3.5.3 Quiz – Information Gathering and Vulnerability Scanning Answers
1. Which two tools could be used to gather DNS information passively? (Choose two.)
2. When performing passive reconnaissance, which Linux command can be used to identify the technical and administrative contacts of a given domain?
3. Which specification defines the format used by image and sound files to capture metadata?
- Exchangeable Image File Format (Exif)
- Extensible Image File Format (Exif)
- Exchangeable File Format (EFF)
- Interchangeable File Format (IFF)
4. Why would a penetration tester perform a passive reconnaissance scan instead of an active one?
- to collect information about a network without being detected
- because the time to perform the scan is limited
- because the root-level SSH credentials to a target have been compromised
- to test whether specific services or protocols are available on the network
5. What type of server is a penetration tester enumerating when they enter the nmap -sU command?
- DNS, SNMP, or DHCP server
- HTTP or HTTPS server
- POP3, IMAP, or SMTP server
- FTP server
6. What is the disadvantage of conducting an unauthenticated scan of a target when performing a penetration test?
- Vulnerability of services running inside the target may not be detected.
- The scanner will report the port as open whether or not the service on that network segment is listening.
- Unauthenticated scans are more likely to provide a lower rate of false positives than authenticated scans.
- Unauthenticated scans are a form of passive reconnaissance that return little useful information.
7. What is required for a penetration tester to conduct a comprehensive authenticated scan against a Linux host?
- user credentials with root-level access to the target system
- system user credentials
- physical on-premises access to the target system
- backdoor access to the target system
8. In which circumstance would a penetration tester perform an unauthenticated scan of a target?
- when user credentials were not provided
- when the number of false positive vulnerability reports is not required
- when time is limited and faster scans are required
- when only targets with UDP services are to be scanned
9. Why would a penetration tester use the nmap -sF command?
- when a TCP SYN scan is detected by a network filter or firewall
- when the tester wants to conclude the scan
- when a TCP SYN scan reports more than one open port
- when the tester needs to time stamp the scan
10. What is the purpose of host enumeration when beginning a penetration test?
- to identify all active IP addresses within the scope of the test
- to count the total number of IP addresses within the scope of the test
- to identify all vulnerable hosts within the scope of the test
- to count the total number of vulnerable hosts within the scope of the test
11. What can be deduced when a tester enters the nmap -sF command to perform a TCP FIN scan and the target host port does not respond?
- that the port is not responding to TCP traffic
- that the port is listening for UDP traffic
- that the port is open
- that the port is not ready to close the TCP connection
12. What is the disadvantage of running a TCP Connect scan compared to running a TCP SYN scan during a penetration test?
- Both open and closed ports are detected.
- Indeterminate ICMP messages are generated.
- Hosts and addresses outside the scope of the test may be scanned.
- The extra packets required may trigger an IDS alarm.
13. When a penetration test identifies a vulnerability, how should the vulnerability be further verified?
- determine if the vulnerability is exploitable
- prioritize the vulnerability severity
- assess the business risk associated with the vulnerability
- mitigate the vulnerability
14. Why is the Common Vulnerabilities and Exposures (CVE) resource useful when investigating vulnerabilities detected by a penetration test?
- It is a high-level list of software weaknesses.
- It is an international consolidation of cybersecurity tools and databases.
- It has three vulnerability score components.
- It is a dictionary of known attacks.
15. What is the purpose of applying the Common Vulnerability Scoring System (CVSS) to a vulnerability detected by a penetration test?
- to determine the priority of the vulnerability
- to determine the attack vector that applies to the vulnerability
- to accurately record how the vulnerability was detected
- to calculate the severity of the vulnerability
16. A threat actor is looking at the IT and technical job postings of a target organization. What would be the most beneficial information to capture from these postings?
- the type of hardware and software used
- the salaries of the positions listed
- the hours of work required by the roles listed
- the employment benefits offered by the company
17. How is open-source intelligence (OSINT) gathering typically implemented during a penetration test?
- by using public internet searches
- by installing and running the OSINT API
- by sending phishing emails
- by using nmap for web page and web application enumerations
18. What initial information can be obtained when performing user enumeration in a penetration test?
- the IP addresses of the target hosts
- a valid list of users
- the credentials of a specified user
- access to the target internal network
19. What useful information can be obtained by running a network share enumeration scan during a penetration test?
- systems on a network that are sharing files, folders, and printers
- the usernames and password credentials of users on the network
- all vulnerable hosts on the network
- lists of the attack vectors that can exploit the network
20. A penetration tester must run a vulnerability scan against a target. What is the benefit of running an authenticated scan instead of an unauthenticated scan?
- Authenticated scans can provide a more detailed picture of the target attack surface.
- Authenticated scans are a form of passive reconnaissance that does not trigger target security alarms.
- Authenticated scans are performed without user credentials.
- Authenticated scans are less complex and are quicker than unauthenticated scans.
21. What are three considerations when planning a vulnerability scan on a target production network during a penetration test? (Choose three.)
- the timing of the scan
- the trained personnel available to analyze the scan results
- the available network bandwidth
- the network topology
- the available scanning tools
- the scan reporting requirement
22. When performing a vulnerability scan of a target, how can adverse impacts on traversed devices be minimized?
- Unauthenticated vulnerability scans should be performed.
- Only passive reconnaissance scans should be performed.
- The scan should be performed as close to the target as possible.
- Scanning policy options should include query throttling.
23. A company hires a cybersecurity consultant to conduct a penetration test to assess vulnerabilities in network systems. The consultant is preparing the final report to send to the company. What is an important feature of a final penetration test report?
- It gives an accurate presentation of vulnerabilities.
- It follows expected report presentation standards and style.
- It is a summary of general information so non-technical managers can understand it.
- It is made publicly available to all interested parties.
24. What is the advantage of using the target Wi-Fi network for reconnaissance packet inspection?
- The packet scan takes less time wirelessly compared to using the target wired network.
- More information can be captured wirelessly compared to using the target wired network.
- Fewer false positive vulnerabilities are detected.
- Physical access to the building may not be required.
25. What guidance does the NIST Cybersecurity Framework provide to help improve an organization’s cybersecurity posture?
- The framework provides a global consolidation of cybersecurity tools and databases.
- The framework lists cyber attacks that have been seen in the real world.
- The framework provides a vulnerability scoring system.
- The framework outlines standards and industry best practices.