Domain 4: Penetration Testing Tools Flashcards

1
Q

What is Nmap?

A

This is a command line tool that sends specifically crafted packets to target host(s) on a network.

2
Q

What does Nmap do?

A

This tool will discover the hosts and services being run based on responses received.

3
Q

What are the three different results you can receive during a port scan?

A

You can receive these three results when doing this:

  • Open
  • Closed
  • Filtered (likely firewall)
4
Q

How do you conduct a SYN scan within Nmap? What does it do?

A

nmap -sS

This scans 1000 ports per second and never completes the TCP connection.

5
Q

What does ‘nmap -sT’ do?

A

This is a TCP connect scan. It uses the operating system to send packets and completes the TCP connection, which is less stealthy.

6
Q

What is the version detection option within Nmap?

A

nmap -sV

This attempts to determine the version of the services and applications being run on ports.

7
Q

How do you only scan specific ports on Nmap? What are some examples?

A

nmap -p

  • -p 22,25
  • -p U:53,T:22,25
  • --exclude-ports 53
8
Q

What does nmap -O do?

A

This command will enable operating system detection by fingerprinting the TCP/UDP packets received.

9
Q

What does the command ‘nmap -Pn’ do?

A

This command will skip host discovery and treat all hosts within the range as online.

10
Q

What does the command ‘nmap -iL’ do?

A

This command will allow you to scan a list of targets read from a text file.

11
Q

How do you set timing for an nmap scan?

A

To do this, you will use the ‘-T’ option.

12
Q

What are the timing options for Nmap scans?

A

These are as follows:

  • -T0 - Paranoid (one port every 5 minutes)
  • -T1 - Sneaky (one port every 15 seconds)
  • -T2 - Polite
  • -T3 - Normal
  • -T4 - Aggressive
  • -T5 - Insane
13
Q

What are the different output commands for nmap?

A

These are as follows:

  • -oN Normal output file
  • -oG Grepable output file
  • -oX XML output file
  • -oA Combined format of all the above
14
Q

What are some common Reconnaissance tools? Name 5

A

These types of tools are as follows:

  • Whois
  • Nslookup
  • Theharvester
  • Shodan
  • Recon-NG
  • Censys
  • Aircrack-NG
  • Kismet
  • WiFite(2)
  • Wireshark
  • Hping
  • SET
  • Nmap
  • Metasploit
15
Q

What are we trying to do during enumeration?

A

During this we are trying to establish an active connection to the targets to discover potential attack vectors.

16
Q

Name 3 enumeration tools

A

These types of tools include:

  • Nslookup
  • Nmap
  • Wireshark
  • Hping
17
Q

What does vulnerability scanning entail?

A

This involves in-depth scanning of a target to determine these. It uses automated tools to find missing patches and incorrect configurations.

18
Q

Name 4 vulnerability scanning tools.

A

These types of tools are as follows:

  • Nikto
  • OpenVAS
  • Nessus
  • SQLmap
  • W3AF
  • OWASP ZAP
  • Nmap
  • Metasploit Framework
19
Q

What are some offline password cracking tools? Name 3

A

These tools fit this type of password cracking tool set:

  • John the Ripper
  • Mimikatz
  • Cain and Abel
  • Hashcat
  • Aircrack-NG
20
Q

Name 4 brute-forcing services

A

These tools fall into this category:

  • SQLmap (databases)
  • medusa
  • Hydra
  • W3AF
  • Mimikatz
  • Cain & Abel
  • Patator
  • Aircrack-NG
21
Q

What does it mean to have persistence during a pentest?

A

This is maintaining a foothold into the network or victim system.

22
Q

Name three tools used to maintain persistence.

A
  • SET
  • BeEF
  • SSH
  • NCAT
  • NETCAT
  • Drozer
  • Powersploit
  • Metasploit
23
Q

What is configuration compliance?

A

This is ensuring a system meets a given security baseline or policy.

24
Q

Name 3 Configuration compliance tools

A
  • Nikto
  • OpenVAS
  • Nessus
  • SQLmap
  • Nmap
25
Q

What does evasion mean with respect to pentesting?

A

This entails hiding from system admins or defenders.

26
Q

Name 2 tools that assist with evasion.

A
  • Proxychains
  • SET
  • Metasploit Framework
  • Route
27
Q

Name 3 decompiler tools.

A
  • IDA
  • Hopper
  • Immunity Debugger
  • APK Studio
  • APKX
28
Q

What do forensics tools do?

A

These tools are used to collect and analyze digital evidence for crimes and analysis.

29
Q

Name 2 forensic tools that will be seen on the Pentest+ exam

A
  • foremost
  • FTK
  • EnCase
  • Tableau
30
Q

Name 4 debugging tools that will likely be seen on the exam

A
  • Ollydbg
  • Immunity Debugger
  • GDB
  • WinDBG
  • IDA pro
  • APK Studio
  • APKX
31
Q

What are two methods to ensure software assurance?

A

Fuzzing and security testing do this.

32
Q

How do you run nikto?

A

You run this vuln scanner as a Perl script.

33
Q

What is SQL map?

A

This is an open-source pentest tool used to automate detecting/exploiting SQL injection flaws.

34
Q

What does Hashcat rely on?

A

This password recovery tool relies on the CPU or GPU to crack passwords.

35
Q

What is an issue with an online brute service?

A

The issue with these is that the server will log all the attempts, which can be noticed by admins, defenders, etc.

36
Q

Why is Medusa faster than Hydra?

A

The first is faster than the second because it supports multi-threading, meaning it can attempt multiple logins at once.

37
Q

What is CeWL used for?

A

This tool is used to create a custom wordlist or dictionary. It searches a website for words meeting the criteria set as inputs to this tool.

38
Q

What types of attacks does John the Ripper support?

A

This tool supports both Dictionary attacks and Brute Force attacks.

39
Q

What three functions does Cain and Abel provide?

A

This tool provides:

  • Password cracking on Windows
  • Network sniffing
  • Hash Cracking
40
Q

What does Mimikatz target?

A

This tool specifically targets Windows machines.

41
Q

What does Mimikatz do?

A

This tool targets Windows machines to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from the machine's memory. It can be used for pass-the-hash, pass-the-ticket, and creating Golden Tickets.

42
Q

What is W3AF used for?

A

This tool is used for web app attacks and as an auditing framework. It finds web app vulnerabilities.

43
Q

Describe Ollydbg

A

This tool is an assembler-level debugger for Windows. It is useful for binary code analysis when source code is not available.

44
Q

Describe Immunity Debugger

A

This tool is used to write exploits, analyze malware, and reverse engineer binary files. It supports Python APIs and execution.

45
Q

Describe GDB (GNU Debugger)

A

This tool runs on Linux and Unix systems. It supports many languages such as Ada, C, C++, Obj-C, Pascal, etc. It is not user friendly.

46
Q

What is WinDBG?

A

This tool is the debugger for Windows.

47
Q

What is IDA?

A

Interactive Disassembler. It generates assembly language code from executable code. It has a GUI and supports executables from multiple OSes.

48
Q

Describe Findbugs & Findsecbugs

A

These tools conduct security audits of Java apps before deployment.

49
Q

Describe Peach

A

This is an automated security testing platform used to identify vulns by conducting fuzzing.

50
Q

Describe American Fuzzy Lop (AFL)

A

This is an open-source, text-based security fuzzer that requires nearly no configuration to operate.

51
Q

Describe SonarQube

A

This platform is open-source and performs automatic static code reviews to find vulns and bugs in over 20 different programming languages.

52
Q

Describe Yet Another Source-Code Analyzer (YASCA)

A

This is an open-source software code scanner that uses plug-ins to add languages and features.

53
Q

What is Whois?

A

This is a query and response protocol for internet resources.

54
Q

Describe NSlookup

A

This is a command line tool for querying DNS.

55
Q

Describe Foca (fingerprinting organizations with collected archives)

A

This is a tool used to find metadata and hidden info in documents.

56
Q

Describe The Harvester

A

This is a program used to gather emails, subdomains, hosts, employees, open ports, and banners. It is a mix of OSINT and other scanning capabilities.

57
Q

What is Shodan?

A

Website that allows you to find webcams, routers, servers, and more on the internet. IoT devices are the primary focus.

58
Q

What is Maltego?

A

This is commercial software for conducting open-source intelligence and visually connecting the relationships.

59
Q

What is Recon-NG?

A

This is an open-source web recon framework written in Python. You don’t need to know how to use this for Pentest+.

60
Q

Describe Censys

A

This is a search engine for hosts and networks across the internet with data about their configuration. It contains a search interface, report builder, and SQL engine.

61
Q

Describe Aircrack-NG

A

Wireless hacking suite that consists of a scanner, packet sniffer, and password cracker.

62
Q

Describe Kismet

A

Wireless hacking suite that consists of a scanner, packet sniffer, and intrusion detection.

63
Q

Describe WiFite

A

This is an automated wireless attack tool. It is a menu-driven Python script.

64
Q

Describe OWASP ZAP

A

This is an open-source web app security scanner. It can be used as a proxy to manipulate traffic running through it (even HTTPS).

65
Q

What two platforms can be used for proxies?

A

OWASP ZAP & Burp Suite are the two platforms that can be used for this.

66
Q

What is Burpsuite?

A

Graphical tool for web app security. It is a platform that allows for the interception, inspection, and modification of raw traffic passing through it.

67
Q

Describe Social Engineering Toolkit

A

SET is an open-source penetration testing framework for social engineering.

68
Q

What is Browser Exploitation Framework (BeEF)?

A

This is a pentest tool focused on the web browser. It is used to hook a web browser for launching command modules and attacks.

69
Q

What are the four remote access tools that you need to be aware of for the Pentest+?

A

These are:

  • SSH
  • Netcat
  • Ncat
  • Proxychains
70
Q

What is Secure Shell (SSH)?

A

This works like Telnet but uses encryption to create a secure channel between client and server. It should always be used instead of Telnet.

71
Q

What is Netcat?

A

This is the command-line tool for reading, writing, redirecting, and encrypting data over a network. It is referred to as the Swiss Army knife of pentesting.

72
Q

Describe Ncat

A

This is the updated version of Netcat, made by the creators of Nmap. It is a command-line tool for reading, writing, redirecting, and encrypting data on a network. It allows secure encrypted tunnels, whereas Netcat didn’t support this.

73
Q

What is Proxychains?

A

This is a tool that forces TCP connections from all applications to run through a proxy. The proxy can be Tor or another HTTP/SOCKS proxy. You can chain proxies (multiple hops), which makes it harder to track where you’re coming from.

74
Q

What are the two networking tools that are covered on the Pentest+?

A

These are the two tools:

  • Wireshark
  • Hping
75
Q

Describe Hping

A

This is a command line based TCP/IP packet assembler and analyzer. It can use the TCP, UDP, ICMP, and RAW-IP protocols. It is not nearly as clean as Wireshark. This can be used during the enumeration and fingerprinting phase.

76
Q

What are the mobile tools covered in the exam?

A

These are the tools:

  • Drozer
  • APKX
77
Q

What is Drozer?

A

Complete security audit and attack framework. It provides tools to use and share public exploits for the Android OS.

78
Q

Describe APKX

A

Android APK decompilation for the lazy. This has a Python wrapper to extract Java source code directly from Android APK files.

79
Q

What is APK studio?

A

This is a cross-platform IDE for reverse engineering and recompiling Android application binaries.

80
Q

What are the six miscellaneous tools covered on the exam?

A

These are:

  • Searchsploit
  • Powersploit
  • Responder
  • Impacket
  • Empire
  • Metasploit Framework (MSF)
81
Q

What is Searchsploit?

A

This is a command line search tool for Exploit-DB. It allows for offline searches through local repositories.

82
Q

What is Powersploit?

A

This is a collection of Microsoft PowerShell modules for use in pentesting. It is considered a post-exploitation framework.

83
Q

What is Responder?

A

This tool is used to answer specific queries based on name suffix on the network. It is an LLMNR, NBT-NS, and mDNS poisoner and a post-exploitation tool.

84
Q

What is Impacket?

A

This is a collection of Python classes for working with network protocols. It is focused on low-level programmatic access for SMB and MSRPC protocol implementations.

85
Q

What is Empire?

A

This is a PowerShell and Python post-exploitation agent.

86
Q

What is MSF?

A

This is an open-source framework that provides scanners, payloads, and other tools.

87
Q

What is programming?

A

Creating a sequence of instructions to tell a computer how to perform a specific task.

88
Q

What are the four programming languages that you’ll find on the Pentest+?

A

These are:

  • Bash
  • Python
  • Ruby
  • PowerShell
89
Q

What are comments represented as in the programming languages covered on the Pentest+?

A

These are represented by #. Comments will not be shown on the Pentest+.

90
Q

What is a variable?

A

These are used to represent any value and can be changed during the execution of the program.

91
Q

What is the key difference between a variable in Ruby and in other programming languages?

A

Ruby uses the ‘_’ (underscore) for local variables.

92
Q

What is a named or associative array similar to?

A

These work more like a table in a database.