Ch. 6- Exploit and Pivot
Terms in this set (20)
B. TCP 445 is a service port typically associated with SMB services.
Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service?
A. SQL injection
B. SMB exploit
C. CGI exploit
D. MIB exploit
A. The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.
Which of the entries should Charles prioritize from this list if he wants to gain access to the system?
A. The Ruby on Rails vulnerability
B. The OpenSSH vulnerability
C. The MySQL vulnerability
D. None of these; he should find another target.
B. The OpenSSH vulnerability specifically notes that it allows user enumeration, making this the best bet for what Charles wants to accomplish.
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information?
A. The Ruby on Rails vulnerability
B. The OpenSSH vulnerability
C. The MySQL vulnerability
D. Both the OpenSSH and MySQL vulnerabilities
C. Metasploit searching supports multiple common vulnerability identifier systems, including CVE, BID, and EDB, but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.
If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability?
A. CVE
B. BID
C. MSF
D. EDB
A. Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?
A. SSH tunneling
B. Netcat port forwarding
C. Enable IPv6
D. Modify browser plug-ins
C. Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith's user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.
After gaining access to a Windows system, Fred uses the following command:
SchTasks /create /SC Weekly /TN "Antivirus" /TR "C:\Users\SSmith\av.exe" /ST 09:00
What has he accomplished?
A. He has set up a weekly antivirus scan.
B. He has set up a job called "weekly."
C. He has scheduled his own executable to run weekly.
D. Nothing; this command will only run on Linux.
B. On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow is important for password cracking, making both desirable targets for penetration testers.
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list?
A. /etc/shadow
B. /etc/passwd
C. /var/usr
D. /home
C. Meterpreter is a memory resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.
A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened?
A. A malware scan discovered Meterpreter and removed it.
B. The system was patched.
C. The system was rebooted.
D. Meterpreter crashed.
D. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, it will attempt to crack the passwords.
Angela wants to run John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file?
A. A sample word list
B. The hash used
C. The number of passwords
D. None of the above
C. Cross-compiling code is used when a target platform is on a different architecture. Chris may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation, which is not the same architecture as his target.
Chris cross-compiles code for his exploit and then deploys it. Why would he cross-compile code?
A. To make it run on multiple platforms
B. To add additional libraries
C. To run it on a different architecture
D. To allow him to inspect the source code
B. Lauren may want to try a brute-force dictionary attack to test for weak passwords. She should build a custom dictionary for her target organization, and she may want to do some social engineering work or social media assessment up front to help her identify any common password selection behaviors that members of the organization tend to display.
Lauren has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?
A. Rainbow tables
B. Dictionary attacks
C. Thesaurus attacks
D. Meterpreter
C. PSRemote, or PowerShell Remote, provides command-line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including use of dedicated PowerShell exploit tools.
What built-in Windows server administration tool can allow command-line PowerShell access from other systems?
A. VNC
B. PowerSSHell
C. PSRemote
D. RDP
A. The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use.
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers?
A. Scheduled tasks
B. Cron jobs
C. Trojaned services
D. Modified daemons
D. Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running an exploit.
Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong?
A. The remote host is firewalled.
B. The remote host is not online.
C. The host is not routable.
D. The remote host was not set.
B. Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it!
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished?
$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
A. He has enabled PowerShell for local users.
B. He has set up PSRemoting.
C. He has disabled remote command-line access.
D. He has set up WSMan.
A. While it may seem odd, exploiting information-gathering exploits early can help provide useful information for other exploits. In addition, most information-gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described.
Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them?
A. High priority; exploit early.
B. Medium priority; exploit after other system and service exploits have been attempted.
C. Low priority; only exploit if time permits.
D. Do not exploit; information exposure exploits are not worth conducting.
C. Of the options listed, Annie's best bet is likely a thumb drive drop. Delivering thumb drives with malware on them to various locations around her target is likely to result in one or more being plugged in, and careful design can encourage staff at the target organization to click on her chosen malware packages. Once a local workstation is compromised with a tool that can reach out to her, she will have a means past the existing security, possibly allowing her to find other vulnerabilities inside the organization's network.
Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility she is testing. If she cannot find a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?
A. Dumpster diving
B. Phishing
C. A thumb drive drop
D. Impersonation on a help desk call
C. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work, but would be possible. Now you're down to a 50/50 chance!
Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages?
A. Metasploit
B. Responder
C. Impacket
D. Wireshark
A. Cynthia needs to use an exploit with a rating of Excellent, the highest level that Metasploit exploits can be ranked. Exploits that are lower than this level can run the risk of crashing a service.
Cynthia wants to find a Metasploit framework exploit that will not crash the remote service she is targeting. What ranking must the exploit she chooses meet or exceed to ensure this?
A. Excellent
B. Great
C. Good
D. Normal
B. Rainbow tables are lists of pre-computed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a relatively fast database lookup, allowing fast "cracking" of hashed passwords, even though hashes aren't reversible.
Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords?
A. Un-hashing the passwords
B. Comparing hashes to identify known values
C. Decrypting the passwords
D. Brute-force testing of hashes