CC6051 Ethical Hacking quiz 5
When a TCP three-way handshake ends, both parties send a(n) ____ packet to end the connection. Answer SYN ACK FIN RST
FIN
The ____ vi command deletes the current line. Answer d dl dd dw
dd
The ____ option of Nmap is used to perform a TCP SYN stealth port scan. Answer -sS -sU -sV -S
-sS
HTTP uses port ____ to connect to a Web service. Answer 21 22 25 80
80
typically used to get past a firewall
ACK scan
____ is a reasonably priced commercial port scanner with a GUI interface. Answer AW Security Port Scanner Common Vulnerabilities and Exposures Ethereal Tcpdump
AW Security Port Scanner
Which ports should security professionals scan when doing a test? Why?
As a security tester, you need to know which ports attackers are going after so those ports can be closed or protected. Security professionals must scan all ports when doing a test, not just the well-known ports (Ports 1 to 1023, the most common, are covered in Chapter 2). Many computer programs use port numbers outside the range of well-known ports. For example, pcAnywhere operates on ports 65301, 22, 5631, and 5632. A hacker who discovers that port 65301 is open might want to check the information at the Common Vulnerabilities and Exposures Web site for a possible vulnerability in pcAnywhere. After a hacker discovers an open service, finding a vulnerability or exploit isn't difficult.
A closed port can be vulnerable to an attack. Answer True False
False
A closed port responds to a SYN scan with an RST packet, so if no packet is received, the best guess is that the port is open. Answer True False
False
A disadvantage of Nmap is that it is very slow because it scans all the 65,000 ports of each computer in the IP address range. Answer True False
False
If subnetting is used in an organization, you can include the broadcast address by mistake when performing ping sweeps. How might this happen?
If you decide to use ping sweeps, be careful not to include the broadcast address in your range of addresses. You can do this by mistake if subnetting is used in an organization. For example, if the IP address 193.145.85.0 is subnetted with a 255.255.255.192 subnet mask, four subnets are created: 193.145.85.0, 193.145.85.64, 193.145.85.128, and 193.145.85.192. The broadcast addresses for each subnet are 193.145.85.63, 193.145.85.127, 193.145.85.191, and 193.145.85.255, respectively. If a ping sweep was inadvertently activated on the range of hosts 193.145.85.65 to 193.145.85.127, an inordinate amount of traffic could flood through the network because the broadcast address of 193.145.85.127 was included. This would be more of a problem on a Class B address, but if you perform ping sweeps, make sure your client signs a written agreement authorizing the testing.
How does a SYN scan work?
In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port to which the SYN packet is sent is closed, the computer responds to the SYN packet with an RST/ACK packet. If a SYN/ACK packet is received by an attacker's computer, it quickly responds with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction. In this sense, it is "stealthy." After all, you don't want a transaction to be logged showing the IP address that connected to the attacked computer.
A common Linux rootkit is ____. Answer Back Orifice Kill Trojans Packet Storm Security Linux Rootkit 5
Linux Rootkit 5
Why is port scanning considered legal by most security testers and hackers?
Most security testers and hackers argue that port scanning is legal simply because it doesn't invade others' privacy; it merely discovers whether the party being scanned is available. The typical analogy is a person walking down the street and turning the doorknob of every house along the way. If the door opens, the person notes that the door is open and proceeds to the next house. Of course, entering the house would be a crime in most parts of the world, just as entering a computer system or network without the owner's permission is a crime.
TCP scan with all the packet flags turned off
NULL scan
The ____ tool was originally written for Phrack magazine in 1997 by Fyodor. Answer Unicornscan Fping Nessus Nmap
Nmap
____ is currently the standard port-scanning tool for security professionals. Answer Unicornscan Fping Nessus Nmap
Nmap
a port scanning tool
Nmap
What makes the ____________________ tool unique is the ability to update security check plug-ins when they become available.
OpenVAS
____, an open-source fork of Nessus, functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration. Answer Unicornscan NetScanTools OpenVAS Nmap
OpenVAS
Why is port scanning useful for hackers?
Port scanning helps you answer questions about open ports and services by enabling you to quickly scan thousands or even tens of thousands of IP addresses. Many port-scanning tools produce reports of their findings, and some give you best-guess assessments of which OS is running on a system. Most, if not all, scanning programs report open ports, closed ports, and filtered ports in a matter of seconds. When a Web server needs to communicate with applications or other computers, for example, port 80 is opened. An open port allows access to applications and can be vulnerable to an attack. A closed port does not allow entry or access to a service. For instance, if port 80 is closed on a Web server, users wouldn't be able to access Web sites. A port reported as filtered might indicate that a firewall is being used to allow specified traffic in or out of the network.
A computer that receives a SYN packet from a remote computer responds to the packet with a(n) ____ packet if its port is open. Answer FIN RST SYN/ACK ACK
SYN/ACK
____ is a protocol packet analyzer. Answer Nmap Fping Tcpdump Nessus
Tcpdump
Port scanning is a method of finding out which services a host computer offers. Answer True False
True
You can search for known vulnerabilities in a host computer by using the Common Vulnerabilities and Exposures Web site. Answer True False
True
____ was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors. Answer Unicornscan NetScanTools Nessus Nmap
Unicornscan
What makes the OpenVAS tool unique?
What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to designate it as dangerous, and the author's judgment on what's considered dangerous might differ from yours.
Closed ports respond to a(n) ____ with an RST packet. Answer XMAS scan SYN scan Connect scan ACK scan
XMAS scan
In this type of scan, the FIN, PSH, and URG flags are set
XMAS scan
Nmap has a GUI version called ____________________ that makes it easier to work with some of the more complex options.
Zenmap
does not allow entry or access to a service
closed port
The ____ relies on the OS of the attacked computer, so it's a little more risky to use than the SYN scan. Answer NULL scan connect scan XMAS scan ACK scan
connect scan
similar to the SYN scan, except that it does complete the three-way handshake
connect scan
might indicate that a firewall is being used
filtered port
allows access to applications
open port
operates on ports 65301, 22, 5631, and 5632
pcAnywhere
Port scanners can also be used to conduct a(n) ____________________ of a large network to identify which IP addresses belong to active hosts.
ping sweep
An OpenVAS ____________________ is a security test program (script) that can be selected from the client interface.
plug-in
A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt. Answer script program snippet signature
script
Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use ____________________ attacks that are more difficult to detect.
stealth
In an ACK scan, if the attacked port returns an RST packet, the attacked port is considered to be "____". Answer open closed unfiltered unassigned
unfiltered