0 [{"id":183303,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:13:19","updated_at":"2017-03-28 20:13:19","questionName":"A penetration tester gains shell access to a target system through a remote exploit and executes the following batch script to pull a file from her attacking machine. How does this method compare to using the default ftp client interactively? ","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":"uploads\/sans-gpen\/q32.png","position":null,"explanation":"The script creates another file that contains the answers that the FTP client requires to non-interactively connect to the attacking machine and pull the file exploit.exe to the target system. Thus the script overcomes the restrictions imposed by a shell ","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183306,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:16:11","updated_at":"2017-03-28 20:16:11","questionName":"What is the main difference between LANMAN and NTLMv1 challenge\/responses?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"NTLMv1 starts with the NT hash, LANMAN starts with LANMAN. Otherwise the two are the same. ","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183315,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:32:42","updated_at":"2017-03-28 20:36:01","questionName":"1.\tA penetration tester wishes to stop the Windows Firewall process on a remote host running Windows Vista. She issues the following commands: c:\\Documents and Settings\\Owner>net use Z:\\\\Fileserver\\shared \/user Administrator The command completed successfully. C:\\Documents and Settings\\Owner>Z: Z:\\>sc stop MpsSvc [SC] ControlService FAILED 1062: The service has been stopped. Z:\\> A check of the remote host indicates that the Windows Firewall is still running. Why did the command fail?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"In order to issue the sc command against a remote server, the IP or system name (if it can be resolved) must be passed to the sc command on the command-line. Otherwise the command will work against the local machine. ","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183300,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:05:27","updated_at":"2017-03-28 20:05:27","questionName":" A penetration tester obtains telnet access to a target machine using a captured credential. While trying to transfer her exploit to the target machine, the network intrusion prevention systems keep detecting her exploit and terminating her connection. Which of the following actions will help the penetration tester transfer and exploit and compile it in the target system? ","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183301,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:06:45","updated_at":"2017-03-28 20:06:45","questionName":"Which nmap command would you use to reliably scan for open ports on a subnet and at the same time avoid detection by applications that log connections? ","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183296,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 19:50:18","updated_at":"2017-03-28 19:50:18","questionName":"You have gained shell on a Windows host and want to find out other machines to pivot to, but the rules of engagement state that you can only use tools that are already availabile. How could you find other machines on the target network? ","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183298,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 19:54:19","updated_at":"2017-03-28 19:54:19","questionName":"A penetration tester obtains a DHCP address on the internal client LAN, then sends manually crafted packets to a web server in the DMZ. Packets with malformed HTTP headers and packets with other protocols tunneled in the payload to not make it to the web server. Which technology would be used to block these types of packets?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183297,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 19:52:19","updated_at":"2017-03-28 19:52:19","questionName":"Given the following Scapy information, how is default Layer 2 information derived?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":"uploads\/sans-gpen\/q27.png","position":null,"explanation":"1.\tScapy relies on the underlying operating system to construct Layer 2 information to use as a default. If not explicitly define, scapy and the underlying operating system construct Layer 2 information which is used as default. ","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183299,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 19:57:42","updated_at":"2017-03-28 19:57:42","questionName":"Why does nmap perform a port scan even when only directed to run a specific NSE script? ","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183313,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:26:06","updated_at":"2017-03-28 20:26:06","questionName":"What meterpreter command is used to get the SAM database and its hashes from the target machine?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183316,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:37:24","updated_at":"2017-03-28 20:37:24","questionName":"Analyze the command output below. Given this information, which is the next step for the tester?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":"uploads\/sans-gpen\/q2.png","position":null,"explanation":"The nmap command shown only shows what ports responded, and what the best guess is for services running on the port. Requesting a list of shares from the scanned host, since the port is open, will verify that netbios-ssn services are running as well as ga","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183308,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:19:02","updated_at":"2017-03-28 20:19:02","questionName":"You have connected to a Windows system remotely and have shell access via netcat. While connected to the remote system you notice that some Windows commands work normally while others do not. An example of this is shown in the picture below. Which of the following best describes why this is happening?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":"uploads\/sans-gpen\/q34.png","position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183312,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:26:06","updated_at":"2017-03-28 20:26:06","questionName":"What meterpreter command is used to get the SAM database and its hashes from the target machine?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183307,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:16:11","updated_at":"2017-03-28 20:16:11","questionName":"What is the main difference between LANMAN and NTLMv1 challenge\/responses?","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":null,"position":null,"explanation":"NTLMv1 starts with the NT hash, LANMAN starts with LANMAN. Otherwise the two are the same. ","question_score_id":null,"lang":null,"questionAudioPath":null},{"id":183311,"quiz_id":"11050","answer_id":null,"answerType_id":"0","created_at":"2017-03-28 20:23:47","updated_at":"2017-03-28 20:24:46","questionName":"What difference would you expect to result from running the following commands:","questionTimeSeconds":"0","questionTimeMinutes":"2","questionImagePath":"uploads\/sans-gpen\/q35.png","position":null,"explanation":"To get dig to perform a zone transfer, we invoke it with the \u2013t AXFR notification as: $ dig @[server] [domain] \u2013t AXFR This syntax will pull all information about a given domain. Alternatively, dig can perform an incremental zone transfer, pulling only r","question_score_id":null,"lang":null,"questionAudioPath":null}]

block

A penetration tester gains shell access to a target system through a remote exploit and executes the following batch script to pull a file from her attacking machine. How does this method compare to using the default ftp client interactively?

Select the correct answer(s).  

(0/0)

Explanation

The script creates another file that contains the answers that the FTP client requires to non-interactively connect to the attacking machine and pull the file exploit.exe to the target system. Thus the script overcomes the restrictions imposed by a shell

---

Only this method guarantees the integrity of the file exploit.exe by using the command “binary”

Only this method protects the information exchanged by obfuscating the real intent of the script executed.

Only this method bypasses the restrictions imposed by firewalls and other IP header-based packet filtering technologies.

Only this method overcomes the restrictions of remote access which does not implement a terminal.

none

What is the main difference between LANMAN and NTLMv1 challenge/responses?

Select the correct answer(s).  

(0/0)

Explanation

NTLMv1 starts with the NT hash, LANMAN starts with LANMAN. Otherwise the two are the same.

---

NTLMv1 utilizes DES, whereas LANMAN utilizes MD4

NTLMv1 only pads 18 byes, whereas LANMAN pads to 21 bytes

NTLMv1 starts with the NT hash, whereas LANMAN starts with the LANMAN hash.

NTLMv1 splits the hash into 3 eight-byte pieces, whereas LANMAN splits the hash into 3 seven-byte pieces.

none

1. A penetration tester wishes to stop the Windows Firewall process on a remote host running Windows Vista. She issues the following commands: c:\Documents and Settings\Owner>net use Z:\\Fileserver\shared /user Administrator The command completed successfully. C:\Documents and Settings\Owner>Z: Z:\>sc stop MpsSvc [SC] ControlService FAILED 1062: The service has been stopped. Z:\> A check of the remote host indicates that the Windows Firewall is still running. Why did the command fail?

Select the correct answer(s).  

(0/0)

Explanation

In order to issue the sc command against a remote server, the IP or system name (if it can be resolved) must be passed to the sc command on the command-line. Otherwise the command will work against the local machine.

---

The user does not have the access level needed to stop the firewall.

The sc command needs to be passed the IP address of the target.

The remote server timed out and did not complete the command.

The kernel prevented the command from being executed.

none

A penetration tester obtains telnet access to a target machine using a captured credential. While trying to transfer her exploit to the target machine, the network intrusion prevention systems keep detecting her exploit and terminating her connection. Which of the following actions will help the penetration tester transfer and exploit and compile it in the target system?

Select the correct answer(s).  

(0/0)

---

Use the copy ability and paste the file directly onto the target machine.

Use the ftp service in passive mode to push the file onto the target machine.

Use the telnet service’s ECHO option to pull the file onto the target machine.

a. Use the scp service, protocol SSHv2 to pull the file onto the target machine.

none

Which nmap command would you use to reliably scan for open ports on a subnet and at the same time avoid detection by applications that log connections?

Select the correct answer(s).  

(0/0)

---

nmap –sT

nmap –sM

nmap –sA

nmap –sS

none

You have gained shell on a Windows host and want to find out other machines to pivot to, but the rules of engagement state that you can only use tools that are already availabile. How could you find other machines on the target network?

Select the correct answer(s).  

(0/0)

---

Use the “net share” utility to see who is connected to local shared drives.

Use the “edit” utility to read the target’s HOSTS file.

Use the “ping” utility in a “for” loop to sweep the network.

Use the “scapy” utility to automatically discover other hosts.

none

A penetration tester obtains a DHCP address on the internal client LAN, then sends manually crafted packets to a web server in the DMZ. Packets with malformed HTTP headers and packets with other protocols tunneled in the payload to not make it to the web server. Which technology would be used to block these types of packets?

Select the correct answer(s).  

(0/0)

---

Host based anti-virus signatures

A router with NAT configured

An application-layer firewall

A packet filtering device

none

Given the following Scapy information, how is default Layer 2 information derived?

Select the correct answer(s).  

(0/0)

Explanation

1. Scapy relies on the underlying operating system to construct Layer 2 information to use as a default. If not explicitly define, scapy and the underlying operating system construct Layer 2 information which is used as default.

---

If not explicitly define, the Ether type field value is created using the hex value of the destination port, in this case 80.

Scapy relies on the underlying operating system to construct Layer 2 information to use as default.

0x00 is randomly generated value for the Layer 2 Ether type field.

If not explicitly define, pseudo-random values are generated for the Layer 2 default information

none

Why does nmap perform a port scan even when only directed to run a specific NSE script?

Select the correct answer(s).  

(0/0)

---

The port scan is used to determine the remote network topology.

nmap will always run a port scan regardless of command line options

NSE scripts categorized as “safe” require a full TCP and UDP port scan.

It must check to see if the ports required by the NSE script are available

none

What meterpreter command is used to get the SAM database and its hashes from the target machine?

Select the correct answer(s).  

(0/0)

---

SAMdump

lanmandump

hashdump

dumpsam

none

Analyze the command output below. Given this information, which is the next step for the tester?

Select the correct answer(s).  

(0/0)

Explanation

The nmap command shown only shows what ports responded, and what the best guess is for services running on the port. Requesting a list of shares from the scanned host, since the port is open, will verify that netbios-ssn services are running as well as ga

---

Send spoofed packets to attempt to evade any firewall.

Request a list of shares from the scanned host.

Request a list of shares from the scanned host.

Determine the MAC address of the scanned host.

none

You have connected to a Windows system remotely and have shell access via netcat. While connected to the remote system you notice that some Windows commands work normally while others do not. An example of this is shown in the picture below. Which of the following best describes why this is happening?

Select the correct answer(s).  

(0/0)

---

Another application is already running on the port Netcat is listening on.

The listener executed command.com instead of cmd.exe

Netcat cannot properly interpret certain control characters or Unicode sequences.

The Netcat listener is running with SYSTEM level privileges.

none

What meterpreter command is used to get the SAM database and its hashes from the target machine?

Select the correct answer(s).  

(0/0)

---

hashdump

dumpsam

SAMdump

lanmandump

none

What is the main difference between LANMAN and NTLMv1 challenge/responses?

Select the correct answer(s).  

(0/0)

Explanation

NTLMv1 starts with the NT hash, LANMAN starts with LANMAN. Otherwise the two are the same.

---

NTLMv1 utilizes DES, whereas LANMAN utilizes MD4

NTLMv1 splits the hash into 3 eight-byte pieces, whereas LANMAN splits the hash into 3 seven-byte pieces.

NTLMv1 starts with the NT hash, whereas LANMAN starts with the LANMAN hash.

NTLMv1 only pads 18 byes, whereas LANMAN pads to 21 bytes

none

What difference would you expect to result from running the following commands:

Select the correct answer(s).  

(0/0)

Explanation

To get dig to perform a zone transfer, we invoke it with the –t AXFR notification as: $ dig @[server] [domain] –t AXFR This syntax will pull all information about a given domain. Alternatively, dig can perform an incremental zone transfer, pulling only r

---

Command (1) will display all information about a domain and command (2) will provide only incremental updates from SOA 1002200301

a. Command (1) will display all information about a domain and command (2) will provide only 1002200301 byes of information.

Command (1) will display incremental information about a domain and command (2) will provide only 1002200301 bytes of information

Command (1) will display all information about a domain and command (2) will provide only 1002200301 byes of information.