Chapter 2.2 Flashcards

1
Q

Kerberos

A

Kerberos is the preferred method in a Windows domain, using a ticket-granting system to log in and access resources on the network.

2
Q

Zenmap

A

Zenmap is the GUI (Graphical User Interface) version for Nmap. Also known as Nmap Security Scanner, it uses diverse methods of host discovery.

3
Q

--traceroute

A

Using the --traceroute switch with Zenmap, the GUI can record the path to an IP target address and present the route in a graphical view, like a map.

4
Q

nmap

A

The basic syntax of an nmap command is to give the IP subnet (or IP address) to scan. When used without switches, it pings and sends a TCP ACK packet to ports 80 and 443 to determine whether a host is present. This is a command line view.

5
Q

-sn

A

Nmap, by default, does a host discovery and port scan. Using a -sn switch suppresses the port scanning.

6
Q

%SystemRoot%\NTDS\NTDS.DIT file

A

The %SystemRoot%\NTDS\NTDS.DIT file stores domain user passwords and credentials. Employees commonly use their domain credentials to log in to do work and gain access to corporate information.

7
Q

netstat

A

The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.

8
Q

netcat

A

Netcat (or nc for short) is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers. Netcat (nc) is a remote access trojan (RAT) that is available for both Windows and Linux.

9
Q

ipconfig

A

The ipconfig command only provides network adapter information such as the IP address of the server.

10
Q

ip

A

The ip command is a replacement for the ifconfig command that is used on Linux servers. It serves the same functionality as the ipconfig command used on the Windows operating system.

11
Q

Microsoft Policy Analyzer

A

Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.

12
Q

CVE

A

CVEs (Common Vulnerabilities and Exposures) can be used by the Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.

13
Q

ping switches

A

The -t switch pings the specified server name or IP (Internet protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.

The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.

The -S switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.

The -r switch records route for count hops. This is used for IPv4 addresses.

14
Q

banner grabbing

A

Banner grabbing refers to probing a server like OS fingerprinting; however, it also involves opening random connections to common ports or network protocols and gathering information from banners or error responses.

15
Q

OS fingerprinting

A

OS (operating system) fingerprinting is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).

16
Q

Meterpreter

A

Meterpreter is a very advanced and dynamic exploit module (or payload) that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.

17
Q

Nessus

A

Nessus is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.

18
Q

Nexpose

A

Managed by Rapid7 along with Metasploit, Nexpose is a vulnerability scanner that is similar to Nessus.

19
Q

credential scans

A

A credentialed scan is given a user account with logon rights to various hosts. This method allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.

20
Q

non-credential scans

A

A non-credentialed scan is one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network.

21
Q

John the Ripper

A

John the Ripper is compatible with multiple platforms such as Windows, Mac OS X, Solaris, and Android, and is primarily used as a password hash cracker.

22
Q

Cain and Abel

A

Cain and Abel is used to recover Windows passwords and includes a password sniffing utility.

23
Q

THC Hydra

A

THC Hydra is often used against remote authentication using protocols such as Telnet, FTP (file transfer protocol), HTTPS (hypertext transfer protocol secure), SMB (server message protocol), etc.

24
Q

Aircrack

A

Aircrack-ng is a suite of utilities designed for wireless network security testing. The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.

25
Q

Microsoft Security Compliance Toolkit

A

The Microsoft Security Compliance Toolkit includes the Policy Analyzer Tool and the Local Group Policy Object (LGPO) Tool. Both are necessary to assess the local policies from a baseline and automate changes where needed.

26
Q

SCCM

A

Microsoft System Center Configuration Manager (SCCM) is a software management suite to manage a large number of systems on multiple platforms. It does not include a policy analyzer tool and an LGPO tool.

27
Q

UPS

A

In general, the first step in restoring services involves enabling and testing power delivery systems, such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.

28
Q

OUI Grabbing

A

OUI (Organizationally Unique Identifier) grabbing is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore support other assumptions related to system type and/or purpose.

29
Q

inSSIDer

A

inSSIDer is software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.