PE 2 - Reconnaissance: Information Gathering Flashcards

1
Q

You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you wish to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.)

A.

> server ADNS_SERVER

> set type=HINFO

> ATARGET_SYSTEM

B.

> server ATARGET_SYSTEM

> set type=HINFO

> ADNS_SERVER

C.

> server ADNS_SERVER

> set ATARGET_SYSTEM

> type=HINFO

D.

> server type=HINFO

> set ADNS_SERVER

> ATARGET_SYSTEM

A

A.

> server ADNS_SERVER

> set type=HINFO

> ATARGET_SYSTEM

2
Q

A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action?

A. To possibly gather information about internal hosts used in the organization’s e-mail system

B. To start a denial-of-service attack

C. To determine an e-mail administrator’s contact information

D. To gather information about how e-mail systems deal with invalidly addressed messages

A

A. To possibly gather information about internal hosts used in the organization’s e-mail system

3
Q

From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?

Return-path:

Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200

Received: from mailexchanger.anotherbiz.com([220.15.10.254])

by mailserver.anotherbiz.com running ExIM with esmtp

id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200

Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com)

by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx

for USERJOE@anotherbiz.com; Wed, 13 Apr 2011 01:39:23 +0200

Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer])

by mailserver.anybiz.com with esmtpa (Exim x.xx)

(envelope-from

for USERJOE@anotherbiz.com; Tue, 12 Apr 2011 20:36:08 -0100

Message-ID:

Date: Tue, 12 Apr 2011 20:36:01 -0100

X-Mailer: Mail Client

From: SOMEONE Name

To: USERJOE Name

Subject: Something to consider

A. 220.15.10.254.

B. 158.190.50.254.

C. 217.88.53.154.

D. The e-mail header does not show this information.

A

C. 217.88.53.154.

4
Q

You are looking for pages with the terms CEH and V9 in their title. Which Google hack is the appropriate one?

A. inurl:CEH inurl:V9

B. allintitle:CEH V9

C. intitle:CEH inurl:V9

D. allinurl:CEH V9

A

B. allintitle:CEH V9

5
Q

You are on a Cisco router and wish to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this?

A. ping

B. ifconfig

C. tracert

D. traceroute

A

D. traceroute

6
Q

Which of the following activities are not considered passive footprinting? (Choose two.)

A. Dumpster diving

B. Reviewing financial sites for company information

C. Clicking links within the company’s public website

D. Calling the company’s help desk line

E. Employing passive sniffing

A

D. Calling the company’s help desk line

E. Employing passive sniffing

7
Q

Examine the following command sequence:

Which of the following best describes the intent of the command sequence?

A. The operator is enumerating a system named someserver.

B. The operator is attempting DNS poisoning.

C. The operator is attempting a zone transfer.

D. The operator is attempting to find a name server.

A

A. The operator is enumerating a system named someserver.

8
Q

An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called?

A. Dynamic DNS

B. DNSSEC

C. Split DNS

D. Auto DNS

A

C. Split DNS

9
Q

You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this?

A. NS

B. SOA

C. MX

D. PTR

E. CNAME

A

E. CNAME

10
Q

A company has a publicly facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration?

A. Allowing zone transfers to ANY

B. Ensuring there are no A records for internal hosts on the public-facing name server

C. Changing the preference number on all MX records to zero

D. Not allowing any DNS query to the public-facing name server

A

B. Ensuring there are no A records for internal hosts on the public-facing name server

11
Q

Within the DNS system, a primary server (SOA) holds and maintains all records for the zone. Secondary servers will periodically ask the primary if there have been any updates, and if updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will the secondary name server request a zone transfer from a primary?

A. When the primary SOA record serial number is higher than the secondary’s

B. When the secondary SOA record serial number is higher than the primary’s

C. Only when the secondary reboots or restarts services

D. Only when manually prompted to do so

A

A. When the primary SOA record serial number is higher than the secondary’s

12
Q

Examine the following SOA record:

If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?

A. The zone copy is dumped.

B. The zone copy is unchanged.

C. The serial number of the zone copy is decremented.

D. The serial number of the zone copy is incremented.

A

B. The zone copy is unchanged.

13
Q

Which protocol and port number combination is used by default for DNS zone transfers?

A. UDP 53

B. UDP 161

C. TCP 53

D. TCP 22

A

C. TCP 53

14
Q

Examine the following command-line entry:

Which statements are true regarding this command sequence? (Choose two.)

A. Nslookup is in noninteractive mode.

B. Nslookup is in interactive mode.

C. The output will show all mail servers in the zone somewhere.com.

D. The output will show all name servers in the zone somewhere.com.

A

B. Nslookup is in interactive mode.

C. The output will show all mail servers in the zone somewhere.com.

15
Q

Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?

A. DNS poisoning

B. Route poisoning

C. SQL injection

D. ARP poisoning

A

A. DNS poisoning

16
Q

One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they’re updated. Which DNS record type allows you to set this restriction?

A. NS

B. PTR

C. MX

D. CNAME

E. SOA

A

E. SOA

17
Q

Which of the following may be a security concern for an organization?

A. The internal network uses private IP addresses registered to an Active Directory–integrated DNS server.

B. An external DNS server is Active Directory integrated.

C. All external name resolution requests are accomplished by an ISP.

D. None of the above.

A

B. An external DNS server is Active Directory integrated.

18
Q

Which of the following is a good footprinting tool for discovering information on a publicly traded company’s founding, history, and financial status?

A. SpiderFoot

B. EDGAR Database

C. Sam Spade

D. Pipl.com

A

B. EDGAR Database

19
Q

What method does traceroute use to map routes traveled by a packet?

A. By carrying a hello packet in the payload, forcing the host to respond

B. By using DNS queries at each hop

C. By manipulating the Time-To-Live (TTL) parameter

D. By using ICMP Type 5, Code 0 packets

A

C. By manipulating the Time-To-Live (TTL) parameter

20
Q

Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.)

A. Implementing a split-horizon operation

B. Restricting zone transfers

C. Obfuscating DNS by using the same server for other applications and functions

D. Blocking all access to the server on port 53

A

A. Implementing a split-horizon operation

B. Restricting zone transfers

21
Q

A zone file consists of which records? (Choose all that apply.)

A. PTR

B. MX

C. SN

D. SOA

E. DNS

F. A

G. AX

A

A. PTR

B. MX

D. SOA

F. A

22
Q

Examine the following SOA record:

How long will the secondary server wait before asking for an update to the zone file?

A. One hour

B. Two hours

C. Ten minutes

D. One day

A

A. One hour

23
Q

A colleague enters the following into a Google search string:

intitle:intranet inurl:intranet+intext:“human resources”

Which of the following is most correct concerning this attempt?

A. The search engine will not respond with any result because you cannot combine Google hacks in one line.

B. The search engine will respond with all pages having the word intranet in their title and human resources in the URL.

C. The search engine will respond with all pages having the word intranet in the title and in the URL.

D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.

A

D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.

24
Q

Amanda works as a senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned about it, he claims that about a month ago he tried random URLs on the company’s website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website?

A. Search.com

B. Google cache

C. Pasthash.com

D. Archive.org

A

D. Archive.org

25
Q

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals traveling abroad.

C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multinational corporations.

D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual’s property or company’s asset.

A

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

26
Q

Your client’s business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?

A. APNIC

B. RIPE

C. ASIANIC

D. ARIN

E. LACNIC

A

A. APNIC