Scanning and Enumeration - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Scanning and Enumeration

This chapter includes questions from the following topics:

• Describe EC-Council’s scanning methodology

• Describe scan types and the objectives of scanning

• Understand the use of various scanning and enumeration tools

• Describe TCP communication (three-way handshake and flag types)

• Understand OS fingerprinting through banner grabbing

• Understand enumeration and its techniques

• Describe NULL sessions and their countermeasures

• Describe SNMP enumeration and its countermeasures

• Describe the steps involved in performing enumeration


I love fishing. Scratch that—a better statement is that I obsess over fishing. I dream about it. I think about it during my workday, and I plan my weekends around it. And, on days like today where the lake behind my house looks like a mirror that God is using to comb his hair in as He looks down from above, it’s all I can do not to grab the rods and race out of the house. Instead, I’m sitting here in my little home office dedicating my morning to you and your needs, Dear Reader. You’re welcome.

All fishing is good, and I’ve tried most of it. I’m not really wild about catching fish with your hands (those noodling guys don’t have all the cheese on their crackers), and ice fishing isn’t a favorite of mine because I hate the cold, but I love kayak fishing. Don’t get me wrong—I still really enjoy going out on a deep-sea boat or riding along in someone’s bass boat, flying across the top of the water—but being in a kayak just seems more personal. Sitting right on top of the water, sneaking up to fish, and watching them eat the bait is pure awesomeness.

Here on the flats of East-Central Florida, you can catch fish just by paddling around and casting blindly all around you. But if you want to catch good fish and catch them with more regularity, you have to learn how to read the water. Look around in your mind’s eye with me and scan the water around us. See that little ripple over there? Those are mullet swimming around in circles lazily. Nothing is after them, so there’s no point in paddling that way. That heavy wake over there that kind of looks like a small submarine under water? That’s a redfish, and we should definitely take a shot his way. And those tails poking out of the water over there? Yeah, that’s a bunch of them.

Much like the signs we can see by scanning the surface of the water here on the flats, your scanning and enumeration efforts in the virtual world will point you in the right direction and, once you get some experience with what you’re looking at, will improve your hook-up percentage. As stated in the companion book to this study guide, you know how to footprint your client; now it’s time to learn how to dig around what you found for relevant, salient information. After footprinting, you’ll need to scan for basics; then when you find a machine up and about, you’ll need to get to know it really well, asking some rather personal questions.


STUDY TIPS: There are certain things about each section that EC-Council just absolutely adores, and there are some sections it gets downright giddy about. This section is one of them, and there are definitely things to focus on. If you check EC-Council’s website, you’ll find that questions from scanning and enumeration can make up close to 70 percent of your exam (www.eccouncil.org/Certification/exam-information/ceh-exam-312-50). I’m not saying they will; I’m just saying that 70 percent of the exam matches this section, so you’d better pay attention.

First and foremost, get your basic network knowledge down pat. Know your port numbers, protocols, and communications handshakes like the back of your hand, and learn how routing/switching basics can affect your efforts. EC-Council absolutely adores the IDLE scan, so know your IPID action well. And brush up on sequence numbering because you’ll definitely see a couple questions about it.

Definitely get to know the scanning and enumeration tools very well, in particular, Nmap. You’re going to be quizzed on use, output, and syntax, so prep by practicing—it’s the absolute best way to prepare for this exam.

Windows and Linux architecture basics aren’t going to make up the majority of your exam, but rest assured you will be tested on them. Know netstat especially well, as well as your security identifiers (SIDs) and relative identifiers (RIDs).

Questions

1. Which of the following is not part of the CEH scanning methodology?

A. Check for live systems.

B. Check for open ports.

C. Perform banner grabbing.

D. Prepare proxies.

E. Check for social engineering attacks.

F. Scan for vulnerabilities.

G. Draw network diagrams.

2. What is the second step in the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK-SYN

E. FIN

3. Which of the following tools are used for enumeration? (Choose three.)

A. SolarWinds

B. User2SID

C. Snow

D. SID2User

E. DumpSec

4. You want to perform a ping sweep of a subnet within your target organization. Which of the following Nmap command lines is your best option?

A. nmap 192.168.1.0/24

B. nmap -sT 192.168.1.0/24

C. nmap -sP 192.168.1.0/24

D. nmap -P0 192.168.1.0/24

5. Which of the following TCP flags is used to reset a connection?

A. SYN

B. ACK

C. PSH

D. URG

E. FIN

F. RST

6. A pen test team member is attempting to enumerate a Windows machine and uses a tool called enum to enumerate user accounts on the device. Doubtful this can be done, a junior team member is shocked to see the local users enumerated. The output of his enum use is provided here:

[image: enum output]

The junior team member asks what type of connection is used by this tool to accomplish its task and is told it requires a NULL session to be established first. If the machine allows null connections, which of the following command strings will successfully connect?

A. net use "" /u: \\192.169.5.12\share ""

B. net use \\192.168.5.12\c$ /u:""

C. net use \\192.168.5.12\share "" /u:""

D. net use \\192.168.5.12\c$ /u:""

7. A colleague enters the following command:

[image: hping3 command]

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address

B. An ACK scan using hping3 on port 80 for a group of addresses

C. Address validation using hping3 on port 80 for a single address

D. Address validation using hping3 on port 80 for a group of addresses

8. You are examining traffic between hosts and note the following exchange:

[image: packet exchange]

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.

B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

D. It appears port 4083 is closed.

9. You are examining traffic and notice an ICMP type 3, code 13, response. What does this normally indicate?

A. The network is unreachable.

B. The host is unknown.

C. Congestion control is enacted for traffic to this host.

D. A firewall is prohibiting connection.

10. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.

B. ICMP is being filtered.

C. The destination network might be down.

D. The servers are Linux based and do not respond to ping requests.

12. Which of the following tools is not the best choice for determining possible vulnerabilities on live targets you have identified?

A. SAINT

B. Nmap

C. Nessus

D. Retina

13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls

B. chmod

C. pwd

D. lsof

14. Which of the following tools can be used for operating system prediction from network and communication analysis? (Choose all that apply.)

A. Nmap

B. Whois

C. Queso

D. ToneLoc

E. MBSA

15. You are in training for your new pen test assignment. Your trainer enters the following command:

[image: telnet command]

After typing the command, he hits ENTER a few times. What is being attempted?

A. A DoS attack against a web server

B. A zone transfer

C. Banner grabbing

D. Configuring a port to “listening” state

16. What is being attempted with the following command?

[image: netcat command]

A. A full connect scan on ports 1–1024 for a single address

B. A full connect scan on ports 1–1024 for a subnet

C. A UDP port scan of ports 1–1024 on a single address

D. A UDP scan of ports 1–1024 on a subnet

17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22

B. TCP 53

C. UDP 22

D. UDP 53

18. In the scanning and enumeration phase of your attack, you put tools such as ToneLoc, THC-Scan, and WarVox to use. What are you attempting to accomplish?

A. War dialing

B. War driving

C. Proxy discovery

D. Ping sweeping

19. Which of the following are SNMP enumeration tools? (Choose all that apply.)

A. Nmap

B. SNMPUtil

C. ToneLoc

D. OpUtils

E. Solar Winds

F. NSAuditor

20. The following results are from an Nmap scan:

[image: Nmap scan results]

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.

B. Traceroute to the system.

C. Run the same Nmap scan with the -vv option.

D. Attempt banner grabbing.

21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

22. Which of the following ports are not required for a NULL session connection? (Choose all that apply.)

A. 135

B. 137

C. 139

D. 161

E. 443

F. 445

23. You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

A. Public (read-only) and Private (read/write)

B. Private (read-only) and Public (read/write)

C. Read (read-only) and Write (read/write)

D. Default (both read and read/write)

24. Nmap is a powerful scanning and enumeration tool. What does the following Nmap command attempt to accomplish?

[image: Nmap command]

A. A serial, slow operating system discovery scan of a Class C subnet

B. A parallel, fast operating system discovery scan of a Class C subnet

C. A serial, slow ACK scan of a Class C subnet

D. A parallel, fast ACK scan of a Class C subnet

25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

A. The host will be attempting to retrieve an HTML file.

B. The source port field on this packet can be any number between 1023 and 65535.

C. The first packet from the destination in response to this host will have the SYN and ACK flags set.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

A. Open

B. Closed

C. Filtered

D. Unknown

28. Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect

B. Half-open

C. Null scan

D. XMAS scan

29. The following output appears on the screen after an attempted telnet session to a machine:

[image: telnet session output]

Which of the following best matches the output provided?

A. An attacker has attempted a zone transfer successfully.

B. An attacker has attempted a zone transfer unsuccessfully.

C. An attacker has successfully grabbed a banner.

D. An attacker has successfully uploaded a denial-of-service script.

Quick Answer Key

1. E

2. C

3. B, D, E

4. C

5. F

6. C

7. B

8. B, C

9. D

10. A

11. B

12. B

13. D

14. A, C

15. C

16. C

17. B

18. A

19. B, D, E, F

20. D

21. C

22. A, B, C, F

23. A

24. D

25. A, D

26. B

27. B

28. A

29. C

Answers

1. Which of the following is not part of the CEH scanning methodology?

A. Check for live systems.

B. Check for open ports.

C. Perform banner grabbing.

D. Prepare proxies.

E. Check for social engineering attacks.

F. Scan for vulnerabilities.

G. Draw network diagrams.

E. OK, I’ll admit it—methodology questions aren’t my favorite either. But we’re covering them here and throughout the study guide for a couple of reasons. First, you’ll see these on the test, and you absolutely need to commit them to memory. Second, especially if you’re new to the field, a methodology ensures you don’t forget something. In this case, the scanning methodology defined by EC-Council includes the following:

1. Check for live systems.

2. Check for open ports.

3. Perform scanning beyond IDS.

4. Perform banner grabbing.

5. Scan for vulnerabilities.

6. Draw network diagrams.

7. Prepare proxies.

A, B, C, D, F, and G are incorrect because these are all parts of the scanning methodology.

2. What is the second step in the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK-SYN

E. FIN

C. Admittedly, this is an easy one, but I’d bet dollars to doughnuts you see it in some form on your exam. It’s such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you’re almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

A is incorrect because SYN is the first step (flag set) in the three-way handshake.

B is incorrect because ACK is the last step (flag set) in the three-way handshake.

D is incorrect because of the order listed. True, both these flags are the flags set in the three-way handshake. However, in the discussion of this step-by-step process, at least as far as your exam is concerned, it’s SYN/ACK, not the other way around. And, yes, this distractor, in some form, will most likely be on your exam. You won’t care about the order in the real world since flags are a mathematical property of the packet and not some ridiculous order, but for your exam you’ll need to know it this way.

E is incorrect because the FIN flag brings an orderly close to a communication session.

3. Which of the following tools are used for enumeration? (Choose three.)

A. SolarWinds

B. User2SID

C. Snow

D. SID2User

E. DumpSec

B, D, and E are correct. User2SID and SID2User are two of the old standbys in local enumeration tools. User2SID provides the SID for a given user, and the reverse is true for SID2User. DumpSec (from SomarSoft; www.system-tools.com/somarsoft/?somarsoft.com) “dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.”

A is incorrect because SolarWinds is used more for network monitoring. EC-Council does not recognize this as a pure enumeration tool.

C is incorrect because Snow is a steganography tool.

4. You want to perform a ping sweep of a subnet within your target organization. Which of the following Nmap command lines is your best option?

A. nmap 192.168.1.0/24

B. nmap -sT 192.168.1.0/24

C. nmap -sP 192.168.1.0/24

D. nmap -P0 192.168.1.0/24

C. The -sP switch within Nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don’t define a switch, Nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool.

A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.

B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.

D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually runs the scan without ping (ICMP). This is a good switch to use when you don’t seem to be getting responses from your targets. It forces Nmap to start the scan even if it thinks that the target doesn’t exist (which is useful if the computer is blocked by a firewall).

5. Which of the following TCP flags is used to reset a connection?

A. SYN

B. ACK

C. PSH

D. URG

E. FIN

F. RST

F. The RST flag, when set, indicates to both parties that communications need to be closed and restarted. It forces a termination of communications in both directions and is used to reset a connection.

A is incorrect because the SYN flag is used to initiate a connection between hosts. The synchronize flag is set during initial communication establishment and indicates negotiation of parameters and sequence numbers.

B is incorrect because the ACK flag is used to acknowledge receipt of a packet. It is set as an acknowledgment to SYN flags and is set on all segments after the initial SYN flag.

C is incorrect because the PSH flag is used to instruct the sender to immediately send all buffered data: It forces the delivery of data without concern for any buffering.

D is incorrect because the URG flag is used to indicate a packet that needs to be processed immediately. When this flag is set, it indicates the data inside is being sent out of band.

E is incorrect because the FIN flag is used to tell the recipient there will be no more traffic. It signifies an ordered close to communications.

6. A pen test team member is attempting to enumerate a Windows machine and uses a tool called enum to enumerate user accounts on the device. Doubtful this can be done, a junior team member is shocked to see the local users enumerated. The output of his enum use is provided here:

[image: enum output]

The junior team member asks what type of connection is used by this tool to accomplish its task and is told it requires a NULL session to be established first. If the machine allows null connections, which of the following command strings will successfully connect?

A. net use "" /u: \\192.169.5.12\share ""

B. net use \\192.168.5.12\c$ /u:""

C. net use \\192.168.5.12\share "" /u:""

D. net use \\192.168.5.12\c$ /u:""

C. You will definitely be asked about NULL sessions on the exam and will need to know the syntax well. A NULL session occurs when you log into a system with no user ID and password at all. This type of connection can’t be made to a regular share, but it can be done to the Interprocess Communication (IPC) administrative share, which is used by Windows processes under the SYSTEM username to communicate with other processes across the network. Some tools that make use of the null session are enum, SuperScan, User2SID, and SID2User. The correct syntax for establishing a NULL session is as follows: net use \\IPAddress\share "" /u:"".

A is incorrect because the correct syntax is not used.

B is incorrect because the correct syntax is not used. Additionally, see the C$ entry there? That’s a dead giveaway, and CEH test question writers love using it to confuse you, especially if the question has something about “a NULL session to exploit an administrative share.” This, of course, is referencing the IPC$, but some candidates immediately see that term and go for C$ every time. Don’t fall for it. Remember, NULL sessions = IPC$ share.

D is incorrect because the correct syntax is not used.

7. A colleague enters the following command:

[image: hping3 command]

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address

B. An ACK scan using hping3 on port 80 for a group of addresses

C. Address validation using hping3 on port 80 for a single address

D. Address validation using hping3 on port 80 for a group of addresses

B. Hping is a great tool providing all sorts of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows a human-readable description of TCP/IP packets.

A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The x in the last octet tells hping to fire away at all those available addresses.

C and D are both incorrect because “address validation” is not a scan type.

8. You are examining traffic between hosts and note the following exchange:

[image: packet exchange]

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.

B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

D. It appears port 4083 is closed.

B and C. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, we should receive a RST/ACK response; if it’s closed, we get nothing. This tells us port 4083 looks like it’s open. As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won’t see this much out in the real world because it just really doesn’t have much applicability. But on your exam? Oh yes—it’ll be there.

A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: No response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).

D is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).
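Questions 2, 5, and 8 all come down to reading flag combinations off a capture listing: the three handshake steps, what each individual flag means, and the FIN/PSH/URG combination that marks an XMAS scan. The script below is an added example, not code from the book: it decodes tcpdump's flag letters (S=SYN, .=ACK, F=FIN, P=PSH, R=RST, U=URG) into the header bit values, names the combinations the way the exam does, checks that a three-packet sequence really is SYN, SYN/ACK, ACK in that order, and, as the detection a defender would run over a capture, lists any source that sent XMAS probes to several ports. The capture lines it reads are constructed to mirror the scenario in question 8.

```python
"""Classify TCP flag combinations in tcpdump-style capture lines and pick out
the XMAS-scan pattern (FIN, PSH and URG set together).

Added example, not from the book. Flag letters follow tcpdump's convention:
S=SYN, .=ACK, F=FIN, P=PSH, R=RST, U=URG. The capture lines below are
constructed to mirror the exam scenario (probes to port 4083 and its
neighbours, one RST/ACK coming back).
"""
import re
from collections import defaultdict

# Bit values of the six classic flags in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPDUMP_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}
XMAS = FIN | PSH | URG

def flags_from_letters(letters):
    """'S.' -> SYN|ACK, 'FPU' -> FIN|PSH|URG, 'none' -> 0 (letter order is irrelevant)."""
    if letters == "none":
        return 0
    return sum(TCPDUMP_LETTERS[c] for c in letters)  # KeyError on an unknown letter

def describe(flags):
    """Name a flag combination the way the exam talks about it."""
    if flags == SYN:
        return "SYN (handshake step 1)"
    if flags == SYN | ACK:
        return "SYN/ACK (handshake step 2)"
    if flags == ACK:
        return "ACK (handshake step 3, or a plain acknowledgement)"
    if flags == RST | ACK:
        return "RST/ACK"
    if flags & RST:
        return "RST"
    if flags == XMAS:
        return "XMAS (FIN+PSH+URG)"
    if flags == 0:
        return "NULL (no flags)"
    if flags == FIN:
        return "FIN"
    return "other"

def is_handshake(flag_sequence):
    """True only for exactly SYN, SYN/ACK, ACK in that order."""
    return list(flag_sequence) == [SYN, SYN | ACK, ACK]

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Pull source, destination, ports and flag bits out of one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, letters = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags_from_letters(letters)}

def find_xmas_scanners(lines, min_ports=3):
    """Sources that sent XMAS probes to at least min_ports distinct ports -> sorted port list."""
    probes = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] == XMAS:
            probes[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in probes.items() if len(ports) >= min_ports}

# Constructed capture: a normal handshake from .7, XMAS probes from .5, one RST/ACK back.
SAMPLE_CAPTURE = [
    "10:00:00.000001 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S], seq 10, win 64240, length 0",
    "10:00:00.000002 IP 10.0.0.9.80 > 10.0.0.7.51000: Flags [S.], seq 500, ack 11, win 65160, length 0",
    "10:00:00.000003 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [.], ack 501, win 64240, length 0",
    "10:00:01.000001 IP 10.0.0.5.40000 > 10.0.0.9.4081: Flags [FPU], seq 1, win 1024, urg 0, length 0",
    "10:00:01.000002 IP 10.0.0.5.40000 > 10.0.0.9.4082: Flags [FPU], seq 1, win 1024, urg 0, length 0",
    "10:00:01.000003 IP 10.0.0.5.40000 > 10.0.0.9.4083: Flags [FPU], seq 1, win 1024, urg 0, length 0",
    "10:00:01.000004 IP 10.0.0.9.4083 > 10.0.0.5.40000: Flags [R.], seq 0, ack 1, win 0, length 0",
]

if __name__ == "__main__":
    for line in SAMPLE_CAPTURE:
        pkt = parse_line(line)
        print(f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}  {describe(pkt["flags"])}')
    print("XMAS scan sources:", find_xmas_scanners(SAMPLE_CAPTURE))
```

Because the letters are summed into a bitmask, `flags_from_letters` does not care whether tcpdump prints `S.` or a listing prints `.S`, which is exactly the point made about answer D in question 2: the order is a property of how the exam describes the step, not of the packet itself. `find_xmas_scanners` only keys on the probe pattern and says nothing about whether a port is open or closed; that reading is the question's to make.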

9. You are examining traffic and notice an ICMP type 3, code 13 response. What does this normally indicate?

A. The network is unreachable.

B. The host is unknown.

C. Congestion control is enacted for traffic to this host.

D. A firewall is prohibiting connection.

D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. A code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.

A is incorrect because “network unreachable” is type 3, code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.

B is incorrect because “host unknown” is type 3, code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).

C is incorrect because “congestion control” ICMP messaging is type 4.

10. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.

B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”

C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.

D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to increase regularly with each discovered open port, not randomly, as occurs with traffic on an active system.
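The whole of question 10 rests on one judgement: does the sampled IPID sequence rise by one per packet, or does it jump around? The classifier below is an added example, not code from the book, that makes that judgement on a list of IPID samples. It handles the 16-bit wraparound (65535 followed by 0 is a +1 step, not a collapse), the stacks that increment the field in little-endian order so the wire value moves in steps of 256, and the "rising but by irregular amounts" pattern the question describes. The category names and thresholds are this example's own (Nmap's ipidseq script applies a similar but not identical scheme), and every sample sequence is constructed. Defensively, the host you want is one that lands in "random" for every sample you take.

```python
"""Judge whether a host's IP identification (IPID) field is predictable.

Added example, not from the book. An idle scan only works when the zombie's
IPID rises by exactly one per packet it sends; irregular jumps mean the host
is talking to someone else and the results are moot. Category names and
thresholds are this example's own (Nmap's ipidseq script uses a similar but
not identical scheme). All sample sequences are constructed.
"""

def ipid_deltas(ipids):
    """Differences between consecutive samples, reduced modulo 2**16 so a
    wrap from 65535 to 0 counts as +1, not -65535."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]

def classify_ipid_sequence(ipids, step_limit=3):
    """Return one of:
       'constant'            every packet carries the same IPID (e.g. always 0)
       'incremental'         +1..+step_limit each time: idle and predictable
       'broken-incremental'  steps of 256..256*step_limit: a stack that counts
                             in little-endian order, still predictable on the wire
       'random-positive'     always rising, but by larger jumps: the host is busy
       'random'              jumps in both directions: randomised IPIDs
    """
    if len(ipids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= step_limit for d in deltas):
        return "incremental"
    if all(d % 256 == 0 and 1 <= d // 256 <= step_limit for d in deltas):
        return "broken-incremental"
    # After the modulo, a decrease shows up as a delta near 65536; anything
    # under 20000 is treated as "still rising".
    if all(1 <= d < 20000 for d in deltas):
        return "random-positive"
    return "random"

def usable_as_idle_zombie(ipids):
    """The question's test: only a steadily incrementing host is a usable zombie.
    Defensively, the goal is that none of your own hosts returns True here."""
    return classify_ipid_sequence(ipids) in ("incremental", "broken-incremental")

# Constructed samples: the IPID field seen across six replies from each host.
SAMPLES = {
    "idle host":        [1000, 1001, 1002, 1003, 1004, 1005],
    "wraps at 65535":   [65533, 65534, 65535, 0, 1, 2],
    "little-endian":    [0x0100, 0x0200, 0x0300, 0x0400, 0x0500, 0x0600],
    "busy host":        [100, 150, 400, 420, 900, 1300],
    "randomised stack": [41233, 3322, 60012, 11111, 50321, 7],
    "always zero":      [0, 0, 0, 0, 0, 0],
}

if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        verdict = classify_ipid_sequence(seq)
        print(f"{name:18s} {verdict:18s} zombie? {usable_as_idle_zombie(seq)}")
```

The "busy host" sample is the situation in the question: the field never goes backwards, so at a glance it looks like it is counting, but the step sizes carry no information about how many packets the host sent on your behalf. That is why anything other than the two incremental classes is reported as unusable.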

11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.

B. ICMP is being filtered.

C. The destination network might be down.

D. The servers are Linux based and do not respond to ping requests.

B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator on those two important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.

A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.

C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you if the subnet did drop while you were testing, your test is over.

D is incorrect because this is simply not true.

12. Which of the following tools is not the best choice for determining possible vulnerabilities on live targets you have identified?

A. SAINT

B. Nmap

C. Nessus

D. Retina

B. Nmap is a great scanning tool, providing all sorts of options for you. It can do a great job of identifying “live” machines and letting you know what ports a machine has open—not to mention helping you to identify the operating system in use on the machine. But when it comes to identifying actual vulnerabilities the machine may be open to, other tools are designed for that purpose. Some super-talented folks can turn Nmap into a basic vulnerability scanner, but it’s not the best choice for the job (especially provided the other choices here).

A is incorrect because SAINT (Security Administrator’s Integrated Network Tool) is a vulnerability-scanning tool. It’s now commercially available (it used to be free and open source, but no longer) and runs on Linux and Mac OS X. SAINT is one of the few scanners that doesn’t provide a Windows version at all.

C is incorrect because Nessus is a very well-known and popular vulnerability assessment scanner. Also once free and open source, Nessus can now be purchased commercially. It is continually updated and has thousands of plug-ins available for almost any usage you can think of.

D is incorrect because Retina is a vulnerability-scanning application. Owned by eEye, Retina is a popular choice on Department of Defense (DoD) and government networks.

13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls

B. chmod

C. pwd

D. lsof

D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches you can also receive all sorts of other information.

A is incorrect because ls (list) simply displays all the files and folders in your current directory. Its counterpart in the PC world is dir.

B is incorrect because chmod is used to set permissions on files and objects in Linux.

C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.

14. Which of the following tools can be used for operating system prediction from network and communication analysis? (Choose all that apply.)

A. Nmap

B. Whois

C. Queso

D. ToneLoc

E. MBSA

A and C. Operating system guessing—also known as fingerprinting or, if you’re really trying to impress someone, stack fingerprinting—can be accomplished by either Nmap or Queso. Granted, Queso is an older tool, but it’s still a staple of this certification.

B is incorrect because whois is used to look up registrar information for a web registration.

D is incorrect because ToneLoc is a war dialing tool used to look for open modems in an enterprise.

E is incorrect because Microsoft Baseline Security Advisor (MBSA) is a tool for examining the security posture of a Windows machine. MBSA can provide vulnerability information on the host, locally or remotely.

15. You are in training for your new pen test assignment. Your trainer enters the following command:

[image: telnet command]

After typing the command, he hits ENTER a few times. What is being attempted?

A. A DoS attack against a web server

B. A zone transfer

C. Banner grabbing

D. Configuring a port to “listening” state

C. Banner grabbing is a great enumerating method. The tactic involves sending an unsolicited request to an open port to see what, if any, default message is returned. The returned banner can provide all sorts of details, depending on what application is actually on the port. Things such as error messages, HTTP headers, and login messages can indicate potential vulnerabilities. There are lots of ways to accomplish this. For example, with netcat you can use the following command:

[netcat command screenshot not reproduced]

However, using Telnet (to a port other than 23) is one of the easiest methods for accomplishing the task.

A is incorrect because the worst that can happen on this attempt is a closed session with no banner returned. Nothing about this will create or bolster a DoS attack.

B is incorrect because this attempt is clearly not a zone transfer (accomplished on the command line using nslookup or dig).

D is incorrect because Telnet is not used in this fashion.

16. What is being attempted with the following command?

[netcat command screenshot not reproduced]

A. A full connect scan on ports 1–1024 for a single address

B. A full connect scan on ports 1–1024 for a subnet

C. A UDP port scan of ports 1–1024 on a single address

D. A UDP scan of ports 1–1024 on a subnet

C. In this example, netcat is being used to run a scan on UDP ports (the –u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are –v (for verbose) and –w2 (defines the two-second timeout for connection, where netcat will wait for a response).

A is incorrect because the –u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.

B is incorrect because the –u switch shows this as a UDP scan. Additionally, this is aimed at a single address, not a subnet.

D is incorrect because this is aimed at a single address, not a subnet.

17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22

B. TCP 53

C. UDP 22

D. UDP 53

B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.

A is incorrect because TCP port 22 is for SSH, not DNS.

C is incorrect because UDP port 22 simply doesn’t exist (SSH is TCP based).

D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.
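Here is an added example (not from the book) of what “focus your search on TCP 53” looks like as a detection pass. The log lines are constructed for the example, laid out as a simple tab-separated summary (timestamp, source, destination, transport, destination port, query type, query name); the addresses and names are made up. It separates ordinary UDP lookups from TCP/53 sessions and singles out the AXFR/IXFR query types that actually mark a zone transfer request, because TCP/53 on its own is only a hint: a large answer legitimately falls back to TCP too.

```python
import csv
from collections import namedtuple
from io import StringIO

# Constructed sample of a DNS traffic summary: tab-separated timestamp, source,
# destination, transport, destination port, query type, query name.
# These lines are made up for the example and do not come from a real capture.
SAMPLE_LOG = """\
2014-03-02T10:15:01Z\t10.1.1.5\t10.1.1.2\tUDP\t53\tA\twww.example.com
2014-03-02T10:15:02Z\t10.1.1.5\t10.1.1.2\tUDP\t53\tMX\texample.com
2014-03-02T10:15:07Z\t10.1.1.9\t10.1.1.2\tTCP\t53\tTXT\tbig-record.example.com
2014-03-02T10:15:09Z\t10.1.1.77\t10.1.1.2\tTCP\t53\tAXFR\texample.com
2014-03-02T10:15:10Z\t10.1.1.77\t10.1.1.2\tTCP\t53\tIXFR\texample.com
2014-03-02T10:16:00Z\t10.1.1.5\t10.1.1.2\tTCP\t22\t-\t-
"""

Record = namedtuple("Record", "ts src dst proto dport qtype qname")
TRANSFER_TYPES = {"AXFR", "IXFR"}     # full and incremental zone transfer query types


def parse_log(text):
    """Turn the tab-separated summary into Record tuples, skipping malformed rows."""
    reader = csv.reader(StringIO(text), delimiter="\t")
    return [Record(*row) for row in reader if len(row) == 7]


def classify_dns(records):
    """Bucket port-53 traffic: ordinary UDP lookups, other TCP/53 sessions, and zone transfers."""
    buckets = {"udp_lookups": [], "tcp_other": [], "zone_transfers": []}
    for r in records:
        if r.dport != "53":
            continue                      # not DNS; the TCP/22 line here is SSH
        if r.proto == "UDP":
            buckets["udp_lookups"].append(r)
        elif r.proto == "TCP":
            if r.qtype in TRANSFER_TYPES:
                buckets["zone_transfers"].append(r)
            else:
                # TCP/53 alone is only a hint: large answers legitimately fall back to TCP
                buckets["tcp_other"].append(r)
    return buckets


def zone_transfer_sources(records):
    """Sorted list of hosts that asked for AXFR/IXFR, the ones worth alerting on."""
    return sorted({r.src for r in classify_dns(records)["zone_transfers"]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, items in classify_dns(recs).items():
        print(f"{name}: {len(items)}")
    print("zone transfer requesters:", zone_transfer_sources(recs))
```

In a real environment the same logic applies to any export that carries transport, port and query type; the point is that the alert fires on the request type, with TCP/53 narrowing the search rather than deciding it.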

18. In the scanning and enumeration phase of your attack, you put tools such as ToneLoc, THC-Scan, and WarVox to use. What are you attempting to accomplish?

A. War dialing

B. War driving

C. Proxy discovery

D. Ping sweeping

A. ToneLoc, THC-Scan, and WarVox are all war dialing applications. In war dialing, the attacker dials an entire set of phone numbers looking for an open modem. Modems are designed to answer the call, and despite being for the most part outdated, they can easily provide backdoor access to a system otherwise completely secured from attack.

B is incorrect because war driving refers to a method of discovering wireless access points. Although you may not need a vehicle any longer to do so, war driving used to refer to, quite literally, driving around in a car looking for open access points. In the ethical hacking realm, it still indicates a search for open WAPs.

C is incorrect because the tools listed here have nothing to do with locating and identifying proxies.

D is incorrect because the tools listed here have nothing to do with ping sweeping. Tools such as Angry IP, Nmap, Solar Winds, and PingScannerPro are ping sweepers.

19. Which of the following are SNMP enumeration tools? (Choose all that apply.)

A. Nmap

B. SNMPUtil

C. ToneLoc

D. OpUtils

E. SolarWinds

F. NSAuditor

B, D, E, and F. SNMP (in all its versions) is a great protocol designed to help network managers get the most out of their devices and nets. Unfortunately, it’s so powerful and easy to use that hackers abuse it frequently, leading many administrators to simply turn it off. Enumerating a device using SNMP—crawling the Management Information Base (MIB) for the device—is relatively easy. SNMPUtil, SolarWinds, and OpUtils are probably the most well-known of this group. NSAuditor is probably better known for its vulnerability-scanning features, but it is listed by CEH as an SNMP enumerator.

A is incorrect because Nmap is not an SNMP enumerator; it’s a scanning tool.

C is incorrect because ToneLoc is a war-dialing tool used for discovering open modems.

20. The following results are from an Nmap scan:

[Nmap scan output not reproduced]

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.

B. Traceroute to the system.

C. Run the same Nmap scan with the -vv option.

D. Attempt banner grabbing.

D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an Nmap banner grab. Either way, the returning banner may help in identifying the OS.

A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.

B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.

C is incorrect because the –vv switch provides only more (verbose) information on what Nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”

21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

A. nmap –sN targetIPaddress

B. nmap –sO targetIPaddress

C. nmap –sS targetIPaddress

D. nmap –sT targetIPaddress

C. A half-open scan, as defined by this Nmap command line, is the best option in this case. The SYN scan was created with stealth in mind because the full connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). Granted, most IDSs can pick it up; however, if you go slow enough, it is almost invisible. A full connect scan is indistinguishable from a real connection, whereas a SYN scan can be told apart from one.

A is incorrect because a null scan may not provide the reliability you’re looking for. Remember, this scan won’t work on a Windows host at all.

B is incorrect because the –sO switch tells you this is an operating system scan. Fingerprinting scans are not stealthy by any stretch of the imagination, and they won’t provide the full information you’re looking for here.

D is incorrect because the –sT option indicates a full connect scan. Although this is reliable, it is noisy, and you will most likely be discovered during the scan.

22. Which of the following ports are required for a NULL session connection? (Choose all that apply.)

A. 135

B. 137

C. 139

D. 161

E. 443

F. 445

A, B, C, and F. NULL sessions have been virtually eliminated from the hacking arsenal since Windows XP was released; however, many machines are still vulnerable to this attack and—more importantly to you—the CEH test loves covering it. NULL session connections make use of TCP ports 135, 137, 139, and 445.

D is incorrect because port 161 is used for SNMP, which has nothing to do with NULL session connections.

E is incorrect because port 443 is used for SSL connections and has nothing to do with NULL sessions.

23. You are enumerating a subnet. While examining message traffic you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

A. Public (read-only) and Private (read/write)

B. Private (read-only) and Public (read/write)

C. Read (read-only) and Write (read/write)

D. Default (both read and read/write)

A. SNMP uses a community string as a form of a password. The read-only version of the community string allows a requester to read virtually anything SNMP can drag out of the device, whereas the read/write version is used to control access for the SNMP SET requests. The read-only default community string is public, whereas the read/write string is private. If you happen upon a network segment using SNMPv3, though, keep in mind that SNMPv3 can use a hashed form of the password in transit versus the clear text.

B is incorrect because the community strings are listed in reverse here.

C is incorrect because Read and Write are not community strings.

D is incorrect because Default is not a community string in SNMP.
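The flip side of knowing the default strings is checking your own agents for them. This added example (mine, not the book’s) audits net-snmp style snmpd.conf text: it flags rocommunity/rwcommunity/com2sec lines that still carry public or private, notes any v1/v2c community at all (the string crosses the wire in clear text, as the answer above points out), and recognizes SNMPv3 rouser/rwuser entries, warning when one is allowed with noauth. The two configuration fragments are constructed for the example; the directive names are net-snmp’s, but the user and location values are invented.

```python
import shlex

# Constructed snmpd.conf fragments in net-snmp directive syntax; not taken from any real host.
WEAK_CONF = """\
# default community strings left in place
rocommunity public
rwcommunity private
sysLocation "Server room"
"""

HARDENED_CONF = """\
# SNMPv3 user requiring authentication and privacy; no v1/v2c communities at all
rouser monitor priv
sysLocation "Server room"
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}
V3_DIRECTIVES = {"rouser", "rwuser"}


def audit_snmpd_conf(text):
    """Return (line number, severity, message) findings for community-string weaknesses."""
    findings = []
    has_v3_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY carries the string in the fourth field;
            # rocommunity/rwcommunity COMMUNITY [SOURCE ...] carry it in the second.
            if directive == "com2sec":
                community = parts[3] if len(parts) > 3 else ""
            else:
                community = parts[1] if len(parts) > 1 else ""
            access = "read/write" if directive.startswith("rw") else "read-only"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "high",
                                 f"default {access} community string '{community}'"))
            else:
                findings.append((lineno, "medium",
                                 f"v1/v2c {access} community in use; the string travels in clear text"))
        elif directive in V3_DIRECTIVES:
            has_v3_user = True
            level = parts[2].lower() if len(parts) > 2 else "auth"   # net-snmp default level
            if level == "noauth":
                findings.append((lineno, "medium",
                                 f"SNMPv3 user '{parts[1]}' allowed without authentication"))
    if findings and not has_v3_user:
        findings.append((0, "info", "no SNMPv3 users defined; consider migrating to SNMPv3"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for lineno, severity, message in audit_snmpd_conf(conf):
            print(f"  line {lineno}: [{severity}] {message}")
```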

24. Nmap is a powerful scanning and enumeration tool. What does this Nmap command attempt to accomplish?

[Nmap command screenshot not reproduced]

A. A serial, slow operating system discovery scan of a Class C subnet

B. A parallel, fast operating system discovery scan of a Class C subnet

C. A serial, slow ACK scan of a Class C subnet

D. A parallel, fast ACK scan of a Class C subnet

D. You are going to need to know Nmap switches well for your exam. In this example, the –A switch indicates an ACK scan (the only scan that returns no response on a closed port), and the –T4 switch indicates an “aggressive” scan, which runs fast and in parallel.

A is incorrect because a slow, serial scan would use the –T, –T0, or –T! switch. Additionally, the OS detection switch is –O, not –A.

B is incorrect because although this answer got the speed of the scan correct, the operating system detection portion is off.

C is incorrect because although this answer correctly identified the ACK scan switch, the –T4 switch was incorrectly identified.

25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

A. The host will be attempting to retrieve an HTML file.

B. The source port field on this packet can be any number between 1023 and 65535.

C. The first packet from the destination in response to this host will have the SYN and ACK flags set.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning “10.”

A and D. Yes, it is true that port 80 traffic is generally HTTP; however, there are two problems with this statement. The first is all that is happening here is an arbitrary connection to something on port 80. For all we know, it’s a listener, telnet connection, or anything at all. Second, assuming it’s actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it’s the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of 10 to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.

B is incorrect because it’s a true statement. Source port fields are dynamically assigned using anything other than the “well-known” port range (0–1023). IANA has defined the following port number ranges: Ports 1024 to 49151 are the registered ports (assigned by IANA for specific service upon application by a requesting entity), and ports 49152 to 65535 are dynamic or private ports that cannot be registered with IANA.

C is incorrect because it’s a true statement. The requesting machine has sent the first packet in the three-way handshake exchange—a SYN packet. The recipient will respond with a SYN/ACK and wait patiently for the last step—the ACK packet.
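To make the sequence-number arithmetic concrete, here is an added example (mine, not the book’s) that models the three segments of the handshake from the question, with the client’s initial sequence number of 10 and a server ISN you supply. The client port 49160 is an assumed ephemeral port. The checker function encodes the rules the answer states: the SYN/ACK must acknowledge ISN+1 (not “10”), the final ACK must do the same for the server’s ISN, and the client must not source from a well-known port. It also wraps the 32-bit sequence space, which the page does not mention but a capture tool has to handle.

```python
from dataclasses import dataclass

# TCP flag bits as they sit in the header's flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_MASK = 0xFFFFFFFF          # sequence and acknowledgement numbers are 32-bit and wrap
WELL_KNOWN_MAX = 1023          # 0-1023 are the well-known ports; a client should not source from them


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def has(self, *bits):
        """True when every given flag bit is set."""
        return all(self.flags & b for b in bits)


def three_way_handshake(client_isn, server_isn, client_port=49160, server_port=80):
    """Return the three segments of a TCP open for the given initial sequence numbers.

    The page's example uses client_isn = 10; the server's ISN is normally random.
    client_port defaults to an assumed ephemeral port.
    """
    syn = Segment(client_port, server_port, seq=client_isn, ack=0, flags=SYN)
    # The server acknowledges the SYN by returning client_isn + 1 and supplies its own ISN.
    syn_ack = Segment(server_port, client_port,
                      seq=server_isn,
                      ack=(client_isn + 1) & SEQ_MASK,
                      flags=SYN | ACK)
    # The client's ACK acknowledges the server's ISN the same way and carries seq = ISN + 1.
    ack = Segment(client_port, server_port,
                  seq=(client_isn + 1) & SEQ_MASK,
                  ack=(server_isn + 1) & SEQ_MASK,
                  flags=ACK)
    return [syn, syn_ack, ack]


def handshake_problems(segments):
    """Check three captured segments against the handshake rules; return a list of findings."""
    if len(segments) != 3:
        return ["expected exactly three segments"]
    syn, syn_ack, ack = segments
    problems = []
    if not (syn.has(SYN) and not syn.has(ACK)):
        problems.append("first segment is not a bare SYN")
    if syn.src_port <= WELL_KNOWN_MAX:
        problems.append("client sourced from a well-known port")
    if not syn_ack.has(SYN, ACK):
        problems.append("second segment lacks SYN+ACK")
    if syn_ack.ack != (syn.seq + 1) & SEQ_MASK:
        problems.append("SYN/ACK does not acknowledge ISN+1")
    if not (ack.has(ACK) and not ack.has(SYN)):
        problems.append("third segment is not a bare ACK")
    if ack.ack != (syn_ack.seq + 1) & SEQ_MASK:
        problems.append("final ACK does not acknowledge server ISN+1")
    if ack.seq != (syn.seq + 1) & SEQ_MASK:
        problems.append("final ACK carries the wrong sequence number")
    return problems


if __name__ == "__main__":
    for seg in three_way_handshake(10, 4000):
        print(seg)
    print("problems:", handshake_problems(three_way_handshake(10, 4000)))
```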

26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

B. This answer normally gets mixed up with the URG flag because we all read it as urgent. However, just remember the key word with PSH is “buffering.” In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.

A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized. As an aside, URG isn’t used much by modern protocols.

C is incorrect because the RST flag forces a termination of communications (in both directions).

D is incorrect because BUF isn’t a TCP flag at all.

27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

A. Open

B. Closed

C. Filtered

D. Unknown

B. Remember, a SYN scan occurs when you send a SYN packet to all open ports. If the port is open, you’ll obviously get a SYN/ACK back. However, if the port is closed, you’ll get a RST-ACK.

A is incorrect because an open port would respond differently (SYN/ACK).

C is incorrect because a filtered port would likely not respond at all. (The firewall wouldn’t allow the packet through, so no response would be generated.)

D is incorrect because you know exactly what state the port is in because of the RST-ACK response.
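The flag questions (26 and 27) come down to reading six bits in the TCP header. This added example, which is mine rather than the book’s, builds and decodes the fixed 20-byte header with the standard library and then applies the rule from the answer above to a reply: RST (usually RST/ACK) means closed, SYN/ACK means open, no reply at all means filtered. The headers used are constructed test data with a zero checksum, and the ports are assumed values.

```python
import struct

# Flag bits in the low byte of the TCP header's data-offset/flags word
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HEADER_FMT = "!HHIIHHHH"     # src, dst, seq, ack, offset+flags, window, checksum, urgent pointer
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER_FMT)   # 20 bytes, no options


def build_tcp_header(src_port, dst_port, seq, ack, flag_names, window=65535):
    """Build a minimal 20-byte TCP header (checksum left zero; constructed test data only)."""
    flags = 0
    for name in flag_names:
        flags |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | flags     # data offset of 5 words (20 bytes), then the flag bits
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header into a dict; flags come back as a sorted list of names."""
    if len(data) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    fields = struct.unpack(TCP_HEADER_FMT, data[:TCP_HEADER_LEN])
    src, dst, seq, ack, offset_flags, window, _checksum, urg_ptr = fields
    flag_bits = offset_flags & 0x3F
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (offset_flags >> 12) * 4,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if flag_bits & bit),
        "window": window, "urgent_pointer": urg_ptr,
    }


def classify_syn_scan_response(response):
    """Map the reply to a single SYN probe onto Nmap's port-state vocabulary.

    response: raw TCP header bytes of the reply, or None when nothing came back.
    """
    if response is None:
        return "filtered"            # dropped by a firewall, no reply at all
    flags = set(parse_tcp_header(response)["flags"])
    if "RST" in flags:
        return "closed"              # RST (usually RST/ACK): nothing is listening there
    if {"SYN", "ACK"} <= flags:
        return "open"                # the stack completed its half of the handshake
    return "unexpected"


def push_requested(data):
    """True when a segment asks the receiving stack to hand its data to the application at once (PSH)."""
    return "PSH" in parse_tcp_header(data)["flags"]


if __name__ == "__main__":
    replies = {
        "open port": build_tcp_header(80, 49160, 4000, 11, ["SYN", "ACK"]),
        "closed port": build_tcp_header(80, 49160, 0, 11, ["RST", "ACK"]),
        "filtered port": None,
    }
    for label, reply in replies.items():
        print(label, "->", classify_syn_scan_response(reply))
```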

28. Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect

B. Half-open

C. Null scan

D. XMAS scan

A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the –sT switch in Nmap runs a full-connect scan (you should go ahead and memorize that one).

B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).

C is incorrect because a null scan sends packets with no flags set at all. Responses will vary, depending on the OS and version, so reliability is spotty. As an aside, null scans are designed for UNIX/Linux machines and don’t work on Windows systems.

D is incorrect because although an XMAS scan is easily detectable (as our celebrated technical editor put it, “a fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.

29. The following output appears onscreen after an attempted telnet session to a machine:

[telnet session output not reproduced]

Which of the following best matches the output provided?

A. An attacker has attempted a zone transfer successfully.

B. An attacker has attempted a zone transfer unsuccessfully.

C. An attacker has successfully grabbed a banner.

D. An attacker has successfully uploaded a denial of service script.

C. Alright, I admit it—this was a ridiculously easy one. The command output appears after a typical banner grabbing effort: telnet attempt to the box and press ENTER twice after seeing the standard HEAD / HTTP/1.0 response. You’ve probably already seen it a hundred times in your testing and in all your practice exams, so be confident you’ll see it on your exam too.

A and B are incorrect because this output obviously has nothing to do with a DNS zone transfer, successful or not.

D is incorrect because there is nothing here to indicate a script has been uploaded at all.
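Questions 15, 20 and 29 all turn on the same HEAD / HTTP/1.0 banner grab, so here is one added example (mine, not from the book) that shows both ends of it on your own machine. A throwaway listener on 127.0.0.1 stands in for a web server and answers the probe either with a chatty Server header or with none at all, which is the banner-hygiene setting an administrator controls; the grab function sends exactly what the telnet session types by hand and parses the headers that come back. The server string “Apache/2.2.3 (CentOS)” is a constructed sample value, and the listener is a stand-in, not a real HTTP implementation.

```python
import socket
import threading

# The same probe the telnet session on the page types by hand
PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def start_fake_server(server_header):
    """Start a throwaway HTTP-style listener on 127.0.0.1 (a constructed stand-in for a web server).

    server_header: value to send in the Server: header, or None to omit it (the hardened setup).
    Returns (port, stop) where stop() shuts the listener down.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    lsock.listen(5)
    port = lsock.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:                 # listener shut down
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(1024)         # read the probe; its content does not matter here
                except OSError:
                    pass
                lines = ["HTTP/1.0 200 OK"]
                if server_header:
                    lines.append("Server: " + server_header)
                lines += ["Content-Type: text/html", "Content-Length: 0", "", ""]
                conn.sendall("\r\n".join(lines).encode())

    threading.Thread(target=serve, daemon=True).start()

    def stop():
        try:
            lsock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        lsock.close()

    return port, stop


def grab_banner(host, port, timeout=2.0):
    """Send the HEAD probe and return the response headers as a dict (keys lower-cased)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break                       # server kept the socket open but went quiet
            if not data:
                break                       # server closed the connection
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    headers = {"_status": status}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def disclosed_software(headers):
    """The product string a banner leaks, or None when the Server header is absent."""
    return headers.get("server")


if __name__ == "__main__":
    for label, header in (("verbose", "Apache/2.2.3 (CentOS)"), ("hardened", None)):
        port, stop = start_fake_server(header)
        banner = grab_banner("127.0.0.1", port)
        stop()
        print(label, banner["_status"], "server:", disclosed_software(banner))
```

Run it against a real host you administer and the second case is what you want to see: a status line and nothing that names the product and version.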