312-50V11 · Question #214
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attac
The correct answer is C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are. The attacker used a /28 prefix instead of the correct /26, so nmap scanned only 192.168.1.64-192.168.1.79, entirely missing the servers at .122, .123, and .124.
Question
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28 Why he cannot see the servers?
Options
- AHe needs to change the address to 192.168.1.0 with the same mask
- BHe needs to add the command ""ip address"" just before the IP address.
- CHe is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are
- DThe network must be down and the nmap command and IP address are ok
How the community answered
(30 responses)- A23% (7)
- B7% (2)
- C57% (17)
- D13% (4)
Why each option
The attacker used a /28 prefix instead of the correct /26, so nmap scanned only 192.168.1.64-192.168.1.79, entirely missing the servers at .122, .123, and .124.
Changing the base address to 192.168.1.0 with the same incorrect /28 mask would scan .0 to .15, a completely different subnet that also does not contain the servers at .122-.124.
There is no 'ip address' flag or prefix in nmap command syntax; this option does not exist and would cause a command error rather than extending the scan range.
A /28 mask (255.255.255.240) defines blocks of 16 addresses. Starting at 192.168.1.64, the scanned range is 192.168.1.64 to 192.168.1.79. The actual network uses a /26 mask (255.255.255.192), which covers 192.168.1.64 to 192.168.1.127 - the range that includes the servers at .122, .123, and .124. By specifying /28 instead of /26, the attacker instructed nmap to scan a range that ends at .79, so the servers were never reached.
A network being down would cause nmap to report hosts as unreachable or show no responses, but the root cause here is a misconfigured CIDR prefix that excludes the server addresses from the scan range entirely.
Concept tested: Nmap CIDR prefix subnet range calculation and scanning
Source: https://nmap.org/book/man-target-specification.html
Topics
Community Discussion
No community discussion yet for this question.