PE 3 - Scanning and Enumeration Flashcards

1
Q

Your team is hired to test a business named Matt’s Bait ‘n Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:

metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html

Which of the following best describes what the team member is attempting to do?

A. Extract metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format.

B. Extract metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format.

C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file.

D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com.

A

C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file.

-t doc,docx restricts the search to Word file types, -l 50 caps the number of search results, -n 20 caps the number of files downloaded, and -f results.html names the HTML report. metagoofil downloads the documents and reads their embedded metadata (author names, usernames, software versions, internal paths); it does not parse web pages and it does not write Word files, so A, B and D are wrong.
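What metagoofil actually does with each downloaded file is read its embedded properties. The following is an added example (not metagoofil's own code, and not a document from mattsBTshop.com): it opens an Office Open XML file, pulls the creator and last-modifier fields that feed later username enumeration, and builds a small .docx in memory so the whole thing runs offline. The user names in the sample are constructed.

```python
"""Pull author/user metadata out of Office Open XML documents (.docx,
.xlsx, .pptx) the way metagoofil does once it has downloaded them.
Added example, not metagoofil's own code.  The sample document is built
in memory, so nothing is fetched from mattsBTshop.com."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces fixed by the OOXML core-properties schema.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Field name we report -> element path inside docProps/core.xml.
FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def extract_core_properties(blob: bytes) -> dict:
    """Return the core-properties fields present in an OOXML blob.
    Absent fields are left out; anything that is not a valid OOXML zip
    (HTML error page, PDF, truncated download) yields {}."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return {}
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return {}
    found = {}
    for key, path in FIELDS.items():
        node = root.find(path, NS)
        if node is not None and node.text:
            found[key] = node.text.strip()
    return found


def usernames(props: dict) -> set:
    """Candidate account names for later enumeration: creator and last
    modifier, with any DOMAIN\\ prefix stripped."""
    names = set()
    for key in ("creator", "last_modified_by"):
        if key in props:
            names.add(props[key].rsplit("\\", 1)[-1])
    return names


def build_sample_docx(creator: str, modifier: str) -> bytes:
    """Constructed test data: a minimal .docx containing only the parts
    needed for metadata extraction (not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
        'xmlns:dcterms="{dcterms}">'
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
        "<dcterms:created>2019-03-04T10:15:00Z</dcterms:created>"
        "<dcterms:modified>2019-03-06T08:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ).format(creator=escape(creator), modifier=escape(modifier), **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("jsmith", "MATTSBT\\mwalker")
    props = extract_core_properties(sample)
    print(props)
    print(usernames(props))
```

The last-modifier field often carries a DOMAIN\user value straight from the Windows logon, which is why metadata harvesting is done before any password spraying: it yields both the naming convention and real account names.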

2
Q

Which of the following is true regarding the p0f tool?

A. It is an active OS fingerprinting tool.

B. It is a passive OS fingerprinting tool.

C. It is designed to extract metadata for Microsoft files.

D. It is designed for remote access.

A

B. It is a passive OS fingerprinting tool.

3
Q

You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that the IP identification (IPID) values gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

A

A. Your IDLE scan results will not be useful to you.

An idle scan reads the target's answer off the zombie's IPID counter: a closed port leaves the zombie's IPID one higher between the attacker's two probes, an open port two higher. That only works when the zombie uses a single, predictably incrementing counter; if its IPIDs are random, the delta cannot be attributed to the target and another zombie has to be found.
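The IPID arithmetic behind that answer, as an added example that is not nmap's idle-scan code: one function grades a candidate zombie's IPID sequence, one infers the port state from the delta, and a simulator (no packets are sent) produces the two IPIDs the attacker would see. The IPID samples and the classification thresholds are this example's own assumptions, not nmap's exact values.

```python
"""Idle (zombie) scan arithmetic: is a candidate zombie's IP ID sequence
usable, and what does the IP ID delta around a spoofed SYN say about the
target port?  Added example, not nmap's own idle-scan code; the IP ID
samples used with it are constructed, not captured."""


def classify_ipid_sequence(ipids):
    """Classify IP IDs seen in consecutive replies from a candidate zombie.
    Only 'incremental' (and the byte-swapped Windows variant) is usable;
    the thresholds are this example's assumptions, not nmap's exact ones."""
    if len(ipids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ipids):
        return "zero"           # host never sets IP ID: unusable
    deltas = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]  # 16-bit wrap
    if all(d == 0 for d in deltas):
        return "constant"       # unusable
    if all(1 <= d <= 5 for d in deltas):
        return "incremental"    # one global counter on a quiet host: usable
    if all(d % 256 == 0 and 256 <= d <= 5 * 256 for d in deltas):
        return "broken-little-endian-incremental"  # counter stored byte-swapped
    return "random"             # randomised or per-destination IP IDs: unusable


def infer_port_state(ipid_before, ipid_after, probes=1):
    """Interpret the IP IDs of the zombie's replies to the attacker's two
    probes, between which `probes` SYNs were sent to the target with the
    zombie's address spoofed as source."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing; zombie stayed silent
    if delta == 1 + probes:
        return "open"              # target SYN/ACKed the zombie; zombie RSTed each one
    return "unknown"               # zombie was talking to someone else: retry


def simulate_idle_scan(zombie_ipid, target_open, probes=1):
    """Simulated exchange (no packets sent).  Returns the IP IDs the
    attacker would see in the zombie's two replies."""
    ipid = zombie_ipid
    ipid += 1                       # zombie answers the attacker's first probe
    before = ipid
    for _ in range(probes):
        if target_open:
            ipid += 1               # target -> zombie SYN/ACK, zombie -> target RST
        # closed: target -> zombie RST, which the zombie ignores (no packet, no ID)
    ipid += 1                       # zombie answers the attacker's second probe
    return before, ipid


if __name__ == "__main__":
    print(classify_ipid_sequence([40000, 40001, 40002, 40003]))   # incremental
    print(classify_ipid_sequence([3, 50000, 120, 9000]))          # random
    for state in (True, False):
        before, after = simulate_idle_scan(1000, state)
        print(before, after, infer_port_state(before, after))
```

Sending several spoofed SYNs per port (the `probes` argument) makes the open-port delta larger and therefore easier to tell from the odd packet the zombie sends to someone else, which is the same trick nmap uses when a zombie turns out to be slightly noisy.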

4
Q

You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

A. nmap 192.168.1.0/24

B. nmap -sT 192.168.1.0/24

C. nmap -sP 192.168.1.0/24

D. nmap -P0 192.168.1.0/24

A

C. nmap -sP 192.168.1.0/24

-sP is the older ping-scan switch; current nmap spells it -sn (host discovery only, no port scan) and still accepts -sP as an alias. -P0 (now -Pn) does the opposite: it skips host discovery and port-scans every address, and -sT is a full-connect port scan.

5
Q

A team member runs an Inverse TCP scan. What is the expected return for an open port?

A. Open ports respond with a SYN/ACK.

B. Open ports respond with a RST.

C. Open ports respond with a FIN.

D. Open ports do not respond at all.

A

D. Open ports do not respond at all.

Inverse scans (FIN, NULL, XMAS) rely on RFC 793 behaviour: a closed port answers a stray FIN/NULL/XMAS segment with RST, an open port silently drops it. Because a filtered port is equally silent, nmap reports a silent port as open|filtered. Windows stacks reply RST from every port, so the technique does not work against them.

6
Q

You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?

A. 53

B. 88

C. 445

D. 514

E. 631

A

E. 631

631/tcp is IPP (Internet Printing Protocol, used by CUPS and most network printers). 515/tcp (LPD) and 9100/tcp (raw JetDirect) are the other classic printer ports; 53, 88, 445 and 514 are DNS, Kerberos, SMB and syslog.

7
Q

A colleague enters the following command:

root@mybox: # hping3 -A 192.168.2.x -p 80

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address

B. An ACK scan using hping3 on port 80 for a group of addresses

C. Address validation using hping3 on port 80 for a single address

D. Address validation using hping3 on port 80 for a group of addresses

A

B. An ACK scan using hping3 on port 80 for a group of addresses

-A sets the ACK flag and -p 80 the destination port; the x in the address is a wildcard octet, which hping3 honours only in random-destination mode (--rand-dest), so as shown the command would need that switch to actually sweep the range. A RST back from a host means the port is unfiltered; silence means a stateful firewall dropped the unsolicited ACK.

8
Q

You are examining traffic between hosts and note the following exchange:

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.

B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

D. It appears port 4083 is closed.

A

B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

In an XMAS scan (FIN, PSH and URG set) a closed port answers RST and an open port stays silent. Silence is also what a firewall that drops the probe produces, so strictly the port is open|filtered; an ACK scan never reports a port as open at all, which rules out A.

9
Q

You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?

A. The network is unreachable.

B. The host is unknown.

C. Congestion control is enacted for traffic to this host.

D. A firewall is prohibiting connection.

A

D. A firewall is prohibiting connection.

ICMP Type 3 (Destination Unreachable) Code 13 is "Communication Administratively Prohibited", sent by a router or firewall whose access list rejected the packet. Network unreachable is Code 0 and host unknown is Code 7; nmap reports a port that draws Code 13 as filtered.

10
Q

Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect

B. Half-open

C. Null scan

D. XMAS scan

A

A. Full-connect

A full-connect scan (nmap -sT) completes the three-way handshake, so the result is unambiguous, but the connection reaches the listening application and is logged there. Half-open (-sS) tears the connection down with RST before the handshake completes, and NULL and XMAS scans never produce a definite "open".

11
Q

As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.

B. ICMP is being filtered.

C. The destination network might be down.

D. The servers are Linux based and do not respond to ping requests.

A

B. ICMP is being filtered.

Public-facing DMZ servers routinely have echo requests blocked at the firewall. Rather than trusting the sweep, rescan with host discovery disabled (nmap -Pn) or use TCP-based discovery (for example -PS80,443). Linux answers ping by default, so D is wrong.

12
Q

A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)

A. --script

B. -z

C. -sA

D. -sC

A

A. --script

D. -sC

-sC runs the default script category and is shorthand for --script=default; --script=<name or category> selects specific NSE scripts and --script-args passes them arguments. -sA is an ACK scan and -z is not an nmap option.

13
Q

Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls

B. chmod

C. pwd

D. lsof

A

D. lsof

Of the listed commands only lsof reports per-process information together with the owning user (lsof -u <user> filters on it); ls, chmod and pwd deal with files and directories. In practice ps -eo pid,uid,user,comm is the direct way to list processes with their UIDs.

14
Q

You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?

A. sc query

B. sc query type=all

C. sc query type=service

D. sc query state= all

A

D. sc query state= all

Plain sc query lists only running services; state= all (the space after the equals sign is required by sc's argument parser) includes stopped ones. type= all selects drivers as well as services, not inactive ones.

15
Q

An administrator enters the following command on a Linux system:

iptables -t nat -L

Which of the following best describes the intent of the command entered?

A. The administrator is attempting a port scan.

B. The administrator is configuring IP masquerading.

C. The administrator is preparing to flood a switch.

D. The administrator is preparing a DoS attack.

A

B. The administrator is configuring IP masquerading.

-t nat selects the NAT table and -L lists its current rules, typically to confirm a MASQUERADE or SNAT target in the POSTROUTING chain. On its own the command changes nothing, but none of the other options involve the NAT table at all.

16
Q

What is being attempted with the following command?

nc –u –v –w2 192.168.1.100 1-1024

A. A full connect scan on ports 1–1024 for a single address

B. A full connect scan on ports 1–1024 for a subnet

C. A UDP port scan of ports 1–1024 on a single address

D. A UDP scan of ports 1–1024 on a subnet

A

C. A UDP port scan of ports 1–1024 on a single address

-u selects UDP, -v verbose output and -w2 a two-second timeout; netcat expands the 1-1024 range itself. Scanning is normally done with -z (no payload) as well, and UDP results are unreliable because an open UDP port usually says nothing, while a closed one reveals itself only through an ICMP port unreachable.

17
Q

You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22

B. TCP 53

C. UDP 22

D. UDP 53

A

B. TCP 53

Ordinary DNS queries use UDP 53, but a zone transfer (AXFR) moves the whole zone and runs over TCP 53, so that is where a misconfigured server would be handing out its records (dig AXFR <zone> @<nameserver>).

18
Q

A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?

A. It displays the IP route table for the machine.

B. It displays the NetBIOS name cache.

C. It displays active and inactive services.

D. It puts a NIC into promiscuous mode for sniffing.

A

B. It displays the NetBIOS name cache.

19
Q

Consider the ports shown in the nmap output returned on an IP scanned during footprinting:

PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 01:2A:48:0B:AA:81

Which of the following is true regarding the output?

A. The host is most likely a router or has routing enabled.

B. The host is most likely a printer or has a printer installed.

C. The host is definitely a Windows Server.

D. The host is definitely a Linux Server.

A

B. The host is most likely a printer or has a printer installed.

LPD (515), IPP (631) and raw JetDirect (9100) together are the classic network-printer signature. Nothing in the port list or the MAC address proves the operating system, so the "definitely" options are wrong.

20
Q

The following results are from an nmap scan:

Remote operating system guess: Too many signatures match to
reliably guess the OS.

Nmap run completed – 1 IP address (1 host up) scanned in 263.47 seconds

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.

B. Traceroute to the system.

C. Run the same nmap scan with the -vv option.

D. Attempt banner grabbing.

A

D. Attempt banner grabbing.

When the TCP/IP stack fingerprint is ambiguous, the service banners (nc to 21, 22, 25 or 80, or nmap -sV) usually name the OS or distribution outright. An ACK scan and traceroute say nothing about the OS, and -vv only makes nmap print more about the same inconclusive fingerprint.

21
Q

You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

A

C. nmap -sS targetIPaddress

The SYN (half-open) scan gets a definitive open/closed/filtered answer from the SYN/ACK or RST without completing a connection the application would log. -sT completes connections, -sN (NULL) can only report open|filtered, and -sO is an IP protocol scan, not a port scan.

22
Q

What is the second step in the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK-SYN

E. FIN

A

C. SYN/ACK

23
Q

You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

A. Public (read-only) and Private (read/write)

B. Private (read-only) and Public (read/write)

C. Read (read-only) and Write (read/write)

D. Default (both read and read/write)

A

A. Public (read-only) and Private (read/write)

"public" and "private" are the factory defaults for SNMPv1/v2c read-only and read-write access. Agents silently discard requests carrying a wrong community string, so any response at all confirms the string; a working "private" string allows SET operations on the device.
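To see exactly what is on the wire when an enumeration tool tries those strings, here is an added example (not code from any SNMP tool) that hand-encodes an SNMPv1 GetRequest for sysDescr.0 with BER and uses the "any reply means the community was accepted" rule to test a string. The host address and the request-id are assumptions; the encoder runs offline.

```python
"""Hand-built SNMPv1 GetRequest for sysDescr.0, encoded with BER, so the
community string can be seen on the wire and default strings checked
against a target.  Added example, not code from any SNMP tool; the host
address and request-id used below are assumptions."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER with the minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def snmpv1_get(community, oid, request_id):
    """SNMPv1 message: version 0, community, GetRequest-PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # name, NULL value
    header = ber_int(request_id) + ber_int(0) + ber_int(0)         # id, error-status, error-index
    pdu = tlv(0xA0, header + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def community_accepted(host, community, timeout=2.0, port=161):
    """Send one GetRequest and report whether anything came back.  SNMPv1/v2c
    agents silently drop requests whose community string is wrong, so any
    reply means the string is valid.  No reply is inconclusive: filtered UDP
    looks exactly the same.  Not exercised offline."""
    msg = snmpv1_get(community, SYS_DESCR, 0x12345678)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return reply[:1] == b"\x30"      # a BER SEQUENCE, i.e. an SNMP message


if __name__ == "__main__":
    print(snmpv1_get("public", SYS_DESCR, 0x12345678).hex())
    for c in ("public", "private"):            # the defaults from the card above
        print(c, community_accepted("192.0.2.10", c))   # assumed target address
```

Note the community string travels as a plain OCTET STRING: anyone sniffing the segment reads it directly, which is why a captured SNMPv1/v2c exchange is as good as the string itself, and why SNMPv3 with authPriv is the fix.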

24
Q

Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish?

nmap –sA –T4 192.168.15.0/24

A. A serial, slow operating system discovery scan of a Class C subnet

B. A parallel, fast operating system discovery scan of a Class C subnet

C. A serial, slow ACK scan of a Class C subnet

D. A parallel, fast ACK scan of a Class C subnet

A

D. A parallel, fast ACK scan of a Class C subnet

-sA sends ACK probes to map firewall rules (ports come back unfiltered or filtered, never open) and -T4 is the "aggressive" timing template. OS discovery would be -O.

25
Q

You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

A. The host will be attempting to retrieve an HTML file.

B. The source port field on this packet can be any number between 1024 and 65535.

C. The first packet from the destination in response to this host will have the SYN and ACK flags set.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

A

A. The host will be attempting to retrieve an HTML file.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

A SYN segment carries no application data, so it says nothing about whether an HTML file will be requested. The SYN itself consumes sequence number 10, so the server's SYN/ACK acknowledges 11, not 10. B and C are true: the client picks an ephemeral source port, and the server's first reply has both SYN and ACK set.

26
Q

Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

A

B. PSH

27
Q

You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

A. Open

B. Closed

C. Filtered

D. Unknown

A

B. Closed

A SYN to a closed port is answered with RST/ACK; an open port replies SYN/ACK, and no reply (or an ICMP unreachable) means filtered.
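The response rules from cards 5, 8, 9, 10, 21 and 27 in one place, as an added example that is not nmap's code: a small analyser that reads a capture, pairs each probe with its reply (RST, SYN/ACK, ICMP type 3 or silence) and classifies the port the way nmap would, also telling a half-open SYN scan from a full connect by what the scanner sends after the SYN/ACK. The capture lines are constructed and use a simplified src:port > dst:port format rather than tcpdump's own; the addresses are assumptions.

```python
"""Classify port states from probe/response pairs in a capture, using the
rules behind the cards above: SYN, connect, ACK and FIN/NULL/XMAS probes,
answered by RST, SYN/ACK, ICMP type 3 or silence.  Added example, not
nmap's code; the capture lines are constructed, in a simplified
src:port > dst:port format rather than tcpdump's own."""
import re

TCP_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) flags=([A-Z]*)$")
# ICMP errors quote the packet that triggered them; the log records that inner flow.
ICMP_RE = re.compile(r"^\S+ > \S+ icmp3/(\d+) \(for (\S+):(\d+) > (\S+):(\d+)\)$")

INVERSE = {frozenset(), frozenset("F"), frozenset("FPU")}   # NULL, FIN, XMAS
SCAN_NAMES = {frozenset("S"): "SYN", frozenset("A"): "ACK", frozenset("F"): "FIN",
              frozenset(): "NULL", frozenset("FPU"): "XMAS"}
# ICMP type 3 codes nmap treats as "filtered" (13 = administratively prohibited).
FILTER_CODES = {1, 2, 3, 9, 10, 13}


def port_state(probe_flags, response):
    """response is None (silence), a TCP flag string, or 'icmp3/<code>'."""
    probe = frozenset(probe_flags)
    if response is None:
        # Inverse scans cannot tell an open port from a dropped probe.
        return "open|filtered" if probe in INVERSE else "filtered"
    if response.startswith("icmp3/"):
        return "filtered" if int(response[6:]) in FILTER_CODES else "unexpected"
    reply = frozenset(response)
    if probe == {"S"}:
        if reply == {"S", "A"}:
            return "open"
        if "R" in reply:
            return "closed"       # RST/ACK answers a SYN to a closed port
    elif probe == {"A"}:
        if "R" in reply:
            return "unfiltered"   # ACK scans never report open, only firewall state
    elif probe in INVERSE:
        if "R" in reply:
            return "closed"
    return "unexpected"


def scan_name(probe_flags, followup):
    """Name the scan; a SYN probe is half-open if the scanner tears down
    with RST and a full connect if it completes the handshake with ACK."""
    name = SCAN_NAMES.get(frozenset(probe_flags), "unknown")
    if name == "SYN" and followup is not None:
        return "SYN half-open (-sS)" if "R" in followup else "connect (-sT)"
    return name


def analyze_capture(lines, scanner):
    """Return {(target, port): (scan name, state)} for every probe the
    scanner sent.  Flows are keyed on the scanner's source port."""
    sent, replies = {}, {}
    for line in lines:
        m = TCP_RE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            if src == scanner:
                sent.setdefault((int(sport), dst, int(dport)), []).append(flags)
            else:
                replies[(int(dport), src, int(sport))] = flags
            continue
        m = ICMP_RE.match(line.strip())
        if m:
            code, src, sport, dst, dport = m.groups()
            replies[(int(sport), dst, int(dport))] = "icmp3/" + code
    results = {}
    for (sport, target, port), flags in sent.items():
        followup = flags[1] if len(flags) > 1 else None
        response = replies.get((sport, target, port))
        results[(target, port)] = (scan_name(flags[0], followup),
                                   port_state(flags[0], response))
    return results


# Constructed capture: 10.0.0.5 scans 10.0.0.9 with several probe types.
SAMPLE_CAPTURE = """
10.0.0.5:40321 > 10.0.0.9:4083 flags=FPU
10.0.0.5:40322 > 10.0.0.9:4084 flags=FPU
10.0.0.9:4084 > 10.0.0.5:40322 flags=RA
10.0.0.5:40323 > 10.0.0.9:80 flags=S
10.0.0.9:80 > 10.0.0.5:40323 flags=SA
10.0.0.5:40323 > 10.0.0.9:80 flags=R
10.0.0.5:40324 > 10.0.0.9:21 flags=S
10.0.0.9:21 > 10.0.0.5:40324 flags=SA
10.0.0.5:40324 > 10.0.0.9:21 flags=A
10.0.0.5:40325 > 10.0.0.9:23 flags=S
10.0.0.9:23 > 10.0.0.5:40325 flags=RA
10.0.0.5:40326 > 10.0.0.9:22 flags=S
10.0.0.9 > 10.0.0.5 icmp3/13 (for 10.0.0.5:40326 > 10.0.0.9:22)
10.0.0.5:40327 > 10.0.0.9:443 flags=A
10.0.0.9:443 > 10.0.0.5:40327 flags=R
10.0.0.5:40328 > 10.0.0.9:25 flags=
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in sorted(analyze_capture(SAMPLE_CAPTURE, "10.0.0.5").items()):
        print(key, value)
```

Port 4083 in the sample reproduces card 8: the XMAS probe drew no answer, which the analyser reports as open|filtered rather than open, because silence from a dropping firewall is indistinguishable from silence from an open socket.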