
The SecOps Group CNPen - Certified Network Pentester (CNPen) Certification Exam

Question #1 (Topic: demo questions)

You want to extract the technologies used by a target website. Explain how to do this using Wappalyzer and WhatWeb.

A. Install WhatWeb:
   sudo apt install whatweb
B. Scan a target website:
   whatweb -v targetdomain.com
C. Install the Wappalyzer browser extension or use the CLI:
   wappalyzer https://targetdomain.com
D. Identify backend frameworks, CMS, and JavaScript libraries.
   Cross-check version numbers and search for known vulnerabilities.
Correct Answer: A, B, C, D
Explanation:

To extract the technologies used by a target website, you can use tools like WhatWeb and Wappalyzer. First, install WhatWeb on a Linux system using the command sudo apt install whatweb, then run a scan on the target website using whatweb -v targetdomain.com, which will reveal details such as the web server, CMS, programming languages, and other technologies used. Next, you can use Wappalyzer either as a browser extension or via its CLI by running wappalyzer https://targetdomain.com, which helps identify backend frameworks, CMS platforms, analytics tools, and JavaScript libraries. After gathering the results from both tools, you can cross-check the detected technologies, including version numbers, to validate accuracy and potentially identify known vulnerabilities associated with those versions.
Question #2 (Topic: demo questions)

You need to gather subdomains of a target domain without using brute force. Explain how to use crt.sh and Sublist3r to extract subdomains efficiently.

A. Use crt.sh to list SSL certificates with subdomains:
   curl -s "https://crt.sh/?q=%.targetdomain.com&output=json" | jq .
B. Use Sublist3r to gather subdomains from public sources:
   sublist3r -d targetdomain.com -o subdomains.txt
C. Combine results with amass:
   amass enum -passive -d targetdomain.com
D. Cross-check findings using nslookup and dig.
E. Test live subdomains using httprobe:
   cat subdomains.txt | httprobe
Correct Answer: A, B, C, D, E
Explanation:

To efficiently gather subdomains of a target domain without brute-forcing, you can rely on passive reconnaissance tools like crt.sh and Sublist3r. First, crt.sh can be used to extract subdomains from public SSL certificate logs by querying https://crt.sh/?q=%.targetdomain.com&output=json using a command like curl -s "https://crt.sh/?q=%.targetdomain.com&output=json" | jq ., which returns all domain names found in certificate transparency records. This helps uncover hidden or forgotten subdomains that were issued SSL certificates. Next, Sublist3r can be used to gather subdomains from multiple public sources such as search engines and DNS databases by running sublist3r -d targetdomain.com -o subdomains.txt, which compiles a list of discovered subdomains into a file. These results can then be combined and validated using other passive tools like Amass or DNS resolution tools such as nslookup and dig to confirm active entries, and finally tested for responsiveness using tools like httprobe.
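Added example (not from the page, nor from the crt.sh or Sublist3r projects): the JSON that step A pipes into jq still needs normalising before it is useful, because each record's name_value field lists every SAN on the certificate separated by newlines, wildcard entries and mixed case appear, and lookalike domains can match the %.targetdomain.com query loosely. The block below parses a constructed crt.sh response, keeps only hostnames genuinely under the target domain, and merges them with a constructed stand-in for the subdomains.txt file Sublist3r writes in step B.

```python
import json

# Constructed sample of crt.sh JSON (fields trimmed to those used here);
# not captured from a live query. Note the newline-separated SANs, the
# wildcard entry, mixed case, a duplicate, and a lookalike domain.
SAMPLE_CRT_JSON = json.dumps([
    {"common_name": "www.targetdomain.com",
     "name_value": "targetdomain.com\nwww.targetdomain.com"},
    {"common_name": "*.targetdomain.com",
     "name_value": "*.targetdomain.com\nmail.targetdomain.com"},
    {"common_name": "Dev.TargetDomain.com", "name_value": "Dev.TargetDomain.com"},
    {"common_name": "www.targetdomain.com", "name_value": "www.targetdomain.com"},
    {"common_name": "targetdomain.com.evil.example",
     "name_value": "targetdomain.com.evil.example"},
])

# Constructed stand-in for the file Sublist3r writes with -o subdomains.txt.
SAMPLE_SUBLIST3R_OUTPUT = "api.targetdomain.com\nwww.targetdomain.com\n"


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex itself or a real subdomain of it (not lookalikes)."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(raw_json: str, domain: str) -> list[str]:
    """Turn crt.sh's JSON into a sorted, de-duplicated list of in-scope hostnames."""
    found = set()
    for entry in json.loads(raw_json):
        # name_value carries every SAN on the cert, newline separated;
        # common_name is not always repeated there, so include both.
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                # A wildcard cert only proves the parent label exists.
                name = name[2:]
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)


def merge_sources(domain: str, *sources: list[str]) -> list[str]:
    """Union of hostnames from several tools, normalised and scope-checked."""
    merged = {n.strip().lower() for s in sources for n in s if n.strip()}
    return sorted(n for n in merged if in_scope(n, domain))


if __name__ == "__main__":
    crt = extract_subdomains(SAMPLE_CRT_JSON, "targetdomain.com")
    print(merge_sources("targetdomain.com", crt, SAMPLE_SUBLIST3R_OUTPUT.splitlines()))
```

The merged list is what steps D and E then resolve with dig and probe with httprobe; the scope check matters because an out-of-scope lookalike host would otherwise end up in that probe list.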
Question #3 (Topic: demo questions)

You want to find sensitive PDFs or DOCX files belonging to a target company. Explain how Google Dorking can be used to locate these files.

A. Open Google and use advanced search operators:
   site:targetdomain.com filetype:pdf OR filetype:docx
B. Use the intitle operator to find specific document types:
   site:targetdomain.com intitle:confidential filetype:pdf
C. Use inurl to find unsecured directories:
   site:targetdomain.com inurl:"/docs/" filetype:xlsx
D. Review indexed files and extract metadata using exiftool.
   Analyze document properties for usernames and internal network details.
Correct Answer: A, B, C, D
Explanation:

To find PDF, DOCX, XLSX, and other documents belonging to a target company using Google Dorking, you can use Google's advanced search operators to locate files that are publicly indexed by search engines. For example, the query site:targetdomain.com filetype:pdf OR filetype:docx searches for PDF and Word documents hosted on the target domain, while site:targetdomain.com intitle:confidential filetype:pdf helps identify documents containing specific keywords in their titles. The inurl operator can be used to discover documents stored in particular directories, such as site:targetdomain.com inurl:"/docs/" filetype:xlsx. After locating publicly accessible files, you can review them and use metadata analysis tools such as ExifTool to examine document properties, which may reveal information such as author names, software versions, creation dates, and other organizational details. This process helps security professionals understand what information is publicly exposed through search engine indexing and assess potential information disclosure risks.
Question #4 (Topic: demo questions)

You need to gather publicly available email addresses related to a target organization for phishing and credential stuffing attacks. Describe a step-by-step method using theHarvester to retrieve emails, LinkedIn profiles, and subdomains.

A. Install theHarvester if not available:
   sudo apt install theharvester
B. Run theHarvester with domain and data source:
   theHarvester -d targetdomain.com -b all
C. Extract and analyze the gathered emails and subdomains.
   Cross-check email formats with known breaches using holehe or haveibeenpwned.
D. Use OSINT techniques such as Google dorks ("@targetdomain.com") to find additional emails.
Correct Answer: A, B, C, D
Explanation:

To gather publicly available information about an organization's online presence during an authorized security assessment, theHarvester can be used to collect email addresses, employee names, subdomains, and other OSINT data from public sources. First, install the tool using sudo apt install theharvester if it is not already available. Then run a search against the target domain with theHarvester -d targetdomain.com -b all, which queries multiple public data sources and search engines for information related to the domain. The results can be reviewed to identify publicly exposed email addresses, employee information, and discovered subdomains. These findings can then be validated using legitimate breach-notification services and other OSINT techniques to understand the organization's external exposure. Additional publicly indexed information may also be found through search-engine queries that reference the organization's domain. This process helps security professionals assess what information is publicly available and identify potential areas where data exposure could increase security risks.