CCNA Scanning Networks and Enumeration Questions

19 questions · Scanning Networks and Enumeration · All types, answers revealed

1
MCQ · medium

A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?

A. The target host has a host-based firewall that drops SYN packets but allows full connections.
B. A network firewall is performing stateful inspection and dropping unsolicited SYN packets while allowing established connections.
C. The target host has ICMP filtering enabled, preventing Nmap from identifying it as online.
D. Nmap's SYN scan requires root privileges, and the tester ran it without sudo.
Answer: B

Stateful firewalls track connections; a SYN scan sends unsolicited SYN packets that may be dropped, while a connect scan completes the handshake and appears as a normal connection.

Why this answer

The discrepancy occurs because a network firewall is performing stateful inspection. It drops unsolicited SYN packets (the first step of a SYN scan) but allows full TCP connections (SYN, SYN-ACK, ACK) to complete, as the connect scan establishes a full three-way handshake. This behavior is typical of stateful firewalls that track connection state and only permit packets belonging to established sessions.

Exam trap

The trap here is that candidates often assume a host-based firewall is the cause, but stateful network firewalls specifically differentiate between incomplete SYN probes and full TCP handshakes, making option B the correct answer.

How to eliminate wrong answers

Option A is wrong because a host-based firewall would typically block both SYN packets and full connection attempts consistently, not selectively allow full connections while dropping SYNs. Option C is wrong because ICMP filtering affects host discovery (ping sweeps), not port scan results; Nmap can still perform port scans without ICMP echo replies. Option D is wrong because while SYN scan requires root privileges, running without sudo would cause an error or fallback to connect scan, not produce a discrepancy between two scans—both would fail or both would show open ports.

2
Matching · medium

Match each cloud security concept to its description.


Infrastructure as a Service - virtualized computing resources

Platform as a Service - development and deployment platform

Software as a Service - ready-to-use applications

Security duties split between provider and customer

Cloud Access Security Broker - policy enforcement between users and cloud

Why these pairings

Cloud security is a growing domain in CEH.

3
Multi-Select · easy

Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?

Select 2 answers
A. Fragment scan (-f)
B. SYN scan (-sS)
C. ACK scan (-sA)
D. Idle scan (-sI)
E. Xmas scan (-sX)
Answers: A, D

Correct: Fragments packets to bypass firewalls.

Why this answer

The Fragment scan (-f) is correct because it splits TCP headers into multiple small IP fragments, making it harder for firewalls and IDS systems to reassemble and inspect the full packet. This evasion technique exploits the fact that many filtering devices only check the first fragment and pass subsequent fragments without scrutiny, allowing the scan to bypass detection.

Exam trap

The trap here is that candidates often confuse the Fragment scan (-f) with the Idle scan (-sI) because both are evasion techniques, but the Idle scan uses a zombie host to spoof the source IP, not fragmentation, to evade detection.

4
MCQ · medium

Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?

A. The port is closed and the target sent a RST packet.
B. The port is open but the service is not responding to the scan.
C. The port is open but Nmap cannot determine the service.
D. A firewall, router rule, or host-based firewall is blocking the probes.
Answer: D

Filtered indicates that probes are being dropped or blocked.

Why this answer

When Nmap reports a port as 'filtered', it means that the scan probes (e.g., SYN packets) were dropped or blocked before reaching the target service, typically by a firewall, router ACL, or host-based firewall. Unlike 'open' (which receives a SYN/ACK) or 'closed' (which receives a RST), 'filtered' indicates no response or an ICMP unreachable message, so Nmap cannot confirm whether the port is actually open or closed.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', not realizing that 'filtered' specifically indicates a firewall or ACL is interfering with the probe, not the state of the service itself.

How to eliminate wrong answers

Option A is wrong because a closed port sends a RST packet in response to a SYN scan, which Nmap reports as 'closed', not 'filtered'. Option B is wrong because if a port is open but the service is not responding, Nmap would still receive a SYN/ACK from the TCP stack (since the OS handles the handshake), and the port would be reported as 'open' unless a firewall interferes. Option C is wrong because Nmap can determine the service on an open port via service version detection (-sV); 'filtered' does not relate to service identification failure.

5
MCQ · medium

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

A. Conduct a full TCP port scan of the entire network using SYN scan.
B. Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.
C. Use a ping sweep to identify live hosts, then perform a version scan on each.
D. Perform an ARP scan of the entire subnet and then check each host manually.
Answer: B

Scanning only the relevant port with version detection minimizes traffic and focuses on the vulnerable service.

Why this answer

Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.

Exam trap

The trap here is that candidates often choose a ping sweep (Option C) thinking it reduces disruption, but they overlook that ICMP may be blocked, and the subsequent version scan on each host still requires port-level scanning, making Option B more efficient and accurate.

How to eliminate wrong answers

Option A is wrong because a full TCP port scan of the entire network would generate excessive traffic, potentially disrupting operations, and is unnecessary when only port 22 is relevant. Option C is wrong because a ping sweep may miss hosts that block ICMP (e.g., firewalls), leading to incomplete identification, and then performing a version scan on each live host still requires scanning all ports on those hosts, which is less efficient than targeting port 22 directly. Option D is wrong because an ARP scan only works within the local subnet (Layer 2) and does not scale to a large corporate network across multiple subnets; manual checking is impractical and error-prone.

6
MCQ · hard

You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?

A. The EC2 instance is behind a NAT gateway that only allows outbound traffic. The load balancer is in a public subnet, but the instance is in a private subnet and cannot be reached from the internet directly.
B. The VPC's network ACL is blocking inbound SYN packets to the EC2 instance's public IP, while allowing established connections. The TCP connect scan sends ACK packets, which bypass the ACL.
C. The EC2 instance's security group only allows HTTP/HTTPS traffic from the load balancer's security group and SSH from the internal IP range. The load balancer's security group allows internet traffic to the load balancer, but the EC2 instance's security group does not allow direct internet traffic to the instance.
D. The EC2 instance does not have a public IP assigned; the load balancer performs destination NAT. The initial scan targeted the load balancer's IP, not the instance's IP.
Answer: C

Why this answer

Option C is correct because the EC2 instance's security group is configured to allow HTTP/HTTPS only from the load balancer's security group (not from the internet directly) and SSH only from the internal IP range (203.0.113.0/24). The initial Nmap SYN scan against the EC2 instance's public IP failed because the instance's security group drops all inbound traffic not explicitly allowed, including SYN packets to port 22 from external IPs, making the host appear down. The TCP connect scan revealed ports 80 and 443 open because the load balancer forwards traffic to those ports on the instance, but the security group still blocks direct internet access to the instance's public IP for SSH, resulting in a filtered state.

The internal scan from another EC2 instance in the same VPC succeeded because the security group allows SSH from the internal IP range, and the private IP is reachable within the VPC.

Exam trap

The trap here is that candidates confuse the behavior of security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and incorrectly assume that a filtered port or unresponsive host must be due to a NACL blocking SYN packets, rather than recognizing that the security group's explicit deny of direct internet traffic to the instance's public IP causes the scan to fail.

How to eliminate wrong answers

Option A is wrong because a NAT gateway only handles outbound traffic from private instances to the internet; it does not block inbound traffic to an instance that has a public IP assigned, and the scenario confirms the EC2 instance has a public IP (since scans against it returned results). Option B is wrong because network ACLs are stateless and block or allow traffic based on rules, but they do not distinguish between SYN and ACK packets in a way that would allow a TCP connect scan (which uses SYN packets, not ACK) to bypass; additionally, the VPC's default NACL allows all inbound/outbound traffic, and custom NACLs would need explicit rules to block SYN packets, which is not indicated. Option D is wrong because the load balancer does perform destination NAT, but the initial scan targeted the EC2 instance's public IP (as stated in the scenario), not the load balancer's IP; the instance does have a public IP assigned, as evidenced by the successful TCP connect scan to ports 80 and 443 on that IP.

7
MCQ · easy

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

A. Traceroute
B. Banner grabbing
C. DNS enumeration
D. SNMP walk
Answer: A

Traceroute increments TTL to get ICMP time-exceeded messages from routers, revealing the path.

Why this answer

Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.

Exam trap

The trap here is that candidates often confuse traceroute with ping (which only tests reachability and RTT, not hop-by-hop path discovery) or assume banner grabbing can reveal network topology, but only traceroute systematically identifies each intermediate device along the route.

How to eliminate wrong answers

Option B is wrong because banner grabbing is used to retrieve service banners (e.g., HTTP Server header, SSH version) from open ports to identify running services and versions, not to discover network path or intermediate devices. Option C is wrong because DNS enumeration is a technique to gather DNS records (e.g., A, MX, NS) and subdomains from a DNS server to map domain infrastructure, not to trace packet routes. Option D is wrong because an SNMP walk retrieves the entire Management Information Base (MIB) tree from an SNMP-enabled device to read configuration and performance data, not to discover the path packets take through the network.
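The TTL mechanism in the explanation above, as an added example that is not part of the original question set: a small model of a route in which every router decrements the TTL, the router that brings it to zero answers with ICMP Time Exceeded, and the destination answers once the TTL outlives the whole path. The path, its addresses (RFC 5737 documentation ranges) and the silent hop are constructed for this illustration.

```python
# Added example (not from the original question set): a model of how
# traceroute discovers each hop by raising the IP TTL one step at a time.
# The path, its addresses (RFC 5737 documentation ranges) and the silent
# hop are constructed for this illustration.
from collections import namedtuple

Reply = namedtuple("Reply", ["sender", "kind"])  # kind: time-exceeded, echo-reply, none

# Constructed route: three routers between the scanner and the target.
PATH = ["192.0.2.1", "198.51.100.7", "198.51.100.30"]
DESTINATION = "203.0.113.10"

# Constructed: a filtering device that discards expired probes without
# sending ICMP Time Exceeded, which traceroute shows as "* * *".
SILENT_HOPS = {"198.51.100.7"}


def forward(ttl, path, destination, silent=frozenset()):
    """Deliver one probe with the given TTL along the path.

    Every router decrements TTL before forwarding. The router that brings
    it to zero discards the probe and (normally) answers with ICMP Time
    Exceeded, which is what reveals its address.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return Reply(None, "none")
            return Reply(router, "time-exceeded")
    # TTL outlived every router: the destination itself answers.
    return Reply(destination, "echo-reply")


def traceroute(path, destination, silent=frozenset(), max_hops=30):
    """Return the (hop, address) pairs traceroute would print; "*" = no reply."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(ttl, path, destination, silent)
        hops.append((ttl, reply.sender or "*"))
        if reply.kind == "echo-reply":
            break
    return hops


if __name__ == "__main__":
    for hop, addr in traceroute(PATH, DESTINATION, SILENT_HOPS):
        print(f"{hop:2d}  {addr}")
```

The silent hop is the case a network defender should recognise from the other side: a device that drops expired probes without an ICMP reply does not disappear from the trace, it shows up as a row of asterisks, which is itself a hint that a filtering device sits at that position.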

8
MCQ · hard

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

A. Perform banner grabbing on port 22 to identify the SSH version.
B. Perform SNMP enumeration to gather system information.
C. Attempt a DNS zone transfer from the server.
D. Enumerate NetBIOS names using `nbtstat`.
Answer: A

SSH version information can reveal outdated versions with known exploits.

Why this answer

Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.

Exam trap

EC-Council often tests the misconception that SNMP, DNS zone transfers, or NetBIOS enumeration are universally applicable, but the trap here is that these techniques only work when the corresponding services are actually running and accessible — the question explicitly limits open ports to 22, 80, and 443, so only banner grabbing on those ports is directly actionable.

How to eliminate wrong answers

Option B is wrong because SNMP enumeration requires SNMP (UDP ports 161/162) to be open, and the scan only found TCP ports 22, 80, and 443 — no SNMP service was detected, so this step would fail or provide no useful data. Option C is wrong because DNS zone transfer requires a DNS server (typically port 53) to be present and configured to allow transfers; the target server does not have DNS open, so this attempt would be irrelevant. Option D is wrong because NetBIOS enumeration (using nbtstat) relies on NetBIOS over TCP/IP (ports 137-139, 445), which are not open on the target; this technique is only applicable to Windows systems with NetBIOS enabled, not to a server with only SSH, HTTP, and HTTPS.
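Questions 5 and 8 both turn on the same piece of data: the OpenSSH version string that version detection or a banner returns. The following is an added example, not part of the original question set, written from the administrator's side of question 5: it reads the grepable (-oG) output of a port-22 version scan and lists the hosts whose OpenSSH release is older than a patched baseline, so they can be queued for updates. The sample output, the hosts, the versions and the baseline are all constructed; the same version parser also accepts a raw SSH banner of the kind banner grabbing returns.

```python
# Added example (not from the original question set): reading the output of
# a port-22 version scan (Nmap's grepable -oG format) to list which hosts run
# an OpenSSH release older than a patched baseline, so they can be queued for
# updates. The sample output, hosts and versions are constructed.
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.5.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/\tIgnored State: closed (0)
Host: 10.0.5.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/
Host: 10.0.5.13 ()\tPorts: 22/filtered/tcp//ssh///
Host: 10.0.5.14 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd 2020.81 (protocol 2.0)/
Host: 10.0.5.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)/
# Nmap done (constructed sample)
"""

# Matches both the Nmap version column ("OpenSSH 7.4p1 ...") and a raw SSH
# banner ("SSH-2.0-OpenSSH_7.4p1 ...").
OPENSSH_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:p(\d+))?")


def openssh_version(text):
    """Return (major, minor, patch) from a version string or banner, else None."""
    m = OPENSSH_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_gnmap(text):
    """Yield (ip, port, state, version) for every port entry in -oG output.

    Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        ports_field = re.search(r"\tPorts: ([^\t]*)", line).group(1)
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            yield ip, int(parts[0]), parts[1], parts[6]


def hosts_below(text, baseline, port=22):
    """Hosts whose open SSH port reports an OpenSSH release older than baseline."""
    found = []
    for ip, p, state, version in parse_gnmap(text):
        if p != port or state != "open":
            continue
        v = openssh_version(version)
        if v is not None and v < baseline:
            found.append((ip, v))
    return found


if __name__ == "__main__":
    for ip, v in hosts_below(SAMPLE_GNMAP, baseline=(7, 5, 0)):
        print(f"{ip}: OpenSSH {v[0]}.{v[1]}p{v[2]} is below baseline 7.5")
```

Two caveats a practitioner would keep in mind: a filtered port (10.0.5.13 in the sample) yields no version at all and needs a follow-up from inside the segment, and the version is self-reported. Distributions backport fixes without changing the upstream number (the Debian "10+deb9u7" suffix is the hint), so a low version is a triage signal for the patching queue, not proof that a given CVE applies.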

9
Matching · medium

Match each security tool to its primary purpose.


Network scanning and enumeration

Packet capture and analysis

Exploitation framework

Password cracking

Web application security testing

Why these pairings

These tools are commonly used in penetration testing and ethical hacking.

10
Drag & Drop · medium

Drag and drop the steps to conduct a penetration test using the CEH methodology into the correct order.


Why this order

The CEH methodology follows: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks.

11
MCQ · hard

You are a penetration tester for a financial institution. During the reconnaissance phase, you discover that the target network uses a firewall that only allows inbound TCP connections on ports 80, 443, and 8080. You need to identify live hosts and running services on the internal network (192.168.1.0/24) from an external perspective. To avoid detection, you must minimize the number of packets sent and ensure that your scanning technique does not complete the TCP three-way handshake. Additionally, you have limited time and need to scan all 65535 ports on the most promising target. Based on the firewall rules and the need for stealth, which of the following approaches should you take?

A. Perform a TCP connect scan (-sT) on all ports of the subnet to identify open ports and services.
B. Perform an Xmas scan (-sX) on all ports of the subnet to evade detection by sending packets with invalid flag combinations.
C. First, perform a TCP SYN scan (-sS) on the three allowed ports across the subnet. Once a live host is identified, perform a TCP SYN scan (-sS) on all 65535 ports of that host.
D. Perform a UDP scan (-sU) on all ports of the subnet because UDP is connectionless and less likely to be logged.
Answer: C

TCP SYN scan is stealthy (half-open) and efficient. Scanning only allowed ports first reduces traffic, then full port scan on the live host.

Why this answer

Option C is correct because a TCP SYN scan (-sS) sends only a SYN packet and does not complete the three-way handshake, making it stealthy. First scanning only the three allowed ports (80, 443, 8080) across the subnet minimizes packets and identifies live hosts. Once a promising target is found, a full SYN scan on all 65535 ports efficiently maps services while evading the firewall's restrictions.

Exam trap

The trap here is that candidates may choose an Xmas scan (Option B) thinking it is stealthy due to invalid flags, but fail to realize that modern firewalls and IDS systems easily detect and drop such anomalous packets, making it ineffective against port-based allow rules.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan (-sT) completes the full three-way handshake, generating more packets and logs, which increases detection risk and violates the requirement to avoid completing the handshake. Option B is wrong because an Xmas scan (-sX) sends packets with FIN, URG, and PSH flags set, which many firewalls and intrusion detection systems (IDS) drop or log as anomalous; it is also ineffective against firewalls that only allow specific TCP ports (80, 443, 8080) and may not elicit responses from filtered ports. Option D is wrong because a UDP scan (-sU) is connectionless but is slow, unreliable, and often blocked or rate-limited by firewalls; it does not leverage the allowed TCP ports and would generate excessive packets without stealth benefits.

12
MCQ · easy

Refer to the exhibit. A penetration tester runs the above Nmap scan. Which of the following statements is most accurate regarding the state of port 3389?

A. Port 3389 is open and running a Remote Desktop service, but the service version could not be identified.
B. Port 3389 is closed and the target is ignoring the probe.
C. The target is likely a honeypot designed to simulate a Windows machine.
D. A firewall is likely blocking the scan probes to port 3389, preventing Nmap from determining whether the port is open.
Answer: D

The 'filtered' state means Nmap could not determine if the port is open or closed, usually due to packet filtering.

Why this answer

The Nmap scan output shows port 3389 in a 'filtered' state, which means Nmap received no response or an ICMP unreachable error from the target. This typically indicates a firewall is blocking the probes, preventing Nmap from determining whether the port is actually open or closed. A filtered state does not confirm the port is open or closed, only that access is being obstructed.

Exam trap

The trap here is that candidates confuse 'filtered' with 'closed' or 'open', failing to recognize that Nmap's port states (open, closed, filtered) have distinct meanings based on the type of response received, and that a firewall can cause a filtered state without revealing whether the service is actually running.

How to eliminate wrong answers

Option A is wrong because Nmap reports port 3389 as 'filtered', not 'open', so it cannot confirm the service is running or identify its version. Option B is wrong because a 'closed' port would return a TCP RST packet, not the lack of response or ICMP unreachable that defines the 'filtered' state. Option C is wrong because a honeypot would typically respond to probes to simulate a service, not remain silent or return ICMP unreachables; the 'filtered' state does not indicate deception, only network-level filtering.
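Questions 4 and 12 (and the SYN-versus-connect contrast in question 1) all rest on how a scanner maps the reply to a probe onto the states open, closed and filtered. The following is an added example, not part of the original question set: the classification rules as Nmap documents them for a SYN probe, applied to a constructed "exhibit", plus a helper showing which of those probes a listening service actually gets to see, which is what decides whether the scan appears in application logs or only at a packet-level sensor. The exhibit, its ports and its replies are constructed.

```python
# Added example (not part of the original question set): how an Nmap-style
# scanner turns the reply to a SYN probe into the open / closed / filtered
# states discussed in questions 4 and 12, and which of those probes a
# listening service actually sees. The "exhibit" below is constructed.
from collections import namedtuple

# kind is "tcp" (detail = set of TCP flags), "icmp" (detail = (type, code))
# or "none" (no reply after the scanner's retransmissions).
Response = namedtuple("Response", ["kind", "detail"])

# Constructed exhibit: the reply each probed port produced.
EXHIBIT = {
    22:   Response("tcp", {"SYN", "ACK"}),   # listener answered the SYN
    80:   Response("none", None),            # probes silently dropped
    443:  Response("tcp", {"SYN", "ACK"}),
    3389: Response("icmp", (3, 13)),         # "administratively prohibited"
    8080: Response("tcp", {"RST"}),          # nothing listening, stack reset
}

# ICMP type 3 codes that Nmap's reference guide lists as "filtered" for a
# SYN probe.
FILTERED_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify_syn_probe(response):
    """Map one reply to a SYN probe to Nmap's port state.

    SYN/ACK means a listener exists, RST means the TCP stack refused the
    connection, and silence or an ICMP unreachable means something between
    the scanner and the service discarded the probe.
    """
    if response.kind == "tcp":
        if {"SYN", "ACK"} <= response.detail:
            return "open"
        if "RST" in response.detail:
            return "closed"
    if response.kind == "icmp":
        icmp_type, code = response.detail
        if icmp_type == 3 and code in FILTERED_UNREACH_CODES:
            return "filtered"
    # No reply at all (or a reply Nmap does not treat specially).
    return "filtered"


def classify_scan(exhibit):
    """Return {port: state} for a whole set of probed ports."""
    return {port: classify_syn_probe(resp) for port, resp in exhibit.items()}


def ports_seen_by_service(exhibit, scan_type):
    """Ports on which the listening application gets a completed connection.

    A connect scan (-sT) finishes the three-way handshake, so the service's
    accept() returns and it can log the visit. A SYN scan (-sS) answers the
    SYN/ACK with a RST, so the kernel never hands the half-open connection to
    the application; only a packet-level sensor notices it.
    """
    states = classify_scan(exhibit)
    if scan_type == "-sT":
        return sorted(p for p, s in states.items() if s == "open")
    return []


if __name__ == "__main__":
    for port, state in sorted(classify_scan(EXHIBIT).items()):
        print(f"{port}/tcp {state}")
    print("connect scan visible to services on:", ports_seen_by_service(EXHIBIT, "-sT"))
```

The detection point in the second helper is the practical reason the page keeps contrasting the two scan types: a half-open scan leaves nothing in the web server's or SSH daemon's own logs, so a defender who relies only on application logging will see connect scans and miss SYN scans, whereas a firewall or IDS that counts unanswered SYNs per source catches both.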

13
MCQ · medium

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

A. A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
B. The web server is running on a non-standard port that you did not scan.
C. The server's TCP/IP stack is misconfigured and does not respond to SYN scans.
D. A web application firewall is blocking the SYN scan traffic.
Answer: A

Stateful firewalls track connection states; they may block unsolicited SYN but allow replies.

Why this answer

A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding.

The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.

Exam trap

The trap here is that candidates assume a server that responds to ICMP and serves web pages must be fully reachable on all ports, overlooking how stateful firewalls differentiate between unsolicited inbound SYN packets and responses to outbound connections.

How to eliminate wrong answers

Option B is wrong because the web page loads successfully when browsing, which confirms the server is listening on the standard port 80 (or a port your browser automatically uses). Option C is wrong because a misconfigured TCP/IP stack would also prevent the browser from loading the page, as the browser relies on the same TCP handshake. Option D is wrong because a web application firewall (WAF) operates at the application layer (HTTP/HTTPS) and would not block raw TCP SYN packets; it inspects HTTP payloads, not the initial handshake.

14
MCQ · easy

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

A. TCP SYN scan using `nmap -sS`
B. ARP scan using `nmap -PR`
C. Ping sweep using `nmap -sn`
D. UDP scan using `nmap -sU`
Answer: C

`-sn` disables port scan and sends only ICMP echo, TCP SYN to port 443, etc., minimizing traffic.

Why this answer

Option C is correct because `nmap -sn` (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default, allowing the analyst to discover live hosts without scanning every port or sending packets to every IP individually. This minimizes network traffic compared to full port scans while still efficiently identifying active devices on the 192.168.1.0/24 subnet.

Exam trap

The trap here is that candidates often confuse 'minimizing network traffic' with using a stealth scan like `-sS`, but the question specifically asks for host discovery, not port scanning, and `-sn` is the correct low-traffic option for that purpose.

How to eliminate wrong answers

Option A is wrong because TCP SYN scan (`-sS`) performs a half-open scan on all specified ports, generating significantly more packets than a simple host discovery scan, which contradicts the goal of minimizing traffic. Option B is wrong because ARP scan (`-PR`) is only effective on the local Ethernet segment and cannot discover hosts across routers or subnets, making it unsuitable for a /24 network that may span multiple Layer 2 domains. Option D is wrong because UDP scan (`-sU`) sends UDP packets to many ports, often requiring retransmissions due to packet loss, and generates excessive traffic while being slower and less reliable for host discovery.

15
MCQ · hard

You are a penetration tester assessing a client's internal network. The client has provided you with a non-administrative domain user account. The target network consists of 200 Windows workstations and 5 Windows servers (one domain controller, one file server, two application servers, and one database server). All systems are fully patched and have host-based firewalls enabled. The client wants you to identify vulnerabilities that could be exploited from the internal network. After initial reconnaissance, you discover that all servers have SMB (port 445) open only to the domain controller and the file server has SMB open to all workstations. You have gained a foothold on a workstation via a phishing attack. From this workstation, you can reach the file server on port 445. What is the most effective next step to enumerate potential vulnerabilities on the file server?

A. Attempt to connect to the file server via RDP (port 3389) using the compromised user's credentials.
B. Use PsExec to execute commands remotely on the file server using the compromised user account.
C. Run a full vulnerability scan (e.g., Nessus) against the entire subnet to identify weaknesses.
D. Enumerate SMB shares and session information using `net view \\fileserver` and `smbclient -L //fileserver`.
Answer: D

This reveals accessible shares and potential misconfigurations like null sessions.

Why this answer

Option D is correct because the client's objective is to enumerate potential vulnerabilities on the file server from the compromised workstation. Since SMB (port 445) is open between workstations and the file server, using `net view \\fileserver` and `smbclient -L //fileserver` allows you to list SMB shares, sessions, and other information without requiring administrative privileges or additional tools. This is a standard enumeration technique that reveals accessible resources, which can then be tested for misconfigurations or weak permissions.

Exam trap

The trap here is that candidates often assume a full vulnerability scan (Option C) is always the best next step, but in a stealthy penetration test with limited credentials, targeted SMB enumeration (Option D) is more effective and less likely to be detected.

How to eliminate wrong answers

Option A is wrong because RDP (port 3389) is not mentioned as open on the file server, and even if it were, connecting via RDP with a non-administrative user would not provide the necessary enumeration of SMB-based vulnerabilities. Option B is wrong because PsExec requires administrative privileges on the target system, and the compromised user is non-administrative, so the command would fail. Option C is wrong because running a full vulnerability scan (e.g., Nessus) against the entire subnet is noisy, time-consuming, and may trigger alerts; the question asks for the most effective next step after initial reconnaissance, and targeted SMB enumeration is more appropriate.

16
Multi-Select · hard

Which THREE of the following are valid methods for enumerating users on a Windows domain without prior credentials? (Select exactly 3.)

Select 3 answers
A. Requesting a DNS zone transfer to obtain a list of user account names from the SRV records.
B. Performing an SMB null session and querying the SAM database.
C. Using RID cycling to enumerate users by brute-forcing relative identifiers.
D. Performing an anonymous LDAP query to the domain controller for objectClass=user.
E. Sending Kerberos AS-REQ packets and analyzing the error codes (e.g., KDC_ERR_PREAUTH_REQUIRED vs KDC_ERR_C_PRINCIPAL_UNKNOWN).
Answers: B, C, D

SMB null sessions are a known method for enumerating users on older Windows systems.

Why this answer

Option B is correct because an SMB null session (connecting to IPC$ without credentials) can be used to query the SAM database via the SAMR protocol, allowing an attacker to enumerate local user accounts and groups on a Windows system. This technique exploits the default configuration of older Windows versions or improperly secured systems where the null session is not restricted.

Exam trap

EC-Council often tests the distinction between enumeration techniques that require no prior credentials versus those that need a starting list of usernames, causing candidates to mistakenly select Kerberos-based enumeration (Option E) as a credential-less method when it actually requires a candidate username to test.

17
Drag & Drop · medium

Drag and drop the steps to perform a buffer overflow exploit in a controlled lab environment into the correct order.


Why this order

Identify vulnerability, find offset, generate shellcode, craft exploit, execute.

18
Multi-Select · medium

Which THREE Nmap options are commonly used to evade firewall detection during a scan? (Choose three.)

Select 3 answers
A. -f (fragment packets)
B. -T0 (paranoid timing)
C. -D (decoy)
D. -sT (TCP connect scan)
E. -sV (version detection)
Answers: A, B, C

Fragmentation splits packet headers to evade simple packet filters.

Why this answer

Option A is correct because the -f flag fragments the IP packets into smaller pieces (typically 8-byte fragments) to bypass simple packet-filtering firewalls and intrusion detection systems that do not reassemble fragmented packets before applying filtering rules. This technique exploits the fact that many stateless firewalls only inspect the first fragment and allow subsequent fragments through unchecked, enabling the scan to reach the target.

Exam trap

The trap here is that candidates often mistake -sT (TCP connect scan) as a stealthy option because it is the default scan type, but it actually completes the full handshake and is highly detectable, whereas the correct evasion options focus on fragmentation, timing, and decoys.
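The weakness the explanation above describes, a filter that judges only the first fragment, has a well-known countermeasure on the defender's side: refuse TCP first fragments too short to carry the whole TCP header, and refuse fragments at offset 8 that could overwrite the flags field (RFC 1858). The following is an added example, not part of the original question set, that runs that check over a constructed packet-header log. The log format and every address and identification number in it are invented for this illustration; a real sensor would take the same fields from the IP headers it sees.

```python
# Added example (not from the original question set): a detection check for
# the fragmentation evasion behind -f, run over a constructed packet-header
# log. The log format and every address and id in it are invented for this
# example; a real sensor would read the same fields from IP headers.
import re

# One IP datagram or fragment per line. off = fragment offset in bytes,
# mf = More Fragments flag, len = IP total length. All datagrams here carry
# a 20-byte IP header with no options.
SAMPLE_LOG = """\
10.0.9.4 > 10.0.9.20 tcp id=1001 off=0 mf=0 len=60
10.0.9.4 > 10.0.9.20 tcp id=1002 off=0 mf=1 len=28
10.0.9.4 > 10.0.9.20 tcp id=1002 off=8 mf=1 len=28
10.0.9.4 > 10.0.9.20 tcp id=1002 off=16 mf=0 len=28
10.0.9.6 > 10.0.9.20 udp id=2001 off=0 mf=1 len=1500
10.0.9.6 > 10.0.9.20 udp id=2001 off=1480 mf=0 len=120
"""

IP_HEADER_LEN = 20
TCP_MIN_HEADER_LEN = 20   # ports, seq, ack, offset/flags, window, checksum, urgent

LINE_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+) (?P<proto>\w+) id=(?P<id>\d+) "
    r"off=(?P<off>\d+) mf=(?P<mf>[01]) len=(?P<len>\d+)"
)


def parse_log(text):
    """Yield one dict per fragment with the numeric fields converted."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("id", "off", "mf", "len"):
            rec[key] = int(rec[key])
        yield rec


def tiny_fragment_alerts(text):
    """Flag TCP datagrams whose transport header is split across fragments.

    RFC 1858 describes the check: a first fragment (offset 0, more fragments
    set) too short to hold a complete TCP header hides the flags from any
    filter that inspects fragments individually, and a fragment at offset 8
    can overwrite the flags field of a first fragment that did fit. Returns
    one (src, dst, id, reason) tuple per offending datagram.
    """
    alerts = []
    seen = set()
    for f in parse_log(text):
        if f["proto"] != "tcp":
            continue
        payload = f["len"] - IP_HEADER_LEN
        reason = None
        if f["off"] == 0 and f["mf"] == 1 and payload < TCP_MIN_HEADER_LEN:
            reason = "first fragment shorter than a TCP header"
        elif f["off"] == 8:
            reason = "fragment at offset 8 may overwrite TCP flags"
        key = (f["src"], f["dst"], f["id"])
        if reason and key not in seen:
            seen.add(key)
            alerts.append(key + (reason,))
    return alerts


if __name__ == "__main__":
    for src, dst, ident, reason in tiny_fragment_alerts(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst} id={ident}: {reason}")
```

The unfragmented datagram (id 1001) and the ordinary large UDP datagram split at 1480 bytes (id 2001) pass, which is the point of checking the first-fragment size rather than fragmentation itself: legitimate fragmentation keeps the whole transport header in the first piece. Most firewalls and IDS engines apply an equivalent rule, or reassemble before inspecting, which is why the page's exam trap calls this evasion effective only against simple packet filters.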

19
Multi-Select · hard

Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)

Select 2 answers
A. List of running processes
B. Captured network packets
C. User account passwords
D. Modify network interface settings
E. Routing table entries
Answers: A, E

SNMP can retrieve hrSWRunTable which lists running processes.

Why this answer

SNMP enumeration with the default 'public' community string (read-only access) allows querying MIB objects that expose system information. The 'hostResources' MIB (RFC 2790) includes the 'hrSWRunTable', which lists running processes, and the 'ipRouteTable' (RFC 1213) provides routing table entries. These are standard read-only OIDs accessible without authentication.

Exam trap

The trap here is that candidates confuse the 'public' community string with full administrative access, assuming it can modify settings or retrieve sensitive data like passwords, when in fact it only provides read-only access to non-sensitive MIB objects.
