03 Scanning and Enumeration Flashcards

1
Q
  1. Your team is hired to test a business named Matt’s Bait ’n’ Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:
    metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html
    Which of the following best describes what the team member is attempting to do?
    A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format
    B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format
    C. Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file
    D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com
A

C. This is an example of good tool knowledge and use. Metagoofil, per www.edge-security.com/metagoofil.php, “is an information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, .xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.”
In the syntax given, Metagoofil will search mattsBTshop.com for up to 50 results (the -l switch determines the number of results) for any Microsoft Word documents (both .doc and .docx formats) it can find. It will then attempt to download the first 20 found (the -n switch handles that), and the -f switch will send the results where you want (in this case, to an HTML file).
And just what will those results be? Well, that’s where the fun comes in. Remember, Metagoofil tries to extract metadata from publicly available Microsoft Word documents available on the site. You might find e-mail addresses, document paths, software versions, and even usernames in the results.
A, B, and D are incorrect because they do not match the syntax provided.

2
Q
  1. You are running multiple enumeration scans as part of an assessment. In one particular scan, you have nmap send an initial FIN packet followed immediately by an ACK packet. Which of the following best describes the type of scan you are running?
    A. Inverse TCP
    B. TCP Maimon
    C. XMAS
    D. Half-closed
A

B. According to nmap’s documentation on the scan (https://nmap.org/book/scan-methods-maimon-scan.html), way back in 1996 a gentleman named Uriel Maimon wrote an article titled “Port Scanning without the SYN flag.” The article described sending an initial FIN packet followed by an ACK packet, using discrepancies between their TTL values to evaluate ports.
EC-Council added TCP Maimon back to the official courseware and obviously wants you to know about it. Per the study material, if the port is open, you won’t get a response; however, if it’s in a closed state, you’ll receive a RST packet.
A is incorrect because an Inverse TCP Flag scan is one in which TCP probe packets are sent with or without flags set. No response indicates an open port, whereas a RST is sent on a closed one. Flags typically used in this scan include FIN, URG, and PSH. As an aside, if no flags are used, this can also be referred to as a null scan.
C is incorrect because an XMAS scan is one where all TCP flags (FIN, URG, PSH) are turned on. This scan is ineffective against Windows systems and only works on devices that use an RFC-793-based TCP stack.
D is incorrect because this scan type simply doesn’t exist.

3
Q
  1. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
    A. Your IDLE scan results will not be useful to you.
    B. The zombie system is a honeypot.
    C. There is a misbehaving firewall between you and the zombie machine.
    D. This is an expected result during an IDLE scan.
A

A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not in fact idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.
B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”
C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.
D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to increase regularly with each discovered open port, not randomly, as occurs with traffic on an active system.

4
Q
  1. You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?
    A. nmap 192.168.1.0/24
    B. nmap -sT 192.168.1.0/24
    C. nmap -sP 192.168.1.0/24
    D. nmap -P0 192.168.1.0/24
A

C. The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan> <target>. If you don’t define a switch, nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool.
A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.
B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.
D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually runs the scan without ping (ICMP). This is a good switch to use when you don’t seem to be getting responses from your targets. It forces nmap to start the scan even if it thinks the target doesn’t exist (which is useful if the computer is blocked by a firewall).

5
Q
  1. A pen tester is performing banner grabbing and executes the following command:
    $ nmap -sV host.domain.com -p 80
    He gets the following output:
    Starting Nmap 6.47 ( http://nmap.org) at 2022-07-08 19:10 EST
    Nmap scan report for host.domain.com (108.61.158.211)
    Host is up (0.032s latency).
    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd
    Service detection performed. Please report any incorrect results at
    http://nmap.org/submit/.
    Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
    Which of the following is a true statement?
    A. Nmap can’t perform banner grabbing, as it cannot retrieve the version number of any running remote service.
    B. The pen tester was successful in banner grabbing.
    C. Using nmap -O host.domain.com would have been a better choice for banner grabbing.
    D. Banner grabbing failed because the result did not return the version of the Apache web server.
A

B. You can expect a few versions of this type of question on your exam. Not only are there bunches of ways to do banner grabbing, but the outputs of each method are different. In this case, the nmap attempt was successful in identifying an Apache server.
A is incorrect because nmap can most certainly perform banner grabbing.
C is incorrect because the -O flag enables OS detection.
D is incorrect because the lack of a version number is irrelevant (oftentimes Apache boxes won’t respond with a version number, even when the banner grab is correctly accomplished).

6
Q
  1. You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?
    A. 53
    B. 88
    C. 445
    D. 514
    E. 631
A

E. You will probably see three to five questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0–1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won’t, and maybe you can’t. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you’ll see on the exam somewhere—and then use the process of elimination to get to the right answer.
For example, suppose you had no idea that TCP port 631 was used by the Internet Printing Protocol (IPP), but you did know what 53, 88, and 445 were for. Suddenly it’s not that difficult (now down to a 50/50 chance). By the way, 631 won’t be the only thing you’ll be monitoring for, but of the answers provided, it is the best choice.
A is incorrect because 53 is the port number used by DNS (TCP and UDP). The TCP side will be used for across-Internet traffic, where the loss of speed due to connection-oriented traffic is worth it to ensure delivery, and UDP will be mostly internal.
B is incorrect because 88 is the port number used by Kerberos.
C is incorrect because 445 is used for Microsoft SMB file sharing. You’ll definitely see SMB file sharing and this port somewhere on the exam, usually as part of a scenario like the one in this question.
D is incorrect because 514 is the (UDP) port number used by syslog—and trust me, you need to know this one. EC-Council loves syslog. You’ll definitely see it a couple of times on the exam.

7
Q
  1. A colleague enters the following command:
    root@mybox: # hping3 -A 192.168.2.x -p 80
    What is being attempted here?
    A. An ACK scan using hping3 on port 80 for a single address
    B. An ACK scan using hping3 on port 80 for a group of addresses
    C. Address validation using hping3 on port 80 for a single address
    D. Address validation using hping3 on port 80 for a group of addresses
A

B. Hping is a great tool that provides a variety of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows a human-readable description of TCP/IP packets.
A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The x in the last octet tells hping to fire away at all those available addresses.
C and D are both incorrect because “address validation” is not a scan type.

8
Q
  1. You are examining traffic between hosts and note the following exchange:
    Source        Prot  Port  Flag         Destination
    192.168.5.12  TCP   4082  FIN/URG/PSH  192.168.5.50
    192.168.5.12  TCP   4083  FIN/URG/PSH  192.168.5.50
    192.168.5.12  TCP   4084  FIN/URG/PSH  192.168.5.50
    192.168.5.50  TCP   4083  RST/ACK      192.168.5.12
    192.168.5.12  TCP   4085  FIN/URG/PSH  192.168.5.50
    Which of the following statements are true regarding this traffic? (Choose all that apply.)
    A. It appears to be part of an ACK scan.
    B. It appears to be part of an XMAS scan.
    C. It appears port 4083 is open.
    D. It appears port 4083 is closed.
A

B, D. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, you won’t receive anything back; if it’s closed, you’ll see a RST/ACK. This tells you port 4083 looks like it’s closed (see line four of the response). As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won’t see this much out in the real world because it just really doesn’t have much applicability. But on your exam? Oh yes—it’ll be there.
A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).
C is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).

9
Q
  1. You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?
    A. The network is unreachable.
    B. The host is unknown.
    C. Congestion control is enacted for traffic to this host.
    D. A firewall is prohibiting connection.
A

D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. Code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.
A is incorrect because “network unreachable” is Type 3, Code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.
B is incorrect because “host unknown” is Type 3, Code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).
C is incorrect because “congestion control” ICMP messaging is Type 4.

10
Q
  1. Which port-scanning method presents the most risk of discovery but provides the most reliable results?
    A. Full-connect
    B. Half-open
    C. Null scan
    D. XMAS scan
A

A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).
B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).
C is incorrect because a null scan sends packets with no flags set at all. Responses will vary, depending on the OS and version, so reliability is spotty. As an aside, null scans are designed for Unix/Linux machines and don’t work on Windows systems.
D is incorrect because although an XMAS scan is easily detectable (as our technical editor put it, “A fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.

11
Q
  1. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?
    A. The hosts might be turned off or disconnected.
    B. ICMP is being filtered.
    C. The destination network might be down.
    D. The servers are Linux based and do not respond to ping requests.
A

B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator for those two important machines would ensure ICMP is filtered. Of the choices provided, this one is the most likely explanation.
A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.
C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you that if the subnet did drop while you were testing, your test is over.
D is incorrect because this is simply not true.

12
Q
  1. A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)
    A. --script
    B. -z
    C. -sA
    D. -sC
A

A, D. Nmap is a great scanning tool that provides numerous options, and you’ll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap’s site (https://nmap.org/book/nse.html): “NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output.”
I’ve seen mentioned in other study material that the -A switch is also considered an NSE function. This switch turns on scanning that reports on version detection, operating system fingerprinting, and a variety of other activities. A pretty good wrap-up of nmap switches is located at https://nmap.org/book/port-scanning-options.html.
B is incorrect because -z isn’t an nmap switch.
C is incorrect because the -sA switch runs an ACK scan (ACK segments are sent to ports to determine their state).

13
Q
  1. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?
    A. ls
    B. chmod
    C. pwd
    D. lsof
A

D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all kinds of additional information. As an aside, the command ps (for process status) is probably an even better choice for the task listed.
A is incorrect because ls (list) simply displays all the files and folders in your current directory. Its counterpart in the PC world is dir.
B is incorrect because chmod is used to set permissions on files and objects in Linux.
C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.

14
Q
  1. You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?
    A. sc query
    B. sc query type=all
    C. sc query type=service
    D. sc query state= all
A

D. The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service.
A sampling of uses for the sc command follows:
* sc config Determines the status of a service at system startup as well as sets a service to run automatically, manually, or not at all.
* sc query Displays information about services, drivers, and types of both. Without parameters, it returns a list of all running services and associated information. To create a list of all services, use sc query state= all.
* sc start Starts a service that is not running.
* sc stop Stops a running service.
* sc pause Pauses a service.
* sc continue Resumes a paused service.
* sc enumdepend Lists the services that cannot run unless the specified service is running.
* sc qc Displays the configuration of a particular service.
And finally, one more quick note: Remember there is always a space after the equals sign (and not one before). Syntax is important, and ECC will probably spring that on you.
A, B, and C all use incorrect syntax for the question asked.

15
Q
  1. An administrator enters the following command on a Linux system:
    iptables -t nat -L
    Which of the following best describes the intent of the command entered?
    A. The administrator is attempting a port scan.
    B. The administrator is configuring IP masquerading.
    C. The administrator is preparing to flood a switch.
    D. The administrator is preparing a DoS attack.
A

B. Do you remember network address translation? It’s a neat little technology that allows lots of internal hosts, using nonroutable private addressing, to access the Internet by borrowing and using a single address (or a group of addresses) managed by a router or other system. IP masquerading is much the same thing; it’s just accomplished through a Linux host. In short, a Linux machine can act as a NAT translator by employing proper routing configuration, using one NIC to communicate with the internal network and one with the external network, and enabling IP masquerading.
Looking over the man page for the command (one copy can be found at http://ipset.netfilter.org/iptables.man.html), we see that iptables is an administration tool for IPv4 packet filtering and NAT. Per the man page, “Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined.” Each table contains a number of built-in chains and may be enabled by iptables -t tablename -switch, where tablename is filter, nat, mangle, raw, or security, and switch equates to the option you wish to enable. For example, -A appends rules, -D deletes rules, and -R replaces rules.
A, C, and D are incorrect because they do not accurately represent what is being attempted.

16
Q
  1. What is being attempted with the following command?
    nc -u -v -w2 192.168.1.100 1-1024
    A. A full-connect scan on ports 1–1024 for a single address
    B. A full-connect scan on ports 1–1024 for a subnet
    C. A UDP scan of ports 1–1024 on a single address
    D. A UDP scan of ports 1–1024 on a subnet
A

C. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).
A is incorrect because the -u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.
B is incorrect because the -u switch shows this as a UDP scan. Additionally, this command is aimed at a single address, not a subnet.
D is incorrect because this command is aimed at a single address, not a subnet.

17
Q
  1. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?
    A. TCP 22
    B. TCP 53
    C. UDP 22
    D. UDP 53
A

B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.
A is incorrect because TCP port 22 is assigned for SSH, not DNS.
C is incorrect because UDP port 22 simply doesn’t match up with SSH (SSH is TCP based). It has traditionally been used as an old pcAnywhere port.
D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two, and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.

18
Q
  1. A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?
    A. It displays the IP route table for the machine.
    B. It displays the NetBIOS name cache.
    C. It displays active and inactive services.
    D. It puts a NIC into promiscuous mode for sniffing.
A

B. Per Microsoft, regarding the nbtstat command: “Nbtstat is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. The nbtstat command removes and corrects preloaded entries using a number of case-sensitive switches.” Syntax for the command includes the following:
* nbtstat -a <name> Performs a NetBIOS adapter status command on the computer name specified by <name>. The adapter status command returns the local NetBIOS name table for that computer as well as the MAC address of the adapter card.
* nbtstat -A <IP> Performs the same function as the -a switch, but using a target IP address rather than a name.
* nbtstat -c Shows the contents of the NetBIOS name cache, which contains NetBIOS-name-to-IP-address mappings.
* nbtstat -n Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector.
* nbtstat -r Displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server.
* nbtstat -R Purges the name cache and reloads all #PRE entries from the LMHOSTS file (#PRE entries are the LMHOSTS name entries that are preloaded into the cache).
* nbtstat -RR Sends name release packets to the WINS server and starts a refresh, thus re-registering all names with the name server without a reboot being required.
* nbtstat -S Lists current NetBIOS sessions and their status, including statistics.
A, C, and D are incorrect because they do not match the command usage. If you wish to see the route table on a Windows system, use the route print command. The sc query state= all command will show all the active and inactive services on the system. To put the NIC in promiscuous mode, you’d need the WinPcap driver installed.

19
Q
  1. Consider the ports shown in the nmap output returned on an IP scanned during footprinting:
    PORT     STATE SERVICE
    21/tcp   open  ftp
    23/tcp   open  telnet
    80/tcp   open  http
    139/tcp  open  netbios-ssn
    515/tcp  open
    631/tcp  open  ipp
    9100/tcp open
    MAC Address: 01:2A:48:0B:AA:81
    Which of the following is true regarding the output?
    A. The host is most likely a router or has routing enabled.
    B. The host is most likely a printer or has a printer installed.
    C. The host is definitely a Windows server.
    D. The host is definitely a Linux server.
A

B. So this output is pretty interesting, huh? There’s some FTP, Telnet, and HTTP open, and a little NetBIOS action going on there, too. The TCP ports 515 and 631, however, are the ones to note here. 515 corresponds to the Line Printer Daemon protocol/Line Printer Remote protocol (or LPD/LPR), which is used for submitting print jobs to a remote printer. Port 631 corresponds to the Internet Printing Protocol (IPP). Both of these point to printing. A final note on this: In our modern world, the definition of what constitutes a server and what does not is a blurred line. If your printer allows Telnet access to a terminal, is it really just a printer? For that matter, many printers actually work off of an embedded operating system. In other words, in real-world testing, your printer may actually be a Linux OS server of sorts. Your exam will stick with the academic memorization and evaluation of port numbers, but things are much more entangled in the real world.
A is incorrect because none of these ports show anything related to routing.
C and D are incorrect because there is simply not enough information to definitively identify the operating system in use. Yes, it is true that the Line Printer Daemon protocol was originally in the BSD UNIX operating system; however, it is used regardless of OS.

20
Q
  1. The following results are from an nmap scan:
    Starting nmap V. 3.10A ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.15.12:
    (The 1592 ports scanned but not shown below are in state: filtered)
    Port State Service
    21/tcp open ftp
    25/tcp open smtp
    53/tcp closed domain
    80/tcp open http
    443/tcp open https
    Remote operating system guess: Too many signatures match to reliably guess the OS.
    Nmap run completed -- 1 IP address (1 host up) scanned in 263.47 seconds
    Which of the following is the best option to assist in identifying the operating system?
    A. Attempt an ACK scan.
    B. Traceroute to the system.
    C. Run the same nmap scan with the -vv option.
    D. Attempt banner grabbing.
A

D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.
A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.
B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.
C is incorrect because the -vv switch provides only more (verbose) information on what nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”

21
Q
  1. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?
    A. nmap -sN targetIPaddress
    B. nmap -sO targetIPaddress
    C. nmap -sS targetIPaddress
    D. nmap -sT targetIPaddress
A

C. A half-open scan, as defined by this nmap command line, is the best option in this case. The SYN scan was created with stealth in mind because the full-connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). As far as the real world is concerned, it’s a fact that most IDSs can pick up a SYN scan just as easily as a full connect, but if you go slow enough, both a SYN and a full connect can be almost invisible. A connect scan is indistinguishable from a real connection, whereas a SYN scan can definitely be distinguishable. In other words, the full connect will look like any other conversation—just bunches of them all at once—whereas a SYN scan will show a lot of systems answering a conversation starter only to be met with rude silence. The lesson is any scan can and probably will be seen in the real world by a monitoring IDS; however, the slower you go and the better you characterize your target without putting additional packets on the wire, the less chance you’ll have of being seen, all things being equal.
A is incorrect because a null scan may not provide the reliability you’re looking for. Remember, this scan won’t work on a Windows host at all.
B is incorrect because the -sO switch tells you this is an operating system scan. Fingerprinting scans are not stealthy by anyone’s imagination, and they won’t provide the full information you’re looking for here.
D is incorrect because the -sT option indicates a full-connect scan. Although this is reliable, it is noisy, and you will most likely be discovered during the scan.

22
Q
  1. What is the second step in the TCP three-way handshake?
    A. SYN
    B. ACK
    C. SYN/ACK
    D. ACK-SYN
    E. FIN
A

C. Admittedly, this is an easy one, but I’d bet dollars to doughnuts you will see it in some form on your exam. It’s such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you’re almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.
A is incorrect because SYN is the first step (flag set) in the three-way handshake.
B is incorrect because ACK is the last step (flag set) in the three-way handshake.
D is incorrect because of the order listed. True, both these flags are the ones set in the three-way handshake. However, in the discussion of this step-by-step process, at least as far as your exam is concerned, it’s SYN/ACK, not the other way around. And, yes, this distractor, in some form, will most likely be on your exam. You won’t care about the order in the real world since flags are a mathematical property of the packet and not some ridiculous order, but for your exam you’ll need to know it this way.
E is incorrect because the FIN flag brings an orderly close to a communication session.

23
Q
  1. In which scanning method would an attacker send INIT chunks to targets and await responses?
    A. SCTP INIT scan
    B. SCTP COOKIE ECHO scan
    C. SCTP half-open scan
    D. SCTP full-connect scan
A

A. This one requires a bit of background knowledge, so read on.
In October 2000, SCTP (Stream Control Transmission Protocol) became an IETF Proposed Standard and was published as RFC 2960. It was originally designed within the IETF Signaling Transport (SIGTRAN) working group to address TCP’s shortcomings relating to telephony signaling over IP networks, and it has since evolved into a general-purpose IETF transport protocol. SCTP provides a connection-oriented, reliable, full-duplex, congestion- and flow-controlled layer 4 channel; however, unlike both TCP and UDP, SCTP offers new delivery options that better match diverse applications’ needs.
Whereas you’re probably familiar with the three-way handshake of TCP, SCTP uses a four-way handshake (you can read all the technical details at https://datatracker.ietf.org/doc/html/rfc4960):
1. The client sends an INIT signal to the server to initiate an association.
2. On receipt of the INIT signal, the server sends an INIT-ACK response to the client. This INIT-ACK signal also contains a “state cookie.” This cookie holds an assortment of information, including a message authentication code (MAC), a timestamp corresponding to the creation of the cookie, the life span of the state cookie, and other information necessary to establish the connection.
3. On receipt of this INIT-ACK signal, the client sends a COOKIE-ECHO response, which just echoes the state cookie.
4. The server verifies the state cookie’s authenticity and allocates the resources for the association, sends a COOKIE-ACK response acknowledging the COOKIE-ECHO signal, and moves the association to the ESTABLISHED state.
Shutdown for SCTP is just as graceful:
5. The client sends a SHUTDOWN signal to the server.
6. The server responds by sending a SHUTDOWN-ACK acknowledgement.
7. The client then sends a SHUTDOWN-COMPLETE signal back to the server.
SCTP can also abruptly close, using an ABORT signal due to an error in the SCTP stack or at the request of the client. SCTP does not support half-open connections.
An SCTP INIT scan sends SCTP INIT “chunks” to targets and awaits responses. If the response is INIT-ACK, the port is open; an ABORT response means the port is closed.
B is incorrect because in an SCTP COOKIE ECHO scan, a cookie echo is sent to the target. No response indicates the port is open, whereas closed ports will send an ABORT. As an aside, this scan may be very useful in evading IDS.
C and D are incorrect because SCTP half-open or full-connect scan types do not exist.

24
Q
  1. Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish?
    nmap -sA -T4 192.168.15.0/24
    A. A serial, slow operating system discovery scan of a Class C subnet
    B. A parallel, fast operating system discovery scan of a Class C subnet
    C. A serial, slow ACK scan of a Class C subnet
    D. A parallel, fast ACK scan of a Class C subnet
A

D. You are going to need to know nmap switches well for your exam. In this example, the -sA switch indicates an ACK scan, and the -T4 switch indicates an “aggressive” timing template, which runs fast and in parallel.
A is incorrect because a slow, serial scan would use the -T0 or -T1 switch. Additionally, the OS detection switch is -O, not -sA.
B is incorrect because, although this answer got the speed of the scan correct, the operating system detection portion is off.
C is incorrect because, although this answer correctly identified the ACK scan switch, the -T4 switch was incorrectly identified.

25
Q
  1. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)
    A. The host will be attempting to retrieve an HTML file.
    B. The source port field on this packet can be any number between 1024 and 65535.
    C. The first packet from the destination in response to this host will have the SYN and ACK flags set.
    D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.
A

A, D. Yes, it is true that port 80 traffic is generally HTTP; however, there are two problems with this statement. The first is all that is happening here is an arbitrary connection to something on port 80. For all we know, it’s a listener, Telnet connection, or anything at all. Second, assuming it’s actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it’s the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of 10 to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.
B is incorrect because it’s a true statement. Source port fields are dynamically assigned using anything other than the “well-known” port range (0–1023). IANA has defined the following port number ranges: ports 1024 to 49151 are the registered ports (assigned by IANA for specific service upon application by a requesting entity), and ports 49152 to 65535 are dynamic or private ports that cannot be registered with IANA.
C is incorrect because it’s a true statement. The requesting machine has sent the first packet in the three-way handshake exchange—a SYN packet. The recipient will respond with a SYN/ACK and wait patiently for the last step—the ACK packet.

26
Q
  1. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
    A. URG
    B. PSH
    C. RST
    D. BUF
A

B. This answer normally gets mixed up with the URG flag because we all read it as “urgent.” However, just remember the key word with PSH is “buffering.” In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.
A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized. As an aside, URG isn’t used much by modern protocols.
C is incorrect because the RST flag forces a termination of communications (in both directions).
D is incorrect because BUF isn’t a TCP flag at all.

27
Q
  1. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?
    A. Open
    B. Closed
    C. Filtered
    D. Unknown
A

B. Remember, a SYN scan works by sending a SYN packet to each target port. If the port is open, you’ll obviously get a SYN/ACK back. However, if the port is closed, you’ll get a RST-ACK.
A is incorrect because an open port would respond differently (SYN/ACK).
C is incorrect because a filtered port would likely not respond at all. (The firewall wouldn’t allow the packet through, so no response would be generated.)
D is incorrect because you know exactly what state the port is in because of the RST-ACK response.

28
Q
  1. A penetration tester is examining the following NMAP result:
    Starting NMAP 5.21 at 2022-07-08 11:06
    NMAP scan report for 172.16.40.65
    Host is up (1.00s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    23/tcp open telnet
    80/tcp open http
    139/tcp open netbios-ssn
    515/tcp open
    631/tcp open ipp
    9100/tcp open
    MAC Address: 00:00:48:0D:EE:8
    Which of the following is a true statement?
    A. The host is likely a printer.
    B. The host is likely a Windows machine.
    C. The host is likely a Linux machine.
    D. The host is likely a router.
A

A. Honestly, there’s not a lot to go on here, so we take a look at the port numbers: 21, 23, and 80 don’t really tell us much, because loads of hosts can run FTP, Telnet, and HTTP, but 515 and 631? Those have “printer” written all over them: 515 is the well-known Line Printer Daemon (LPD) spooler port (and is often used by malware), and 631 is the Internet Printing Protocol (IPP) port.
B, C, and D are incorrect because there is no indication from this result the host is any of these.