CompTIA Pentest+ for Dummies Chapter 3 Prep Test

Question 1

You are performing a penetration test of Company XYZ whose network ID is 10.1.0.0/24.
You are in the information gathering phase and would like to do a port scan identifying any open ports on the systems and the version of the software running on those ports.
What command would you use?
A.nmap -sT 10.1.0.0/24
B.nmap -sV 10.1.0.0/24
C.nmap -sS 10.1.0.0/24
D.nmap -sP 10.1.0.0/24

Answer 1

B.nmap -sV 10.1.0.0/24

Explanation:
To perform a port scan and identify the version of the software running on those systems, you can use an -sV switch on the Nmap tool

Question 2

During your information gathering, you are looking at discovering hosts on the network using a passive approach.
What tool will monitor for ARP traffic on the network and list the active hosts on the network as a result?
A.recon-ng
B.theHarvester
C.Maltego
D.netdiscover

Answer 2

D.netdiscover

Explanation:
You can use netdiscover, which is a tool that comes with Kali Linux that identifies systems on the network yb sniffing ARP packets

Question 3

You are starting your hist discovery stage of the information gathering process and would like to identify the systems that are running on the network.
What command would you use?
A.nmap -sT 10.1.0.0/24
B.nmap -sV 10.1.0.0/24
C.nmap -sS 10.1.0.0/24
D.nmap -sP 10.1.0.0/24

Answer 3

D.nmap -sP 10.1.0.0/24

Explanation:
You can identify systems that are up and running on a network by performing a ping sweep with Nmap.
To do this, you use the -sP switch on the Nmap command.

Question 4

You would like to attempt to enumerate the shares on a Windows server that has the IP address of 10.1.0.10.
What command would you use?
A. nmap –script smb-enum-shares.nse 10.1.0.10
B.nmap -sS 10.1.0.10
C.hping -c 3 -p 53 -S 10.1.0.10
D.thehasrvester -d 10.1.0.10 -b all - 1 100

Answer 4

A. nmap –script smb-enum-shares.nse 10.1.0.10

Explanation:
The Nmap program has a number of scripts available that can be used to enumerate the network.
You can execute an Nmap script by using the –script paramter

Question 5

You are performing a SYN port scan on a customers network that falls into the scope of the pentest.
You would like to disable pings before enumerating the ports on each of the systems.
What command would you use?
A. nmap -sS 10.1.0.0/24 -p 80
B.nmap -sS 10.1.0.0/24 -T0
C.nmap -sS 10.1.0.0/24 -Pn
D.nmap -sS 10.1.0.0/24 -oX customerabc_scanresults.xml

Answer 5

C.nmap -sS 10.1.0.0/24 -Pn

Explanation:
When performing a port scan with Nmap, you can disable pings that are done before the port scan to determine if there is a system at the IP address.

To do this, you use the -Pn switch on the Nmap program

Question 6

You are performing a port scan on the network and wish to go with the most accurate scan possible.
What scan type would you use?
A.nmap -sT 10.1.0.0/24
B.nmap -sA 10.1.0.0/24
C.nmap -sS 10.1.0.0/24
D.nmap -sP 10.1.0.0/24

Answer 6

A.nmap -sT 10.1.0.0/24

Explanation:
A full TCP connect scan has Nmap perform a full-three way handshake with each of ports being scanned to determine if the port is open

Question 7

You are performing a penetration test for one of your customers and you are familiar with an exploit against Remote Desktop Services.
What command would you use to identify any systems that have Remote Desktop Services running?
A. nmap -sS 10.1.0.0/24 -p 1433
B.nmap -sS 10.1.0.0/24 -p 3389
C.nmap -sS 10.1.0.0/24 -Pn
D.nmap -sS 10.1.0.0/24 -oX customerabc_scanresults.xml

Answer 7

B.nmap -sS 10.1.0.0/24 -p 3389

Explanation:
You can use -p with Nmap and specify the ports to scan.
This is useful when trying to find systems with a specific port open such as locating all the systems that have remote desktop

Question 8

You are using Nmap to discover systems and servicers on the network and would to identify the OS that is being used by the system with the IP address of
10.1.0.10.
What command would you use?
A. nmap -sS 10.1.0.10 -p 25,80,3389,1433 -Pn
B.nmap -sS 10.1.0.10 -p 25, 80, 3389, 1433 -T0
C.nmap -sS 10.1.0.10 -p 25, 80, 3389, 1433 -oX results.xml
D.nmap -sS 10.1.0.10 -p 25, 80, 3389, 1433 -O

Answer 8

D.nmap -sS 10.1.0.10 -p 25, 80, 3389, 1433 -O

Explanation:
To identify the operating system running on a system with Nmap, you can add the -O switch

Question 9

You are trying to ping a number of IP addresses that are in the scope of the pentest.
You are not getting any replies from the IP addresses, so you suspect the firewall is blocking ICMP traffic.
What command would you use to perform a ping request in hopes to bypass the firewall?
A.theharvester -d 10.1.0.10 -b all -1 100
B.hping3 -c 3 -p 53 -S 10.1.0.10
C.nmap -sS 10.1.0.10 -p 25, 80, 3389, 1433 -Pn
D.netdiscover

Answer 9

B.hping3 -c 3 -p 53 -S 10.1.0.10

Explanation:
The hping program is used to craft your own ping type packets and specify characteristics of the packet such as the protocol (it uses TCP by default), source port and destination port

Question 10

You are performing a black box pentest and would like to discover the public IP ranges used by an organization.
What tool would you use?
A.theHarvester
B.nmap
C.Whois
D.hping3

Answer 10

C.Whois

Explanation:
You can perform a Whois search on an organization to identify contact information and IP ranges being used by that company

Question 11

You have been hired to perform a pentest from a customer and would like to perform some OSINT information gathering on the company.
What tools would you use?
A.Nmap
B.Shodan
C.Wireshark
D.Maltego
E.BeEF

Answer 11

B.Shodan
D.Maltego

Explanation:
Shodan and Maltego are considered OSINT information-gathering tools