Information Gathering

Question 1

What is the first lookup tool to run against a domain like www.megacorpone.com?

Answer 1

whois megacorpone.com

Question 2

What Google hack would allow you to just filter search results to those pages on www.megacorpone.com?

Answer 2

site:megacorpone.com

Question 3

What Google hack would allow you to just filter search results to php pages on www.megacorpone.com?

Answer 3

site:megacorpone.com filetype:php

Question 4

What Google hack would allow you to exclude HTML pages on www.megacorpone.com?

Answer 4

site:megacorpone.com -filetype:html

Question 5

What is recon-ng?

Answer 5

• module-based framework for web-based information gathering.
• stores results in a database
• startup by typing “recon-ng”

Question 6

Recon-ng: what command allows you to find modules?

Answer 6

marketplace search

Question 7

Recon-ng: what command allows you to find out information about a module?

Answer 7

marketplace info

Question 8

Recon-ng: what command allows you to install a module?

Answer 8

marketplace install

Question 9

Recon-ng: what command allows you to use an installed module?

Answer 9

modules load

Question 10

Recon-ng: what command allows you to find out information about a module after it has been loaded?

Answer 10

info

Question 11

Recon-ng: what is the Google module that uses the “site:” search operator?

Answer 11

recon/domain-hosts/google_site_web

Question 12

Recon-ng: what command in the Google module to find all subdomains for a site?

Answer 12

• options set SOURCE megacorpone.com

- run

Question 13

Recon-ng: what command allows discovered subdomains in the database to be displayed?

Answer 13

show hosts

Question 14

Recon-ng: what module allows you to resolve IP addresses to host domain names?

Answer 14

recon/hosts-hosts-resolve

Question 15

What does SSL Server Test do?

Answer 15

• analyzes a server’s SSL/TLS configuration and compares it against current best practices

Question 16

What is the name of the public site for storing and sharing text, that does not require an account for usage?

Answer 16

pastebin

Question 17

What is theHarvester?

Answer 17

information gathering tool that gathers, emails, names, subdomains, IPs, and URLs from multiple public data sources.

Question 18

What command would allow the use of theHarvester to search for information about the domain megacorpone.com?

Answer 18

theHarvester -d megacorpone.com -b google

Question 19

What is the site that allows you to search social media sites for users or a keyword?

Answer 19

social-searcher

Question 20

What is the process of DNS?

Answer 20

1. Hostname entered into browser
2. Browser passes the hostname to the OS’ DNS client, and the OS then forwards the hostname to the external DNS server configured for use
3. The first server in the chain is known as the DNS recursor and is responsible for interacting with the DNS infrastructure and returning the results to the DNS client.
4. The DNS recursor contacts one of the servers in the DNS root zone.
5. The root server then responds with the address of the server responsible for the zone containing the TLD (.com TLD)
6. Once the DNS recursor server receives the address of the TLD DNS server, it queries for the address of the authoritative nameserver for the .com domain.
7. The authoritative nameserver is the final step in the DNS lookup process and contains the DNS records in a local database known as the “zone file”.
8. Once the DNS recursor provides the DNS client with the IP address for the hostname, the browser can contact the correct web server at its IP address and load the webpage.

Question 21

What is the Zone File?

Answer 21

• The authoritative nameserver contains a zone file.
• The Zone File is a local database that contains DNS records
• Their are typically two zones for each domain:
  1) the forward lookup zone used to find the IP Address of a specified hostname
  2) the reverse lookup zone used to find the hostname of a specific IP Address

Question 22

DNS Records: NS

Answer 22

• Nameserver record

- contains the name of the authoritative servers hosting the DNS records for a domain

Question 23

DNS Records: A

Answer 23

• A record (aka host record)

- contains the IP address of a hostname

Question 24

DNS Records: MX

Answer 24

• Mail Exchange record

- contains the names of the servers responsible for handling email for the domain.

Question 25

DNS Records: PTR

Answer 25

• Pointer record

- used in reverse lookup zones and are used to find the records associated with an IP address

Question 26

DNS Records: CNAME

Answer 26

• Canonical name record

- used to create aliases for other host records

Question 27

DNS Records: TXT

Answer 27

• Text records

- contain any arbitrary data and can be used for various purposes, such as domain ownership verification

Question 28

What command can be used to find the IP address for megacorpone.com

Answer 28

host www.megacorpone.com

Question 29

What does the ‘host’ command look for?

Answer 29

A record

Question 30

How would you look for the MX and TXT records for megacorpone.com?

Answer 30

• host -t mx megacorpone.com

- host -t txt megacorpone.com

Question 31

What are some example hostnames to query against a domain such as megacorpone.com?

Answer 31

• www
• ftp
• mail
• owa
• proxy
• router

Question 32

If you had a list of possible hostnames in a list named “list.txt”, what is a one-liner to try Forward Lookup Brute Force against megacorpone.com?

Answer 32

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

Question 33

What project has a comprehensive hostname wordlist? How can it be installed?
Where does it install?

Answer 33

• SecLists project
• sudo apt install seclists
• /usr/share/seclists

Question 34

What is a one-liner for Reverse Lookup Brute Force for IP addresses in the range 38.100.193.50-100?

Answer 34

for ip in $(seq 50 100); do host 38.100.193.$ip; done

grep -v “not found”

Question 35

What is the DNS Zone Transfer command?

Answer 35

host -l

Question 36

DNSRecon

Answer 36

• Kali tool

- advanced, modern DNS enumeration script written in Python

Question 37

Namp: Syn Scan

Answer 37

• nmap -sS
• default Nmap scan
• Sends a SYN packet to various ports
• If a port is open, a SYN-ACK packet is received back
• the ACK packet is NOT sent back

Question 38

What is a benefit of the Syn scan?

Answer 38

• Since there is not an ACK packet (three-way handshake is never completed) the information is not passed to the application layer.
• This means that the traffic will never appear in any application logs
• Syn scans are also faster

Question 39

Nmap: TCP Scan

Answer 39

nmap -sT

Question 40

Nmap: UDP Scan

Answer 40

nmap -sU

Question 41

Nmap: Network Sweep

Answer 41

nmap -sn 10.11.1.1-254

Question 42

Nmap: OS Fingerprint

Answer 42

nmap -0

Question 43

Nmap: Banner Grabbing/Service Enumeration

Answer 43

nmap -sV -sT -A

Question 44

Where are Nmap Scripts located?

Answer 44

/usr/share/nmap/scripts

Question 45

What does the NetBIOS service on TCP 139 do?

Answer 45

Session layer protocol and service that allows computers on the local network to communicate with each other.

Question 46

Nmap: Scanning for NetBIOS Service

Answer 46

nmap -v -p 139,445

Question 47

Tool used for identifying NetBIOS information?

Answer 47

• nbtscan

- sudo nbtscan -r 10.11.1.0/24

Question 48

How do you search for SMB Nmap Scripts?

Answer 48

ls -1 /usr/share/nmap/scripts/smb*

Question 49

What is NFS?

Answer 49

• Network File System
• Distributed file system protocol
• Allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage
• Often used with Unix systems
• Very insecure

Question 50

How do you scan for NFS Shares?

Answer 50

• By using RPCbind on TCP port 111
• nmap -v -p 111 10.11.1.1-254
• nmap -sV -p 111 –script=rpcinfo 10.11.1.1-254

Question 51

How do you search for NFS Nmap Scripts?

Answer 51

ls -1 /usr/share/nmap/scripts/nfs*

Question 52

How do you run all NFS Nmap Scripts at the same time?

Answer 52

nmap -p 111 –script nfs* 10.11.1.72

Question 53

If your Nmap NFS scan uncovered a NFS mount (RPCbind) name “home”, how would you mount it to your machine?

Answer 53

• mkdir home

- sudo mount -o nolock 10.11.1.72:/home ~/home

Question 54

You locate a file on a mounted file share, that you don’t have access to, and belongs to user “1014”.
How could you access this share?

Answer 54

• Add a local user to our machine (where we have mounted the file share) using the “adduser” command
• Change the UUID to “1014”

Question 55

How do you change a user’s UUID from 1001 to 1014?

Answer 55

sudo sed -i -e ‘s/1001/1014/g’ /etc/password

Question 56

Why is SNMP a useful protocol for penetration testing?

Answer 56

• Simple Network Management Protocol
• Not well-understood by network administrators
• Often results in SNMP misconfigurations, which can result in information leaks
• SNMP is based on UDP, and is therefore susceptible to IP Spoofing and replay attacks
• SNMP protocols 1, 2, 2c offer no traffic encryption
• SNMP has weak authentication schemes and is commonly left configured with default public and private community strings

Question 57

What is SNMP MIB?

Answer 57

• SNMP Management Information Base
• Database containing information usually related to network management
• organized like a tree, where branches represent different organizations or network functions
• the leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user.

Question 58

Nmap: Scan for SNMP

Answer 58

sudo nmap -sU –open -p 161 10.111.1.1-254

Question 59

SNMP Brute Force Tool?

Answer 59

onesixtyone

Question 60

How to brute force a network with onesixtyone?

Answer 60

echo public > community
echo private&raquo_space; community
echo manager&raquo_space; community

for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips

onesixtyone -c community -i ips

Question 61

Once you find SNMP services, what can you do from there?

Answer 61

Start querying the discovered SNMP services for MIB data

Question 62

What is an SNMP Community String?

Answer 62

• similar to a user ID or password that is sent along with each SNMP Get-Request to get access to a devices’ information
• if the community string is correct, you’re given access to the devices’ statistics

Question 63

How do you use snmpwalk to enumerate the Entire MIB Tree of a discovered SNMP service?

Answer 63

• snmpwalk
• snmpwalk -c public -v1 -t 10 10.11.1.14
• • -c = specifies the community string
• • -v = specifies the SNMP version
• • -t = specifies the timeout value (seconds)

Question 64

How do you use snmpwalk to enumerate Windows users?

Answer 64

• snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25

- 1.3.6.1.4.1.77.1.2.25 == MIB value for Windows User Accounts

Question 65

How do you use snmpwalk to enumerate Windows Processes?

Answer 65

• snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2

- 1.3.6.1.2.1.25.4.2.1.2 = MIB value for Windows Process Path

Question 66

How do you use snmpwalk to enumerate Windows ope TCP ports?

Answer 66

• snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3

- 1.3.6.1.2.1.6.13.1.3 = MIB value for Windows TCP Local Ports

Question 67

How do you use snmpwalk to enumerate installed software on a Windows machine?

Answer 67

• snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2

- 1.3.6.1.2.1.25.6.3.1.2 = MIB value for Windows running programs

Question 68

What nmap one-liner shows what services are running?

Answer 68

sudo nmap 10.11.0.128 -p- -sV -vv –open –reason