T1

Question 1

What is an “exposed attack surface”

Answer 1

Parts of a system or device that can be accessed or attacked over a network, such as open ports, services or protocols

Question 2

What shuold be a basic network security procedure?

Answer 2

Precicesly determining exposed attack surface of devices in organization

Question 3

What is Nmap?

Answer 3

Nmap is an open-source network scanning tool used to discover hosts/devices, open ports, and vulnerabilities on a network

Question 4

What are 3 protocols we used to probe hosts/devices on our network?

Answer 4

1. TCP
2. UDP
3. ICMP (preferred)

Question 5

Why do attackers prefer ICMP scans ove TCP/UDP probes?

Answer 5

Less intrusive and more likely to bypass firewalls

Question 6

What is Netdiscover, and how is it different from Nmap?

Answer 6

A passive network discovey tool that listens for traffic, while Nmap actively probes devices. (sending actual packets)

Question 7

How does netdiscover find devices without probing them

Answer 7

Uses protocols based on broadcasts (like DHCP)

Question 8

After finding one or more hosts of interest, what is attakers next move?

Answer 8

Port scanning: To find services running on a device by identifying open ports

Question 9

What does the command sudo map -sT < ip_host_address > do?

Answer 9

Scans the host using the TCP protocol to find open ports

Question 10

What does the command sudo nmap -sU < ip_host_address > do?

Answer 10

Scans the host using the UDP protocol to find open ports.

Question 11

What is the purpose of sudo nmap -O < ip_host_address >?

Answer 11

O tag determines what OS and version is running on a chosen device/host

Question 12

Should you scan all ports?

Answer 12

Can also scan subset where services are typically running (so only scanning 1000 per host)

Question 13

What is the function of the Nmap “vuln” script?

Answer 13

Detects known vulnerabilities in the services running on the target host.

nmap –script vuln -v < ip address of host/device >

Question 14

What does it mean that nmap has a modular structure?

Answer 14

It can integrate adjunctive components to enable one or multiple scripts to find vulnerabilities on a target device

Question 15

What is Nikto, and what does it do?

Answer 15

Nikto is a web server scanner that identifies vulnerabilities on HTTP/HTTPS servers.

port 80 or 443

Question 16

How do you use Nikto to scan a web server on HTTP?

Answer 16

nikto -h < ip_host_address >

Question 17

Aggressive probe that can be used (with caution!) with nmap

Answer 17

brute force! Use oredefined set of common username and passwords

Question 18

What is the command to perform a brute-force attack on an SSH service using Nmap?

Answer 18

nmap -p 22 –script ssh-brute -v < ip_host_address >

Question 19

What is privilege escalation?

Answer 19

The process of gaining higher privileges (e.g., admin/root access) on a system by exploiting weak passwords, vulnerabilities, or misconfigurations.

Question 20

Lynis

Answer 20

Software tool used to spot local vulnerabilities without administrator privileges

lynis audit system

Question 21

What are some common scanning parameters in Nmap?

Answer 21

• -sT: TCP connect scan.
• -sU: UDP scan.
• -O: Detect operating system.
• -sV: Detect service versions.

Question 22

How many ports are typically scanned by Nmap by default?

Answer 22

1,000 commonly used ports

Question 23

What is the difference between active and passive scanning?

Answer 23

Active Scanning: Sends packets to devices to elicit responses (e.g., Nmap).
Passive Scanning: Observes network traffic without sending packets (e.g., Netdiscover).