3.5.3 Quiz – Information Gathering and Vulnerability Scanning Answers
1. Which two tools could be used to gather DNS information passively? (Choose two.)
- Recon-ng
- Dig
- Wireshark
- Nmap
- ExifTool
2. When performing passive reconnaissance, which Linux command can be used to identify the technical and administrative contacts of a given domain?
- netstat
- dig
- whois
- nmap
3. Which specification defines the format used by image and sound files to capture metadata?
- Exchangeable Image File Format (Exif)
- Extensible Image File Format (Exif)
- Exchangeable File Format (EFF)
- Interchangeable File Format (IFF)
4. Why would a penetration tester perform a passive reconnaissance scan instead of an active one?
- to collect information about a network without being detected
- because the time to perform the scan is limited
- because the root-level SSH credentials to a target have been compromised
- to test whether specific services or protocols are available on the network
5. What type of server is a penetration tester enumerating when they enter the nmap -sU command?
- DNS, SNMP, or DHCP server
- HTTP or HTTPS server
- POP3, IMAP, or SMTP server
- FTP server
6. What is the disadvantage of conducting an unauthenticated scan of a target when performing a penetration test?
- Vulnerabilities in services running inside the target may not be detected.
- The scanner will report the port as open whether or not the service on that network segment is listening.
- Unauthenticated scans are more likely to provide a lower rate of false positives than authenticated scans.
- Unauthenticated scans are a form of passive reconnaissance that return little useful information.
7. What is required for a penetration tester to conduct a comprehensive authenticated scan against a Linux host?
- user credentials with root-level access to the target system
- system user credentials
- physical on-premises access to the target system
- unauthenticated scans are a form of passive reconnaissance that return little useful information.
- backdoor access to the target system
8. In which circumstance would a penetration tester perform an unauthenticated scan of a target?
- when user credentials were not provided
- when the number of false positive vulnerability reports is not required
- when time is limited and faster scans are required
- when only targets with UDP services are to be scanned
9. Why would a penetration tester use the nmap -sF command?
- when a TCP SYN scan is detected by a network filter or firewall
- when the tester wants to conclude the scan
- when a TCP SYN scan reports more than one open port
- when the tester needs to time stamp the scan
10. What is the purpose of host enumeration when beginning a penetration test?
- to identify all active IP addresses within the scope of the test
- to count the total number of IP addresses within the scope of the test
- to identify all vulnerable hosts within the scope of the test
- to count the total number of vulnerable hosts within the scope of the test
11. What can be deduced when a tester enters the nmap -sF command to perform a TCP FIN scan and the target host port does not respond?
- that the port is not responding to TCP traffic
- that the port is listening for UDP traffic
- that the port is open
- that the port is not ready to close the TCP connection
12. What is the disadvantage of running a TCP Connect scan compared to running a TCP SYN scan during a penetration test?
- Both open and closed ports are detected.
- Indeterminate ICMP messages are generated.
- Hosts and addresses outside the scope of the test may be scanned.
- The extra packets required may trigger an IDS alarm.
13. When a penetration test identifies a vulnerability, how should the vulnerability be further verified?
- determine if the vulnerability is exploitable
- prioritize the vulnerability severity
- assess the business risk associated with the vulnerability
- mitigate the vulnerability
14. Why is the Common Vulnerabilities and Exposures (CVE) resource useful when investigating vulnerabilities detected by a penetration test?
- It is a high-level list of software weaknesses.
- It is an international consolidation of cybersecurity tools and databases.
- It has three vulnerability score components.
- It is a dictionary of known attacks.
15. What is the purpose of applying the Common Vulnerability Scoring System (CVSS) to a vulnerability detected by a penetration test?
- to determine the priority of the vulnerability
- to determine the attack vector that applies to the vulnerability
- to accurately record how the vulnerability was detected
- to calculate the severity of the vulnerability
16. A threat actor is looking at the IT and technical job postings of a target organization. What would be the most beneficial information to capture from these postings?
- the type of hardware and software used
- the salaries of the positions listed
- the hours of work required by the roles listed
- the employment benefits offered by the company
17. How is open-source intelligence (OSINT) gathering typically implemented during a penetration test?
- by using public internet searches
- by installing and running the OSINT API
- by sending phishing emails
- by using nmap for web page and web application enumerations
18. What initial information can be obtained when performing user enumeration in a penetration test?
- the IP addresses of the target hosts
- a valid list of users
- the credentials of a specified user
- access to the target internal network
19. What useful information can be obtained by running a network share enumeration scan during a penetration test?
- systems on a network that are sharing files, folders, and printers
- the usernames and password credentials of users on the network
- all vulnerable hosts on the network
- lists of the attack vectors that can exploit the network
20. A penetration tester must run a vulnerability scan against a target. What is the benefit of running an authenticated scan instead of an unauthenticated scan?
- Authenticated scans can provide a more detailed picture of the target attack surface.
- Authenticated scans are a form of passive reconnaissance that does not trigger target security alarms.
- Authenticated scans are performed without user credentials.
- Authenticated scans are less complex and are quicker than unauthenticated scans.
21. What are three considerations when planning a vulnerability scan on a target production network during a penetration test? (Choose three.)
- the timing of the scan
- the trained personnel available to analyze the scan results
- the available network bandwidth
- the network topology
- authenticated scans are less complex and are quicker than unauthenticated scans
- the available scanning tools
- the scan reporting requirement
22. When performing a vulnerability scan of a target, how can adverse impacts on traversed devices be minimized?
- Unauthenticated vulnerability scans should be performed.
- Only passive reconnaissance scans should be performed.
- The scan should be performed as close to the target as possible.
- Scanning policy options should include query throttling.
23. A company hires a cybersecurity consultant to conduct a penetration test to assess vulnerabilities in network systems. The consultant is preparing the final report to send to the company. What is an important feature of a final penetration test report?
- It gives an accurate presentation of vulnerabilities.
- It follows expected report presentation standards and style.
- It is a summary of general information so non-technical managers can understand it.
- It is made publicly available to all interested parties.
24. What is the advantage of using the target Wi-Fi network for reconnaissance packet inspection?
- The packet scan takes less time wirelessly compared to using the target wired network.
- More information can be captured wirelessly compared to using the target wired network.
- Fewer false positive vulnerabilities are detected.
- Physical access to the building may not be required.
25. What guidance does the NIST Cybersecurity Framework provide to help improve an organization’s cybersecurity posture?
- The framework provides a global consolidation of cybersecurity tools and databases.
- The framework lists cyber attacks that have been seen in the real world.
- The framework provides a vulnerability scoring system.
- The framework outlines standards and industry best practices.