Module 03 - Scanning Networks (EC Mode) Flashcards

1
Q

Which of the following TCP communication flags confirms the receipt of a transmission and identifies the next expected sequence number?

A. ACK flag
B. SYN flag
C. FIN flag
D. RST flag

A

Answer: A. ACK flag.

Synchronize or “SYN”:
It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.

Acknowledgement or “ACK”:
It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus implying that the receiver should pay attention to it.

Finish or “FIN”:
It is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.

Reset or “RST”:
When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

2
Q

Which of the following TCP communication flags notifies the transmission of a new sequence number and represents the establishment of a connection between two hosts?

A. PSH flag
B. RST flag
C. FIN flag
D. SYN flag

A

Answer: D. SYN flag.

Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system, and the connection established by the SYN flag is terminated.

Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.

Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.

Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

3
Q

Which of the following types of scanning involves the process of checking the services running on a target computer by sending a sequence of messages to break in?

A. Port scanning
B. Banner grabbing
C. Vulnerability scanning
D. Network scanning

A

Answer: A. Port scanning.

Network Scanning: Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.

Port Scanning: Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in.

Vulnerability Scanning: Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities.

Banner Grabbing: Banner grabbing, or “OS fingerprinting,” is a method used to determine the OS that is running on a remote target system.

4
Q

Which of the following TCP communication flags is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated?

A. RST flag
B. FIN flag
C. SYN flag
D. ACK flag

A

Answer: B. FIN flag.

Explanation:

The following are the TCP communication flags:

Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus implying that the receiver should pay attention to it.

Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.

Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.

5
Q

Which of the following is NOT an objective of network scanning?

A. Discover the services running
B. Discover usernames and passwords
C. Discover the network’s live hosts
D. All of the above are objectives of network scanning

A

Answer: B. Discover usernames and passwords.

Explanation:

The more information is at hand about a target organization, the greater the chances of identifying the network’s security loopholes and, consequently, of gaining unauthorized access to it. Below are some objectives for scanning a network:

Discover the network’s live hosts, IP addresses, and the open ports of those live hosts. Using the open ports, the attacker will determine the best means of entry into the system.

Discover the operating system and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the operating system’s vulnerabilities.

Discover the services running/listening on the target system. Doing so gives the attacker an indication of which vulnerabilities (based on the service) could be exploited to gain access to the target system.

Identify specific applications or versions of a particular service.

Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.

6
Q

Which of the following hping commands is used by an attacker to collect the initial sequence number?

A. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
B. hping3 -2 10.0.0.25 -p 80
C. hping3 -A 10.0.0.25 -p 80
D. hping3 192.168.1.103 -Q -p 139 -s

A

Answer: D. hping3 192.168.1.103 -Q -p 139 -s

Explanation:

ACK scan on port 80: hping3 -A 10.0.0.25 -p 80

UDP scan on port 80: hping3 -2 10.0.0.25 -p 80

Collecting Initial Sequence Number: hping3 192.168.1.103 -Q -p 139 -s

Firewalls and Timestamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

7
Q

Which of the following scanning tools is a mobile app for Android and iOS that provides complete network information, such as the IP address, MAC address, device vendor, and ISP location?

A. Netcraft
B. Maltego
C. Fing
D. Nmap

A

Answer: C. Fing.

Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.

Nmap (“Network Mapper”) is a security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a “map” of the network.

Maltego is a program that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.

Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer.

8
Q

An attacker is using the scanning tool Hping to scan and identify live hosts, open ports, and services running on a target network. He/she wants to collect all the TCP sequence numbers generated by the target host. Which of the following Hping commands does he/she need to use to gather the required information?

A. hping3 -Q -p 139 -s
B. hping3 -S -p 80 --tcp-timestamp
C. hping3 -A -p 80
D. hping3 -F -P -U 10.0.0.25 -p 80

A

Answer: A. hping3 -Q -p 139 -s

hping3 -Q -p 139 -s: By using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host.

hping3 -A -p 80: By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.

hping3 -S -p 80 --tcp-timestamp: By adding the --tcp-timestamp argument in the command line, Hping enables the TCP timestamp option and tries to guess the timestamp update frequency and uptime of the target host.

hping3 -F -P -U 10.0.0.25 -p 80: By issuing this command, an attacker can perform FIN, PUSH, and URG scans on port 80 on the target host.

9
Q

If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

A. TCP ping
B. Hping
C. Traceroute
D. Broadcast ping

A

Answer: B. Hping

Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.

In the above scenario, the host does not respond to a ping request. Here, the tester needs to use the Hping tool and perform an ACK scan to get a response from the host using TCP.

Hping can be configured to perform an ACK scan by specifying the argument -A in the command line. Here, you are setting the ACK flag in the probe packets and performing the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.

10
Q

Which of the following open-source tools would be the best choice to scan a network for potential targets?

A. Cain & Abel
B. John the Ripper
C. NMAP
D. hashcat

A

Answer: C. NMAP.

Explanation:
Nmap is an open-source security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a “map” of the network.

hashcat, Cain & Abel, and John the Ripper are password cracking tools that allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, they even allow users to get access to their locked computer instantly without reinstalling Windows.

11
Q

Which of the following Hping3 commands is used to perform an ACK scan?

A. hping3 -1 -p 80
B. hping3 -A -p 80
C. hping3 -8 50-60 -S -V
D. hping3 -2 -p 80

A

Answer: B. hping3 -A -p 80.

hping3 -1 -p 80: This command performs an ICMP ping on the target IP address on port 80.

hping3 -A -p 80: This command performs an ACK scan on port 80 of the target IP address.

hping3 -2 -p 80: This command performs a UDP scan on port 80 of the target IP address.

hping3 -8 50-60 -S -V: This command performs a SYN scan on ports 50-60 of the target IP address with verbose output enabled.

12
Q

Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping?

A. ICMP ECHO ping sweep
B. ICMP ECHO ping scan
C. ICMP address mask ping scan
D. UDP ping scan

A

Answer: C. ICMP address mask ping scan

Explanation:
ICMP Address Mask Ping Scan: This ping method is also effective in identifying active hosts, similar to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping.

ICMP ECHO Ping Scan: ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

ICMP ECHO Ping Sweep: A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply.

UDP Ping scan: UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host.

13
Q

Which of the following protocols uses the port number 88/TCP and can verify the identity of a user or host connected to a network?

A. TFTP
B. Finger
C. NTP
D. Kerberos

A

Answer: D. Kerberos.

The important reserved ports are listed below:

Name       Port/Protocol   Service Description
tftp       69/tcp          Trivial File Transfer
finger     79/tcp          Finger
kerberos   88/tcp          Kerberos
ntp        123/tcp         Network Time Protocol

14
Q

Which of the following scans detects when a port is open after completing the three-way handshake, establishes a full connection, and closes the connection by sending an RST packet?

A. ACK flag probe scan
B. TCP connect scan
C. IDLE/IPID header scan
D. Stealth scan

A

Answer: B. TCP connect scan.

Explanation:

TCP Connect scan detects when a port is open after completing the three-way handshake. TCP Connect scan establishes a full connection and then closes the connection by sending an RST packet.

Stealth Scan involves abruptly resetting the TCP connection between the client and server before the completion of the three-way handshake signals, thus leaving the connection half-open.

ACK Flag Probe Scan is used by attackers to send TCP probe packets set with an ACK flag to a remote device and then analyze the header information (TTL and WINDOW field) of received RST packets to determine if the port is open or closed.

In IDLE/IPID Header Scan, every IP packet on the Internet has a fragment identification number (IPID); an OS increases the IPID for each packet sent; thus, probing an IPID gives an attacker the number of packets sent after the last probe. A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.

15
Q

Which of the following Nmap options is used by an attacker to perform an SCTP COOKIE ECHO scan?

A. -sY
B. -sL
C. -sU
D. -sZ

A

Answer: D. -sZ.

Explanation:
In Zenmap, the -sY option is used to perform the SCTP INIT scan.

In Zenmap, the -sU option is used to perform a UDP scan.

In Zenmap, the -sZ option is used to perform the SCTP COOKIE ECHO scan.

In Zenmap, the -sL option is used to perform a list scan.

16
Q

In which of the following scanning techniques does an attacker send a spoofed source address to a computer to determine the available services?

A. ACK flag probe scan
B. Inverse TCP flag scan
C. IDLE/IPID header scan
D. TCP Maimon scan

A

Answer: C. IDLE/IPID header scan

Inverse TCP Flag Scan: Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.

ACK Flag Probe Scan: Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed. The ACK flag probe scan exploits the vulnerabilities within the BSD-derived TCP/IP stack. Thus, such scanning is effective only on those OSs and platforms whose TCP/IP stacks are BSD-derived.

TCP Maimon scan: This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

IDLE/IPID Header Scan: The IDLE/IPID Header scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. It offers complete blind scanning of a remote host. Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered “open” if an application is listening on the port.

17
Q

While performing a UDP scan of a subnet, you receive an ICMP reply of Code 3/Type 3 for all the pings you have sent out. What is the most likely cause of this?

A. UDP port is open.
B. The host does not respond to ICMP packets.
C. The firewall is dropping the packets.
D. UDP port is closed.

A

Answer: D. UDP port is closed.

Explanation:
In a UDP scan, the user sends UDP packets to a target port and waits for the response.

When a user sends a UDP packet to the target, either of the following can occur:

If the UDP port is open, the target accepts the packet and does not send any response.

If the UDP port is closed, the ICMP packet is sent in response.

The user will receive an ICMP Type 3 Code 3 response if the port is closed; if no response is received, the port is either open or filtered (open|filtered).

18
Q

A security engineer is attempting to perform scanning on a company’s internal network to verify security policies of their networks. The engineer uses the following NMAP command: nmap -n -sS -P0 -p 80 …. What type of scan is this?

A. Quick scan
B. Stealth scan
C. Comprehensive scan
D. Intense scan

A

Answer: B. Stealth scan.

Explanation:
Nmap scanning techniques:
o -sS (TCP SYN/Stealth scan)
o -sT (TCP connect scan)
o -sU (UDP scans)
o -sY (SCTP INIT scan)
o -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
o -sA (TCP ACK scan)
o -sW (TCP Window scan)

In the above scenario, the security engineer uses the -sS option to perform the scan. This means he is performing a stealth scan.

19
Q

A penetration tester is conducting a port scan on a specific host. The tester found several open ports that were confusing in concluding the operating system (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 7.70 at 2018-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT      STATE  SERVICE
21/tcp    open   ftp
23/tcp    open   telnet
80/tcp    open   http
139/tcp   open   netbios-ssn
515/tcp   open
631/tcp   open   ipp
9100/tcp  open
MAC Address: 00:00:48:0D:EE:89

A. The host is likely a router.
B. The host is likely a Windows machine.
C. The host is likely a printer.
D. The host is likely a Linux machine.

A

Answer: C. The host is likely a printer.

Explanation:
Port 515, over both TCP and UDP, is used to interact with printers. As port 515 is open in the above Nmap output, the host is probably a printer.

20
Q

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

A. NMAP -PN -O -sS -p 1-1024 192.168.0/8
B. NMAP -P0 -A -O -p1-65535 192.168.0/24
C. NMAP -P0 -A -sT -p0-65535 192.168.0/16
D. NMAP -PN -A -O -sS 192.168.2.0/24

A

Answer: D. NMAP -PN -A -O -sS 192.168.2.0/24

-Pn (also known as No ping) assumes the host is up, thus skipping the host discovery phase, whereas -P0 (IP Protocol Ping) sends IP packets with the specified protocol number set in their IP header.

-A makes Nmap make an effort to identify the target OS, services, and their versions. It also does a traceroute and applies NSE scripts to detect additional information.

The -O option turns on Nmap’s OS fingerprinting system. Used alongside the -v verbosity option, you can gain information about the remote operating system and about its TCP sequence number generation (useful for planning idle scans).

-sS performs a TCP SYN scan. This just means that Nmap will send a TCP SYN packet just like any normal application would do. If the port is open, the application must reply with SYN/ACK; however, to prevent half-open connections Nmap will send an RST to tear down the connection again.

-sT is an Nmap TCP connect scan, and it is the default TCP scan type when a SYN scan is not an option.

Since a Class C network starts its IP addresses from 192.0.0.0, the correct command is “NMAP -PN -A -O -sS 192.168.2.0/24”.

21
Q

Which protocol and port number might be needed to send log messages to a log analysis tool that resides behind a firewall?

A. UDP 514
B. UDP 415
C. UDP 541
D. UDP 123

A

Answer: A. UDP 514.

The syslog protocol enables network devices to record event messages to the logging server or the syslog server. It is possible to log many events, and the syslog protocol can handle many different devices. Normally, Windows-based servers do not support syslog. However, there are many third-party tools available that can gather the Windows server log information and forward it to the syslog server.

Syslog is the standard for message logging and uses a facility code that determines the software used for generating the messages and also assigns a severity label to each. The syslog finds its application in system management, security auditing, and debugging messages. Many types of devices such as printers, routers, and so on use the syslog standard that enables a centralized method of logging data from different devices. The syslog server gathers information sent over the network over UDP port 514 using a syslog listener.

22
Q

Which of the following OS discovery techniques is used by an attacker to identify a target machine’s OS by observing the TTL values in the acquired scan result?

A. OS discovery using Unicornscan
B. OS discovery using Nmap Script Engine
C. OS discovery using IPv6 fingerprinting
D. OS discovery using Nmap

A

Answer: A. OS discovery using Unicornscan

Explanation:
OS Discovery using Nmap: Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.

OS Discovery using Unicornscan: In unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan is used.

OS Discovery using Nmap Scripting Engine: NSE in Nmap can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed in parallel with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine.

OS Discovery using IPv6 Fingerprinting: It is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints.

23
Q

What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?

A. Distributive
B. Passive
C. Reflective
D. Active

A

Answer: D. Active.

Explanation:
In active OS fingerprinting, specially crafted packets are sent to the remote OS and the responses are noted. The responses are then compared with a database to determine the OS. Responses from different OSes vary due to differences in TCP/IP stack implementation.

24
Q

Which of the following IDS/firewall evasion techniques helps an attacker increase their Internet anonymity?

A. Proxy chaining
B. Source routing
C. Source port manipulation
D. IP address decoy

A

Answer: A. Proxy chaining.

IP Address Decoy: The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network.

Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended target.

Source Port Manipulation: The attacker manipulates the actual source port with the common source port to evade the IDS/firewall.

Proxy Chaining: Proxy chaining helps an attacker to increase their Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker’s anonymity.

25
Q

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

A. ICMP ping sweep to determine which hosts on the network are not available
B. Timing options to slow the speed that the port scan is conducted
C. Fingerprinting to identify which operating systems are running on the network
D. Traceroute to control the path of the packets sent during the scan

A

Answer: B. Timing options to slow the speed that the port scan is conducted.

Explanation:
The tester needs to implement timing options in Nmap, which allow the tester to set a given amount of time between each probe it sends to a given host. Timing options are used to evade threshold-based intrusion detection and prevention systems (IDS/IPS).

Some of the timing options are as follows:

--delay (Delay between probes)
--rate (Send probes at a given rate)
-d, --delay (Specify line delay)
-i, --idle-timeout (Specify idle timeout)
-w, --wait (Specify connect timeout)

26
Q

Which of the following commands allows attackers to auto-generate a random MAC address and attach it to the packets in place of the original MAC address while performing host scanning?

A. nmap -sU -v [Target IP]
B. Cewl www.certifiedhacker.com
C. nmap -sT -Pn --spoof-mac 0 [Target IP]
D. nmap -sT -Pn --spoof-mac [new MAC] [Target IP]

A

Answer: C. nmap -sT -Pn --spoof-mac 0 [Target IP].

nmap -sU -v [Target IP]: In Zenmap, the -sU option is used to perform a UDP scan.

nmap -sT -Pn --spoof-mac 0 [Target IP]: This command automatically generates a random MAC address and attaches it to the packets in place of the original MAC address while performing host scanning. Here, --spoof-mac 0 represents the randomization of the MAC address.

cewl www.certifiedhacker.com: Attackers use this command to gather a list of unique words present in the target URL.

nmap -sT -Pn --spoof-mac [new MAC] [Target IP]: This command allows attackers to manually choose or set a new MAC address for the packets sent during the scanning process. --spoof-mac [new MAC] represents manually setting the MAC address.

27
Q

Which of the following IDS/firewall evasion techniques is used by an attacker to bypass Internet censors and evade certain IDS and firewall rules?

A. Anonymizers
B. IP address decoy
C. Sending bad checksums
D. Source port manipulation

A

Answer: A. Anonymizers.

Explanation:

IP Address Decoy: The attacker generates or manually specifies IP addresses of decoys so that the IDS/firewall cannot determine the actual IP address.

Sending Bad Checksums: The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target.

Source Port Manipulation: The attacker manipulates the actual source port with the common source port to evade the IDS/firewall.

Anonymizers: The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules.

28
Q

Which of the following is the active banner grabbing technique used by an attacker to determine the OS running on a remote target system?

A. Banner grabbing from page extensions
B. Banner grabbing from error messages
C. TCP sequence ability test
D. Sniffing of network traffic

A

Answer: C. TCP sequence ability test.

Explanation:

Some of the active banner grabbing techniques are as follows:

TCP Sequence ability test

Port Unreachable

Some of the passive banner grabbing techniques are as follows:

Banner grabbing from error messages

Sniffing the network traffic

Banner grabbing from page extensions

29
Q

Which of the following is the best practice to follow to secure a system or network against port scanning?

A. Allow unwanted services running on the ports and update the service versions
B. Do not configure firewall and IDS rules to detect and block probes
C. Ensure that the versions of services running on the ports are non-vulnerable
D. Ensure that firewall and routers do not block source routing techniques

A

Answer: C. Ensure that the versions of services running on the ports are non-vulnerable.

Explanation:
Following are some of the port scanning countermeasures:

Configure firewall and IDS rules to detect and block probes.

Block unwanted services running on the ports and update the service versions.

Ensure that the versions of services running on the ports are non-vulnerable.

Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of a company’s main firewall.

Ensure that the anti-scanning and anti-spoofing rules are configured.

Some firewalls do a better job than others in terms of detecting stealth scans. For example, many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.

Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.

Configure commercial firewalls to protect your network against fast port scans and SYN floods. You can run tools such as portsentry to detect and stop port scan attempts on Linux/UNIX systems.

Ensure that the mechanism used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source-routing methods.

Test your IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.

30
Q

Which of the following types of techniques is used to prevent IP spoofing by blocking outgoing packets with a source address that is not inside?

A. Ingress filtering
B. Access-control lists
C. Random initial sequence numbers
D. Egress filtering

A

Answer: D. Egress filtering.

Explanation:

Egress filtering refers to a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address that is not inside.

Random initial sequence numbers: Most devices choose their ISN based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to work out how the ISN is generated. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he/she can establish a malicious connection to the server and sniff out your network traffic. To avoid this risk, use random initial sequence numbers.

Ingress filtering prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with a source address outside the defined range is one method of implementing ingress filtering.

Access control lists (ACLs) block unauthorized access by specifying which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

31
Q

Which of the following practices can make the organization’s network susceptible to port scanning attempts?

A. Avoid using proxy servers to block fragmented or malformed packets.
B. Configure commercial firewalls to protect the network against fast port scans and SYN floods.
C. Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of the company’s main firewall.
D. Test how the network firewall and IDS manage fragmented packets using fragtest and fragroute.

A

Answer: A. Avoid using proxy servers to block fragmented or malformed packets.

32
Q

Which of the following practices helps security professionals prevent banner grabbing attempts on the host?

A. Never use server masking tools to disable or change banner information.
B. Never display false banners to mislead or deceive attackers.
C. Turn on unnecessary services on the network host to limit information disclosure.
D. Modify the value of ServerTokens from Full to Prod in Apache’s httpd.conf file to prevent disclosure of the server version.

A

Answer: D. Modify the value of ServerTokens from Full to Prod in Apache’s httpd.conf file to prevent disclosure of the server version.

33
Q

Which of the following practices allows attackers to spoof the IP addresses of users to enter a network illegitimately?

A. Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.
B. Use a secure VPN while accessing public Internet services such as free Wi-Fi and hotspots.
C. Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.
D. Avoid configuring routers to verify the data packets using their signatures by storing the arriving data packet digests.

A

Answer: D. Avoid configuring routers to verify the data packets using their signatures by storing the arriving data packet digests.

Explanation:

Some IP spoofing countermeasures that can be applied are as follows:

Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.

Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.

Use a secure VPN while accessing any type of public Internet service such as free Wi-Fi and hotspots.

Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.

Employ application-specific mitigation devices such as Behemoth scrubbers for deep-level packet investigation at a high speed of nearly 100 million packets/s.

34
Q

Which of the following countermeasures is used to avoid banner grabbing attacks?

A. Enable the details of the vendor and version in the banners
B. Use ServerMask tools to disable or change banner information
C. Never display false banners to mislead or deceive attackers
D. Turn on unnecessary services on the network host to limit information disclosure

A

Answer: B. Use ServerMask tools to disable or change banner information

Explanation:

Following are some of the countermeasures against banner grabbing attacks:

Display false banners to mislead or deceive attackers.

Turn off unnecessary services on the network host to limit information disclosure.

Use ServerMask (https://www.port80software.com) tools to disable or change banner information.

The details of the vendor and version in the banners should be disabled.

Hide file extensions to mask the web technology.

Replace application mappings such as .asp with .htm or .foo, etc., to disguise the identity of the servers.

Apache users can use mod_negotiation directives.

IIS users can use tools such as PageXchanger to manage the file extensions.

35
Q

Which of the following practices helps security professionals defend a network or service against port scanning attempts?

A. Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.
B. Never use port scanning tools against hosts on the network.
C. Never use a custom rule set to lock down the network and block unwanted ports at the firewall.
D. Never configure firewall and intrusion detection system (IDS) rules to block probes.

A

Answer: A. Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.

Explanation:

Port Scanning Countermeasures:

Configure firewall and intrusion detection system (IDS) rules to detect and block probes.

Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.

Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.

Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.

Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135–159, 256–258, 389, 445, 1080, 1745, and 3268.

36
Q

Which of the following practices can make the target device or system vulnerable to banner grabbing attacks?

A. Enable HTTP methods such as Connect, Put, Delete, and Options from web application servers.
B. For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.
C. Change the ServerSignature line to ServerSignature Off in the httpd.conf file.
D. Disable the details of the vendor and version in the banners.

A

Answer: A. Enable HTTP methods such as Connect, Put, Delete, and Options from web application servers.

Explanation:
The best practices to protect against banner grabbing are listed as follows:

For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.

Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file.

Disable HTTP methods such as Connect, Put, Delete, and Options from web application servers.

Disable the details of the vendor and version in the banners.

Use server masking tools to disable or change banner information.

37
Q

Which of the following practices allows attackers to spoof the IP addresses of users to enter a network illegitimately?

A. Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.
B. Use a secure VPN while accessing public Internet services such as free Wi-Fi and hotspots.
C. Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.
D. Avoid configuring routers to verify the data packets using their signatures by storing the arriving data packet digests.

A

Answer: D. Avoid configuring routers to verify the data packets using their signatures by storing the arriving data packet digests.

Explanation:
Some IP spoofing countermeasures that can be applied are as follows:

Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.

Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.

Use a secure VPN while accessing any type of public Internet service such as free Wi-Fi and hotspots.

Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.

Employ application-specific mitigation devices such as Behemoth scrubbers for deep-level packet investigation at a high speed of nearly 100 million packets/s.