Week 3

Question 1

What service runs on TCP/UDP port 53?

Answer 1

DNS - used for name resolution and zone transfers

Question 2

What service uses TCP/UDP port 135?

Answer 2

Microsoft RPC Endpoint Mapper – used to locate DCOM services on Windows.

Question 3

: Which service uses UDP port 137?

Answer 3

NetBIOS Name Service (NBNS) – used for resolving NetBIOS names on local networks.

Question 4

What is on TCP port 139?

Answer 4

NetBIOS Session Service – used for Windows file/printer sharing via SMB over NetBIOS.

Question 5

What service runs on TCP/UDP port 445?

Answer 5

SMB over TCP (Direct Host) – Windows file sharing without NetBIOS

Question 6

Which protocol uses UDP port 161?

Answer 6

SNMP (Simple Network Management Protocol) – for querying network device information

Question 7

What runs on TCP/UDP port 389?

Answer 7

LDAP

Question 8

What service is on TCP port 2049?

Answer 8

NFS (Network File System) – used to share directories and files over a network

Question 9

Which service uses TCP port 25?

Answer 9

SMTP (Simple Mail Transfer Protocol) – used for sending emails

Question 10

What uses UDP port 162?

Answer 10

SNMP Trap – used to receive alert messages from SNMP devices

Question 11

Which protocol runs on UDP port 500?

Answer 11

ISAKMP/IKE – used for establishing VPN tunnels (IPsec key exchange)

Question 12

What service runs on TCP port 22?

Answer 12

SSH (Secure Shell) – used for secure remote login and command execution

Question 13

What is NetBIOS ?

Answer 13

Identifies devices by giving them human-readable names.

Question 14

Why is NetBIOS enumeration important to attackers?

Answer 14

Reveals hostnames and often usernames as well as roles.

Question 15

What are some common tools for NetBIOS?

Answer 15

nbtscan, nmblookup

Question 16

What is SNMP?

Answer 16

Protocol used to monitor and manage devices.

Question 17

How does SNMP work?

Answer 17

It consists of an agent and a manager. The agent stores information about the device in a structure known as MIB. The manager is on a separate system and queries the agent to receive information.

Question 18

What are the 2 types of community strings used by SNMP?

Answer 18

Read community string and read-write

Question 19

Why is SNMP enumeration dangerous?

Answer 19

Attackers can extract sensitive information about the users, devices and with read-write access the attackers can reconfigure the devices remotely.

Question 20

What is LDAP?

Answer 20

Protocol to access directory services that contain information about the users, groups, computers, departments and access permissions.

Question 21

How does LDAP work?

Answer 21

Client sends requests to read or search directory entries.

Question 22

What is LDAP enumeration?

Answer 22

Attackers send queries to extract sensitive information from the directory.

Question 23

What are the 2 types of LDAP enumeration?

Answer 23

Manual : use Python to fetch information such as the domain name
Automated : use ldap-brute NSE script to brute force LDAP authentication

Question 24

What is NTP?

Answer 24

Protocol to synchronize time on computers over the network. Uses UDP 123.

Question 25

Why do attackers target NTP?

Answer 25

NTP keeps logs of the clients that recently queried, so using special commands attackers can get the IP addresses of the devices and sometimes the OS or system names.

Question 26

What commands do attackers use for NTP enumeration?

Answer 26

monlist : shows the last 600 clients on the NTP server ntptrace : traces a chain of NTP servers to the primary soucre ntpdc & ntpq : monitors NTP daemon operation

Question 27

What is NFS?

Answer 27

Protocol that allows devices to share files and folders over the network. Runs on TCP 2049.

Question 28

What is NFS enumeration?

Answer 28

Attacker scans and queries an NFS server to gain information like which directories or files were shared, permissions on those files shared and maybe gaining read or write access if files were not properly configured.

Question 29

What is SMTP?

Answer 29

Protocol to send emails between clients and servers. TCP port 25.

Question 30

What are the 3 SMTP commands?

Answer 30

VRFY : verify if a user exists EXPN : reveals the real username behind aliases RCPT TO : specify recipient

Question 31

How do attackers use the commands?

Answer 31

Observer server responses after typing commands to gain and compile a list of valid usernames.

Question 32

What do attackers use for SMTP enumeration?

Answer 32

nmap, metasploit, netscan tools pro and smtp-user-enum

Question 33

What is a DNS zone transfer?

Answer 33

Its when the DNS database is replicated from a primary DNS server to a secondary one.

Question 34

How can attackers exploit this?

Answer 34

If the zone transfer is improperly configured and allowed for unauthorized users, attackers can perform a full zone transfer and get all the info!!!

Question 35

How do attackers do it?

Answer 35

Try to request a zone transfer using tools like dig, nslookup and DNSRecon.

Question 36

What is DNS cache snooping?

Answer 36

Attacker queries a DNS server to see if a specified DNS record is already cached.

Question 37

What are the 2 methods of cache snooping?

Answer 37

Non-recursive : shows if record is currently cached Recursive : How long the record stays in the cache