A penetration tester is performing an assessment for an organization and must gather valid user credentials. Which of the following attacks would be best for the tester to use to achieve this objective?
Answer : C
* A deauthentication attack sends spoofed 802.11 deauthentication frames that force legitimate clients off a wireless network. As the clients reconnect, the tester can capture the WPA/WPA2 four-way handshake for offline cracking, or push them onto a rogue access point (evil twin) that harvests the credentials they enter.
* Details:
A . Wardriving: Driving around to discover wireless networks; it maps networks but does not gather user credentials.
B . Captive portal: A login page used to control network access. On its own it is an access-control mechanism, not an attack, and a rogue portal only sees credentials once clients have been pushed onto the attacker's access point.
C . Deauthentication: Forces users to reauthenticate, giving the attacker the chance to capture the handshake or the credentials during the reconnection.
D . Impersonation: Pretending to be someone else to gain access; less direct for capturing user credentials than deauthentication.
* Reference: Deauthentication attacks are well documented in wireless security assessments and penetration testing guides.
A penetration tester enters a command into the shell and receives the following output:
C:\Users\UserX\Desktop>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
VulnerableService    Some Vulnerable Service    C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe    Automatic
Which of the following types of vulnerabilities does this system contain?
Answer : A
* The output reveals an unquoted service path. The service binary lives under a path that contains spaces and is not enclosed in quotes, so when the Service Control Manager starts it, Windows (through CreateProcess) treats each space as a possible end of the executable name and tries every such prefix with .exe appended before it reaches the intended binary.
* Details:
Command: wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ lists services that start automatically, drops those located under C:\Windows, and then drops any whose path already begins with a double quote, leaving only unquoted auto-start paths outside the Windows directory.
Output Interpretation: The remaining service has the unquoted path C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe. Windows will try C:\Program.exe, then C:\Program Files\A.exe, then C:\Program Files\A Subfolder\B.exe before the real executable. An attacker who can write to one of those directories can plant a binary that runs with the service's privileges (often LocalSystem) the next time the service starts; checking the directory permissions with icacls shows whether the path is actually exploitable.
* Reference: Unquoted service paths are a common Windows privilege escalation vulnerability, well documented in security resources and penetration testing guides.
A penetration tester was able to gain access to a plaintext file on a user workstation. Upon opening the file, the tester notices some strings of randomly generated text. The tester is able to use these strings to move laterally throughout the network by accessing the fileshare on a web application. Which of the following should the organization do to remediate the issue?
Answer : B
The plaintext strings that let the tester reach the file share are credentials (passwords, API keys, or session tokens) stored insecurely on the workstation. Implementing a password management solution remediates the root cause: credentials are kept in an encrypted vault and retrieved through authenticated access instead of being left in plaintext files. The exposed strings themselves should also be treated as compromised and replaced.
Sanitizing user input, rotating keys, and utilizing certificate management address other aspects of security but do not fix insecure credential storage on endpoints.
Importance of password management: NIST Password Guidelines
Examples of security breaches due to poor password management practices: Forge.
A penetration tester is performing DNS reconnaissance and has obtained the following output using different dig commands:
;; ANSWER SECTION:
company.com. 5 IN MX 10 mxa.company.com
company.com. 5 IN MX 10 mxb.company.com
company.com. 5 IN MX 100 mxc.company.com
;; ANSWER SECTION:
company.com. 5 IN A 120.73.220.53
;; ANSWER SECTION:
company.com. 5 IN NS ns1.nsvr.com
Which of the following can be concluded from the output the penetration tester obtained?
Answer : B
Every record in the output carries a TTL (Time to Live) of 5. dig reports TTL in seconds, so resolvers may cache these answers for only five seconds before they must query the authoritative server again. Such a short TTL usually means the records are expected to change quickly (DNS-based load balancing or failover), and for the tester it means cached answers go stale almost immediately, so repeated queries may return different data. The output also shows two equal-preference mail exchangers (mxa and mxb at preference 10) with mxc (100) as a lower-priority backup.
Understanding DNS TTL values: DNS TTL
Interpretation of DNS dig output from various penetration testing engagements: Horizontall.
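As an added example (not part of the original explanation), here is a small Python parser for dig answer sections that pulls out the TTL, orders the MX records by preference, and lists the A and NS data. The DIG_OUTPUT string is a constructed copy of the records shown above, not a live query.

```python
import re

# Constructed copy of the dig answer sections shown above (not a live query).
DIG_OUTPUT = """\
;; ANSWER SECTION:
company.com.            5       IN      MX      10 mxa.company.com.
company.com.            5       IN      MX      10 mxb.company.com.
company.com.            5       IN      MX      100 mxc.company.com.

;; ANSWER SECTION:
company.com.            5       IN      A       120.73.220.53

;; ANSWER SECTION:
company.com.            5       IN      NS      ns1.nsvr.com.
"""

# owner  TTL  IN  TYPE  RDATA  (dig separates the fields with whitespace)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_dig_answers(text):
    """Turn dig answer-section lines into a list of resource-record dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and ";;" section headers
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append({
            "name": name.rstrip("."),
            "ttl": int(ttl),        # dig prints TTL in seconds
            "type": rtype,
            "rdata": rdata.strip(),
        })
    return records


def mail_exchangers(records):
    """(preference, host) pairs sorted so the most preferred (lowest) MX comes first."""
    mx = []
    for r in records:
        if r["type"] == "MX":
            pref, host = r["rdata"].split(None, 1)
            mx.append((int(pref), host.rstrip(".")))
    return sorted(mx)


def cache_lifetime_seconds(records):
    """Longest time any of these answers may legitimately sit in a resolver cache."""
    return max(r["ttl"] for r in records)


def hosts_by_type(records, rtype):
    """RDATA of every record of the given type, with trailing dots removed."""
    return [r["rdata"].rstrip(".") for r in records if r["type"] == rtype]


if __name__ == "__main__":
    recs = parse_dig_answers(DIG_OUTPUT)
    print(f"answers may be cached for {cache_lifetime_seconds(recs)} seconds")
    for pref, host in mail_exchangers(recs):
        print(f"MX preference {pref}: {host}")
    print("A:", hosts_by_type(recs, "A"), "NS:", hosts_by_type(recs, "NS"))
```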
After obtaining a reverse shell connection, a penetration tester runs the following command: www-data@server12:~$ sudo -l
User www-data may run the following commands on server12: (root) NOPASSWD: /usr/bin/vi
Which of the following is the fastest way to escalate privileges on this server?
Answer : C
Because www-data may run /usr/bin/vi as root without a password, the fastest escalation is vi's built-in shell escape. Running sudo vi -c ':!bash' starts vi as root and immediately executes the ex command :!bash, which spawns a Bash shell that inherits root privileges; the same result can be had interactively by opening sudo vi and typing :!bash or :sh. vi and vim can run arbitrary shell commands, which is why unrestricted sudo rights to either are equivalent to root.
GTFOBins - vi
Example from penetration testing reports where vi is used to escalate privileges: Writeup.
A penetration tester wants to perform a SQL injection test. Which of the following characters should the tester use to start the SQL injection attempt?
Answer : C
The single quote mark (') is the standard first probe for SQL injection because it terminates a string literal in SQL. If the application concatenates the input into its query, the stray quote leaves an unterminated string and the database returns a syntax error or the application behaves differently; if the input is bound as a parameter, the quote is stored as data and the query runs normally. That difference in behavior is what the tester looks for.
Other characters such as double quotes, semicolons, or comment sequences are useful in specific contexts (for example, numeric parameters that are not wrapped in quotes), but the single quote is the usual starting point for SQL injection testing.
OWASP SQL Injection Guide: OWASP SQL Injection
Demonstrations of SQL injection techniques in various penetration testing scenarios.
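As an added example (not part of the original explanation), the following Python script builds a throwaway SQLite database and runs the same lookup two ways: a deliberately vulnerable version that concatenates the input into the query, and a parameterized version. Sending a single quote breaks the vulnerable query with a syntax error and leaves the safe one unaffected, which is exactly the signal the probe relies on; the script also shows the classic ' OR '1'='1 follow-up returning every row only from the vulnerable version. The users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text.

    A single quote in `username` ends the string literal early, so the
    remainder of the input is parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterized: the driver binds the value, so a quote is just data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(conn, lookup, payload):
    """Run one payload and report either ('rows', [...]) or ('error', message).

    This is the tester's view: a syntax error on a single quote means the
    input reached the SQL parser unescaped.
    """
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for payload in ["alice", "alice'", "' OR '1'='1"]:
        print(f"payload {payload!r}:")
        print("  vulnerable ->", probe(db, lookup_vulnerable, payload))
        print("  safe       ->", probe(db, lookup_safe, payload))
```

The vulnerable query on the single-quote payload becomes `... WHERE username = 'alice''`, an unterminated string, which SQLite rejects; the parameterized query simply looks for a user literally named `alice'` and returns nothing.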
A penetration tester managed to get control of an internal web server that is hosting the IT knowledge base. Which of the following attacks should the penetration tester attempt next?
Answer : B
A watering hole attack compromises a site that the target group visits regularly. Having taken control of the internal web server hosting the IT knowledge base, the tester can modify its pages or add malicious content that employees download or execute when they visit. The attack is effective because the site is a trusted internal resource, so its content is not treated with suspicion.
Vishing, whaling, and spear phishing are social engineering attacks aimed directly at individuals, whereas a watering hole attack uses the compromised site to reach many users within the organization at once.
Explanation of watering hole attacks: OWASP Watering Hole
Examples from penetration testing engagements where web server compromises were used to conduct watering hole attacks.