Apparently, the CompTIA SY0-501 Security+ exam is including as many as six or eight answer choices on some multiple-choice questions. Several readers have recently told me they were surprised to see so many questions requiring them to select multiple answers.
Analyzing their feedback and looking at the Security+ objectives, it looks like one more example of CompTIA requiring test takers to apply critical thinking skills when answering the questions. As an example, see if you can answer this practice test question that I recently added to the online Extras test bank for the SY0-501 exam.
Q. You suspect that an attacker is performing a reconnaissance attack against servers in your organization’s DMZ. The attacker is attempting to gather as much information as possible on these servers. You decide to check the logs of these servers to determine if the attacker is attempting a banner grabbing attack. Which of the following commands MOST likely indicate that the attacker is launching a banner grabbing attack? (Select FOUR.)
A. netcat
B. ipconfig
D. ping
E. arp
F. grep
G. tcpdump
H. nmap
I. telnet
Do you know the correct answers? More, do you know why the correct answers are correct, and why the incorrect answers are incorrect? Check out the answer with the full explanation here.
Banner Grabbing & Security+ Multiple Choice Answers
If this was a valid domain name and Telnet was enabled on the server, you would likely see something like this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 72.52.230.233 Port 80</address>
</body></html>
Check out the Banner Grabbing post for more details on what this response tells you.
You can also check out a Banner Grabbing Exercise here.
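To make concrete what that response tells a defender, here is an added example (not code from the original post) that parses the Apache error page shown above and lists every piece of software and version it discloses; the page body is embedded as the sample input and the `parse_banner` function and its field names are my own.

```python
import re

# Sample input: the Apache 501 response reproduced from the post above, with the
# <address> element joined onto one line. Nothing else here comes from the post.
SAMPLE_BANNER = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 72.52.230.233 Port 80</address>
</body></html>
"""

def parse_banner(body: str) -> dict:
    """Pull the disclosed facts out of an Apache error page: status, versions, OS, host, port."""
    info = {"status": None, "server_line": None, "components": {},
            "os": None, "host": None, "port": None}
    m = re.search(r"<title>\s*(\d{3})\s", body)
    if m:
        info["status"] = int(m.group(1))
    m = re.search(r"<address>(.*?)</address>", body, re.S)
    if not m:
        return info  # no signature line: the server is not advertising versions
    address = " ".join(m.group(1).split())
    info["server_line"] = address
    # Everything before "Server at" is the software signature; the rest is host and port.
    signature, _, location = address.partition(" Server at ")
    for name, version in re.findall(r"([A-Za-z_]+)/([\w.\-]+)", signature):
        info["components"][name] = version  # e.g. "OpenSSL" -> "1.0.0-fips"
    os_match = re.search(r"\(([^)]*)\)", signature)
    if os_match:
        info["os"] = os_match.group(1)
    loc = re.match(r"(\S+)\s+Port\s+(\d+)", location)
    if loc:
        info["host"], info["port"] = loc.group(1), int(loc.group(2))
    return info

if __name__ == "__main__":
    for key, value in parse_banner(SAMPLE_BANNER).items():
        print(f"{key}: {value}")
```

Six components with exact versions plus the OS family come out of a single unauthenticated request; on Apache, `ServerTokens Prod` and `ServerSignature Off` reduce this to the bare product name and drop the address line.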
Security+ Objectives and Multiple Choice Answers
Take a look at the SY0-501 objectives. They are in the introduction of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide, and you can also download them from the CompTIA site.
Objective 2.2 “Given a scenario, use appropriate software tools to assess the security posture of an organization” includes a section titled “Command line tools.” It then lists the following tools.
- ping
- netstat
- tracert
- nslookup/dig
- arp
- ipconfig/ip/ifconfig
- tcpdump
- nmap
- netcat
Which of these tools can be used for banner grabbing?
Netcat, Nmap, and Ping
Netcat and nmap are two obvious tools. Chapter 8 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide mentions netcat specifically in the Banner Grabbing section. Additionally, one of the free online labs for Chapter 8 of the Study Guide shows the steps you’d use with both netcat and nmap.
Ping isn’t such an obvious answer. However, if you do the banner grabbing lab, you’ll see that netcat doesn’t resolve the hostname, but instead needs an IP address.
Which of the answers can resolve the hostname to an IP address? Ping.
While ping is typically used to test connectivity with a remote system, it can also resolve hostnames to IP addresses. Chapter 1 of the study guide includes a section titled “Using Ping to Check Name Resolution” and shows you how.
The last part of the banner grabbing lab shows you how to use nmap for banner grabbing.
Incorrect Answers
So at this point, you know that telnet, netcat, nmap, and ping can be used in a successful banner grabbing attack.
Telnet is often disabled on Internet facing systems, so it may not be available as a choice.
What about the other answers? If you understand their usage (and what banner grabbing is), you’ll know that they cannot be used for banner grabbing.
The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for the local system.
The arp command is used to resolve the IP address of a computer to its media access control (MAC) address, also known as its physical address.
The grep command (short for global regular expression in print) is used to search plain text files for words or phrases. While grep isn’t in the objectives, it is used so often in Linux, it’s a good distractor.
The tcpdump command is a command-line packet analyzer (sometimes called a protocol analyzer). It can capture live traffic, but not traffic that occurred in the past.
Answer to Security+ Multiple Answer Question
Q. You suspect that an attacker is performing a reconnaissance attack against servers in your organization’s DMZ. The attacker is attempting to gather as much information as possible on these servers. You decide to check the logs of these servers to determine if the attacker is attempting a banner grabbing attack. Which of the following commands MOST likely indicate that the attacker is launching a banner grabbing attack? (Select FOUR.)
A. netcat
B. ipconfig
D. ping
E. arp
F. grep
G. tcpdump
H. nmap
I. telnet
Some tools used for banner grabbing are ping, netcat, nmap, and telnet.
The ping command resolves the hostname to an IP address. If you already know the IP address, you wouldn’t need to use the ping command.
Netcat (often abbreviated as nc), nmap, and telnet can use the IP address to grab a banner from a system.
Due to its vulnerabilities, telnet is often disabled on servers so it may not work.
The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for the local system.
The arp command is used to resolve the IP address of a computer to its media access control (MAC) address, also known as its physical address.
The grep command (short for global regular expression in print) is used to search plain text files for words or phrases.
The tcpdump command is a command-line packet analyzer (sometimes called a protocol analyzer). It can capture live traffic, but not traffic that occurred in the past.
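The question has you check the servers’ logs for signs of banner grabbing. As an added example (not from the original post), this script scans Apache combined-format access log lines for the traces a netcat or telnet probe leaves, such as the bare `GET /index.html` request that produced the 501 page shown earlier. The log lines are constructed, and the indicator rules are my own heuristics rather than any published signature.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the original post).
# 203.0.113.7 plays the reconnaissance host from the question; 198.51.100.20 is a browser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html" 501 - "-" "-"
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "HEAD / HTTP/1.0" 200 - "-" "-"
203.0.113.7 - - [10/Oct/2019:13:55:41 +0000] "get / HTTP/1.0" 501 - "-" "-"
198.51.100.20 - - [10/Oct/2019:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2019:13:56:03 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def indicators(entry: dict) -> list:
    """Heuristic signs of a hand-typed or tool-driven probe (assumptions, not a standard)."""
    reasons = []
    parts = entry["request"].split()
    # A bare "GET /index.html" typed into netcat or telnet carries no HTTP version,
    # which is exactly the request that produced the 501 page earlier in this post.
    if len(parts) < 3 or not parts[-1].upper().startswith("HTTP/"):
        reasons.append("request line without HTTP version")
    if parts and parts[0] not in KNOWN_METHODS:
        reasons.append("unrecognised or lowercase method")
    if entry["status"] in ("400", "501"):
        reasons.append("server rejected request (status %s)" % entry["status"])
    if entry["agent"] in ("", "-"):
        reasons.append("no User-Agent header")
    return reasons

def suspicious_sources(log_text: str, min_hits: int = 2) -> dict:
    """Group indicator hits per client IP and return the sources at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        entry = m.groupdict()
        hits[entry["ip"]].extend(indicators(entry))
    return {ip: reasons for ip, reasons in hits.items() if len(reasons) >= min_hits}

if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Because tcpdump only sees live traffic, a log review like this is what actually answers the question’s “attempted in the past” scenario; tune the threshold to your own baseline of malformed requests.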
Two other tools that can perform banner grabbing are Zenmap and ZMap. Zenmap is the Windows-based version of nmap. ZMap is a completely different scanning tool.
Chapter 1 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide covers various commands. Chapter 8 covers banner grabbing. The “Banner Grabbing with NetCat and Nmap” lab shows the steps to grab a banner from a remote system.
Objective 2.2: “Given a scenario, use appropriate software tools to assess the security posture of an organization.”