CH 5 - Scanning Networks Flashcards

1
Q

If you receive a RST packet back from a target host, what do you know about your target?

A. The target is using UDP rather than TCP
B. The destination port is open on the target host
C. The source port in the RST message is closed
D. The target expects the PSH flag to be set

A

C.
The source port in the RST message is closed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the difference between a SYN scan and a full connect scan?

A. A SYN scan and a full connect scan are the same
B. A full connect scan sends an ACK message first
C. A SYN scan uses the PSH flag with the SYN flag
D. The SYN scan doesn’t complete the 3-way handshake

A

D.
The SYN scan doesn’t complete the 3-way handshake

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is 1 reason a UDP scan may take longer than a TCP scan of the same host?

A. UDP will retransmit more
B. UDP has more ports to scan
C. UDP is a slower protocol
D. UDP requires more messages to set up

A

A.
UDP will retransmit more

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Why does an ACK scan not indicate clearly that ports are open?

A. The scanner has to guess
B. ACK is not a supported flag
C. The target system ignores the message
D. ACK scans cause a lot of retransmits

A

C.
The target system ignores the message

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is 1 reason for using a scan like an ACK scan?

A. It may get through firewalls and IDS devices
B. It is better supported
C. The code in nmap is more robust
D. An ACK scan is needed for scripting support

A

A.
It may get through firewalls and IDS devices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does nmap look at for fingerprinting an operating system?

A. The operating system headers
B. The application version
C. The response from connecting to port 0
D. The IP ID field and the initial sequence number

A

D.
The IP ID field and the initial sequence number

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is nmap looking at when it conducts a version scan?

A. TCP and IP headers
B. Application banners
C. Operating system kernel
D. IP ID and TCP sequence number fields

A

B.
Application banners

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is an advantage of using masscan over nmap?

A. masscan has been around longer
B. nmap is hard to use
C. masscan can scan more addresses faster
D. masscan has access to scan more of the internet

A

C.
masscan can scan more addresses faster

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

If you were to see
hping -S -p 25 10.5.16.2,
what would you assume?

A. someone was trying to probe the web port of the target
B. someone was trying to probe an email port on the target
C. someone was trying to identify if SNMP was supported on 10.5.16.2
D. someone had mistyped ping

A

B.
someone was trying to probe an email port on the target

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

If you were to see that someone was using OpenVAS, followed by Nessus,
what might you assume?

A. They were trying to break into a system
B. They didn’t know how to use Nessus
C. They didn’t know how to use OpenVAS
D. They were trying to reduce false positives

A

D.
They were trying to reduce false positives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the difference between a false positive and a false negative?

A. A false positive indicates a finding that doesn’t exist, while a false negative doesn’t indicate a finding that does exist.

B. A false positive indicates a finding that does exist, while a false negative doesn’t indicate a finding that doesn’t exist.

C. A false positive doesn’t indicate a finding that does exist, while a false negative does indicate a finding that doesn’t exist.

D. A false negative does indicate a finding that doesn’t exist, while a false positive doesn’t indicate a finding that does exist.

A

A.
A false positive indicates a finding that doesn’t exist, while a false negative doesn’t indicate a finding that does exist.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What would be the purpose of running a ping sweep?

A. You want to identify responsive hosts without a port scan
B. You want to use something that is light on network traffic
C. You want to use a protocol that may be allowed through the firewall
D. All of the above

A

D.
All of the above

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of these may be considered worst practice when it comes to vulnerability scans?

A. Scanning production servers
B. Notifying operations staff ahead of time
C. Taking no action on the results
D. Using limited details in your scan reports

A

C.
Taking no action on the results

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of these may be considered an evasive technique?

A. Scanning nonstandard ports
B. Encoding data
C. Using a proxy server
D. Using nmap in blind mode

A

B.
Encoding data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection

A

A.
Tunneling attack

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is an Xmas scan?

A. TCP scan with SYN / ACK / FIN set
B. UDP scan with FIN / PSH set
C. TCP scan with FIN / PSH / URG set
D. UDP scan with SYN / URG / FIN set

A

C.
TCP scan with FIN / PSH / URG set

17
Q

What would you use MegaPing for?

A. Running exploits
B. Running a port scan
C. Issuing manual web requests
D. Crafting packets

A

B.
Running a port scan

18
Q

What would be a reason to use the Override feature in OpenVAS?

A. You want to run a different plugin for a vulnerability
B. You want to change the scanner settings
C. You want to use TCP rather than UDP
D. You want to change a severity rating on a finding

A

D.
You want to change a severity rating on a finding

19
Q

What would you use credentials for in a vulnerability scanner?

A. Better reliability in network findings
B. Authenticating through VPNs for scans
C. Scanning for local vulnerabilities
D. Running an Active Directory scan

A

C.
Scanning for local vulnerabilities

20
Q

What is fragroute primarily used for?

A. Altering network routes
B. Capturing fragmented packets
C. Fragmenting application traffic
D. Fragmenting layer 2 and layer 3 headers

A

C.
Fragmenting application traffic

21
Q

If you wanted to have nmap perform fragmentation for you, what command-line parameters could you use?

A. -f and –mtu
B. -f and -g
C. –mtu and -g
D. -g and -spoof-mac

A

A.
-f and –mtu

22
Q

What type of scan would you use to take advantage of firewall rules that may be in place to accommodate protocols like DNS and FTP?

A. Fragmentation
B. MAC spoofing
C. Source port spoofing
D. Idle scanning

A

C.
Source port spoofing

23
Q

When could you use MAC spoofing with your nmap scan?

A. If your target is running DNS
B. If you ran a fragmentation attack at the same time
C. If you were remote
D. If you were on the local network

A

D.
If you were on the local network

24
Q

What number does the MTU setting need to be a multiple of when you are using MTU fragmenting with nmap?

A. 2
B. 4
C. 6
D. 8

A

D.
8

25
Q

What command-line parameter would you use to perform a decoy scan with nmap?

A. -C
B. -D
C. -S
D. -F

A

B.
-D