Domain 4: Penetration Testing Tools Flashcards
What is Nmap?
This is a command line tool that sends specifically crafted packets to target host(s) on a network.
What does Nmap do?
This tool will discover the hosts and services being run based on responses received.
What are the three different results you can receive during a port scan?
You can receive these three results when doing this:
- Open
- Closed
- Filtered (likely firewall)
How do you conduct a SYN scan within Nmap? What does it do?
nmap -sS
This scans 1000 ports per second and never completes the TCP connection.
What does ‘nmap -sT’ do?
This is a TCP connect scan. It uses the operating system to send the packets and completes the TCP connection, which is less stealthy.
What is the version detection option within Nmap?
nmap -sV
This attempts to determine the version of the services and applications being run on ports.
How do you only scan specific ports on Nmap? What are some examples?
nmap -p
- -p22,25
- -p U:53,T:22,25
- --exclude-ports 53
What does nmap -O do?
This command will enable operating system detection by fingerprinting the TCP/UDP packets received.
What does the command ‘nmap -Pn’ do?
This command skips host discovery and treats all hosts within the range as online.
What does the command ‘nmap -iL’ do?
This command allows you to scan targets listed in a text file.
How do you set timing for an nmap scan?
To do this, you use the ‘-T’ option.
What are the timing options for Nmap scans?
These are as follows:
- -T0 - Paranoid (one port every 5 minutes)
- -T1 - Sneaky (one port every 15 seconds)
- -T2 - Polite
- -T3 - Normal
- -T4 - Aggressive
- -T5 - Insane
What are the different output commands for nmap?
These are as follows:
- -oN Normal output file
- -oG Grepable output file
- -oX XML output file
- -oA Combined format of all the above
What are some common Reconnaissance tools? Name 5
These types of tools are as follows:
- Whois
- Nslookup
- Theharvester
- Shodan
- Recon-NG
- Censys
- Aircrack-NG
- Kismet
- WiFite(2)
- Wireshark
- Hping
- SET
- Nmap
- Metasploit
What are we trying to do during enumeration?
During this we are trying to establish an active connection to the targets to discover potential attack vectors.
Name 3 enumeration tools
These types of tools include:
- Nslookup
- Nmap
- Wireshark
- Hping
What does vulnerability scanning entail?
This involves in-depth scanning of a target to determine its vulnerabilities. It uses automated tools to find missing patches and incorrect configurations.
Name 4 vulnerability scanning tools.
These types of tools are as follows:
- Nikto
- OpenVAS
- Nessus
- SQLmap
- W3AF
- OWASP ZAP
- Nmap
- Metasploit Framework
What are some offline password cracking tools? Name 3
These tools fit into this type of password cracking tool set:
- John the Ripper
- Mimikatz
- Cain and Abel
- Hashcat
- Aircrack-NG
Name 4 brute-forcing services
These tools do this:
- SQLmap (databases)
- medusa
- Hydra
- W3AF
- Mimikatz
- Cain & Abel
- Patator
- Aircrack-NG
What does it mean to have persistence during a pentest?
This is maintaining a foothold in the network or victim system.
Name three tools used to maintain persistence.
- SET
- BeEF
- SSH
- NCAT
- NETCAT
- Drozer
- Powersploit
- Metasploit
What is configuration compliance?
This is ensuring a system meets a given security baseline or policy.
Name 3 Configuration compliance tools
- Nikto
- OpenVAS
- Nessus
- SQLmap
- Nmap
What does evasion mean with respect to pentesting?
This entails hiding from system admins or defenders.
Name 2 tools that assist with evasion.
- Proxychains
- SET
- Metasploit Framework
- Route
Name 3 decompiler tools.
- IDA
- Hopper
- Immunity Debugger
- APK Studio
- APKX
What do forensics tools do?
These tools are used to collect and analyze digital evidence for criminal investigations and other analysis.
Name 2 forensic tools that will be seen on the Pentest+ exam
- foremost
- FTK
- EnCase
- Tableau
Name 4 debugging tools that will likely be seen on the exam
- Ollydbg
- Immunity Debugger
- GDB
- WinDBG
- IDA pro
- APK Studio
- APKX
What are two methods to ensure software assurance?
Fuzzing and security testing do this.
How do you run nikto?
You run this vulnerability scanner as a Perl script.
What is SQL map?
This is an open-source pentest tool used to automate detecting/exploiting SQL injection flaws.
What does Hashcat rely on?
This password recovery tool relies on the CPU or GPU to crack passwords.
What is an issue with an online brute service?
The issue with these is that the server will log all the attempts, which can be noticed by admins, defenders, etc.
Why is Medusa faster than Hydra?
The first is faster than the second because it supports multi-threading, meaning it can attempt multiple logins at once.