Quiz 5

Question 1

A disadvantage of Nmap is that it is very slow because it scans all the 65,000 ports of each computer in the IP address range

Answer 1

False

Question 2

A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt.

Answer 2

script

Question 3

A computer that receives a SYN packet from a remote computer responds to the packet with a(n) ____ packet if its port is open.

Answer 3

SYN/ACK

Question 4

A common Linux rootkit is ____.

Answer 4

Linux Rootkit 5

Question 5

A closed port responds to a SYN scan with an RST packet, so if no packet is received, the best guess is that the port is open.

Answer 5

False

Question 6

A closed port can be vulnerable to an attack.

Answer 6

False

Question 7

A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt.

Answer 7

script

Question 8

An OpenVAS____________________ is a security test program (script) that can be selected from the client interface.

Answer 8

plug-in

Question 9

Closed ports respond to a(n) ____ with an RST packet.

Answer 9

XMAS scan

Question 10

HTTP uses port ____ to connect to a Web service.

Answer 10

80

Question 11

How does a SYN scan work?

Answer 11

In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port to which the SYN packet is sent is closed, the computer responds to the SYN packet with an RST/ACK packet. If a SYN/ACK packet is received by an attacker’s computer, it quickly responds with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction. In this sense, it is “stealthy.” After all, you don’t want a transaction to be logged showing the IP address that connected to the attacked computer.

Question 12

If subnetting is used in an organization, you can include the broadcast address by mistake when performing ping sweeps. How might this happen?

Answer 12

If you decide to use ping sweeps, be careful not to include the broadcast address in your range of addresses. You can do this by mistake if subnetting is used in an organization. For example, if the IP address 193.145.85.0 is subnetted with a 255.255.255.192 subnet mask, four subnets are created: 193.145.85.0, 193.145.85.64, 193.145.85.128, and 193.145.85.192. The broadcast addresses for each subnet are 193.145.85.63, 193.145.85.127, 193.145.85.191, and 193.145.85.255, respectively. If a ping sweep was inadvertently activated on the range of hosts 193.145.85.65 to 193.145.85.127, an inordinate amount of traffic could flood through the network because the broadcast address of 193.145.85.127 was included. This would be more of a problem on a Class B address, but if you perform ping sweeps, make sure your client signs a written agreement authorizing the testing.

Question 13

In an ACK scan, if the attacked port returns an RST packet the attacked port is considered to be “____”.

Answer 13

unfiltered

Question 14

Nmap has a GUI version called ____________________ that makes it easier to work with some of the more complex options.

Answer 14

Zenmap

Question 15

Port scanning is a method of finding out which services a host computer offers.

Answer 15

True

Question 16

Port scanners can also be used to conduct a(n) ____________________ of a large network to identify which IP addresses belong to active hosts.

Answer 16

ping sweep

Question 17

Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use ____________________ attacks that are more difficult to detect.

Answer 17

stealth

Question 18

The ____ option of Nmap is used to perform a TCP SYN stealth port scan.

Answer 18

sS

Question 19

The ____ relies on the OS of the attacked computer, so it’s a little more risky to use than the SYN scan.

Answer 19

connect scan

Question 20

The ____ vi command deletes the current line.

Answer 20

dd

Question 21

The ____ tool was originally written for Phrack magazine in 1997 by Fyodor.

Answer 21

Nmap

Question 22

What makes the ____________________ tool unique is the ability to update security check plug-ins when they become available.

Answer 22

OpenVAS

Question 23

What makes the OpenVAS tool unique?

Answer 23

What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to designate it as dangerous, and the author’s judgment on what’s considered dangerous might differ from yours.

Question 24

Which ports should security professionals scan when doing a test? Why?

Answer 24

As a security tester, you need to know which ports attackers are going after so those ports can be closed or protected. Security professionals must scan all ports when doing a test, not just the well-known ports (Ports 1 to 1023, the most common, are covered in Chapter 2). Many computer programs use port numbers outside the range of well-known ports. For example, pcAnywhere operates on ports 65301, 22, 5631, and 5632. A hacker who discovers that port 65301 is open might want to check the information at the Common Vulnerabilities and Exposures Web site for a possible vulnerability in pcAnywhere. After a hacker discovers an open service, finding a vulnerability or exploit isn’t difficult.

Question 25

Why is port scanning considered legal by most security testers and hackers?

Answer 25

Most security testers and hackers argue that port scanning is legal simply because it doesn’t invade others’ privacy; it merely discovers whether the party being scanned is available. The typical analogy is a person walking down the street and turning the doorknob of every house along the way. If the door opens, the person notes that the door is open and proceeds to the next house. Of course, entering the house would be a crime in most parts of the world, just as entering a computer system or network without the owner’s permission is a crime.

Question 26

Why is port scanning useful for hackers?

Answer 26

Port scanning helps you answer questions about open ports and services by enabling you to quickly scan thousands or even tens of thousands of IP addresses. Many port-scanning tools produce reports of their findings, and some give you best-guess assessments of which OS is running on a system. Most, if not all, scanning programs report open ports, closed ports, and filtered ports in a matter of seconds. When a Web server needs to communicate with applications or other computers, for example, port 80 is opened. An open port allows access to applications and can be vulnerable to an attack. A closed port does not allow entry or access to a service. For instance, if port 80 is closed on a Web server, users wouldn’t be able to access Web sites. A port reported as filtered might indicate that a firewall is being used to allow specified traffic in or out of the network.

Question 27

When a TCP three-way handshake ends, both parties send a(n) ____ packet to end the connection.

Answer 27

FIN

Question 28

You can search for known vulnerabilities in a host computer by using the Common Vulnerabilities and Exposures Web site.

Answer 28

True

Question 29

____ is a reasonably priced commercial port scanner with a GUI interface.

Answer 29

AW Security Port Scanner

Question 30

____ is a protocol packet analyzer.

Answer 30

Tcpdump

Question 31

____ was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors.

Answer 31

Unicornscan

Question 32

____ is currently the standard port-scanning tool for security professionals.

Answer 32

Nmap

Question 33

____, an open-source fork of Nessus, functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration.

Answer 33

OpenVAS

Question 34

Name a port scanning tool

Answer 34

Nmap