Network Host Discovery Techniques

Questions and Answers

What is the primary purpose of the Metasploit Framework?

Scanning network performance

Creating web applications

Penetration testing and exploiting vulnerabilities (correct)

Managing databases

NetScanTools Pro can only discover IPv4 addresses.

False

Which tool is used to perform a UDP scan on port 53?

hping3

The tool __________ provides packet-level network analysis for troubleshooting.

OmniPeek Network Analyzer

Match the following tools with their descriptions:

Fing = Provides details like IP addresses, device vendor, MAC addresses on iOS/Android SolarWinds Port Scanner = Scans open ports and identifies vulnerabilities in network devices IP Scanner = Scans local networks to identify active devices on iOS PRTG Network Monitor = Monitors network availability and usage

Which tool is a high-performance scanner aimed at large-scale network audits?

Unicornscan

Mobile device scanning tools can perform port scanning.

True

List one capability of the Metasploit Framework.

Vulnerability scanning

Which technique uses ARP requests to discover active devices?

ARP Ping Scan

ICMP Echo Ping Scan is ineffective for identifying active systems.

False

What command is used for a UDP Ping Scan?

nmap -sn -PU

The technique that sends TCP requests to initiate a 3-way handshake is called ______.

TCP SYN Ping Scan

What response indicates that a host is inactive when using an ICMP Timestamp Ping Scan?

No Response

Match the following scanning techniques with their respective commands:

ARP Ping Scan = nmap -sn -PR UDP Ping Scan = nmap -sn -PU ICMP Echo Ping Sweep = nmap -sn -PE TCP SYN Ping Scan = nmap -sn -PS

The TCP ACK Ping Scan creates actual connections.

False

What is the purpose of sending ICMP Address Mask requests?

To identify active hosts when ICMP Echo is blocked.

What does SSDP stand for?

Simple Service Discovery Protocol

A List Scan actively scans services and ports on a network.

False

What is one primary advantage of using SSDP scans?

Allows finding devices like routers, printers, etc.

SSDP uses multicast over _____ and _____ to communicate.

IPv4, IPv6

What vulnerability can SSDP scans expose?

Buffer overflow

List Scans utilize reverse DNS resolution to identify hostnames.

True

Name one disadvantage of using List Scans.

Does not provide detailed info about the hosts.

Match the scanning technique with its feature:

SSDP Scan = Detects UPnP vulnerabilities List Scan = Generates a list of IPs/hostnames Safety Concern = Vulnerable to exploitation if misconfigured

What type of attack can exploit vulnerabilities in UPnP?

Buffer Overflow

Active banner grabbing is a stealthy method of gathering OS information.

False

What is the main purpose of a List Scan?

To generate a list of IP addresses and perform Reverse DNS resolution.

The process of using a phone number to find someone's name is similar to _____ DNS resolution.

Reverse

Match the following OS discovery techniques with their descriptions:

Active Banner Grabbing = Sends crafted packets to analyze responses Passive Banner Grabbing = Analyzes network traffic without interaction List Scan = Generates a list of IPs with Reverse DNS resolution Buffer Overflow = Malfunction from excessive data sent to a device

Which of the following is a disadvantage of passive banner grabbing?

Slower and less detailed

Active banner grabbing is more detailed than passive methods.

True

What is the common term for OS fingerprinting?

Banner Grabbing

What is an advantage of using the hping3 command with IP spoofing?

Bypasses firewalls that block specific IPs

MAC address spoofing is effective even if the firewall doesn’t rely on MAC filtering.

False

What command in Nmap can be used to randomize the order of hosts being scanned?

--randomize-hosts

The attacker can send packets with __________ checksums to trick improperly configured firewalls.

incorrect

What is a disadvantage of using hping3 for IP spoofing?

It cannot establish TCP connections

Randomizing host order increases the chances of detection by network monitoring systems.

False

Match the following command options with their functions in Nmap:

--spoof-mac = Spoofs the MAC address --randomize-hosts = Randomizes the order of host scanning --badsum = Sends packets with incorrect checksums -a = Spoofs the source IP address

What is a potential disadvantage of sending packets with bad checksums?

Ineffectiveness against modern firewalls

Study Notes

Host Discovery Techniques

• ARP Ping Scan - Sends ARP requests to find active devices on a network.
• UDP Ping Scan - Sends UDP packets to identify active hosts.
• ICMP Echo Ping Scan - Sends ICMP Echo requests to check for active systems.
• ICMP Echo Ping Sweep - Used to find active hosts on a network by sending ICMP Echo requests to multiple hosts.
• ICMP Timestamp Ping Scan - Sends ICMP Timestamp requests (useful when ICMP Echo is blocked).
• ICMP Address Mask Ping Scan - Sends ICMP Address Mask requests (effective when ICMP Echo is blocked).
• TCP SYN Ping Scan - Initiates TCP connection handshake (without establishing actual TCP connections).
• TCP ACK Ping Scan - Sends TCP ACK requests - This can bypass firewalls that block SYN scans.

SSDP and List Scan

• SSDP Scan - Uses Simple Service Discovery Protocol (SSDP) to discover Universal Plug and Play (UPnP) devices on a network.
• List Scan - Creates a list of IP addresses and hostnames without actively scanning or pinging them.

OS Discovery/Banner Grabbing

• Active Banner Grabbing - Uses crafted packets to analyze responses from a target system based on OS characteristics.
• Passive Banner Grabbing - Gathers information from network traffic and error messages without interacting with a target system.

Other Techniques

• MAC Address Spoofing - Changes a device's MAC address to impersonate a legitimate user on a network.
• Randomizing Host Order - Scans network hosts in a random order to avoid detection.
• Sending Bad Checksums - Sends packets with incorrect checksums.

Description

Explore various host discovery techniques such as ARP, UDP, and ICMP scans. In this quiz, test your knowledge on methods used to identify active devices on a network. Learn about the nuances of different scanning techniques and their applications for network discovery.