nerdexam
EC-Council

312-50V10 · Question #198

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: What type of activity has been logged?

The correct answer is D. Port scan targeting 192.168.1.106. The log file shows sequential connection attempts across multiple ports originating from an external host directed at 192.168.1.106, which is characteristic of a port scan against that machine.

Scanning Networks

Question

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

What type of activity has been logged?

Exhibit

312-50V10 question #198 exhibit

Options

  • APort scan targeting 192.168.1.103
  • BTeardrop attack targeting 192.168.1.106
  • CDenial of service attack targeting 192.168.1.103
  • DPort scan targeting 192.168.1.106

How the community answered

(36 responses)
  • A
    3% (1)
  • B
    8% (3)
  • C
    3% (1)
  • D
    86% (31)

Why each option

The log file shows sequential connection attempts across multiple ports originating from an external host directed at 192.168.1.106, which is characteristic of a port scan against that machine.

APort scan targeting 192.168.1.103

A port scan targeting 192.168.1.103 would appear in logs on that machine, not on 192.168.1.106, and 192.168.1.103 would be the destination address.

BTeardrop attack targeting 192.168.1.106

A Teardrop attack exploits fragmented IP packets to crash a system and would show malformed fragment log entries, not sequential port connection attempts.

CDenial of service attack targeting 192.168.1.103

A denial of service attack would manifest as a flood of traffic overwhelming the target, not as the methodical port-by-port probe pattern characteristic of a scan.

DPort scan targeting 192.168.1.106Correct

A port scan is identified in logs by a single source IP making rapid, sequential connection attempts to many different ports on a single destination IP. Since the log was captured on the machine at 192.168.1.106 and shows this pattern of inbound probes, the target of the scan is 192.168.1.106 itself. This distinguishes it from an outbound scan, where 192.168.1.106 would appear as the source.

Concept tested: Port scan identification from network log analysis

Source: https://nmap.org/book/man-port-scanning-basics.html

Topics

#port scanning#log analysis#network reconnaissance#intrusion detection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice