Pentest+ Practice Exam Chapter 3 Network Scanning and Enumeration (Jonathan Ammerman) Flashcards
Which component of the aircrack-ng suite of tools is used to put wireless adapters into monitor mode?
A. Aireplay-ng
B. Airmon-ng
C. Airodump-ng
D. Airdecap-ng
B. Airmon-ng
Explanation:
Airmon-ng is the component of the aircrack-ng suite of tools used to put wireless adapters into monitor mode.
Which type of primary frame (defined by the IEEE 802.11 wireless standard) enables stations to establish and sustain communication over the network with an access point?
A. Disassociation frame
B. Management frame
C. Data frame
D. Control frame
B. Management frame
Explanation:
Management frames enable stations to establish and sustain communication over the network with an access point.
Which nmap flag is used to disable DNS resolution of hostnames?
A. -sL
B. -n
C. -oG
D. -Pn
B. -n
Explanation:
The -n flag disables DNS resolution of hostnames.
A is incorrect because the -sL flag is used when listing multiple targets to be scanned. C is incorrect because the -oG flag saves scan output to file in an easily grep-able format. D is incorrect because the -Pn flag disables ping and skips host discovery.
Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 61). McGraw-Hill Education. Kindle Edition.
What is the effect of the -PS flag in nmap?
A. Triggers SCTP discovery to named ports
B. Triggers TCP ACK discovery to named ports
C. Triggers UDP discovery to named ports
D. Triggers TCP SYN discovery to named ports
D. Triggers TCP SYN discovery to named ports
Explanation:
The -PS flag is used for TCP SYN discovery to the declared ports.
Which of the following is an active scanning technique used to aid in the process of information gathering, with the goal of identifying hosts that are alive and listening on the network?
A. Port scanning
B. Wardriving
C. Stumbling
D. Host discovery
D. Host discovery
Explanation:
Host discovery is an active scanning technique used to aid in the process of information gathering, with the goal of identifying hosts that are alive and listening on the network. The simplest method of host discovery is a discovery scan, which is typically a ping-only scan. A caveat must be given here, however, as oftentimes a target network will automatically drop all ICMP requests. In cases such as these, a stealth connection attempt to a common port or service such as SSH on port 22 or HTTP on port 80 can be an effective method of determining which hosts are up and available on a network.
Which open-source command-line tool is used for several penetration test-focused activities on both wired and wireless networks, such as surveying hosts for open ports, fingerprinting operating systems, and collecting service banners?
A. Shodan
B. Nmap
C. Aircrack-ng
D. Theharvester
B. Nmap
Explanation:
Nmap is an open-source command-line tool that is used for several penetration test-focused activities, such as surveying hosts for open ports, fingerprinting operating systems, and collecting service banners. With its default options, nmap provides effective enumeration of networks (and identification of targets within them), hosts (such as OS fingerprinting with the -O or -A flag), and services (with the -sV or -A flag). With the use of NSE (the Nmap Scripting Engine), nmap can provide even greater levels of detail.
What is the effect of the -v flag in nmap?
A. Denotes a list of targets to scan
B. Prevents DNS resolution
C. Increases the verbosity level of scan output
D. Disables ping and skips host discovery
C. Increases the verbosity level of scan output
Explanation:
The -v flag in nmap increases the verbosity level of scan output.
A is incorrect because a network (in the form of a CIDR notation subnet, such as 10.0.1.0/24) to scan should follow the -sL flag in nmap. It is important to note that the -sL flag will result in nmap not sending any packets to the targets in question; rather, nmap will simply perform reverse-DNS resolution on the target IP addresses to learn the relevant hostnames. B is incorrect because DNS resolution of hostnames is disabled when the -n flag is used. D is incorrect because pings are disabled and host discovery is skipped when the -Pn flag is used.
Which of the following is an open-source suite of tools useful for conducting RF communication monitoring and security testing of wireless networks?
A. Shodan
B. Aircrack-ng
C. Nmap
D. Theharvester
B. Aircrack-ng
Explanation:
Of the options listed, aircrack-ng is best described as an open-source suite of tools useful for conducting RF communication monitoring and security testing of wireless networks.
Which popular tool is used for wireless discovery and offers many of the same features as airodump-ng?
A. Kismet
B. Nmap
C. Shodan
D. Onesixtyone
A. Kismet
Explanation:
Kismet is used for wireless discovery and has many of the same features as airodump-ng.
Kismet excels at detecting existing networks on wireless channels, sniffing data, and detecting intrusions.
Which type of primary frame (defined by the IEEE 802.11 wireless standard) facilitates delivery of data frames to each station?
A. Deauthentication frame
B. Disassociation frame
C. Control frame
D. Management frame
C. Control frame
Explanation:
Control frames facilitate data frame delivery to each station.
A and B are incorrect because deauthentication and disassociation frames are subtypes of the management frame and do not facilitate data frame delivery. D is incorrect because management frames enable stations to establish and sustain communication.
Which subtype of management frame contains details about a wireless access point (including but not limited to the SSID, encryption details, MAC address, and Wi-Fi channel) that can enable a malicious agent to eavesdrop on a wireless network?
A. Authentication frame
B. Request to Send (RTS) frame
C. Beacon frame
D. Association request frame
C. Beacon frame
Explanation:
A beacon frame contains details about a wireless access point (such as the SSID, encryption details, MAC address, and Wi-Fi channel) that can enable a malicious agent to eavesdrop on a wireless network. This is because of the way devices “remember” wireless networks. A beacon frame says to all devices in the area, “This is $Company_Network,” whether the device represents that network or not. When a device tries to connect to a Wi-Fi network after powering on or checking for a signal, it runs through its internal list of remembered Wi-Fi networks until it finds a network that is broadcasting. The problem is that there is no verification mechanism that confirms that the source of the beacon frame is legitimately the network in question; therefore, a malicious agent could run a rogue access point with the same SSID name to trick devices into connecting to it, and then route all incoming traffic through Burp or another proxy to monitor network use, collect passwords, or identify shared storage on the host in question.
What is the effect of the -Pn flag in nmap?
A. Disables ping and skips host discovery
B. Prevents DNS resolution
C. Disables port scanning and forces a simple ping scan
D. Outputs scan details in XML format
A. Disables ping and skips host discovery
Explanation:
The -Pn flag in nmap disables ping and skips host discovery.
B is incorrect because the disabling of DNS resolution is the expected outcome of adding the -n flag to an nmap command. C is incorrect because the -sn flag in nmap disables port scanning, forcing a simple ping scan. D is incorrect because the -oX flag dumps scan output to an XML file for future use.
Which nmap flag should precede a file containing a list of targets to be scanned?
A. -Pn
B. -iL
C. -sn
D. -oA
B. -iL
Explanation:
The -iL nmap flag should precede a file containing a list of targets to be scanned.
Which of the following is not a primary type of frame defined by the IEEE 802.11 wireless communication standard?
A. Control frame
B. Beacon frame
C. Data frame
D. Management frame
B. Beacon frame
Explanation:
A beacon frame is a subtype of the management frame. As such, it is not a primary frame type and is therefore the correct answer for this question.
Which of the following nmap options would result in the ports shown being scanned?
A. -sL
B. -top-ports=200
C. -v
D. -sS
B. -top-ports=200
Explanation:
The correct answer is -top-ports=200. The clue here is in the total count of ports listed as scanned; 11 open ports shown plus 189 closed ports not shown would mean that only 200 ports were probed in this scan.