This chapter includes questions from the following topics:
• Understand EC-Council’s scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe the steps involved in performing enumeration
I love fishing. Scratch that—a better statement is that I am addicted to fishing. I dream about it. I think about it during my workday, I plan my weekends around it—heck, I even decorated my office with fishing paraphernalia, and occasionally catch myself staring at that sea trout picture over there to my right and sighing mournfully. And, on days like today where the lake behind my house looks like a mirror that God is using to comb his hair in as He looks down from above, it’s all I can do not to grab the rods and race out of the house. Instead, I’m sitting here in my little home office dedicating my morning to you and your needs, dear reader. You’re welcome.
All fishing is good, and I’ve tried most of it. I’m not really wild about catching fish with my hands (those noodling guys don’t have all the cheese on their crackers), and ice fishing isn’t a favorite of mine because I hate the cold—not to mention it just seems so dang boring, sitting there looking at a little hole and hoping you’ve drilled in just the right spot—but I love kayak fishing. Don’t get me wrong—I still really enjoy going out on a deep-sea boat or riding along in someone’s bass boat, flying across the top of the water—but being in a kayak just seems more personal. Sitting right on top of the water, sneaking up to fish, and watching them eat the bait is just short of a religious experience, and it cannot be beat.
Here on the flats of East-Central Florida, you can certainly catch fish just by paddling around and casting blindly all around you. But if you want to catch good fish and catch them with more regularity, you have to learn how to read the water, and since I can’t bring you all here and paddle around to give a hands-on lesson, we’ll have to run a little thought experiment instead. Sit back in our little virtual kayak, and we’ll paddle around to see what we can find. Look around in your mind’s eye with me and scan the water around us. See that little ripple over there? Those are mullet swimming around in lazy circles. Nothing is after them, or they’d be darting and running into the shallows, so there’s no point in paddling that way yet. That heavy wake over there that kind of looks like a small submarine underwater? That’s a redfish, and he’s definitely after something. We should definitely take a shot his way. And those things that look like tiny brooms poking out of the water over there? Yeah, that’s a bunch of redfish, nosed down into the muck eating crabs or shrimp. If we watch the school for a bit, it’ll make it easier to map out an approach and figure out the best casting opportunities without spooking them.
Much like the signs we can see by scanning the surface of the water here on the flats, your scanning and enumeration efforts in the virtual world will point you in the right direction and, once you get some experience with what you’re looking at, will improve your hook-up percentage. As stated in the companion book to this study guide, you know how to footprint your client; now it’s time to learn how to dig around what you found for relevant, salient information. After footprinting, you’ll need to scan for basics; then when you find a machine up and about, you’ll need to get to know it really well, asking some rather personal questions.
STUDY TIPS
In previous versions of the exam, EC-Council focused a lot of attention on scanning and enumeration. I’m not saying it’s not the same in the current version, I’m just saying it’s… different. The new exam focuses a little more on network knowledge, how tools actually work, and in-the-weeds questions. Sure, you’ll still find a few freebies from this section, but most will be very focused.
First and foremost, get your network knowledge down pat. Know your port numbers, protocols, and communications handshakes like the back of your hand. Learn how routing/switching basics can affect your efforts: for example, knowing that a routing protocol (such as OSPF and BGP) determines how routers communicate with each other and make decisions on moving packets, and that routed protocols (such as IP) are the ones providing network layer addressing, will help you out. There won’t be a ton of them, but questions on subnetting will make an appearance, so know your math well.
When it comes to scanning, know your scanning tools very well. EC-Council absolutely adores nmap, so know syntax, responses, results, switches… all of it. You’ll be quizzed on use, output, syntax, and lots of scanning tools, so prep by practicing—it’s the absolute best way to prepare for this exam.
Lastly, Windows and Linux architecture basics aren’t going to make up the majority of your exam, but rest assured you will be tested on them—especially on anything that’s different between the two. For example, some tools will work with and on Windows, but not on Linux, and vice versa. Each has built-in tools and services (for example, know net command usage in Windows very well) that may work differently on the other, so be sure to focus on those for study.
1. Your team is hired to test a business named Matt’s Bait ‘n Tackle Shop (domain name A team member runs the following command:
metagoofil -d -t doc,docx -l 50 -n 20 -f results.html
Which of the following best describes what the team member is attempting to do?
A. Extract metadata info from web pages in, outputting results in Microsoft Word format.
B. Extract metadata info from the results.html page in, outputting results in Microsoft Word format.
C. Extract metadata info from Microsoft Word documents found in, outputting results in an HTML file.
D. Uploading results.html as a macro attachment to any Microsoft Word documents found in
2. Which of the following is true regarding the p0f tool?
A. It is an active OS fingerprinting tool.
B. It is a passive OS fingerprinting tool.
C. It is designed to extract metadata for Microsoft files.
D. It is designed for remote access.
3. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
A. Your IDLE scan results will not be useful to you.
B. The zombie system is a honeypot.
C. There is a misbehaving firewall between you and the zombie machine.
D. This is an expected result during an IDLE scan.
4. You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?
A. nmap
B. nmap -sT
C. nmap -sP
D. nmap -P0
5. A team member runs an Inverse TCP scan. What is the expected return for an open port?
A. Open ports respond with a SYN/ACK.
B. Open ports respond with a RST.
C. Open ports respond with a FIN.
D. Open ports do not respond at all.
6. You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?
A. 53
B. 88
C. 445
D. 514
E. 631
7. A colleague enters the following command:
root@mybox: # hping3 -A 192.168.2.x -p 80
What is being attempted here?
A. An ACK scan using hping3 on port 80 for a single address
B. An ACK scan using hping3 on port 80 for a group of addresses
C. Address validation using hping3 on port 80 for a single address
D. Address validation using hping3 on port 80 for a group of addresses
8. You are examining traffic between hosts and note the following exchange:
Which of the following statements are true regarding this traffic? (Choose all that apply.)
A. It appears to be part of an ACK scan.
B. It appears to be part of an XMAS scan.
C. It appears port 4083 is open.
D. It appears port 4083 is closed.
9. You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?
A. The network is unreachable.
B. The host is unknown.
C. Congestion control is enacted for traffic to this host.
D. A firewall is prohibiting connection.
10. Which port-scanning method presents the most risk of discovery but provides the most reliable results?
A. Full-connect
B. Half-open
C. Null Scan
D. XMAS scan
11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?
A. The hosts might be turned off or disconnected.
B. ICMP is being filtered.
C. The destination network might be down.
D. The servers are Linux based and do not respond to ping requests.
12. A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)
A. --script
B. -z
C. -sA
D. -sC
13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?
A. ls
B. chmod
C. pwd
D. lsof
14. You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?
A. sc query
B. sc query type=all
C. sc query type=service
D. sc query state= all
15. An administrator enters the following command on a Linux system:
iptables -t nat -L
Which of the following best describes the intent of the command entered?
A. The administrator is attempting a port scan.
B. The administrator is configuring IP masquerading.
C. The administrator is preparing to flood a switch.
D. The administrator is preparing a DoS attack.
16. What is being attempted with the following command?
nc -u -v -w2 1-1024
A. A full connect scan on ports 1–1024 for a single address
B. A full connect scan on ports 1–1024 for a subnet
C. A UDP port scan of ports 1–1024 on a single address
D. A UDP scan of ports 1–1024 on a subnet
17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?
A. TCP 22
B. TCP 53
C. UDP 22
D. UDP 53
18. A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?
A. It displays the IP route table for the machine.
B. It displays the NetBIOS name cache.
C. It displays active and inactive services.
D. It puts a NIC into promiscuous mode for sniffing.
19. Consider the ports shown in the nmap output returned on an IP scanned during footprinting:
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81
Which of the following is true regarding the output?
A. The host is most likely a router or has routing enabled.
B. The host is most likely a printer or has a printer installed.
C. The host is definitely a Windows Server.
D. The host is definitely a Linux Server.
20. The following results are from an nmap scan:
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 263.47 seconds
Which of the following is the best option to assist in identifying the operating system?
A. Attempt an ACK scan.
B. Traceroute to the system.
C. Run the same nmap scan with the -vv option.
D. Attempt banner grabbing.
21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?
A. nmap -sN targetIPaddress
B. nmap -sO targetIPaddress
C. nmap -sS targetIPaddress
D. nmap -sT targetIPaddress
22. What is the second step in the TCP three-way handshake?
23. You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?
A. Public (read-only) and Private (read/write)
B. Private (read-only) and Public (read/write)
C. Read (read-only) and Write (read/write)
D. Default (both read and read/write)
24. Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish?
nmap -sA -T4
A. A serial, slow operating system discovery scan of a Class C subnet
B. A parallel, fast operating system discovery scan of a Class C subnet
C. A serial, slow ACK scan of a Class C subnet
D. A parallel, fast ACK scan of a Class C subnet
25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)
A. The host will be attempting to retrieve an HTML file.
B. The source port field on this packet can be any number between 1024 and 65535.
C. The first packet from the destination in response to this host will have the SYN and ACK flags set.
D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.
26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?
A. Open
B. Closed
C. Filtered
D. Unknown
1. A
2. B
3. A
4. C
5. D
6. E
7. B
8. B, C
9. D
10. A
11. B
12. A, D
13. D
14. D
15. B
16. C
17. B
18. B
19. B
20. D
21. C
22. C
23. A
24. D
25. A, D
26. B
27. B
1. Your team is hired to test a business named Matt’s Bait ‘n Tackle Shop (domain name A team member runs the following command:
metagoofil -d -t doc,docx -l 50 -n 20 -f results.html
Which of the following best describes what the team member is attempting to do?
A. Extract metadata info from web pages in, outputting results in Microsoft Word format.
B. Extract metadata info from the results.html page in, outputting results in Microsoft Word format.
C. Extract metadata info from Microsoft Word documents found in, outputting results in an HTML file.
D. Uploading results.html as a macro attachment to any Microsoft Word documents found in
A. This is an example of good tool knowledge and use. Metagoofil ( “is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.”
In the syntax above, metagoofil will search for up to 50 results (the -l switch determines the number of results) of any Microsoft Word documents (in both doc and docx format) it can find. It will then attempt to download the first 20 found (the -n switch handles that), and the -f switch will send the results where you want (in this case, to an HTML file).
And just what will those results be? Well that’s where the fun comes in. Remember, metagoofil tries to extract metadata from publicly available Microsoft Word documents available on the site. You might find e-mail addresses, document paths, software versions, and even user names in the results.
B, C, and D are incorrect because they do not match the syntax provided.
2. Which of the following is true regarding the p0f tool?
A. It is an active OS fingerprinting tool.
B. It is a passive OS fingerprinting tool.
C. It is designed to extract metadata for Microsoft files.
D. It is designed for remote access.
B. p0f, per, “is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.”
When nmap scanning is blocked or otherwise unreliable, p0f can make use of a “vanilla” TCP connection to passively fingerprint. It can provide measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), and user language preferences. It also provides automated detection of connection sharing (NAT), load balancing, and application-level proxying setups.
A, C, and D are incorrect because these do not describe p0f. Active fingerprinting involves sending traffic in an effort to read responses and determine open ports and other goodies (like nmap does). p0f does not read metadata from available files for information purposes (like metagoofil does), and it’s definitely not a remote access tool (like netcat).
3. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
A. Your IDLE scan results will not be useful to you.
B. The zombie system is a honeypot.
C. There is a misbehaving firewall between you and the zombie machine.
D. This is an expected result during an IDLE scan.
A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.
B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”
C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.
D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to increase regularly with each discovered open port, not randomly, as occurs with traffic on an active system.
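To make the IPID reasoning in this answer concrete, here is an added in-memory model (not code from the book) of a zombie whose IP ID counter increments once per packet it sends, a target that answers the spoofed SYN toward the zombie, and the before/after reads the scanner interprets. The Zombie, Target and idle_scan names and the background_packets setting are assumptions for the model; the second scenario shows how a zombie that is not idle turns a closed port into a false "open" and an open port into noise.

```python
"""Model of the IP ID side channel an IDLE scan relies on (question 3) and of
why a zombie that is not truly idle makes the results moot. This is an added
example for the study guide, not code from the book; everything happens in
memory, no packets are sent, and the hosts and ports are constructed."""


class Zombie:
    """Host whose IP stack stamps every outgoing packet with a global,
    sequentially incrementing IP ID (the "knack" the answer describes)."""

    def __init__(self, ipid=1000, background_packets=0):
        self.ipid = ipid
        # Packets the zombie sends on its own between two of our reads;
        # 0 models a zombie that is genuinely idle (assumed parameter).
        self.background_packets = background_packets

    def send_packet(self):
        self.ipid += 1
        return self.ipid

    def receive(self, flags):
        # An unsolicited SYN/ACK is answered with a RST (one more packet);
        # a bare RST is simply dropped, so the counter does not move.
        if flags == "SYN/ACK":
            self.send_packet()

    def do_other_traffic(self):
        for _ in range(self.background_packets):
            self.send_packet()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def answer_syn(self, port):
        # The target answers the spoofed SYN toward the zombie, not the scanner.
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_probe(zombie, target, port):
    """One port's inference: read the zombie's IP ID, let the target answer
    the zombie, read it again, and interpret the difference."""
    before = zombie.send_packet()    # scanner elicits a packet to read the IP ID
    zombie.do_other_traffic()        # whatever else the zombie is doing meanwhile
    zombie.receive(target.answer_syn(port))
    after = zombie.send_packet()     # second read
    delta = after - before
    if delta == 2:
        return "open"          # our read plus the zombie's RST to the SYN/ACK
    if delta == 1:
        return "closed"        # only our own read moved the counter
    return "inconclusive"      # counter moved for reasons we cannot attribute


def idle_scan(zombie, target, ports):
    return {port: idle_probe(zombie, target, port) for port in ports}


if __name__ == "__main__":
    target = Target(open_ports={80})
    print("idle zombie:", idle_scan(Zombie(), target, [22, 80]))
    # A zombie that sends one packet of its own per probe: the closed port
    # now looks open and the open port becomes unreadable.
    print("busy zombie:", idle_scan(Zombie(background_packets=1), target, [22, 80]))
```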
4. You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?
A. nmap
B. nmap -sT
C. nmap -sP
D. nmap -P0
C. The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don’t define a switch, nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool.
A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.
B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.
D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually runs the scan without ping (ICMP). This is a good switch to use when you don’t seem to be getting responses from your targets. It forces nmap to start the scan even if it thinks that the target doesn’t exist (which is useful if the computer is blocked by a firewall).
5. A team member runs an inverse TCP scan. What is the expected return for an open port?
A. Open ports respond with a SYN/ACK.
B. Open ports respond with a RST.
C. Open ports respond with a FIN.
D. Open ports do not respond at all.
D. ECC can get infuriating at times with nomenclature and semantics. Versions of the Inverse TCP Flag scan used to be called the FIN scan or the NULL scan. Stealth scans used to be known as SYN scans. Why? Well, other than the fact that EC-Council can do whatever they want with the certification, the reasoning for the Inverse scan name comes down to the way it behaves: it’s the inverse of all the other scans. This scan uses the FIN, URG or PSH flags (or, in one version, no flags at all) to poke at system ports. If the port is open, there will be no response at all. If the port is closed, a RST/ACK will be sent in response—you know, the inverse of the TCP connect scan.
In case you’re wondering, this scan is closely related to the so-called XMAS scan. A Christmas scan is so named because all flags are turned on, so the packet is “lit up” like a Christmas tree. Port responses are the same as with an Inverse TCP scan. XMAS scans do not work against Microsoft Windows machines due to Microsoft’s TCP/IP stack implementation (Microsoft TCP/IP is not RFC 793 compliant).
A is incorrect because this response for open ports would be seen in a TCP Connect (Full) or SYN (Half-Open) scan. In these scans, open ports will respond with a SYN/ACK, and closed ports will respond with a RST.
B is incorrect because this is the response for closed ports on TCP Connect and SYN scans.
C is incorrect because the FIN flag is used to bring a communications session to an orderly close.
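As an added illustration for this answer (not code from the book), the model below encodes how an RFC 793 stack answers each probe described here (SYN, ACK, and the FIN/NULL/XMAS inverse probes), the Windows exception, and what a captured probe/response pair lets you conclude about the port. The names probe_response, classify_probe and infer_port_state and the RFC793/WINDOWS stack labels are chosen for the example; flag sets are constructed, no packets are sent.

```python
"""How a TCP stack answers the probe segments behind the scan types in the
answer to question 5, and how to read a captured probe/response pair back into
a port state. Added model for the study guide, not the book's code."""

RFC793 = "rfc793"      # BSD-derived stacks (Unix/Linux) follow RFC 793 here
WINDOWS = "windows"    # Microsoft stack, not RFC 793 compliant on this point


def probe_response(probe_flags, port_state, stack=RFC793):
    """Return the flag set of the reply to a probe at a port, or None for silence.

    probe_flags: set of TCP flag names sent, e.g. {"FIN", "PSH", "URG"}
    port_state:  "open", "closed" or "filtered"
    """
    flags = set(probe_flags)
    if port_state == "filtered":
        return None                       # a filtering device drops the probe
    if "SYN" in flags and "ACK" not in flags:
        # Connect (-sT) and half-open (-sS) scans: SYN/ACK if open, RST/ACK if closed.
        return {"SYN", "ACK"} if port_state == "open" else {"RST", "ACK"}
    if "ACK" in flags:
        # ACK scan: an unsolicited ACK draws a RST whether the port is open or
        # closed, so it reveals filtering rather than port state.
        return {"RST"}
    # No SYN and no ACK: FIN, NULL (no flags) and XMAS probes. RFC 793 has an
    # open port drop them silently and a closed port answer RST/ACK, the
    # "inverse" of the SYN scan responses above.
    if stack == WINDOWS:
        return {"RST", "ACK"}             # Windows answers RST/ACK regardless of state
    return None if port_state == "open" else {"RST", "ACK"}


def classify_probe(probe_flags):
    """Name the scan type the chapter uses for a probe carrying these flags."""
    flags = set(probe_flags)
    if flags == {"SYN"}:
        return "SYN (half-open)"
    if flags == {"ACK"}:
        return "ACK"
    if flags == {"FIN", "PSH", "URG"}:    # nmap's -sX flag combination
        return "XMAS"
    if flags == {"FIN"}:
        return "FIN (inverse)"
    if not flags:
        return "NULL (inverse)"
    return "unknown"


def infer_port_state(probe_flags, response_flags, stack=RFC793):
    """Work backwards from a probe/response pair to the port states that could
    have produced it. One candidate means a definite answer; several are
    joined with '|' (nmap's open|filtered style) and mean the reply is ambiguous."""
    candidates = sorted(
        state for state in ("open", "closed", "filtered")
        if probe_response(probe_flags, state, stack) == response_flags
    )
    return "|".join(candidates) if candidates else "unreliable"


if __name__ == "__main__":
    xmas = {"FIN", "PSH", "URG"}
    print(classify_probe(xmas), "closed ->", probe_response(xmas, "closed"))
    print(classify_probe(xmas), "open   ->", probe_response(xmas, "open"))
    # Against Windows every inverse probe draws RST/ACK, so the reply says nothing.
    print("XMAS on Windows, RST/ACK reply ->",
          infer_port_state(xmas, {"RST", "ACK"}, stack=WINDOWS))
```

The last line prints "closed|open", which is the practical meaning of "XMAS scans do not work against Microsoft Windows machines": the reply no longer separates the two states.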
6. You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?
A. 53
B. 88
C. 445
D. 514
E. 631
E. You will probably see 3–5 questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0–1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won’t, and maybe you can’t. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you’ll see on the exam somewhere, and then use the process of elimination to get to the right answer.
For example, suppose you had no idea that TCP port 631 was used by Internet Printing Protocol (IPP), but you did know what 53, 88, and 445 were for. Suddenly it’s not that difficult (now down to a 50/50 chance). By the way, 631 won’t be the only thing you’ll be monitoring for, but of the answers provided, it is the best choice.
A is incorrect because 53 is the port number used by DNS (TCP and UDP). The TCP side will be used for across-Internet traffic, where the loss of speed due to connection-oriented traffic is worth it to ensure delivery, and UDP will be mostly internal.
B is incorrect because 88 is the port number used by Kerberos.
C is incorrect because 445 is used for Microsoft SMB file sharing. You’ll definitely see SMB file sharing and this port somewhere on the exam, usually as part of a scenario like the one in this question.
D is incorrect because 514 is the (UDP) port number used by syslog—and trust me, you need to know this one. EC-Council loves syslog. You’ll definitely see it a couple of times on the exam.
7. A colleague enters the following command:
root@mybox: # hping3 -A 192.168.2.x -p 80
What is being attempted here?
A. An ACK scan using hping3 on port 80 for a single address
B. An ACK scan using hping3 on port 80 for a group of addresses
C. Address validation using hping3 on port 80 for a single address
D. Address validation using hping3 on port 80 for a group of addresses
B. Hping is a great tool providing all sorts of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows a human-readable description of TCP/IP packets.
A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The x in the last octet tells hping to fire away at all those available addresses.
C and D are both incorrect because “address validation” is not a scan type.
8. You are examining traffic between hosts and note the following exchange:
Which of the following statements are true regarding this traffic? (Choose all that apply.)
A. It appears to be part of an ACK scan.
B. It appears to be part of an XMAS scan.
C. It appears port 4083 is open.
D. It appears port 4083 is closed.
B, C. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, you should receive a RST/ACK response; if it’s closed, you get nothing. This tells you port 4083 looks like it’s open. As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won’t see this much out in the real world because it just really doesn’t have much applicability. But on your exam? Oh yes—it’ll be there.
A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).
D is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).
9. You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?
A. The network is unreachable.
B. The host is unknown.
C. Congestion control is enacted for traffic to this host.
D. A firewall is prohibiting connection.
D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. Code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.
A is incorrect because “network unreachable” is Type 3, Code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.
B is incorrect because “host unknown” is Type 3, Code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).
C is incorrect because “congestion control” ICMP messaging is Type 4.
10. Which port-scanning method presents the most risk of discovery but provides the most reliable results?
A. Full-connect
B. Half-open
C. Null Scan
D. XMAS scan
A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).
B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).
C is incorrect because a null scan sends packets with no flags set at all. Responses will vary, depending on the OS and version, so reliability is spotty. As an aside, null scans are designed for Unix/Linux machines and don’t work on Windows systems.
D is incorrect because although an XMAS scan is easily detectable (as our celebrated technical editor put it, “a fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.
11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?
A. The hosts might be turned off or disconnected.
B. ICMP is being filtered.
C. The destination network might be down.
D. The servers are Linux based and do not respond to ping requests.
B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator for those two important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.
A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.
C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you if the subnet did drop while you were testing, your test is over.
D is incorrect because this is simply not true.
12. A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)
A. --script
B. -z
C. -sA
D. -sC
A, D. Nmap is a great scanning tool, providing all sorts of options, and you’ll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap’s site (, “NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output.”
I’ve also seen mentioned in other study material that the -A switch is also considered as an NSE function. -A turns on “aggressive” scanning, which reports on version detection, operating system fingerprinting, and all sorts of other goodies. A pretty good wrap-up of nmap switches can be found on (
B is incorrect because -z isn’t an nmap switch.
C is incorrect because the -sA switch runs an ACK scan (ACK segments are sent to ports to determine their state).
13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the PIDs associated with them in a reliable manner?
A. ls
B. chmod
C. pwd
D. lsof
D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all sorts of other information.
A is incorrect because ls (list) simply displays all the files and folders in your current directory. Its counterpart in the PC world is dir.
B is incorrect because chmod is used to set permissions on files and objects in Linux.
C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.
14. You want to display active and inactive services on a Windows Server. Which of the following commands best performs this service?
A. sc query
B. sc query type=all
C. sc query type=service
D. sc query state= all
D. The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service.
A sampling of uses for the sc command follows:
• sc config Determines the status of a service at system startup, and sets a service to run automatically, manually or not at all.
• sc query Displays information about services, drivers, and types of both. Without parameters, it returns a list of all running services and associated information. To create a list of all services, use sc query state= all.
• sc start Starts a service that is not running.
• sc stop Stops a running service.
• sc pause Pauses a service.
• sc continue Resumes a paused service.
• sc enumdepend Lists the services that cannot run unless the specified service is running.
• sc qc Displays the configuration of a particular service.
And finally, one more quick note: Remember there is always a space after the equals sign. Syntax is important, and ECC will probably spring that on you.
A, B, and C all use incorrect syntax for the question asked.
15. An administrator enters the following command on a Linux system:
iptables -t nat -L
Which of the following best describes the intent of the command entered?
A. The administrator is attempting a port scan.
B. The administrator is configuring IP masquerading.
C. The administrator is preparing to flood a switch.
D. The administrator is preparing a DoS attack.
B. Do you remember Network Address Translation? It’s a neat little technology that allows lots of internal hosts, using nonroutable private addressing, to access the Internet by borrowing and using a single address (or a group of addresses) managed by a router or other system. IP masquerading is much the same thing; it’s just accomplished through a Linux host. In short, a Linux machine can act as a NAT translator by employing proper routing configuration, using one NIC to communicate with the internal network and one for the external, and enabling IP Masquerade.
Looking over the man page for the command, we see that iptables is an administration tool for IPv4 packet filtering and NAT. Per the man page, “Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.” Syntax is iptables -t tablename -switch, where tablename is filter, nat, mangle, raw, or security, and switch equates to the option you wish to enable. For example, -A appends rules, -D deletes rules, and -R replaces rules.
A, C, and D are incorrect because they do not accurately represent what is being attempted.
16. What is being attempted with the following command?
nc -u -v -w2 1-1024
A. A full connect scan on ports 1–1024 for a single address
B. A full connect scan on ports 1–1024 for a subnet
C. A UDP port scan of ports 1–1024 on a single address
D. A UDP scan of ports 1–1024 on a subnet
C. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).
A is incorrect because the -u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.
B is incorrect because the -u switch shows this as a UDP scan. Additionally, this is aimed at a single address, not a subnet.
D is incorrect because this is aimed at a single address, not a subnet.
17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?
A. TCP 22
B. TCP 53
C. UDP 22
D. UDP 53
B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.
A is incorrect because TCP port 22 is for SSH, not DNS.
C is incorrect because UDP port 22 simply doesn’t exist (SSH is TCP based).
D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.
18. A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?
A. It displays the IP route table for the machine.
B. It displays the NetBIOS name cache.
C. It displays active and inactive services.
D. It puts a NIC into promiscuous mode for sniffing.
B. Per Microsoft, regarding the nbtstat command: “Nbtstat is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. The nbtstat command removes and corrects preloaded entries using a number of case-sensitive switches.” Syntax for the command includes the following:
• nbtstat -a <name> Performs a NetBIOS adapter status command on the computer name specified by <name>. The adapter status command returns the local NetBIOS name table for that computer as well as the MAC address of the adapter card.
• nbtstat -A <IP address> Performs the same function as the -a switch, but using a target IP address rather than a name.
• nbtstat -c Shows the contents of the NetBIOS name cache, which contains NetBIOS-name-to-IP-address mappings.
• nbtstat -n Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector.
• nbtstat -r Displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server.
• nbtstat -R Purges the name cache and reloads all #PRE entries from the LMHOSTS file (#PRE entries are the LMHOSTS name entries that are preloaded into the cache).
• nbtstat -RR Sends name release packets to the WINS server and starts a refresh, thus re-registering all names with the name server without a reboot being required.
• nbtstat -S Lists current NetBIOS sessions and their status, including statistics.
A, C, and D are incorrect because they do not match the command usage. If you wish to see the route table on a Windows system, use the route print command. The sc query state= all command will show all the active and inactive services on the system. To put the NIC in promiscuous mode, you’d need the WinPcap driver installed.
19. Consider the ports shown in the nmap output returned on an IP scanned during footprinting:
Which of the following is true regarding the output?
A. The host is most likely a router or has routing enabled.
B. The host is most likely a printer or has a printer installed.
C. The host is definitely a Windows server.
D. The host is definitely a Linux server.
B. So this output is pretty interesting, huh? There’s some FTP, Telnet, and HTTP open, and a little NetBIOS action going on there, too. The TCP ports 515 and 631, however, are the ones to note here. 515 corresponds to the Line Printer Daemon protocol/Line Printer Remote protocol (or LPD, LPR), which is used for submitting print jobs to a remote printer. Port 631 corresponds to the Internet Printing Protocol (IPP), and both point to printing.
A is incorrect because none of these ports show anything related to routing.
C and D are incorrect because there is simply not enough information to definitively identify the operating system in use. Yes, it is true that the Line Printer Daemon protocol was originally in the BSD UNIX operating system; however, it is used regardless of OS.
20. The following results are from an nmap scan:
Which of the following is the best option to assist in identifying the operating system?
A. Attempt an ACK scan.
B. Traceroute to the system.
C. Run the same nmap scan with the -vv option.
D. Attempt banner grabbing.
D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.
A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.
B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.
C is incorrect because the -vv switch provides only more (verbose) information on what nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”
21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?
A. nmap -sN targetIPaddress
B. nmap -sO targetIPaddress
C. nmap -sS targetIPaddress
D. nmap -sT targetIPaddress
C. A half-open scan, as defined by this nmap command line, is the best option in this case. The SYN scan was created with stealth in mind because the full connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). As far as the real world is concerned, it’s a fact that most IDSs can pick up a SYN scan just as easily as a full connect, but if you go slow enough, both a SYN and a full connect can be almost invisible. A connect scan is indistinguishable from a real connection, whereas a SYN scan can be distinguished. In other words, the full connect will look like any other conversation—just bunches of them all at once—whereas a SYN scan will show a lot of systems answering a conversation starter only to be met with rude silence. The lesson is that any scan can and probably will be seen in the real world by a monitoring IDS; however, the slower you go, the less chance you’ll have of being seen, all things being equal.
A is incorrect because a null scan may not provide the reliability you’re looking for. Remember, this scan won’t work on a Windows host at all.
B is incorrect because the -sO switch tells you this is an operating system scan. Fingerprinting scans are not stealthy by anyone’s imagination, and they won’t provide the full information you’re looking for here.
D is incorrect because the -sT option indicates a full connect scan. Although this is reliable, it is noisy, and you will most likely be discovered during the scan.
22. What is the second step in the TCP three-way handshake?
C. Admittedly, this is an easy one, but I’d bet dollars to doughnuts you see it in some form on your exam. It’s such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you’re almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.
A is incorrect because SYN is the first step (flag set) in the three-way handshake.
B is incorrect because ACK is the last step (flag set) in the three-way handshake.
D is incorrect because of the order listed. True, both these flags are the flags set in the three-way handshake. However, in the discussion of this step-by-step process, at least as far as your exam is concerned, it’s SYN/ACK, not the other way around. And, yes, this distractor, in some form, will most likely be on your exam. You won’t care about the order in the real world since flags are a mathematical property of the packet and not some ridiculous order, but for your exam you’ll need to know it this way.
E is incorrect because the FIN flag brings an orderly close to a communication session.
23. You are enumerating a subnet. While examining message traffic you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?
A. Public (read-only) and Private (read/write)
B. Private (read-only) and Public (read/write)
C. Read (read-only) and Write (read/write)
D. Default (both read and read/write)
A. SNMP uses a community string as a form of a password. The read-only version of the community string allows a requester to read virtually anything SNMP can drag out of the device, whereas the read/write version is used to control access for the SNMP SET requests. The read-only default community string is public, whereas the read/write string is private. If you happen upon a network segment using SNMPv3, though, keep in mind that SNMPv3 can use a hashed form of the password in transit versus the clear text.
B is incorrect because the community strings are listed in reverse here.
C is incorrect because Read and Write are not community strings.
D is incorrect because Default is not a community string in SNMP.
24. Nmap is a powerful scanning and enumeration tool. What does this nmap command attempt to accomplish?
nmap -sA -T4
A. A serial, slow operating system discovery scan of a Class C subnet
B. A parallel, fast operating system discovery scan of a Class C subnet
C. A serial, slow ACK scan of a Class C subnet
D. A parallel, fast ACK scan of a Class C subnet
D. You are going to need to know nmap switches well for your exam. In this example, the -sA switch indicates an ACK scan (the only scan that returns no response on a closed port), and the -T4 switch indicates an “aggressive” scan, which runs fast and in parallel.
A is incorrect because a slow, serial scan would use the -T, -T0, or -T1 switch. Additionally, the OS detection switch is -O, not -sA.
B is incorrect because although this answer got the speed of the scan correct, the operating system detection portion is off.
C is incorrect because although this answer correctly identified the ACK scan switch, the -T4 switch was incorrectly identified.
25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)
A. The host will be attempting to retrieve an HTML file.
B. The source port field on this packet can be any number between 1024 and 65535.
C. The first packet from the destination in response to this host will have the SYN and ACK flags set.
D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning “10.”
A, D. Yes, it is true that port 80 traffic is generally HTTP; however, there are two problems with this statement. The first is that all that is happening here is an arbitrary connection to something on port 80. For all we know, it’s a listener, a Telnet connection, or anything at all. Second, assuming it’s actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it’s the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of 10 to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.
B is incorrect because it’s a true statement. Source port fields are dynamically assigned using anything other than the “well-known” port range (0–1023). IANA has defined the following port number ranges: ports 1024 to 49151 are the registered ports (assigned by IANA for a specific service upon application by a requesting entity), and ports 49152 to 65535 are dynamic or private ports that cannot be registered with IANA.
C is incorrect because it’s a true statement. The requesting machine has sent the first packet in the three-way handshake exchange—a SYN packet. The recipient will respond with a SYN/ACK and wait patiently for the last step—the ACK packet.
26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
B. This answer normally gets mixed up with the URG flag because we all read it as urgent. However, just remember the key word with PSH is “buffering.” In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.
A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized. As an aside, URG isn’t used much by modern protocols.
C is incorrect because the RST flag forces a termination of communications (in both directions).
D is incorrect because BUF isn’t a TCP flag at all.
27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?
A. Open
B. Closed
C. Filtered
D. Unknown
B. Remember, a SYN scan occurs when you send a SYN packet to all open ports. If the port is open, you’ll obviously get a SYN/ACK back. However, if the port is closed, you’ll get a RST-ACK.
A is incorrect because an open port would respond differently (SYN/ACK).
C is incorrect because a filtered port would likely not respond at all. (The firewall wouldn’t allow the packet through, so no response would be generated.)
D is incorrect because you know exactly what state the port is in because of the RST-ACK response.
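As an added example that is not from the book, the following Python models what Questions 21, 22, 25, 26, and 27 describe: the TCP flag bits, the seq/ack arithmetic of the three-way handshake, how a lone SYN’s reply maps to open/closed/filtered, and, from the defender’s side, how a packet capture gives away half-open probes that a real session would have completed. All addresses, ports, and sequence numbers in it are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits in the header's flags byte (Q26: URG, ACK, PSH, RST, SYN, FIN; no BUF flag)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Segment:
    """Minimal TCP segment: only the fields the questions reason about."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0

def three_way_handshake(client: str, server: str, dport: int,
                        isn: int, server_isn: int) -> List[Segment]:
    """SYN, SYN/ACK, ACK with the acknowledgement arithmetic from Q22 and Q25:
    the SYN's sequence number is acknowledged as isn + 1, not echoed back as-is."""
    sport = 51234  # constructed ephemeral source port (Q25 B: outside the 0-1023 range)
    syn = Segment(client, sport, server, dport, SYN, isn)
    syn_ack = Segment(server, dport, client, sport, SYN | ACK, server_isn, syn.seq + 1)
    ack = Segment(client, sport, server, dport, ACK, syn.seq + 1, syn_ack.seq + 1)
    return [syn, syn_ack, ack]

def syn_scan_port_state(reply: Optional[Segment]) -> str:
    """Interpret the reply to a single SYN probe as Q27 describes."""
    if reply is None:
        return "filtered"      # dropped by a firewall, so nothing comes back
    if reply.flags & SYN and reply.flags & ACK:
        return "open"          # SYN/ACK: something is listening
    if reply.flags & RST:
        return "closed"        # RST/ACK: nothing listening
    return "unknown"

def half_open_connections(capture: List[Segment]) -> List[Tuple[str, str, int]]:
    """Defender's view of Q21: SYNs answered with SYN/ACK that the initiator never
    completes with an ACK (a real session would). Returns (initiator, target, port)."""
    state = {}
    for s in capture:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == SYN:
            state[fwd] = "syn"
        elif s.flags == SYN | ACK and state.get(rev) == "syn":
            state[rev] = "syn_ack"
        elif s.flags & ACK and not s.flags & RST and state.get(fwd) == "syn_ack":
            state[fwd] = "established"
    return sorted((k[0], k[2], k[3]) for k, v in state.items() if v == "syn_ack")

# Constructed capture: one genuine web session, then probes from 10.0.0.99 that are
# answered with SYN/ACK (open) or RST/ACK (closed) and never completed.
SAMPLE_CAPTURE = three_way_handshake("10.0.0.5", "10.0.0.20", 80, 10, 4000) + [
    Segment("10.0.0.99", 40001, "10.0.0.20", 80, SYN, 100),
    Segment("10.0.0.20", 80, "10.0.0.99", 40001, SYN | ACK, 7000, 101),
    Segment("10.0.0.99", 40001, "10.0.0.20", 80, RST, 101),           # scanner tears down
    Segment("10.0.0.99", 40002, "10.0.0.20", 515, SYN, 200),
    Segment("10.0.0.20", 515, "10.0.0.99", 40002, SYN | ACK, 7100, 201),
    Segment("10.0.0.99", 40003, "10.0.0.20", 23, SYN, 300),
    Segment("10.0.0.20", 23, "10.0.0.99", 40003, RST | ACK, 0, 301),   # closed port
]
```

Running half_open_connections(SAMPLE_CAPTURE) reports the two half-open probes against ports 80 and 515 and ignores both the completed session from 10.0.0.5 and the closed-port probe to 23.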