MODULE 3: Scanning Networks

Question 1

What is the go to tool for extracting info such as live hosts on network, open ports, services, type of packet filters, firewalls, and OS/Versions used?

Answer 1

NMAP

Question 2

NMAP Switches:
Match the switch to its meaning/use.

1. -s output
2. -p Fast Scan (top 100 ports)
3. -O port
4. -o scan
5. -T Operating System
6. -F Time
7. -oX XML Output to the file “xml.file”

Answer 2

1. -s 4. output
2. -p 6. Fast Scan (top 100 ports)
3. -O 2. port
4. -o 1. scan
5. -T 3. Operating System
6. -F 5. Time
7. -oX 7. XML Output to the file “xml.file”

Question 3

Match the nmap scan to its description.

1. -sT XMAS scan, uses the Fin, Urg, Psh flags
2. -sS TCP Scan, full connect
3. -sX SYN scan, stealth scan, “half-open”
4. -sn idle scan
5. -sI ping scan

Answer 3

1. -sT 3. XMAS scan, uses the Fin, Urg, Psh flags
2. -sS 1. TCP Scan, full connect
3. -sX 2. SYN scan, stealth scan, half-open connection
4. -sn 5. idle scan
5. -sI 4. ping scan

Question 4

If a hacker’s objective was to port scan a target network, what would they first do to cut down on time and their footprint in the network by making sure hosts are alive first?

Answer 4

Ping Sweep

Question 5

What type of privileges does nmap require to fully function correctly?

Answer 5

root/sudo

Question 6

nmap -sV host.domain.com -p 80

is an example of ______ ________?

Answer 6

banner grabbing

Question 7

What command line network scanning and packet crafting tool for TCP/IP can be used for network security auditing, firewall testing, ect.?

Answer 7

Hping2/3

Question 8

What type of hping2/3 scan can a hacker use to spoof the source IP address and source ports?

Answer 8

ACK scan

ex: hping3 -a 10.10.10.25 -p 80

Question 9

hping2 -1 host.domain.com

is an example of:

Answer 9

an ICMP scan on a remote computer using hping2 syntax

Question 10

What type of scan sends ARP request probes to target hosts where receiving an ARP response back indicates that the host is alive?

Answer 10

ARP Ping Scan

Question 11

In an IDLE IPID scan what indicates an open port?

a. target sends SYN/ACK, zombie responds with RST, and IPID increases by 2
b. target sends RST, no response from zombie, IPID increases by 1

Answer 11

a. target sends SYN/ACK, zombie responds with RST, and IPID increases by 2

Question 12

If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response?
A. 31400
B. 31402
C. The zombie will not send a response
D. 31401

Answer 12

B. 31402

Question 13

TCP SYN Flood attack uses the three-way handshake mechanism.
1. An attacker at system A sends a SYN packet to victim at system B.
2. System B sends a SYN/ACK packet to victim A.
3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A.
This status of client B is called _________________
A. “half-closed”
B. “half open”
C. “full-open”
D. “xmas-open”

Answer 13

B. “half open”

Question 14

What type of port scan is shown below?
Scan directed at open port:
Client Server
192.5.2.92:4079—————–FIN——————-192.5.2.110:23
192.5.2.92:4079 <——–NO RESPONSE——- 192.5.2.110:23
Scan directed at closed port:
Client Server
192.5.2.92:4079—————–FIN——————-192.5.2.110:23
192.5.2.92:4079 <———–RST/ACK————- 192.5.2.110:23
A. Idle Scan
B. FIN Scan
C. XMAS Scan
D. Windows Scan

Answer 14

B. FIN Scan

Question 15

An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses. In which order should he perform these steps?
A. The sequence does not matter. Both steps have to be performed against all hosts.
B. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests.
C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
D. The port scan alone is adequate. This way he saves time.

Answer 15

C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.

Question 16

To maintain compliance with regulatory requirements, a security
audit of the systems on a network must be performed to
determine their compliance with security policies. Which one of
the following tools would most likely be used in such an audit?
A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion detection system

Answer 16

A. Vulnerability scanner

Question 17

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:
Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 TCP
Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 TCP

What type of activity has been logged?
A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106

Answer 17

D. Port scan targeting 192.168.1.106

Question 18

NMAP -sn 192.168.11.200-215

The NMAP command above performs which of the following?
A. A ping scan
 B. A trace sweep
 C. An operating system detect
 D. A port scan

Answer 18

A. A ping scan

Question 19

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use?

A. nmap -T4 -F 10.10.0.0/24

B. nmap -T4 -r 10.10.1.0/24

C. nmap -T4 -O 10.10.0.0/24

D. nmap -T4 -q 10.10.0.0/24

Answer 19

A. nmap -T4 -F 10.10.0.0/24

Question 20

During a UDP scan, does the target system respond with a message when the port is open?

Answer 20

No, the target system will not respond with any message when the target system’s port is open

Question 21

What is the term for the method used to determine the operating system running on a remote target system? (passive and active)

Answer 21

OS Discovery/Banner Grabbing

Question 22

What type of banner grabbing involves sending specially crafted packets to a target, noting responses, then comparing with a database in order to determine OS?

Answer 22

Active Banner Grabbing

Question 23

What type of banner grabbing ascertains OS type by banner grabbing from error messages, sniffing network traffic, and banner grabbing from page extensions?

Answer 23

Passive banner grabbing

Question 24

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using?

A. Banner grabbing
B. Port scanning
C. Packet sniffing
D. Virus scanning

Answer 24

A. Banner grabbing

Question 25

64 TTL and a TCP windows size of 5840 is indicative of what OS?

Answer 25

Linux

Question 26

128 TTL and TCP Windows sizes of 16384 and 65535 are indicative of what OS?

Answer 26

Windows 2000 and XP, respectively

Question 27

What technique refers to splitting a packet into several other smaller packets and sending it to a network instead of one whole packet in order to evade packet filters?

Answer 27

Packet Fragmentation

Question 28

What term refers to sending a packet to the intended destination with a partially or completely specified route in order to evade an IDS or firewall?

Answer 28

Source Routing

Question 29

What is the most reliable way to detect IP spoofing and even works if the attacker is within the same subnet?

Answer 29

sending a probe to the host of suspected spoofed traffic, comparing IPIDS with suspected traffic, if IPIDS are not close in value, then the traffic is being spoofed

Question 30

What removes all identity information from the user's computer while the user surfs the internet making your activity on the internet untraceable? (allows you to bypass internet censors)

Answer 30

Anonymizers

Question 31

What is the key difference between anonymizers and VPNs?

Answer 31

VPNs encrypt traffic, anonymizers do not.

Question 32

``` Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday, she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored. Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it. What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Stealth IE B. Stealth Anonymizer C. Stealth Firefox D. Cookie Disabler ```

Answer 32

B. Stealth Anonymizer

Question 33

What tool can be used to discover a network and produce a comprehensive network diagram?

Answer 33

Network Topology Mapper

Question 34

What vulnerability scanner tool can identify weaknesses in a system such as weak passwords, default configs, and can also be used to demonstrate a system's compliance to the security policy?

Answer 34

Nessus

Question 35

``` A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using? A. Spoofing an IP address B. Tunneling scan over SSH  C. Tunneling over high port numbers D. Scanning using fragmented IP packets ```

Answer 35

B. Tunneling scan over SSH