Chapter 3 Flashcards

1
Q

Megan runs the following Nmap scan:
nmap -sU -sT -p 1-65535 example.com

What information will she not receive?
A. TCP services
B. The state of the service
C. UDP services
D. A list of vulnerable services

A

D. A list of vulnerable services

2
Q

Tom wants to find metadata about an organization using a search engine.

What tool from the following list should he use?
A. ExifTool
B. MetaSearch
C. FOCA
D. Nmap

A

C. FOCA (Fingerprinting Organizations with Collected Archives)

ExifTool is for individual files

3
Q

After running an Nmap scan of a system, Zarmeena discovers that TCP ports 139, 443, and
3389 are open. What operating system is she most likely to discover running on the system?
A. Windows
B. Android
C. Linux
D. iOS

A

A. Windows

3
Q

Charles runs an Nmap scan using the following command:
nmap -sT -sV -T2 -p 1-65535 example.com

After watching the scan run for over two hours, he realizes that he needs to optimize the
scan. Which of the following is not a useful way to speed up his scan?
A. Only scan via UDP to improve speed.
B. Change the scan timing to 3 or faster.
C. Change to a SYN scan.
D. Use the default port list

A

A. Only scan via UDP to improve speed.

4
Q

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan.

What tool is her best option to manually validate the services running on these ports?
A. SSH
B. SFTP
C. Telnet
D. A web browser

A

D. A web browser
(Admins often move web services off 80/443 onto alternate ports such as 8080 and 8443; a browser, or a manual HTTP/HTTPS request, shows what is actually being served there.)

4
Q

Angela recovered a PNG image during the early intelligence-gathering phase of a penetration
test and wants to examine it for useful metadata.

What tool could she most successfully use to do this?
A. ExifTool
B. Grep
C. PsTools
D. Nginx

A

A. ExifTool

5
Q

During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows:
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33

What can she determine from this information?

A

D. That the system is running a Linux 2.6 kernel between .9 and .33

6
Q

What is the full range of ports that a UDP service can run on?
A. 1–1024
B. 1–16,383
C. 1–32,767
D. 1–65,535

A

D. 1–65,535
(for both TCP and UDP)

7
Q

Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed, and he wants to scan
other hosts in his subnet to identify potential targets as part of a pivot attempt.

What Nmap flag will Steve probably have to use to successfully scan hosts from this account?
A. -sV
B. -u
C. -oA
D. -sT

A

D. -sT
(A connect scan goes through the normal OS socket API and completes the full handshake, so it needs no raw-socket privileges; the default SYN scan, -sS, requires root, which an unprivileged account does not have.)

8
Q

Which of the following provides information about a domain’s registrar and
physical location?

A. Nslookup
B. host
C. WHOIS
D. traceroute

A

C. WHOIS

9
Q

Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal
network range for the entire organization.

If he uses the -T0 flag, what issue is he likely to encounter?
A. The scan will terminate when the host count reaches 0.
B. The scan will not scan IP addresses in the .0 network.
C. The scan will progress at a very slow speed.
D. The scan will only scan for TCP services.

A

C. The scan will progress at a very slow speed.

10
Q

Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
A. -oA
B. -oS
C. -oG
D. -oX

A

B. -oS
(-oS is the joke "script kiddie" leet-speak output format and should never be used for a real pen test. -oG (grepable) and -oX (XML) are machine-parseable, and -oA writes normal, XML, and grepable output at once.)

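The two Nmap cards above (open 139/443/3389 pointing at Windows, and -oG as a useful output format) come together in practice when you post-process a scan. The following is an added example, not part of the original flashcards: a small parser for Nmap grepable (-oG) output plus a port-based Windows heuristic. The scan text is constructed for the example, and the "two or more Windows-typical ports open" rule is an assumption of this example, not an Nmap feature; confirm any guess with -O or -sV.

```python
"""Parse Nmap grepable (-oG) output and flag hosts whose open ports suggest Windows."""

# Constructed sample of -oG output (not a real scan). Each "Host:" line holds
# tab-separated "Key: value" pairs; each Ports: entry has the shape
# port/state/proto/owner/service/rpcinfo/version/ and Nmap writes a "/" inside
# a field as "|" (e.g. ssl|http), so splitting on "/" is safe.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: "
    "nmap -sS -sV -oG scan.gnmap 10.10.0.0/29\n"
    "Host: 10.10.0.2 ()\tStatus: Up\n"
    "Host: 10.10.0.2 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "443/open/tcp//ssl|http//Microsoft IIS httpd 10.0/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\t"
    "Ignored State: closed (997)\n"
    "Host: 10.10.0.3 ()\tStatus: Up\n"
    "Host: 10.10.0.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\t"
    "Ignored State: closed (997)\n"
    "Host: 10.10.0.4 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 10:00:30 2024 -- 8 IP addresses (2 hosts up) "
    "scanned in 30.00 seconds\n"
)

# Ports that, open together, usually mean a Windows host: MS-RPC endpoint
# mapper, NetBIOS session, SMB, and RDP. Heuristic chosen for this example.
WINDOWS_HINT_PORTS = {135, 139, 445, 3389}


def parse_gnmap(text):
    """Return {address: {"status": str, "ports": [ {...}, ... ]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." comment lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        address = fields["Host"].split()[0]  # "10.10.0.2 ()" -> "10.10.0.2"
        entry = hosts.setdefault(address, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            for item in fields["Ports"].split(", "):
                port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                entry["ports"].append({
                    "port": int(port), "state": state, "proto": proto,
                    "service": service, "version": version,
                })
    return hosts


def open_ports(entry, proto="tcp"):
    """Set of ports reported as open for one host (filtered ports are excluded)."""
    return {p["port"] for p in entry["ports"] if p["state"] == "open" and p["proto"] == proto}


def likely_windows(entry, min_hits=2):
    """Heuristic only: at least min_hits Windows-typical ports open."""
    return len(open_ports(entry) & WINDOWS_HINT_PORTS) >= min_hits


def windows_candidates(text):
    """Addresses in a -oG file worth a closer look as Windows hosts."""
    return sorted(addr for addr, entry in parse_gnmap(text).items() if likely_windows(entry))


if __name__ == "__main__":
    for addr, entry in parse_gnmap(SAMPLE_GNMAP).items():
        print(addr, entry["status"], sorted(open_ports(entry)), "windows?", likely_windows(entry))
```

Run it as a script to see each host's status, open ports, and the Windows verdict; on a real engagement you would feed it the .gnmap file that -oA or -oG wrote. Note that 8080 on 10.10.0.3 is filtered, so it is deliberately left out of the open set, and that the heuristic is a prompt for -O/-sV follow-up, not a fingerprint.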
11
Q

During an early phase of his penetration test, Mike recovers a binary executable file that he
wants to quickly analyze for useful information. Which of the following will quickly give him
a view of potentially useful information in the binary?
A. Netcat
B. strings
C. Hashmod
D. Eclipse

A

B. strings
(prints the printable character sequences found in a binary, which quickly exposes embedded URLs, file paths, hard-coded credentials, and error messages)

12
Q

Jack is conducting a penetration test for a customer in Japan. What NIC will he most likely
have to check for information about his client’s networks?
A. RIPE
B. ARIN
C. APNIC
D. LACNIC

A

C. APNIC
(covers the Asia-Pacific region: Asia, Australia, New Zealand) RESEARCH THE OTHERS AS WELL

13
Q

Lin believes that the organization she is scanning may have load balancers in use.

Which of the following techniques will help her detect them if they are DNS-based load balancers?
A. Use Nmap and look for service port differences.
B. Use ping and check for TTL and IP changes.
C. Use Nessus and check for service version differences.
D. Use WHOIS to check for multiple hostnames.

A

B. Use ping and check for TTL and IP changes.

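The ping technique in the card above is easy to automate: run ping several times (each run resolves the name again), then compare the answering addresses and TTLs. The following is an added example, not part of the original flashcards. The ping output is constructed for the example in Linux iputils format, and the interpretation of the TTL variation is this example's own reading of the card.

```python
"""Spot a DNS-based load balancer from repeated ping runs: differing IPs and TTLs."""
import re

# Constructed output of three separate "ping -c 1 www.example.test" runs
# (not real captures). Each run resolves the name afresh, so round-robin DNS
# can hand back a different address every time.
PING_RUNS = [
    "PING www.example.test (203.0.113.10) 56(84) bytes of data.\n"
    "64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=1 ttl=54 time=11.9 ms\n",
    "PING www.example.test (203.0.113.11) 56(84) bytes of data.\n"
    "64 bytes from 203.0.113.11 (203.0.113.11): icmp_seq=1 ttl=51 time=14.2 ms\n",
    "PING www.example.test (203.0.113.10) 56(84) bytes of data.\n"
    "64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=1 ttl=54 time=12.1 ms\n",
]

# A reply line; the "from" field is either "ip" or "name (ip)" depending on
# whether ping was given a name or an address.
REPLY_RE = re.compile(r"bytes from (?P<who>[^:]+): icmp_seq=\d+ ttl=(?P<ttl>\d+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_replies(output):
    """Return (ip, ttl) for every echo reply in one ping run."""
    pairs = []
    for match in REPLY_RE.finditer(output):
        ip = IPV4_RE.search(match.group("who")).group(0)
        pairs.append((ip, int(match.group("ttl"))))
    return pairs


def analyse_runs(runs):
    """Summarise the addresses and TTLs seen across several ping runs."""
    pairs = [pair for run in runs for pair in parse_replies(run)]
    ips = sorted({ip for ip, _ in pairs})
    ttls = sorted({ttl for _, ttl in pairs})
    return {
        "ips": ips,
        "ttls": ttls,
        # Several addresses for one name is the round-robin DNS signature.
        "dns_balanced": len(ips) > 1,
        # TTLs that differ between replies point at different backends or
        # paths (different hop counts, or a different OS default TTL).
        "ttl_varies": len(ttls) > 1,
    }


if __name__ == "__main__":
    print(analyse_runs(PING_RUNS))
```

A single run with one address and one TTL tells you nothing; the signal only appears across repeated runs, which is why the loop is over runs rather than over packets. On a real target you would replace PING_RUNS with the captured output of each `ping -c 1 <host>` invocation.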
14
Q

Charles uses the following hping command to send traffic to a remote system:
hping remotesite.com -S -V -p 80

What type of traffic will the remote system see?
A. HTTP traffic to TCP port 80
B. TCP SYNs to TCP port 80
C. HTTPS traffic to TCP port 80
D. A TCP three-way handshake to TCP port 80

A

B. TCP SYNs to TCP port 80
(-S sets the SYN flag, -V turns on verbose mode, and -p 80 selects the destination port; hping flags are case-sensitive. No payload is sent, so this is not HTTP, and hping does not finish the three-way handshake, so the target sees bare SYNs.)

15
Q

What does a result of * * * mean during a traceroute?

A. No route to the host exists.
B. All hosts are queried.
C. There is no response to the query, perhaps a timeout, but traffic is going through.
D. A firewall is blocking responses.

A

C. There is no response to the query, perhaps a timeout, but traffic is going through.
(Many hosts are configured to not respond to this type of
traffic but will route traffic properly)

16
Q

Rick wants to describe flaws found in an organization’s internally developed web applications using a standard model. Which of the following is best suited to his need?

A

A. CWE
(Common Weakness Enumeration, a community-developed list of hardware and software weakness types)

17
Q

Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?

A. They indicate improper encryption, allowing easy decryption of traffic.
B. They indicate services that may not be properly updated or managed.
C. Attackers install expired certificates to allow easy access to systems.
D. Penetration testers will not look for expired certificates; they only indicate procedural
issues.

A

B. They indicate services that may not be properly updated or managed.
(Attackers love indicators of improper maintenance)

18
Q

John has gained access to a system that he wants to use to gather more information about
other hosts in its local subnet. He wants to perform a port scan but cannot install other tools
to do so.
Which of the following tools isn’t usable as a port scanner?
A. Hping
B. Netcat
C. Telnet
D. ExifTool

A

D. ExifTool

19
Q

Important ports

22

23

25

53

80

88

110

443

1433

A

22 TCP,UDP SSH

23 TCP, UDP Telnet

25 TCP, UDP SMTP
(email)

53 TCP, UDP DNS
(UDP for ordinary queries; TCP for zone transfers and responses too large for UDP)

80 TCP, UDP HTTP

88 TCP, UDP Kerberos

110 TCP, UDP POP3

443 TCP, UDP HTTPS

1433 TCP Microsoft SQL Server

20
Q

What is nmap scan -sS?

A

TCP SYN ("half-open") scan: sends a SYN and classifies the port from the reply (SYN/ACK = open, RST = closed, no answer = filtered) without ever completing the handshake. Fast, the default for privileged users, and less likely to be logged by the application since no connection is established; needs raw-socket privileges (root).

21
Q

What is nmap scan -sT

A

TCP connect ("full connect") scan: completes the three-way handshake through the OS socket API. Slower and noisier than -sS (the service sees a real connection), but typically used when the account running Nmap lacks the privileges needed to create raw packets.
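The distinction between -sS and -sT is easiest to see from the scanner's side. The following is an added example, not part of the original flashcards: a minimal connect scan written with ordinary sockets, which is exactly why it works from the unprivileged account in Steve's card. It starts its own throwaway listener on 127.0.0.1 so it runs offline; the listener, port choices, and 0.5 s timeout are this example's assumptions.

```python
"""A TCP connect scan (what nmap -sT does) with plain sockets and no root."""
import socket
import threading
from contextlib import closing


def start_listener(host="127.0.0.1"):
    """Stand-in for a real service: listen on an OS-chosen port and record every
    connection that completes, the way a service log would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    accepted = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:           # listener was closed
                return
            accepted.append(peer)     # handshake finished: a connect scan leaves this trace
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], accepted


def unused_port(host="127.0.0.1"):
    """Grab a free port and release it so the scan sees a closed port (RST)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Classify ports the way -sT does. connect() makes the kernel run the full
    three-way handshake, so the verdict comes from the socket result rather
    than from crafted packets, which is why no privileges are required."""
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"        # SYN/ACK received and handshake completed
            except ConnectionRefusedError:
                results[port] = "closed"      # RST came back: nothing is listening
            except OSError:                   # timeout or unreachable
                results[port] = "filtered"    # no reply: dropped by a firewall or host down
    return results


if __name__ == "__main__":
    srv, open_port, accepted = start_listener()
    try:
        print(connect_scan("127.0.0.1", [open_port, unused_port()]))
    finally:
        srv.close()
```

The three outcomes map onto the same open/closed/filtered states Nmap reports. A SYN scan reaches the same verdicts from the SYN/ACK or RST alone and then sends a RST instead of an ACK, so the listener's accept() never fires and nothing lands in its log; doing that requires raw sockets, hence root.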

22
Q

What is nmap scan -sU

A

UDP scan; can be combined with a TCP scan type (-sS or -sT). Slow, because an open UDP port usually sends nothing back, so Nmap must wait for an ICMP port-unreachable (closed) or a timeout (open|filtered) on each port.

23
Q

What is nmap scan -p

A

selects the ports to scan, e.g. -p 22,80,443 or a range such as -p 1-65535 (-p- is shorthand for all ports); without -p, Nmap scans its default list of the 1,000 most common ports per protocol.

24
Q

What is nmap scan -sA

A

TCP ACK scan: does not identify open ports. It sends bare ACKs to map firewall rulesets and tell whether the firewall is stateful: a RST back means the port is unfiltered, no reply (or an ICMP error) means filtered.

25
Q

What does -T0 to -T5 mean in an Nmap scan?

A

Timing templates that set how aggressively Nmap sends probes: -T0 (paranoid) is slowest and -T5 (insane) fastest; -T3 (normal) is the default. Lower values reduce noise and the chance of IDS detection at the cost of much longer scans; -T0 and -T1 are impractical for large ranges.

26
Q

What are the regional NICs (Regional Internet Registries) and what region does each cover?

A

AFRINIC: Africa

APNIC: Asia-Pacific (Asia, Australia, New Zealand)

ARIN: North America, parts of the Caribbean, and North Atlantic islands

LACNIC: Latin America and the Caribbean

RIPE NCC: Europe, Russia, the Middle East, and parts of central Asia