A compliance-based penetration test is primarily concerned with:
Correct Answer: B
Question 122
A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?
Correct Answer: C
When developing a phishing campaign, the tester should first use social media to gather information about the targets.

Social Media:
- Purpose: Social media platforms such as LinkedIn, Facebook, and Twitter provide valuable information about individuals, including their job roles, contact details, interests, and connections.
- Reconnaissance: This information helps craft convincing, targeted phishing emails, increasing the likelihood of success.

Process:
- Gathering Information: Collect details about the target employees, such as their names, job titles, email addresses, and any personal information that can make the phishing email more credible.
- Crafting Phishing Emails: Use the gathered information to personalize the phishing emails so that they appear legitimate and relevant to the recipients.

Other Options:
- Shoulder Surfing: Observing someone's screen or keyboard input to gain information; not suitable for gathering broad information for a phishing campaign.
- Recon-ng: A tool for automated reconnaissance; useful, but more general. Social media is specifically targeted at gathering personal information.
- Password Dumps: Using previously leaked passwords to find potential targets is more invasive and less relevant to the initial stage of developing a phishing campaign.

Pentest Reference:
- Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.
- OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.

By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.
Question 123
Which of the following tools provides Python classes for interacting with network protocols?
Correct Answer: B
Impacket is a tool that provides Python classes for interacting with network protocols, such as SMB, DCE/RPC, LDAP, Kerberos, etc. Impacket can be used for network analysis, packet manipulation, authentication spoofing, credential dumping, lateral movement, and remote execution. Reference: https://github.com/SecureAuthCorp/impacket
Question 124
During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?
Correct Answer: A
During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here is a detailed explanation of why clearing the Windows event logs is the best method for this scenario.

Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.

Why Clear Windows Event Logs:
- Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.
- Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.

Method to Clear Event Logs: Use the built-in Windows command line utility wevtutil to clear logs. For example:

wevtutil cl System
wevtutil cl Security
wevtutil cl Application

These commands clear the System, Security, and Application logs, respectively.

Alternative Options and Their Drawbacks:
- Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.
- Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones, and it can alert administrators to suspicious activity.
- Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs, and it can be easily noticed by administrators.

Case Reference:
- HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth. For example, in the "Gobox" and "Writeup" machines, maintaining a low profile involved managing log data to avoid detection.
- Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.

In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester's actions remain undetected.
Question 125
A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?
Correct Answer: A
References:
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-whi
https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

The certutil command is a Windows utility that can be used to manipulate certificates and certificate authorities. However, it can also be abused by attackers to download files from remote servers using the -urlcache option. In this case, the command downloads accesschk64.exe from http://192.168.2.124/windows-binaries/ and saves it locally. Accesschk64.exe is a tool that can be used to check service permissions and identify potential privilege escalation vectors.

The other commands are not relevant for this purpose. PowerShell is a scripting language that can be used to perform various tasks, but in this case it uploads a file instead of downloading one. Schtasks is a command that can be used to create or query scheduled tasks, but it does not help with service permissions. Wget is a Linux command that can be used to download files from the web, but it does not work on Windows by default.