Chapter 4 Test questions
An attacker can use ________ to find information about a firewall such as manufacturer and version. - NNTP - Banner grabbing - Packet mapping - Backdoors
- Banner grabbing - Banner grabbing using a program such as telnet can reveal information from services, giving an indication of the nature of a firewall. Some firewalls, such as some NetGuard products, actually report specific information such as vendor and product details during a banner grab.
Which ports does SNMP use to function? - 160 and 161 - 160 and 162 - 161 and 162 - 389 and 160
- 161 and 162 - SNMP (Simple Network Management Protocol) makes use of ports 161 and 162. If these ports are open and the service is in use on a network, it may be possible to gather information such as device details and other useful data.
Which ports, if open, indicate that a system may be vulnerable to a NULL session attack? - 445 and 139 - 443 and 139 - 445 and 138 - 161 and 162
- 445 and 139 - Ports 445 and 139 are intended for SMB over TCP/IP and NetBIOS services, respectively. If these ports are found open, the system may be vulnerable to NULL session attacks. If a system or environment does not need to use NetBIOS, it should be shut off completely to avoid the associated security risks.
Port number ________ is used by DNS zone transfers between DNS servers to keep their information synchronized. - 53 TCP - 25 TCP - 53 UDP - 25 UDP
- 53 TCP - Port 53 TCP is used by DNS zone transfers. The use of this port allows DNS servers to keep their zone information updated via zone transfers, and it needs to be kept open for that purpose. However, this port should not be kept open through firewalls to the outside world unless absolutely required.
What would the purpose of banner grabbing be during a test? - To identify a configuration - To open a port - To identify a service - To identify a firewall
- To identify a service - Banner grabbing is useful because it allows the identification of services such as HTTP, FTP and others.
In order to stop the successful creation of NULL sessions on Windows 2000, you have decided to reconfigure a registry setting. On Windows systems, which setting should you alter in order to prevent NULL session attacks from being possible? - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\Control\LSA\RestrictAnonymous - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymousUser - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSB\RestrictAnonymous
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - The correct location for RestrictAnonymous is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous. This location is the same in all versions of Windows from 2000 forward. Value data set to 1 allows anonymous connections, whereas a value of 2 restricts them.
You are discussing a pentest with a client who brings up several concerns that they would like to have verified as present or not. One of the items they bring up comes from an article they just read stating that NULL sessions can allow an attacker to scan and enumerate the services on a host without using credentials. When you are putting together a list of items to check on the network and its hosts, which networking protocol or service would you add to the list, knowing the client has this request? - IPX/SPX - IPSec - TCP/IP - NetBIOS
- NetBIOS - NetBIOS can be used to enhance network services, but it is also known to be very vulnerable and can be used to initiate an anonymous session, known as a NULL session. If a NULL session can be established and the host is not configured properly, another system may in some cases be able to learn additional information about the host without using credentials. The use of NetBIOS is falling into disuse quite rapidly and in fact is not even supported in IPv6.
Which of the following protocols is designed to replace an older set of insecure mechanisms for connecting to servers, transferring data or sending commands to remote hosts? - IPsec - SST - SFTP - SSH
- SSH - SSH (Secure Shell) is designed as a replacement for older, insecure protocols such as FTP and telnet that do not offer cryptographic protection for data or credentials.
What is considered a more secure replacement of telnet? - HTTPS - SSTP - SSH - SFTP - SSL - FTP
- SSH - Telnet is an old and reliable protocol, but it does not offer substantial security features, is considered a serious risk and should be replaced where possible. The de facto replacement for FTP is considered to be Secure Socket Shell or SSH, which offers encryption and end-to-end security not offered by Telnet.
If you were to execute the command "nc -l -p 22 -e cmd.exe" what would you be attempting? - To execute the cmd.exe command to attach to a remote system - To execute the cmd.exe command when a connection is made to port 22 - To upload the cmd.exe to the remote system using port 22 - To execute a listener with the cmd.exe application
- To execute the cmd.exe command when a connection is made to port 22 - When using the netcat command in this example, the application will wait for an inbound connection on port 22 from another system. When the connection is made, netcat will automatically start the cmd.exe process, which allows commands to be run remotely on the system.
Why would the command "telnet 192.168.1.106 80" be used? - To fingerprint the remote system using the service on port 80 - To determine if port 80 is open on the remote system - To upload a file over port 80 to the specified IP address - To extract the banner of the service running on port 80
- To extract the banner of the service running on port 80 - Using the telnet command to attach to port 80 on the IP address will attempt to extract a banner from the service running on that port. In this case, telnet will start the process of grabbing a banner from the HTTP service if it is present.
Which command would you use to perform a zone transfer from coyote.com using nslookup? - ls -x coyote.com - ls -d coyote.com - s -n coyote.com - ls -t coyote.com
- ls -d coyote.com - Within the nslookup command, using the sequence "ls -d" will transfer a copy of the zone if the DNS server supports it. However, in order to cover all of the zone records (if possible), the sequence "set type=any" should be executed, which allows the transfer of all record types.
If you run netcat on a system with the intention of opening a listener on the port assigned to SSH which command would you use? - nc -l -p 24 - nc -l -p 25 - nc -l -p 21 - nc -l -p 22
- nc -l -p 22 - The use of the command nc -l -p 22 will start a listener on port 22, which is commonly associated with SSH. Once this command is executed, netcat will listen for inbound connections on port 22 and respond to them.
Which command can be used to see which shares are available on computer 192.168.1.10? - net view \\192.168.1.10 - net view '\\192.168.1.10' - net use \\192.168.1.10 - net view "\\192.168.1.10"
- net view \\192.168.1.10 - Using the net view command followed by a double backslash and the IP address of a system will allow the viewing of its shares, if available.
What command is used to display a list of the ports on a system that are open, idle or listening with netstat? - netstat -an - netstat -n - netstat -ports - netstat -s
- netstat -an - In order to display a list of ports and their status with netstat, the -an switch can be used to show them all in list format.
Which would be used to retrieve a banner from the web server at the address 192.168.70.12? - telnet 192.168.70.12 110 - telnet 192.168.70.12 21 - telnet 192.168.70.12 80 - telnet 192.168.70.12 443
- telnet 192.168.70.12 80 - Assuming that the default ports are used for hosting web services on the target 192.168.70.12, "telnet 192.168.70.12 80" would be the ideal answer.