Network scanning, enumeration and vulnerability analysis

What are the four types of vulnerability assessment solutions?

-Product based -Service based -tree based -Inference based

What are two different types of information an attacker can look at to help identify the target system's OS?

-Time To Live (TTL) -TCP window size

Which Nmap option causes the requested scan to use tiny, fragmented IP packets?

-f

Which option can be used in Nmap/Zenmap to discover the target system's OS?

-o

What option can allow a user to utilize Nmap Scripting Engine (NSE) in Nmap/Zenmap?

-sC, --script

How many bits are used in a TCP flag

1 bit

How many bits does an IPv6 Address utilize?

128 bits

Which type of output is produced by a list scan?

A list of IP addresses and names

What is hping3?

A packet-crafting port scanner

Which scan is used by an attacker to determine if a firewall is stateful or stateless?

ACK flag probe scan

Which type of banner grabbing utilizes packets being sent to the target and evaluating the response?

Active banner grabbing

What is identified from a network scan?

Active hosts and their IP addresses on a network

What does an ARP response of an ARP Ping scan indicate?

An active host

Which three security protocols does IP Security (IPSec) use?

Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE)

What is the routing protocol used to exchange routing and reachability information among autonomous systems?

Border gateway protocol (BGP)

What is the public list or dictionary of standard identifiers for common software vulnerabilities?

Common Vulnerabilities and Exposures (CVE)

What is the name of the vulnerability scoring system that is used to rank information on a system vulnerabilities?

Common vulnerability scoring system (CVSS)

What is the DNS enumeration technique that happens when attackers query a DNS server for a specific cached DNS record?

DNS cache snooping

What is the purpose of NetBIOS port 138?

Datagram Services

Which TCP flags are set during a XMAS scan?

FIN, URG, and PSH

Which scanning tool can be used to determine live devices by sending ICMP packets and only works on Unix/Linux based networks?

ICMP ECHO ping scan

What is an old slow method used to find the range of IP addresses that make up hosts on a network?

ICMP ECHO ping sweep

Which type of scan sends an unsolicited SYN/ACK packet which in turn responds with RST?

IDLE/IPID header scan

Which attacker technique involves changing the source IP addresses to hide the attack origin?

IP address spoofing

What is the reason behind why someone tries to identify the target system's OS?

Identify vulnerabilities associated with that version of the OS

which method is used to determine the OS on remote systems by utilizing the unique 32-bit sequence number assigned to each new connection on a TCP-based Communication?

Initial sequence number (ISN) analysis

What is the default automated key-management protocol for IPSEC?

Internet Key Exchange (IKE)

Which protocol provides connectionless integrity, data orgin authentication, replay protection, and confiedtiality (encryption) using authentication header (AH) and encapulating security payload (ESP)?

Internet proto

What is the first step of vulnerability scanning?

Locate live hosts on the target network

Which proprietary Microsoft network service enables application on different computers to communicate with each other across a LAN?

NetBIOS

Which Unix-based protocol is used to mount file systems on a remote host over a network, and allows users to interact with the file systems as if they are mounted locally?

Network File System (NFS)

which tool can help map a network automatically, keep track of network changes, and can display layer 2 and 3 devices?

Network Topology Mapper

What does the acronym NetBIOS denote?

Network basic output/input system

Which tool is commonly used for ARP ping scans and vulnerability scans across targets?

Nmap

Which framework is useful for automating networking tasks and allows users to write and share Nmap scripts?

Nmap scripting Engine (NSE)

Which NTP command collects a number of time samples from several different time sources?

Ntpdate

What is the most valuable information you can gain from a banner grab?

Operating system and version

Which ports are used by SNMP?

Ports 161 and 162

Which four posts does SIP use?

Ports 2000, 2001, 5050, and 5061

Which four ports are used by LDAP?

Ports 389,636, 3268, and 3269

Which five ports are used by NetBIOS?

Ports 42, 137,138,139, and 1512

Which PSTool is used to end processes remotely?

PsKill

Which suite of tools is a collection of command-line utilities for windows administration of local and remote systems for enumerating user accounts?

PsTools

Which popular commercial cloud-based vulnerability assessment service continuously identifies and monitors changes in the network?

Qualys

which legacy communication protocol is used to create distributed client/server programs that allows communication between clients and servers?

Remote procedure call (RPC)

Which scanning technique is where an attacker sends an INIT chunk to a targeted host?

SCTP INIT ping scan

Which technique targets the specific vulnerable version of a port's service?

Service version discovery

Which protocol is used by VoIP?

Session Initiation Protocol (SIP)

What is the purpose of NetBIOS port 139?

Session services

What is SNMP

Simple Network Management Protocol

What are the three steps in the TCP three way handshake?

Syn, ACK, Syn-ACK

What is the purpose of NTP?

Synchronize system clocks between computers

Which port number is used by BGP?

TCP port 179

Which port is used by NFS?

TCP port 2049

Which port number is mainly used by FTP?

TCP port 21

Which is the port number used for telenet?

TCP port 23

Which port number is used by SMB

TCP port 445

Which port is used to perform domain name enumeration using a DNS zone transfer?

TCP/UDP port 53

Which port is used to perform file share enumeration sing SMB over TCP (direct Host)

TCP/UDP port445

Which term refers to voice communication over a digital network?

Telephony or Voice over IP (Vo-IP)

What is Initial sequence number (ISN) analysis used to discover on a remote system?

The OS and version

what does the vulnerability assessment report disclose?

The risks that are detected through scanning the network

What is the purpose of an ARP ping scan?

To find active hosts on a network.

What is the purpose of scanning and enumeration after identifying the target and performing an initial reconnaissance?

To find an entry point into the target system

Which SNMP command is used by the SNMP agent to inform the pre-configured SNMP manager of a certain event?

Trap

which port does NTP use?

UDP port 123

which port number is used by TFTP?

UDP port 69

What is the process of examining a system or application for potential weaknesses that could be exploited?

Vulnerability assessment

Which type of scannning searches for indicators of known weaknesses in the network or system?

Vulnerability scan

Which mobile vulnerability assessment tool is used on Android as a passive method for vulnerability detection?

Vulners scanner

What is a UDP scan used to discover?

Which ports on a target are closed

Which popular protocol analyzing tool is used to sniff a system's TTL and TCP window size?

Wireshark

Which GUI tool can be used to perform a UDP ping scan?

Zenmap

which type of vulnerability assessment focuses on testing databases for the presence of data exposure or injection type vulnerabilities?

database assessment

What is the process of listing available systems, networks, users, or programs that could be compromised?

enumeration

Which type of vulnerability assessment assesses the network form a hacker's perspective?

external assessment

What is the purpose of the TCP ACK flag?

indicates confirmation of an established connection between hosts

What is the purpose of the TCP SYN flag?

indicates connection initialization between hosts

What is the purpose of the TCP FIN flag?

indicates the closing of the connection between hosts

What is the virtual database that contains descriptions of all network objects that can be managed using SNMP?

management information database (MIB)

What is the use of NetBIOS port 137?

name services

How can a network diagram help an attacker?

provides network topology and composition.

Which step of the vulnerability assessment process is conducted to compile the results after scanning is completed?

reporting

what are the two classifications of vulnerability assessment reports?

security vulnerability report and security vulnerability summaries

What is the process of DNS Enumeration using zone transfer?

transfers a copy of the DNS zone file from the primary DNS server to a secondary DNS server.

What does an attacker use SSDP scanning for to find?

vulnerabilities with uPnP

which three types of assessments does Nessus Professional perform?

vulnerability assessment, configuration assessment, and compliance assessment.

What does a port scan reveal?

what ports are open and available services