Chapter 1: Domain 1, Threat Management
During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?
A. Perform a DNS brute-force attack.
B. Use an nmap ping sweep.
C. Perform a DNS zone transfer.
D. Use an nmap stealth scan.
A. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS! nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn't expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.
Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria?
A. Google searching
B. Using a Shodan search
C. Using DNS reverse lookup
D. Querying a PGP key server
C. DNS reverse lookup is an active technique. Google and Shodan are both search engines, while a PGP key server does not interact with the target site and is considered passive reconnaissance. If you're not immediately familiar with a technique or technology, you can often narrow down the possible options. Here, a Google search and a PGP key server query are obviously not active techniques, and Shodan is also described as a search, which makes a DNS reverse lookup a good guess even if you're not familiar with it.
A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?
A. Oracle
B. Postgres
C. MySQL
D. Microsoft SQL
C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.
Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort?
A. Timing
B. Scope
C. Exploitation methods
D. Authorization
C. Reconnaissance efforts do not include exploitation, so Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she were conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about the exploitation of vulnerabilities.
Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed on or missing from her machine?
A. nmap
B. Nessus
C. MBSA
D. Metasploit
C. The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it runs with administrative rights, it provides a better view than ordinary nmap and Nessus scans, including more detailed information about which specific patches are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.