Module 3 - Scanning Networks Flashcards

1
Q

Which type of message would begin a TCP 3-way handshake?

A) SYN-ACK
B) SYN
C) ACK
D) RST

A

B

2
Q

Which one of these activities would allow an attacker to create a map or outline of the network infrastructure to learn about the environment before attempting to hack it?

A) Enumeration
B) Vulnerability analysis
C) Scanning networks
D) Malware analysis

A

C

3
Q

If you want to check if a host is up and running on your network using nmap, you can perform a “ping scan”. There are several methods for doing this, such as an ARP ping, an ACK ping, etc. Which command below will tell nmap to perform a TCP SYN ping scan?

A) nmap -sn -PO <target>
B) nmap -sn -PA <target>
C) nmap -sn -PS <target>
D) nmap -sn -PP <target>

A

C

4
Q

Which scanning technique will use a spoofed IP address and a SYN flag to generate port responses?

A) FIN
B) SYN
C) IDLE (side-channel)
D) XMAS

A

C

5
Q

What type of scan is this?
Open port:
SYN->
<-SYN + ACK
RST->

Closed port:
SYN->
<-RST

A) Stealth Scan
B) Full Scan
C) XMAS Scan
D) FIN Scan

A

A

6
Q

You are scanning a network to ensure it is as secure as possible. You send a TCP probe packet to a host with the FIN flag set and you receive an RST/ACK response. What does this tell you about the port you are scanning?

A) This response means the port is open.
B) The RST/ACK response means the port is disabled.
C) This means the port is half open.
D) This means that the port is closed.

A

D

7
Q

A TCP SYN flood attack abuses the three-way handshake mechanism.

An attacker at system A sends a SYN packet to the victim at system B.
System B replies with a SYN/ACK packet to A.
Normally, A would then send an ACK packet to system B; in this attack, system A never sends that ACK, so system B is left waiting for an ACK packet from system A.
This state of system B is called _________________

A) “half-closed”
B) “half open”
C) “full-open”
D) “xmas-open”

A

B

8
Q

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

A) Port scan targeting 192.168.1.103
B) Teardrop attack targeting 192.168.1.106
C) Denial of service attack targeting 192.168.1.103
D) Port scan targeting 192.168.1.106

A

D

9
Q

Which Nmap option would let you do a very fast scan, even though it might increase the chances of your activities being detected?

A) -O
B) -A
C) -T0
D) -T5

A

D

10
Q

What is typically the default TTL value for a Windows system?

A) 64
B) 128
C) 142
D) 255

A

B

11
Q

While trying to evade the IDS, which command would scan common ports with the least amount of “noise”?

A) nmap -sT -O -T0
B) nmap -A -Pn
C) nmap -A --host-timeout 99 -T1
D) nmap -sT -p -65535 -T5

A

A

12
Q

After doing an nmap scan you see some open ports on your webserver, including port 80. Which nmap switch would also include the type and version number of the server?

A) -V
B) -sV
C) -Pn
D) -sS

A

B

13
Q

What results will the following command yield: ‘nmap -sS -O -p 123-153 192.168.100.3’?

A) A stealth scan, checking open ports 123 to 153.
B) A stealth scan, checking all open ports excluding ports 123 to 153.
C) A stealth scan, opening port 123 and 153.
D) A stealth scan, determine operating system, and scanning ports 123 to 153.

A

D

14
Q

After scanning a network, you find that a machine has port 80 open, indicating that it’s a web server. You want more information about the service and its version number, so you run an nmap scan with the -sV switch. It returns the following information:
80/tcp open http-proxy Apache Server 2.4.43
What’s the name of this method of information-gathering?

A) Banner grabbing
B) WHOIS lookup
C) Brute forcing
D) Dictionary attack

A

A

15
Q

While performing an Xmas scan, which of these would indicate that the target’s port is closed?

A) SYN
B) ACK
C) RST
D) No return response.

A

C

16
Q

What does this command do?

> NMAP -sn 192.168.11.200-215

A) Port scan
B) Ping scan
C) Trace sweep
D) Operating system detection

A

B

17
Q

Which OS uses a default TTL value of 64 and a default TCP Window size of 5840?

A) Solaris OS
B) Windows OS
C) Linux OS
D) Mac OS

A

C

18
Q

How would you classify an operating-system fingerprinting method where you send traffic to the remote device and analyze the responses?

A) Passive
B) Reflective
C) Active
D) Distributive

A

C

19
Q

Which scanning technique uses a zombie system that has low network activity, and utilizes fragment identification numbers to help with the scan?

A) Decoy scanning
B) Packet fragmentation scanning
C) Spoof source address scanning
D) Idle scanning

A

D

20
Q

What does the FIN flag in TCP define?

A) Used to abort a TCP connection abruptly.
B) Used to close a TCP connection.
C) Used to acknowledge receipt of a previous packet or transmission.
D) Used to indicate the beginning of a TCP connection.

A

B

21
Q

Which of these is a way for a hacker on the outside of a network to target a host on the inside of the network, and to see which ports are open and if the packets can pass through the packet-filtering of the firewall?

A) Network sniffing
B) Session hijacking
C) Firewalking
D) Man-in-the-middle

A

C

22
Q

Which nmap option scans fewer ports than the default?

A) -P
B) -r
C) -T0
D) -sP
E) -F

A

E

23
Q

Which NMAP switch does operating system detection?

A) -OS
B) -sO
C) -sP
D) -O

A

D

24
Q

Your IP address is 192.168.1.10. Which nmap command will let you enumerate all machines on the same network quickly?

A) nmap -T4 -q 192.168.1.0/24
B) nmap -T4 -O 192.168.1.0/24
C) nmap -T4 -F 192.168.1.0/24
D) nmap -T4 -r 192.168.0.0/24

A

C

25
Q

Which nmap option would you use to determine if a firewall was Stateful or Stateless?

A) -sA
B) -sF
C) -sT
D) -sX

A

A

26
Q

Which nmap switch will scan a target using a set of spoofed source IP addresses in order to evade the IDS or firewalls?

A) The -A flag
B) The -D flag
C) The -f flag
D) The -g flag

A

B

27
Q

Which Zenmap option will perform an ICMP timestamp ping scan?

An ICMP timestamp ping is a good option if the admin has blocked ICMP ECHO pings. The ICMP timestamp feature is used to synchronize clocks. If you send a timestamp packet, and get a reply, you know the host is up!

A) -Pn
B) -PU
C) -PY
D) -PP

A

D

28
Q

Which type of port scan should you not attempt if an IDS is in use on the network?

Note: An Idle scan is very stealthy and helps evade an IDS. A Connect scan mimics normal network traffic and is unlikely to be flagged as suspicious. There’s no such thing as a “spoof scan”. A TCP SYN scan, also called a Stealth scan or a Half-Open scan, “attempts” to be stealthy, but it’s an old trick, and is very likely to be flagged by an Intrusion Detection System (IDS).

A) Idle scan
B) TCP Connect scan
C) TCP SYN
D) Spoof scan

A

C

29
Q

Nmap reports that one of your hosts at 10.10.10.20 has an IP ID sequence of “incremental”. Because of this finding, you run this command:
nmap -Pn -p 80 -sI 10.10.10.20 10.10.10.50

What does the “-sI” (that’s a capital “i” ) switch do with Nmap?

A) Conducts an ICMP scan
B) Conducts an IDLE scan
C) Conducts a stealth scan
D) Conducts a silent scan

A

B

30
Q

During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 24333 from a zombie. If the target’s port is closed, what will be the final response from the zombie?

A) The zombie computer will respond with an IPID of 24334.
B) The zombie computer will respond with an IPID of 24333.
C) The zombie computer will not send a response.
D) The zombie computer will respond with an IPID of 24335.

A

A

31
Q

Which technique can reveal the OS of your target system?

A) UDP scanning
B) IDLE/IPID scanning
C) Banner grabbing
D) SSDP scanning

A

C

32
Q

From an outside IP, you perform an XMAS scan against your company using Nmap. Almost every port scanned does not generate a response. What can you infer from this kind of response?

A) These ports are open because they do not send a response.
B) These ports are in stealth mode.
C) If a port does not respond to an XMAS scan using NMAP, that port is closed.
D) The scan was not performed correctly using NMAP since all ports, no matter what their state, will send some sort of response from an XMAS scan.

A

A

33
Q

Which flags are set in an XMAS scan?

A) FIN, RST, URG
B) PSH, ACK, RST
C) FIN, URG, PSH
D) URG, PSH, RST

A

C

34
Q

Which type of port scan sends FIN/ACK probes, where an RST coming back means the port is closed?

A) Xmas scan
B) TCP Maimon scan
C) IDLE/IPID header scan
D) ACK flag probe scan

A

B

35
Q

ICMP ping and ping sweeps are used to check for active systems and to check what?

A) if ICMP ping traverses a firewall.
B) the route that the ICMP ping took.
C) the location of the switchport in relation to the ICMP ping.
D) the number of hops an ICMP ping takes to reach a destination.

A

A

36
Q

Which type of scan would you run to find all the active devices hidden by a restrictive firewall in the IPv4 range on your LAN?

Note: ACK scan packets wouldn’t make it to the devices if ports are filtered on that firewall. Nor would a UDP scan. A Maimon scan is an older variant of an XMAS, FIN, or Null scan, and also wouldn’t make it through a restrictive firewall. The ARP protocol, on the other hand, would not typically be blocked on a firewall, or your network wouldn’t function properly. As long as the target systems are on your same subnet, an ARP ping scan is a great way to discover running hosts.

A) UDP scan
B) ACK flag probe scan
C) ARP ping scan
D) TCP Maimon scan

A

C

37
Q

An attacker sends an ACK probe packet with a random sequence number; no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered. What type of port scanning is this?

A) RST flag scanning
B) FIN flag scanning
C) SYN flag scanning
D) ACK flag scanning

A

D

38
Q

An attacker is attempting to telnet into a corporation’s system in the DMZ. The attacker doesn’t want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping3. He is still unable to connect to the target system. What could be the reason?

A) The firewall is blocking port 23 to that system.
B) He needs to use an automated tool to telnet in.
C) He cannot spoof his IP and successfully use TCP.
D) He is attacking an operating system that does not reply to telnet even when open.

A

C

39
Q

If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

A) Hping
B) Traceroute
C) Ping -t
D) Broadcast ping

A

A

40
Q

During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 31400 from a zombie. If the target’s port is open, what will be the final response from the zombie?

A) 31400
B) 31402
C) The Zombie will not send a response.
D) 31401

A

B

41
Q

Which nmap script will scan a web server to let you know which HTTP methods are available, like GET, POST, HEAD, PUT, DELETE, etc.?

Reference: https://nmap.org/nsedoc/scripts/http-methods.html

A) http-headers
B) http-methods
C) http-enum
D) http-git

A

B

42
Q

What does the Nmap -oX flag do?

A) Performs an eXpress scan
B) Outputs the results in XML format to a file.
C) Outputs the results in truncated format to the screen.
D) Performs an Xmas scan.

A

B