CompTIA PenTest+ Certification Exam Objectives 4.0 Penetration Testing Tools Flashcards

1
Q

What is reconnaissance?

A

Reconnaissance is the practice of covertly discovering and collecting information about a system or host

2
Q

What is enumeration?

A

Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system.

The gathered information is used to identify vulnerabilities or weak points in system security, which the tester then tries to exploit in the system-gaining phase.

3
Q

What is vulnerability scanning?

A

Vulnerability scanning is used to identify and create an inventory of all systems, including servers, desktops, laptops, virtual machines, containers, firewalls, switches and printers that are connected to a network.

For each device that it identifies it also attempts to identify the operating system it runs and the software installed on it, along with other attributes such as open ports and user accounts.

4
Q

What is offline password cracking?

A

This is an attempt to recover one or more passwords from a password storage file that has been recovered from a target system.

This is often used when time on the target system is limited: once we obtain a list of password hashes, we take the file and crack the hashes elsewhere instead of on the target system.

5
Q

What is persistence?

A

Persistence allows an attacker to re-infect/re-enter a machine, maintaining their existing access after events such as a system reboot, changed credentials or even a re-imaging.

This can be done by modifying registries or daemons, or even by creating a small account for ourselves.

Essentially a backdoor into a system!

6
Q

What is configuration compliance?

A

Configuration compliance is essentially ensuring that systems, hosts and applications meet mandated standards.

This would include systems subject to PCI DSS, or that process or maintain healthcare information or PII.

Certain requirements, such as encryption type and protocol, must be met to be in compliance.

7
Q

What is evasion?

A

Evasion techniques are regularly used by cyber attackers to avoid detection and hide malicious activity.

This could be bypassing controls or camouflaging within an environment using masquerading techniques.

8
Q

What is forensics?

A

Forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation to stakeholders or even law enforcement.

9
Q

What is fuzzing?

A

Fuzzing, or fuzz testing, is a black-box software testing technique that consists of finding implementation bugs by injecting malformed data in an automated fashion.

10
Q

What is Nikto?

A

Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including dangerous files/programs, outdated versions and version-specific problems.

It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software.

11
Q

What is OpenVAS?

A

OpenVAS is an open-source vulnerability scanner.

Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

12
Q

What is SQLMap?

A

SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

This tool can affect any website or web app that has a SQL database linked to it.

It comes with a powerful detection engine and many features.

Supports:
MySQL
Oracle
PostgreSQL
MSSQL
13
Q

What is Nessus?

A

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that hackers could use to gain access to any computer you have connected to a network.

It scores each vulnerability based on severity and can even provide remediation for said vulnerabilities.

14
Q

What is hashcat?

A

Hashcat is a popular and effective password cracker widely used by both sysadmins and pentesters, as well as criminals.

Hashcat is a particularly fast, efficient and versatile tool that assists in brute-force attacks by hashing the passwords it guesses and comparing the results against the target hash values.

It can be used for dictionary attacks and rainbow tables as well.

15
Q

What is Medusa?

A

Medusa is a speedy, parallel and modular login brute-forcer.

The goal is to support as many services that allow remote authentication as possible.

16
Q

What is THC Hydra?

A

Hydra is a parallelized network login cracker.

This tool makes it possible to brute force services such as FTP, SSH, Telnet, MSSQL, etc.

17
Q

What is CeWL?

A

CeWL is a Ruby app that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be used by password crackers.

18
Q

What is John the Ripper?

A

John The Ripper is an open source password cracking software tool.

It is designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks.

19
Q

What is Cain and Abel?

A

Cain and Abel is a password "recovery" tool for Microsoft Windows.

It can recover many kinds of passwords using methods such as dictionary attacks, brute force and cryptanalysis attacks.

Cryptanalysis attacks are done via rainbow tables.

Cain and Abel uses dictionary lists as a basis for cracking passwords, brute-force attacks that try different passwords many times every second, and decoding of information stored on the hard drive; the tool attempts to determine the correct password.

20
Q

What is Mimikatz?

A

Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets.

Other attacks Mimikatz enables are pass-the-hash, pass-the-ticket and building Kerberos Golden Tickets.

It is geared toward Windows and is used for post-exploitation lateral movement.

21
Q

What is Patator?

A

Patator is a multi-purpose brute-forcer with a modular design and flexible usage.

Patator was written out of frustration from using Hydra, Medusa and Ncrack.

Patator is written in Python and strives to be more reliable and flexible than those predecessors.

22
Q

What is DirBuster?

A

DirBuster is a multi-threaded Java application designed to brute force directories and file names on web/application servers.

DirBuster attempts to find pages and applications hidden within a web site.

DirBuster uses a list of common directory names in the hope of revealing directories with those names on the server.

23
Q

What is W3AF?

A

W3AF is a web application attack and audit framework.

It is an open-source vulnerability scanner and exploitation tool geared towards web applications.

The scanner offers a graphical user interface.

24
Q

What is OllyDBG?

A

OllyDBG is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available.

It traces registers, recognizes procedures, API calls, switches, tables, constants, and strings, as well as locates routines from object files and libraries.

This is useful for reverse engineering programs.

25
Q

What is Immunity Debugger?

A

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files.

It builds on a solid user interface with function graphing.

It includes both a GUI and a command line.

26
Q

What is GDB?

A

GNU Project Debugger

GDB allows you to see what is going on 'inside' another program while it executes, or what another program was doing at the moment it crashed.

GDB can:
Start your program, specifying anything that might affect its behavior
Make your program stop on specified conditions
Examine what has happened when your program has stopped
Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another

It is used on UNIX and Windows as well as macOS.

27
Q

What is WinDBG?

A

WinDBG is a multipurpose debugger for the Microsoft Windows OS.

It can be used to debug user-mode applications, device drivers and the OS itself in kernel mode.

28
Q

What is IDA?

A

Interactive Disassembler (IDA)

This is a disassembler for computer software which generates assembly language source code from machine executable code.

IDA performs automatic code analysis, using cross-references between code sections, knowledge of the parameters of API calls and other information.

29
Q

What is Peach in regards to software assurance?

A

Peach provides fuzzing and a way to define the format of the data that should be generated, as well as how and when the fuzz data should be generated.

It is a fuzzing platform/framework, not a fuzzer itself.

It provides an XML + Python way of quickly creating a fuzzer for a wide variety of data formats and situations.

30
Q

What is AFL?

A

American Fuzzy Lop (AFL) is a free software fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases.

AFL requires the user to provide a sample command that runs the tested application and at least one small example input file.

AFL applies various modifications to the input file.

31
Q

What is SonarQube?

A

SonarQube is an open-source platform for continuous inspection of code quality that performs automatic reviews with static analysis of code to detect bugs, code smells and security vulnerabilities in 20+ programming languages.

SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs and security vulnerabilities.

32
Q

What is YASCA?

A

YASCA is an open source program which looks for security vulnerabilities, code quality, performance and conformance to best practices in program source code.

YASCA is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite and other formats.

33
Q

What is nslookup?

A

nslookup is a network command-line tool for querying the Domain Name System to obtain the mapping between a domain name and an IP address, or other DNS records.

Can be used in Linux and Windows

34
Q

What is FOCA?

A

Fingerprinting Organizations with Collected Archives

FOCA is a tool used mainly to find metadata and hidden information in the documents it scans.

It is capable of analysing a wide variety of documents, the most common being Microsoft Office, OpenOffice or PDF files.

35
Q

What is theharvester?

A

theHarvester is a command-line tool included in Kali Linux that acts as a wrapper for a variety of search engines and is used to find email accounts, subdomain names, virtual hosts, open ports/banners and employee names related to a domain from different public sources (such as search engines and PGP key servers).

36
Q

What is Maltego?

A

Maltego is an open source intelligence (OSINT) and forensics software.

Maltego is a comprehensive tool for graphical link analysis that offers real-time data mining and information gathering, as well as the representation of this information on a node-based graph, making patterns and multiple-order connections between said information easily identifiable.

With Maltego you can easily mine data from dispersed sources, automatically merge matching information in one graph and visually map it to explore your data landscape.

37
Q

What is recon-ng?

A

Recon-ng is a full-featured web reconnaissance framework written in Python.

The goal of recon-ng is to provide a powerful environment to conduct open source web-based recon quickly and thoroughly.

38
Q

What is Censys?

A

Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.

This includes devices, websites and certificates.

39
Q

What is aircrack-ng?

A

Aircrack-ng is a complete suite of tools to assess and test WiFi network security.

This includes:
Monitoring - packet capture and export of data to text files for further processing by third party tools
Attacking - Replay attacks, deauthentication, fake access points and others via packet injection
Testing - Checking WiFi cards and driver capabilities (capture and injection)
Cracking - WEP and WPA PSK (WPA1 and WPA2)

40
Q

What is Kismet?

A

Kismet is an 802.11 wireless network detector, sniffer and IDS.

It will work with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11a/b/g/n traffic.

It can use other programs to play audio alarms for network events, read out network summaries or provide GPS coordinates.

41
Q

What is Wifite?

A

Wifite is an automated wireless attack tool.

Wifite was designed for pentesting Linux distros.

It can attack WEP, WPA and WPS encrypted networks in a row.

This tool is customizable and can be fully automated.

42
Q

What is OWASP ZAP?

A

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner.

It is intended to be used both by those new to application security and by professional pentesters.

When used as a proxy server, it allows the user to manipulate all traffic that passes through it, including traffic using HTTPS.

It can also run in daemon mode, which is then controlled via a REST API.

43
Q

What is Burp Suite?

A

Burp Suite is one of the most popular pentest and vulnerability-finding tools.

It is often used for checking web application security.

Burp is a proxy-based tool used to evaluate the security of web-based applications and do hands-on testing.

44
Q

What is Ncat?

A

Netcat (ncat) is a useful network utility with which you can analyze and simulate the operation of many network protocols.

Netcat can also execute commands on a remote machine, upload/download files from it, and redirect traffic from one port to another or from one machine to another.

It is typically used as a backdoor.

45
Q

What is ProxyChains?

A

ProxyChains is a tool that forces any TCP connection made by any given application to go through proxies such as Tor, SOCKS4, SOCKS5 or HTTP proxies.

46
Q

What is hping?

A

hping is an open-source packet generator and analyzer for the TCP/IP protocol suite.

It is used to test firewalls and networks.

You can craft specific packets to test whether traffic is or isn't allowed over a certain port.

47
Q

What is Drozer?

A

Drozer allows you to assume the role of an Android app and interact with other apps.

It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying OS.

It is useful for learning, testing and sharing Android exploits.

48
Q

What is an APKX?

A

APKX is an APK file created for Android, Google's mobile operating system.

It's the file format that Android uses to distribute and install apps.

APKs contain all the elements that an app needs to install correctly on your device.

Some apps come preinstalled on Android devices, while other apps can be downloaded from Google Play.

49
Q

What is APK Studio?

A

APK Studio is a tool used for reverse engineering third-party, closed, binary Android apps.

It can decode resources to nearly original form and rebuild them after making some modifications; it also makes it possible to debug smali code step by step.

50
Q

What is searchsploit?

A

searchsploit is a command-line search tool that allows you to take a copy of Exploit Database with you, everywhere you go.

SearchSploit gives you the power to perform detailed offline searches through your locally checked-out copy of the repo.

This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.

51
Q

What is PowerSploit?

A

PowerSploit is an open-source offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to pentesting, such as code execution, persistence, bypassing anti-virus, recon and exfiltration.

52
Q

What is Responder?

A

Responder is a Python tool capable of harvesting credentials through Man-in-the-Middle (MitM) attacks within Windows networks.

The tool makes use of Windows default name resolution protocols and rogue servers to accomplish the task.

The three protocols exploited by the tool are LLMNR, NBT-NS and mDNS.

53
Q

What is Impacket?

A

Impacket is a collection of Python scripts that can be used by an attacker to target Windows network protocols.

This tool can be used to enumerate users, capture hashes and move laterally and escalate privileges.

Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing and relay attacks.

54
Q

What is Empire?

A

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and flexible architecture.

Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused frame.

Empire is a tool similar to Metasploit but specific to PowerShell.

It runs PowerShell scripts in memory and makes a connection back to your machine.

55
Q

What is Metasploit Framework?

A

Metasploit is a Ruby-based, modular penetration testing platform that enables you to write, test and execute exploit code.

Metasploit contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection.

Metasploit Framework is a collection of commonly used tools that provide a complete environment for pentesting and exploit development.

56
Q

What is a bind shell?

A

A bind shell is when the listener is running on the target and you are presented with a command shell when connecting to the target.

In other words, the target would be waiting for us to connect to it.

Command (run on the target; <port> is a placeholder for the listening port):

nc -nvlp <port> -e cmd.exe

57
Q

What is a reverse shell?

A

When we use a bind shell, we connect to the target, which is fine if there are no firewalls filtering inbound connections. With a reverse shell, by contrast, we set up the listener on the attacker's system and have the target connect to us and provide us with a command shell.

Command (run on the attacker's system; <port> is a placeholder for the listening port):

nc -lvnp <port>

58
Q

What is an example of a Bash loop?

A
#!/bin/bash
for i in {1..5}
do
   echo "Welcome $i times"
done
59
Q

What is an example of a loop in Python?

A
# Python program to illustrate
# a while loop
count = 0
while count < 3:
    count = count + 1
    print("Hello Geek")
60
Q

What is an example of a loop in Ruby?

A
x = 1
y = 11
while x < y do
  print x, ". Ruby while loop.\n"
  x += 1
end
61
Q

What is an example of a loop in PowerShell?

A

for ($num = 1; $num -le 10; $num++) { "I count $num" }

62
Q

What is an example of flow control in Bash?

A
if commands; then
    commands
[elif commands; then
    commands...]
[else
    commands]
fi
63
Q

What is an example of flow control in Python?

A

a = 20
b = 10
c = a - b
print("Subtraction is : ", c)

64
Q

What is an example of flow control in Ruby?

A

#!/usr/bin/ruby

num = gets.to_i

if num > 0 then
  puts "num variable is positive"
  puts "num variable equals to #{num}"
end
65
Q

What is an example of flow control in PowerShell?

A

$ComputerName = 'DC01', 'WEB01'
foreach ($Computer in $ComputerName) {
    Get-ADComputer -Identity $Computer
}