- “Do I Know This Already?” Quiz
- Foundation Topics: Exploiting Local Host Vulnerabilities
- Understanding Physical Security Attacks
- Review All Key Topics
- Define Key Terms
- Q & A
In this sample chapter from CompTIA PenTest+ PT0-001 Cert Guide, you will learn how to take advantage of insecure services and protocol configurations during a penetration testing engagement.
In this chapter you will learn about exploiting local host vulnerabilities as well as physical security flaws. It explains how to take advantage of insecure services and protocol configurations during a penetration testing engagement, and how to perform local privilege escalation attacks as part of a test. You will gain an understanding of Set-UID and Set-GID Unix programs, as well as ret2libc attacks. The chapter also covers privilege escalation attacks against Windows systems and the security flaws of Android and Apple iOS mobile devices. Finally, you will gain an understanding of physical security attacks such as piggybacking, tailgating, fence jumping, dumpster diving, lock picking, and badge cloning.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”
Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

| Foundation Topics Section | Questions |
|---|---|
| Exploiting Local Host Vulnerabilities | 1–8 |
| Understanding Physical Security Attacks | 9–10 |
1. Which of the following is not an insecure service or protocol?
   a. Cisco Smart Install
   b. Telnet
   c. Finger
   d. Windows PowerSploit

2. Consider the following example:

   ```
   omar@ares:~$ ls -l topsecret.txt
   -rwxrwxr-- 1 omar omar 15 May 26 21:15 topsecret.txt
   ```

   What permissions does the user omar have on the topsecret.txt file?
   a. Read only
   b. Write only
   c. Read, write, execute
   d. Write, execute

3. Which of the following is not true about sticky bits?
   a. A restricted deletion flag, or sticky bit, is a single bit whose interpretation depends on the file type.
   b. For directories, the sticky bit prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories such as /tmp.
   c. If the sticky bit is set on a directory, files inside the directory cannot be renamed or removed by the owner of the file, the owner of the directory, or the superuser (even though the modes of the directory might allow such an operation).
   d. For regular files on some older systems, the sticky bit saves the program’s text image on the swap device so it will load more quickly when run.

4. Which of the following is a type of attack in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process?
   a. Ret2libc
   b. ASLR bypass
   c. CPassword
   d. Sticky-bit attack

5. Which of the following is a component of Active Directory’s Group Policy Preferences that allows administrators to set passwords via Group Policy?
   a. Ret2libc
   b. CPassword
   c. Sticky-bit
   d. GPO crack

6. Which of the following tools allows an attacker to dump the LSASS process from memory to disk?
   a. John the Ripper
   b. SAMsploit
   c. Sysinternals ProcDump
   d. Windows PowerShell

7. The SELinux and AppArmor security frameworks include enforcement rules that attempt to prevent which of the following attacks?
   a. Lateral movement
   b. Sandbox escape
   c. Cross-site request forgery (CSRF)
   d. Cross-site scripting (XSS)

8. Which of the following is not one of the top mobile security threats and vulnerabilities?
   a. Cross-site request forgery (CSRF)
   b. Insecure data storage
   c. Insecure communication
   d. Insecure authentication

9. Which of the following is an attack in which the attacker tries to retrieve encryption keys from a running operating system after using a system reload?
   a. Hot-boot
   b. Rowhammer
   c. Cold boot
   d. ASLR bypass

10. Which of the following is the term for an unauthorized individual following an authorized individual to enter a restricted building or facility?
    a. Lockpicking
    b. Dumpster diving
    c. Badge cloning
    d. Tailgating
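
To make the `ls -l` permission question and the sticky-bit question above concrete, here is an added Python example (not code from the book) that parses an `ls -l` mode string into numeric `st_mode` bits, reports what a given class (owner, group, other) may do, and states what a set sticky bit means for a directory versus a regular file. The `-rwxrwxr--` listing is the one from the permission question; the other mode strings used in comments are constructed.

```python
import stat

# Permission bits in the order the nine rwx characters appear in ls -l output.
RWX_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Positions where a special-bit marker (s/S for setuid/setgid, t/T for sticky)
# replaces the execute character.
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
FILE_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK}


def parse_mode(mode_str):
    """Turn a 10-character ls -l mode string (e.g. '-rwxrwxr--', 'drwxrwxrwt')
    into a numeric st_mode value, including setuid/setgid/sticky bits."""
    if len(mode_str) != 10 or mode_str[0] not in FILE_TYPES:
        raise ValueError(f"unsupported mode string {mode_str!r}")
    mode = FILE_TYPES[mode_str[0]]
    for i, ch in enumerate(mode_str[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= RWX_BITS[i]
        elif i in SPECIAL and ch in "sStT" and (ch.lower() == "t") == (i == 8):
            # Lower-case marker: execute bit also set; upper-case: only the special bit.
            mode |= SPECIAL[i]
            if ch.islower():
                mode |= RWX_BITS[i]
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def permissions_for(mode, who):
    """Return the permission names ('read', 'write', 'execute') granted to a class."""
    shift = {"owner": 6, "group": 3, "other": 0}[who]
    rwx = (mode >> shift) & 0o7
    return tuple(n for bit, n in ((4, "read"), (2, "write"), (1, "execute")) if rwx & bit)


def sticky_semantics(mode):
    """Explain what a set sticky bit means for this entry, as the chapter describes it."""
    if not mode & stat.S_ISVTX:
        return "sticky bit not set"
    if stat.S_ISDIR(mode):
        return ("restricted deletion flag: only the file owner, the directory owner "
                "or the superuser may remove or rename entries")
    return "regular file: on some older systems the text image is kept on swap for faster loading"
```

Running `permissions_for(parse_mode("-rwxrwxr--"), "owner")` reproduces the answer to the listing question, and `sticky_semantics(parse_mode("drwxrwxrwt"))` shows the /tmp-style directory case.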