nerdexam
EC-Council

312-50V10 · Question #15

The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110: What type of activity has been logged?

The correct answer is C. Port scan targeting 192.168.0.110. Tests the ability to interpret a log file and correctly identify repeated inbound connection attempts to multiple ports on the logging host as a port scan.

Scanning Networks

Question

The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110:

What type of activity has been logged?

Exhibit

312-50V10 question #15 exhibit

Options

  • ATeardrop attack targeting 192.168.0.110
  • BDenial of service attack targeting 192.168.0.105
  • CPort scan targeting 192.168.0.110
  • DPort scan targeting 192.168.0.105

How the community answered

(32 responses)
  • A
    16% (5)
  • B
    3% (1)
  • C
    75% (24)
  • D
    6% (2)

Why each option

Tests the ability to interpret a log file and correctly identify repeated inbound connection attempts to multiple ports on the logging host as a port scan.

ATeardrop attack targeting 192.168.0.110

A Teardrop attack sends malformed, overlapping IP fragments to cause kernel crashes and would appear in logs as fragmented packet anomalies rather than sequential port probes.

BDenial of service attack targeting 192.168.0.105

A denial of service attack targeting 192.168.0.105 would be visible as outbound flood traffic originating from 192.168.0.110, not as inbound connection attempts recorded on that host.

CPort scan targeting 192.168.0.110Correct

A port scan is characterized by log entries showing sequential or rapid connection attempts to many different ports on a single target host - in this case 192.168.0.110, the machine that generated the log. Because the log is recorded on 192.168.0.110 itself, the destination of the probed ports is that machine, confirming it is the scan target. Port scanners work this way to enumerate open services and identify potential attack vectors.

DPort scan targeting 192.168.0.105

If 192.168.0.105 were the scan target, the destination address in the log entries would be 192.168.0.105, not 192.168.0.110 where the log was captured.

Concept tested: Port scan identification from network log analysis

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection

Topics

#port scanning#log analysis#network scan detection#traffic interpretation

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice