Penetration Testing Final


Last updated 2:17 PM on 4/27/26

34 Terms

1

______________ is a step beyond port scanning that establishes an active connection to help discover useful information such as user names, service versions or settings, network shares, etc.

Enumeration

2

A _______ session is a Windows feature designed to give access to information over the network, but it can be used to collect information such as password policy, user names and groups, shared folders, and host SIDs.

null

3

Often used by network administrators to monitor networks and devices, which protocol can be used to gather information such as ARP and routing tables, as well as traffic statistics?

SNMP

4

A common technique to enumerate DNS information on a system is known as _______________

Zone Transfers

5

A ______________ is a software program or hardware device that can be installed on a system to record what the user is typing. Often used in non-technical password attacks.

keylogger

6

When a password is stored on a local system, a _____ algorithm is run against it so that it is not stored as plain text.

hash

7

A technique of adding a random number to a value before hashing it is known as ____________.

salting

8

Which of the following can be used for passive password attacks?

Replay Attacks | Man-In-The-Middle

9

Match each type of password attack to the description of the attack.

1. An attack that uses a list of common words or combinations of characters to attempt to find a matching password.

2. An attack that uses every possible combination of characters to crack a password.

3. An attack that uses a precomputed table of hash values to recover the plain text of a password.

4. An attack that requires sniffing traffic from both sides of a connection in order to intercept the password on the wire.

1. Dictionary Attack

2. Brute-Force

3. Rainbow Attack

4. Man-in-the-middle

10

The default hash used by the SAM database of modern Windows operating systems is ______________

NTLM

11

____________ is a non-profit organization with the primary goal of improving the security of software.

OWASP

12

Which of the following is NOT considered a vulnerability of web servers?

Poor end-user training

13

Which of the following statements is NOT true regarding Structured Query Language (SQL) injections?

They are specific to only one vendor's database and cannot force the application to reveal restricted information.

14

What type of attack relies on a variation of the input validation attack but has the goal of going after a user instead of the application or data?

Cross-site scripting (XSS)

15

A buffer overflow associated with a web application can result in data being corrupted or overwritten.

True

16

A denial of service (DoS) attack is considered a critical problem because it is very difficult to defeat.

False

17

A distributed denial of service (DDoS) attack is mostly an annoyance; however, a denial of service (DoS) attack is much more of a problem.

False

18

Input validation refers to restricting the type of input or data the website will accept so that mistakes will not be entered into the system.

True

19

Match the OWASP Top 10 Web Application Security Risks to their descriptions.

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging and Monitoring

1. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

3. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

4. Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

5. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

6. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

7. Flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

8. Often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

9. Libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

10. Allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

20

Using a ________ allows an attacker to intercept requests and responses between a client and a web server.

proxy

21

Match the following general-purpose registers of the x86 architecture to the proper description.

1. ESP

2. EBP

3. EIP

4. Free Points!

1. Points to top of the stack

2. Points to the highest memory address in the stack

3. Holds the memory address of the next instruction to be executed

4. Free Points!

22

__________ is a technique designed to find bugs in software applications by sending random combinations of inputs, but can also be used to create exploits in the application using a debugger.

Fuzzing

23

A binary value that represents an instruction that can be executed by a CPU.

opcode

24

Which type of attack results in overwriting or corrupting data in a memory buffer?

Stack-Based Buffer Overflow

25

A tool that can be used to encode or create binaries from Metasploit exploits is ___________.

Msfvenom

26

_____________ is a programming language that makes a one-to-one, human-readable translation to machine code.

Assembly

27

Which type of exploit development takes advantage of how the Windows operating system handles exceptions?

SEH Overwrites

28

Bob, a blackhat hacker, wants to gain a shell on Alice's machine. If Bob sends a malicious file to Alice in the hopes she will download and execute the file, which type of shell should Bob configure his exploit and payload to use?

Reverse Shell

29

Alice wants to gain a shell on Bob's machine. Both parties agree that Alice should initiate the connection and Bob's machine should be passively waiting for the incoming connection from Alice. Which type of shell is this?

Bind Shell

30

The following technique is a viable option to use when attempting to create malicious files to bypass antivirus (AV) solutions on a potential victim.

Obfuscation with an encoder. This will help scramble the contents and intentions of the malicious code, making it more difficult for anti-virus products to classify the code as good or bad.

True

31

Which application protocol is the most popular when used in a web-based client/server architecture?

HTTP(S)

32

Which of the following HTTP response codes indicates success/ok?

200

33

Which of the following can be broadly classified as an injection vulnerability?

All of These

34

Are there any topics in this course that you would have liked to see covered in more depth? Were there any topics not covered that you were hoping to learn about?

Freebie