Penetration Flashcards

1
Q

How could you perform a ping sweep on the 172.16.10.0/24 subnet?

A

nmap -sn 172.16.10.0/24

The ‘-sn’ option instructs Nmap to perform host discovery only (ICMP echo plus its other default ping probes) and skip the port scan that would normally follow.

2
Q

How could you perform an ARP scan of hosts on the 172.16.10.0/24 subnet? Suppose your machine has multiple network interfaces and the relevant subnet is on the ‘br_public’ interface.

A

sudo arp-scan 172.16.10.0/24 -I br_public

arp-scan sends raw Ethernet frames and therefore requires root privileges, hence the ‘sudo’.

The ‘-I’ option is used to specify the interface for arp-scan to use.

The ‘-f’ option can also be used to specify a file as input.

The ‘-x’ or ‘--plain’ option suppresses header/footer text. This is good for when the results will be parsed by a script.

3
Q

When provided with no special options, what type of scan will Nmap provide by default? Assume we’re scanning a domain/subnet.

A
  1. Half-open (SYN) scan: Nmap sends an initial SYN but does not complete the TCP handshake, so the final ACK is never sent back (the connection is torn down with a RST instead). This is the default when Nmap has raw-socket privileges; an unprivileged run falls back to a full connect scan (‘-sT’).
  2. Scan the top 1000 most commonly used ports. It won’t scan the entire port range of 0–65,534, to conserve resources.
  3. Scan only TCP ports. Nmap won’t scan UDP ports by default.
4
Q

Which Nmap option can be used to provide a file containing target hosts as input?

Suppose we want to scan all of the hosts listed in the ‘./known-hosts.txt’ file.

A

nmap -iL known-hosts.txt

The targets in this file must be separated by newlines.

5
Q

How could you use Nmap to scan the 192.168.0.0/24 subnet for the version of each detected service, only on open ports?

A

nmap -sV 192.168.0.0/24 --open

The ‘-sV’ option is used to determine version info of all detected services.

The ‘--open’ option filters the output so that only ‘open’ ports are shown.

6
Q

How could you use Rustscan to perform a port scan of ports 1-1024 on each host in the 172.16.10.0/24 subnet? The output should be in a format that makes for easy parsing by Bash.

A

rustscan -g -a 172.16.10.0/24 -r 1-1024

The ‘-g’ option stands for ‘greppable’ and forces Rustscan to output only the port information (useful for parsing with grep or outputting to a file).

The ‘-a’ option (address) takes a target address or address range.

The ‘-r’ option takes a range of ports to scan.

7
Q

How could you use Netcat to perform a scan of TCP ports 1-1024 on 172.16.10.11?

A

nc -zv 172.16.10.11 1-1024

The ‘-z’ option stands for ‘zero I/O mode’, which tells Netcat not to send/receive any data; it only checks whether each port accepts a connection. Aside from port scanning, Netcat can be used for sending/receiving raw data over network connections.

The ‘-v’ option simply stands for verbose, instructing Netcat to display port scanning results.

8
Q

Suppose you want to perform a default Nmap scan on the hosts listed in the ‘172-16-10-hosts.txt’ file. You want the output to be printed to the console in a format that is easily parsed. How can you do this?

A

nmap -iL 172-16-10-hosts.txt -oG -

Normally the ‘-oG’ option is used to tell Nmap to format its output in an easily ‘greppable’ format. Passing ‘-’ to ‘-oG’ rather than a file name tells Nmap to print this ‘greppable’ output directly to the console rather than to an output file.

Nmap can also output its results in XML format with the ‘-oX’ option.

9
Q

The Nmap Scripting Engine (NSE) allows penetration testers to write scripts in the Lua language to extend Nmap’s capabilities.

Where are the preinstalled Lua scripts stored?

A

/usr/share/nmap/scripts

Nmap can use these scripts via the ‘--script’ option.

10
Q

Which Nmap option instructs Nmap to attempt to figure out the operating system of the target host?

A

-O

11
Q

Suppose you’re scanning a web application with “WhatWeb” and you want to log the output as JSON to the terminal rather than log file. How can you do this?

Assume you’re scanning 172.16.10.10 on port 80.

A

whatweb 172.16.10.10:80 --log-json=/dev/stdout --quiet

This can then be easily parsed with ‘jq’.

Sending data to the device file ‘/dev/stdout’ will force the output to go to STDOUT.

The ‘--quiet’ option will suppress whatweb’s normal output, so only the JSON reaches the terminal.

12
Q

What is Directory Indexing in web security?

A

Directory indexing is a server-side setting that, instead of a web page, lists files located at certain web paths. When enabled, the directory indexing setting lists the content of a directory when an index file is missing (such as index.html or index.php).

Directory indexing could highlight sensitive files in an application, such as configuration files with connection strings, local database files (such as SQLite files), and other environmental files.

13
Q

How could you run a basic Nikto scan of port 80 on 172.16.10.11?

A

nikto --host 172.16.10.11 --port 80

You can stop Nikto from asking whether to submit updates by passing the following option at the command line:
~~~
--ask no
~~~

14
Q

What is a “robots.txt” file?

A

The “robots.txt” file is a text file placed on a web server that provides instructions to web and search engine crawlers about which pages on the site they are allowed to access and which ones they should not crawl or index. It essentially manages how search engines interact with a website and keeps them away from areas like login pages or internal directories. Compliance is voluntary on the crawler’s side, so the file is not an access control, and any path it lists is visible to anyone who requests it.

15
Q

How could you perform a directory search of the ‘172.16.10.10:80’ URL?

A

dirsearch -u 172.16.10.10:80

The ‘-u’ option stands for URL.

By default, dirsearch will create a subdirectory named ‘reports’ inside which it will create further subdirectories per URL to save directory search results.

16
Q

You suspect that a website is mistakenly hosting the contents of their ‘.git’ directory. How could you attempt to pull this repository and all of its associated metadata for local inspection?

The URL is ‘http://192.168.10.10’ and, if successfully pulled, you want the Git repository stored in the ‘./192-168-10-10-git’ directory.

A

gitjacker http://192.168.10.10 -o 192-168-10-10-git

The ‘-o’ option takes an output directory.

17
Q

Suppose you’ve cloned a Git repository that had been mistakenly hosted on a target website. You’re now in your local copy of this repository. How can you print out, in a nice format, all of the authors and their respective emails that are present in the Git commit history?

A

git log --pretty=format:"%an %ae"

The ‘git log’ command’s ‘--pretty’ option has many different built-in formats available for nicely printing log history.

If you’re not interested in one of the built-in formats, you could assemble your own format via the ‘--pretty=format:’ option, and make use of the built-in placeholder fields such as ‘%an’ for Author Name and ‘%ae’ for Author Email, just to name two.

18
Q

How can you install/update Nuclei’s template database?

A

nuclei -ut

The ‘-ut’ option stands for ‘update templates’.

The long form of the option is ‘--update-templates’.

Nuclei stores its built-in templates in the folder ‘~/.local/nuclei-templates’

19
Q

How could you list all available Nuclei templates?

A

nuclei -tl

The ‘-tl’ option stands for ‘list templates’.

20
Q

Nuclei tags allow you to run specific subsets of templates against target hosts. How could you list all available Nuclei tags?

A

nuclei -tgl

21
Q

Suppose you want to run a Nuclei vulnerability scan against the 172.16.10.11 IP address. You already know that the server is running Apache and you suspect that it also has an available Git repository. How can you limit the scan to only cover these areas?

A

nuclei -tags apache,git -u 172.16.10.11

The ‘-u’ option is used to specify the target(s).

22
Q

How can you limit the number of requests sent per second during a Nuclei scan?

A

The ‘-rl’ option followed by an integer specifies the number of allowed requests per second.

‘-rl’ stands for rate limit.

23
Q

Suppose a target server with the IP address 10.10.4.220 is running FTP with anonymous access enabled. How can you connect to this FTP server?

A

ftp ftp://anonymous:@10.10.4.220

This connects to the server as the anonymous user with an empty password.

24
Q

How could you do a Nuclei scan on the 192.168.20.230 server and only display vulnerabilities of medium/high/critical severity? You also want to only display the vulnerability findings rather than displaying all warnings.

A

nuclei -u 192.168.20.230 -silent -severity medium,high,critical

25
Q

Suppose you want to use ffuf to fuzz the ‘http://172.16.10.10:8081/files’ endpoint with a custom wordlist titled ‘files_wordlist.txt’

How can you do this?

A

ffuf -c -w files_wordlist.txt -u http://172.16.10.10:8081/files/FUZZ

The ‘-c’ option highlights the results in the terminal.
The ‘-w’ option is used to specify a custom wordlist.
The ‘-u’ option is used to specify the path/URL to fuzz.

The word FUZZ at the end of the URL is a placeholder that tells the tool where to inject the words from the wordlist. In essence, it will swap the word FUZZ with each line from our file.

26
Q

Some commands generate colored output via ANSI escape sequences. How could you disable colored output for nuclei scans?

Disabling ANSI escape codes for colored output will make it easier to parse the output.

A

The ‘-nc’ or ‘-no-color’ option can be passed on the command line when running nuclei.