Chapter 3 Information Gathering


Which of the following Nmap output formats is unlikely to be useful for a penetration tester? -oA -oS -oG -oX

The -oS flag is "script kiddie" output, and you would never have a practical reason to use it.

Steve is working from an un-privileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he likely to have to use to successfully scan hosts from this account?

-sT uses a TCP connect scan, which is useful for unprivileged users because it does not require raw sockets.

What is the full range of ports that a UDP service can run on?

1 - 65535

After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?

?? A or B

Rick wants to look at the advertised routes to his target. What type of service should he look for to do this?

A BGP looking glass is used to look at the advertised routes to a target.

Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?

A ExifTool

Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -p 1-65535 example.com
After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan?
A. Only scan via UDP to improve speed.
B. Change the scan timing to 3 or faster.
C. Change to a SYN scan.
D. Use the default port list.

A Only scan via UDP to improve speed

After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?

A Windows

Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks?

APNIC

Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?

Chris will run his scan for a long time. -T specifies the timing template, with 0 being the slowest and 5 being the fastest.

Mika runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com
What information will she NOT receive?

D MOD

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate what is running on these ports?

D a web browser

During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows:
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
What can she determine from this information?

D system running kernel

During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?

The strings tool will give him information about the binary.

What does a result of * * * mean during a traceroute?

The three * mean there was no response to the query at that hop, but traffic is still going through.

Why would a penetration tester look for expired certificates as part of an information-gathering and enumeration exercise?

They indicate services that may not be properly updated or managed.

Which of the following tools provides information about a domain's registrar and physical location?

WHOIS provides information about an organization's physical address, registrar, and contact info.

What technique is being used in the following command: host -t axfr domain.com dns1.domain.com

The axfr flag indicates a zone transfer in both the dig and host utilities.

Charles uses the following hping command to send traffic to a remote system. hping remotesite.com -S -V -p 80

The hping -S flag sends TCP SYN packets, here to TCP port 80.

John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner?

w
