Ch 6 Enumeration quiz review
Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages.
Sniffing
Sniffing is the process of collecting information as it crosses a network.
Hugh, a security consultant, recommended the use of an internal and external DNS to provide an extra layer of security. Which of the following DNS countermeasures is being used?
Split DNS
What port does a DNS zone transfer use?
TCP 53
The Network Layer
The Network Layer (Layer 3) provides switching and routing technologies. Examples include AppleTalk, DDP, IP, and IPX.
The Transport Layer
The Transport Layer (Layer 4) provides transparent transfer of data between end systems or hosts. Examples include SPX, TCP, and UDP.
What is stored where?
The hashed passwords are stored in the /etc/shadow file. The list of groups is stored in the /etc/group file. The list of running services is stored in the /etc/services file. The username and ID is stored in the /etc/passwd file.
Diana, a penetration tester, executed the following command. Which answer describes what you learn from the information displayed? *Image*
This is a DNS zone transfer.
A hacker has managed to gain access to the /etc/passwd file on a Linux host. What can the hacker obtain from this file?
Usernames, but no passwords
Which of the following best describes IPsec enumeration?
Uses ESP, AH, and IKE to secure communication between VPN endpoints.
Finger
Using the finger command on Linux machines provides information about a user. When executed, it returns information such as the user's home directory, login time, idle times, office location, and the last time they received or read mail.
VoIP
VoIP uses SIP (Session Initiation Protocol) to enable voice and video calls over an IP network. SIP service generally uses UDP/TCP ports 2000, 2001, 5050, and 5061.
Jorge, a hacker, has gained access to a Linux system. He has located the usernames and IDs. He wants the hashed passwords for the users that he found. Which file should he look in?
/etc/shadow
Which of the following ports are used by null sessions on your network?
139 and 445
DNS zone transfer
A DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server.
Default passwords
All devices have default passwords. These passwords are often left in place, providing an easy access point for an attacker.
Brute Force attacks
Brute force attacks are usually automated. A program tries different combinations of usernames and passwords until it finds something that works.
Explanation
DNS splitting, splitting the DNS into internal and external groups, provides an added layer of security. DNS zone restrictions ensure that a server only provides copies of zone files to specific servers. Digital signatures help with DNS zone restriction. DNS zone transfers are designed to provide updated network and access information to the DNS servers.
Null session
Null Sessions are created when no credentials are used to connect to a Windows system. They are designed to allow clients access to limited types of information across a network.
PsTools
PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, view services, and control services.
Reconnaissance
Reconnaissance is the method of gathering publicly available information about a target.
Robby, a security specialist, is taking countermeasures for SNMP. Which of the following utilities would he most likely use to detect SNMP devices on the network that are vulnerable to attacks?
SNscan
Enumeration
Enumeration is the method of gathering information from a system to learn more about its configurations, software, and services.
SuperScan
SuperScan can be used to enumerate information from a Windows host. Information can be gathered about NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups.
LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use. What port does LDAP use?
TCP/UDP 389
The session layer
The Session Layer (Layer 5) establishes, manages, and terminates connections between applications. Examples include NFS, NetBIOS names, RPC, and SQL.
Scanning
Scanning is the method of using various tools to gather in-depth information on a network.
IPsec uses
IPsec uses ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between virtual private network endpoints. Using enumeration tools, attackers can pull sensitive information such as the encryption and hashing algorithm, authentication type, and key distribution algorithm.
Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages. Scanning tools and commands can be used to verify the existence of specific email addresses and can even provide a list of all users on a distribution list.
Application layer
The Application Layer (Layer 7) supports application and end-user processes. Examples include NFS, SNMP, Telnet, HTTP, and FTP.
Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station. The agent is found on the device that is being managed, and the SNMP management station serves as the communication point for the agent.
The /etc/passwd file on a Linux host contains the following:
The username and user ID used to identify each user. Passwords that are encrypted and saved on the computer or on the network. Group identification numbers (GIDs).
TCP Ports
Port 53 is used for DNS zone transfers. Port 23 is used for the Telnet protocol/software. Port 139 is used by the NetBIOS Session Service. Port 445 is used by SMB over TCP.
Ports
A Null Session attack uses the Windows net command to map a connection using a blank username and password. These connections would take place over port 139 (NetBIOS sessions services) or 445 (runs SMB over TCP/IP without NetBIOS). Port 135 is used by the Remote Procedure Call service in Windows for client-server communications. Port 137 is used by the NetBIOS Name Server (NBNS). NBNS is used to associate names and IP addresses of systems and services. Port 443 is the standard TCP port that is used for websites that use SSL. Port 444 may use a defined protocol to communicate, depending on the application.
Security identifier (SID)
The Guest account is a user account for people who do not have individual accounts. The SID ends with -501. The Administrator account is a user account for the system administrator. The SID ends with -500. The Domain Admins group is a global group whose members are authorized to administer the domain. The SID ends with -512. The Domain Guests group is a global group that, by default, has only one member, the domain's built-in Guest account. The SID ends with -514.
Which of the following is the most basic way to counteract SMTP exploitations?
Ignore messages to unknown recipients instead of sending back error messages.
After the enumeration stage, you are considering blocking port 389. Your colleague has advised you to use caution when blocking ports that could potentially impact your network. Which of the following necessary services could be blocked?
LDAP
Shawn, a malicious insider, has obtained physical access to his manager's computer and wants to listen for incoming connections. He has discovered the computer's IP address, 192.168.34.91, and he has downloaded netcat. Which of the following netcat commands would he enter on the two computers?
nc -l -p 2222 (manager's computer) and nc -nv 192.168.34.91 2222 (Shawn's machine)
Explanation
On the manager's computer, Shawn would enter nc -l -p 2222 (the -l switch listens for an incoming connection, and the -p switch tells netcat to use a specific source port). On Shawn's computer, he would enter nc -nv 192.168.34.91 2222 (the -n switch tells netcat not to use DNS lookups, and the -v switch uses verbose output). The -s switch tells netcat to use the source IP address.
Typically, you think of the username as being the unique identifier behind the scenes, but Windows actually relies on the security identifier (SID). Unlike the username, a SID cannot be used again. When viewing data in the Windows Security Account Manager (SAM), you have located an account ending in -501. Which of the following account types did you find?
the built-in guest