Topic 3, Scanning
Exhibit
Joe Hacker runs the hping2 hacking tool to predict the target host's sequence numbers in one of his hacking sessions.
What do the first and second columns mean? Select two.
A. The first column reports the sequence number
B. The second column reports the difference between the current and last sequence number
C. The second column reports the next sequence number
D. The first column reports the difference between the current and last sequence number
Answer:
The first column reports the sequence number
The second column reports the difference between the current and last sequence number
home/root # traceroute www.targetcorp.com
traceroute to www.targetcorp.com (192.168.12.18), 64 hops max, 40 byte packets
1 router.anon.com (192.13.212.254) 1.373 ms 1.123 ms 1.280 ms
2 192.13.133.121 (192.13.133.121) 3.680 ms 3.506 ms 4.583 ms
3 firewall.anon.com (192.13.192.17) 127.189 ms 257.404 ms 208.484 ms
4 anon-gw.anon.com (192.93.144.89) 471.68 ms 376.875 ms 228.286 ms
5 fe5-0.lin.isp.com (192.162.231.225) 2.961 ms 3.852 ms 2.974 ms
6 fe0-0.lon0.isp.com (192.162.231.234) 3.979 ms 3.243 ms 4.370 ms
7 192.13.133.5 (192.13.133.5) 11.454 ms 4.221 ms 3.333 ms
6 * * *
7 * * *
8 www.targetcorp.com (192.168.12.18) 5.392 ms 3.348 ms 3.199 ms
Use the traceroute results shown above to answer the following question:
The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.
A. True
B. False
Answer: True
Explanation: As seen in the exhibit, two hops timed out. This tells us that the firewall filters packets whose TTL has reached 0; when you continue with higher starting TTL values you get an answer from the target of the traceroute.
Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through covert channels.
How should Mark protect his network from an attacker using Hping2 to scan his internal network?
A. Blocking ICMP type 13 messages
B. Block All Incoming traffic on port 53
C. Block All outgoing traffic on port 53
D. Use stateful inspection on the firewalls
Answer: Blocking ICMP type 13 messages
Explanation: An ICMP type 13 message is an ICMP timestamp request, which expects an ICMP timestamp reply. The remote node may reply, but it is not required to, since the request is optional and many IP stacks ignore such packets. Nevertheless, nmap again manages to make its packets unique by setting the originating timestamp field in the packet to 0.
John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. How could you use a web server to help in identifying the OS that is being used?
A. Telnet to an Open port and grab the banner
B. Connect to the web server with an FTP client
C. Connect to the web server with a browser and look at the web page
D. Telnet to port 8080 on the web server and look at the default page code
Answer: Telnet to an Open port and grab the banner
Explanation: Most Web servers politely identify themselves and the OS to anyone who asks.
What is the proper response for a FIN scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: No response
Explanation: Open ports respond to a FIN scan by ignoring the packet in question.
Sandra is the security administrator of ABC.com. One day she notices that the ABC.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors. Sandra wants to report this crime to the law enforcement agencies immediately.
Which organization coordinates computer crime investigations throughout the United States?
A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA
Answer: NPC
A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results
Answer: Having multiple computers each scan a small number of ports, then correlating the results
Explanation: Think of DDoS (distributed Denial of Service), where you use a large number of computers to create simultaneous traffic against a victim in order to shut them down.
What are two things that are possible when scanning UDP ports? (Choose two.)
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing
Answer:
An ICMP message will be returned
Nothing
Explanation: Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.
What are the default passwords used by SNMP? (Choose two.)
A. Password
B. SA
C. Private
D. Administrator
E. Public
F. Blank
Answer:
Private
Public
Explanation: Besides the fact that it passes information in clear text, SNMP also uses well-known passwords. Public and private are the default passwords used by SNMP.
An Nmap scan shows the following open ports, and nmap also reports that the OS guess matches too many signatures, so the OS cannot be reliably identified:
21 ftp
23 telnet
80 http
443 https
What does this suggest?
A. This is a Windows Domain Controller
B. The host is not firewalled
C. The host is not a Linux or Solaris system
D. The host is not properly patched
Answer: The host is not properly patched
Explanation: If the answer were A, nmap would have guessed it, since it holds the Microsoft signature database; the host not being firewalled makes no difference. The host not being Linux or Solaris? Well, it very well could be. The host not being properly patched? That is the closest. nmap's OS detection architecture is based solely on the TCP ISN issued by the operating system's TCP/IP stack; if the stack is modified to produce randomized ISNs, or if you are using a program to change the ISN, then OS detection will fail. If the TCP/IP IP IDs are modified then OS detection could also fail, because the machine would most likely come back as being down.
What port scanning method is the most reliable but also the most detectable?
A. Null Scanning
B. Connect Scanning
C. ICMP Scanning
D. Idlescan Scanning
E. Half Scanning
F. Verbose Scanning
Answer: Connect Scanning
Explanation: A TCP Connect scan, named after the Unix connect() system call, is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.
Doug is conducting a port scan of a target network. He knows that his client's target network has a web server and that there is also a mail server which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely causes behind this lack of response? Select 4.
A. UDP is filtered by a gateway
B. The packet TTL value is too low and cannot reach the target
C. The host might be down
D. The destination network might be down
E. The TCP window size does not match
F. ICMP is filtered by a gateway
Answer:
UDP is filtered by a gateway
The packet TTL value is too low and cannot reach the target
The host might be down
ICMP is filtered by a gateway
Explanation: If the destination host or the destination network is down there is no way to get an answer, and if the TTL (Time To Live) is set too low the UDP packets will "die" before reaching the host because there are too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection; the sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. ICMP is mainly used for echo requests and not in port scans.