6.1.13 Practice Questions Flashcards
In which phase of the ethical hacking process do you gather information from a system to learn more about its configurations, software, and services?
answer
Enumeration
Reconnaissance
Sniffing
Scanning
Enumeration
Explanation
Enumeration is the method of gathering information from a system to learn more about its configurations, software, and services.
Scanning is the method of using various tools to gather in-depth information on a network.
Reconnaissance is the method of gathering publicly available information about a target.
Sniffing is the process of collecting information as it crosses a network.
Which enumeration process tries different combinations of usernames and passwords until it finds something that works?
answer
Zone transfers
Default passwords
Exploiting SMTP
Brute force
Brute force
Explanation
Brute force attacks are usually automated. A program tries different combinations of usernames and passwords until it finds something that works.
Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages.
A DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server.
All devices have default passwords. These passwords are often left in place, providing an easy access point for an attacker.
Which of the following best describes IPsec enumeration?
answer
Is used to manage devices such as routers, hubs, and switches.
Uses ESP, AH, and IKE to secure communication between VPN endpoints.
Is used by most email servers and clients to send email messages.
Uses SIP to enable voice and video calls over an IP network.
Uses ESP, AH, and IKE to secure communication between VPN endpoints.
Explanation
IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between virtual private network endpoints. Using enumeration tools, attackers can pull sensitive information such as the encryption and hashing algorithm, authentication type, and key distribution algorithm.
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station. The agent is found on the device that is being managed, and the SNMP management station serves as the communication point for the agent.
VoIP uses SIP (Session Initiation Protocol) to enable voice and video calls over an IP network. SIP service generally uses UDP/TCP ports 2000, 2001, 5050, and 5061.
Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages. Scanning tools and commands can be used to verify the existence of specific email addresses and can even provide a list of all users on a distribution list.
Which of the following enumeration tools provides information about users on a Linux machine?
answer
PsTools
finger
SuperScan
Null session
finger
Explanation
Using the finger command on Linux machines provides information about a user. When executed, it returns information such as the user’s home directory, login time, idle times, office location, and the last time they received or read mail.
PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, view services, and control services.
SuperScan can be used to enumerate information from a Windows host. Information can be gathered about NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups.
Null Sessions are created when no credentials are used to connect to a Windows system. They are designed to allow clients access to limited types of information across a network.
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station in which layer of the OSI model?
answer
Network Layer
Application Layer
Session Layer
Transport Layer
Application Layer
Explanation
The Application Layer (Layer 7) supports application and end-user processes. Examples include NFS, SNMP, Telnet, HTTP, and FTP.
The Session Layer (Layer 5) establishes, manages, and terminates connections between applications. Examples include NFS, NetBIOS names, RPC, and SQL.
The Transport Layer (Layer 4) provides transparent transfer of data between end systems or hosts. Examples include SPX, TCP, and UDP.
The Network Layer (Layer 3) provides switching and routing technologies. Examples include AppleTalk, DDP, IP, and IPX.
Typically, you think of the username as being the unique identifier behind the scenes, but Windows actually relies on the security identifier (SID). Unlike the username, a SID cannot be used again. When viewing data in the Windows Security Account Manager (SAM), you have located an account ending in -501. Which of the following account types did you find?
answer
The domain admins
The built-in administrator
The domain guests
The built-in guest
The built-in guest
Explanation
The Guest account is a user account for people who do not have individual accounts. The SID ends with -501.
The Administrator account is a user account for the system administrator. The SID ends with -500.
The Domain Admins group is a global group whose members are authorized to administer the domain. The SID ends with -512.
The Domain Guests group is a global group that, by default, has only one member, the domain’s built-in Guest account. The SID ends with -514.
A hacker has managed to gain access to the /etc/passwd file on a Linux host. What can the hacker obtain from this file?
answer
Usernames, but no passwords
Usernames and passwords
No usernames or passwords
The root username and password
Usernames, but no passwords
Explanation
The /etc/passwd file on a Linux host contains the following:
The username and user ID used to identify each user.
Passwords that are encrypted and saved on the computer or on the network.
Group identification numbers (GIDs).
Jorge, a hacker, has gained access to a Linux system. He has located the usernames and IDs. He wants the hashed passwords for the users that he found. Which file should he look in?
answer
/etc/services
/etc/passwd
/etc/group
/etc/shadow
/etc/shadow
Explanation
The hashed passwords are stored in the /etc/shadow file.
The list of groups is stored in the /etc/group file.
The list of running services is stored in the /etc/services file.
The username and ID are stored in the /etc/passwd file.
What port does a DNS zone transfer use?
answer
TCP 23
TCP 53
TCP 445
TCP 139
TCP 53
Explanation
Port 53 is used for DNS zone transfers.
Port 23 is used for the Telnet protocol/software.
Port 139 is used by the NetBIOS Session Service.
Port 445 is used by SMB over TCP.
Which of the following ports are used by null sessions on your network?
answer
135 and 445
137 and 443
139 and 445
139 and 444
139 and 445
Explanation
A Null Session attack uses the Windows net command to map a connection using a blank username and password. These connections would take place over port 139 (NetBIOS Session Service) or 445 (runs SMB over TCP/IP without NetBIOS).
Port 135 is used by the Remote Procedure Call service in Windows for client-server communications.
Port 137 is used by the NetBIOS Name Server (NBNS). NBNS is used to associate names and IP addresses of systems and services.
Port 443 is the standard TCP port that is used for websites that use SSL.
Port 444 may use a defined protocol to communicate, depending on the application.
LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use. What port does LDAP use?
answer
TCP/UDP 53
TCP/UDP 3268
TCP/UDP 389
TCP/UDP 445
TCP/UDP 389
Explanation
TCP/UDP port 389 is used by the Lightweight Directory Access Protocol (LDAP).
TCP/UDP port 3268 is used by the Global Catalog Service.
TCP port 53 is used for DNS zone transfers. UDP port 53 is used for UDP queries about IP-to-name and name-to-IP mappings.
TCP port 445 is used by SMB over TCP.
Shawn, a malicious insider, has obtained physical access to his manager’s computer and wants to listen for incoming connections. He has discovered the computer’s IP address, 192.168.34.91, and he has downloaded netcat. Which of the following netcat commands would he enter on the two computers?
answer
nc -l -p 2222 (manager’s computer) and nc -nv 192.168.34.91 2222 (Shawn’s machine)
nc -l -p 2222 (manager’s computer) and nc -sv 192.168.34.91 2222 (Shawn’s machine)
nc -n -s 2222 (manager’s computer) and nc -lp 192.168.34.91 2222 (Shawn’s machine)
nc -l -s 2222 (manager’s computer) and nc -pv 192.168.34.91 2222 (Shawn’s machine)
nc -l -p 2222 (manager’s computer) and nc -nv 192.168.34.91 2222 (Shawn’s machine)
Explanation
On the manager’s computer, Shawn would enter nc -l -p 2222 (the -l switch listens for an incoming connection, and the -p switch tells netcat to use a specific source port). On Shawn’s computer, he would enter nc -nv 192.168.34.91 2222 (the -n switch tells netcat not to use DNS lookups, and the -v switch enables verbose output).
The -s switch tells netcat to use the source IP address.