312-50V10 · Question #600
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?
The correct answer is B. Tunneling scan over SSH. SSH tunneling encapsulates scan traffic inside encrypted SSH sessions, preventing border sensors from inspecting the packet payloads and detecting scan signatures.
Question
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?
Options
- ASpoofing an IP address
- BTunneling scan over SSH
- CTunneling over high port numbers
- DScanning using fragmented IP packets
How the community answered
(29 responses)- A3% (1)
- B72% (21)
- C7% (2)
- D17% (5)
Why each option
SSH tunneling encapsulates scan traffic inside encrypted SSH sessions, preventing border sensors from inspecting the packet payloads and detecting scan signatures.
Spoofing an IP address masks the tester's source identity but does not encrypt or alter the scan payload, leaving traffic signatures fully visible to border IDS sensors.
By establishing an SSH tunnel through a host with access to the internal network, all scan packets are wrapped in encrypted SSH traffic on port 22, which border sensors typically permit and cannot decrypt for deep-packet inspection. This hides the underlying scan signatures from IDS and border sensors entirely, making it the most efficient stealth technique. It also provides an authenticated, stable channel without requiring complex or fragile packet-level manipulation that could still be detected.
Using high port numbers may bypass simple firewall ACL rules but does not encrypt traffic, so signature-based border sensors can still inspect and alert on scan patterns within the packets.
Fragmented IP packets can evade some legacy or misconfigured firewalls, but modern border sensors and IDS systems reassemble IP fragments before inspection, meaning scan signatures remain detectable.
Concept tested: SSH tunneling for evading border sensor detection
Source: https://nmap.org/book/firewall-subversion.html
Topics
Community Discussion
No community discussion yet for this question.