03 CEH: Scanning Networks


What *nmap flag* can be used to scan ports consecutively as opposed to scanning them in a random order?

-r

What nmap flag is used by an attacker to perform an SCTP COOKIE ECHO scan?

-sZ

What nmap flag allows an attacker to perform a ping sweep?

-sn (n == no port scan)

What is the purpose of the TCP *URG* flag?

To designate that the data contained in the packet should be processed immediately

According to the material, what is the purpose of *banner grabbing*?

To determine the target's operating system

What is the purpose of the TCP *SYN* flag?

To initiate a connection between hosts

What is an *ICMP ECHO Ping Sweep*?

When an ICMP ECHO Ping Scan is performed against multiple targets

What scanning tool identifies a target's operating system by observing the TTL values in its responses?

unicornscan

What *nmap flag* can be used to scan fewer ports than the default scan?

-F

What *nmap* flags are used to spoof source port numbers?

-g --source-port

What is the flow of an ACK scan when a stateful firewall filters the packets?

1. Client sends ACK probe 2. Client receives no response or receives ICMP error message

What is the flow of an ACK scan when the remote port is closed?

1. Client sends ACK probe 2. Server responds with RST

What is the flow of an ACK scan when the remote port is open?

1. Client sends ACK probe 2. Server responds with RST

What three different types of packets will be sent to <target> when the attacker executes the following nmap command: nmap -PO <target>

1. ICMP 2. IGMP 3. IP-in-IP

What are the 6 network discovery and mapping tools the material recommends?

1. Network Topology Mapper 2. OpManager 3. The Dude 4. NetSurveyor 5. NetBrain 6. Spiceworks Network Mapping Tool

What are the 3 mobile network discovery and mapping tools the material recommends?

1. Scany 2. Network Analyzer 3. PortDroid Network Analysis

What 2 tools does the material recommend for OS detection?

1. nmap 2. unicornscan

What is the layer 3 limited broadcast address?

255.255.255.255

What type of scan is *best* for determining whether a host is filtered by a stateful firewall?

ACK scan

What type of scan should be performed to quickly and effectively discover live hosts in a large IPv4 network?

ARP ping scan (nmap -PR)

What is the purpose of the TCP *PSH* flag?

All buffered data is sent immediately

What is an address that can be used to broadcast messages to all addresses on a broadcast domain, where the messages are forwarded by routers?

Directed broadcast address

What is the layer 2 limited broadcast address?

FF:FF:FF:FF:FF:FF

In what scanning techniques does an attacker send a spoofed source address to a computer to determine the available services?

IDLE/IPID header scan

What is an address that can be used to broadcast messages to all addresses on a broadcast domain, where the messages are not forwarded by routers?

Limited broadcast address

What is a command line tool that can craft many types of Layer 2 and Layer 3 packets, including ARP, Ethernet, TCP, and UDP packets?

Nemesis

What type of scanning technique is used by an attacker to check whether a machine is vulnerable to UPnP exploits?

SSDP scanning

What *hping3* flag(s) would you use to set each of the 6 TCP flags?

SYN: -S ACK: -A PSH: -P RST: -R URG: -U FIN: -F

TTL and TCP Window Size of *Windows 2000*

TTL: 128 Window Size: 16384

TTL and TCP Window Size of *Windows XP*

TTL: 128 Window Size: 65535

TTL and TCP Window Size of *Windows 98, Vista, 7, and Server 2008*

TTL: 128 Window Size: 8192

TTL and TCP Window Size of *iOS 12.4* and *Cisco Routers*

TTL: 255 Window Size: 4128

TTL and TCP Window Size of *Solaris 7*

TTL: 255 Window Size: 8760

TTL and TCP Window Size of *Windows 95*

TTL: 32 Window Size: 8192

TTL and TCP Window Size of *AIX 4.3*

TTL: 64 Window Size: 16384

TTL and TCP Window Size of *OpenBSD*

TTL: 64 Window Size: 16384

TTL and TCP Window Size of *Google Linux*

TTL: 64 Window Size: 5720

TTL and TCP Window Size of *Linux (Kernel 2.4 and 2.6)*

TTL: 64 Window Size: 5840

TTL and TCP Window Size of *FreeBSD*

TTL: 64 Window Size: 65535

What is the purpose of the TCP *FIN* flag?

There will be no further communications

While performing a UDP scan of a subnet, you receive an ICMP reply of Code 3/Type 3 for all the pings you have sent out. What is the most likely cause of this?

UDP port is closed

An attacker sends a TCP packet to the target with the ACK flag set and then analyzes the window size of the ACK packet it receives back from the target. If the window size falls in a particular range (non-zero in the book), the port is open. What type of scanning was performed?

Window-based ACK Flag Probe Scanning

What is the tool for network scanning and packet crafting that the material recommends?

hping2/hping3

What *nmap* command attempts to perform *OS detection* using *IPv6 fingerprinting* against a <target>?

nmap -6 -O <target>

What *nmap* command attempts to perform *OS detection* against a <target>?

nmap -O <target>

What *nmap* command allows you to perform service version discovery against a <target>?

nmap -sV <target>

What is a graphical user interface tool for generating TCP/IP packets and can manipulate the sequence of packets by adjusting the delay or number of packets that are sent?

packETH

What *hping3* flag(s) allows you to send as many packets as fast as possible to the target?

--flood

What *hping3* flag(s) would you use to get firewalls and timestamps (whatever that means)?

--tcp-timestamp

What *hping3* flag designates raw IP mode?

-0

What *hping3* flag designates ICMP mode?

-1

What *hping3* flag designates UDP mode?

-2

What *nmap* flag allows you to perform IPv6 scanning?

-6

What *hping3* flag designates *scan mode*, allowing you to scan a particular <range of ports>?

-8 <range of ports>

What *hping3* flag designates *listen mode*, allowing you to listen on an interface for a particular <signature>?

-9 <signature>

What *hping3 flag* is used to perform an *ACK scan*?

-A

What *nmap* flag is used to spoof the source IP address?

-D

What *hping3* flag(s) allows you to specify a particular network <interface>?

-I <interface>

What *hping3* flag(s) would you use to collect the initial sequence number?

-Q

What flag of *hping3* is used by an attacker to collect the initial sequence number?

-Q

What *hping3* flag(s) allows you to spoof the source IP address?

-a <address>

What *hping3* flag(s) allows you to specify a particular <port>

-p <port>

What operating system can be identified when scan results show a TTL value of 64 and TCP window size of 5840?

Linux (Kernel 2.4 and 2.6)

What tool is a network scanner for iPhone and iPad that is used to scan LAN, Wi-Fi networks, websites, open ports, and network devices and can support several networking protocols?

Scany

What tool can be used to disable or change banner information of services running on open ports?

ServerMask

What is the network protocol that works in conjunction with the UPnP protocol to detect plug and play devices?

Simple Service Directory Protocol (SSDP)

An attacker sends a TCP packet to the target with the ACK flag set and then analyzes the TTL of the ACK packet it receives back from the target. If the TTL falls in a particular range (< 64 in the book), the port is open. What type of scanning was performed?

TTL-based ACK Flag Probe Scanning

What is the purpose of the TCP *RST* flag?

The connection is being reset

What are the 5 types of host discovery scanning techniques?

1. ARP Ping Scan 2. UDP Ping Scan 3. ICMP Ping Scan 4. TCP Ping Scan 5. IP Protocol Ping Scan

When administrators have blocked ICMP ECHO pings, what other two ICMP ping methods can you use to discover hosts?

1. ICMP Timestamp Ping 2. ICMP Address Mask Ping

What 3 mobile scanning tools does the material recommend?

1. IP Scanner 2. Fing 3. Network Scanner

In TCP communication, how does one acknowledge a message in their response?

By setting the acknowledge sequence number to the received sequence number plus one

You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. What type of scan should you run to get *very reliable* results?

Connect scan

What TCP communication flag is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated?

FIN

True or false: a TCP Connect / Full Open Scan requires superuser privileges?

False

What scanning tool is a mobile app for Android and iOS that provides complete network information, such as the IP address, MAC address, device vendor, and ISP location?

Fing

What Metasploit information discovery module can you use to check if the target is vulnerable to UPnP exploits?

UPnP SSDP M-Search: auxiliary/scanner/upnp/ssdp_amp

What *nmap* command is used to perform an IDLE/IPID header scan on <target>?

nmap -sI <target> (I is an uppercase i)

What *nmap* command would you use to perform a TCP ACK Flag probe scan against a <target>?

nmap -sA <target>

What *nmap* command would you use to perform a List Scan against a <target>?

nmap -sL <target>

What *nmap* command would you use to perform a TCP Maimon scan against a <target>?

nmap -sM <target>

What *nmap* command allows you to perform a *protocol scan* against a <target>?

nmap -sO <target>

What is the flow of list scanning?

1. Generate a list of IP addresses 2. Perform reverse DNS lookups on all IP addresses in the list

What are the 3 types of ICMP Ping scans?

1. ICMP ECHO Ping (ICMP Echo Ping Sweep) 2. ICMP Timestamp Ping 3. ICMP Address Mask Ping

Walk through the flow of an IDLE/IPID Header Scan.

1. Attacker sends a SYN+ACK packet to the zombie machine to probe its IPID number (e.g., IPID = 100)
2. Attacker sends a SYN packet to the target machine and spoofs the source IP address with the zombie's IP address
3. If the port is open, the target will send a SYN+ACK packet to the zombie, and the zombie will respond with a RST packet (IPID = 101)
4. If the port is closed, the target will send a RST to the zombie and the zombie will ignore it (IPID = 100)
5. The attacker probes the zombie's IPID again, which will increment it. If the port was open, IPID == 102. If the port was closed, IPID == 101. In other words, an IPID difference of 2 indicates the port is open and an IPID difference of 1 indicates the port is closed

How can ACK Flag Probe Scanning be used to check the filtering system of a target?

1. Attacker sends an ACK packet with a random sequence number 2. No response indicates that the port is filtered (a stateful firewall is present) 3. RST response indicates that the port is not filtered

What's the flow for terminating a TCP session?

1. Client --[FIN]--> Server 2. Client <--[ACK]-- Server 3. Client <--[FIN]-- Server 4. Client --[ACK]--> Server

What does a TCP Connect / Full Open scan flow look like when the remote port is *open*?

1. Client and server complete three-way handshake 2. Client closes connection with RST packet

What does a SCTP COOKIE ECHO Scanning flow look like when the remote port is *open*?

1. Client sends COOKIE ECHO chunk 2. Server doesn't respond

What does a SCTP COOKIE ECHO Scanning flow look like when the remote port is *closed*?

1. Client sends COOKIE ECHO chunk 2. Server responds with ABORT chunk

What does a TCP Maimon flow look like when the remote port is *open*?

1. Client sends FIN+ACK packet 2. Server doesn't respond

What does a TCP Maimon flow look like when the remote port is *closed*?

1. Client sends FIN+ACK probe 2. Server responds with RST packet

What does an Xmas Scan flow look like when the remote port is *open*?

1. Client sends FIN+URG+PSH packet 2. Server doesn't respond

What does an Xmas Scan flow look like when the remote port is *closed*?

1. Client sends FIN+URG+PSH packet 2. Server responds with RST packet

What does a SCTP INIT Scanning flow look like when the remote port is *filtered*?

1. Client sends INIT chunk 2. No response from server

What does a SCTP INIT Scanning flow look like when the remote port is *closed*?

1. Client sends INIT chunk 2. Server responds with ABORT chunk

What does a SCTP INIT Scanning flow look like when the remote port is *open*?

1. Client sends INIT chunk 2. Server responds with INIT+ACK chunk

What does a TCP Connect / Full Open scan flow look like when the remote port is *closed*?

1. Client sends SYN packet 2. Server responds with RST packet

When performing a TCP Connect / Full Open Scan, what is the expected response when the remote port is *closed*?

1. Client sends SYN packet 2. Server responds with RST packet

What does a TCP Stealth Scan flow look like when the remote port is *open*?

1. Client sends SYN packet 2. Server responds with SYN+ACK packet 3. Client sends RST packet

What does a UDP Scanning flow look like when the remote port is *open*?

1. Client sends UDP packet 2. Server doesn't respond

What does a UDP Scanning flow look like when the remote port is *closed*?

1. Client sends UDP packet 2. Server responds with *ICMP Port Unreachable* message

What does a FIN, URG, or PSH Scan flow look like when the remote port is *open*?

1. Client sends probe packet 2. Server doesn't respond

What does a FIN, URG, or PSH Scan flow look like when the remote port is *closed*?

1. Client sends probe packet 2. Server responds with RST+ACK packet

What are the 6 types of Inverse TCP Flag Scanning port scanning techniques?

1. FIN Scan: only FIN flag set
2. URG Scan: only URG flag set
3. PSH Scan: only PSH flag set
4. NULL Scan: no flags set
5. Xmas Scan: FIN, URG, PSH flags set
6. Maimon Scan: only FIN and ACK flags set

What are the 3 types of TCP Scanning port scanning techniques?

1. Open TCP Scanning Methods (TCP Connect / Full Open Scan) 2. Stealth TCP Scanning Methods 3. Third Party and Spoofed TCP Scanning Methods (IDLE/IPID Header Scan)

What are the 2 types of SCTP Scanning port scanning techniques?

1. SCTP INIT Scanning 2. SCTP COOKIE ECHO Scanning

What are the 2 types of TCP Ping scans?

1. TCP SYN Ping 2. TCP ACK Ping

What are the 5 types of port scanning techniques?

1. TCP Scanning 2. UDP Scanning 3. SCTP Scanning 4. SSDP Scanning 5. IPv6 Scanning

Which of the following is the active banner grabbing technique used by an attacker to determine the OS running on a remote target system? 1. TCP sequence ability test 2. Banner grabbing from error messages 3. Sniffing of network traffic 4. Banner grabbing from page extensions

1. TCP sequence ability test

What are the 2 types of ACK Flag Probe Scanning port scanning techniques?

1. TTL-based Scan 2. Window Scan

What are the 8 tools the material recommends for performing a ping sweep?

1. nmap 2. hping3 3. Angry IP Scanner 4. SolarWinds Engineer's Toolset 5. NetScanTools Pro 6. Colasoft Ping Tool 7. Visual Ping Tester 8. OpUtils

What 8 tools does the material recommend for network scanning?

1. nmap 2. hping3 3. Metasploit 4. NetScanTools Pro 5. Unicornscan 6. SolarWinds Port Scanner 7. PRTG Network Monitor 8. OmniPeek Network Protocol Analyzer

Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping? 1. UDP ping scan 2. ICMP address mask ping scan 3. ICMP ECHO ping scan 4. ICMP ECHO ping sweep

2. ICMP address mask ping scan

Which of the following countermeasures should be used to prevent a ping sweep? 1. Avoiding the use of DMZ and disallowing commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ 2. Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses 3. Disabling the firewall 4. Allowing connection with any host performing more than 10 ICMP ECHO requests

2. Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses

Which of the following IDS/firewall evasion techniques helps an attacker increase their Internet anonymity? 1. IP address decoy 2. Proxy chaining 3. Source port manipulation 4. Source routing

2. Proxy chaining

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS? 1. Traceroute to control the path of the packets sent during the scan 2. ICMP ping sweep to determine which hosts on the network are not available 3. Fingerprinting to identify which operating systems are running on the network 4. Timing options to slow the speed that the port scan is conducted

4. Timing options to slow the speed that the port scan is conducted

What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? 1. Passive 2. Distributive 3. Active 4. Reflective

Active

What *nmap* command allows you to perform a TCP Stealth Scan against a <target>?

nmap -sS <target>

What *nmap* command allows you to perform a TCP Connect / Full Open scan against a <target>?

nmap -sT <target>

What *nmap* command would you use to perform a UDP scan against a <target>?

nmap -sU <target>

What *nmap* command would you use to perform an Xmas scan against a <target>?

nmap -sX <target>

What *nmap* command would you use to perform a SCTP INIT scan against a <target>?

nmap -sY <target>

What *nmap* command would you use to perform a SCTP COOKIE ECHO scan against a <target>?

nmap -sZ <target>

What *nmap* command would you use to perform a TCP ACK Ping Scan against a <target>?

nmap -sn -PA <target>

What *nmap* command is used to perform an ICMP ECHO Ping Scan against a <target>?

nmap -sn -PE <target>

What *nmap* command would you use to perform an ICMP Address Mask Ping Scan against a <target>?

nmap -sn -PM <target>

What *nmap* command would you use to perform an IP Protocol Ping Scan against a <target>?

nmap -sn -PO <target>

What *nmap* command would you use to perform an ICMP Timestamp Ping Scan against a <target>?

nmap -sn -PP <target>

What *nmap* command is used to perform an ARP Ping Scan against a <target>?

nmap -sn -PR <target>

What *nmap* command would you use to perform a TCP SYN Ping Scan against a <target>?

nmap -sn -PS <target>

What *nmap* command is used to perform a UDP Ping Scan against a <target>?

nmap -sn -PU <target>
