Penetration Testing Techniques | SSCP Exam Question

Not a Penetration Testing Technique

Prev Question Next Question

Question

Which of the following is NOT a technique used to perform a penetration test?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

A.

Traffic padding is a countermeasure to traffic analysis.

Even if perfect cryptographic routines are used, the attacker can gain knowledge of the amount of traffic that was generated.

The attacker might not know what Alice and Bob were talking about, but can know that they were talking and how much they talked.

In certain circumstances this can be very bad.

Consider for example when a military is organising a secret attack against another nation: it may suffice to alert the other nation for them to know merely that there is a lot of secret activity going on.

As another example, when encrypting Voice Over IP streams that use variable bit rate encoding, the number of bits per unit of time is not obscured, and this can be exploited to guess spoken phrases.

Padding messages is a way to make it harder to do traffic analysis.Normally, a number of random bits are appended to the end of the message with an indication at the end how much this random data is.

The randomness should have a minimum value of 0, a maximum number of N and an even distribution between the two extremes.

Note, that increasing 0 does not help, only increasing N helps, though that also means that a lower percentage of the channel will be used to transmit real data.

Also note, that since the cryptographic routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it does not help to put the padding anywhere else, e.g.

at the beginning, in the middle, or in a sporadic manner.

The other answers are all techniques used to do Penetration Testing.

References: KRUTZ, Ronald L.

& VINES, Russel.

D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 233, 238

and https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis.

Penetration testing, also known as pen testing, is a simulated cyberattack that evaluates the security of an organization's systems, networks, and applications. The main objective of a pen test is to identify vulnerabilities and potential attack vectors that can be exploited by attackers to gain unauthorized access to sensitive information or systems.

The techniques used in a penetration test vary depending on the scope and objectives of the test. However, all techniques used in a pen test are legal and ethical, and they are performed with the permission of the organization being tested.

The following are brief descriptions of each of the techniques mentioned in the question:

A. Traffic Padding: This technique involves adding dummy data to network packets to make them appear larger than they actually are. The purpose of this technique is to make it more difficult for attackers to analyze and interpret the network traffic. However, this technique is not commonly used in penetration testing.

B. Scanning and Probing: This technique involves scanning the target system, network, or application for open ports, services, and vulnerabilities. The purpose of this technique is to identify potential attack vectors that can be exploited by attackers to gain unauthorized access.

C. War Dialing: This technique involves dialing a range of phone numbers to identify modems that are connected to the target system or network. The purpose of this technique is to identify potential entry points that can be exploited by attackers to gain unauthorized access.

D. Sniffing: This technique involves intercepting and analyzing network traffic to extract sensitive information such as usernames, passwords, and other confidential data. The purpose of this technique is to identify potential vulnerabilities in the network or application.

Therefore, based on the above description, the answer to the question is A. Traffic Padding, as it is not commonly used in a penetration test.