Chapter 3 Test questions


Which command in nmap is used to specify a port or range of ports to be scanned?
Options: -s; -P; -r; -p

-p

In regard to vulnerability scanning, what is the purpose of using a proxy?
Options: Keep a scan hidden; Assist in scanning; Automate the discovery of vulnerabilities; Perform a scan

Keep a scan hidden - A proxy is used to hide the party launching a scan. This is important because a defender will in many cases attempt to track an attack back to its source and may thus be able to reveal the identity of an attacker.

Which service is commonly associated with port 137?
Options: NetBIOS; NTFS; snmp; nbstat

NetBIOS

Which technique can be used to determine which hosts are live on a network?
Options: Smurf attack; Ping sweep; Fraggle attack; Session hijacking

Ping sweep - A ping sweep is used to determine which hosts are "up" or live on a network. Ping sweeps can be performed with tools such as Angry IP Scanner and nmap.

What is the proper sequence of the TCP three-way handshake?
Options: ACK, SYN-ACK, SYN; SYN, SYN-ACK, ACK; SYN-SYN, SYN-ACK, SYN; SYN-ACK, ACK, ACK

SYN, SYN-ACK, ACK

What phase comes after footprinting and is used to gain information from the results of the initial investigation?
Options: Enumeration; Scanning; System hacking; Analysis

Scanning - Scanning comes after the footprinting phase. Footprinting should be used to get a better idea of the target and of what may be an issue during the scanning phase.

Which of the following is a connection-oriented protocol?
Options: UDP; FTP; TCP; POP3

TCP

When working with nmap you initiate a scan using the syntax "nmap -sT 192.168.10.3"; however, the scan appears to stall or hang and no information is returned after you press Enter. When you cancel the command and ping the same address, the host shows as available and online. What would you add to the nmap command to observe what is happening after you press Enter?
Options: -x; -i; -o; -v

-v - The -v (verbose) option can be used to obtain more information from the scanning process than the default options provide. When it is included in a command, you will notice that -v provides real-time feedback on the progress of the scan rather than showing nothing but the final results, which makes the command appear to hang.

How do tools such as nmap and p0f determine which operating system is in use? (Choose all that apply.)
Options: By looking at UDP flags; By looking at Window sizes; By looking at TTL information; By looking at TCP flags

By looking at TTL information; By looking at TCP flags - Among many methods, passive OS fingerprinting can use information about TCP flags, TTL settings and Window size to uniquely identify a client type. Each OS tends to have its own unique way of working with packets. Simple items such as the change of a number in the header of a packet can be enough to reveal the telltale signs of a host.

Port 443 is associated with which commonly used protocol or service?
Options: HTTP; FTP; HTTPS; SMTP; SHTTP

HTTPS

In the nmap command "nmap -T4 -sS <ip address>", what function does the -T4 switch perform on behalf of the scanning party?
Options: To specify that the TCP protocol is to be used for the scan; To define a specific number of targets to be scanned; To define the speed or timing of the scan; To specify the number of ports to scan simultaneously

To define the speed or timing of the scan - The -T switch is used to adjust the speed of the scan when it is executed. The valid values for this switch are 0-5, with lower numbers meaning slower and longer scans and higher numbers meaning faster and shorter scans. This switch would be useful in situations where you may wish to attempt evasion of a NIDS by using a lower number.

Why might a network administrator configure ingress filtering on the firewall to block ICMP packets while not doing the same on egress?
Options: To prevent internal clients from targeting external hosts; To reduce the amount of traffic that is entering the network; To prevent the use of a ping flood as a Denial-of-Service technique; To prevent an outsider from mapping the network or detecting live hosts

To prevent an outsider from mapping the network or detecting live hosts - A network administrator might configure an ingress filter to block ICMP packets from entering the network in an effort to prevent an outsider from mapping the network.

Why would you make use of HTTP tunneling to communicate with a remote system?
Options: To avoid detection; To access a web server on the remote system; To redirect traffic over port 80 to bypass a firewall; To avoid triggering an intrusion detection system

To redirect traffic over port 80 to bypass a firewall - If an organization has configured a very restrictive firewall that leaves only ports such as 80 and 443 open, HTTP tunneling may be used to bypass the firewall. This technique can allow communication when other ports are unavailable.

Which of the following commands can be used to determine the IP configuration on a Linux workstation?
Options: ipchains; ifconfig; ifchains; ipconfig

ifconfig - ifconfig is used to view and modify the IP configuration settings on a Linux workstation or Linux-based device such as Android, as well as on UNIX and macOS. The ipconfig command is for use on Windows systems and platforms based on Microsoft's technologies.

Which command in nmap is used to extract detailed information about a targeted host?
Options: nmap -A <ip address>; nmap -sS <ip address>; nmap -sX <ip address>; nmap -sA <ip address>

nmap -A <ip address> - The -A switch tells nmap to attempt to determine services, versions and OS. The -A switch can be combined with many other nmap switches, such as -Pn, in order to adjust the performance and coverage of the scan.

Which of the following command lines would import a list of hosts from a file named test.txt?
Options: nmap -iL /tmp/test.txt; nmap -iV /tmp/test.txt; nmap -iN /tmp/test.txt; nmap -iO /tmp/test.txt

nmap -iL /tmp/test.txt

If you wanted to perform a scan with nmap that offered the greatest amount of stealth, which would you use?
Options: nmap -sI 192.168.1.4; nmap -sN 192.168.1.4; nmap -sS 192.168.1.4; nmap -sX 192.168.1.4

nmap -sI 192.168.1.4 - An idle scan would offer the highest degree of protection against detection, but would also be the slowest option on the list in most cases. The idle scan involves probing a third party and then using the information gathered about sequence numbers on its packets, along with the IP address of the third party, to receive the results. Because a third party receives the results from the target, the actual scanning party is left hidden from detection.

Which command in nmap is used to determine whether a host or range of hosts is live, without port scanning the host?
Options: nmap -sn <ip address>; nmap -sN <ip address>; nmap -sS <ip address>; nmap -A <ip address>

nmap -sN <ip address> - If you wish to obtain a list of live hosts without performing a port scan against any of them, you would use the -sn switch. This switch makes nmap ping each designated host so that it can be determined to be live or offline. Note that the switch is case sensitive: -sN would perform a NULL scan instead.

Which port range is dynamically associated with third-party applications or services and can be used on demand without formally registering the port for use?
Options: 32768-49151; 1-1024; 1025-32767; 49152-65535

49152-65535 - Ports 49152 to 65535 are also referred to as dynamic ports, as opposed to the lower port ranges, which are known as the well-known and registered ports. Many third-party or custom applications use the dynamic ports on a temporary or as-needed basis. Registered ports can also be assigned to third-party vendors if they make a formal request to register the port with the appropriate organization.

As a pentester you are testing a network and detect a NIDS that presents an obstacle to carrying out additional scans. You have decided to implement evasion techniques in an nmap scan in order to avoid triggering an alert to the administrator. Which of these nmap scans should you use?
Options: nmap -sS -T0 <ip address>; nmap -sS -v <ip address>; nmap -sT -T0 <ip address>; nmap -sX -T5 <ip address>

nmap -sS -T0 <ip address> - Of the options presented in this question, a half-open scan using the -sS option together with the -T0 switch is ideal. The half-open scan is less invasive than the -sT full-connect scan, and the -sX (Xmas) scan would carry a greater chance of detection. Using -T0 with -sS creates a slower and less detectable scan. The -T switch adjusts the timing of the scan, with 0 being the slowest and 5 the fastest; since faster scans have a greater chance of triggering an IDS, 0 is much safer.

Which of the following command lines can be used to scan an entire subnet with nmap?
Options: nmap 192.168.10.1-30; nmap 192.168.10.1/32; nmap 192.168.10.1/16; nmap 192.168.10.1/*

nmap 192.168.10.1/16 - The format nmap <address>/<prefix length> can be used to scan an entire subnet. With /16 you would be scanning an entire class B subnet. A /32 mask, however, would be invalid for this purpose since it leaves no bits for hosts. Note that the dash-separated range would also allow for scanning an entire subnet if the two ends of the range represented the beginning and end of the subnet (which they do not in this case).
