Day 3 76-114 Flashcards
3.76 Bob wants to search for a website title of “intranet” with part of the URL containing the word “intranet” and the words “human resources” somewhere in the webpage.
What Google search will accomplish this?
A. related:intranet allinurl:intranet:"human resources"
B. cache:"human resources" inurl:intranet(SharePoint)
C. intitle:intranet inurl:intranet+intext:"human resources"
D. site:"human resources"+intext:intranet intitle:intranet
C. intitle:intranet inurl:intranet+intext:"human resources"
3.77 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.
A. true
B. false
A. true
3.78 Why do attackers use proxy servers?
A. To ensure the exploits used in the attacks always flip reverse vectors
B. Faster bandwidth performance and increase in attack speed
C. Interrupt the remote victim's network traffic and reroute the packets to the attacker's machine
D. To hide the source IP address so that an attacker can hack without any legal consequences
D. To hide the source IP address so that an attacker can hack without any legal consequences
3.79 Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?
A. Netstat WMI Scan
B. Silent Dependencies
C. Consider unscanned ports as closed
D. Reduce parallel connections on congestion
D. Reduce parallel connections on congestion
3.80 Which results will be returned with the following Google search query?
site: target.com -site:Marketing.target.com accounting
A. Results matching all words in the query
B. Results matching “accounting” in domain target.com but not on the site Marketing.target.com
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
D. Results for matches on target.com and Marketing.target.com that include the word “accounting”
B. Results matching “accounting” in domain target.com but not on the site Marketing.target.com
3.81 What happens when you do a TCP XMAS scan against an open port on a remote system?
A. The port will send an RST
B. The port will send an ACK
C. The port will send a SYN
D. The port will ignore the packet
D. The port will ignore the packet
3.82 What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
env x=(){ :;};echo exploit
bash -c 'cat /etc/passwd'
A. Changes all passwords in passwd
B. Display passwd content to prompt
C. Removes the passwd file
D. Add new user to the passwd file
B. Display passwd content to prompt
3.83 What file does an attacker need to modify if he wants you to go to a phishing site when you type www.paypal.com into your web browser?
A. Networks
B. Boot.ini
C. Sudoers
D. Hosts
D. Hosts
3.84 What should you do if a client prospect wants to see reports from your previous pen-tests?
A. Share full reports, not redacted
B. Share full reports with redactions
C. Share reports, after NDA is signed
D. Decline, but provide references
D. Decline, but provide references
3.85 Your IP address is 192.168.1.10. Which nmap command will let you enumerate all machines on the same network quickly?
A. Nmap -T4 -q 192.168.1.0/24
B. Nmap -T4 -O 192.168.1.0/24
C. Nmap -T4 -F 192.168.1.0/24
D. Nmap -T4 -r 192.168.0.0/24
C. Nmap -T4 -F 192.168.1.0/24
3.86 Which software testing technique sends random data to a program in an attempt to crash it?
A. Randomizing
B. Fuzzing
C. Bounding
D. Mutating
B. Fuzzing
3.87 After being hired to do a pen-test, you and the customer fill out a document that describes all the details of the test. This document protects both the customer as well as your legal liabilities as the tester. Which document is being described?
A. Project scope
B. Service Level Agreement
C. Terms of engagement
D. Non-Disclosure Agreement
C. Terms of engagement
3.88 What is it called when you have one DNS server on your LAN for employees, and another DNS server in your DMZ for outside access?
A. DNSSEC
B. DNS Scheme
C. DynDNS
D. Split DNS
D. Split DNS
3.89 What should you do if during a pen-test you discover information on the network that implies the client is involved with human trafficking?
A. Copy the data to removable media and keep it in case you need it
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Immediately stop work and contact the proper legal authorities
E. Go all “Rambo” on the client and free the prisoners immediately.
D. Immediately stop work and contact the proper legal authorities
3.90 Which best describes white-box testing?
A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester
B. The internal operation of a system is completely known to the tester
3.91 Which best describes gray-box testing?
A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester
A. The internal operation of a system is only partly accessible to the tester
3.92 Which best describes black-box testing?
A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester
D. Only the external operation of a system is accessible to the tester
3.93 Which is the first step in Information Gathering, the step that tells you what the “landscape” looks like?
A. Network mapping
B. Footprinting
C. Gaining access
D. Escalating privileges
B. Footprinting
3.94 What does this command do?
> NMAP -sn 192.168.11.200-215
A. Port scan
B. Ping scan
C. Trace sweep
D. Operating system detection
B. Ping scan
In previous releases of Nmap, -sn was known as -sP.
3.95 Which nmap script will scan a web server to let you know which HTTP Methods are available, like GET, POST, HEAD, PUT, DELETE, etc?
A. http-headers
B. http-methods
C. http-enum
D. http-git
B. http-methods
https://nmap.org/nsedoc/scripts/http-methods.html
3.96 Which would be the best reason to do an un-announced penetration test?
A. Network security would be in a “best state” posture
B. It is best to catch critical infrastructure unpatched
C. The tester will have an actual security posture visibility of the target network
D. The tester could not provide an honest analysis
C. The tester will have an actual security posture visibility of the target network
3.97 When doing a pen-test for a new client, which should be the first step?
A. Scanning
B. Enumeration
C. Reconnaissance
D. Escalation
C. Reconnaissance
3.98 Which of these allows your NIC to send all traffic it receives to the CPU, instead of only sending traffic the NIC was intended to receive?
A. WEM
B. Multi-cast mode
C. Promiscuous mode
D. Port forwarding
C. Promiscuous mode
3.99 You’re hired by an admin to do a penetration test on his company. During testing you find child pornography on the admin’s computer. What should you do?
A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the company’s human resource department.
B. Stop work immediately and contact the authorities.
3.100 You find job listings for network administrators at your competitor’s company. How can reviewing this listing help you footprint their company?
A. To learn about the IP range used by the target network
B. To identify the number of employees working for the company
C. To test the limits of the corporate security policy enforced in the company
D. To learn about the operating systems, services and applications used on the network
D. To learn about the operating systems, services and applications used on the network
3.101 Of those listed, choose the most common method of automatically detecting host intrusions.
A. File checksums
B. System CPU utilization
C. The host’s network interface usage
D. Network traffic analysis
A. File checksums
Programs such as Tripwire (and others) check the checksums/hash values of your critical system files at shutdown and at bootup. If a checksum has changed, it is possible that an intruder has altered a system file.
3.102 Your users can't reach internet sites for some reason, so you try pinging the sites and they do return a reply. You try putting an IP address into your browser and the sites display properly, but you can't see the sites when you use their URLs. What is the problem?
A. Traffic is blocked on TCP port 80
B. Traffic is blocked on UDP port 80
C. Traffic is blocked on UDP port 53
D. Traffic is blocked on TCP port 54
C. Traffic is blocked on UDP port 53
3.103 While trying to evade the IDS, which command would scan common ports with the least amount of “noise”?
A. Nmap -sT -O -T0
B. Nmap -A -Pn
C. Nmap -A --host-timeout 99 -T1
D. Nmap -sP -p-65535 -T5
A. Nmap -sT -O -T0
3.104 Which type of hacker sometimes works offensively, and sometimes works defensively?
A. Suicide hacker
B. Black hat
C. Gray hat
D. White hat
C. Gray hat
3.105 While scanning a network, which step comes immediately before using a Vulnerability Scanner?
A. Firewall detection
B. OS detection
C. Check to see if the remote host is alive
D. TCP / UDP port scanning
B. OS detection
The order of scanning would be:
1) Check for live systems (ping sweeps, etc)
2) Check for open ports (this tells you the likely services listening on the target)
3) Banner grabbing (tells you the OS)
4) Vulnerability scanning (looks for vulns & flaws on the target)
It helps to know the OS before doing a vulnerability scan because supplying the target's operating system to the vulnerability scanner tunes it, so it can find more information and run checks relevant to that particular OS.
3.106 Which of these will do an nmap Xmas scan?
A. nmap -sV 192.168.5.10
B. nmap -sX 192.168.5.10
C. nmap -sA 192.168.5.10
D. nmap -sP 192.168.5.10
B. nmap -sX 192.168.5.10
3.107 What restriction is in place with White Box testing?
A. Only the external operation of a system is accessible to the tester.
B. Only the internal operation of a system is known to the tester.
C. The internal operation of a system is completely known to the tester.
D. The internal operation of a system is only partly accessible to the tester.
C. The internal operation of a system is completely known to the tester.
3.108 What is the collection of overt and publicly available information known as?
A. Real intelligence
B. Human intelligence
C. Open-source intelligence
D. Social intelligence
C. Open-source intelligence
Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources).
3.109 Which of these is a set of DNS add-ons that can provide digitally signed DNS replies to your queries, so that you know the returned answers are authentic? This is to prevent things like DNS poisoning and spoofing.
A. Zone transfer
B. Resource records
C. Split-DNS
D. DNSSEC
D. DNSSEC
3.110 Which is the best way to find out which ports are open on your devices?
A. Physically go to each device.
B. Telnet to every port on each device.
C. Scan devices with Nmap.
D. Scan devices with MBSA
C. Scan devices with Nmap.
3.111 Which Nmap option would let you do a very fast scan, even though it might increase the chances of your activities being detected?
A. -O
B. -A
C. -T0
D. -T5
D. -T5
3.112 Which file would you modify on your victim’s machine if you wanted to send them to a malicious phishing site every time they typed “www.paypal.com” into their browser?
A. Sudoers
B. Hosts
C. Networks
D. Boot.ini
B. Hosts
3.113 Which is the most reliable type of TCP scan?
A. Half-open scan
B. Xmas scan
C. Null scan
D. TCP Connect / Full Open scan
D. TCP Connect / Full Open scan
3.114 Which of these would you use to prevent DNS cache poisoning?
A. The use of security agents in client computers
B. The use of DNSSEC
C. The use of double-factor authentication
D. Client awareness
C. The use of DNSSEC