Penetration Testing Overview

Questions and Answers

What is the primary purpose of reconnaissance in penetration testing?

  • To evaluate the effectiveness of security measures
  • To gain unauthorized access to network devices
  • To define the scope and gather information about the target (correct)
  • To conceal evidence of an attack

Which phase of penetration testing checks if access can be maintained on the target device?

  • Gaining Access
  • Covering Tracks
  • Scanning
  • Maintaining Access (correct)

What is a key benefit of using VAPT tools?

  • They can eliminate the need for a vulnerability assessment
  • They operate independently of organizational policy compliance
  • They combine vulnerability assessment and penetration testing functionalities (correct)
  • They only assess physical security threats

How do red team operations differ from standard vulnerability assessments?

Answer (B): It simulates real-life adversarial techniques to test defenses comprehensively

Which of the following tools is specifically known for network mapping?

Answer (A): Nmap

What does a vulnerability assessment primarily focus on?

Answer (C): Identifying and classifying security risks

What is the final stage of the penetration testing process?

Answer (D): Covering Tracks & Analysis

The results of which tool help organizations comply with standards like PCI-DSS and GDPR?

Answer (B): VAPT Tools

What is the primary function of Wireshark?

Answer (D): To capture and analyze network traffic

Which tool is specifically designed to help exploit vulnerabilities found in browsers?

Answer (C): BeEF

What type of reconnaissance involves directly interacting with a computer system?

Answer (C): Active reconnaissance

Which of the following tools is designed to evaluate wireless network security?

Answer (D): Aircrack-ng

SQLMap is primarily focused on which type of security issue?

Answer (A): SQL injection

What is a key characteristic of passive reconnaissance?

Answer (C): It gathers information without direct interaction

Which of the following is a purpose of the Burp Suite Pro?

Answer (D): Web application security testing

What does Google dorking facilitate in terms of information retrieval?

Answer (A): Locating difficult-to-find information using advanced search techniques

What is the purpose of the 'filetype:' search operator?

Answer (C): To restrict search results to a specific file type or extension.

What does the 'inurl:' operator do in search queries?

Answer (B): Retrieves web pages with a specific character string in the URL.

How would you search for exact matches of the phrase 'data breach' using quotes?

Answer (D): "data breach"

Which command would you use to perform a basic Nmap scan against an IP address?

Answer (B): nmap 192.168.1.1

What does the 'imagesize:' operator restrict in image searches?

Answer (C): The resolution or dimensions of the images.

When using 'weather:' in a search, what information can you obtain?

Answer (B): The current weather of a specified location.

What is the function of the 'link:' operator in a search query?

Answer (D): To discover sites that link to a particular webpage.

Which of the following commands would scan a range of IP addresses from 8.8.8.1 to 8.8.8.14?

Answer (B): nmap 8.8.8.1-14

What is the primary objective of the reconnaissance phase in the cyber kill chain?

Answer (C): To gather intelligence about the target's weaknesses

During which phase do attackers create or modify malware to exploit a target's vulnerabilities?

Answer (A): Weaponization

What is the primary purpose of the command and control phase in a cyber attack?

Answer (C): To enable remote tracking and guidance of cyberweapons

Which tactic is primarily used during the delivery phase of the cyber kill chain?

Answer (D): Using social engineering tools like phishing emails

What occurs during the exploitation phase of the cyber kill chain?

Answer (D): Attackers further infiltrate the network and identify additional vulnerabilities

Which of the following best describes obfuscation in cybersecurity?

Answer (D): Making it appear that no threat is present

What is a common end goal of a strategic cyberattack?

Answer (D): Data exfiltration

Which of the following is NOT a tactic used during the installation phase?

Answer (C): Using automated scanners for reconnaissance

What is the main goal of the installation phase in the cyber kill chain?

Answer (C): To escalate privileges and gain control over systems

Which type of testing does penetration testing fall under?

Answer (C): Vulnerability Assessment and Penetration Testing (VAPT)

What does denial of service (DoS) typically involve?

Answer (A): Distracting security teams from the main attack objective

Which technique is commonly employed during the weaponization phase?

Answer (C): Modifying existing programs to exploit vulnerabilities

At what stage do attackers typically begin to look for unprotected security credentials?

Answer (C): Installation

Which type of penetration testing focuses solely on internal network vulnerabilities?

Answer (D): Internal infrastructure testing

What is a characteristic of white box penetration testing?

Answer (A): The tester has complete knowledge of the system being tested

Which method is NOT typically included in penetration testing?

Answer (D): Employee performance evaluation

What command is used to scan all ports from 1 to 65535 on the localhost?

Answer (D): nmap -p 1-65535 localhost

Which nmap command will save scan results in XML format?

Answer (D): nmap -oX output.xml securitytrails.com

Which command allows the detection of service versions on a host?

Answer (C): nmap -sV localhost

What option should be added to an nmap scan for detecting malware infections?

Answer (A): --script=http-malware-host

If you want to scan using UDP protocol, which command would you use?

Answer (B): nmap -sU localhost

Flashcards

Reconnaissance

The initial stage of a cyberattack where attackers gather information about their target, including vulnerabilities and potential entry points.

Weaponization

The attacker creates malware or exploits vulnerabilities to create malicious payloads to be used against the target.

Delivery

The attacker delivers the malware or exploit to the target's system. This usually involves social engineering, phishing emails or exploiting weaknesses in networking.

Exploitation

The malware is executed, exploiting the vulnerabilities identified in the previous stages. This allows deeper infiltration and identification of further vulnerabilities.

Installation

The attacker installs malware and gains control within the target's network. This often involves gaining access to sensitive data and accounts and escalating privileges.

Command and Control

The attacker uses the compromised system to launch further attacks against other systems, often within the same network.

Actions on Objectives

The attacker attempts to cover their tracks and erase evidence of the attack. This could involve wiping logs, deleting files or using anti-forensic techniques.

Persistence

The attacker maintains access to the target's system for future exploitation. This can involve establishing backdoors or using stealthy techniques to stay hidden.

Obfuscation

A technique used by attackers to hide their malicious activity, making it appear as if no threat is present.

Denial of Service (DoS)

A method used to divert attention from the main attack by causing problems in other systems.

Action

The final stage of a cyberattack where the attackers execute their intended goal.

Supply Chain Attack

A type of cyberattack that targets weaknesses in the supply chain of organizations.

Data Exfiltration

The unauthorized copying of data from a target system.

Data Encryption

The process of encrypting sensitive data to make it inaccessible to unauthorized individuals.

Data Compression

A process used to reduce the size of data to make it easier to store and transmit.

VAPT

A type of security testing designed to find and address vulnerabilities in systems, applications, and infrastructure.

Red Teaming

A way to evaluate an organization's security by mimicking the actions of real attackers. It involves using advanced techniques and intelligence to test the organization's ability to detect and respond to persistent threats.

VAPT (Vulnerability Assessment & Penetration Testing)

Utilizes a combination of vulnerability assessment (VA) and penetration testing (PT) to identify and exploit security weaknesses. VA helps to find vulnerabilities, while PT tries to gain access by exploiting them. Used for compliance with security standards like PCI-DSS, GDPR, and ISO27001.

Vulnerability Assessment (VA)

A security assessment where a tool scans for vulnerabilities in systems, networks, and applications. It identifies possible points of weakness, quantifies the risks, and recommends solutions to fix them.

Network Mapper (Nmap)

A specialized tool that scans for security vulnerabilities in computer networks. It helps to discover hosts and services on a network by sending packets and analyzing the responses. Used for network mapping and security audits.

Scanning

A technique used in penetration testing to understand how a target system reacts to different intrusion attempts. It involves analyzing the system's behavior and identifying potential vulnerabilities by using both static and dynamic methods.

Grey Box Testing

A type of penetration testing where testers have limited knowledge about the target system. They are only given basic information and must rely on their own skills and tools to discover vulnerabilities.

Black Box Testing

A type of penetration testing where testers have no prior knowledge about the target system. They are given no information and must rely entirely on their own skills and tools to find vulnerabilities.

What is Wireshark?

A network protocol analyzer used to capture and analyze data packets flowing through a network connection.

What is BeEF?

A framework that allows attackers to use a target's web browser as an attack point, gaining control and malicious access.

What's Burp Suite Pro?

A security tool used to scan web applications for vulnerabilities and test their security measures.

What is Aircrack-ng?

A collection of tools designed to probe and assess the security of wireless networks. It can be used for monitoring, cracking passwords and other attacks.

What is MetaSploit?

A framework that provides a collection of ready-to-use exploit code, enabling attackers to leverage known vulnerabilities.

What is SQLMap?

A tool designed to identify and exploit SQL injection vulnerabilities in web applications.

What is Nikto?

An online vulnerability scanner used to assess the security of web applications, servers, and content management systems.

What is W3af?

A framework used to audit and attack web applications, identifying over 200 potential vulnerabilities.

nmap -p 1-65535 localhost

Nmap command used to specify a range of ports for scanning, e.g., from port 1 to 65535.

nmap -oN output.txt securitytrails.com

Nmap command used to save scan results to a file, creating a text file with the output.

nmap -sT 192.168.1.1

Nmap option for scanning a specific host using the TCP protocol. Detects services and ports accessible via TCP.

nmap -sV --script=http-malware-host 192.168.1.105

Nmap command used to identify malware infections on a remote device by checking for suspicious network activity or known malicious patterns.

nmap -sV localhost

Nmap option for detecting the versions of running services on a host. Helps to identify security vulnerabilities in specific software versions.

filetype:

A search operator to specify file type or extension in Google search.

inurl:

A search operator used with Google to find websites containing a specific character string in their URL.

intitle:

A search operator used with Google to find pages whose titles contain a specific string.

" "

A search operator that instructs Google to return exact matches of a query string enclosed in double quotes.

intext:

A search operator used with Google to find websites containing a specific string in their content.

nmap -oN output.txt

A command in Nmap, a network scanning tool, used to save the results of a scan to a file.

nmap -iL list.txt

A command used with Nmap for scanning a list of IP addresses or hostnames from a text file.

nmap --top-ports 20

A command used with Nmap to scan the most popular ports on a specific IP address or hostname.

Study Notes

The Cyber Kill Chain

  • The Cyber Kill Chain is a framework describing the stages of a cyberattack.
  • It involves seven stages, each building upon the previous one.

1. Reconnaissance

  • This is the initial research phase.
  • Attackers identify target vulnerabilities and potential entry points.
  • Methods range from simple public data gathering to advanced automated scanning.
  • Success depends on the amount of intelligence gathered.

2. Weaponization

  • Attackers strategize to exploit target weaknesses.
  • Malware or malicious payloads are designed.
  • Techniques include creating new malware or modifying existing programs.

3. Delivery

  • Cybercriminals infiltrate the target network.
  • Malware is deployed using phishing emails or other social engineering methods.

4. Exploitation

  • Following successful delivery, attackers exploit network vulnerabilities.
  • Lateral movement is common, spreading across the network.

5. Installation

  • Also known as the privilege escalation phase.
  • Attackers install malware and deploy other cyberweapons.
  • This allows them increased control over systems.

6. Command and Control

  • Attackers establish a command and control (C2) channel.
  • They remotely control deployed cyberweapons and tools.
  • Two common methods used are obfuscation (hiding threat) and denial-of-service (disrupting operations) attacks.

7. Action

  • Cybercriminals execute the attack's objective.
  • Common end goals include supply chain attacks, data exfiltration, data encryption, and data compression.

Related Documents

Offensive Security 2.pdf