3. Info Gathering & Vulnerability Scanning

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 03. Information Gathering and Vulnerability Scanning

1 / 102

What is the first step of how a typical vulnerability scanner works as described in the text?

A. The scanner tries to determine if the software that is listening on the target system is susceptible to any known vulnerabilities.

B. The scanner produces a report on what it suspects could be vulnerable.

C. In the discovery phase, the scanner uses a tool such as Nmap to perform host and port enumeration.

D. When the scanner has enough information about the open port to determine what software and version are running on that port, it records that information in a database for further analysis.

2 / 102

What is the difference between active and passive reconnaissance in a penetration testing engagement?

A. Active reconnaissance does not interact directly with the target device or network, while passive does.

B. Passive reconnaissance involves probing the network or systems for responses, while active does not.

C. Active reconnaissance involves sending probes to the target network or systems, while passive involves methods that do not directly interact with the target.

D. active and passive reconnaissance are the same in terms of their interaction with the target network or systems. They just use different tools.

3 / 102

Which of the following advanced operators in Google enables searching within the text of a particular file type?

A. Filetype

B. Inurl

C. Link

D. Intitle

4 / 102

What does Recon-ng use to gather information from various OSINT resources, such as Facebook, Indeed, Flickr, Instagram, Shodan, LinkedIn, and YouTube?

A. Web scraping

B. Application programming interfaces (APIs)

C. Network probes

D. Packet capture files

5 / 102

What is the primary function of Recon-ng as discussed in the text?

A. It is used for advanced network scanning activities.

B. It performs in-depth application vulnerability analysis.

C. It is used for integration of security tools in a central platform.

D. It is a tool that effectively gathers information using APIs from different sources.

6 / 102

Which tool can be used to find email addresses and passwords exposed in previous breaches?

A. GitHub

B. Pastebin

C. h8mail

D. pip3

7 / 102

Which Nmap timing template is ideal for a fast and reliable network but may overwhelm targets?

A. -T2 (Polite)

B. -T4 (Aggressive)

C. -T1 (Sneaky)

D. -T3 (Normal)

8 / 102

What happens when Nmap, during a UDP scan, receives no response from the target UDP port?

A. The port is marked as closed

B. The service is considered as not listening on the port

C. The port is marked as open/filtered

D. An ICMP error message is received

9 / 102

Which of the following Advanced Google Operators would you use to direct Google to search for a term within the title of a document?

A. Filetype

B. Inurl

C. Link

D. Intitle

10 / 102

According to the text, what could be a potential approach to scan fragile systems without causing them to crash?

A. Increasing the scan frequency and intensify the options used in the scan policy.

B. Exempt them from the scan completely.

C. Adjust the scanning options to reduce the risk of crashing the devices or throttle the scan frequency.

D. Only scan the fragile systems during business hours.

11 / 102

What is the primary difference between an unauthenticated scan and an authenticated scan when utilizing a vulnerability scanner?

A. Unauthenticated scans use SSH port forwarding, while authenticated scans do not.

B. Unauthenticated scans only show network services exposed to the network, while authenticated scans can access more information and have a lower rate of potential false positives.

C. Authenticated scans can’t access ports that are not exposed to the network.

D. Unauthenticated scans attempt to enumerate the ports open on the target host, while authenticated scans do not.

12 / 102

What command is used to retrieve the organization name (OrgName) of the owner for an IP address?

A. host

B. grep

C. whois

D. aspmx

13 / 102

What is Recon-ng and why is it effective?

A. A python framework used to collect information using APIs, making it very effective in social networking site enumeration

B. A marketplace for searching available modules in Kali Linux

C. A feature in Metasploit msfconsole used to gather information

D. A module in Censys database used to query for OSINT data

14 / 102

What is the primary role and responsibility of the National Institute of Standards and Technology (NIST)?

A. To ensure the security of private industry data

B. To promote innovation and industrial competitiveness

C. To act as a private security company for various institutions

D. To maintain international standards for measurements

15 / 102

What does the -T3 (Normal) option specify in an Nmap scan?

A. It makes the scan very slow and is used for IDS evasion

B. It runs the scan 10 times slower than the default to save bandwidth

C. It triggers a dynamic timing model based on target responsiveness

D. It makes the scan very aggressive, which can overwhelm targets or miss open ports

16 / 102

What is the process to eliminate false positives in a vulnerability scanning tool?

A. Ignore the scan results and rerun the scan

B. Manually confirm the version information of a reported service and cross-check the details of the vulnerability

C. Contact the manufacturer and ask for an upgrade

D. Change to a different scanning tool

17 / 102

Where should a vulnerability scan be performed in the network topology to ensure accuracy and minimal network impact?

A. Across a WAN connection

B. As far away from the target as possible

C. As close to the target as possible

D. Through a firewall device

18 / 102

What data can attackers leverage while trying to gather information about their victims?

A. eBook purchases

B. Personal hobbies

C. Password dumps and file metadata

D. Medical records

19 / 102

What function does Scapy offer to list all available formats and protocols?

A. show()

B. display()

C. ls()

D. reveal()

20 / 102

What is the primary purpose of the Common Weakness Enumeration (CWE)?

A. To compile a list of all software available on the market

B. To create a common language to describe software security weaknesses

C. To initialize a software updating service

D. To host a forum for ethical hackers to share exploits

21 / 102

Which of the following statements about the Recon-ng tool is not true?

A. Recon-ng is a modular framework developed in Python for information gathering

B. Recon-ng is effective in social networking site enumeration due to its use of application programming interfaces (APIs)

C. Recon-ng can be started by running the command ’recon-ng start’ in a new terminal window

D. Recon-ng includes a reporting feature that allows the exporting of data in different report formats

22 / 102

What are some of the qualities and uses of the Nikto web server enumeration tool?

A. It is a closed source tool used specifically for web application enumeration

B. It is a silent scanner that is difficult to detect

C. It is an open source tool that can perform quick enumeration of a web server

D. It is primarily used for network enumeration, not web server enumeration

23 / 102

Which of the following best describes the difference between Active Reconnaissance and Passive Reconnaissance in the context of cybersecurity?

A. Active Reconnaissance involves sending probes to elicit responses from the target network, whereas Passive Reconnaissance simply listens to the network traffic

B. Active Reconnaissance only involves listening to the network traffic, whereas Passive Reconnaissance sends out active probes to the network

C. Both Active and Passive Reconnaissance involve sending probes to the network

D. Active Reconnaissance is unlikely to be detected, whereas Passive Reconnaissance is more likely to raise flags on the network

24 / 102

What does a TCP SYN-ACK response indicate when performing a port scan using Nmap?

A. The service is not listening on the port.

B. The port is closed.

C. The service is listening on the port.

D. The port is firewalled.

25 / 102

What is the role of the JPCERT?

A. It’s responsible for CSIRT activities in the United States

B. It’s responsible for conducting security audits for private firms in Japan

C. It’s a non-profit that helps victims of cyber crimes in Japan

D. It’s responsible for CSIRT activities in the Japanese and Asia Pacific region

26 / 102

Which of the following accurately describes a passive vulnerability scanner?

A. A tool that detects vulnerabilities by using denial-of-service attacks

B. A security device that responds to any detected intrusion attempts

C. A tool that actively scans the network and its traffic in a noisy and easily detectable way

D. A tool that monitors and analyzes network traffic to identify vulnerabilities based on the traffic it sees

27 / 102

Which of the following is true about Recon-ng from the following statements?

A. It is a framework specially developed for IOS

B. It’s main function is to connect to various APIs for information gathering

C. It cannot be run on Kali Linux system

D. It does not provide a marketplace for installing additional modules

28 / 102

Which of the following tools are most accurate in finding email addresses and passwords exposed in previous breaches?

A. h8mail and WhatBreach

B. weleakinfo.com

C. snusbase.com

D. haveibeenpwned.com

29 / 102

What is the function of the ’ls()’ command in the Scapy Python-based framework?

A. It launches the Scapy interactive shell

B. It lists all available formats and protocols supported by Scapy

C. It is used to send a crafted ICMP packet

D. It is used to launch a TCP SYN scan

30 / 102

Which among the following Nmap timing templates is to be used when trying to be very aggressive, but this may likely overwhelm the targets or even miss open ports?

A. -T0 (Paranoid)

B. -T3 (Normal)

C. -T4 (Aggressive)

D. -T5 (Insane)

31 / 102

What does the base score in the Common Vulnerability Scoring System (CVSS) represent?

A. The severity of a vulnerability as it changes over time

B. The characteristics of a vulnerability that depend on a user-specific environment

C. The intrinsic characteristics of a vulnerability that are constant over time

D. The severity of the other systems that may be impacted by the vulnerability

32 / 102

What do you need to consider when deciding the best time to run a vulnerability scan on a production network?

A. The potential for heavy network traffic.

B. The possibility of the target device or network infrastructure crashing.

C. The impact on end users and servers.

D. All of the above.

33 / 102

What is the structure of a CVE ID?

A. CVE-YYYY-NNNN

B. CVN-YY-NNNN

C. CVE-NNNN-YYYY

D. CVD-YYYY-NN

34 / 102

Why would an attacker target h4cker.org use DNS lookups in the initial stages of preparing an attack?

A. To add confusion to the target organization’s SOC

B. To see what the website of h4cker.org looks like

C. To determine the IP addresses used by h4cker.org and any other subdomains

D. To spread a worm into h4cker.org’s network

35 / 102

What is the purpose of using the nmap -sC command in the context of pentesting?

A. It determines the Samba version and the operating system of the target system.

B. It modifies the security configurations of the target system.

C. It downloads and installs security updates on the target system.

D. It cleans up the target system to free up resources.

36 / 102

What functionality makes Recon-ng highly effective in social networking site enumeration during the Penetration Testing process?

A. Its capability to run on Windows and Mac OS.

B. Its integration with Metasploit msfconsole.

C. Its use of application programming interfaces (APIs) to gather information.

D. Its interface with SQL and Database Management Systems.

37 / 102

What does the -T4 (Aggressive) timing option in the Nmap scanner signify?

A. It is very slow and used for IDS evasion

B. It assumes a fast and reliable network and may overwhelm targets

C. It slows down to consume less bandwidth

D. It is the default timing model based on target responsiveness

38 / 102

What considerations must a penetration tester make in order to prioritize the vulnerabilities found?

A. The severity of the vulnerability and the number of systems it applies to

B. How the vulnerability was detected and whether it was found manually or automatically

C. The value of the device that the vulnerability was found on and if the device is critical to business

D. All of the above

39 / 102

What is the primary function of the SMB_COM_SESSION_SETUP_ANDX message in an SMB implementation?

A. It determines if the server is using share- or user-level authentication mechanisms

B. It serves to tell the server what protocols, flags, and options the client would like to use

C. It signals the start of the authentication process

D. It assigns a relative identifier (RID) to objects within a domain

40 / 102

What does the Nmap Humble Bundle smb-enum-shares NSE script use for network share enumeration?

A. Microsoft Active Directory

B. Microsoft Remote Procedure Call (MSRPC)

C. Microsoft Distributed File System (DFS)

D. Microsoft Dynamic Host Configuration Protocol (DHCP)

41 / 102

Which command is used to retrieve the organization name of the owner for particular IP addresses?

A. grep

B. host

C. whois

D. ping

42 / 102

Which Nmap timing template is used for IDS evasion and is very slow?

A. -T0 (Paranoid)

B. -T1 (Sneaky)

C. -T2 (Polite)

D. -T3 (Normal)

43 / 102

Which of the following can the information from a target’s SSL certificates potentially reveal?

A. Digital signature of the organization

B. IP address of the victim’s machine

C. Organizational structure and job roles

D. Cryptographic flaws and weak implementations

44 / 102

What is the purpose of the Nmap smb-enum-processes NSE script?

A. It is used to bypass network filters and obtain confidential data.

B. It is used to enumerate services on a Windows system given user credentials.

C. It is used to establish a secure connection to the remote system.

D. It is used to block specific ports on the targeted system.

45 / 102

What is one method to carry out query throttling during vulnerability scanning?

A. Increasing the number of attack threads

B. Sending additional attacks to the target

C. Reducing the scope of the plugins/attacks

D. Scanning multiple targets at the same time

46 / 102

What is the main purpose of using the -T0 (Paranoid) timing template with Nmap scanner?

A. To use less bandwidth during scanning

B. To evade IDS (Intrusion Detection Systems)

C. To overwhelm the targets with fast scans

D. To miss open ports intentionally

47 / 102

What is the primary method used by vulnerability scanners to determine if a service is susceptible?

A. The scanner sends fake virus to the service.

B. The scanner identifies the version of software running on the service.

C. The scanner tries to hack into the service.

D. The scanner checks if the server is operating under Linux.

48 / 102

What is the main advantage of using a wireless connection for packet inspection and eavesdropping during penetration testing?

A. It allows you to bypass firewalls

B. It eliminates the need to be physically inside the target building

C. It provides faster data collection

D. It guarantees success of the operation

49 / 102

What is the purpose of the Common Attack Pattern Enumeration and Classification (CAPEC)?

A. Creating a dictionary of potential malware threats

B. Cataloging attack patterns observed in the wild

C. Recommending cybersecurity standards

D. Compare and contrast different types of threats

50 / 102

What is the purpose of web page enumeration or web application enumeration during a penetration test?

A. To identify the web server running on a target host

B. To map out the attack surface of a web application

C. To authenticate to a web application that requires a username and password

D. To scan for vulnerabilities in the network infrastructure

51 / 102

What is the purpose of advanced operators used in Google hacking?

A. Direct Google to search only within specific parts of a document or URL.

B. Allow Google to perform more general searches.

C. Create more complex search queries that include boolean operators.

D. Enable the user to search within encrypted data/contents.

52 / 102

What is the purpose of running a port scan in a penetration test?

A. To check the internet speed of the target network

B. To confirm the location of the target network

C. To test the firewall strength of the target network

D. To enumerate the services running on the exposed hosts of the target network

53 / 102

What are the benefits of running an authenticated scan for penetration testing?

A. It does not require any special credentials

B. It provides a full picture of the attack surface

C. It can be run remotely without any access to the system

D. It avoids running commands which require root-level access

54 / 102

In the context of Penetration Testing, how can the SMB_COM_NEGOTIATE message be utilized?

A. It can be used to determine the protocols, flags, and options preferred by the server

B. It is used only for the actual network transmission of data

C. It can reveal the physical location of the server

D. It is used to decrypt the server’s encrypted communications

55 / 102

What factor typically determines the type of vulnerability scan to utilize?

A. The sophistication of the target system

B. The location of the target system

C. The scan policy set in the scanning tool

D. The vulnerability scanning frequency

56 / 102

Why is it important to determine what protocols are in use before running a vulnerability scan?

A. To know what speed the network operates at

B. To determine what operating system the target device uses

C. To decide which type of vulnerability scan to run

D. To know how many devices are on the network

57 / 102

Which of the following statements best describes TCP connect scan (-sT) in Nmap?

A. It is a lightweight scanning method that uses minimum network traffic.

B. It establishes a full TCP connection with the target and is the default scan type.

C. It does not rely on writing raw packets.

D. It can be used to bypass firewall filtering.

58 / 102

What is the primary purpose of discovery scan in penetration testing?

A. Identify the operating system of the target

B. Identify the attack surface of the target

C. Perform a vulnerability scan on the target

D. Identify the IP address of the target

59 / 102

Which advanced search operator directs Google to search only within the text of a particular type of file?

A. Filetype

B. Inurl

C. Link

D. Intitle

60 / 102

How do attackers gather information from social media for social engineering attacks?

A. By posting too much about their own information

B. By creating job posts and interviewing victims

C. By hacking into the social media accounts of their targets

D. By coercing information directly from the users

61 / 102

What is the use of ’modules load’ command in Recon-ng tool?

A. To find subdomains

B. To display module options

C. To install a module

D. To load the required module for use

62 / 102

What kind of Nmap scan is used to determine if a host is online and responding on a network?

A. Version Detection Scan

B. Port Scan

C. Host Discovery Scan

D. OS Detection Scan

63 / 102

Which department does the U.S. Computer Emergency Readiness Team (US-CERT) operate under?

A. The National Cybersecurity and Communications Integration Center (NCCIC)

B. The Department of Homeland Security

C. The Software Engineering Institute of Carnegie Mellon University

D. The National Institute of Standards and Technology (NIST)

64 / 102

What is the primary purpose of a discovery scan in a penetration testing process?

A. To identify cryptographic algorithms supported by a target device

B. To identify the attack surface of a target

C. To perform a vulnerability scan on a target device

D. To test the firewall and IPS of a target

65 / 102

Why might it be necessary to adjust scanner settings while performing a vulnerability scan?

A. To accomodate lower-bandwidth situations

B. To ensure faster scanning

C. To increase the accuracy of detection

D. To avoid compatibility issues with the target system

66 / 102

Which organization operates an internet repository known as the ’Wayback Machine’?

A. Cisco

B. Internet Archive

C. Microsoft

D. Google

67 / 102

What is the Nmap script smb-enum-shares.nse primarily used for?

A. Scanning for open ports on a network

B. Enumerating SMB shares on a network

C. Identifying the version of Samba installed on a network

D. Identifying the network’s IP address

68 / 102

Why is an authenticated scan often preferable when you need to gather in-depth information about a system’s vulnerabilities?

A. Because it allows you to operate at a deeper level, accessing data that unprivileged users cannot

B. Because it makes the scan faster

C. Because it bypasses security measures such as firewalls and intrusion detection systems

D. Because it enables you to remotely control the system

69 / 102

Why is a TCP connect scan (-sT) by Nmap not typically used unless a SYN scan is not an option?

A. It is slower than other scan types.

B. It creates too much traffic and could trigger alarms.

C. It requires the user to have raw packet privileges.

D. It only scans the 1000 most common ports.

70 / 102

What is the primary purpose of using the -T1 (Sneaky) timing template with the Nmap scanner?

A. To speed up the scanning process

B. To consume less bandwidth during a scan

C. To perform an IDS evasion scan

D. To overwhelm the target system

71 / 102

What is the main goal of US-CERT?

A. To protect the Internet infrastructure of the United States

B. To increase the efficiency of vulnerability data sharing

C. To regulate cyber activities in the United States

D. To prosecute cyber criminals

72 / 102

In the context of penetration testing, what additional information does an authenticated scan with root-level access provide compared to a scan by a non-privileged user when using the netstat command?

A. It shows additional active Internet connections.

B. It displays the process ID and name associated with each port.

C. It reveals new vulnerabilities within the system.

D. It enables the discovery of hidden network devices.

73 / 102

What does the lack of a response from TCP FIN scan (-sF) indicate about the target port?

A. The port is closed

B. The port is open

C. The port is blocked

D. The scan was unsuccessful

74 / 102

Why is it essential to customize your plugin selection when conducting a full scan using a vulnerability scanner?

A. To reduce the scan’s depth and quality

B. To increase traffic and slow down the scanning process

C. To reflect the environment that you are scanning, reducing unnecessary traffic and speeding up the scan

D. To ensure that all plugins are utilized during the scan

75 / 102

How can public source code repositories be beneficial for an attacker or a penetration tester?

A. They offer cheap software packages.

B. They give the recognition as reliable contributors.

C. They can provide insights into the architecture and underlying code used in an organization’s applications and infrastructure.

D. They allow users to store a large number of files for future use.

76 / 102

What is the main difference between active and passive reconnaissance techniques in a cyber attack?

A. Active reconnaissance sends probes to the target networks while passive reconnaissance does not.

B. Passive reconnaissance always leads to crashing the target system.

C. Active reconnaissance cannot be detected by the target system.

D. Passive reconnaissance does not involve gathering information about the target system.

77 / 102

Which of the following accurately describes a feature of vulnerability scanners in relation to compliance scans?

A. They can only examine compliance requirements for the healthcare industry

B. They always interpret all compliance requirements in the same way

C. They can import a compliance policy file and run specific compliance checks against a target system

D. They cannot handle complex compliance requirements and need manual review for accurate results

78 / 102

What does the ’nmap -sC’ command do in an information gathering and vulnerability scanning context?

A. It scans for open ports on the target system

B. It runs the most common NSE scripts based on the ports found to be open on the target

C. It determines whether a system is running Linux or Samba

D. It enumerates Samba shares, including user accounts, shares, and other configurations

79 / 102

What function in Scapy can be used to navigate the Scapy layers and protocols?

A. navigate()

B. travel()

C. move()

D. explore()

80 / 102

Which of the following best describes the use of h8mail?

A. It is a tool for generating complex passwords

B. It is a tool for finding leaked email addresses and passwords

C. It is a tool for discovering the vulnerability of a website

D. It is a tool for SQL injection attacks

81 / 102

What is the purpose of Scapy’s ls() function?

A. Send ICMP packets

B. Launch the Scapy interactive shell

C. List all available formats and protocols supported by Scapy

D. Capture the ICMP packet

82 / 102

What is the purpose of an active scan like a port scan during the enumeration stage of a penetration test?

A. To check the internet speed of the target network

B. To identify any unexpected services that are exposed to the internet

C. To identify the physical location of the target network

D. To intercept any data being transmitted over the target network

83 / 102

What is Google hacking and how can hackers use it?

A. It is an illegal manipulation of Google’s algorithm for website optimization

B. It is a search technique using advanced operators to reveal sensitive information

C. It is a hacking method that steals users’ Google account credentials

D. It is a process of attacking the Google servers and stealing user data

84 / 102

What function can you use in Scapy to list all available formats and protocols?

A. lp()

B. ap()

C. ls()

D. as()

85 / 102

What is the main purpose of the host enumeration during the process of the penetration testing?

A. To find out which hosts are available in the network

B. To identify the most vulnerable ship in the fleet

C. To conduct a complete vulnerability scan on all the available hosts

D. To fix vulnerabilities found on the network

86 / 102

What is Open-Source Intelligence (OSINT) Gathering as used in the context of Penetration Testing?

A. It is a method of obtaining privileged intelligence about a target via covert and illicit methods.

B. It involves gathering publicly available resources to collect and analyze information about a target.

C. It is a closed-source method of gathering highly classified intelligence.

D. It involves performing a deep dive into the target’s internal databases and systems.

87 / 102

What is the primary function of the SMB_COM_SESSION_SETUP_ANDX message in a Windows network?

A. It allows the client to tell the server what protocols, flags, and options it would like to use.

B. It is the beginning of the authentication process.

C. It determines if the server allows plaintext passwords.

D. It is used to enumerate the users who are configured on the Windows target.

88 / 102

What is the purpose of enumeration techniques in the information-gathering phase of a penetration test?

A. To identify software versions

B. To bypass security systems

C. To gather network services and user details, among others

D. To hack into the system

89 / 102

Which of the following information can be obtained from file metadata?

A. The creator of the file

B. The encoding process of the file

C. The camera model used to take a picture

D. All of the above

90 / 102

What is the role of the CERT Division of Carnegie Mellon University in cybersecurity?

A. They exclusively focus on training organizations to improve cybersecurity practices.

B. Their main goal is to coordinate vulnerability disclosures across the industry.

C. They only research security vulnerabilities.

D. They research security vulnerabilities, help coordinate vulnerability disclosures, and deliver training to organizations.

91 / 102

What should be in your attention when conducting a vulnerability scan based on the given text?

A. The architecture of the system

B. The quality of your scanning tools

C. Considerations when building a scanning policy and performing scans

D. The previous performance of your system

92 / 102

Which function in Scapy is used to list all available formats and protocols?

A. explore()

B. packet()

C. ls()

D. icmp()

93 / 102

What can Shodan be used to query for during Information Gathering and Vulnerability scanning?

A. Valid email addresses

B. Credit card details

C. Geo-locations of users

D. Vulnerable hosts and Internet of Things (IoT) devices

94 / 102

What does the letter ’D’ in the table header of Recon-ng’s module list indicate?

A. The module is deprecated

B. The module has dependencies

C. The module includes documentation

D. The module is in development

95 / 102

What does the Scapy function ’ls()’ demonstrate in network enumeration?

A. It launches the Scapy interactive shell

B. It crafts malicious payload ICMP packets

C. It lists all available formats and protocols supported by Scapy

D. It sends a TCP SYN packet to any given port

96 / 102

From the provided examples, what is one way organizations may prefer to protect their public Whois information?

A. They list the individual employee’s contact details

B. They make their registration details private and list the domain registrar organization contacts instead

C. They provide false contact information

D. They do not register their domain at all

97 / 102

What is the purpose of the smb-enum-processes NSE script used in Nmap?

A. It enumerates services on a Linux system

B. It scans the ports on a remote system

C. It enumerates services on a Windows system

D. It provides information about a directly connected network segment

98 / 102

Which of the following correctly describes host enumeration in the context of a penetration test?

A. It only needs to be performed externally

B. It is only done using Nmap or Masscan

C. It involves scanning the full subnet when performed internally

D. It does not need to be part of the scope of the test

99 / 102

What is the purpose of using Nmap’s http-enum NSE script in web application enumeration?

A. To identify the IP address of the web server.

B. To scan the contents of the web server’s database.

C. To brute force the username and password of the web application.

D. To brute force the directory and file paths of web applications.

100 / 102

What tool is used to determine the organization name of the owners of specific IP addresses?

A. netstat

B. nmap

C. whois

D. traceroute

101 / 102

What is the primary limitation of unauthenticated scans with vulnerability scanners?

A. They can only enumerate network services that are exposed to the network.

B. They require a high degree of technical expertise to execute.

C. They can only work if you provide the target’s IP address.

D. They increase the likelihood of false positives.

102 / 102

What is the purpose of the ’-sC’ option when used with the ’nmap’ command?

A. It disables all scripts from running.

B. It runs only the critical NSE scripts.

C. It runs the most common NSE scripts.

D. It automatically updates the nmap script database.

Your score is

Free CompTIA Pentest+ Anki decks are now available!

Click the download button after filling out the form below
to get your free practice exam Anki deck!

3. Info Gathering & Vulnerability Scanning

Press the Start button to begin the practice test.

Free CompTIA Pentest+ Anki decks are now available!

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER