several critical vulnerabilities, so the three results selected for analysis should be critical ones.
CASE PROJECTS CASE PROJECT 5-1: CREATING A PREVULNERABILITY SCANNING REPORT Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has asked you to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Elliot Alderson, the head of IT, is your current contact for this stage of the project. Elliot has agreed that your findings so far warrant continuing your penetration-testing project on to the vulnerability scanning phase. Before you begin vulnerability scanning, Elliot wants you to provide a documented outline of the tools you plan to use and the types of tests you plan to perform. Your pen testing has identified a group of three web servers, two web applications, and one SQL database server that you recommend should be scanned for vulnerabilities. Based on this information, write a report outlining the vulnerability tools and tests to perform on each target and the types of vulnerabilities you might find. Solution: Answers will vary but Nessus, Nikto or Wapiti, and SQLmap should be mentioned. Web application and SQL vulnerabilities should be the vulnerabilities being tested.
CASE PROJECT 5-2: SECURITY ISSUES IN SECURITY DEVICES Prompt: Network security devices (such as firewalls and intrusion detection systems) are computer systems comprised of custom software running on custom hardware. These devices can have security vulnerabilities just like traditional computing devices. Using resources such as cve.mitre.org and nvd.nist.gov, search for previously discovered vulnerabilities found in security devices such as the Fortinet Fortigate firewall or the Cisco ASA firewall. Create a one-page report outlining three of the most severe flaws discovered by your search. Include CVE numbers, CVSS scores, CVSS vector information, and the fix for each flaw. Solution: Answers will vary but vulnerabilities such as remote code execution, man in the middle, and data leaks may be mentioned.
Solution and Answer Guide WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 06: EXPLOITATION METHODS AND TOOLS
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS
84. Before attempting to exploit a vulnerability, you should always check the statement of work and rules of engagement to make sure the target is in scope.
a. True
b. False
Answer: a
If a computer system is not identified as a valid target in the statement of work, then you shouldn't attempt to exploit it. If the rules of engagement don't specify that the computer system in question may be exploited, then you shouldn't do it.
85. What are some of the ways of building a list of valid user accounts? Choose all that apply.
a. Gathering usernames and email addresses using OSINT tools
b. Using brute-force tools
c. Extracting usernames from /etc/passwd or c:\users
d. Guessing
Answer: a, b, c, d
All the above are possible ways of determining valid user account names.
86. Enumerating application and operating system versions can help with exploitation.
a. True
b. False
Answer: a
Specific versions of applications and operating systems may have known vulnerabilities that can be exploited, whereas other versions may not.
87. Use the exploit database at https://exploit-db.com to search for Windows, Apple, and Android operating system exploits. Write a one-page report outlining the most current exploit for each of these operating systems. Describe each exploit, its impact, and what framework provides an exploit module. A good answer should be about one page in length and describe three current exploits, one for each operating system.
88. Metasploit can be used to gain access to targets and upload exploit payloads to them.
a. True
b. False
Answer: a
That is why Metasploit was created.
89. What command can be used to list available exploits in the Metasploit Framework?
a. list
b. show
c. help
d. ls
Answer: b
The other answer choices are commands that may work in other environments (such as a Linux/Unix shell). show is the correct command in the Metasploit Framework environment.
90. The PowerSploit framework can be used against targets running on the Linux operating system.
a. True
b. False
Answer: b
PowerSploit uses PowerShell, which is a Microsoft Windows command line shell.
91. BloodHound can be used to query domain controllers and gather Active Directory information.
a. True
b. False
Answer: b
You must acquire the Active Directory information another way and use BloodHound to analyze it.
92. Which of the following exploit types can be used remotely against a target? Choose all that apply.
a. PsExec
b. WinRM
c. WMI
d. RPC
Answer: a, b, c, d
PsExec and RPC can be used to execute commands remotely. WinRM and WMI can be used to perform remote management operations.
93. What is fileless malware?
a. Malware files that delete themselves after running
b. Malware that is loaded directly into memory
c. Malware that deletes all files on the target system
d. Malware that hides its files
Answer: b
By loading directly into memory, no file has to be uploaded to the target's storage device.
94. Write a one-page report on the methods and tools used by threat actors to perform living off the land attacks. Outline the common utilities that are used and any special methods that are needed to use them. A good answer should be exactly one page in length. Tools such as PowerShell, WMI, and PsExec should be mentioned. Administrative level permission is needed for these utilities to be effective.
95. The SMB protocol can be exploited using hash replay techniques.
a. True
b. False
Answer: a
The SMB protocol is used for providing access to remotely shared folders. Most SMB shares require authentication before access is allowed. This authentication process transmits hashes of credentials, and if intercepted they can be replayed to give the interceptor access to the share.
96. Which of the following cannot be used for password brute-force attacks?
a. John the Ripper
b. THC-Hydra
c. Gobuster
d. pwdump
Answer: d
pwdump is a tool for extracting password hashes from the Security Account Manager (SAM) database.
97. Increasing the permissions that an attacker's shell environment has is known as which of the following?
a. Vertical movement
b. Privilege escalation
c. Administrator grabbing
d. Shell escape
Answer: b
There is no such thing as administrator grabbing or vertical movement. Shell escape refers to getting out of a restricted shell so that previously inaccessible commands are available.
98. Which of the following is an example of nontechnical post exploitation?
a. Scheduled tasks
b. Social engineering
c. Data exfiltration
d. Shell escape
Answer: b
Social engineering is the art of trickery and human manipulation. This can be accomplished without any special technology or technical skills.
99. Which of the following are ways to achieve persistence? Choose all that apply.
a. Scheduled jobs or tasks
b. Backdoors
c. Service manipulation
d. Creating accounts
Answer: a, b, c, d
Scheduled tasks can be used to restart services or programs needed for exploitation. Backdoors are hidden control shells. Manipulating services can be used to replace secure services with vulnerable services. Creating accounts can provide a hidden method for authentication.
100. Using a compromised target to discover and compromise other targets is known as which of the following?
a. Pivoting
b. Shuffling
c. Passing
d. Evading
Answer: a
Just as in basketball, where you can pivot and look for a player to pass the ball to, in exploitation you can pivot to look for another system to exploit.
101. Completely deleting log files to avoid being detected is a suggested evasion tactic.
a. True
b. False
Answer: b
Deleting an entire log file may be noticed. Deleting the records that your exploit created is likely to go unnoticed.
ACTIVITIES ACTIVITY 6-1: USING EXPLOIT DATABASES TO DISCOVER EXPLOITS Solution: Answers will vary. Exploit DB and Rapid 7 websites both have exploit modules that can be researched and used. Options include LHOST, LPORT, RHOSTS, RPORT, and several others.
ACTIVITY 6-2: USING AN EXPLOIT IN THE METASPLOIT FRAMEWORK Solution: RHOSTS and RPORT are used to specify the IP address(es), and port of the D-Link router to exploit. The payload used is a reverse_tcp meterpreter. If executed successfully the payload would provide a shell to access and control the D-Link router.
ACTIVITY 6-3: SEARCHING FOR DNS EXPLOIT MODULES Solution: There are modules that allow privilege escalation, command injection, and denial of service attacks. The DnsAdmin ServerLevelPluginDLL Feature Abuse Privilege Escalation allows for privilege escalation attacks and affects Windows Server operating systems. The payload is a reverse_tcp meterpreter. Module options LHOST and LPORT are used to specify where the payload connects to. Log and traffic analysis can be used to mitigate APTs, as well as using active cyber defense and threat intelligence.
ACTIVITY 6-4: ADVANCED PERSISTENT THREATS Solution: A good answer will be exactly one page in length. APT stands for Advanced Persistent Threat. Government, business, health, and financial organizations are common targets. Nation states or state-sponsored groups are the usual perpetrators. The life cycle consists of defining a target, attempting to gain a foothold, using the compromised system to access the target network, deploying tools, and covering tracks. Persistence methods include backdoors, living off the land, corrupted services, and lateral movement.
CASE PROJECTS CASE PROJECT 6-1: CREATING A TARGET EXPLOITATION PLAN Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Elliot Alderson, the head of IT, is your current contact for this stage of the project. Your pen testing identified a group of three web servers, two web applications, and one SQL database server, which you have scanned for vulnerabilities. Your scan results have revealed a number of vulnerabilities that you would like to attempt to exploit. Elliot has agreed that your findings warrant performing further testing on these systems, but before authorizing you to begin, Elliot wants you to provide a documented outline of the tools you plan to use and the types of exploits you plan to perform. Based on this information, write a report outlining the types of exploits you would like to attempt and the tools you would like to use. Solution: Answers will vary, but the report should include web application, web server, SQL, and SMB exploits. Tools such as the Metasploit framework should be mentioned.
CASE PROJECT 6-2: COMBATING ADVANCED PERSISTENT THREATS Prompt: Advanced Persistent Threats (APTs) are a family of malware that are the most difficult to deal with. APT malware is more sophisticated than other more common malware. APTs use highly advanced methods and programming to circumvent security systems and contain a level of intelligence that is often able to evade detection and remain on infected systems. Security solutions providers have been creating and providing solutions to help deal with this APT threat. Write a one-page report outlining APT products and solutions created by three different security companies. Outline the capabilities of these products and their cost. Solution: Answers will vary, but a good answer should be exactly one page long. APT products and solutions from Microsoft, Mandiant, and Red Canary may be mentioned.
Solution and Answer Guide WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 07: NETWORK ATTACKS AND ATTACK VECTORS
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS
102. Before attempting a network attack, you should always check the scope and rules of engagement to make sure the target and the attack type are in scope.
a. True
b. False
Answer: a
If network attacks, specific types of network attacks, or the target are not in scope or are precluded by the rules of engagement, then those attacks should not be initiated against that target.
103. What are some ways of choosing targets for attack? Choose all that apply.
a. Using information gathered during the reconnaissance phase.
b. Using nmap open port information.
c. Using vulnerability scanning results that indicate a usable exploit exists in an exploit framework.
d. Using information gathered from exploit databases such as Exploit DB and Packet Storm.
Answer: a, b, c, d
All are part of reconnaissance and provide useful actionable intelligence.
104. IoT devices can be vulnerable to DNS spoofing attacks.
a. True
b. False
Answer: a
IoT devices use DNS just like regular computers do.
105. Use the exploit database at https://packetstormsecurity.com to search for "Network Attack." The hundreds of results returned include Metasploit framework modules, whitepapers, and toolkits. Choose two of the results and read their details. Write a one-page report summarizing their details and describing what type of network attack(s), frameworks, toolkits, and methods are discussed. A good answer will be about one page long. Answers will vary.
106. If a device cannot determine an IP address by asking a DNS server or checking its DNS cache, what method might it try next?
a. NetBIOS
b. ARP
c. RARP
d. Checking its hosts file
Answer: a
NetBIOS is the next step in name resolution if DNS fails.
107. What can the Responder tool be used for? Choose all that apply.
a. Preventing DNS spoof attacks
b. Performing DNS spoof attacks
c. Performing NetBIOS spoof attacks
d. Performing LLMNR spoof attacks
Answer: b, c, d
Responder can perform all these attacks and web server attacks.
108. What is ARP poisoning?
a. Attacks against ARP servers
b. Attacks that interfere with normal ARP broadcasts by returning fake MAC addresses
c. Corrupted ARP packets that can poison a computer and cause it to crash
d. Placing false entries into the ARP database
Answer: b
ARP servers and ARP databases do not exist. ARP packets usually cannot be used to crash a computer.
109. MAC addresses are burned into wired and wireless network cards and therefore cannot be spoofed.
a. True
b. False
Answer: b
Some tools can be used to spoof MAC addresses.
110. What is an on-path/MITM attack?
a. An attack that prevents communication
b. A family of attacks that involve threat actors intercepting and manipulating normal communications
c. A network attack from the 1980s that targeted the Massachusetts Institute of Technology
d. An attack using the on-path/MITM password cracking tool
Answer: b
On-path/MITM attacks want to eavesdrop on communications, so preventing communication is not the answer. No password cracking tool is named as an on-path/MITM attack tool. Although it is a cool story, there was no network attack from the 1980s that targeted the Massachusetts Institute of Technology.
111. Which of the following are network access control mechanisms? Choose all that apply.
a. Switch port security
b. DHCP control
c. Software agents
d. Network traffic analysis
e. SNMP traps
Answer: a, b, c, d, e
All are valid network access control mechanisms, and all can be circumvented.
112. Read the Black Hat presentation at https://www.blackhat.com/presentations/bh-dc-07/Arkin/Paper/bh-dc-07-Arkin-WP.pdf. Write a one-page report summarizing what you consider useful information contained in the presentation.
Answer: A good answer will be about one page long. Content will vary depending on what the learner has chosen.
113. Because Kerberos uses an elaborate and secure ticket granting system to control access to resources, it cannot be exploited.
a. True
b. False
Answer: b
Kerberoasting is an example of exploiting Kerberos.
114. Which of the following CANNOT be used for SSH brute-force attacks?
a. Metasploit framework
b. THC-Hydra
c. Demogorgon
d. Cain and Abel
Answer: c
A Demogorgon is a monster from Dungeons and Dragons and from the hit TV show Stranger Things. All the other tools can be used to brute-force SSH and other things.
115. Which of the following can be used for SMB attacks? Choose all that apply.
a. Responder
b. Metasploit Framework
c. EternalBlue
d. Public SMB shares
Answer: a, b, c, d
Responder can intercept SMB hashes. The Metasploit Framework contains many modules that can be used to attack SMB. EternalBlue is a well-known SMB attack module. Public SMB shares don't require passwords to access them, so you can simply access them and potentially read their contents.
116. Telnet can be used for SMTP attacks.
a. True
b. False
Answer: a
Telnet can be used to connect to port 25, the default SMTP port, and manipulate mail servers.
117. FTP communications are unencrypted, so attacks using tools such as Wireshark might be able to intercept unencrypted passwords.
a. True
b. False
Answer: a
FTP is unencrypted. SFTP, on the other hand, is a secure and encrypted version of FTP that can be used to provide better security.
118. What is a DoS attack?
a. An attack against the Microsoft Windows command-line interface
b. An attack that overwhelms a target with communication, causing the target to be unable to perform its normal functions
c. A password-cracking attack
d. A directed on-site attack
Answer: b
DoS stands for denial of service. The attack overwhelms a target, causing it to be unable to perform its normal functions and preventing users from using the target's services.
119. VLAN hopping corrupts layer 2 frame tagging rules to circumvent security and access previously inaccessible LANs.
a. True
b. False
Answer: a
VLAN hopping is a sophisticated layer 2 attack used to circumvent the security that VLANs provide.
120. Using several exploits together to accomplish a goal is known as which of the following?
a. Brute-forcing
b. Exploit chaining
c. Blitzing
d. Exploit hopping
Answer: b
Brute-forcing is typically a password attack. Blitzing is a military or football maneuver. There is no such thing as exploit hopping.
ACTIVITIES
ACTIVITY 7-1: USING THE PACKET STORM DATABASE TO DISCOVER EXPLOITS
Solution: Answers will vary, but a good answer will be about two pages long and discuss three entries from Packet Storm.
ACTIVITY 7-2: USING SETH TO PERFORM A MITM ATTACK
Solution: Hopefully, the answer is "yes," credentials were captured.
ACTIVITY 7-3: BRUTE-FORCE PASSWORD ATTACK USING THC HYDRA
Solution: This is a hands-on activity with no answers.
ACTIVITY 7-4: DOS ATTACKING THE METASPLOITABLE VM
Solution: This is a hands-on activity with no answers.
CASE PROJECTS
CASE PROJECT 7-1: CREATING A NETWORK ATTACK PLAN REPORT
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some network-based attacks to test the security of the systems you have identified. Olivia Dunham, the head of network security, is your current contact for this stage of the project. Olivia wants to know exactly what you are planning on doing before she will allow you on her network. Your pen testing identified a group of three web servers, two web applications, and one SQL database server that you have scanned for vulnerabilities. Your scan results have revealed a number of vulnerabilities that you would like to attempt to exploit. The network vulnerabilities you have identified are related to SSH, poor SMB security, and poor password security in general. Based on this information, write a report outlining the types of network attacks you would like to perform and the tools you would like to use.
Solution: Answers will vary, but the report should mention SSH and SMB attacks that may involve hash interception and password attacks. Also, brute-force attacks against server login credentials could be mentioned.
CASE PROJECT 7-2: DDOS ATTACK RESEARCH
Prompt: DDoS attacks are a common occurrence, but some DDoS attacks have stood out due to the size of the attacks and the scope of their impact. Use your favorite web browser to research the topic of "World's Worst DDoS Attacks" or "Most Famous DDoS Attacks" and write a one-page report summarizing three of these DDoS attacks. Include when it happened, what organization(s) were affected, the size and scope of the attack, and what methods were used by the perpetrators to perform the attack.
Solution: Answers will vary, but the report should mention SSH and SMB attacks that may involve hash interception and password attacks. Also, brute-force attacks against server login credentials could be mentioned.
Solution and Answer Guide: Wilson, PenTest+: Guide to Penetration Testing 2024, 9780357445266
MODULE 08: WIRELESS AND SPECIALIZED SYSTEMS ATTACK VECTORS AND ATTACKS
TABLE OF CONTENTS
Review Questions .......... 1
Activities .......... 5
Case Projects .......... 6
REVIEW QUESTIONS
121. Before attempting a wireless network attack, you should always check the scope and rules of engagement to make sure the target and the attack type are in scope.
a. True
b. False
Answer: a
The same procedural rules apply to wireless attacks as apply to wired attacks. You must always make sure the pen-testing attacks you plan to perform are allowed.
122. What are some ways of choosing targets for wireless attacks? Choose all that apply.
a. Checking for wireless networks that are available to connect to using a smartphone or wireless laptop
b. Wardriving
c. Using wireless scanning programs such as Vistumbler
d. Using command utilities such as airodump-ng
Answer: a, b, c, d
All of the above methods are effective ways of locating SSIDs, and these SSIDs indicate the presence of individual wireless network targets.
123. What is an SSID?
a. Service set identifier, a name used to identify a wireless network that wireless access points often broadcast to indicate availability
b. A wireless VLAN
c. A wireless authentication protocol
d. Software system identifier, a code used to identify the version of software running on an AP
Answer: a
An SSID is the name of a wireless network that is broadcast to announce its presence and that it is available to receive connection requests.
124. Use the exploit database at https://packetstormsecurity.com to search for "Wireless." The hundreds of results returned include Metasploit framework modules, whitepapers, and toolkits. Choose two of the results and read their details. Write a one-page report summarizing their details and describing what type of wireless attack(s), frameworks, toolkits, and methods are discussed.
Answers will vary, but a good answer will be about one page long. Search results will return information on all the mentioned topics.
125. What is a supplicant?
a. Term used to describe the victim of a wireless attack
b. A wireless user trying to connect to a WLAN that uses 802.1X authentication
c. A wireless hacking tool
d. A wireless access point that uses 802.1X
Answer: b
The 802.1X protocol can be used to add a layer of authentication, which can help keep unauthorized users from using wireless networks. 802.1X uses the term supplicant when referring to users trying to connect, and the term authenticator refers to the wireless AP the supplicant is trying to connect to.
126. What is WPS?
a. A wireless encryption protocol
b. Wireless Protection Service, a security feature of high-end APs
c. Wardriving probe software, an application used for discovering APs
d. Wi-Fi Protected Setup, a wireless standard that allows users to easily and securely add devices to a wireless network
Answer: d
WPS was created so that users could press a button or enter a PIN to add devices to a wireless network instead of having to remember complex authentication credentials. Unfortunately, WPS has proven to be extremely insecure and in most circumstances should be disabled on WAPs.
127. What is Kismet?
a. A wireless attack tool that can be used against wireless networks that were fated to be hacked
b. A type of wireless attack that leapfrogs from one AP to another
c. A passive scanner that can detect hidden network SSIDs
d. Kernel internet software metadata extraction token, an exploit used to compromise AP software
Answer: c
WAPs can be configured to not broadcast their SSIDs, making them "hidden." Kismet can still detect wireless networks and their SSIDs even if the SSID is not being broadcast.
128. What type of wireless attack attempts to force systems to disconnect from an AP?
a. Jamming
b. Eavesdropping
c. Spoofing
d. Deauthentication
Answer: d
To connect to WAPs that require authentication, users must provide credentials to the WAP. In other words, they must authenticate. A deauthentication attack first attempts to disconnect an authenticated user from a WAP and then attempts to intercept wireless packets containing the user's attempt to authenticate again. If successful, this captured authentication handshake can be used to crack the user's password.
129. What is an evil twin?
a. A rogue AP that uses the same name as a legitimate AP
b. A wireless packet duplication attack
c. A wireless attack that can break WEP encryption
d. A type of brute-force attack
Answer: a
Threat actors and pen testers hope that users will unwittingly connect to an evil twin thinking that it is the real, legitimate AP. If users do, a number of on-path/MITM attacks can be performed against the users.
130. Which of the following are wireless network attack tools? Choose all that apply.
a. airmon-ng
b. airodump-ng
c. aireplay-ng
d. aircrack-ng
e. wash
Answer: a, b, c, d, e
airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng can be used against WEP and WPA/WPA2/WPA3 protocols. wash can be used against WPS.
131. Read about the top hacks from the Black Hat and DEF CON 2021 conferences at https://portswigger.net/daily-swig/top-hacks-from-black-hat-and-def-con-2021. Write a one-page report summarizing the details of any hacks that involved wireless devices or protocols.
Answers will vary but may include a wireless IoT hack, an attack named IPvSeeYou, and FragAttacks.
132. The WPA3 protocol is so secure that it is impossible to exploit.
a. True
b. False
Answer: b
WPA3 is vulnerable to a number of attacks, including downgrade attacks that can get WAPs to use WPA2 instead.
133. Successful Bluetooth attacks can result in which of the following? Choose all that apply.
a. IoT devices being hacked
b. Contact information being stolen from smartphones
c. Hackers making phone calls from compromised phones
d. Hackers sending messages from compromised devices
Answer: a, b, c, d
All of the above are possible. IoT devices may be vulnerable to BLE attacks, and bluesnarfing and bluejacking tools can be used to execute the other attacks.
134. Which of the following can threat actors use as a bridge to access secure enterprise networks? Choose all that apply.
a. Rogue access points
b. Compromised smartphones
c. Captive portals
d. 802.1X
Answer: a, b, c
Rogue access points, smartphones, and captive portals can be compromised to provide a way onto any secured networks they may be linked to. 802.1X is a standard that can be implemented to make wireless access points more secure.
135. NFC has such a short range that it is impossible to hack.
a. True
b. False
Answer: b
Threat actors can take advantage of crowds and get close enough to a victim NFC-capable device to hack it. Threat actors can also use relay attacks to forward NFC signals to an accomplice farther away.
136. Mobile devices are prone to which of the following types of attacks? Choose all that apply.
a. Spamming
b. Reverse-engineering
c. Sandbox analysis
d. NFC attacks
Answer: a, b, c, d
Mobile devices can be spammed with text messages or calls. Mobile applications and operating systems can be reverse engineered to discover vulnerabilities. Sandbox analysis can be used to observe the behavior of smartphone software in the hopes of finding flaws to exploit. NFC can be exploited at close range.
137. What is a BLE attack?
a. A Backdoor Lock Embedded System attack, an attack that exploits poor authentication security of embedded systems
b. Bluetooth Low Energy attack, an attack against a low-energy consumption Bluetooth protocol variant often found in IoT devices
c. A brute-force attack against APs
d. Bluetooth Long-distance Exploit, an amplification attack that enables Bluetooth devices to be attacked from distances outside their normal operating range
Answer: b
Bluetooth Low Energy (BLE) is a Bluetooth variation with low-power requirements that can be found in some targets such as IoT devices. It has an authentication flaw that can be exploited.
138. What is IIoT?
a. Integrated Internet of Things, IoT technology inside an embedded system
b. Inspect Internet of Things, a hacking tool used for scanning IoT devices for vulnerabilities
c. A spelling mistake
d. Industrial Internet of Things, IoT devices and technology that are being used for industrial applications such as ICS and SCADA
Answer: d
IoT devices have been integrated into some ICS and SCADA deployments; this type of use of IoT has been given its own category name of IIoT.
139. Which of the following are vulnerabilities known to affect mobile devices? Choose all that apply.
a. Insecure storage
b. Passcode vulnerabilities
c. Biometric vulnerabilities
d. Root-level access
Answer: a, b, c, d
Mobile devices can be prone to each of the vulnerabilities listed above. Mobile devices are little computers, and they can have the same problems as big computers.
ACTIVITIES
ACTIVITY 8-1: DISCOVERING ACCESS POINTS WITH WIFITE
Solution: This is a hands-on activity with no answers.
ACTIVITY 8-2: ATTACKING WEP
Solution: This is a hands-on activity with no answers.
ACTIVITY 8-3: ATTACKING A BLUETOOTH DEVICE
Solution: This is a hands-on activity with no answers.
ACTIVITY 8-4: SPECIALIZED SYSTEM ATTACK REPORT
Solution: Answers will vary, but a good report will be about one page long and include the who, what, where, when, and how information, along with the scope of the impact and what vulnerability was exploited.
CASE PROJECTS
CASE PROJECT 8-1: CREATING A WIRELESS ATTACK PLAN REPORT
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some network-based attacks to test the security of the systems you have identified. Olivia Dunham, the head of network security, is your current contact for this stage of the project. Olivia was pleased with the completeness and level of detail in your previous Network Attack Plan report; she now wants you to provide her with a similar report outlining your plans for pen testing her organization's wireless infrastructure. Your pen testing identified three areas of concern:
1. The presence of several wireless network SSIDs, some of which do not follow the organization's standard naming convention
2. Weak encryption protocols being used on some of these wireless networks
3. WPS seems to be enabled on some WAPs
Based on this information, write a report outlining the types of wireless network attacks you would like to perform and the tools you would like to use.
Solution: Create a report to communicate the types of wireless attacks you would like to perform and the tools you would like to use.
CASE PROJECT 8-2: WIRELESS ATTACK RESEARCH
Prompt: Wireless attacks are a common occurrence, but some wireless attacks have been noteworthy enough that they have made the news. Use your favorite web browser to research the topic of "World's Worst Wireless Attacks" or any similar search phrase to locate information about major Wi-Fi cyberattacks. Write a one-page report summarizing three notable wireless attacks. Include when they happened, what organization(s) were affected, the size and scope of the attacks, and what methods were used by the perpetrators to perform the attack.
Solution: Summarize three wireless attacks by researching the topic "World's Worst Wireless Attacks."
Solution and Answer Guide: Wilson, PenTest+: Guide to Penetration Testing 2024, 9780357445266
MODULE 09: APPLICATION-BASED ATTACK VECTORS AND ATTACKS
TABLE OF CONTENTS
Review Questions .......... 1
Activities .......... 5
Case Projects .......... 6
REVIEW QUESTIONS
140. Which organization provides the "Ten Most Critical Web Application Security Risks" paper?
a. NIST
b. OWASP
c. MITRE
d. CERT
Answer: b
This list is also referred to as the OWASP Top 10 list.
141. Which secure coding practices can help to mitigate SQL injection attacks? Choose two.
a. Sanitization
b. Stored procedures
c. Input validation
d. Escaping
Answer: b, c
Stored procedures are functional pieces of code that reside within a SQL database and can be called to perform operations on the database. This allows for the details of those operations to be hidden from users. Input validation can be used to detect and reject any SQL injected into input fields.
142. What type of attack is commonly used against web applications in an attempt to extract information from its database? Choose all that apply.
a. Injection attack
b. SQL injection attack
c. Boolean blind SQL injection attack
d. Timing-based blind SQL injection
Answer: a, b, c, d
All are variations of the same attack.
143. Use the exploit database at https://www.exploit-db.com to search for "sql injection". The hundreds of results returned include Metasploit framework modules, whitepapers, and toolkits. Choose two of the results and read their details. Write a one-page report summarizing their details and describing what type of SQL injection attacks, frameworks, toolkits, and methods are discussed.
Answer: A good answer will be exactly one page long. There are many web applications in the list, many of them management systems, that the student might choose.
144. When examining the log file for a web server, you observe some entries that contain the characters 1' or 1=1 #. What might this indicate?
a. Session hijack attacks
b. SQL injection attacks
c. Directory traversal attacks
d. XSS attacks
Answer: b
The characters in the log are the standard opening move of most blind SQL injection attacks.
145. What type of attack targets Microsoft Active Directory?
a. LDAP attack
b. Boolean blind SQL injection attack
c. HTML injection attack
d. Redirect attacks
Answer: a
LDAP is the Lightweight Directory Access Protocol, which is used to send queries to an Active Directory database. It might be used by threat actors to retrieve information or change information.
146. What type of attack is being attempted with the following URL: https://mysite.com/cgi-bin/getFile.pl?doc=/bin/ls|
a. XSS attack
b. CSRF attack
c. SQL injection attack
d. Command injection attack
Answer: d
ls is the Linux directory listing command, and /bin is the folder where the command can be found.
147. Session hijacking attacks often use stolen cookies.
a. True
b. False
Answer: a
Session authentication cookies can be used to hijack existing communication sessions between web browsers and web servers.
148. When examining the log file for a web server, you observe an entry that contains the following: https://www.someshoppingsite.com/orderform.php?redirect=http%3a//www.threatactor.com/stealyourpassword.htm What type of attack is this?
a. Redirect attack
b. Session hijack attack
c. Command injection attack
d. SQL injection attack
Answer: a
The redirect keyword in the URL indicates that redirection is being used, and since the URL associated with the redirect is going to a website that is not the original someshoppingsite.com, it is most likely an attack.
149. What type of attack is a "pass-the-ticket" attack?
a. Session hijacking attack
b. Kerberos attack
c. Authentication attack
d. Password attack
Answer: b
When stolen ticket-granting tickets are used to create access tickets, the attack is called a pass-the-ticket attack.
150. Which of the following are authorization attacks? Choose all that apply.
a. Privilege escalation
b. Directory traversal
c. File inclusion
d. Parameter pollution
e. IDOR
Answer: a, b, c, d, e
All are different types of authorization attacks.
151. Navigate to https://portswigger.net/daily-swig/sql-injection and read some of the news items involving SQL injection security. Write a one-page report summarizing the details of one of these articles. Include relevant details such as what organization was impacted, what application was vulnerable, what type of SQL injection was involved, what data was exposed or potentially exposed, and what the fix is.
A good answer will be exactly one page long. There are articles discussing SQL injection flaws in security products such as Rapid7's Nexpose and Sophos' UTMs.
152. Cross-site scripting attacks cannot permanently alter the pages of a website.
a. True
b. False
Answer: b
A persistent/stored XSS attack can embed code, permanently altering a webpage. The page can be restored by a web developer.
153. Which type of attack uses a compromised website that the user is authenticated with to send fake requests to another website that the user is also authenticated with?
a. Reflected XSS attack
b. Persistent XSS attack
c. CSRF/XSRF attack
d. DOM attack
Answer: c
CSRF/XSRF stands for cross-site scripting. It is the trust relationship established by the web browser with the individual website that is being abused to successfully send fake requests.
154. Which type of attack hijacks hyperlinks so that when a user clicks the hyperlink, an unknown and unexpected action occurs?
a. Session hijacking
b. Clickjacking
c. XSS
d. SSRF
Answer: b
Clickjacking is effectively "hijacking the user's clicks." The user is unaware that a hyperlink has been modified or added to the object they are clicking.
155. Which of the following tools can be used to intercept JavaScript responses from mobile devices and inject custom code?
a. Frida
b. APKX
c. Postman
d. MobSF
Answer: a
Frida can also be used to inject your own custom code into these responses.
156. Mobile devices are prone to which of the following types of attacks?
a. Spamming
b. Reverse engineering
c. Sandbox analysis
d. Theft of information
Answer: a, b, c, d
All are possible attacks. Spamming is the reception of unwanted messages. Reverse engineering can be used against mobile device code to discover vulnerabilities. Sandbox analysis can be used to observe the behavior of mobile device software to discover vulnerabilities. Information contained on mobile devices can be stolen if the device is sufficiently compromised.
157. Which of the following types of application testing tools can be used to modify web application traffic for the purpose of performing on-path/MITM attacks?
a. Scanner
b. Debugger
c. Fuzzer
d. Interception proxy
Answer: d
Interception proxies, such as ZAP and Burp, can be used to intercept and modify communication between web applications and web servers. This, by definition, is an on-path/MITM attack.
158. What is fuzzing?
a. Removing insecure comments from source code
b. Correcting input validation flaws
c. Testing application input fields with an overwhelming amount of input to see if the application crashes or perhaps fails some input validation tests
d. A method of stealing cookies
Answer: c
Injection attacks have been the number one web application attack for a long time. Fuzzing applications can help discover injection-vulnerable input fields so that developers can correct them.
159. The automated process of scanning a server to discover directories, files, and possibly subdomains is known as which of the following?
a. Busting
b. Command injection
c. Brute-forcing
d. Fuzzing
Answer: a
DirBuster and GoBuster are two busting tools discussed in this module that can be used to discover directories, files, and possibly subdomains.
ACTIVITIES
ACTIVITY 9-1: RETRIEVE PASSWORDS USING SQL INJECTION
Solution: This is a hands-on activity with no answers.
ACTIVITY 9-2: PERFORM A COMMAND INJECTION ATTACK
Solution: This is a hands-on activity with no answers.
ACTIVITY 9-3: PERFORM A REFLECTED XSS ATTACK
Solution: This is a hands-on activity with no answers.
ACTIVITY 9-4: PERFORM A PERSISTENT XSS ATTACK
Solution: This is a hands-on activity with no answers.
CASE PROJECTS CASE PROJECT 9-1: CREATING AN APPLICATION ATTACK PLAN REPORT Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some application-based attacks to test the security of the systems you have identified. Mo Saleh, the Senior Application Security Program Manager, is your current contact for this stage of the project. Management is pleased with the completeness and level of detail in your previous reports, and now wants you to provide a similar report outlining your plans for pen testing the organization‘s web applications. Your pen testing identified three areas of concern: 1. 2. 3.
Several web servers running older versions of Apache software Several SQL servers running older versions of MySQL No indications that software security and secure programming practices are part of the software development team‘s culture
Based on this information, write a report outlining the types of application attacks you would like to perform and the tools you would like to use.
Solution: Create a report to communicate the types of application attacks you would like to perform and the tools you would like to use. Answers will vary, but the report should mention SQL injection and directory traversal (since we know Apache is being used). Every other application attack is worth trying, since it is suspected that developer code may be insecure.
CASE PROJECT 9-2: APPLICATION ATTACK RESEARCH
Prompt: Data breaches are a daily occurrence; many are the result of poor input validation in web applications, and many have made the news. Use your favorite web browser to research the topic of "Famous SQL Injection Data Breaches" or any search phrase you can think of to locate information about major data breaches caused by SQL injection attacks. Write a one-page report summarizing one of your findings. Include when it happened, what organization(s) were affected, the size and scope of the attack, and what methods were used by the perpetrators to perform the attack.
Solution: Research the topic of "Famous SQL Injection Data Breaches" and write a one-page report summarizing a data breach that occurred due to a SQL injection attack. Answers will vary but should be exactly one page long. Reports of the Freepik and 7-Eleven breaches are likely topics.
Solution and Answer Guide
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 10: HOST ATTACK VECTORS AND CLOUD TECHNOLOGIES ATTACKS
TABLE OF CONTENTS
Review Questions 1
Activities 5
Case Projects 6
REVIEW QUESTIONS
160. Which of the following are non-operating-system-specific exploits that can be used to attack hosts? Choose all that apply.
a. File system permission configuration errors
b. Stored credentials
c. Defaults
d. Brute-force attacks
Answer: a, b, c, d
All the above are common to all operating systems.
161. Which of the following can be used for attacking hosts remotely? Choose all that apply.
a. SSH
b. NETCAT
c. Ncat
d. Metasploit Framework
Answer: a, b, c, d
All the above can create remote connections to hosts that could be used for attacks.
162. Why is SSH useful in remote host attacks? Choose all that apply.
a. All hosts accept SSH connections.
b. SSH provides for encrypted communication that can be used to hide a threat actor's activities.
c. SSH is often installed by default on Linux hosts.
d. SSH can be used to encapsulate other types of traffic by using it for port forwarding.
Answer: b, c, d
"All hosts accept SSH connections" is not true because SSH is not enabled on Windows hosts by default.
163. Use the exploit database at https://www.exploit-db.com/ to search for "SUID." The results returned may include Metasploit Framework modules, whitepapers, and toolkits. Choose two of the results and read their details. Write a one-page report summarizing their details and describing what type of SUID attacks, frameworks, toolkits, and methods are discussed.
A good answer will be about one page long and cover two items from the exploit-db.com website.
164. What does it mean if the SUID bit is turned on (1) in an executable file's permission setting?
a. The file is enabled for sudo execution.
b. The file is protected from copying because the Secure User ID bit is set.
c. When executed, the file will run with the permissions of the owner of the file and not those of the user executing the file.
d. The file is a system (kernel) file.
Answer: c
When set to 1, the SUID bit of a file tells Linux/Unix to run the file using the file owner's permissions; when set to 0, the permissions of the user running the file are used.
165. Which of the following commands will find files that have the SUID bit turned on (1)?
a. find / -perm -4000
b. find / -perm -2000
c. find / -perm -777
d. find -SUID 1
Answer: a
When turned on, the position of the SUID bit in the overall set of permission bits results in the value 4 in the first position.
166. What does the sudo command do?
a. Sets the SUID bit
b. Executes a shell upgrade
c. Opens the sudoers file for editing
d. Attempts to run commands using root-level permissions
Answer: d
sudo stands for "Super User Do" and is a way for standard users to "do" a command as if they were the "Super User," which is the root.
167. Which of the following two commands reveal distribution and version information, useful when attempting Linux kernel exploits? Choose two.
a. uname -a
b. lsb_release -a
c. ls -al
d. vi /etc/kernelinfo
Answer: a, b
uname -a displays the flavor of Linux you are using (Ubuntu, Kali, etc.), and lsb_release -a will tell you what version of that flavor (version 19.0, 6.1, etc.).
168. Mimikatz can be used to exploit Windows NTLM credential hashes.
a. True
b. False
Answer: a
Mimikatz can be used to exploit many types of hashes (including NTLM) and databases (such as the SAM database).
169. What is an LSA secret?
a. A type of SSH key
b. The password for an encrypted file
c. Information revealed by password-cracking tools
d. A Windows registry location that stores the password of the currently logged-in user
Answer: d
The Windows registry contains critical security information, and analyzing it can tell you a lot about a Windows computer.
170. What is a SAM database?
a. System Access Management database
b. SSH Access Monitoring database
c. Security Accounts Manager database
d. A wordlist database used in password cracking
Answer: c
Since Windows XP, Windows uses the SAM database to store password information. The SAM database is still used in Windows 10 and Windows 11.
171. Which of the following Linux tools can be used to acquire credentials from a Windows system? Choose all that apply.
a. cachedump
b. lsadump
c. pwdump
d. /etc/passwd
Answer: a, b, c
All the correct answer items are useful for acquiring credentials from a Windows host. /etc/passwd is the Linux password file, so it is not applicable to Windows.
172. Which of the following can be used to determine if a computer you are remotely connected to is a virtual machine? Choose all that apply.
a. wmic
b. Device Manager
c. ls -l /dev/disk/by-id
d. systemd-detect-virt
Answer: a, b, c, d
wmic and Device Manager work on Windows hosts, and ls -l /dev/disk/by-id and systemd-detect-virt work on Linux hosts.
173. What is it called when a virtual machine is used to attack its host computer and perhaps other VMs on that host?
a. VM escape
b. Shell escape
c. VM escalation
d. Hypervisor drift
Answer: a
VMs are supposed to be isolated from their host computer and other VMs on the same host. If that isolation is broken, it's called an escape.
174. Which of the following is used to virtualize and isolate applications?
a. Hypervisor
b. Virtual machines
c. Proxies
d. Containers
Answer: d
Virtual machines use hypervisors. Virtual machines aren't virtualized applications; they are entire systems. Proxies are used to intercept, store, and forward network communication. Containers are used to virtualize and isolate applications.
175. Which term describes the compromise of a cloud account, allowing pen testers to assume control of that account for their own purposes?
a. Account takeover
b. Account busting
c. Cloud compromise
d. Black cloud hacking
Answer: a
Account takeover is correct. The other answers are made up.
176. What cloud attack redirects victims to a threat actor's cloud-based VMs and services?
a. Cloud redirect
b. Cloud MITM
c. D2O
d. Malware injection
Answer: d
The threat actor is compromising a cloud-based system by injecting malicious services and VMs into the environment.
177. What cloud attack is a form of distributed denial-of-service that targets content delivery networks and load distribution systems?
a. Cloud DDOS
b. Direct-to-origin (D2O)
c. Resource exhaustion
d. proxychain
Answer: b
D2O attacks first determine the originating IP address of the server using the content delivery network and then target that originating IP address.
178. What cloud attack targets shared resources on a cloud server?
a. D2O
b. Resource exhaustion
c. Malware injection
d. Side-channel
Answer: d
It's considered a "side-channel attack" because it's not targeting a cloud-based host "directly" but attacking it from surrounding devices that it uses.
179. What type of attack might use a command of this format?
aws s3 ls s3://<somebucket> --region <region>
a. VM escape
b. Data storage exploits
c. Privilege escalation
d. Denial of service
Answer: b
The command retrieves information from an Amazon Web Services S3 storage bucket, making it useful in data storage exploits.
ACTIVITIES
ACTIVITY 10-1: USING CEWL TO GENERATE A CUSTOM WORD LIST
Solution: This is a hands-on activity with no answers.
ACTIVITY 10-2: SHELL ESCAPE FROM VI EDITOR
Solution: This is a hands-on activity with no answers.
ACTIVITY 10-3: DUMPING THE SAM DATABASE
Solution: This is a hands-on activity with no answers.
ACTIVITY 10-4: DETERMINING IF A HOST IS A VM
Solution: This is a hands-on activity with no answers.
CASE PROJECTS
CASE PROJECT 10-1: CREATING A HOST ATTACK PLAN REPORT
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some pen testing directly targeting specific host computers you have identified in your reconnaissance phase. Some of these hosts are real computers, some are virtual machines, and some are hosted in the cloud. William Bishop, the company's cloud specialist, is your current contact for this stage of the project. Management is pleased with the completeness and level of detail in your previous reports and now wants you to provide a similar report outlining your plans for this stage of pen testing. Your pen testing identified three areas of concern:
1. Some cloud-based resources may be using default settings.
2. You suspect that the company's password policy is weak, and you may be able to crack passwords and gain access to systems.
3. When you asked how many hosts were virtual machines and how many were real computers, nobody could give you a definitive answer.
Based on this information, write a report outlining the types of host attacks (against real, virtual, and cloud-based hosts) you would like to perform and the tools you would like to use.
Solution: Identify the types of host attacks you would like to perform and the tools you would like to use. Answers will vary, but the report should mention the following:
- Attacks looking for defaults to exploit
- Brute-force attacks
- Using tools such as wmic and ls -al to check for settings that indicate that a host is a VM
CASE PROJECT 10-2: CLOUD ATTACK RESEARCH
Prompt: Data breaches are a daily occurrence. Many are the result of poor security configuration of cloud-based resources, and many have made the news. Use your favorite web browser to research the topic of "Famous Cloud Security Breaches" or a similar search phrase to locate information about major cloud security breaches. Write a one-page report summarizing one of your findings. Include when it happened, what organization(s) were affected, the size and scope of the attack, and what methods were used by the perpetrators to perform the attack.
Solution: Summarize a data breach that occurred due to an attack on cloud-based resources by researching the topic "Famous Cloud Security Breaches." Answers will vary but should be about one page long. Reports of the Facebook and Accenture breaches are likely topics.
Solution and Answer Guide
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 11: SOCIAL ENGINEERING AND PHYSICAL ATTACKS
TABLE OF CONTENTS
Review Questions 1
Activities 5
Case Projects 6
REVIEW QUESTIONS
180. Which type of pen testing exploits human vulnerabilities in order to gain access to sensitive information and actionable intelligence?
a. Physical attack
b. Social engineering
c. Pretexting
d. Interrogation
Answer: b
Social engineering is the type of pen testing that targets people and exploits their vulnerabilities. Pretexting and interrogation are aspects of social engineering. Physical attack is a type of pen testing that targets facilities and infrastructure.
181. What term describes a threat actor manipulating a person with the intent to trick that person into doing something that will compromise their personal security or the security of the organization they work for?
a. Physical attack
b. Social engineering
c. Pretexting
d. Interrogation
Answer: b
Another definition of social engineering. See the previous explanation.
182. What is a pretext for an approach?
a. A believable situation that legitimizes why the threat actor is asking the victim to do something
b. Reconnaissance
c. Permission given in the rules of engagement to perform social engineering
d. The goal of the social engineering exercise
Answer: a
With a good setup (pretext), social engineering efforts are more likely to be successful.
183. Which principle of the psychology of social engineering is being used if the victim believes the threat actor has the right and power to ask the victim to perform the desired action?
a. Trust
b. Authority
c. Urgency
d. Reciprocation
Answer: b
If the victim believes the person they are dealing with is a person of authority (such as a manager, executive, or law enforcement), they are more likely to comply with requests.
184. Which principle of the psychology of social engineering is being used if the victim believes the situation is critical and needs to be fixed immediately?
a. Trust
b. Authority
c. Urgency
d. Reciprocation
Answer: c
Urgency can create the environment in which the victim thinks less about the implications of what they are being asked to do and simply complies.
185. Social engineering is never performed in person.
a. True
b. False
Answer: b
Impersonating an employee to get past a security guard to enter a building is an example of in-person social engineering.
186. Which of the following are person-to-person social engineering methods? Choose all that apply.
a. Impersonation
b. Elicitation
c. Interviews
d. Quid pro quo
Answer: a, b, c, d
All are correct. Impersonation is used to pretend to be someone who should be permitted to perform the act the social engineer is trying to perform. Elicitation is used to gather intel from a person in a roundabout way. Interviews are used to gather intel from a person in a more direct way. Quid pro quo is used to make the victim feel like they are obligated to perform an action for the social engineer.
187. What is the social engineering term used to describe peeking at an activity a victim is performing in an attempt to see what they are doing and gather information?
a. Snoop dogging
b. Ninja-ing
c. Sneak attacking
d. Shoulder surfing
Answer: d
Shoulder surfing can be used to discover a variety of intel, such as the entry code for a secure door, a victim's password, or information that a victim has just written down.
188. What type of social engineering attack uses some form of messaging technology to send unsolicited nefarious messages to targeted victims?
a. Phishing
b. Spoofing
c. Spamming
d. Fishing
Answer: a
Phishing can use a variety of technologies such as email, text messages (SMS), or phone calls.
189. What type of phishing attack uses phone calls?
a. Tele-phishing
b. Vishing
c. Smishing
d. Spear phishing
Answer: b
Vishing stands for "voice phishing."
190. What type of website-based attack infects a legitimate website with malware hoping to infect employees of a targeted organization?
a. Clone website
b. Watering hole
c. Cross-site
d. Proxy imposter
Answer: b
In a watering hole attack, a legitimate website is infected with malware and the website remains on its original server. In a cloned website attack, the entire website is copied and hosted by the threat actor. Cross-site is a type of website attack not relevant to this context. Proxy imposter is a made-up term.
191. What is BeEF?
a. Browser Engineering Framework
b. Browser Emulation Function
c. Browser Exploitation Framework
d. Browser Extension Framework
Answer: c
BeEF (the Browser Exploitation Framework) is a pen-testing tool used to gain control over web browsers on the computer of a targeted victim.
192. What social engineering tool uses "hooks" to gain control over web browsers on a victim's computer?
a. BeEF
b. SET
c. Watering hole
d. Web cloner
Answer: a
BeEF (the Browser Exploitation Framework). The hook is a piece of JavaScript that, when introduced to a website, allows BeEF to control and manipulate the victim's web browser.
193. Which of the following tools can be used for VoIP-based social engineering attacks? Choose all that apply.
a. INVITE
b. Viproy
c. BeEF
d. Metavoip
Answer: a, b
INVITE and Viproy can be used to initiate and manage VoIP calls.
194. Before performing pen-testing physical attacks, you should alert the appropriate stakeholders and contacts.
a. True
b. False
Answer: a
Attempting physical attacks without alerting stakeholders and contacts could get you detained or arrested.
195. Which social engineering term refers to questioning a person before you impersonate them?
a. Interviewing
b. ID harvesting
c. Scoping
d. Pretexting
Answer: d
Pretexting is the correct answer. Interviewing is a social engineering activity, but interviewing doesn't necessarily mean you plan on impersonating the interviewee.
196. What is it called if a pen tester gains entry to a building or room by sneaking in behind someone who has just opened a secure door?
a. Jumping the fence
b. Tailgating
c. Piggybacking
d. Shoulder surfing
Answer: b
Tailgating is the correct term. Piggybacking is almost identical, but the person opening the secure door knows they are letting you in.
197. It is always illegal to pick locks during pen testing.
a. True
b. False
Answer: b
If the rules of engagement specify what locks are allowed to be picked, and stakeholders and contacts are aware, picking the allowed locks is not breaking the law.
198. Gathering information from a targeted facility by discovering unprotected or discarded items is known as which of the following?
a. Snoop dogging
b. Dumpster diving
c. Ninja-ing
d. Treasure hunting
Answer: b
You may not have to dive into a dumpster, but you can find actionable intel in one.
199. Tapping a filed key into a lock in an attempt to open it is known as which of the following?
a. Plugging
b. Bumping
c. Tapping
d. Busting
Answer: b
And the key is known as a "bump" key.
ACTIVITIES
ACTIVITY 11-1: SOCIAL ENGINEERING ATTACKS
Solution: This is a hands-on activity with no answers.
ACTIVITY 11-2: SOCIAL ENGINEERING VISHING ATTACKS
Solution: This is a hands-on activity with no answers.
ACTIVITY 11-3: USE SET TO PERFORM A SOCIAL ENGINEERING ATTACK
Solution: This is a hands-on activity with no answers.
ACTIVITY 11-4: DUMPSTER DIVING
Solution: This is a hands-on activity with no answers.
CASE PROJECTS
CASE PROJECT 11-1: CREATING A SOCIAL ENGINEERING ATTACK PLAN REPORT
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some social engineering pen testing to discover if the organization is vulnerable to social engineering attacks. Walter Kovacs, the company's training specialist, is your current contact for this stage of the project. Management is pleased with the completeness and level of detail in your previous reports and now wants you to provide a similar report outlining your plans for this stage of pen testing. Your pen testing identified three areas of concern:
1. The company email system does not seem to have any anti-phishing features or phishing reporting capabilities.
2. Your research has indicated that the majority of staff seem to use the same social media website several times a day.
3. You have observed employees from a variety of delivery companies being allowed entry to the building with little or no security checks.
Based on this information, write a report outlining the types of social engineering attacks you would like to perform and the tools you would like to use.
Solution: Identify the types of social engineering attacks you would like to perform and the tools you would like to use. Answers will vary, but the report should mention:
1. Phishing attacks
2. A website attack (cloned)
3. A physical attack to sneak into the facility, possibly disguised as a delivery person
4. Using tools such as SET
CASE PROJECT 11-2: CREATING A PHYSICAL ATTACK PLAN REPORT
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you would like to perform some physical pen testing attacks to discover if the organization is vulnerable to such attacks. Beatrice Fleming, the company's facility security specialist, is your current contact for this stage of the project. Management is pleased with the completeness and level of detail in your previous reports, and now wants you to provide a similar report outlining your plans for this stage of pen testing. Your pen testing identified three areas of concern:
1. The main security entrance is unguarded and only requires a badge swipe to enter.
2. Documents appear to be thrown away unshredded.
3. A security fence protecting an unsecured back door would be easy to climb.
Based on this information, write a report outlining the types of physical attacks you would like to perform and the tools you would like to use.
Solution: Identify the types of physical attacks you would like to perform and the tools you would like to use. Answers will vary, but the report might mention:
- Impersonation
- Piggybacking and tailgating
- Dumpster diving
- Badge cloning
- Jumping the fence
- Attacks on locks and entry control systems
Solution and Answer Guide
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 12: REPORTING AND COMMUNICATION
TABLE OF CONTENTS
Review Questions 1
Activities 5
Case Projects 6
REVIEW QUESTIONS
200. During pen testing, active two-way communication between the pen-testing team and stakeholders should occur regularly and in real time whenever required.
a. True
b. False
Answer: a
Often the pen tester will initiate communication, but the organization under test can also initiate communication. It's important that the pen tester communicate their progress and any important discoveries. It's helpful when the organization initiates communication to alert pen testers of activities that may impact testing.
201. Which of the following are important contacts for a well-defined communication path? Choose all that apply.
a. Primary contact
b. Technical contact
c. Emergency contact
d. Human Resources
Answer: a, b, c
Primary contact identifies the individual(s) within the organization who are responsible for the day-to-day coordination and management of the penetration test. Technical contact identifies the individual(s) within the organization who can provide technical support during the test. Emergency contact identifies the individual or individuals that can be contacted in the event of an emergency.
202. Which of the following is not a communication trigger?
a. Stage initiation
b. Stage completion
c. Indicators of prior compromise
d. Critical findings
Answer: a
It is not necessary to alert the organization when you are beginning a pen testing phase. All the other answer choices are common triggers requiring communication.
203. Pieces of evidence discovered during pen testing that indicate that a security breach may have already occurred are called which of the following?
a. Clues
b. IOCs
c. Indicators of prior compromise
d. Footprints
Answer: b, c
Indicators of compromise (IOCs) and indicators of prior compromise are the common terms used to describe pieces of evidence that may indicate that a security breach has already occurred.
204. Which of the following are other reasons for communication?
a. Situational awareness
b. De-escalation
c. De-confliction
d. Goal reprioritization
Answer: a, b, c, d
Each of these scenarios merits communication between pen tester and client.
205. Which of the following are remediation control categories?
a. Technical controls
b. Administrative controls
c. Operational controls
d. Physical controls
Answer: a, b, c, d
Each of the above is a valid control category, providing different types of control solutions to remediate security vulnerabilities.
206. Which type of control uses security intelligence in software or hardware solutions to detect and remediate security threats?
a. Technical controls
b. Administrative controls
c. Operational controls
d. Physical controls
Answer: a
All technical controls use some form of software and/or hardware to provide automated detection and sometimes also remediation of security threats.
207. Which type of control uses formalized processes and policies to help improve an organization's security?
a. Technical controls
b. Administrative controls
c. Operational controls
d. Physical controls
Answer: b
Administrative controls use formalized processes and policies to help improve an organization's security. Operational controls are focused only on improving individual security.
208. Which type of controls are standard procedures for various activities that are implemented to improve the security of individual personnel?
a. Technical controls
b. Administrative controls
c. Operational controls
d. Physical controls
Answer: c
Setting standard procedures for security-sensitive operations can help protect individuals from exploitation.
209. Which type of control prevents threat actors from gaining access to or damaging a facility and its infrastructure?
a. Technical controls
b. Administrative controls
c. Operational controls
d. Physical controls
Answer: d
Physical controls (such as fences) prevent individuals from physically accessing or damaging a facility and its infrastructure.
210. Which of the following are common pen-testing findings? Choose all that apply.
a. Shared local administrator credentials
b. Authentication issues such as weak password complexity, plain text passwords, or lack of MFA
c. SQL injection vulnerabilities
d. Unnecessary open services
Answer: a, b, c, d
All the above are common security-compromising vulnerabilities that may be found during pen testing.
211. Choosing a set scale and mapping the data from relevant sources to this chosen scale is known as which of the following?
a. Unification
b. Risk scoring
c. Normalization of data
d. Balancing
Answer: c
Normalization of data is important so that risk levels and other threat metric severities can be easily understood when the sources of information have differing scales.
212. Which section of a pen-testing report is written for C-suite executives?
a. Executive summary
b. Scope details
c. Findings and remediation
d. Conclusion
Answer: a
The executive summary is a concise report of important pen testing findings, written in a non-technical way, meant for executives and stakeholders.
213. Which section of a pen-testing report should contain bulk data and lengthy code listings?
a. Executive summary
b. Scope details
c. Findings and remediation
d. Appendix
Answer: d
The main body of a pen-test report should not be weighed down with bulk data or code listings; the appendix is the best place for such information.
214. Which stage of pen testing returns the client's systems to the state they were in before pen testing began?
a. Follow-up actions
b. Sign-off
c. Post-engagement cleanup
d. Reset
Answer: c
Post-engagement cleanup attempts to return the client's systems to their original state. Removing installed tools and user accounts created for pen testing purposes are examples of post-engagement cleanup activities.
215. If the pen-testing engagement, or parts of it, were executed for regulatory or compliance reasons, what might the client need?
a. Sign-off
b. Data validation
c. PenTest+ certification
d. Attestation of findings
Answer: d The attestation of findings is proof that pen testing was performed. The organization can present it to regulatory or compliance bodies as evidence of compliance.
216. When a penetration-testing engagement is complete, the pen-test team should follow the directions in the statement of work and destroy or retain the appropriate data.
a. True
b. False
Answer: a All data and reports resulting from pen testing belong to the client organization. Unless otherwise stated, all this information should be destroyed by the pen tester after delivering what is required to the client organization.
217. Multiplying impact by probability equals which of the following?
a. Risk rating
b. Business impact
c. Common Vulnerability Score
d. Likelihood
Answer: a Impact (how much damage can be done to the organization if a specific vulnerability is exploited) multiplied by probability (how likely that vulnerability is to be exploited) gives the overall risk rating for the vulnerability.
218. Newly discovered information may necessitate a change in the scope, work, and goals of the pen-testing engagement.
a. True
b. False
Answer: a For example, the reconnaissance phase may discover servers that weren't included in the scope of work but should be.
219. An organization's SOC may be a suitable emergency contact.
a. True
b. False
Answer: a The Security Operations Center (SOC) is responsible for security emergencies, so contacting it for a pen-testing emergency is reasonable.
ACTIVITIES
ACTIVITY 12-1: COMMUNICATION PRACTICE
Solution: This is a hands-on activity with no answers.
ACTIVITY 12-2: SUGGESTING CONTROLS
Solution: Answers will vary, but the report should be exactly one page long.
ACTIVITY 12-3: WRITING AN EXECUTIVE SUMMARY
Solution: Answers will vary, but the report should be exactly one page long and written in a nontechnical fashion for executives.
ACTIVITY 12-4: CREATING A PENETRATION-TESTING REPORT DOCUMENT TEMPLATE
Solution: The document template must contain all the sections as outlined in this module. Headings are sufficient. Placeholder text describing what each section is for is not a requirement, but if a student includes it, they should be praised for their completeness.
CASE PROJECTS
CASE PROJECT 12-1: COMPLETING THE EXECUTIVE SUMMARY
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you now need to formalize your findings and begin the penetration-testing report. Create a penetration-testing report document using the format and sections outlined in this module. Using information contained in the Case Projects of previous modules, complete the executive summary section of the penetration-testing report.
Solution: Develop the Executive Summary section of a penetration-testing report. Answers will vary, but the report should contain high-level details of issues expressed in previous Case Studies and must follow the content guidelines discussed in this module.
CASE PROJECT 12-2: SUGGESTING CONTROLS FOR REMEDIATING SECURITY ISSUES
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted with your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. The project has reached the stage where you now need to formalize your findings and begin the penetration-testing report. Using information contained in the Case Projects of previous modules, add content to the
findings and remediation section of the penetration-testing report. Suggest technical controls that can be used to help mitigate the security issues outlined in your findings.
Solution: Summarize results and suggestions in the Findings and Remediation section of a penetration-testing report. Answers will vary, but the report should mention some of the mitigation techniques discussed in this book, such as patching and input validation.
Solution and Answer Guide WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 13: WRITING AND UNDERSTANDING CODE
TABLE OF CONTENTS
Review Questions 1
Activities 5
Case Projects 6
REVIEW QUESTIONS
220. A C program must contain which of the following?
a. Name of the computer programmer
b. A main() function
c. The #include <std.h> header file
d. A description of the algorithm used
Answer: b The main() function is the starting point for all C programs. Without it, execution of the program cannot begin.
221. An algorithm is defined as which of the following?
a. A list of possible solutions for solving a problem
b. A method for automating a manual process
c. A program written in a high-level language
d. A set of instructions for solving a specific problem
Answer: d Algorithms are not just computer programming concepts. When you bake a cake, the recipe you follow is an algorithm.
222. A missing parenthesis or brace might cause a compiler or interpreter to return which of the following?
a. System fault
b. Interpreter error
c. Syntax error
d. Machine-language fault
Answer: c When a program is formatted incorrectly or is missing expected keywords or constructs, a syntax error occurs and is usually reported by the compiler or interpreter.
223. Write a program in C that politely asks the user to enter a string of characters (e.g., their name), and then prints that string of characters backward. Execute the code, and test that your program works.
Answer: The code will vary, but as long as the program does what the instructions requested, you have succeeded! If you remembered to add documentation/comments to your program, that is great.
224. Most programming languages enable programmers to perform which of the following actions? (Choose all that apply.)
a. Branching
b. Testing
c. Faulting
d. Looping
Answer: a, b, d Faulting is not a known or common programming action. Error handling is, however, and some languages can generate "faults" that can be handled by error-handling code.
225. Before writing a program, many programmers outline it first by using which of the following?
a. Pseudocode
b. Machine code
c. Assembly code
d. Assembler code
Answer: a Pseudocode is not a programming language, but a human-language outline of what a program is going to do.
226. Which of the following statements has the highest risk of creating an infinite loop?
a. while (a > 10)
b. while (a < 10)
c. for (a = 1; a < 100; ++a)
d. for (;;)
Answer: d This for loop has no defined check to determine when it should stop. If it is executed, it will not stop, creating an infinite loop.
227. To add comments to a Perl or Python script, you use which of the following symbols?
a. //
b. /*
c. #
d. <!-- -->
Answer: c The other answers are comment options for other programming languages.
228. Using a Windows computer, write a program in Perl that politely asks the user to enter a string of characters (e.g., their name), and then prints that string of characters backward. Execute the code and test that your program works.
Answer: The code will vary, but as long as the program does what the instructions requested, you have succeeded! If you remembered to add documentation/comments to your program, that is great. Did you do it on a Windows computer (and not Linux) as asked?
229. Name two looping mechanisms used in Perl.
Answer: for loop, while loop. All the programming languages discussed in this module have for and while loop mechanisms, the implementation of which may vary.
230. In C, which looping function performs an action first and then tests to see whether the action should continue to occur?
a. for loop
b. while loop
c. do loop
d. unless loop
Answer: c The condition test comes at the end of a do loop. In all the others, the condition test is done first.
231. What is the result of running the following C program?
    #include <stdio.h>
    int main(void) {
        int a = 2;
        if (a = 1)
            printf("I made a mistake!");
        else
            printf("I did it correctly!");
        return 0;
    }
a. "Syntax error: illegal use of ," is displayed.
b. "I made a mistake!" is displayed.
c. "Syntax error: variable not declared" is displayed.
d. "I did it correctly!" is displayed.
Answer: b a == 1 (logical equivalency check) should have been used instead of a = 1. A single equal sign assigns 1 to the variable a, and the assignment expression evaluates to 1, which is true, so the first branch of the if statement is executed.
232. Using the following Perl code, how many times will "This is easy..." be displayed onscreen?
    for ($count=1; $count <= 5; $count++) {
        print "This is easy...";
    }
a. 6
b. 4
c. None (syntax error)
d. 5
Answer: d In the for loop, the variable $count starts at 1 and is incremented after each iteration. The condition check in the middle allows the for loop to continue as long as $count is less than or equal to 5. So, the loop iterates five times, printing "This is easy..." each time.
233. Using a Linux computer, write a program in Perl that politely asks the user to enter a string of characters (e.g., their name), and then prints that string of characters backward. Execute the code and test that your program works.
Answer: The code will vary, but as long as the program does what the instructions requested, you have succeeded! If you remembered to add documentation/comments to your program, that is great. Did you do it on a Linux computer (and not Windows) as asked?
234. Which of the following HTML tags is used to create a hyperlink to a remote website?
a. <a href=http://URL>
b. <a href="http://URL">
c. <a href="file:///c:/filename>
d. <a href/>
Answer: b The href attribute expects a string value containing a properly formatted link. In the answer(s), URL is a placeholder for an actual URL that you would use, such as google.com.
235. In object-oriented programming, classes are defined as the structures that hold data and functions.
a. True
b. False
Answer: a Classes can be used to create instances (objects) of that class, and those objects will have the data and the functions automatically defined in them. It is a convenient way of creating multiple things of the same type/class.
236. What are three looping mechanisms in JavaScript? (Choose all that apply.)
a. for loop
b. while loop
c. if-then-else loop
d. do loop
Answer: a, b, d If-then-else is not a looping construct, but a logical branching construct. All the other answers are valid ways to loop in JavaScript.
237. Which of the following is the Win32 API function for verifying the file system on a Windows computer?
a. Filesystem( )
b. FsType( )
c. System( )
d. IsNT( )
Answer: b FsType() will return the file system type on a Windows computer. The other answers are not valid Win32 API functions.
238. Using a Windows computer, write a program in Python that politely asks the user to enter a string of characters (e.g., their name), and then prints that string of characters backward. Execute the code and test that your program works.
Answer: The code will vary, but as long as the program does what the instructions requested, you have succeeded! If you remembered to add documentation/comments to your program, that is great.
239. Using a Linux computer, write a program in Ruby that politely asks the user to enter a string of characters (e.g., their name), and then prints that string of characters backward. Execute the code and test that your program works.
Answer: The code will vary, but as long as the program does what the instructions requested, you have succeeded! If you remembered to add documentation/comments to your program, that is great.
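One sample solution for question 223 (the same exercise is set in Perl, Python and Ruby in questions 228, 233, 238 and 239), added here as an example and not taken from the book: it reads the name with fgets into a fixed-size buffer so that input longer than the buffer is truncated instead of overflowing it, strips the trailing newline, and reverses the string in place. The buffer size and function names are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Fixed buffer size chosen for this example: longer input is truncated,
 * it can never overrun the buffer the way an unbounded read could. */
#define NAME_BUF_SIZE 64

/* Reverse the string in place by swapping characters from both ends.
 * Works for empty and one-character strings. Returns s for convenience. */
char *reverse_in_place(char *s)
{
    size_t len = strlen(s);
    for (size_t i = 0, j = len; i + 1 < j; i++, j--) {
        char tmp = s[i];
        s[i] = s[j - 1];
        s[j - 1] = tmp;
    }
    return s;
}

/* Remove the trailing newline that fgets keeps. If there is no newline,
 * the line was longer than the buffer and its remainder is still waiting
 * in the input stream, so drain it (when a stream is given) to keep the
 * next read consistent. Returns the cleaned length. */
size_t trim_line(char *line, FILE *in)
{
    size_t len = strcspn(line, "\n");
    if (line[len] == '\n') {
        line[len] = '\0';
    } else if (in != NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') {
            /* discard the part of the line that did not fit */
        }
    }
    return len;
}

int main(void)
{
    char name[NAME_BUF_SIZE];

    printf("Hello! Could you please enter your name? ");
    fflush(stdout);
    /* sizeof name bounds the read to the buffer, unlike gets() */
    if (fgets(name, sizeof name, stdin) == NULL) {
        fprintf(stderr, "No input received.\n");
        return 1;
    }
    trim_line(name, stdin);
    printf("Thank you! Your name backward is: %s\n", reverse_in_place(name));
    return 0;
}
```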
ACTIVITIES
ACTIVITY 13-1:
Solution: Answers will vary. The algorithm might include the following steps:
1. Get a bowl.
2. Get two eggs.
3. Get a fork.
4. Get salt and pepper.
5. Crack the eggs into the bowl.
6. Remove the shells and dump them in the trash.
7. Use the fork to stir the eggs vigorously until the mixture is yellow.
If a student forgets to remove the shells, he or she has missed an important step in creating the algorithm.
ACTIVITY 13-6:
Solution:
Step 17: Answers will vary. Students might think of formatting the output so that descriptions of the information gathered are easy to recognize. For example, instead of just listing "NTFS," the program could display "The file system of this computer is NTFS."
Step 19: Answers will vary. Students should think outside the box, not just look at what's available in the table of Win32 API functions. For example, is it possible to get the IP configuration from the computer? Could a script be written to display the IP address, MAC address, and default gateway configured for each computer?
ALL OTHER ACTIVITIES: Solution: All other activities are hands-on and do not have questions to be answered.
CASE PROJECTS
CASE PROJECT 13-1: DETERMINING SOFTWARE ENGINEERING RISKS FOR ALEXANDER ROCCO
Prompt: After reviewing all the applications Alexander Rocco uses, you notice that many have been modified or changed during the past couple of months. Two of the company's financial applications are written in C and, according to Jose Mendez, the IT security administrator, monitor the company's accounts and financial data. Mr. Mendez discovered that several modifications were made to one program, with no documentation indicating who made the changes or why. Based on this information, write a memo to Mr. Mendez with your findings and any recommendations you might have for improving the security of the company's software engineering practices. Search the Internet for any information on securing company software. Does the OSSTMM address any of these issues? What improvements should you recommend to better protect this information?
Solution: Answers will vary. The memo should recommend giving only authorized personnel access to applications and suggest a company policy requiring that any program changes be documented with at least the programmer's name, the date, and a brief description of the changes.
CASE PROJECT 13-2: DEVELOPING A SECURITY-TESTING TOOL
Prompt: Your manager at Security Consulting Company has asked you to develop a tool that can gather information from several hundred computers running Windows 10 at Alexander Rocco. The tool needs to verify whether any computers are left running at certain hours in the evening, because management has requested that all computers be turned off no later than 6:00 p.m. Write a memo to your supervisor describing the programming language you would use to develop this tool and the method for verifying the information Alexander Rocco management requested.
Solution: Answers will vary. The memo should mention the programming language the student chose (C, Python, Ruby, or Perl, for example; JavaScript would not be a common choice because it is better suited to exploit code than to automation). Discuss verifying whether Windows 10 is running after 6:00 p.m. Students can give information on how a ping statement could be programmed by using a loop and might also
include a snippet of code for performing this task. Instructors should emphasize that programming skills can help security testers perform many tasks.