During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?
Correct Answer:B
To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract specific columns from the database that typically contain password hashes. The --dump command in sqlmap is used to dump the contents of the specified database table. Here??s a breakdown of the options:
✑ Option A: sqlmap -u www.example.com/?id=1 --search -T user
✑ Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
✑ Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts
✑ Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
References from Pentest:
✑ Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.
✑ Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.
=================
A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?
Correct Answer:B
If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here??s why:
✑ Netcat:
✑ Comparison with Other Tools:
Netcat??s ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.
=================
A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?
Correct Answer:A
Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.
✑ Preparation:
✑ Enable Monitoring Mode:
Step-by-Step Explanationairmon-ng start wlan0
✑ uk.co.certification.simulator.questionpool.PList@3327f1d6 iwconfig
✑ Capture WPA2 Handshakes: airodump-ng wlan0mon
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================
While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?
Correct Answer:A
✑ Debugging Mode:
✑ Common Causes:
✑ Best Practices:
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================
Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?
Correct Answer:D
When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection. Here??s an analysis of each option:
✑ Use steganography and send the file over FTP (Option A):
✑ Compress the file and send it using TFTP (Option B):
✑ Split the file in tiny pieces and send it over dnscat (Option C):
✑ Encrypt and send the file over HTTPS (Answer: D):
Conclusion: Encrypting the file and sending it over HTTPS is the most efficient and secure method for exfiltrating sensitive data, ensuring both confidentiality and reducing the risk of detection.