
An IPv4 Address Looks Like

The document provides information about networking concepts like IP addresses, networking commands, and security laws and frameworks. It covers topics such as IPv4 and IPv6 address formats, networking tools, and computer security acts.

Uploaded by

bala murali n.

1. An IPv4 address looks like?

• Answer: A sequence of four numbers separated by dots, each ranging
from 0-255. E.g., 192.168.1.1
2. An IPv6 address looks like?
• Answer: A sequence of eight groups of four hexadecimal digits, separated
by colons. E.g., 1200:0000:AB00:1234:0000:2552:7777:1313
3. What is the RFC that declares reserved IPv4 addresses?
• Answer: RFC 1918
4. What is the IP of the localhost or loopback adapter in IPv4 format?
• Answer: 127.0.0.1
5. What is the link local address in IPv4 format?
• Answer: Typically starts with 169.254.x.x
6. How many potential IP addresses are available in a class A network?
• Answer: 16,777,216
7. How many potential IP addresses are available in a class B network?
• Answer: 65,536
8. How many potential IP addresses are available in a class C network?
• Answer: 256
9. What is the IP of the localhost or loopback adapter in IPv6 format?
• Answer: ::1
10. What is the link local address in IPv6 format?
• Answer: Begins with FE80::
11. What is the appropriate CIDR notation for 256 available addresses?
• Answer: /24
12. How many hosts does a CIDR notation of /23 provide?
• Answer: 510 hosts
13. Which of the following is used to identify wireless networks across multiple
Access Points?
• Answer: SSID
14. Which of the following is the MAC address of the Access Point Radio?
• Answer: BSSID
15. Which of the following is not an Authentication Method?
• Answer: This requires options to choose from.
16. What command line tool is used to view a system's network information?
• Answer: ipconfig (Windows) or ifconfig (Unix/Linux).
17. What command do I run to see what services/ports are in use and what is
connected?
• Answer: netstat
18. In Windows, I would use which NET command to connect/map a network
drive?
• Answer: net use
19. Using the simple RISK equation, what is the risk of not applying a patch that
costs $100 per system in an environment with 200 systems with a 50%
probability of occurring?
• Answer: Risk = Threat x Vulnerability x Cost. Assuming the given figures:
Risk = 0.5 x 200 x $100 = $10,000
20. What Act, from 1974, was updated in 2004 to provide further restrictions on
the use of an individual's Social Security Number?
• Answer: The Privacy Act
1. What Act, from 1984, established criminal offenses for password trafficking,
insertion of malicious code, and knowledgeable and unauthorized access to
Government systems?
• Answer: The Computer Fraud and Abuse Act (CFAA) of 1984.
2. What Act, from 1987, established the National Information Assurance
Partnership which establishes an international common criteria to evaluate
them?
• Answer: This is a bit of a mix-up. The National Information Assurance
Partnership (NIAP) was not established by an act in 1987. The NIAP is
associated with the Common Criteria Recognition Arrangement (CCRA) for
product evaluations.
3. What Act, from 1996, implemented electronic healthcare transactions?
• Answer: The Health Insurance Portability and Accountability Act (HIPAA) of
1996.
4. What Act, from 1998, made it legal to crack copyright protection to conduct
encryption research, assess product interoperability, and test computer
security systems?
• Answer: The Digital Millennium Copyright Act (DMCA) of 1998. However,
it's worth noting that while DMCA provides exceptions, it primarily
criminalizes the circumvention of digital rights management.
5. What Act, from 1999, implemented protection and usage rules for Financial
Electronic transactions?
• Answer: The Gramm-Leach-Bliley Act (GLBA) of 1999.
6. What Act, from 2002 and based on California's SB1386, requires protection
of Personally Identifiable Information (PII)?
• Answer: California's SB1386 is itself the legislation that mandates the
disclosure of data breaches where PII might have been compromised.
7. In Maryland, damage caused in a computer related crime dictates a Felony
charge if the amount is over what amount?
• Answer: As of my last update in 2022, this information might be subject to
change. It's advisable to consult current Maryland state laws or a legal
professional for up-to-date information.
8. If you have been contracted to perform an attack against a target system,
you are what type of hacker?
• Answer: Ethical Hacker or Penetration Tester.
9. Which of the following describes an attacker who goes after a target to
draw attention to a cause?
• Answer: Hacktivist.
10. What level of knowledge about hacking does a script kiddie have?
• Answer: Minimal. Script kiddies typically use pre-made tools and scripts without a
deep understanding of how they work.
11. Which of the following does an ethical hacker require to start evaluating a
system?
• Answer: Written permission or a contract from the system's owner or custodian.
12. A white box test means the tester has which of the following?
• Answer: Comprehensive knowledge of the system, including architecture, source
code, and other internal data.
13. Which of the following describes a hacker who attacks without regard for
being caught or punished?
• Answer: Black Hat Hacker.
14. What is a code of ethics?
• Answer: A set of guidelines or principles designed to dictate proper behavior and
decision-making in a specific profession or group.
15. The group Anonymous is an example of what?
• Answer: Hacktivist collective.
16. Companies may require a penetration test for which of the following
reasons?
• Answer: To identify vulnerabilities in their systems, ensure compliance with
regulatory standards, and improve overall security posture.
1. What should a pentester do prior to initiating a new penetration test?
• Answer: Obtain written permission or a contract from the organization
they are testing.
2. Which of the following best describes what a hacktivist does?
• Answer: A hacktivist uses hacking to promote or support a political or
social cause.
3. Which of the following best describes what a suicide hacker does?
• Answer: A suicide hacker is someone who launches attacks without
concern for being caught or the repercussions they might face.
4. Which type of hacker may use their skills for both benign and malicious
goals at different times?
• Answer: Gray Hat Hacker.
5. What separates a suicide hacker from the other hackers?
• Answer: A lack of concern for repercussions or getting caught.
6. Which of the following would most likely engage in the pursuit of
vulnerability research?
• Answer: Security researchers or ethical hackers.
7. Vulnerability research deals with which of the following?
• Answer: Identifying, analyzing, and addressing weaknesses in systems and
software.
8. How is black box testing performed?
• Answer: Without knowledge of the internal workings of the system being
tested.
9. A contract is important because it does what?
• Answer: Clearly defines the scope, terms, and conditions of the
engagement and protects both parties legally.
10. What does TOE stand for?
• Answer: Target of Evaluation.
11. Which of the following best describes a vulnerability?
• Answer: A weakness or flaw in a system that can be exploited.
12. In which phase of the attack methodology do we try to identify hosts that
we can then look for vulnerabilities on?
• Answer: Discovery.
13. In which phase of the attack methodology do we use google and social
media to learn about our target?
• Answer: Reconnaissance.
14. In which phase of the attack methodology do we correlate open ports and
running services to a potential attack vector?
• Answer: Scanning.
15. In which phase of the attack methodology do we actually "break in" to a
system?
• Answer: Gaining Access.
16. Which of the following best describes footprinting?
• Answer: Gathering information about a target to find ways to infiltrate it.
17. Which of the following is not typically used during footprinting?
• Answer: This requires context; multiple tools and methods could be considered
typical or atypical based on the specifics of the footprinting scenario.
18. Why use Google hacking?
• Answer: To find vulnerabilities, exposed information, or misconfigurations using
specialized search queries.
19. What is the role of social engineering?
• Answer: Manipulating people into divulging confidential information or
performing actions that compromise security.
20. What is EDGAR used to do?
• Answer: It's a database maintained by the U.S. Securities and Exchange
Commission (SEC) that provides free access to corporate information, including
financial statements and other important data.
21. Which of the following can be used to tweak or fine-tune search results?
• Answer: Search operators or advanced search parameters.
22. Which of the following can an attacker use to determine the technology and
structure within an organization?
• Answer: Network scanning tools, banner grabbing, and website enumeration.
23. Which of the following can be used to assess physical security?
• Answer: Site surveys, physical penetration tests, and surveillance.
24. Which of the following can help you determine business processes of your
target through human interaction?
• Answer: Social engineering techniques.
The Wayback Machine is used to access archived versions of web pages from the past.

• Answer: Archive old versions of websites.

Which record will reveal information about a mail server for a domain?

• Answer: MX (Mail Exchange) record.

Which tool can be used to view web server information?

• Answer: WHOIS.

What can be configured in most search engines to monitor and alert you of changes to
content?

• Answer: Alert or notification settings.

What phase comes after footprinting?


• Answer: Scanning.

If you can't gain enough information directly from a target, what is another option?

• Answer: Social Engineering.

What is the purpose of social engineering?

• Answer: To manipulate individuals into divulging confidential information.

Which of the following would be a very effective source of information as it relates to
social engineering?

• Answer: Human interaction or communication channels.

Footprinting can determine all of the following except?

• Answer: A target's future actions.

Footprinting has two phases. What are they?

• Answer: Passive and active.

Which tool can trace the path of a packet?

• Answer: Traceroute.

Which of the following is an example of Technical Reconnaissance?

• Answer: Port scanning.

Which of the following is an example of "Low-Tech" Reconnaissance?

• Answer: Dumpster diving.

Baiting is an example of Social Engineering using?

• Answer: Enticing the target with something they want.

Pretending to be a vendor or recruiter and calling a target is an example of?


• Answer: Pretexting.

The Domain Name Registration records provide which of the following?

• Answer: Owner's information, registration and expiration date.

Open Source Intelligence requires us to access the target systems directly?

• Answer: False, it uses publicly available information.

Shodan is an example of?

• Answer: A search engine for internet-connected devices.

Which of the following is the best search engine to find all Linksys WRT54G routers
attached to the internet?

• Answer: Shodan.

Bing can be BEST used to identify?

• Answer: Websites and their associated metadata.

In Google Hacking, what would you use to find all PDF documents within HCC's
website?

• Answer: site:HCC.edu filetype:pdf

In Google Hacking, what would you use to find all webservers with Directory Browsing
enabled?

• Answer: intitle:"index of"

What file is available on most websites that tells you about portions of the website that
may be sensitive in an administrator's attempt to "secure" the site?

• Answer: robots.txt.

Using the Harvester, what command would allow me to search for the first 500 google
results for HCC email addresses?

• Answer: theharvester -d HCC.edu -l 500 -b google

Using the Harvester, what command would allow me to search for the first 200 Linkedin
results for Microsoft employees?

• Answer: theharvester -d microsoft.com -l 200 -b linkedin

Which of the following is used for banner grabbing?

• Answer: Netcat.

Which of the following is used for identifying a web server OS?

• Answer: Nmap.

Which of the following is used to perform customized network scans?

• Answer: Nmap with specific flags.

Which of the following is not a flag on a packet?

• Answer: Stealth.

A SYN attack uses which protocol?

• Answer: TCP.

Which of the following types of attack has no flags set?

**Answer:** A NULL scan.

What is missing from a half-open scan?

**Answer:** The ACK (Acknowledgment) from the initiator to complete the 3-way handshake.

During a FIN scan, what indicates that a port is closed?

**Answer:** A RST (Reset) response from the target.

During a XMAS tree scan, what indicates a port is closed?


**Answer:** A RST (Reset) response.

What is the three-way handshake?

**Answer:** It is a method used in a TCP/IP network to create a connection between a local host/client
and server. It involves three steps: SYN, SYN-ACK, ACK.

A full-open scan means that the three-way handshake has been completed. What is the difference
between this and a half-open scan?

**Answer:** A full-open scan completes the entire handshake process, while a half-open scan does not
send the final ACK to the target.

What is the sequence of the three-way handshake?

**Answer:** 1. SYN 2. SYN-ACK 3. ACK.

What is an ICMP echo scan?

**Answer:** It is a type of scan where an ICMP echo request packet (ping) is sent to the target, and a
response indicates the host is alive.

Which best describes a vulnerability scan?

**Answer:** It is a scan that identifies and classifies security weaknesses in a computer, network, or
infrastructure.

What is the purpose of a proxy?

**Answer:** A proxy acts as an intermediary for requests from clients seeking resources from other
servers, providing anonymity, security, and content control.

What is TOR used for?

**Answer:** TOR (The Onion Router) is used for anonymous communication over the internet.

Why would you need to use a proxy to perform scanning?


**Answer:** To hide the scanner's real IP address, bypass filtering, and provide an extra layer of
anonymity.

A vulnerability scan is a good way to do what?

**Answer:** Identify potential security weaknesses in a system or network.

A banner can do what?

**Answer:** Reveal information about a system or service, including its type, version, and other
relevant details.

NMAP is required to perform what type of scan?

**Answer:** Network discovery and security auditing.

In TCP/IP, what is the correct way to open a connection to a remote system using the 3-way handshake?

**Answer:** Send a SYN packet, wait for a SYN-ACK response, and then send an ACK packet.

In TCP/IP, what is the correct way to close a connection with a remote system using the 3-way
handshake?

**Answer:** Using the FIN and ACK packets.

Who created NMAP?

**Answer:** Gordon Lyon (also known by his pseudonym Fyodor).

Which NMAP scan type attempts to complete the 3-way handshake with each scanned port?

**Answer:** SYN scan (-sS).

Which NMAP scan type only sends the initial SYN request and waits for an ACK to detect the open port?

**Answer:** Half-open scan.

An NMAP scan with the FIN, URG, and PUSH code bits set is which scan type?

**Answer:** XMAS tree scan.

When using a NMAP TCP FIN (-sF) scan type, what response indicates the port may be open?

**Answer:** Lack of a response or a RST/ACK packet.

Which NMAP scan type allows an attacker to get past some packet filtering devices?

**Answer:** Fragmented packets scan (-f).

Which two scan types are known as NMAP PING scans?

**Answer:** ICMP echo request and TCP ACK to port 80.

Which of the following NMAP command line strings will scan a full class C network, perform version
detection, and output to a file?

**Answer:** nmap -sP -p- -sV -oN outputfile.txt 192.168.1.0/24

Which NMAP -T option would you use in a network where you want to minimize any detection and
potential unintended consequences of your scan?

**Answer:** -T2 (Polite)

Which NMAP -T option would you use in a network where you need to find out as much information as
quickly as possible but don't want to encounter any traffic loss?

**Answer:** -T4 (Aggressive)

Which NMAP scan sends one packet every 15 seconds?

**Answer:** Using the --scan-delay option set to 15s.

Which of the following NMAP command line strings will scan a target for specific web ports, and perform
version detection of those ports?

**Answer:** nmap -p 80,443 -sV target_ip


Enumeration is useful to system hacking because it provides which of the following?

**Answer:** Detailed information about the target system, such as user names, group names, network
resources, and other potential vulnerabilities.

Enumeration does not uncover which of the following pieces of information?

**Answer:** The underlying intentions or motivations of the system administrators.

_______ involves grabbing a copy of a zone file.

**Answer:** Zone transfer.

Which of the following would confirm a user named chell in SMTP?

**Answer:** Using the VRFY command.

VRFY is used to do which of the following?

**Answer:** Verify if a user exists on an SMTP server.

_______ is a method for expanding an email list.

**Answer:** Email harvesting.

An attacker can use ______ to enumerate users on a system.

**Answer:** Username guessing.

A _______ is used to connect to a remote system using NetBIOS.

**Answer:** NetBIOS session.

_______ is used to synchronize clocks on a network.

**Answer:** NTP (Network Time Protocol).

Port number _____ is used for SMTP.


**Answer:** 25.


1. **Port number _____ is used by DNS for zone transfers.**

- Answer: 53

2. **Which command can be used to view NetBIOS information?**

- Answer: nbtstat

3. **SNScan is used to access information for which protocol?**

- Answer: SNMP

4. **SMTP is used to perform which function?**

- Answer: Sending and receiving emails

5. **Which ports does SNMP use to function?**

- Answer: 161 and 162

6. **LDAP is used to perform which function?**

- Answer: Directory services

7. **SNMP is used to do which of the following?**

- Answer: Network management

8. **SNMP is used to perform which function in relation to hardware?**

- Answer: Monitoring and management

9. **What is a SID used to do?**

- Answer: Identify users and groups in Windows systems


10. **A DNS zone transfer is used to do which of the following?**

- Answer: Copy DNS data from one server to another

11. **OpenVAS is an example of what?**

- Answer: Vulnerability scanner

12. **A vulnerability is known as the intersection of which three elements?**

- Answer: Exploiting a flaw, access to a flaw, and potential impact

13. **Which of the following is a publicly available vulnerability list?**

- Answer: CVE (Common Vulnerabilities and Exposures)

14. **What personal software inspection tool can you use to scan your own system to ensure your
applications are up to date?**

- Answer: Secunia PSI (Personal Software Inspector)

15. **What Microsoft based tool can you use to scan your Windows system to check for security
issues?**

- Answer: Microsoft Baseline Security Analyzer (MBSA)

16. **What network based vulnerability scanner can be used to audit your systems for vulnerabilities, as
well as compliance checks?**

- Answer: Nessus

17. **Enumeration is useful to system hacking because it provides ________.**

- Answer: Detailed information about the target

18. **What does the enumeration phase NOT discover?**

- Answer: Actual vulnerabilities


19. **How would you use Netcat to set up a server on a system?**

- Answer: `nc -l -p [port number]`

20. **_______ is the process of exploiting services on a system.**

- Answer: Exploitation


How is a brute-force attack performed?

- A brute-force attack is performed by systematically trying every possible combination until the correct
one is found.

A _______ is a type of offline attack.

- Dictionary attack

An attacker can use a(n) ________ to return to a system.

- Backdoor

A _______ is used to represent a password.

- Hash

A _______ is a file used to store passwords.

- Password file or Shadow file

_______ is a hash used to store passwords in older Windows systems.

- LM (LanMan) hash

_______ is used to partially encrypt the SAM.

- Syskey

Which system should be used instead of LM or NTLM?

- Kerberos

NTLM provides what benefit versus LM?

- NTLM is more secure due to its stronger encryption methods compared to LM.

ADS requires what to be present?

- NTFS file system

What utility may be used to stop auditing or logging of events?

- Auditpol

On newer Windows systems, what hashing mechanism is disabled?

- LM hash

Which of the following is a utility used to reset passwords?

- Ophcrack (among others)

A good defense against password guessing is _______.

- Account lockout policies

If a domain controller is not present, what can be used instead?

- Local user account database

Alternate Data Streams are supported in which file systems?

- NTFS

What is an exploit?

- An exploit is a piece of software, data, or sequence of commands that takes advantage of a
vulnerability to cause unintended behavior in computer software or hardware.

Which of the following are types of exploits?

- There are many, including buffer overflows, SQL injection, cross-site scripting, etc.

Core Impact is an example of what?

- Penetration testing software

Exploit-DB is a resource to find?

- Exploits and vulnerable software

Packet Storm is a resource to find?

- Exploits, advisories, and security news

Who created Metasploit?

- HD Moore

Metasploit was originally written in which programming language?

- Perl

Metasploit was ported to which programming language in 2006?

- Ruby

Which company purchased Metasploit in 2009?

- Rapid7

In Metasploit, a port scanner module would be an example of what?

- An auxiliary module

In Metasploit, the Meterpreter shell is an example of what?

- Payload

In Metasploit, what command do you use to list the sessions of the systems you have exploited?

- `sessions`

Given the following set of Metasploit Commands, which command is missing in order to make this work?

- (You haven't provided a list of commands. I would need them to answer this.)

When using Meterpreter, what command shows all processes on the remote system?

- `ps`

When using Meterpreter, what command provides you with the Windows Password store?

- `hashdump`

What is the name of the Graphical Front End to Metasploit?

- Armitage
