Chapter 6: Security Assessment and Testing (Domain 6) 371
- C. Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametric nor derivative is a term used to describe types of fuzzers.
- B. Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
- D. The IP addresses that his clients have provided are RFC 1918 nonroutable IP addresses, and Jim will not be able to scan them from offsite. To succeed in his penetration test, he will have to either first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.
- B. Karen can’t use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.
- B. Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won’t catch changes made between audits, and local policies can drift due to local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won’t ensure consistent logging of events.
- B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.
- B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SnAP is an industry term.
- A. When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used. TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets. A UDP scan will miss most services that are provided via TCP, and an ICMP scan is merely a ping sweep of systems that respond to pings and won’t identify services at all.
- B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.
- D. Black box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray box test provides some information, whereas a white or crystal box test provides significant or full detail.
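The backup-verification answer above lists "using hashing to verify that the logs are intact" as a valid control. The following is an added example, not from the book, of how that check is commonly implemented: each log line is hashed together with the previous digest so that modification, deletion, or truncation anywhere in the file changes every later digest. The log lines and the `GENESIS` seed are constructed for the example.

```python
import hashlib

# Constructed sample log lines for the example (not real system output).
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z host1 sshd: session opened for user alice",
    "2024-01-01T00:00:05Z host1 sudo: alice : COMMAND=/usr/bin/tar",
    "2024-01-01T00:00:09Z host1 backup: archive written by alice",
    "2024-01-01T00:00:12Z host1 sshd: session closed for user alice",
]


def chain_hashes(lines, seed="GENESIS"):
    """Return one SHA-256 hex digest per line.

    Each digest covers the line *and* the previous digest, so the last
    digest commits to the whole file. Storing that last digest off-box
    (for example, by forwarding it to the SIEM) lets an auditor later
    detect any change to the archived copy of the log."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    digests = []
    for line in lines:
        prev = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, stored_digests, seed="GENESIS"):
    """Recompute the chain over `lines` and compare to the stored digests.

    Returns None when the log is intact, otherwise the index of the
    first line whose digest does not match. A deleted line shows up at
    the position where it used to be, because every later digest shifts;
    a truncated log shows up at the first missing position."""
    expected = chain_hashes(lines, seed)
    for i in range(min(len(expected), len(stored_digests))):
        if expected[i] != stored_digests[i]:
            return i
    if len(expected) != len(stored_digests):
        return min(len(expected), len(stored_digests))
    return None


if __name__ == "__main__":
    digests = chain_hashes(SAMPLE_LOG)
    print("intact:", verify_chain(SAMPLE_LOG, digests))
    tampered = list(SAMPLE_LOG)
    tampered[2] = tampered[2].replace("alice", "mallory")
    print("tampered line index:", verify_chain(tampered, digests))
```

In practice the stored digests (or at least the final one) must live somewhere the log writer cannot modify, or an attacker who edits the log can simply recompute the chain.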