Post Exam Material

Question 1

Is ScoutSuite open-scource?

Answer 1

Yes

Question 2

ScoutSuite can

Answer 2

assess the security posture and perform security assessment on multiple cloud environments

Question 3

Is ScoutSuite agentless?

Answer 3

Yes - it doesn’t require install or making changes to the cloud environment

Question 4

What format are Scoutsuite reports in?

Answer 4

HTML

Question 5

ScoutSuite can be used to check your cloud setup to make sure that it is

Answer 5

following best practices and any compliance standards

Question 6

Use cases for ScoutSuite are:

Answer 6

cloud security security auditing, performing compliance checks, intergration into CI/CD

Question 7

In Pivot lateral movement the initial compromised system is called the

Answer 7

foothold

Question 8

What is local port forwarding used for in a pivot?

Answer 8

to redirect traffic from a local system to remote system

Question 9

What is remote port forwarding used for in a pivot?

Answer 9

enables a remote system to connect to a local service on the user’s machine

Question 10

What is dynamic port forwarding in a pivot?

Answer 10

it creates a dynamic tunnel that acts as a SOCKS proxy server

Question 11

What is VPN pivoting?

Answer 11

A VPN is set up on a compromised machine. Allows the bypassing of IDS and firewalls

Question 12

What is proxy pivoting?

Answer 12

Traffic routed through a proxy server.

Question 13

Proxy pivoting can capture?

Answer 13

credentials and cookies

Question 14

What is the proxychains tool?

Answer 14

allows users route their internet traffic through multiple proxies to obfuscate their activities

Question 15

sshuttle is refered to as the

Answer 15

poorman’s VPN

Question 16

sshuttle tool is used for

Answer 16

lateral movement

Question 17

sshuttle will not work on

Answer 17

Windows systems natively

Question 18

The general syntax used for sshuttle

Answer 18

sshuttle -r user@remote-server 0.0.0.0/0 (-r = remote server, zeros IP address=route all traffic through)

Question 19

Does sshuttle support DNS fordwarding?

Answer 19

Yes (–dns in the CLI)

Question 20

sqlmap will automate

Answer 20

SQL injections with web pages and APIs

Question 21

Karma attack is a variant of the

Answer 21

evil twin wireless attack

Question 22

Command to scan a network for ports, etc using metasploit is:

Answer 22

db_nmap [-xX]

Question 23

msfvenon option for different encoding

Answer 23

-e (helps to evade detection)

Question 24

Hydra option to stop when a password is found

Answer 24

-f

Question 25

Wfuzz tool is for

Answer 25

web attacks

Question 26

Wfuzz is used for

Answer 26

brute-forcing directories and files, API requests,

Question 27

Which language is WPscan based on?

Answer 27

Ruby

Question 28

Kerberoasting is an attack that

Answer 28

tries to get the password hash of an active directory account that has a service principle name(SPN) associated with it

Question 29

SPN (service principle name) is an attribute (in AD) that associates an account with

Answer 29

a service on the network

Question 30

How is an SPN used?

Answer 30

in Kerberos authentication for clients to obtain a ticket to access a service

Question 31

In Kerberos anyone can request a ticket from the service being used that contains what?

Answer 31

password hash

Question 32

Rubeus is a tool that can request what?

Answer 32

Kerberos service ticket

Question 33

BeEF is to

Answer 33

exploit a web browser

Question 34

Step one in BeEF is to

Answer 34

hook the target's browser

Question 35

BeEF will execute what on the victums browser in hooking?

Answer 35

Java Script

Question 36

BeEF tool can be used for:

Answer 36

Social Engeening attacks

Question 37

Pass the Hash attack allows you to log into a system without knowing the

Answer 37

plain text password

Question 38

Mimikatz can be used for what type of attack

Answer 38

pass the hash

Question 39

Mimikatz can be used for

Answer 39

Credential dumping, Pass-the-Hash (PtH), Pass-the-Ticket (PtT), Over-Pass-the-Hash, Kerberos Ticket Extraction & Manipulation, Golden Ticket Attack, Silver Ticket Attack, SAM / LSA Secrets Dumping

Question 40

Extracts plaintext passwords, NTLM hashes, and Kerberos tickets from memory (LSASS process).

Answer 40

Credential Dumping

Question 41

Allows authentication using NTLM hash instead of plaintext password.

Answer 41

Pass-the-Hash (PtH)

Question 42

Reuses Kerberos tickets (TGT/TGS) to impersonate users on the network.

Answer 42

Pass-the-Ticket (PtT)

Question 43

Combines PtH and PtT by using an NTLM hash to request a Kerberos ticke

Answer 43

Over-Pass-the-Hash

Question 44

Extracts, exports, and injects Kerberos tickets for lateral movement.

Answer 44

Kerberos Ticket Extraction & Manipulation

Question 45

Creates forged Kerberos tickets using a domain’s KRBTGT account hash, granting domain admin access.

Answer 45

Golden Ticket Attack

Question 46

Creates forged service tickets (TGS) for specific services within a domain.

Answer 46

Silver Ticket Attack

Question 47

Airodump-ng is a

Answer 47

wireless packet capture and monitoring tool

Question 48

aireplay-ng does what in the wireless attack?

Answer 48

deauthentication

Question 49

aircrack-ng with a wordlist is used to

Answer 49

crack the password

Question 50

Kismet tool is for

Answer 50

wireless attack

Question 51

Is Kismet open source

Answer 51

Yes

Question 52

What does Kismet do?

Answer 52

Sniffer, wardriver for capturing activity over Wi-Fi or Bluetooth

Question 53

Does Kismet do active or passive scanning?

Answer 53

Passive

Question 54

What do you use to analyse Kismet files

Answer 54

sqllite3

Question 55

Prowler tool is for

Answer 55

Cloud-based attack

Question 56

Prowler is used to assess

Answer 56

the cloud security posture of AWS environments

Question 57

SpiderFoot is an open-source reconnaissance (OSINT) tool used to automate information gathering about a target — such as a

Answer 57

domain, IP address, email, username, subnet, or organization.

Question 58

recon-ng is an open-source, modular

Answer 58

web reconnaissance framework (written in Python)

Question 59

Power Tools is a collection of

Answer 59

Powershell scripts used for tasks like port scans and ping sweeps

Question 60

Powersploit is a

Answer 60

post exploitation framework using script

Question 61

Nishang is a set of offensive security powershell scripts

Answer 61

that can be used by red teams

Question 62

theHarvester is used to gather open source intelligence (OSINT)

Answer 62

on a company or domain

Question 63

Pin cylinder locks are the more common locks. They use a series of pins that

Answer 63

need to be aligned

Question 64

Pin cylinder locks can be picked by the following techniques

Answer 64

single pin picking or raking

Question 65

Disc detainer locks are higher security than

Answer 65

pin cylinder locks

Question 66

Lever locks are more commonly used in

Answer 66

safes and older doors

Question 67

Are wafer locks the simplest to pick

Answer 67

Yes

Question 68

Warded locks are highly vulnerable to

Answer 68

skeleton keys

Question 69

Auto jiggles are designed to bypass

Answer 69

wafer locks

Question 70

Bump keys are modified keys that can open

Answer 70

pin tumbler locks

Question 71

Enumeration activities: To find out the current username use

Answer 71

whoami command or printing out via username% variable with echo

Question 72

Enumeration activities: View user privileges

Answer 72

whoami/priv

Question 73

Enumeration activities: View local users

Answer 73

net user command

Question 74

Nikto is a tool used to scan

Answer 74

web servers for potential security issues

Question 75

Is Nikto good for preliminary assessments

Answer 75

Yes

Question 76

Nitko scans can check for:

Answer 76

vulnerabilities and configuration errors

Question 77

BloodHound collects and visualizes relationships within

Answer 77

Active Directory

Question 78

SDP can be used for

Answer 78

network service discovery

Question 79

Tools to scan certificate transparency logs (CT)

Answer 79

CTFR (command line tool) and crt.sh,

Question 80

Hunter.io specializes in finding and verifying

Answer 80

professional email addresses

Question 81

Is Hunter.io a web based or CLI tool?

Answer 81

Web based

Question 82

CREST (Council of Registered Ethical Security Testers) is an international, not-for-profit organization that represents the cybersecurity industry, particularly focusing on

Answer 82

ethical penetration testing and cybersecurity testing services.

Question 83

Censys.io is like

Answer 83

Shodan

Question 84

Censys.io more advanced than

Answer 84

Shodan