Hands-On Ethical Hacking and Network Defense, Chapter 5
Nessus, a tool first released in
1998
Attackers typically use ______ scans to get past a firewall or other filtering device.
ACK scan
Which type of scan is usually used to bypass a firewall or packet-filtering device?
ACK scan
Why does the fping -f 193.145.85.201 193.145.85.220 command cause an error?
An incorrect parameter is used.
Port scanning provides the state for all but which of the following ports?
Buffered
This type of scan relies on the attacked computer's OS, so it's a little more risky to use. It completes the three-way handshake.
Connect scan
Which flags are set on a packet sent with the nmap -sX 193.145.85.202 command?
FIN PSH URG
In this type of scan, a ______ packet is sent to the target computer. If the port is closed, it sends back an RST packet.
FIN scan
Fping doesn't allow pinging multiple IP addresses simultaneously.
False
An enhanced Ping utility for pinging multiple targets simultaneously
Fping
nmap -O
IP Protocol Scans
What is a potential mistake when performing a ping sweep on a network?
Including a broadcast address in the ping sweep range
nmap -sP
Ping Scan
To bypass some ICMP-filtering devices on a network, an attacker might send which type of packets to scan the network for vulnerable services?
SYN packets, ACK packets
nmap -sT
TCP connect scan
Unicornscan can handle _____, _____, and _____ port scanning
TCP, ICMP, and IP
To find extensive Nmap information and examples of the correct syntax to use in Linux, which of the following commands should you type?
man nmap
Which of the following Nmap commands sends a SYN packet to a computer with the IP address 193.145.85.210?
nmap -sS 193.145.85.210 and nmap -v 193.145.85.210
Which Nmap command verifies whether the SSH port is open on any computers in the 192.168.1.0 network?
nmap -v 192.168.1.0-254 -p 22 and nmap -v 192.168.1.0/24 -p 22
Ports that respond to ping sweeps and other packets.
open ports
Most, if not all, scanning programs report _________, __________, and __________ in a matter of seconds.
open ports, closed ports, and filtered ports
A security tool used to identify open ports and detect services and OSs running on network systems.
NMAP
Originally written for Phrack magazine in 1997 by Fyodor
NMAP
Unicornscan optimizes ______ scanning beyond the capabilities of any other port scanner.
UDP
In this type of scan, a ______ packet is sent to the target computer. If the port sends back an ICMP "Port Unreachable" message, the port is closed.
UDP scan
Ports that aren't listening or responding to a packet.
closed ports
nmap -h
Quick reference screen of Nmap usage options.
The Hping tool is used for
bypassing filtering devices
An open-source fork of Nessus developed in 2005
OpenVAS
A FIN packet sent to a closed port responds with which of the following packets?
RST
Pinging a range of IP addresses to identify live systems on a network.
ping sweep
Security testers and hackers use which of the following to determine the services running on a host and the vulnerabilities associated with these services?
Port scanning
A method of finding out which services a host computer offers.
port scanning
nmap -sU
UDP Scan
A closed port responds to a SYN packet with which of the following packets?
RST
nmap -sS
stealth scan
What type is an ICMP Echo Reply?
type (0)
Port scanning tool for large-scale endeavors.
Unicornscan
What can security testers use to bypass filtering devices?
Hping
An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities.
Hping
Use it to bypass filtering devices by injecting crafted or otherwise modified IP packets.
Hping
Which of the following is a tool for creating a custom TCP/IP packet and sending it to a host computer?
Hping
Helpful tools for crafting IP packets
Hping, Fping
A(n) ________ scan sends a packet with all flags set to NULL.
NULL
In a ______ scan, all packet flags are turned off. A closed port responds to a NULL scan with an RST packet, so if no packet is received, the best guess is that the port is open.
NULL scan
Previously an open-source scanning tool; now licensed by Tenable Network Security.
Nessus
A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
OpenVAS
To see a brief summary of Nmap commands in a Linux shell, which of the following should you do?
Type nmap -h.
Was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors.
Unicornscan
OpenVAS functions much like a
database server
A reasonably priced commercial scanner with a GUI interface
AW Security Port Scanner
In basic network scanning, ICMP Echo Requests (type 8) are sent to host computers from the attacker, who waits for which type of packet to confirm that the host computer is live?
ICMP Echo Reply (type 0)
What is the most widely used port-scanning tool?
NMAP
Scanning tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection.
SYN scan
nmap -sV
Version Detection
In this type of scan, the FIN, PSH, and URG flags are set. Closed ports respond to this type of packet with an RST packet.
XMAS scan
What makes the OpenVAS tool unique?
Capability to update security check plug-ins when they become available.
Ports protected with a network-filtering device, such as a firewall.
filtered ports
Port scanners can also be used to conduct a __________ of a large network to identify which IP addresses belong to active hosts.
ping sweep
An OpenVAS plug-in is a ______________________ that can be selected from the client interface.
security test program (script)
What type is an ICMP Echo Request?
type (8)