Questions and Answers 1
Question 1: You just noticed a member of your pen test team sending an email to an address that you know does not exist within the company for which you are contracted to perform the penetration test. Why is he doing this?
A. To determine who is the holder of the root account
B. To determine if the email server is vulnerable to a relay attack
C. To test the network’s IDS systems
D. To generate a response back that will reveal information about email servers
Answer 1: D. Sending a bogus email is one way to find out more about internal servers, gather additional IP addresses, and learn how they treat mail. Answer A is incorrect, as this will not allow you to determine the holder of the root account. Answer B is incorrect, as this will not tell you if the mail server is vulnerable to a relay attack. Answer C is incorrect, as bounced email will not normally trigger an IDS.
Question 2: What is the range for dynamic random ports?
A. 1024-49151
B. 1-1024
C. 49152-65535
D. 0-1023
Answer 2: C. Dynamic random ports range from 49152-65535. Most established well-known applications range from 0-1023. Answers A, B, and D are incorrect because well-known ports range from 0-1023, registered ports range from 1024-49151, and dynamic ports range from 49152-65535.
Question 3: What does the following command achieve?
Telnet <IP Address> 80
HEAD / HTTP/1.0
<Return>
<Return>
A. This command returns the home page for the IP address specified.
B. This command opens a backdoor Telnet session to the IP address specified.
C. This command returns the banner of the website specified by the IP address.
D. This command allows a hacker to determine if the server has a SQL database.
Answer 3: C. This command is used for banner grabbing. Banner grabbing helps identify the service and version of the web server running. Answer A is incorrect, as this command will not return the web server’s home page. Answer B is incorrect because it will not open a backdoor on the IP address specified. Answer D is incorrect, as this command will not allow an attacker to determine if there is a SQL server at the target IP address.
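The banner grab in Question 3 is just a HEAD request typed over a raw TCP connection and the response headers read back, with the Server header being the interesting part. The script below is an added example, not code from the original post: it starts Python's stock http.server on a loopback port (a constructed target, not any real host), sends the same HEAD request over a socket, and parses the Server header out of the reply. It also shows the defender's side: a second handler that overrides the server_version and sys_version attributes so the banner no longer names the software and interpreter version.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host, port, timeout=5.0):
    """Send the request the telnet session types by hand and return
    (status_line, headers) parsed from the response head."""
    request = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        # An HTTP/1.0 server closes after its reply; stop early once the
        # header block is complete so a slow server cannot stall us.
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class ChattyHandler(BaseHTTPRequestHandler):
    """Stock http.server behaviour: the Server header reports
    'BaseHTTP/<ver> Python/<ver>', i.e. product and version disclosure."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


class QuietHandler(ChattyHandler):
    """Hardened variant: generic product token, no interpreter version."""

    server_version = "Web"
    sys_version = ""


def banner_for(handler_cls):
    """Serve on an ephemeral loopback port (constructed target), grab the
    banner, then shut the server down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return grab_banner("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (ChattyHandler, QuietHandler):
        status, headers = banner_for(cls)
        print(cls.__name__, status, headers.get("server"))
```

Run it and the first line shows the default banner with a Python version in it; the second shows only "Web". On a production server the equivalent knobs are ServerTokens/ServerSignature (Apache) or server_tokens (nginx), which is what you would check if this question came up in an assessment.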
Question 4: You would like to perform a port scan that would allow you to determine if a stateless firewall is being used. Which of the following would be the best option?
A. XMAS scan
B. Idle scan
C. Stealth scan
D. ACK scan
Answer 4: D. An ACK scan would be the best choice to determine if stateless inspection is being used. If there is an ACL in place, the ACK would be allowed to pass. Answer A is incorrect because an XMAS scan is not used to bypass stateless inspection; it uses an abnormal flag setting. Answer B is incorrect, as an idle scan requires a third idle device and is used because it is considered stealthy. Answer C is incorrect, as a stealth scan simply performs the first two steps of the three-way handshake.
Question 5: You have become concerned that someone could attempt to poison your DNS server. What determines how long cache poisoning would last?
A. A record
B. CNAME
C. SOA
D. MX
Answer 5: C. The TTL is the value that would determine how long cache poisoning would last. It is typically found in the SOA record. Answer A is incorrect, as the A record maps a hostname to its IP address. Answer B is incorrect because the CNAME is an alias. Answer D is incorrect because the MX record maps to mail exchange servers.
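The TTL that Answer 5 refers to is a field in the DNS wire format: every resource record carries its own 32-bit TTL, and the SOA record's RDATA ends with a minimum field that resolvers use as the negative-caching TTL. The parser below is an added example, not part of the original post; it builds a constructed SOA response for the made-up zone example.test. (sample values, not a capture) and extracts both the record TTL and the SOA minimum, which is what a resolver operator would look at to know how long a bad cached entry could persist. Compression pointers are handled as in RFC 1035 section 4.1.4.

```python
import struct

SOA_TYPE = 6
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name into uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at `off`, following compression pointers.
    Returns (name, offset just past the name's bytes at the original position)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer: jump and keep reading
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_soa_response(zone, mname, rname, serial, refresh, retry, expire, minimum, ttl):
    """Construct a minimal reply to 'zone SOA?' holding one SOA record (sample data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, counts
    question = encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    # Owner name is a pointer to the question name, which starts at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_soa_records(msg):
    """Return the SOA records in the answer section with their RR TTL and SOA fields."""
    _ident, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip questions: name + type + class
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            records.append({"owner": owner, "ttl": ttl, "mname": mname, "rname": rname,
                            "serial": serial, "refresh": refresh, "retry": retry,
                            "expire": expire, "minimum": minimum})
        off += rdlen
    return records


if __name__ == "__main__":
    # Constructed sample zone; the numbers are illustrative, not from any real domain.
    msg = build_soa_response("example.test.", "ns1.example.test.", "hostmaster.example.test.",
                             2024010101, 7200, 900, 1209600, 3600, ttl=86400)
    for rec in parse_soa_records(msg):
        print(f"{rec['owner']} SOA ttl={rec['ttl']}s minimum={rec['minimum']}s")
```

A record with an 86400-second TTL, once accepted into a resolver cache, stays there for a day unless the cache is flushed, which is why TTL is the value that bounds how long poisoning lasts.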