Information Gathering and Vulnerability Scanning Flashcards

1
Q

What is the process of collecting as much information as you can about a target?

A

Reconnaissance

2
Q

When do pentesters typically conduct reconnaissance?

A

During the planning, initial access, and post-exploitation phases of pentesting.

3
Q

What is the process of assessing a target to collect preliminary knowledge about it without actively engaging it or its assets?

A

Passive reconnaissance

4
Q

Which information gathering technique involves expanding your knowledge of hostnames in use, breadth of network, and even information about some technical contacts within an organization?

A

DNS Recon

5
Q

What can you use to validate ownership of an IP address in your scope list?

A

The regional internet registry (RIR) like ARIN (for America)

6
Q

What are some command-line tools you can use to access information from DNS?

A

Commands such as dig or whois.

7
Q

What tool can you use to resolve the name of a domain to an IP address?

A

nslookup

8
Q

Which open-source Python framework is often included in Kali and is a powerful tool with independent modules and a database for storing engagement information during recons?

A

Recon-ng

9
Q

Which Python-based framework is useful for DNS recon, can be both active and passive, and can help gather information from webpages to discover domains, subdomains, and email addresses?

A

theHarvester

10
Q

What is an open-source framework that pentesters can use to aid in the data-mining process? It is a static web page focused on information gathering that provides web links and resources.

A

OSINT Framework

11
Q

What is an interactive data mining software tool that can help users visualize and analyze relationships using publicly accessible data from the Internet?

A

Maltego

12
Q

What is an automated discovery process that can help identify metadata and property information stored in the file info of Microsoft Products?

A

FOCA (Fingerprinting Organizations with Collected Archives)

13
Q

What is the name for queries you can use to find data about your targets?

A

Dorks

14
Q

What is an open-source repository where people can share source code and collaborate with others?

A

GitHub

15
Q

Which tool was created by the University of Michigan in 2015 and allows you to query host and certificate information from Internet-wide scans using full-text searches or field-based searches, with regex and logic operators to enrich your queries?

A

Censys

16
Q

Which search engine scans the entire Internet, parsing banners for services and categorizing the data returned by each device?

A

Shodan

17
Q

What is defined by actively engaging a target to detect open ports, web pages, services, and exploitable weaknesses?

A

Active reconnaissance

18
Q

What is the command-line tool that utilizes various network protocols and advanced features for surveying hosts for open TCP and UDP ports, fingerprinting operating systems, extracting service banners, and much more?

A

NMAP

19
Q

What is a simple method of determining if a host is alive on a network?

A

A ping scan

20
Q

What kind of scan can you run on a local network to perform host discovery using MAC addresses?

A

An ARP scan, like arp -a

21
Q

What type of port scan provides little reliability as to whether a port is available over a network?

22
Q

What are the three states of a port, as returned by a port scan?

A

Open, Closed, Filtered

23
Q

Which ports range from 0 - 1023, require root/system-level privileges with the OS, and host standardized application services across operating system platforms?

A

System ports

24
Q

Which ports range from 1024 - 49151, are user-level, and host applications that do not require elevated privileges to run?

A

Registered ports

25
Q

Which protocol is connection-oriented and offers reliable data exchange between two network hosts?

A

Transmission Control Protocol (TCP)

26
Q

What is key about a TCP "half-open" scan?

A

It never completes the three-way handshake in the SYN process

27
Q

What kind of attack harnesses half-open scans as a form of denial of service?

A

SYN flood

28
Q

What is the extended framework in Nmap written in Lua to help automate a variety of networking tasks, including the ability to write scripts to tinker with and finagle network services?

A

Nmap Scripting Engine (NSE)

29
Q

What is the most basic way to identify a web server?

A

Look at the Server field in the HTTP response header.

30
Q

What is one of the most useful and underrated tools available to open a TCP connection to a remote host, including a database server?

A

netcat

31
Q

What is the process of ingesting a web page and following all of the links on that page, and sublinks, and so on?

A

Crawling

32
Q

What is the process of looking at the content of a known web page to gather terms and information from the site for analysis?

A

Scraping

33
Q

What is a Java-based framework that can be used to find other pages that may not be directly linked on a webpage that you are crawling?

A

DirBuster

34
Q

Which file is found at the top-level directory of a host and is used to restrict web indexing capabilities from web crawlers like Google or Bing?

A

robots.txt

35
Q

What are the three types of APIs (Application Programming Interface)?

A

Local, Web, and Program

36
Q

What kind of security devices are designed to intercept web requests and block common attack patterns?

A

Web application firewalls (WAFs)

37
Q

Which kind of web load balancer takes traffic requests and sends them to a pool of systems, one at a time?

A

Round-robin

38
Q

Which kind of web load balancer frequently generates and stores some form of session variable and uses that to determine the target system for a given session?

A

Persistent, and is more likely to be abused

39
Q

What is the process of inspecting an information system for known security weaknesses?

A

Vulnerability scanning

40
Q

Which remote vulnerability scanning tool helps automate vulnerability scanning and is one of the most popular commercial products on the market?

A

Tenable Nessus

41
Q

Which organization provides best-practice security configuration baselines that can be used to apply configuration guidance to safeguard operating systems, software, and networks?

A

Center for Internet Security (CIS)

42
Q

Which standard defines vulnerabilities as "a weakness in computational logic found in software and hardware components that, when exploited, results in a negative impact to CIA"?

A

Common Vulnerabilities & Exposures (CVE)

43
Q

What is the de facto standard for documenting publicly disclosed vulnerabilities?

A

The CVE Dictionary

44
Q

Which organization maintains the National Vulnerability Database (NVD)?

A

NIST

45
Q

Which database documents analysis on vulnerabilities that have been published in the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?

A

National Vulnerability Database (NVD)

46
Q

Which calculator is a comprehensive tool that uses qualitative factors within an equation to produce severity ratings, given certain environmental conditions?

A

The Common Vulnerability Scoring System (CVSS)

47
Q

Nessus plugins are written in which type of proprietary language?

A

Nessus Attack Scripting Language (NASL)

48
Q

Which Nmap script could you use to enumerate popular web directories from the service hosted on port 80?

A

http-enum