A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results
Think of DDoS (Distributed Denial of Service), where a large number of computers generate simultaneous traffic against a victim in order to shut it down. A distributed port scan spreads the work the same way: each participating host probes only a few ports, so no single source trips a per-host threshold, and the results are correlated afterwards.
An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.
D. Over 10,000
The spec 202.176.56-57.* expands to the hosts 202.176.56.0-255 and 202.176.57.0-255, so 256 + 256 = 512 hosts will be scanned.
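To make the host count above concrete, here is an added example (not nmap's own code) that expands an nmap-style IPv4 target specification and counts the hosts it covers. It handles single octets, ranges such as 56-57, the wildcard *, and comma-separated lists such as 3-5,7, which is the subset of nmap's syntax this question relies on; the `expand_octet`, `expand_target` and `count_targets` names are this example's own.

```python
from itertools import product


def expand_octet(spec: str) -> list:
    """Expand one octet of an nmap-style target spec.

    Accepts a single value ('56'), a range ('56-57'), the wildcard '*'
    (0-255), and comma-separated lists of those ('3-5,7'). This is an added
    illustration of the syntax, not nmap's own parser.
    """
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {part!r}")
            values.update(range(lo, hi + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet {part!r}")
            values.add(n)
    return sorted(values)


def expand_target(spec: str):
    """Yield every dotted-quad address matched by a spec such as '202.176.56-57.*'."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    choices = [expand_octet(o) for o in octets]
    for a, b, c, d in product(*choices):
        yield f"{a}.{b}.{c}.{d}"


def count_targets(spec: str) -> int:
    """Number of hosts nmap would enumerate for the given spec."""
    return sum(1 for _ in expand_target(spec))


if __name__ == "__main__":
    for s in ("202.176.56-57.*", "192.168.3-5,7.1", "10.0.0-255.*"):
        print(f"{s:20s} -> {count_targets(s)} hosts")
```

Counting before scanning is worth the habit: a spec such as 10.0.0-255.* is 65,536 hosts, and a stray wildcard in the wrong octet turns a 512-host job into a multi-hour one.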
A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0
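The inference behind answer B can be checked mechanically. The following is an added example (not from the original page): it groups ICMP echo requests by (ID, Seq) and counts how many distinct sources share each pair. A normal ping utility sets the ID per process and increments Seq per packet, so one fixed pair arriving from dozens of sources is the signature of a tool. The `SAMPLE` records are constructed to mirror the counts in the question, not a real capture, and `summarize`, `suspicious_pairs` and the `min_sources` threshold are this example's own choices.

```python
from collections import defaultdict

# Constructed sample, not a real capture: (source IP, ICMP ID, ICMP Seq) for
# each ICMP_ECHO request seen at the site. 77 packets share ID 39612 / Seq 57072
# across 40 sources, 13 share ID 0 / Seq 0 across 7 sources, and one is an
# ordinary ping whose ID/Seq the sender's OS chose.
SAMPLE = (
    [(f"203.0.113.{1 + i % 40}", 39612, 57072) for i in range(77)]
    + [(f"198.51.100.{1 + i % 7}", 0, 0) for i in range(13)]
    + [("192.0.2.7", 4321, 1)]
)


def summarize(records):
    """Group echo requests by (ID, Seq) and count packets and distinct sources."""
    groups = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src, icmp_id, seq in records:
        g = groups[(icmp_id, seq)]
        g["packets"] += 1
        g["sources"].add(src)
    return dict(groups)


def suspicious_pairs(records, min_sources=5):
    """(ID, Seq) pairs seen from at least min_sources distinct hosts.

    A host's own ping utility sets the ID per process (often the PID) and
    increments Seq for every packet, so the same fixed pair arriving from many
    unrelated sources means a tool filled those fields, not the sending OS.
    The threshold of 5 is an assumption for this example.
    """
    return sorted(
        pair for pair, g in summarize(records).items()
        if len(g["sources"]) >= min_sources
    )


if __name__ == "__main__":
    for pair, g in sorted(summarize(SAMPLE).items()):
        print(f"ID={pair[0]:5d} Seq={pair[1]:5d}  packets={g['packets']:3d}  "
              f"sources={len(g['sources'])}")
    print("tool-like ID/Seq pairs:", suspicious_pairs(SAMPLE))
```

The ID 0 / Seq 0 group is the same story: a NAT rewrites the ICMP ID, it does not zero both fields, so those 13 packets also point to a tool rather than to a gateway.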
Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
Note: -l selects packet logger mode (B). If you want to store the packets in binary (pcap) format for later analysis, use ./snort -l ./log -b
Which of the following command line switch would you use for OS detection in Nmap?
OS DETECTION:
-O: Enable OS detection (try 2nd generation w/fallback to 1st)
-O2: Only use the new OS detection system (no fallback)
-O1: Only use the old (1st generation) OS detection system
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
You have initiated an active operating system fingerprinting attempt with nmap against a target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server
The host is listening on TCP port 389 (LDAP), which marks it as an Active Directory domain controller. Of the options given, only Windows 2000 Server can hold that role: Active Directory was introduced with Windows 2000, so Windows NT4 Server cannot be a domain controller for it, and Windows XP and Windows 98 SE are client systems.
Study the log below and identify the scan type.
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
Microsoft encapsulates NetBIOS information within TCP/IP using ports 135-139 (137/UDP name service, 138/UDP datagram service, 139/TCP session service; 135 is the RPC endpoint mapper). It is trivial for an attacker to issue the following command:
nbtstat -A (your IP address)
from their Windows machine and collect information about your Windows machine (if you are not blocking traffic to port 137 at your borders).
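What nbtstat -A actually puts on the wire is a single 50-byte NetBIOS node status query to UDP/137. The following is an added example (not from the original page and not Microsoft's code) that builds that query, parses the reply's name table and MAC address, and constructs a sample reply so the parser can be exercised offline. The helper names, the sample machine name WORKSTN1 and the sample MAC are this example's own; `query_host` needs a reachable Windows host and is not run in the test.

```python
import socket
import struct

NBSTAT = 0x0021                      # NetBIOS node status query/record type
IN_CLASS = 0x0001
WILDCARD = b"*" + b"\x00" * 15       # the 16-byte "*" name that nbtstat -A asks for


def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble of the 16-byte name becomes
    one letter in 'A'..'P'; the 32-byte label is prefixed by its length and
    followed by the zero terminator."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    label = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The 50-byte UDP/137 query that nbtstat -A sends."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: query, unicast
    question = encode_name(WILDCARD) + struct.pack("!HH", NBSTAT, IN_CLASS)
    return header + question


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed reply for offline testing: names is a list of
    (name, suffix, NAME_FLAGS); the 46-byte statistics block holds the MAC
    first and is zero-padded here."""
    entries = b"".join(
        n.ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack("!H", flags)
        for n, suffix, flags in names
    )
    rdata = bytes([len(names)]) + entries + mac + b"\x00" * 40
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)    # response + authoritative
    rr = encode_name(WILDCARD) + struct.pack("!HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes) -> dict:
    """Pull the name table and MAC address out of a node status response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off]:                                  # skip the encoded RR name
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    end = off + rdlen
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):
        entry = data[off:off + 16]
        nflags = struct.unpack("!H", data[off + 16:off + 18])[0]
        names.append({
            "name": entry[:15].rstrip(b" ").decode("latin-1"),
            "suffix": entry[15],                      # 0x00 workstation, 0x20 file server, ...
            "group": bool(nflags & 0x8000),           # G bit: group (workgroup/domain) name
            "active": bool(nflags & 0x0400),          # ACT bit
        })
        off += 18
    if off + 6 > end:
        raise ValueError("truncated statistics block")
    mac = data[off:off + 6]
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the request to UDP/137 and parse the reply (needs a live host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(0x1234), (ip, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)
```

The name table is the payload an attacker is after: the <00> and <20> entries give the machine name and confirm the file server service is up, a group entry gives the workgroup or domain, and the MAC comes back even though the query crossed a router. Dropping UDP/137 at the border removes all of it.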
Which type of scan sends packets with no flags set?
A. Open Scan
B. Null Scan
C. Xmas Scan
D. Half-Open Scan
The types of port connections supported are:
TCP Full Connect. This mode makes a full connection to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services, but it is also easily recognized by Intrusion Detection Systems (IDS).
UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of that message indicates either that the port is in use or that the target does not return the ICMP message, which can lead to false positives. It can save any data or banners returned from the target. This mode is also easily recognized by IDS.
TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.
TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with SYN|ACK and closed ports respond with RST|ACK or RST. This mode is less likely to be noted by IDS, but since the connection is never completed, it cannot gather data or banner information. However, the attacker has full control over the TTL, Source Port, MTU, Sequence number, and Window parameters of the SYN packet.
TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. Again, the attacker has full control over the TTL, Source Port, MTU, Sequence number, and Window parameters of the custom TCP packet. The Analyze feature helps with analyzing the response based on the flag settings chosen. Each operating system responds differently to these special combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag settings.
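The half-open and "TCP Other" modes above come down to two things: crafting a TCP header with an arbitrary flag combination and interpreting what comes back. The following is an added example (not the scanner's code and not from the original page) that builds a 20-byte TCP header for the SYN, NULL, FIN, XMAS and ACK presets with a correct pseudo-header checksum, and classifies the reply per the RFC 793 behaviour the page describes. The preset table, function names and the 192.0.2.x sample addresses are this example's assumptions; sending the segment would need a raw socket and the IP header, which is where TTL and MTU live, so that part is left out.

```python
import socket
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag presets named on the page; NULL is the empty set, XMAS lights FIN, PSH and URG.
PRESETS = {"SYN": "SYN", "NULL": "", "FIN": "FIN", "XMAS": "FIN,PSH,URG", "ACK": "ACK"}


def flag_bits(spec: str) -> int:
    """'FIN,PSH,URG' -> 0x29; '' -> 0 (NULL)."""
    return sum(FLAGS[f.strip()] for f in spec.split(",") if f.strip())


def flag_names(bits: int) -> str:
    return ",".join(name for name, bit in FLAGS.items() if bits & bit) or "NULL"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flag_spec, seq=0, window=1024) -> bytes:
    """20-byte TCP header with the requested flags and a valid checksum.
    Source port, sequence number and window are under the scanner's control
    here; TTL and MTU belong to the IP header that would wrap this segment."""
    flags = flag_bits(flag_spec)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero with its pseudo-header."""
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def interpret(scan: str, response_flags) -> str:
    """Port state from the reply's flag byte (None = no reply): closed ports
    answer RST, open ports answer SYN|ACK to a SYN and stay silent on
    NULL/FIN/XMAS probes."""
    rst = response_flags is not None and bool(response_flags & FLAGS["RST"])
    if scan == "ACK":                       # ACK probe: any RST means the port was reachable
        return "unfiltered" if rst else "filtered"
    if rst:
        return "closed"
    if scan == "SYN":
        synack = FLAGS["SYN"] | FLAGS["ACK"]
        if response_flags is not None and response_flags & synack == synack:
            return "open"
        return "filtered"
    # NULL/FIN/XMAS: silence is ambiguous (open, or dropped by a filter). Windows
    # and some other stacks send RST regardless of state, so every port looks closed.
    return "open|filtered"


if __name__ == "__main__":
    for name, spec in PRESETS.items():
        seg = build_tcp_segment("192.0.2.1", "192.0.2.2", 40000, 445, spec)
        print(f"{name:5s} flags=0x{seg[13]:02x} ({flag_names(seg[13])}) "
              f"checksum_ok={verify_tcp_checksum('192.0.2.1', '192.0.2.2', seg)}")
    print("SYN scan, reply SYN|ACK :", interpret("SYN", 0x12))
    print("NULL scan, no reply     :", interpret("NULL", None))
    print("ACK scan, reply RST     :", interpret("ACK", 0x04))
```

The `interpret` split is the practical caveat behind "each operating system responds differently": a NULL or XMAS scan against a Windows host reports every port closed, so a sweep that shows nothing open on a box that clearly serves SMB is a stack artefact, not a finding.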
Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?
The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the well-known ports 137 and 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.