Module 4 - Enumeration Flashcards

1
Q

Which protocol can secure an LDAP service against anonymous queries?

A) RADIUS
B) SSO
C) NTLM
D) WPA

A

C

2
Q

SNMP uses databases called MIBs (Management Information Bases) to list all the devices that can be managed by SNMP. Which type of MIB contains object types for workstations and server services?

A) DHCP.MIB
B) LNMIB2.MIB
C) MIB_II.MIB
D) WINS.MIB

A

B

3
Q

Which Windows command lists all the shares you have access to?

Note: Try running this command from a Windows machine! If nothing shows up, then you don’t have access to any shares at the moment.

A) NET CONFIG
B) NET VIEW
C) NET USE
D) NET FILE

A

B

4
Q

Which of these commands would you use to enumerate the user accounts on an SMTP server?

A) EXPN
B) CHK
C) RCPT
D) VRFY

A

D

5
Q

NetBIOS enumeration can get you valuable information such as the names of computers, groups, services, shares, and more. Which of these NetBIOS codes would show you the messenger service running for a logged-in user?

A) <00>
B) <1B>
C) <20>
D) <03>

A

D

6
Q

Which tool would you use to query LDAP services for sensitive info like user and computer names?

A) Zabasearch
B) Ike-scan
C) Jxplorer
D) EarthExplorer

A

C

7
Q

If you were doing a pen-test for BigCorp and wanted to enumerate the network, you’d first attempt a zone transfer. If you were on a Windows machine, you’d use the nslookup command. Assuming the DNS server is at 10.10.10.10 and the domain name is bigcorp.local, what command would you type in the nslookup shell to achieve the zone transfer?

Note: In NSLOOKUP, the -d switch “dumps” all the records for the requested zone (domain).

A) lserver 10.10.10.10 -t all
B) ls -d bigcorp.local
C) list server=10.10.10.10 type=all
D) list domain=bigcorp.local type=zone

A

B

8
Q

Which of these commands would tell you if there is already a specific DNS entry in your DNS cache? For example, you want to see if the cache has already queried for update.adobe.com.

Note: The -norecursive switch tells nslookup to look for the entry in the cache without going out to the internet to ask other servers for the answer. If the specified entry is present in the cache, then the user must have queried for that information earlier.

A) dnsnooping -rt update.adobe.com
B) dns –snoop update.adobe.com
C) nslookup -norecursive update.adobe.com
D) nslookup -fullrecursive update.adobe.com

A

C

9
Q

Which of these Linux commands will resolve the domain amazon.com to an IP address?

A) host -t soa amazon.com
B) host -t AXFR amazon.com
C) host -t ns amazon.com
D) host -t a amazon.com

A

D

10
Q

What info can you gain via SMTP enumeration?

A) The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.
B) The internal command RCPT provides a list of ports open to message traffic.
C) A list of all mail proxy server addresses used by the targeted host.
D) Reveals the daily outgoing message limits before mailboxes are locked.

A

A

11
Q

The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of “public”. This is the so-called “default public community string”. How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

A) Enable SNMPv3 which encrypts username/password authentication.
B) Use your company name as the public community string replacing the default ‘public’.
C) Enable IP filtering to limit access to the SNMP device.
D) The default configuration provided by device vendors is highly secure and you don’t need to change anything.

A

A C

12
Q

What is the name of the technique where you can find out the sites visited by the employees of an organization by querying the DNS server for specific cached DNS records?

A) DNSSEC zone walking
B) DNS cache snooping
C) DNS cache poisoning
D) DNS zone walking

A

B
