Exam PT0-002 topic 1 question 148 discussion

I agree that proxy can redirect you to spoofed host, however the question mentioned "not been able to establish an on-path position between the target host and the Internet." Modified DNS Server done during pentest must be cleanup during post engagement as thaught by the pentest+ lecture. Answer should be B.

The best method to support the objective is B. Exploit the local DNS server and add/update the zone records with a spoofed A record. This method allows the tester to redirect HTTP connections to a spoofed server IP, without gaining access to the target host or implanting malware. Using the Scapy utility to overwrite name resolution fields in the DNS query response is not recommended, as it is unreliable and can be detected. Proxying HTTP connections from the target host to that of the spoofed host is also not recommended, as it can easily be detected.

The penetration tester has already established an on-path (Man-in-the-Middle) position between the target and local network services (but not between the target and the Internet). This means the tester can intercept and manipulate local network traffic, including DNS requests.

It states that the penetration tester is between the target and the local network services. So he can already intercept the communication. Also the network services most likely include the DNS service. So he could easily use Scapy (C) and reply to the DNS queries with the spoofed server IP... All other answers require actual access to either the target machine or one of the network services.

One of the skills that a pentester needs is to establish an on-path position, which means to intercept and modify the traffic between two hosts. This can be done by using techniques such as ARP spoofing, DNS spoofing, or ICMP redirection. 🚧

C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.

Explanation: - Option A: Implanting malware on the target host is a more overt and aggressive method, and it doesn't align with the subtle approach described in the scenario. - Option B: By exploiting the local DNS server to change the A record (Address Record), all queries for a specific domain name can be redirected to a different IP address, such as the spoofed server IP. This approach fits the requirement of subtly redirecting HTTP connections without needing to control the path between the target host and the Internet. - Option C: The Scapy utility could be used to craft and manipulate packets, but the scenario doesn't indicate that the tester has the ability to intercept and modify DNS responses between the target host and the Internet. - Option D: Proxying HTTP connections is a valid technique, but it generally requires the ability to intercept traffic between the target host and the Internet, which the scenario states the tester has not been able to achieve. in this case option B ftw

The penetration tester would set up a proxy server on their machine or on a compromised machine on the local network. The tester would then configure the target host to use the proxy server for all HTTP traffic. When the target host makes an HTTP request, the request would first go to the proxy server. The proxy server would then forward the request to the legitimate server and receive the response. Before forwarding the response to the target host, the proxy server would modify the response to point to the spoofed server IP instead of the legitimate server IP. The target host would then receive the modified response, which would contain the spoofed server IP, and would establish a connection to the spoofed server.

__BBB__

B is the correct answer

B is correct answer

dddddddddd

B is the best answer

B and D will work. If you want to do this subtly, you should not modify the local DNS server, because all users will be impacted. Proxy for one target is perfect for this task.

I would not want a pen tester to modify my local DNS server with bad records.