Domain 4: Penetration Testing Tools Flashcards
What is Nmap?
This is a command line tool that sends specifically crafted packets to target host(s) on a network.
What does Nmap do?
This tool will discover the hosts and services being run based on responses received.
What are the three different results you can receive during a port scan?
You can receive these three results when doing this:
- Open
- Closed
- Filtered (likely firewall)
How do you conduct a SYN scan within Nmap? What does it do?
nmap -sS
This scans 1000 ports per second and never completes the TCP connection.
What does ‘nmap -sT’ do?
This is a TCP connect scan. It uses the operating system to send packets and completes the TCP connection, which is less stealthy.
What is the version detection option within Nmap?
nmap -sV
This attempts to determine the version of the services and applications being run on ports.
How do you only scan specific ports on Nmap? What are some examples?
nmap -p
- -p22,25
- -p U:53,T:22,25
- --exclude-ports 53
What does nmap -O do?
This command will enable operating system detection by using fingerprinting of the TCP/UDP packet received.
What does the command ‘nmap -Pn’ do?
This command will skip host discovery. Treats all hosts within the range as online.
What does the command ‘nmap -iL’ do?
This command allows you to scan hosts listed in a text file.
How do you set timing for an nmap scan?
To do this, you will use the ‘-T’ option.
What are the timing options for Nmap scans?
These are as follows:
- -T0 - Paranoid (one port every 5 minutes)
- -T1 - Sneaky (one port every 15 seconds)
- -T2 - Polite
- -T3 - Normal
- -T4 - Aggressive
- -T5 - Insane
What are the different output commands for nmap?
These are as follows:
- -oN Normal output file
- -oG Grepable output file
- -oX XML output file
- -oA Combined format of all the above
What are some common Reconnaissance tools? Name 5
These types of tools are as follows:
- Whois
- Nslookup
- Theharvester
- Shodan
- Recon-NG
- Censys
- Aircrack-NG
- Kismet
- WiFite(2)
- Wireshark
- Hping
- SET
- Nmap
- Metasploit
What are we trying to do during enumeration?
During this we are trying to establish an active connection to the targets to discover potential attack vectors.
Name 3 enumeration tools
These types of tools include:
- Nslookup
- Nmap
- Wireshark
- Hping
What does vulnerability scanning entail?
This involves in-depth scanning of a target to determine its vulnerabilities. It uses automated tools to find missing patches and incorrect configurations.
Name 4 vulnerability scanning tools.
These types of tools are as follows:
- Nikto
- OpenVAS
- Nessus
- SQLmap
- W3AF
- OWASP ZAP
- Nmap
- Metasploit Framework
What are some offline password cracking tools? Name 3
These tools fit this type of password cracking tool set:
- John the Ripper
- Mimikatz
- Cain and Abel
- Hashcat
- Aircrack-NG
Name 4 brute-forcing services
These tools are this:
- SQLmap (databases)
- medusa
- Hydra
- W3AF
- Mimikatz
- Cain & Abel
- Patator
- Aircrack-NG
What does it mean to have persistence during a pentest?
This is maintaining a foothold into the network or victim system.
Name three tools used to maintain persistence.
- SET
- BeEF
- SSH
- NCAT
- NETCAT
- Drozer
- Powersploit
- Metasploit
What is configuration compliance?
This is ensuring a system meets a given security baseline or policy.
Name 3 Configuration compliance tools
- Nikto
- OpenVAS
- Nessus
- SQLmap
- Nmap
What does evasion mean with respect to pentesting?
This entails hiding from system admins or defenders.
Name 2 tools that assist with evasion.
- Proxychains
- SET
- Metasploit Framework
- Route
Name 3 decompiler tools.
- IDA
- Hopper
- Immunity Debugger
- APK Studio
- APKX
What do forensics tools do?
These tools are used to collect and analyze digital evidence for crimes and analysis.
Name 2 forensic tools that will be seen on the Pentest+ exam
- foremost
- FTK
- EnCase
- Tableau
Name 4 debugging tools that will likely be seen on the exam
- Ollydbg
- Immunity Debugger
- GDB
- WinDBG
- IDA pro
- APK Studio
- APKX
What are two methods to ensure software assurance?
Fuzzing and security testing are two methods that do this.
How do you run nikto?
You run this vuln scanner as a perl script.
What is SQL map?
This is an open-source pentest tool used to automate detecting/exploiting SQL injection flaws.
What does Hashcat rely on?
This password recovery tool relies on the CPU or GPU to crack passwords.
What is an issue with an online brute service?
The issue with these is that the server will log all the attempts which can be noticed by admin/defenders/etc.
Why is Medusa faster than Hydra?
The first is faster than the second because it supports multi-threading, meaning it can attempt multiple logins at once.
What is CeWL used for?
This tool is used to create a custom wordlist or dictionary. Searches a website for words meeting criteria set as inputs for this tool.
What types of attacks does John the Ripper support?
This tool supports both Dictionary attacks and Brute Force attacks.
What three functions does Cain and Abel provide?
This tool provides:
- Password cracking on windows
- Network sniffing
- Hash Cracking
What does Mimikatz target?
This tool specifically targets windows machines.
What does Mimikatz do?
This tool targets Windows machines to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from the machine's memory. It can be used for pass-the-hash, pass-the-ticket, and creating Golden Tickets.
What is W3AF used for?
This tool is used for web app attacks and auditing frameworks. It finds web app vulnerabilities.
Describe Ollydbg
This tool is an assembler-level debugger for Windows. It is useful for binary code analysis when source code is not available.
Describe Immunity Debugger
This tool is used to write exploits, analyze malware, and reverse engineer binary files. Supports python APIs and execution.
Describe GDB (GNU Debugger)
This tool runs on Linux and Unix systems. It supports many languages such as Ada, C, C++, Obj-C, Pascal, etc. It is not user friendly.
What is WinDBG?
This tool is the debugger for Windows
What is IDA?
Interactive Disassembler. It generates assembly language code from executable code. It has a GUI and supports executables from multiple OSes.
Describe Findbugs & Findsecbugs
These tools conduct security audits of Java apps before deployment
Describe Peach
This is an automated security testing platform used to identify vulns by conducting fuzzing.
Describe American Fuzzy Lop (AFL)
This is an open-source, text-based security fuzzer that requires nearly no configuration to operate.
Describe SonarQube
This platform is open-source, performs automatic static code reviews to find vulns and bugs in over 20 different programming languages.
Describe Yet Another Source-Code Analyzer (YASCA)
This is an open sourced software code scanner that uses plug-ins to add languages and features.
What is Whois?
This is a query and response protocol for internet resources.
Describe NSlookup
This is a command line tool for querying DNS
Describe Foca (fingerprinting organizations with collected archives)
This is a tool used to find metadata and hidden info in docs
Describe The Harvester
This is a program used to gather emails, subdomains, hosts, employees, open ports, and banners. Mix of OSINT and other scanning capabilities.
What is Shodan?
This is a website that allows you to find webcams, routers, servers, and more on the internet. IoT devices are its primary focus.
What is Maltego?
This is a commercial software for conducting open-source intelligence and visually connecting the relationships
What is Recon-NG?
This is an open-source web recon framework written in Python. You don’t need to know how to use this for Pentest+.
Describe Censys
This is a search engine for hosts and networks across the internet with data about their configuration. Contains search interface, report builder, and SQL engine.
Describe Aircrack-NG
Wireless hacking suite that consists of a scanner, packet sniffer, and password cracker
Describe Kismet
Wireless hacking suite that consists of scanner and packet sniffer, and Intrusion Detection
Describe WiFite
This is an automated wireless attack tool. Menu-driven Python Script.
Describe OWASP ZAP
This is an open-source web app security scanner. Can be used as a proxy to manipulate traffic running through it (even Https)
What two platforms can be used for proxies?
OWASP ZAP & Burp Suite are the two platforms that can be used for this.
What is Burpsuite?
Graphical tool for web app security. Platform that allows for the interception, inspection, and modification of raw traffic passing through it.
Describe Social Engineering Toolkit
SET is an open-source penetration testing framework for social engineering.
What is Browser Exploitation Framework (BeEF)?
This is a pentest tool focused on the web browser. This is used to hook a web browser for launching command modules and attacks.
What are the four remote access tools that you need to be aware of for the Pentest+?
These are:
- SSH
- Netcat
- Ncat
- Proxychains
What is Secure Shell (SSH)?
This works like Telnet but uses encryption to create a secure channel between client and server. This should always be used instead of Telnet.
What is Netcat?
This is the command-line tool for reading, writing, redirecting, and encrypting data over a network. It is referred to as the Swiss Army knife of pentesting.
Describe Ncat
This is the updated version of Netcat, made by the creators of Nmap. It is a command-line tool for reading, writing, redirecting, and encrypting data on a network. It allows secure encrypted tunnels, which Netcat didn’t support.
What is Proxychains?
This is a tool that forces TCP connections from all applications to run through a proxy. Can be TOR or other HTTP/SOCKS proxy. You can chain proxies (multiple hops), which makes it harder to track where you’re coming from.
What are the two networking tools that are covered on the Pentest+?
These are the two tools:
- Wireshark
- Hping
Describe Hping
This is a command-line-based TCP/IP packet assembler and analyzer. It can use the TCP, UDP, ICMP, and RAW-IP protocols. It is not nearly as clean as Wireshark. This can be used during the enumeration and fingerprinting phase.
What are the mobile tools covered in the exam?
These are the tools:
- Drozer
- APKX
What is Drozer?
This is a complete security audit and attack framework. It provides tools to use and share public exploits for the Android OS.
Describe APKX
Android APK decompilation for the lazy. This has a Python wrapper to extract Java source code directly from Android APK files.
What is APK studio?
This is a cross-platform IDE for reverse engineering and recompiling Android application binaries.
What are the six Misc tools covered on the exam?
These are:
- Searchsploit
- Powersploit
- Responder
- Impacket
- Empire
- Metasploit Framework (MSF)
What is Searchsploit?
This is a command line search tool for the Exploit-DB. Allows for offline searches through local repositories.
What is Powersploit?
This is a collection of Microsoft PowerShell modules for use in pentesting. It is considered a post-exploitation framework.
What is responder?
This tool is used to answer specific queries based on name suffix on the network. It is an LLMNR, NBT-NS, and mDNS poisoner, and a post-exploitation tool.
What is impacket?
This is a collection of Python classes for working with network protocols. It is focused on low-level programmatic access for SMB and MSRPC protocol implementation.
What is empire?
This is a PowerShell and Python post-exploitation agent.
What is MSF?
This is an open-source framework that provides scanners, payloads, and other tools.
What is programming?
Creating a sequence of instructions to tell a computer how to perform a specific task.
What are the four programming languages that you’ll find on the Pentest+?
These are:
- Bash
- Python
- Ruby
- PowerShell
What are comments represented as in the programming languages covered on the Pentest+?
These are represented by #. Comments will not be shown on the Pentest+.
What is a variable?
These are used to represent any value and can be changed during the execution of the program.
What is the key difference of a variable in Ruby vs other programming languages?
Ruby uses the ‘_’ (underscore) for local variables.
What is a named or associative array similar to?
These work more like a table in a database.