eJPT - eLearnSecurity Junior Penetration Tester Information Gathering and Reconnaissance Questions and Answers

Question 1

A penetration tester is in the initial phase of an assessment and wants to gather information about a target company without directly interacting with its systems. Which of the following approaches is most appropriate?

Accepted Answer

Querying public WHOIS records and analyzing DNS information.

Answer

Querying public WHOIS records and analyzing DNS information are forms of passive reconnaissance. This method relies on publicly available data and does not involve sending packets directly to the target's infrastructure, making it ideal for initial, non-intrusive information gathering. The other options are all forms of active reconnaissance which involve direct interaction.

Question 2

During a web application reconnaissance, a tester discovers a `robots.txt` file. What is the primary purpose of this file from a security perspective?

Accepted Answer

To suggest which directories search engines should not index, potentially revealing sensitive paths.

Answer

The `robots.txt` file is used to instruct search engine crawlers on which pages or directories of a website should not be indexed. For a penetration tester, this can be a valuable source of information, as it often points to directories that the website owner wants to keep private, such as administrative panels or resource folders, which may not be as hardened as public-facing parts of the site.

Question 3

A junior penetration tester is tasked with finding subdomains for a target domain. Which of the following tools is specifically designed for subdomain enumeration using various public sources and brute-force techniques?

Accepted Answer

Sublist3r

Answer

Sublist3r is a Python-based tool specifically created to enumerate subdomains of websites by leveraging OSINT. It aggregates results from various search engines like Google and Bing, as well as services like VirusTotal and Netcraft, and can also perform brute-forcing to find more subdomains. Nmap is for network scanning, Wireshark for packet analysis, and Metasploit is an exploitation framework.

Question 4

Which of the following Nmap commands would be used to perform a fast scan of the 100 most common ports on a target, discover service versions, and run default scripts, while treating the host as online and skipping the host discovery phase?

Accepted Answer

nmap -Pn -F -sV -sC 192.168.1.100

Answer

The command `nmap -Pn -F -sV -sC 192.168.1.100` breaks down as follows: `-Pn` skips host discovery and assumes the host is online. `-F` specifies a fast scan, which covers the 100 most common ports. `-sV` enables service version detection. `-sC` runs the default set of Nmap scripts. This combination precisely meets all the requirements of the scenario.

Question 5

A penetration tester is performing OSINT on a target company and wants to gather employee names, email addresses, and subdomains from public sources like search engines. Which tool is best suited for this task?

Accepted Answer

theHarvester

Answer

theHarvester is an OSINT tool designed to gather emails, names, subdomains, IPs, and URLs from various public sources like search engines (Google, Bing) and PGP key servers. It's a staple in the passive information gathering phase of a penetration test. Gobuster is for directory/subdomain brute-forcing, Nikto is a web scanner, and Hydra is a password cracker.

eJPT - eLearnSecurity Junior Penetration Tester Practice Test

eJPT - eLearnSecurity Junior Penetration Tester Practice Test

eJPT - eLearnSecurity Junior Penetration Tester Information Gathering and Reconnaissance Questions and Answers