Ethical Hacker: Course Final Exam Answers (Self-Paced)

Explanation: The following are several general best practices and recommendations for securing APIs:
– Secure API services to provide HTTPS endpoints with only a strong version of TLS.
– Validate parameters in the application and sanitize incoming data from API clients.
– Explicitly scan for common attack signatures; injection attacks often betray themselves by following common patterns.
– Use strong authentication and authorization standards.
– Use reputable and standard libraries to create the APIs.
– Segment API implementation and API security into distinct tiers; doing so frees up the API developer to focus completely on the application domain.
– Identify what data should be publicly available and what information is sensitive.
– If possible, have a security expert do the API code verification.
– Make internal API documentation mandatory.
– Avoid discussing company API development (or any other application development) on a public forum.

Explanation: Hacktivists are types of threat actors not motivated by money. Hacktivists are looking to make a point or to promote what they believe, using cybercrime as a method of attack. These types of attacks are often carried out by stealing sensitive data and then revealing it to the public to embarrass or financially affect a target.

Explanation: Implementing a firewall, an IPS, anti-malware, a VPN, a web application firewall (WAF), and other modern security defenses is not enough. The validity of these defensive techniques needs to be tested regularly. As networks and systems change, the attack surface can vary as well, and when it does, the reevaluation of the security posture must be conducted by way of a penetration test.

Explanation: The whois command can gather information about who owns a particular domain from public records.

Explanation: The command nmap -sn 192.168.0.0/24 is used to do a ping sweep of the 192.168.0.0/24 network for active hosts. This basic host discovery scan can be performed to determine what devices on a network are live. Such a scan for host discovery of an entire subnet is sometimes called a ping sweep.

Explanation: A TCP FIN scan is not useful when scanning Windows-based systems, as they respond with RST packets, regardless of the port state. The normal implication of an RST message would indicate a closed port. Since this is a Windows-based system, it will always respond with an RST message regardless of the port state.

Explanation: Scapy is a very comprehensive Python-based framework or ecosystem for packet generation. Scapy must be run with root permissions to be able to modify packets.

Explanation: To work around the issue of bandwidth limitations and vulnerability scanning, slowing down the traffic created by the scanner can help. This is often referred to as query throttling, and it can typically be achieved by modifying the options of the scanning policy. One way to do this is to reduce the number of attack threads being sent to the target simultaneously.

Explanation: A read team is a group of cybersecurity experts and penetration testers hired by an organization to mimic a real threat actor by exposing vulnerabilities and risks regarding technology, people, and physical security.

Explanation: The typical elements on the front of a credit card are an embedded microchip, PAN (primary account number), expiration date, and cardholder name. The typical elements on the back of a credit card are magnetic stripe and CAV2/CID/CVC2/CVV2, abbreviations for card security codes for the different payment brands.

Explanation: Gantt charts and work breakdown structures (WBS) can be used to demonstrate and document the testing timeline, an element of a rules of engagement document. Burp Suite and OWASP ZAP are tools to intercept communications between a browser and a web server. Recon-ng is a tool for passive reconnaissance.

Explanation: Protocols such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) can be used by penetration testers to transfer files securely over the network. Pretty Good Privacy (PGP) keys or Secure/Multipurpose Internet Mail Extensions (S/MIME) keys can be used for encrypted email exchanges. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP that provides secure communication between web browsers and web servers.

Explanation: The following is a list of requirements for a typical penetration testing environment:
– Closed network: Ensure controlled access to and from the lab environment and restricted access to the Internet.
– Virtualized computing environment: This allows for easy deployment and recovery of devices being tested.
– Realistic environment: Using a staging testing environment should match the real environment as closely as possible.
– Health monitoring: When something crashes, ensure the ability to determine how and why it happened.
– Sufficient hardware resources: Ensure that a lack of resources does not cause false results.
– Multiple operating systems: Test or validate a finding from another system. Testing from different operating systems is always good to see if the results differ.
– Duplicate tools: A great way to validate a finding is to run the same test with a different tool to see if the results are the same.
– Practice targets: Practice the penetration tools constantly. To do this, practice on targets that are known to be vulnerable.

Explanation: Gray-box penetration testing is when the test is run from within the internal network. Because most compromises start at the client and work their way throughout the network, a good approach would be a scope where the testers start inside the network and have access to a client machine. Then they could pivot throughout the network to determine the impact of a compromise. Gray-box testing is done in a partially known environment.
In black-box penetration testing, the tester is typically provided only limited information. (Unknown-environment testing.)
In white-box penetration testing, the tester starts with significant information about the organization and its infrastructure. (Totally known environment.)
The blue-box penetration testing is a box containing equipment for field quality testing and screening, with visual and written instructions for the users. CYBRI developed its own penetration testing services technology, called Blue-Box, which helps businesses and experts stay on the same page when it comes to testing, security controls, and security services.

Explanation: The following commands have to be entered to identify the local host and the remote host before the exploit command can be executed:
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 10.0.0.1
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.0.0.111
msf exploit(ms17_010_eternalblue) > exploit

Explanation: SMTP open relay is the term used for an email server that accepts and relays (that is, sends) emails from any user. The script nmap –script smtp-open-relay.nse 10.0.0.1 is an Nmap NSEscript to test for open relay configurations on the target server.

Explanation: FTP Anonymous Login Verification can be done using the Metasploit script command:
use auxiliary/scanner/ftp/anonymous. The output displays that the FTP server is configured for anonymous login.

Explanation: An attacker can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless routers to try to make those clients connect to the rogue AP by reassociating.

Explanation: The Social-Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks, such as infectious media generators, and create a payload and listener. Google phishing, simple hijacker, and fake flash update are social engineering attacks performed by Browser Exploitation Framework (BeEF) tool. BeEF is a tool that can manipulate users by leveraging XSX vulnerabilities.

Explanation: Social engineers use several motivation techniques/methods of influence. In this scenario, a social engineer explores the principle that a person tends to comply with people in positions of authority, such as doctors, lawyers, and experts in different fields. This is the authority method of influence.

Explanation: There are various types of physical attacks. Both piggybacking and tailgating can be defeated through the use of access control vestibules, and it is often used in conjunction with multifactor authentication. Turnstiles, double entry doors, and security guards can also eliminate piggybacking and tailgating. With dumpster diving, a person (threat actor) scavenges for victims’ private information in garbage and recycling containers. In badge cloning attacks, specialized software, hardware, and social engineering techniques can be used to perform such attacks. With shoulder surfing, someone obtains information such as personally identifiable information, passwords, and other confidential data by looking not only over the shoulder of the victim. It is also possible to carry out this type of attack from far away using binoculars or even a telescope.

Explanation: Pharming is an impersonation attack in which a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as a valid site to the user. From there, an attempt is made to extract confidential information from the user or install malware on the system of the victim.

Explanation: A watering hole attack is a targeted attack that occurs when an attacker profiles websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. Organizations should therefore develop policies to prevent these attacks. Such a policy requires updating anti-malware applications regularly and using secure virtual browsers with little connectivity to the rest of the system and the rest of the network.

Explanation: Since the string ‘1=1’ is always true, the search string serves as a Boolean value of TRUE, causing the database system to display all records.

Explanation: The best mitigation for SQL injection vulnerabilities is to use immutable queries, including:
– Static queries
– Parameterized queries
– Stored procedures (if they do not generate dynamic SQL)

Explanation: A command injection is an attack in which an attacker tries to execute OS commands that the attacker is not supposed to be able to execute on a system. In this case, the attacker tries to view the web server (httpd) configuration information.

Explanation: Attackers can leverage misconfigured cloud assets in several ways, including the following:
– Misconfigured identity and access management (IAM) implementations
– Federation misconfigurations

Explanation: The smtp-user-enum -M VRFY -u snp -t 10.0.0.1 command is used to verify whether the user snp exists on the smtp server 10.0.0.1.

Explanation: Threat actors can listen to BLE advertisements and leverage misconfigurations. You can analyze protocols such as BLE by using specialized antennas and equipment. Many devices that support BLE do not even implement BLE-layer encryption. BLE involves a three-phase process to establish a connection. BLE pairing is done at the operating system level.

Explanation: Many different techniques and utilities can be used to create a C2. Some examples are the following:

– socat – a C2 utility that can be used to create multiple reverse shells
– wsc2 – a Python-based C2 utility that uses WebSockets
– WMImplant – a PowerShell-based tool that leverages WMI to create a C2 channel
– TrevorC2 – a Python-based C2 utility

Explanation: The malicious activity described in the scenario is a reverse shell. Many tools allow the creation of reverse shells from a compromised host. Some of the most popular ones are the Meterpreter module in Metasploit and Netcat. Empire is an open-source framework with PowerShell Windows and Python Linux agents that allows rapid deployment of post-exploitation modules, including keyloggers, bind shells, reverse shells, Mimikatz, and adaptable communication to evade detection.

Explanation: After a system is compromised, basic port scans can identify systems or services of interest that can be further attacked to compromise valuable information. Remote access protocols can be used to communicate with a compromised system. Metasploit can be used to create an RDP connection. Using the Metasploit RDP Post-Exploitation Module enables RDP. It provides options to create and configure an account as a member of the Local Administrators and Remote Desktop Users group. Sysinternals is a suite of tools that can also communicate with a compromised system. It allows administrators to control Windows-based computers from a remote terminal.

Explanation: PowerSploit is a collection of PowerShell modules that can be used for post-exploitation and other phases of an assessment. Some popular PowerSploit modules and scripts are Get-SecurityPackages (enumerates all loaded security packages) and Get-Keystrokes (logs keys pressed, time, and the active window). PowerShell can be used for post-exploitation tasks, such as getting directory listings, copying and moving files, getting a list of running processes, and performing administrative tasks. Some of the most useful PowerShell commands are GetChildItem (list directories), GetProcess (gets a process listing), and Get-HotFix (obtains a list of all installed hotfixes).

Explanation: In a typical final report, the section Findings should document technical details about whether or how the system under testing and related components may be exploited based on each vulnerability found. Using industry-accepted risk ratings for each vulnerability is a good idea, such as the Common Vulnerability Scoring System (CVSS). CVSS has been adopted by many tools, vendors, and organizations. Using an industry standard such as CVSS will increase the value of the final report.

Explanation: Parameterized queries best prevent SQL injection. Using input validation (sanitizing user input) best practices is recommended to mitigate and prevent vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, command injection, XML external entities, and other vulnerabilities.

Explanation: With the time-of-day restrictions policy, the company can restrict user access based on the time of the day.

Explanation: Biometric controls include fingerprint scanning, retinal scanning, and face recognition. Together with a strong password, biometric control can provide effective multifactor authentication.

Explanation: When a tester has completed all the testing phases for a penetration test, It is very important to perform the post-engagement cleanup. Having the client or system owner validate that the cleanup efforts are sufficient is also very important. This is not always easy to accomplish, but providing a comprehensive list of activities performed on any systems under test will help.

Examples of the items that a tester will want to be sure to clean from systems include:
– Tester-created credentials: Remove any user accounts you created to maintain persistent access or for any other post-exploitation activity.
– Shells: Remove shells spawned on exploited systems.
– Tools: Remove any tools installed or run from the systems under test.

Explanation: A dictionary is a collection of data values that are ordered using a key/value pair.

Explanation: Bash shell is a command shell and language interpreter available for operating systems such as Linux, macOS, and Windows. It allows for interactive or non-interactive command execution.

Explanation: Nslookup, Host, and Dig are DNS-based tools that can be used to perform passive reconnaissance. Nmap, Zenmap, and Enum4linux are active reconnaissance tools.

Explanation: John the Ripper is a popular tool for offline password cracking. John the Ripper can use search patterns and password files (or wordlists) to crack passwords. It supports different cracking modes and understands many ciphertext formats. To list the supported formats, the attacker can use the john –list=formats command.

Explanation: Metasploit is a popular exploitation framework. Metasploit is installed in /usr/share/metasploit-framework by default in Kali Linux. BeEF is an exploitation framework for web application testing. Tor, Proxychains, and Encryption are tools for evasion.