Chap 3

Question 1

What is network reconnaissance and discovery?

Answer 1

Mapping out the attack surface

Question 2

What is Topology discovery/ footprinting?

Answer 2

Scanning hosts, IP ranges, and routers between networks to map out the structure of the target network typically using command line tools.

Question 3

What tools are used to test routing config and connectivity with remote hosts and networks?

Answer 3

• Route
• tracert (Windows)
• traceroute (Linux)
• pathping (windows) / mtr (Linux)

Question 4

What is a SNMP?

Answer 4

Simple Network Management Protocol is a management protocol.

Question 5

What is the Nmap Security Scanner?

Answer 5

One of the most popular open-source IP scanners ( shows open ports on a connection)

Question 6

What is service discovery?

Answer 6

To discover what OS is running, which network services each host is running and potentially which app software is underpinning the services.

Question 7

Service discovery scan options?

Answer 7

• TCP SYN (-sS)
• UDP scans (-sU)
• Port range (-p)

Question 8

What is TCP SYN (-sS)?

Answer 8

A service discovery option that is the fastest technique aka half-open scanning.

Question 9

What is are UDP scans (-sU)?

Answer 9

scan UDP ports.

Question 10

What are Port ranges?

Answer 10

Allows for NMAP to select a port range instead of the default 1000 commonly used ports.

Question 11

What is fingerprinting?

Answer 11

Detailed analysis of services on a particular host

Question 12

What is banner grabbing?

Answer 12

The process of scanning software to guess art the software name and version, without having any sort of privileged access to the host.

Question 13

What information can be gathered by using the -sV or -A command in NMAP?

Answer 13

• Protocol
• Application name and version
• OS type and version
• Device type

Question 14

What is CPE

Answer 14

Common Platform Enumeration which is the standard syntax used to classify fingerprinting signatures in NMAP.

Question 15

What is netstat?

Answer 15

Shows the local state of TCP/UDP ports on local machines .

Question 16

What is Linux version of nslookup?

Answer 16

Dig

Question 17

What is the Harvester tool used for?

Answer 17

Tool for gathering open-source intelligence for a particular domain or company name.

Question 18

What is the curl command?

Answer 18

command-line client for performing data transfers over many types of protocols.

Question 19

What is Nessus?

Answer 19

One of the best-known commercial vulnerability scanners.

Question 20

What is Packet analyzing?

Answer 20

deep-down frame-by-frame scrutiny of captured frames

Question 21

What is protocol analyzing?

Answer 21

Using statistical tools to analyze a sequence of packets or packet trace.

Question 22

What type of file is used for packet captures?

Answer 22

.pcap

Question 23

What is Wireshark?

Answer 23

Open source graphical packet capture and analysis utility, with installer packages for most OS’s.

Question 24

What does Fellow TCP Stream do?

Answer 24

Reconstructs the packet contents for a TCP session.

Question 25

What are some well known packet injection tools?

Answer 25

• Dsniff
• Ettercap
• SCapy
• hping

Question 26

What is hping?

Answer 26

An open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs.

Question 27

What does TCPreplay do?

Answer 27

It takes previously captured traffic that has been saved to a .pcap file and replays it through a network interface.

Question 28

What is a RAT?

Answer 28

Remote Access Trojan is malware that gives an adversary the means of remotely accessing the network.

Question 29

How does an exploitation framework expolit?

Answer 29

By using the vulnerabilities identified by an automated scanner and launching scripts or software to attempt to deliver matching exploits.
Can also inject malicious code past an IDSs and AVs

Question 30

What is the best-known exploit?

Answer 30

Metasploit

Question 31

What is Sn1per?

Answer 31

A framework designed for penetration test reporting and evidence gathering.

Question 32

Name other exploitation frameworks besides Sn1per and Metasploit?

Answer 32

• fireELF
• RouterSploit
• Browser Exploitation Framework (BeEF)
• Zed Attack Proxy (ZAP)
• Pacu

Question 33

What is Netcat?

Answer 33

tool to test for connectivity and can be used for port scanning and fingerprinting.

Question 34

What is software exploitation?

Answer 34

An attack that targets a vulnerability in software code

Question 35

What firmware does IOT and network appliances use?

Answer 35

OS code

Question 36

What is a Zero-Day?

Answer 36

A vulnerability that is exploited before the developer knows about it or can release a patch

Question 37

What is a legacy platform?

Answer 37

A platform that is no longer supported with security patches by its developer or vendor.

Question 38

Default settings is an example of what?

Answer 38

A weak configuration

Question 39

How can an adversary gain control of a root account?

Answer 39

guessing a weak password or using some local boot attack to change the set password.

Question 40

What is open permissions?

Answer 40

Provisioning data files or apps without differentiating access rights for user groups.

Question 41

Running unnecessary services or using weak encryption can do what?

Answer 41

Cause vulnerabilities

Question 42

What are some ways to harden services for a given role?

Answer 42

• Restrict endpoints that are allowed to access the service by IP address or address range.
• Disable services that are installed by default and not needed.
• block access to ports at border firewalls or segment the network to keep external access at a minimum.

Question 43

What is an unsecure protocol?

Answer 43

The transfer data is sent in plaintext (no encryption) which means there is no secure way to authenticate the endpoints.

Question 44

Data Breach vs Data exfiltration

Answer 44

Data Breach: an event where confidential data is read or transferred without authorization and can be a result of an exfiltration.

Data Exfiltration: the methods and tools by which an attacker transfers data without authorization.

Question 45

Data exfiltration’s are always intentional and malicious, unlike data breaches. T/F?

Answer 45

True

Question 46

What is data loss?

Answer 46

When information becomes unavailable either permanently or temporarily.

Question 47

What is vendor management?

Answer 47

Process of selecting supplier companies and evaluating the risks inherent in relying on a third-party product or service.

Question 48

What is system integration?

Answer 48

Process of using components/services from multiple vendors to implement a business workflow.

Question 49

T/F
A contracting company may a list of preferred vendors and ask 3rd parties to build and support the solution.

Answer 49

True

Question 50

What are the two risk to data when using 3rd parties?

Answer 50

• They will have access to the data
• They may service to host data or data backups and archives.

Question 51

What are the main types of security assessment classed as?

Answer 51

• Vulnerability Assessment
• Threat Hunting
• Penetration Testing

Question 52

What is a vulnerability assessment?

Answer 52

An evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system. (Current config matches the baseline)

Question 53

What is a vulnerability scanner?

Answer 53

Test network hosts, including client PCs, mobile devices, servers, routers, and switches.

Question 54

What results come from vulnerability scans?

Answer 54

missing patches, deviations from baseline, and configuration templates.

Question 55

Each identified vulnerability is categorized and assigned an impact warning. T/F

Answer 55

True

Question 56

What are the best known application scanners?

Answer 56

web application scanners

Question 57

What does Nikto look for?

Answer 57

SQL injection and cross-site scripting (XSS)

Question 58

What is a vulnerability feed?

Answer 58

Up to date information from an automated scanner.

Question 59

How do Nessus and OpenVAS describe vulnerability feeds?

Answer 59

plug-ins and network vulnerability tests (NVT’s)

Question 60

What is SCAP?

Answer 60

Security Content Application Protocol obtains feed or plug-in updates for vulnerability scanners.

Question 61

Describe CVE.

Answer 61

Common Vulnerabilities and Exposures is a dictionary of vulnerabilities in published OSs’ and app software.

Question 62

What identifiers make up a CVE?

Answer 62

• An identifier
• A brief description of the vulnerability
• A reference list of URLs
• The date the vulnerability entry was created.

Question 63

Describe the CVSS

Answer 63

The Common Vulnerability Scoring System uses NIST’s National Vulnerability Database (NVD) data to develop a vulnerability score from 0-10 rating Low(.1+), Medium(4.0+), High(7.0+), and Critical(9.0+).

Question 64

What is scan intrusiveness?

Answer 64

How much the scanner interacts with the target.

Question 65

What is a Non-intrusive (or passive) scan?

Answer 65

Analyzing indirect evidence, such as the traffic generated by a device. Has the least impact but is less likely to ID vulnerabilities comprehensively.

Question 66

Describe active scanning

Answer 66

Probing the device’s configuration using some sort of network connection with the target. Consuming more bandwidth and has the ability to crash the target or cause an outage.

Question 67

Explain a non-credentialed scan

Answer 67

A scan that proceeds by directing test packets at a host w/o being able to log on to the OS or app and typically the most appropriate technique for external assessment of a network parameter.

Question 68

Explain a credentialed scan

Answer 68

Much more in-depth analysis, especially for misconfigurations and more intrusive than non-credentialed.

Question 69

What does RED denote in a vulnerability scan?

Answer 69

weakness that requires immediate attention.

Question 70

What is a false positive?

Answer 70

Something that is identified by a scanner or other assessment tool as being a vulnerability when it is not.

Question 71

What is a false negative?

Answer 71

Potential vulnerabilities that are not identified by a scan.

Question 72

What type of scan is required for a configuration review?

Answer 72

A credentialed scan.

Question 73

What components are used by a SCAP to determine if a computer meets configuration baseline?

Answer 73

• Open Vulnerability Assessment Language (OVAL)
• Extensible Configuration Checklist Description Format (XCCDF)

Question 74

Describe OVAL.

Answer 74

Open Vulnerability and Assessment Language is an XML schema for describing system security and querying vulnerability reports and info.

Question 76

Describe XCCDF.

Answer 76

Extensible Configuration Checklist Description Format is an XML schema for developing and auditing best-practice configuration checklists and rules.

Question 77

What is threat hunting?

Answer 77

An assessment technique that utilizes insights gained from threat intelligence to proactively discover where there is evidence of TTPs already present w/in a system.

Question 78

What might be the trigger for establishing a threat hunt?

Answer 78

Security bulletins and advisories from vendors, and security researchers about new TTPs and/or vulnerabilities.

Question 79

What is Intelligence fusion?

Answer 79

A process to correlate threat data via an SIEM tool and threat analytics to threat hunt.

Question 80

What is Maneuver in threat hunting?

Answer 80

A military doctrine to obtain positional advantage in a live threat situation.

Question 81

Describe a penetration test/pen test/ethical hacking.

Answer 81

The use of authorized hacking techniques to discover exploitable weaknesses in the target’s security systems.