Day 3 76-114 Flashcards

1
Q

3.76 Bob wants to search for a website title of “intranet” with part of the URL containing the word “intranet” and the words “human resources” somewhere in the webpage.

What Google search will accomplish this?

A. related:intranet allinurl:intranet:"human resources"
B. cache:"human resources" inurl:intranet(SharePoint)
C. intitle:intranet inurl:intranet+intext:"human resources"
D. site:"human resources"+intext:intranet intitle:intranet

A

C. intitle:intranet inurl:intranet+intext:"human resources"

2
Q

3.77 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

A. true
B. false

A

A. true

3
Q

3.78 Why do attackers use proxy servers?

A. To ensure the exploits used in the attacks always flip reverse vectors
B. Faster bandwidth performance and increase in attack speed
C. Interrupt the remote victim's network traffic and reroute the packets to the attacker's machine
D. To hide the source IP address so that an attacker can hack without any legal consequences

A

D. To hide the source IP address so that an attacker can hack without any legal consequences

4
Q

3.79 Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?

A. Netstat WMI Scan
B. Silent Dependencies
C. Consider unscanned ports as closed
D. Reduce parallel connections on congestion

A

D. Reduce parallel connections on congestion

5
Q
3.80 Which results will be returned with the following Google search query?

site:target.com -site:Marketing.target.com accounting

A. Results matching all words in the query

B. Results matching “accounting” in domain target.com but not on the site Marketing.target.com

C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting

D. Results for matches on target.com and Marketing.target.com that include the word “accounting”

A

B. Results matching “accounting” in domain target.com but not on the site Marketing.target.com

6
Q

3.81 What happens when you do a TCP XMAS scan against an open port on a remote system?

A. The port will send an RST
B. The port will send an ACK
C. The port will send a SYN
D. The port will ignore the packet

A

D. The port will ignore the packet

7
Q

3.82 What is the Shellshock bash vulnerability test below attempting to do on a vulnerable Linux host?

env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'

A. Changes all passwords in passwd
B. Display passwd content to prompt
C. Removes the passwd file
D. Add new user to the passwd file

A

B. Display passwd content to prompt

8
Q

3.83 What file does an attacker need to modify if he wants you to go to a phishing site when you type www.paypal.com into your web browser?

A. Networks
B. Boot.ini
C. Sudoers
D. Hosts

A

D. Hosts

9
Q

3.84 What should you do if a client prospect wants to see reports from your previous pen-tests?

A. Share full reports, not redacted
B. Share full reports with redactions
C. Share reports, after NDA is signed
D. Decline, but provide references

A

D. Decline, but provide references

10
Q

3.85 Your IP address is 192.168.1.10. Which nmap command will let you enumerate all machines on the same network quickly?

A. Nmap -T4 -q 192.168.1.0/24
B. Nmap -T4 -O 192.168.1.0/24
C. Nmap -T4 -F 192.168.1.0/24
D. Nmap -T4 -r 192.168.0.0/24

A

C. Nmap -T4 -F 192.168.1.0/24

11
Q

3.86 Which software testing technique sends random data to a program in an attempt to crash it?

A. Randomizing
B. Fuzzing
C. Bounding
D. Mutating

A

B. Fuzzing

12
Q

3.87 After being hired to do a pen-test, you and the customer fill out a document that describes all the details of the test. This document protects both the customer and you, the tester, from legal liability. Which document is being described?

A. Project scope
B. Service Level Agreement
C. Terms of engagement
D. Non-Disclosure Agreement

A

C. Terms of engagement

13
Q

3.88 What is it called when you have one DNS server on your LAN for employees, and another DNS server in your DMZ for outside access?

A. DNSSEC
B. DNS Scheme
C. DynDNS
D. Split DNS

A

D. Split DNS

14
Q

3.89 What should you do if during a pen-test you discover information on the network that implies the client is involved with human trafficking?

A. Copy the data to removable media and keep it in case you need it
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Immediately stop work and contact the proper legal authorities
E. Go all “Rambo” on the client and free the prisoners immediately.

A

D. Immediately stop work and contact the proper legal authorities

15
Q

3.90 Which best describes white-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

A

B. The internal operation of a system is completely known to the tester

16
Q

3.91 Which best describes gray-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

A

A. The internal operation of a system is only partly accessible to the tester

17
Q

3.92 Which best describes black-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

A

D. Only the external operation of a system is accessible to the tester

18
Q

3.93 Which is the first step in Information Gathering, the step that tells you what the “landscape” looks like?

A. Network mapping
B. Footprinting
C. Gaining access
D. Escalating privileges

A

B. Footprinting

19
Q

3.94 What does this command do?

> NMAP -sn 192.168.11.200-215

A. Port scan
B. Ping scan
C. Trace sweep
D. Operating system detection

A

B. Ping scan

In previous releases of Nmap, -sn was known as -sP.

20
Q

3.95 Which nmap script will scan a web server to let you know which HTTP Methods are available, like GET, POST, HEAD, PUT, DELETE, etc?

A. http-headers
B. http-methods
C. http-enum
D. http-git

A

B. http-methods

https://nmap.org/nsedoc/scripts/http-methods.html

21
Q

3.96 Which would be the best reason to do an unannounced penetration test?

A. Network security would be in a “best state” posture
B. It is best to catch critical infrastructure unpatched
C. The tester will have an actual security posture visibility of the target network
D. The tester could not provide an honest analysis

A

C. The tester will have an actual security posture visibility of the target network

22
Q

3.97 When doing a pen-test for a new client, which should be the first step?

A. Scanning
B. Enumeration
C. Reconnaissance
D. Escalation

A

C. Reconnaissance

23
Q

3.98 Which of these allows your NIC to send all traffic it receives to the CPU, instead of only sending traffic the NIC was intended to receive?

A. WEM
B. Multi-cast mode
C. Promiscuous mode
D. Port forwarding

A

C. Promiscuous mode

24
Q

3.99 You’re hired by an admin to do a penetration test on his company. During testing you find child pornography on the admin’s computer. What should you do?

A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the company’s human resource department.

A

B. Stop work immediately and contact the authorities.

25
Q

3.100 You find job listings for network administrators at your competitor’s company. How can reviewing this listing help you footprint their company?

A. To learn about the IP range used by the target network
B. To identify the number of employees working for the company
C. To test the limits of the corporate security policy enforced in the company
D. To learn about the operating systems, services and applications used on the network

A

D. To learn about the operating systems, services and applications used on the network

26
Q

3.101 Of those listed, choose the most common method of automatically detecting host intrusions

A. File checksums
B. System CPU utilization
C. The host’s network interface usage
D. Network traffic analysis

A

A. File checksums

Programs such as Tripwire (and others) check the checksums/hash values of your critical system files at shutdown and at bootup. If a checksum has changed, it is possible that an intruder has altered a system file.

27
Q

3.102 Your users can't reach internet sites for some reason, so you try pinging the sites and they do return a reply. You try putting an IP address into your browser and the sites display properly, but you can't see the sites when you use their URLs. What is the problem?

A. Traffic is blocked on TCP port 80
B. Traffic is blocked on UDP port 80
C. Traffic is blocked on UDP port 53
D. Traffic is blocked on TCP port 54

A

C. Traffic is blocked on UDP port 53

28
Q

3.103 While trying to evade the IDS, which command would scan common ports with the least amount of “noise”?

A. Nmap -sT -O -T0
B. Nmap -A -Pn
C. Nmap -A --host-timeout 99 -T1
D. Nmap -sP -p-65535 -T5

A

A. Nmap -sT -O -T0

29
Q

3.104 Which type of hacker sometimes works offensively, and sometimes works defensively?

A. Suicide hacker
B. Black hat
C. Gray hat
D. White hat

A

C. Gray hat

30
Q

3.105 While scanning a network, which step comes immediately before using a Vulnerability Scanner?

A. Firewall detection
B. OS detection
C. Check to see if the remote host is alive
D. TCP / UDP port scanning

A

B. OS detection

The order of scanning would be:

1) Check for live systems (ping sweeps, etc)
2) Check for open ports (this tells you the likely services listening on the target)
3) Banner grabbing (tells you the OS)
4) Vulnerability scanning (looks for vulns & flaws on the target)

It helps to know the OS before doing a vulnerability scan because telling the vulnerability scanner the target's operating system tunes it to run checks relevant to that particular OS, so it finds more information.

31
Q

3.106 Which of these will do an nmap Xmas scan?

A. nmap -sV 192.168.5.10
B. nmap -sX 192.168.5.10
C. nmap -sA 192.168.5.10
D. nmap -sP 192.168.5.10

A

B. nmap -sX 192.168.5.10

32
Q

3.107 What restriction is in place with White Box testing?

A. Only the external operation of a system is accessible to the tester.
B. Only the internal operation of a system is known to the tester.
C. The internal operation of a system is completely known to the tester.
D. The internal operation of a system is only partly accessible to the tester.

A

C. The internal operation of a system is completely known to the tester.

33
Q

3.108 What is the collection of overt and publicly available information known as?

A. Real intelligence
B. Human intelligence
C. Open-source intelligence
D. Social intelligence

A

C. Open-source intelligence

Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources).

34
Q

3.109 Which of these is a set of DNS add-ons that can provide digitally signed DNS replies to your queries, so that you know the returned answers are authentic? Its purpose is to prevent things like DNS poisoning and spoofing.

A. Zone transfer
B. Resource records
C. Split-DNS
D. DNSSEC

A

D. DNSSEC

35
Q

3.110 Which is the best way to find out which ports are open on your devices?

A. Physically go to each device.
B. Telnet to every port on each device.
C. Scan devices with Nmap.
D. Scan devices with MBSA.

A

C. Scan devices with Nmap.

36
Q

3.111 Which Nmap option would let you do a very fast scan, even though it might increase the chances of your activities being detected?

A. -O
B. -A
C. -T0
D. -T5

A

D. -T5

37
Q

3.112 Which file would you modify on your victim’s machine if you wanted to send them to a malicious phishing site every time they typed “www.paypal.com” into their browser?

A. Sudoers
B. Hosts
C. Networks
D. Boot.ini

A

B. Hosts

38
Q

3.113 Which is the most reliable type of TCP scan?

A. Half-open scan
B. Xmas scan
C. Null scan
D. TCP Connect / Full Open scan

A

D. TCP Connect / Full Open scan

39
Q

3.114 Which of these would you use to prevent DNS cache poisoning?

A. The use of security agents in client computers
B. The use of DNSSEC
C. The use of double-factor authentication
D. Client awareness

A

C. The use of DNSSEC