1. What is the primary purpose of network scanning?
A) To launch a cyberattack
B) To identify live hosts and open ports
C) To encrypt network traffic
D) To bypass firewall rules
Answer: B) To identify live hosts and open ports
Explanation: Network scanning is used to discover active hosts, open ports, and services running on a network. This information helps in vulnerability assessment and penetration testing.
2. Which of the following tools is commonly used for network scanning?
A) Metasploit
B) Nmap
C) Burp Suite
D) Wireshark
Answer: B) Nmap
Explanation: Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. It can identify open ports, services, and vulnerabilities.
3. What does a SYN scan in Nmap do?
A) Completes the three-way handshake
B) Sends a SYN packet and waits for a SYN-ACK response
C) Encrypts network traffic
D) Drops all incoming packets
Answer: B) Sends a SYN packet and waits for a SYN-ACK response
Explanation: SYN scans (also called half-open scans) send a SYN packet to a target port. If a SYN-ACK is received, the port is open. This scan is stealthy because it does not complete the TCP handshake.
4. Which Nmap option performs an aggressive scan, including OS detection, service version detection, and script scanning?
A) -sT
B) -A
C) -sS
D) -O
Answer: B) -A
Explanation: The -A flag enables aggressive scanning, which includes OS detection, service version detection, and the use of default Nmap scripts.
5. Which scanning technique is the least detectable by Intrusion Detection Systems (IDS)?
A) TCP Connect Scan
B) UDP Scan
C) Stealth (SYN) Scan
D) ICMP Echo Scan
Answer: C) Stealth (SYN) Scan
Explanation: SYN scans do not complete the full TCP handshake, making them harder to detect compared to full TCP connect scans.
6. What is the purpose of a banner grab during network enumeration?
A) To capture encrypted packets
B) To identify services and versions running on open ports
C) To test firewall rules
D) To execute a brute-force attack
Answer: B) To identify services and versions running on open ports
Explanation: Banner grabbing is a technique used to collect information about a system’s running services and software versions by sending requests to open ports.
7. Which command in Nmap is used for OS detection?
A) -p
B) -A
C) -O
D) -sP
Answer: C) -O
Explanation: The -O option in Nmap enables operating system detection by analyzing TCP/IP stack behavior.
8. Which protocol does a UDP scan in Nmap target?
A) TCP
B) UDP
C) ICMP
D) HTTP
Answer: B) UDP
Explanation: A UDP scan in Nmap is used to detect open UDP ports by sending packets to target ports and analyzing responses or lack thereof.
9. Which tool is best for enumerating shared resources on a Windows network?
A) Metasploit
B) enum4linux
C) Nikto
D) Wireshark
Answer: B) enum4linux
Explanation: enum4linux is a Linux tool used to enumerate information from Windows-based machines, including shared resources, users, and domain details.
10. What is the purpose of the -sV option in Nmap?
A) Detect vulnerabilities
B) Perform OS fingerprinting
C) Detect service versions
D) Capture network packets
Answer: C) Detect service versions
Explanation: The -sV option enables service version detection, allowing Nmap to identify the specific software and version running on open ports.
11. What is the purpose of a NULL scan in Nmap?
A) To scan UDP ports
B) To bypass firewalls
C) To send packets with no flags set
D) To perform brute-force attacks
Answer: C) To send packets with no flags set
Explanation: A NULL scan sends TCP packets with no flags set. If a response is received, the port is considered closed. If no response is received, the port might be open or filtered.
12. Which command in Nmap is used for scanning an entire subnet?
A) nmap -p 22
B) nmap -sV
C) nmap 192.168.1.0/24
D) nmap -sT
Answer: C) nmap 192.168.1.0/24
Explanation: The CIDR notation /24 tells Nmap to scan all 256 IPs in the subnet.
13. What is the purpose of a FIN scan?
A) To detect services
B) To bypass certain firewalls
C) To send a TCP FIN packet and detect open ports
D) To capture network traffic
Answer: C) To send a TCP FIN packet and detect open ports
Explanation: A FIN scan sends a TCP FIN packet to a target port. Closed ports respond with an RST, while open ports do not respond.
14. Which of the following is NOT a network enumeration technique?
A) ARP scanning
B) DNS zone transfer
C) SYN flooding
D) SNMP enumeration
Answer: C) SYN flooding
Explanation: SYN flooding is a denial-of-service (DoS) attack, not a network enumeration technique.
15. What is a primary weakness of UDP scans?
A) They are too fast
B) Many UDP services do not respond to probes
C) They always trigger firewalls
D) They do not detect TCP services
Answer: B) Many UDP services do not respond to probes
Explanation: UDP services do not always respond when open, making UDP scans less reliable than TCP scans.
16. Which tool is commonly used for SNMP enumeration?
A) dirb
B) onesixtyone
C) Nikto
D) Hydra
Answer: B) onesixtyone
Explanation: onesixtyone is a tool designed to enumerate SNMP information from devices using default or known community strings.
17. What is the function of the traceroute command?
A) To list open ports
B) To identify network paths between hosts
C) To exploit vulnerabilities
D) To detect wireless networks
Answer: B) To identify network paths between hosts
Explanation: traceroute maps the path packets take from the source to the destination, revealing intermediate network devices.
18. What does the whois command provide?
A) Subdomain enumeration
B) Information about a domain’s ownership
C) Firewall bypass techniques
D) List of active connections
Answer: B) Information about a domain’s ownership
Explanation: whois queries domain registration databases for details about domain ownership.
19. Which Nmap scan is best for identifying all hosts on a network?
A) -sP
B) -sT
C) -A
D) -sV
Answer: A) -sP
Explanation: -sP (Ping Scan) discovers all live hosts on a network without scanning for open ports.
20. Which command enables scanning specific ports in Nmap?
A) -p 80,443
B) -T4
C) -O
D) -A
Answer: A) -p 80,443
Explanation: The -p flag specifies the exact ports to scan, such as 80 (HTTP) and 443 (HTTPS).
21. Which Nmap option enables scanning with custom scripts?
A) -sC
B) -O
C) -p
D) -A
Answer: A) -sC
Explanation: The -sC option runs default Nmap scripts using the Nmap Scripting Engine (NSE), which helps in vulnerability detection.
22. What does an ARP scan help detect in a local network?
A) Open TCP ports
B) Live hosts
C) Domain name details
D) Wireless networks
Answer: B) Live hosts
Explanation: ARP scans identify active devices on a local network by sending ARP requests and analyzing responses.
23. What is the significance of reverse DNS lookup in network enumeration?
A) It finds open ports
B) It resolves IP addresses to domain names
C) It scans for vulnerabilities
D) It identifies MAC addresses
Answer: B) It resolves IP addresses to domain names
Explanation: Reverse DNS lookup helps identify domain names associated with IP addresses, useful for footprinting a target.
24. Which tool is commonly used for SMB enumeration?
A) Wireshark
B) enum4linux
C) SQLmap
D) Nmap
Answer: B) enum4linux
Explanation: enum4linux is a Linux tool used for enumerating SMB (Server Message Block) information, including shares, users, and domain policies.
25. What is the primary function of SNMP enumeration?
A) Identifying open ports
B) Gathering system information
C) Bypassing firewalls
D) Exploiting SQL databases
Answer: B) Gathering system information
Explanation: SNMP enumeration allows attackers to retrieve valuable system details, such as running processes, network configurations, and hardware details.
26. Which of the following can be used to detect live hosts in a network without sending packets?
A) Wireshark
B) Nmap
C) Snort
D) Metasploit
Answer: A) Wireshark
Explanation: Wireshark can passively analyze network traffic to identify active hosts without actively scanning.
27. What type of scan is typically used to enumerate IPv6 networks?
A) TCP Connect Scan
B) UDP Scan
C) ICMPv6 Scan
D) Xmas Scan
Answer: C) ICMPv6 Scan
Explanation: ICMPv6 scanning helps identify live hosts and services in IPv6 networks.
28. What is a zombie host in a network scan?
A) A system used for reflection in idle scanning
B) A host with an open web server
C) A system that prevents enumeration
D) A compromised firewall
Answer: A) A system used for reflection in idle scanning
Explanation: A zombie host is a machine that is used in an Idle Scan to scan targets indirectly, reducing traceability.
29. What does an Xmas scan in Nmap do?
A) Sends packets with FIN, PSH, and URG flags set
B) Uses brute force to identify open ports
C) Encrypts scanning traffic
D) Sends malformed UDP packets
Answer: A) Sends packets with FIN, PSH, and URG flags set
Explanation: An Xmas scan sends packets with FIN, PSH, and URG flags set to detect open ports based on RFC 793 behavior.
30. What is the main purpose of an Idle Scan in Nmap?
A) To check for network redundancy
B) To perform a stealthy scan using a zombie host
C) To analyze DNS traffic
D) To perform brute-force enumeration
Answer: B) To perform a stealthy scan using a zombie host
Explanation: An Idle Scan allows an attacker to scan a target indirectly through a zombie host, making it difficult to trace the attack.
31. What is the purpose of TCP timestamp enumeration?
A) To identify active web servers
B) To determine system uptime and OS fingerprinting
C) To scan encrypted traffic
D) To analyze wireless networks
Answer: B) To determine system uptime and OS fingerprinting
Explanation: TCP timestamp values help attackers estimate a system’s uptime and fingerprint the operating system.
32. Which command in Nmap enables scanning for vulnerabilities using scripts?
A) nmap --script vuln
B) nmap -sU
C) nmap -A
D) nmap -p
Answer: A) nmap --script vuln
Explanation: The --script vuln option runs vulnerability detection scripts to identify weaknesses in a system.
33. What does the -Pn option in Nmap do?
A) Disables host discovery (assumes all hosts are up)
B) Performs a stealth scan
C) Encrypts scan results
D) Detects DNS vulnerabilities
Answer: A) Disables host discovery (assumes all hosts are up)
Explanation: The -Pn option tells Nmap to skip host discovery and scan all targets, useful when ICMP is blocked.
34. Which tool is best suited for enumerating DNS information?
A) dig
B) netstat
C) tcpdump
D) hashcat
Answer: A) dig
Explanation: The dig command is used for querying DNS records and obtaining domain information.
35. What is a primary defense against network enumeration?
A) Using weak passwords
B) Blocking unused ports and disabling unnecessary services
C) Disabling antivirus software
D) Keeping services outdated
Answer: B) Blocking unused ports and disabling unnecessary services
Explanation: Disabling unused services and blocking unused ports reduces the attack surface for enumeration.
36. What is the primary use of a NULL session in Windows enumeration?
A) To gain unauthenticated access to remote shares
B) To capture wireless packets
C) To decrypt SSL traffic
D) To spoof MAC addresses
Answer: A) To gain unauthenticated access to remote shares
Explanation: A NULL session allows unauthenticated users to retrieve information from a Windows system, making it a common enumeration technique.
37. What is the rpcinfo command used for?
A) Checking open ports
B) Enumerating RPC services
C) Running penetration testing scripts
D) Scanning database vulnerabilities
Answer: B) Enumerating RPC services
Explanation: The rpcinfo command queries remote RPC services, helping attackers identify running services.
38. Which technique is used to gather usernames from an Active Directory environment?
A) SQL Injection
B) LDAP Enumeration
C) SYN Flooding
D) Port Mirroring
Answer: B) LDAP Enumeration
Explanation: LDAP enumeration allows attackers to extract usernames, groups, and policies from an Active Directory setup.
39. What is the main risk associated with network enumeration?
A) It causes data loss
B) It can be used to map vulnerabilities before an attack
C) It slows down network speed
D) It encrypts communication
Answer: B) It can be used to map vulnerabilities before an attack
Explanation: Attackers use enumeration to gather intelligence before launching exploitation attempts.
40. What is the purpose of the host command in Linux?
A) To perform DNS lookups
B) To scan open ports
C) To intercept packets
D) To modify firewall rules
Answer: A) To perform DNS lookups
Explanation: The host command queries DNS records to resolve domain names to IPs and vice versa.
41. What does the -D option in Nmap do?
A) Performs a DNS enumeration
B) Enables decoy scanning to hide the attacker’s real IP
C) Disables host discovery
D) Detects running web applications
Answer: B) Enables decoy scanning to hide the attacker’s real IP
Explanation: The -D option in Nmap launches a decoy scan, making it difficult for the target to trace the attacker’s real IP.
42. Which enumeration technique is used to discover live hosts on a network without sending packets?
A) Passive DNS enumeration
B) SYN scan
C) UDP scan
D) Banner grabbing
Answer: A) Passive DNS enumeration
Explanation: Passive DNS enumeration uses external sources, such as DNS logs and WHOIS databases, to identify host details without directly scanning the target.
43. What does the -f option in Nmap do?
A) Enables fast scanning
B) Fragments packets to evade IDS detection
C) Scans firewall configurations
D) Captures network traffic
Answer: B) Fragments packets to evade IDS detection
Explanation: The -f option in Nmap splits packets into smaller fragments, making it harder for intrusion detection systems (IDS) to detect the scan.
44. What is the main purpose of the hping3 tool?
A) To analyze encrypted traffic
B) To send custom TCP/IP packets for scanning
C) To decrypt SSL communication
D) To brute-force passwords
Answer: B) To send custom TCP/IP packets for scanning
Explanation: hping3 is a command-line tool used for crafting custom TCP, UDP, and ICMP packets, making it useful for network scanning and enumeration.
45. In an Nmap scan, what does “filtered” mean in the results?
A) The port is open
B) The port is closed
C) The port is protected by a firewall
D) The port is responding with an error
Answer: C) The port is protected by a firewall
Explanation: Filtered means the scan could not determine if the port is open or closed because a firewall is blocking the request.
46. What is a common countermeasure against SNMP enumeration?
A) Changing default community strings
B) Using HTTP headers
C) Blocking TCP port 443
D) Running DNSSEC
Answer: A) Changing default community strings
Explanation: SNMP enumeration exploits default or weak SNMP community strings. Changing them to strong, unique values helps prevent enumeration.
47. What does -sO in Nmap scan for?
A) Open services
B) OS fingerprinting
C) Open protocols
D) Encrypted traffic
Answer: C) Open protocols
Explanation: The -sO scan checks which protocols (ICMP, TCP, UDP, etc.) are supported on the target system.
48. Which tool can enumerate users and shared resources on a Samba server?
A) dirbuster
B) nikto
C) smbclient
D) hydra
Answer: C) smbclient
Explanation: smbclient is a Linux utility used to list SMB shares and interact with Samba servers, making it useful for enumeration.
49. What is the primary use of nbtstat in network enumeration?
A) To scan for open ports
B) To list NetBIOS name table and active connections
C) To analyze SQL databases
D) To exploit buffer overflow vulnerabilities
Answer: B) To list NetBIOS name table and active connections
Explanation: nbtstat is used to enumerate NetBIOS names and sessions on Windows networks.
50. What is the key benefit of a FIN scan?
A) It scans UDP ports efficiently
B) It is useful for bypassing some firewalls
C) It can detect encrypted services
D) It reveals internal DNS records
Answer: B) It is useful for bypassing some firewalls
Explanation: FIN scans can sometimes bypass basic firewalls that block SYN packets but allow FIN packets.
51. Which tool can be used to enumerate subdomains of a target domain?
A) Nikto
B) sqlmap
C) sublist3r
D) aircrack-ng
Answer: C) sublist3r
Explanation: sublist3r is a tool designed to enumerate subdomains using search engines and other data sources.
52. Which command in Linux can be used for passive network enumeration?
A) netstat
B) hping3
C) nmap -sS
D) curl
Answer: A) netstat
Explanation: netstat provides network connection details, making it useful for passive enumeration.
53. What is a DNS zone transfer?
A) A technique to map a domain’s entire DNS records
B) A method to encrypt DNS requests
C) A way to bypass network firewalls
D) A process for updating IP addresses
Answer: A) A technique to map a domain’s entire DNS records
Explanation: A DNS zone transfer occurs when a DNS server shares all records with another system, which attackers exploit to gather intelligence.
54. What type of attack is prevented by disabling recursive DNS queries on a DNS server?
A) DNS spoofing
B) SQL injection
C) TCP SYN flood
D) Cross-site scripting
Answer: A) DNS spoofing
Explanation: Recursive DNS queries allow DNS servers to query other servers. Attackers can exploit this to poison caches or spoof responses.
55. What is the default port for SNMP enumeration?
A) 161
B) 443
C) 22
D) 53
Answer: A) 161
Explanation: SNMP (Simple Network Management Protocol) commonly runs on UDP port 161 for queries and 162 for traps.
56. What does the -T4 option in Nmap do?
A) Slows down the scan
B) Increases scan speed
C) Encrypts scan traffic
D) Detects web vulnerabilities
Answer: B) Increases scan speed
Explanation: The -T4 option sets Nmap to aggressive timing, making it scan faster.
57. What is an advantage of a TCP connect scan (-sT) over a SYN scan (-sS)?
A) It is faster
B) It does not require root privileges
C) It avoids detection by IDS
D) It scans UDP ports
Answer: B) It does not require root privileges
Explanation: Unlike SYN scans, TCP connect scans do not require root privileges since they use the full TCP handshake.
58. What type of enumeration attack exploits Windows null sessions?
A) SMB enumeration
B) ARP spoofing
C) DNS hijacking
D) SSL stripping
Answer: A) SMB enumeration
Explanation: Windows NULL sessions allow unauthenticated SMB queries, which attackers use to enumerate users and shares.
59. What does -sN in Nmap do?
A) Performs a NULL scan
B) Scans network devices
C) Detects web applications
D) Encrypts scanning traffic
Answer: A) Performs a NULL scan
Explanation: A NULL scan sends TCP packets with no flags, detecting open ports based on RFC behavior.
60. Which of the following is an active enumeration technique?
A) Packet sniffing
B) WHOIS lookup
C) Nmap scanning
D) Passive DNS resolution
Answer: C) Nmap scanning
Explanation: Active enumeration involves direct interaction with the target, such as Nmap scanning, unlike passive techniques.
61. Which of the following is an advantage of passive network enumeration over active enumeration?
A) It is faster
B) It does not alert IDS/IPS systems
C) It provides real-time scanning results
D) It always detects all live hosts
Answer: B) It does not alert IDS/IPS systems
Explanation: Passive enumeration relies on monitoring existing network traffic without actively probing the target, making it stealthier.
62. What is a major limitation of a UDP scan in Nmap?
A) It cannot detect open ports
B) It requires root privileges
C) Many services do not respond to probes
D) It is faster than TCP scanning
Answer: C) Many services do not respond to probes
Explanation: UDP services often do not send responses even when ports are open, making results unreliable.
63. What does an Nmap TCP Connect Scan (-sT) do when a port is open?
A) Sends a SYN packet only
B) Completes the full TCP three-way handshake
C) Sends a FIN packet
D) Ignores open ports
Answer: B) Completes the full TCP three-way handshake
Explanation: TCP Connect Scan completes the SYN, SYN-ACK, ACK handshake, making it more detectable than a SYN scan.
64. Which of the following is a countermeasure against ARP spoofing?
A) Enabling recursive DNS queries
B) Using static ARP entries
C) Disabling ICMP packets
D) Using UDP scanning
Answer: B) Using static ARP entries
Explanation: Static ARP entries prevent unauthorized devices from modifying MAC address mappings.
65. What is the purpose of the -iL option in Nmap?
A) Saves scan results to a file
B) Reads target IPs from a file
C) Scans an IP range
D) Ignores live hosts
Answer: B) Reads target IPs from a file
Explanation: The -iL option allows Nmap to load multiple target IPs from a file for scanning.
66. What is the main function of a TCP ACK scan?
A) To check firewall rules
B) To detect OS versions
C) To perform a stealth scan
D) To detect vulnerabilities
Answer: A) To check firewall rules
Explanation: A TCP ACK scan (-sA) helps determine whether a firewall is filtering packets.
67. Which tool is commonly used for network traffic analysis?
A) Netcat
B) Wireshark
C) Nikto
D) Burp Suite
Answer: B) Wireshark
Explanation: Wireshark captures and analyzes network packets, making it useful for passive enumeration.
68. What is the default port for DNS zone transfers?
A) 25
B) 53
C) 110
D) 443
Answer: B) 53
Explanation: DNS zone transfers typically occur over TCP port 53, unlike normal DNS queries that use UDP.
69. What does the -sU option in Nmap do?
A) Performs a UDP scan
B) Scans only encrypted traffic
C) Detects vulnerabilities
D) Runs NSE scripts
Answer: A) Performs a UDP scan
Explanation: The -sU option in Nmap scans UDP ports to identify open services.
70. Which enumeration method collects usernames and shares from a Windows domain?
A) DNS lookup
B) SMB enumeration
C) SYN scanning
D) Ping sweep
Answer: B) SMB enumeration
Explanation: SMB enumeration retrieves information like shared resources and usernames on Windows networks.
71. What is the primary function of the fierce tool in network enumeration?
A) DNS subdomain enumeration
B) Password cracking
C) TCP port scanning
D) Wireless network hacking
Answer: A) DNS subdomain enumeration
Explanation: fierce is a DNS enumeration tool used to discover subdomains and hosts.
72. What type of enumeration attack exploits weak SNMP configurations?
A) ICMP flooding
B) SNMP brute-force attacks
C) TCP Connect Scanning
D) SQL Injection
Answer: B) SNMP brute-force attacks
Explanation: Weak SNMP community strings allow attackers to brute-force access and retrieve system information.
73. What does the -sW option in Nmap do?
A) Performs a TCP Window scan
B) Detects web vulnerabilities
C) Captures DNS traffic
D) Launches a brute-force attack
Answer: A) Performs a TCP Window scan
Explanation: A TCP Window scan (-sW) identifies open ports by analyzing window size values in TCP responses.
74. What is a countermeasure against DNS zone transfer attacks?
A) Restricting zone transfers to authorized servers
B) Disabling UDP scanning
C) Enabling ICMP ping sweeps
D) Using HTTP-only security policies
Answer: A) Restricting zone transfers to authorized servers
Explanation: Configuring DNS servers to allow zone transfers only to trusted hosts prevents data leaks.
75. What does the -oN option in Nmap do?
A) Saves results in normal format
B) Runs an OS fingerprinting scan
C) Scans all network devices
D) Performs a full UDP scan
Answer: A) Saves results in normal format
Explanation: The -oN option saves Nmap scan results in a normal (human-readable) format.
76. What is an effective way to enumerate public cloud assets?
A) Brute-force scanning
B) Using cloud reconnaissance tools
C) SQL injection
D) ICMP flooding
Answer: B) Using cloud reconnaissance tools
Explanation: Tools like CloudBrute and AWSRecon can enumerate public cloud services.
77. Which tool is used for NetBIOS name enumeration?
A) Netcat
B) nbtstat
C) Nikto
D) aircrack-ng
Answer: B) nbtstat
Explanation: The nbtstat command lists NetBIOS names and shares on Windows networks.
78. What is the primary function of dnsrecon?
A) Web vulnerability scanning
B) DNS enumeration
C) Wireless penetration testing
D) Database enumeration
Answer: B) DNS enumeration
Explanation: dnsrecon is a DNS enumeration tool that helps discover subdomains and records.
79. What type of scan does -sI perform in Nmap?
A) Idle Scan
B) TCP Connect Scan
C) NULL Scan
D) UDP Scan
Answer: A) Idle Scan
Explanation: The -sI option in Nmap performs an Idle Scan, which uses a zombie host for stealthy scanning.
80. What is an effective countermeasure against network enumeration?
A) Using a strong firewall and disabling unused services
B) Allowing unrestricted access to all ports
C) Enabling anonymous FTP access
D) Keeping default credentials
Answer: A) Using a strong firewall and disabling unused services
Explanation: Firewalls, disabling unnecessary services, and restricting access reduce the attack surface for enumeration.
81. What is the main purpose of a NULL scan in Nmap?
A) It checks for weak SSL configurations
B) It sends packets without any TCP flags to detect open ports
C) It performs brute-force authentication
D) It captures wireless traffic
Answer: B) It sends packets without any TCP flags to detect open ports
Explanation: A NULL scan (-sN) sends TCP packets with no flags set. If a port does not respond, it is likely open, while a RST response means the port is closed.
82. What is the function of -p- in an Nmap scan?
A) Scans all 65535 ports
B) Performs a fast scan
C) Encrypts scan results
D) Scans only well-known ports
Answer: A) Scans all 65535 ports
Explanation: The -p- flag tells Nmap to scan all ports (1-65535) instead of the default 1-1000.
83. What does the -sL option in Nmap do?
A) Lists targets without scanning them
B) Performs a fast scan
C) Captures live traffic
D) Detects running web applications
Answer: A) Lists targets without scanning them
Explanation: The -sL option in Nmap only lists the target IPs/DNS names without sending any packets.
84. What is the role of rpcbind in network enumeration?
A) It maps remote procedure call (RPC) services
B) It identifies DNS vulnerabilities
C) It performs TCP fingerprinting
D) It scans for SQL injection flaws
Answer: A) It maps remote procedure call (RPC) services
Explanation: rpcbind is a service that helps enumerate RPC-based services, which can be targeted in enumeration attacks.
85. What is a primary use of the -sX option in Nmap?
A) Conducts an Xmas Tree Scan
B) Identifies web vulnerabilities
C) Performs OS fingerprinting
D) Exploits SQL databases
Answer: A) Conducts an Xmas Tree Scan
Explanation: An Xmas scan (-sX) sends packets with FIN, PSH, and URG flags set, which can detect open ports on systems that follow RFC 793.
86. What is the purpose of ldapsearch in enumeration?
A) To query LDAP directory services
B) To exploit HTTP misconfigurations
C) To scan DNS servers
D) To analyze SQL databases
Answer: A) To query LDAP directory services
Explanation: ldapsearch is a tool used to enumerate Active Directory LDAP servers, retrieving user and group details.
87. What does the -Pn option in Nmap do?
A) Skips host discovery and assumes all hosts are up
B) Scans for vulnerabilities
C) Identifies only TCP services
D) Captures network packets
Answer: A) Skips host discovery and assumes all hosts are up
Explanation: The -Pn option in Nmap disables ICMP ping checks and scans all provided IPs directly.
88. What is a major advantage of using an Idle Scan (-sI) in Nmap?
A) It scans faster than SYN scans
B) It avoids detection by firewalls and IDS
C) It scans all UDP ports
D) It performs a full TCP handshake
Answer: B) It avoids detection by firewalls and IDS
Explanation: An Idle Scan (-sI) uses a zombie host to perform scans, making it highly stealthy.
89. What is the primary function of the hping3 command?
A) To craft and send custom TCP/IP packets
B) To exploit web vulnerabilities
C) To analyze encrypted traffic
D) To perform SQL injection
Answer: A) To craft and send custom TCP/IP packets
Explanation: hping3 allows security professionals to send custom-crafted network packets, useful for testing firewalls and network enumeration.
90. What does -sU in Nmap do?
A) Scans for UDP services
B) Conducts an idle scan
C) Performs a fast TCP scan
D) Lists active connections
Answer: A) Scans for UDP services
Explanation: The -sU flag tells Nmap to scan for UDP services, which can be harder to detect than TCP services.
91. What is a countermeasure against NetBIOS enumeration?
A) Disabling NetBIOS over TCP/IP
B) Using recursive DNS queries
C) Enabling unrestricted SMB shares
D) Allowing guest access
Answer: A) Disabling NetBIOS over TCP/IP
Explanation: Disabling NetBIOS over TCP/IP prevents attackers from enumerating SMB shares and usernames.
92. Which tool is best for discovering exposed services on public cloud platforms?
A) CloudBrute
B) sqlmap
C) dirbuster
D) aircrack-ng
Answer: A) CloudBrute
Explanation: CloudBrute is a tool for enumerating exposed cloud services, such as AWS, Azure, and GCP.
93. What is a primary function of nmap --script dns-brute?
A) Brute-forces DNS subdomains
B) Scans for open TCP ports
C) Detects SNMP services
D) Intercepts DNS requests
Answer: A) Brute-forces DNS subdomains
Explanation: The dns-brute script in Nmap attempts to enumerate subdomains by brute-forcing DNS records.
94. What is a practical countermeasure against SNMP enumeration?
A) Disabling SNMP if not required
B) Using HTTP-only security policies
C) Allowing unrestricted access to UDP port 161
D) Using outdated firmware
Answer: A) Disabling SNMP if not required
Explanation: Disabling SNMP when not needed prevents attackers from retrieving sensitive system data.
95. Which type of scan is most likely to go undetected by IDS systems?
A) SYN scan
B) Passive scan
C) TCP Connect scan
D) UDP scan
Answer: B) Passive scan
Explanation: Passive enumeration monitors existing network traffic without actively scanning, making it stealthy.
96. What does the -sP option in Nmap do?
A) Performs a ping scan to detect live hosts
B) Encrypts network traffic
C) Conducts OS fingerprinting
D) Bypasses firewalls
Answer: A) Performs a ping scan to detect live hosts
Explanation: The -sP flag tells Nmap to send ICMP echo requests to identify active hosts.
97. What is the primary function of smbclient -L?
A) Lists SMB shared resources on a target system
B) Performs SQL enumeration
C) Scans for UDP services
D) Enumerates DNS records
Answer: A) Lists SMB shared resources on a target system
Explanation: smbclient -L <target> lists shared folders and resources available on an SMB server.
98. Which tool is best suited for LDAP enumeration?
A) ldapsearch
B) sqlmap
C) Nmap
D) Hydra
Answer: A) ldapsearch
Explanation: ldapsearch is a tool used to query and enumerate LDAP directories, often found in Active Directory environments.
99. What is a primary use of the theHarvester tool?
A) Open-source intelligence (OSINT) gathering
B) Port scanning
C) Vulnerability scanning
D) Wireless network hacking
Answer: A) Open-source intelligence (OSINT) gathering
Explanation: theHarvester collects emails, subdomains, and public records related to a target.
100. What is a countermeasure against DNS brute-force enumeration?
A) Implementing rate-limiting for DNS queries
B) Allowing unrestricted DNS zone transfers
C) Using weak DNSSEC configurations
D) Disabling firewalls
Answer: A) Implementing rate-limiting for DNS queries
Explanation: Rate-limiting prevents attackers from brute-forcing subdomains and DNS records.
101. What does the -oX option in Nmap do?
A) Saves results in XML format
B) Performs an Xmas scan
C) Detects open UDP ports
D) Encrypts scan results
Answer: A) Saves results in XML format
Explanation: The -oX option in Nmap saves the scan output in XML format, making it easier to process with other tools.
102. What is the primary purpose of a SYN-ACK scan?
A) It detects vulnerabilities
B) It maps DNS records
C) It identifies web application firewalls
D) It checks for hosts that respond to SYN-ACK packets
Answer: D) It checks for hosts that respond to SYN-ACK packets
Explanation: A "SYN-ACK scan" is a host-discovery technique rather than a distinct Nmap scan type (Nmap's closest equivalents are the -PS and -PA discovery probes; packet crafters such as hping3 can send SYN/ACK directly). A host that receives a SYN/ACK for a connection it never opened answers with a RST whether the port is open or closed, so any RST proves the host is alive even when ICMP echo is filtered. A stateful firewall that drops unsolicited SYN/ACK packets defeats it.
103. What is an effective countermeasure against LDAP enumeration?
A) Restricting anonymous queries
B) Using weak passwords
C) Allowing unrestricted DNS zone transfers
D) Disabling all network logs
Answer: A) Restricting anonymous queries
Explanation: Limiting anonymous LDAP queries prevents attackers from gathering user and group information.
104. What is a benefit of using Masscan over Nmap?
A) It scans at a much faster rate
B) It performs vulnerability scanning
C) It detects web application misconfigurations
D) It supports encrypted scanning
Answer: A) It scans at a much faster rate
Explanation: Masscan uses its own asynchronous TCP/IP stack and can transmit millions of packets per second, which makes it far faster than Nmap for wide port sweeps. It only reports open ports (and simple banners), so its results are normally fed to Nmap for version detection and NSE scripting.
105. What is the function of the -PS option in Nmap?
A) Sends TCP SYN probes to detect live hosts
B) Performs a slow scan
C) Captures all network traffic
D) Enumerates subdomains
Answer: A) Sends TCP SYN probes to detect live hosts
Explanation: The -PS option is a host-discovery probe, not a port scan: Nmap sends a SYN to the given port(s) (port 80 by default) and treats either a SYN/ACK or a RST as proof that the host is up.
106. What type of enumeration attack targets VoIP systems?
A) SIP enumeration
B) SQL injection
C) ARP spoofing
D) Cross-site scripting
Answer: A) SIP enumeration
Explanation: SIP enumeration helps attackers discover VoIP endpoints, users, and extensions, which can lead to call interception.
107. What does netdiscover primarily do?
A) Identifies live hosts on a local network
B) Enumerates subdomains
C) Exploits SQL injection vulnerabilities
D) Detects insecure HTTP headers
Answer: A) Identifies live hosts on a local network
Explanation: netdiscover is an ARP-based reconnaissance tool that finds active devices on a LAN, either by sending ARP requests or by passively listening for ARP traffic. Because ARP does not cross routers, it only works on the local segment.
108. What is a common technique for bypassing firewalls during network scanning?
A) Using fragmented packets
B) Sending HTTP requests
C) Blocking all outgoing traffic
D) Enabling DNS caching
Answer: A) Using fragmented packets
Explanation: Fragmenting probes (-f in Nmap) splits the TCP header across several small IP fragments, so a packet filter or IDS that inspects fragments individually cannot see the full header. It only works against devices that do not reassemble fragments; modern stateful firewalls and IDS engines reassemble before inspecting, and some hosts drop fragmented probes outright.
109. Which tool can enumerate services and vulnerabilities using pre-built scripts?
A) Nmap NSE
B) Wireshark
C) Sqlmap
D) Netstat
Answer: A) Nmap NSE
Explanation: Nmap Scripting Engine (NSE) runs custom scripts for service detection and vulnerability assessment.
110. What does the -PU option in Nmap do?
A) Sends UDP probes to discover live hosts
B) Conducts an aggressive scan
C) Captures encrypted traffic
D) Enumerates SMB shares
Answer: A) Sends UDP probes to discover live hosts
Explanation: The -PU flag sends a UDP datagram (to port 40125 by default, chosen because it is almost always closed) and treats an ICMP port-unreachable reply as proof that the host is up. It is useful against hosts whose firewalls only filter TCP and ICMP echo.
111. What is the main function of zmap?
A) High-speed internet-wide scanning
B) Web vulnerability assessment
C) Wireless network hacking
D) Brute-force attacks
Answer: A) High-speed internet-wide scanning
Explanation: zmap is a stateless scanner built for scanning a single port across very large address ranges (up to the whole IPv4 space) at line rate. It answers "which hosts have this port open?" and leaves per-host enumeration to tools such as Nmap.
112. What is an advantage of using dnsenum over dig?
A) It automates DNS enumeration
B) It decrypts SSL traffic
C) It scans for TCP vulnerabilities
D) It performs network traffic analysis
Answer: A) It automates DNS enumeration
Explanation: dig issues one query at a time, whereas dnsenum chains the usual steps together: record lookups, zone-transfer attempts against each name server, subdomain brute-forcing from a wordlist, and reverse lookups of discovered netblocks.
113. Which tool is best suited for identifying exposed API endpoints?
A) Amass
B) netcat
C) sqlmap
D) SMBclient
Answer: A) Amass
Explanation: Amass maps an organisation's external attack surface by enumerating subdomains, ASNs and IP ranges from many passive sources and active DNS techniques. Exposed API hosts (for example api.* subdomains) surface as part of that inventory; enumerating the individual paths of an API is a separate step done with web content-discovery tools.
114. What does the -oG option in Nmap do?
A) Saves results in grepable format
B) Runs OS fingerprinting
C) Generates detailed vulnerability reports
D) Scans for default credentials
Answer: A) Saves results in grepable format
Explanation: The -oG option writes one line per host so the results can be filtered with grep, awk or cut. It is convenient for quick one-liners but omits detail that only the XML output (-oX) preserves.
115. What is the purpose of fping?
A) To send ICMP echo requests to multiple hosts
B) To scan HTTP headers
C) To crack passwords
D) To encrypt network traffic
Answer: A) To send ICMP echo requests to multiple hosts
Explanation: fping sends ICMP echo requests to many hosts in parallel (it takes a list of addresses or a range) and reports which ones answer, which makes it a fast first pass for live-host discovery.
116. What does the --script vuln option in Nmap do?
A) Runs vulnerability detection scripts
B) Performs an aggressive scan
C) Captures network traffic
D) Detects SSL certificates
Answer: A) Runs vulnerability detection scripts
Explanation: --script vuln selects every NSE script in the "vuln" category, each of which checks for a specific known vulnerability in a detected service. Several of these scripts are also in the "intrusive" category, so the option is noisy and should only be run with authorisation.
117. What is a countermeasure against SIP enumeration?
A) Enforcing strong authentication for VoIP endpoints
B) Using weak passwords
C) Disabling logging
D) Allowing unrestricted SIP connections
Answer: A) Enforcing strong authentication for VoIP endpoints
Explanation: Strong authentication ensures that unauthorized users cannot enumerate SIP extensions.
118. What does theHarvester primarily collect?
A) Open-source intelligence (OSINT) data
B) Network vulnerabilities
C) Password hashes
D) Wireless encryption keys
Answer: A) Open-source intelligence (OSINT) data
Explanation: theHarvester gathers e-mail addresses, subdomains, hostnames and related domain information from public sources such as search engines and certificate transparency logs.
119. What is the function of -T2 in Nmap?
A) Runs the scan at a polite speed
B) Enables aggressive scanning
C) Encrypts network traffic
D) Runs OS fingerprinting
Answer: A) Runs the scan at a polite speed
Explanation: -T2 selects the "polite" timing template: probes are sent one at a time with a 0.4-second delay between them, which lowers bandwidth use and is less likely to trip rate-based alerts. It does not make the scan invisible; a signature-based IDS still sees every probe.
120. What is a countermeasure against TCP ACK scanning?
A) Configuring firewalls to drop unsolicited ACK packets
B) Allowing unrestricted TCP traffic
C) Disabling encryption
D) Blocking ICMP responses
Answer: A) Configuring firewalls to drop unsolicited ACK packets
Explanation: Firewalls that drop unsolicited TCP ACK packets prevent attackers from mapping firewall rules.
121. What is the primary goal of a TCP Maimon scan (-sM in Nmap)?
A) To bypass firewalls by sending packets with FIN/ACK flags set
B) To perform a full three-way handshake
C) To scan for DNS records
D) To brute-force login credentials
Answer: A) To bypass firewalls by sending packets with FIN/ACK flags set
Explanation: The Maimon scan (-sM) sends probes with the FIN and ACK flags set. RFC-compliant stacks answer with a RST regardless of port state, but many BSD-derived systems drop the probe when the port is open, so no response means open|filtered and a RST means closed. Like the other flag-manipulation scans, it can slip past stateless filters that only block SYN packets.
122. Which tool is commonly used for passive DNS monitoring?
A) PassiveTotal
B) sqlmap
C) Nikto
D) Nmap
Answer: A) PassiveTotal
Explanation: PassiveTotal is used for passive DNS reconnaissance, allowing security analysts to track domain name resolutions.
123. What does -T5 in Nmap do?
A) Increases scan speed to an aggressive level
B) Reduces scan speed to avoid detection
C) Encrypts scan results
D) Runs a UDP scan
Answer: A) Increases scan speed to an aggressive level
Explanation: -T5 selects the "insane" timing template, which uses very short round-trip timeouts, few retries and a 15-minute per-host timeout. It is the fastest template but is easily detected and can miss ports on slow or congested links.
124. What does dnsmap primarily do?
A) Performs DNS subdomain brute-forcing
B) Scans TCP ports
C) Detects SQL vulnerabilities
D) Captures HTTP requests
Answer: A) Performs DNS subdomain brute-forcing
Explanation: dnsmap takes a domain and a wordlist and resolves each candidate subdomain, discovering hosts that are not linked from anywhere public.
125. What is a major countermeasure against nbtstat enumeration?
A) Disabling NetBIOS over TCP/IP
B) Allowing anonymous NetBIOS queries
C) Using weak passwords
D) Running outdated SMB services
Answer: A) Disabling NetBIOS over TCP/IP
Explanation: nbtstat queries the NetBIOS name service (UDP 137). Disabling NetBIOS over TCP/IP on hosts that do not need it, and blocking ports 137 to 139 at network boundaries, removes what the tool enumerates: NetBIOS names, workgroup or domain membership and logged-on users.
126. What does the -p80,443 option in Nmap do?
A) Scans only ports 80 (HTTP) and 443 (HTTPS)
B) Scans all ports
C) Performs OS fingerprinting
D) Enumerates NetBIOS shares
Answer: A) Scans only ports 80 (HTTP) and 443 (HTTPS)
Explanation: The -p option restricts the scan to the listed ports; it accepts single ports, comma-separated lists and ranges. Without -p, Nmap scans its default set of the 1,000 most common ports for each protocol.
127. What is an effective countermeasure against fping scans?
A) Disabling ICMP echo requests
B) Using weak encryption
C) Allowing unrestricted ICMP responses
D) Enabling NetBIOS over TCP/IP
Answer: A) Disabling ICMP echo requests
Explanation: fping relies entirely on ICMP echo, so dropping echo requests at the host or perimeter blinds it. Attackers then fall back to TCP or ARP-based discovery, so this should be one control among several rather than the only one.
128. What does nmap -sR scan for?
A) RPC services
B) UDP vulnerabilities
C) SSL misconfigurations
D) Open relay SMTP servers
Answer: A) RPC services
Explanation: -sR was the RPC grinder, which sends SunRPC NULL calls to open ports to identify RPC programs and versions. In current Nmap it is simply an alias for -sV, because RPC grinding is now part of version detection.
129. What is a primary use of theHarvester?
A) To gather OSINT on a target organization
B) To scan for SQL vulnerabilities
C) To decrypt SSL traffic
D) To brute-force login credentials
Answer: A) To gather OSINT on a target organization
Explanation: theHarvester is an OSINT tool that collects e-mail addresses, subdomains and public records about a target organisation from third-party sources.
130. What does nmap -sO scan for?
A) Open protocols
B) TCP vulnerabilities
C) DNS misconfigurations
D) Active directory users
Answer: A) Open protocols
Explanation: -sO is an IP protocol scan: instead of cycling through ports, Nmap sends raw IP packets with each protocol number in turn. An ICMP protocol-unreachable reply marks the protocol as closed, any other response (or a response from the protocol itself) marks it open, and silence is reported as open|filtered. It reveals which protocols (ICMP, TCP, UDP, GRE, ESP and so on) the host will process.
131. What is the purpose of dnstracer?
A) To track the path of DNS queries
B) To detect web vulnerabilities
C) To scan UDP ports
D) To capture SSH traffic
Answer: A) To track the path of DNS queries
Explanation: dnstracer follows the delegation chain for a name, starting from a root or given server, and shows which name servers it was referred to until it reaches one that answers authoritatively, which is useful for understanding how a name resolves.
132. Which tool is best for passive fingerprinting of operating systems?
A) p0f
B) sqlmap
C) dirb
D) smbclient
Answer: A) p0f
Explanation: p0f sends no packets at all. It watches traffic (chiefly the TCP SYN and SYN/ACK options, window size and TTL) and matches those characteristics against its fingerprint database to guess the operating system, which makes it usable where active probing is not permitted.
133. What is an advantage of a SYN scan over a TCP Connect scan?
A) It is stealthier and less likely to be logged
B) It completes the full three-way handshake
C) It scans only UDP ports
D) It detects web application vulnerabilities
Answer: A) It is stealthier and less likely to be logged
Explanation: A connect scan (-sT) completes the handshake, so the application behind each open port sees a connection and may log it. A SYN scan (-sS) tears the connection down with a RST before the handshake completes, so the application never sees it. Firewalls and IDS sensors that watch packets rather than connections still detect SYN scans easily.
134. What is the primary purpose of enum4linux?
A) To enumerate SMB and NetBIOS information
B) To scan HTTP headers
C) To brute-force login credentials
D) To capture encrypted traffic
Answer: A) To enumerate SMB and NetBIOS information
Explanation: enum4linux wraps the Samba client tools (smbclient, rpcclient, net and nmblookup) to enumerate users, groups, shares, password policy and OS details from Windows and Samba hosts, typically starting from a null session.
135. What does nmap --top-ports 100 do?
A) Scans the top 100 most common ports
B) Scans all 65535 ports
C) Scans only web applications
D) Detects SQL vulnerabilities
Answer: A) Scans the top 100 most common ports
Explanation: --top-ports <n> scans the n ports that the frequency data in Nmap's services file marks as most commonly open, trading completeness for speed during initial reconnaissance.
136. What does nmap -sY scan for?
A) SCTP INIT scanning
B) TCP vulnerabilities
C) SMB enumeration
D) HTTP misconfigurations
Answer: A) SCTP INIT scanning
Explanation: -sY is the SCTP equivalent of a SYN scan: Nmap sends an INIT chunk and classifies an INIT-ACK as open and an ABORT as closed, without completing the four-way SCTP association. SCTP is used mainly in telecom signalling (for example SIGTRAN and Diameter).
137. What is a key countermeasure against brute-force DNS enumeration?
A) Implementing rate-limiting for DNS queries
B) Allowing unrestricted DNS queries
C) Using weak DNSSEC configurations
D) Disabling firewalls
Answer: A) Implementing rate-limiting for DNS queries
Explanation: Rate-limiting DNS queries helps prevent brute-force subdomain enumeration.
138. What does hping3 --scan do?
A) Performs port scanning
B) Captures WiFi packets
C) Analyzes SQL injections
D) Detects XSS vulnerabilities
Answer: A) Performs port scanning
Explanation: hping3 --scan <ports> iterates over the given port list using whatever packet you craft (for example a SYN with -S), so it gives manual control over every flag and field of the probe at the cost of none of Nmap's automation.
139. Which scanning technique sends SYN/ACK packets to determine live hosts?
A) SYN-ACK Scan
B) Xmas Scan
C) UDP Scan
D) NULL Scan
Answer: A) SYN-ACK Scan
Explanation: Sending an unsolicited SYN/ACK elicits a RST from any live host, regardless of whether the port is open, which makes it a host-discovery probe that passes stateless filters blocking only inbound SYNs. A stateful firewall that tracks connections drops such packets, and the technique reveals nothing about port state.
140. What does nmap -sV --version-intensity 9 do?
A) Performs a deeper service version detection
B) Increases scan speed
C) Encrypts scanning results
D) Bypasses firewalls
Answer: A) Performs a deeper service version detection
Explanation: Version-detection probes are rated 1 to 9 by how likely they are to be useful; the default intensity of 7 skips the rarest ones. Intensity 9 sends every probe to every open port, which is slower and noisier but identifies unusual services.
141. What is the primary purpose of an ICMP Timestamp Request scan?
A) To discover live hosts and learn the target's system clock
B) To detect open TCP ports
C) To enumerate NetBIOS shares
D) To exploit DNS misconfigurations
Answer: A) To discover live hosts and learn the target's system clock
Explanation: An ICMP timestamp request (type 13) asks the host for its clock as milliseconds since midnight UTC, and the reply is a host-discovery signal that is often allowed where echo requests are filtered (Nmap's -PP probe). The reply reveals the target's clock and any skew, which helps correlate hosts; system uptime is inferred from TCP timestamp options during OS detection, not from ICMP.
142. What does nmap --packet-trace do?
A) Displays detailed packet information during a scan
B) Encrypts scan results
C) Performs DNS enumeration
D) Captures wireless packets
Answer: A) Displays detailed packet information during a scan
Explanation: --packet-trace prints a summary of every packet Nmap sends and receives, so you can see exactly which probes a firewall is answering, dropping or rewriting.
143. What is Nmap's default maximum round-trip timeout for a probe?
A) 5 seconds
B) 10 seconds
C) 30 seconds
D) 15 seconds
Answer: B) 10 seconds
Explanation: Nmap starts with a 1-second round-trip timeout and adjusts it from observed latency, but never waits longer than the --max-rtt-timeout default of 10 seconds for a probe response before retransmitting or giving up. There is no per-host timeout by default; --host-timeout must be set explicitly.
144. Which scanning technique sends TCP SYN packets but does not complete the handshake?
A) Half-open scan
B) Full-connect scan
C) UDP scan
D) NULL scan
Answer: A) Half-open scan
Explanation: A half-open scan (SYN scan) sends a SYN packet, but does not complete the three-way handshake, making it stealthier.
145. What does -A
enable in an Nmap scan?
A) Aggressive scanning, including OS detection and version scanning
B) Stealth scanning to evade IDS
C) Passive enumeration
D) UDP scanning
Answer: A) Aggressive scanning, including OS detection and version scanning
Explanation: The -A
flag enables aggressive scanning, combining OS detection, service version detection, and script scanning.
146. What is a primary advantage of passive network enumeration?
A) It does not generate network traffic
B) It completes a TCP handshake
C) It actively scans all network ports
D) It encrypts all scan data
Answer: A) It does not generate network traffic
Explanation: Passive enumeration relies on monitoring existing traffic rather than sending probes, making it stealthier.
147. What is the function of nmap -sI?
A) Conducts an Idle scan
B) Performs a SYN flood attack
C) Enumerates LDAP records
D) Exploits web vulnerabilities
Answer: A) Conducts an Idle scan
Explanation: -sI <zombie> performs an idle scan: Nmap spoofs probes from a "zombie" host whose IP ID counter increments predictably and infers the target's port state from how much that counter advances. The target only ever sees the zombie's address, so the scan is effectively blind. It needs a zombie that is otherwise idle and has a global, incremental IP ID, which is rarer on modern systems.
148. What does --max-retries in Nmap do?
A) Sets the number of retries for timed-out probes
B) Increases scan intensity
C) Enables stealth mode
D) Enumerates NetBIOS shares
Answer: A) Sets the number of retries for timed-out probes
Explanation: --max-retries caps how many times Nmap retransmits a probe that got no response before it accepts the result. The default is 10 (the -T4 template limits it to 6 and -T5 to 2); setting it to 0 speeds up scans of reliable networks but risks reporting open ports as filtered when packets are lost.
149. What is an effective countermeasure against SNMP enumeration?
A) Changing default SNMP community strings
B) Allowing unrestricted SNMP access
C) Running outdated SNMP services
D) Disabling all network logs
Answer: A) Changing default SNMP community strings
Explanation: Default SNMP community strings like “public” or “private” are common enumeration targets, so they should be changed to strong, unique values.
150. Which tool can be used to identify misconfigured firewall rules?
A) Firewalk
B) sqlmap
C) John the Ripper
D) Wireshark
Answer: A) Firewalk
Explanation: Firewalk sends packets with a TTL set to expire one hop past the firewall; if a port is permitted the packet passes through and the next hop returns an ICMP time-exceeded, otherwise nothing comes back. The pattern of replies maps which ports and protocols the firewall allows.
151. What does nmap -sT perform?
A) TCP Connect Scan
B) Stealth SYN Scan
C) UDP Scan
D) NULL Scan
Answer: A) TCP Connect Scan
Explanation: -sT uses the operating system's connect() call to complete the full three-way handshake on each port. It needs no raw-socket privileges, which is why it is the default for unprivileged users, but each connection is visible to the application and is more likely to be logged.
152. What is the purpose of whois in network enumeration?
A) To retrieve domain registration details
B) To scan for open ports
C) To detect SQL vulnerabilities
D) To intercept web traffic
Answer: A) To retrieve domain registration details
Explanation: whois queries registry and registrar databases for a domain or IP block and returns registrant, administrative and technical contacts, name servers, dates and, for address ranges, the owning organisation and netblock. Much registrant data is now redacted for privacy, but the name servers and netblock allocations remain useful.
153. What does nmap -sW perform?
A) TCP Window Scan
B) Wireless packet sniffing
C) Web vulnerability scanning
D) UDP service detection
Answer: A) TCP Window Scan
Explanation: -sW sends ACK probes like -sA but also inspects the TCP window field of the RST replies: some systems return a positive window for open ports and zero for closed ones. It works only against those implementations, so results from other systems read as all closed.
154. What is an effective defense against DNS enumeration?
A) Restricting zone transfers to authorized servers
B) Disabling encryption
C) Allowing unrestricted DNS queries
D) Using default DNS configurations
Answer: A) Restricting zone transfers to authorized servers
Explanation: Restricting zone transfers ensures attackers cannot retrieve entire DNS records through enumeration.
155. What does nmap -sn do?
A) Performs a host discovery scan without port scanning
B) Runs an aggressive scan
C) Detects SQL vulnerabilities
D) Exploits SMB services
Answer: A) Performs a host discovery scan without port scanning
Explanation: -sn (formerly -sP) runs only the host-discovery phase and lists the hosts that responded; no ports are probed. It is the quickest way to find live hosts in a range before deciding what to scan in depth.
156. What is a countermeasure against NetBIOS enumeration?
A) Disabling NetBIOS over TCP/IP
B) Using weak passwords
C) Allowing unrestricted NetBIOS queries
D) Running outdated SMB services
Answer: A) Disabling NetBIOS over TCP/IP
Explanation: Disabling NetBIOS over TCP/IP prevents attackers from enumerating shared network resources.
157. What is the function of rpcinfo?
A) Queries RPC services on a remote system
B) Performs web vulnerability scanning
C) Captures HTTP headers
D) Detects weak encryption
Answer: A) Queries RPC services on a remote system
Explanation: rpcinfo asks the portmapper (rpcbind, port 111) on a host which RPC programs are registered, along with their versions and ports. It is how an attacker finds NFS (mountd, nfsd), NIS and similar services without scanning every port.
158. What does nmap -sL do?
A) Lists targets without scanning them
B) Performs a UDP scan
C) Detects web vulnerabilities
D) Enumerates SMB shares
Answer: A) Lists targets without scanning them
Explanation: -sL expands the target specification and prints each address (with its reverse-DNS name) without sending any probes to the targets. It is a safe way to confirm that a CIDR range or exclusion list covers exactly the hosts you intend to scan; note that the reverse lookups themselves do generate DNS traffic.
159. What is a primary purpose of dig axfr?
A) To attempt a DNS zone transfer
B) To capture network packets
C) To exploit HTTP misconfigurations
D) To brute-force login credentials
Answer: A) To attempt a DNS zone transfer
Explanation: dig axfr requests a full zone transfer and must be pointed at one of the domain's authoritative name servers. A server that answers hands over every record in the zone, which is a serious misconfiguration; a correctly configured server refuses the request.
160. What is a common way to bypass firewall detection during scanning?
A) Using decoy IPs (-D in Nmap)
B) Running full-connect scans
C) Disabling logging
D) Encrypting DNS traffic
Answer: A) Using decoy IPs (-D in Nmap)
Explanation: -D makes Nmap send each probe from several spoofed decoy addresses as well as its own, so the target's logs show the scan coming from many sources and attribution is harder. The real address is still among them, a defender who correlates with routing or upstream data can often single it out, and the decoys should be live hosts, otherwise the target can be left with a pile of half-open connections.
161. What is the main purpose of an inverse DNS lookup in network enumeration?
A) To resolve IP addresses to domain names
B) To detect open ports
C) To scan network traffic
D) To exploit SMB vulnerabilities
Answer: A) To resolve IP addresses to domain names
Explanation: An inverse DNS lookup helps resolve IP addresses to domain names, assisting attackers in identifying hostnames associated with a network.
162. What does the -R option in Nmap do?
A) Enables reverse DNS resolution for each IP
B) Performs a recursive scan
C) Encrypts the scan output
D) Detects SQL injection flaws
Answer: A) Enables reverse DNS resolution for each IP
Explanation: By default Nmap only does reverse lookups for hosts that respond; -R forces a reverse DNS lookup for every target, including those that appear down, which can reveal hostnames for addresses that are firewalled. -n is the opposite and disables lookups entirely.
163. What is an effective countermeasure against brute-force LDAP enumeration?
A) Implementing account lockout policies
B) Allowing anonymous LDAP queries
C) Using default passwords
D) Keeping outdated LDAP configurations
Answer: A) Implementing account lockout policies
Explanation: Lockout policies prevent brute-force LDAP enumeration by blocking access after multiple failed login attempts.
164. What does nmap -sN perform?
A) NULL scan
B) TCP Connect scan
C) UDP Scan
D) DNS Enumeration
Answer: A) NULL scan
Explanation: -sN sends TCP packets with no flags set. Per the TCP specification a closed port answers with a RST and an open port stays silent, so Nmap reports open|filtered for silence. Windows and many network devices send a RST regardless of state, so against them every port appears closed and the scan is useless.
165. Which tool is commonly used to enumerate subdomains using OSINT techniques?
A) Subfinder
B) Netcat
C) Sqlmap
D) Hydra
Answer: A) Subfinder
Explanation: Subfinder discovers subdomains purely from passive sources such as certificate transparency logs, search engines and third-party DNS datasets, so it never sends traffic to the target's own name servers.
166. What is a countermeasure against passive DNS reconnaissance?
A) Using DNS privacy services
B) Disabling firewall logging
C) Allowing unrestricted zone transfers
D) Using weak passwords
Answer: A) Using DNS privacy services
Explanation: Encrypted DNS (DNS over TLS or HTTPS) and privacy-respecting resolvers reduce how much of an organisation's query data third parties can observe. They do not remove records that are publicly resolvable, which will still appear in passive DNS datasets, so keeping internal names out of public zones matters more.
167. What does nmap -sT -T2 accomplish?
A) Runs a TCP Connect scan at a polite speed
B) Performs an aggressive scan
C) Captures encrypted traffic
D) Enumerates SMB shares
Answer: A) Runs a TCP Connect scan at a polite speed
Explanation: -sT selects a full connect scan and -T2 the polite timing template, so connections are made one at a time with a 0.4-second pause between probes. This keeps the scan below rate-based alert thresholds but each completed connection can still be logged by the application.
168. What is an advantage of using Zmap over Nmap?
A) It scans much faster
B) It performs vulnerability detection
C) It detects DNS misconfigurations
D) It runs stealth scans
Answer: A) It scans much faster
Explanation: Zmap is stateless and scans one port across enormous address ranges at near line rate, which makes Internet-scale surveys practical. It does not do version detection, OS fingerprinting or scripting, so it is a front end for Nmap rather than a replacement.
169. Which of the following is a primary reason attackers perform NetBIOS enumeration?
A) To identify shared folders and resources
B) To detect SQL injection flaws
C) To intercept SSH traffic
D) To brute-force login credentials
Answer: A) To identify shared folders and resources
Explanation: NetBIOS enumeration helps attackers identify shared folders, printers, and user accounts.
170. What does nmap -p U:53,161,T:80,443 scan?
A) UDP ports 53 & 161 and TCP ports 80 & 443
B) All UDP and TCP ports
C) Only web application ports
D) ICMP packets
Answer: A) UDP ports 53 & 161 and TCP ports 80 & 443
Explanation: The U: and T: qualifiers in a -p list apply to every port that follows them until the next qualifier, and ports with no qualifier apply to all protocols being scanned. -p only selects ports; to scan both lists in one run the command also needs -sU together with a TCP scan type such as -sS, otherwise Nmap reports that UDP ports were specified without a UDP scan.
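To make the qualifier rules concrete, here is an added Python model of how Nmap expands a -p string (written for this page; it is not Nmap's own code and only reproduces the documented behaviour of -p). The `scanned` argument stands in for the scan-type flags on the command line, and `scan_gaps` reports the case Nmap rejects: ports named for a protocol that no scan type covers.

```python
PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}


def _expand(item):
    """Expand one -p item ('80', '21-25', '-', '-1024', '60000-') to ints."""
    if item == "-":
        return range(1, 65536)
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {item!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec, scanned=("tcp", "udp")):
    """Expand an Nmap -p string into {protocol: set_of_ports}.

    Rules as documented for -p: a T:, U: or S: qualifier applies to every
    item after it until another qualifier appears; items before any qualifier
    apply to every protocol being scanned. `scanned` stands in for -sS/-sT
    (tcp), -sU (udp) and -sY (sctp), because -p never enables a scan type.
    """
    result = {proto: set() for proto in scanned}
    current = None  # None means "all scanned protocols"
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTO_PREFIX:
            current = PROTO_PREFIX[item[0].upper()]
            result.setdefault(current, set())
            item = item[2:]
            if not item:  # a bare "T:" only switches the qualifier
                continue
        targets = [current] if current else list(scanned)
        ports = _expand(item)
        for proto in targets:
            result[proto].update(ports)
    return result


def scan_gaps(spec, scanned=("tcp", "udp")):
    """Protocols that -p names but no scan type covers (Nmap errors out here)."""
    return sorted(p for p in parse_port_spec(spec, scanned) if p not in scanned)


if __name__ == "__main__":
    for spec, flags in [("U:53,161,T:80,443", ("tcp", "udp")),
                        ("22,U:53,T:80-82", ("tcp", "udp")),
                        ("U:53,T:80", ("tcp",))]:
        ports = parse_port_spec(spec, flags)
        print(spec, {p: sorted(v) for p, v in ports.items()}, "gaps:", scan_gaps(spec, flags))
```

The second sample spec shows the easily missed rule: an unqualified 22 in front of U:53 lands in both the TCP and the UDP list, so a scan intended for SSH also spends time on UDP/22.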
171. What is the primary function of fierce in network enumeration?
A) Automated DNS enumeration
B) Web application vulnerability scanning
C) Wireless packet sniffing
D) SQL database scanning
Answer: A) Automated DNS enumeration
Explanation: Fierce attempts zone transfers, brute-forces subdomains from a wordlist and then scans the surrounding address space of each hit to find contiguous netblocks belonging to the target.
172. What does hping3 --icmp do?
A) Sends custom ICMP packets
B) Enumerates SMB shares
C) Performs an aggressive scan
D) Captures SSL traffic
Answer: A) Sends custom ICMP packets
Explanation: --icmp puts hping3 in ICMP mode (echo request by default, with other types selectable), letting you craft individual ICMP packets to test how a host or firewall responds.
173. Which tool can detect IPv6-enabled hosts on a network?
A) alive6
B) Netcat
C) John the Ripper
D) Hydra
Answer: A) alive6
Explanation: alive6, from the THC-IPv6 suite, finds IPv6 hosts on the local link by sending ICMPv6 probes to the all-nodes multicast address and other targets and recording which addresses answer. Scanning IPv6 by brute force is impractical because of the address space, so link-local multicast discovery is the usual approach.
174. What does nmap -sL 192.168.1.0/24 do?
A) Lists all target IPs without scanning
B) Performs a TCP SYN scan
C) Captures web requests
D) Detects encryption weaknesses
Answer: A) Lists all target IPs without scanning
Explanation: -sL expands the /24 into its 256 addresses and prints each one with its reverse-DNS name, sending no probes to the hosts themselves.
175. What is an effective countermeasure against brute-force SIP enumeration?
A) Implementing rate-limiting and authentication
B) Using default passwords
C) Allowing unrestricted SIP traffic
D) Keeping outdated SIP configurations
Answer: A) Implementing rate-limiting and authentication
Explanation: Rate-limiting prevents attackers from brute-forcing SIP credentials, reducing VoIP enumeration risks.
176. What does nmap --top-ports 500 do?
A) Scans the top 500 most commonly used ports
B) Scans all ports on a network
C) Captures HTTP traffic
D) Detects weak encryption
Answer: A) Scans the top 500 most commonly used ports
Explanation: --top-ports 500 scans the 500 ports that Nmap's frequency data ranks as most likely to be open, which is faster than the default 1,000 and much faster than all 65,535, at the cost of missing services on unusual ports.
177. What does nmap -sU -sS perform?
A) Simultaneous TCP SYN and UDP scanning
B) DNS enumeration
C) SMB authentication bypass
D) SQL injection testing
Answer: A) Simultaneous TCP SYN and UDP scanning
Explanation: Combining -sU with -sS scans both the UDP and the TCP port lists in one run. Expect the UDP half to dominate the run time: most UDP services do not answer empty probes, so open ports show as open|filtered, and many hosts rate-limit the ICMP port-unreachable replies that identify closed ports.
178. What is a common countermeasure against NULL scans?
A) Configuring firewalls to block TCP packets with no flags
B) Allowing unrestricted traffic
C) Using weak encryption
D) Running outdated services
Answer: A) Configuring firewalls to block TCP packets with no flags
Explanation: NULL scans send TCP packets with no flags, so firewall rules should block such traffic.
179. Which tool is best suited for enumerating valid user accounts on an SMTP server?
A) smtp-user-enum
B) Wireshark
C) sqlmap
D) dirbuster
Answer: A) smtp-user-enum
Explanation: smtp-user-enum tests a list of usernames against a mail server using the VRFY, EXPN or RCPT TO commands and reports which ones the server accepts. It does not test for open relaying; that is a separate check that sends a message to an external recipient, for example with a manual SMTP session or Nmap's smtp-open-relay script.
180. What is a primary defense against ARP spoofing enumeration?
A) Enabling dynamic ARP inspection (DAI)
B) Allowing unrestricted ARP requests
C) Using weak passwords
D) Running outdated network configurations
Answer: A) Enabling dynamic ARP inspection (DAI)
Explanation: Dynamic ARP Inspection (DAI) prevents ARP spoofing attacks, protecting against network enumeration.
181. What is the purpose of the -oA option in Nmap?
A) Saves scan results in all available output formats (XML, Grepable, Normal)
B) Encrypts scan results
C) Performs an advanced UDP scan
D) Scans for SQL vulnerabilities
Answer: A) Saves scan results in all available output formats (XML, Grepable, Normal)
Explanation: -oA <basename> writes the same results three times, as <basename>.nmap (normal), <basename>.xml and <basename>.gnmap (grepable), so one scan serves both human review and later tooling without being rerun.
182. What does hping3 --rand-source do?
A) Spoofs source IP addresses in packets
B) Performs a slow scan
C) Detects web vulnerabilities
D) Captures DNS requests
Answer: A) Spoofs source IP addresses in packets
Explanation: --rand-source gives every packet a random source address. Replies go to those addresses rather than back to you, so it is useful for flooding tests and for burying a real probe in noise, not for scans whose results you need to read.
183. Which scanning technique is commonly used to detect load balancers?
A) TCP Timestamp Analysis
B) DNS Zone Transfer
C) SQL Injection
D) SSL Strip Attack
Answer: A) TCP Timestamp Analysis
Explanation: TCP timestamp analysis helps detect load balancers by identifying inconsistencies in packet responses.
184. What does nmap -f do?
A) Fragments packets to evade IDS detection
B) Performs a full TCP connect scan
C) Enumerates SMB shares
D) Captures HTTP headers
Answer: A) Fragments packets to evade IDS detection
Explanation: -f splits each probe into 8-byte IP fragments (-ff uses 16), so the TCP header is spread across several packets. Filters and sensors that inspect fragments individually cannot match on the flags or port; any device that reassembles before inspecting is unaffected.
185. What is an effective countermeasure against TCP SYN scanning?
A) Enabling SYN flood protection on firewalls
B) Using default passwords
C) Allowing unrestricted network traffic
D) Disabling HTTPS
Answer: A) Enabling SYN flood protection on firewalls
Explanation: Stateful firewalls with SYN flood protection track half-open connections and throttle or drop sources that open many of them, which blunts a fast SYN scan. It does not stop a slow scan, so the real control is detection: an IDS rule or log analytics that flags one source sending SYNs to many distinct ports without ever completing a handshake.
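The detection logic that question mentions, as an added Python example written for this page (not taken from any IDS product): it consumes client-side TCP events, treats a SYN as half-open when the same source never ACKs that destination port, and flags sources that hit many distinct ports in a sliding window. The events are constructed, not captured; the fast scanner, the legitimate client and the slow scanner are assumed scenarios, and the slow one shows the gap the explanation describes.

```python
from collections import defaultdict, deque


def _build_sample():
    """Constructed client-side TCP events: (time_s, src, dst, dport, flags).

    Only segments sent by the client side are needed for the check, so the
    server's SYN-ACKs are omitted. flags use tcpdump letters: S, A, R.
    """
    events = []
    # Fast half-open scanner: 20 SYNs to distinct ports in 3 s, each torn
    # down with a RST instead of being completed with an ACK.
    for i in range(20):
        t = 100.0 + i * 0.15
        events.append((t, "203.0.113.7", "10.0.0.5", 1 + i, "S"))
        events.append((t + 0.02, "203.0.113.7", "10.0.0.5", 1 + i, "R"))
    # Legitimate client: two full handshakes (SYN followed by ACK).
    events += [
        (101.0, "198.51.100.4", "10.0.0.5", 443, "S"),
        (101.05, "198.51.100.4", "10.0.0.5", 443, "A"),
        (102.0, "198.51.100.4", "10.0.0.5", 80, "S"),
        (102.05, "198.51.100.4", "10.0.0.5", 80, "A"),
    ]
    # Slow scanner: 20 half-open SYNs spaced 60 s apart.
    for i in range(20):
        events.append((500.0 + 60 * i, "192.0.2.9", "10.0.0.5", 1000 + i, "S"))
    return sorted(events)


SAMPLE_EVENTS = _build_sample()


def detect_syn_scanners(events, window_s=10.0, port_threshold=15):
    """Return {src: peak_distinct_targets} for sources whose half-open SYNs
    reach >= port_threshold distinct (dst, port) pairs within window_s.

    A SYN is half-open when that source never sends an ACK to the same
    (dst, port): a SYN scan answers the SYN-ACK with a RST, a real client
    completes the handshake with an ACK.
    """
    completed = {(src, dst, dport)
                 for (_, src, dst, dport, flags) in events if flags == "A"}
    pending = defaultdict(deque)  # src -> deque of (time, (dst, dport))
    peak = defaultdict(int)
    for t, src, dst, dport, flags in sorted(events):
        if flags != "S" or (src, dst, dport) in completed:
            continue
        q = pending[src]
        q.append((t, (dst, dport)))
        while q and t - q[0][0] > window_s:  # slide the window forward
            q.popleft()
        distinct = len({target for _, target in q})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= port_threshold}


if __name__ == "__main__":
    print("10 s window:", detect_syn_scanners(SAMPLE_EVENTS))
    print("1 h window: ", detect_syn_scanners(SAMPLE_EVENTS, window_s=3600))
```

With the default 10-second window only the fast scanner is reported; widening the window to an hour also catches the 60-second-spaced scan, which is the trade-off between a rate rule and a longer-horizon count that a SOC tunes against its false-positive budget.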
186. Which Nmap option is used to specify a custom script for scanning?
A) --script <script-name>
B) -sP
C) -oX
D) -sA
Answer: A) --script <script-name>
Explanation: --script selects which NSE scripts run; it accepts script names, categories (such as default or vuln), directories, a path to your own .nse file, or a boolean expression combining them. Script parameters are passed separately with --script-args.
187. What is the primary use of xprobe2 in network enumeration?
A) Active OS fingerprinting
B) SQL vulnerability scanning
C) Password brute-force attacks
D) Web application fuzzing
Answer: A) Active OS fingerprinting
Explanation: xprobe2 is an active OS fingerprinter that relies mainly on ICMP probes and a fuzzy signature-matching approach, giving a probability-ranked guess rather than a single match.
188. What does nmap --reason do?
A) Displays reasons why a port is marked open, closed, or filtered
B) Runs an aggressive scan
C) Performs a fast scan
D) Exploits DNS records
Answer: A) Displays reasons why a port is marked open, closed, or filtered
Explanation: --reason adds the evidence behind each state to the output, for example syn-ack for an open port, reset for a closed one and no-response or an ICMP unreachable code for a filtered one. It is the quickest way to tell a genuinely filtered port from a probe that was simply lost.
189. What is the function of netstat -ano in Windows enumeration?
A) Lists active network connections with process IDs
B) Scans for SQL injection vulnerabilities
C) Captures wireless traffic
D) Intercepts HTTPS requests
Answer: A) Lists active network connections with process IDs
Explanation: netstat -ano shows all connections and listening ports (-a) in numeric form (-n) with the owning process ID (-o). Matching the PID against a process list is how you find which program holds a suspicious listener or outbound connection.
190. What does nmap -sZ do?
A) SCTP COOKIE ECHO scan
B) Enumerates NetBIOS shares
C) Performs an SSL handshake scan
D) Detects DNS vulnerabilities
Answer: A) SCTP COOKIE ECHO scan
Explanation: -sZ sends an SCTP COOKIE ECHO chunk instead of an INIT. Open ports silently drop it while closed ports answer with an ABORT, so the scan distinguishes closed from open|filtered and can pass stateless filters that only block INIT chunks. It is the SCTP analogue of the TCP NULL/FIN scans, not an IP protocol scan.
191. Which tool is designed to detect IPv6-enabled hosts in a network?
A) scan6
B) sqlmap
C) aircrack-ng
D) hydra
Answer: A) scan6
Explanation: scan6 is part of the SI6 Networks IPv6 Toolkit (a separate project from THC-IPv6). It discovers IPv6 hosts on the local link with multicast probes and can also search remote address ranges using patterns such as low-byte, IPv4-embedded and vendor-specific addresses.
192. What is the function of dnsrecon -t axfr?
A) Attempts a DNS zone transfer
B) Performs an aggressive scan
C) Intercepts web traffic
D) Detects weak encryption
Answer: A) Attempts a DNS zone transfer
Explanation: With -t axfr, dnsrecon looks up the domain's name servers and requests a zone transfer from each of them in turn; any server that answers discloses every record in the zone.
193. What does nmap --script=broadcast-dhcp-discover do?
A) Detects rogue DHCP servers on the network
B) Captures HTTP headers
C) Exploits SQL vulnerabilities
D) Enumerates NetBIOS shares
Answer: A) Detects rogue DHCP servers on the network
Explanation: The script broadcasts a DHCPDISCOVER on the local segment and lists every server that answers, together with the lease it offers (address, gateway, DNS servers). Comparing that list with the sanctioned DHCP servers exposes a rogue server that is handing out attacker-controlled gateway or DNS settings.
194. What is an effective countermeasure against FTP enumeration?
A) Disabling anonymous FTP access
B) Allowing unrestricted FTP access
C) Using default credentials
D) Running outdated FTP services
Answer: A) Disabling anonymous FTP access
Explanation: Anonymous FTP access allows unauthenticated users to list directories, making it a security risk.
195. What does nmap --traceroute do?
A) Maps the network path to a target
B) Captures live network traffic
C) Scans only UDP ports
D) Enumerates SMB shares
Answer: A) Maps the network path to a target
Explanation: --traceroute runs after the port scan and uses a protocol and port the scan found to be answered, which lets it trace through firewalls that would drop a conventional ICMP or UDP traceroute. The result shows the hops between you and the target, including any filtering devices.
196. What is the primary purpose of ntpq -c peers?
A) Queries NTP servers for active peers
B) Detects DNS misconfigurations
C) Performs a brute-force attack
D) Captures SSL certificates
Answer: A) Queries NTP servers for active peers
Explanation: ntpq -c peers asks an NTP daemon for its peer table, revealing the upstream time sources it synchronises with and, on an internal server, other hosts in the time hierarchy. Servers configured with the noquery restriction refuse these mode-6 queries, which is the standard hardening.
197. What does nmap -sA perform?
A) TCP ACK Scan
B) UDP Scan
C) NULL Scan
D) OS Fingerprinting
Answer: A) TCP ACK Scan
Explanation: -sA sends ACK-only packets. Unfiltered ports return a RST whether open or closed, while filtered ports give no reply or an ICMP error, so the scan maps which ports a firewall passes and whether it is stateful rather than which ports are open.
198. What is a primary countermeasure against ARP spoofing?
A) Enabling Dynamic ARP Inspection (DAI)
B) Allowing unrestricted ARP requests
C) Disabling firewalls
D) Running outdated network configurations
Answer: A) Enabling Dynamic ARP Inspection (DAI)
Explanation: DAI prevents ARP spoofing attacks, protecting networks from man-in-the-middle (MITM) attacks.
199. What does nmap -T0 do?
A) Runs a very slow scan to avoid detection
B) Increases scan speed
C) Performs an aggressive scan
D) Captures wireless traffic
Answer: A) Runs a very slow scan to avoid detection
Explanation: -T0 is the "paranoid" template: probes are serialised and spaced five minutes apart, so the scan stays under time-based IDS thresholds. Scanning even a single host's default port list this way takes days, so it is only practical for a handful of ports.
200. What is the function of enumiax in network enumeration?
A) Enumerates VoIP (IAX) users
B) Captures HTTP headers
C) Performs SQL injection testing
D) Detects XSS vulnerabilities
Answer: A) Enumerates VoIP (IAX) users
Explanation: enumiax enumerates usernames on servers speaking the Inter-Asterisk eXchange (IAX2) protocol used between Asterisk PBXs, either from a wordlist or sequentially. SIP extension enumeration is done with separate tools; enumiax is IAX-specific.