312-50 Practice Test Questions

763 Questions


Topic 3, Scanning

What does ICMP (type 11, code 0) denote?


A.

Unknown Type


B.

Time Exceeded


C.

Source Quench


D.

Destination Unreachable






B.
  

Time Exceeded



Explanation: ICMP Type 11 is Time Exceeded [RFC 792]. Code 0 = Time to Live Exceeded in
Transit, the message a router sends when it decrements a packet's TTL to zero (and the
message traceroute relies on); Code 1 = Fragment Reassembly Time Exceeded, sent by a host
that gave up waiting for the remaining fragments of a datagram.

Which FTP transfer mode is required for FTP bounce attack?


A.

Active Mode


B.

Passive Mode


C.

User Mode


D.

Anonymous Mode






A.

Active Mode



Explanation: The FTP bounce attack abuses active-mode data connections. In active mode
the client issues a PORT command naming the address and port the server should connect
back to for the data transfer. A server that accepts any address in PORT, not only the
address of the client on the control connection, can be told to open the data connection
to a third host, and the attacker reads the server's replies to learn whether that host's
port accepted the connection (nmap performs this scan with the -b option). Passive mode
cannot be used for a bounce: after PASV the client opens the data connection itself, so
the server never connects anywhere on the client's behalf.
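The PORT encoding and the two sides of the bounce, as an added example that is not code from the page or from any FTP server or scanner: one function encodes a target as a PORT argument (the attacker's side), one decodes it (the server's side), one applies the server-side check that makes a bounce impossible, and one interprets the PORT/LIST replies the way a bounce scanner does. The reply codes used for the verdict and the "peer address and unprivileged port only" policy are assumptions, modelled on RFC 959 reply codes and on how current FTP daemons behave.

```python
import re


def build_port_command(ip, port):
    """Encode ip:port as the argument of the FTP PORT command (RFC 959):
    PORT h1,h2,h3,h4,p1,p2  with  port = p1 * 256 + p2.
    A bounce attacker puts the victim's address here, not its own."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    p1, p2 = divmod(port, 256)
    return "PORT %s,%d,%d" % (",".join(octets), p1, p2)


PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Decode a PORT command into (ip, port); this is what the FTP server does."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range: %r" % line)
    return ".".join(str(x) for x in f[:4]), f[4] * 256 + f[5]


def port_request_allowed(control_peer_ip, line, min_port=1024):
    """Server-side defence (assumed policy): only honour a PORT whose address equals
    the control connection's peer and whose port is not a privileged one. A server
    without this check can be used as a scanning relay."""
    try:
        ip, port = parse_port_command(line)
    except ValueError:
        return False
    return ip == control_peer_ip and port >= min_port


def classify_bounce_reply(port_reply, list_reply):
    """Turn the server's replies to PORT and a following LIST into a verdict on the
    bounced target port (assumed mapping): PORT refused -> the server is not usable as
    a relay; LIST 150/125/226 -> the server reached the target (open); 425 -> the
    server could not build the data connection (closed)."""
    if not port_reply.startswith("200"):
        return "not-bounceable"
    code = list_reply[:3]
    if code in ("150", "125", "226"):
        return "open"
    if code == "425":
        return "closed"
    return "unknown"
```

The defensive check is the important half: a server that only accepts PORT arguments matching the control-connection peer cannot be bounced at all, whatever the client sends.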

Nathalie would like to perform a reliable scan against a remote target. She is not
concerned about being stealthy at this point. Which of the following types of scan
would be the most accurate and reliable?


A.

A FIN Scan


B.

A Half Scan


C.

A UDP Scan


D.

The TCP Connect Scan





D.
  

The TCP Connect Scan



Explanation: The connect() system call provided by your operating system is used to open
a connection to every interesting port on the machine. If the port is listening, connect()
succeeds and the kernel has completed a full three-way handshake; a closed port answers
with a RST and connect() fails, and a filtered port gives no answer (or an ICMP error) until
the attempt times out. One strong advantage of this technique is that you do not need any
special privileges, because no raw packets are crafted. In current nmap it is selected with
-sT (older releases used -t), and it is the scan nmap falls back to when it cannot send raw
packets. The big downside is that every completed connection is logged by the target
service, so this sort of scan is easily detected and filtered, and because it waits for each
handshake to finish it is slower than a half-open SYN scan (-sS), even though the early
nmap documentation this text comes from called it the fastest method.

Neil notices that a single address is generating traffic from its port 500 to port 500 of
several other machines on the network. This scan is eating up most of the network
bandwidth and Neil is concerned. As a security professional, what would you infer
from this scan?



A.

It is a network fault and the originating machine is in a network loop


B.

It is a worm that is malfunctioning or hardcoded to scan on port 500


C.

The attacker is trying to detect machines on the network which have SSL enabled


D.

The attacker is trying to determine the type of VPN implementation and checking for IPSec





D.
  

The attacker is trying to determine the type of VPN implementation and checking for IPSec



Explanation: UDP port 500 is used by IKE (Internet Key Exchange), the protocol that
negotiates IPsec security associations and session keys. It is typically used by IPsec VPN
software such as FreeS/WAN and PGPnet and by in-a-box VPN appliances from vendors such
as Cisco. Once negotiated, the session itself is usually carried in ESP (Encapsulating
Security Payload) packets, IP protocol 50, although many implementations can also wrap the
tunnel in UDP (NAT traversal on UDP port 4500), which is useful across firewalls and NAT
devices that only pass TCP and UDP. A single host sending from UDP 500 to UDP 500 on many
machines is therefore sweeping the network for IKE responders, which is what a tool such as
ike-scan does to find and fingerprint VPN gateways.

You want to know whether a packet filter is in front of 192.168.1.10. Pings to
192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang
without returning any information. What should you do next?


A.

Use NetScan Tools Pro to conduct the scan


B.

Run nmap XMAS scan against 192.168.1.10


C.

Run NULL TCP hping2 against 192.168.1.10


D.

The firewall is blocking all the scans to 192.168.1.10





C.
  

Run NULL TCP hping2 against 192.168.1.10



Ann would like to perform a reliable scan against a remote target. She is not
concerned about being stealthy at this point.
Which of the following types of scan would be the most accurate and reliable
option?


A.

A half-scan


B.

A UDP scan


C.

A TCP Connect scan


D.

A FIN scan





C.
  

A TCP Connect scan



Explanation: A TCP Connect scan, named after the Unix connect() system call, is the most
accurate scanning method. If a port is open the operating system completes the TCP three-way
handshake, and the port scanner immediately closes the connection. Otherwise an error code
is returned (ECONNREFUSED when the target answered with a RST, a timeout when nothing came
back, which usually means a packet filter in the path).
Example of a three-way handshake followed by a reset:
Source Destination Summary
-------------------------------------------

[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0
WIN=5840
[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210
LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840
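The connect() scan described in this question and in the Nathalie question above, as an added example that is not code from the page or from nmap. It scans a target it sets up itself (a loopback listener on an ephemeral port, plus a port known to have no listener), so it runs offline and without privileges; the host, the ports, the timeout and the state names are assumptions. The handshake-then-close sequence from the trace above is exactly what the kernel does on behalf of connect_ex() followed by close().

```python
import errno
import socket
import threading


def start_target_listener():
    """Constructed target for the example: a TCP listener on 127.0.0.1 and an ephemeral
    port that accepts and immediately closes connections. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed -> stop the thread
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Find a loopback port with no listener by binding to port 0 and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan_port(host, port, timeout=1.0):
    """Classify one port with a full connect(): the OS completes the three-way handshake
    (open), receives a RST (closed), or gets no answer before the timeout (filtered).
    No raw sockets or privileges are needed, which is the strength of this scan type."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        err = s.connect_ex((host, port))
    except socket.timeout:
        return "filtered"
    finally:
        s.close()  # tear the connection down right after the handshake, as in the trace
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    if err in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS):
        return "filtered"
    return "error:" + errno.errorcode.get(err, str(err))


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {p: connect_scan_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    listener, open_port = start_target_listener()
    closed_port = pick_closed_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print("127.0.0.1:%d %s" % (port, state))
    listener.close()
```

Run against a real host the same code logs a full connection in the target service's logs for every open port, which is the detectability the explanation warns about.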

You are doing IP spoofing while you scan your target. You find that the target has port 23
open. Nevertheless you are unable to connect. Why?


A.

A firewall is blocking port 23


B.

You cannot spoof + TCP


C.

You need an automated telnet tool


D.

The OS does not reply to telnet even if port 23 is open





A.
  

A firewall is blocking port 23



Explanation: The question does not say what state the scanning utility reported for the
port. If the program used is nmap, it shows one of three states, "open", "closed" or
"filtered", and a port can be listening yet filtered, usually by a stateful packet filter
(Netfilter on Linux, ipfilter on BSD), which is why the connection attempt fails. Options C
and D make no sense for this question, and B ("You cannot spoof + TCP") is false: TCP
packets can be sent with a spoofed source address, although the replies then go to the
spoofed address, so the spoofer never sees the SYN/ACK and cannot complete the handshake
without predicting the sequence number.

The following excerpt is taken from a honeypot log. The log captures activities
across three days. There are several intrusion attempts; however, a few are
successful. Study the log given below and answer the following question:
(Note: The objective of this question is to test whether the student has learnt about
passive OS fingerprinting (which should tell them the OS from log captures): can
they tell a SQL injection attack signature; can they infer if a user ID has been created
by an attacker; and can they read plain source-destination entries from log
entries.)

What can you infer from the above log?


A.

The system is a windows system which is being scanned unsuccessfully.


B.

The system is a web application server compromised through SQL injection.


C.

The system has been compromised and backdoored by the attacker.


D.

The actual IP of the successful attacker is 24.9.255.53.





A.
  

The system is a windows system which is being scanned unsuccessfully.



What is a primary advantage a hacker gains by using encryption or programs such
as Loki?


A.

It allows an easy way to gain administrator rights


B.

It is effective against Windows computers


C.

It slows down the effective response of an IDS


D.

IDS systems are unable to decrypt it


E.

Traffic will not be modified in transit





D.
  

IDS systems are unable to decrypt it



Explanation: Loki tunnels an interactive shell inside ICMP echo payloads, and once that
payload is encrypted an IDS cannot read it or match signatures against it. The IDS still
sees the packets, so anomaly detection on ICMP volume or unusual payload sizes remains
possible; what is lost is content inspection.

One of the ways to map a targeted network for live hosts is by sending an ICMP
ECHO request to the broadcast or the network address. The request is delivered
to all hosts on the targeted network. The live hosts that honour it send an ICMP
ECHO Reply to the attacker's source IP address.
You send a ping request to the broadcast address 192.168.5.255.
[root@ceh/root]# ping -b 192.168.5.255
WARNING: pinging broadcast address
PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms
64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms
--
--
--
There are 40 computers up and running on the target network. Only 13 hosts send a
reply while others do not. Why?


A.

You cannot ping a broadcast address. The above scenario is wrong.


B.

You should send a ping request with this command ping 192.168.5.0-255


C.

Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO
request aimed at the broadcast address or at the network address.


D.

Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO
request aimed at the broadcast address or at the network address.





D.
  

Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO
request aimed at the broadcast address or at the network address.



Explanation: As stated in the correct option, Microsoft Windows does not answer ICMP Echo
Requests addressed to a broadcast or network address, so the Windows hosts on the segment
stay silent. This is no longer a reliable way to tell the two families apart: Linux also
ignores such requests when the sysctl net.ipv4.icmp_echo_ignore_broadcasts is 1, which has
been the default for many years as the standard defence against being used as a smurf
amplifier, so a broadcast ping usually finds far fewer than the live host count even on a
Linux-only network.

A program that defends against a port scanner will attempt to:


A.

Sends back bogus data to the port scanner


B.

Log a violation and recommend use of security-auditing tools


C.

Limit access by the scanning system to publicly available ports only


D.

Update a firewall rule in real time to prevent the port scan from being completed





D.
  

Update a firewall rule in real time to prevent the port scan from being completed
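The response in option D, a firewall rule inserted as soon as a scan is recognised, as an added example that is not code from the page or from any product. It also covers the UDP 500 fan-out from the IKE question above, which is the horizontal form of the same behaviour. The log lines are constructed (loosely in the style of an iptables LOG entry with a timestamp), and the thresholds, the time window and the iptables rule text are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): one source probing six ports on one host,
# one innocent single connection, and one source probing UDP/500 on five hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=21 SYN
2024-05-01T10:00:00 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=22 SYN
2024-05-01T10:00:01 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=23 SYN
2024-05-01T10:00:01 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=25 SYN
2024-05-01T10:00:02 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=80 SYN
2024-05-01T10:00:02 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=40006 DPT=443 SYN
2024-05-01T10:00:05 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=443 SYN
2024-05-01T10:00:20 SRC=192.168.1.7 DST=192.168.1.20 PROTO=UDP SPT=500 DPT=500
2024-05-01T10:00:20 SRC=192.168.1.7 DST=192.168.1.21 PROTO=UDP SPT=500 DPT=500
2024-05-01T10:00:21 SRC=192.168.1.7 DST=192.168.1.22 PROTO=UDP SPT=500 DPT=500
2024-05-01T10:00:21 SRC=192.168.1.7 DST=192.168.1.23 PROTO=UDP SPT=500 DPT=500
2024-05-01T10:00:22 SRC=192.168.1.7 DST=192.168.1.24 PROTO=UDP SPT=500 DPT=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield one event dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "dst": d["dst"],
               "proto": d["proto"], "spt": int(d["spt"]), "dpt": int(d["dpt"])}


def detect_scans(events, window=timedelta(seconds=10), port_threshold=5, host_threshold=5):
    """Flag sources that, within `window`, probe many ports on one host (vertical scan,
    the classic port scan) or one port on many hosts (horizontal sweep, like the UDP/500
    fan-out). Returns {src: {("vertical", dst) | ("horizontal", "PROTO/port"): count}}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        hits = {}
        for i, start in enumerate(evs):           # slide the window over this source
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                ports_per_dst[ev["dst"]].add((ev["proto"], ev["dpt"]))
                dsts_per_port[(ev["proto"], ev["dpt"])].add(ev["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    key = ("vertical", dst)
                    hits[key] = max(hits.get(key, 0), len(ports))
            for (proto, port), dsts in dsts_per_port.items():
                if len(dsts) >= host_threshold:
                    key = ("horizontal", "%s/%d" % (proto, port))
                    hits[key] = max(hits.get(key, 0), len(dsts))
        if hits:
            findings[src] = hits
    return findings


def block_rules(findings):
    """One iptables rule per flagged source; inserting it while the scan is still running
    is the real-time firewall update the question describes (rule text is an assumption)."""
    return ["iptables -I INPUT -s %s -j DROP" % src for src in sorted(findings)]


if __name__ == "__main__":
    found = detect_scans(parse_log(SAMPLE_LOG))
    for src, hits in found.items():
        print(src, hits)
    print("\n".join(block_rules(found)))
```

Thresholds this low will also catch legitimate bursts (a monitoring host, a browser opening several connections), so a production version needs an allow-list and a rule expiry rather than a permanent DROP.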



Which of the following ICMP message types is used for Destination Unreachable?



A.

0


B.

3


C.

11


D.

13


E.

17





B.
  

3



Explanation: Type 3 messages are Destination Unreachable; the code then says why (for
example code 3, Port Unreachable, is how a UDP scan recognises a closed port). Of the other
options, 0 is Echo Reply, 11 is Time Exceeded, 13 is Timestamp Request and 17 is Address
Mask Request (8, not listed, is Echo Request). Learning these would be advisable for the test.


Page 9 out of 64 Pages