Domain 4: Penetration Testing Tools

Question 1

What is Nmap?

Answer 1

This is a command line tool that sends specifically crafted packets to target host(s) on a network.

Question 2

What does Nmap do?

Answer 2

This tool will discover the hosts and services being run based on responses received.

Question 3

What are the three different results you can receive during a port scan?

Answer 3

You can receive these three results when doing this:

• Open
• Closed
• Filtered (likely firewall)

Question 4

How do you conduct a SYN scan within Nmap? What does it do?

Answer 4

nmap -sS

This scans 1000 ports per second, never completes the TCP connection.

Question 5

What does ‘nmap -sT’ do?

Answer 5

This is a TCP connect scan. Uses the operating system to send packets and completes TCP Connection which is less stealthy.

Question 6

What is the version detection option within Nmap?

Answer 6

nmap -sV

This attempts to determine the version of the services and applications being run on ports.

Question 7

How do you only scan specific ports on Nmap? What are some examples?

Answer 7

nmap -p

• p22,25
• p U:53,T:22,25
• -exclude-ports 53

Question 8

What does nmap -O do?

Answer 8

This command will enable operating system detection by using fingerprinting of the TCP/UDP packet received.

Question 9

What does the command ‘nmap -Pn’ do?

Answer 9

This command will skip host discovery. Treats all hosts within the range as online.

Question 10

What does the command ‘nmap -iL’ do?

Answer 10

This command will allow to scan from a text file.

Question 11

How do you set timing for an nmap scan?

Answer 11

To do this, you will use the ‘-T ‘ Option.

Question 12

What are the timing options for Nmap scans?

Answer 12

These are as follows:
-T0 - Paranoid (one port every 5 minutes)
-T1 - Sneaky (one port every 15 seconds)
T2 - Polite
T3 - Normal
T4 - Aggressive
T5 - Insane

Question 13

What are the different output commands for nmap?

Answer 13

These are as follows:

• oN Normal output file
• oG Grepable output file
• oX Xml outut file
• oA Combined format of all the above

Question 14

What are some common Reconnaissance tools? Name 5

Answer 14

These types of tools are as follows:

• Whois
• Nslookup
• Theharvester
• Shodan
• Recon-NG
• Censys
• Aircrack-NG
• Kismet
• WiFite(2)
• Wireshark
• Hping
• SET
• Nmap
• Metasploit

Question 15

What are we trying to do during enumeration?

Answer 15

During this we are trying to establish an active connection to the targets to discover potential attack vectors.

Question 16

Name 3 enumeration tools

Answer 16

These types of tools include:

• Nslookup
• Nmap
• Wireshark
• Hping

Question 17

What does vulnerability scanning entail?

Answer 17

This involves in-depth scanning of a target to determine these. Uses automated tools to determine missing patches and incorrect configs.

Question 18

Name 4 vulnerability scanning tools.

Answer 18

These types of tools are as follows:

• Nikto
• OpenVAS
• Nessus
• SQLmap
• W3AF
• OWASP ZAP
• Nmap
• Metasploit Framework

Question 19

What are some offline password cracking tools? Name 3

Answer 19

These tools fit this type of password cracking tool set:

• John the Ripper
• Mimikatz
• Cain and Abel
• Hashcat
• Aircrack-NG

Question 20

Name 4 brute-forcing services

Answer 20

These tools are this:

• SQLmap (databases)
• medusa
• Hydra
• W3AF
• Mimikatz
• Cain & Abel
• Patator
• Aircrack-NG

Question 21

What does it mean to have persistence during a pentest?

Answer 21

This is maintaining a foothold into the network or victim system.

Question 22

Name three tools used to maintain persistence.

Answer 22

• SET
• BeEF
• SSH
• NCAT
• NETCAT
• Drozer
• Powersploit
• Metasploit

Question 23

What is configuration compliance?

Answer 23

This is ensuring a system meets a given security baseline or policy.

Question 24

Name 3 Configuration compliance tools

Answer 24

• Nikto
• OpenVAS
• Nessus
• SQLmap
• Nmap

Question 25

What does evasion mean with respect to pentesting?

Answer 25

This entails Hiding from system admins or defenders.

Question 26

Name 2 tools that assist with evasion.

Answer 26

• Proxychains
• SET
• Metasploit Framework
• Route

Question 27

Name 3 decompiler tools.

Answer 27

• IDA
• Hopper
• Immunity Debugger
• APK Studio
• APKX

Question 28

What do forensics tools do?

Answer 28

These tools are used to collect and analyze digital evidence for crimes and analysis.

Question 29

Name 2 forensic tools that will be seen on the Pentest+ exam

Answer 29

• foremost
• FTK
• EnCase
• Tableau

Question 30

Name 4 Deubgging tools that will likely be seen on the exam

Answer 30

• Ollydbg
• Immunity Debugger
• GDB
• WinDBG
• IDA pro
• APK Studio
• APKX

Question 31

What are two methods to ensure software assurance?

Answer 31

Fuzzing and Security testing do this

Question 32

How do you run nikto?

Answer 32

You run this vuln scanner as a perl script.

Question 33

What is SQL map?

Answer 33

This is an open-source pentest tool used to automate detecting/exploiting SQL injection flaws.

Question 34

What does Hashcat rely on?

Answer 34

This password recovery tool relies on CPU or GPU to crack passwords

Question 35

What is an issue with an online brute service?

Answer 35

The issue with these is that the server will log all the attempts which can be noticed by admin/defenders/etc.

Question 36

Why is Medusa faster than Hydra?

Answer 36

The first is faster than the second because it supports Multi-threading meaning it can attempt multiple logins at once.

Question 37

What is CeWL used for?

Answer 37

This tool is used to create a custom wordlist or dictionary. Searches a website for words meeting criteria set as inputs for this tool.

Question 38

What types of attacks does John the Ripper support?

Answer 38

This tool supports both Dictionary attacks and Brute Force attacks.

Question 39

What three functions does Cain and Abel provide?

Answer 39

This tool provides:

• Password cracking on windows
• Network sniffing
• Hash Cracking

Question 40

What does Mimikatz target?

Answer 40

This tool specifically targets windows machines.

Question 41

What does Mimikatz do?

Answer 41

This tool targets windows machines to extract plaintext passwords, hashes, PIN codes, and kerberos tickets from the machines memory. Can be used for Pass-the-hash, pass-the-ticket, and creating Golden Tickets.

Question 42

What is W3AF used for?

Answer 42

This tool is used for Web App Attacks and auditing frameworks. Finds web app vulnerabilities

Question 43

Describe Ollydbg

Answer 43

This tool is an assembler level debugger for windows. Useful for binary code analysis without source code being available.

Question 44

Describe Immunity Debugger

Answer 44

This tool is used to write exploits, analyze malware, and reverse engineer binary files. Supports python APIs and execution.

Question 45

Describe GDB (GNU Debugger)

Answer 45

This tool runs on linux and Unix systems. Supports many languages such as Ada, C, C++, Obj-C, Pascal, etc. Not user friendly.

Question 46

What is WinDBG?

Answer 46

This tool is the debugger for Windows

Question 47

What is IDA?

Answer 47

Interactive Dissassembler. Generates assembly language code from executable code. GUI and supports executables from multiple OS.

Question 48

Describe Findbugs & Findsecbugs

Answer 48

These tools conduct security audits of Java apps before deployment

Question 49

Describe Peach

Answer 49

This is an automated security testing platform used to identify vulns by conducting fuzzing.

Question 50

Describe American Fuzzy Lop (AFL)

Answer 50

This is an open-source , text-based security fuzzer that requires nearly no configuration to operate.

Question 51

Describe SonarQube

Answer 51

This platform is open-source, performs automatic static code reviews to find vulns and bugs in over 20 different programming languages.

Question 52

Describe Yet Another Source-Code Analyzer (YASCA)

Answer 52

This is an open sourced software code scanner that uses plug-ins to add languages and features.

Question 53

What is Whois?

Answer 53

This is a query and response protocol for internet resources.

Question 54

Describe NSlookup

Answer 54

This is a command line tool for querying DNS

Question 55

Describe Foca (fingerprinting organizations with collected archives)

Answer 55

This is a tool used to find metadata and hidden info in docs

Question 56

Describe The Harvester

Answer 56

This is a program used to gather emails, subdomains, hosts, employees, open ports, and banners. Mix of OSINT and other scanning capabilities.

Question 57

What is Shodan?

Answer 57

Website that allows you find webcams, routers, servers, and more on the internet. IoT Devices is the primary focus.

Question 58

What is Maltego?

Answer 58

This is a commercial software for conducting open-source intelligence and visually connecting the relationships

Question 59

What is Recon-NG?

Answer 59

This is an open-source web recon framework written in python. Don’t need to know how to use this for Pentest+

Question 60

Describe Censys

Answer 60

This is a search engine for hosts and networks across the internet with data about their configuration. Contains search interface, report builder, and SQL engine.

Question 61

Describe Aircrack-NG

Answer 61

Wireless hacking suite that consists of a scanner, packet sniffer, and password cracker

Question 62

Describe Kismet

Answer 62

Wireless hacking suite that consists of scanner and packet sniffer, and Intrusion Detection

Question 63

Describe WiFite

Answer 63

This is an automated wireless attack tool. Menu-driven Python Script.

Question 64

Describe OWASP ZAP

Answer 64

This is an open-source web app security scanner. Can be used as a proxy to manipulate traffic running through it (even Https)

Question 65

What two platforms can be used for proxies?

Answer 65

OWAP ZAP & Burp Suite are the two platforms that can be used for this.

Question 66

What is Burpsuite?

Answer 66

Graphical tool for web app security. Platform that allows for the interception, inspection, and modification of raw traffic passing through it.

Question 67

Describe Social Engineering Toolki

Answer 67

SET is an open-source penetration testing framework for social engineering.

Question 68

What is Browser Exploitation Framework (BeEF?)

Answer 68

This is a pentest tool focused on the web browser. This is used to hook a web browser for launching command modules and attacks.

Question 69

What are the four remote access tools that you need to be aware of for the Pentest+?

Answer 69

These are:

• SSH
• Netcat
• Ncat
• Proxychains

Question 70

What is Secure Shell (SSH)?

Answer 70

This is works like telnet but uses encryption to create a secure channel between client and server. This should always be used instead of Telnet.

Question 71

What is Netcat?

Answer 71

This is the command-line tool for reading, writing, redirecting, and encrypting data over a network. This is referred to as the swiss army knife of pentesting.

Question 72

Describe Ncat

Answer 72

This is up the updated version of Netcat. Made by creators of Nmap. Command-line tool for reading, writing, redirecting, and encrypting data on a network. Allows secure encrypted tunnels where at Netcat didn’t support this.

Question 73

What is Proxychains?

Answer 73

This is a tool that forces TCP connections from all applications to run through a proxy. Can be TOR or other HTTP/SOCKS proxy. You can chain proxies (multiple hops), which makes it harder to track where you’re coming from.

Question 74

What are the two networking tools that are covered on the Pentest+?

Answer 74

These are the two tools:

• Wireshark
• Hping

Question 75

Describe Hping

Answer 75

This is a command line based TCP/IP packet assembler and analyzer. Can use TCP, UDP, ICMP, RAW-IP Protocols. Not n early as clean as Wireshark. This can be used during enumeration and fingerprinting phase.

Question 76

What are the mobile tools covered in the exam?

Answer 76

These are the tools:

• Drozer
• APKX

Question 77

What is Drozer

Answer 77

Complete security audit and attack framework. Provides tools to use and share public exploits for the Android OS

Question 78

Describe APKX

Answer 78

Android APK Decompilation for the lazy. This has a python wrapper to extract Java source code directly from Android APK Files

Question 79

What is APK studio?

Answer 79

This is a cross-platform IDE for reverse engineering and recompiling Android application binaries.

Question 80

What are the six Misc tools covered on the exam?

Answer 80

These are:

• Searchsploit
• Powersploit
• Responder
• Impacket
• Empire
• Metasploit Framework (MSF)

Question 81

What is Searchsploit?

Answer 81

This is a command line search tool for the Exploit-DB. Allows for offline searches through local repositories.

Question 82

What is Powersploit?

Answer 82

This is a collection of microsoft powershell modules for use in pentesting. Considered a post-exploitation framework.

Question 83

What is responder?

Answer 83

This tool is used to answer specific queries based on name suffix on the network. LLMNR, NBT-NS, and MDNA poisoner. Post-exploitation tool.

Question 84

What is impacket?

Answer 84

This is a collection of python classes for working with network protocols. Focused on low-level program access for SMB and MSRPC protocol implementation.

Question 85

What is empire?

Answer 85

This is a powershell and python post-exploitation agent.

Question 86

What is MSF?

Answer 86

This is an open-source framework that provides scanners, payloads, and other tools.

Question 87

What is programming?

Answer 87

Creating a sequence of instructions to tell a computer how to perform a specific task.

Question 88

What are the four programming languages that you’ll find on the Pentest+?

Answer 88

These are :

• Bash
• Python
• Ruby
• Powershell

Question 89

What are comments represented as in the programming languages covered on the Pentest+?

Answer 89

These are represented by #. Comments will not be shown on the pentest+

Question 90

What is a variable?

Answer 90

These are used to represent any value and can be changed during the execution of the program.

Question 91

What is the key difference of a variable in Ruby vs other programming languages?

Answer 91

Ruby uses the ‘_’ (underscore) for local variables.

Question 92

What is a named or associative array similar to?

Answer 92

These work more like a table in a database.