CEHv8 BOOTCAMP: MODULE 04-ENUMERATION_SET-3

Question 1

Describe the UNIX/LINUX Enumeration command “rpcclient”?

Answer 1

can enumerate usernames on LINUX and OS X

Question 2

Describe the UNIX/LINUX Enumeration command “showmount”?

Answer 2

Finds the shared directories on the machine.

Question 3

What is Lightweight Directory Access Protocol?

Answer 3

An internet protocol for accessing distributer directory services.

Question 4

Network Time Protocol (NTP) is designed to, what?

Answer 4

Synchronize clocks of networked computers.

Question 5

What port does NTP use?

Answer 5

UDP port 123

Question 6

What valuable information does an attacker gather when they query a NTP server?

Answer 6

• List of hosts connected to NTP server
• Clients IP addresses in a network, their system names and Oss
• Internal IPs can also be obtained if NTP server is in the DMZ.

Question 7

Describe the NTP Enumeration command “ntptrace”.

Answer 7

• Traces a chain of NTP servers back to the primary sources.

* ntptrace [-vdn] [-r retries] [-t timeout] [server]

Question 8

Describe the NTP Enumeration command “ntpdc”.

Answer 8

• Monitors operation of the NTP daemon.

* /usr/bin/ntpdc [-n] [-v] host1 | IPaddress1…

Question 9

Describe the NTP Enumeration command “ntpq”.

Answer 9

• Monitore NTP daemon ntpd operations and determines performance.
• Ntpq [-inp] [-c command] [host] […]

Question 10

What are 3 built-in commands with SMTP?

Answer 10

• VRFY – Validates users
• EXPN – Tells the actual delivery addresses of aliases and mailing lists
• RCPT TO – Defines the recipients of the message

Question 11

Using “nslookup”, what valuable network information can an attacker gather?

Answer 11

• DNS server names
• Hostnames
• Machine names
• User names
• IP addresses of the potential targets

Question 12

What does an attacker try to retrieve during a DNS Zone Transfer Enumeration?

Answer 12

A copy of the entire zone file for a domain from a DNS server.

Question 13

What are 5 SNMP enumeration countermeasures?

Answer 13

• Remove the SNMP agent or turn off the SNMP service.
• If shutting off SNMP is not an option, then change the default “public” community’s name.
• Upgrade to SNMP3.
• Implement the Group Policy security option called “Additional restrictions for anonymous connections”.
• Access to null session pipes, null sessions shares, and IPSec filtering should also be restricted.

Question 14

What are 4 DNS enumeration countermeasures?

Answer 14

• Disable the DNS zone transfers to the untrusted host.
• Make sure that the private hosts and their IP addresses are not published into DNS zone files of public DNS server.
• Use premium DNS registration services that hide sensitive information such as HINFO from public.
• Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks.

Question 15

What are 3 SMTP enumeration countermeasures?

Answer 15

Configure SMTP servers to:
• Ignore email messages to unknown recipients.
• Not include sensitive mail server and local host information in mail responses.
• Disable open relay feature.

Question 16

What are 3 LDAP enumeration countermeasures?

Answer 16

• Use NTLM or basic authentication to limit access to known users only.
• Use SSL technology to encrypt the traffic. (By default , LDAP traffic is transmitted unsecure).
• Select a user name different from your email address and enable account lockout.

Question 17

What are the 4 steps to disable SMB?

Answer 17

• Go to Ethernet Properties.
• Select the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes.
• Click Uninstall.
• Follow the uninstall steps.

Question 18

Enumeration Pen Testing is used to identify what?

Answer 18

Valid user accounts or poorly protected resource shares using active connections to systems and directed queries.

Question 19

What is the first step in Enumeration Pen Testing?

Answer 19

Find the network range.

Question 20

What is the last step in Enumeration Pen Testing?

Answer 20

Document findings.