OBJ-1.3: In a black box assessment, the penetration tester takes an average hacker’s role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

OBJ-2.5: There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.

OBJ-2.4: In this scenario, the only one of these techniques we know was used for certain is a proof of concept. A proof of concept is a benign exploit developed to highlight vulnerabilities in a system or product. Usually, a proof of concept is developed by security researchers to demonstrate a flaw of vulnerability in a widely used system, software, hardware, or protocol. The technical details may not be initially published until the researcher can provide the information to the companies affected, and they can release a patch. Other times, the security researchers will provide all the details in their security blogs so that both defenders and attackers know the exploit’s details.

OBJ-3.1: Vishing uses a phone call to conduct information gathering and phishing type of actions.

OBJ-3.5: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

OBJ-5.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.

OBJ-5.1: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system’s data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn’t disclose any information about the data stored within the system, though, so it isn’t a great threat to our data’s confidentiality.

OBJ-4.1: The simplest way to scan multiple subnets adjacent to each other is to use the -Pn tells the command to conduct a host-only scan of every IP in this target space without using ping. Using the dash (-) in the IP address means to scan “this network through this network.” So, 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.

OBJ-3.4: This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

OBJ-1.3: This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides them with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.

OBJ-3.4: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user’s files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.

OBJ-3.7: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

OBJ-3.4: The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the/etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.

OBJ-3.5: This penetration tester is attempting to exploit an unsecure SUDO vulnerability. First, they ran the find command and specified that it should look for permissions that follow the numerical representation of the SUID bit permission (+4000). It also looked for any files owned by the root user and were considered regular files (f), then it displays them to the screen. There were 4 files found in this example, one of which was the /usr/bin/sudo file. Next, the penetration tester attempted to perform a chmod against the /usr/bin/sudo file and set its permissions to 4111. If they were successful, this would change the permissions to allow the user, the group, and everyone else on this computer to execute the sudo command. When the sudo command is run, because it has the SUID bit set, the user can run the command as the root user. For this reason, the /usr/bin/sudo should have its permissions set to 4411 and not 4111.

OBJ-5.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

OBJ-1.3: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Based on the details provided in the question, it appears the employee’s legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

OBJ-1.3: Scope creep is the condition that occurs when a client requests additional services after a SOW has been signed, and the project scope has been documented. This is not a condition that is limited to penetration testing, either. Practically every project manager or building contractor can provide examples of scope creep that happened with various projects. The big problem with scope creep is that it takes resources away from those documented in the SOW. It can also become a source of contention when it comes time to bill the client or complete the engagement.

OBJ-2.5: Application containers are virtualized environments designed to package and run a single computing application or service and share the same host kernel. Since they share the same host kernel, they use common libraries, as well. If you can exploit the common libraries, you will gain access to every website on that server, even if they are in an application container. An application container does not use a hypervisor like a typical virtual machine. Configuration files are unique to each application container. The e-commerce website’s web application is likely hosted in a single application container and, therefore, would not provide you access to every website simultaneously if exploited.

OBJ-5.1: Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security. Reports and testing tools alone cannot show progress. You must have measurable results using metrics.

OBJ-3.5: Kerberoasting is the dumping of the hash of the krbtgt (kerberos ticket-granting ticket) from a server’s memory using a domain-based user account. This is then used to create new golden tickets that allow any domain user to request the Ticket Granting Ticket from a domain service account. This can be cracked offline to reveal the plaintext password of the account. Many Windows services run with administrative privileges, and most system administrators don’t frequently change these passwords. This can lead to an attacker gaining access to a domain for a long period of time.

OBJ-1.1: A swagger document is the REST API equivalent of a WSDL document that defines a SOAP-based web service. Since Skillcertpro Training’s voucher fulfillment system uses a REST API, you should request a copy of the swagger document to conduct a more efficient assessment of their web application.

OBJ-4.2: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three options.

OBJ-4.4: This command executes the PowerShell environment without loading the PowerShell profile (-nop) and in a hidden window (-w hidden). The command powershell.exe is running is shown after the -c, which stands for executing a command or script block and then exiting. This command in PowerShell to Invoke-Expression (IEX) creates a new web client object and then downloads the file located at the URL provided. This file could be malicious, and if it is another PowerShell script, it will be executed once downloaded.

OBJ-5.3: Two–factor authentication requires 2 out of 3 of the following: something you know, something you have, something you are. Therefore, the only correct answer is a password (something you know) and a key fob (something you have).

OBJ-1.3: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

OBJ-3.2: Windows computers do not rely on DNS for name resolution within the internal networks. Instead, they rely on NetBIOS Name Service (NBNS) queries. Since Windows Vista, though, NBNS queries have been replaced with the Link-Local Multicast Name Resolution (LLMNR) protocol. The Responder tool in Kali Linux is used to conduct NBNS, LLMNR, and DNS name resolution exploits. In this example, Responder is being used to answer the Windows host asking for name resolution for the system called “wpad” but provides the IP for the Kali Linux machine instead of the correct IP. The first highlighted section shows the LLMNR query for the host “wpad” being sent by the Windows 7 host and answered by the Kali host running Responder. The last highlighted section shows the Windows 7 host getting the wpad.dat file by providing their credentials to the Kali host. There are several clues in this question to the right answer. First, the question mentions that you waited 15 minutes. Within Windows networks, the older NetBIOS system, each Windows machine would send out a broadcast message with its IP and WINS name every 10-15 minutes. Some of this functionality remains within LLMNR, too. But, the easier clue to identify is from the Wireshark packet capture. It clearly shows the protocol being used in lines 1212 through 1216 as LLMNR during the query and response. For this question, I was even nice enough to highlight that portion is red, but don’t expect the exam to be nearly as kind!

OBJ-5.3: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

OBJ-3.5: Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting into the DMZ.

OBJ-2.2: The Syslog server is a centralized log management solution. By looking through the Syslog server’s logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

OBJ-1.3: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, Organized Crimes, and advanced persistent threats (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate in nature. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor who can obtain, maintain, and diversify access to network systems using exploits and malware.

OBJ-4.4: This simple Bash script is only 9 lines in length, but it creates a decent reconnaissance tool. The script asks the user for the starting and ending IP addresses to scan and then performs a nmap scan on each IP address to see if ports 80 and 443 are open. It logs this information to a greppable file called tempfile and then performs some filtering as it passes the data from tempfile to tempfile1. It then cleans up the format and overwrites the original tempfile. Then, it removes the tempfile1 that was used, leaving only the tempfile. Finally, it displays the tempfile to the screen, showing only the IP addresses with clients that have either port 80 or port 443 open.

OBJ-1.3: Penetration testing is the act of using a computer system, an individual network, or another application to find vulnerabilities that an attacker could use to compromise your systems. Penetration testing can also find endpoints with vulnerabilities, which makes the attack surface greater.

OBJ-4.1: The -sV option will scan the target by probing all the open ports to determine the service version they are running. The -sS option will scan the target using a TCP SYN packet and conduct a half-open scan. The -sT option will scan the target by conducting a full TCP 3-way handshake. The -sU option will scan the target by conducting a UDP scan.

OBJ-2.2: Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won’t solve this scenario since we are concerned with the scanning portion or vulnerability management and not remediation.

OBJ-3.6: Since there are no employees around, the most effective method would be to pick a lock on a door to enter the building. Lock picking is a skill, and a penetration tester requires practice with the right tools to be effective at it.

OBJ-2.3: While the payroll server could be assumed to holds PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and Skillcertpro, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.

OBJ-3.4: The function SkillcertproCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

OBJ-4.2: Dirbuster is a brute force tool included with Kali Linux that exposes directories and file names on web and application servers. Androzer is a security testing framework for Android apps and devices. APKX (Android Package Kit) is a Python wrapper for dex converters and Java decompilers included in the OWASP Mobile Testing Guide. APK Studio is a cross-platform IDE for reverse engineering Android applications.

OBJ-2.1: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually review the Syslog server’s log would take too long, and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate running Linux or Windows as the underlying server.

OBJ-2.5: Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.

OBJ-3.4: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.

OBJ-1.3: An on-site target type means that assets can be accessed physically where the attack is carried out. To conduct the attack, the attacker must be physically at the location. If the penetration test seeks to determine if an attacker could access their secure server room, an on-site target type would be required.

OBJ-5.1: The data’s asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

OBJ-4.3: A pass the hash attacks is a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on. When authenticating with a username and password, the password is hashed once you type it in. Therefore, the computer doesn’t recognize a difference between the password and the hash itself. So, if you use psexec to send the hash to the system directly, it can be used to authenticate you as that user without actually knowing the user’s password. The key to answering this question is identifying that the smbpass parameter is being set to a password hash of a specified user.

OBJ-4.3: While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used for DNS servers to receive requests, and an employee’s workstation running DNS would be unusual. If the Foreign Address using port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The two entries from a random high number port to a web server (port 80 and port 443) is normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high number port chosen by the workstation to conduct two-way communications.

OBJ-3.1: While a malicious employee or insider could use all of the methods listed to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users’ passwords.

OBJ-2.5: When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.

OBJ-3.4: This is an example of an XSS attack as recorded by a web server’s log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘). While you don’t need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer’s boundary and writes data into the adjacent memory locations, which is not occurring in this example.

OBJ-2.4: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).

OBJ-4.2: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.skillcertprotraining.com 80” was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.

OBJ-5.3: There are two ways to approach this question. First, you can consider which is the right answer (if you know it). By adding the full URL of the phishing link to the browser’s group policy block list (or black hole list), the specific webpage will be blocked from being accessed by the employees while allowing the rest of the freephone.io domain to be accessible. Now, why not just block the entire domain? Well, maybe the rest of the domain isn’t suspect, but just this one page is. (For example, maybe someone is using a legitimate site like GitHub to host their phishing campaign. Therefore you only want to block their portion of GitHub.) The second approach to answering this question would be to rule out the incorrect answers. If you used DENY TCP to the firewall ACL answer, you would block all access to the domain, blocking legitimate traffic as well as possible malicious activity. If you used the DENY IP ANY ANY to filter traffic at the IPS, you would block any IP traffic to ANY website over port 8080. If you added the link to the load balancer, this would not block it either. Therefore, we are only left with the correct answer of using a group policy in this case.

OBJ-3.2: Based on the scenario, we can eliminate evil twin (focused on wireless access points) and IP spoofing (since this affects layer 3 traffic). While MAC spoofing the gateway’s address might work, it would also affect every computer on this subnet. By conducting an ARP cache poisoning attack, Rick can poison the cache and replace Mary’s computer’s MAC association with his own, allowing him to become the man-in-the-middle between Mary and the default gateway.

OBJ-3.4: Since cross-site scripting (XSS) relies on the HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CRIPT would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. As a penetration tester, it is important to remember that you can evade weak input validation using ASCII encoded characters, like %53 for the S character. As a cybersecurity analyst, you must build good input validations into your systems to prevent these types of attacks.

OBJ-1.4: While all of these may pose valid threats, this scenario is conducting a compliance-based assessment. Since this organization is a hospital, it falls under the health care industry. Health care is regulated in terms of patient privacy and the protection of their records. Therefore, your assessment should prioritize the PHI (personal health information) data being insecurely transmitted over HTTP and the database not properly using data at rest to protect patient data.

OBJ-5.3: First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement a whitelist for any specific IP blocks with access to this application’s administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application’s default password. Since it is a default password, you can not change the password requirements without the vendor conducting a software update to the application.  Finally, while it may be a good idea to conduct a penetration test against the organization’s IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability.

OBJ-4.2: Medusa is a command-line-based free password cracking tool often used in brute force password attacks on remote authentication servers. W3AF (Web Application Attack and Audit Framework) is a Python tool included in Kali Linux that tries to identify and exploit any web app vulnerabilities. CeWL is a ruby app that crawls websites to generate word lists for use with other password crackers. Mimikatz is an open-source tool that enables you to view credential information stored on Microsoft Windows computers.

OBJ-2.2: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include physical hosts, thereby missing many network assets.

OBJ-2.4: The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly where a program that occurs while writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.

OBJ-5.3: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, who developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer uses three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

OBJ-5.3: Application-aware firewall can analyze and verify protocols all the way up to layer 7 of the OSI reference model. It has the advantage of being aware of the details in the application layer. Since we desired to allow HTTP traffic, we must deal with the traffic at the application layer. This will prevent an attacker from sending SSH traffic over port 80, for example. By using an application-aware firewall, only HTTP traffic will be allowed over port 80.

OBJ-3.7: A scheduled task or scheduled job is an instance of execution, like initiating a process or running of a script, that the system performs on a set schedule. Once the task executes, it can prompt for user interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Linux use the crontab command. The correct answer for this persistence is to enter the command “(crontab -l ; echo “*/20 * * * * /tmp/beacon.sh”)| crontab -” that will run the script at “/tmp/beacon.sh every 20 minutes as the SYSTEM level user. The other variant of crontab is incorrect because it would run every 20 hours, not 20 minutes. The schtasks options are used in Windows, not in Linux.

OBJ-4.2: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

OBJ-3.4: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question’s example output.

OBJ-2.1: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

OBJ-2.3: Cross-site scripting exploits a vulnerability with a malicious script injected into a trusted website and then downloaded and executed by a user’s browser. In this scan result, you can see that the parameter for the name that was posted included some javascript (onload, this.src). This result shows that this site is vulnerable to a cross-site scripting attack.