Appendix A

Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

Answers to the “Do I Know This Already?” Quizzes

Chapter 1

1. a. With a black-box penetration test, the tester is provided with only a very limited amount of information. For instance, the tester may only be provided the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester take the perspective of an external attacker. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gaining more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of black-box testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well. It also eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

2. a. An attacker who takes advantage of a vulnerability to gain unauthorized access to a target network/system would be considered a nonethical hacker. An ethical hacker practices responsible disclosure, initially disclosing the vulnerability to the vendor and waiting a certain time for a fix or patch before disclosing publicly.

3. c. Ransomware is a type of malicious software that involves either encrypting or stealing the target’s data and holding it for ransom until the threat actor is paid.

4. c. A hacktivist is a type of threat actor who is not motivated by money but is looking to make a point or to further his or her beliefs by using cybercrime as a method of attack. Hacktivist attacks are often carried out by stealing sensitive data and then revealing it to the public for the purpose of embarrassing or financially affecting the target.

5. b. In a white-box penetration test, the tester starts out with a significant amount of information about the organization and its infrastructure, including network diagrams, credentials, and even source code.

6. c. The Internet of Things (IoT) is a network of devices such as vehicles, appliances, cameras, and many other embedded devices. Mirai targets certain consumer electronic devices such as routers and IP cameras.

7. c. Controlling access to and from the Internet is an important requirement in building a lab environment.

8. b. Using multiple tools of the same type is a good way to validate the findings of a penetration test. If the same finding is identified by two different tools, this can indicate that it wasn’t a false positive.

9. b. The Open Source Security Testing Methodology Manual (OSSTMM) has been around a long time. It was developed and released by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM). Its goal is to provide a document that lays out repeatable and consistent security testing.

10. d. The PCI DSS (Payment Card Industry Data Security Standard) was created to provide a minimum level of security requirements for handling credit card information. It was originally introduced in 2008, so it has been around a while and has gone through a number of modifications over the years. The version 3.2 document made a point of distinguishing between a vulnerability scan and a penetration test.

Chapter 2

1. a. Information such as the testing timeline, locations where the penetration testing will take place, the time window of testing, and the preferred method of communication are typically parts of the rules-of-engagement document.

2. d. Target selection is part of the initial scope between the penetration tester and the client; however, it does not entail target reconnaissance using network scanners such as Nmap.

3. a. The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This is the most important information and the only information that is mandatory for obtaining a vulnerability score. The temporal group assesses the vulnerability as it changes over time. The environmental group represents the characteristics of a vulnerability, taking into account the organizational environment.

4. c. Swagger is a modern framework of API documentation and development that is now the basis of the OpenAPI Specification (OAS). Swagger documents can be extremely beneficial when testing APIs. Additional information about Swagger can be obtained at https://swagger.io. The OAS is available at https://github.com/OAI/OpenAPI-Specification.

5. a, b, and c. The contract is one of the most important documents in your engagement. It specifies the terms of the agreement and how you will get paid, and it provides clear documentation of the services that will be performed. The document should be very specific, easy to understand, and without ambiguities. Legal advice (by a lawyer) is always recommended for any contract. Your customer may also engage its own legal department or an outside agency to review the contract.

6. b. The SOW specifies the activities to be performed during the penetration testing engagement. It also specifies the penetration testing timelines, including the report delivery schedule and the location of the work. The non-disclosure agreement (NDA) defines confidential material, which is knowledge and information that should not be disclosed and should be kept confidential by both parties.

7. a. You might encounter scope creep when there is poor change management in the penetration testing engagement. In addition, scope creep can also surface when there is ineffective identification of what technical and nontechnical elements will be required for the penetration test. Poor communication among stakeholders, including your client and your own team, can also contribute to scope creep.

8. a and c. There are a few different types of penetration testing and security assessments. Two of the major types are goals-based (or objectives-based) and compliance-based assessments.

9. d. Examples of regulations or regulatory bodies applicable to the financial sector include Title 5 Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the corresponding interagency guidelines; the Federal Financial Institutions Examination Council (FFIEC); the Federal Trade Commission (FTC) Safeguards Act, Financial Institutions Letters (FILS); and New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500).

10. b. PCI DSS must be adopted by any organization that transmits, processes, or stores payment card data or directly or indirectly affects the security of cardholder data.

Chapter 3

1. d. In order to be successful, an attacker must first gather information about the target, so reconnaissance is always the initial step in a cyber attack.

2. a. Once you determine that a device is alive and reachable on a target network, the next step in gaining access would be to enumerate the services that are listening on the target device.

3. a. The DNSRecon tool, available in the Kali Linux distribution, is able to perform a number of DNS-related reconnaissance functions, including zone transfers, SRV record enumeration, wildcard resolution, subdomain brute forcing, and PTR record lookup.

4. a. Active reconnaissance is a method of information gathering whereby the tools used actually send out probes to the target network or systems in order to elicit a response that is then used to determine their posture. These probes can use various protocols and can also use varying levels of aggressiveness.

5. a. Passive reconnaissance is a method of information gathering whereby the tool does not interact directly with the target device or network. Multiple passive reconnaissance methods are discussed in this chapter. Some involve using third-party databases to gather information. Others may also use tools in such a way that they will not be detected by the target. Many of these tools work by simply listening to the traffic on the network and using intelligence to deduce information about the devices’ communication on the network. This approach is a much less invasive activity on a network.

6. c. If the SYN probe does not receive any response, Nmap will mark the port as filtered because it was unable to determine whether it was open or closed.

7. XX. TCP connect scan (-sT) uses the underlying operating system’s networking mechanism to establish a full TCP connection with the target device being scanned. It creates a full connection and more traffic, and thus it takes more time to run the scan.

8. a. There are times when a SYN scan may be picked up by a network filter or firewall. In this situation, you would need to use a different type of packet in your port scan. With the TCP FIN scan, a FIN packet is sent to a target port.

9. a. Recon-ng is a framework developed by Tim Tomes of Black Hills Information Security. This tool was developed in Python with Metasploit msfconsole in mind.

10. a. Open source intelligence gathering, also known as OSINT gathering, is a method of using publicly available intelligence sources to collect and analyze information about a target. Open source intelligence is “open source” because collecting the information does not require any type of covert methods.

11. a. The hackertarget module in Recon-ng can be used to enumerate subdomains. It uses the hackertarget.com API.

12. a. It is possible to use a vulnerability scanner to address specific policy requirements. Vulnerability scanners often have the capability to import a compliance policy file. This policy file typically will map to specific plugins/attacks that the scanner is able to perform. Once imported, the specific set of compliance checks can be run against a target system.

13. c. An authenticated scan requires you to provide the scanner with a set of credentials that have root-level access to the system. The reason for this is that the scanner will actually log in to the target via SSH or some other mechanism. It will then run commands like netstat to gather information from inside the host.

Chapter 4

1. b. A phishing attack is a social engineering attack in which the attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information, such as his or her username and password.

2. d. A threat actor redirects a victim from a valid website or resource to a malicious one that could be made to look like the valid site to the user. From there, an attempt is made to extract confidential information from the user or to install malware in the victim’s system. Pharming can be done by altering the hosts file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server.

3. a. Malvertising is very similar to pharming, but it involves using malicious ads. In other words, malvertising is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

4. b. Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make the emails look legitimate and perhaps make them appear to come from trusted users within the corporation.

5. c. SMS phishing is a type of social engineering attack that involves using Short Message Service (SMS) to send malware or malicious links to mobile devices; it is not carried over email.

6. d. Voice phishing is a social engineering attack carried out over a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or a company. Voice phishing is also referred to as “vishing.”

7. a. Whaling is similar to phishing and spear phishing; however, this type of attack is targeted at high-profile business executives and key individuals within a corporation.

8. c. An interrogator pays close attention to the victim’s posture or body language. The interrogator also pays attention to the color of the victim’s skin to see if the victim’s face color changes during the conversation (for example, gets pale or red). The interrogator also pays attention to the direction of the victim’s head and eyes; movement of hands and feet; mouth and lip expressions; and voice pitch, rate, and changes.

9. b. It is possible to use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients.

10. c. Shoulder surfing involves obtaining information such as PII, passwords, and other confidential data by looking over the victim’s shoulder.

11. d. USB key drop attacks are still a very effective method of infection.

Chapter 5

1. d. There are several name-to-IP address resolution technologies and protocols, such as Network Basic Input/Output System (NetBIOS), Link-Local Multicast Name Resolution (LLMNR), and Domain Name System (DNS).

2. d. The following ports and protocols are used by NetBIOS-related operations:

  • TCP port 135: Microsoft Remote Procedure Call (MS-RPC) endpoint mapper used for client-to-client and server-to-client communication

  • UDP port 137: NetBIOS Name Service

  • UDP port 138: NetBIOS Datagram Service

  • TCP port 139: NetBIOS Session Service

  • TCP port 445: Server Message Block (SMB) protocol, used for sharing files between different operating systems, including Windows and Unix-based systems.

3. a. A common vulnerability in LLMNR involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and NBT-NS traffic over UDP port 137. The attacker basically poisons the LLMNR service to manipulate the victim’s system. If the requested host belongs to a resource that requires identification or authentication, the username and NTLMv2 hash are sent to the attacker. The attacker can then gather the hash sent over the network by using tools such as sniffers. Subsequently, the attacker can brute-force or crack the hashes offline to get the plaintext passwords.

4. c. One of the most commonly used SMB exploits in recent times has been the EternalBlue exploit, which was leaked by an organization or an individual (nobody knows) that allegedly stole numerous exploits from the U.S. National Security Agency (NSA). Successful exploitation of EternalBlue allows an unauthenticated remote attacker to compromise an affected system and execute arbitrary code. This exploit has been used in ransomware such as WannaCry and Nyetya.

5. c. DNS cache poisoning involves manipulating the DNS resolver cache by injecting corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim, redirecting the victim to the attacker’s system.

6. d. SNMPv2c uses two authenticating credentials: The first is a public community string to view the configuration or to obtain the health status of the device, and the second is a private community string to configure the managed device. SNMPv3 authenticates SNMP users by using usernames and passwords and can protect confidentiality. SNMPv2 does not provide any confidentiality protection.

7. c. ARP cache poisoning (or ARP spoofing) is an example of an attack that leads to a man-in-the-middle scenario. An ARP spoofing attack can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

8. a. In an evil twin attack, an attacker creates a rogue access point and configures it exactly the same as the existing corporate network. Typically, the attacker uses DNS spoofing to redirect the victim to a cloned captive portal or website.

9. c. War driving is a methodology attackers use to find wireless access points wherever they may be. The term war driving is used because the attacker can just drive around (or even walk) and obtain a significant amount of information over a very short period of time.

10. d. WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the PSK. When you configure a wireless infrastructure device with WEP, the IVs are sent in the clear.

11. a. KRACK attacks take advantage of a series of vulnerabilities in the WPA and WPA2 protocols.

12. d. KARMA is a man-in-the-middle attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic. KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could be a mobile device, a laptop, or any Wi-Fi-enabled device.

Chapter 6

1. d. REST or RESTful is a type of API technology. The following are examples of HTTP methods:

  • GET: Retrieves information from the server

  • HEAD: Basically the same as a GET but returns only HTTP headers and no document body

  • POST: Sends data to the server (typically using HTML forms, API requests, and so on)

  • TRACE: Does a message loopback test along the path to the target resource

  • PUT: Uploads a representation of the specified URI

  • DELETE: Deletes the specified resource

  • OPTIONS: Returns the HTTP methods that the server supports

  • CONNECT: Converts the request connection to a transparent TCP/IP tunnel

2. a. DVWA, WebGoat, and Hackazon are examples of intentionally vulnerable applications that you can use to practice your penetration testing skills. Cyber ranges are virtual or physical networks that mimic areas of production environments where you can safely practice your skills. Offensive security teams and cybersecurity defense teams (including security operation center [SOC] analysts, computer security incident response teams [CSIRTs], InfoSec, and many others) use cyber ranges.

3. d. SQL injections, HTML script injections, and object injections are examples of code injection vulnerabilities.

4. d. Ben' or '1'='1 is a string used in SQL injection attacks. In this particular attack, Ben is a username, and it is followed by an escape that is tailored to try to force the application to display to the attacker all records in the database table.

5. a, b, and c. DES, RC4, and MD5 are cryptographic algorithms that should be avoided. Refer to Table 6-2 for a complete list of recommended cryptographic algorithms and weak cryptographic algorithms that should be avoided.

6. b. Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as usernames and passwords, one-time passwords, and client-based digital certificates. Also, in order to keep the authenticated state and track the user’s progress, an application provides a user with a session ID, or token. This token is assigned at session creation time and is shared and exchanged by the user and the web application for the duration of the session. The session ID is a name/value pair.

7. c. You can find HTTP parameter pollution (HPP) vulnerabilities by finding forms or actions that allow user-supplied input. Then you can append the same parameter to the GET or POST data, but with a different value assigned.

8. b. Insecure Direct Object Reference vulnerabilities can be used to execute a system operation. In the referenced URL, the value of the user parameter (chris) is used to have the system change the user’s password. An attacker can try other usernames and see if it is possible to modify the password of another user.

9. a. This string is an example of how to use hexadecimal HTML characters to potentially evade XSS filters. You can also use a combination of hexadecimal HTML character references to potentially evade XSS filters and security products such as web application firewalls (WAFs).

10. c. You should escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent XSS vulnerabilities.
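As an added example (not code from the book), the following JavaScript implements exactly the rule in answer 10: every character that is not alphanumeric is emitted as an &#xHH; hexadecimal entity. A small decoder is included only to show that the encoded value renders back to the original text; the names encodeForHtml, decodeHexEntities and buildInput are assumptions of this example.

```javascript
// Added example: output encoding per the rule "escape everything except
// alphanumerics as &#xHH;". Not from the book; function names are assumptions.

// Encode one string for safe placement in an HTML context (including
// attribute values). Code points above U+00FF produce more than two hex
// digits, which HTML numeric character references accept.
function encodeForHtml(input) {
  let out = "";
  for (const ch of String(input)) {          // iterates by code point
    const cp = ch.codePointAt(0);
    const isAlnum =
      (cp >= 0x30 && cp <= 0x39) ||          // 0-9
      (cp >= 0x41 && cp <= 0x5a) ||          // A-Z
      (cp >= 0x61 && cp <= 0x7a);            // a-z
    out += isAlnum
      ? ch
      : "&#x" + cp.toString(16).toUpperCase().padStart(2, "0") + ";";
  }
  return out;
}

// Reverse only the &#xHH; form produced above, to demonstrate the round trip.
// (Browsers do this decoding themselves when rendering the page.)
function decodeHexEntities(encoded) {
  return encoded.replace(/&#x([0-9A-Fa-f]+);/g, (_, hex) =>
    String.fromCodePoint(parseInt(hex, 16)));
}

// Build an input element whose value attribute carries untrusted data.
function buildInput(untrustedValue) {
  return '<input type="text" value="' + encodeForHtml(untrustedValue) + '">';
}

// Constructed sample: a value that would break out of the attribute if unencoded.
const sample = '" onmouseover="alert(1)';
console.log(buildInput(sample));
console.log(decodeHexEntities(encodeForHtml(sample)) === sample); // true
```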

11. c. CSRF attacks typically affect applications (or websites) that rely on a user’s identity. Also, CSRF attacks can occur when unauthorized commands are transmitted from a user that is trusted by the application. CSRF vulnerabilities are also referred to as “one-click attacks” or “session riding.” An example of a CSRF attack is a user that is authenticated by the application through a cookie saved in the browser unwittingly sending an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

12. a. The URL displayed is an example of a cross-site request forgery (CSRF or XSRF) attack against a vulnerable server.

13. d. Clickjacking involves using multiple transparent or opaque layers to induce a user to click on a web button or link on a page that he or she did not intend to navigate to or click. Clickjacking attacks are often referred to as “UI redress attacks.” User keystrokes can also be hijacked using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool the user into entering information or clicking on links in an invisible frame that could be rendered from a site an attacker created.

14. b. A mitigation to prevent clickjacking could be to send the proper Content Security Policy (CSP) frame-ancestors directive in the response headers, which instructs the browser not to allow framing from other domains. (This replaces the older X-Frame-Options HTTP header.) All other options are examples of XSS mitigation techniques.

15. a. This URL is an example of a directory (path) traversal vulnerability and attack.

16. c. A best practice to avoid cookie manipulation attacks is to not dynamically write to cookies using data originating from untrusted sources.

17. b. Local file inclusion (LFI) vulnerabilities occur when a web application allows a user to submit input into files or upload files to a server. Successful exploitation could allow an attacker to read and (in some cases) execute files on the victim’s system. Some of these vulnerabilities could be critical if the web application is running with high privileges (or as root). This could allow the attacker to gain access to sensitive information and even enable the attacker to execute arbitrary commands in the affected system.

18. d. This URL is an example of a remote file inclusion attack, in which the attacker redirects the user to a malicious link to install malware.

19. b. A race condition takes place when a system or an application attempts to perform two or more operations at the same time. However, due to the nature of such a system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. The attack complexity in race condition situations is very high. In other words, race condition attacks are very difficult to exploit.

20. c. Swagger is a modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS). Additional information about Swagger can be obtained at https://swagger.io. The OAS specification is available at https://github.com/OAI/OpenAPI-Specification.

Chapter 7

1. d. Cisco Smart Install, Telnet, and Finger are insecure services and protocols.

2. c. The user omar has read, write, and execute rights.

3. c. As documented in the chmod man pages, the restricted deletion flag or sticky bit is a single bit whose interpretation depends on the file type. For directories, the sticky bit prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and it is commonly found on world-writable directories such as /tmp. For regular files on some older systems, the sticky bit saves the program’s text image on the swap device so it will load more quickly when run. If the sticky bit is set on a directory, files inside the directory may be renamed or removed only by the owner of the file, the owner of the directory, or the superuser (even though the modes of the directory might allow such an operation); on some systems, any user who can write to a file can also delete it. This feature was added to keep an ordinary user from deleting another user’s files from the /tmp directory.

4. a. In “return-to-libc,” or ret2libc, attacks (the predecessor to return-oriented programming [ROP]), a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process. This is done to potentially bypass the no-execute (NX) bit Linux feature and allow the attacker to execute arbitrary code. Operating systems that support a non-executable stack help protect against code execution after a buffer overflow vulnerability is exploited. On the other hand, this cannot prevent a ret2libc attack because in this attack, only existing executable code is used. Another technique, called stack-smashing protection, can prevent or obstruct code execution exploitation since it can detect the corruption of the stack and may potentially “flush out” the compromised segment.

5. b. CPassword is a component of Active Directory’s Group Policy Preferences that allows administrators to set passwords via Group Policy.

6. c. It is possible to dump the LSASS process from memory to disk by using tools such as Sysinternals ProcDump. Attackers have been successful using ProcDump because it is a utility digitally signed by Microsoft. Therefore, this type of attack can evade many antivirus programs. ProcDump creates a minidump of the target process. An attacker can then use tools such as Mimikatz to mine user credentials.

7. b. Enforcement rules in SELinux and AppArmor mandatory access control frameworks restrict control over what processes are started, spawned by other applications, or allowed to inject code into the system. These implementations can control what programs can read and write to the file system.

8. a. OWASP often performs studies of the top mobile security threats and vulnerabilities. These are the top 10 mobile security risks at the time of this writing:

  • Improper platform usage

  • Insecure data storage

  • Insecure communication

  • Insecure authentication

  • Insufficient cryptography

  • Insecure authorization

  • Client code quality

  • Code tampering

  • Reverse engineering

  • Extraneous functionality

9. c. A cold boot attack is a type of side channel attack in which the attacker tries to retrieve encryption keys from a running operating system after using a system reload.

10. d. Tailgating (or piggybacking) is a breach in which an unauthorized individual follows an authorized individual to enter a restricted building or facility.

Chapter 8

1. d. You can maintain persistence of a compromised system by doing the following:

  • Creating a bind or reverse shell

  • Creating and manipulating scheduled jobs and tasks

  • Creating custom daemons and processes

  • Creating new users

  • Creating additional backdoors

2. a. The Netcat utility is used to create a bind shell on the victim system and to execute the bash shell. The -e option executes the /bin/bash shell on the victim system so that the attacker can communicate using that shell.

3. d. The nc -lvp <port> command can be used to create a listener on a given TCP port.

4. c. Lateral movement (also referred to as pivoting) is a post-exploitation technique that can be performed using many different methods. The main goal of lateral movement is to move from one device to another to avoid detection, steal sensitive data, and maintain access to many devices to exfiltrate the sensitive data. Lateral movement involves scanning a network for other systems, exploiting vulnerabilities in other systems, compromising credentials, and collecting sensitive information for exfiltration. Lateral movement is possible if an organization does not segment its network properly. After compromising a system, you can use basic port scans to identify systems or services of interest that you can further attack in an attempt to compromise valuable information.

5. b. PowerSploit is not a legitimate Windows tool; rather, it is a collection of PowerShell scripts that can be used post-exploitation.

6. c. The New-Object System.Net.WebClient PowerShell script is downloading a file from 192.168.78.147.

7. a. The Invoke-ReflectivePEInjection PowerSploit script can reflectively inject a DLL into a remote process.

8. a. Mimikatz, Empire, and PowerSploit are tools that are used in post-exploitation activities. The Social-Engineer Toolkit (SET) is typically used for social engineering attacks.

9. a. As a best practice, you can discuss post-engagement cleanup tasks and document them in the rules of engagement document during the pre-engagement phase. You should delete all files, executable binaries, scripts, and temporary files from compromised systems after the penetration testing engagement is completed. You should return any modified systems and their configuration to their original values and parameters.

10. d. After compromising a system, you should always cover your tracks to avoid detection by suppressing logs (when possible), deleting application logs, and deleting any files that were created.

Chapter 9

1. b. Nmap is a tool used for active reconnaissance. Maltego, Shodan, and Dig are tools used for passive reconnaissance.

2. c. theHarvester is used to enumerate DNS information about a given hostname or IP address. It is useful for passive reconnaissance. It can query several data sources, including Baidu, Google, LinkedIn, public Pretty Good Privacy (PGP) servers, Twitter, vhost, VirusTotal, ThreatCrowd, crt.sh, Netcraft, Yahoo, and others.

3. d. Shodan is a search engine for devices connected to the Internet. It continuously scans the Internet and exposes its results to users via its website (https://www.shodan.io) and also via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices and infrastructure devices). Penetration testers can use Shodan to gather information about potentially vulnerable systems exposed to the Internet without actively scanning their victims.

4. a and c. Maltego and Recon-ng are tools that can be used to automate open source intelligence (OSINT) gathering.

5. b. The command nmap -sS 10.1.1.1 performs a TCP SYN scan.

6. c. Enum4linux is a great tool that can be used to enumerate SMB shares, vulnerable Samba implementations, and corresponding users.

7. a. OpenVAS is an open source vulnerability scanner that was created by Greenbone Networks. It is a framework that includes several services and tools that allow you to perform detailed vulnerability scanning against hosts and networks. Qualys, Nexpose, and Retina are commercial scanners.

8. a. SQLmap is a tool that helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection vulnerabilities.

9. d. OWASP ZAP, W3AF, and Burp Suite are all examples of web application penetration testing tools.

10. a and b. Attackers can use rainbow tables to accelerate password cracking. They can use rainbow tables, which are precomputed tables for reversing cryptographic hash functions, to derive a password by looking at the hashed value. A tool called RainbowCrack can be used to automate the cracking of passwords using rainbow tables.

11. d. A shell is a command-line tool that allows for interactive or non-interactive command execution. Having a good background in bash enables you to quickly create scripts, parse data, and automate different tasks, which can be helpful in penetration testing engagements. The following websites provide examples of bash scripting concepts, tutorials, examples, and cheat sheets:

12. d. PowerShell and related tools can be used for exploitation and post-exploitation activities. Microsoft has a vast collection of free video courses and tutorials that include PowerShell at the Microsoft Virtual Academy (see https://mva.microsoft.com).

Chapter 10

1. c. A web application scanner is meant to discover issues such as input validation and SQL injection. To identify these types of flaws, an automated scanner needs to actually input information into the fields it is testing. The input can be fake data or even malicious scripts. As this information is being input, it is likely to make its way into the database that is supporting the web application you are testing. Once the testing is complete, this information needs to be cleaned from the database.

2. a and c. It is important to record all of the activities that are performed during a penetration test, especially activities performed on a compromised system. This will help you clean up things like created usernames and database information during post-engagement activities.

3. a, b, and c. Although most of the modules used in Metasploit have the capability to do self-cleanup, there are times when a module errors out and does not complete the cleanup process. In such a situation, things like shells, files, and scripts may be left behind.

4. a. The results of your testing process should be fully documented for several reasons. First, documentation provides proof of the work you have completed. Second, it provides evidence of the efforts the company has made to identify any security issues within its environment. Documentation is more important than ever before in today’s world where executives of compromised companies are being held accountable for data breaches that happen while under their supervision. When a breach is exposed, you need to be able to prove that you are doing your due diligence to test and secure the company’s environment.

5. b. For a third-party penetration tester who has been hired to perform a test for a customer, the report the tester creates is the final deliverable. It is proof of the work the tester performed and the findings that came from the effort. It is similar to having a home inspection: The inspector will likely spend hours around the house, checking in the attic, crawl space, and so on. At the end of the day, you as the homeowner will want to have a detailed report on the inspector’s findings so that you can address any issues found. If the inspector were to provide you with an incomplete report or a report containing false findings, you would not feel that you had gotten your money’s worth.

6. a. Let’s say you note in your report that there is an SQL injection flaw in one of the input fields of the application, and you do not validate the finding. Typically, you turn over your report to management, who then tasks the application developer with addressing the issue. It is the application developer’s job to fix this defect as soon as possible. He or she is likely to commit time to researching and mitigating the issue. If after spending time and money on hunting down the cause of this flaw, it is determined to be a false positive, you can expect that the application developer will be coming back to you, the tester, and it will likely be noted that you wasted the company’s resources.

7. c. As you work through the testing phases of a penetration test, you will use various tools. Some of these tools will have the capability to output a pretty report in various formats. This is a good feature for a tool to have. However, just because a tool has this capability does not mean that you should use it to export the findings of the tool and simply regurgitate them in your final report. There are almost always going to be false positives or false negatives in the results of any tool. For this reason, you must carefully review the results of a tool’s output and try to determine what the actual vulnerabilities mean to the actual target. You must take into consideration the business of the target to be able to determine the impact on the environment. From there, you will be able to compile a plan for how the findings should be prioritized and addressed.

8. c. This is a common question when it comes to data collection and report writing: Exactly when should I start putting together this information? A report is the final outcome of a penetration testing effort. The most accurate and comprehensive way to compile a report is to start collecting and organizing the results while you are still testing. During the testing phase, as you come across findings that need to be documented, take screenshots of the tools used, the steps, and the output. This will help you piece together exactly the scenario that triggered the finding and illustrate it for the end user. You should include these screenshots as part of the report because including visual proof is the best way for your audience to gain a full picture of and understand the findings. Sometimes it may even be necessary to create a video. In summary, taking screenshots, videos, and lots of notes will help you create a deliverable report. There are some great tools available to help you with this.

9. b. If an insecure protocol is exposed to the Internet, the finding would need to be classified with a high severity level. It is very important to analyze the results of your testing and correlate them to the actual environment because doing so is the only way to really understand the risk. You need to then convey your understanding in your written report. Most reports provide an indication of risk as high, medium, or low. A quality report will provide an accurate rating based on the risk to the actual environment.

10. c. When it comes to compiling a final penetration testing report, one of the biggest challenges is pulling together all the data and findings collected throughout the testing phases. This is especially true when the penetration test spans a long period of time. Very often, you will need to dig through the output of many tools to find the information you are looking to include in your report. This is where a tool like Dradis comes in. Dradis is a handy little tool that can ingest the results from many of the penetration testing tools you use and then help you compile and output reports in formats such as CSV, HTML, and PDF. It is very flexible because it includes many add-ons and also allows you to create your own. So if you need the ability to import from a new tool that is not yet compatible, you can simply write your own add-on to accomplish this.

Answers to the Q&A

Chapter 1

1. d. With a black-box penetration test, the tester is provided with only a very limited amount of information. For instance, the tester may only be provided the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester take the perspective of an external attacker. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gaining more and more information to use in attacks. The tester would not have prior knowledge of the targets’ organization and infrastructure. Another aspect of black-box testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well. It also eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

2. c. Ransomware is a type of attack in which the threat actor demands payment for access to the encrypted or stolen data.

3. ethical hacker. An ethical hacker is a person who hacks into a computer network in order to test or evaluate its security rather than with malicious or criminal intent.

4. malicious intent. The term ethical hacker, as defined by the Oxford dictionary, is “a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent.” The NIST Computer Security Resource Center defines a hacker as an “unauthorized user who attempts to or gains access to an information system.”

5. b. In 2016 the cybercrime industry took over the number-one spot, previously held by the drug trade, for the most profitable illegal industry. So, as you can imagine, it has attracted a new type of cybercriminal. Just as it did back in the days of Prohibition, organized crime goes where the money is. It consists of very well-funded and motivated groups. Organized crime typically uses any and all of the latest attack techniques. Whether ransomware or data theft, if it can be monetized, organized crime will use it.

6. d. Web application testing focuses on testing for security weaknesses in a web application. These weaknesses can include misconfigurations, input validation issues, injection issues, and logic flaws. Because a web application is typically built on a web server with a back-end database, the testing scope would normally include the database as well. But it would focus on gaining access to that supporting database through the web application compromise. A great resource that we mention a number of times in this book is the Open Web Application Security Project.

7. b. The OWASP Testing Project is a comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members. It covers the high-level phases of web application security testing and also digs deeper into the testing methods used. For instance, it goes as far as providing injection strings for testing XSS and SQL injection attacks. From an application security testing perspective, the OWASP Testing Project is the most detailed and comprehensive guide available.

8. c. With a black-box penetration test, the tester is provided with only a very limited amount of information. For instance, the tester may only be provided the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester take the perspective of an external attacker. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gaining more and more information to use in attacks. The tester would not have prior knowledge of the targets’ organization and infrastructure. Another aspect of black-box testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well. It also eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

9. d. An insider threat is a threat that comes from inside an organization. The motivations of these types of actors are normally different from those of many of the other common threat actors. Insider threats are often normal employees who are tricked into divulging sensitive information or mistakenly clicking on links that allow attackers to gain access to their computers. However, they could also be malicious insiders who are possibly motivated by revenge or money.

10. a. The majority of compromises today start with some kind of social engineering attack. This could be a phone call, an email, a website, an SMS message, and so on. For this reason, it is important to test how your employees handle these types of situations. This type of test is often omitted from the scope of a penetration testing engagement mainly because it primarily involves testing people instead of the technology. In most cases, management does not agree with this type of approach. However, it is important to get a real-world view of the latest attack methods. The result of a social engineering test should be to assess the security awareness program so that you can enhance it. It should not be to identify individuals who fail the test. One of the tools that we talk more about in a later chapter is the Social-Engineer Toolkit (SET), created by Dave Kennedy. This is a great tool for performing social engineering testing campaigns.

Chapter 2

1. a. The HIPAA Security Rule is focused on safeguarding electronic protected health information, which is defined as individually identifiable health information (IIHI) that is stored, processed, or transmitted electronically.

2. c. Risk appetite is defined by the ISO 31000 risk management standard as the “amount and type of risk that an organization is prepared to pursue, retain or take.” In other words, it is how much risk you are willing to accept within your organization.

3. Risk acceptance. Risk acceptance indicates that an organization is willing to accept the level of risk associated with a given activity or process. Generally, but not always, this means that the outcome of the risk assessment is within tolerance. There may be times when the risk level is not within tolerance, but the organization will still choose to accept the risk because all other alternatives are unacceptable.

4. gray. Gray-box testing is a type of testing in which the penetration tester is given some information about the target, but he or she needs to perform additional reconnaissance to be able to find security flaws, configuration errors, or vulnerabilities in the application, system, or network to be tested.

5. a. A red team is a group of cybersecurity experts and penetration testers who are hired by an organization to mimic a real threat actor by exposing vulnerabilities and risks regarding technology, people, and physical security.

6. b. A blue team is a corporate security team that defends the organization against cybersecurity threats (such as security operations center analysts, computer security incident response teams [CSIRTs], and information security [InfoSec] teams).

7. b. You might encounter scope creep in the following situations:

  • When there is poor change management in the penetration testing engagement

  • When there is ineffective identification of what technical and nontechnical elements will be required for the penetration test

  • When there is poor communication among stakeholders, including your client and your own team

8. d. The statement of work (SOW) is a document that specifies the activities to be performed during the penetration testing engagement. It can be used to define some of the following elements:

  • Project (penetration testing) timelines, including the report delivery schedule

  • The scope of the work to be performed

  • The location of the work

  • Special technical and nontechnical requirements

  • The payment schedule

  • Miscellaneous items that may not be part of the main negotiation but that need to be listed and tracked because they could pose problems during the overall engagement.

9. a. Simple Object Access Protocol (SOAP) is an application programming interface (API) standard that relies on XML and related schemas. REpresentational State Transfer (REST) is an architectural style and includes specifications for web services and APIs.

10. c. The text is an example of a disclaimer that you can include in pre-engagement documentation, as well as in the final report.

Chapter 3

1. a. An Nmap SYN scan sends a TCP SYN packet to the TCP port it is probing. This is also referred to as half-open scanning because it doesn’t open a full TCP connection. If the response is a SYN/ACK, this indicates that the port is in a listening state. If the response to the SYN packet is RST (reset), this indicates that the port is closed or not in a listening state. If the SYN probe does not receive any response, Nmap marks it as filtered because it was unable to determine if the port was open or closed.

2. a. A TCP connect scan (-sT) uses the underlying operating system’s networking mechanism to establish a full TCP connection with the target device being scanned.

3. a. The Nmap smb-enum-shares NSE script uses MSRPC to retrieve information about remote shares.

4. b. Scapy is a very handy tool that is typically used for packet crafting. When Nmap sends a SYN scan, it must modify the way it is sending a normal TCP packet to send only the SYN first. This in itself is packet crafting. However, with Nmap you provide a simple option such as -sS, and it does the rest. However, if you want more control over what you are sending, you can use Scapy.

5. c. One way to begin to enumerate subdomains is simply by using search engines such as Google or Bing, with site: specified at the beginning of the search string.

6. a. Passive reconnaissance is a method of information gathering in which the tool does not interact directly with the target device or network. There are multiple methods of passive reconnaissance. Some involve using third-party databases to gather information. Others involve using tools in ways in which they will not be detected by the target.

7. a. Although Nmap is the most well-known and used tool for network reconnaissance, others can be used in a similar way to gain the same results. One such tool is Scapy, a very handy tool that is typically used for packet crafting.

8. d. With an Nmap SYN scan, the tool sends a TCP SYN packet to the TCP port it is probing. This is also referred to as half-open scanning because it doesn’t open a full TCP connection. If the response is a SYN/ACK, this indicates that the port is actually in a listening state. If the response to the SYN packet is a RST (or reset), this indicates that the port is closed or not in a listening state. If the SYN probe does not receive any response, Nmap marks it as filtered because it was unable to determine if the port was open or closed.

9. c. With a TCP FIN scan, a FIN packet is sent to a target port. If the port is actually closed, the target system sends back an RST packet. If nothing is received from the target port, this could be considered open since the normal behavior would be to ignore the FIN packet. Note that this type of scan is not useful when scanning Windows-based systems, as they actually respond with RST packets, regardless of the port state.

10. c. Scanning for compliance purposes is typically driven by the market or governance that the environment serves. An example of this would be the information security environment for a healthcare entity, which would need to adhere to the requirements set forth by HIPAA.

Chapter 4

1. d. Scarcity, urgency, social proof, likeness, and fear are motivation techniques that social engineers commonly use.

2. c. Pretexting or impersonation involves presenting yourself as someone else in order to gain access to information.

3. a. The main goal in all phishing attacks, including whaling, is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

4. a. Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make the emails look legitimate and perhaps make them appear to come from trusted users within the corporation.

5. b. Malvertising is very similar to pharming, but it involves using malicious ads. In other words, malvertising involves incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

6. d. Whaling is similar to phishing and spear phishing.

7. d. An interrogator asks good open-ended questions to learn about the individual’s viewpoints, values, and goals. An interrogator uses any information revealed to continue to gather additional information or to obtain information from another victim. An interrogator uses closed-ended questions to gain more control of the conversation and to lead the conversation or to stop it.

Chapter 5

1. a. Open mail SMTP relays can be abused to send spoofed emails, spam, phishing, and other email-related scams.

2. c. The Windows operating system and Windows applications ask users to enter their passwords when they log in. The system converts those passwords into hashes (in most cases using an API called LsaLogonUser). A pass-the-hash attack goes around this process and just sends the hash to the system for authentication.

3. c. Mimikatz is a tool used by many penetration testers, attackers, and even malware that can be useful for retrieving password hashes from memory. It is a very useful post-exploitation tool.

4. a. Empire is a popular tool that can be used to perform golden ticket and many other types of attacks.

5. b. A common mitigation for ARP cache poisoning attacks is to use dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

6. d. A downgrade attack involves an attacker forcing a system to favor a weak encryption protocol or hashing algorithm that may be susceptible to other vulnerabilities. An example of a downgrade vulnerability and attack is the Padding Oracle on Downgraded Legacy Encryption (POODLE) vulnerability in OpenSSL, which allowed an attacker to negotiate the use of a lower version of TLS between the client and server.

7. d. Route manipulation attacks can be performed using any routing protocol.

8. c. A botnet is a collection of compromised machines that an attacker can manipulate from a command and control (CnC, or C2) system to participate in a DDoS attack, send spam emails, and perform other illicit activities.

9. d. The following are a few examples of best practices for securing your infrastructure, including Layer 2:

  • Select an unused VLAN (other than VLAN 1) and use it as the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports.

  • Avoid using VLAN 1 anywhere because it is a default.

  • Administratively configure access ports as access ports so that users cannot negotiate a trunk; also disable the negotiation of trunking (that is, do not allow Dynamic Trunking Protocol [DTP]).

  • Limit the number of MAC addresses learned on a given port with the port security feature.

  • Control Spanning Tree to stop users or unknown devices from manipulating it. You can do so by using the BPDU Guard and Root Guard features.

  • Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information you would rather not disclose.)

  • On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.

10. b. The purpose of jamming wireless signals or causing wireless network interference is to cause a full or partial DoS condition on the wireless network.

Chapter 6

1. a. Fuzzing is a black box testing technique that consists of injecting malformed or semi-malformed data in an automated fashion.

2. b. Web application parameter tampering attacks can be executed by manipulating parameters exchanged between the web client and the web server in order to modify application data. This can be achieved by manipulating cookies and by abusing hidden form fields. It may be possible to tamper with the values stored by a web application in hidden form fields.

3. a. The attack shown is a directory (path) traversal attack. (%2e%2e%2f is the same as ../.)

4. a. The example shown is an XSS attack using embedded SVG files to attempt to bypass security controls including WAFs.

5. d. A CSRF attack occurs when a user who is authenticated by the application through a cookie saved in the browser unwittingly sends an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

6. a. In DOM-based XSS, the payload is never sent to the server. Instead, the payload is only processed by the web client (browser).

7. c. Reflected XSS attacks (non-persistent XSS attacks) occur when malicious code or scripts are injected by a vulnerable web application using any method that yields a response as part of a valid HTTP request.

8. d. You typically find XSS vulnerabilities in the following:

  • Search fields that echo a search string back to the user

  • HTTP headers

  • Input fields that echo user data

  • Error messages that return user-supplied text

  • Hidden fields that may include user input data

  • Applications (or websites) that display user-supplied data

9. b. PHPSESSID and JSESSIONID are session ID names used by PHP and J2EE. They can be used to fingerprint those web application development frameworks and respective languages.

10. a. MD5 is a hashing algorithm that should be avoided. The rest of the options listed here should also be avoided, but they are encryption algorithms, not hashing algorithms.

Chapter 7

1. c. In dumpster diving, an unauthorized individual searches for and attempts to collect sensitive information from the trash. Piggybacking, or tailgating, involves an unauthorized individual following an authorized individual to enter a restricted building or facility. In fence jumping, an unauthorized individual jumps a fence or a gate to enter a restricted building or facility. Lockpicking is the act of manipulating or tampering with a lock to enter a building or obtain access to something else that is protected by a lock.

2. a. Static and dynamic binary analysis involves using disassemblers and decompilers to translate an app’s binary code or bytecode back into a more or less understandable format. By using these tools on native binaries, it is possible to obtain assembler code that matches the architecture for which the app was compiled.

3. b. seccomp (Secure Computing Mode) is a sandbox built in the Linux kernel to only allow the write(), read(), exit(), and sigreturn() system calls.

4. d. Modern web browsers provide sandboxing capabilities to isolate extensions and plugins. HTML5 has a sandbox attribute for use with iframes. Java virtual machines include a sandbox to restrict the actions of untrusted code, such as a Java applet. Microsoft’s .NET Common Language Runtime can indeed enforce restrictions on untrusted code.

5. c. An attacker may use a keylogger to capture every keystroke of a user in a system and steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user’s keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.

6. a. If the path to an executable (application binary) is enclosed in quotation marks (""), Windows knows exactly where to find it. Conversely, if the path where the application binary is located doesn’t contain any quotation marks, Windows will try to locate and execute it inside every folder of that path until it finds the executable file. An attacker can abuse this behavior to try to elevate privileges if the service is running under SYSTEM privileges. A service is vulnerable if the path to the executable has a space in the filename and the filename is not wrapped in quotation marks; exploitation requires write permissions to the path before the quotation mark.
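As an added illustration of the unquoted-path condition described above (example code written for this appendix, not from the book), the following Python audit helper parses a service's ImagePath value, lists the intermediate executables Windows would try before the real one, flags candidate directories that are in a caller-supplied set of user-writable folders, and produces the quoted ImagePath that remediates the finding. The service names, paths, and writable-directory set are constructed sample values; no registry or ACL access is performed.

```python
"""Audit helper for unquoted Windows service paths.

Added example (not from the book). Runs on any OS: it only parses the
ImagePath string; it does not read the registry or check ACLs. The
writable-directory set is a constructed input supplied by the caller.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field


@dataclass
class PathAudit:
    image_path: str
    quoted: bool                     # executable path wrapped in ""
    executable: str                  # the binary Windows ultimately runs
    candidates: list[str] = field(default_factory=list)  # tried first
    exploitable_dirs: list[str] = field(default_factory=list)

    @property
    def unquoted_with_spaces(self) -> bool:
        """The condition the answer describes: no quotes, space in path."""
        return not self.quoted and bool(self.candidates)


def _split_image_path(image_path: str) -> tuple[list[str], list[str]]:
    """Split an unquoted ImagePath into path tokens and argument tokens.

    The executable is assumed to end at the first token ending in '.exe';
    if no token does, the whole string is treated as the path.
    """
    tokens = image_path.strip().split(" ")
    end = len(tokens)
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            end = i + 1
            break
    return tokens[:end], tokens[end:]


def _norm(path: str) -> str:
    # Case-insensitive comparison with trailing backslashes stripped (C:\ -> c:)
    return ntpath.normcase(path).rstrip("\\")


def audit_service_path(image_path: str,
                       writable_dirs: set[str] | None = None) -> PathAudit:
    """Classify one ImagePath value and list what Windows would try to run.

    For 'C:\\Program Files\\My App\\svc.exe' the loader tries
    'C:\\Program.exe', then 'C:\\Program Files\\My.exe', and only then the
    real file. A candidate whose directory is writable by low-privileged
    users is what turns the misconfiguration into an exploitable finding.
    """
    writable = {_norm(d) for d in (writable_dirs or set())}
    text = image_path.strip()
    if text.startswith('"'):
        close = text.find('"', 1)
        exe = text[1:close] if close != -1 else text[1:]
        return PathAudit(image_path, True, exe)

    path_tokens, _args = _split_image_path(text)
    exe = " ".join(path_tokens)
    candidates = [" ".join(path_tokens[:i]) + ".exe"
                  for i in range(1, len(path_tokens))]
    exploitable = [ntpath.dirname(c) for c in candidates
                   if _norm(ntpath.dirname(c)) in writable]
    return PathAudit(image_path, False, exe, candidates, exploitable)


def quote_image_path(image_path: str) -> str:
    """Return the remediated ImagePath: executable quoted, arguments kept."""
    text = image_path.strip()
    if text.startswith('"'):
        return text
    path_tokens, args = _split_image_path(text)
    fixed = '"' + " ".join(path_tokens) + '"'
    return fixed + (" " + " ".join(args) if args else "")


def audit_services(services: dict[str, str],
                   writable_dirs: set[str]) -> dict[str, PathAudit]:
    """Audit a mapping of service name -> ImagePath; return only findings."""
    results = {name: audit_service_path(p, writable_dirs)
               for name, p in services.items()}
    return {n: r for n, r in results.items() if r.unquoted_with_spaces}


if __name__ == "__main__":
    # Constructed sample data (hypothetical service names and paths).
    SAMPLE_SERVICES = {
        "GoodSvc": r'"C:\Program Files\Vendor App\svc.exe" -k run',
        "BadSvc": r"C:\Program Files\Vendor App\svc.exe -k run",
        "svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    }
    WRITABLE = {r"C:\Program Files"}  # constructed assumption for the demo
    for name, finding in audit_services(SAMPLE_SERVICES, WRITABLE).items():
        print(f"{name}: unquoted path with spaces -> {finding.image_path}")
        print("  tried first:", finding.candidates)
        print("  user-writable:", finding.exploitable_dirs or "none")
        print("  fix ImagePath to:", quote_image_path(finding.image_path))
```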

7. c. Windows stores password hashes in three places:

  • The Security Account Manager (SAM) database

  • The LSASS

  • The Active Directory database

Every version of Windows stores passwords as hashes in a file called the Security Accounts Manager (SAM) database.

8. b. Mimikatz is an open source utility that allows an attacker to retrieve user credential information from the targeted system and potentially perform pass-the-hash and pass-the-ticket attacks.

Chapter 8

1. a. The following PSExec command interacts (-i) with the compromised system to launch the calculator application and returns control to the attacker (-d) before the launching of calc.exe is completed:

PSExec \\VICTIM -d -i calc.exe

2. b. Malware can use WMI to perform different activities in a compromised system. It is also possible to use WMI to perform many data-gathering operations.

3. a. It is possible to start a simple web service by using the python -m SimpleHTTPServer Python command.

4. a. PowerSploit is a collection of PowerShell modules that can be used for post-exploitation and other phases of an assessment.

5. a. This PowerShell command is performing a port scan against the 10.1.2.3 host. It scans ports 1 through 1024.

6. a. You can use remote access protocols to communicate with a compromised system. These protocols include Microsoft’s Remote Desktop Protocol (RDP), Apple Remote Desktop, VNC, and X server forwarding.

7. d. Lateral movement (also referred to as pivoting) is a post-exploitation technique that can be performed using many different methods. The main goal of lateral movement is to move from one device to another to avoid detection, steal sensitive data, and maintain access to many devices to exfiltrate the sensitive data.

8. d. Socat, Twittor, and DNSCat2 are all tools that can be used for command and control.

Chapter 9

1. a. SQLmap is often considered a web vulnerability and SQL injection tool. It helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection vulnerabilities. However, it cannot be used as a port scanner.

2. b. Nikto is an open source web vulnerability scanner.

3. a. John the Ripper and other password cracking tools can use password wordlists. A wordlist is a compilation of words, known passwords, and stolen passwords. Kali Linux and other penetration testing Linux distributions come with several wordlists.

4. a. Hashcat is used to crack passwords.

5. a. Ncrack is being used to launch a brute-force attack against an SSH server, and the output shows the user’s password (password123).

6. a. CeWL is a tool that can be used to create your own wordlists. You can use CeWL to crawl websites and retrieve words.

7. d. Mimikatz is a tool used by many penetration testers, attackers, and even malware that can be useful for retrieving password hashes from memory and is a very useful post-exploitation tool.

8. d. Metasploit was created using the Ruby programming language, and you can use Ruby to create exploits, scripts, and modules within the Metasploit framework.

9. a. Ruby is used to create this script. The following websites provide examples of Ruby programming concepts, tutorials, examples, and cheat sheets: https://www.ruby-lang.org/en/documentation/quickstart and http://www.learnrubyonline.org. Metasploit was created in Ruby, and it also comes with the source code for exploits, modules, and scripts created in Ruby. Downloading Kali Linux or another penetration testing distribution and becoming familiar with the scripts and exploits that come with Metasploit will help you familiarize yourself with the structure of Ruby scripts.

10. a. The def keyword defines methods. The programming language used is Ruby. The following website documents Ruby methods: https://docs.ruby-lang.org/en/2.2.0/syntax/methods_rdoc.html.

Chapter 10

1. b and c. The following are some examples of how to control the distribution of reports:

  • Produce only a limited number of copies.

  • Define the distribution list in the scope of work.

  • Label each copy with a specific ID or number that is tied to the person it is distributed to.

  • Label each copy with the name of the person it is distributed to.

  • Keep a log of each hard copy, including who it was distributed to and the date it was distributed. Table 10-2 shows an example of such a log.

  • Ensure that each copy is physically and formally delivered to the designated recipient.

  • If transferring a report over a network, ensure that the document is encrypted and that the method of transport is also encrypted.

  • Ensure that the handling and distribution of an electronic copy of a report are even more restrictive than for a hard copy:

    • Control distribution on a secure server that is owned by the department that initially requested the penetration test.

    • Provide only one copy directly to the client or requesting party.

    • Once the report is delivered to the requesting party, use a documented, secure method of deleting all collected information and any copy of the report from your machine.

2. c. An electronic copy of a report should be handled and distributed even more restrictively than a hard copy:

  • Control distribution on a secure server that is owned by the department that initially requested the penetration test.

  • Provide only one copy directly to the client or requesting party.

  • Once the report is delivered to the requesting party, use a documented, secure method of deleting all collected information and any copy of the report from your machine.

3. base. The CVSS exploitability metrics fall under the base metric group, which is one of three metric groups used in determining the scores.

4. findings and recommendations. The findings and recommendations section is the meat of the report. It contains all of the actionable information.

5. executive summary. The executive summary should provide enough information for anyone reading the report to get a clear idea of what the results are. It does not include the details of every finding; those are presented in another section. However, the executive summary must include enough information that a reader can skim just this section and glean from it the gist of the overall findings.

The following are examples of what should be included in an executive summary:

  • Brief summary of findings

  • Timeline

  • Summary of the test scope

  • Who performed the testing

  • Testing methodology used

  • Summary of metrics and measures, including the number of findings, listed by severity level

  • Objectives of the testing effort, including the main topic or purpose of the test and report

  • Brief description of the most critical findings

6. 3000. On Kali Linux, after you run the command service dradis start, the Dradis Framework web interface is accessible via http://127.0.0.1:3000.

7. c. This is a common question when it comes to data collection and report writing: Exactly when should I start putting together this information? A report is the final outcome of a penetration testing effort. The most accurate and comprehensive way to compile a report is to start collecting and organizing the results while you are still testing. During the testing phase, as you come across findings that need to be documented, take screenshots of the tools used, the steps, and the output. This will help you piece together exactly the scenario that triggered the finding and illustrate it for the end user. Include these screenshots in the report, because visual proof is the best way for your audience to gain a full picture of the findings and understand them. Sometimes it may even be necessary to record a video. In summary, taking screenshots, videos, and lots of notes will help you create a deliverable report, and there are some great tools available to help you with this.

8. d. The fact that the server is exposed to the Internet and is vulnerable to a remotely exploitable defect would constitute a rating of critical.
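Answers 3 and 8 both lean on CVSS: the exploitability metrics belong to the base metric group, and a remotely exploitable defect on an Internet-facing server lands at the top of the severity scale. The following added example (written for this appendix, not taken from the book or from FIRST) computes a CVSS v3.1 base score from a vector string using the weights and the Roundup function published in the v3.1 specification, then maps the score onto the v3.1 qualitative severity scale. The vector strings used in the stand-alone run are constructed illustrations, not scores of any particular product.

```ruby
# Added example, not from the book: CVSS v3.1 base score and qualitative severity.
# Metric weights are those published in the CVSS v3.1 specification.
AV  = { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.20 }
AC  = { 'L' => 0.77, 'H' => 0.44 }
# Privileges Required depends on Scope: [scope unchanged, scope changed]
PR  = { 'N' => [0.85, 0.85], 'L' => [0.62, 0.68], 'H' => [0.27, 0.50] }
UI  = { 'N' => 0.85, 'R' => 0.62 }
CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }

# CVSS v3.1 Roundup: smallest number to one decimal place that is >= the input.
# Done on integers, as the spec prescribes, to avoid floating-point artifacts.
def cvss_roundup(value)
  int_input = (value * 100_000).round
  return int_input / 100_000.0 if int_input % 10_000 == 0
  ((int_input / 10_000).floor + 1) / 10.0
end

# Parses "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" into { 'AV' => 'N', ... }.
def parse_vector(vector)
  parts = vector.split('/')
  raise ArgumentError, 'expected a CVSS:3.x vector' unless parts.first =~ /\ACVSS:3\.[01]\z/
  parts.drop(1).each_with_object({}) do |part, h|
    k, v = part.split(':', 2)
    h[k] = v
  end
end

# Base score = f(Impact, Exploitability); Exploitability is the sub-score that
# answer 3 refers to (AV, AC, PR, UI all live in the base metric group).
def base_score(vector)
  m = parse_vector(vector)
  changed = m['S'] == 'C'
  iss = 1.0 - (1.0 - CIA.fetch(m['C'])) * (1.0 - CIA.fetch(m['I'])) * (1.0 - CIA.fetch(m['A']))
  impact = if changed
             7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15
           else
             6.42 * iss
           end
  exploitability = 8.22 * AV.fetch(m['AV']) * AC.fetch(m['AC']) *
                   PR.fetch(m['PR'])[changed ? 1 : 0] * UI.fetch(m['UI'])
  return 0.0 if impact <= 0
  total = changed ? 1.08 * (impact + exploitability) : impact + exploitability
  cvss_roundup([total, 10.0].min)
end

# Qualitative severity rating scale from the CVSS v3.1 specification.
def severity(score)
  case score
  when 0.0 then 'None'
  when 0.1..3.9 then 'Low'
  when 4.0..6.9 then 'Medium'
  when 7.0..8.9 then 'High'
  else 'Critical'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed illustrations: an unauthenticated remote code execution style
  # vector, and a reflected cross-site scripting style vector.
  ['CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
   'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'].each do |v|
    s = base_score(v)
    puts "#{v} => #{s} (#{severity(s)})"
  end
end
```

The first vector (network-reachable, no privileges, no user interaction, full impact) scores 9.8 and rates Critical, which is the reasoning behind answer 8; the second, with scope changed but only partial impact, lands at 5.4 (Medium). Temporal and environmental metrics, the other two groups, would adjust these numbers but never feed the base score.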

9. audience. One of the most important aspects to keep in mind when writing a report is to know who your audience is. If you write a report that only a highly technical audience can understand and deliver it to an audience that is not very technical, the report will not show its value, and your hard work will go unnoticed. A clearly written executive summary is important because it breaks down the technical findings into summary explanations and provides enough information that all technical levels can understand the results and see value in the deliverable. Of course, you still need to cover all the technical details in other sections of the report. You can see that it is important to consider not only who you are delivering the report to but also who they will be passing it along to. You may end up presenting your final report to the executive or management level. Typically, they will turn over the findings of the report to other teams, such as IT, information security, or development to address the issues found. The technical sections of the report must provide enough information for those teams to be able to take action.

10. a, b, and c. The following are some examples of the items you will want to be sure to clean from systems:

  • User accounts created

  • Shells spawned on exploited systems

  • Database input created by automated tools or manually

  • Any tools installed or run from the systems under test
