Domain 2: Info Gathering and Vulnerability Identification

Question 1

What is Domain 2 of the Pentest+?

Answer 1

This domain covers information gathering and vulnerability identification

Question 2

What are the five main functions of Domain 2?

Answer 2

1. Conduct information gathering
2. Perform Vulnerability Scanning
3. Analyzing Results of Vuln Scan
4. Leveraging Information for Exploitation
5. Weaknesses in specialized systems

Question 3

What is information gathering also known as?

Answer 3

This is also know as Reconnaissance or foot printing

Question 4

What are some techniques of foot printing?

Answer 4

These are all techniques of this:

• Internet or open-source research
• Social Engineering
• Dumpster Diving
• Email Harvesting

Question 5

What kind of information are we looking for during reconnaissance?

Answer 5

During this step,we are looking for:

• Phone numbers
• Contact Names
• Email Addresses
• security-related information
• information systems used (windows, linux, apache, etc)
• jobs postings
• Resumes

Question 6

What are some reconnaissance tools?

Answer 6

These are tools for this step in the pentesting process:

• nslookup
• traceroute
• ping
• whois
• Domain Dossier
• Email Dossier
• Google
• Social Networking (FB, Linkedin, etc)
• Discover.sh
• Maltego

Question 7

What tools does centralops.net provide?

Answer 7

This website provides:

• Email Dossiers
• Domain Dossiers
• Owner of the domain name
• Technical Details
• Network Ranges for the domain

Question 8

What is to be done after footprinting & reconnaissance?

Answer 8

Scanning and enumeration is done after this step.

Question 9

What is scanning?

Answer 9

When we actively connect to a system and get a response. Identify open ports and services.

Question 10

What are the types of scanning?

Answer 10

These are types of this:

• Hosts
• Systems
• Networks
• Computers
• Mobile Devices
• Applications
• Printers

Question 11

What is enumeration?

Answer 11

Actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info.

Question 12

What types of enumerations are there?

Answer 12

There are types:

• hosts
• Networks
• Domains
• Users/Groups
• Network Shares
• Web Pages
• Application
• Services
• Tokens
• Social Networks

Question 13

What is fingerprinting?

Answer 13

This is identifying an operating system, server, service that is being used by a particular service or network.

Question 14

What is Banner Grabbing?

Answer 14

This is manual enumeration and fingerprinting. Using program such as telnet or netcat to connect to a target host. Commonly used for FTP, SSH, Telnet, & HTTP

Question 15

What is packet crafting also known as?

Answer 15

This is also known as packet manipulation

Question 16

What is packet crafting?

Answer 16

This entails sending modified packet headers to gather information from a system or host

Question 17

What is packet inspection?

Answer 17

This is manual enumeration performed by analyzing the captured packets to determine information

Question 18

When using nmap/zenmap, where do you typically want to start?

Answer 18

With these tools you’ll typically want to start with the least intrusive scan.

Question 19

What is one of the least intrusive scans you can perform?

Answer 19

This type of scan would be a ping scan.

Question 20

When scanning a network w/ nmap/zenmap, how would you list out a network with a /24? How about /16?

Answer 20

192. 168.52.0/24

192. 168.52.0/16

Question 21

When scanning a network with nmap/zenmap, how would scan a list of addresses?

Answer 21

192. 168.52.0-254

192. 168.52.0-224

Question 22

What would be the nmap command to run a simple ping scan on a network?

Answer 22

nmap -sn [network address]

nmap -sn 192.168.52.0

Question 23

What information will a ping scan provide?

Answer 23

This type of scan will provide information on what machines are up or down on a given network. Provides IP addresses and MAC addresses.

Question 24

We have two machines with the following IP addresses:

192. 168.52.100
193. 168.52.101

What would be the nmap command to run a quick scan?

Answer 24

nmap -T4 -F 192.168.52.100-101

Question 25

What does it mean to have ports filtered?

Answer 25

This means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

Question 26

With Nmap, what would be an intrusive scan?

Answer 26

With this tool this would be considered an intense scan.

Question 27

We have two machines with the following IP addresses:

192. 168.52.100
193. 168.52.101

What would be the nmap command to run an intense scan?

Answer 27

nmap -T4 -A -v 192.168.52.100-101

Question 28

What is cryptographic Inspection?

Answer 28

This determines the indentification of the type of encryption being used by machines/hosts/services/etc during information gathering.

Question 29

What is certificate inspection?

Answer 29

Identify what type of encryption a web server is using. ie. SSL 2.0, TLS? Tools exist for this.

Question 30

Eavesdropping is considered what?

Answer 30

This is considered a method of information gathering

Question 31

How can you eavesdrop on a network?

Answer 31

You can do this by sniffing network traffic.

Question 32

What does it mean to sniff network traffic?

Answer 32

Intercepting and logging network traffic that can be seen via the wired or wireless network interface.

Question 33

Can you capture network information about other parts of a network if you gain access to a particular host?

Answer 33

Yes, if you can sniff additional network information by doing this.

Question 34

What are two commonly known tools to capture packets from a network & hosts?

Answer 34

Wireshark and TCP are this.

Question 35

When using Wireshark to capture packet, what type of file can be created to log the information?

Answer 35

This is a pcap file.

Question 36

What is decompiling?

Answer 36

This is the process of reverse engineering software using a decompiler.

Question 37

What is an issue with a Decompiler?

Answer 37

This tool will not always turn executables back into their source code, but can turn it back to Byte code or assembly.

Question 38

In pentesing, when can a decompiler be helpful?

Answer 38

This can be helpful during a pentest when you’re testing custom built tools or applications.

Question 39

What does CERT stand for?

Answer 39

Computer Emergency Response Team

Question 40

What are some open source resources that can be used for info gathering?

Answer 40

These resources can be used for this:

• CERT
• JPCERT
• NIST
• CVEs (mitre)
• CWE (mitre)
• CAPEC (mitre)
• Full Disclosure (nmap)

Question 41

When you see ‘CVE-2018-11232’, what does that mean?

Answer 41

This means that it is the 11232nd vulnerability of 2018.

Question 42

Who submits their Common Vulns into the CVE database?

Answer 42

All major vendors submit these to this location.

Question 43

What does CAPEC stand for?

Answer 43

Common Attack Pattern Enumeration & Classification

Question 44

What does -sC mean in Nmap?

Answer 44

This option is the default script scan

Question 45

What does -sV mean in Nmap?

Answer 45

This option probes open ports to determine service/version info

Question 46

What is a vulnerability scan?

Answer 46

This is a scan of a host, system, or network to determine what vulnerabilities exist.

Question 47

What is the primary thing to keep in mind in regards to vulnerabilities scanning?

Answer 47

The tools used to do this are only as good as their configurations.

Question 48

What types of vuln scans are there?

Answer 48

For this, there are two types of scans:

• Credentialed
• non-credentialed

Question 49

What are the four types of vuln scans?

Answer 49

For this, there are four types:

• Discovery Scan
• Full Scan
• Stealth Scan
• Compliance Scan

Question 50

What is the least intrusive type of vuln scan? What does it do?

Answer 50

This is a discovery scan. Used to create a network map to show connected devices on architecture.

Question 51

what would be the nmap command to run a simple discovery command?

Answer 51

This type of scan would be:

-nmap -sn 192.168.52.0

Question 52

What does a full scan vuln scan do?

Answer 52

This type of in-depth vuln scan includes ports, services, and vulns.

Question 53

What needs to be considered when running a full scan?

Answer 53

This type of scan is likely to set off alarms (IDS, NDS, etc).

Question 54

What is the purpose of a stealth scan? What does it do?

Answer 54

This type of scan is designed to not get picked up by the IDS. Sends SYN packets and then analyzes responses. If SYN/ACK response received, packet with RST is sent to attempt to connect on a port.

Question 55

What is the intent of a compliance scan? Where can this be done easily?

Answer 55

This type of scan is used to identify vulnerabilities that may affect compliance with regulations or policies. Commonly set up as a scanning template in your vulnerability scanner (PCI-DSS within Nessus)

Question 56

What are some common vuln scanners?

Answer 56

These are types of this:

• QualysGuard
• OpenVAS
• Nessus
• Nexpose
• Nikto (Web Application Scanner)

Question 57

What are some important scanning considerations?

Answer 57

These are…:

• When do you run the scan?
• What protocols will be used?
• Where do you scan from?
• How much bandwidth is dedicated to the scan?
• Should we scan or exempt these (systems)?

Question 58

How do you throttle a query in nmap?

Answer 58

To do this, you’ll use the ‘-T’ option within Nmap.

Question 59

What are the two types of application scanning?

Answer 59

The two types of this are:

• Dynamic
• Static

Question 60

What is dynamic application scanning?

Answer 60

This is a type of scan that occurs while application is running. Program is run in sandbox and changes noted.

Question 61

What is static application scanning?

Answer 61

This type of scan occurs in a non-runtime environment for applications. It inspects programming code; can be doen line-by-line.

Question 62

What are containers similar to?

Answer 62

These are similar to mini virtual machines

Question 63

What are some examples of containers?

Answer 63

These are examples of this:

• Docker
• Puppet
• Vagrant

Question 64

Do Containers require security? What could be a major issue?

Answer 64

Yes, these still require security. They all run on a single, standardized OS. A flaw in this OS would mean vulnerabilities across multiple containers.

Question 65

What are some ways to analyze your vulnerability scans?

Answer 65

These are ways to do this:

• Asset Categorization
• Adjudication
• Prioritize Vulnerabilities

Question 66

When categorizing assets, what do we typically want to categorize first?

Answer 66

When doing this, we want to identify high-value assets first. Domain controllers, Web Servers, Databases, etc

Question 67

What does Adjudication mean with respect to pentesting?

Answer 67

This is the process of considering which vulnerabilities to attack.

Question 68

What is a false positive relative to a vuln scan? What should be done with them?

Answer 68

This is a vulnerability that shows up in your scan, but is not an actual vuln on the system. False positives should filtered out of scan results.

Question 69

When scanning for vulns, what is important to find?

Answer 69

During this, it is important to find common themes. Common vulns, common lack of best (weak) practices, Observations.

Question 70

What is an important step after a vuln is found and has been categorized? What is a good question to ask?

Answer 70

Researching that particular vulnerability and find any/all exploits that exist. Does metasploit or nmap already have known exploits for this vuln?

Question 71

What are some examples of common attack techniques (vectors)?

Answer 71

These are some examples:

• cross-compiled code
• exploit modification
• exploit chaining
• proof-of-concept dev
• social engineering
• credential brute forcing
• dictionary attacks
• Rainbow tables
• Deception

Question 72

How can you create windows binary on a linux system?

Answer 72

This can be done with tools like Mingw-w64.

Question 73

What is an example of an exploit chain?

Answer 73

These are examples of this:

• Exploit to break past firewall
• Gain access to user system
• Escalate the privileges

Question 74

What does it mean to have a proof-of-concept development?

Answer 74

This involves building out and attacking a virtual environment that mimics the real system/environment.

Question 75

What does ICS stand for?

Answer 75

Industrial Control System

Question 76

What does SCADA Stand for?

Answer 76

Supervisory Control and Data Acquisition

Question 77

What does PLC stand for?

Answer 77

Programmable Logic Controller

Question 78

What does ICS, SCADA, & PLC all work together with?

Answer 78

These three work together with HVAC, Factories, pumps, etc. These three are old technologies that are integrated with old operating systems.

Question 79

Where are ICS, SCADA, & PLC often located?

Answer 79

These three things are often located off of and separate of a network.

Question 80

What items contain embedded devices? What do embedded devices contain?

Answer 80

Cars, ICS/SCADA contain These. These contain a special purpose computing system.

Question 81

What is an RTOS? Where are they found?

Answer 81

This is a Real-Time Operating system. These are often found in embedded devices. Usually stripped down version of linux.