ITN 261 - Chapter 5

What is one reason for using a scan like an ACK scan? 1. It may get through firewalls and IDS devices. 2. It is better supported. 3. The code in nmap is more robust. 4. An ACK scan is needed for scripting support.

1. It may get through firewalls and IDS devices. Evasion is an important concept. You may spend a lot of time working on evading detection or getting blocked. Since an ACK without an open connection is aberrant, the firewall or IDS may ignore it, avoiding detection. As a result, you may be able to get ACK messages through. ACK scans are not better supported. In fact, there is really no support from the network stack for an ACK scan. The code is no more robust in nmap for an ACK scan than other scans, or at least there is no evidence of that being the case. ACK scans are not needed for scripting support.

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at? 1. Tunneling attack 2. DNS amplification 3. DNS recursion 4. XML entity injection

1. Tunneling attack Tunneling attacks can be used to hide one protocol inside another. They may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.

What is one reason a UDP scan may take longer than a TCP scan of the same host? 1. UDP will retransmit more. 2. UDP has more ports to scan. 3. UDP is a slower protocol. 4. UDP requires more messages to set up.

1. UDP will retransmit more. A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target. A full connect scan completes the three-way handshake before sending the RST message. Since the full connect scan follows the correct order of the three-way handshake, it doesn't send an ACK first. There is also no PSH flag sent with the SYN flag, since there is no data to push up the stack yet.

What is nmap looking at when it conducts a version scan? 1. TCP and IP headers 2. Application banners 3. Operating system kernel 4. IP ID and TCP sequence number fields

2. Application banners A version scan with nmap is looking to identify versions of the services/applications running on the target. The kernel is identified with an OS scan. TCP and IP headers don't provide application versions. The IP ID field and TCP sequence number fields don't provide version information either.

Which of these may be considered an evasive technique? 1. Scanning nonstandard ports 2. Encoding data 3. Using a proxy server 4. Using nmap in blind mode

2. Encoding data Scanning nonstandard ports isn't evasive. It's just as noisy as, and potentially more detectable than, scanning standard ports. You could use a proxy for some tasks, but all it would do would be to hide your own IP address, which isn't evasive. You could still be blocked or detected. Nmap does not have a blind mode. When you encode data, though, you make it harder for the firewall or IDS to identify something bad that may be happening, since these devices can't read the messages coming through.

What would you use MegaPing for? 1. Running exploits 2. Running a port scan 3. Issuing manual web requests 4. Crafting packets

2. Running a port scan MegaPing can be used to perform a lot of different functions, but crafting packets, sending manual web requests, and running exploits are not functions it supports. It can, though, run a port scan.

If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2 1. Someone was trying to probe the web port of the target. 2. Someone was trying to probe an email port on the target. 3. Someone was trying to identify if SNMP was supported on 10.5.16.2. 4. Someone had mistyped ping.

2. Someone was trying to probe an email port on the target. hping is a program used to send specially designed messages to a target. You use command-line parameters to tell hping what to include in the message being sent. The command hping -S -p 25 10.5.16.2 is used to have hping send SYN messages to port 25, the default SMTP port, at 10.5.16.2. It's possible that someone mistyped ping, but those parameters aren't used by ping programs, and since they are coherent for the action above, it makes more sense that they were trying to use hping. SNMP and web traffic both use different ports than port 25.

What is fragroute primarily used for? 1. Altering network routes 2. Capturing fragmented packets 3. Fragmenting application traffic 4. Fragmenting layer 2 and layer 3 headers

3. Fragmenting application traffic The program fragroute uses configuration statements to determine what should be done to packets destined for a specific host. This may include fragmenting application traffic as well as duplicating and delaying traffic. While there is a possibility of fragmenting layer 3 headers, if layer 2 headers were fragmented, there would be no way to get the message to the destination.

What would you use credentials for in a vulnerability scanner? 1. Better reliability in network findings 2. Authenticating through VPNs for scans 3. Scanning for local vulnerabilities 4. Running an Active Directory scan

3. Scanning for local vulnerabilities Credentials wouldn't give better reliability in network findings, and vulnerability scanners don't typically provide a way to directly authenticate through a VPN. The VPN client would be expected to be running ahead of time if the network is behind the VPN. An Active Directory scan is a vague answer, and it may not be something you can do with a vulnerability scanner. If you provide credentials, though, the scanner can authenticate against systems on the network and check for local vulnerabilities.

What is an XMAS scan? 1. TCP scan with SYN/ACK/FIN set 2. UDP scan with FIN/PSH set 3. TCP scan with FIN/PSH/URG set 4. UDP scan SYN/URG/FIN set

3. TCP scan with FIN/PSH/URG set The XMAS scan is a TCP scan that uses unusual flag settings in the TCP headers to attempt to evade firewalls or IDSs. The XMAS scan uses the FIN, PSH, and URG flags and is called an XMAS scan because it looks like the packet is lit up like a Christmas tree. None of the other answers match what an XMAS scan is.

Which of these may be considered worst practice when it comes to vulnerability scans? 1. Scanning production servers 2. Notifying operations staff ahead of time 3. Taking no action on the results 4. Using limited details in your scan reports

3. Taking no action on the results You would be expected to scan production servers, since that would be where you would be most interested to find vulnerabilities. Letting operations staff know ahead of time is polite since vulnerability scans may inadvertently knock over systems that would need to be stood back up. Being paged in the middle of the night unexpectedly isn't fun. If you know it's coming, it makes it easier. You may have reasons to use limited details in your scan reports, including trying to reduce the disk space used or the paper used in printing the reports. Taking no action on the results of a vulnerability scan is about the worst thing you can do when it comes to vulnerability scans. It's worse than not running them, since you could be considered liable because you know about the vulnerabilities but you aren't doing anything about them.

If you receive a RST (reset) packet back from a target host, what do you know about your target? 1. The target is using UDP rather than TCP. 2. The destination port is open on the target host. 3. The source port in the RST message is closed. 4. The target expects the PSH flag to be set.

3. The source port in the RST message is closed. A TCP scan sends messages to the target, expecting to get a response. With a SYN or full connect scan, the target will respond with a SYN/ACK message from an open port. With a closed port, the target will respond with a RST.

Why does an ACK scan not indicate clearly that ports are open? 1. The scanner has to guess. 2. ACK is not a supported flag. 3. The target system ignores the message. 4. ACK scans cause a lot of retransmits.

3. The target system ignores the message. When a system receives an ACK message, meaning a TCP segment with the ACK flag enabled (bit position storing a 1), it assumes there is an open connection and there is data that is being acknowledged. When there is no open connection, there is nothing to respond with. The system, not having anything else to do with the ACK, discards it. The scanner won't receive a response if the port is open. However, the scanner can't be certain that the message hasn't just been discarded by a firewall. As a result, it indicates that the port is either open or filtered. Either would result in no response. The scanner isn't guessing; it is providing two alternatives but can't be certain which it is. ACK is a supported flag in the right circumstances and ACK scans do not cause retransmits, since no response means one of two things.

What is an advantage of using masscan over nmap? 1. masscan has been around longer. 2. Nmap is hard to use. 3. masscan can scan more addresses faster. 4. masscan has access to scan more of the Internet.

3. masscan can scan more addresses faster. The program masscan is a port scanner, like nmap. However, masscan was developed to scan the entire Internet as quickly as possible. As a result, if speed is a consideration, and especially if you are scanning large address blocks, masscan is probably better suited for that task. Both nmap and masscan have access to the same address space, and masscan uses the same command-line parameters, for the most part, as nmap, so they are similarly easy to use. nmap has also been around for considerably longer, since the 1990s, than masscan has.

What would be the purpose of running a ping sweep? 1. You want to identify responsive hosts without a port scan. 2. You want to use something that is light on network traffic. 3. You want to use a protocol that may be allowed through the firewall. 4. All of the above.

4. All of the above. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics.

What does nmap look at for fingerprinting an operating system? 1. The operating system headers 2. The application version 3. The response from connecting to port 0 4. The IP ID field and the initial sequence number

4. The IP ID field and the initial sequence number When nmap performs an operating system scan, it is looking for fingerprints of the network stack in the operating system kernel. Some of the information that nmap will look at is in the IP ID field to see what numbers are used. Similarly, it will look at the initial sequence number in TCP messages to see what numbers are used there. The application version isn't relevant to an operating system scan, and there are no operating system headers that would be associated with network traffic. Operating system headers could be considered to be part of the source code for the operating system, but nmap wouldn't be able to see those. Port 0 is considered an invalid port, so the response to a connection from that port is irrelevant.

What is the difference between a SYN scan and a full connect scan? 1. A SYN scan and a full connect scan are the same. 2. A full connect scan sends an ACK message first. 3. A SYN scan uses the PSH flag with the SYN flag. 4. The SYN scan doesn't complete the three-way handshake.

4. The SYN scan doesn't complete the three-way handshake. A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target. A full connect scan completes the three-way handshake before sending the RST message. Since the full connect scan follows the correct order of the three-way handshake, it doesn't send an ACK first. There is also no PSH flag sent with the SYN flag, since there is no data to push up the stack yet.

If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume? 1. They were trying to break into a system. 2. They didn't know how to use Nessus. 3. They didn't know how to use OpenVAS. 4. They were trying to reduce false positives.

4. They were trying to reduce false positives. Vulnerability scanners don't exploit vulnerabilities in order to gain access to a system. They would only exploit a vulnerability to the extent necessary to determine whether a vulnerability exists. If they didn't know how to use Nessus or OpenVAS, they likely wouldn't be using them. It's possible they are looking to compare results from the two, but it's also very likely they are trying to compare the results with the intention of reducing false positives.

What would be a reason to use the Override feature in OpenVAS? 1. You want to run a different plug-in for a vulnerability. 2. You want to change the scanner settings. 3. You want to use TCP rather than UDP. 4. You want to change a severity rating on a finding.

4. You want to change a severity rating on a finding. Plug-ins are matched to vulnerabilities. A different plug-in would identify a different vulnerability and there is no way to change that. Scanner settings can be changed when you set up a scan. Using TCP rather than UDP is vague. If you want to change a severity rating from the one supplied by OpenVAS, you would override that rating. You may have mitigations in place or you may have investigated and found the finding to be a false positive.

What is the difference between a false positive and a false negative? 1. A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist. 2. A false positive indicates a finding that does exist, while a false negative doesn't indicate a finding that doesn't exist. 3. A false positive doesn't indicate a finding that does exist, while a false negative does indicate a finding that doesn't exist. 4. A false negative does indicate a finding that doesn't exist, while a false positive doesn't indicate a finding that does exist.

A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist. A false positive is when a finding is identified when it doesn't actually exist. A false negative is when there is no finding identified but, in fact, there is a vulnerability. A true positive is when a finding is identified that is a vulnerability. A true negative is when a finding isn't identified and there is no known vulnerability.