Reconnaissance and Intelligence Gathering

Question 1

What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?

A. DNSSEC

B. AXR

C. DNS registration

D. Zone transfers

Answer 1

Answer:

D. DNS zone transfers provide a method to replicate DNS information between DNS servers, but they are also a tempting target for attackers due to the amount of information that they contain. A properly secured DNS server will only allow zone transfers to specific, permitted peer DNS servers. DNSSEC is a suite of DNS security specifications, AXR is a made-up term (AXFR is the zone transfer command), and DNS registration is how you register a domain name.

Question 2

What flag does nmap use to enable operating system identification?

A. –os

B. –id

C. –o

D. –osscan

Answer 2

Answer:

C. Nmap’s operating system identification flag is –o and it enables OS detection. –A also enables OS identification and other features. –osscan with modifiers like –limit and –guess set specific OS identification features. –os and –id are not nmap flags.

Question 3

What command-line tool can be used to determine the path that traffic takes to a remote system?

A. Whois

B. traceroute

C. nslookup

D. routeview

Answer 3

Answer:

B. Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

Question 4

What type of data can frequently be gathered from images taken on smartphones?

A. Extended Graphics Format

B. Exif

C. JPIF

D. PNGrams

Answer 4

Answer:

B. Exif (Exchangeable Image Format) data often includes location and camera data, allowing the images to be mapped and identified to a specific device or type of camera.

Question 5

Which Cisco log level is the most critical?

A. 0

B. 1

C. 7

D. 10

Answer 5

Answer:

A. Log level 0 is used for emergencies in Cisco’s logging level scheme. Log level 7 is for debugging information and is at the bottom of the scale.

Question 6

During passive intelligence gathering, you are able to run netstat on a workstation located at your target’s headquarters. What information would you not be able to find using netstat on a Windows system?

A. Active TCP connections

B. A list of executables by connection

C. Active UDP connections

D. Route table information

Answer 6

Answer:

C. UDP connections are not shown by netstat because UDP is a connectionless protocol. Active TCP connections, executables that are associated with them, and route table information are all available via netstat.

Question 7

Which of the following options is the most likely used for the host listed in the dhcpd.conf entry?

host db1 {
option host-name “sqldb1.example.com”;
hardware ethernet 8a:00:83:aa:21:9f
fixed address 10.1.240.10

A. Active Directory server

B. Apache web server

C. Oracle database server

D. Microsoft SQL Server

Answer 7

Answer:

D. Although it is possible that a system named “db1” with a hostname “sqldb1” is not a Microsoft SQL Server, the most likely answer is that it is a Microsoft SQL Server.

Question 8

Which type of Windows log is most likely to contain information about a file being deleted?

A. httpd logs

B. Security logs

C. System logs

D. Configuration logs

Answer 8

Answer:

B. Microsoft Windows security logs can contain information about files being opened, created, or deleted if configured to do so. Configuration and httpd logs are not a type of Windows logs, and system logs contain information about events logged by Windows components.

Question 9

What organization manages the global IP address space?

A. NASA

B. ARIN

C. WorldNIC

D. IANA

Answer 9

Answer:

D. The Internet Assigned Numbers Authority manages the global IP address space. ARIN is the American Registry for Internet Numbers, WorldNIC is not an IP authority, and NASA tackles problems in outer space, not global IP space.

Question 10

Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?

A. Data purging

B. Data remanence insurance

C. Metadata scrubbing

D. File cleansing

Answer 10

Answer:

C. Metadata scrubbing removes hidden information about a file such as the creator, creation time, system used to create the file, and a host of other information. The other answers are made up.

Question 11

What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?

A. Trend analysis

B. Signature analysis

C. Heuristic analysis

D. Regression analysis

Answer 11

Answer:

C. Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package. Trend analysis is typically used to identify large-scale changes from the norm, and it is more likely to be useful for a network than for a single PC. Regression analysis is used in statistical modeling.

Question 12

Which of the following is not a common DNS antiharvesting technique?

A. Blacklisting systems or networks

B. Registering manually

C. Rate limiting

D. CAPTCHAs

Answer 12

Answer:

B. Registering manually won’t prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.

Question 13

What technique is being used in this command?

dig axfr @dns-server example.com

A. DNS query

B. nslookup

C. dig scan

D. Zone transfer

Answer 13

Answer:

D. The axfr flag indicates a zone transfer in both the dig and host utilities.

Question 14

Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?

A. Work process documentation

B. To capture additional data for analysis

C. Plausible deniability

D. To provide a timeline

Answer 14

Answer:

C. A packet capture can’t provide plausible deniability, as it provides evidence of action. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.

Question 15

What process uses information such as the way that a system’s TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?

A. Service identification

B. Fuzzing

C. Application scanning

D. OS detection

Answer 15

Answer:

D. Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

Question 16

What tool would you use to capture IP traffic information to provide flow and volume information about a network?

A. libpcap

B. netflow

C. netstat

D. pflow

Answer 16

Answer:

B. Netflow is a Cisco network protocol that collects IP traffic information that allows analysis of traffic flow and volume. Netstat provides information about local connections, which applications have made them, and other useful local system information. Libpcap is the Linux packet capture library and would not be used alone. Pflow is a made-up term.

Question 17

What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization’s systems?

A. traceroute

B. Zone transfer

C. DNS sync

D. dig

Answer 17

Answer:

B. Zone transfers are intended to allow DNS database replication, but an improperly secured DNS server can also allow third parties to request a zone transfer, exposing all of their DNS information. Traceroute is used to determine the path and latency to a remote host, whereas dig is a useful DNS query tool. DNS sync is a made-up technical term.

Question 18

Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website?

A. The Internet Archive

B. WikiLeaks

C. The Internet Rewinder

D. TimeTurner

Answer 18

Answer:

A. The Internet Archive maintains copies of sites from across the Internet, and it can be used to review the historical content of a site. WikiLeaks distributes leaked information, whereas the Internet Rewinder and TimeTurner are both made-up names.

Question 19

During an information gathering exercise, Chris is asked to find out detailed personal information about his target’s employees. What is frequently the best place to find this information?

A. Forums

B. Social media

C. The company’s website

D. Creepy

Answer 19

Answer:

B. Social media can be a treasure trove of personal information. Company websites and forums are usually limited in the information they provide, and Creepy is a geolocation tool that gathers data from social media and geotagging.

Question 20

Which lookup tool provides information about a domain’s registrar and physical location?

A. nslookup

B. host

C. Whois

D. traceroute

Answer 20

Answer:

C. Whois provides information that can include the organization’s physical address, registrar, contact information, and other details. Nslookup will provide IP address or hostname information, whereas host provides IPv4 and IPv6 addresses as well as email service information. Traceroute attempts to identify the path to a remote host as well as the systems along the route.