Question 51: In the following command, which flag is responsible for saving output to both XML and HTML files?
theharvester -d example.com -b google -f foo -v -n
A. -v
B. -f
C. -n
D. -b
Correct Answer:
B. -f
Explanation:
The -f flag in theharvester will dump output into both an HTML and XML document (in this case, to foo.xml and foo.html).
The -v, -n, and -b flags, respectively, verify a hostname via DNS resolution, perform a reverse DNS query on the IP ranges discovered to be in use, and allow the user to define the data source (such as Google, Bing, or LinkedIn).
Question 52: Which technique is used during passive reconnaissance to map a user-defined hostname to the IP address or addresses with which it is associated?
A. DNS zone transfer
B. Reverse DNS lookup
C. Investigation
D. Forward DNS lookup
Correct Answer:
D. Forward DNS lookup
Explanation:
A forward DNS lookup queries the name server for a domain or hostname, for which the DNS server will then provide the associated IP address; this function is present at the heart of the internet, as the use of human-readable terms such as “google.com” in web browsers would fail without it. Put another way, in the absence of a service such as DNS, we would be required to use machine-readable logical addresses alone (that is, IP addresses) to do nearly anything across a network.
A DNS zone transfer is a type of DNS transaction wherein a DNS database is replicated to the requesting system. DNS zone transfers can be of great benefit to penetration testers if internal corporate name servers permit them; knowledge of the entirety of an organization’s IP space and hostnames can be of immense value in identifying potential targets during a penetration test. A reverse DNS lookup takes a user-provided IP address and then queries a name server for the host(s) or domain(s) with which that address is associated. Investigation is incorrect because it is not a term with an explicit definition in the lexicon of penetration testing.
Question 53: While footprinting an organization for a penetration test, you discover that a service it relies on uses FTP across port 14147 for data transfers. How could you refine a Shodan search to only reveal FTP servers on that port?
A. FTP port 14147
B. FTP:14147
C. FTP port:14147
D. FTP;port 14147
Correct Answer:
C. FTP port:14147
Explanation:
Search and filter terms in Shodan must be provided in the format search_string filter:value. In the example given, FTP port:14147 will search for FTP connections available on the open Internet and then filter all but those running on port 14147 from the search results.
The other options are incorrect because none of them follows the search_string filter:value format that Shodan requires.
Question 54: Which free and GNU-licensed tool written for the Windows operating system family gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names?
A. Maltego
B. FOCA
C. recon-ng
D. theharvester
Correct Answer:
B. FOCA
Explanation:
FOCA is a free, GNU-licensed tool that gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names. Note that while FOCA can be run in Linux and Unix variants using WINE (a compatibility layer or interface that allows Windows applications to run on *nix operating systems), the question specifically mentions that the tool was written for Windows, rather than stating that it only runs in Windows.
While Maltego and recon-ng are capable of scraping metadata from files with the use of transforms or modules, neither of these tools was written specifically for the Windows operating system family. Theharvester is limited to what can be pulled directly from a website; scraping the contents of files stored on a website is beyond its capabilities. In addition, theharvester is like Maltego and recon-ng in that it was not written specifically for the Windows operating system.
Question 55: Which of the following data sources is not a valid option in theharvester?
A. Google
B. LinkedIn
C. Facebook
D. Twitter
Correct Answer:
C. Facebook
Explanation:
Although theharvester can query many data sources, Facebook is not one of them, which makes it the correct answer. Pay careful attention to questions that are stated with a negating term such as “is not” or “are not.”
Google, LinkedIn, and Twitter are all valid data sources for theharvester, making these incorrect choices for this question.
Question 56: What is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets?
A. Reconnaissance
B. Passive information gathering
C. Web searching
D. Active information gathering
Correct Answer:
B. Passive information gathering
Explanation:
Passive information gathering is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets.
Reconnaissance is a broader term that can describe both passive and active information-gathering efforts. Web searching is just one specific activity performed during passive information gathering. Active information gathering is the process of collecting information about target systems, software, networks, or people in a manner that requires direct engagement with the target or its assets.
Question 57: Which of the following, dubbed Sunburst, was used by nation-state actors to bypass SolarWinds’ security mechanisms and gain access to its system?
A. Digital signature
B. Backdoor
C. Buffer overflow
D. Adware
Correct Answer:
B. Backdoor
Explanation:
A backdoor is used by both developers and attackers to bypass security mechanisms and gain access to a system or encrypted data. Notably, the massive SolarWinds supply chain attack originated with a critical backdoor, known as Sunburst, hidden in updates for its Orion software.
Question 58: Which of the following malicious programs, appearing to be legitimate, is commonly used to target banking and payment systems to access confidential information?
A. Social engineering
B. Backdoor
C. Ransomware
D. Trojan horse
Correct Answer:
D. Trojan horse
Explanation:
A Trojan horse is a malicious program installed on a device that evades detection by appearing legitimate. Common indicators of this type of malware include unexpected changes to settings or anomalous activity on a computer.
Question 59: Choose the correct malware term that describes a controversial program designed to propagate across networks for the purpose of distributing security patches for known vulnerabilities.
A. Keylogger
B. Patch management
C. Spyware
D. Ethical worm
Correct Answer:
D. Ethical worm
Explanation:
Unlike its malicious counterpart, an ethical worm spreads across a network to distribute security patches for known vulnerabilities. However, its drive-by download capability and potential for unexpected harm make ethical worms controversial among security experts.
Question 60: Made famous by the Maze gang in 2019, the name-and-shame tactic is most commonly used by cybercriminal groups in which of the following attacks?
A. Port scan
B. Logic bomb
C. Distributed denial of service (DDoS)
D. Ransomware
Correct Answer:
D. Ransomware
Explanation:
Name-and-shame campaigns are commonly used in ransomware attacks in which cybercriminal groups publicly announce their victims and threaten to leak sensitive data to compel victims to pay a ransom.