Active Information Gathering

Question 1

What is DNS?

Answer 1

The Domain Name System (DNS) is one of the most critical systems on the Internet and is a distributed database responsible for translating user-friendly domain names into IP addresses.

Question 2

Example of TLD?

Answer 2

.com

Question 3

How to control how long a server or client caches a DNS record?

Answer 3

Via TTL field of DNS record.

Question 4

What is NS?

Answer 4

NS - Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.

Question 5

What is A?

Answer 5

A - Also known as a host record, the “a record” contains the IP address of a hostname (such as www.megacorpone.com).

Question 6

What is MX?

Answer 6

MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.

Question 7

What is PTR?

Answer 7

PTR - Pointer Records are used in reverse lookup zones and are used to find the records associated with an IP address.

Question 8

What is CNAME?

Answer 8

CNAME - Canonical Name Records are used to create aliases for other host records.

Question 9

What is TXT?

Answer 9

TXT - Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.

Question 10

How to to find the A host record for www.megacorpone.com?

Answer 10

host www.megacorpone.com

Question 11

How to find the MX records for megacorpone.com?

Answer 11

host -t mx megacorpone.com

Question 12

How to find the TXT records for megacorpone.com?

Answer 12

host -t txt megacorpone.com

Question 13

How to look up a valid host for megacorpone.com?

Answer 13

host www.megacorpone.com

Question 14

How to use host to look up an invalid host?

Answer 14

host idontexist.megacorpone.com

Question 15

What NXDOMAIN means?

Answer 15

Public DNS record does not exist for that hostname.

Question 16

How to use bash to brute force forward DNS name lookups for megacorpone.com? You have a wordlist called “list.txt”.

Answer 16

kali@kali:~$ for ip in $(cat list.txt); do host $ip.megacorpone.com; done

Question 17

How to use bash to bruteforce reverse DNS names? Let’s use a loop to scan IP addresses 38.100.193.50 through 38.100.193.100. We will filter out invalid results by showing only entries that do not contain “not found” (with grep -v).

Answer 17

for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v “not found”

Question 18

What “grep -v” do?

Answer 18

Select non-matching lines.

Question 19

What is DNS zone transfer?

Answer 19

A zone transfer is basically a database replication between related DNS servers in which the zone file is copied from a master DNS server to a slave server. The zone file contains a list of all the DNS names configured for that zone. Zone transfers should only be allowed to authorized slave DNS servers but many administrators misconfigure their DNS servers, and in these cases, anyone asking for a copy of the DNS server zone will usually receive one.

Question 20

How to use host to perform a DNS zone transfer?

Answer 20

host -l domain_name dns_server_address

Question 21

How to attempt zone transfer on “megacorpone.com” and on ns1 subdomain?

Answer 21

kali@kali:~$ host -l megacorpone.com ns1.megacorpone.com

Question 22

How to use host to do a DNS zone transfer on www.megacorpone.com and ns2 subdomain?

Answer 22

kali@kali:~$ host -l megacorpone.com ns2.megacorpone.com

Question 23

How to use host to obtain DNS servers for a given domain name?

Answer 23

host -t ns megacorpone.com | cut -d “ “ -f 4

Question 24

What ‘-t’ do in host command?

Answer 24

-t specifies the query type

Question 25

What is DNSRecon?

Answer 25

DNSRecon is an advanced, modern DNS enumeration script written in Python.

Question 26

What is ‘-d’ for in dnsrecon?

Answer 26

To specify a domain name.

Question 27

What is ‘-t’ for in dnsrecon?

Answer 27

To specify the type of enumeration to perform.

Question 28

How to use dnsrecon to perform a zone transfer on megacorpone.com?

Answer 28

kali@kali:~$ dnsrecon -d megacorpone.com -t axfr

Question 29

What is ‘-D’ for in dnsrecon?

Answer 29

To specify a file name containing potential subdomain strings.

Question 30

What is ‘-t’ for in dnsrecon?

Answer 30

To specify the type of enumeration to perform.

Question 31

How to brute force hostnames using dnsrecon and list.txt?

Answer 31

kali@kali:~$ dnsrecon -d megacorpone.com -D ~/list.txt -t brt

Question 32

What is DNSenum?

Answer 32

DNSEnum is another popular DNS enumeration tool.

Question 33

How to find a website’s DNS address?

Answer 33

host -t ns domain-name-com-here

Question 34

How to attempt a Zone transfer using dnsrecon on megacorpone.com?

Answer 34

dnsrecon -d megacorpone.com

Question 35

What is port scanning?

Answer 35

Port scanning is the process of inspecting TCP or UDP ports on a remote machine with the intention of detecting what services are running on the target and what potential attack vectors may exist.

Question 36

How to use netcat to perform a TCP port scan on ports 3388-3390? On address IP 10.11.1.220.

Answer 36

nc -nvv -w 1 -z 10.11.1.220 3388-3390

Question 37

What ‘-w’ option do in netcat?

Answer 37

Specifies connection timeout in seconds.

Question 38

What ‘-z’ option do in netcat?

Answer 38

Is used to specify zero-I/O mode, which will send no data.

Question 39

How to use netcat to perform a UDP port scan on ports 160-162, destination IP 10.11.1.115?

Answer 39

kali@kali:~$ nc -nv -u -z -w 1 10.11.1.115 160-162

Question 40

What ‘-u’ option do in netcat?

Answer 40

Indicate UDP port scan.

Question 41

What is nmap?

Answer 41

Is one of the most popular, versatile, and robust port scanners available.

Question 42

What is ‘-I’ option for in iptables?

Answer 42

To insert a new rule into a given chain which in this case includes both the INPUT (Inbound) and OUTPUT (Outbound) chains followed by the rule number.

Question 43

What is ‘-s’ option for in iptables?

Answer 43

Specify a source IP address.

Question 44

What is ‘-d’ option for in iptables?

Answer 44

Specify a destination IP address.

Question 45

What is ‘-j’ option for in iptables?

Answer 45

ACCEPT the traffic.

Question 46

What is ‘-z’ option for in iptables?

Answer 46

Zero the packet and byte counters in all chains.

Question 47

How to configure iptables rules for the scan on IP 10.11.1.220?

Answer 47

kali@kali:~$ sudo iptables -I INPUT 1 -s 10.11.1.220 -j ACCEPT
kali@kali:~$ sudo iptables -I OUTPUT 1 -d 10.11.1.220 -j ACCEPT
kali@kali:~$ sudo iptables -Z

Question 48

How to scan an IP 10.11.1.220 for the 1000 most popular TCP ports?

Answer 48

nmap 10.11.1.220

Question 49

What ‘-v’ option in iptables do?

Answer 49

Add some verbosity.

Question 50

What ‘-n’ option in iptables do?

Answer 50

Enable numeric output.

Question 51

What ‘-L’ option in iptables do?

Answer 51

List the rules present in all chains.

Question 52

How to to monitor nmap traffic for a top 1000 port scan?

Answer 52

sudo iptables -vn -L

Question 53

How to perform a SYN scan on ip 10.11.1.220?

Answer 53

kali@kali:~$ sudo nmap -sS 10.11.1.220

Question 54

How to perform a TCP connect scan on ip address 10.11.1.220?

Answer 54

nmap -sT 10.11.1.220

Question 55

How to perform a UDP scan on ip 10.11.1.115?

Answer 55

kali@kali:~$ sudo nmap -sU 10.11.1.115

Question 56

How to to perform a combined UDP and SYN scan?

Answer 56

sudo nmap -sS -sU 10.11.1.115

Question 57

How to perform a network sweep?

Answer 57

kali@kali:~$ nmap -sn 10.11.1.1-254

Question 58

How to perform a network sweep and then using grep to find live hosts?

Answer 58

nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt

grep Up ping-sweep.txt | cut -d “ “ -f 2

Question 59

How to scan for web servers using port 80?

Answer 59

kali@kali:~$ nmap -p 80 10.11.1.1-254 -oG web-sweep.txt

kali@kali:~$ grep open web-sweep.txt | cut -d” “ -f2

Question 60

How to perform a top twenty port scan, saving the output in greppable format?

Answer 60

nmap -sT -A –top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt

Question 61

What ‘-O’ option do in nmap?

Answer 61

OS fingerprinting. This feature attempts to guess the target’s operating system by inspecting returned packets. This
is possible because operating systems often have slightly different implementations of the
TCP/IP stack (such as varying default TTL values and TCP window sizes) and these slight
variances create a fingerprint that Nmap can often identify.

Question 62

How to use nmap for OS fingerprinting on ip 10.11.1.220?

Answer 62

kali@kali:~$ sudo nmap -O 10.11.1.220

Question 63

How to use nmap for banner grabbing and/or service enumeration, destination ip address is 10.11.1.220?

Answer 63

kali@kali:~$ nmap -sV -sT -A 10.11.1.220

Question 64

What is NSE for?

Answer 64

To launch user-created scripts in order to automate various scanning tasks. These scripts perform a broad range of functions including DNS enumeration, brute force attacks, and even vulnerability identification.

Question 65

Where are NSE scripts?

Answer 65

NSE scripts are located in the /usr/share/nmap/scripts directory.

Question 66

How to use nmap’s scripting engine (NSE) for OS fingerprinting? Destination IP address is 10.11.1.220, and SMB is turned on.

Answer 66

kali@kali:~$ nmap 10.11.1.220 –script=smb-os-discovery

Question 67

How to use nmap to perform a DNS zone transfer on ns2.megacorpone.com, port 53.

Answer 67

nmap –script=dns-zone-transfer -p 53 ns2.megacorpone.com

Question 68

What service is on port 53?

Answer 68

DNS

Question 69

How to view more information about a script?

Answer 69

–script-help
which displays a description of the script and a URL where we can find more in-depth information, such as the script arguments and usage examples.

Question 70

How to use –script-help option to view more information about script?

Answer 70

kali@kali:~$ nmap –script-help dns-zone-transfer

Question 71

How to conduct a ping sweep 10.11.1.* addresses and save the output to a file “ping_sweep.txt”, and use grep to show only machines that are online?

Answer 71

nmap -sP 10.11.1.1-255 | grep “10.11.1.” | cut -d “ “ -f 5 > ping_sweep.txt

Question 72

How to scan the IP addresses from “ping_sweep.txt” for open webserver ports. Use Nmap to find the webserver and operating system versions.

Answer 72

sudo nmap -iL ping_sweep.txt -p 80 -O

Question 73

How to use NSE scripts to scan the machines in the labs that are running the SMB service?

Answer 73

sudo nmap –script smb-os-discovery.nse -iL ping_sweep.txt -p 445

Question 74

How to check IP address 10.11.1.5 and port 80 using netcat?

Answer 74

nc -zv 10.11.1.5 80

Question 75

How to perform nmap UDP scan on IP 10.11.1.5?

Answer 75

sudo nmap -sU 10.11.1.5

Question 76

What is Masscan?

Answer 76

Masscan is arguably the fastest port scanner; it can scan the entire Internet in about 6 minutes, transmitting an astounding 10 million packets per second! While it was originally designed to scan the entire Internet, it can easily handle a class A or B subnet, which is a more suitable target range during a penetration test.

Question 77

How to install Masscan on Linux?

Answer 77

sudo apt install masscan

Question 78

How to use masscan to look for all web servers within a class A subnet?

Answer 78

kali@kali:~$ sudo masscan -p80 10.0.0.0/8

Question 79

What is ‘–rate’ for in masscan?

Answer 79

To specify the desired rate of packet transmission.

Question 80

What is ‘-e’ for in masscan?

Answer 80

To specify the raw network interface to use.

Question 81

What is ‘–router-ip’ for in masscan?

Answer 81

Specify the IP address for the appropriate gateway.

Question 82

How to use masscan on port 80

Answer 82

kali@kali:~$ sudo masscan -p80 10.11.1.0/24 –rate=1000 -e tap0 –router-ip 10.11.0.1

Question 83

What is SMB?

Answer 83

Server Message Block

Question 84

On which port NetBIOS service listen?

Answer 84

139

Question 85

SMB port?

Answer 85

445

Question 86

What is NetBIOS?

Answer 86

NetBIOS is an independent session layer protocol and service that allows computers on a local network to communicate with each other.

Question 87

How to use nmap to scan for the NetBIOS service?

Answer 87

kali@kali:~$ nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254

Question 88

How to use nbtscan to collect additional NetBIOS information on IP 10.11.1.*?

Answer 88

kali@kali:~$ sudo nbtscan -r 10.11.1.0/24

Question 89

Where are Nmap SMB NSE Scripts?

Answer 89

/usr/share/nmap/scripts

Question 90

How to find various nmap SMB NSE scripts?

Answer 90

ls -1 /usr/share/nmap/scripts/smb*

Question 91

What is NetBIOS?

Answer 91

Network Basic Input/Output System

Question 92

How to use NSE to perform OS discovery?

Answer 92

kali@kali:~$ nmap -v -p 139, 445 –script=smb-os-discovery 10.11.1.227

Question 93

How to pass argument to NSE script?

Answer 93

–script-args

Question 94

How to pass “smb-vuln-ms08-067” argument to NSE script? Destination IP is 10.11.1.5 and destination ports are 139 and 445.

Answer 94

nmap -v -p 139,445 –script=smb-vuln-ms08-067 –script-args=unsafe=1 10.11.1.5

Question 95

What is NFS?

Answer 95

Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984. It allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage.

Question 96

What is UDP?

Answer 96

User Datagram Protocol

Question 97

How to use nmap to identify hosts that have portmapper/rpcbind running?

Answer 97

kali@kali:~$ nmap -v -p 111 10.11.1.1-254

Question 98

How to query rpcbind in order to get registered services?

Answer 98

nmap -sV -p 111 –script=rpcinfo 10.11.1.1-254

Question 99

How to locate various NSE scripts for NFS?

Answer 99

kali@kali:~$ ls -1 /usr/share/nmap/scripts/nfs*

Question 100

How to run all NSE scripts for NFS on IP address 10.11.1.72?

Answer 100

nmap -p 111 –script nfs* 10.11.1.72

Question 101

How to use nmap to make a list of machines running NFS in the labs?

Answer 101

nmap –script=nfs-ls 10.11.1.1-255 -p 111

Question 102

What is SMTP and what it support?

Answer 102

The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN.

Question 103

What VRFY do in SMTP?

Answer 103

A VRFY request asks the server to verify an email address.

Question 104

What EXPN do in SMTP?

Answer 104

EXPN asks the server for the membership of a mailing list.

Question 105

How to validate nc to validate SMTP users on ip address 10.11.1.217?

Answer 105

nc -nv 10.11.1.217 25
VRFY root
VRFY idontexist

Question 106

What is SNMP?

Answer 106

Simple Network Protocol

Question 107

SNMP is based on what?

Answer 107

UDP

Question 108

What is UDP?

Answer 108

Simple, stateless protocol, which is susceptible to IP spoofing and replay attacks.

Question 109

What is the SNMP MIB?

Answer 109

The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, where branches represent different organizations or network functions. The leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user. The IBM
Knowledge Center contains a wealth of information about the MIB tree.

Question 110

How to scan for open SNMP ports, which command would you use?

Answer 110

nmap

Question 111

Which option would you use to perform UDP scanning in nmap?

Answer 111

-sU

Question 112

Which option is used to limit the output to only display open ports in nmap?

Answer 112

–open

Question 113

How to use nmap to perform a SNMP scan on 10.11.1.*?

Answer 113

sudo nmap -sU –open -p 161 10.11.1.1-254 -oG open-snmp.txt

Question 114

What is onesixtyone?

Answer 114

Tool that will attempt a brute force attack against a list of IP addresses.

Question 115

How to use onesixtyone to brute force community strings?

Answer 115

onesixtyone -c community -i ips

Question 116

How to enumerate the entire MIB tree on IP address 10.11.1.14?

Answer 116

snmpwalk -c public -vl -t 10 10.11.1.14

Question 117

How to enumerate Windows Users using snmpwalk on address IP 10.11.1.14?

Answer 117

snmpwalk -c public -vl 10.11.1.14 1.3.6.1.4.1.77.1.2.25

Question 118

How to enumerate Windows processes using snmpwalk on address IP 10.11.1.73?

Answer 118

snmpwalk -c public -vl 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2

Question 119

How to enumerate open TCP ports using snmpwalk on address IP 10.11.1.14?

Answer 119

snmpwalk -c public -vl 10.11.1.14 1.3.6.1.2.1.6.13.1.3

Question 120

How to enumerate installed software using snmpwalk on IP address 10.11.1.50?

Answer 120

snmpwalk -c public -vl 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2

Question 121

How to scan network 10.11.1.0 to identify a SNMP servers?

Answer 121

sudo nmap -sU -p 161 10.11.1.0/24

Question 122

How to find SNMP Servers on network 148.32.42.*?

Answer 122

nmap -sU -p 161 148.32.42.0/24

Question 123

What is SNMP?

Answer 123

SNMP fullform is Simple Network Management Protocol and that is used for interchanging or exchanging management information between different network devices. SNMP allows an administrator to gather information about the host on which SNMP service is running. It is also possible to modify the information.

Question 124

What is an SNMP Community String?

Answer 124

The “SNMP Community string” is like user id and password that allows router’s to access other router’s statistics data. IPCheck Server Monitor sends the community string along with all SNMP requests. If the community string data is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Important: SNMP Community strings are used only by those devices which support SNMP v1 and SNMP v2c protocol. The SNMP v3 uses the username and password authentication, along with an encryption key. Most SNMP v1 and v2c devices are set to default from the factory with a read-only community string set to “public“.

Question 124

What is an SNMP Community String?

Answer 124

The “SNMP Community string” is like user id and password that allows router’s to access other router’s statistics data. IPCheck Server Monitor sends the community string along with all SNMP requests. If the community string data is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Important: SNMP Community strings are used only by those devices which support SNMP v1 and SNMP v2c protocol. The SNMP v3 uses the username and password authentication, along with an encryption key. Most SNMP v1 and v2c devices are set to default from the factory with a read-only community string set to “public“.

Question 125

How to Find SNMP Community String?

Answer 125

One can find the SNMP Community String using a tool called Onesixtyone. Onesixtyone will use a word list provided by the user and brute force the SNMP service.