Lesson 3: Performing Security Assessments
1. Which statement best explains the differences between black box, white
box, and gray box attack profiles used in penetration testing?
A. A black box pen tester acts as a privileged insider and must perform no
reconnaissance. A white box pen tester has no access, and reconnaissance is
necessary. A gray box actor is a third-party actor who mediates between a
black box and white box pen tester.
B. A black box pen tester acts as the adversary in the test, while the white box
pen tester acts in a defensive role. A gray box pen tester is a third-party actor
who mediates between a black box pen tester and a white box pen tester.
C. In a black box pen test, the contractor receives no privileged information, so
they must perform reconnaissance. In contrast, a white box pen tester has
complete access and skips reconnaissance. A gray box tester has some, but not
all information, and requires partial reconnaissance.
D. In a white box pen test, the contractor receives no privileged information, so
they must perform reconnaissance. In contrast, a black box pen tester has
complete access and skips reconnaissance. A gray box tester has some, but not
all information, and requires partial reconnaissance.
2. Identify the command that can be used to detect the presence of a host on a
particular IP address.
A. ipconfig
B. ifconfig
C. ip
D. ping
3. A network manager needs a map of the network's topology. The network
manager is using Network Mapper (Nmap) and will obtain the visual map
with the Zenmap tool. If the target IP address is [Link], determine
the command within Nmap that will return the necessary data to build the
visual map of the network topology.
A. nmap -sn --ipconfig [Link]
B. nmap -sn --ifconfig [Link]
C. nmap -sn --traceroute [Link]
D. nmap -sn --nslookup [Link]
4. Select the statement which best describes the difference between a zero-day
vulnerability and a legacy platform vulnerability.
A. A legacy platform vulnerability is typically unpatchable, while a zero-day
vulnerability may be exploited before a developer can create a patch for it.
B. A zero-day vulnerability is unpatchable, while a legacy platform vulnerability
can always be patched, once detected.
C. A zero-day vulnerability can be mitigated by responsible patch management,
while a legacy platform vulnerability cannot likely be patched.
D. A legacy platform vulnerability can always be mitigated by responsible patch
management, while a zero-day vulnerability does not yet have a patch
solution.
5. An IT director reads about a new form of malware that targets a system
widely utilized in the company’s network. The director wants to discover
whether the network has been targeted, but also wants to conduct the
scan without disrupting company operations or tipping off potential
attackers to the investigation. Evaluate vulnerability scanning techniques
and determine the best option for the investigation.
A. Credentialed scan
B. Configuration review
C. Penetration testing
D. Threat hunting
6. A system administrator must scan the company’s web-based application to
identify which ports are open and which OS/CPE can be seen from the
outside world. Determine the syntax that should be used to yield the
desired information if the administrator will be executing this task from a
Linux command line.
A. netstat -a
B. nmap [Link] -O
C. nmap -sS [Link]/24
D. netstat -n
7. A contractor has been hired to conduct penetration testing on a company's internal
systems. The primary goal is to identify potential weaknesses in password policies
and to determine if critical data can be accessed with default or weak passwords.
Evaluate the penetration steps and determine which are being utilized for this
task. (Select all that apply.)
A. Test security controls
B. Assess physical security measures
C. Determine network topology
D. Exploit vulnerabilities
8. Compare and contrast vulnerability scanning and penetration testing.
Select the true statement from the following options.
A. Vulnerability scanning is conducted by a “white hat” and penetration testing is
carried out by a “black hat.”
B. Vulnerability scanning by eavesdropping is passive, while penetration testing
with credentials is active.
C. Penetration testing and vulnerability scanning are considered “black hat”
practices.
D. Vulnerability scanning is part of network reconnaissance, but penetration
testing does not involve network reconnaissance.
9. Select the appropriate methods for packet capture. (Select all that apply.)
A. Wireshark
B. Packet analyzer
C. Packet injection
D. tcpdump
10. An outside security consultant updates a company’s network, including data cloud
storage solutions. The consultant leaves the manufacturer’s default settings when
installing network switches, assuming the vendor shipped the switches in a
default-secure configuration. Examine the company’s network security posture
and select the statements that describe key vulnerabilities in this network. (Select
all that apply.)
A. The default configurations of devices may not be optimized for the company's
specific security needs.
B. The default settings in the network switches represent a weak configuration.
C. The use of network switches leaves numerous unused ports open.
D. The recommended settings in the network switches represent secured
protocols.
11. Encryption vulnerabilities allow unauthorized access to protected data.
Which component is subject to brute-force enumeration?
A. An unsecured protocol
B. A software vulnerability
C. A weak cipher
D. A lost decryption key
12. Systems administrators from a large organization are assigned to support
an affiliated company's white team. Which role would they primarily
assume?
A. The systems administrators will oversee the test, establish rules of
engagement, and offer guidance.
B. The systems administrators will attempt to breach the target system.
C. The systems administrators will handle monitoring and alerting systems to
identify and thwart any infiltration attempts.
D. System administrators will facilitate cooperation between attacking and
defending teams to foster positive outcomes.
13. As the result of a recent breach, a cyber technician is tasked with
reviewing various attack vectors associated with escalation of privileges.
Which of the following vector escalation vulnerabilities can be associated
with an OS kernel file or shared library allowing malware code to run with
higher access rights?
A. Software
B. Operating System (OS)
C. Applications
D. Ports
14. Analyze and eliminate the item that is NOT an example of a reconnaissance
technique.
A. Initial exploitation
B. Open Source Intelligence (OSINT)
C. Social engineering
D. Scanning
15. In which of these situations might a non-credentialed vulnerability scan be more
advantageous than a credentialed scan? (Select all that apply.)
A. When active scanning poses no risk to system stability
B. External assessments of a network perimeter
C. Detection of security setting misconfiguration
D. Web application scanning
16. A network administrator uses an automated vulnerability scanner. It regularly
updates with the latest vulnerability feeds. If the system regularly performs active
scans and returns the presence of vulnerabilities when they do not exist, what type
of error is the system most likely making?
A. False positive
B. False negative
C. Validation error
D. Configuration error
17. Which reconnaissance suite uses -sS to run TCP SYN scans?
A. tcpdump
B. nmap
C. Wireshark
D. nslookup
18. Which of the following statements summarizes a disadvantage to performing an
active vulnerability scan? (Select all that apply.)
A. Active scanning consumes more network bandwidth.
B. Active scanning runs the risk of causing an outage.
C. Active scanning will identify all of a system’s known vulnerabilities.
D. Active scanning techniques do not use system login.
19. A manufacturing company hires a pentesting firm to uncover any
vulnerabilities in their network with the understanding that the pen tester
receives no information about the company’s system. Which of the
following penetration testing strategies is the manufacturing company
requesting?
A. Black box
B. Sandbox
C. Gray box
D. White box
20. Following a data breach at a large retail company, their public relations
team issues a statement emphasizing the company’s commitment to
consumer privacy. Additionally, the retail company took down its systems
to resolve the issue. Identify the true statements concerning this
event. (Select all that apply.)
A. The data breach must be an intentional act of corporate sabotage.
B. The privacy breach might have allowed the threat actor to sell the data to other
malicious actors.
C. The data breach might have caused the data to be exfiltrated.
D. The data breach event may compromise data integrity, but not information
availability.
1.C
A black box penetration tester receives no privileged information, while a
white box tester has complete access. A white box test may follow up on a
black box test.
In a black box pen test, the consultant receives no privileged information
about the network and its security systems. A gray box pen tester has partial
access and must perform some reconnaissance.
A red team performs an offensive role to try to infiltrate the target. A blue team
defends a target system by operating monitoring and alerting controls to
detect and prevent the infiltration.
White box tests are useful for simulating the behavior of a privileged insider
threat. Gray box tests are useful for simulating the behavior of an unprivileged
insider threat.
2.D
The ping command can be used to detect the presence of a host on a
particular IP address or that responds to a particular host name. This
command is a fast and easy way to determine if a system can communicate
over the network with another system.
The ipconfig command is used to report the configuration assigned to the
network adapter in Windows.
The ifconfig command can be used to report the adapter configuration in
Linux.
The ip command is a more powerful command in Linux and gives options for
managing routes as well as the local interface configuration.
3.C
The traceroute command is used to probe a path from one end system to
another, and lists the intermediate systems providing the link. Nmap
combined with the Zenmap tool will give a visual map of the network topology.
The ipconfig and ifconfig commands are used for looking at the configuration
of a system's network adapter.
The primary difference between the ipconfig and ifconfig commands is the
type of system they run on. ipconfig is designed for Windows,
while ifconfig is designed for use on Linux systems.
The nslookup command is used to query the Domain Name System (DNS).
4.A
A zero-day vulnerability is exploited before the developer knows about it or
can release a patch. These can be extremely destructive, as it can take the
vendor some time to develop a patch, leaving systems vulnerable in the
interim.
A legacy platform is no longer supported with security patches by its
developer or vendor. By definition, legacy platforms are not patchable.
Legacy systems are highly likely to be vulnerable to exploits and must be
protected by security controls other than patching, such as isolating them to
networks that an attacker cannot physically connect to.
Even if effective patch management procedures are in place, attackers may
still be able to use zero-day software vulnerabilities, before a vendor develops
a patch.
5.D
Where a pen test attempts to demonstrate a system’s weakness or achieve
intrusion, threat hunting is based only on analysis of data within the system. It
is potentially less disruptive than pen testing.
A credentialed scan has a user account with logon rights to hosts and
permissions appropriate for the testing routines. Credentialed scans are
intrusive and allow in-depth analysis and insight to what an insider attack
might achieve.
A configuration review assesses the configuration of security controls and
application settings and permissions compared to established benchmarks.
Penetration testing, an intrusive, active scanning technique, does not stop at
detection, but attempts to gain access to a system.
6.B
The correct syntax is nmap [Link] -O. When the -O switch is used with
nmap, it displays open ports and the installed operating system, but does not
show the version.
The netstat command checks the state of ports on the local machine. In Linux,
the -a switch displays ports in the listening state; it does not enable software
and version detection.
Using nmap -sS [Link]/24 is a fast technique also referred to as half-open
scanning, as the scanning host requests a connection without acknowledging
it.
Netstat shows the state of TCP/UDP ports on the local machine. Netstat -n
suppresses name resolution, so host IP addresses and numeric ports are
shown in the output.
[Link]
Two penetration test steps are being utilized: actively testing security controls and
exploiting vulnerabilities. Identifying weak passwords is actively testing security
controls.
In addition, exploiting vulnerabilities is being used by proving that a vulnerability is
high risk. The list of critical data obtained will prove that the weak passwords can
allow access to critical information.
Assessing physical security measures typically involves evaluating the physical
security controls in place to prevent unauthorized access to a building or a server
room. In this scenario, this step is not being performed.
Determining the network topology involves identifying the arrangement of systems
and how they connect to one another within a network. In this scenario, this step is not
being performed.
8.B
Vulnerability scanning and penetration testing can use passive or active
reconnaissance techniques. A passive approach tries to discover issues
without causing an impact to systems, whereas an active approach may
cause instability on a scanned system.
Penetration testing is non-malicious; therefore, it is a “white hat” activity, not
“black hat.”
Penetration testing is considered “ethical hacking,” but vulnerability scanning
is not. Vulnerability scanning is used to uncover system weaknesses, not to
try to hack into the system.
Penetration testing involves network reconnaissance, or information
gathering. The hacker likely has to find some way of escalating the privileges
available to them.
[Link]
Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures
packets, or frames, moving over a network.
Wireshark is an open source graphical packet capture and analysis utility.
Wireshark works with most operating systems, whereas tcpdump is a command
line packet capture utility for Linux.
A packet analyzer works in conjunction with a sniffer to perform traffic
analysis. Protocol analyzers can decode a captured frame to reveal its
contents in a readable format, but they do not capture packets.
Packet injection involves sending forged or spoofed network traffic by
inserting (or injecting) frames into the network stream. Packets are not
captured with packet injection.
[Link]
Default configurations in devices, whether they come from vendors in a
secure state or not, may not cater to specific organizational needs. Such
configurations might have unnecessary services running or might not be
optimized for a particular business environment.
Relying on the manufacturer default settings when deploying an appliance or
software applications is a weak configuration. Although many vendors ship
products in secure default configurations, it is insufficient to rely on default
settings.
Default settings may leave unsecure interfaces enabled that allow an attacker
to compromise the device. Weak settings on network appliances can allow
attackers to move through the network unhindered and snoop on traffic.
An unsecure protocol transfers data across a network as cleartext. Having
secure protocols on a managed switch hardens the level of network security.
11.C
An unsecured protocol is one that transfers data as cleartext—that is, the
protocol does not use encryption for data protection.
Software vulnerabilities affect all types of code. Operating system and
firmware vulnerabilities may allow escalated permissions and unauthorized
access. Software and security researchers discover most vulnerabilities and
release patches to remedy them.
Weak encryption vulnerabilities allow unauthorized access to data. A weak
cipher is an algorithm used for encryption that has known weaknesses, allowing
brute-force enumeration.
If a decryption key is not distributed securely, it can easily fall into the hands
of people who are not authorized to decrypt the data.
12.A
The white team is responsible for overseeing the penetration test, establishing rules of
engagement, providing arbitration, guidance, and if necessary, halting the exercise.
They may include representatives from a consultancy if the red team is external.
The red team is the one that takes an offensive role, attempting to breach the target
system, not the white team.
The blue team is tasked with the defensive role, operating monitoring and alerting
systems to detect and prevent infiltration, not the white team.
While the systems administrators in the white team do facilitate cooperation, the main
role of fostering constructive development and improvement through regular debriefs
during the exercise is characteristic of a purple team scenario, not exclusively the
white team's responsibility.
13.B
A vulnerability in an OS kernel file or shared library can allow privilege escalation,
where the malware code runs with higher access rights (system or root). Root or
system accounts are considered superuser accounts with administrative privileges.
Software exploitation means an attack that targets a vulnerability in software code.
An application vulnerability is a design flaw that can cause the security system to be
circumvented or that will cause the application to crash.
Security best practice for network configurations dictates that open ports should be
restricted to only necessary services. Running unnecessary open ports and services
increases the attack surface.
14.A
The initial exploitation phase (also referred to as weaponization) is not a
reconnaissance technique. It is an exploit that is used to gain some sort of
access to the target's network.
Open Source Intelligence (OSINT) refers to using web search tools and social
media to obtain information about the target.
Social engineering refers to obtaining information, physical access to
premises, or even access to a user account through the art of persuasion.
Scanning refers to using software tools to obtain information about a host or
network topology. Scans may be launched against web hosts or against wired
or wireless network segments, if the attacker can gain physical access to
them.
[Link]
Non-credentialed scanning is often the most appropriate technique for
external assessment of the network perimeter or when performing web
application scanning.
A non-credentialed scan proceeds by directing test packets at a host without
being able to log on to the OS or application. A non-credentialed scan
provides a view of what the host exposes to an unprivileged user on the
network.
A passive scan has the least impact on the network and on hosts but is less
likely to identify vulnerabilities comprehensively.
Configuration reviews investigate how system misconfigurations make
controls less effective or ineffective, such as antivirus software not being
updated, or management passwords left configured to the default.
Configuration reviews generally require a credentialed scan.
16.A
A false positive is something that is identified by a scanner or other assessment tool as
being a vulnerability, when in fact it is not.
False negatives are potential vulnerabilities that are not identified in a scan. This risk
can be mitigated somewhat by running repeat scans periodically and by using
scanners from more than one vendor.
Reviewing related system and network logs can enhance the vulnerability report
validation process. Using relevant data, such as event logs, can help confirm the
validity of vulnerabilities identified in a scan.
Some scanners measure systems and configuration settings against best practice
frameworks. This is called a compliance scan, which might be necessary for
regulatory compliance or voluntary conformance.
17.B
Nmap uses -sS to do a TCP SYN scan, which is a fast technique also referred to as
half-open scanning, as the scanning host requests a connection without
acknowledging it. The target's response to the scan's SYN packet identifies the port
state.
tcpdump is a command line packet capture utility for Linux
([Link]/man/8/tcpdump). The basic syntax of the command is tcpdump -i eth0,
where eth0 is the interface to listen on. It does not use the -sS command.
Wireshark ([Link]) is an open-source graphical packet capture and analysis
utility with installer packages for most operating systems. Having chosen the interface
to listen on, the output is displayed in a three-pane view. It does not use the -sS
command.
nslookup/dig is a utility to query name records for a given domain using a particular
DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a
network to find out if the DNS service is misconfigured. It does not use the -sS
command.
[Link]
Scan intrusiveness is a measure of how much the scanner interacts with the target.
Active scanning consumes more network bandwidth than passive scanning.
Active scanning means probing the device's configuration using some type of network
connection with the target. This type of scanning runs the risk of crashing the target of
the scan or causing some other sort of outage.
Active scanning has the possibility of failing due to any security settings that may
prevent certain scans.
A non-credentialed scan proceeds by directing test packets at a host without being
able to log on to the OS or application. A non-credentialed scan provides a view of
what the host exposes to an unprivileged user on the network.
19.A
Black box (or blind) is when the pen tester receives no privileged information
about the network and its security systems. Black box tests are useful for
simulating the behavior of an external threat.
A sandbox is a test environment that accurately simulates a production
environment. It is not a penetration testing strategy.
Gray box describes the penetration strategy where the pen tester receives
some information. Typically, this would resemble the knowledge of junior or
non-IT staff to model particular types of insider threats.
White box (or full disclosure) is when the pen tester receives complete access
to information about the network. White box tests are useful for simulating the
behavior of a privileged insider threat.
[Link]
A privacy breach may allow the threat actor to perform identity theft or to sell
the data to other malicious actors. Malicious actors may obtain account
credentials or use personal details and financial information to make
fraudulent credit applications and purchases.
A data breach can cause a data exfiltration event to occur. A data exfiltration
event is always intentional and malicious.
A data breach event is where confidential data is read or transferred without
authorization. A data breach, unlike data exfiltration, can be
intentional/malicious or unintentional/accidental.
Availability means that information is accessible to those authorized to view or
modify it. If a data breach brings down processing systems, a company may
not be able to perform crucial workflows like order processing and fulfillment,
compromising information availability.