Nmap and Scanning Review Quiz

Question 1

Which type of hacker is considered unethical?

1. White Hat
2. Grey Hat
3. Black Hat
4. Blue Hat

Answer 1

3. Black Hat

Question 2

What is the main difference between ethical and malicious hackers?

1. Ethical hackers have written permission
2. Ethical hackers have verbal permission
3. Ethical hackers don’t use real exploits
4. Malicious hackers never perform information gathering

Answer 2

1. Ethical hackers have written permission

Question 3

Which type of testing takes place when pentesters have no knowledge of the target network?

1. Grey Box
2. Black Box
3. White Box
4. Blind test

Answer 3

2. Black Box

Question 4

Suppose an attacker alters the contents of two files on the server. Which of the following best describes what was compromised?

1. Authentication
2. Confidentiality
3. Integrity
4. Availability

Answer 4

3. Integrity

Question 5

Which of the following is _not_ a part of information gathering?

1. Host Discovery
2. Finding Physical Addresses
3. Spidering the Client’s Website
4. Exploiting a Database Server

Answer 5

4. Exploiting a Database Server

Question 6

A SYN Scan is used in which kind of reconnaissance?

1. Active Reconnaissance
2. Passive Reconnaissance
3. Open Source Information Gathering
4. Internal Reconnaissance

Answer 6

1. Active Reconnaissance

Question 7

An ICMP Type 8 message indicates which of the following?

1. Ping Request
2. Router Advertisement
3. Host Unreachable Message
4. TTL Failure

Answer 7

1. Ping Request

Question 8

Suppose you run a SYN scan against a target host. Which of the following best describes the state of connections to the target machine after the scan?

1. Half-Open
2. Fully Open
3. Full Duplex
4. Half Duplex

Answer 8

1. Half-Open

Question 9

Which of the following is a Layer 2 attack?

1. ARP Spoofing
2. SQL Injection
3. BGP Hijacking
4. Ping Sweep

Answer 9

1. ARP Spoofing

Question 10

Which of the following Nmap flags is used for OS fingerprinting?

1. -A
2. oN
3. -sS
4. sU

Answer 10

1. -A

Question 11

Identify what the following Nmap command does: nmap -sn 192.168.12.0/24

1. Port-Scan all devices in `192.168.12.0/24
2. Perform a UDP scan on `192.168.12.0/24
3. Service-Scan `192.168.12.0/24
4. Perform a Ping Sweep on `192.168.12.0/24

Answer 11

4. Perform a Ping Sweep on `192.168.12.0/24

Question 12

Suppose you run the following command. If port 22 is open, which TCP flag is set on the response?

bash
 $ nmap -sS -p 22 192.168.12.7

1. ACK
2. SYN
3. RST
4. URG

Answer 12

2. SYN

Question 13

Which argument will be used for OS detection in Nmap?

1. -G
2. -L
3. -S
4. -O

Answer 13

4. -O

Question 14

What will the following nmap command accomplish?

NMAP -sS -O -p 123,153 192.168.100.4

1. A stealth scan, opening port 123 and 153
2. A stealth scan, determine the operating system, and scanning of ports 123 and 153
3. A stealth scan checking all open ports excluding ports 123 and 153

Answer 14

2. A stealth scan, determine the operating system, and scanning of ports 123 and 153

Question 15

Regarding port enumeration, which port does DNS zone transfer use?

1. UDP port 161
2. TCP/UDP port 389
3. TCP port 137
4. TCP port 53

Question 16

You are sent to scan a remote host using nmap. Which of the following scan types is the BEST choice to gather the most information while minimizing the chance of detection?

1. TCP connect scan (-sT)
2. Xmas scan (-sX)
3. UDP scan (-sU)
4. SYN scan (-sS)

Answer 16

4. SYN scan (-sS)

Question 17

You are asked to access a server at a particular IP address. The server does not respond to ping requests, what could be the reason(s)? Select all the apply.

1. The host is down
2. Server configured not to respond to ping
3. Firewall blocks TCP
4. Firewall blocks ICMP

Answer 17

1. The host is down
2. Server configured not to respond to ping
3. 4. Firewall blocks ICMP

Question 18

Which command would you issue to scan all TCP ports on 192.168.1.1?

1. nmap -p 0,65535 192.168.1.1
2. nmap -p 1,65536 192.168.1.1
3. nmap -p 192.168.1.1
4. nmap -p 0-65535 192.168.1.1

Answer 18

4. nmap -p 0-65535 192.168.1.1

Question 19

Which of the following nmap arguments are used to perform a Null scan:

1. -sS
2. -sP
3. -sN
4. -sF

Answer 19

3. -sN

Question 20

Most scan attempts can be detected and flagged by:

1. Proxy
2. IDS
3. Router
4. Switch

Answer 20

2. IDS

Question 21

Which of these scan types in nmap would make a full TCP connection to the target system?

1. XMAS scan
2. TCP connect scan
3. All of these
4. SYN stealth scan

Answer 21

2. TCP connect scan

Question 22

What does the Nmap -sU flag do?

1. Enable OS Scanning
2. Enable TCP scanning
3. Enable UDP Scanning
4. Enable Service Scanning

Answer 22

3. Enable UDP Scanning

Question 23

Which of the following is also known as a Zombie scan?

1. SYN Scan
2. IDLE Scan
3. UDP Scan
4. Full-Connect Scan

Answer 23

2. IDLE Scan

Question 24

Which of the following commands scans both TCP and UDP port 445?

1. nmap -sT -sU -p 445 192.168.12.75
2. nmap -p U:445,T:445 192.168.12.75
3. nmap -sU -pU 445 -pT 192.168.12.75
4. nmap -sS –all-protocols 192.168.12.75

Answer 24

2. nmap -p U:445,T:445 192.168.12.75

Question 25

Suppose you discover the following IP addresses on a target network: `192.168.1.24` and `192.168.1.35`. Both machines have a netmask of `255.255.255.0`. Which of the following is true? 1. The machines are on the same subnet. 2. The machines are on separate subnets. 3. The machines are unreachable from one another. 4. Neither machine is running Windows.

Answer 25

1. The machines are on the same subnet.

Question 26

Which of the following scan types is used to infer firewall rules? 1. Full Connect Scan 2. ACK Scan 3. SYN Scan 4. IDLE Scan

Answer 26

3. ACK Scan

Question 27

Suppose you dump a Linux machine's `/etc/passwd` file during the information gathering phase. You see the lines `/bin/nologin` and `/bin/false` for many users. What does this mean? 1. These users don't exist. 2. These users exist, but aren't stored in the database. 3. These users exist, but can't use an interactive shell. 4. These users exist, but their accounts have been disabled.

Answer 27

3. These users exist, but can't use an interactive shell.

Question 28

Identify one advantage of an IDLE scan. 1. They allow an attacker to get information about a target's open ports without actually sending packets. 2. They allow an attacker to scan a target without revealing their IP address. 3. They are undetectable. 4. They can find all open ports on a machine, including those that are filtered by a firewall.

Answer 28

2. They allow an attacker to scan a target without revealing their IP address.

Question 29

Which of the following commands runs all of Nmap's SMB scripts against a target? 1. nmap --smb-all -sV -p 445 192.168.12.17 2. nmap --script --smb-scripts 192.168.12.17 3. nmap --script smb-enum-\* -sV -p 445 192.168.12.17 4. nmap --script smb-enum-\* 192.168.12.17`

Answer 29

3. nmap --script smb-enum-\* -sV -p 445 192.168.12.17