OBJ-3.1: A business email compromise (BEC) is a form of elicitation where the attacker impersonates a high-level executive or directly takes over their email account. The attacker then sends an email to elicit personnel to take actions on their behalf. In this example, the attacker is impersonating the company’s CEO by sending an email to the financial personnel requesting they send a money transfer for what appears to be a legitimate service. This example also uses the urgency and authority motivation factors to convince the employee to take action.

OBJ-5.3: This code takes the input of “id” directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like’ or ‘1’ =’1. This will cause the SQL statement to become: “SELECT * FROM CUSTOMER WHERE CUST_ID=” or ‘1’=’1′”. Because ‘1’ always equals ‘1’, the where clause will always return ‘true,’ meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.

OBJ-1.1: A technical constraint is any item that is specifically excluded from the penetration test engagement. In general, these constraints will be technical in nature. For example, a legacy server may be considered too fragile to withstand denial of service or buffer overflow attacks. Other technical constraints may focus on the tools used based on the cost that would be involved. For example, it may be too costly to perform a USB key drop in the parking lot of a remote data center, so there may be a technical constraint to only allow remote attacks during the engagement.

OBJ-3.7: A penetration tester can use the “reg add” command to cause a particular program or command to start every time the Windows machine is booted up. To achieve this, the penetration tester stores the program in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The first one will cause the program to run whenever any user logs into the machine. The second will only cause the program to start when the victimized user logs in again.

OBJ-3.6: A traditional door lock doesn’t require power to operate. Therefore, it will still protect the facility and keep the intruder out of the server room. The other options all require power to function and operate.

OBJ-1.3: Whitelisting allows the IP address to be excluded from ACL rules and other signatures. This prevents an active device, like a web application firewall (WAF), layer 4 firewall, or an intrusion protection system (IPS) from blocking the penetration tester during the assessment. By having your IP added to the whitelist, you can focus your time and efforts on finding vulnerabilities with the servers themselves instead of trying to break through a compensating control like a WAF or IPS.

OBJ-2.2: Compliance scanning verifies that a network adheres to certain policy requirements, such as a corporate baseline. These policies can be corporate, industry, or governmental regulations. In this scenario, you are asked to verify the servers comply with the company’s software baseline. Therefore, a compliance scan is the best option to select.

OBJ-4.2: Android apps come packaged as APKs (Android PacKages). The APK contains all the application files, including the DEX file (Android bytecode/binary). To reverse the APK into source code to conduct a static analysis, you can convert the DEX file to a JAR (Java Archive) file. Then, you can decompile the JAR file into Java source code using a decompiler. While the specifics on how to do all of this are beyond the exam’s scope, you should understand the concepts and basic steps involved per the exam objectives.

OBJ-1.3: An APT refers to an adversary’s ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

OBJ-3.5: When running an exploit, sometimes you don’t receive a fully interactive shell in return. If you receive a “dumb shell”, you can use Python to spawn a pty. A pty is a pseudo-terminal utility that is built into Python and only works on Linux systems. From here, you can attempt a privilege escalation using su and other commands on the system.

OBJ-3.5: A cold boot attack can be used by an attacker who has physical access to a computer whose hard drive is encrypted. During a cold boot attack, it is possible to retrieve the encryption keys after starting the computer from its powered down state. When the operating system begins to load, you may capture the encryption keys stored in temporary memory by performing a RAM dump on the system and analyzing its contents.

OBJ-4.2: Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.

OBJ-2.4: Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. An impersonation attack occurs when the attacker gains control of an employee’s account and uses it to convince other employees to perform fraudulent actions. Improper usage occurs when an employee or other authorized user utilizes the systems or networks not as intended or designed. The loss or theft of equipment usually relates to a smartphone, tablet, or laptop is lost or stolen, and then the data on it becomes compromised.

OBJ-3.4: A sophisticated adversary may discover the software’s embedded key through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.

OBJ-1.3: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.

OBJ-2.2: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

OBJ-1.1: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment’s scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.

OBJ-4.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested and run for analysis.

OBJ-5.3: A biometric reader would read the employee’s fingerprints. A mantrap is most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access.

OBJ-2.1: To conduct a banner grab using telnet, you first must connect to the server using “telnet webserver 80”. Once the connection establishes, you will receive a blank prompt, and you then issue the command “HEAD / HTTP/1.1”. It requests the document header from the server and provides information such as the server software version and the server’s operating system.

OBJ-2.1: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Man-in-the-middle attacks would involve a penetration tester coming in between the traffic source and destination, which would allow its active inception and possible modification. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

OBJ-2.1: Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of an organization by using a methodological manner to conduct the scanning. If this scan is conducted from outside of the organization’s network, it can be used to determine the network devices and information available to an unauthorized and external attacker. A DNS query log review, intranet portal review, or technical control audit would require internal access to the network, which is typically not accessible directly to an external attacker.

OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.

OBJ-3.4: This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to , which is a simple method to cause your web browser to create a popup that displays the text “I love Skillcertpro Training.” If you attempt to load this URL in your browser, it may or may not function depending on your browser’s security.

OBJ-3.4: The function uses hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31&#. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since an attacker can reverse-engineer them. In this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow attack vulnerability based on the code being shown. In fact, this code doesn’t even show any SQL or ability to connect to an SQL database. We cannot see the variable initiation in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.

OBJ-4.4: Python is a commonly used scripting language used in cybersecurity. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.

OBJ-3.1: Smishing (SMS phishing) is a phishing attack in which the attacker entices their victim through SMS text messages. If the messages are sent by text message, then the attack is considered smishing.

OBJ-1.3: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

OBJ-4.2: Dedicated GPUs are designed to conduct complex mathematical functions extremely quickly. If you want to build a system to perform cracking of a password, hash, or encryption algorithm, it is important to have a high-speed, dedicated GPU. The reason to use a GPU instead of a CPU for password cracking is that it is much faster for this mathematically intensive type of work. Cracking passwords, hashes, and encryption is a lot like mining cryptocurrency in that using dedicated GPUs will give you the best performance.

OBJ-4.2: YASCA (Yet Another Source Code Analyzer) is an open-source software assurance static test (SAST) program that inspects the source code for security vulnerabilities, code quality, and performance. FOCA, Hydra, and APK studio are not categorized as SAST tools. FOCA (Fingerprinting and Organization with Collected Archives) is a network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information. Hydra is a free network login password cracking tool that is included with Kali Linux. It supports several authentication protocols. APK Studio is a cross-platform IDE for reverse engineering Android applications.

OBJ-4.4: The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating strings, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.”. For now, let us refer to these octets, such as the ones used in internet protocol version 4 addresses. Each octet will allow the combination of 25[0-5] OR (|) 2[0-4][9-] OR numbers 00-99 is preceded by (?) a 0 or 1, or just a single number followed by a “.”. Since the period is treated as a special character in a REGEX operator, the escape character (\) is required to enable the symbol to act as a dot or period in the output. This sequence repeats four times, allowing for all variations of normal IP addresses to be entered for values 0-255. Since 259 is outside the range of 255, this is rejected. More specifically, character strings starting with 25 must end with a number between 0 and 5 (25[0-5]). Therefore, 259 would be rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answer first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don’t be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn’t a valid IP address? Clearly, 37.259.129.107 is not a valid IP address, so if you had to guess as to what wouldn’t be an output of this complex-looking command, you should guess that one!

OBJ-3.2: HTTP is an unsecured protocol, and information is passed without encryption. If the user signed into their webmail over HTTP instead of HTTPS, a network sniffer could compromise the username and password. Additionally, if the user was using an email client, then the SMTP connection could have been compromised, but since that wasn’t an option in this question, we must assume Bobby used a webmail client over HTTP instead.

OBJ-5.3: Since the company is concerned with protecting data on the devices, you should enforce full storage encryption on the devices. Even if the device is lost or stolen, the device’s data would be inaccessible to the person who stole or found the device. Additionally, the company may wish to enable the capability to conduct remote wipes of the device if they are lost or stolen to protect the data further.

OBJ-3.1: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn’t clearly targeted by their name or by their association with a particular store, company, or website.

OBJ-2.4: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.

OBJ-2.2: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices’ configurations accurately.

OBJ-5.3: If the encryption is insecure, then we must look for encryption software updates or patches. If they are available, we must install them.

OBJ-3.5: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!

OBJ-4.3: There are several methods for locating Domain Controllers, depending on what you know about the environment you are using. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for Kerberos and LDAP based protocols on the intranet.skillcertprotraining.com domain. If you were using a Linux client, you could run a similar command syntax using dig.

OBJ-3.4: The string aGVsbG8gd29ybGQNCg== is using Base64 encoding. Base64 encoding is commonly used to convert binary data, such as ASCII text characters, into an encoded string to bypass detection mechanisms in a network. While a Base64 string won’t always end with an equal or double equal sign, it is common to see them used. This is because the equal signs are used to pad the string to the proper length and complement the final processing of the message’s encoding.

OBJ-3.2: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

OBJ-3.6: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder.

OBJ-1.1: An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on web sites that use user-supplied information to construct an XPath query for XML data.

OBJ-1.1: The WSDL (Web Services Description Language) document is an XML formatted document defining a web service’s capabilities and how to access it. Since this scenario states that the company relies on a SOAP-based web service, the assessment’s best support resource would be a copy of their WSDL document.

OBJ-2.5: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. A signature kinetics scan measures a user’s action when signing their name and compares it against a known-good example or baseline.

OBJ-2.4: A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.

OBJ-3.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface.

OBJ-1.3: First-party hosted target types are used when a client organization hosts the targeted network or system in their own data center. Since the data center is owned by Skillcertpro Training and hosted internally, this would not be considered third-party hosted or off-site. Simultaneously, this may become an internal target type, depending on where the penetration tester attacks from, which is not clear just by the wording in this question. Therefore, the third-party target type is the BEST answer to this question.

OBJ-5.4: A penetration test is a fluid process based on the people, processes, and technology involved. When the company changed its architecture, it essentially invalidated much of the research your team conducted. The recommendation to whitelist the source IP addresses is a goal reprioritization. Without adequate preparation time, it is unlikely you will exploit or bypass the new UTM appliances. Therefore, you suggest that the client reprioritize the engagement to focus on the internal network during this assessment to make the best use of your time and resources.

OBJ-4.4: When evaluating the code s[4::-1], you would receive “TnoiD” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “SkillcertproTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The format for the array is [start:end:increment], so s[4::-1] is evaluated as starting with the 4th position (T in SkillcertproTraining.com since computers start counting at 0), count until it reaches the beginning or end of the word, and then increment by one position each time to the left (since it was -1). This would display the 4th position (T), 3rd position (n), 2nd position (o), 1st position (i), the zero position (D), and then stop.

OBJ-5.3: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.

OBJ-3.1: Social proof relies on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it. In this case, the victim is convinced that “everyone else” is also using this website to watch a new movie, so they decide to join in. Little do they know, the penetration testing team set up this website to collect their information or load malicious code onto their laptop for a future exploit.

OBJ-2.3: CVSS metrics are categorized as critical, high, medium, low, or none based on their numerical score. Vulnerabilities with CVSS base scores rated 9.0 or above are classified as critical. CVSS scores between 7.0 and 8.9 are classified as high. CVSS scores between 4.0 and 6.9 are classified as medium. CVSS scores between 0.1 and 3.9 are classified as low. CVSS scores of 0.0 are classified as none.

OBJ-3.7: Netcat (nc) is an open-source networking utility for debugging and investigating the network, and that can be used to create TCP/UDP connections and investigate them. It is extremely popular with penetration testers and attackers alike due to its multiple use cases. You should be familiar with setting up a listener and establishing a connection to the listener using netcat. Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario). To start the connection to the listener, you would enter “nc -e “, substituting the details for each parameter in each set of brackets.

OBJ-5.3: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

OBJ-2.3: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

OBJ-3.2: A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

OBJ-1.3: Penetration testing is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testers only do this with permission of the organization that owns the system, network, or web application and within the bounds of their scope of work. The person will not attempt to exploit a weakness during vulnerability scanning. Social engineering may be used as part of a penetration test, but it does not adequately describe the scenario provided. Hacktivism is when someone is hacking an organization without permission based on their own morals and values.

OBJ-4.2: Impacket is a collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords.

OBJ-3.1: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.

OBJ-5.3: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

OBJ-4.1: The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option will scan each of the listed server’s IP addresses. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results to the shell. The option of -sL will only list the servers to scan. It will not actually scan them. The option of -oX is for outputting the results to a file in an XML format.

OBJ-3.4: It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server runs SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don’t want to fully disable remote root SSH logins, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn’t appear that anonymous SSH logins are an issue, either, as we don’t see any anonymous attempts in the logs.

OBJ-2.2: When a vulnerability scanner analyzes the response received from services during a scan or probe, it can determine if the vulnerability exists on the given service on a particular host. Port Scanning is the name for the technique used to identify open ports and services available on a network host. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports.

OBJ-1.2: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.