03 Scanning and Enumeration Flashcards
- Your team is hired to test a business named Matt’s Bait ’n’ Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:
metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html
Which of the following best describes what the team member is attempting to do?
A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format
B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format
C. Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file
D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com
C. This is an example of good tool knowledge and use. Metagoofil, per www.edge-security.com/metagoofil.php, “is an information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, .xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.”
In the syntax given, Metagoofil runs a Google search restricted to mattsBTshop.com for Microsoft Word documents (both .doc and .docx, from the -t switch), capping the search at 50 results (the -l switch). It then downloads the first 20 matches it finds (the -n switch), pulls the metadata out of each, and the -f switch names the report file (in this case, an HTML file).
And just what will those results be? Well, that’s where the fun comes in. Remember, Metagoofil tries to extract metadata from publicly available Microsoft Word documents available on the site. You might find e-mail addresses, document paths, software versions, and even usernames in the results.
A, B, and D are incorrect because they do not match the syntax provided.
- You are running multiple enumeration scans as part of an assessment. In one particular scan, you have nmap send an initial FIN packet followed immediately by an ACK packet. Which of the following best describes the type of scan you are running?
A. Inverse TCP
B. TCP Maimon
C. XMAS
D. Half-closed
B. According to nmap's documentation on the scan (https://nmap.org/book/scan-methods-maimon-scan.html), way back in 1996 Uriel Maimon wrote a Phrack article titled "Port Scanning without the SYN flag." The probe is a single segment with both the FIN and ACK flags set (nmap runs it with -sM). RFC 793 says a RST should come back whether the port is open or closed, but Maimon noticed that many BSD-derived stacks silently drop the probe when the port is open, and that difference is what lets you infer port state. The "FIN packet followed by an ACK packet" wording in the question is how the courseware describes that FIN/ACK probe.
EC-Council added TCP Maimon back to the official courseware and obviously wants you to know about it. Per the study material, if the port is open, you won't get a response; if it's closed, you'll receive a RST packet. Nmap reports the silent case as open|filtered, because a firewall dropping the probe looks exactly like an open port.
A is incorrect because an Inverse TCP Flag scan sends probes with a single flag set (typically FIN, URG, or PSH) or with no flags at all. No response indicates an open (or filtered) port, whereas a RST comes back from a closed one. When no flags are set, the probe is also referred to as a null scan.
C is incorrect because an XMAS scan sets the FIN, URG, and PSH flags together (nmap -sX; the courseware describes it as "all flags lit"). It is ineffective against Windows systems, which answer every such probe with a RST regardless of port state, and only works against devices whose TCP stack follows RFC 793.
D is incorrect because this scan type simply doesn’t exist.
- You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
A. Your IDLE scan results will not be useful to you.
B. The zombie system is a honeypot.
C. There is a misbehaving firewall between you and the zombie machine.
D. This is an expected result during an IDLE scan.
A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not in fact idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.
B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”
C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.
D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the zombie's IPID to increase by exactly one for every packet the zombie itself sends, so an open port on the target shows up as a jump of two between your probes (the RST it sends to the target's SYN/ACK plus its reply to you) and a closed or filtered port as a jump of one. Random jumps are the signature of an active system, not of a usable zombie.
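The IPID arithmetic behind the answer, as an added example that is not part of the original page or of nmap: first check that the zombie is idle (its IPID climbs by exactly one per probe you send), then read each target port off the delta between two zombie probes bracketing your spoofed SYN. The IPID sequences below are constructed; nmap's real -sI is more elaborate (it sends several probes per port, handles broken little-endian counters and uses a binary search across groups of ports), but the model here is the one the exam tests.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample data.
IDLE_BASELINE = [31337, 31338, 31339, 31340]      # quiet zombie: +1 per packet it sends
BUSY_BASELINE = [31337, 31345, 31346, 31402]      # zombie chatting with other hosts

# (target_port, zombie IPID before our spoofed SYN, zombie IPID after it)
OBSERVATIONS: List[Tuple[int, int, int]] = [
    (22, 31340, 31341),     # +1: only our probe answered -> closed or filtered
    (80, 31341, 31343),     # +2: zombie also RSTed the target's SYN/ACK -> open
    (443, 31343, 31344),    # +1
    (8080, 65535, 1),       # +2 across the 16-bit wrap -> open
    (3306, 31344, 31351),   # +7: something else talked to the zombie -> unusable
]


def ipid_delta(before: int, after: int) -> int:
    """IPID is a 16-bit counter; compute the increment modulo 65536."""
    return (after - before) & 0xFFFF


def zombie_is_idle(baseline: Iterable[int]) -> bool:
    """A usable zombie increments its IPID by exactly one for each probe we send."""
    seq = list(baseline)
    return len(seq) >= 2 and all(ipid_delta(a, b) == 1 for a, b in zip(seq, seq[1:]))


def classify_ports(observations: Iterable[Tuple[int, int, int]]) -> Dict[int, str]:
    """Infer target port state from how far the zombie's IPID moved.

    Between the two zombie probes we sent one SYN to the target with the zombie's
    spoofed source address. An open target port SYN/ACKs the zombie, the zombie
    answers with a RST, and that extra packet costs one extra IPID.
    """
    states: Dict[int, str] = {}
    for port, before, after in observations:
        d = ipid_delta(before, after)
        if d == 1:
            states[port] = "closed|filtered"
        elif d == 2:
            states[port] = "open"
        else:
            states[port] = "unreliable (zombie not idle)"
    return states


if __name__ == "__main__":
    print("idle zombie usable:", zombie_is_idle(IDLE_BASELINE))
    print("busy zombie usable:", zombie_is_idle(BUSY_BASELINE))
    for port, state in classify_ports(OBSERVATIONS).items():
        print(f"{port:>5}/tcp {state}")
```

Note that the technique cannot tell a closed port from a filtered one: in both cases the target sends nothing (or a RST, which the zombie ignores) to the zombie, so the delta is one either way.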
- You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?
A. nmap 192.168.1.0/24
B. nmap -sT 192.168.1.0/24
C. nmap -sP 192.168.1.0/24
D. nmap -P0 192.168.1.0/24
C. The -sP switch within nmap is designed for a ping sweep: host discovery only, with no port scan. Current nmap versions call the same thing -sn and keep -sP as a deprecated alias, so either spelling works. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don't define a scan type, nmap performs its default port scan of the targets (a SYN scan when run as root, a connect scan otherwise) against the 1,000 most common ports. The switches, though, provide the real power with this tool.
A is incorrect because this syntax will not perform a ping sweep. It will run nmap's default port scan against every host in the subnet.
B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP connect scan, which completes the full three-way handshake on every probed port; it is the noisiest option, but its results are the most reliable.
D is incorrect because this syntax will not perform a ping sweep. The -P0 switch (written -Pn in current versions) skips host discovery altogether and treats every target as up, so nmap port-scans hosts even when they ignore ICMP. That is the opposite of a ping sweep, and it is the switch to reach for when a firewall is blocking your discovery probes and nothing seems to respond.
- A pen tester is performing banner grabbing and executes the following command:
$ nmap -sV host.domain.com -p 80
He gets the following output:
Starting Nmap 6.47 ( http://nmap.org) at 2022-07-08 19:10 EST
Nmap scan report for host.domain.com (108.61.158.211)
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
Which of the following is a true statement?
A. Nmap can’t perform banner grabbing, as it cannot retrieve the version number of any running remote service.
B. The pen tester was successful in banner grabbing.
C. Using nmap -O host.domain.com would have been a better choice for banner grabbing.
D. Banner grabbing failed because the result did not return the version of the Apache web server.
B. You can expect a few versions of this type of question on your exam. Not only are there bunches of ways to do banner grabbing, but the outputs of each method are different. In this case, the nmap attempt was successful in identifying an Apache server.
A is incorrect because nmap can most certainly perform banner grabbing.
C is incorrect because the -O flag enables OS detection.
D is incorrect because the lack of a version number is irrelevant. Nmap matched the server's banner to Apache httpd, which is the banner grab; Apache simply didn't disclose its version. That is normal on hardened servers: with ServerTokens Prod the Server header is just "Apache", so -sV has no number to print even though the grab itself succeeded.
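Reading an nmap -sV port table programmatically makes the distinction in this question concrete: the VERSION column holds whatever nmap matched from the banner, and a product name without a number is still a successful grab, while an empty column means the probe matched nothing. The following is an added example, not part of the page or of nmap; the scan output it parses is constructed (RFC 5737 test address, three invented rows) in the same format as the output above.

```python
import re
from typing import Dict, List, Optional

# One row of nmap's port table: "80/tcp  open  http  Apache httpd 2.4.41 ((Ubuntu))".
# The VERSION column is optional; -sV leaves it blank when no probe matched.
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<banner>.+?))?\s*$"
)

# Constructed sample output in nmap's format; host and rows are invented.
SAMPLE_OUTPUT = """Starting Nmap 6.47 ( http://nmap.org ) at 2022-07-08 19:10 EST
Nmap scan report for host.example.com (192.0.2.10)
Host is up (0.032s latency).
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
22/tcp  open  ssh
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
"""


def version_number(banner: Optional[str]) -> Optional[str]:
    """Pull a dotted version (2.4.41) out of a banner, or None if it has none."""
    if not banner:
        return None
    m = re.search(r"\d+(?:\.\d+)+", banner)
    return m.group(0) if m else None


def parse_service_table(output: str) -> List[Dict]:
    """Return one dict per port row of nmap -sV normal output."""
    rows: List[Dict] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("PORT") and "STATE" in line:
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_ROW.match(line)
        if not m:
            break  # first non-row line ends the table
        banner = m.group("banner")
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "banner": banner,                         # what -sV matched, or None
            "version": version_number(banner),        # numeric version if disclosed
            "banner_grabbed": banner is not None,     # a product name alone still counts
        })
    return rows


if __name__ == "__main__":
    for row in parse_service_table(SAMPLE_OUTPUT):
        print(f"{row['port']}/{row['proto']}: grabbed={row['banner_grabbed']} "
              f"banner={row['banner']!r} version={row['version']!r}")
```

In the constructed output, 80/tcp is the situation from the question (product identified, no version), 443/tcp shows a full match, and 22/tcp is what a failed grab looks like: the VERSION column is simply empty.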
- You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?
A. 53
B. 88
C. 445
D. 514
E. 631
E. You will probably see three to five questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0–1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won’t, and maybe you can’t. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you’ll see on the exam somewhere—and then use the process of elimination to get to the right answer.
For example, suppose you had no idea that TCP port 631 was used by the Internet Printing Protocol (IPP), but you did know what 53, 88, and 445 were for. Suddenly it’s not that difficult (now down to a 50/50 chance). By the way, 631 won’t be the only thing you’ll be monitoring for, but of the answers provided, it is the best choice.
A is incorrect because 53 is the port number used by DNS (TCP and UDP). Ordinary queries and answers ride UDP; TCP 53 is used for zone transfers and for responses too large to fit in a single UDP datagram (the server sets the truncated flag and the resolver retries over TCP).
B is incorrect because 88 is the port number used by Kerberos.
C is incorrect because 445 is used for Microsoft SMB file sharing. You’ll definitely see SMB file sharing and this port somewhere on the exam, usually as part of a scenario like the one in this question.
D is incorrect because 514 is the (UDP) port number used by syslog—and trust me, you need to know this one. EC-Council loves syslog. You’ll definitely see it a couple of times on the exam.
- A colleague enters the following command:
root@mybox: # hping3 -A 192.168.2.x -p 80
What is being attempted here?
A. An ACK scan using hping3 on port 80 for a single address
B. An ACK scan using hping3 on port 80 for a group of addresses
C. Address validation using hping3 on port 80 for a single address
D. Address validation using hping3 on port 80 for a group of addresses
B. Hping is a great tool that provides a variety of options. You can craft arbitrary TCP/IP packets with it, audit and test firewall rules, run traceroute-style probes, and even move files over covert channels. In this example, the colleague is performing a basic ACK scan (the -A switch) against port 80 (-p 80) across the 192.168.2.0/24 subnet (the x in the last octet stands in for every host address in it). Hping3, the latest version, is scriptable (Tcl) and implements an engine that allows a human-readable description of TCP/IP packets.
A is incorrect because the syntax targets an entire subnet rather than a single host: the x in the last octet tells hping to substitute every value, which works out to the 254 usable host addresses beginning 192.168.2. One caveat for the lab rather than the exam: hping3 itself only expands the x wildcard in --rand-dest mode, where it fills the octet with random values rather than walking it in order, so a deterministic sweep is usually scripted around hping3 or done with nmap -sA instead.
C and D are both incorrect because “address validation” is not a scan type.
- You are examining traffic between hosts and note the following exchange:
Source Prot Port Flag Destination
192.168.5.12 TCP 4082 FIN/URG/PSH 192.168.5.50
192.168.5.12 TCP 4083 FIN/URG/PSH 192.168.5.50
192.168.5.12 TCP 4084 FIN/URG/PSH 192.168.5.50
192.168.5.50 TCP 4083 RST/ACK 192.168.5.12
192.168.5.12 TCP 4085 FIN/URG/PSH 192.168.5.50
Which of the following statements are true regarding this traffic? (Choose all that apply.)
A. It appears to be part of an ACK scan.
B. It appears to be part of an XMAS scan.
C. It appears port 4083 is open.
D. It appears port 4083 is closed.
B, D. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it'll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it's an XMAS scan. If the destination port is open (or a firewall is dropping the probes), you won't receive anything back; if it's closed, you'll see a RST/ACK. This tells you port 4083 looks like it's closed (see line four of the capture). As an addendum, did you know there are two reasons why it's called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won't see this much out in the real world because it just really doesn't have much applicability. But on your exam? Oh yes, it'll be there.
A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).
C is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).
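The reasoning in the last several questions (read the probe's flag set to name the scan, then read the target's reply, or silence, to infer port state) is mechanical enough to code. This added example (not part of the original page) does exactly that over capture rows in the same five-column layout shown above: the XMAS capture from the question is reproduced as sample data, and a second constructed capture of a SYN scan shows the generalization to the other scan types named in this chapter (SYN, ACK, FIN/NULL/Maimon). The SYN capture's addresses are invented; a row whose flag field reads NONE is a null-scan probe.

```python
from typing import Dict, FrozenSet, List, Tuple

Row = Tuple[str, str, int, FrozenSet[str]]  # (src, dst, port, flags)

# The capture from the question, in its Source/Prot/Port/Flag/Destination layout.
XMAS_CAPTURE = """\
192.168.5.12 TCP 4082 FIN/URG/PSH 192.168.5.50
192.168.5.12 TCP 4083 FIN/URG/PSH 192.168.5.50
192.168.5.12 TCP 4084 FIN/URG/PSH 192.168.5.50
192.168.5.50 TCP 4083 RST/ACK 192.168.5.12
192.168.5.12 TCP 4085 FIN/URG/PSH 192.168.5.50
"""

# Constructed SYN (half-open) scan: 80 open, 81 closed, 82 silent, plus the
# scanner's own RST tearing down the half-open connection on port 80.
SYN_CAPTURE = """\
10.0.0.5 TCP 80 SYN 10.0.0.9
10.0.0.5 TCP 81 SYN 10.0.0.9
10.0.0.5 TCP 82 SYN 10.0.0.9
10.0.0.9 TCP 80 SYN/ACK 10.0.0.5
10.0.0.9 TCP 81 RST/ACK 10.0.0.5
10.0.0.5 TCP 80 RST 10.0.0.9
"""

# Probe flag set -> scan name, as the courseware defines them.
SCAN_BY_FLAGS = {
    frozenset({"SYN"}): "SYN (half-open)",
    frozenset({"ACK"}): "ACK",
    frozenset({"FIN"}): "FIN (inverse flag)",
    frozenset({"URG"}): "URG (inverse flag)",
    frozenset({"PSH"}): "PSH (inverse flag)",
    frozenset(): "NULL",
    frozenset({"FIN", "URG", "PSH"}): "XMAS",
    frozenset({"FIN", "ACK"}): "Maimon",
}


def parse_rows(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "TCP":
            continue  # header or junk
        src, _, port, flags, dst = parts
        flagset = frozenset() if flags == "NONE" else frozenset(flags.split("/"))
        rows.append((src, dst, int(port), flagset))
    return rows


def probes(rows: List[Row]) -> List[Row]:
    """Rows sent by the scanner (first source seen), minus its own RST teardowns."""
    scanner = rows[0][0]
    return [r for r in rows if r[0] == scanner and "RST" not in r[3]]


def classify_scan(rows: List[Row]) -> str:
    flagsets = {r[3] for r in probes(rows)}
    if len(flagsets) != 1:
        return "mixed/unknown"
    return SCAN_BY_FLAGS.get(next(iter(flagsets)), "unknown")


def infer_port_states(rows: List[Row]) -> Dict[int, str]:
    scanner = rows[0][0]
    scan = classify_scan(rows)
    replies = {r[2]: r[3] for r in rows if r[1] == scanner}  # port -> target's flags
    states: Dict[int, str] = {}
    for _, _, port, _ in probes(rows):
        reply = replies.get(port)
        if scan == "SYN (half-open)":
            if reply and {"SYN", "ACK"} <= reply:
                states[port] = "open"
            elif reply and "RST" in reply:
                states[port] = "closed"
            else:
                states[port] = "filtered"
        elif scan == "ACK":
            # ACK scans map firewall rules, not open ports.
            states[port] = "unfiltered" if reply and "RST" in reply else "filtered"
        else:
            # NULL / FIN / XMAS / Maimon / single-flag probes: RST means closed,
            # silence means open or filtered (RFC 793 stacks only).
            states[port] = "closed" if reply and "RST" in reply else "open|filtered"
    return states


if __name__ == "__main__":
    for name, capture in (("question", XMAS_CAPTURE), ("constructed", SYN_CAPTURE)):
        rows = parse_rows(capture)
        print(name, "->", classify_scan(rows), infer_port_states(rows))
```

Run against the question's capture this yields XMAS with 4083 closed and 4082, 4084 and 4085 open|filtered; the code deliberately refuses to call the silent ports "open", which is the same honesty nmap shows when it prints open|filtered for these scan types.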
- You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?
A. The network is unreachable.
B. The host is unknown.
C. Congestion control is enacted for traffic to this host.
D. A firewall is prohibiting connection.
D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. Code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.
A is incorrect because “network unreachable” is Type 3, Code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.
B is incorrect because "destination host unknown" is Type 3, Code 7. The router knows a route to the network but reports that the host does not exist on it; it has nothing to do with name resolution.
C is incorrect because “congestion control” ICMP messaging is Type 4.
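To see the type and code fields in the wire format rather than in a table, here is an added example (not part of the original page) that builds an ICMP Destination Unreachable message the way a filtering router would, complete with the RFC 1071 checksum and the offending datagram's IP header and first 8 bytes, and then parses and validates it. The enclosed IP/TCP header bytes are constructed with RFC 5737 test addresses; the decoder flags codes 9, 10 and 13, which are all "administratively prohibited" variants and the ones that point at a filtering device.

```python
import struct
from typing import Dict

ICMP_DEST_UNREACH = 3

# Selected Type 3 codes (IANA ICMP parameters).
CODE_DESCRIPTIONS = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    7: "destination host unknown",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED_CODES = {9, 10, 13}

# Constructed offending datagram: 20-byte IPv4 header (192.0.2.10 -> 192.0.2.80)
# followed by the first 8 bytes of a TCP header (sport 40321, dport 80).
ORIGINAL_DATAGRAM = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    + struct.pack("!HHI", 40321, 80, 0)
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; pads an odd trailing byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, original_datagram: bytes) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then IP header + 8 bytes."""
    payload = original_datagram[:28]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + payload


def checksum_valid(pkt: bytes) -> bool:
    """Summing a correctly checksummed message, checksum field included, yields 0."""
    return len(pkt) >= 8 and inet_checksum(pkt) == 0


def parse_icmp(pkt: bytes) -> Dict:
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if not checksum_valid(pkt):
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    info: Dict = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH:
        info["meaning"] = CODE_DESCRIPTIONS.get(code, "unassigned/other")
        info["filtered_by_policy"] = code in ADMIN_PROHIBITED_CODES
        # The quoted header tells you which of your probes was refused.
        if len(pkt) >= 8 + 24:
            inner_ip = pkt[8:28]
            info["refused_dst"] = ".".join(str(b) for b in inner_ip[16:20])
            info["refused_dport"] = struct.unpack("!H", pkt[30:32])[0]
    return info


if __name__ == "__main__":
    msg = build_dest_unreachable(13, ORIGINAL_DATAGRAM)
    print(msg.hex())
    print(parse_icmp(msg))
```

The quoted inner header is the useful part for a scanner: it is how nmap knows which target port the "admin-prohibited" message refers to, and therefore which port to mark filtered.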
- Which port-scanning method presents the most risk of discovery but provides the most reliable results?
A. Full-connect
B. Half-open
C. Null scan
D. XMAS scan
A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).
B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).
C is incorrect because a null scan sends packets with no flags set at all. Responses depend on the target's TCP stack, so reliability is spotty: an RFC 793 stack answers only for closed ports (with a RST), and silence can mean either open or filtered. Windows answers every such probe with a RST regardless of port state, so against Windows every port appears closed and the scan tells you nothing.
D is incorrect because although an XMAS scan is easily detectable (as our technical editor put it, “A fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.
- As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?
A. The hosts might be turned off or disconnected.
B. ICMP is being filtered.
C. The destination network might be down.
D. The servers are Linux based and do not respond to ping requests.
B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator for those two important machines would ensure ICMP is filtered. Of the choices provided, this one is the most likely explanation.
A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.
C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you that if the subnet did drop while you were testing, your test is over.
D is incorrect because it is simply not true: Linux answers ICMP echo requests by default, and only a filter (or a kernel setting such as net.ipv4.icmp_echo_ignore_all) stops it.
- A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)
A. --script
B. -z
C. -sA
D. -sC
A, D. Nmap is a great scanning tool that provides numerous options, and you'll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap's site (https://nmap.org/book/nse.html): "NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output."
I've seen mentioned in other study material that the -A switch is also considered an NSE function. That switch turns on OS detection, version detection, the default NSE script set, and traceroute (it is equivalent to -O -sV -sC --traceroute), which is why it gets lumped in with the scripting switches. A pretty good wrap-up of nmap switches is located at https://nmap.org/book/port-scanning-options.html.
B is incorrect because -z isn’t an nmap switch.
C is incorrect because the -sA switch runs an ACK scan (ACK segments are sent to ports to determine their state).
- Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?
A. ls
B. chmod
C. pwd
D. lsof
D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all kinds of additional information. As an aside, the command ps (for process status) is probably an even better choice for the task listed.
A is incorrect because ls (list) simply displays the files and folders in a directory. Its counterpart on Windows is dir.
B is incorrect because chmod is used to set permissions on files and objects in Linux.
C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.
- You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?
A. sc query
B. sc query type=all
C. sc query type=service
D. sc query state= all
D. The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service.
A sampling of uses for the sc command follows:
* sc config Changes a service's configuration, including its start type (automatic, manual, or disabled) and the account it runs under.
* sc query Displays information about services, drivers, and types of both. Without parameters, it returns a list of all running services and associated information. To create a list of all services, use sc query state= all.
* sc start Starts a service that is not running.
* sc stop Stops a running service.
* sc pause Pauses a service.
* sc continue Resumes a paused service.
* sc enumdepend Lists the services that cannot run unless the specified service is running.
* sc qc Displays the configuration of a particular service.
And finally, one more quick note: Remember there is always a space after the equals sign (and not one before). Syntax is important, and ECC will probably spring that on you.
A, B, and C all use incorrect syntax for the question asked.
- An administrator enters the following command on a Linux system:
iptables -t nat -L
Which of the following best describes the intent of the command entered?
A. The administrator is attempting a port scan.
B. The administrator is configuring IP masquerading.
C. The administrator is preparing to flood a switch.
D. The administrator is preparing a DoS attack.
B. Do you remember network address translation? It’s a neat little technology that allows lots of internal hosts, using nonroutable private addressing, to access the Internet by borrowing and using a single address (or a group of addresses) managed by a router or other system. IP masquerading is much the same thing; it’s just accomplished through a Linux host. In short, a Linux machine can act as a NAT translator by employing proper routing configuration, using one NIC to communicate with the internal network and one with the external network, and enabling IP masquerading.
Looking over the man page for the command (one copy can be found at http://ipset.netfilter.org/iptables.man.html), we see that iptables is an administration tool for IPv4 packet filtering and NAT. Per the man page, "Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined." Each table contains a number of built-in chains and is selected with iptables -t tablename, followed by the operation you want, where tablename is filter, nat, mangle, raw, or security. For example, -A appends a rule, -D deletes one, -R replaces one, and -L, as in the question, lists the rules in the table's chains. Strictly speaking, -t nat -L only inspects the NAT table; the masquerading rule itself lives in the nat table's POSTROUTING chain and would be added with -A. But of the answers offered, IP masquerading is the only one that has anything to do with the nat table, so B is the best fit.
A, C, and D are incorrect because they do not accurately represent what is being attempted.