Comprehensive Questions / Practical Based: 040020305 - Penetration Testing (2014)
Compiled by Ms. Puja Kadam

1. Demonstrate the installation of BackTrack using the Live DVD. Also list all the steps.
2. Demonstrate the installation of BackTrack on your machine by installing it to the hard disk. List all the steps.
3. Install BackTrack using the portable (USB) method. Also list the steps carried out during the process.
4. According to you, which security testing methodology among OSSTMM and ISSAF is better? Give your views, supporting your justification.
5. Among OWASP and WASC-TC, which has more benefits and features? How can you differentiate between the two?
6. What are your views on cost analysis and resource allocation in the context of preparing the test plan for target scoping? Is it necessary? Justify your answer with one example.
7. Run dnswalk, dnsenum, dnsmap and dnsrecon on your machine and differentiate each of them, giving two points for each.
8. Run any ten tools that are used to get network routing information. Also write the basic purpose of each.

Unit-1: Beginning with BackTrack

Short Answer Questions:
1. In which type of BackTrack 4.0 installation is installing to the machine not necessary?
2. Is information gathering a basic tool of penetration testing? Why?
3. How does a network mapping tool analyse the type of operating system on the target machine?
4. Which tool is used for auditing web applications?
5. Can we use privilege escalation without exploiting vulnerabilities?
6. Give two uses of Voice over IP (VoIP) tools.
7. What do digital forensics tools do?
8. State any two purposes of using an MD5 value.
9. Give one difference between black-box testing and white-box testing in the context of their perimeter defences.
10. Who is referred to as a black-hat?
11. Which tool is used for auditing wireless networks and Bluetooth?
12. Give two differences between vulnerability assessment and penetration testing in the context of the intrusive manner of testing security issues.
13. List four security testing methodologies.
14. Write any two key groups of the Open Source Security Testing Methodology Manual (OSSTMM).
15. Write two standard security test types of OSSTMM.
16. Which OSSTMM test type follows the rules of penetration testing?
17. What is RAV? Is it necessary for cost analysis?
18. List any two application security risks.
19. How does vulnerability assessment help in the exploitation of weaknesses in the target environment?
20. List three different views that help developers and security auditors to understand the vision of web application security threats presented in WASC-TC.

Long Answer Questions:
1. Describe the BackTrack 4.0 penetration testing process in detail.
2. Penetration testing is an expensive service when compared to vulnerability assessment. Justify the statement.
3. Analyze the impact of not using UNetbootin to download the image directly when creating the portable BackTrack.
4. Explain the "Live DVD" method of using BackTrack.
5. Compare and contrast the use of a VMware image and an ISO image to install BackTrack in a virtual machine.
6. Differentiate the installation of portable BackTrack and VirtualBox, giving six points.
7. Discuss the process of VMware image installation in detail.
8. Conclude the importance of measuring risks during penetration testing.
9. Consider a company XYZ which needs to test its network infrastructure. Which testing methodology should that company follow? Explain that testing method in detail.
10. Write a detailed note on the Open Source Security Testing Methodology Manual.
11. How does the Information Systems Security Assessment Framework (ISSAF) method work?
12. Write the working of the Open Web Application Security Project (OWASP) Top Ten.
13. What points should be considered for the Web Application Security Consortium Threat Classification?
14. Identify the impact of weak encryption algorithms and invalid security certificates as covered in the OWASP Top Ten.
15. Write a detailed note on the BackTrack testing methodology.
16. Validate the significance of understanding the scope of the target environment in the context of the BackTrack testing process.
17. Explain the rules of ethics with examples. Give appropriate justification for the same.

Fill in the blanks with the appropriate answer:
1. ______ is a Live DVD Linux distribution developed specifically for penetration testing.
2. ______ contains tools that can be used to check the live hosts, fingerprint the operating system and the applications used by the target.
3. Bluetooth and ______ are used to audit wireless networks.
4. ______ can be used to exploit the vulnerabilities found in the target machine.
5. ______ is used for auditing web applications.
6. The ______ tool can be used to do digital forensics such as acquiring a hard disk image, carving files, and analysing a hard disk image.
7. Before installing BackTrack on a real machine, you must make sure that the ______ does not contain any useful data.
8. The BackTrack 4.0 machine is using ______ as the network connection.
9. ______ is sometimes abbreviated as PenTest.
10. The ______ approach is known as external testing.
11. In the ______ approach the auditor should be aware of all the internal and underlying technologies used by the target environment.
12. The combination of ______ and penetration testing provides a powerful insight into internal and external security viewpoints.
13. ______ is a process for assessing the internal and external security controls by identifying the threats that pose serious exposure to the organization's assets.
14. The ______ testing does not require any prior knowledge about the target system under the OSSTMM methodology.
15. ______ audit is an example of double grey box testing.
16. Red-teaming is an example of ______ testing.
17. ______ defines the set of steps necessary to follow during the test engagement.
18. Test plan concerns the amount of ______ required to assess the security of a target system.
19. Scope definition should clearly define all the ______ entities and the limits imposed on them during the security assessment.
20. Test results and ______ must be presented in a clear and consistent order.

State whether the statements given below are True or False:
1. BackTrack cannot be used directly from the DVD without installing.
2. Network mapping contains tools that can be used to check the live hosts.
3. Digital forensics can be used to debug a program or disassemble an executable file.
4. BackTrack can be installed to the hard disk.
5. The BackTrack 5.0 virtual machine is using NAT as the network connection.
6. The combination of White-Box testing and Black-Box testing is known as Grey-Box testing.
7. The technical perspective of OSSTMM is comprised of only scope, index and vector.
8. In reversal testing, the auditor holds minimum knowledge to assess the target system.
9. Crystal box is an example of Tandem testing.
10. BackTrack cannot be considered a versatile operating system.
11. Enumerating the target deals with identifying the target's network status, operating system and its relative network architecture.
12. The test plan should clearly define all the contractual entities and the limits.
13. The test process defines the set of steps necessary to follow during the test engagement.
14. The target exploitation process coordinates three core areas which involve pre-exploitation, exploitation and post-exploitation.

Unit-2: Target Scoping and Information Gathering

Short Answer Questions:
1. What is the advantage of target scoping?
2. Catalogue three phases of target scoping.
3. How do you gather the client's requirements, and what is the advantage of doing so?
4. What do you mean by a deliverables assessment form? Give an example.
5. List any two steps involved in preparing the test plan.
6. How is test process validation performed?
7. What does a penetration testing contract contain?
8. How does resource allocation work in the context of test plan preparation?
9. What is cost analysis?
10. Give the task performed by DNS information gathering tools.
11. What is an NDA in the context of test plan preparation?
12. State four rules of engagement.
13. Write two technology limitations in the context of profiling test boundaries.
14. How are public resources useful in information gathering?
15. What is passive information gathering?
16. Write the task performed by the Metagoofil tool.

Long Answer Questions:
1. Describe the phase of penetration testing in which the scope is identified.
2. Estimate the relationship between the customer requirements form and the deliverables assessment form.
3. Discuss the basic steps for client requirement gathering with the help of the customer requirements form.
4. To what extent is test plan preparation significant? Justify your answer.
5. Give the significance of the questions in the test plan checklist.
6. Explain profiling test boundaries.
7. Compare and contrast dnsmap and dnswalk for collecting DNS information.
8. Explain public resources for information gathering.
9. Discuss any three tools for passive information gathering.
10. Identify the role performed by Dradis, acting as a central repository for information, to keep track of what is done and what still needs to be done.
11. Describe six tools for DNS information gathering.
12. Elucidate route information tools in detail.
13. Explain the utilization of search engines for requirement gathering.
14. Write a short note on all-in-one intelligence gathering.
15. Analyze the impact of the auditor's limited knowledge on pentesting.
16. Explain the working of any five trace tools.
17. Validate the significance of the term cost analysis in the context of preparing the test plan.
18. What are goorecon and theHarvester? Explain their usage.
19. To what extent do project management tools help in project management and scheduling? Justify your answer.
20. Reconstruct the steps, in sequential order, for defining the business objectives before performing penetration testing.
21. What are Maltego and Dradis? Explain the task performed by each of them.
22. Create a scenario where dmitry can be considered an all-in-one information gathering tool.

Fill in the blanks with the appropriate answer:
1. ______ is defined as an empirical process for gathering target assessment requirements and characterizing each of its parameters to generate a test plan.
2. Gathering ______ requirements deals with accumulating information about the target environment through verbal or written communication.
3. ______ boundaries determine the limitations associated with the penetration testing assignment.
4. Defining ______ objectives is a process of aligning the business view with the technical objectives of the penetration testing program.
5. Project management and ______ directs every other step of the penetration testing process with a proper timeline for test execution.
6. A ______ can be any subject who is legally and commercially bound to the target organization.
7. It is the duty of ______ to verify the identity of the contracting party before taking any further steps.
8. Managing the project requires a thorough understanding of all the individual parts of the ______ scope process.
9. The ______ is defined as a piece of work undertaken by the penetration tester.
10. ______ is a tool that utilizes the Google search engine to get metadata from documents available in the target domain.
11. The dnswalk tool can be used to find out information about the complete list of ______.
12. A ______ is a mechanism used to replicate a DNS database from a master DNS server to another DNS server.
13. The ______ tool can be used to brute force subdomains of a target domain.
14. ______ is a tool that can be used to passively trace the network route between the penetration tester and the target device.
15. The ______ is an all-in-one information gathering tool.
16. The itrace tool has traceroute functionality, but uses an ______ echo request.
17. The ______ tool is similar to itrace, but instead of using ICMP ECHO it uses TCP SYN packets.
18. The ______ tool is an e-mail account, username, and hostname/subdomain gathering tool.
19. Maltego is an open source intelligence and ______ application.
20. ______ is a web application that acts as a central repository for information to keep track of what has been done and what still needs to be done.

State whether the statements given below are True or False:
1. Target discovery is a process for gathering target assessment requirements and characterizing each of its parameters to generate a test report.
2. Project management and scheduling directs each and every step of the testing process with a proper timeline for test execution.
3. Gathering requirements from clients depends on different sets of variables.
4. A client can be any subject who is legally and commercially bound to the target organization.
5. The number of servers, workstations and network devices is required to be considered while filling in the customer requirements form.
6. Only employees and shareholders are responsible for delivering assessment forms.
7. Resource allocation is an important key variable for preparing the test plan.
8. The cost of penetration testing depends only on the technology used.
9. An NDA needs to be signed before starting the test process.
10. The resource can be a person involved in the security assessment or an ordinary source.
11. Information gathering is the first phase in the penetration testing process.
12. Metagoofil supports documents such as spreadsheets (xls, ods).
13. Gathering extra names and subdomains utilizing the Google search engine can be done using the dnsenum tool.
14. The dnsmap tool uses an approach similar to that of dnswalk and dnsenum.
15. In dnsmap-bulk, the domains text file should contain each domain in a separate file.
16. 0trace is a shell script that is able to obtain the route information of a network device protected by a stateful inspection firewall.
17. Host information can be gathered from Netcraft.com using the dmitry tool.
18. The itrace will receive a SYN/ACK packet if the port is open.
19. Maltego is a non open source intelligence and forensic application.
20. In Maltego, the personal group contains only OPEN-AP, Unknown-AP, WPA-AP and WPA2-AP.

Unit-3: Target Discovery and Enumerating

Short Answer Questions:
1. What is the purpose of the target discovery process?
2. In BackTrack OS, where can we find the target discovery tools?
3. Which tools are included in the "identifying the target machine" process?
4. What is ping? How does it work?
5. Give one difference between arping and arping2.
6. What is the difference between hping3 and hping2?
7. Write the task performed by onesixtyone.
8. Is OS fingerprinting an important part of target discovery?
9. How does the xprobe2 tool work?
10. List two port states that are recognized by Nmap.
11. Write an Nmap command that uses IPv4 address specification together with TCP scan options and UDP scan options.
12. List two Nmap output options.
13. What is the purpose of Unicornscan?
14. What is service enumeration? Why is it necessary for vulnerability assessment?

Long Answer Questions:
1. Describe VPN enumeration in detail.
2. Choose the tools that help to find out the target machine's operating system. How can these tools be useful for target discovery?
3. Explain the genlist and fping tools.
4. Discuss the Netifera tool in detail, giving an appropriate example.
5. Give the significance of the TCP header and the UDP header. Also state the basic differences, giving four points.
6. Compare and contrast nbtscan and nping with the help of commands.
7. How is service enumeration critically important for vulnerability management?
8. Estimate the relationship of target discovery with enumerating the target.
9. Give a diagrammatic representation of the TCP and UDP headers.
10. Conclude the importance of OS fingerprinting. How can it be resolved if any issues occur?

Fill in the blanks with the appropriate answer:
1. Stealth techniques can also be applied for testing ______ functionality.
2. The ______ tool is the most famous tool to check whether a particular host is available.
3. The ping tool works by sending an ______ packet to the target host.
4. The ______ tool is used to ping a destination host in the LAN using an ARP request.
5. The ______ tool can be used to send an ARP and/or ICMP request to the target host.
6. The fping tool is used to send a ping request to several ______ at once.
7. The ______ tool can be used to get a list of hosts that respond to ping probes.
8. hping2 can be used to send ______ packets and display replies from the target.
9. The ______ tool works passively, listening for any activities on the network.
10. The ______ tool can be used to scan IP addresses for NetBIOS name information.
11. onesixtyone can be used as a scanner to find out if the SNMP ______ string exists on a device.
12. ______ and ______ are the two methods for doing OS fingerprinting.
13. The active method of OS fingerprinting was pioneered by ______.
14. The ______ tool is used to fingerprint an operating system passively.
15. ______ is a process used to find and collect information on the ports and services available in the target environment.
16. ______ can be defined as a method to determine the TCP and UDP ports that are open on the target machines.
17. ______ is a graphical network scanning tool that can be used to find live hosts on a network.
18. ______ is a popular VPN solution for connecting a branch office to the head office's LAN.
19. ______ is a security tool that can be used to discover, fingerprint, and test IPsec VPN systems.
20. ______ is a network security tool and also a modular platform for developing network security tools.
State whether the statements given below are True or False:
1. The only purpose of target discovery is to find out the underlying operating system used by the target machine.
2. OS fingerprinting is one of the sub-menus of Network Mapping.
3. Stealth techniques cannot be applied for IDS or IPS functionality.
4. The ping tool is used to ping a destination host in the LAN using ARP.
5. #arping will display all the arping options with their descriptions.
6. arping2 is used to send a ping request to several hosts at one go.
7. #genlist is used to get a list of hosts that respond to ping probes.
8. The hping2 tool supports the TCP, UDP, ICMP and RAW-IP protocols.
9. The lanmap tool works by actively listening for any activities on the network.
10. nbtscan will produce a report which contains the IP address, NetBIOS computer name and services available.
11. p0f can identify the operating system on a machine you connect to (SYN+ACK mode).
12. Port scanning is a method used to find and collect information on the ports and services available in the target environment.
13. Network services usually use TCP or UDP for exchanging data, in the context of port scanning.
14. The source port and destination port each have a length of 16 bits.
15. Rsvd is reserved for future use; it is a 4-bit field and must be zero.
16. AutoScan is a non-graphical network scanning tool that can be used to find live hosts on a network.
17. Filtered means that Nmap can't determine whether the port is open because there is a packet filtering device blocking the probe from reaching the target.
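Worked example for the Unit-2 DNS information questions (the dnsmap/dnsenum blanks on brute-forcing subdomains, and the dnsmap-bulk statements). This is added code, not part of the question bank and not the source of dnsmap, dnsenum or dnsrecon; it shows the guessing loop those tools run and the wildcard check that has to precede it, because a zone with a `*` record turns every wordlist entry into a false hit. The zone, the wordlist and the documentation-range addresses are constructed so the script runs offline; the resolver is injectable, and passing `socket.gethostbyname` runs the same loop against real DNS.

```python
"""Subdomain brute forcing with wildcard detection (dnsmap/dnsenum style).

Added worked example; not code from the question bank or from any of the
tools it names. The resolver is injectable so the demo runs against a
constructed in-memory zone; pass socket.gethostbyname to use real DNS.
"""
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional, Set

# Resolver contract: hostname -> IPv4 address string, socket.gaierror on NXDOMAIN.
Resolver = Callable[[str], str]


def resolve_or_none(resolver: Resolver, name: str) -> Optional[str]:
    """Resolve one name; treat any lookup failure as 'does not exist'."""
    try:
        return resolver(name)
    except (socket.gaierror, socket.herror, OSError):
        return None


def detect_wildcard(domain: str, resolver: Resolver, attempts: int = 3) -> Set[str]:
    """Return the addresses handed back for random, non-existent labels.

    A zone with a '*' record answers every guess, so every wordlist entry
    would look like a hit. The returned set is empty when there is no wildcard.
    """
    addrs: Set[str] = set()
    for _ in range(attempts):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        addr = resolve_or_none(resolver, f"{label}.{domain}")
        if addr is None:
            return set()  # one random label failing to resolve rules out a wildcard
        addrs.add(addr)
    return addrs


def brute_force_subdomains(domain: str, words: Iterable[str], resolver: Resolver,
                           wildcard_addrs: Optional[Set[str]] = None) -> Dict[str, str]:
    """Try every wordlist entry as a label under domain, skipping wildcard answers."""
    if wildcard_addrs is None:
        wildcard_addrs = detect_wildcard(domain, resolver)
    found: Dict[str, str] = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue  # blank lines and comments in the wordlist
        name = f"{word}.{domain}"
        addr = resolve_or_none(resolver, name)
        if addr is None or addr in wildcard_addrs:
            continue
        found[name] = addr
    return found


# Constructed zone for the offline demo (documentation-range addresses, not real hosts).
CONSTRUCTED_ZONE: Dict[str, str] = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.25",
    "vpn.example.test": "198.51.100.30",
}
DEMO_WORDLIST = ["www", "mail", "ftp", "vpn", "# comment line", "", "dev"]


def make_fake_resolver(zone: Dict[str, str], domain: str = "example.test",
                       wildcard: Optional[str] = None) -> Resolver:
    """Build a resolver over an in-memory zone; wildcard is the address of a '*' record."""
    def resolve(name: str) -> str:
        if name in zone:
            return zone[name]
        if wildcard is not None and name.endswith("." + domain):
            return wildcard
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    plain = make_fake_resolver(CONSTRUCTED_ZONE)
    print("no wildcard :", brute_force_subdomains("example.test", DEMO_WORDLIST, plain))
    wild = make_fake_resolver(CONSTRUCTED_ZONE, wildcard="203.0.113.1")
    print("wildcard set:", detect_wildcard("example.test", wild))
    print("with wildcard:", brute_force_subdomains("example.test", DEMO_WORDLIST, wild))
```

With the wildcard resolver, `ftp` and `dev` resolve to 203.0.113.1 and are dropped; pass `wildcard_addrs=set()` to see them reported as false positives, which is what a tool without the check would print.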
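Worked example for the Unit-3 questions on the TCP and UDP headers (16-bit ports, the 4-bit data offset and reserved field, the flag bits) and on the port states Nmap assigns from a probe's reply. This is added code, not part of the question bank and not code from Nmap or hping; the segments are constructed byte strings rather than captured traffic, and their checksums are left at zero because a real TCP or UDP checksum also covers the IP pseudo-header. The classification rules follow Nmap's documented SYN-scan and UDP-scan behaviour, including the `open|filtered` state that a UDP scan reports when silence is ambiguous.

```python
"""TCP/UDP header decoding and Nmap-style port-state classification.

Added worked example; not code from the question bank, Nmap or hping.
Packets are constructed byte strings with zero checksums.
"""
import struct
from typing import Dict, FrozenSet, Iterable, NamedTuple, Optional

# Flag bits in the byte that follows the data-offset/reserved byte (RFC 9293 layout).
TCP_FLAG_BITS: Dict[str, int] = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
# ICMP type 3 (destination unreachable) codes that Nmap acts on during a scan.
ICMP_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


class TCPHeader(NamedTuple):
    src_port: int          # 16 bits
    dst_port: int          # 16 bits
    seq: int               # 32 bits
    ack: int               # 32 bits
    data_offset: int       # 4 bits: header length in 32-bit words, minimum 5
    reserved: int          # 4 bits: must be zero
    flags: FrozenSet[str]  # 8 one-bit control flags
    window: int            # 16 bits
    checksum: int          # 16 bits
    urgent_ptr: int        # 16 bits
    options: bytes         # bytes 20 .. data_offset*4


class UDPHeader(NamedTuple):
    src_port: int  # 16 bits
    dst_port: int  # 16 bits
    length: int    # 16 bits: header plus payload
    checksum: int  # 16 bits


def parse_tcp_header(segment: bytes) -> TCPHeader:
    """Decode the fixed 20-byte TCP header and slice off any options."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_rsvd, flag_byte, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset, reserved = off_rsvd >> 4, off_rsvd & 0x0F
    hlen = data_offset * 4
    if data_offset < 5 or len(segment) < hlen:
        raise ValueError(f"bad data offset {data_offset}")
    flags = frozenset(name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit)
    return TCPHeader(src, dst, seq, ack, data_offset, reserved, flags,
                     window, csum, urg, segment[20:hlen])


def parse_udp_header(datagram: bytes) -> UDPHeader:
    """Decode the 8-byte UDP header; the length field must at least cover the header."""
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length {length}")
    return UDPHeader(src, dst, length, csum)


def build_tcp_header(src_port: int, dst_port: int, flags: Iterable[str],
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Pack a 20-byte TCP header with no options; checksum left zero (constructed probe)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flag_byte, window, 0, 0)


def build_udp_header(src_port: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Pack an 8-byte UDP header plus payload; checksum left zero (constructed probe)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def classify_syn_scan_reply(tcp_reply: Optional[bytes],
                            icmp_unreach_code: Optional[int] = None) -> str:
    """Nmap -sS rules: SYN/ACK -> open, RST -> closed, ICMP unreachable or silence -> filtered."""
    if tcp_reply is not None:
        flags = parse_tcp_header(tcp_reply).flags
        if {"SYN", "ACK"} <= flags:
            return "open"
        if "RST" in flags:
            return "closed"
    return "filtered"  # no usable reply, or an ICMP unreachable (any code in ICMP_UNREACH_CODES)


def classify_udp_scan_reply(udp_reply: Optional[bytes],
                            icmp_unreach_code: Optional[int] = None) -> str:
    """Nmap -sU rules: UDP answer -> open, ICMP port unreachable (3/3) -> closed,
    other ICMP unreachable -> filtered, silence -> open|filtered."""
    if udp_reply is not None:
        parse_udp_header(udp_reply)
        return "open"
    if icmp_unreach_code == 3:
        return "closed"
    if icmp_unreach_code in ICMP_UNREACH_CODES:
        return "filtered"
    return "open|filtered"


if __name__ == "__main__":
    synack = build_tcp_header(80, 40000, {"SYN", "ACK"}, seq=1000, ack=1)
    rst = build_tcp_header(81, 40000, {"RST", "ACK"}, ack=1)
    print(parse_tcp_header(synack))
    for label, pkt in (("SYN/ACK", synack), ("RST", rst), ("silence", None)):
        print(f"{label:8} -> {classify_syn_scan_reply(pkt)}")
    print("UDP 3/3 ->", classify_udp_scan_reply(None, 3), "| UDP silence ->", classify_udp_scan_reply(None))
```

The filtered state is the one the T/F list describes: the scanner never sees the target's own answer, so it cannot separate a dropped probe from a dropped reply, which is why a UDP scan has to hedge with `open|filtered` while a SYN scan can still say `filtered`.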