Selected PT0-003 PenTest+ Questions Answers

The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.

Privilege escalation (Option B):

The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.

By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.

This technique is a DLL hijacking attack.

The Common Vulnerability Scoring System (CVSS) provides a standardized way to evaluate the severity of security vulnerabilities. It includes:

Base Metrics: Inherent characteristics of a vulnerability (e.g., attack vector, complexity).

Temporal Metrics: Factors that change over time (e.g., exploit availability).

Environmental Metrics: Customization based on an organization’s environment.

Correct answers:

Helping to prioritize remediation based on threat context (Option B):

CVSS scores help organizations prioritize vulnerabilities based on real-world impact.

The Environmental metric allows customization based on business risk.

The tool that the penetration tester should use for further investigation is WPScan. This is because WPScan is a WordPress vulnerability scanner that can detect common WordPress security issues, such as weak passwords, outdated plugins, and misconfigured settings. WPScan can also enumerate WordPress users, themes, and plugins from the robots.txt file.

The two entries in the robots.txt file that the penetration tester should recommend for removal are:

Allow: /admin

Allow: /wp-admin

These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application’s backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.

Operational Technology (OT) protocols are used in industrial control systems (ICS) to manage and automate physical processes. Here’s an analysis of each protocol regarding whether it sends information in cleartext:

TTEthernet (Option A):

Explanation: TTEthernet (Time-Triggered Ethernet) is designed for real-time communication and safety-critical systems.

Security: It includes mechanisms for reliable and deterministic data transfer, not typically sending information in cleartext.

DNP3 (Option B):

Explanation: DNP3 (Distributed Network Protocol) is used in electric and water utilities for SCADA (Supervisory Control and Data Acquisition) systems.

Security: While the original DNP3 protocol transmits data in cleartext, the DNP3 Secure Authentication extensions provide cryptographic security features.

Modbus (Answer: C):

Explanation: Modbus is a communication protocol used in industrial environments for transmitting data between electronic devices.

Security: Modbus transmits data in cleartext, which makes it susceptible to interception and unauthorized access.

References: The lack of security features in Modbus, such as encryption, is well-documented and a known vulnerability in ICS environments​​​​.

PROFINET (Option D):

Explanation: PROFINET is a standard for industrial networking in automation.

Security: PROFINET includes several security features, including support for encryption, which means it doesn’t necessarily send information in cleartext.

Conclusion: Modbus is the protocol that most commonly sends information in cleartext, making it vulnerable to eavesdropping and interception.