Ethical Hacking Chapter 5
Which flags are set on a packet sent with the nmap -sX 193.145.85.202 command? (Choose all that apply.) a. FIN b. PSH c. SYN d. URG
a, b
Describe an XMAS scan.
In this type of scan, the FIN, PSH, and URG flags are set. Closed ports respond to this type of packet with an RST packet. This scan can be used to determine which ports are open. Windows does not follow the standard and responds randomly to XMAS scans
Nmap
a security tool used to identify open ports and detect services and OSs running on network systems.
What is Bash?
a type of interpreter that processes shell commands.
Which parameter can be added to nmap to run a script scan with the default scripts? a. -sC b. -oA c. -p d. -rT
a
Why does the fping -f 193.145.85.201 193.145.85.220 command cause an error? a. An incorrect parameter is used b. The IP range should be indicated as 193.145.85.201-220 c. There's no such command d. IP ranges aren't allowed with this command
a
OpenVAS
a security tool for conducting port scanning, OS identification, and network vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
When would you use fping?
i. Used to send ICMP echo probes to network hosts, similar to ping, but much better performing when pinging multiple hosts. ii. Can ping a specified range of IP addresses iii. Can specify a file containing the lists of targets to ping iv. Meant to be used in scripts
How can you distinguish Bash code from Python code?
Bash code doesn't use import while Python does.
What type of port scan is this and is the port open or closed? student@kali:~$ sudo hping3 -S -c 1 -s 4444 -p 80 a.b.c.d IP 192.168.62.145.4444 > 192.162.62.131.http: Flags [S], seq 588793639, win 512, length 0 IP 192.168.62.131.http > 192.168.62.145.4444: Flags [S.], seq 3473620877, ack 597707422, win 5840, options [mss 1460], length 0
SYN scan, port is open
Security testers can use Hping to bypass filtering devices. True or False?
True
A(n) _____ scan sends a packet with all flags set to NULL. a. NULL b. VOID c. SYN d. XMAS
a
To see a brief summary of Nmap commands in a Linux shell, which of the following should you do? a. Type nmap -h b. Type nmap -summary c. Type help nmap d. Press the F1 key.
a
What is a potential mistake when performing a ping sweep on a network? a. Including a broadcast address in the ping sweep range b. Including a subnet IP address in the ping sweep range c. Including the subnet mask in the ping sweep range d. Including the intrusion detection system's IP address in the ping sweep range
a
Which of the following Nmap commands sends a SYN packet to a computer with the IP address 193.145.85.210? (Choose all that apply.) a. Nmap -sS 193.145.85.210 b. Nmap -v 193.145.85.210 c. Nmap -sA 193.145.85.120 d. Nmap -sF 193.145.85.210
a, b
Which Nmap command verifies whether the SSH port is open on any computers in the 192.168.1.0 network? (Choose all that apply.) a. Nmap -v 192.168.1.0-254 -p 22 b. Nmap -v 192.168.1.0-254 -p 23 c. Nmap -v 192.168.1.0-254 -s 22 d. Nmap -v 192.168.1.0/24 -p 22
a, d
Hping
an enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities.
Fping
an enhanced Ping utility for pinging multiple targets simultaneously
To bypass some ICMP-filtering devices on a network, an attacker might send which type of packets to scan the network for vulnerable services? (Choose all that apply.) a. PING packets b. SYN packets c. ACK packets d. Echo Request packets
b, c
When would you use a unicornscan?
i. A port scanner that utilizes its own TCP/IP stack ii. Allowing it to run an asynchronous scan 1. Can look for many open ports at a time iii. Used when regular port scanning doesn't work as the target might have enabled port scanning detection or has enabled IDS/IPS or honeypots iv. Uses different threads to send out packets and to receive them
When would you use nmap?
i. Quick scans of a network using SYN packets to a host ii. To get detailed information on every IP active on your networks iii. Provides information on your network as a whole iv. Valuable tool for users looking to protect personal and business websites
Ping sweep
pinging a range of IP addresses to identify live systems on a network.
Filtered ports
ports protected with a network-filtering device, such as a firewall
Closed ports
ports that aren't listening or responding to a packet
Open ports
ports that respond to ping sweeps and other packets.
Nessus
previously an open-source scanning tool; now licensed by Tenable Network Security. See OpenVAS.
What is a SYN scan?
stealthy scan
What is a XMAS scan?
- sends a packet with the FIN, PSH, and URG flags set. - a packet with so many flags set is said to be "lit up like a Christmas tree"
In a hping3 port scan, what does ack mean?
ACK
in a hping3 port scan, what does [F] mean?
FIN
What type of port scan is this and is the port open or closed? student@kali:~$ sudo hping3 -S -c 1 -s 4444 -p 80 a.b.c.d IP 192.168.62.145.4444 > 192.168.62.131.http: Flags [F] IP 192.168.62.131.http > 192.168.62.145.4444: Flags [R.]
FIN scan, port is closed
A NULL scan requires setting the FIN, ACK, and URG flags. True or False?
False
Fping doesn't allow pinging multiple IP addresses simultaneously. True or False?
False
What is Python?
High-level programming language
Describe a NULL scan.
In a NULL scan, all packets flags are turned off. A closed port responds to a NULL scan with an RST packet, so if no packet is received, the best guess is that the port is open. Windows, however, does not follow the standard and might respond in an unexpected way.
Describe a FIN scan.
In this type of scan, a FIN packet is sent to the target computer. If the port is closed, it sends back an RST packet. When a three-way handshake ends, both parties send a FIN packet to end the connection.
A FIN packet sent to a closed port responds with which of the following packets? a. FIN b. SYN-ACK c. RST d. SYN
c
What is the most widely used port-scanning tool? a. Netcat b. Netstat c. Nmap d. Nslookup
c
Which of the following is a tool for creating a custom TCP/IP packet and sending it to a host computer? a. Tracert b. Traceroute c. Hping d. Nmapping
c
what is a FIN scan?
closed port responds with an RST packet
A closed port responds to a SYN packet with which of the following packets? a. FIN b. SYN-ACK c. SYN d. RST
d
In basic network scanning, ICMP Echo Requests (type 8) are sent to host computers from the attacker, who waits for which type of packet to confirm that the host computer is live? a. ICMP SYN-ACK packet b. ICMP SYN packet c. ICMP Echo Reply (type 8) d. ICMP Echo Reply (type 0)
d
Port scanning provides the state for all but which of the following ports? a. Closed b. Open c. Filtered d. Buffered
d
When would you use hping3?
i. A network scanning tool and packet generator and analyzer for the TCP/IP protocol. ii. It supports TCP, UDP, ICMP, and RAW-IP protocols iii. Has a traceroute mode The ability to send files
In a hping3 port scan, what does a [R] mean?
RST
Port scanning
a method of finding out which services a host computer offers.
What is the purpose of port scanning?
to test the open ports on the system
What is an ACK scan?
used to get past a firewall
What is a "script". How, when, and why are scripts used in cybersecurity?
A script is a program that automates a task that takes too much time to perform manually. Most security testers rely on basic programming skills to write a script for creating an input file. A script is a text file containing multiple commands that would usually be entered manually at the command prompt.
What is a NULL scan?
A scan in which all flags are turned off
In a hping3 port scan, what does a [S] mean?
SYN
Describe an ACK scan.
i. Attackers typically use ACK scans to get past a firewall or other filtering device. A filtering device looks for the SYN packet, the first packet in the three-way handshake, that the ACK packet was part of. Remember this packet order: SYN, SYN/ACK, and ACK. If the attacked port returns an RST packet, the packet filter was fooled, or there's no packet-filtering device. In either case, the attacked port is considered to be "unfiltered"
Describe a SYN scan.
In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port the SYN packet is sent to is closed, the computer responds with an RST/ACK (reset/acknowledgment) packet. If an attacker's computer receives a SYN/ACK packet, it responds quickly with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction.
What is the purpose of Nessus and OpenVAS?
Nessus is a remote security scanning tool, which scans a computer and raises an alert is it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. OpenVAS is the Open Vulnerability Assessment System which is a suite of tools that work together to run tests against client computers using a database of known exploits and weaknesses. The goal is to learn about how well your servers are guarded against known attack vectors.
How are Nessus and OpenVAS related?
Nessus is no longer under the GPL license but you can still download it free for noncommercial personal use. The open-source fork of Nessus is called OpenVAS.
Security testers and hackers use which of the following to determine the services running on a host and the vulnerabilities associated with these services? a. Zone transfers b. Zone scanning c. Encryption algorithms d. Port scanning
d
To find extensive Nmap information and examples of the correct syntax to use in Linux, which of the following commands should you type? a. Nmap -h b. Nmap -help c. Nmap? d. Man nmap
d