312-50 Practice Test Questions

763 Questions


Topic 3, Scanning

Which of the following systems would not respond correctly to an nmap XMAS
scan?


A.

Windows 2000 Server running IIS 5


B.

Any Solaris version running SAMBA Server


C.

Any version of IRIX


D.

 RedHat Linux 8.0 running Apache Web Server





A.
  

Windows 2000 Server running IIS 5



Explanation: In a XMAS scan nmap sends TCP probes with the FIN, PSH and URG flags set. If a RST packet is received, the port is
considered closed, while no response means it is open|filtered (an ICMP unreachable error marks it filtered). The big downside is that
not all systems follow RFC 793 to the letter. A number of systems send RST responses to
the probes regardless of whether the port is open or not, so every port ends up
labeled closed and the scan tells you nothing about the host. Major operating systems that do this are Microsoft Windows, many Cisco
devices, BSDI, and IBM OS/400, which is why the Solaris, IRIX and Linux hosts in the other choices are not the answer.
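Worked example (added here, not part of the question set or of nmap's own code): the probe a XMAS scan sends and the RFC 793 decision rule applied to the replies. Nothing is transmitted; the replies, addresses and ports are constructed to show each outcome, and the final function flags the all-ports-closed result that a Windows-style target produces.

```python
import socket
import struct

# Added example, not part of the question set: build the probe nmap -sX
# sends (FIN, PSH and URG set, no SYN) and apply the RFC 793 decision rule
# to the replies. Nothing is transmitted; every reply below is constructed
# to show one outcome. Addresses and ports are made up.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG          # 0x29: the "christmas tree" flag combination


def checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0):
    """20-byte TCP header, no options, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    return segment[13]


def classify_xmas_reply(reply):
    """reply is None (silence), ("tcp", segment) or ("icmp", type, code)."""
    if reply is None:
        return "open|filtered"   # RFC 793: an open port silently drops a segment without SYN, ACK or RST
    if reply[0] == "tcp" and tcp_flags(reply[1]) & RST:
        return "closed"          # RFC 793: a closed port answers with RST
    if reply[0] == "icmp" and reply[1] == 3 and reply[2] in (1, 2, 3, 9, 10, 13):
        return "filtered"        # a router or firewall rejected the probe
    return "unknown"


def xmas_scan_verdict(replies):
    """replies: {port: reply}. Returns the per-port states and a flag that is set
    when every port came back closed, which is what a Windows-style target that
    RSTs all non-SYN probes produces regardless of which ports are really open."""
    states = {port: classify_xmas_reply(r) for port, r in replies.items()}
    all_closed = bool(states) and all(s == "closed" for s in states.values())
    return states, all_closed
```

When the flag comes back set, do not trust the closed verdicts; re-scan the host with a SYN scan (-sS), which works on every TCP stack because it uses the normal handshake.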

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different
sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the
ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this
information?


A.

The packets were sent by a worm spoofing the IP addresses of 47 infected sites


B.

  ICMP ID and Seq numbers were most likely set by a tool and not by the operating
system


C.

All 77 packets came from the same LAN segment and hence had the same ICMP ID
and Seq number


D.

  13 packets were from an external network and probably behind a NAT, as they had an
ICMP ID 0 and Seq 0





B.
  

  ICMP ID and Seq numbers were most likely set by a tool and not by the operating
system



Exhibit:


Please study the exhibit carefully.
Which protocol maintains communication in this way?


A.

UDP


B.

 IP


C.

 TCP


D.

 ARP


E.

RARP






C.
  

 TCP



Explanation: A TCP connection is always initiated with the 3-way handshake, which
establishes and negotiates the actual connection over which data will be sent.

Bob has been hired to perform a penetration test on ABC.com. He begins by looking
at IP address ranges owned by the company and details of domain name
registration. He then goes to newsgroups and financial web sites to see if they are
leaking any sensitive information or have any technical details online.
Within the context of penetration testing methodology, what phase is Bob involved
with?


A.

Passive information gathering


B.

Active information gathering


C.

Attack phase


D.

 Vulnerability Mapping






A.
  

Passive information gathering



Explanation: He is gathering information, and as long as he does not make contact with any
of the target's systems he is considered to be gathering this information in a passive mode.

While doing a fast scan using the -F option, which file does nmap use to list the ports to
scan?


A.

services


B.

 nmap-services


C.

protocols


D.

 ports





B.
  

 nmap-services



Explanation: The -F (fast) option restricts the scan to ports listed in the nmap-services file
that ships with nmap (current versions keep the 100 most common ports, chosen by the
open-frequency column in that file). The same file supplies the service name nmap prints
next to a port for almost every scanning method: every time a port is referenced, it is
compared to the description in this support file. If the nmap-services file isn't available,
nmap falls back to the /etc/services file of the current operating system.
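Worked example (added here, not part of the question set or of nmap): a parser for the nmap-services format, used to list the ports a fast scan draws from and to name a port the way nmap's output does. The sample lines are constructed in the file's real three-column layout (service name, port/protocol, open-frequency, optional comment); they are not a copy of the shipped file.

```python
# Added example, not part of the question set: parse nmap-services and derive
# the port list a fast scan would use. SAMPLE_NMAP_SERVICES is constructed
# here in the file's layout; the frequencies are illustrative.

SAMPLE_NMAP_SERVICES = """\
# Fields: Service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
domain\t53/udp\t0.213496
snmp\t161/udp\t0.433467
unknown\t49152/tcp\t0.000200
"""


def parse_nmap_services(text):
    """Return one dict per entry: name, port, proto, freq. Comments and blank lines are skipped;
    the frequency column is optional (very old copies of the file did not have it)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_s, proto = fields[1].split("/", 1)
        freq = float(fields[2]) if len(fields) > 2 else 0.0
        entries.append({"name": fields[0], "port": int(port_s), "proto": proto, "freq": freq})
    return entries


def fast_scan_ports(entries, proto="tcp", top=None):
    """Ports a fast scan would probe: every listed port of that protocol, most frequently
    open first; pass top=100 to mimic the cut-off current nmap applies for -F."""
    ranked = sorted((e for e in entries if e["proto"] == proto),
                    key=lambda e: (-e["freq"], e["port"]))
    if top is not None:
        ranked = ranked[:top]
    return [e["port"] for e in ranked]


def service_name(entries, port, proto="tcp"):
    """The label nmap prints in the Service column; 'unknown' when the file has no entry."""
    for e in entries:
        if e["port"] == port and e["proto"] == proto:
            return e["name"]
    return "unknown"
```

On a real system point the parser at the nmap-services file in nmap's data directory (nmap --version and nmap -d show where that is); the port list it returns for -F is what you should compare against when a quick scan "misses" a service running on an uncommon port.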

Which of the following ICMP message types is used for destination unreachable messages?


A.

0


B.

3


C.

11


D.

13


E.

17





B.
  

3



Explanation: Type 3 messages are used for unreachable messages. 0 is Echo Reply, 8 is
Echo request, 11 is time exceeded, 13 is timestamp and 17 is subnet mask request.
Learning these would be advisable for the test.

What port scanning method involves sending spoofed packets to a target system
and then looking for adjustments to the IPID on a zombie system?


A.

Blind Port Scanning


B.

 Idle Scanning


C.

Bounce Scanning


D.

 Stealth Scanning


E.

 UDP Scanning





B.
  

 Idle Scanning



Explanation:
From the nmap man page: -sI <zombie host[:probeport]> Idle scan: This advanced scan method allows
for a truly blind TCP port scan of the target (meaning no packets are sent to the target from
your real IP address). Instead, a unique side-channel attack exploits predictable "IP
fragmentation ID" sequence generation on the zombie host to glean information about the
open ports on the target.

What does a type 3 code 13 represent? (Choose two.)


A.

Echo request


B.

Destination unreachable


C.

Network unreachable


D.

 Administratively prohibited


E.

 Port unreachable


F.

Time exceeded





B.
  

Destination unreachable



D.
  

 Administratively prohibited



Explanation: Type 3 code 13 is destination unreachable, communication administratively prohibited. This
type of message is typically returned by a router or firewall that rejects (rather than silently drops) traffic to a blocked port,
which is why a port scanner reports such a port as filtered.
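Worked example (added here, not part of the question set): a small ICMP parser covering the message types the last three ICMP questions refer to. It verifies the checksum, pulls the identifier and sequence number out of an echo request (the fields that gave away a tool in the 91-packet question above), decodes the type 3 codes, and for a type 3 message reads the quoted header of the dropped datagram so you can tell which port was blocked. All packets are constructed in memory; nothing is sent.

```python
import socket
import struct
from collections import defaultdict

# Added example, not part of the question set: parse and classify ICMP
# messages. Every packet here is built by the helpers below; addresses,
# ports and the echo id/seq values are constructed inputs.

ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
    11: "time-exceeded", 13: "timestamp-request", 17: "address-mask-request",
}
# Type 3 codes from RFC 792 and RFC 1812
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over a message that carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet):
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = packet[0], packet[1]
    info = {"type": icmp_type, "code": code, "name": ICMP_TYPES.get(icmp_type, "other")}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])   # identifier, sequence
    elif icmp_type == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        inner = packet[8:]   # IP header + first 8 bytes of the datagram that was dropped
        if len(inner) >= 20:
            ihl = (inner[0] & 0x0F) * 4
            if len(inner) >= ihl + 4:
                sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
                info["original"] = {"dst": socket.inet_ntoa(inner[16:20]),
                                    "proto": inner[9], "sport": sport, "dport": dport}
    return info


def udp_port_state(info):
    """How a UDP scanner reads the ICMP reply to its probe (nmap -sU convention)."""
    if info["type"] != 3:
        return "open|filtered"
    if info["code"] == 3:
        return "closed"                     # port unreachable: the host answered, nothing listens
    if info["code"] in (1, 2, 9, 10, 13):
        return "filtered"                   # a router or firewall rejected the probe
    return "open|filtered"


def build_icmp(icmp_type, code, rest_of_header, payload=b""):
    body = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_dest_unreachable(code, src_ip, dst_ip, proto, sport, dport):
    """Constructed type 3 message quoting a 20-byte IPv4 header plus 8 bytes of transport header
    (the inner IP checksum is left at 0; a parser never relies on it)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    first8 = struct.pack("!HHI", sport, dport, 0)
    return build_icmp(3, code, b"\x00" * 4, inner_ip + first8)


def build_echo_request(ident, seq):
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), b"abcdefgh")


def tool_signature_sources(records, min_sources=10):
    """records: iterable of (src_ip, parsed echo). One (id, seq) pair reused by many distinct
    sources is the hallmark of a tool that hard-codes those fields instead of letting the OS set them."""
    by_sig = defaultdict(set)
    for src, info in records:
        if info["type"] == 8:
            by_sig[(info["id"], info["seq"])].add(src)
    return {sig: sorted(srcs) for sig, srcs in by_sig.items() if len(srcs) >= min_sources}
```

Feed parse_icmp the ICMP portion of captured packets (after the IP header) and the type 3 decoding tells you not just that something was blocked but which destination port the filtering device objected to.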

You are manually conducting Idle Scanning using Hping2. During your scanning you
notice that almost every query increments the IPID regardless of the port being
queried. One or two of the queries cause the IPID to increment by more than one
value. Why do you think this occurs?


A.

The zombie you are using is not truly idle.


B.

A stateful inspection firewall is resetting your queries.


C.

Hping2 cannot be used for idle scanning.


D.

 These ports are actually open on the target system.






A.
  

The zombie you are using is not truly idle.



Explanation: If the IPID is incremented by more than the normal increment for this type of
system, the zombie is talking to some other system besides yours and
has sent packets to an unknown host between the packets destined for you. That extra
traffic is indistinguishable from the RST a real open port would provoke, so the zombie is useless for the scan.

You have initiated an active operating system fingerprinting attempt with nmap
against a target system:
[root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1
Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT
Interesting ports on 10.0.0.1:
(The 1628 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open LDAP
443/tcp open https
465/tcp open smtps
1029/tcp open ms-lsa
1433/tcp open ms-sql-s
2301/tcp open compaqdiag
5555/tcp open freeciv
5800/tcp open vnc-http
5900/tcp open vnc
6000/tcp filtered X11
Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
Nmap run completed - 1 IP address (1 host up) scanned in 3.334 seconds
Using its fingerprinting tests nmap is unable to distinguish between different groups
of Microsoft based operating systems - Windows XP, Windows 2000, NT4 or 95/98/98SE.
What operating system is the target host running based on the open ports shown
above?


A.

Windows XP


B.

Windows 98 SE


C.

Windows NT4 Server


D.

Windows 2000 Server






D.
  

Windows 2000 Server




Explanation: The host is listening on 389/tcp (LDAP) alongside 135/tcp and 139/tcp, the footprint
of an Active Directory domain controller. Active Directory arrived with Windows 2000 Server, so an NT4
or 95/98/98SE host would not expose LDAP this way, and Windows XP is a client system that cannot act as a
domain controller.

Lori has just been tasked by her supervisor to conduct a vulnerability scan on the
corporate network. She has been instructed to perform a very thorough test of the
network to ensure that there are no security holes on any of the machines. Lori's
company does not own any commercial scanning products, so she decides to
download a free one off the Internet. Lori has never done a vulnerability scan before,
so she is unsure of some of the settings available in the software she downloaded.
One of the options is to choose which ports can be scanned. Lori wants to do
exactly what her boss has told her, but she does not know which ports should be scanned.
If Lori is supposed to scan all known TCP ports, how many ports should she select
in the software?


A.

65536


B.

1024


C.

 1025


D.

 Lori should not scan TCP ports, only UDP ports





A.
  

65536



Explanation: In both TCP and UDP, each packet header will specify a source port and a
destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).

Which of the following Nmap commands would be used to perform a UDP scan of
the lower 1024 ports?


A.

Nmap -h -U


B.

 Nmap -hU <host(s)>


C.

Nmap -sU -p 1-1024 <host(s)>


D.

Nmap -u -v -w2 <host> 1-1024


E.

Nmap -sS -O target/1024






C.
  

Nmap -sU -p 1-1024 <host(s)>



Explanation: Nmap -sU -p 1-1024 <host(s)> is the proper syntax: -sU selects a UDP scan and -p 1-1024
limits it to the lower 1024 ports. Learning Nmap and its
switches is critical for successful completion of the CEH exam.

