Information Gathering and Vulnerability Scanning

Question 1

What is the process of collecting as much information as you can about a target?

Answer 1

Reconnaissance

Question 2

When do pentesters typically conduct reconnaissance?

Answer 2

During the planning, initial access, and post-exploitation phases of pentesting.

Question 3

What is the process of assessing a target to collect preliminary knowledge about it without actively engaging it or its assets?

Answer 3

Passive reconnaissance

Question 4

Which information gathering technique involves expanding your knowledge of hostnames in use, breadth of network, and even information about some technical contacts within an organization?

Answer 4

DNS Recon

Question 5

What can you use to validate ownership of an IP address in your scope list?

Answer 5

The regional internet registry (RIR) like ARIN (for America)

Question 6

What are some command-line tools you can use to access information from DNS?

Answer 6

Commands such as dig or whois.

Question 7

What tool can you use to resolve the name of a domain to an IP address?

Answer 7

nslookup

Question 8

Which open-source Python framework is often included in Kali and is a powerful tool with independent modules and a database for storing engagement information during recons?

Answer 8

Recon-ng

Question 9

Which Python-based framework is useful for DNS recon, can be both active and passive, and can help gather information from webpages to discover domains, subdomains, and email addresses?

Answer 9

theHarvester

Question 10

What is an open-source framework that pentesters can use to aid in data mining process? It is a static web page focused on information gathering and provides web links and resources.

Answer 10

OSINT Framework

Question 11

What is an interactive data mining software tool that can help users visualize and analyze relationships using publicly accessible data from the Internet?

Answer 11

Maltego

Question 12

What is an automated discovery process that can help identify metadata and property information stored in the file info of Microsoft Products?

Answer 12

FOCA (Fingerprinting Organizations with Collected Archives)

Question 13

What is the name for queries you can use to find data about your targets?

Answer 13

Dorks

Question 14

What is an open-source repository where people can share source codes and collaborate with others?

Answer 14

GitHub

Question 15

Which tool was created by the University Of Michigan in 2015 and allows you to query host and certificate information from Internet-wide scans using full-text searches or field-base searches with regex and logic operators enriching your queries?

Answer 15

Censys

Question 16

Which search engine scans the entire Internet, parsing banners for services and categorizing the data returned by each device?

Answer 16

Shodan

Question 17

What is defined by actively engaging a target to detect open ports, web pages, services, and exploitable weaknesses?

Answer 17

Active reconnaissance

Question 18

What is the command-line tool that utilizes various network protocols and advanced features for surveying hosts for open TCP and UDP ports, fingerprinting operating systems, extracting service banners, and much more?

Answer 18

NMAP

Question 19

What is a simple method of determining if a host is alive on a network?

Answer 19

A ping scan

Question 20

What kind of scan can you run on a local network to perform host discovery using MAC addresses?

Answer 20

An ARP scan, like arp -a

Question 21

What type of port scan provides little reliability as to whether a port is available over a network?

Answer 21

UDP Scan

Question 22

What are the three states of a port, as returned by a port scan?

Answer 22

Open, Closed, Filtered

Question 23

Which ports range from 0 - 1023, require root/system-level privileges with the OS, and host standardized application services across operating system platforms?

Answer 23

System ports

Question 24

Which ports range from 1024 - 49151, are user-level, and host applications that do not require elevated privileges to run?

Answer 24

Registered ports

Question 25

Which protocol is connection-oriented and offers reliable data exchange between two network hosts?

Answer 25

Transmission Control Protocol (TCP)

Question 26

What is key about a TCP "half-open" scan?

Answer 26

It never completes the three-way handshake in the SYN process

Question 27

What kind of attack harnesses half-open scans as a form of denial of service?

Answer 27

SYN flood

Question 28

What is the extended framework in Nmap written in Lua to help automate a variety of networking tasks, including the ability to write scripts to tinker with and finagle network services?

Answer 28

Nmap Scripting Engine (NSE)

Question 29

What is the most basic way to identify a web server?

Answer 29

Look at the Server field in the HTTP response headed.

Question 30

What is on eof the most useful and underrated tools available to open a TCP connection to a remote host, to include a database server?

Answer 30

netcat

Question 31

What is the process of ingesting a web page and following all of the links on that page, and sublinks, and so on?

Answer 31

Crawling

Question 32

What is the process of looking at the content of a known web page to gather terms and information from the site for analysis?

Answer 32

Scraping

Question 33

What is a Java-based framework that can be used to find other pages that may not be directly linked on a webpage that you are crawling?

Answer 33

DirBuster

Question 34

Which file is found at the top-level directory of a host and is used to restrict web indexing capabilities from web crawlers like Google or Bing?

Answer 34

robots.txt

Question 35

What are the three types of APIs (Application Programming Interface)?

Answer 35

Local, Web, and Program

Question 36

What kind of security devices are designed to intercept web requests and block common attack patterns?

Answer 36

Web application firewalls (WAFs)

Question 37

Which kind of web load balancer takes traffic requests and sends them to a pool of systems, one at a time?

Answer 37

Round-robin

Question 38

Which kind of web load balancer frequently generates and stores some form of session variable and uses that to determine the target system for a given session?

Answer 38

Persistent, and is more likely to be abused

Question 39

What is the process of inspecting an information system for known security weaknesses?

Answer 39

Vulnerability scanning

Question 40

Which remote vulnerability scanning tool helps automate vulnerability scanning and is one of the most popular commercial products on the market?

Answer 40

Tenable Nessus

Question 41

Which organization provides best-practice security configuration baselines that can be used to apply configuration guidance to safeguard operating systems, software, and networks?

Answer 41

Center for Internet Security (CIS)

Question 42

Which standard defines vulnerabilities as "a weakness in computational logic found in software and hardware components that, when exploited, results in a negative impact to CIA"?

Answer 42

Common Vulnerabilities & Exposures (CVE)

Question 43

What is the de facto standard for documenting publicly disclosed vulnerabilities?

Answer 43

The CVE Dictionary

Question 44

Which organization maintains the National Vulnerability Database (NVD)?

Answer 44

NIST

Question 45

Which database documents analysis on vulnerabilities that have been published in the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?

Answer 45

National Vulnerability Database (NVD)

Question 46

Which calculator is a comprehensive tool that uses qualitative factors within an equation to severity ratings, given certain environmental conditions?

Answer 46

The Common Vulnerability Scoring System (CVSS)

Question 47

Nessus plugins are written in which type of proprietary language?

Answer 47

Nessus Attack Scripting Language (NASL)

Question 48

Which Nmap script could you use to enumerate popular web directories from the service hosted on port 80?

Answer 48

http-enum