Topic 3, Scanning
While performing ping scans into a target network you get a frantic call from the
organization's security team. They report that they are under a denial of service
attack. When you stop your scan, the smurf attack event stops showing up on the
organization's IDS monitor. How can you modify your scan to prevent triggering this
event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.
Answer: B. Do not scan the broadcast IP.
Explanation: Scanning the broadcast address makes the scan target all IP addresses on
that subnet at the same time.
You are scanning into the target network for the first time. You find very few
conventional ports open. When you attempt to perform traditional service
identification by connecting to the open ports, it yields either unreliable or no
results. You are unsure of what protocols are being used. You need to discover as
many different protocols as possible. Which kind of scan would you use to do this?
A. Nmap with the -sO (Raw IP packets) switch
B. Nessus scan with TCP based pings
C. Nmap scan with the -sP (Ping scan) switch
D. Netcat scan with the -u -e switches
Answer: A. Nmap with the -sO (Raw IP packets) switch
Explanation: Running Nmap with the -sO switch performs an IP protocol scan. The IP
protocol scan is a bit different from the other Nmap scans: instead of probing ports, it
searches for the IP protocols in use by the remote station, such as ICMP, TCP, and
UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.
What are the two ICMP message types used by the ping command?
A. It uses types 0 and 8.
B. It uses types 13 and 14.
C. It uses types 15 and 17.
D. The ping command does not use ICMP but uses UDP.
Answer: A. It uses types 0 and 8.
Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo (request).
You ping a target IP to check if the host is up. You do not get a response. You
suspect ICMP is blocked at the firewall. Next you use the hping2 tool to ping the target
host and you get a response. Why does the host respond to hping2 and not to the ping
packets?
[ceh]# ping 10.2.3.4
PING 10.2.3.4 (10.2.3.4) from 10.2.3.80 : 56(84) bytes of data.
-- 10.2.3.4 ping statistics --
3 packets transmitted, 0 packets received, 100% packet loss
[ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4
HPING 10.2.3.4 (eth0 10.2.3.4): NO FLAGS are set, 40 headers +
0 data bytes
len=46 ip=10.2.3.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.8 ms
len=46 ip=10.2.3.4 flags=RA seq=1 ttl=128 id=54935 win=0 rtt=0.7 ms
len=46 ip=10.2.3.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.7 ms
len=46 ip=10.2.3.4 flags=RA seq=3 ttl=128 id=55959 win=0 rtt=0.7 ms
-- 10.2.3.4 hping statistic --
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/0.8 ms
A. ping packets cannot bypass firewalls
B. you must use the ping 10.2.3.4 switch
C. hping2 uses TCP instead of ICMP by default
D. hping2 uses stealth TCP packets to connect
Answer: C. hping2 uses TCP instead of ICMP by default
Explanation: The default protocol is TCP: by default hping2 sends TCP headers to the target
host's port 0 with a window size of 64 and no TCP flags set (the "NO FLAGS are set" line in the
output above). Often this is the best way to do a 'hide ping', useful when the target is behind a
firewall that drops ICMP. Moreover, a TCP null-flag packet to port 0 has a good probability of not
being logged. The RST/ACK (flags=RA) replies show the host is up even though ICMP is blocked.
Name two software tools used for OS guessing. (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
Answer: A. Nmap and C. Queso
Explanation: Nmap and Queso are the two best-known OS guessing programs. OS
guessing software has the ability to look at peculiarities in the way that each vendor
implements the RFCs. These differences are compared with its database of known OS
fingerprints. Then a best guess of the OS is provided to the user.
What ICMP message types are used by the ping command?
A. Timestamp request (13) and timestamp reply (14)
B. Echo request (8) and Echo reply (0)
C. Echo request (0) and Echo reply (1)
D. Ping request (1) and Ping reply (2)
Answer: B. Echo request (8) and Echo reply (0)
Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo (request).
When Nmap performs a ping sweep, which of the following sets of requests does it
send to the target device?
A. ICMP ECHO_REQUEST & TCP SYN
B. ICMP ECHO_REQUEST & TCP ACK
C. ICMP ECHO_REPLY & TCP RST
D. ICMP ECHO_REPLY & TCP FIN
Answer: B. ICMP ECHO_REQUEST & TCP ACK
Explanation: The default behavior of Nmap is to do both an ICMP ping sweep (the usual
kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these, this
combination will be fairly characteristic of Nmap.
You are conducting an idlescan manually using HPING2. During the scanning
process, you notice that almost every query increments the IPID, regardless of the
port being queried. One or two of the queries cause the IPID to increment by more
than one value. Which of the following options would be a possible reason?
A. Hping2 can't be used for idlescanning
B. The Zombie you are using is not truly idle
C. These ports are actually open on the target system
D. A stateful inspection firewall is resetting your queries
Answer: B. The Zombie you are using is not truly idle
Explanation: If the IPID increments by more than one value, that means there has been
other network traffic to or from the zombie between the queries, so the zombie is not idle.
Bob, a Junior Administrator at ABC.com, is searching for the port number of POP3 in a
file. The partial output of the file looks like:
In which file is he searching?
A. services
B. protocols
C. hosts
D. resolve.conf
Answer: A. services
Explanation: The port numbers on which certain standard services are offered are defined
in RFC 1700, Assigned Numbers. The /etc/services file enables server and client
programs to convert service names to these numbers (ports). The list is kept on each host
and is stored in the file /etc/services.
Which of the following Nmap commands would be used to perform stack
fingerprinting?
A. Nmap -O -p80 <host(s)>
B. Nmap -hU -Q <host(s)>
C. Nmap -sT -p <host(s)>
D. Nmap -u -o -w2 <host>
E. Nmap -sS -0p target
Answer: A. Nmap -O -p80 <host(s)>
Explanation: The -O option activates remote host identification via TCP/IP fingerprinting. In
other words, it uses a bunch of techniques to detect subtleties in the underlying operating
system network stack of the computers you are scanning. It uses this information to create
a "fingerprint" which it compares with its database of known OS fingerprints (the
nmap-os-fingerprints file) to decide what type of system you are scanning.
Which of the following is a patch management utility that scans one or more
computers on your network and alerts you if important Microsoft Security
patches are missing? It then provides links that enable those missing patches to be
downloaded and installed.
A. MBSA
B. BSSA
C. ASNB
D. PMUS
Answer: A. MBSA
Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by
Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning
the system for security problems in Windows, Windows components such as the IIS web
server application, Microsoft SQL Server, and Microsoft Office. One example of an issue
might be that permissions for one of the directories in the wwwroot folder of IIS could be set
at too low a level, allowing unwanted modification of files by outsiders.
You are concerned that someone running PortSentry could block your scans, and
you decide to slow your scans so that no one detects them. Which of the following
commands will help you achieve this?
A. nmap -sS -PT -PI -O -T1 <ip address>
B. nmap -sO -PT -O -C5 <ip address>
C. nmap -sF -PT -PI -O <ip address>
D. nmap -sF -P0 -O <ip address>
Answer: A. nmap -sS -PT -PI -O -T1 <ip address>
Explanation: -T[0-5]: Set timing template (higher is faster). -T1 is one of the slowest
templates, so the probes are spread out in time and are less likely to trip a rate-based
detector such as PortSentry.