Chapter 3 Chapter Questions

(OMIT) Which of the following Nmap output formats is unlikely to be useful for a penetration tester? A. -oA B. -oS C. -oG D. -oX

-oS

Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed, and he wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag will Steve probably have to use to successfully scan hosts from this account?

-sT (Connect() scan)

What is the full range of ports that a UDP service can run on?

1-65,535

Megan runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com What information will she not receive? A. TCP services B. The state of the service C. UDP services D. A list of vulnerable services

A list of vulnerable services

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate the services running on these ports? A. SSH B. SFTP C. Telnet D. A web browser

A web browser

Jack is conducting a penetration test for a customer in Japan. What NIC will he most likely have to check for information about his client's networks?

APNIC - Asia Pacific Network Information Centre

Rick wants to describe flaws found in an organization's internally developed web applications using a standard model. Which of the following is best suited to his need? A. CWE B. The Diamond Model C. CVE D. OWASP

CWE (Common Weakness Enumeration)

Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this? A. ExifTool B. Grep C. PsTools D. Nginx

ExifTool

John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner? A. Hping B. Netcat C. Telnet D. ExifTool

ExifTool

Tom wants to find metadata about an organization using a search engine. What tool from the following list should he use?

FOCA (Fingerprinting Organizations with Collected Archives)

Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -p 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan? A. Only scan via UDP to improve speed. B. Change the scan timing to 3 or faster. C. Change to a SYN scan. D. Use the default port list.

Only scan via UDP to improve speed.

Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80 What type of traffic will the remote system see? A. HTTP traffic to TCP port 80 B. TCP SYNs to TCP port 80 C. HTTPS traffic to TCP port 80 D. A TCP three-way handshake to TCP port 80

TCP SYNs to TCP port 80

During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows: Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 -2.6.33 What can she determine from this information? A. The Linux distribution installed on the target B. The patch level of the installed Linux kernel C. The date the remote system was last patched D. That the system is running a Linux 2.6 kernel between .9 and .33

That the system is running a Linux 2.6 kernel between .9 and .33

Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?

The scan will progress at a very slow speed.

What does a result of * * * mean during a traceroute?

There is no response to the query, perhaps a timeout, but traffic is going through.

Why would a penetration tester look for expired certificates as part of an information-gathering and enumeration exercise?

They indicate services that may not be properly updated or managed.

Lin believes that the organization she is scanning may have load balancers in use. Which of the following techniques will help her detect them if they are DNS-based load balancers? A. Use Nmap and look for service port differences. B. Use ping and check for TTL and IP changes. C. Use Nessus and check for service version differences. D. Use WHOIS to check for multiple hostnames.

Use ping and check for TTL and IP changes.

Which of the following provides information about a domain's registrar and physical location? A. Nslookup B. host C. WHOIS D. traceroute

WHOIS

After running an Nmap scan of a system, Zarmeena discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?

Windows

During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following will quickly give him a view of potentially useful information in the binary? A. Netcat B. strings C. Hashmod D. Eclipse

strings
