eJPT - eLearnSecurity Junior Penetration Tester Host and Network Auditing Questions and Answers

Question 1

After gaining initial access to a Windows host, a penetration tester wants to audit the system for missing security patches that could be leveraged for privilege escalation. Which of the following native Windows commands is most suitable for quickly listing the installed hotfixes?

Accepted Answer

wmic qfe list

Answer

The `wmic qfe list` command is the most direct and suitable method for this task. It uses the Windows Management Instrumentation Command-line (WMIC) to query the Quick Fix Engineering (QFE) database, providing a clear list of all installed patches and hotfixes. `systeminfo` provides general system information but the patch data is less structured. `netstat` lists network connections, and `tasklist` shows running processes.

Question 2

During a network audit, a junior penetration tester captures network traffic using Wireshark. They apply the display filter `http.request.method == "POST"`. What is the primary purpose of using this specific filter?

Accepted Answer

To identify potential login attempts or data submissions over HTTP.

Answer

The `http.request.method == "POST"` filter in Wireshark specifically isolates HTTP requests that use the POST method. This method is commonly used to send data from a client to a server, such as submitting login credentials, filling out forms, or uploading files. Analyzing this traffic is crucial for finding sensitive information being transmitted in cleartext.

Question 3

A penetration tester is auditing a Linux server and wants to review which commands a specific user, 'jdoe', has executed. Assuming the user's command history is being saved, which file should the tester examine?

Accepted Answer

~jdoe/.bash_history

Answer

The `.bash_history` file, located in a user's home directory (represented by `~`), stores a log of the commands entered into the Bash shell. By examining `~jdoe/.bash_history`, a tester can see the command history for the user 'jdoe'. `/etc/passwd` contains user account information, `/var/log/auth.log` tracks authentication events, and `/root/.profile` is a configuration file for the root user's shell.

Question 4

While auditing a network, you identify a device responding on UDP port 161. You suspect it might be running the Simple Network Management Protocol (SNMP) with a default community string. Which of the following actions would be the most effective next step to confirm this and enumerate information?

Accepted Answer

Use a tool like `snmp-check` or `onesixtyone` with a list of common community strings.

Answer

Tools like `snmp-check` and `onesixtyone` are specifically designed to query SNMP services. They can be used with a wordlist of common community strings (like 'public' and 'private') to test for access and, if successful, automatically dump a large amount of system and network information. This is far more effective than just confirming the port is open.

Question 5

A penetration tester is performing an internal network audit and needs to check for null sessions on a Windows host at 192.168.1.50. A null session vulnerability could allow an unauthenticated user to enumerate information. Which of the following commands would be used to attempt to establish a null session?

Accepted Answer

rpcclient -U "" -N 192.168.1.50

Answer

The `rpcclient` tool is designed to execute client-side MS-RPC functions. The command `rpcclient -U "" -N 192.168.1.50` attempts to connect to the target's RPC service using an anonymous username (`-U ""`) and no password (`-N`), which is the definition of a null session. `smbclient` is for SMB shares, `net view` lists shares but doesn't explicitly test the null session in this manner, and the Nmap command specified is for UDP scanning.

eJPT - eLearnSecurity Junior Penetration Tester Practice Test

eJPT - eLearnSecurity Junior Penetration Tester Practice Test

eJPT - eLearnSecurity Junior Penetration Tester Host and Network Auditing Questions and Answers