Enumeration Tools

Question 1

Process to identify and scan network ranges and hosts belonging to the target and
map out an attack surface

Answer 1

Enumeration

Question 2

A connection is made from the attacker to a target and data is
transmitted

Answer 2

Active

Question 3

No connection is made from the attacker to a target and data
collected can be analyzed
Network sniffers are considered a passive form of enumeration
Wireshark
Zeek or Bro
p0f

Answer 3

Passive

Question 4

Tools that map out the layout of a network, typically in terms of IP address usage,
routing topology, and DNS namespace (subdomains and hostnames)

Answer 4

Footprinting

Question 5

Tools that perform host system detection to map out open ports, OS type and
version, file shares, running services and applications, system uptime, and other
useful metadata

Answer 5

Fingerprinting

Question 6

A versatile port scanner used for topology, host, service, and OS discovery and
enumeration
A nmap discovery scan is used to footprint the network

Answer 6

Nmap Security Scanner

Question 7

Lists the IP addresses from the supplied target range(s) and performs a
reverse-DNS query to discover any host names associated with those
IPs

Answer 7

List Scan (-sL)

Question 8

Probes specific ports from the given list using a TCP SYN packet instead
of an ICMP packet to conduct the ping

Answer 8

TCP SYN ping (-PS <PortList>)</PortList>

Question 9

Issues probes with significant delays to become stealthier and avoid
detection by an IDS or IPS

Answer 9

Sparse Scanning (–scan-delay <Time>)</Time>

Question 10

Issues probes with using a timing pattern with n being the pattern to
utilize (0 is slowest and 5 is fastest)

Answer 10

Scan Timing (-Tn)

Question 11

A technique that splits the TCP header of each probe between multiple
IP datagrams to make it hard for an IDS or IPS to detect

Answer 11

Fragmentation (-f or –mtu)

Question 12

After your footprinting is complete, it is time to begin fingerprinting hosts

Answer 12

Nmap Port Scans

Question 13

Conducts a half-open scan by sending a SYN packet to identify the port
state without sending an ACK packet afterwards

Answer 13

TCP SYN (-sS)

Question 14

Conducts a three-way handshake scan by sending a SYN packet to
identify the port state and then sending an ACK packet once the SYNACK is received

Answer 14

TCP Connect (-sT)

Question 15

Conducts a scan by sending a packet with the header bit set to zero

Answer 15

Null Scan (-sN)

Question 16

Conducts a scan by sending an unexpected FIN packet

Answer 16

FIN Scan (-sF)

Question 16

Conducts a scan by sending an unexpected FIN packet

Answer 16

FIN Scan (-sF)

Question 17

Conducts a scan by sending a packet with the FIN, PSH, and URG flags
set to one

Answer 17

Xmas Scan (-sX)

Question 18

Conducts a scan by sending a UDP packet to the target and waiting for a
response or timeout

Answer 18

UDP Scan (-sU)

Question 19

Conducts a scan by targeting the specified ports instead of the default
of the 1,000 most commonly used ports

Answer 19

Port Range (-p)

Question 20

An application on the host is accepting connections

Answer 20

Open

Question 21

The port responds to probes by sending a reset [RST] packet, but no application is
available to accept connections

Answer 21

Closed

Question 22

Nmap cannot probe the port, usually due to a firewall blocking the scans on the
network or host

Answer 22

Filtered

Question 23

Nmap can probe the port but cannot determine if it is open or closed

Answer 23

Unfiltered

Question 24

Nmap cannot determine if the port is open or filtered when conducting
a UDP or IP protocol scan

Answer 24

Open|Filtered

Question 25

Nmap cannot determine if the port is closed or filtered when
conducting a TCP Idle scan

Answer 25

Closed|Filtered

Question 26

Scheme for identifying hardware devices, operating systems, and
applications developed by MITRE

Answer 26

Common Platform Enumeration

Question 27

Scripts are written in the Lua scripting language that can be used to
carry out detailed probes

Answer 27

Nmap Scripting Engine (NSE)

Question 28

An open-source spoofing tool that provides a pen tester with the ability to craft
network packets to exploit vulnerable firewalls and IDS/IPS

Answer 28

hping

Question 29

Send a SYN or ACK packet to conduct detection and testing

Answer 29

Host/port Detection and Firewall Testing

Question 30

Used to determine the system’s uptime

Answer 30

Timestamping

Question 31

Use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to
perform traces when ICMP is blocked on a given network

Answer 31

Traceroute

Question 32

Attempts to evade detection by IDS/IPS and firewalls by sending fragmented
packets across the network for later reassembly

Answer 32

Fragmentation

Question 33

A command-line tool used to poison responses to NetBIOS, LLMNR, and MDNS
name resolution requests in an attempt to perform a man-in-the-middle attack

Answer 33

Responder

Question 34

Tools used to detect the presence of wireless networks, identify the security type
and configuration, and try to exploit any weaknesses in the security to gain
unauthorized access to the network

Answer 34

Wireless Assessment Tools

Question 35

A suite of utilities designed for wireless network security testing

Answer 35

Aircrack-ng Suite

Question 36

A command-line tool used to perform brute force attacks against WPS-enabled
access points

Answer 36

Reaver

Question 37

A command-line tool used to perform brute force and dictionary attacks against password
hashes

Answer 37

Hashcat