Chapter 7: Active Information Gathering

Question 1

What does DNS stand for?

Answer 1

Domain Name System

Question 2

What is the DNS and what does it do?

Answer 2

A distributed database responsible for responsible for translating user-friendly domain names into IP addresses.

Question 3

Explain the process that goes on behind the scenes when a domain name is entered into a web browser.

Answer 3

Hostname sent to OS’s DNS client which passes it to an external DNS server known as the DNS recursor.

This server interacts with all the DNS infrastructure. The recursor contacts a server in the root zone, which then returns a TLD (top level domain), usually a .com

Once the recursor receives the TLD, it queries it and looks for the nameserver which contains the DNS records. There are two types - the forward lookup zone which finds IP address to a specific domain name and the reverse lookup zone which looks for domain names matches to an IP address.

Question 4

In terms of DNS records, what does NS stand for?

Answer 4

Name server.

Question 5

What do the nameserver records do?

Answer 5

Contain the name of the authoritative servers hosting the DNS records for a domain.

Question 6

In terms of DNS records, what does A stand for?

Answer 6

A stands for the host record.

Question 7

What does the host record do?

Answer 7

It contains the IP address for a given domain.

Question 8

In terms of DNS records, what does MX stand for?

Answer 8

MX stands for mail exchange.

Question 9

What do mail exchange records do?

Answer 9

Contain the names of the servers responsible for handling email for the domain.

Question 10

In terms of DNS records, what does CNAME stand for?

Answer 10

CNAME stands for Canonical Name Records and are used to create alias for other records.

Question 11

In terms of DNS records what does TXT stand for?

Answer 11

Text

Question 12

What do the Text records do?

Answer 12

Contain arbitary data and can be used for various purposes.

Question 13

What is a forward look up?

Answer 13

A forward look up is searching for an IP address based on a specific hostname.

Question 14

What is a reverse look up?

Answer 14

A reverse look up is searching for a host name based on a specific IP address.

Question 15

What is a DNS Zone Transfer?

Answer 15

A database replication between related DNS servers. The zone file is copied from the master server to a slave server.

Question 16

What does a zone file contain?

Answer 16

All DNS names configured for that zone.

Question 17

What is the command for performing a DNS zone transfer?

Answer 17

host -l

Question 18

What service is usually running on port 80?

Answer 18

http service

Question 19

What service is usually running on port 443?

Answer 19

SSL/TLS encrypted web service

Question 20

What nmap command will scan for the top 1000 ports and nothing else?

Answer 20

nmap

Question 21

What simple nmap command will scan for all ports?

Answer 21

nmap -p-

Question 22

In nmap, what does the -sC switch do?

Answer 22

All scripts

Question 23

In nmap, what does the -sV switch do?

Answer 23

Enumerate versions

Question 24

In nmap, what does the -sU switch do?

Answer 24

Scans for open UDP ports

Question 25

In nmap, what does the -oA switch do?

Answer 25

Output all formats

Question 26

In nmap, what does -sS do?

Answer 26

A SYN scan. This scan fails to complete the third part of the three way handshake present in the TCP protocol. This results in a faster and more efficient scan.

Question 27

In nmap, what does the -O switch do?

Answer 27

Fingerprint - determining the Operating Systems version.

Question 28

In nmap, what does the -A switch do?

Answer 28

Runs service enumeration and operating system enumeration scripts.

Question 29

What is the file path of the NSE scripts?

Answer 29

/usr/share/nmap/scripts

Question 30

What does SMB stand for?

Answer 30

Server Message Block

Question 31

What port does NetBIOS listen on?

Answer 31

Port 139 and several UDP ports

Question 32

What port does SMB listen on?

Answer 32

Port 445

Question 33

What is the difference between SMB and NetBIOS?

Answer 33

SMB is a file sharing protocol while NetBIOS is an older transport layer protocol designed to allow Windows computers to talk to each other on a local network.

Question 34

What does NFS stand for?

Answer 34

Network File System

Question 35

What is NFS?

Answer 35

NFS is a distributed file system protocol. It allows a user to access files over a computer network as if they were on locally mounted storage.

Question 36

What services are associated with NFS shares?

Answer 36

rpcbind and portmapper

Question 37

What port are NFS share found on?

Answer 37

Port 111

Question 38

How do we enumerate NFS shares using nmap?

Answer 38

nmap -p 111 --script nfs*

Question 39

On NFS shares, once we've found the mounting point, how do we mount?

Answer 39

Make a directory identical to the mount directory. Use the command: sudo mount -o nolock 10.11.1.72:/home ~/home/

Question 40

What does SMTP stand for?

Answer 40

Simple Mail Transport Protocol

Question 41

What command in SMTP verifies whether a user account exists?

Answer 41

VRFY

Question 42

What command in SMTP checks the membership of a mailing list?

Answer 42

EXPN

Question 43

What does SNMP stand for?

Answer 43

Simple Network Management Protocol

Question 44

What protocol does SNMP use?

Answer 44

UDP

Question 45

What is one flaw in the SNMP protocol?

Answer 45

It fails to use any sort of traffic encryption with versions 1, 2 and 2c.

Question 46

What is the SNMP MIB tree?

Answer 46

A database containing information related to network management within the SNMP protocol. The database is organised like a tree and the final endpoints (leaves of the tree) have specific variable values which can be accessed and probed by an external user.

Question 47

What port does SNMP use?

Answer 47

Port 161

Question 48

When scanning for SNMP, what protocol must be use?

Answer 48

UDP. We use -sU to ensure we pick it up.