CH 5 - Scanning Networks Flashcards
If you receive a RST packet back from a target host, what do you know about your target?
A. The target is using UDP rather than TCP
B. The destination port is open on the target host
C. The source port in the RST message is closed
D. The target expects the PSH flag to be set
C.
The source port in the RST message is closed
What is the difference between a SYN scan and a full connect scan?
A. A SYN scan and a full connect scan are the same
B. A full connect scan sends an ACK message first
C. A SYN scan uses the PSH flag with the SYN flag
D. The SYN scan doesn’t complete the 3-way handshake
D.
The SYN scan doesn’t complete the 3-way handshake
What is 1 reason a UDP scan may take longer than a TCP scan of the same host?
A. UDP will retransmit more
B. UDP has more ports to scan
C. UDP is a slower protocol
D. UDP requires more messages to set up
A.
UDP will retransmit more
Why does an ACK scan not indicate clearly that ports are open?
A. The scanner has to guess
B. ACK is not a supported flag
C. The target system ignores the message
D. ACK scans cause a lot of retransmits
C.
The target system ignores the message
What is 1 reason for using a scan like an ACK scan?
A. It may get through firewalls and IDS devices
B. It is better supported
C. The code in nmap is more robust
D. An ACK scan is needed for scripting support
A.
It may get through firewalls and IDS devices
What does nmap look at for fingerprinting an operating system?
A. The operating system headers
B. The application version
C. The response from connecting to port 0
D. The IP ID field and the initial sequence number
D.
The IP ID field and the initial sequence number
What is nmap looking at when it conducts a version scan?
A. TCP and IP headers
B. Application banners
C. Operating system kernel
D. IP ID and TCP sequence number fields
B.
Application banners
What is an advantage of using masscan over nmap?
A. masscan has been around longer
B. nmap is hard to use
C. masscan can scan more addresses faster
D. masscan has access to scan more of the internet
C.
masscan can scan more addresses faster
If you were to see
hping -S -p 25 10.5.16.2,
what would you assume?
A. someone was trying to probe the web port of the target
B. someone was trying to probe an email port on the target
C. someone was trying to identify if SNMP was supported on 10.5.16.2
D. someone had mistyped ping
B.
someone was trying to probe an email port on the target
If you were to see that someone was using OpenVAS, followed by Nessus,
what might you assume?
A. They were trying to break into a system
B. They didn’t know how to use Nessus
C. They didn’t know how to use OpenVAS
D. They were trying to reduce false positives
D.
They were trying to reduce false positives
What is the difference between a false positive and a false negative?
A. A false positive indicates a finding that doesn’t exist, while a false negative doesn’t indicate a finding that does exist.
B. A false positive indicates a finding that does exist, while a false negative doesn’t indicate a finding that doesn’t exist.
C. A false positive doesn’t indicate a finding that does exist, while a false negative does indicate a finding that doesn’t exist.
D. A false negative does indicate a finding that doesn’t exist, while a false positive doesn’t indicate a finding that does exist.
A.
A false positive indicates a finding that doesn’t exist, while a false negative doesn’t indicate a finding that does exist.
What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan
B. You want to use something that is light on network traffic
C. You want to use a protocol that may be allowed through the firewall
D. All of the above
D.
All of the above
Which of these may be considered worst practice when it comes to vulnerability scans?
A. Scanning production servers
B. Notifying operations staff ahead of time
C. Taking no action on the results
D. Using limited details in your scan reports
C.
Taking no action on the results
Which of these may be considered an evasive technique?
A. Scanning nonstandard ports
B. Encoding data
C. Using a proxy server
D. Using nmap in blind mode
B.
Encoding data
If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection
A.
Tunneling attack