Network scanning, enumeration and vulnerability analysis
What are the four types of vulnerability assessment solutions?
-Product based -Service based -tree based -Inference based
What are two different types of information an attacker can look at to help identify the target system's OS?
-Time To Live (TTL) -TCP window size
Which Nmap option causes the requested scan to use tiny, fragmented IP packets?
-f
Which option can be used in Nmap/Zenmap to discover the target system's OS?
-o
What option can allow a user to utilize Nmap Scripting Engine (NSE) in Nmap/Zenmap?
-sC, --script
How many bits are used in a TCP flag
1 bit
How many bits does an IPv6 Address utilize?
128 bits
Which type of output is produced by a list scan?
A list of IP addresses and names
What is hping3?
A packet-crafting port scanner
Which scan is used by an attacker to determine if a firewall is stateful or stateless?
ACK flag probe scan
Which type of banner grabbing utilizes packets being sent to the target and evaluating the response?
Active banner grabbing
What is identified from a network scan?
Active hosts and their IP addresses on a network
What does an ARP response of an ARP Ping scan indicate?
An active host
Which three security protocols does IP Security (IPSec) use?
Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE)
What is the routing protocol used to exchange routing and reachability information among autonomous systems?
Border gateway protocol (BGP)
What is the public list or dictionary of standard identifiers for common software vulnerabilities?
Common Vulnerabilities and Exposures (CVE)
What is the name of the vulnerability scoring system that is used to rank information on a system vulnerabilities?
Common vulnerability scoring system (CVSS)
What is the DNS enumeration technique that happens when attackers query a DNS server for a specific cached DNS record?
DNS cache snooping
What is the purpose of NetBIOS port 138?
Datagram Services
Which TCP flags are set during a XMAS scan?
FIN, URG, and PSH
Which scanning tool can be used to determine live devices by sending ICMP packets and only works on Unix/Linux based networks?
ICMP ECHO ping scan
What is an old slow method used to find the range of IP addresses that make up hosts on a network?
ICMP ECHO ping sweep
Which type of scan sends an unsolicited SYN/ACK packet which in turn responds with RST?
IDLE/IPID header scan
Which attacker technique involves changing the source IP addresses to hide the attack origin?
IP address spoofing
What is the reason behind why someone tries to identify the target system's OS?
Identify vulnerabilities associated with that version of the OS
which method is used to determine the OS on remote systems by utilizing the unique 32-bit sequence number assigned to each new connection on a TCP-based Communication?
Initial sequence number (ISN) analysis
What is the default automated key-management protocol for IPSEC?
Internet Key Exchange (IKE)
Which protocol provides connectionless integrity, data orgin authentication, replay protection, and confiedtiality (encryption) using authentication header (AH) and encapulating security payload (ESP)?
Internet proto
What is the first step of vulnerability scanning?
Locate live hosts on the target network
Which proprietary Microsoft network service enables application on different computers to communicate with each other across a LAN?
NetBIOS
Which Unix-based protocol is used to mount file systems on a remote host over a network, and allows users to interact with the file systems as if they are mounted locally?
Network File System (NFS)
which tool can help map a network automatically, keep track of network changes, and can display layer 2 and 3 devices?
Network Topology Mapper
What does the acronym NetBIOS denote?
Network basic output/input system
Which tool is commonly used for ARP ping scans and vulnerability scans across targets?
Nmap
Which framework is useful for automating networking tasks and allows users to write and share Nmap scripts?
Nmap scripting Engine (NSE)
Which NTP command collects a number of time samples from several different time sources?
Ntpdate
What is the most valuable information you can gain from a banner grab?
Operating system and version
Which ports are used by SNMP?
Ports 161 and 162
Which four posts does SIP use?
Ports 2000, 2001, 5050, and 5061
Which four ports are used by LDAP?
Ports 389,636, 3268, and 3269
Which five ports are used by NetBIOS?
Ports 42, 137,138,139, and 1512
Which PSTool is used to end processes remotely?
PsKill
Which suite of tools is a collection of command-line utilities for windows administration of local and remote systems for enumerating user accounts?
PsTools
Which popular commercial cloud-based vulnerability assessment service continuously identifies and monitors changes in the network?
Qualys
which legacy communication protocol is used to create distributed client/server programs that allows communication between clients and servers?
Remote procedure call (RPC)
Which scanning technique is where an attacker sends an INIT chunk to a targeted host?
SCTP INIT ping scan
Which technique targets the specific vulnerable version of a port's service?
Service version discovery
Which protocol is used by VoIP?
Session Initiation Protocol (SIP)
What is the purpose of NetBIOS port 139?
Session services
What is SNMP
Simple Network Management Protocol
What are the three steps in the TCP three way handshake?
Syn, ACK, Syn-ACK
What is the purpose of NTP?
Synchronize system clocks between computers
Which port number is used by BGP?
TCP port 179
Which port is used by NFS?
TCP port 2049
Which port number is mainly used by FTP?
TCP port 21
Which is the port number used for telenet?
TCP port 23
Which port number is used by SMB
TCP port 445
Which port is used to perform domain name enumeration using a DNS zone transfer?
TCP/UDP port 53
Which port is used to perform file share enumeration sing SMB over TCP (direct Host)
TCP/UDP port445
Which term refers to voice communication over a digital network?
Telephony or Voice over IP (Vo-IP)
What is Initial sequence number (ISN) analysis used to discover on a remote system?
The OS and version
what does the vulnerability assessment report disclose?
The risks that are detected through scanning the network
What is the purpose of an ARP ping scan?
To find active hosts on a network.
What is the purpose of scanning and enumeration after identifying the target and performing an initial reconnaissance?
To find an entry point into the target system
Which SNMP command is used by the SNMP agent to inform the pre-configured SNMP manager of a certain event?
Trap
which port does NTP use?
UDP port 123
which port number is used by TFTP?
UDP port 69
What is the process of examining a system or application for potential weaknesses that could be exploited?
Vulnerability assessment
Which type of scannning searches for indicators of known weaknesses in the network or system?
Vulnerability scan
Which mobile vulnerability assessment tool is used on Android as a passive method for vulnerability detection?
Vulners scanner
What is a UDP scan used to discover?
Which ports on a target are closed
Which popular protocol analyzing tool is used to sniff a system's TTL and TCP window size?
Wireshark
Which GUI tool can be used to perform a UDP ping scan?
Zenmap
which type of vulnerability assessment focuses on testing databases for the presence of data exposure or injection type vulnerabilities?
database assessment
What is the process of listing available systems, networks, users, or programs that could be compromised?
enumeration
Which type of vulnerability assessment assesses the network form a hacker's perspective?
external assessment
What is the purpose of the TCP ACK flag?
indicates confirmation of an established connection between hosts
What is the purpose of the TCP SYN flag?
indicates connection initialization between hosts
What is the purpose of the TCP FIN flag?
indicates the closing of the connection between hosts
What is the virtual database that contains descriptions of all network objects that can be managed using SNMP?
management information database (MIB)
What is the use of NetBIOS port 137?
name services
How can a network diagram help an attacker?
provides network topology and composition.
Which step of the vulnerability assessment process is conducted to compile the results after scanning is completed?
reporting
what are the two classifications of vulnerability assessment reports?
security vulnerability report and security vulnerability summaries
What is the process of DNS Enumeration using zone transfer?
transfers a copy of the DNS zone file from the primary DNS server to a secondary DNS server.
What does an attacker use SSDP scanning for to find?
vulnerabilities with uPnP
which three types of assessments does Nessus Professional perform?
vulnerability assessment, configuration assessment, and compliance assessment.
What does a port scan reveal?
what ports are open and available services