Exam PT1-002 topic 1 question 12 discussion

Actual exam question from CompTIA's PT1-002
Question #: 12
Topic #: 1

SIMULATION -
You are a penetration tester running port scans on a server.

INSTRUCTIONS -
Part 1: Given the output, construct the command that was used to generate this output from the available options.
Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


Suggested Answer: See explanation below.
Part 1 - nmap 192.168.2.2 -sV -O
Part 2 - Weak SMB file permissions

Comments

BinarySoldier
Highly Voted 3 years, 8 months ago
For Part 1, the command MUST include the restriction for 100 ports, since we see only four ports in the result, and a comment saying "96 ports closed"...
Part 1 becomes: nmap --top-ports=100 192.168.2.2 -sV -O
For Part 2, going for SMB vulnerabilities would be a better call. Remember the OS results usually returned by Nmap are guesses, and therefore, mentioning Linux could be a false positive. With this, Part 2 remains correct.
upvoted 8 times
Davar39
3 years, 7 months ago
I don't agree with the -sV switch, no application versioning shown. Good catch on the "96 ports closed." I would say nmap 192.168.2.2 -O --top-ports=100 and SMB vulns.
upvoted 4 times
Davar39
3 years, 7 months ago
I stand corrected: based on the following link, a service scan has been performed. The correct answer would be: nmap 192.168.2.2 -O -sV --top-ports=100 and SMB vulns.
https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting-os-and-services-running-on-a-target-host
upvoted 14 times
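Added example, not part of the original thread: the reasoning in the comments above (a "96 closed ports" line plus four listed ports means 100 ports were scanned, a VERSION column means service detection ran, an OS line means OS detection ran) written as a small Python parser. The scan text is a constructed sample, not the exam's output, and `infer_scan_options` and `rebuild_command` are hypothetical names.

```python
import re

# Constructed sample in Nmap's normal output format. The exam's screenshot is
# not on this page, so the latency, version and OS text are placeholders.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.2.2
Host is up (0.00079s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec (constructed version text)
139/tcp open  netbios-ssn  (constructed version text)
389/tcp open  ldap         (constructed version text)
445/tcp open  microsoft-ds (constructed version text)
OS details: (constructed OS guess)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
OS_LINE = re.compile(
    r"^(OS details:|Running:|Aggressive OS guesses:|No exact OS matches)", re.M)


def infer_scan_options(output: str) -> dict:
    """Return the scan options that a block of normal Nmap output is consistent with."""
    listed = PORT_LINE.findall(output)
    hidden = 0
    for line in re.findall(r"^Not shown: (.*)$", output, re.M):
        # Newer Nmap may list several states on one line ("N closed ..., M filtered ...").
        hidden += sum(int(n) for n in re.findall(r"(\d+) (?:closed|filtered|open)", line))
    total = len(listed) + hidden
    return {
        "open_ports": [int(p) for p, _, state, _ in listed if state == "open"],
        "ports_scanned": total,
        # A default scan covers 1000 ports per protocol. Any other total means the
        # port set was restricted: --top-ports=N, a -p list, or -F when N is 100.
        "top_ports": total if total != 1000 else None,
        # The VERSION column is only printed when service detection ran (-sV or -A).
        "service_detection": bool(re.search(r"^PORT\s+STATE\s+SERVICE\s+VERSION", output, re.M)),
        # OS lines are only printed when OS detection ran (-O or -A).
        "os_detection": bool(OS_LINE.search(output)),
    }


def rebuild_command(target: str, opts: dict) -> str:
    """Assemble one command line that would produce output with these features."""
    parts = ["nmap"]
    if opts["top_ports"]:
        parts.append(f"--top-ports={opts['top_ports']}")
    if opts["service_detection"]:
        parts.append("-sV")
    if opts["os_detection"]:
        parts.append("-O")
    return " ".join(parts + [target])
```
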
MeisAdriano
Most Recent 1 year ago
Here is an explanation of each attack vector and how it applies to the provided Nmap scenario:
- Weak SMB File Permissions: This attack exploits weak file permission configurations on an SMB (Server Message Block) share. However, the Nmap output does not show any indication of an open SMB share, so this attack vector may not be applicable.
- FTP Anonymous Login: This attack exploits FTP servers configured to allow anonymous access. The Nmap output does not show any indication of an open FTP server, so this attack vector may not be applicable.
- WebDAV File Upload: This attack exploits vulnerabilities in a WebDAV server to upload malicious files. The Nmap output does not show any indication of an open WebDAV server, so this attack vector may not be applicable.
- Weak Apache Tomcat Credentials: This attack exploits weak credentials on an Apache Tomcat server. The Nmap output does not show any indication of an open Apache Tomcat server, so this attack vector may not be applicable.
upvoted 1 times
MeisAdriano
1 year ago
- Null Session Enumeration: This attack exploits null sessions in Windows to enumerate system information. However, the Nmap output indicates that the operating system is Linux, not Windows, so this attack vector may not be applicable.
- Fragmentation Attack: This attack exploits IP packet fragmentation to evade intrusion detection systems. This attack vector could be applicable, but there are no specific indications in the Nmap output suggesting it would be particularly effective.
- SNMP Enumeration: This attack exploits the SNMP protocol to enumerate system information. The Nmap output does not show any indication of an open SNMP service, so this attack vector may not be applicable.
upvoted 1 times
MeisAdriano
1 year ago
- ARP Spoofing: This attack exploits the ARP protocol to intercept network traffic. This attack vector could be applicable, but there are no specific indications in the Nmap output suggesting it would be particularly effective.
Based on the provided Nmap output, the open services are Kerberos, NetBIOS, LDAP, and Microsoft DS. Therefore, the most likely attack vectors to investigate might involve these technologies, such as Kerberos attacks like Pass the Ticket or Golden Ticket, NetBIOS attacks like NBNS spoofing, or LDAP attacks like directory enumeration.
upvoted 1 times
MeisAdriano
1 year ago
139 and 445 are associated with the SMB (Server Message Block) protocol, used for file and printer sharing in a network. A "null session attack" could be made by creating an SMB session without authentication or with null credentials. Could be the only valid answer.
upvoted 1 times
RightAsTain
2 years, 10 months ago
I ran the command and it worked like this: nmap -O -sV 192.168.2.2 --top-ports=100
SMB and Null Session
upvoted 3 times
MeisAdriano
1 year ago
"Null Session Enumeration" works on Windows, but here the operating system is Linux. So it can't be the right answer :-)
upvoted 1 times
shakevia463
3 years ago
nmap -sV -O --top-ports 100 192.168.2.2
Null Session. Not sure if weak SMB as well.
upvoted 1 times
Bostonrock03
3 years, 1 month ago
Why are some answers placing the -sV & -O tags after the IP address? The exam is drag and drop and requires placing the answers in the correct order? Does the exam want the tags before the IP address or after?
upvoted 2 times
MeisAdriano
1 year ago
In nmap, the order of the parameters is not necessary, except for the parameter -p that is used for --ports; in this situation, if you specify multiple values, the order is sensitive.
upvoted 1 times
am2005
3 years, 4 months ago
nmap -sV -O --top-ports 100 192.168.2.2
Looking at the output you can see ports 139 and 445 are opened. This is wide open for a Null session attack.
upvoted 2 times
DrChats
3 years, 8 months ago
I think part B Null Session
upvoted 1 times