nerdexam
EC-Council

312-50V10 · Question #600

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?

The correct answer is B. Tunneling scan over SSH. SSH tunneling encapsulates scan traffic inside encrypted SSH sessions, preventing border sensors from inspecting the packet payloads and detecting scan signatures.

Evading IDS, Firewalls, and Honeypots

Question

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?

Options

  • ASpoofing an IP address
  • BTunneling scan over SSH
  • CTunneling over high port numbers
  • DScanning using fragmented IP packets

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    72% (21)
  • C
    7% (2)
  • D
    17% (5)

Why each option

SSH tunneling encapsulates scan traffic inside encrypted SSH sessions, preventing border sensors from inspecting the packet payloads and detecting scan signatures.

ASpoofing an IP address

Spoofing an IP address masks the tester's source identity but does not encrypt or alter the scan payload, leaving traffic signatures fully visible to border IDS sensors.

BTunneling scan over SSHCorrect

By establishing an SSH tunnel through a host with access to the internal network, all scan packets are wrapped in encrypted SSH traffic on port 22, which border sensors typically permit and cannot decrypt for deep-packet inspection. This hides the underlying scan signatures from IDS and border sensors entirely, making it the most efficient stealth technique. It also provides an authenticated, stable channel without requiring complex or fragile packet-level manipulation that could still be detected.

CTunneling over high port numbers

Using high port numbers may bypass simple firewall ACL rules but does not encrypt traffic, so signature-based border sensors can still inspect and alert on scan patterns within the packets.

DScanning using fragmented IP packets

Fragmented IP packets can evade some legacy or misconfigured firewalls, but modern border sensors and IDS systems reassemble IP fragments before inspection, meaning scan signatures remain detectable.

Concept tested: SSH tunneling for evading border sensor detection

Source: https://nmap.org/book/firewall-subversion.html

Topics

#SSH tunneling#stealth scanning#IDS evasion#border sensor

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice