Information Gathering

Question 1

Megan runs the following Nmap scan; nmap -sU -sT -p 1-65535 example.com. What information will she not receive?

a. TCP services
b. The state of the service
c. UDP services
d. A list of vulnerable services

Answer 1

d. This is a port scan, not a vulnerability scan, so Megan will not be able to determine if the services are vulnerable just from this scan. The Nmap scan will show the state of the ports, both TCP and UDP.

Question 2

Tom wants to find metadata about an organization using a search engine. What tool from the following list should he use?

a. ExifTool
b. MetaSearch
c. FOCA
d. Nmap

Answer 2

c. FOCA. Fingerprinting Organizations with Collected Archives, is a useful tool for searching for metadata via search engines. ExifTool is used for individual files. MetaSearch was made up for this question, and although Nmap has many functions, it isn’t used for metadata searches via search engines.

Question 3

After running an Nmap scan of a system, Zarmeena discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?

a. Windows
b. Android
c. Linux
d. iOS

Answer 3

a. TCP ports 139, 443, and 3389 are all commonly used for Windows services. Although those ports could be open on a Linux, Android, or iOS device, Windows is her best bet.

Question 4

Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -p 1-65535 example.com. After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan?

a. Only scan via UDP to improve speed
b. Change the scan timing to 3 or faster
c. Change to a SYN scan
d. Use the default port list

Answer 4

a. Only scanning via UDP will miss any TCP services. Since the great majority of services in use today are provided as TCP services, this would not be a useful way to conduct the scan. Setting the scan to faster timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the number of ports tested are all valid ways to speed up a scan. Charles needs to remain aware of what those changes can mean, since a fast scan may be detected or cause greater load on a network, and scanning fewer ports may miss some ports.

Question 5

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate the services running on these ports?

a. SSH
b. SFTP
c. Telnet
d. A web browser

Answer 5

d. A web browser. Karen knows that many system administrators move services from their common service ports to alternate ports and that 8080 and 8443 are likely alternate HTTP (TCP80) and HTTPS (TCP443) server port, and she will use a web browser to connect to those ports the check them. She could use Telnet for this testing, but it requires significantly more manual work to gain the same result, making it a poor second choice unless Karen doesn’t have another option.

Question 6

Angela recovered a PNG image during the early intelligence gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most sucessfully use to do this?

a. ExifTool
b. Grep
c. PsTools
d. Nginx

Answer 6

a. ExifTool is designed to pull metadata from images and other files. Grep may be useful to search for specific text in a file, but it won’t pull the range of possible metadata from the file. PsTools is a Windows Sysinternals package that includes a variety of process-oriented tools. Nginx is a web server, load balancer, and multipurpose application services stack.

Question 7

During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows:
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9-2.6.33
What can she determine from this information?

a. The Linux distribution installed on the target
b. The patch level of the installed Linux kernel
c. The date the remote system was last patched
d. That the system is running a Linux 2.6 kernel between .9 and .33

Answer 7

d. OS identification in Nmap is based on a variety of response attributes. In this case, Nmap’s best guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more specific. It does not specify the distribution, the patch level, or when the system was last patched.

Question 8

What is the full range of ports that a UDP service can run on?

a. 1-1024
b. 1-16,383
c. 1-32,767
d. 1-65,535

Answer 8

d. The full range of ports available to both TCP and UDP services is 1-65,535. Although port 0 exists, it is a reserved port and shouldn’t be used.

Question 9

Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and he wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag will Steve probably have to use to successfully scan hosts from this account?

a. -sV
b. -u
c. -oA
d. -sT

Answer 9

d. The TCP connect scan is often used when an unprivileged account is the tester’s only option. Linux systems typically won’t allow an unprivileged account to have direct access to create packets, but they will allow accounts to send traffic. Steve probably won’t be able to use a TCP SYN scan, but a connect scan is likely to work. The other flags shown are for version testing -sV and output type selection -oA and -u doesn’t do anything

Question 10

Which of the following provides information about a domain’s registrar and physical location?

a. Nslookup
b. Host
c. WHOIS
d. Traceroute

Answer 10

c. WHOIS. WHOIS provides information that can include other organization’s physical address, registrar, contact information and other details. Nslookup will provide IP address or hostname information, whereas the host command provides IPv4 and IPv6 addresses as well as email service information. Traceroute attempts to identify the path to a remote host as well as the systems along the route.

Question 11

Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?

a. The scan will terminat when the host count reaches 0.
b. The scan will not scan IP addresses in the .0 network.
c. The scan will progress at a very slow speed.
d The scan will only scan for TCP services.

Answer 11

c. The -T flag in Nmap is used to set scan timing. Timing settings range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very long time on a /16 network.

Question 12

Which of the following Nmap output formats is unlikely to be useful for a penetration tester?

a. -oA
b. -oS
c. -oG
d -oX

Answer 12

b. The Script Kiddie output format the Nmap supports is entirely for fun. You should never have a practical need to use the -oS flag for an actual penetration test.

Question 13

During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following will quickly give him a view of potentially useful information in the binary?

a. Netcat
b. strings
c. Hashmod
d. Eclipse

Answer 13

b. The strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files since you can quickly check for information with a single quick command-line tool. Netcat, while often called a pentester’s Swiss army knife, isn’t useful for this type of analysis. Eclipse is an IDE and would be useful for editing code or for managing a full decompiler in some cases.

Question 14

Jack is conducting a penetration test for a customer in Japan. What NIC will he most likely have to check for information about his client’s network?

a. RIPE
b. ARIN
c. APNIC
d. LACNIC

Answer 14

c. The Asia-Pacific NIC covers Asia, New Zealand, and other countries in the region. RIPE covers central Asia, Europe, the Middle East, and Russia. ARIN covers the U.S, Canada, parts of the Caribbean region and Antarctica. LACNIC, covers Latin America and the Caribbean.

Question 15

Lin believes that the organization she is scanning may have load balancers in use. Which of the following techniques will help her detect them if they are DNS-based load balancers?

a. Use Nmap and look for service port differences
b. Use ping and check for TTL and IP changes
c. Use Nessus and check for service version differences
d. Use WHOIS to check for multiple hostnames

Answer 15

b. Checking for DNS load balancing via ping requires checking time to live TTL and IP address differences. Using Nmap and Nessus is less likely to be successful, because most devices in a pool should provide the same services and service versions. WHOIS records do not show load balancing details.

Question 16

Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80. What type of traffic will the remote system see?

a. HTTP traffic to TCP port 80
b. TCP SYNs to TCP port 80
c. HTTPS traffic to TCP port 80
d. A TCP three-way handshake to TCP port 80

Answer 16

b. Charles has issued a command that asks hping to send SYN traffic -S in verbose mode -V to remotesite.com on port 80.

Question 17

What does a result of * * * mean during a traceroute?

a. No route to the host exists
b. All host are queried
c. There is no response to the query, perhaps a timeout, but traffic
is going through
d. A firewall is blocking the response

Answer 17

c. A series of three asterisks during a traceroute means that the host query has failed but that traffic is passing through. Many hosts are configured to not respond to this type of traffic but will route traffic properly.

Question 18

Rick wants to describe flaws found in an organization’s internally developed web applications using a standard model. Which of the following is best suited to his need?

a. CWE
b. The Diamond Model
c. CVE
d. OWASP

Answer 18

a. The Common Weakness Enumeration is community-developed list of hardware and software weaknesses. Although OWASP provides a massive amount of application security knowledge, it is not in and of itself a listing or standard for listing flaws. The Diamond Model is a model designed to evaluate intrusions, and CVE, the Common Vulnerabilities and Exposures database, focuses on vulnerabilities for commercial and open source projects and thus will not typically be used for internal applications and code.

Question 19

Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?

a. They indicate improper encryption, allowing easy decryption of
traffic.
b. The indicate services that may not be properly updated or
managed.
c. Attackers install expired certificates to allow easy access to
systems.
d. Penetration testers will not look for expired certificates, they
only indicate procedural issues.

Answer 19

b. Penetration testers are always on the lookout for indicators of improper maintenance. Lazy or inattentive administrators are more likely to make mistakes that allow penetration testers in.

Question 20

John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn’t usable as a port scanner?

a. Hping
b. Netcat
c. Telnet
d. ExifTool

Answer 20

d. All of these tools except ExifTool are usable as port scanners with some clever use of command-line flags and options.