Topic 3, Scanning
You have initiated an active operating system fingerprinting attempt with nmap
against a target system:
[root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1
Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT
Interesting ports on 10.0.0.1:
(The 1628 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open LDAP
443/tcp open https
465/tcp open smtps
1029/tcp open ms-lsa
1433/tcp open ms-sql-s
2301/tcp open compaqdiag
5555/tcp open freeciv
5800/tcp open vnc-http
5900/tcp open vnc
6000/tcp filtered X11
Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
Nmap run completed - 1 IP address (1 host up) scanned in 3.334 seconds
Using its fingerprinting tests alone, nmap is unable to distinguish between different groups
of Microsoft operating systems (Windows XP, Windows 2000, NT4 or 95/98/98SE), so the open ports have to settle it.
What operating system is the target host running based on the open ports shown
above?
A.
Windows XP
B.
Windows 98 SE
C.
Windows NT4 Server
D.
Windows 2000 Server
Windows 2000 Server
Explanation: The open ports mark the host as an Active Directory domain controller: LDAP
(389/tcp) alongside the NT-family RPC endpoint mapper (135/tcp) and NetBIOS session service
(139/tcp). Active Directory shipped with Windows 2000 Server; NT4 has no LDAP directory service,
and Windows 98 SE and Windows XP are client systems that cannot hold the domain controller role.
Of the four candidates, only Windows 2000 Server fits.
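The reasoning in the explanation, as an added example that is not part of the question bank: a small parser for the legacy nmap "Port State Service" table printed above, plus a rule table (an assumption of this example, not an nmap fingerprint) that turns the open ports into role evidence and narrows the exam's four candidates.

```python
# Added example: parse the nmap 3.x port table shown in the question and apply the
# service-based reasoning from the explanation. ROLE_EVIDENCE is a hypothetical rule
# table written for this example; it is not part of nmap's OS detection.
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the scan output from the question, verbatim.
NMAP_OUTPUT = """\
Interesting ports on 10.0.0.1:
(The 1628 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open LDAP
443/tcp open https
465/tcp open smtps
1029/tcp open ms-lsa
1433/tcp open ms-sql-s
2301/tcp open compaqdiag
5555/tcp open freeciv
5800/tcp open vnc-http
5900/tcp open vnc
6000/tcp filtered X11
Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
"""

# One table row: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) tuples; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


# Hypothetical evidence table (assumption for this example): which open TCP ports
# point at which Windows role. A role matches only if all of its ports are open.
ROLE_EVIDENCE: Dict[str, Set[int]] = {
    "active_directory_dc": {389},       # LDAP on a Windows host => AD domain controller
    "windows_rpc_netbios": {135, 139},  # RPC endpoint mapper + NetBIOS session (NT family)
    "ms_sql_server": {1433},
}


def open_ports(rows: List[Tuple[int, str, str, str]], proto: str = "tcp") -> Set[int]:
    """Ports reported 'open' for the given protocol ('filtered' is not evidence)."""
    return {port for port, pr, state, _ in rows if pr == proto and state == "open"}


def windows_roles(rows: List[Tuple[int, str, str, str]]) -> Dict[str, bool]:
    opened = open_ports(rows)
    return {role: ports <= opened for role, ports in ROLE_EVIDENCE.items()}


def narrow_os_guess(rows: List[Tuple[int, str, str, str]]) -> str:
    """Pick among the exam's four candidates. Active Directory (LDAP/389) first shipped
    with Windows 2000 Server, which rules out NT4, 98 SE and the XP client."""
    roles = windows_roles(rows)
    if roles["active_directory_dc"] and roles["windows_rpc_netbios"]:
        return "Windows 2000 Server"
    if roles["windows_rpc_netbios"]:
        return "Windows NT family (NT4/2000/XP), server role not established"
    return "undetermined"


if __name__ == "__main__":
    rows = parse_ports(NMAP_OUTPUT)
    print(sorted(open_ports(rows)))
    print(windows_roles(rows))
    print(narrow_os_guess(rows))
```

The parser keys on the row format of nmap 3.x normal output; newer nmap prints "PORT STATE SERVICE" with the same per-row shape, so the regular expression still applies.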
Lori has just been tasked by her supervisor to conduct a vulnerability scan on the
corporate network. She has been instructed to perform a very thorough test of the
network to ensure that there are no security holes on any of the machines. Lori's
company does not own any commercial scanning products, so she decides to
download a free one off the Internet. Lori has never done a vulnerability scan before,
so she is unsure of some of the settings available in the software she downloaded.
One of the options is to choose which ports can be scanned. Lori wants to do
exactly what her boss has told her, but she does not know which ports should be scanned.
If Lori is supposed to scan all known TCP ports, how many ports should she select
in the software?
A.
65536
B.
1024
C.
1025
D.
Lori should not scan TCP ports, only UDP ports
65536
Explanation: In both TCP and UDP, each packet header specifies a source port and a
destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535),
giving 65536 possible ports. Note that nmap's "-p-" shorthand covers ports 1-65535; port 0
has to be requested explicitly, for example with -p 0-65535.
Which of the following Nmap commands would be used to perform a UDP scan of
the lower 1024 ports?
A.
Nmap -h -U
B.
Nmap -hU <host(s)>
C.
Nmap -sU -p 1-1024 <host(s)>
D.
Nmap -u -v -w2 <host> 1-1024
E.
Nmap -sS -O target/1024
Nmap -sU -p 1-1024 <host(s)>
Explanation: Nmap -sU -p 1-1024 <host(s)> is the proper syntax: -sU selects a UDP scan and
-p restricts it to the port range 1-1024. Learning Nmap and its switches is critical for
successful completion of the CEH exam.
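The port-range arithmetic behind the two previous questions (65536 TCP ports, and -p 1-1024 for the lower 1024), as an added example that is not part of the question bank: a parser for nmap-style -p specifications that expands a spec into the ports it actually covers, so a claim like "all TCP ports" can be checked before the scan runs. The grammar handled (N, A-B, A-, -B, a bare "-", and T:/U: prefixes) follows nmap's documented forms; treating unprefixed elements as applying to every requested protocol is an assumption of this example.

```python
# Added example: expand an nmap-style -p port specification and count what it covers.
# Supported forms follow nmap's documentation: "N", "A-B", "A-" (A..65535),
# "-B" (1..B), "-" (1..65535) and "T:"/"U:" protocol prefixes that stick until the
# next prefix. Unprefixed elements applying to all requested protocols is an assumption.
from typing import Dict, Sequence, Set

MAX_PORT = 65535


def _parse_range(token: str) -> range:
    """One list element. Raises ValueError for anything outside 0..65535 or malformed."""
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # "-B" and "-" start at 1, as in nmap
        hi = int(hi_s) if hi_s else MAX_PORT   # "A-" and "-" run to 65535
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"port range out of bounds: {token!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec: str, protocols: Sequence[str] = ("tcp", "udp")) -> Dict[str, Set[int]]:
    """Expand a -p spec into {protocol: set_of_ports}."""
    result: Dict[str, Set[int]] = {p: set() for p in protocols}
    current = list(protocols)                  # protocols the next element applies to
    for token in spec.split(","):
        token = token.strip()
        if token[:2].upper() in ("T:", "U:"):
            current = ["tcp" if token[0].upper() == "T" else "udp"]
            token = token[2:]
        if not token:
            raise ValueError("empty port element in spec")
        ports = _parse_range(token)
        for proto in current:
            result.setdefault(proto, set()).update(ports)
    return result


def port_count(spec: str, proto: str = "tcp") -> int:
    return len(parse_port_spec(spec)[proto])


def covers_all_tcp(spec: str) -> bool:
    """True only if the spec names all 65536 TCP ports, 0 through 65535."""
    return port_count(spec, "tcp") == MAX_PORT + 1


if __name__ == "__main__":
    for spec in ("1-1024", "-", "0-", "U:53,111,137,T:21-25,80"):
        expanded = parse_port_spec(spec)
        print(spec, {p: len(s) for p, s in expanded.items()}, covers_all_tcp(spec))
```

The "-" versus "0-" check is the practical caveat: the common "-p-" shorthand leaves port 0 out, so a scan that must cover every TCP port needs "-p 0-" or "-p 0-65535".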
While performing ping scans into a target network you get a frantic call from the
organization’s security team. They report that they are under a denial of service
attack. When you stop your scan, the smurf attack event stops showing up on the
organization’s IDS monitor. How can you modify your scan to prevent triggering this
event in the IDS?
A.
Scan more slowly.
B.
Do not scan the broadcast IP.
C.
Spoof the source IP address.
D.
Only scan the Windows systems.
Do not scan the broadcast IP.
Explanation: Pinging the directed broadcast address of a subnet makes every host on that
subnet answer at once. A flood of ICMP echo requests to a broadcast address, answered by all
hosts, is exactly the amplification pattern a smurf signature looks for, so the IDS reports
the sweep as a smurf attack. Scanning more slowly or spoofing the source does not change
the pattern; leaving the broadcast address out of the target list does.
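The check a scanner should apply before a ping sweep, as an added example that is not part of the question bank: expand a target list of single IPv4 addresses and CIDR blocks into host addresses while dropping every network and directed-broadcast address, and flag bare addresses that happen to be the broadcast of one of the listed blocks. Limiting the check to IPv4 and treating only the blocks in the same target list as "known subnets" are assumptions of this example.

```python
# Added example: strip directed-broadcast (and network) addresses from a ping-sweep
# target list so the sweep cannot reproduce the smurf pattern. IPv4 only; a bare
# address is recognised as a broadcast only if a CIDR in the same list defines it.
import ipaddress
from typing import Iterable, List, Tuple

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def expand_targets(targets: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (hosts_to_scan, skipped_with_reason)."""
    nets: List[ipaddress.IPv4Network] = []
    singles: List[ipaddress.IPv4Address] = []
    for t in targets:
        if "/" in t:
            nets.append(ipaddress.IPv4Network(t, strict=False))
        else:
            singles.append(ipaddress.IPv4Address(t))

    # /31 and /32 have no broadcast address; everything /30 and larger does.
    broadcasts = {n.broadcast_address for n in nets if n.prefixlen <= 30}

    hosts: List[str] = []
    skipped: List[str] = []
    for n in nets:
        if n.prefixlen <= 30:
            skipped.append(f"{n.network_address} (network address of {n})")
            skipped.append(f"{n.broadcast_address} (broadcast of {n})")
        # hosts() already omits the network and broadcast addresses for /30 and larger
        hosts.extend(str(h) for h in n.hosts())
    for a in singles:
        if a == LIMITED_BROADCAST:
            skipped.append(f"{a} (limited broadcast)")
        elif a in broadcasts:
            skipped.append(f"{a} (directed broadcast of a listed subnet)")
        else:
            hosts.append(str(a))
    return hosts, skipped


if __name__ == "__main__":
    # Constructed target list for the demonstration.
    hosts, skipped = expand_targets(["10.0.0.0/29", "10.0.0.7", "10.0.0.9", "255.255.255.255"])
    print("scan:", hosts)
    print("skip:", skipped)
```

The resulting host list is what gets handed to the sweep (for nmap, one address per line via -iL); the skipped list is worth keeping in the engagement notes, since a later phase may legitimately want to probe broadcast handling on its own.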
You are scanning into the target network for the first time. You find very few
conventional ports open. When you attempt to perform traditional service
identification by connecting to the open ports, it yields either unreliable or no
results. You are unsure of what protocols are being used. You need to discover as
many different protocols as possible. Which kind of scan would you use to do this?
A.
Nmap with the –sO (Raw IP packets) switch
B.
Nessus scan with TCP based pings
C.
Nmap scan with the –sP (Ping scan) switch
D.
Netcat scan with the –u –e switches
Nmap with the –sO (Raw IP packets) switch
Explanation: Running Nmap with the -sO switch performs an IP protocol scan. The IP
protocol scan is a bit different from the other nmap scans: instead of probing ports, it
sends IP packets with different values in the protocol field and watches the replies, to find
which IP protocols the remote station handles, such as ICMP, TCP and UDP. A protocol is
reported closed when the target answers with an ICMP protocol unreachable error (type 3,
code 2), filtered on other ICMP unreachable errors, open on any other reply, and
open|filtered when nothing comes back. If a router is scanned, additional IP protocols such
as EGP or IGP may be identified.
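The state inference behind the -sO scan, as an added example that is not part of the question bank: the classification rules (ICMP protocol unreachable means closed, other ICMP unreachable codes mean filtered, any other reply means open, silence means open|filtered) are the ones nmap documents for its IP protocol scan. The packet side is modelled as plain tuples rather than raw sockets, and the reply set for the scanned host is constructed for the demonstration; both are assumptions of this example.

```python
# Added example: nmap -sO state inference over a constructed set of replies.
# A reply is None (no answer) or (ip_protocol_of_reply, icmp_type, icmp_code); the
# ICMP fields are None for non-ICMP replies. All replies are assumed to come from the
# target itself. No packets are sent; this models the decision logic only.
from typing import Dict, Optional, Tuple

Reply = Optional[Tuple[int, Optional[int], Optional[int]]]

ICMP, IGMP, TCP, UDP, GRE = 1, 2, 6, 17, 47
ICMP_DEST_UNREACH = 3
CODE_PROTO_UNREACH = 2
# net, host, port unreachable; net/host admin-prohibited; communication admin-prohibited
FILTERED_CODES = {0, 1, 3, 9, 10, 13}


def classify(probe_proto: int, reply: Reply) -> str:
    """State for one probed IP protocol number, per the -sO rules."""
    if reply is None:
        return "open|filtered"          # no answer: handled silently, or dropped by a filter
    proto, itype, icode = reply
    if proto == ICMP and itype == ICMP_DEST_UNREACH:
        if icode == CODE_PROTO_UNREACH:
            return "closed"             # the stack explicitly rejects this protocol
        if icode in FILTERED_CODES:
            return "filtered"           # a router or host firewall got in the way
    return "open"                       # any other reply proves the protocol is processed


def protocol_scan(replies: Dict[int, Reply]) -> Dict[int, str]:
    """Classify every probed protocol. Any ICMP error from the target also proves the
    target speaks ICMP, so protocol 1 is marked open even if its own probe got no reply."""
    results = {proto: classify(proto, reply) for proto, reply in replies.items()}
    saw_icmp = any(r is not None and r[0] == ICMP for r in replies.values())
    if ICMP in results and saw_icmp:
        results[ICMP] = "open"
    return results


# Constructed replies for one scanned host (not captured traffic).
SAMPLE_REPLIES: Dict[int, Reply] = {
    ICMP: None,                 # echo request unanswered (ICMP echo disabled)
    IGMP: (ICMP, 3, 2),         # protocol unreachable: no IGMP support
    TCP:  (TCP, None, None),    # RST in answer to our SYN
    UDP:  None,                 # silence
    GRE:  (ICMP, 3, 13),        # administratively prohibited by a filter
    255:  (ICMP, 3, 2),         # reserved protocol number, rejected
}

if __name__ == "__main__":
    for proto, state in sorted(protocol_scan(SAMPLE_REPLIES).items()):
        print(f"{proto:>3}  {state}")
```

The open|filtered result for UDP is the usual ambiguity of this scan: a host that accepts a protocol but never answers the empty probe looks the same as one whose replies are being dropped, which is why the question's scenario (unreliable results on the few open ports) still calls for correlating -sO output with other evidence.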