Hands on Ethical Hacking and Network Defense

Chapter 4 Solutions Review Questions 1.

Which of the following is a fast and easy way to gather information about a company? (Choose all that apply.) c. View the company’s Web site. d. Look for company ads in phone directories.

2.

To find information about the key IT personnel for a company’s domain, you might use which of the following tools? (Choose all that apply.) a. Whois c. SamSpade

3.

_____ is one of the components most vulnerable to network attacks. d. DNS

4.

Which of the following contains host records for a domain? a. DNS

5.

Which of the following is a good Web site for gathering information on a domain? e. All of the above

6.

A cookie can store information about a Web site’s visitors. True or False? True

7.

Which of the following enables you to view all host computers on a network? c. Zone transfers

8.

What’s one way to gather information about a domain? a. View the header of an e-mail you send to an e-mail account that doesn’t exist.

9.

Which of the following is one method of gathering information about the operating systems a company is using? a. Search the Web for e-mail addresses of IT employees.

10. To determine a company’s primary DNS server, you can look for a DNS server containing which of the following? d. SOA record 11. When conducting competitive intelligence, which of the following is a good way to determine the size of a company’s IT support staff? a. Review job postings on Web sites such as www.monster.com or www.dice.com. 12. If you’re trying to find newsgroup postings by IT employees of a certain company, which of the following Web sites should you visit? a. http://groups.google.com 13. Which of the following tools can assist you in finding general information about an organization and its employees? (Choose all that apply.) a. www.google.com b. http://groups.google.com 14. What’s the first method a security tester should attempt to find a password for a computer on the network? c. Ask the user. 15. Many social engineers begin gathering the information they need by using which of the following? b. The telephone 16. Discovering a user’s password by observing the keys he or she presses is called which of the following? d. Shoulder surfing 17. Shoulder surfers can use their skills to find which of the following pieces of information? (Choose all that apply.)

a. Passwords b. ATM PINs c. Long-distance access codes 18. Entering a company’s restricted area by following closely behind an authorized person is referred to as which of the following? b. Piggybacking 19. What social-engineering technique involves telling an employee that you’re calling from the CEO’s office and need certain information ASAP? (Choose all that apply.) a. Urgency c. Position of authority 20. Before conducting a security test by using social-engineering tactics, what should you do? c. Get written permission from the person who hired you to conduct the security test.

Chapter 5 Solutions Review Questions 1.

Security testers and hackers use which of the following to determine the services running on a host and the vulnerabilities associated with these services? d. Port scanning

2.

What is the most widely used port-scanning tool? c. Nmap

3.

To find extensive Nmap information and examples of the correct syntax to use in Linux, which of the following commands should you type? d. man nmap

4.

To see a brief summary of Nmap commands in a Linux shell, which of the following should you do? a. Type nmap -h.

5.

Which of the following Nmap commands sends a SYN packet to a computer with the IP address 193.145.85.210? (Choose all that apply.) a. nmap -sS 193.145.85.210 b. nmap -v 193.145.85.210

6.

Which flags are set on a packet sent with the nmap -sX 193.145.85.202 command? (Choose all that apply.) a. FIN b. PSH d. URG

7.

Which Nmap command verifies whether the SSH port is open on any computers in the 192.168.1.0 network? (Choose all that apply.) a. nmap -v 192.168.1.0-254 -p 22 d. nmap -v 192.168.1.0/24 -p 22

8.

A closed port responds to a SYN packet with which of the following packets? d. RST

9.

Which type of scan is usually used to bypass a firewall or packet-filtering device? a. ACK scan

10. Security testers can use Hping to bypass filtering devices. True or False? True 11. A FIN packet sent to a closed port responds with which of the following packets?

c. RST 12. A(n) ________ scan sends a packet with all flags set to NULL. a. NULL 13. What is a potential mistake when performing a ping sweep on a network? a. Including a broadcast address in the ping sweep range 14. Port scanning provides the state for all but which of the following ports? d. Buffered 15. A NULL scan requires setting the FIN, ACK, and URG flags. True or False? False 16. Why does the fping -f 193.145.85.201 193.145.85.220 command cause an error? a. An incorrect parameter is used. 17. In basic network scanning, ICMP Echo Requests (type 8) are sent to host computers from the attacker, who waits for which type of packet to confirm that the host computer is live? d. ICMP Echo Reply (type 0) 18. To bypass some ICMP-filtering devices on a network, an attacker might send which type of packets to scan the network for vulnerable services? (Choose all that apply.) b. SYN packets c. ACK packets 19. Which of the following is a tool for creating a custom TCP/IP packet and sending it to a host computer? c. Hping 20. Fping doesn’t allow pinging multiple IP addresses simultaneously. True or False? False

Chapter 6 Solutions Review Questions 21. Which of the following testing processes is the most intrusive? b. Enumeration 22. Security testers conduct enumeration for which of the following reasons? (Choose all that apply.) a. Gaining access to shares and network resources b. Obtaining user logon names and group memberships 23. Which of the following tools can be used to enumerate Windows systems? (Choose all that apply.) a. OpenVAS b. DumpSec d. Hyena 24. Enumeration of Windows systems can be more difficult if port ____ is filtered. d. 139/TCP 25. A null session is enabled by default in all the following Windows versions except: b. Windows Server 2008 26. The Net view command can be used to see whether there are any shared resources on a server. True or False? True 27. To identify the NetBIOS names of systems on the 193.145.85.0 network, which of the following commands do you use? a. nbtscan 193.145.85.0/24

28. Which of the following is a Windows command-line utility for seeing NetBIOS shares on a network? c. Net view 29. To view eDirectory information on a NetWare 5.1 server, which of the following tools should you use? d. Novell Client 30. The Nbtstat command is used to enumerate *nix systems. True or False? False 31. A NetBIOS name can contain a maximum of ___ characters. c. 15 32. Which of the following commands connects to a computer containing shared files and folders? b. Net use 33. Which port numbers are most vulnerable to NetBIOS attacks? c. 135 to 139 34. Which of the following is the vulnerability scanner from which OpenVAS was developed? b. Nessus 35. Most NetBIOS enumeration tools connect to the target system by using which of the following? c. Null sessions 36. What is the best method of preventing NetBIOS attacks? a. Filtering certain ports at the firewall 37. Which of the following is a commonly used UNIX enumeration tool? d. Finger 38. Which of the following commands should you use to determine whether there are any shared resources on a Windows computer with the IP address 193.145.85.202? c. nbtstat -a 193.145.85.202 39. The Windows Net use command is a quick way to discover any shared resources on a computer or server. True or False? False