Untitled Quiz


Questions and Answers

Which of these are types of information you are looking to collect about an organization during the information gathering phase? (Select all that apply)

  • Open ports on those target systems (correct)
  • Software used on the target systems (correct)
  • Public IP addresses used by the organization (correct)
  • Email addresses and phone numbers of employees (correct)
  • Target systems that are up and running (correct)
  • Whether software is running in the cloud (correct)

What is the term used for discovering information from public data sources available on the Internet?

  • Open Source Internet (OSI)
  • Open Source Network (OSN)
  • Open Source Information (OSI)
  • Open Source Intelligence (OSINT) (correct)

Which of these are techniques used for website reconnaissance? (Select all that apply)

  • Robots.txt (correct)
  • Scraping Websites (correct)
  • Manual Inspection of Web Links (correct)
  • Crawling Websites (correct)

What is the term used for an information gathering technique in which specific keywords are used to search Google or other search engines?

Google hacking (D)

What is the name of a program in Kali Linux used to collect public information from resources such as Google, LinkedIn, Twitter and Bing?

TheHarvester

What is the name of a widely used database search used to discover domain name information and IP address information about a company?

Whois (B)

Which of these are common tools used for DNS profiling? (Select all that apply)

dig (B), nslookup (C)

Which of these methods can modify the timing of an Nmap scan?

-T4 (A), -T0 (B)

Which Nmap switch is used to perform a port scan and identify the version of the software running on each port?

-sV (C)

Which of these tools are typically used to identify systems that are running on a network? (Select all that apply)

netdiscover (C), nmap (D)

Which of these tools are often used to gather information for OSINT? (Select all that apply)

Whois (A), theHarvester (B), Maltego (C), Shodan (D)

Vulnerability scanning is considered a passive assessment because you are not actively trying to exploit the system.

True (A)

What is the term used to describe the process of connecting to and interrogating a network or system to retrieve information about that network or system?

Enumeration (D)

Nmap can be used to identify hosts and services, along with identifying the operating system and the version of the software running on those systems.

True (A)

Which Nmap switch is often used to perform a basic ping sweep across a network?

-sP (A)

A TCP connect scan is considered more stealthy, compared to a SYN scan, as it does not perform a full handshake.

False (B)

Which Nmap switch allows you to specify the ports to scan?

-p (B)

Which Nmap switch is used to specify a file containing a list of targets to scan?

-iL (C)

Which of these are common techniques used to detect and avoid security solutions like WAFs (web application firewalls) and intrusion detection systems?

Packet crafting (A), Timing (D)

What is the purpose of a ping sweep within the context of active reconnaissance?

To identify which systems on a network are actively responding (D)

What is the primary purpose of using the '-sT' flag within Nmap?

To establish a full TCP connection to each target port (B)

Which of these are common steps involved in enumeration? (Select all that apply)

Enumerating networks (A), Enumerating services (B), Enumerating domains (C), Enumerating hosts on the network (D), Enumerating users (E)

Which of these are common tools or techniques used to detect load balancers? (Select all that apply)

Network topology analysis (B), IP address enumeration (C)

What is the purpose of using 'Recon-ng' in the context of OSINT gathering?

To collect information about a company's network and systems, such as domain names, IP addresses, and email addresses (B)

What is the primary purpose of using security tokens within an application?

To authorize users to perform specific actions within an application (C)

A common penetration testing technique is to fingerprint the target operating system as a first step in the vulnerability identification process.

True (A)

What is a primary advantage of using the '-sV' flag with Nmap?

Identifying known security vulnerabilities based on the identified software version (D)

Flashcards

Information Gathering

The process of collecting information about a target organization or company before a penetration test.

Passive Information Gathering

Collecting information from publicly available sources without interacting with the target systems.

Active Information Gathering

Collecting information by interacting with the target systems, potentially exposing them to risks.

OSINT (Open-Source Intelligence)

Gathering information from publicly available online sources.

DNS Profiling

Using DNS records to analyze system configurations and find publicly accessible services.

Nmap

A tool for active scanning and probing to discover open ports and running services on target systems.

Enumeration

The process of identifying all the accessible data of a target system.

Website Reconnaissance

Examining a target company's website to find useful information for penetration testing, such as software details or employee contact information.

Public IP Addresses

Internet addresses of servers or systems belonging to a target organization.

Target Systems

The systems or servers belonging to the target organization being assessed.

Open Ports

Communication channels (ports) on target systems that are accessible from the outside.

Software

The programs or applications running on the target systems.

Social Engineering

Manipulating people to gain access to sensitive information or systems.

Email addresses/phone numbers

Contact details of employees used for potential social engineering attacks.

Cloud-based systems

Servers, software, or data hosted and managed remotely by a third-party provider rather than locally on-site.

Self-hosted systems

Servers, software, or data run and managed by the target organization on their own servers or infrastructures.

Study Notes

Exam Objectives

  • Knowing the difference between passive and active information gathering
  • Understanding open-source intelligence (OSINT) gathering
  • Using DNS profiling
  • Using Nmap for active scanning
  • Being familiar with enumeration techniques
  • Understanding vulnerabilities in your targets
  • Performing vulnerability scans and analyzing results
  • Mapping vulnerabilities to exploits
  • Learning the types of weaknesses in specialized systems

Chapter 3: Information Gathering

  • After planning and scoping the penetration test, the next phase is information gathering and vulnerability identification.
  • Tools are used to discover information about an organization or company before penetration testing begins.
  • Examples of information gathered during this phase:
    • Email addresses and phone numbers of employees (for social engineering)
    • Public IP addresses used by the organization
    • Target systems that are running
    • Open ports on target systems
    • Software used on target systems
    • Whether the software is running in the cloud or is self-hosted

Chapter 4: Vulnerability Identification

  • After reconnaissance, the next phase is vulnerability identification.
  • Vulnerability scanning is a passive assessment, not an attempt to exploit the system.
  • A vulnerability is a weakness in a system that can be exploited to compromise security.