Network Scanning Techniques

Questions and Answers

What does a SYN-ACK response indicate about a port during a scan?

  • The port is unresponsive
  • The port is filtered
  • The port is open (correct)
  • The port is closed

In an Xmas scan, what combination of flags is set?

  • URG and PSH only
  • PSH, FIN, and URG (correct)
  • SYN and RST
  • ACK and FIN

What is the main purpose of the tool Traceroute?

  • To ping multiple IP addresses simultaneously
  • To identify the path data takes to reach a device (correct)
  • To measure network speed between devices
  • To scan open ports on a server

What does an unresponsive server typically indicate in a FIN scan?

  • The port is considered open or filtered (B)

How does the TTL (Time-to-Live) value affect packet transmission?

  • It limits the number of routers a packet can pass through. (B)

What is a primary characteristic of a filtered port according to Nmap states?

  • There is a packet filtering device blocking the probe (B)

Which of the following states can Nmap determine when scanning ports?

  • Open and Filtered (A), Open and Closed (D)

Which scanning technique is considered less noisy than a TCP scan?

  • FIN scan (C)

What is the default timing option in Nmap when performing a scan?

  • -T3 (A)

Which state indicates that Nmap cannot determine whether a port is open or filtered?

  • Open|Filtered (D)

Which Nmap scan type is considered the least stealthy due to its detection signature?

  • TCP Connect Scan (A)

What is the purpose of sending an RST packet in the scanning process?

  • To terminate a connection attempt (D)

What is the key challenge of the Xmas and FIN scans?

  • They can confuse firewalls and detection systems (C)

In the context of network security, what does a filtered port state indicate?

  • The port's responses are being blocked or dropped. (B)

Which Nmap timing option sends a packet every 15 seconds, making it less noticeable?

  • -T1 (A)

What is the purpose of gradually decreasing the TTL values in the Traceroute process?

  • To identify each hop along the route by generating responses. (C)

What is the primary purpose of a Ping Sweep?

  • To identify live systems on a network (A)

Which of the following best describes the function of ports in networking?

  • They are logical access points for data communication (A)

What does vulnerability scanning aim to achieve?

  • To generate a report on weaknesses in the environment (C)

When running a port scan, what type of systems are typically targeted?

  • Active IP addresses identified as potential targets (B)

What is the significance of the TTL (Time to Live) value in a traceroute command?

  • It specifies the maximum hops a packet can take before being discarded (C)

What type of information can be found through scanning a network?

  • Specific IP addresses and their port states (C)

Which scanning technique uses ICMP echo requests to identify active devices on a network?

  • ICMP scanning (B)

Which scenario best fits the function of stealth scanning?

  • Performing scans that do not alert security systems (A)

Study Notes

Scanning Overview

  • Scanning identifies live machines to ensure successful remote attacks.
  • Determines which operating systems are being used on target machines for potential exploitation.

Types of Scans

  • Ping Sweep:

    • Detects live systems by sending ICMP echo requests to multiple IP addresses.
    • Helps identify active devices on a network.
  • Port Scanning:

    • Finds active IP addresses to target.
    • Determines open ports (e.g., port 80 for HTTP, port 443 for HTTPS).
  • Vulnerability Scanning:

    • Identifies weaknesses in networks, systems, applications, and devices.
    • Generates a report detailing detected vulnerabilities.

Ports in Networking

  • Ports are logical access points for data transmission between devices.
  • Numbered ports correlate with specific services or protocols.

Information Gathered from Scanning

  • IP addresses of devices.
  • List of open and closed ports.
  • Operating system versions and MAC addresses.
  • Service information and network data.

ICMP Scanning

  • Utilizes ICMP echo requests to locate active network devices.
  • An echo request prompts a device to respond if operational.

Port Scanning Techniques

  • Uses SYN-ACK responses to identify open ports during scans.
  • Reset (RST) packets allow stealthy scans without establishing full connections.

Specific Scanning Methods

  • Xmas Scan:

    • Combines PSH, FIN, and URG flags to confuse the target.
    • Lack of response indicates the port may be open or filtered.
  • FIN Scan:

    • Sends a FIN flag packet to probe ports.
    • Non-response suggests potential openness or filtering.
  • ACK Scan:

    • It determines if ports are filtered or unfiltered based on responses.

Nmap States Summary

  • Open: An application is accepting connections.
  • Closed: No application is listening on the port.
  • Filtered: A filtering device is blocking the probe.
  • Unfiltered: The port is accessible; its state is undetermined.
  • Open|Filtered: Nmap cannot distinguish if the port is open or filtered.
  • Closed|Filtered: Rare state indicating ambiguity.

Scanning Tools

  • Fping:

    • Pings multiple IP addresses quickly via saved files.
  • Traceroute:

    • Examines the path data takes to a device using TTL values.
    • Gradually decreases TTL to identify each hop, revealing network delays.

Nmap Scanning Options

  • Scans the most common 1000 ports randomly.
  • Timing options allow for varied scanning speeds from paranoid to insane.

TCP and SYN Scanning

  • TCP scan determines port states through a three-way handshake.
  • SYN scan is noisy and detectable due to multiple probing attempts.


Quiz Team
