1. Which of the following tools is commonly used for network scanning?
a) Metasploit
b) Nmap
c) Burp Suite
d) Wireshark
Answer: b) Nmap
Explanation: Nmap (Network Mapper) is widely used for network scanning to discover hosts, services, and vulnerabilities. Metasploit is mainly for exploitation, Burp Suite is for web security, and Wireshark is for packet analysis.
2. What type of scan would help identify open ports on a target system?
a) SYN Scan
b) ARP Spoofing
c) SQL Injection
d) Reverse Shell
Answer: a) SYN Scan
Explanation: SYN Scans (Stealth Scans) are used to identify open ports without completing the TCP handshake, making them stealthier compared to full connection scans.
3. Which protocol is often used for active enumeration of a Windows network?
a) ICMP
b) SNMP
c) SMB
d) FTP
Answer: c) SMB
Explanation: Server Message Block (SMB) is commonly used for Windows file sharing and can be exploited to enumerate shared resources, user lists, and vulnerabilities like EternalBlue.
4. What is the primary purpose of a vulnerability scan?
a) To find and exploit vulnerabilities
b) To identify security weaknesses
c) To conduct phishing attacks
d) To perform Denial-of-Service (DoS) attacks
Answer: b) To identify security weaknesses
Explanation: Vulnerability scanning is a proactive security measure that identifies system weaknesses but does not exploit them.
5. What does an ‘OS Fingerprinting’ scan detect?
a) Open ports
b) Operating system details
c) Running web applications
d) Database vulnerabilities
Answer: b) Operating system details
Explanation: OS Fingerprinting uses TCP/IP stack analysis to determine the operating system running on a target machine.
6. What is the default port for an SSH service?
a) 21
b) 22
c) 23
d) 25
Answer: b) 22
Explanation: Port 22 is the default port for SSH (Secure Shell), used for secure remote login.
7. What type of scan can identify live hosts on a network?
a) XMAS Scan
b) ICMP Ping Sweep
c) DNS Poisoning
d) SQL Injection
Answer: b) ICMP Ping Sweep
Explanation: ICMP Ping Sweep is used to check which hosts are active in a network by sending ICMP Echo Requests.
8. Which of the following best describes a ‘Banner Grabbing’ technique?
a) Capturing packets from a network
b) Identifying services running on a system
c) Exploiting an SQL vulnerability
d) Conducting a brute force attack
Answer: b) Identifying services running on a system
Explanation: Banner Grabbing is used to extract information about running services, versions, and potential vulnerabilities.
9. Which tool is best suited for performing DNS enumeration?
a) DirBuster
b) TheHarvester
c) Dig
d) Nikto
Answer: c) Dig
Explanation: Dig is a powerful tool used for DNS enumeration to gather subdomains, MX records, and NS records.
10. What is the significance of CVE (Common Vulnerabilities and Exposures)?
a) It is a type of malware
b) It is a vulnerability database
c) It is an encryption standard
d) It is a hacking tool
Answer: b) It is a vulnerability database
Explanation: CVE is a publicly available database of known vulnerabilities, maintained by MITRE.
11. What is an effective way to evade detection while performing network scans?
a) Using a VPN
b) Fragmenting packets
c) Conducting scans at night
d) Disabling the firewall
Answer: b) Fragmenting packets
Explanation: Packet fragmentation can bypass IDS/IPS detection by splitting scan packets into smaller parts.
12. What is the primary function of a ‘NULL Scan’?
a) To flood a server with requests
b) To scan ports without setting any flags
c) To exploit web applications
d) To perform a dictionary attack
Answer: b) To scan ports without setting any flags
Explanation: NULL scans send packets with no flags set, making them stealthier against firewalls.
13. What does the term ‘Passive Scanning’ refer to?
a) Scanning without sending packets
b) Scanning with aggressive techniques
c) Scanning using brute force
d) Scanning for ransomware
Answer: a) Scanning without sending packets
Explanation: Passive scanning relies on listening to network traffic without actively probing a target.
14. What is the main purpose of SNMP enumeration?
a) To gain unauthorized access
b) To identify user accounts, devices, and configurations
c) To perform privilege escalation
d) To execute remote code
Answer: b) To identify user accounts, devices, and configurations
Explanation: SNMP (Simple Network Management Protocol) can be used to gather information about devices and network configurations.
15. What type of scan attempts to detect hidden services on a system?
a) SYN Flood
b) UDP Scan
c) TCP Connect Scan
d) Port Knocking
Answer: d) Port Knocking
Explanation: Port Knocking is a technique used to detect and access hidden services by sending a specific sequence of connection attempts.
16. What is one limitation of a UDP scan?
a) It is easily detected
b) It is slower compared to TCP scans
c) It does not work on Windows
d) It cannot detect vulnerabilities
Answer: b) It is slower compared to TCP scans
Explanation: UDP scanning is slow because UDP does not provide error messages as reliably as TCP, making detection harder.
17. What tool can perform web application vulnerability scanning?
a) Wireshark
b) Nikto
c) Netcat
d) John the Ripper
Answer: b) Nikto
Explanation: Nikto is used for scanning web applications for vulnerabilities such as outdated software and misconfigurations.
18. What is a key characteristic of an ‘XMAS Scan’?
a) It sends packets with all flags set
b) It floods the target with pings
c) It only scans closed ports
d) It sends no packets
Answer: a) It sends packets with all flags set
Explanation: XMAS scans set all TCP flags, making them useful for firewall evasion.
19. Which of the following is a stealthy scanning technique?
a) SYN Scan
b) Full Connect Scan
c) OS Fingerprinting
d) SQL Injection
Answer: a) SYN Scan
Explanation: SYN scans do not complete the handshake, making them stealthier.
20. Which of these tools can perform SMB enumeration?
a) Hydra
b) Enum4linux
c) Sqlmap
d) Hashcat
Answer: b) Enum4linux
Explanation: Enum4linux is used for enumerating SMB shares, users, and services.
21. What does a FIN scan do in network scanning?
a) Sends a FIN flag to check for open ports
b) Sends a SYN-ACK response to establish a connection
c) Uses fragmented packets to evade firewalls
d) Floods the network with excessive packets
Answer: a) Sends a FIN flag to check for open ports
Explanation: FIN scans send packets with the FIN flag set, which is normally used to terminate TCP connections. Some systems respond differently to closed and open ports, allowing stealthy enumeration.
22. What is the main goal of a ‘Zombie Scan’ in Nmap?
a) To inject malware into a remote system
b) To use an intermediary host for scanning
c) To brute-force open ports
d) To perform SQL injection attacks
Answer: b) To use an intermediary host for scanning
Explanation: Zombie scanning (also known as Idle scanning) uses an intermediary host to scan a target, making the attacker’s identity harder to trace.
23. Which tool is best suited for SNMP enumeration?
a) Nessus
b) Snmpwalk
c) Wireshark
d) Aircrack-ng
Answer: b) Snmpwalk
Explanation: Snmpwalk is used to query SNMP-enabled devices and retrieve information about network configurations and user accounts.
24. What is the purpose of ‘PTR Record Enumeration’ in DNS?
a) To discover subdomains
b) To find reverse DNS mappings
c) To locate MX records
d) To analyze web application vulnerabilities
Answer: b) To find reverse DNS mappings
Explanation: PTR (Pointer) records provide reverse DNS lookups, allowing attackers to map IP addresses to domain names.
25. In a TCP Connect scan, what happens when a port is closed?
a) The target sends a RST packet
b) The connection completes successfully
c) The firewall blocks the request
d) The attacker gets full system access
Answer: a) The target sends a RST packet
Explanation: In a TCP Connect scan, if a port is closed, the target system responds with a RST (Reset) packet.
26. What is the primary objective of an ARP scan?
a) To find active hosts in a local network
b) To exploit SQL vulnerabilities
c) To perform password cracking
d) To encrypt traffic
Answer: a) To find active hosts in a local network
Explanation: ARP (Address Resolution Protocol) scanning helps attackers discover live hosts and MAC addresses on a LAN.
27. What is a key difference between active and passive scanning?
a) Active scanning does not send packets
b) Passive scanning gathers data without direct interaction
c) Passive scanning is always faster than active scanning
d) Active scanning only works on wireless networks
Answer: b) Passive scanning gathers data without direct interaction
Explanation: Passive scanning relies on listening to network traffic, while active scanning directly interacts with the target.
28. Which Nmap option performs a service version detection scan?
a) -O
b) -sV
c) -A
d) -sS
Answer: b) -sV
Explanation: The -sV option in Nmap helps identify the versions of services running on open ports.
29. Which vulnerability scanner is widely used for enterprise security?
a) Metasploit
b) Nessus
c) John the Ripper
d) Aircrack-ng
Answer: b) Nessus
Explanation: Nessus is one of the most commonly used vulnerability scanners for enterprise security assessments.
30. What kind of scan would help identify default credentials on a web application?
a) Directory brute-forcing
b) SQL Injection
c) Credential stuffing attack
d) XSS attack
Answer: c) Credential stuffing attack
Explanation: Credential stuffing uses default or leaked credentials to gain unauthorized access.
31. What does a ‘NULL Scan’ do differently from a SYN scan?
a) It sends packets with all flags set
b) It sends packets with no flags set
c) It performs OS fingerprinting
d) It encrypts scanning traffic
Answer: b) It sends packets with no flags set
Explanation: NULL scans send packets without any TCP flags, making them stealthier.
32. What kind of scan uses TCP Half-Open connections?
a) Full Connect Scan
b) SYN Scan
c) UDP Scan
d) XMAS Scan
Answer: b) SYN Scan
Explanation: SYN Scans (also called Half-Open scans) do not complete the handshake, reducing detection risk.
33. What is the primary use of Enum4linux?
a) Web application fuzzing
b) SMB enumeration
c) SQL Injection testing
d) DNS enumeration
Answer: b) SMB enumeration
Explanation: Enum4linux is used for enumerating SMB shares, users, and configurations.
34. Which tool helps in scanning HTTP security headers?
a) Nikto
b) Netcat
c) Aircrack-ng
d) Ettercap
Answer: a) Nikto
Explanation: Nikto helps identify missing or misconfigured security headers in web applications.
35. How does a UDP scan differ from a TCP scan?
a) It is faster
b) It does not require a handshake
c) It always bypasses firewalls
d) It detects OS versions
Answer: b) It does not require a handshake
Explanation: UDP scanning does not involve a handshake, making it slower but stealthier.
36. What does a ‘SYN Flood’ attack do?
a) Sends excessive SYN packets to overwhelm the target
b) Encrypts data on the target machine
c) Performs privilege escalation
d) Dumps a database
Answer: a) Sends excessive SYN packets to overwhelm the target
Explanation: SYN Flood attacks send multiple half-open connections to exhaust system resources.
37. What technique is used to find hidden directories on a web server?
a) Port scanning
b) Subdomain enumeration
c) Directory brute-forcing
d) ARP poisoning
Answer: c) Directory brute-forcing
Explanation: Tools like DirBuster or Gobuster brute-force hidden directories and files on web servers.
38. What does ‘SOA’ stand for in DNS enumeration?
a) Start of Authority
b) Security Over Addressing
c) Secure Online Authentication
d) Server of Attack
Answer: a) Start of Authority
Explanation: SOA (Start of Authority) records contain administrative details about a domain.
39. What command in Nmap performs an aggressive scan?
a) -sU
b) -A
c) -sS
d) -sN
Answer: b) -A
Explanation: -A in Nmap enables aggressive scanning with OS detection, version detection, and traceroute.
40. What does the ‘whois’ command help with in enumeration?
a) Scans open ports
b) Retrieves domain registration details
c) Exploits database vulnerabilities
d) Spoofs IP addresses
Answer: b) Retrieves domain registration details
Explanation: WHOIS provides information about domain ownership, contacts, and registration dates.
41. What is the primary purpose of NetBIOS enumeration?
a) To scan for open ports on a target
b) To gather shared resources and user details
c) To perform SQL Injection attacks
d) To capture network packets
Answer: b) To gather shared resources and user details
Explanation: NetBIOS enumeration helps identify shared files, printers, and user details on Windows systems.
42. What is the key purpose of performing a reverse DNS lookup in reconnaissance?
a) To determine the IP address of a target domain
b) To identify subdomains of a target
c) To find the domain name associated with an IP address
d) To inject malicious scripts into a website
Answer: c) To find the domain name associated with an IP address
Explanation: Reverse DNS lookup maps IP addresses back to domain names, helping attackers identify hosts.
43. What type of scan is typically blocked by intrusion detection systems (IDS)?
a) SYN Scan
b) UDP Scan
c) XMAS Scan
d) TCP Connect Scan
Answer: d) TCP Connect Scan
Explanation: TCP Connect Scans complete the full three-way handshake, making them easier to detect.
44. What is the main purpose of a ‘Stealth Scan’?
a) To perform vulnerability exploitation
b) To evade detection while scanning a network
c) To flood a target with packets
d) To take down a website
Answer: b) To evade detection while scanning a network
Explanation: Stealth scanning techniques (e.g., SYN scans, fragmented packets) help avoid IDS/IPS detection.
45. What is the default port for the SMB protocol?
a) 445
b) 3389
c) 22
d) 21
Answer: a) 445
Explanation: Port 445 is used for SMB (Server Message Block), commonly targeted in Windows enumeration.
46. What tool is used for scanning and enumerating WordPress vulnerabilities?
a) WPScan
b) Burp Suite
c) Hydra
d) Aircrack-ng
Answer: a) WPScan
Explanation: WPScan is a WordPress security scanner that helps identify vulnerabilities, themes, and plugins.
47. What is ‘Zone Transfer’ in DNS enumeration?
a) A method to move files across DNS servers
b) A process that replicates DNS records between servers
c) A brute-force attack on DNS servers
d) A way to spoof IP addresses
Answer: b) A process that replicates DNS records between servers
Explanation: Zone Transfer (AXFR) allows DNS records to be copied between servers, and misconfigured servers may leak sensitive data.
48. What is an effective way to detect hidden hosts within a network?
a) ARP Poisoning
b) MAC Address Spoofing
c) Idle Scanning
d) ICMP Echo Requests
Answer: c) Idle Scanning
Explanation: Idle scanning leverages an idle host to probe a target without revealing the attacker’s IP.
49. Which tool is commonly used for wireless network enumeration?
a) Aircrack-ng
b) Hydra
c) Sqlmap
d) WPScan
Answer: a) Aircrack-ng
Explanation: Aircrack-ng is used for wireless network scanning, packet capture, and cracking WPA keys.
50. What does a ‘SLOWLORIS’ attack do?
a) Brute-forces login credentials
b) Sends incomplete HTTP requests to exhaust server resources
c) Scans open ports in a network
d) Performs DNS spoofing
Answer: b) Sends incomplete HTTP requests to exhaust server resources
Explanation: A Slowloris attack sends partial HTTP requests to hold server connections open, causing a DoS.
51. What is a ‘Ghost Port Scan’?
a) A type of scan that uses decoy IP addresses
b) A way to scan systems without generating logs
c) A scan performed using compromised IoT devices
d) A scan that targets only closed ports
Answer: a) A type of scan that uses decoy IP addresses
Explanation: Ghost Port Scanning uses decoy addresses to confuse IDS/IPS systems.
52. What is a key advantage of using ‘Decoy Scanning’ in Nmap?
a) It scans faster
b) It hides the attacker’s real IP address
c) It automatically exploits vulnerabilities
d) It avoids detection by all firewalls
Answer: b) It hides the attacker’s real IP address
Explanation: Decoy scanning in Nmap makes it appear as if multiple hosts are scanning, hiding the attacker’s identity.
53. Which port is typically scanned to check for FTP vulnerabilities?
a) 21
b) 80
c) 443
d) 3306
Answer: a) 21
Explanation: Port 21 is used by the File Transfer Protocol (FTP) and can be vulnerable to brute-force attacks.
54. What does the ‘A’ record in DNS represent?
a) Alias for another domain
b) IPv4 address of a domain
c) Mail server for a domain
d) Start of Authority for a domain
Answer: b) IPv4 address of a domain
Explanation: A records map domain names to IPv4 addresses.
55. What is a ‘Fragmentation Scan’?
a) A scan that breaks packets into smaller fragments
b) A scan that focuses only on certain IP ranges
c) A full TCP connection scan
d) A scan that only targets web applications
Answer: a) A scan that breaks packets into smaller fragments
Explanation: Fragmentation scanning sends split packets to bypass IDS/IPS detection.
56. Which tool is useful for subdomain enumeration?
a) Sublist3r
b) Nikto
c) Snmpwalk
d) Hydra
Answer: a) Sublist3r
Explanation: Sublist3r is widely used for subdomain enumeration via passive and active techniques.
57. What technique is used in ‘DNS Cache Snooping’?
a) Poisoning the DNS server
b) Checking if a DNS server has cached specific records
c) Stealing user credentials from DNS queries
d) Changing a DNS server’s configuration remotely
Answer: b) Checking if a DNS server has cached specific records
Explanation: DNS Cache Snooping determines if a DNS server has cached a particular domain.
58. Which command in Nmap helps detect hosts behind a firewall?
a) -sF
b) -PN
c) -sI
d) -D
Answer: b) -PN
Explanation: -PN disables ping checks, allowing Nmap to detect hosts even if ICMP is blocked.
59. What is the main advantage of a ‘NULL Scan’?
a) It avoids detection by many IDS/IPS systems
b) It is the fastest scanning method
c) It guarantees access to the system
d) It works on all operating systems
Answer: a) It avoids detection by many IDS/IPS systems
Explanation: NULL scans are stealthy because they do not use standard TCP flags.
60. Which vulnerability scanner can integrate with Metasploit?
a) OpenVAS
b) Nikto
c) Nmap
d) Aircrack-ng
Answer: a) OpenVAS
Explanation: OpenVAS is an open-source vulnerability scanner that integrates with Metasploit for exploitation.
61. Which of the following can be used to enumerate live hosts on a local network?
a) Nmap ARP Scan
b) SQL Injection
c) SSH Bruteforcing
d) DNS Cache Poisoning
Answer: a) Nmap ARP Scan
Explanation: Nmap ARP scan is useful for identifying active hosts in a local network, as ARP requests are not blocked by firewalls.
62. What is an advantage of using IPv6 for network scanning?
a) Fewer security vulnerabilities exist
b) Scanning takes less time
c) The large address space makes enumeration difficult
d) It bypasses IDS/IPS by default
Answer: c) The large address space makes enumeration difficult
Explanation: The huge IPv6 address space makes it harder for attackers to perform exhaustive scanning.
63. What does a ‘Passive DNS Replication’ technique help with?
a) Tracking past DNS records
b) Exploiting DNS servers
c) Poisoning DNS records
d) Enumerating live web services
Answer: a) Tracking past DNS records
Explanation: Passive DNS Replication stores historical DNS records, helping track domain movements and detect malicious changes.
64. What is the main goal of an ‘ACK Scan’ in Nmap?
a) To check if a firewall is filtering packets
b) To exploit network misconfigurations
c) To brute-force login credentials
d) To perform privilege escalation
Answer: a) To check if a firewall is filtering packets
Explanation: ACK scans help determine whether a firewall is actively filtering traffic by analyzing the responses.
65. What is ‘Network Footprinting’?
a) The process of hiding network activity
b) The technique of gathering information about a target network
c) The process of deleting logs after an attack
d) Encrypting network traffic
Answer: b) The technique of gathering information about a target network
Explanation: Footprinting is the first phase of reconnaissance where attackers collect information about a network.
66. Which Nmap scan option is best for performing UDP scanning?
a) -sU
b) -sT
c) -O
d) -A
Answer: a) -sU
Explanation: The -sU option in Nmap is used to perform UDP scanning, which is useful for detecting services like DNS, SNMP, and TFTP.
67. Which tool can help discover publicly exposed S3 buckets in AWS?
a) AWSBucketDump
b) Hydra
c) Nikto
d) WPScan
Answer: a) AWSBucketDump
Explanation: AWSBucketDump helps in enumerating open Amazon S3 buckets and their permissions.
68. What is a ‘TCP Window Scan’ used for?
a) To detect if a port is open or closed based on window size values
b) To brute-force login credentials
c) To perform an SQL injection attack
d) To flood the target with malicious packets
Answer: a) To detect if a port is open or closed based on window size values
Explanation: TCP Window scanning uses TCP window size differences to determine open or closed ports.
69. What does a ‘FQDN’ (Fully Qualified Domain Name) represent?
a) The complete domain name, including hostname and TLD
b) A private internal DNS record
c) A vulnerability in DNS servers
d) A specific type of DNS attack
Answer: a) The complete domain name, including hostname and TLD
Explanation: FQDN is a complete domain name, including hostname, subdomain, and top-level domain (TLD).
70. What is the purpose of a ‘Reverse Shell’?
a) To establish a connection from the victim to the attacker’s system
b) To scan for open ports
c) To spoof network traffic
d) To encrypt data at rest
Answer: a) To establish a connection from the victim to the attacker’s system
Explanation: A Reverse Shell allows an attacker to remotely control a compromised system by making the victim connect back.
71. What is the primary function of a ‘PTR Record’ in DNS?
a) To map an IP address to a domain name
b) To resolve a domain name to an IP address
c) To store email server settings
d) To provide DNS caching
Answer: a) To map an IP address to a domain name
Explanation: PTR (Pointer) records allow reverse DNS lookups, mapping IP addresses to domain names.
72. What is a ‘Fingerprinting Attack’ in scanning?
a) Identifying a system’s OS and software versions
b) Exploiting a database using SQL Injection
c) Manipulating biometric authentication systems
d) Executing a brute-force attack
Answer: a) Identifying a system’s OS and software versions
Explanation: Fingerprinting helps attackers identify OS, web servers, and running services for further exploitation.
73. What is ‘Null Session Enumeration’ used for?
a) Extracting user and share information from Windows systems
b) Performing privilege escalation
c) Exploiting web applications
d) Attacking DNS servers
Answer: a) Extracting user and share information from Windows systems
Explanation: Null sessions allow unauthenticated SMB access, enabling attackers to enumerate users, groups, and shares.
74. What is the significance of the ‘Robots.txt’ file in scanning?
a) It provides a list of directories that should not be crawled
b) It lists all the usernames and passwords
c) It prevents brute-force attacks
d) It enables SQL Injection attacks
Answer: a) It provides a list of directories that should not be crawled
Explanation: Robots.txt tells search engines which directories should not be indexed, but attackers use it to find hidden directories.
75. What is the main function of ‘NSE Scripts’ in Nmap?
a) To execute automated network vulnerability scans
b) To conduct brute-force attacks
c) To perform phishing attacks
d) To exploit web applications
Answer: a) To execute automated network vulnerability scans
Explanation: Nmap Scripting Engine (NSE) automates vulnerability detection and network reconnaissance.
76. What is ‘Zone Walking’ in DNS enumeration?
a) A technique to discover DNS records by exploiting misconfigured DNS servers
b) A way to brute-force a DNS server
c) A method to create fake DNS entries
d) A process to erase DNS logs
Answer: a) A technique to discover DNS records by exploiting misconfigured DNS servers
Explanation: Zone Walking is an attack that extracts hidden subdomains and records from improperly configured DNS servers.
77. Which of the following is a passive information gathering technique?
a) Whois Lookup
b) SYN Scan
c) UDP Scan
d) XMAS Scan
Answer: a) Whois Lookup
Explanation: Whois Lookups allow attackers to gather domain registration details without interacting with the target system.
78. What does an LDAP enumeration attack target?
a) Directory services and user accounts
b) Firewall misconfigurations
c) Web applications
d) Network routers
Answer: a) Directory services and user accounts
Explanation: LDAP (Lightweight Directory Access Protocol) enumeration helps attackers extract user account information.
79. What is the purpose of an IP ID Header Scan?
a) To determine the operating system of the target
b) To exploit buffer overflow vulnerabilities
c) To detect SQL Injection weaknesses
d) To enumerate subdomains
Answer: a) To determine the operating system of the target
Explanation: IP ID Header scanning helps in OS fingerprinting by analyzing the IP ID sequence numbers.
80. What is a ‘Service Enumeration Attack’?
a) Identifying running services on a target system
b) Conducting a phishing attack
c) Performing privilege escalation
d) Exploiting cross-site scripting vulnerabilities
Answer: a) Identifying running services on a target system
Explanation: Service enumeration identifies active services and versions, which can be used to detect vulnerabilities.
81. What is a ‘Time-to-Live (TTL) Analysis’ used for in network reconnaissance?
a) Identifying the operating system of a target
b) Brute-forcing login credentials
c) Performing SQL Injection
d) Attacking DNS servers
Answer: a) Identifying the operating system of a target
Explanation: TTL values vary between different operating systems, allowing OS fingerprinting.
82. What does a ‘Honeypot Detection Scan’ attempt to do?
a) Detect decoy systems used for monitoring attacks
b) Perform data exfiltration
c) Exploit vulnerabilities in web applications
d) Evade network encryption
Answer: a) Detect decoy systems used for monitoring attacks
Explanation: Honeypots are fake targets used to trap attackers, and detection scans help identify them.
83. What type of scanning technique is commonly used to evade IDS detection?
a) Slow and low scanning
b) SQL Injection
c) Credential stuffing
d) DNS Hijacking
Answer: a) Slow and low scanning
Explanation: Slow and low scanning sends requests at long intervals, avoiding detection by IDS systems.
84. What is the main function of ‘IP Fragmentation in Scanning’?
a) To bypass IDS and firewalls
b) To perform brute-force attacks
c) To manipulate DNS records
d) To scan only specific subdomains
Answer: a) To bypass IDS and firewalls
Explanation: Fragmenting packets can help bypass security devices that inspect full packet headers.
85. What is the default Nmap scan type if no options are specified?
a) TCP Connect Scan
b) SYN Scan
c) UDP Scan
d) XMAS Scan
Answer: b) SYN Scan
Explanation: Nmap defaults to a SYN scan (-sS), as it is fast and stealthy.
86. What is the main risk of allowing ICMP responses on a public network?
a) It allows network mapping and reconnaissance
b) It enables direct server access
c) It exposes password hashes
d) It automatically opens all ports
Answer: a) It allows network mapping and reconnaissance
Explanation: ICMP is used in ping sweeps to detect active hosts, aiding attackers in network reconnaissance.
87. What does an ‘SNMP Community String’ do in enumeration?
a) Acts as a password to access SNMP data
b) Encrypts network traffic
c) Performs SQL Injection
d) Creates fake DNS records
Answer: a) Acts as a password to access SNMP data
Explanation: SNMP Community Strings function like passwords, allowing access to network device data.
88. What type of enumeration attack targets LDAP directories?
a) Extracting user and group information
b) Brute-forcing login credentials
c) Poisoning DNS cache
d) Exploiting SSL vulnerabilities
Answer: a) Extracting user and group information
Explanation: LDAP enumeration extracts user, group, and organizational details from directory services.
89. What does a ‘Traceroute’ scan help determine?
a) Network path and hop details to a target
b) The type of firewall used on a target
c) The password policy of a target system
d) The encryption method used in HTTPS
Answer: a) Network path and hop details to a target
Explanation: Traceroute reveals the network path and intermediary hops between an attacker and a target.
90. Which command allows you to scan for IPv6 hosts using Nmap?
a) nmap -6
b) nmap -v
c) nmap -O
d) nmap -A
Answer: a) nmap -6
Explanation: The -6 flag in Nmap enables scanning of IPv6 hosts.
91. What does a ‘BGP Enumeration Attack’ target?
a) Border Gateway Protocol (BGP) to hijack routing paths
b) Brute-forcing SSH credentials
c) Extracting Active Directory users
d) Attacking TLS encryption
Answer: a) Border Gateway Protocol (BGP) to hijack routing paths
Explanation: BGP Enumeration attacks can alter routing tables, redirecting network traffic.
92. What kind of information does an ‘MX Record Lookup’ reveal?
a) Email servers associated with a domain
b) The full directory structure of a web server
c) The encryption method used in VPNs
d) The firewall type of a target network
Answer: a) Email servers associated with a domain
Explanation: MX Records define mail exchange servers for a domain.
93. What does an attacker use in a ‘PTR Enumeration Attack’?
a) Reverse DNS lookups to map IPs to hostnames
b) SQL Injection techniques
c) File inclusion vulnerabilities
d) Weak password lists
Answer: a) Reverse DNS lookups to map IPs to hostnames
Explanation: PTR records allow attackers to find domain names associated with IP addresses.
94. What tool is often used for SSH enumeration?
a) Nmap
b) Dirb
c) SNMPWalk
d) Sqlmap
Answer: a) Nmap
Explanation: Nmap scripts (ssh-hostkey, ssh-auth-methods) help enumerate SSH details.
95. What technique is used to extract the usernames of system accounts?
a) RID Cycling
b) DNS Spoofing
c) SQL Injection
d) ARP Poisoning
Answer: a) RID Cycling
Explanation: RID Cycling retrieves Windows user accounts by cycling through Relative Identifiers (RIDs).
96. What is a key risk of leaving port 161 (SNMP) open?
a) Attackers can enumerate network devices and configurations
b) It allows unauthorized file transfers
c) It enables remote code execution
d) It exposes database credentials
Answer: a) Attackers can enumerate network devices and configurations
Explanation: SNMP misconfigurations leak device information, allowing attackers to map networks.
97. What technique is used in ‘TCP Reset Scanning’?
a) Sending RST packets to detect active hosts
b) Brute-forcing SSH passwords
c) Injecting SQL queries
d) Performing DNS spoofing
Answer: a) Sending RST packets to detect active hosts
Explanation: TCP Reset scanning uses RST responses to determine active hosts and firewalls.
98. What is a key characteristic of a ‘Half-Open Scan’?
a) It completes the three-way handshake
b) It does not send an ACK packet
c) It only scans UDP ports
d) It requires administrative privileges
Answer: b) It does not send an ACK packet
Explanation: Half-open (SYN) scans do not send an ACK packet, making them stealthier.
99. What tool can be used to perform firewall evasion techniques in scanning?
a) Hping3
b) Netcat
c) WPScan
d) Hydra
Answer: a) Hping3
Explanation: Hping3 allows attackers to send custom-crafted TCP packets to bypass firewalls.
100. What type of enumeration technique is used to retrieve domain controller details?
a) LDAP Enumeration
b) SNMP Enumeration
c) ARP Poisoning
d) XSS Injection
Answer: a) LDAP Enumeration
Explanation: LDAP enumeration helps attackers retrieve Active Directory user and domain details.
101. What does a ‘NULL Session’ allow in Windows enumeration?
a) Unauthenticated access to SMB shares
b) Exploiting SQL Injection vulnerabilities
c) Decrypting password hashes
d) Injecting malicious DNS records
Answer: a) Unauthenticated access to SMB shares
Explanation: A NULL session is an SMB/IPC$ connection with an empty username and password; where it is permitted it exposes user lists, shares and policy information without credentials. Windows restricts it by default since XP SP2 / Server 2003 (RestrictAnonymous), but legacy hosts and permissive Samba configurations still allow it.
102. Which protocol is most commonly targeted for VoIP enumeration?
a) SIP
b) SSH
c) HTTP
d) SMTP
Answer: a) SIP
Explanation: SIP (Session Initiation Protocol) is used in VoIP systems, making it a common target for enumeration.
103. What command in Nmap can be used to scan for vulnerabilities?
a) --script=vuln
b) -sF
c) -6
d) -Pn
Answer: a) --script=vuln
Explanation: Nmap’s --script=vuln option runs every NSE script in the "vuln" category (safe and intrusive checks for known issues) against the open ports it finds.
104. What is the primary purpose of performing ‘SMB Relay Attack’?
a) To intercept and relay NTLM authentication credentials
b) To brute-force SSH passwords
c) To launch DNS amplification attacks
d) To perform SQL Injection
Answer: a) To intercept and relay NTLM authentication credentials
Explanation: An SMB relay attack intercepts an NTLM challenge-response exchange and forwards each message to another server in real time, so the attacker authenticates as the victim without knowing the password; what is relayed is the live authentication exchange, not a crackable hash. SMB signing on the target defeats the relay.
105. Which tool is commonly used for brute-forcing SNMP Community Strings?
a) Onesixtyone
b) Nikto
c) Gobuster
d) Nmap
Answer: a) Onesixtyone
Explanation: Onesixtyone is a tool for brute-forcing SNMP community strings.
106. What is a key advantage of using ‘Tor’ for network scanning?
a) It hides the attacker’s real IP address
b) It speeds up the scanning process
c) It guarantees successful exploitation
d) It allows scanning without sending packets
Answer: a) It hides the attacker’s real IP address
Explanation: Tor anonymizes the source of the traffic, making it harder to trace the scanner. Caveat: Tor only carries TCP streams, so raw-packet techniques (SYN scans, ICMP pings, UDP) cannot go through it; only full-connect scans (e.g. nmap -sT through proxychains) work, and exit-node addresses are public and often blocked.
107. What does the ‘-f’ flag in Nmap do?
a) Enables packet fragmentation
b) Forces full TCP connections
c) Performs firewall evasion
d) Enables vulnerability scanning
Answer: a) Enables packet fragmentation
Explanation: The -f flag in Nmap splits probe packets into tiny IP fragments (8 bytes of payload; -f -f doubles it and --mtu sets any multiple of 8) so that signature-based IDS/IPS and packet filters that do not reassemble fragments may miss the probe.
108. What type of DNS record would an attacker query to find subdomains?
a) CNAME
b) TXT
c) MX
d) NS
Answer: d) NS
Explanation: NS (Name Server) records name the authoritative servers for a zone; an attacker queries them first so that a zone transfer (AXFR) can be attempted against each, and delegation NS records inside the zone reveal delegated subdomains. Subdomains themselves are otherwise found by brute force, zone transfer or certificate-transparency logs rather than by any single record type.
109. What is the primary goal of ‘NetBIOS Enumeration’?
a) To gather hostnames and shared resources
b) To intercept VoIP calls
c) To manipulate SSL certificates
d) To extract email credentials
Answer: a) To gather hostnames and shared resources
Explanation: NetBIOS enumeration allows attackers to retrieve Windows hostnames, shares, and users.
110. What type of attack does ‘Ldapsearch’ help with?
a) Extracting information from Active Directory
b) Cracking hashed passwords
c) Exploiting web application vulnerabilities
d) Flooding DNS servers
Answer: a) Extracting information from Active Directory
Explanation: Ldapsearch is used to enumerate LDAP-based directory services.
111. What scanning technique uses ‘ACK Packets’ to detect firewall rules?
a) ACK Scanning
b) SYN Flooding
c) DNS Zone Transfer
d) ARP Poisoning
Answer: a) ACK Scanning
Explanation: ACK scanning (Nmap -sA) sends ACK-only probes: a RST reply means the port is unfiltered (reachable through the firewall), while no reply or an ICMP unreachable means it is filtered. It cannot tell open from closed ports, only whether a stateful filter is in the way.
112. What is the primary function of ‘Metasploit Auxiliary Modules’?
a) To perform scanning and enumeration
b) To exploit vulnerabilities
c) To generate malware
d) To encrypt network traffic
Answer: a) To perform scanning and enumeration
Explanation: Metasploit Auxiliary Modules assist in scanning, enumeration, and information gathering.
113. What tool is commonly used for subdomain brute-forcing?
a) Gobuster
b) Aircrack-ng
c) WPScan
d) Ettercap
Answer: a) Gobuster
Explanation: Gobuster has dedicated modes: dns for subdomain brute-forcing against a wordlist, dir for directories and files, and vhost for virtual-host names.
114. Which of the following best describes ‘SID Enumeration’?
a) Extracting user and group identifiers from Windows systems
b) Performing SQL Injection attacks
c) Spoofing network packets
d) Manipulating DNS records
Answer: a) Extracting user and group identifiers from Windows systems
Explanation: SID (Security Identifier) Enumeration helps attackers identify user accounts in Windows systems.
115. What is ‘SNMPwalk’ primarily used for?
a) Querying SNMP devices for detailed information
b) Brute-forcing FTP credentials
c) Exploiting web vulnerabilities
d) Performing DoS attacks
Answer: a) Querying SNMP devices for detailed information
Explanation: SNMPwalk retrieves detailed information from SNMP-enabled network devices.
116. Which tool is commonly used to scan for outdated software versions on a web server?
a) Nikto
b) Hydra
c) Sqlmap
d) Netcat
Answer: a) Nikto
Explanation: Nikto scans web servers for outdated versions and misconfigurations.
117. What technique is used to avoid detection while performing an Nmap scan?
a) Using decoy hosts
b) Scanning during business hours
c) Executing commands via SSH
d) Modifying TLS headers
Answer: a) Using decoy hosts
Explanation: Decoy scanning (the -D option in Nmap) sends the same probes from several spoofed addresses alongside the real one, so the target's logs show many apparent sources; it hides the attacker only if the decoys are plausible live hosts, and the real address still appears among them.
118. What is the purpose of a ‘TTL Expiry Scan’?
a) To determine the number of hops to a target
b) To brute-force login credentials
c) To exploit SQL Injection vulnerabilities
d) To manipulate DNS records
Answer: a) To determine the number of hops to a target
Explanation: Like traceroute, TTL expiry scanning sends probes with increasing TTL values; each router that expires a packet returns ICMP Time Exceeded, revealing the hop path and intermediate devices such as firewalls.
119. What type of enumeration is performed using the rpcclient tool?
a) Windows SMB enumeration
b) Web application fuzzing
c) Brute-force password attacks
d) Subdomain discovery
Answer: a) Windows SMB enumeration
Explanation: rpcclient (from the Samba suite) talks MS-RPC over SMB and is used to enumerate users, groups, shares and domain information on Windows machines (e.g. enumdomusers, enumdomgroups, netshareenum, lookupsids).
120. What is the purpose of ‘SPF Record Enumeration’?
a) To identify authorized mail servers for a domain
b) To extract FTP credentials
c) To detect SQL Injection vulnerabilities
d) To analyze firewall rules
Answer: a) To identify authorized mail servers for a domain
Explanation: SPF (Sender Policy Framework) records define which mail servers can send emails for a domain.
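An added example, not part of the original quiz, of what SPF record enumeration actually yields: a parser that flattens a domain's v=spf1 policy through its include: chain into the set of networks allowed to send mail for it, with the RFC 7208 lookup limit enforced so an include loop fails cleanly. The TXT records are constructed and served from an in-memory table instead of live DNS, and only ip4/ip6/include/all mechanisms are handled; those are the example's assumptions.

```python
import ipaddress

# Constructed TXT records standing in for live DNS so the example runs offline.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def parse_spf(record: str):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples.
    Qualifier is one of + (pass), - (fail), ~ (softfail), ? (neutral); '+' is implied."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def authorized_networks(domain: str, lookup=FAKE_TXT.get, _budget=None):
    """Flatten a domain's SPF policy into [(ip_network, qualifier)] by following include: chains.
    Only ip4/ip6/include are handled; a, mx, exists and redirect= need live DNS and are
    skipped here (assumption of this example)."""
    if _budget is None:
        _budget = [MAX_DNS_TERMS]
    record = lookup(domain)
    if record is None:
        return []
    nets = []
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            nets.append((ipaddress.ip_network(arg, strict=False), qualifier))
        elif mech == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                raise ValueError("permerror: more than %d DNS lookups (include loop?)" % MAX_DNS_TERMS)
            # include: matches only where the included policy would PASS, and then
            # takes the qualifier of the include term itself, not the inner one
            for net, inner_q in authorized_networks(arg, lookup, _budget):
                if inner_q == "+":
                    nets.append((net, qualifier))
    return nets


def check_sender(ip: str, domain: str, lookup=FAKE_TXT.get) -> str:
    """Return the qualifier SPF applies to a message from ip claiming to be from domain."""
    record = lookup(domain)
    if record is None:
        return "none"                           # no SPF record published at all
    addr = ipaddress.ip_address(ip)
    for net, qualifier in authorized_networks(domain, lookup):
        if addr.version == net.version and addr in net:
            return qualifier
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":                       # default result when nothing matched
            return qualifier
    return "?"                                  # no 'all' term: neutral


if __name__ == "__main__":
    for net, q in authorized_networks("example.com"):
        print(q, net)
    print(check_sender("192.0.2.55", "example.com"), check_sender("203.0.113.1", "example.com"))
```

Swap FAKE_TXT.get for a function that fetches the TXT record with a DNS library and the same code enumerates real domains; the flattened list is what tells a tester which third-party senders (and therefore which SaaS tenants) a domain trusts, and a "+all" or missing "-all" at the top level is a finding on its own.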
121. What does ‘smbmap’ help an attacker enumerate?
a) SMB shared folders and permissions
b) Web application vulnerabilities
c) Wireless network passwords
d) Domain name system records
Answer: a) SMB shared folders and permissions
Explanation: smbmap lists SMB shares, file permissions, and access rights for a given set of credentials (or a NULL session).
122. What is the main purpose of the ‘sFlow’ protocol?
a) To monitor network traffic and flows
b) To encrypt database connections
c) To perform DNS enumeration
d) To bypass firewall restrictions
Answer: a) To monitor network traffic and flows
Explanation: sFlow is a packet-sampling protocol that switches and routers use to export traffic statistics to a collector; the exported flow data feeds network monitoring and can feed intrusion detection.
123. What is the primary use of ‘enum4linux’?
a) To enumerate SMB shares and users
b) To perform DNS poisoning
c) To inject malicious scripts into a website
d) To scan for outdated TLS configurations
Answer: a) To enumerate SMB shares and users
Explanation: enum4linux wraps the Samba tools (smbclient, rpcclient, net, nmblookup) to extract Windows user accounts, SMB shares, groups, the domain password policy and OS information, typically over a NULL session.
124. What scanning technique does ‘XMAS Scan’ use?
a) TCP packets with all flags set
b) UDP packets with no flags set
c) ICMP packets with a hidden payload
d) ARP packets sent in fragmented mode
Answer: a) TCP packets with all flags set
Explanation: Nmap's XMAS scan (-sX) sets the FIN, PSH and URG flags ("lit up like a Christmas tree"); some texts describe it as setting all flags, which is what option a) reflects. Per RFC 793 a closed port answers with RST and an open port stays silent, so the result is closed versus open|filtered. Windows and many network devices send RST regardless of port state, which makes the scan useless against them.
125. Which protocol is commonly associated with ‘Zone Transfers’?
a) DNS
b) HTTP
c) SNMP
d) SMB
Answer: a) DNS
Explanation: Zone transfers (AXFR) allow DNS records to be copied between servers, revealing domain structure.
126. What information can be extracted using the finger command in Linux?
a) Logged-in users and last login times
b) Web application vulnerabilities
c) Encrypted network traffic
d) Wireless network passwords
Answer: a) Logged-in users and last login times
Explanation: The finger command (TCP/79) retrieves user information such as usernames, full names, login times and idle status; the service is obsolete and rarely exposed, but it still turns up on old Unix hosts.
127. Which scanning technique uses a ‘Zombie Host’?
a) Idle Scanning
b) ARP Spoofing
c) XMAS Scanning
d) Credential Stuffing
Answer: a) Idle Scanning
Explanation: Idle scanning (Nmap -sI) spoofs the probe's source address to that of an idle "zombie" host with a predictable IP ID counter, then checks how the zombie's IP ID has incremented to infer whether the target's port replied; the target only ever sees the zombie's address.
128. What is the purpose of a ‘Blackhole DNS Server’?
a) To sinkhole malicious traffic
b) To exploit misconfigured DNS servers
c) To hijack SSL certificates
d) To bypass firewall rules
Answer: a) To sinkhole malicious traffic
Explanation: A blackhole (sinkhole) DNS server answers queries for known-malicious domains with an address the defender controls, so infected hosts contact the analyst's server instead of the real command-and-control host and reveal themselves.
129. What tool can be used to identify open MongoDB databases?
a) Mongoaudit
b) Hydra
c) WPScan
d) Gobuster
Answer: a) Mongoaudit
Explanation: Mongoaudit scans for misconfigured MongoDB databases that might be publicly accessible.
130. What is ‘RDAP’ (Registration Data Access Protocol) used for?
a) Querying domain registration information
b) Cracking password hashes
c) Manipulating SNMP data
d) Attacking SMTP servers
Answer: a) Querying domain registration information
Explanation: RDAP provides modernized WHOIS lookup for domain and IP information.
131. What type of enumeration is performed by ‘PowerView’ in PowerShell?
a) Active Directory enumeration
b) Wireless network sniffing
c) SQL Injection testing
d) File inclusion exploitation
Answer: a) Active Directory enumeration
Explanation: PowerView is used to enumerate Active Directory users, groups, and network shares.
132. What is a key feature of ‘Burp Suite Active Scanning’?
a) It automatically detects web application vulnerabilities
b) It encrypts web traffic
c) It manipulates DNS records
d) It scans open UDP ports
Answer: a) It automatically detects web application vulnerabilities
Explanation: Burp Suite’s Active Scanner detects SQLi, XSS, and security misconfigurations.
133. What is the function of amap (Application Mapper)?
a) Identifying application services running on open ports
b) Performing DNS tunneling
c) Brute-forcing admin credentials
d) Extracting encrypted payloads
Answer: a) Identifying application services running on open ports
Explanation: amap sends protocol-specific triggers to open ports and matches the responses, identifying application protocols running on non-standard ports.
134. What does the theHarvester tool do?
a) Gathers emails, subdomains, and open-source intelligence
b) Performs brute-force attacks
c) Exploits web application vulnerabilities
d) Extracts encryption keys from memory
Answer: a) Gathers emails, subdomains, and open-source intelligence
Explanation: theHarvester collects emails, subdomains, hostnames and other publicly available information from search engines and public data sources.
135. What enumeration technique targets exposed Jenkins servers?
a) Extracting environment variables and credentials
b) Performing DNS zone transfers
c) Brute-forcing FTP credentials
d) Executing ARP poisoning
Answer: a) Extracting environment variables and credentials
Explanation: Exposed Jenkins servers may leak environment variables and stored credentials.
136. What is a primary risk of allowing ‘Anonymous FTP Access’?
a) Unauthorized users can upload/download files
b) It enables DNS hijacking
c) It exposes encrypted passwords
d) It allows brute-force SSH attacks
Answer: a) Unauthorized users can upload/download files
Explanation: Anonymous FTP access lets anyone access files, leading to data leaks.
137. What scanning technique does ‘IP Spoofing’ help with?
a) Evading detection by using a fake source IP
b) Injecting SQL commands into web applications
c) Capturing DNS queries from remote hosts
d) Scanning for hidden web directories
Answer: a) Evading detection by using a fake source IP
Explanation: IP spoofing forges the source address so firewalls and logs see a different origin; since replies then go to the spoofed host, it only works for blind techniques (decoys, idle scans, floods), not for a scan whose responses the attacker needs to read.
138. What is the primary function of the dnsrecon tool?
a) DNS enumeration and subdomain discovery
b) Performing a SYN flood attack
c) Enumerating SMB shares
d) Cracking wireless passwords
Answer: a) DNS enumeration and subdomain discovery
Explanation: dnsrecon is used for subdomain discovery, zone transfer attempts, reverse lookups and general DNS enumeration.
139. What is the key purpose of ‘Passive Reconnaissance’?
a) Gathering information without directly interacting with the target
b) Sending crafted packets to exploit vulnerabilities
c) Conducting brute-force attacks against SSH services
d) Manipulating DNS cache records
Answer: a) Gathering information without directly interacting with the target
Explanation: Passive reconnaissance involves monitoring public data sources (WHOIS, OSINT, etc.) without alerting the target.
140. What is the primary risk of an open Redis database?
a) Unauthorized access and data manipulation
b) Automatic privilege escalation
c) Exposing VPN credentials
d) DNS record poisoning
Answer: a) Unauthorized access and data manipulation
Explanation: Open Redis instances allow unauthenticated attackers to modify stored data and execute remote commands.
141. What scanning tool is primarily used for VoIP enumeration?
a) SIPVicious
b) Gobuster
c) sqlmap
d) Ldapsearch
Answer: a) SIPVicious
Explanation: SIPVicious is a toolset used for enumerating SIP-based VoIP systems.
142. What is the purpose of ‘TCP SYN Cookie Protection’?
a) To prevent SYN flood attacks
b) To encrypt network traffic
c) To evade IDS detection
d) To manipulate TCP sequence numbers
Answer: a) To prevent SYN flood attacks
Explanation: SYN cookies let a server accept SYNs without storing half-open connection state: the server encodes a timestamp, an MSS class and a keyed hash of the connection 4-tuple into its initial sequence number, and reconstructs the connection only when a valid ACK (cookie + 1) comes back. Because nothing is stored until then, a flood of SYNs cannot exhaust the backlog queue.
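An added example, not part of the original quiz, showing why a SYN cookie needs no server-side state: a toy implementation of the classic layout (5-bit time slot, 3-bit MSS class, 24-bit keyed hash) with a fixed SECRET standing in for the kernel's per-boot random key, which is an assumption of this example. Addresses, ports and MSS table are constructed values.

```python
import hashlib
import hmac
import struct
import time

MSS_TABLE = [536, 1300, 1440, 1460]   # a few MSS classes fit in 3 bits (Linux does the same)
SECRET = b"per-boot-random-secret"     # assumption: stand-in for the kernel's random secret


def _hash24(saddr: bytes, daddr: bytes, sport: int, dport: int, t: int) -> int:
    """Keyed 24-bit tag binding the cookie to the 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now=None) -> int:
    """Initial sequence number for the SYN/ACK. Layout (32 bits):
    top 5 bits = 64-second time counter mod 32, next 3 = MSS class, low 24 = keyed hash.
    Nothing is stored on the server: the ISN itself is the state."""
    t = int(time.time() if now is None else now) >> 6
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, now=None):
    """Validate the ACK that completes the handshake. Returns the MSS to use, or None
    if the cookie is forged, belongs to a different 4-tuple, or is older than two slots."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_now = int(time.time() if now is None else now) >> 6
    t_bits, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    for age in (0, 1):                           # this slot and the previous one
        t = t_now - age
        if (t & 0x1F) == t_bits and (cookie & 0xFFFFFF) == _hash24(saddr, daddr, sport, dport, t):
            return MSS_TABLE[min(mss_idx, len(MSS_TABLE) - 1)]
    return None


if __name__ == "__main__":
    client, server = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
    isn = make_syn_cookie(client, server, 40000, 80, 1460)
    print("SYN/ACK seq=%#010x" % isn)
    print("ACK accepted, mss=", check_syn_cookie(client, server, 40000, 80, isn + 1))
    print("same ACK from another port:", check_syn_cookie(client, server, 40001, 80, isn + 1))
```

The validation step is the whole defence: an attacker who floods SYNs costs the server one HMAC per packet and zero memory, and an ACK that does not carry a matching cookie is dropped without any lookup.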
143. What is the key function of ‘Wireshark’ in network scanning?
a) Capturing and analyzing network traffic
b) Performing brute-force password attacks
c) Conducting SQL injection
d) Extracting domain registration data
Answer: a) Capturing and analyzing network traffic
Explanation: Wireshark is a packet analyzer used to inspect network traffic in real time.
144. Which command in Linux lists open network connections?
a) netstat -an
b) ps aux
c) whoami
d) find / -name open_ports
Answer: a) netstat -an
Explanation: netstat -an displays active network connections, open ports, and listening sockets in numeric form; on current Linux systems ss -tulnp is the replacement and also shows the owning process.
145. What does ‘Zone Transfer AXFR’ help an attacker enumerate?
a) DNS records, subdomains, and hostnames
b) Open ports on a web server
c) Active SSH connections
d) Hidden wireless networks
Answer: a) DNS records, subdomains, and hostnames
Explanation: Zone transfers (AXFR) allow attackers to copy DNS records and map the entire domain.
146. What is the main risk of an exposed Memcached server?
a) It can be used in amplification DDoS attacks
b) It allows brute-force password attacks
c) It enables SQL injection
d) It provides direct SSH access
Answer: a) It can be used in amplification DDoS attacks
Explanation: Memcached listening on UDP/11211 without authentication answers tiny requests with very large responses; spoofing the victim's address turns it into a reflector with amplification in the tens of thousands (the 2018 record-size DDoS attacks). Disable UDP or bind it to localhost.
147. Which tool is used to extract email addresses from public sources?
a) theHarvester
b) Nikto
c) Gobuster
d) Aircrack-ng
Answer: a) theHarvester
Explanation: theHarvester is an OSINT tool for gathering email addresses and subdomains.
148. What is a ‘TCP Maimon Scan’?
a) A type of scan that sends FIN/ACK packets
b) A tool for fuzzing web applications
c) A script to analyze web cookies
d) A technique to poison DNS caches
Answer: a) A type of scan that sends FIN/ACK packets
Explanation: A Maimon scan (Nmap -sM) sends FIN/ACK probes. RFC-compliant stacks answer with RST whether the port is open or closed, but many BSD-derived stacks drop the probe for open ports, so "no response" maps to open|filtered. It yields information only against those stacks.
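An added example that is not part of the original quiz, covering questions 98, 111, 124 and 148 together: it builds the raw TCP header each scan type puts on the wire (with the IPv4 pseudo-header checksum a real probe needs, which is why these scans require raw sockets) and encodes Nmap's rules for turning the reply into a port state. The addresses and ports are constructed, and the flag table is this example's summary of the documented scan types, not code from Nmap.

```python
import socket
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each Nmap scan type puts on the wire (assumption: matches -sS/-sA/-sN/-sF/-sX/-sM)
SCAN_FLAGS = {
    "syn": SYN,               # -sS half-open: SYN, then RST instead of the final ACK
    "ack": ACK,               # -sA firewall-rule mapping
    "null": 0,                # -sN
    "fin": FIN,               # -sF
    "xmas": FIN | PSH | URG,  # -sX
    "maimon": FIN | ACK,      # -sM
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (pads an odd trailing byte with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """Return a 20-byte TCP header (no options) with a correct checksum.
    Sending it needs a raw socket, which is why -sS and friends need root."""
    offset_flags = (5 << 12) | flags            # data offset = 5 words, flags in low 8 bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(hdr: bytes) -> int:
    """Extract the flag byte from a raw TCP header (what a sniffer or IDS inspects)."""
    return struct.unpack("!H", hdr[12:14])[0] & 0xFF


def checksum_ok(src_ip, dst_ip, hdr: bytes) -> bool:
    """A header with a valid checksum sums to zero when the checksum field is included."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def port_state(scan: str, response):
    """Map a probe type and observed reply to Nmap's port state.
    response: 'synack', 'rst', 'icmp_unreach' (type 3, code 1/2/3/9/10/13) or None (silence)."""
    if scan == "syn":
        return {"synack": "open", "rst": "closed"}.get(response, "filtered")
    if scan == "ack":                        # cannot tell open from closed, only firewalled or not
        return "unfiltered" if response == "rst" else "filtered"
    if scan in ("null", "fin", "xmas", "maimon"):
        if response is None:                 # RFC 793: open ports ignore these probes
            return "open|filtered"
        return "closed" if response == "rst" else "filtered"
    raise ValueError("unknown scan type: %s" % scan)


if __name__ == "__main__":
    probe = build_tcp_header("192.0.2.10", "192.0.2.20", 40000, 22, SCAN_FLAGS["xmas"])
    print(probe.hex())
    print("flags=0x%02x checksum_ok=%s" % (tcp_flags(probe), checksum_ok("192.0.2.10", "192.0.2.20", probe)))
    print(port_state("xmas", None), port_state("syn", "synack"), port_state("ack", "rst"))
```

Feed the header to a raw socket (IPPROTO_TCP, with the kernel adding the IP header) to actually send it; the checksum is what makes the difference between a probe the target answers and one it silently discards, and it is also why a Windows host or a stateless filter can answer a XMAS probe with RST on every port and defeat the open|filtered inference.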
149. Which protocol is primarily targeted in SNMP enumeration attacks?
a) UDP
b) TCP
c) ICMP
d) HTTP
Answer: a) UDP
Explanation: SNMP runs over UDP (agents listen on 161, traps go to 162); being connectionless it is easy to sweep with tools like onesixtyone and, for SNMPv1/v2c, protected only by the community string.
150. What does ‘ICMP Timestamp Request Scanning’ help identify?
a) The system’s uptime and clock skew
b) Open UDP ports
c) Weak password policies
d) Misconfigured SSL certificates
Answer: a) The system’s uptime and clock skew
Explanation: An ICMP timestamp reply (type 14) carries the target's time of day in milliseconds since midnight UTC, which reveals clock skew and can help tell hosts behind a NAT apart; uptime is more commonly inferred from TCP timestamp options (nmap -O reports it), and a predictable maintenance cycle is what attackers derive from either.
151. What tool is commonly used for extracting metadata from documents?
a) ExifTool
b) John the Ripper
c) Ldapsearch
d) sqlmap
Answer: a) ExifTool
Explanation: ExifTool extracts metadata such as author details, GPS coordinates, and timestamps.
152. What enumeration technique is used to discover NetBIOS names in a network?
a) nbtstat -A
b) arp -a
c) ping -t
d) tcpdump
Answer: a) nbtstat -A
Explanation: nbtstat -A <IP> (Windows; nmblookup -A or nbtscan on Linux) retrieves the target's NetBIOS name table and MAC address over UDP/137: hostname, workgroup/domain, whether it is a file server or domain controller (suffixes <20>, <1C>) and logged-on user names (<03>). Shares themselves are listed with net view or smbclient -L, not by nbtstat.
153. Which port is commonly used by Elasticsearch services?
a) 9200
b) 3306
c) 1433
d) 21
Answer: a) 9200
Explanation: Elasticsearch instances often run on port 9200, making them a target for enumeration.
154. What technique is used in ‘Shellshock Enumeration’?
a) Exploiting vulnerable Bash versions
b) Bypassing SSL certificate validation
c) Injecting SQL payloads
d) Extracting DNS records
Answer: a) Exploiting vulnerable Bash versions
Explanation: Shellshock (CVE-2014-6271) exploits a flaw in older Bash versions that execute trailing commands in specially crafted environment variables; any service that passes attacker-controlled input into the environment of a bash process (CGI scripts, some DHCP clients, SSH ForceCommand) becomes a remote command-execution vector.
155. What is a key indicator of a system vulnerable to ‘LLMNR Poisoning’?
a) The system resolves hostnames via LLMNR
b) The system has an open FTP port
c) The system does not use a VPN
d) The system logs all ICMP packets
Answer: a) The system resolves hostnames via LLMNR
Explanation: When a Windows host resolves a mistyped or unknown name it falls back to LLMNR (and NBT-NS) broadcasts; an attacker on the segment who answers first (e.g. with Responder) receives the victim's NTLMv2 challenge-response, which can be cracked offline or relayed. Disabling LLMNR/NBT-NS via Group Policy removes the vector.
156. What is the primary risk of having an exposed Jenkins server?
a) Attackers can execute remote commands
b) Attackers can bypass two-factor authentication
c) Attackers can manipulate SSL certificates
d) Attackers can exploit buffer overflow vulnerabilities
Answer: a) Attackers can execute remote commands
Explanation: Exposed Jenkins servers may allow unauthenticated attackers to execute arbitrary commands.
157. Which tool is used to analyze SMB signing misconfigurations?
a) CrackMapExec
b) Netcat
c) Gobuster
d) Nmap
Answer: a) CrackMapExec
Explanation: CrackMapExec (continued as NetExec) reports signing:True/False for every SMB host it touches, which is how relay targets are selected; Nmap's smb2-security-mode script gives the same answer, so option d) is also workable. Hosts where signing is not required are the ones an SMB relay can be pointed at.
158. What is ‘Netcat’ primarily used for in enumeration?
a) Banner grabbing and network communication
b) Wireless packet sniffing
c) DNS hijacking
d) SQL injection exploitation
Answer: a) Banner grabbing and network communication
Explanation: Netcat (nc) is a versatile tool for network connections, banner grabbing, and backdoor communication.
159. What is the default port used by PostgreSQL databases?
a) 5432
b) 3306
c) 1521
d) 1433
Answer: a) 5432
Explanation: PostgreSQL uses port 5432 by default, making it a key target in database enumeration.
160. What is a key use case for the ldapsearch command?
a) Extracting information from Active Directory
b) Performing brute-force password attacks
c) Enumerating web directories
d) Spoofing network traffic
Answer: a) Extracting information from Active Directory
Explanation: ldapsearch queries LDAP directories (including Active Directory on port 389/636), retrieving user, group, and computer details; with anonymous bind allowed it needs no credentials at all.
161. What scanning technique does ‘ARP Poisoning’ help facilitate?
a) Man-in-the-Middle (MITM) attacks
b) DNS enumeration
c) SQL Injection testing
d) Subdomain discovery
Answer: a) Man-in-the-Middle (MITM) attacks
Explanation: ARP poisoning manipulates network traffic, enabling MITM attacks and credential theft.
162. What is the purpose of the nbtscan tool?
a) Scanning and enumerating NetBIOS services
b) Cracking hashed passwords
c) Testing SQL Injection vulnerabilities
d) Extracting email addresses from documents
Answer: a) Scanning and enumerating NetBIOS services
Explanation: nbtscan sends NetBIOS node-status queries to every address in a range and reports each host's NetBIOS name, workgroup/domain, logged-on user and MAC address; it does not list shares, which need an SMB tool.
163. What is the primary risk of exposing a MySQL database to the internet?
a) Unauthorized access and data leaks
b) Increased email phishing attempts
c) Automatic server crashes
d) Increased SSL encryption vulnerabilities
Answer: a) Unauthorized access and data leaks
Explanation: Public-facing MySQL databases risk unauthorized queries, data exfiltration, and brute-force attacks.
164. What tool is used for brute-forcing HTTP authentication?
a) Hydra
b) Nikto
c) Metasploit
d) SNMPWalk
Answer: a) Hydra
Explanation: Hydra is a powerful tool for brute-forcing various authentication services, including HTTP login forms.
165. What is the purpose of a ‘PTR Record Lookup’ in DNS enumeration?
a) Reverse mapping an IP address to a domain name
b) Identifying web application vulnerabilities
c) Extracting hashed passwords
d) Manipulating TLS certificates
Answer: a) Reverse mapping an IP address to a domain name
Explanation: PTR (Pointer) records help with reverse DNS lookups, mapping IP addresses to domain names.
166. Which of the following tools is best for searching for sensitive information leaked on public repositories?
a) GitRob
b) WPScan
c) Nikto
d) Aircrack-ng
Answer: a) GitRob
Explanation: GitRob helps identify sensitive data (API keys, credentials) leaked in GitHub repositories.
167. What is the primary goal of ‘SID Enumeration’ in Windows environments?
a) Identifying user and group security identifiers
b) Manipulating SSL handshakes
c) Bypassing login authentication
d) Injecting malicious JavaScript into browsers
Answer: a) Identifying user and group security identifiers
Explanation: SID enumeration allows attackers to map users, groups, and privileges on a Windows system.
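An added example, not part of the original quiz, covering the SID and RID questions (95, 114 and 167) together: it converts SIDs between the S-1-5-... string form and the binary layout used on the wire, strips the RID to recover the domain SID, and generates the candidate SIDs that a RID cycling pass resolves one by one. The LSA lookup is replaced by a constructed in-memory table so the example runs offline; the domain SID, account names and RID ranges are assumptions of this example.

```python
import struct

# RIDs that exist on every domain (assumption: the standard well-known RIDs; extend as needed)
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def parse_sid(sid: str):
    """'S-1-5-21-a-b-c-500' -> (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %s" % sid)
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID as it travels in MS-RPC: revision(1) | subauth count(1) |
    authority(6, big-endian) | each sub-authority as little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(account_sid: str) -> str:
    """The RID is the last sub-authority; everything before it identifies the domain."""
    revision, authority, subs = parse_sid(account_sid)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))


def rid_candidates(domain: str, rids=None):
    """Candidate account SIDs: the well-known RIDs plus 1000-1100, where the first
    user-created accounts land on a fresh domain (assumption; widen on real targets)."""
    if rids is None:
        rids = sorted(WELL_KNOWN_RIDS) + list(range(1000, 1101))
    return ["%s-%d" % (domain, rid) for rid in rids]


def rid_cycle(domain: str, resolver, rids=None):
    """Resolve each candidate; resolver(sid) returns an account name or None.
    On a real target the resolver is LSA LookupSids over SMB (rpcclient's lookupsids),
    which older hosts and permissive Samba still answer over a NULL session."""
    found = {}
    for sid in rid_candidates(domain, rids):
        name = resolver(sid)
        if name:
            found[sid] = name
    return found


if __name__ == "__main__":
    # Constructed directory standing in for a domain controller's LSA responses.
    fake_lsa = {"S-1-5-21-11-22-33-500": "CORP\\Administrator", "S-1-5-21-11-22-33-1001": "CORP\\jdoe"}
    admin = "S-1-5-21-11-22-33-500"
    print(sid_to_bytes(admin).hex(), bytes_to_sid(sid_to_bytes(admin)))
    print(rid_cycle(domain_sid(admin), fake_lsa.get))
```

The attack needs just one known SID to start (LookupNames on a well-known name such as "Administrator" or the domain name returns it), after which every other account is a sequential guess; the defence is to refuse anonymous LSA lookups, which is the default on current Windows.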
168. What does ‘FOCA’ (Fingerprinting Organizations with Collected Archives) help an attacker find?
a) Metadata from public documents
b) Wireless network passwords
c) Open FTP servers
d) Encrypted VPN tunnels
Answer: a) Metadata from public documents
Explanation: FOCA extracts metadata from publicly available files, revealing usernames, emails, and document history.
169. What is a ‘DNS CNAME Record’ used for?
a) Aliasing one domain name to another
b) Storing SSL certificates
c) Logging failed authentication attempts
d) Identifying open ports on a web server
Answer: a) Aliasing one domain name to another
Explanation: CNAME (Canonical Name) records map one domain name to another, which lets an attacker link related subdomains and hosting providers; a CNAME that still points at a deprovisioned third-party host is the root cause of subdomain takeover.
170. What is the main risk of allowing public access to an Elasticsearch database?
a) Unauthorized data extraction
b) Automatic system updates
c) SSL certificate expiration
d) Increased ping latency
Answer: a) Unauthorized data extraction
Explanation: Open Elasticsearch instances allow anyone to query and extract stored data.
171. What is a common technique used in ‘IPv6 Enumeration’?
a) Scanning the /64 subnet for live hosts
b) Brute-forcing SSH credentials
c) Using ICMP Redirect attacks
d) Performing DNS cache poisoning
Answer: a) Scanning the /64 subnet for live hosts
Explanation: A /64 contains 2^64 addresses and cannot be swept exhaustively, so option a) only works in the sense of targeted probing: practical IPv6 enumeration pings the all-nodes multicast address ff02::1 on the local link, harvests neighbor caches, DNS and logs, and probes structured addresses such as low interface IDs (::1 to ::ff), IPv4-embedded IDs and EUI-64 addresses derived from known MAC prefixes.
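An added example, not part of the original quiz, that turns the "structured address" idea into code: it derives the SLAAC (modified EUI-64) address a host would autoconfigure from its MAC and builds a candidate list for a /64 from low interface IDs and IPv4-embedded forms. The prefix, MAC and IPv4 address are constructed, and the heuristics used are this example's assumptions about where hand-assigned hosts usually sit.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address a host with this MAC autoconfigures: flip the U/L bit of the first
    octet, insert ff:fe in the middle, and place the 64-bit interface ID in the /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs live in a /64")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("bad MAC: %s" % mac)
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def candidate_hosts(prefix: str, macs=(), low_range=256, embedded_ipv4=()):
    """Addresses worth probing inside a /64 (assumption: the usual recon heuristics,
    since 2^64 addresses cannot be swept):
      - low interface IDs (::1 .. ::ff) that admins assign by hand,
      - IPv4-embedded IDs in both hex (::c000:20a) and digit-copy (::192:0:2:10) form,
      - EUI-64 addresses derived from known or guessable MACs (vendor OUI + sequence)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    base = int(net.network_address)
    out = [ipaddress.IPv6Address(base | i) for i in range(1, low_range)]
    for v4 in embedded_ipv4:
        out.append(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4))))
        digit_copy = 0
        for octet in v4.split("."):                 # "192.0.2.10" -> groups 0x192:0x0:0x2:0x10
            digit_copy = (digit_copy << 16) | int(octet, 16)
        out.append(ipaddress.IPv6Address(base | digit_copy))
    for mac in macs:
        out.append(eui64_address(prefix, mac))
    return out


if __name__ == "__main__":
    targets = candidate_hosts("2001:db8:1:2::/64", macs=["00:1b:21:aa:bb:cc"],
                              low_range=8, embedded_ipv4=["192.0.2.10"])
    for t in targets:
        print(t)
```

Privacy extensions (RFC 4941) make the EUI-64 guess fail for modern clients, which is exactly why they exist; servers and network gear, which are the usual enumeration targets, are far more likely to sit at a low or embedded address.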
172. What does an ‘A Record’ in DNS mapping signify?
a) It maps a domain name to an IPv4 address
b) It provides an alias for a domain
c) It stores SSL encryption keys
d) It specifies the email server for a domain
Answer: a) It maps a domain name to an IPv4 address
Explanation: A Records associate domain names with IPv4 addresses, crucial for DNS enumeration.
173. What is the primary goal of ‘Host Fingerprinting’ in scanning?
a) Identifying the target’s operating system and services
b) Exploiting SQL Injection vulnerabilities
c) Injecting malicious JavaScript into web pages
d) Manipulating TLS certificates
Answer: a) Identifying the target’s operating system and services
Explanation: Host fingerprinting analyzes network responses to determine OS, software versions, and configurations.
174. What is the purpose of an ‘NS Record’ in DNS enumeration?
a) Identifies the authoritative name servers for a domain
b) Stores email server configurations
c) Encrypts DNS traffic
d) Logs failed login attempts
Answer: a) Identifies the authoritative name servers for a domain
Explanation: NS (Name Server) records list the authoritative DNS servers for a domain, useful for DNS enumeration.
175. What tool is commonly used for scanning Kubernetes clusters?
a) kube-hunter
b) sqlmap
c) John the Ripper
d) WPScan
Answer: a) kube-hunter
Explanation: kube-hunter identifies misconfigurations and vulnerabilities in Kubernetes clusters.
176. What is the function of the ‘rpcinfo’ command in Linux enumeration?
a) Queries Remote Procedure Call (RPC) services on a target system
b) Analyzes web application security headers
c) Captures wireless network traffic
d) Exploits misconfigured DNS servers
Answer: a) Queries Remote Procedure Call (RPC) services on a target system
Explanation: rpcinfo -p <target> queries the portmapper (rpcbind, TCP/UDP 111) for the RPC programs, versions and ports a remote system has registered, e.g. whether NFS (program 100003) or mountd (100005) are exposed, which tells an attacker which RPC services to go after.
177. What scanning method does ‘SMTP Enumeration’ use?
a) VRFY and EXPN commands to list valid email addresses
b) Brute-forcing login credentials
c) Extracting hidden web directories
d) Identifying network firewall rules
Answer: a) VRFY and EXPN commands to list valid email addresses
Explanation: SMTP enumeration uses VRFY (does this mailbox exist?) and EXPN (expand this mailing list) to confirm valid addresses; hardened mail servers answer 252 or disable both commands, in which case RCPT TO after MAIL FROM often still reveals whether a recipient is accepted.
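An added example, not part of the original quiz, showing both sides of the SMTP enumeration exchange: a constructed in-memory server that answers VRFY, EXPN and RCPT TO the way an ordinary and a hardened MTA would, and a client that classifies candidate users from the reply codes and falls back to RCPT TO when VRFY is neutered. The users, list and domain names are invented for the example.

```python
import re


class FakeSmtpServer:
    """Constructed stand-in for a mail server so the exchange runs offline (example only).
    vrfy_enabled=False models a hardened MTA that answers 252 to VRFY and 502 to EXPN."""

    def __init__(self, users, lists, vrfy_enabled=True):
        self.users, self.lists, self.vrfy_enabled = set(users), dict(lists), vrfy_enabled

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if verb in ("MAIL", "RSET", "NOOP"):
            return "250 2.0.0 Ok"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            return ("250 2.1.5 <%s@example.test>" % arg) if arg in self.users else "550 5.1.1 User unknown"
        if verb == "EXPN":
            members = self.lists.get(arg) if self.vrfy_enabled else None
            if not members:
                return "502 5.7.0 EXPN not supported" if not self.vrfy_enabled else "550 5.1.1 List unknown"
            lines = ["250-%s" % m for m in members[:-1]] + ["250 %s" % members[-1]]
            return "\n".join(lines)
        if verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            ok = m is not None and m.group(1) in self.users
            return "250 2.1.5 Ok" if ok else "550 5.1.1 Recipient address rejected: User unknown"
        return "500 5.5.1 Command unrecognized"


def smtp_enum(send, candidates, domain="example.test"):
    """Classify candidate usernames. send(line) must return the server's reply text.
    VRFY is tried first; on 252/502 the code falls back to RCPT TO, which many MTAs still
    answer honestly (a catch-all domain says 250 to everything, so treat that as a caveat)."""
    send("EHLO scanner.test")
    results = {}
    for user in candidates:
        code = send("VRFY %s" % user)[:3]
        if code in ("250", "251"):
            results[user] = "valid"
        elif code == "550":
            results[user] = "invalid"
        else:
            send("RSET")                                   # start a clean envelope each time
            send("MAIL FROM:<probe@scanner.test>")
            rcode = send("RCPT TO:<%s@%s>" % (user, domain))[:3]
            results[user] = "valid" if rcode.startswith("25") else "invalid" if rcode == "550" else "ambiguous"
    send("RSET")
    return results


def smtp_expn(send, listname):
    """Expand a mailing list; returns [] when the server refuses (502/550)."""
    reply = send("EXPN %s" % listname)
    if not reply.startswith("250"):
        return []
    return [line[4:].strip() for line in reply.splitlines()]


if __name__ == "__main__":
    srv = FakeSmtpServer(users={"alice", "root"}, lists={"staff": ["alice@example.test", "root@example.test"]})
    print(smtp_enum(srv.handle, ["alice", "mallory", "root"]))
    print(smtp_expn(srv.handle, "staff"))
    hardened = FakeSmtpServer(users={"alice"}, lists={}, vrfy_enabled=False)
    print(smtp_enum(hardened.handle, ["alice", "mallory"]), smtp_expn(hardened.handle, "staff"))
```

Against a live server, replace send with a function that writes the line to a socket on port 25 and reads the reply; the classification logic is unchanged. The hardened case is the practitioner's point: turning off VRFY/EXPN is not enough if RCPT TO still rejects unknown users with 550.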
178. What is a key risk of running an exposed Telnet service?
a) Data is transmitted in plaintext, allowing interception
b) It enables automatic privilege escalation
c) It allows brute-force authentication bypass
d) It prevents users from logging in remotely
Answer: a) Data is transmitted in plaintext, allowing interception
Explanation: Telnet transmits data in plaintext, making it vulnerable to MITM (Man-in-the-Middle) attacks.
179. What scanning tool is used to detect misconfigured cloud storage buckets?
a) CloudBrute
b) Nmap
c) Nikto
d) CrackMapExec
Answer: a) CloudBrute
Explanation: CloudBrute scans for misconfigured AWS S3, Google Cloud, and Azure storage buckets.
180. What is the purpose of ‘BGP Hijacking’ in network enumeration?
a) Manipulating internet routing to intercept traffic
b) Brute-forcing firewall rules
c) Injecting SQL commands into backend databases
d) Exploiting JavaScript vulnerabilities
Answer: a) Manipulating internet routing to intercept traffic
Explanation: BGP hijacking means announcing IP prefixes (or more-specific prefixes) that the announcing AS is not authorized to originate, so other networks route the victim's traffic through the attacker; it is a routing attack rather than an enumeration technique, and RPKI route-origin validation is the main mitigation.
181. Which tool is used to scan for exposed Microsoft Exchange servers?
a) ExchangeRecon
b) Nikto
c) WPScan
d) Sqlmap
Answer: a) ExchangeRecon
Explanation: ExchangeRecon is used to scan for publicly exposed Microsoft Exchange servers.
182. What enumeration technique targets exposed Jenkins credentials?
a) Extracting API tokens and stored passwords
b) Brute-forcing login credentials
c) Exploiting SQL injection vulnerabilities
d) DNS cache poisoning
Answer: a) Extracting API tokens and stored passwords
Explanation: Exposed Jenkins instances often store API keys, passwords, and credentials that attackers can extract.
183. What command in Linux helps enumerate mounted NFS shares?
a) showmount -e <target>
b) df -h
c) ps aux
d) netstat -tulnp
Answer: a) showmount -e <target>
Explanation: showmount -e <target> asks the target's mountd for its export list, i.e. the NFS (Network File System) shares it exposes and to whom; exports open to "*" or with no_root_squash are then mounted and inspected.
184. What is the primary risk of an exposed RabbitMQ service?
a) Unauthorized users can send and receive messages
b) Remote attackers can perform privilege escalation
c) Attackers can execute remote shell commands
d) It allows SQL Injection
Answer: a) Unauthorized users can send and receive messages
Explanation: Exposed RabbitMQ instances may allow unauthenticated users to modify and intercept messaging queues.
185. What tool is used to detect exposed Jira instances?
a) JiraScan
b) Burp Suite
c) Hydra
d) Ldapsearch
Answer: a) JiraScan
Explanation: JiraScan is used to identify publicly exposed Jira issue trackers that may leak sensitive information.
186. What scanning technique does ‘SSH Banner Grabbing’ use?
a) Retrieving SSH server version information
b) Injecting payloads into SSH sessions
c) Exploiting buffer overflow vulnerabilities
d) Extracting SSL certificates
Answer: a) Retrieving SSH server version information
Explanation: The SSH identification string (e.g. SSH-2.0-OpenSSH_8.9p1 Ubuntu-3) is sent in the clear before key exchange, so nc <target> 22 or nmap -sV reads the software version without authenticating, which is then matched against known vulnerable releases.
187. What is the function of ‘DNS Brute-Forcing’?
a) Discovering hidden subdomains of a target domain
b) Exploiting DNS record misconfigurations
c) Capturing encrypted DNS queries
d) Manipulating browser session cookies
Answer: a) Discovering hidden subdomains of a target domain
Explanation: DNS brute-forcing resolves common subdomain names from a wordlist (e.g. admin.example.com, vpn.example.com) to find hosts that are not linked from anywhere.
188. What type of attack does ‘LLMNR/NBT-NS Poisoning’ facilitate?
a) Credential theft via name resolution spoofing
b) Cross-site scripting (XSS) attacks
c) SQL Injection
d) Remote code execution
Answer: a) Credential theft via name resolution spoofing
Explanation: LLMNR/NBT-NS poisoning tricks Windows systems into sending NTLM hashes to an attacker.
189. What scanning technique is used to detect Tor exit nodes?
a) Querying public Tor node lists
b) Running an Nmap SYN scan
c) Performing SSL handshake analysis
d) Extracting WHOIS records
Answer: a) Querying public Tor node lists
Explanation: Public Tor exit node lists help in detecting Tor-based traffic sources.
190. What tool is commonly used to scan misconfigured Docker containers?
a) Docker Scan
b) Gobuster
c) CrackMapExec
d) Metasploit
Answer: a) Docker Scan
Explanation: Docker Scan detects insecure container configurations and exposed services.
191. What is the primary risk of exposing an unauthenticated Apache Kafka instance?
a) Unauthorized users can publish and consume messages
b) Attackers can execute remote code directly
c) It enables brute-force attacks on admin passwords
d) It leads to automatic data encryption
Answer: a) Unauthorized users can publish and consume messages
Explanation: Apache Kafka is a messaging system. If misconfigured, attackers can read, delete, or inject fake messages into a data pipeline.
192. What does the masscan
tool specialize in?
a) High-speed port scanning
b) Exploiting web vulnerabilities
c) Analyzing TLS configurations
d) Extracting metadata from documents
Answer: a) High-speed port scanning
Explanation: Masscan is a high-performance port scanner that can scan the entire internet in minutes.
193. What is the primary risk of exposing an MQTT broker without authentication?
a) Attackers can intercept and manipulate IoT messages
b) It allows privilege escalation on Linux servers
c) It facilitates SQL injection on web applications
d) It enables direct SSH access
Answer: a) Attackers can intercept and manipulate IoT messages
Explanation: MQTT (Message Queuing Telemetry Transport) is commonly used in IoT devices. If unsecured, attackers can eavesdrop, manipulate, or flood messages.
194. What scanning technique is used in ‘SSL/TLS Enumeration’?
a) Identifying supported SSL/TLS versions and cipher suites
b) Extracting DNS subdomains
c) Brute-forcing login credentials
d) Injecting JavaScript payloads
Answer: a) Identifying supported SSL/TLS versions and cipher suites
Explanation: SSL/TLS enumeration (sslscan, testssl.sh, Nmap's ssl-enum-ciphers) lists the protocol versions, cipher suites and certificate details a server offers, revealing weak configurations such as SSLv3/TLS 1.0, RC4 or export ciphers and expired or mismatched certificates. SSL stripping is a downgrade attack performed in transit (mitigated by HSTS), not something enumerating the server reveals.
195. What is the purpose of the host command in Linux?
a) Performing DNS lookups
b) Cracking password hashes
c) Enumerating SMB shares
d) Scanning Wi-Fi networks
Answer: a) Performing DNS lookups
Explanation: The host command resolves domain names to IPs and retrieves DNS records (host -t MX example.com, host -a for everything, host -l for a zone transfer attempt).
196. What is a key characteristic of a ‘Fragmented Packet Scan’?
a) It breaks packets into smaller fragments to evade IDS/IPS detection
b) It injects hidden payloads into web requests
c) It manipulates firewall rule sets
d) It scans DNS servers for cache poisoning vulnerabilities
Answer: a) It breaks packets into smaller fragments to evade IDS/IPS detection
Explanation: Fragmented packet scanning splits packets into small chunks, bypassing some intrusion detection and firewall rules.
197. Which tool is commonly used for scanning and enumerating Oracle databases?
a) ODAT (Oracle Database Attacking Tool)
b) Hydra
c) sqlmap
d) Metasploit
Answer: a) ODAT (Oracle Database Attacking Tool)
Explanation: ODAT is used for scanning, enumerating, and exploiting misconfigured Oracle databases.
198. What is the main goal of ‘GraphQL Enumeration’?
a) Identifying exposed GraphQL queries and mutations
b) Bypassing SSL encryption
c) Scanning IoT devices for vulnerabilities
d) Detecting rogue DNS servers
Answer: a) Identifying exposed GraphQL queries and mutations
Explanation: GraphQL enumeration reveals available queries, sensitive fields, and potential misconfigurations.
199. What scanning tool is used to identify publicly exposed Jenkins build logs?
a) JenkinsHunter
b) Ldapsearch
c) CrackMapExec
d) Snmpwalk
Answer: a) JenkinsHunter
Explanation: JenkinsHunter identifies publicly exposed build logs that may contain secrets, credentials, or API tokens.
200. What is a primary risk of an exposed Redis database?
a) Attackers can execute arbitrary commands without authentication
b) It enables SQL Injection
c) It allows brute-force password attacks
d) It makes DNS lookups slower
Answer: a) Attackers can execute arbitrary commands without authentication
Explanation: Exposed Redis databases let attackers read and modify every key, run Lua scripts, and abuse CONFIG SET dir/dbfilename to write the dataset to arbitrary paths, which is the classic route to dropping an SSH key or cron job and gaining a shell on the host.