312-50 Practice Test


Page 20 out of 153 Pages

Topic 3, Scanning

Doug is conducting a port scan of a target network. He knows that his client target
network has a web server and that there is a mail server also which is up and
running. Doug has been sweeping the network but has not been able to elicit any
response from the remote target. Which of the following could be the most likely
cause behind this lack of response? Select 4.


A. UDP is filtered by a gateway
B. The packet TTL value is too low and cannot reach the target
C. The host might be down
D. The destination network might be down
E. The TCP window size does not match
F. ICMP is filtered by a gateway

Answer: A, B, C, F



Explanation: If the destination host or the destination network is down, there is no way to
get an answer, and if the TTL (Time To Live) is set too low, the UDP packets will "die" before
reaching the host because of too many hops between the scanning computer and the
target. The TCP receive window size is the amount of received data (in bytes) that can be
buffered during a connection; the sending host can send only that amount of data before it
must wait for an acknowledgment and window update from the receiving host. ICMP is
mainly used for echo requests and not in port scans.

What does ICMP (type 11, code 0) denote?


A. Unknown Type
B. Time Exceeded
C. Source Quench
D. Destination Unreachable

Answer: B



Explanation: An ICMP Type 11, Code 0 means Time Exceeded [RFC792]: Code 0 = Time
to Live Exceeded in Transit and Code 1 = Fragment Reassembly Time Exceeded.

Which FTP transfer mode is required for an FTP bounce attack?


A. Active Mode
B. Passive Mode
C. User Mode
D. Anonymous Mode

Answer: B



Explanation: An FTP bounce attack needs the server to support passive connections, and
the client program needs to use the PORT command instead of the PASV command.

Nathalie would like to perform a reliable scan against a remote target. She is not
concerned about being stealthy at this point. Which of the following types of scan
would be the most accurate and reliable?


A. A FIN Scan
B. A Half Scan
C. A UDP Scan
D. The TCP Connect Scan

Answer: D



Explanation: The connect() system call provided by your operating system is used to open
a connection to every interesting port on the machine. If the port is listening, connect() will
succeed; otherwise the port isn't reachable. One strong advantage of this technique is that
you don't need any special privileges. This is the fastest scanning method supported by
nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is
easily detectable and filterable.

Neil notices that a single address is generating traffic from its port 500 to port 500 of
several other machines on the network. This scan is eating up most of the network
bandwidth and Neil is concerned. As a security professional, what would you infer
from this scan?



A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Answer: D



Explanation: Port 500 is used by IKE (Internet Key Exchange). This is typically used for
IPSec-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a-box
VPN solutions such as Cisco. IKE is used to set up the session keys. The actual session is
usually sent with ESP (Encapsulating Security Payload) packets, IP protocol 50 (but some
in-a-box VPNs such as Cisco are capable of negotiating to send the encrypted tunnel over
a UDP channel, which is useful across firewalls that block IP protocols other than
TCP or UDP).

