Lesson 5 - Preparing the Vulnerability Scan

Question 1

The points at which a network or application receives external connections or I/O that are potential vectors to be exploited by a threat actor

Answer 1

Attack Surface

Question 2

Name the stages of the lifecycle of a vulnerability

Answer 2

1. Discover - vuln exists
2. Coordinate - CVE & CWE
3. Mitigate - patch released
4. Manage - patch applied
5. Document -

Question 3

What is the time when a system is most at risk of a vulnerability, generally between patch release and patch applied is referred to as ________

Answer 3

Risk Gap

Question 4

What is one of initial active reconnaissance techniques to gather information about network hosts and services running on open ports

Answer 4

Banner Grabbing

Common Tools are Wget, Nmap, Curl and netcat (nc)

examples are
wget <target IP?> -S - Print HTTP Headers

nmap -sV <target> -p <port></port></target>

Question 5

What is the essential first step in active reconnaissance phase of the PenTest

Answer 5

Mapping the Network

Question 6

What do most mapping tools use for additional enumeration from hosts

Answer 6

Windows Management Instrumentation (WMI) and Simple Networking Monitoring Protocol (SNMP)

Question 7

Name some of the popular free and commercial network mapping tools

Answer 7

SolarWinds, Intermapper, WhatsUp Gold, PRTG, Spiceworks, Nmap and Zenmap

Question 8

Name a popular tool that can import results of a vulnerability scan and then attempt to exploit it

Answer 8

Metasploit

this tool is primarily used to exploit and not necessary a good choice for scanning

Question 9

What are some ways that a PenTester can identify if a Web App Firewall is in place

Answer 9

A WAF can give away their existence by adding a personal cookie in the HTTP packet

some WAF products such as Citrix Netscaler use a technique called Header alternation which changes the original response to confuse the attacker.

Other WAF will identify themselves by their response such as you have been blocked.

Question 10

T or F if a Firewall permits port 80 it is possible to attach a payload in a HTTP Header?

Answer 10

True

You can set any malicious packet to port 80.

Question 11

What is the technique that uses traceroute and port scanning to discover details of the internal network

Answer 11

Firewalking

Question 12

How can a PenTester avoid Anti-Virus during a test and what specific tools would they use.

Answer 12

Use a Metamorphic Virus which transforms as they propagate

Obfsucate a known signature using a tool such as ObfuscatedEmpire

Use specialized tools or payloads such as fileless malware that uses OS embedded functions.

Using SET with Metasploit would be the ticket

Question 13

What is a popular Attack Surface analyzer

Answer 13

Censys

Question 14

What is the method to test firewall rules, evade intrusion detection or cause a denial of service

Answer 14

Crafting Packets

Question 15

What are the 4 stages of Packet Crafting

Answer 15

1. Assemble - create
2. Edit - modify contents
3. Pay - send/resend
4. Decode - capture and analyze

Question 16

Name some popular hacking tools that use Packet Crafting

Answer 16

Metasploit
Scapy
hping - CLI

Question 17

What ports do WebServers use vs Database Servers?

Answer 17

Web - port 80/443

SQL Server will listen on TCP Port 1433 or UDP port 1434

Question 18

Name a popular SQL Scanning tool that is built into Kali Linuz

Answer 18

SQLmap

Question 19

Name another tool built into Kali Linux designed to scan webservers for known vulnerabilities

Answer 19

Nikto