312-50V11 · Question #661
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is
The correct answer is A. Hardware, Software, and Sniffing.. Password retrieval during a security assessment can be accomplished through hardware keyloggers, software keyloggers, and network sniffing - all three are valid and commonly used techniques.
Question
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?
Options
- AHardware, Software, and Sniffing.
- BHardware and Software Keyloggers.
- CPasswords are always best obtained using Hardware key loggers.
- DSoftware only, they are the most effective.
How the community answered
(26 responses)- A88% (23)
- B4% (1)
- C4% (1)
- D4% (1)
Why each option
Password retrieval during a security assessment can be accomplished through hardware keyloggers, software keyloggers, and network sniffing - all three are valid and commonly used techniques.
All three methods are legitimate password retrieval techniques in a penetration testing context. Hardware keyloggers are physical devices intercepting keystrokes between keyboard and system, software keyloggers capture input at the OS or application level, and network sniffing captures credentials transmitted over the wire - particularly effective against cleartext or weakly-encrypted protocols such as FTP, Telnet, and HTTP. A thorough assessment leverages all three vectors.
Hardware and software keyloggers alone omit network sniffing, which is a distinct and independently effective technique for capturing credentials in transit across the network.
Hardware keyloggers are not always the best method - they require physical access to the target machine, making them impractical in many remote or large-scale assessment scenarios.
Software keyloggers alone are insufficient as a complete methodology; hardware keyloggers and network sniffing cover attack vectors that software keyloggers cannot address.
Concept tested: Password retrieval methods in penetration testing
Source: https://owasp.org/www-project-testing-guide/
Topics
Community Discussion
No community discussion yet for this question.