Practice Exam 3 Flashcards

1
Q

PE3.1 Your team is hired to test a business named Matt’s Bait’n’ Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:
metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html

Which of the following best describes what the team member is attempting to do?
A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format
B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format
C. Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file
D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com

A

C
C. This is an example of good tool knowledge and use. Metagoofil, per www.edge-security.com/metagoofil.php, “is an information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, .xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.”
In the syntax given, metagoofil will search mattsBTshop.com for up to 50 results (the -l switch determines the number of results) of any Microsoft Word documents (in both .doc and .docx format) it can find. It will then attempt to download the first 20 found (the -n switch handles that), and the -f switch will send the results where you want (in this case, to an HTML file). And just what will those results be? Well, that’s where the fun comes in. Remember, metagoofil tries to extract metadata from publicly available Microsoft Word documents available on the site. You might find e-mail addresses, document paths, software versions, and even usernames in the results.

A, B, and D are incorrect because they do not match the syntax provided.

2
Q

PE3.2 Which of the following statements is true regarding the p0f tool?

A. It is an active OS fingerprinting tool.
B. It is a passive OS fingerprinting tool.
C. It is designed to extract metadata for Microsoft files.
D. It is designed for remote access.

A

B
B. p0f, per http://lcamtuf.coredump.cx/p0f3/, “is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.”
When nmap scanning is blocked or otherwise unreliable, p0f can make use of a “vanilla” TCP connection to passively fingerprint. It can provide measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), and user language preferences. It also provides automated detection of connection sharing (NAT), load balancing, and application-level proxying setups.

A, C, and D are incorrect because these do not describe p0f. Active fingerprinting involves sending traffic in an effort to read responses and determine open ports and other goodies (like nmap does). p0f does not read metadata from available files for information purposes (like metagoofil does), and it’s definitely not a remote access tool (like netcat).

3
Q

PE3.3
You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.
B. The zombie system is a honeypot.
C. There is a misbehaving firewall between you and the zombie machine.
D. This is an expected result during an IDLE scan.

A

Ch 3.3
A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.

B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”

C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.

D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to increase regularly with each discovered open port, not randomly, as occurs with traffic on an active system.

4
Q

PE3.4
You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

A. nmap 192.168.1.0/24
B. nmap -sT 192.168.1.0/24
C. nmap -sP 192.168.1.0/24
D. nmap -P0 192.168.1.0/24

A

Ch 3.4
C. The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap. If you don’t define a switch, nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool.

A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.

B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.

D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually runs the scan without ping (ICMP). This is a good switch to use when you don’t seem to be getting responses from your targets. It forces nmap to start the scan even if it thinks that the target doesn’t exist (which is useful if the computer is blocked by a firewall).

5
Q

PE3.5 A pen tester is performing banner grabbing and executes the following command:
$ nmap -sV host.domain.com -p 80
He gets the following output:

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST
Nmap scan report for host.domain.com (108.61.158.211)
Host is up (0.032s latency).
80/tcp open http Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

Which of the following is a true statement?

A. Nmap can’t perform banner grabbing, as it cannot retrieve the version number of any running remote service.
B. The pen tester was successful in banner grabbing.
C. Using nmap -O host.domain.com would have been a better choice for banner grabbing.
D. Banner grabbing failed because the result did not return the version of the Apache web server.

A

Ch 3.5

B. You can expect a few versions of this type of question on your exam. Not only are there bunches of ways to do banner grabbing, but the outputs of each method are different. In this case, the nmap attempt was successful in identifying it as an Apache server.

A is incorrect because nmap can most certainly perform banner grabbing.

C is incorrect because the -O flag enables OS detection.

D is incorrect because the lack of a version number is irrelevant (oftentimes Apache boxes won’t respond with version number, even when the banner grab is correctly accomplished).

6
Q

PE3.6 You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?

A. 53
B. 88
C. 445
D. 514
E. 631

A

Ch 3.6
E. You will probably see three to five questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0–1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won’t, and maybe you can’t. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you’ll see on the exam somewhere—and then use the process of elimination to get to the right answer. For example, suppose you had no idea that TCP port 631 was used by the Internet Printing Protocol (IPP), but you did know what 53, 88, and 445 were for. Suddenly it’s not that difficult (now down to a 50/50 chance). By the way, 631 won’t be the only thing you’ll be monitoring for, but of the answers provided, it is the best choice.

A is incorrect because 53 is the port number used by DNS (TCP and UDP). The TCP side will be used for across-Internet traffic, where the loss of speed due to connection-oriented traffic is worth it to ensure delivery, and UDP will be mostly internal.

B is incorrect because 88 is the port number used by Kerberos.

C is incorrect because 445 is used for Microsoft SMB file sharing. You’ll definitely see SMB file sharing and this port somewhere on the exam, usually as part of a scenario like the one in this question.

D is incorrect because 514 is the (UDP) port number used by syslog—and trust me, you need to know this one. EC Council loves syslog. You’ll definitely see it a couple of times on the exam.

7
Q

PE3.7 A colleague enters the following command:

root@mybox: # hping3 -A 192.168.2.x -p 80

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address
B. An ACK scan using hping3 on port 80 for a group of addresses
C. Address validation using hping3 on port 80 for a single address
D. Address validation using hping3 on port 80 for a group of addresses

A

B
B. Hping is a great tool that provides a variety of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows a human-readable description of TCP/IP packets.

A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The x in the last octet tells hping to fire away at all those available addresses.

C and D are both incorrect because “address validation” is not a scan type.

8
Q

PE3.8 You are examining traffic between hosts and note the following exchange:

SOURCE        PROT  PORT  FLAG         DESTINATION
192.168.5.12  TCP   4082  FIN/URG/PSH  192.168.5.50
192.168.5.12  TCP   4083  FIN/URG/PSH  192.168.5.50
192.168.5.12  TCP   4084  FIN/URG/PSH  192.168.5.50
192.168.5.50  TCP   4083  RST/ACK      192.168.5.50
192.168.5.12  TCP   4085  FIN/URG/PSH  192.168.5.50

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.
B. It appears to be part of an XMAS scan.
C. It appears port 4083 is open.
D. It appears port 4083 is closed.

A

B, D
B, D. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, you won’t receive anything back; if it’s closed, you’ll see a RST/ACK. This tells you port 4083 looks like it’s closed. As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won’t see this much out in the real world because it just really doesn’t have much applicability. But on your exam? Oh yes—it’ll be there.

A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).

C is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).

9
Q

PE3.9 You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?

A. The network is unreachable.
B. The host is unknown.
C. Congestion control is enacted for traffic to this host.
D. A firewall is prohibiting connection.

A

D
D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. Code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.

A is incorrect because “network unreachable” is Type 3, Code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.

B is incorrect because “host unknown” is Type 3, Code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).

C is incorrect because “congestion control” ICMP messaging is Type 4.

10
Q

PE3.10 Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect
B. Half-open
C. Null scan
D. XMAS scan

A

A
A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).

B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).

C is incorrect because a null scan sends packets with no flags set at all. Responses will vary, depending on the OS and version, so reliability is spotty. As an aside, null scans are designed for Unix/Linux machines and don’t work on Windows systems.

D is incorrect because although an XMAS scan is easily detectable (as our celebrated technical editor put it, “a fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.

11
Q

PE3.11 As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.
B. ICMP is being filtered.
C. The destination network might be down.
D. The servers are Linux based and do not respond to ping requests.

A

B
B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator for those two important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.

A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.

C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you if the subnet did drop while you were testing, your test is over.

D is incorrect because this is simply not true.

12
Q

PE3.12 A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)

A. --script
B. -z
C. -sA
D. -sC

A

A, D
A, D. Nmap is a great scanning tool, providing numerous options, and you’ll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap’s site (https://nmap.org/book/nse.html), “NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output.” I’ve seen mentioned in other study material that the -A switch is also considered as an NSE function. -A turns on “aggressive” scanning, which reports on version detection, operating system fingerprinting, and a variety of other activities. A pretty good wrap-up of nmap switches can be found on linuxcommand.org (http://linuxcommand.org/man_pages/nmap1.html).

B is incorrect because -z isn’t an nmap switch.

C is incorrect because the -sA switch runs an ACK scan (ACK segments are sent to ports to determine their state).

13
Q

PE3.13 Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls
B. chmod
C. pwd
D. lsof

A

D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all kinds of additional information. As an aside, the command ps (for process status) is probably an even better choice for the task listed.

A is incorrect because ls (list) simply displays all the files and folders in your current directory. Its counterpart in the PC world is dir.

B is incorrect because chmod is used to set permissions on files and objects in Linux.

C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.

14
Q

PE3.14 You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?

A. sc query
B. sc query type= all
C. sc query type= service
D. sc query state= all

A

D. The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service. A sampling of uses for the sc command follows:

  • sc config Determines the status of a service at system startup, and sets a service to run automatically, manually, or not at all.
  • sc query Displays information about services, drivers, and types of both. Without parameters, it returns a list of all running services and associated information. To create a list of all services, use sc query state= all.
  • sc start Starts a service that is not running.
  • sc stop Stops a running service.
  • sc pause Pauses a service.
  • sc continue Resumes a paused service.
  • sc enumdepend Lists the services that cannot run unless the specified service is running.
  • sc qc Displays the configuration of a particular service.

And finally, one more quick note: Remember there is always a space after the equals sign (and not one before). Syntax is important, and ECC will probably spring that on you.

A, B, and C all use incorrect syntax for the question asked.

15
Q

PE3.15 An administrator enters the following command on a Linux system:

iptables -t nat -L

Which of the following best describes the intent of the command entered?

A. The administrator is attempting a port scan.
B. The administrator is configuring IP masquerading.
C. The administrator is preparing to flood a switch.
D. The administrator is preparing a DoS attack.

A

B. Do you remember network address translation? It’s a neat little technology that allows lots of internal hosts, using nonroutable private addressing, to access the Internet by borrowing and using a single address (or a group of addresses) managed by a router or other system. IP masquerading is much the same thing; it’s just accomplished through a Linux host. In short, a Linux machine can act as a NAT translator by employing proper routing configuration, using one NIC to communicate with the internal network and one for the external, and enabling IP masquerading. Looking over the man page for the command (one copy can be found at http://ipset.netfilter.org/iptables.man.html), we see that iptables is an administration tool for IPv4 packet filtering and NAT. Per the man page, “Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined.” Each table contains a number of built-in chains and may be enabled by iptables -t tablename -switch, where tablename is filter, nat, mangle, raw, or security, and switch equates to the option you wish to enable. For example, -A appends rules, -D deletes rules, and -R replaces rules.

A, C, and D are incorrect because they do not accurately represent what is being attempted.

16
Q

PE3.16 What is being attempted with the following command?

nc -u -v -w2 192.168.1.100 1-1024

A. A full connect scan on ports 1–1024 for a single address
B. A full connect scan on ports 1–1024 for a subnet
C. A UDP port scan of ports 1–1024 on a single address
D. A UDP scan of ports 1–1024 on a subnet

A

C. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).

A is incorrect because the -u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.

B is incorrect because the -u switch shows this as a UDP scan. Additionally, this is aimed at a single address, not a subnet.

D is incorrect because this is aimed at a single address, not a subnet.

17
Q

PE3.17 You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22
B. TCP 53
C. UDP 22
D. UDP 53

A

B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.

A is incorrect because TCP port 22 is for SSH, not DNS.

C is incorrect because UDP port 22 simply doesn’t exist (SSH is TCP based).

D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.

18
Q

PE3.18 A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?

A. It displays the IP route table for the machine.
B. It displays the NetBIOS name cache.
C. It displays active and inactive services.
D. It puts a NIC into promiscuous mode for sniffing.

A

B. Per Microsoft, regarding the nbtstat command: “Nbtstat is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. The nbtstat command removes and corrects preloaded entries using a number of case-sensitive switches.” Syntax for the command includes the following:

  • nbtstat -a <name> Performs a NetBIOS adapter status command on the computer name specified by <name>. The adapter status command returns the local NetBIOS name table for that computer as well as the MAC address of the adapter card.
  • nbtstat -A <IP address> Performs the same function as the -a switch, but using a target IP address rather than a name.
  • nbtstat -c Shows the contents of the NetBIOS name cache, which contains NetBIOS-name-to-IP-address mappings.
  • nbtstat -n Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector.
  • nbtstat -r Displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server.
  • nbtstat -R Purges the name cache and reloads all #PRE entries from the LMHOSTS file (#PRE entries are the LMHOSTS name entries that are preloaded into the cache).
  • nbtstat -RR Sends name release packets to the WINS server and starts a refresh, thus re-registering all names with the name server without a reboot being required.
  • nbtstat -S Lists current NetBIOS sessions and their status, including statistics.

A, C, and D are incorrect because they do not match the command usage. If you wish to see the route table on a Windows system, use the route print command. The sc query state= all command will show all the active and inactive services on the system. To put the NIC in promiscuous mode, you’d need the WinPcap driver installed.

19
Q

PE3.19 Consider the ports shown in the nmap output returned on an IP scanned during footprinting:

PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81

Which of the following is true regarding the output?

A. The host is most likely a router or has routing enabled.
B. The host is most likely a printer or has a printer installed.
C. The host is definitely a Windows server.
D. The host is definitely a Linux server.

A

B. So this output is pretty interesting, huh? There’s some FTP, Telnet, and HTTP open, and a little NetBIOS action going on there, too. The TCP ports 515 and 631, however, are the ones to note here. 515 corresponds to the Line Printer Daemon protocol/Line Printer Remote protocol (or LPD/LPR), which is used for submitting print jobs to a remote printer. Port 631 corresponds to the Internet Printing Protocol (IPP). Both point to printing. A final note on this: in our modern world the definition of what constitutes a server and what does not is a blurred line. If your printer allows Telnet access to a terminal, is it really just a printer? For that matter, many printers actually work off of an embedded operating system. In other words, in real-world testing, your printer may actually be a Linux OS server of sorts. Your exam will stick with the academic memorization and evaluation of port numbers, but things are much more entangled in the real world.

A is incorrect because none of these ports show anything related to routing.

C and D are incorrect because there is simply not enough information to definitively identify the operating system in use. Yes, it is true that the Line Printer Daemon protocol was originally in the BSD UNIX operating system; however, it is used regardless of OS.

20
Q

PE3.20 The following results are from an nmap scan :

Starting nmap v. 3.10 ( www.insecure.org/nmap/ )
Interesting ports on 192.168.15.12:
(The 1592 ports scanned but not shown below are in state: filtered)
Port    State    Service
21/tcp  open     ftp
25/tcp  open     smtp
53/tcp  closed   domain
80/tcp  open     http
443/tcp open     https

Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 263.47 seconds

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.
B. Traceroute to the system.
C. Run the same nmap scan with the -vv option.
D. Attempt banner grabbing.

A

D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.

A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.

B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.

C is incorrect because the -vv switch provides only more (verbose) information on what nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”