Topic 3, Scanning
A.
An SNMP Walk
B.
Hping2 diagnosis
C.
A Bo2K System query
D.
Nmap protocol/port scan
An SNMP Walk
Explanation: The snmpwalk command is designed to perform a sequence of chained
GETNEXT requests automatically, rather than having to issue the necessary snmpgetnext
requests by hand. The command takes a single OID, and will display a list of all the results
which lie within the subtree rooted on this OID.
A.
A Bo2k system query.
B.
nmap protocol scan
C.
A sniffer
D.
An SNMP walk
An SNMP walk
Explanation: SNMP lets you "read" information from a device. You make a query of the
server (generally known as the "agent"). The agent gathers the information from the host
system and returns the answer to your SNMP client. It's like having a single interface for all
your informative Unix commands. A name such as system.sysContact.0 is an object identifier
(OID) defined in a MIB (Management Information Base): the MIB is the schema, and an SNMP
walk prints one line per OID found in the subtree you asked for.
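The two SNMP questions above both rest on how a walk is built out of GETNEXT requests. The following is an added example, not code from the original page or from Net-SNMP: it models an agent as an in-memory OID table (a constructed sample, no SNMP traffic is sent) and walks a subtree the way snmpwalk does, issuing GETNEXT until the agent returns an OID outside the requested subtree or reaches the end of the MIB. It also shows that OIDs compare component by component as integers, so ifDescr.10 sorts after ifDescr.2.

```python
"""Added example: how snmpwalk chains GETNEXT requests over an OID subtree.

The "agent" is a constructed in-memory table, so nothing is sent on the network;
the walk logic (GETNEXT until the returned OID leaves the subtree) is what
snmpwalk does on the wire.
"""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'.1.3.6.1.2.1.1.4.0' -> (1, 3, 6, 1, 2, 1, 1, 4, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid: OID) -> str:
    return "." + ".".join(str(part) for part in oid)


# Constructed sample of what an agent exposes under mib-2 (1.3.6.1.2.1).
FAKE_AGENT: Dict[OID, str] = {
    parse_oid("1.3.6.1.2.1.1.1.0"): "Linux victim 5.15.0 x86_64",  # sysDescr.0
    parse_oid("1.3.6.1.2.1.1.3.0"): "123456",                     # sysUpTime.0
    parse_oid("1.3.6.1.2.1.1.4.0"): "admin@example.test",         # sysContact.0
    parse_oid("1.3.6.1.2.1.1.5.0"): "victim",                     # sysName.0
    parse_oid("1.3.6.1.2.1.2.1.0"): "3",                          # ifNumber.0
    parse_oid("1.3.6.1.2.1.2.2.1.2.1"): "lo",                     # ifDescr.1
    parse_oid("1.3.6.1.2.1.2.2.1.2.2"): "eth0",                   # ifDescr.2
    parse_oid("1.3.6.1.2.1.2.2.1.2.10"): "tun10",                 # ifDescr.10
}


def getnext(agent: Dict[OID, str], oid: OID) -> Optional[Tuple[OID, str]]:
    """One GETNEXT: the lexicographically next OID the agent knows, or None at end of MIB.

    OIDs compare component by component as integers (tuple comparison does exactly
    that), so ifDescr.10 sorts after ifDescr.2, unlike a string comparison would.
    """
    later = [known for known in agent if known > oid]
    if not later:
        return None
    nxt = min(later)
    return nxt, agent[nxt]


def in_subtree(oid: OID, root: OID) -> bool:
    return oid[: len(root)] == root


def snmpwalk(agent: Dict[OID, str], root_text: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return (results, requests_sent) for a walk rooted at root_text."""
    root = parse_oid(root_text)
    results: List[Tuple[str, str]] = []
    current = root
    requests = 0
    while True:
        requests += 1
        nxt = getnext(agent, current)
        # Stop at end of MIB, or as soon as the agent hands back an OID outside the subtree.
        if nxt is None or not in_subtree(nxt[0], root):
            return results, requests
        results.append((format_oid(nxt[0]), nxt[1]))
        current = nxt[0]


if __name__ == "__main__":
    rows, sent = snmpwalk(FAKE_AGENT, ".1.3.6.1.2.1.1")
    for name, value in rows:
        print(f"{name} = {value}")
    print(f"{len(rows)} objects, {sent} GETNEXT requests")
```

Note that a walk always costs one more request than it returns rows: the final GETNEXT is the one that steps outside the subtree (or off the end of the MIB) and tells the walker to stop. That extra request is why a walk of a root with nothing under it still generates traffic, and why walking the whole tree of a large device can take thousands of packets.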
Study the log below and identify the scan type.
tcpdump -vv host 192.168.1.10
17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)
tcpdump -vv -x host 192.168.1.10
17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500
0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000
A.
nmap -sR 192.168.1.10
B.
nmap -sS 192.168.1.10
C.
nmap -sV 192.168.1.10
D.
nmap -sO -T 192.168.1.10
nmap -sO -T 192.168.1.10
What does an ICMP (Code 13) message normally indicate?
A.
It indicates that the destination host is unreachable
B.
It indicates to the host that the datagram which triggered the source quench message
will need to be re-sent
C.
It indicates that the packet has been administratively dropped in transit
D.
It is a request to the host to cut back the rate at which it is sending traffic to the Internet
destination
It indicates that the packet has been administratively dropped in transit
Explanation: ICMP Type 3 (Destination Unreachable) with Code 13 means "communication
administratively prohibited": a filtering device in the path, typically a router ACL or a
firewall, dropped the packet and reported it. The question names only the code, but the
only standard Type 3 message with code 13 is this one, so the answer is C. Note that many
firewalls are configured to drop silently rather than send this message, so its absence
proves nothing; its presence does confirm that a filter exists between you and the target.
Note: A - Type 3 (Code 1, host unreachable); B - Type 4 (Source Quench); C - Type 3, Code 13;
D - Type 4 (Source Quench).
Steve scans the network for SNMP enabled devices. Which port number should Steve
scan?
A.
69
B.
150
C.
161
D.
169
161
Explanation: The SNMP default port is 161 (UDP). Port 69 is used for TFTP, 150 is for SQL-NET
and 169 is for SEND. (UDP 162 is the SNMP trap port, on which agents send notifications
to a manager; it is not where you query a device.)
You are having problems retrieving results after performing port scanning during
internal testing. You verify that there are no security devices between you and the
target system. When both stealth and connect scanning do not work, you decide to
perform a NULL scan with NMAP. The first few systems scanned show all ports open.
Which one of the following statements is probably true?
A.
The systems have all ports open.
B.
The systems are running a host based IDS.
C.
The systems are web servers.
D.
The systems are running Windows.
The systems are running Windows.
Explanation: The null scan sends a TCP segment with no flags set, a combination that never
occurs in normal traffic. Under RFC 793 a closed port must answer with a RST, while an open
port silently discards the segment, so no response is read as open (or filtered). Windows
does not follow the RFC here: its stack answers a flagless probe the same way whether the
port is open or closed (in practice it sends a RST for every port), so a null scan cannot
distinguish port states on Windows at all. A uniform result across every port of a host,
with no filtering device in the path, is therefore a sign that the target runs Windows rather
than a true picture of its services; rescan those hosts with a SYN or connect scan instead.
You are scanning into the target network for the first time. You find very few
conventional ports open. When you attempt to perform traditional service
identification by connecting to the open ports, it yields either unreliable or no
results. You are unsure of which protocols are being used. You need to discover as
many different protocols as possible.
Which kind of scan would you use to achieve this? (Choose the best answer)
A.
Nessus scan with TCP based pings.
B.
Nmap scan with the –sP (Ping scan) switch.
C.
Netcat scan with the –u –e switches.
D.
Nmap with the –sO (Raw IP packets) switch.
Nmap with the –sO (Raw IP packets) switch.
Explanation: Running Nmap with the –sO switch performs an IP protocol scan. Instead of
probing TCP or UDP ports, it sends raw IP packets with the protocol number cycled through
the possible values and records which protocols the host answers for. An ICMP protocol
unreachable reply (Type 3, Code 2) marks a protocol as closed, any other reply marks it
open, other ICMP unreachable codes mean a filter is in the way, and silence means
open|filtered. This is how you find protocols in use beyond ICMP, TCP and UDP; if a router is
scanned, additional IP protocols such as EGP or IGP may be identified.
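The tcpdump capture in the earlier question ("Study the log below and identify the scan type") is exactly the traffic this explanation describes. The following is an added example, not code from the original page or from tcpdump or Nmap: it embeds that capture as a constructed sample, parses the text lines, decodes the IPv4 header from the -x hex dump (cross-checking the id, TTL and protocol printed on the text line, and verifying the header checksum), and then applies our own heuristic for flagging a protocol scan: one source cycling through several protocol numbers, most of them ones no ordinary host speaks. The COMMON_IP_PROTOCOLS set and the thresholds are assumptions chosen here, not Nmap's or any IDS's rule.

```python
"""Added example: spot an Nmap IP protocol scan (-sO) in tcpdump output.

The capture is the one from the question above, embedded as a constructed sample.
Parser, IPv4 header decoder and heuristic are ours, not tcpdump's or Nmap's code.
"""
import re
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
tcpdump -vv host 192.168.1.10
17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)
tcpdump -vv -x host 192.168.1.10
17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500
0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ [<>] (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ip-proto-(?P<proto>\d+) (?P<plen>\d+) \(ttl (?P<ttl>\d+), id (?P<id>\d+)\)(?P<rest>.*)$"
)
HEX_WORD = re.compile(r"^[0-9a-f]{1,4}$")
# Assumed baseline of protocols an ordinary host may send: ICMP, IGMP, TCP, UDP, IPv6, GRE, ESP, AH, ICMPv6.
COMMON_IP_PROTOCOLS = {1, 2, 6, 17, 41, 47, 50, 51, 58}


def _hex_words(text: str) -> List[str]:
    words = text.split()
    return words if words and all(HEX_WORD.match(w) for w in words) else []


def parse_tcpdump(text: str) -> List[Dict]:
    """tcpdump -vv [-x] lines -> records; hex continuation lines attach to the previous record."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            h, mnt, s = m["ts"].split(":")
            records.append({"time": int(h) * 3600 + int(mnt) * 60 + float(s),
                            "src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
                            "ttl": int(m["ttl"]), "id": int(m["id"]), "hex": _hex_words(m["rest"])})
        elif records and _hex_words(line):
            records[-1]["hex"].extend(_hex_words(line))
    return records


def ipv4_checksum_ok(header: bytes) -> bool:
    """Ones-complement sum of the header words, checksum field included, must fold to 0xFFFF."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_header(hex_words: List[str]) -> Dict:
    """Decode the 20-byte fixed IPv4 header from tcpdump -x words and cross-check the text line."""
    raw = bytes.fromhex("".join(hex_words))
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
            "protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload_len": total_len - ihl,          # 0 here: protocol probes carry no data
            "padding": len(raw) - total_len,         # Ethernet pads short frames, so the capture is longer
            "checksum_ok": ipv4_checksum_ok(raw[:ihl])}


def detect_protocol_scan(records: List[Dict], min_protocols: int = 3) -> Dict[Tuple[str, str], Dict]:
    """Per (src, dst): one host cycling through protocol numbers nobody normally speaks is nmap -sO.

    Repeated probes for the same protocol are Nmap retrying what got no answer."""
    by_pair: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    report = {}
    for pair, pkts in by_pair.items():
        protos = {p["proto"] for p in pkts}
        unusual = protos - COMMON_IP_PROTOCOLS
        times = [p["time"] for p in pkts]
        report[pair] = {"packets": len(pkts), "protocols": protos, "unusual": unusual,
                        "span_seconds": round(max(times) - min(times), 6),
                        "is_protocol_scan": len(protos) >= min_protocols and len(unusual) >= 2}
    return report
```

Two details in the decoded header are worth noticing. The total length is 20 bytes with a 20-byte IHL, so the probe has no payload, which matches the "0" tcpdump prints; yet 46 bytes were captured, because Ethernet pads frames to a 60-byte minimum and tcpdump shows the padding. And the id (42060), TTL (59) and protocol (130) recovered from the hex agree with the text line, which is the sanity check to do before trusting any hand-decoded dump.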
What is the proper response for an X-MAS scan if the port is closed?
A.
SYN
B.
ACK
C.
FIN
D.
PSH
E.
RST
F.
No response
RST
Explanation: Closed ports respond to an X-MAS scan (FIN, PSH and URG set) with a RST, as
RFC 793 requires; an open port stays silent. As with the Null and FIN scans, this only holds
for RFC-compliant stacks: Windows answers with a RST regardless of port state.
Which type of scan sends packets with no flags set?
Select the Answer
A.
Open Scan
B.
Null Scan
C.
Xmas Scan
D.
Half-Open Scan
Null Scan
Explanation: A Null scan sends a TCP segment with none of the flags set. For comparison,
the probe modes a typical port scanner of this kind offers are:
TCP Full Connect. This mode makes a full connection to the target's TCP ports
and can save any data or banners returned from the target. This mode is the most
accurate for determining TCP services, but it is also easily recognized by Intrusion
Detection Systems (IDS).
UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to
the target's UDP ports and looks for an ICMP Port Unreachable message in return.
The absence of that message indicates either the port is used, or the target does
not return the ICMP message which can lead to false positives. It can save any
data or banners returned from the target. This mode is also easily recognized by
IDS.
TCP Full/UDP ICMP Combined. This mode combines the previous two modes into
one operation.
TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet
to the target port and listens for the appropriate response. Open ports respond
with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is
less likely to be noted by IDS, but since the connection is never fully completed, it
cannot gather data or banner information. However, the attacker has full control
over TTL, Source Port, MTU, Sequence number, and Window parameters in the
SYN packet.
TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any
combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port
and listens for the response. Again, the attacker can have full control over TTL,
Source Port, MTU, Sequence number, and Window parameters in the custom TCP
packet. The Analyze feature helps with analyzing the response based on the flag
settings chosen. Each operating system responds differently to these special
combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag
settings.
Which type of scan does not open a full TCP connection?
A.
Stealth Scan
B.
XMAS Scan
C.
Null Scan
D.
FIN Scan
Stealth Scan
Explanation: Stealth (SYN, half-open) scan: the full TCP three-way handshake is never
completed. A SYN packet is sent to the system; if a SYN/ACK comes back, the port is listening,
and the scanner immediately answers with a RST so that the connection is torn down before it
is established (and before the application behind the port ever sees it). If a RST/ACK comes
back, the port is closed. No answer at all usually means a filter dropped the probe.
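The Null scan explanation (why Windows makes it useless), the X-MAS answer (closed ports send RST) and this stealth scan explanation all describe the same small set of exchanges. The following is an added example, not code from the original page or from Nmap: it models what a target sends back for SYN, NULL, FIN and XMAS probes on an RFC 793 stack and on a Windows stack (using Nmap's documented behaviour, RST regardless of port state), how the scanner reads each response, and the message sequence of a half-open scan beside a connect scan. The "rfc793" and "windows" labels and the `null_scan_unreliable` check are ours.

```python
"""Added example: the exchanges behind SYN, NULL, FIN and XMAS scans.

Responses follow RFC 793 for a compliant stack and Nmap's documented Windows
behaviour (RST to NULL/FIN/XMAS probes whatever the port state). This models the
exchange; it is not Nmap code, and "rfc793"/"windows" are labels used here only.
"""
from typing import Dict, List, Optional, Tuple

# Flags carried by each probe type.
PROBE_FLAGS = {"syn": "SYN", "null": "", "fin": "FIN", "xmas": "FIN/PSH/URG"}


def target_response(probe: str, port_open: bool, stack: str = "rfc793") -> Optional[str]:
    """What the target sends back; None means it stays silent."""
    if probe not in PROBE_FLAGS:
        raise ValueError(f"unknown probe {probe!r}")
    if probe == "syn":                       # the same on every stack
        return "SYN/ACK" if port_open else "RST/ACK"
    if stack == "windows":                   # RST whatever the state: the scan learns nothing
        return "RST"
    return None if port_open else "RST"      # RFC 793: open ports drop, closed ports RST


def infer_state(probe: str, response: Optional[str]) -> str:
    """The scanner's reading of a response (the state Nmap would report)."""
    if response is not None and response.startswith("ICMP"):
        return "filtered"                    # an unreachable from a router or firewall
    if probe == "syn":
        return {"SYN/ACK": "open", "RST/ACK": "closed", None: "filtered"}[response]
    return "closed" if response == "RST" else "open|filtered"


def syn_scan_exchange(port_open: bool) -> List[Tuple[str, str]]:
    """Half-open scan: the handshake is never completed, so no connection is established."""
    msgs = [("scanner", "SYN"), ("target", target_response("syn", port_open))]
    if port_open:
        msgs.append(("scanner", "RST"))      # tear down instead of sending the final ACK
    return msgs


def connect_scan_exchange(port_open: bool) -> List[Tuple[str, str]]:
    """For contrast: a connect scan finishes the handshake, which the application can log."""
    msgs = syn_scan_exchange(port_open)[:2]
    if port_open:
        msgs += [("scanner", "ACK"), ("scanner", "RST")]
    return msgs


def scan(probe: str, ports: Dict[int, bool], stack: str = "rfc793") -> Dict[int, str]:
    """Run one probe type against a table of {port: is_open} and return per-port states."""
    return {port: infer_state(probe, target_response(probe, is_open, stack))
            for port, is_open in ports.items()}


def null_scan_unreliable(syn_results: Dict[int, str], flag_results: Dict[int, str]) -> bool:
    """If a SYN scan sees a mix of states but the NULL/FIN/XMAS scan reports one state for every
    port, the stack ignores RFC 793 (Windows) and the flag-scan result must be discarded."""
    mixed = len(set(syn_results.values())) > 1
    uniform = len(set(flag_results.values())) == 1
    return mixed and uniform


if __name__ == "__main__":
    ports = {22: True, 80: True, 23: False, 8080: False}   # constructed target
    for stack in ("rfc793", "windows"):
        print(stack, "null scan:", scan("null", ports, stack))
    print("syn scan, open port:", syn_scan_exchange(True))
```

Running it shows the practical rule from the questions: the SYN scan classifies the constructed target correctly on both stacks, the NULL scan is right on the RFC 793 stack, and on the Windows stack it returns "closed" for all four ports, which is the uniform, meaningless result to recognise and throw away.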
War dialing is one of the oldest methods of gaining unauthorized access to target
systems, and it is one of the dangers most commonly forgotten by network engineers and
system administrators. A hacker can sneak past all the expensive firewalls and IDS and
connect easily into the network. Through war dialing an attacker searches for devices in
the target network infrastructure that are also accessible through the telephone line.
'Dial backup' in routers is most frequently found in networks where redundancy is
required. Dial-on-demand routing (DDR) is commonly used to establish connectivity as a
backup.
As a security tester, how would you discover what telephone numbers to dial in to the
router?
A.
Search the Internet for leakage for target company’s telephone number to dial-in
B.
Run a war-dialing tool with range of phone numbers and look for CONNECT
Response
C.
Connect using ISP’s remote-dial in number since the company’s router has a
leased line connection established with them
D.
Brute force the company’s PABX system to retrieve the range of telephone
numbers to dial-in
Run a war-dialing tool with range of phone numbers and look for CONNECT
Response
Explanation: Use a war-dialing program such as ToneLoc to dial the company's range of
phone numbers and log which ones answer with a modem CONNECT; those are the dial-in
candidates.
John has scanned the web server with NMAP. However, he could not gather enough
information to help him identify the operating system running on the remote host
accurately.
What would you suggest to John to help identify the OS that is being used on the
remote web server?
A.
Connect to the web server with a browser and look at the web page.
B.
Connect to the web server with an FTP client.
C.
Telnet to port 8080 on the web server and look at the default page code.
D.
Telnet to an open port and grab the banner.
Telnet to an open port and grab the banner.
Explanation: Most administrators never change the banners presented by applications
listening on open ports, so grabbing banners (for example with telnet or netcat) usually
gives fairly accurate version information from which the OS can be inferred. Treat it as a
hint rather than proof: a banner can be edited or faked, and a version string identifies
the application build, not necessarily the host OS.
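The following is an added example, not code from the original page: it does over a socket what "telnet host port" does by hand, for a service that talks first (SSH) and one that does not (HTTP, which needs a request before it reveals its Server header), and then reads OS hints out of the banner. The loopback servers are constructed stand-ins for a real host so the script runs offline, their banners are made up but realistic, and the OS_HINTS table is our own small list, not an authoritative fingerprint database.

```python
"""Added example: banner grabbing over a plain TCP socket, with loopback test servers.

grab_banner does what "telnet host port" does by hand. The server functions are
constructed stand-ins for a real target so the script runs offline; the banners
they send are made up, and the OS hint table is ours, not a fingerprint database.
"""
import re
import socket
import threading
from typing import List, Optional, Tuple

# Substrings that commonly leak the platform through a service banner (constructed list).
OS_HINTS: List[Tuple[str, str]] = [
    (r"\bUbuntu\b", "Ubuntu"),
    (r"\bDebian\b", "Debian"),
    (r"Microsoft-IIS|Win32|Win64|\bWindows\b", "Windows"),
    (r"\bFreeBSD\b", "FreeBSD"),
    (r"Red Hat|\bCentOS\b|\.el\d", "RHEL/CentOS"),
]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe (HTTP needs one), and return what the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(2048)
        except OSError:                       # timeout or reset: a silent service
            data = b""
    return data.decode("latin-1").strip()


def http_server_header(host: str, port: int, timeout: float = 3.0) -> str:
    """HTTP does not talk first: send a HEAD request and pull the Server header out of the reply."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    reply = grab_banner(host, port, request, timeout)
    m = re.search(r"^Server:\s*(.+?)\s*$", reply, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else ""


def os_hint_from_banner(banner: str) -> Optional[str]:
    for pattern, label in OS_HINTS:
        if re.search(pattern, banner):
            return label
    return None


def serve_banner_once(banner: bytes, reads_request: bool = False) -> Tuple[int, threading.Thread]:
    """Loopback stand-in for a target: accept one connection, optionally read the client's
    request first (as an HTTP server would), send the banner, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            if reads_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def demo_ssh() -> Tuple[str, Optional[str]]:
    port, t = serve_banner_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n")
    banner = grab_banner("127.0.0.1", port)
    t.join(2)
    return banner, os_hint_from_banner(banner)


def demo_http() -> Tuple[str, Optional[str]]:
    port, t = serve_banner_once(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
        reads_request=True)
    header = http_server_header("127.0.0.1", port)
    t.join(2)
    return header, os_hint_from_banner(header)


if __name__ == "__main__":
    print(demo_ssh())
    print(demo_http())
```

The timeout matters in practice: a port that accepts the connection but never sends anything (many binary protocols wait for the client) would otherwise hang the scan, and an empty banner is itself information, namely that the service is not one of the chatty ones.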