Module 04 - Enumeration ( EC Mode ) Flashcards

1
Q

In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process?

A. Extracting information using default passwords

B. Brute-force Active Directory

C. Extracting usernames using email IDs

D. Extracting usernames using SNMP

A

Answer: B. Brute-force Active Directory

Explanation:

Here are some methods attackers can use to extract usernames:

Using SNMP: Attackers can use the SNMP API to extract usernames by guessing read-only or read-write community strings.

Using email IDs: Every email address contains a username and a domain name in the format username@domainname. Attackers can take advantage of the first part to extract usernames.

Brute force Active Directory: A design error in the Microsoft Active Directory implementation allows attackers to brute force usernames by exploiting the “logon hours” feature, which results in different error messages.

Extracting information using default passwords: Users often fail to change the default usernames and passwords provided by the manufacturer or developer of a product. Attackers can use these default passwords to launch attacks on the target network or device.

2
Q

Which of the following protocols uses TCP port 179 to enable routers for establishing sessions between them?

A. BGP
B. LDAP
C. SNMP
D. SIP

A

Answer: A (BGP)

Explanation:

Here are some protocols and their associated port numbers:

LDAP: LDAP uses TCP or UDP as its transport protocol over port 389.

BGP: BGP routers establish sessions on TCP port 179.

SIP: SIP typically uses TCP/UDP port 5060 for non-encrypted signaling traffic or port 5061 for encrypted traffic with TLS when communicating with servers and other endpoints.

SNMP: The agent receives requests on port 161 from the managers and responds to the managers on port 162.

3
Q

Which of the following port numbers is used by the Windows NetBIOS session service for both null-session establishment as well as file and printer sharing?

A. TCP/UDP 53
B. TCP/UDP 389
C. TCP 139
D. TCP 23

A

Answer: C (TCP 139)

Explanation:

Here are some ports and their associated protocols:

TCP 139: This port is used for null-session establishment as well as file and printer sharing on Windows systems.

TCP/UDP 53: DNS clients communicate with DNS servers on this port during the DNS resolution process.

TCP 23: This port is used by the Telnet protocol for managing networked devices remotely.

TCP/UDP 389: LDAP uses this port for accessing and maintaining distributed directory information services over an IP network.

4
Q

Which of the following ports provides a name-resolution service for computers running NetBIOS that is also known as the Windows Internet Name Service (WINS)?

A. TCP 22
B. UDP 161
C. UDP 137
D. TCP 135

A

Answer: C (UDP 137)

Explanation:

UDP 137: NBNS, also known as the Windows Internet Name Service (WINS), provides a name-resolution service for computers running NetBIOS.

TCP 135: Microsoft RPC Endpoint Mapper listens on TCP/IP port 135.

UDP 161: SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers.

TCP 22: Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely.

5
Q

Jake, an attacker, is performing an attack on a target organization to gather sensitive information. In this process, he exploited the protocol running on port 23 to perform banner grabbing on other protocols, such as SSH and SMTP, as well as brute-forcing attacks on login credentials.

Which of the following protocols is running on port 23?
A. File Transfer Protocol
B. Secure Shell
C. Telnet
D. Border Gateway Protocol

A

Answer: C. Telnet

Explanation:

Secure Shell:
Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22.

File Transfer Protocol:
FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration.

Telnet:
The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, port-forwarding attacks, etc.

Border Gateway Protocol:
BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179.

6
Q

Which of the following port numbers is used to exploit vulnerabilities within DNS servers to launch attacks?
A. UDP 137
B. TCP/UDP 53
C. TCP 139
D. TCP/UDP 135

A

Answer: B. TCP/UDP 53.

Explanation:
The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default UDP size limit (512 octets), the response contains only as much data as UDP can accommodate, and the DNS server sets a flag to indicate that the response is truncated. The DNS client can then resend the request over TCP port 53 to the DNS server. In this approach, the DNS server uses UDP as its default transport and falls back to TCP for lengthy queries where UDP fails. Some malware, such as the ADM worm and the Bonk Trojan, uses port 53 to exploit vulnerabilities within DNS servers, which can help intruders launch attacks.

7
Q

Which of the following protocols uses TCP or UDP as its transport protocol over port 389?

A. SIP
B. SMTP
C. SNMP
D. LDAP

A

Answer: D. LDAP.

Explanation:

LDAP is a protocol for accessing and maintaining distributed directory information services over an Internet protocol (IP) network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.

Simple network management protocol (SNMP) is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, and so on. It consists of a manager and agents. The agent receives requests on Port 161 from the managers and responds to the managers on Port 162.

SMTP is a TCP/IP mail delivery protocol. It transfers e-mail across the Internet and the local network. It runs on the connection-oriented service provided by transmission control protocol (TCP), and it uses the well-known port number 25.

Session initiation protocol (SIP) is used in the applications of Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (nonencrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.

8
Q

Which of the following protocols provides reliable multiprocess communication service in a multinetwork environment?

A. SMTP
B. TCP
C. SNMP
D. UDP

A

Answer: B. TCP.

Explanation:

Transmission control protocol (TCP) is a connection-oriented protocol. It is capable of carrying messages or e-mail over the Internet. It provides reliable multiprocess communication service in a multinetwork environment.

UDP is a connectionless protocol, which provides unreliable service. It carries short messages over a computer network.

SMTP is a TCP/IP mail delivery protocol. It transfers e-mail across the Internet and the local network. It runs on connection-oriented service provided by TCP.

Simple network management protocol (SNMP) is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, and so on.

9
Q

An attacker identified that port 139 on the victim’s Windows machine is open and he used that port to identify the resources that can be accessed or viewed on the remote system. What is the protocol that allowed the attacker to perform this enumeration?

A. SNMP
B. SMTP
C. NetBIOS
D. LDAP

A

Answer: C. NetBIOS.

Explanation:
An attacker who finds a Windows OS with port 139 open can check to see what resources can be accessed or viewed on the remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing.

10
Q

What is the default port used by IPSEC IKE protocol?

A. Port 4500
B. Port 500
C. Port 51
D. Port 50

A

Answer: B. Port 500.

Explanation:

IPSEC IKE: The IP Security Internet Key Exchange (IKE) protocol is used to establish security associations for the IPsec protocol suite. IKE uses UDP port 500 to establish security associations.

UDP port 4500 is used for IPsec NAT-T (NAT traversal).

The Remote Mail Checking Protocol uses UDP/TCP port 50.

Port 51 is reserved by IANA.

11
Q

Which of the following protocols is widely used by Internet service providers (ISPs) to maintain huge routing tables and efficiently process Internet traffic?

A. SIP
B. BGP
C. TFTP
D. FTP

A

Answer: B. BGP (Border Gateway Protocol).

Explanation:

Border Gateway Protocol (BGP): BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.

Trivial File Transfer Protocol (TFTP): TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices.

File Transfer Protocol: FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration.

Session Initiation Protocol (SIP): The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.

12
Q

Jake, an attacker, is performing an attack on a target organization to gather sensitive information. In this process, he exploited the protocol running on port 23 to perform banner grabbing on other protocols, such as SSH and SMTP, as well as brute-forcing attacks on login credentials. Which of the following protocols is running on port 23?

A. File Transfer Protocol
B. Telnet
C. Border Gateway Protocol
D. Secure Shell

A

Answer: B. Telnet.

Explanation:

Secure Shell: Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22.

File Transfer Protocol: FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration.

Telnet: The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, port-forwarding attacks, etc.

Border Gateway Protocol: BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179.

13
Q

Which of the following information is collected using enumeration?

A. Network resources, network shares, and machine names
B. Operating systems, location of web servers, users, and passwords
C. Open ports and services
D. Email recipient’s system IP address and geolocation

A

Answer: A. Network resources, network shares, and machine names.

Explanation:

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network.

Enumeration allows you to collect the following information:

Network resources

Network shares

Routing tables

Audit and service settings

SNMP and FQDN details

Machine names

Users and groups

Applications and banners

14
Q

Which of the following command-line tools displays the CPU and memory information or thread statistics?

A. PsLogList
B. PsFile
C. PsGetSid
D. PsList

A

Answer: D. PsList.

Explanation:

PsLogList: The default function of PsLogList is to display the contents of the System Event Log on the local computer with visually friendly formatting.

PsList: It is a command-line tool that displays a central processing unit (CPU) and memory information or thread statistics.

PsFile: It is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier.

PsGetSid: It translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts.

15
Q

Which of the following tools supports the nbstat.nse script that allows attackers to retrieve the target’s NetBIOS names and MAC addresses?

A. Netcraft
B. Wireshark
C. Nmap
D. OpUtils

A

Answer: C. Nmap.

Explanation:

OpUtils: An SNMP enumeration tool that helps to monitor, diagnose, and troubleshoot IT resources.

Wireshark: Wireshark lets you capture and interactively browse the traffic running on a computer network.

Nmap: Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The nbstat script of NSE allows attackers to retrieve the target’s NetBIOS names and MAC addresses.

Netcraft: Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning. They also analyze the market share of web servers, operating systems, hosting providers and SSL certificate authorities, and other parameters of the Internet.

16
Q

Which of the following NetBIOS service codes is used to obtain information related to the master browser name for the subnet?

A. <1D>
B. <1E>
C. <20>
D. <03>

A

Answer: A. <1D>.

Explanation:

Here are the NetBIOS service codes and the information obtained through them:

Name: , NetBIOS Code: <03>, Type: UNIQUE, Information Obtained: Messenger service running for the computer.

Name: , NetBIOS Code: <03>, Type: UNIQUE, Information Obtained: Messenger service running for the logged-in user.

Name: , NetBIOS Code: <20>, Type: UNIQUE, Information Obtained: Server service running.

Name: , NetBIOS Code: <1D>, Type: GROUP, Information Obtained: Master browser name for the subnet.

17
Q

Which of the following Nbtstat parameters is used to display the count of all names resolved by a broadcast or WINS server?

A. -n
B. -r
C. -R
D. -RR

A

Answer: B. -r.

Explanation:

Here are the Nbtstat parameters and their functions:

Parameter: -n, Function: Displays the names registered locally by NetBIOS applications such as the server and redirector.

Parameter: -r, Function: Displays a count of all names resolved by a broadcast or WINS server.

Parameter: -R, Function: Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file.

Parameter: -RR, Function: Releases and re-registers all names with the name server.

18
Q

Which of the following tools is not a NetBIOS enumeration tool?

A. Hyena
B. NetScanTools Pro
C. SuperScan
D. OpUtils

A

Answer: D. OpUtils.

Explanation:
Among the given options, Hyena, SuperScan, and NetScanTools Pro can be used to perform NetBIOS enumeration, whereas OpUtils is an SNMP enumeration tool.

19
Q

Which of the following Windows utilities allows an attacker to perform NetBIOS enumeration?

A. nbtstat
B. GetRequest
C. ntpdate
D. SetRequest

A

Answer: A. nbtstat.

Explanation:
The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache. An attacker can run the nbtstat command “nbtstat.exe -c” to get the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses. An attacker can also run the nbtstat command “nbtstat.exe -a ” to get the NetBIOS name table of a remote computer.

20
Q

Which of the following management information bases (MIBs) contains object types for workstation and server services?

A. WINS.MIB
B. MIB_II.MIB
C. HOSTMIB.MIB
D. LNMIB2.MIB

A

Answer: D. LNMIB2.MIB

Explanation:

WINS.MIB: For the Windows Internet Name Service (WINS).

HOSTMIB.MIB: Monitors and manages host resources.

MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system.

LNMIB2.MIB: Contains object types for workstation and server services.

21
Q

Robert, a professional hacker, was tasked with retrieving critical information from a target network. For this purpose, Robert employed a command-line tool to fetch information from all the network sub-nodes such as routers and switches in the form of an object identifier (OID), which is part of the management information base (MIB). Identify the tool employed by Robert in the above scenario.

A. SnmpWalk
B. Spokeo
C. Factiva
D. Tor Browser

A

Answer: A. SnmpWalk.

Explanation:

Spokeo: Attackers can use the Spokeo people search online service to search for people belonging to the target organization. Using this service, attackers obtain information such as phone numbers, email addresses, address history, age, date of birth, family members, social profiles, and court records.

Tor Browser: Tor Browser is used to access the deep and dark web, where it acts as a default VPN for the user and bounces the network IP address through several servers before interacting with the web. Attackers use this browser to access hidden content, unindexed websites, and encrypted databases present in the deep web.

Factiva: Factiva is a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management.

SnmpWalk: SnmpWalk is a command-line tool that allows attackers to scan numerous Simple Network Management Protocol (SNMP) nodes instantly and identify a set of variables that are available for accessing the target network. Using this tool, attackers target the root node so that information from all the sub-nodes such as routers and switches can be fetched. The information can be retrieved in the form of an object identifier (OID), which is part of the management information base (MIB) associated with the devices having SNMP enabled.

22
Q

Which of the following SnmpWalk commands allows an attacker to identify configured software on the target network node?

A. snmpwalk -v2c -c public hrMemorySize
B. snmpwalk -v2c -c public
C. snmpset -v2c -c public <target_device> <OID> <datatype> <value>
D. snmpwalk -v2c -c public hrSWInstalledName

A

Answer: D. snmpwalk -v2c -c public hrSWInstalledName.

Explanation:
SnmpWalk Commands:

Command to search for installed software:
snmpwalk -v2c -c public hrSWInstalledName

Command to enumerate SNMPv2 with a community string of public:
snmpwalk -v2c -c public

Command to determine the amount of RAM on the host:
snmpwalk -v2c -c public hrMemorySize

Command to change an OID to a different value:
snmpwalk -v2c -c public

23
Q

Which of the following commands allows attackers to fetch the SNMP server type and operating system?

A. nmap -sU -p 161 --script=snmp-processes
B. nmap -sU -p 161 --script=snmp-sysdescr
C. nmap -p 25 --script=smtp-enum-users
D. nmap -p 25 --script=smtp-open-relay

A

Answer: B. nmap -sU -p 161 --script=snmp-sysdescr.

Explanation:
Nmap commands to perform SNMP enumeration:

nmap -p 25 --script=smtp-enum-users -> Enumerates all the mail users on the SMTP server.

nmap -p 25 --script=smtp-open-relay -> Identifies SMTP open relays.

nmap -sU -p 161 --script=snmp-processes -> Lists all the running SNMP processes along with the associated ports on the target host.

nmap -sU -p 161 --script=snmp-sysdescr -> Retrieves information regarding the SNMP server type and operating system details.

24
Q

Alfred, a professional hacker, was performing SNMP enumeration on a target network. In this process, he executed an nmap command that lists all the running SNMP processes along with the associated ports on the target host. Identify the command executed by Alfred in the above scenario.

A. nmap -sU -p 161 --script=snmp-processes
B. snmpwalk -v2c -c public
C. nmap -p 25 --script=smtp-enum-users
D. nmap -p 25 --script=smtp-open-relay

A

Answer: A. nmap -sU -p 161 --script=snmp-processes.

Explanation:
Nmap commands to perform SNMP enumeration:

nmap -p 25 --script=smtp-enum-users -> Enumerates all the mail users on the SMTP server.

nmap -sU -p 161 --script=snmp-processes -> Lists all the running SNMP processes along with the associated ports on the target host.

Command to change an OID to a different value:
snmpwalk -v2c -c public

nmap -p 25 --script=smtp-open-relay -> Identifies SMTP open relays.

25
Q

Which of the following commands is used by an SNMP agent to meet a request made by the SNMP manager?

A. GetResponse
B. GetNextRequest
C. SetRequest
D. Trap

A

Answer: A. GetResponse.

Explanation:
The following are some commands associated with SNMP.

GetRequest: Used by the SNMP manager to request information from an SNMP agent

GetNextRequest: Used by the SNMP manager continuously to retrieve all the data stored in an array or table

GetResponse: Used by an SNMP agent to satisfy a request made by the SNMP manager

SetRequest: Used by the SNMP manager to modify the value of a parameter within an SNMP agent’s management information base (MIB)

Trap: Used by an SNMP agent to inform the pre-configured SNMP manager of a certain event

26
Q

Which protocol enables an attacker to enumerate user accounts and devices on a target system?

A. SNMP
B. TCP
C. NetBIOS
D. SMTP

A

Answer: A. SNMP

27
Q

Which of the following SnmpWalk commands helps attackers change the object identifier of a network node?

A. snmpwalk -v2c -c public
B. snmpwalk -v2c -c public hrSWInstalledName
C. snmpwalk -v2c -c public
D. snmpwalk -v2c -c public sysContact

A

Answer: C. snmpwalk -v2c -c public .

Explanation:
SnmpWalk Commands:

Command to enumerate SNMPv2 with a community string of public:
snmpwalk -v2c -c public

Command to search for installed software:
snmpwalk -v2c -c public hrSWInstalledName

Command to change an OID to a different value:
snmpwalk -v2c -c public

Command to change the sysContact OID:
snmpwalk -v2c -c public sysContact

28
Q

Which of the following LDAP enumeration tools is used by an attacker to access the directory listings within Active Directory or other directory services?

A. XOIC
B. Slowloris
C. HULK
D. AD Explorer

A

Answer: D. AD Explorer.

Explanation:
The given options are described as follows:

AD Explorer: Used to access the directory listings within Active Directory or other directory services. Using the LDAP enumeration tool, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers.

Slowloris, XOIC, and HULK are tools for performing DoS attacks.

29
Q

Which of the following protocols is responsible for accessing distributed directories and information such as valid usernames, addresses, departmental details, and so on?

A. DNS
B. SMTP
C. LDAP
D. NTP

A

Answer: C. LDAP (Lightweight Directory Access Protocol).

Explanation:

Lightweight directory access protocol (LDAP) is an Internet protocol for accessing distributed directory services. Directory services may provide any organized set of records, such as a corporate e-mail directory, often in a hierarchical and logical structure. An attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, and so on that can be further used to perform attacks.

30
Q

Which of the following tools can be used to perform LDAP enumeration?

A. SoftPerfect Network Scanner
B. SuperScan
C. Nsauditor Network Security Auditor
D. AD Explorer

A

Answer: D. AD Explorer.

Explanation:

Among the given options, AD Explorer can be used to perform LDAP enumeration, whereas SoftPerfect network scanner, SuperScan, and Nsauditor network security auditor are tools that are used to perform NetBIOS enumeration.

31
Q

Edward, a professional hacker, was tasked with hacking critical information of a target organization. For this purpose, Edward initiated an LDAP enumeration process. Using a Python script, he successfully established a connection with the target LDAP server and executed the following script:

>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')

True

>>> connection.entries

Which of the following did Edward accomplish using the above Python script?

A. Created a connection object
B. Retrieved all directory objects
C. Listed all applications
D. Retrieved the DSA-specific entry (DSE) naming contexts

A

Answer: B. He searched for objects with the search filter set to ‘objectClass=*’.

Explanation:
After obtaining the naming context, retrieve all the directory objects using the script given below:

>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')

True

>>> connection.entries

32
Q

Which of the following tools allows attackers to perform LDAP enumeration on the target network?

A. nbtstat
B. DNSRecon
C. AD Explorer
D. Euromonitor

A

Answer: C. AD Explorer.

Explanation:

AD Explorer: AD Explorer allows attackers to perform LDAP enumeration.

DNSRecon: Attackers use DNSRecon to check all NS records of the target domain for zone transfers.

Euromonitor: Euromonitor provides strategy research capabilities for consumer markets. It publishes reports on industries, consumers, and demographics. It provides market research and surveys focused on the organization’s needs.

nbtstat: nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems.

33
Q

Identify the nmap NSE script that helps attackers in performing automated LDAP enumeration on a target network.

A. get_info = ldap3.ALL
B. pip3 install ldap3
C. ldap-brute
D. ntpdate

A

Answer: C. ldap-brute

Explanation:
get_info = ldap3.ALL
Retrieves the Directory System Agent (DSA)–specific entry (DSE) naming contexts

pip3 install ldap3
The above command will install LDAP in the target server

ntpdate
The above script can be used to perform NTP enumeration

ldap-brute
Attackers use the ldap-brute nmap NSE script to brute-force LDAP authentication

34
Q

Which of the following ntpdate parameters is used by an attacker to perform a function that can force the time to always be slewed?

A. -q
B. -d
C. -B
D. -b

A

Answer: C. -B

Explanation:

Here are the ntpdate parameters and their functions:

Parameter: -B, Function: Forces the time to always be slewed. This option is used to prevent large time jumps that may occur when the clock is first synchronized.

Parameter: -b, Function: Forces the time to be stepped. This option is used to reduce the time required to synchronize the clock, but it can cause large time jumps.

Parameter: -d, Function: Enables debugging mode. This option causes ntpdate to display debugging information, such as the responses received from the NTP server.

Parameter: -q, Function: Query only. This option causes ntpdate to query the NTP server for the time, but it does not set the system clock. This is useful for testing and troubleshooting NTP connectivity.

35
Q

Sam, an ethical hacker, is launching an attack on a target company. He performed various enumeration activities to detect any existing vulnerabilities on the target network and systems. In this process, he performed NTP enumeration and executed some commands to acquire the list of hosts connected to the NTP server.

Which of the following NTP enumeration commands helps Sam in collecting system information such as the number of time samples from several time sources?

A. ntptrace
B. ntpdc
C. ntpdate
D. ntpq

A

Answer: C. ntpdate

Explanation:

ntptrace: This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source.

ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state.

ntpdate: This command collects the number of time samples from several time sources.

ntpq: This command monitors the operations of the NTP daemon ntpd and determines performance.

36
Q

George, a professional hacker, wanted to test his computer skills. So, he decided to execute an attack on a company and access important files of the company. In this process, he performed NFS enumeration using a tool to download important files shared through the NFS server.

Which of the following tools helps George perform NFS enumeration?

A. OllyDbg
B. RPCScan
C. Dependency Walker
D. KeyGrabber

A

Answer: B. RPCScan.

Explanation:
OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. It debugs multithread applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to the procedure

Dependency Walker: Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc.

RPCScan: RPCScan communicates with RPC services and checks misconfigurations on NFS shares.

KeyGrabber: A KeyGrabber hardware keylogger is an electronic device capable of capturing keystrokes from a PS/2 or USB keyboard. It comes in various forms, such as KeyGrabber USB, KeyGrabber PS/2, and KeyGrabber Nano Wi-Fi.

37
Q

Which of the following protocols is responsible for synchronizing clocks of networked computers?

A. LDAP
B. DNS
C. SMTP
D. NTP

A

Answer: D. NTP (Network Time Protocol).

Explanation:
Network time protocol (NTP) is designed to synchronize clocks of networked computers. NTP can maintain time to within 10 milliseconds (1/100 seconds) over the public Internet. It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions.

38
Q

Which of the following ntpdate parameters is used by an attacker to perform a function that can force the time to always be stepped?

A. -b
B. -q
C. -B
D. -d

A

Answer: A. -b

Explanation:

Here are the ntpdate parameters and their functions:

Parameter: -B, Function: Forces the time to always be slewed. This option is used to prevent large time jumps that may occur when the clock is first synchronized.

Parameter: -b, Function: Forces the time to be stepped. This option is used to reduce the time required to synchronize the clock, but it can cause large time jumps.

Parameter: -d, Function: Enables debugging mode. This option causes ntpdate to display debugging information, such as the responses received from the NTP server.

Parameter: -q, Function: Query only. This option causes ntpdate to query the NTP server for the time, but it does not set the system clock. This is useful for testing and troubleshooting NTP connectivity.

39
Q

Which of the following NTP commands determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source?

A. ntpdate
B. ntpq
C. ntpdc
D. ntptrace

A

Answer: D. ntptrace.

Explanation:

ntpdate: This command collects the number of time samples from several time sources.

ntpq: This command monitors the operations of the NTP daemon ntpd and determines its performance.

ntptrace: This command determines where the NTP server obtains its time from and follows the chain of NTP servers back to the primary time source.

ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state.

40
Q

Sam, an ethical hacker, is launching an attack on a target company. He performed various enumeration activities to detect any existing vulnerabilities on the target network and systems. In this process, he performed NTP enumeration and executed some commands to acquire the list of hosts connected to the NTP server.

Which of the following NTP enumeration commands helps Sam in collecting system information such as the number of time samples from several time sources?

A. ntpdate
B. ntpdc
C. ntpq
D. ntptrace

A

Answer: A. ntpdate

Explanation:

ntptrace: This command determines where the NTP server obtains its time from and follows the chain of NTP servers back to the primary time source.

ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state.

ntpdate: This command collects the number of time samples from several time sources.

ntpq: This command monitors the operations of the NTP daemon ntpd and determines its performance.

41
Q

Which of the following commands is used by attackers to query the ntpd daemon about its current state?

A. ntpdc
B. ntpdate
C. ntpq
D. ntptrace

A

Answer: A. ntpdc.

Explanation:

ntpdate: This command collects the number of time samples from several time sources.

ntptrace: This command determines where the NTP server obtains its time from and follows the chain of NTP servers back to the primary time source.

ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state.

ntpq: This command monitors the operations of the NTP daemon ntpd and determines its performance.
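The ntptrace walk and the stratum and reference-identifier fields that ntpq reports all come from the same 48-byte NTP packet: a client sends a mode-3 request and the server's mode-4 reply carries its stratum and a refid naming its own upstream source. The Python client below is an added example, not part of the original flashcards and not code from the ntp tools they describe: it builds the request, parses the reply, decodes the refid, and checks that the reply's origin timestamp echoes the transmit timestamp we sent. The reply it parses offline is constructed, and any host passed on the command line is a placeholder for a server you are authorised to query.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
PACKET = "!BBBbIIIQQQQ"          # flags, stratum, poll, precision, delay, dispersion, refid, 4 timestamps


def build_request():
    """48-byte client packet: LI=0, VN=4, mode=3. Only the transmit timestamp is set;
    the server echoes it as the origin timestamp, which lets us match the reply."""
    flags = (0 << 6) | (4 << 3) | 3
    tx = int((time.time() + NTP_EPOCH_OFFSET) * 2**32)
    return struct.pack(PACKET, flags, 0, 0, 0, 0, 0, 0, 0, 0, 0, tx)


def ntp_to_unix(ts):
    return ts / 2**32 - NTP_EPOCH_OFFSET


def decode_refid(stratum, refid):
    """Stratum 0/1: a 4-char ASCII code (kiss-of-death code or clock type such as GPS).
    Stratum 2+: the upstream server's IPv4 address (for IPv6 peers, 4 bytes of an MD5 hash)."""
    raw = struct.pack("!I", refid)
    if stratum <= 1:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    return socket.inet_ntoa(raw)


def parse_reply(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, _orig_ts, _recv_ts, tx_ts) = struct.unpack(PACKET, data[:48])
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay_s": root_delay / 2**16, "root_dispersion_s": root_disp / 2**16,
        "refid": decode_refid(stratum, refid),
        "reference_time": ntp_to_unix(ref_ts), "transmit_time": ntp_to_unix(tx_ts),
        "kiss_of_death": stratum == 0,
    }


def query(host, port=123, timeout=3):
    """Send one mode-3 request and parse the mode-4 reply (stratum, refid, timestamps)."""
    req = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        data, _ = s.recvfrom(512)
    # Origin timestamp (bytes 24..32) must echo our transmit timestamp (bytes 40..48);
    # anything else is a stray or spoofed datagram, not an answer to this request.
    if data[24:32] != req[40:48]:
        raise ValueError("origin timestamp mismatch")
    return parse_reply(data)


def constructed_reply():
    """Constructed mode-4 reply from a stratum-2 server synchronised to 10.0.0.5
    (offline sample, not captured traffic)."""
    flags = (0 << 6) | (4 << 3) | 4
    refid = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    ref_ts = (1700000000 + NTP_EPOCH_OFFSET) << 32
    return struct.pack(PACKET, flags, 2, 6, -20, 0x1234, 0x0800, refid, ref_ts, 0, ref_ts, ref_ts)


if __name__ == "__main__":
    import sys
    # Pass a host you are authorised to query; with no argument the constructed reply is parsed.
    info = query(sys.argv[1]) if len(sys.argv) > 1 else parse_reply(constructed_reply())
    for key, value in info.items():
        print(f"{key:18} {value}")
```

The refid is what makes the ntptrace walk possible: for a stratum-2 or deeper server it is the IPv4 address of the server it synchronises to, so the same query can be repeated against that address until a stratum-1 refid such as GPS or PPS is reached. A stratum of 0 in a reply is a kiss-of-death packet (the refid then holds a code such as RATE), which is the server telling the client to back off.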

42
Q

Which of the following tools is used by an attacker for SMTP enumeration and to extract all the email header parameters, including confirm/urgent flags?

A. Wireshark
B. NetScanTools Pro
C. JXplorer
D. Snmpcheck

A

Answer: B. NetScanTools Pro

Explanation:
NetScanTools Pro: NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server and lets the tester set all of the email header parameters, including the confirm and urgent flags.

Wireshark: Wireshark is a packet analyzer used for network examination, protocol inspection, and troubleshooting.

JXplorer: JXplorer is a Java-based application used to browse and search any LDAP directory.

Snmpcheck: Its goal is to automate the process of gathering information on any device with SNMP support (Windows, Unix-like systems, network appliances, printers, etc.).

43
Q

Which of the following smtp-user-enum options is used to select the file containing hostnames running the SMTP service?

A. -t host
B. -U file
C. -T file
D. -u user

A

Answer: C. -T file

Explanation:

smtp-user-enum options and its description:

-U file: Select the file containing usernames to check via the SMTP service

-t host: Specify the server host running the SMTP service

-T file: Select the file containing hostnames running the SMTP service

-u user: Check if a user exists on the remote system

44
Q

Which of the following SMTP in-built commands tells the actual delivery addresses of aliases and mailing lists?

A. RCPT TO
B. PSINFO
C. EXPN
D. VRFY

A

Answer: C. EXPN.

Explanation:

Mail systems commonly use SMTP together with POP3 and IMAP, which let users keep messages in a server mailbox and download them from the server as needed. SMTP locates the mail server for a domain through its Mail Exchange (MX) records in DNS. It runs on TCP port 25.

SMTP provides three built-in commands that reveal user information:

VRFY - Validates users

EXPN - Tells the actual delivery addresses of aliases and mailing lists

RCPT TO - Defines the recipients of the message

SMTP servers respond differently to VRFY, EXPN, and RCPT TO for valid and invalid users (typically 250 for a known user and 550 for an unknown one), from which an attacker can determine the valid users on the server. Attackers can interact with SMTP directly through a telnet session and collect a list of valid users. A hardened server answers 252 ("cannot VRFY user, but will accept message") to every VRFY, which tells the attacker nothing.
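The VRFY/EXPN/RCPT TO exchange described above, as an added example that is not part of the original flashcards: a Python client that sends all three probes for each candidate name and sorts the replies by status code, run against a constructed in-process stand-in for an unhardened mail server so that it works offline. The host names, mailboxes and alias are made up; a real target would be a server you are authorised to test, and a hardened server answers 252 to every VRFY, which the client records as inconclusive rather than as a hit.

```python
import socket
import threading

# Constructed data for the offline demo: two mailboxes the stand-in server
# confirms and one alias it expands. None of these are real hosts or users.
MAILBOXES = {"root", "postmaster"}
ALIASES = {"staff": ["<alice@example.test>", "<bob@example.test>"]}


def _serve_one(listener):
    """Stand-in for an unhardened MTA: it answers VRFY, EXPN and RCPT TO truthfully."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode().partition(" ")
                verb, arg = verb.upper(), arg.strip()
                if verb == "VRFY":
                    reply = f"250 <{arg}@example.test>" if arg in MAILBOXES else "550 5.1.1 User unknown"
                elif verb == "EXPN":  # multi-line reply: "250-" continues, "250 " ends it
                    m = ALIASES.get(arg, [])
                    reply = "\r\n".join(["250-" + x for x in m[:-1]] + ["250 " + m[-1]]) if m else "550 5.1.1 List unknown"
                elif verb == "RCPT":  # arg is "TO:<local@domain>"
                    local = arg.split(":", 1)[1].strip("<> ").split("@")[0]
                    reply = "250 OK" if local in MAILBOXES else "550 5.1.1 No such user"
                elif verb in ("HELO", "MAIL", "RSET"):
                    reply = "250 OK"
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    reply = "502 Command not implemented"
                conn.sendall(reply.encode() + b"\r\n")


def read_reply(f):
    """Read one SMTP reply, joining "250-" continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("server closed the connection")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def enumerate_users(host, port, candidates, domain="example.test"):
    """Probe each candidate with VRFY, EXPN and RCPT TO. 250 confirms the name; 252 means
    the server refuses to say (the hardened behaviour) and is recorded as inconclusive."""
    found = {"VRFY": set(), "EXPN": {}, "RCPT": set(), "inconclusive": set()}
    with socket.create_connection((host, port), timeout=5) as sock, sock.makefile("rb") as f:
        def cmd(text):
            sock.sendall(text.encode() + b"\r\n")
            return read_reply(f)
        read_reply(f)  # 220 banner
        cmd("HELO scanner.example.test")
        for name in candidates:
            code, _ = cmd(f"VRFY {name}")
            if code == 250:
                found["VRFY"].add(name)
            elif code == 252:
                found["inconclusive"].add(name)
            code, lines = cmd(f"EXPN {name}")
            if code == 250:
                found["EXPN"][name] = lines
            cmd("MAIL FROM:<probe@scanner.example.test>")
            code, _ = cmd(f"RCPT TO:<{name}@{domain}>")
            if code == 250:
                found["RCPT"].add(name)
            cmd("RSET")
        cmd("QUIT")
    return found


def run_demo(candidates=("root", "postmaster", "staff", "nobody")):
    """Start the stand-in server on a loopback port and enumerate against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_serve_one, args=(listener,), daemon=True)
    t.start()
    try:
        return enumerate_users("127.0.0.1", listener.getsockname()[1], candidates)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for method, names in run_demo().items():
        print(f"{method:13} {names}")
```

RCPT TO is the probe that survives hardening longest, because a server has to decide whether to accept a recipient before it can deliver mail; the RSET after each attempt keeps the session in a clean state so the next MAIL FROM is accepted. If a server returns 252 for every VRFY the method is useless and only RCPT TO timing or wording differences remain, which is why the countermeasure later in this module is to make all three commands answer identically for known and unknown users.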

45
Q

Given below are the various steps to perform SMTP enumeration.

  1. Launch the Metasploit msfconsole and switch to the relevant auxiliary scanner to initiate the process: auxiliary/scanner/smtp/smtp_enum.
  2. Use the command show advanced to view the complete list of available options in the SMTP user enumeration module.
  3. Use the command show options to view the entire list of options required to perform this task.
  4. Execute the run command to begin the enumeration process.
  5. Use the option set RHOST to set the target SMTP server’s IP address or a range of IP addresses.
  6. Set the USER_FILE option to use custom wordlists.

Identify the correct sequence of steps involved in performing SMTP enumeration.

A. 6 -> 5 -> 4 -> 3 -> 2 -> 1
B. 1 -> 5 -> 3 -> 2 -> 6 -> 4
C. 1 -> 3 -> 5 -> 6 -> 2 -> 4
D. 3 -> 2 -> 1 -> 4 -> 5 -> 6

A

Answer: C. 1 -> 3 -> 5 -> 6 -> 2 -> 4

Explanation:
Steps to Enumerate SMTP Users Using Metasploit:

Step 1: Launch Metasploit msfconsole and switch to the relevant auxiliary scanner to initiate the process: auxiliary/scanner/smtp/smtp_enum.
msf > use auxiliary/scanner/smtp/smtp_enum

msf auxiliary(smtp_enum) >

Step 2: Use the command show options to view the entire list of options required to perform this task. Alternatively, the command show evasion can be used to view the list of options to evade security solutions.

Step 3: Use the option set RHOST to set the target SMTP server’s IP address or a range of IP addresses.

Step 4: By default, the Metasploit framework uses the wordlist at /usr/share/metasploit-framework/data/wordlists/unix_users.txt to enumerate SMTP users. The USER_FILE option can be set to use a custom wordlist.
msf auxiliary(smtp_enum) > set USER_FILE

Step 5: Use the command show advanced to view the complete list of available options in the SMTP user enumeration module.

Step 6: Execute the run command to begin the enumeration process. It scans the given wordlists with the SMTP server users and lists all the matched usernames.

46
Q

Which of the following tools allows an attacker to scan domains and obtain a list of subdomains, records, IP addresses, and other valuable information from a target host?

A. Experian
B. Nmap
C. cSploit
D. X-Ray

A

Answer: B. Nmap

Explanation:

Experian: Experian provides insights into competitors’ search, affiliate, display, and social marketing strategies and metrics to improve marketing campaign results.

Nmap: Attackers use Nmap to scan domains and obtain a list of subdomains, records, IP addresses, and other valuable information from the target host.

cSploit: cSploit is an Android network analysis and penetration suite that is used to map the local network, fingerprint hosts’ operating systems and open ports, perform integrated traceroute, forge TCP/UDP packets, and perform MITM attacks such as password sniffing, JavaScript injection, capturing real-time network traffic, DNS spoofing, and session hijacking.

X-Ray: X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.

47
Q

Which of the following tools is a framework that contains an SMTP enumeration module that allows attackers to connect to the target SMTP server and enumerate usernames using predefined wordlists?

A. PortQry
B. Tasklist
C. LDNS
D. Metasploit

A

Answer: D. Metasploit.

Explanation:

LDNS: LDNS-walk enumerates the DNSSEC zone and obtains results on the DNS record files.

Metasploit: Attackers use the Metasploit framework to enumerate SMTP users. The framework contains an SMTP enumeration module that allows attackers to connect to the target SMTP server and enumerate usernames using predefined wordlists.

Tasklist: Tasklist displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.

CeWL: Attackers can use CeWL tool to gather a list of words from the target website.

48
Q

Carter, a professional hacker, was tasked with fetching valuable information from the rival organization. For this purpose, Carter started enumerating the target network to identify existing vulnerabilities. He executed an nmap command to retrieve all the subdomains associated with the target network.

Identify the command executed by Carter in the above scenario.

A. nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150
B. nmap -p 25 --script=smtp-enum-users
C. nmap -p 25 --script=smtp-open-relay
D. nmap -T4 -p 53 --script dns-brute

A

Answer: D. nmap -T4 -p 53 --script dns-brute

Explanation:
nmap -p 25 --script=smtp-open-relay

Run the above command to identify SMTP open relays.

nmap -p 25 --script=smtp-enum-users

Run the above command to enumerate all the mail users on the SMTP server.

nmap -T4 -p 53 --script dns-brute

Execute the above command to retrieve all the subdomains associated with the target host.

nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150

Run the above command to check whether DNS recursion is enabled on the target server.

49
Q

Which of the following commands allows an attacker to list the SMTP commands supported by the target mail server?
A. nmap -p 25,465,587 --script=smtp-commands
B. nmap -p 25 --script=smtp-open-relay
C. nmap -T4 -p 53 --script dns-brute
D. nmap -p 25 --script=smtp-enum-users

A

Answer: A. nmap -p 25,465,587 --script=smtp-commands

Explanation:
Execute the following command to retrieve all the subdomains associated with the target host:

nmap -T4 -p 53 --script dns-brute

Run the following command to identify SMTP open relays:

nmap -p 25 --script=smtp-open-relay

Run the following command to enumerate all the mail users on the SMTP server:

nmap -p 25 --script=smtp-enum-users

The following command lists the SMTP commands the mail server advertises (the script issues EHLO and HELP and prints the responses). The port list covers SMTP, SMTPS, and the submission port, and must be written without spaces; otherwise Nmap reads the rest of the list as target names:

nmap -p 25,465,587 --script=smtp-commands

50
Q

A hacker is attempting to use nslookup to query the Domain Name System (DNS). The hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records?

A. Transfer type=ns
B. Set type=ns
C. Locate type=ns
D. Request type=ns

A

Answer: B. Set type=ns.

Explanation:

Here are the values and their corresponding descriptions for the nslookup command:

Value: A, Description: Specifies a computer’s IP address.
Value: ANY, Description: Specifies any type of DNS record for a computer’s IP address.
Value: CNAME, Description: Specifies a canonical name for an alias.
Value: GID, Description: Specifies the group identifier of a group name.
Value: HINFO, Description: Specifies a computer’s CPU and type of operating system.
Value: MB, Description: Specifies a mailbox domain name.
Value: MG, Description: Specifies a mail group member.
Value: MINFO, Description: Specifies mailbox or mail list information.
Value: MR, Description: Specifies the mail rename domain name.
Value: MX, Description: Specifies the mail exchanger.
Value: NS, Description: Specifies a DNS name server for the named zone.
Value: PTR, Description: Specifies a computer name if the query is an IP address.
Value: SOA, Description: Specifies the start-of-authority for a DNS zone.
Value: TXT, Description: Specifies the text information.
Value: UID, Description: Specifies the user identifier.
Value: UINFO, Description: Specifies the user information.

51
Q

Which of the following enumeration techniques is used by a network administrator to replicate domain name system (DNS) data across many DNS servers, or to backup DNS files?

A. Extract usernames using e-mail IDs
B. Extract information using DNS zone transfer
C. Extract information using default passwords
D. Brute force active directory

A

Answer: B. Extract information using DNS zone transfer.

Explanation:
Extract information using DNS zone transfer: a network administrator can use DNS zone transfer to replicate DNS data across many DNS servers or to backup DNS files. The administrator needs to execute a specific zone transfer request to the name server.

52
Q

Which of the following tools is a DNS interrogation tool?

A. Hping
B. NetScan Tools Pro
C. SandCat Browser
D. DIG

A

Answer: D. DIG.

Explanation:

Hping2 / Hping3: Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.

DIG: DIG is the tool that can be used to perform DNS Interrogation. It can be used as a web-based equivalent of the Unix dig command.

NetScan Tools Pro: NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for network professionals. It researches IPv4 addresses, IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or with manual tools. It is designed for the Windows operating system.

SandCat Browser: Sandcat is a lightweight multi-tabbed web browser packed with features for developers and pen-testers. The browser is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.

53
Q

Which of the following Nmap commands is used by an attacker to enumerate the SMB service running on the target IP address?

A. # nmap -p 23 --script telnet-ntlm-info
B. # nmap -p 445 -A
C. # nmap -sR
D. # nmap -sV -v --script nbstat.nse

A

Answer: B. # nmap -p 445 -A

Explanation:

nmap -p 445 -A: Scans the SMB port in aggressive mode (-A), which runs version detection, OS detection, the default NSE scripts (including the smb-* scripts), and traceroute; this is the command used to enumerate the SMB service running on the target IP address.

nmap -sR: Used to identify the RPC service running on the network (in current Nmap releases -sR is an alias for -sV).

nmap -p 23 --script telnet-ntlm-info and nmap -sV -v --script nbstat.nse target the Telnet and NetBIOS name services respectively, not SMB.

54
Q

Which of the following Nmap commands is used by an attacker to enumerate the TFTP service running on the target domain?

A. # nmap -p 23
B. # nmap -T4 -A
C. # nmap -p 69
D. # nmap -p 21

A

Answer: C. # nmap -p 69

Explanation:

nmap -p 69: Used to enumerate the TFTP service running on the target domain. TFTP listens on UDP port 69, so in practice add -sU (nmap -sU -p 69); without it Nmap probes TCP port 69 only.

nmap -p 23 and nmap -p 21 target the Telnet and FTP services, and nmap -T4 -A is a general aggressive scan rather than a TFTP-specific one.

55
Q

Which of the following enumeration tools allows an attacker to fetch the IPv6 address of a machine through SNMP?

A. Svmap
B. ike-scan
C. Enyx
D. dig

A

Answer: C. Enyx

Explanation:

dig: Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc.

Enyx: It is an enumeration tool that fetches the IPv6 address of a machine through SNMP.

Svmap: Svmap is an open-source scanner that identifies SIP devices and PBX servers on a target network. It can be helpful for system administrators when used as a network inventory tool.

ike-scan: ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern.

56
Q

Which of the following options in the finger command-line utility is used for preventing the matching of usernames?

A. -p
B. -l
C. -m
D. -s

A

Answer: C. -m

Explanation:
The options are as follows.

-m: Prevents the matching of usernames.

-s: Displays the user’s login name, real name, terminal name, idle time, login time, office location, and office phone number

-l: Produces a multi-line format displaying all of the information described for the -s option as well as the user’s home directory, home phone number, login shell, mail status, and the contents of the files “.plan,” “.project,” “.pgpkey,” and “.forward” from the user’s home directory

-p: Prevents the -l option of finger from displaying the contents of the “.plan,” “.project,” and “.pgpkey” files.

57
Q

Greg, a professional hacker, targeted an organization and performed user enumeration on a remote system of the target organization. In this process, he used a command-line utility to successfully gather the list of users who are logged into the remote system and their login times.

Which of the following command-line utilities was employed by Greg for user enumeration?

A. PortQry
B. Finger
C. PsKill
D. PsFile

A

Answer: B. Finger.

Explanation:

PortQry: The PortQry utility reports the status of TCP and UDP ports on a local or remote computer. Attackers can use PortQry to perform TFTP enumeration.

PsFile: PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by file identifier.

PsKill: PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PsKill with a process ID directs it to kill the process of that ID on the local computer.

Finger: finger displays information about system users such as the user’s login name, real name, terminal name, idle time, login time, office location, and office phone numbers.

58
Q

Which of the following protocols is the technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions?

A. NetBIOS
B. SMTP
C. IPSec
D. SNMP

A

Answer: C. IPSec.

Explanation:
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing components such as ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN endpoints. Most IPsec-based VPNs use ISAKMP (Internet Security Association and Key Management Protocol), a part of IKE, to establish, negotiate, modify, and delete security associations (SAs) and cryptographic keys in a VPN environment. An attacker can perform simple direct scanning for ISAKMP on UDP port 500 with tools such as Nmap to detect the presence of a VPN gateway.

59
Q

Which of the following commands allows attackers to enumerate the SMB service running on the target IP address?

A. nmap -p 25 --script=smtp-open-relay
B. nmap -Pn -sU -p 53 --script=dns-recursion
C. nmap -p 445 -A
D. nmap -p 21

A

Answer: C. nmap -p 445 -A

Explanation:
nmap -p 21

The above Nmap command is used by attackers to enumerate the FTP service running on the target domain.

nmap -p 445 -A

Attackers can use the above Nmap command to enumerate the SMB service running on the target IP address.

nmap -p 25 --script=smtp-open-relay

Run the above command to identify SMTP open relays.

nmap -Pn -sU -p 53 --script=dns-recursion

Run the above command to check whether DNS recursion is enabled on the target server.

60
Q

Which of the following commands is used by an attacker to check all NS records of the target domain for zone transfers?

A. dig
B. RPCScan
C. ike-scan
D. ntpq

A

Answer: A. dig.

Explanation:

dig: Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc.

RPCScan: RPCScan communicates with RPC services and checks misconfigurations on NFS shares.

ntpq: This command monitors the operations of the NTP daemon ntpd and determines its performance.

ike-scan: ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern.

61
Q

In which of the following enumeration steps does a penetration tester extract information about encryption and hashing algorithms, authentication types, key distribution algorithms, SA LifeDuration, etc.?

A. Perform DNS enumeration
B. Perform SMTP enumeration
C. Perform IPsec enumeration
D. Perform NTP enumeration

A

Answer: C. Perform IPsec enumeration.

Explanation:

IPsec provides data security by employing components such as ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN endpoints. An attacker can perform a simple direct scan for ISAKMP on UDP port 500 with tools such as Nmap to detect the presence of a VPN gateway.

You can run the following Nmap scan to check the status of ISAKMP on port 500: # nmap -sU -p 500

Attackers can probe further with fingerprinting tools such as ike-scan to enumerate sensitive information including the encryption and hashing algorithms, authentication type, key distribution (Diffie-Hellman group) algorithm, SA LifeDuration, etc. In this type of scan, specially crafted IKE packets with an ISAKMP header are sent to the target gateway and the responses are recorded.
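What ike-scan extracts from those responses is carried in the SA payload of the gateway's first main-mode reply: one transform whose attributes encode the encryption algorithm, hash, authentication method, Diffie-Hellman group and SA lifetime (RFC 2408/2409 numbering). The Python below is an added example, not ike-scan's code and not part of the original flashcards: it builds a main-mode probe offering one common transform, sends it to UDP/500, and decodes the attributes of whatever the gateway accepts. The reply it parses offline is constructed, the name tables cover only the common attribute values, and `probe()` should only be pointed at a gateway you are authorised to test.

```python
import os
import socket
import struct

HEADER = "!8s8sBBBBII"  # initiator cookie, responder cookie, next payload, version, exchange, flags, msg id, length
SA, PROPOSAL, TRANSFORM = 1, 2, 3  # ISAKMP payload types
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "PSK", 2: "DSS-sig", 3: "RSA-sig", 4: "RSA-enc", 5: "RSA-enc-revised"}
GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048", 19: "ECP-256"}
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group", 11: "life_type", 12: "life_duration", 14: "key_length"}


def attr(atype, value):
    """SA attribute: TV form (high bit set) when the value fits in 16 bits, else TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, 4) + value.to_bytes(4, "big")


def transform(number, attrs, last=True):
    body = struct.pack("!BBH", number, 1, 0) + b"".join(attrs)  # Transform-ID 1 = KEY_IKE
    return struct.pack("!BBH", 0 if last else TRANSFORM, 0, 4 + len(body)) + body


def sa_payload(transforms, next_payload=0):
    """One proposal (protocol ISAKMP, no SPI) carrying the given transforms, DOI=IPsec."""
    prop = struct.pack("!BBBB", 1, 1, 0, len(transforms)) + b"".join(transforms)
    prop = struct.pack("!BBH", 0, 0, 4 + len(prop)) + prop
    body = struct.pack("!II", 1, 1) + prop  # DOI 1 = IPsec, situation SIT_IDENTITY_ONLY
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def isakmp_message(icookie, rcookie, exchange_type, payloads):
    return struct.pack(HEADER, icookie, rcookie, SA, 0x10, exchange_type, 0, 0, 28 + len(payloads)) + payloads


def parse_attributes(buf):
    out, pos = {}, 0
    while pos + 4 <= len(buf):
        t, v = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if t & 0x8000:
            out[ATTR.get(t & 0x7FFF, t & 0x7FFF)] = v
        else:
            out[ATTR.get(t, t)] = int.from_bytes(buf[pos:pos + v], "big")
            pos += v
    return out


def describe(a):
    """Turn raw attribute numbers into the names ike-scan would print."""
    enc = ENC.get(a.get("encryption"), a.get("encryption"))
    if "key_length" in a:
        enc = f"{enc}-{a['key_length']}"
    life = a.get("life_duration")
    if life is not None:
        life = f"{life} {'kilobytes' if a.get('life_type') == 2 else 'seconds'}"
    return {"encryption": enc, "hash": HASH.get(a.get("hash"), a.get("hash")),
            "auth_method": AUTH.get(a.get("auth_method"), a.get("auth_method")),
            "dh_group": GROUP.get(a.get("dh_group"), a.get("dh_group")), "lifetime": life}


def parse_sa(msg):
    """Walk header -> SA -> proposal -> transforms; payload types other than SA are skipped."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP message")
    _icookie, rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack_from(HEADER, msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match datagram size")
    result = {"exchange": {2: "main-mode", 4: "aggressive"}.get(xchg, xchg),
              "responder_cookie": rcookie.hex(), "transforms": []}
    pos = 28
    while np != 0:
        pnext, _, plen = struct.unpack_from("!BBH", msg, pos)
        body = msg[pos + 4:pos + plen]
        if np == SA:
            ppos = 8  # skip DOI and situation
            while ppos < len(body):
                _, _, pl = struct.unpack_from("!BBH", body, ppos)
                pbody = body[ppos + 4:ppos + pl]
                spi_size, ntrans = pbody[2], pbody[3]
                tpos = 4 + spi_size
                for _ in range(ntrans):
                    _, _, tl = struct.unpack_from("!BBH", pbody, tpos)
                    tbody = pbody[tpos + 4:tpos + tl]
                    result["transforms"].append({"number": tbody[0], **describe(parse_attributes(tbody[4:]))})
                    tpos += tl
                ppos += pl
        np, pos = pnext, pos + plen
    return result


def probe(host, port=500, timeout=3):
    """Main-mode first message offering one common transform; returns the gateway's parsed reply."""
    offer = transform(1, [attr(1, 5), attr(2, 2), attr(3, 1), attr(4, 2), attr(11, 1), attr(12, 28800)])
    msg = isakmp_message(os.urandom(8), bytes(8), 2, sa_payload([offer]))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        data, _ = s.recvfrom(4096)
    if data[:8] != msg[:8]:
        raise ValueError("initiator cookie mismatch: reply is not for our probe")
    return parse_sa(data)


def constructed_reply():
    """Constructed (not captured): a gateway accepting 3DES/SHA1/PSK/MODP-1024 with a 24-hour lifetime."""
    chosen = transform(1, [attr(1, 5), attr(2, 2), attr(3, 1), attr(4, 2), attr(11, 1), attr(12, 86400)])
    return isakmp_message(b"\x11" * 8, b"\x22" * 8, 2, sa_payload([chosen]))


if __name__ == "__main__":
    print(parse_sa(constructed_reply()))
```

A gateway only answers a proposal it accepts, so a real scanner offers many transforms (ike-scan cycles through hundreds) and the one echoed back is the gateway's configured policy; a non-zero responder cookie in the reply is what confirms a VPN gateway is present at all. Aggressive mode (exchange type 4) reveals more, since the gateway's first reply also carries its identity and, with PSK authentication, a hash that can be attacked offline, which is why the check above is part of an authorised assessment rather than routine scanning.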

62
Q

Which of the following countermeasures helps security professionals defend against SMTP enumeration?

A. Disabling EXPN, VRFY, and RCPT TO commands or restricting them to authenticated users
B. Enabling the open relay feature
C. Allowing unlimited accepted connections from a source
D. Including sensitive information on mail servers and local hosts in mail responses

A

Answer: A. Disabling EXPN, VRFY, and RCPT TO commands or restricting them to authenticated users.

Explanation:
SMTP Enumeration Countermeasures:

Configure SMTP servers to ignore email messages to unknown recipients.

Exclude sensitive information about mail servers and local hosts from mail responses.

Disable the open relay feature.

Limit the number of accepted connections from a source to prevent brute-force attacks.

Disable the EXPN and VRFY commands, or restrict them and RCPT TO to authenticated users. (RCPT TO cannot be removed outright without breaking mail delivery; the practical goal is that it answers valid and unknown recipients identically.)

63
Q

Which of the following practices can make a network vulnerable to DNS enumeration attacks?

A. Use a DNS change lock or client lock to restrict the alteration of DNS settings.
B. Use a VPN for secure communication.
C. Enforce two-factor authentication to provide secure access.
D. Host the application server along with the DNS server.

A

Answer: D. Host the application server along with the DNS server.

Explanation:
Discussed below are various measures to prevent DNS enumeration.

Use VPN: Use a VPN for secure communication. In addition, change default passwords.

Implement two-factor authentication: Enforce two-factor authentication to provide secure access when a DNS server is managed by a third party.

Use DNS change lock: Use DNS change lock or client lock to restrict the alteration of DNS settings without appropriate authorization.

Use isolated DNS servers: Avoid hosting the application server along with the DNS server. Use an isolated and dedicated server for DNS services to minimize the risk of web application attacks.

64
Q

Which of the following practices allows attackers to execute external SNMP enumeration attempts on the target network?

A. Encrypt credentials using the “AuthNoPriv” mode.
B. Avoid using the “NoAuthNoPriv” mode.
C. Never change the default or current passwords.
D. Regularly audit the network traffic.

A

Answer: C. Never change the default or current passwords.

Explanation:

SNMP Enumeration Countermeasures

Configure access-control lists (ACLs) for all SNMP connections to allow only legitimate users to access SNMP devices.

Regularly audit the network traffic.

Use SNMPv3 with at least the "AuthNoPriv" security level, which authenticates every message with HMAC-MD5 or HMAC-SHA. Note that AuthNoPriv only authenticates and does not encrypt the payload; use "AuthPriv" where the device supports it.

Modify the registry to allow only restricted or permitted access to the SNMP community name.

Change the default password and periodically change the current password.
Identify all the SNMP devices with read/write permissions and provide read-only permissions to specific devices that do not require read/write permissions.

Avoid using the "NoAuthNoPriv" mode, as it neither authenticates nor encrypts communications.

65
Q

Which of the following practices makes an organizational network susceptible to SNMP enumeration attacks?

A. Configure access-control lists (ACLs) for all SNMP connections.
B. Regularly audit the network traffic.
C. Modify the registry to allow only restricted or permitted access to the SNMP community name.
D. Always use the “NoAuthNoPriv” mode.

A

Answer: D. Always use the “NoAuthNoPriv” mode.

Explanation:

SNMP Enumeration Countermeasures

Configure access-control lists (ACLs) for all SNMP connections to allow only legitimate users to access SNMP devices.

Regularly audit the network traffic.

Use SNMPv3 with at least the "AuthNoPriv" security level, which authenticates every message with HMAC-MD5 or HMAC-SHA. Note that AuthNoPriv only authenticates and does not encrypt the payload; use "AuthPriv" where the device supports it.

Modify the registry to allow only restricted or permitted access to the SNMP community name.

Change the default password and periodically change the current password.
Identify all the SNMP devices with read/write permissions and provide read-only permissions to specific devices that do not require read/write permissions.

Avoid using the "NoAuthNoPriv" mode, as it neither authenticates nor encrypts communications.

66
Q

Identify the security practice that helps administrators prevent external SNMP enumeration attempts.

A. Never audit the network traffic.
B. Allow access to TCP/UDP port 161.
C. Encrypt credentials using the “AuthNoPriv” mode.
D. Configure the SNMP service with read-write authorization.

A

Answer: C. Encrypt credentials using the “AuthNoPriv” mode.

Explanation:

SNMP Enumeration Countermeasures

Regularly audit the network traffic.
Block access to TCP/UDP port 161.

Use SNMPv3 with at least the "AuthNoPriv" security level, which authenticates every message with HMAC-MD5 or HMAC-SHA. Note that AuthNoPriv only authenticates and does not encrypt the payload; use "AuthPriv" where the device supports it.

Do not misconfigure the SNMP service with read-write authorization.

Modify the registry to allow only restricted or permitted access to the SNMP community name.

Change the default password and periodically change the current password.
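The reason default community strings and the NoAuthNoPriv level matter is visible at the byte level: in SNMPv1 and v2c the community string is just an OCTET STRING inside the BER-encoded message, so anyone who can read the packet can read the credential, and guessing "public" against UDP/161 is all the SNMP enumeration in this module needs. The Python below is an added example, not part of the original flashcards and not code from any SNMP tool: it BER-encodes a GetRequest for sysDescr.0, shows the community string sitting in the packet in clear, and parses a GetResponse back into OID/value pairs. The response it parses offline is constructed; `snmp_get()` sends a real request and should only target an agent you are authorised to test.

```python
import os
import socket

SYSDESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    n = 1  # shortest two's-complement encoding, as BER requires
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 with continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def build_get(community, oid, request_id, version=0):
    """SNMPv1 (version=0) or v2c (version=1) GetRequest for one OID.
    The community string travels as a plain OCTET STRING: no authentication, no privacy."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_response(data, expected_id):
    """Decode a GetResponse (PDU tag 0xA2); return version, community, error status and varbinds."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    ptag, pdu, _ = read_tlv(msg, p)
    if ptag != 0xA2:
        raise ValueError(f"unexpected PDU tag {ptag:#x}")
    _, rid, p = read_tlv(pdu)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch: reply is not for our request")
    varbinds, p = {}, 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, q)
        if vtag == 0x04:
            value = val.decode("ascii", "replace")
        elif vtag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big", signed=vtag == 0x02)
        else:
            value = val  # NULL, noSuchObject and anything else: keep the raw bytes
        varbinds[decode_oid(oid)] = value
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii", "replace"),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}


def snmp_get(host, community, oid=SYSDESCR, port=161, timeout=3):
    """One GetRequest over UDP/161 to an agent you are authorised to test."""
    request_id = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid, request_id), (host, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, request_id)


def constructed_response(request_id=0x1234):
    """Constructed GetResponse (not captured traffic) as an agent with the default
    'public' community would answer a sysDescr.0 request."""
    varbind = tlv(0x30, ber_oid(SYSDESCR) + tlv(0x04, b"Linux router 5.15.0 #1 SMP x86_64"))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    packet = build_get("public", SYSDESCR, 0x1234)
    print("request bytes:", packet.hex())
    print("community visible in clear:", b"public" in packet)
    print(parse_response(constructed_response(), 0x1234))
```

The request-id check is what keeps a scanner from being fed forged answers: an agent that does not know the community string never replies, so a reply with the right id is itself confirmation that the guessed string is valid. The same encoder with PDU tag 0xA1 (GetNextRequest) walks a whole MIB subtree, which is how tools such as snmpcheck pull interface tables, routing tables and user lists from a device left on "public".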

67
Q

Which of the following practices helps security experts prevent external LDAP enumeration attempts within a network?

A. Avoid using NT LAN Manager (NTLM), Kerberos, or any basic authentication mechanism.
B. Never deploy canary accounts, which resemble real accounts.
C. Log access to AD services.
D. Allow users to access certain AD entities by changing the permissions on those objects/attributes.

A

Answer: C. Log access to AD services.

Explanation:
LDAP Enumeration Countermeasures

Log access to Active Directory (AD) services.

Block users from accessing certain AD entities by changing the permissions on those objects/attributes.

Deploy canary accounts, which resemble real accounts, to mislead attackers.

Use NT LAN Manager (NTLM), Kerberos, or any basic authentication mechanism to limit access to legitimate users.

Restrict access to Active Directory (AD) by using software such as Citrix.

68
Q

Which of the following practices makes an organizational network susceptible to LDAP enumeration attacks?

A. Allow users to access certain AD entities by changing the permissions on those objects/attributes.
B. Use NT LAN Manager (NTLM), Kerberos, or any basic authentication mechanism.
C. Create decoy groups with the word “Admin” in the name to mislead attackers.
D. Log access to AD services.

A

Answer: A. Allow users to access certain AD entities by changing the permissions on those objects/attributes.

Explanation:

LDAP Enumeration Countermeasures

Use NT LAN Manager (NTLM), Kerberos, or any basic authentication mechanism to limit access to legitimate users.

Log access to Active Directory (AD) services.

Block users from accessing certain AD entities by changing the permissions on those objects/attributes.

Deploy canary accounts, which resemble real accounts, to mislead attackers.

Create decoy groups with the word “Admin” in the name to mislead attackers. Attackers typically search for LDAP admin accounts.

69
Q

Which of the following practices helps security professionals defend against NFS enumeration attempts?

A. Ensure that users are running suid and sgid on the exported file system.
B. Implement the principle of least privileges.
C. Implement firewall rules to allow NFS port 2049.
D. Never implement NFS tunneling through SSH.

A

Answer: B. Implement the principle of least privileges.

Explanation:
NFS Enumeration Countermeasures

Implement firewall rules to block NFS port 2049.

Implement NFS tunneling through SSH to encrypt the NFS traffic over the network.

Implement the principle of least privileges to mitigate threats such as data modification, data addition, and the modification of configuration files by normal users.

Ensure that users are not running suid and sgid on the exported file system.

Ensure that the NIS netgroup has a fully defined hostname to prevent the granting of higher access to other hosts.

70
Q

Which of the following practices makes an organizational network vulnerable to external FTP enumeration attacks?

A. Restrict login attempts and time.
B. Run regular public services such as mail or the web on a single FTP server.
C. Configure ingress and egress filtering rules for the FTP services.
D. Restrict access to the FTP server by IP or domain name.

A

Answer: B. Run regular public services such as mail or the web on a single FTP server.

Explanation:
FTP Enumeration Countermeasures

Restrict access by IP or domain name to the FTP server.

Configure access controls on authenticated FTP accounts using access-control lists (ACLs).

Restrict login attempts and time.

Configure ingress and egress filtering rules for the FTP services.
Use SSL/FTPS for authenticated FTP accounts.

Do not run regular public services such as mail or the web on a single FTP server.

Implement a Markov game-based analysis model for vulnerability assessment and penetration testing (VAPT) on cloud-based FTP servers.

71
Q

Which of the following practices allows an attacker to perform NFS enumeration attempts on a target network?

A. Log the requests to access the system files on the NFS server.
B. Ensure that users are not running suid and sgid on the exported file system.
C. Use the principle of least privileges.
D. Implement firewall rules to allow NFS port 2049.

A

Answer: D. Implement firewall rules to allow NFS port 2049.

Explanation:
NFS Enumeration Countermeasures

Implement firewall rules to block NFS port 2049 (TCP and UDP) from untrusted networks, together with rpcbind/portmapper on port 111 and the mountd port, which showmount -e queries to list exports.

Log the requests to access the system files on the NFS server.

Implement the principle of least privileges to mitigate threats such as data modification, data addition, and the modification of configuration files by normal users.

Ensure that users are not running suid and sgid binaries on the exported file system: keep root_squash enabled on the server so remote root cannot create them, and mount the export on clients with the nosuid (and nodev) options.
Ensure that the NIS netgroup has a fully defined hostname to prevent the granting of higher access to other hosts.

72
Q

Which of the following practices helps security professionals defend a network against external SMB enumeration attempts?

A. Enable TCP ports 88, 139, and 445 and UDP ports 88, 137, and 138.
B. Never implement digitally signed data transmission and communication for accessing SMB resources.
C. Never perform regular audits of system logs.
D. Implement secure VPNs to secure the organizational data during remote access.

A

Answer: D. Implement secure VPNs to secure the organizational data during remote access.

Explanation:
SMB Enumeration Countermeasures

Install the latest security patches for Windows and third-party software
Implement secure VPNs to secure the organizational data during remote access

Perform regular audits of system logs
Implement a proper authentication mechanism with a strong password policy

Employ file behavioral analysis systems such as next-generation firewalls (NGFWs) to observe traffic patterns and obtain timely analysis reports on SMB resources.

Employ highly robust and secure monitoring systems such as global threat sensors for highly sensitive and top-secret data.

Implement digitally signed data transmission and communication for accessing SMB resources.

Block TCP ports 139 and 445 and UDP ports 137 and 138 (NetBIOS/SMB), together with TCP/UDP port 88 (Kerberos), at the network perimeter to prevent external SMB attacks; these ports are required inside a Windows domain, so apply the block at the boundary rather than on domain hosts.

73
Q

Which of the following protocols can be protected from enumeration by simply blocking access to TCP/UDP port 161 on agent devices?

A. FTP
B. SMB
C. SMTP
D. SNMP

A

Answer: D. SNMP

Explanation:
SMTP: SMTP is a TCP/IP mail delivery protocol that uses the well-known TCP port number 25.

Secure Shell: SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22.

TFTP: It uses UDP port 69 for transferring files to a remote host.

SNMP: The agent listens for manager requests on UDP port 161 and answers from that same port; unsolicited notifications (traps and informs) are sent by the agent to the manager on UDP port 162. SNMP over TCP exists but is rarely deployed, so blocking UDP 161 towards agents is the control that stops enumeration.

74
Q

Which of the following is not a best practice to defend against DNS enumeration?

A. Using premium DNS registration services that hide sensitive information such as host information (HINFO) from the public
B. Using standard network admin contacts for DNS registrations to avoid social engineering attacks
C. Disabling DNS zone transfers to untrusted hosts
D. Ensuring that the private hosts and their IP addresses are published in the DNS zone files of the public DNS server

A

Answer: D. Ensuring that the private hosts and their IP addresses are published in the DNS zone files of the public DNS server.

Explanation:
DNS Enumeration Countermeasures

Disable DNS zone transfers to untrusted hosts.

Ensure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.

Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public.

Use standard network admin contacts for DNS registrations to avoid social engineering attacks.

Prune DNS zone files to prevent revealing unnecessary information.
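
Card 74 says private hosts and HINFO records should not appear in the zone files of a public DNS server. As an added example (not from the original cards), this Python script reads a zone file and reports A/AAAA records that point at RFC 1918, shared-address (RFC 6598), loopback, link-local or IPv6 ULA space, plus any HINFO records. The zone data is constructed; example.com, 203.0.113.0/24 and fd12:... are documentation/ULA ranges, and the parser is simplified (one record per line, owner name present on each line).

```python
import ipaddress

# Constructed zone file for a public-facing name server (not a real domain's data).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 300)
@           IN  NS    ns1.example.com.
ns1         IN  A     203.0.113.10
www         IN  A     203.0.113.20
mail        IN  A     203.0.113.25
intranet    IN  A     10.10.5.20       ; internal host published by mistake
fileserver  IN  A     192.168.4.7
vpn-gw      IN  AAAA  fd12:3456:789a::1
www         IN  HINFO "PC-Intel-700mhz" "Linux"
"""

# Address space that belongs on an internal resolver, never in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Record types whose only effect in a public zone is to hand an attacker host details.
LEAKY_TYPES = {"HINFO": "publishes host hardware/OS information"}


def parse_zone(text):
    """Yield (owner, rtype, rdata_tokens) per record line.

    Simplified: one record per line with an explicit owner, optional TTL and class,
    ';' comments stripped, $ directives skipped.
    """
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0] in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0)
        yield owner, rtype, tokens


def is_internal_address(value):
    """True when value parses as an IP address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def audit_zone(text):
    """Return (owner, rtype, reason) for records a public zone should not carry."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA") and rdata and is_internal_address(rdata[0]):
            findings.append((owner, rtype, f"non-public address {rdata[0]} in public zone"))
        if rtype in LEAKY_TYPES:
            findings.append((owner, rtype, LEAKY_TYPES[rtype]))
    return findings


if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:<12} {rtype:<6} {reason}")
```

The same check is worth running over the output of a zone transfer from your own secondaries, since that is exactly the view an attacker gets if AXFR is left open.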

75
Q

Which of the following security practices can help security experts prevent DNS enumeration attacks on a network?

A. Randomize source ports.
B. Open all the unused ports and services.
C. Never use isolated DNS servers.
D. Enable DNS recursion.

A

Answer: A. Randomize source ports.

Explanation:
Discussed below are various measures to prevent DNS enumeration.

Disable DNS recursion: Turn recursion off on authoritative (public-facing) servers, or restrict it to internal clients, so the server does not answer recursive queries for third-party domains; an open recursive resolver is what DNS amplification and cache poisoning attacks abuse.

Harden the OS: Harden the OS by closing unused ports and blocking unnecessary services.

Use isolated DNS servers: Avoid hosting the application server along with the DNS server. Use an isolated and dedicated server for DNS services to minimize the risk of web application attacks.

Randomize source ports: Ensure that the resolver's outgoing queries use a random source port rather than a fixed one (historically UDP port 53); the destination port remains 53. In addition, randomize the 16-bit query ID and the letter case of the queried name (0x20 encoding) so that a spoofed answer is unlikely to match an outstanding query, which defends against cache poisoning.

76
Q

Which of the following practices allows security experts to defend against SMTP enumeration attempts on a network?

A. Never ignore email messages to unknown recipients.
B. Do not share internal IP/host information or mail relay system information.
C. Include sensitive information on mail servers and local hosts in mail responses.
D. Enable the open relay feature.

A

Answer: B. Do not share internal IP/host information or mail relay system information.

Explanation:
SMTP Enumeration Countermeasures

Configure the SMTP server to ignore (silently discard) email messages to unknown recipients rather than bouncing them with an informative error.

Exclude sensitive information about mail servers and local hosts (internal hostnames, software versions) from SMTP banners and responses.

Disable the open relay feature.
Limit the number of accepted connections from a source to prevent brute-force attacks.

Disable the EXPN and VRFY commands or restrict them to authenticated users. RCPT TO cannot be disabled without breaking mail delivery, so make sure it returns the same response for valid and invalid recipients and rate-limit it, since attackers otherwise use it as a substitute for VRFY.

Identify spammers through machine learning (ML) solutions.

Do not share internal IP/host information or mail relay system information.

77
Q

Identify the practice that makes an organizational network susceptible to SMTP enumeration attacks.

A. Do not limit the number of accepted connections from a source.
B. Ignore emails to unknown recipients by configuring SMTP servers.
C. Disable the open relay feature.
D. Do not share internal IP/host information or mail relay system information.

A

Answer: A. Do not limit the number of accepted connections from a source.
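
Cards 76 and 77 list the SMTP behaviours that make user enumeration possible. As an added example (not from the original cards), the Python model below generates the replies an enumeration tool would see from a leaky server and from one with the countermeasures applied: a neutral banner, VRFY and EXPN disabled, an identical RCPT TO reply for every recipient, and a per-source connection limit. The mailbox list, domain, hostname and version string are constructed; the class is a reply generator only, not a mail server.

```python
from collections import Counter

# Constructed mailbox list and domain for the example (not a real mail system).
DOMAIN = "example.com"
KNOWN_USERS = {"alice", "bob", "postmaster"}


class SmtpFrontEnd:
    """Reply generator for the commands an enumerator cares about.

    hardened=False reproduces the leaky behaviour the countermeasures address;
    hardened=True applies them: neutral banner, VRFY/EXPN disabled, uniform
    RCPT TO replies, and a per-source connection budget.
    """

    def __init__(self, hardened, max_conns_per_source=3):
        self.hardened = hardened
        self.max_conns = max_conns_per_source
        self.conns = Counter()

    def banner(self):
        if self.hardened:
            return f"220 mail.{DOMAIN} ESMTP"          # no internal hostname, no software version
        return "220 mx1.corp.example.internal ESMTP Postfix 3.8.1"

    def connect(self, source_ip):
        """Greeting for a new connection, or 421 once a source exceeds its budget."""
        self.conns[source_ip] += 1
        if self.hardened and self.conns[source_ip] > self.max_conns:
            return "421 4.7.0 Too many connections from your host, try again later"
        return self.banner()

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            return self._vrfy(arg)
        if verb == "EXPN":
            return self._expn(arg)
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 5.5.2 Command not recognized"

    @staticmethod
    def _local_part(arg):
        addr = arg.strip()
        if addr.upper().startswith("TO:"):
            addr = addr[3:].strip()
        return addr.strip("<>").split("@", 1)[0].lower()

    def _vrfy(self, arg):
        if self.hardened:
            return "252 2.1.5 Cannot VRFY user, but will accept message and attempt delivery"
        user = self._local_part(arg)
        if user in KNOWN_USERS:
            return f"250 2.1.5 {user} <{user}@{DOMAIN}>"
        return f"550 5.1.1 {user}... User unknown"

    def _expn(self, arg):
        if self.hardened:
            return "502 5.5.1 EXPN command not implemented"
        if self._local_part(arg) == "all":          # leaky: expands a list to every mailbox
            return "\n".join(f"250-{u} <{u}@{DOMAIN}>" for u in sorted(KNOWN_USERS))
        return "550 5.1.1 List unknown"

    def _rcpt(self, arg):
        user = self._local_part(arg)
        if self.hardened:
            # Identical reply for every recipient; mail to unknown users is later
            # discarded (the "ignore email to unknown recipients" measure) rather than
            # bounced, so neither RCPT TO nor a bounce acts as a user oracle.
            return "250 2.1.5 Ok"
        if user in KNOWN_USERS:
            return "250 2.1.5 Ok"
        return f"550 5.1.1 <{user}@{DOMAIN}>: Recipient address rejected: User unknown"


def probe(server, candidates, source_ip="198.51.100.7"):
    """Collect (VRFY code, RCPT code) per candidate over one connection, as an enumerator would."""
    if server.connect(source_ip).startswith("421"):
        return {}
    return {
        name: (server.handle(f"VRFY {name}")[:3], server.handle(f"RCPT TO:<{name}@{DOMAIN}>")[:3])
        for name in candidates
    }


def confirmed_users(results):
    """Names an attacker would mark as valid: any 2xx reply to either command."""
    return {name for name, codes in results.items() if any(c.startswith("2") for c in codes)}


def leaks_user_list(results):
    """The enumeration oracle exists exactly when reply codes differ between names."""
    return len(set(results.values())) > 1
```

Against the hardened front end every candidate name gets the same codes, so confirmed_users returns the whole wordlist and the attacker has learned nothing; the connection budget additionally cuts off a long wordlist from one source. Accepting all recipients at RCPT time is one way to implement "ignore unknown recipients"; the alternative, a uniform 550 for everyone, is equally opaque but rejects legitimate mail, so most sites accept and discard.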

78
Q

Rick, a professional hacker, targeted an organization and found that the organization uses FTP to transfer files over TCP. He exploited the FTP service to access the organization’s data. Greg, a security professional at the organization, noticed that someone was accessing the data and wants to strengthen the security of the FTP server.

Which of the following countermeasures should Greg employ to secure the organization’s information if an attacker has already exploited the FTP service?

A. Ensure that the unrestricted uploading of files on the FTP server is allowed
B. Never restrict login attempts and time
C. Implement a certification-based authentication policy
D. Allow access by IP or domain name to the FTP server

A

Answer: C. Implement a certification-based authentication policy.

Explanation:
FTP Enumeration Countermeasures

Implement secure FTP (SFTP, which is file transfer over SSH and a different protocol from FTP) or FTP secure (FTPS, which is FTP over SSL/TLS) to encrypt file transfer traffic over the network.

Implement strong passwords or a certification-based authentication policy.

Ensure that the unrestricted uploading of files on the FTP server is not allowed.

Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly.

Restrict access by IP or domain name to the FTP server.

Configure access controls on authenticated FTP accounts with the help of access control lists (ACLs).

Restrict login attempts and time.

Configure filtering rules for the FTP services.

Use FTPS (FTP over SSL/TLS) for authenticated FTP accounts so credentials are not sent in cleartext.

79
Q

Which of the following practices helps security professionals defend the organizational network against DNS enumeration attempts?

A. Restrict the auditing of DNS zones.
B. Never restrict DNS zone transfers to specific slave nameserver IP addresses.
C. Ensure that the resolver can be accessed only by the hosts outside the network.
D. Disable DNS recursion in the DNS server configuration.

A

Answer: D. Disable DNS recursion in the DNS server configuration.

Explanation:

Discussed below are various measures to prevent DNS enumeration.

Restrict resolver access: Ensure that the resolver can be accessed only by the hosts inside the network to prevent external cache poisoning.

Restrict DNS zone transfers: Restrict DNS zone transfers to specific slave nameserver IP addresses because the zone transfer may include a master copy of the primary server’s database. Disable DNS zone transfers to untrusted hosts.

Audit DNS zones: Audit DNS zones to identify vulnerabilities in domains and subdomains and address DNS-related issues.

Disable DNS recursion: Turn recursion off on authoritative (public-facing) servers, or restrict it to internal clients, so the server does not answer recursive queries for third-party domains; an open recursive resolver is what DNS amplification and cache poisoning attacks abuse.
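
Cards 75 and 79 describe server-side settings: recursion restricted or off, zone transfers limited to the secondaries, and randomized source ports. As an added example (not from the original cards), the Python script below lints BIND named.conf text for those three points: recursion yes without a restrictive allow-recursion, a fixed port in query-source, and a primary zone whose effective allow-transfer is missing or any. The two configuration fragments are constructed; the directive names are BIND's, and 203.0.113.53 / 2001:db8::53 are documentation addresses standing in for a real secondary.

```python
import re

# Constructed named.conf fragments for the example (not from a production server).
WEAK_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    query-source address * port 53;
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
"""

HARDENED_CONF = """\
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 203.0.113.53; 2001:db8::53; };
};
"""


def blocks(text, keyword):
    """Yield (label, body) for each `keyword ["label"] { body };` statement, matching nested braces."""
    for m in re.finditer(rf'\b{keyword}\b\s*("[^"]*")?\s*\{{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield (m.group(1) or "").strip('"'), text[m.end():i - 1]


def acl_values(body, directive):
    """Address-match list of `directive { a; b; };` in body, or None when the directive is absent."""
    m = re.search(rf"\b{directive}\s*\{{([^}}]*)\}}", body)
    if not m:
        return None
    return [v.strip() for v in m.group(1).split(";") if v.strip()]


def audit_named_conf(text):
    """Return (scope, finding) pairs for settings that expose the server to enumeration or abuse."""
    findings = []
    opts = dict(blocks(text, "options")).get("", "")

    # Recursion open to everyone makes an open resolver (cards 75 and 79).
    if re.search(r"\brecursion\s+yes\s*;", opts):
        allowed = acl_values(opts, "allow-recursion")
        if allowed is None or "any" in allowed:
            findings.append(("options", "recursion enabled for any client (open resolver): cache poisoning and amplification exposure"))

    # A fixed query-source port defeats source-port randomization (card 75).
    if re.search(r"\bquery-source\b[^;]*\bport\s+\d+", opts):
        findings.append(("options", "fixed query-source port disables source-port randomization"))

    # Zone transfers must be limited to the secondary servers (card 79).
    global_xfer = acl_values(opts, "allow-transfer")
    for name, body in blocks(text, "zone"):
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue
        effective = acl_values(body, "allow-transfer")
        if effective is None:
            effective = global_xfer
        if effective is None or "any" in effective:
            findings.append((name, "zone transfer (AXFR) allowed to any host"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf))
```

After changing the configuration, confirm from an external vantage point: an AXFR request for the zone against the public server should fail, and a recursive query for a third-party name should be refused rather than answered.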

80
Q

Which of the following countermeasures allows security professionals to defend their organizational network against FTP enumeration attacks?

A. Never configure access controls on authenticated FTP accounts.
B. Implement a Markov game–based analysis model for vulnerability assessment.
C. Never restrict login attempts and time.
D. Run regular public services such as mail or the web on a single FTP server.

A

Answer: B. Implement a Markov game–based analysis model for vulnerability assessment.

Explanation:
FTP Enumeration Countermeasures

Implement secure FTP (SFTP, which is file transfer over SSH and a different protocol from FTP) or FTP secure (FTPS, which is FTP over SSL/TLS) to encrypt file transfer traffic over the network.

Implement strong passwords or a certification-based authentication policy.
Ensure that the unrestricted uploading of files on the FTP server is not allowed.

Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly.

Restrict access by IP or domain name to the FTP server.

Configure access controls on authenticated FTP accounts using access-control lists (ACLs).

Restrict login attempts and time.

Configure ingress and egress filtering rules for the FTP services.
Use FTPS (FTP over SSL/TLS) for authenticated FTP accounts so credentials are not sent in cleartext.

Do not run regular public services such as mail or the web on a single FTP server.

Implement a Markov game-based analysis model for vulnerability assessment and penetration testing (VAPT) on cloud-based FTP servers.
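
Cards 70, 78 and 80 list the FTP hardening items as prose. As an added example (not from the original cards), the Python script below checks a vsftpd.conf against them: anonymous access and anonymous uploads, writable logins that are not chrooted, missing or optional TLS, no host-based restriction, no per-source connection limit, too many login failures, and a banner that reveals the software version. The option names and the stated defaults are vsftpd's (upstream ships anonymous_enable=YES and max_per_ip=0; distribution packages may differ); both configuration files are constructed for the example.

```python
import re

# Constructed vsftpd.conf files for the example (not taken from real servers).
WEAK_VSFTPD_CONF = """\
# FTP server configuration
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
ssl_enable=NO
ftpd_banner=Welcome to CORP-FTP01 (vsftpd 3.0.3)
max_per_ip=0
"""

HARDENED_VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
max_per_ip=5
max_login_fails=3
idle_session_timeout=300
ftpd_banner=Authorized users only
"""


def parse_vsftpd(text):
    """Return the key=value settings of a vsftpd.conf as a dict (comment lines skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def enabled(conf, key, default="NO"):
    """Boolean view of a YES/NO option; `default` is vsftpd's compiled-in default for it."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf):
    """Return (option, finding) pairs for the FTP countermeasures listed in the cards above."""
    findings = []
    if enabled(conf, "anonymous_enable", default="YES"):
        findings.append(("anonymous_enable", "anonymous FTP enabled; disable it or monitor the account"))
        if enabled(conf, "anon_upload_enable") or enabled(conf, "anon_mkdir_write_enable"):
            findings.append(("anon_upload_enable", "anonymous users may upload files"))
    if enabled(conf, "write_enable") and not enabled(conf, "chroot_local_user"):
        findings.append(("chroot_local_user", "writable logins are not confined to their home directories"))
    if not enabled(conf, "ssl_enable"):
        findings.append(("ssl_enable", "credentials and data travel in cleartext; enable FTPS or move to SFTP"))
    elif not (enabled(conf, "force_local_logins_ssl", "YES") and enabled(conf, "force_local_data_ssl", "YES")):
        findings.append(("force_local_*_ssl", "TLS is optional, so a plaintext login is still possible"))
    if not enabled(conf, "tcp_wrappers"):
        findings.append(("tcp_wrappers", "no host-based access restriction (use hosts.allow via tcp_wrappers or a firewall)"))
    if conf.get("max_per_ip", "0") == "0":
        findings.append(("max_per_ip", "no per-source connection limit (0 means unlimited)"))
    if int(conf.get("max_login_fails", "3")) > 3:
        findings.append(("max_login_fails", "too many failed logins allowed per session"))
    banner = conf.get("ftpd_banner")
    if banner is None or re.search(r"vsftpd|\d+\.\d+\.\d+", banner, re.I):
        findings.append(("ftpd_banner", "banner reveals server software/version (the default banner includes the vsftpd version)"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VSFTPD_CONF), ("hardened", HARDENED_VSFTPD_CONF)):
        print(label)
        for option, finding in audit_vsftpd(parse_vsftpd(text)):
            print(f"  {option:<22} {finding}")
```

The banner check matters for enumeration specifically: the version string is the first thing a scanner records, and it is what the attacker in card 78 would have used to pick an exploit.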