CompTIA PenTest+ Practice Questions: Information Gathering and Vulnerability Identification Domain

Correct Answer: C

Explanation: Network traffic analysis is non-intrusive as it involves monitoring and analyzing traffic without affecting the network. Credentialed scanning (A) is intrusive, social engineering (B) targets human factors, and a Denial of Service attack (D) is disruptive.

Correct Answer: C

Explanation: A DNS zone transfer can potentially reveal detailed information about a company's internal network structure, such as internal hostnames and IP addresses, if misconfigured. Phishing emails (A) and social media profiling (B) are more human-centric and do not directly reveal network structure. ARP scanning (D) requires internal network access and is not applicable for external information gathering.

Correct Answer: B

Explanation: TheHarvester (B) is a tool used in information gathering to collect email addresses, subdomains, and other related information from public sources. It is not used to scan for open ports (A), exploit web application vulnerabilities (C), or perform denial of service attacks (D).

Correct Answer: C

Explanation: Shodan is a search engine for Internet-connected devices and is used for passive reconnaissance because it allows you to gather information about devices and services exposed to the internet without actively probing the target network. Wireshark (A) is used for network traffic analysis, Nmap (B) is an active scanning tool, and Metasploit (D) is used for exploiting vulnerabilities.

Correct Answer: B

Explanation: Banner grabbing is used to identify services and versions running on open ports by capturing the initial communication banner from a service. This information can help in identifying potential vulnerabilities associated with those services. It does not intercept or modify network packets (A), encrypt communication (C), or perform denial-of-service attacks (D).

Correct Answer: B

Explanation: A DNS zone transfer is used to gather detailed information about a domain, including subdomains and hostnames. Capturing network traffic (A) is related to packet analysis, not DNS. Identifying open ports (C) is done through port scanning, and exploiting web applications (D) involves identifying and using vulnerabilities in web apps.

Correct Answer: B

Explanation: CVE identifiers provide a standardized reference for known vulnerabilities, allowing for consistent and reliable communication about vulnerabilities across various tools and platforms. They do not provide exploit code (A), encrypt data (C), or identify physical server locations (D).

Correct Answer: B

Explanation: OSINT is used to gather publicly available information about a target, which can be valuable in understanding the target's environment. It is not used to execute denial-of-service attacks (A), perform vulnerability scanning (C), or encrypt communications (D).

Correct Answer: A

Explanation: Performing a geolocation lookup (A) is the correct method for identifying the physical location of a server based on its IP address. Port scanning (B) identifies open ports, vulnerability scanners (C) identify security weaknesses, and SQL injection attacks (D) are used to exploit database vulnerabilities, none of which provide geolocation information.

Correct Answer: A

Explanation: Running a vulnerability scan on the FTP service (A) is the most appropriate next step to identify known vulnerabilities associated with the FTP service. Brute forcing (B) is an aggressive technique that should be used cautiously. Capturing network traffic (C) could be useful but doesn’t directly identify vulnerabilities. Checking for anonymous login (D) is a good step but should be part of a broader vulnerability assessment.