Free CompTIA PenTest+ PT0-002: 04 Social Engineering – Free Anki Decks

Explanation: Sympathy is not mentioned in the passage as a technique or method of influence used by social engineers. Social engineers stick to manipulation tactics such as authority, scarcity and urgency, social proof, likeness, and fear.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: To protect sensitive information from being compromised through dumpster diving, it is advisable to store such documents in a secure place until they are no longer needed. At this point, they should be shredded, or even better, incinerated.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: With pretexting, or impersonation, an attacker presents as someone else in order to gain access to information. The attacker may impersonate someone within an organization or even create a whole new identity to manipulate the receipt of information.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Browser Exploitation Framework (BeEF) is a tool designed to manipulate users by leveraging XSS vulnerabilities. It is often used in conjunction with attacks that redirect users to malicious websites in order to steal sensitive information, such as session tokens.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: Vishing, short for voice phishing, is a kind of social engineering attack that occurs over a phone conversation. The objective is to get the user to reveal personal, financial or other kind of confidential information, including Social Security numbers and credit card numbers, which the attacker can use for identity theft purposes. During the attack, the attacker impersonates an individual and may use spoofed caller ID to conceal their identity.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 130 in PDF)

Explanation: The Social-Engineer Toolkit (SET) is a tool developed primarily to perform social engineering attacks, such as creating and managing spear phishing emails with embedded payloads. The passage illustrates a step-by-step process of creating an email with an embedded payload that, when executed, could spawn a command shell on the victim’s system.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: Avoiding clicking on any links sent via text messages if they were not expected is one way to help mitigate SMS phishing attacks. SMS Phishing, or Smishing, is a method of fraud where attackers trick the victim into downloading a Trojan horse, virus, or other form of malware onto their mobile device.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Social-Engineer Toolkit (SET) is primarily used in penetration testing to conduct various social engineering attacks, such as creating a spear phishing email. It can be integrated with third-party tools and frameworks like Metasploit, and it offers features like spawning a command shell on a victim’s machine after a successful exploitation.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: SET is not incompatible with third-party tools and frameworks. In fact, the text states that it can be integrated with third-party tools and the Metasploit framework, making this choice false.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow for easy and quick penetration testing. It gives the option to use third-party tools and frameworks like Metasploit, which aids in launching various social engineering attacks.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 20 in PDF)

Explanation: Using small hidden cameras and microphones is not mentioned as a prevention technique. Instead, it’s a method used by attackers to perpetrate the shoulder surfing technique.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 6 in PDF)

Explanation: The Social-Engineer Toolkit (SET) allows the penetration tester to perform several post-exploitation actions after a successful exploitation. These include spawning a command shell on the victim machine, initiating a Windows reverse VNC DLL, creating a reverse TCP shell, launching a Windows Shell Bind_ TCP, and setting up a Windows Meterpreter Reverse HTTPS.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: SpoofCard is a call spoofing tool that not only can be used to spoof a number, but also offers features such as voice changing, call recording, generation of different background noises, and sending calls directly to voicemail.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The ’Scarcity and urgency’ technique involves creating a sense of urgency or loss in the victim, which manipulates them into making potentially risky decisions. This method is common in both sales and social engineering scenarios.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 53 in PDF)

Explanation: Fear influence technique in social engineering seeks to manipulate a victim’s emotions to coerce them into behaving in a particular way, often to avoid or rectify a perceived harmful scenario.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 44 in PDF)

Explanation: The fear method is a manipulation technique used by social engineers to force their victims to act quickly in order to avoid or rectify a dangerous or painful situation. The engineer uses the target’s unpleasant emotion, based on the belief that something bad or dangerous may take place, to manipulate them.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: A social engineering attack primarily leverages the human users in an organization. It depends on the attacker’s ability to exploit human behavior to reveal information that could be harmful to the organization.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Social-Engineer Toolkit (SET) gives the option to perform post-exploitation activities like spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell, Windows Shell Bind_ TCP, and Windows Meterpreter Reverse HTTPS once the system has been successfully exploited.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: In the text, it is stated that social engineers strive to be liked. They work towards making their victims like the way they behave, look, and talk so as to enable manipulation. Therefore, being unlikable isn’t a known method used by social engineers.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: USB drop key attacks aim to trick users into inserting lost or abandoned USB devices into their systems. Once the user accesses the content on the USB, malware is unknowingly downloaded and installed onto their system, enabling the attacker to compromise their system.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 24 in PDF)

Explanation: In the context of generating a normal PDF with an embedded EXE using the Social-Engineer Toolkit (SET), you should select the option ’Use built-in BLANK PDF for attack’. This option will have SET generate a normal PDF with an embedded executable and use a built-in blank PDF file for the attack.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: In the context, the text is discussing the simulation of physical attacks by penetration testers or red teamers to identify vulnerabilities in an organization’s physical security measures. These vulnerabilities could potentially be exploited by a malicious actor to gain unauthorized access to infrastructure, buildings, systems, and employees.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: SpoofCard is a call spoofing tool that allows the user to generate different background noises, in addition to spoofing a number, changing the user’s voice, recording calls, and send calls straight to voicemail.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The text indicates that attackers may use specialized software and hardware to clone a badge that provides access to a building. This suggests that the process involves some form of electronic copying or simulation.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page page in PDF)

Explanation: SpoofCard is a call spoofing tool that enables a user to spoof their number, change their voice, record calls, generate different background noises, and also send calls directly to voicemail.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The email phishing attack involves convincing the recipient to open an attachment or click on a link that seems trustworthy. In the given email example, an attachment is included that appears like a valid document, potentially leading the recipient to open it and subsequently be prompted to disclose confidential information.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: Social proof is a psychological phenomenon where an individual is unsure of the appropriate behavior and thus mimics the behavior of others. This tactic is used by social engineers, particularly when an individual is in an unfamiliar situation.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 16 in PDF)

Explanation: Asterisk is a legitimate voice over IP (VoIP) management tool that can also be used to impersonate caller ID. It is a powerful tool that can be used by attackers to spoof caller ID in social engineering attacks.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Social-Engineer Toolkit (SET) was designed specifically for launching numerous social engineering attacks. It has features built into it that allow for the creation and handling of many different types of attacks.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: As the text explains, in spear phishing the attacker mimics trusted users within the company to make their emails appear legitimate to the victim. The attacker specifically targets individuals or groups in a particular organization and studies them carefully to craft convincing emails.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: In a watering hole attack, an attacker profiles websites that the intended victim accesses, and then injects a code into those websites to redirect the user to a site with an exploit code. The key purpose of this attack is to infect computers within an organization’s network, hence gaining a foothold in the network. It’s mainly aimed at profiling users of specific organizations.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: In the context of social engineering, ’pretexting’ or impersonation is when an attacker presents as someone else in order to gain access to information.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: The Social-Engineer Toolkit (SET) is a tool used in social engineering attacks. It can execute various types of attacks and can also integrate with third-party tools like Metasploit.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: Pretexting, in the context of social engineering attacks, involves the attacker assuming a different identity or role to manipulate others and gain access to information. This can involve pretending to be someone within an organization, or creating a new, fake identity.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: Whaling attacks are a form of phishing that specifically targets high-profile individuals like CEOs or other key executives. They serve the same purpose of collecting sensitive information or compromising systems like other phishing attacks but the target audience and the construction of the communication differentiates them.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: In the given context, piggybacking is where an unauthorized person gains access to a restricted area by accompanying an authorized person, usually with their consent. On the other hand, tailgating is also a way for an unauthorized person to gain access, but it usually occurs without the consent of the authorized person.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)