3.5.3 Quiz – Information Gathering and Vulnerability Scanning Answers

1. Which two tools could be used to gather DNS information passively? (Choose two.)

  • Recon-ng
  • Dig
  • Wireshark
  • Nmap
  • ExifTool

Explanation: Recon-ng and Dig can perform passive reconnaissance based on DNS data. Wireshark is packet capture software. ExifTool is used to extract metadata from files. Nmap is an active reconnaissance tool.

2. When performing passive reconnaissance, which Linux command can be used to identify the technical and administrative contacts of a given domain?

  • netstat
  • dig
  • whois
  • nmap

Explanation: The whois command identifies domain technical and administrative contacts, though it must be remembered that many organizations keep their registration details private and list the domain registrar's contacts instead. Nmap is an active reconnaissance tool. Dig can be used to perform passive reconnaissance based on DNS data. The netstat command displays active network connections on a host.

3. Which specification defines the format used by image and sound files to capture metadata?

  • Exchangeable Image File Format (Exif)
  • Extensible Image File Format (Exif)
  • Exchangeable File Format (EFF)
  • Interchangeable File Format (IFF)

Explanation: Exchangeable Image File Format (Exif) is a specification that defines the formats for images, sound, and supplementary tags used by digital devices and other systems that process image and sound files.

4. Why would a penetration tester perform a passive reconnaissance scan instead of an active one?

  • to collect information about a network without being detected
  • because the time to perform the scan is limited
  • because the root-level SSH credentials to a target have been compromised
  • to test whether specific services or protocols are available on the network

Explanation: A passive reconnaissance scan is typically performed instead of an active one when information must be collected without alerting any security measures that may be deployed on the network. Any scan that injects traffic onto the network or elicits service responses is an active scan that existing security measures could detect.

5. What type of server is a penetration tester enumerating when they enter the nmap -sU command?

  • DNS, SNMP, or DHCP server
  • HTTP or HTTPS server
  • POP3, IMAP, or SMTP server
  • FTP server

Explanation: A UDP scan would enumerate servers running protocols that use UDP, such as DNS, SNMP, or DHCP.

6. What is the disadvantage of conducting an unauthenticated scan of a target when performing a penetration test?

  • Vulnerability of services running inside the target may not be detected.
  • The scanner will report the port as open whether or not the service on that network segment is listening.
  • Unauthenticated scans are more likely to provide a lower rate of false positives than authenticated scans.
  • Unauthenticated scans are a form of passive reconnaissance that return little useful information.

Explanation: If the service is not listening on that network segment, or if it is firewalled, an unauthenticated scan will report the port as closed and move on, which means vulnerabilities may be missed.

7. What is required for a penetration tester to conduct a comprehensive authenticated scan against a Linux host?

  • user credentials with root-level access to the target system
  • system user credentials
  • physical on-premises access to the target system
  • unauthenticated scans are a form of passive reconnaissance that return little useful information.
  • backdoor access to the target system

Explanation: When conducting an authenticated scan against a target, many of the commands that the scanner runs require root-level access to gather the correct and most complete information from the system; system user credentials would only provide access to resources for which that user has privilege. An authenticated scan against a target does not have to be conducted on-premises; remote SSH access is typically used.

8. In which circumstance would a penetration tester perform an unauthenticated scan of a target?

  • when user credentials were not provided
  • when the number of false positive vulnerability reports is not required
  • when time is limited and faster scans are required
  • when only targets with UDP services are to be scanned

Explanation: Unauthenticated vulnerability scans do not use credentials to scan a target, so they are more likely to be used when user or root-level credentials are unavailable or unknown.

9. Why would a penetration tester use the nmap -sF command?

  • when a TCP SYN scan is detected by a network filter or firewall
  • when the tester wants to conclude the scan
  • when a TCP SYN scan reports more than one open port
  • when the tester needs to time stamp the scan

Explanation: When a network filter or firewall detects a TCP SYN scan, a TCP FIN scan can be used instead; it sends a FIN packet to the target port, and TCP FIN packets are typically allowed through firewalls and filters.

10. What is the purpose of host enumeration when beginning a penetration test?

  • to identify all active IP addresses within the scope of the test
  • to count the total number of IP addresses within the scope of the test
  • to identify all vulnerable hosts within the scope of the test
  • to count the total number of vulnerable hosts within the scope of the test

Explanation: Host enumeration can be used to identify all active IP addresses within the scope of the penetration test. It may provide limited information about those devices, such as type and operating system version.

11. What can be deduced when a tester enters the nmap -sF command to perform a TCP FIN scan and the target host port does not respond?

  • that the port is not responding to TCP traffic
  • that the port is listening for UDP traffic
  • that the port is open
  • that the port is not ready to close the TCP connection

Explanation: If nothing is received from the target port in response to a TCP FIN scan, the port can be considered open because the normal behavior is to ignore the FIN packet. If the port is closed, the target system sends back an RST packet.

12. What is the disadvantage of running a TCP Connect scan compared to running a TCP SYN scan during a penetration test?

  • Both open and closed ports are detected.
  • Indeterminate ICMP messages are generated.
  • Hosts and addresses outside the scope of the test may be scanned.
  • The extra packets required may trigger an IDS alarm.

Explanation: Security tools and the underlying targeted system are more likely to log the full TCP connection of a TCP Connect Scan, and intrusion detection systems (IDSs) are more likely to trigger alarms on several TCP connections from the same host. Detecting open and closed ports is not a disadvantage of a TCP Connect Scan. It is the tester’s responsibility to ensure that hosts and addresses outside the scope of the penetration test are not scanned.

13. When a penetration test identifies a vulnerability, how should the vulnerability be further verified?

  • determine if the vulnerability is exploitable
  • prioritize the vulnerability severity
  • assess the business risk associated with the vulnerability
  • mitigate the vulnerability

Explanation: If a detected vulnerability can be exploited, it is verified as valid. The vulnerability should then be prioritized, mitigated, and risk-assessed.

14. Why is the Common Vulnerabilities and Exposures (CVE) resource useful when investigating vulnerabilities detected by a penetration test?

  • It is a high level list of software weaknesses.
  • It is an international consolidation of cybersecurity tools and databases.
  • It has three vulnerability score components.
  • It is a dictionary of known attacks.

Explanation: Common Vulnerabilities and Exposures (CVE) was created in 1999 to consolidate cybersecurity tools and databases internationally. Common Weakness Enumeration (CWE) is a high-level list of software weaknesses. The Common Vulnerability Scoring System (CVSS) has three components: base, temporal, and environmental scores. Common Attack Pattern Enumeration and Classification (CAPEC) is a dictionary of known attacks seen in the real world.

15. What is the purpose of applying the Common Vulnerability Scoring System (CVSS) to a vulnerability detected by a penetration test?

  • to determine the priority of the vulnerability
  • to determine the attack vector that applies to the vulnerability
  • to accurately record how the vulnerability was detected
  • to calculate the severity of the vulnerability

Explanation: The Common Vulnerability Scoring System (CVSS) is a widely adopted standard for calculating the severity of a given vulnerability using three components: base, temporal, and environmental scores.

16. A threat actor is looking at the IT and technical job postings of a target organization. What would be the most beneficial information to capture from these postings?

  • the type of hardware and software used
  • the salaries of the positions listed
  • the hours of work required by the roles listed
  • the employment benefits offered by the company

Explanation: When advertising vacant IT and technical positions, businesses will typically list the hardware and software skills and qualifications required by the successful applicants. This information provides the attacker with helpful information about the hardware and software platforms operated by that business, which can then be used in planning an attack.

17. How is open-source intelligence (OSINT) gathering typically implemented during a penetration test?

  • by using public internet searches
  • by installing and running the OSINT API
  • by sending phishing emails
  • by using nmap for web page and web application enumerations

Explanation: Open-source intelligence (OSINT) gathering uses publicly available intelligence sources, such as Internet searches, to collect and analyze information about a target.

18. What initial information can be obtained when performing user enumeration in a penetration test?

  • the IP addresses of the target hosts
  • a valid list of users
  • the credentials of a specified user
  • access to the target internal network

Explanation: When access to the target internal network has been achieved, user enumeration tools will gather a valid list of users. A username is the first step in attempting to crack a set of credentials.

19. What useful information can be obtained by running a network share enumeration scan during a penetration test?

  • systems on a network that are sharing files, folders, and printers
  • the usernames and password credentials of users on the network
  • all vulnerable hosts on the network
  • lists of the attack vectors that can exploit the network

Explanation: A network share enumeration scan can identify network systems that share files, folders, and printers. This information helps build out the attack surface of an internal network.

20. A penetration tester must run a vulnerability scan against a target. What is the benefit of running an authenticated scan instead of an unauthenticated scan?

  • Authenticated scans can provide a more detailed picture of the target attack surface.
  • Authenticated scans are a form of passive reconnaissance that does not trigger target security alarms.
  • Authenticated scans are performed without user credentials.
  • Authenticated scans are less complex and are quicker than unauthenticated scans.

Explanation: Authenticated scans require credentials with root-level access to the system and can provide a complete picture of the target attack surface.

21. What are three considerations when planning a vulnerability scan on a target production network during a penetration test? (Choose three.)

  • the timing of the scan
  • the trained personnel available to analyze the scan results
  • the available network bandwidth
  • the network topology
  • authenticated scans are less complex and are quicker than unauthenticated scans
  • the available scanning tools
  • the scan reporting requirement

Explanation: To minimize disruption to a target production network, the factors to consider when planning a vulnerability scan include the timing of the scan, the available network bandwidth, and the network topology. The available scanning tools, trained personnel, and reporting requirements are procedural considerations for the tester and customer, not scan target considerations.

22. When performing a vulnerability scan of a target, how can adverse impacts on traversed devices be minimized?

  • Unauthenticated vulnerability scans should be performed.
  • Only passive reconnaissance scans should be performed.
  • The scan should be performed as close to the target as possible.
  • Scanning policy options should include query throttling.

Explanation: To avoid impacting devices that the scanner traffic traverses, and to ensure that these devices do not affect the scan results, the scan should be performed as close to the target as possible.

23. A company hires a cybersecurity consultant to conduct a penetration test to assess vulnerabilities in network systems. The consultant is preparing the final report to send to the company. What is an important feature of a final penetration test report?

  • It gives an accurate presentation of vulnerabilities.
  • It follows expected report presentation standards and style.
  • It is a summary of general information so non-technical managers can understand it.
  • It is made publicly available to all interested parties.

Explanation: The most important feature of a final penetration test report is that it is accurate, with all the vulnerabilities verified, and contains no false positive results.

24. What is the advantage of using the target Wi-Fi network for reconnaissance packet inspection?

  • The packet scan takes less time wirelessly compared to using the target wired network.
  • More information can be captured wirelessly compared to using the target wired network.
  • Fewer false positive vulnerabilities are detected.
  • Physical access to the building may not be required.

Explanation: The target wireless footprint can bleed beyond building walls; therefore, using the target Wi-Fi network to perform packet inspection in a penetration test often means that physical internal building access is not required. This reduces the chances of detection.

25. What guidance does the NIST Cybersecurity Framework provide to help improve an organization’s cybersecurity posture?

  • The framework provides a global consolidation of cybersecurity tools and databases.
  • The framework lists cyber attacks that have been seen in the real world.
  • The framework provides a vulnerability scoring system.
  • The framework outlines standards and industry best practices.

Explanation: The NIST Cybersecurity Framework outlines the standards and industry best practices that can be used to improve organizations’ cybersecurity posture.
