Chapter 5 - Scanning the networks Flashcards

1
Q

If you receive a RST packet back from a target host, what do you know about your target?
A. The target is using UDP rather than TCP.
B. The destination port is open on the target host.
C. The source port in the RST message is closed.
D. The target expects the PSH flag to be set.

A

C. The source port in the RST message is closed.

A TCP scan sends messages to the target, expecting to get a response. With a SYN or full connect scan, the target will respond with a SYN/ACK message from an open port. With a closed port, the target will respond with a RST. Keep in mind that a firewall configured to reject rather than silently drop traffic can also answer with a RST on the target's behalf, so a RST tells you the port is closed as seen from the path you probed; nmap reports both cases as closed.

2
Q

What is the difference between a SYN scan and a full connect scan?
A. A SYN scan and a full connect scan are the same.
B. A full connect scan sends an ACK message first.
C. A SYN scan uses the PSH flag with the SYN flag.
D. The SYN scan doesn’t complete the three-way handshake.

A

D. The SYN scan doesn’t complete the three-way handshake.

A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target, so the connection is never established. A full connect scan completes the three-way handshake before sending the RST message. Since the full connect scan follows the correct order of the three-way handshake, it doesn't send an ACK first. There is also no PSH flag sent with the SYN flag, since there is no data to push up the stack yet. In practice, a SYN scan (nmap -sS) needs raw socket privileges because the scanner crafts the segments itself, while a connect scan (nmap -sT) goes through the operating system's connect() call and works unprivileged; the completed handshake also means the service listening on an open port sees, and can log, the connection, which a SYN scan usually avoids.

3
Q

What is one reason a UDP scan may take longer than a TCP scan of the same host?

A. UDP will retransmit more.
B. UDP has more ports to scan.
C. UDP is a slower protocol.
D. UDP requires more messages to set up.

A

A. UDP will retransmit more.
There is no defined response to a message to a UDP port. It is left entirely up to the application. Since a lack of response can mean the message never reached its recipient, the scanning system has to retransmit to any port that stays silent before it can report the port as open|filtered. A closed UDP port is normally signalled by an ICMP port unreachable message, but many stacks rate-limit those (Linux defaults to about one per second), so even closed ports frequently appear silent on the first probe and force retransmissions, which is why a UDP scan of many ports can take hours. UDP is generally quicker than TCP because of a lack of overhead, it requires no messages to set up, and it has the same number of ports as TCP.

4
Q

Why does an ACK scan not indicate clearly that ports are open?
A. The scanner has to guess.
B. ACK is not a supported flag.
C. The target system ignores the message.
D. ACK scans cause a lot of retransmits.

A

C.

An ACK message, meaning a TCP segment with the ACK flag enabled (bit position storing a 1), is only meaningful on an established connection. A system that receives one with no matching connection does not treat it as a connection request; it discards the segment and, following RFC 793, answers with a RST whether the port is open or closed. Because the target ignores the probe in exactly the same way for both states, the reply cannot tell you which ports are open. What a RST does tell you is that the probe reached the host, and what no reply (or an ICMP unreachable) tells you is that something in the path dropped it. nmap therefore reports ACK scan results as unfiltered or filtered, never as open or closed. The scanner isn't guessing; it is reporting the only thing the response can establish. ACK is a supported flag in the right circumstances, and ACK scans do not cause retransmits beyond nmap's normal retries for probes that get no answer.

5
Q

What is one reason for using a scan like an ACK scan?
A. It may get through firewalls and IDS devices.
B. It is better supported.
C. The code in nmap is more robust.
D. An ACK scan is needed for scripting support.

A

A.

Evasion is an important concept. You may spend a lot of time working on evading detection or getting blocked. Since an ACK without an open connection is aberrant, a stateless firewall or IDS may pass it through unexamined: a packet filter that permits "established" traffic by allowing any segment with the ACK bit set will let ACK probes through, which is why nmap's ACK scan (-sA) is used to map firewall rules rather than to find open ports. A stateful firewall, by contrast, will drop an ACK that belongs to no tracked connection. ACK scans are not better supported. In fact, there is really no support from the network stack for an ACK scan, which is why nmap needs raw socket privileges to send one. The code is no more robust in nmap for an ACK scan than other scans, or at least there is no evidence of that being the case. ACK scans are not needed for scripting support.

6
Q

What does nmap look at for fingerprinting an operating system?
A. The operating system headers
B. The application version
C. The response from connecting to port 0
D. The IP ID field and the initial sequence number

A

D.

When nmap performs an operating system scan (-O), it is looking for fingerprints of the network stack in the operating system kernel. Some of the information that nmap will look at is in the IP ID field to see what numbers are used. Similarly, it will look at the initial sequence number in TCP messages to see what numbers are used there. It also records details such as the TCP window size, the order of TCP options, and how the stack answers unusual or malformed probes, and compares the whole fingerprint against its nmap-os-db database; the scan is most accurate when it can reach at least one open and one closed TCP port on the target. The application version isn't relevant to an operating system scan, and there are no operating system headers that would be associated with network traffic. Operating system headers could be considered to be part of the source code for the operating system, but nmap wouldn't be able to see those. Port 0 is reserved and not a valid port, so the response to a connection to that port is irrelevant.
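To make the IP ID and initial sequence number tests concrete, here is an added Python example (not nmap's code and not from the book) that classifies an observed IP ID sequence using the decision steps documented for nmap's TI test and computes the GCD of ISN differences the way nmap's GCD test does. The thresholds are taken from the nmap OS detection documentation; the wrap-around handling is an approximation of nmap's MOD_DIFF, and the samples at the bottom are constructed, not captures.

```python
from functools import reduce
from math import gcd
from typing import Dict, List, Sequence


def ipid_sequence_class(ids: Sequence[int]) -> str:
    """Classify how a stack generates IP IDs. The decision steps follow the ones documented
    for nmap's TI test (Z, RD, constant, RI, BI, I); this is a simplified re-implementation,
    not nmap's own code."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "Z"                                         # always zero
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if any(d >= 20000 for d in diffs):
        return "RD"                                        # random
    if all(i == ids[0] for i in ids):
        return "%X" % ids[0]                               # constant value, recorded as hex
    if any(d > 1000 and d % 256 != 0 for d in diffs):
        return "RI"                                        # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                                        # incremental, but sent in host byte order (classic Windows)
    if all(d < 10 for d in diffs):
        return "I"                                         # incremental (small gaps allowed for other traffic)
    return "unclassified"


def isn_differences(isns: Sequence[int]) -> List[int]:
    """Distances between consecutive TCP initial sequence numbers, taking the shorter way round
    the 32-bit ring so a wrap-around does not look like a huge jump (modelled on nmap's MOD_DIFF)."""
    diffs = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) & 0xFFFFFFFF
        if d > 0x80000000:
            d = 0x100000000 - d
        diffs.append(d)
    return diffs


def isn_gcd(isns: Sequence[int]) -> int:
    """nmap's GCD test: the smallest step the ISN generator appears to use."""
    diffs = isn_differences(isns)
    if not diffs:
        raise ValueError("need at least two ISN samples")
    return reduce(gcd, diffs)


def summarize(ipids: Sequence[int], isns: Sequence[int]) -> Dict[str, object]:
    """Combine both observations into the kind of verdict an OS fingerprint is built from."""
    diffs = isn_differences(isns)
    return {
        "ipid_class": ipid_sequence_class(ipids),
        "isn_gcd": isn_gcd(isns),
        # a constant increment means the next ISN is trivially predictable (old stacks, "64K rule")
        "isn_constant_step": len(set(diffs)) == 1,
    }


if __name__ == "__main__":
    # Constructed samples, not captures: what a classic Windows stack, a Linux-like stack and a
    # random-ISN stack might return to six SYN probes.
    print(summarize([0x0100, 0x0200, 0x0300, 0x0400], [64000, 128000, 192000, 256000]))
    print(summarize([1000, 1001, 1003, 1004], [0x10000000, 0x10000003, 0x10000008, 0x1000000C]))
```

A "BI" IP ID class together with a constant ISN step narrows the target down a long way before any application banner is read, which is why these two fields matter to an OS scan.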

7
Q

What is nmap looking at when it conducts a version scan?
A. TCP and IP headers
B. Application banners
C. Operating system kernel
D. IP ID and TCP sequence number fields

A

B.

A version scan with nmap (-sV) is looking to identify versions of the services/applications running on the target. nmap connects to each open port, reads any banner the service sends on its own, sends protocol-specific probes to services that wait for the client to speak first, and matches what comes back against the signatures in its nmap-service-probes file. The kernel is identified with an OS scan. TCP and IP headers don't provide application versions. The IP ID field and TCP sequence number fields don't provide version information either.
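The probe-then-match loop a version scan runs, as an added Python example (not nmap's code and not from the book): a NULL probe reads whatever the service volunteers, a GET request is sent to services that wait for the client, and the response is matched against a small signature table shaped like nmap-service-probes match lines. The signature table and the three stand-in services are constructed for this example; no network is involved.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Probes in the order version detection tries them: read whatever the service volunteers first
# (the NULL probe), then send protocol-specific requests to services that wait for the client.
PROBES: List[Tuple[str, bytes]] = [
    ("NULL", b""),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n"),
]

# Signature table shaped like nmap-service-probes "match" lines. Constructed for this example;
# it is not nmap's data and only knows the products used below.
SIGNATURES = [
    ("ssh", re.compile(r"^SSH-(?P<protocol>[\d.]+)-(?P<product>OpenSSH)_(?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 (?P<hostname>\S+) ESMTP (?P<product>Postfix|Exim|Sendmail)(?: \((?P<version>[^)]+)\))?")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3} .*?\r\nServer: (?P<product>[\w-]+)(?:/(?P<version>[\w.]+))?", re.S)),
]


def match_banner(response: str) -> Optional[Dict[str, str]]:
    """Return service/product/version extracted from a response, or None if no signature matches."""
    for service, pattern in SIGNATURES:
        m = pattern.match(response)
        if m:
            info = {"service": service}
            info.update({k: v for k, v in m.groupdict().items() if v})
            return info
    return None


def identify_service(target: Callable[[bytes], str]) -> Optional[Dict[str, str]]:
    """`target` stands in for connect+send+recv on one open port: it takes probe bytes and
    returns the text that came back (empty string if the service stayed silent)."""
    for name, probe in PROBES:
        response = target(probe)
        if not response:
            continue
        info = match_banner(response)
        if info:
            info["probe"] = name
            return info
    return None


# Constructed stand-ins for three listening services.
def fake_ssh(probe: bytes) -> str:
    return "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n"          # SSH servers speak first


def fake_smtp(probe: bytes) -> str:
    return "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n"


def fake_http(probe: bytes) -> str:
    if probe.startswith(b"GET "):                                 # HTTP servers wait for a request
        return "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n"
    return ""


if __name__ == "__main__":
    for name, target in (("ssh", fake_ssh), ("smtp", fake_smtp), ("http", fake_http)):
        print(name, identify_service(target))
```

A service that answers nothing recognisable to any probe is exactly the case where nmap prints the port as open but leaves the version column blank.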

8
Q

What is an advantage of using masscan over nmap?
A. masscan has been around longer.
B. nmap is hard to use.
C. masscan can scan more addresses faster.
D. masscan has access to scan more of the Internet.

A

C.

The program masscan is a port scanner, like nmap. However, masscan was developed to scan the entire Internet as quickly as possible: it uses its own userspace TCP/IP stack and transmits probes asynchronously, without waiting for each reply, so on suitable hardware it can send millions of packets per second. As a result, if speed is a consideration, and especially if you are scanning large address blocks, masscan is probably better suited for that task; the trade-off is that it reports only open/closed ports and basic banners (--banners), so you would still hand its results to nmap for version and OS detection. Both nmap and masscan have access to the same address space, and masscan uses the same command-line parameters, for the most part, as nmap, so they are similarly easy to use. nmap has also been around for considerably longer, since the 1990s, than masscan has.

9
Q

If you were to see hping -S -p 25 10.5.16.2, what would you assume?
A. Someone was trying to probe the web port of the target.
B. Someone was trying to probe an email port on the target.
C. Someone was trying to identify if SNMP was supported on 10.5.16.2.
D. Someone had mistyped ping.

A

B. hping is a program used to send specially designed messages to a target. You use command-line parameters to tell hping what to include in the message being sent. The command hping -S -p 25 10.5.16.2 is used to have hping send SYN messages to port 25, the default SMTP port, at 10.5.16.2 (on current systems the binary is usually hping3, with the same options; without -c it keeps sending one segment per second until stopped). It's possible that someone mistyped ping, but those parameters aren't used by ping programs, and since they make sense for hping, it is more likely that hping was intended. SNMP and web traffic both use different ports than port 25: SNMP uses UDP 161, and web servers typically listen on TCP 80 or 443.
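What that command puts on the wire, as an added Python example (not from the book and not hping's code): it builds the 20-byte TCP header of a SYN probe to port 25, computes the checksum over the IPv4 pseudo-header, and decodes the flags back the way a sniffer or IDS would. The source address 10.5.16.1 and source port 40000 are assumptions; 10.5.16.2 and port 25 come from the card. Actually sending it would also need an IP header and a raw socket, which are left out.

```python
import socket
import struct

# TCP flag bits in the 13th header byte (RFC 793 / RFC 3168); "SYN" is what hping -S sets.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# src port, dst port, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for TCP, UDP, IP and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0, ack=0, window=512) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) with the given flags and a valid checksum."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4                     # header length in 32-bit words, upper nibble
    header = struct.pack(TCP_HEADER, src_port, dst_port, seq, ack, data_offset, flag_bits, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]   # checksum sits at bytes 16-17


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed TCP header; this is the view a sniffer or IDS has of the probe."""
    src_port, dst_port, seq, ack, offset_byte, flag_bits, window, csum, _urg = struct.unpack(
        TCP_HEADER, segment[:20])
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": (offset_byte >> 4) * 4, "window": window, "checksum": csum,
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_bits & bit},
    }


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct checksum makes the one's-complement sum over pseudo-header plus segment come out to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Constructed addresses: 10.5.16.2 is the target from the flashcard; 10.5.16.1 and port 40000 are assumed.
    probe = build_tcp_segment("10.5.16.1", "10.5.16.2", 40000, 25, ["SYN"])
    print(probe.hex())
    print(parse_tcp_segment(probe))
```

The same builder with ["FIN", "PSH", "URG"] produces the Xmas probe discussed later in this chapter, which is the point of a packet crafter: the flag byte is the only thing that changes between scan types.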

10
Q

If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?
A. They were trying to break into a system.
B. They didn’t know how to use Nessus.
C. They didn’t know how to use OpenVAS.
D. They were trying to reduce false positives.

A

D.

Vulnerability scanners don't exploit vulnerabilities to gain access to a system. They would only exploit a vulnerability to the extent necessary to determine whether a vulnerability exists. If they didn't know how to use Nessus or OpenVAS, they likely wouldn't be using them. It's possible they are looking to compare results from the two, but it's also likely they are trying to compare the results with the intention of reducing false positives: a finding reported by both scanners is more likely to be real, while one reported by only a single scanner is a candidate for manual verification.

11
Q

What is the difference between a false positive and a false negative?

A. A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist.
B. A false positive indicates a finding that does exist, while a false negative doesn’t indicate a finding that doesn’t exist.
C. A false positive doesn’t indicate a finding that does exist, while a false negative does indicate a finding that doesn’t exist.
D. A false negative does indicate a finding that doesn’t exist, while a false positive doesn’t indicate a finding that does exist.

A

A.

A false positive is when a finding is identified when it doesn't actually exist. A false negative is when there is no finding identified but, in fact, there is a vulnerability. A true positive is when a finding is identified that is a vulnerability. A true negative is when a finding isn't identified and there is no known vulnerability.

12
Q

What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan.
B. You want to use something that is light on network traffic.
C. You want to use a protocol that may be allowed through the firewall.
D. All of the above.

A

D.

There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol, and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics. Keep in mind that many hosts and border firewalls drop ICMP echo requests, so a silent address is not proof that nothing is there; nmap's host discovery (-sn) therefore sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request alongside the echo request when run with raw socket privileges, and uses ARP requests on the local subnet.

13
Q
Which of these may be considered worst practice when it comes to vulnerability scans?

A. Scanning production servers
B. Notifying operations staff ahead of time
C. Taking no action on the results
D. Using limited details in your scan reports

A
C.

You would be expected to scan production servers, since that would be where you would be most interested to find vulnerabilities. Letting operations staff know ahead of time is polite since vulnerability scans may inadvertently knock over systems that would need to be stood back up. Being paged in the middle of the night unexpectedly isn’t fun. If you know it’s coming, it makes it easier. You may have reasons to use limited details in your scan reports,

14
Q

Which of these may be considered an evasive technique?

A. Scanning nonstandard ports
B. Encoding data
C. Using a proxy server
D. Using nmap in blind mode

A

B.

Scanning nonstandard ports isn't evasive. It's just as noisy as, and potentially more detectable than, scanning standard ports. You could use a proxy for some tasks, but all it would do would be to hide your own IP address, which isn't evasive. You could still be blocked or detected. nmap does not have a blind mode. When you encode data, though, you make it harder for the firewall or IDS to identify something bad that may be happening, since these devices can't match their signatures against content they don't decode.

15
Q

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection

A

A.

Tunneling attacks can be used to hide one protocol inside another. They may be used to send operating system commands using a tunnel system; with DNS tunneling the commands or their output are encoded into query names or TXT records carried by ordinary-looking DNS traffic, which is often allowed out even when other protocols are blocked. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.
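What spotting that in a capture looks like in code, as an added Python example (not from the book): it encodes a DNS query in wire format, pulls the queried name back out, and applies the checks a detection rule for DNS tunneling typically uses, namely subdomain length, character entropy, and whether a label decodes (hex or padding-stripped base32, the encodings tunnels commonly use) into printable text. The zone example.com, the label "t", and the two payloads are constructed for the example.

```python
import base64
import binascii
import math
import struct


def build_dns_query(qname: str, qtype: int = 16, txn_id: int = 0x1234) -> bytes:
    """Encode a single-question DNS query in wire format (RFC 1035 section 4.1); qtype 16 is TXT."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # RD set, one question
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        question += bytes([len(raw)]) + raw
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes):
    """Return the labels of the first question (question names are never compressed)."""
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def try_decode(label: str):
    """Try hex, then base32 without padding (DNS is case-insensitive, so tunnels favour both);
    return the decoded text if it is printable ASCII, else None."""
    candidates = []
    try:
        candidates.append(binascii.unhexlify(label))
    except (binascii.Error, ValueError):
        pass
    try:
        padded = label.upper() + "=" * (-len(label) % 8)
        candidates.append(base64.b32decode(padded, casefold=True))
    except (binascii.Error, ValueError):
        pass
    for raw in candidates:
        if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None


def analyze_query(packet: bytes, zone: str) -> dict:
    """Score the part of the name below `zone`, which is what a tunnel controls."""
    labels = parse_qname(packet)
    zone_labels = zone.strip(".").split(".")
    sub = labels[:-len(zone_labels)] if labels[-len(zone_labels):] == zone_labels else labels
    subdomain = ".".join(sub)
    reasons, payload = [], None
    if len(subdomain) > 40:
        reasons.append("long subdomain (%d chars)" % len(subdomain))
    entropy = shannon_entropy(subdomain.replace(".", ""))
    if entropy > 3.5:
        reasons.append("high entropy (%.2f bits/char)" % entropy)
    for label in sub:
        payload = try_decode(label)
        if payload is not None:
            reasons.append("label decodes to text: %r" % payload)
            break
    return {"qname": ".".join(labels), "entropy": round(entropy, 2), "payload": payload,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a benign lookup, a hex-encoded command, and a base32-encoded command.
HEX_LABEL = "636174202f6574632f706173737764"                      # hex of "cat /etc/passwd"
B32_LABEL = base64.b32encode(b"id;uname -a").decode("ascii").rstrip("=").lower()

if __name__ == "__main__":
    for name in ("www.example.com", HEX_LABEL + ".t.example.com", B32_LABEL + ".t.example.com"):
        print(analyze_query(build_dns_query(name), "example.com"))
```

The decode check is what turns "this looks random" into "this is a command"; the length and entropy checks catch tunnels that encrypt or compress before encoding, where nothing printable can be recovered.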

16
Q

What is an Xmas scan?

A. TCP scan with SYN/ACK/FIN set
B. UDP scan with FIN/PSH set
C. TCP scan with FIN/PSH/URG set
D. UDP scan SYN/URG/FIN set

A

C.

The Xmas scan is a TCP scan that uses unusual flag settings in the TCP headers to attempt to evade firewalls or IDSs. The Xmas scan uses the FIN, PSH, and URG flags and is called an Xmas scan because it looks like the packet is lit up like a Christmas tree. Per RFC 793, a closed port answers such a segment with a RST and an open port silently drops it, so nmap reports a RST as closed and no response as open|filtered; stacks that send a RST regardless of port state (Windows and many Cisco devices, among others) make every port look closed, so the scan is only informative against RFC-compliant targets. None of the other answers matches what an Xmas scan is.
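Cards 1 through 4 and this card each describe one row of the same decision table: what a given reply means for a given scan type. The added Python example below (not from the book and not nmap's code) writes that table out for SYN/connect, ACK, FIN/NULL/Xmas and UDP scans using the states and ICMP codes nmap's documentation lists, and adds the retransmission loop that makes UDP scans slow. The reply constants are constructed stand-ins for captured packets.

```python
from dataclasses import dataclass
from typing import FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Reply:
    """What came back for one probe: a TCP segment, an ICMP error, a UDP datagram, or nothing at all."""
    kind: str                                # "tcp", "icmp", "udp" or "none"
    flags: FrozenSet[str] = frozenset()      # TCP flag names present in a TCP reply
    icmp_type: int = -1
    icmp_code: int = -1


NO_REPLY = Reply("none")
SYN_ACK = Reply("tcp", frozenset({"SYN", "ACK"}))
RST = Reply("tcp", frozenset({"RST", "ACK"}))
UDP_DATA = Reply("udp")
PORT_UNREACH = Reply("icmp", icmp_type=3, icmp_code=3)         # destination unreachable: port unreachable
ADMIN_PROHIBITED = Reply("icmp", icmp_type=3, icmp_code=13)    # communication administratively prohibited

# ICMP type 3 codes that nmap's scan documentation lists as "filtered" for each probe type.
TCP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {0, 1, 2, 9, 10, 13}    # code 3 means "closed" for UDP, so it is not in this set


def is_unreachable(reply: Reply, codes) -> bool:
    return reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code in codes


def port_state(scan: str, reply: Reply) -> str:
    """Map a single reply to the port state nmap would print for that scan type."""
    if scan in ("syn", "connect"):
        if reply.kind == "tcp" and {"SYN", "ACK"} <= reply.flags:
            return "open"
        if reply.kind == "tcp" and "RST" in reply.flags:
            return "closed"
        if reply.kind == "none" or is_unreachable(reply, TCP_FILTERED_CODES):
            return "filtered"
    elif scan == "ack":
        # Open and closed ports both answer an unsolicited ACK with RST (RFC 793), so a RST only
        # proves the probe got through; the scan maps firewall rules, not open ports.
        if reply.kind == "tcp" and "RST" in reply.flags:
            return "unfiltered"
        if reply.kind == "none" or is_unreachable(reply, TCP_FILTERED_CODES):
            return "filtered"
    elif scan in ("fin", "null", "xmas"):
        # RFC 793: a closed port answers RST, an open port drops the segment, hence "open|filtered".
        # Stacks that send RST regardless (Windows, many Cisco devices) make every port look closed.
        if reply.kind == "tcp" and "RST" in reply.flags:
            return "closed"
        if is_unreachable(reply, TCP_FILTERED_CODES):
            return "filtered"
        if reply.kind == "none":
            return "open|filtered"
    elif scan == "udp":
        if reply.kind == "udp":
            return "open"
        if is_unreachable(reply, {3}):
            return "closed"
        if is_unreachable(reply, UDP_FILTERED_CODES):
            return "filtered"
        if reply.kind == "none":
            return "open|filtered"
    else:
        raise ValueError("unknown scan type: %s" % scan)
    raise ValueError("reply %r is not a defined outcome for a %s scan" % (reply, scan))


def probe_with_retries(scan: str, replies: Sequence[Reply], max_retries: int = 2) -> Tuple[str, int]:
    """Send a probe, retransmit while nothing comes back, and return (state, probes sent).
    `replies` holds what each successive transmission gets back; a silence followed by an ICMP
    port unreachable models the rate limiting that makes closed UDP ports look empty at first."""
    sent = 0
    for reply in replies:
        sent += 1
        if reply.kind != "none" or sent > max_retries:
            return port_state(scan, reply), sent
    return port_state(scan, NO_REPLY), sent


if __name__ == "__main__":
    print(port_state("syn", RST), port_state("ack", RST), port_state("xmas", NO_REPLY))
    print(probe_with_retries("udp", [NO_REPLY, NO_REPLY, NO_REPLY]))
    print(probe_with_retries("udp", [NO_REPLY, PORT_UNREACH]))
```

Reading the table row by row makes the chapter's recurring point visible: the same RST means closed to a SYN scan, unfiltered to an ACK scan and closed to an Xmas scan, and silence means filtered, filtered and open|filtered respectively, so a scan type has to be chosen for the question you want answered.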

17
Q

What would you use MegaPing for?

A. Running exploits
B. Running a port scan
C. Issuing manual web requests
D. Crafting packets

A

B.
MegaPing can be used to perform a lot of different functions, but crafting packets, sending manual web requests, and running exploits are not functions it supports. It can, though, run a port scan.

18
Q

What would be a reason to use the Override feature in OpenVAS?

A. You want to run a different plugin for a vulnerability.
B. You want to change the scanner settings.
C. You want to use TCP rather than UDP.
D. You want to change a severity rating on a finding.

A

D.

Plugins are matched to vulnerabilities. A different plugin would identify a different vulnerability and there is no way to change that. Scanner settings can be changed when you set up a scan. Using TCP rather than UDP is vague. If you want to change a severity rating from the one supplied by OpenVAS, you would override that rating. You may have mitigations in place, or you may have investigated and found the finding to be a false positive.

19
Q
What would you use credentials for in a vulnerability scanner?

A. Better reliability in network findings
B. Authenticating through VPNs for scans
C. Scanning for local vulnerabilities
D. Running an Active Directory scan

A

C.

Credentials wouldn't give better reliability in network findings, and vulnerability scanners don't typically provide a way to directly authenticate through a VPN. The VPN client would be expected to be running ahead of time if the network is behind the VPN. An Active Directory scan is a vague answer, and it may not be something you can do with a vulnerability scanner. If you provide credentials, though, the scanner can authenticate against systems on the network and check for local vulnerabilities.

20
Q

What is fragroute primarily used for?

A. Altering network routes
B. Capturing fragmented packets
C. Fragmenting application traffic
D. Fragmenting layer 2 and layer 3 headers

A

C.

The program fragroute intercepts outbound traffic destined for a specific host and rewrites it according to a rule set (rules such as ip_frag, tcp_seg, dup, delay and order). This may include fragmenting application traffic into small IP fragments or TCP segments, as well as duplicating, reordering and delaying traffic, to test or evade an IDS's reassembly. While there is a possibility of fragmenting layer 3 headers, if layer 2 headers were fragmented, there would be no way to get the message to the destination.