nerdexam
EC-Council

312-50V11 · Question #214

The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attac

The correct answer is C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are. The attacker used a /28 prefix instead of the correct /26, so nmap scanned only 192.168.1.64-192.168.1.79, entirely missing the servers at .122, .123, and .124.

Scanning Networks

Question

The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28 Why he cannot see the servers?

Options

  • AHe needs to change the address to 192.168.1.0 with the same mask
  • BHe needs to add the command ""ip address"" just before the IP address.
  • CHe is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are
  • DThe network must be down and the nmap command and IP address are ok

How the community answered

(30 responses)
  • A
    23% (7)
  • B
    7% (2)
  • C
    57% (17)
  • D
    13% (4)

Why each option

The attacker used a /28 prefix instead of the correct /26, so nmap scanned only 192.168.1.64-192.168.1.79, entirely missing the servers at .122, .123, and .124.

AHe needs to change the address to 192.168.1.0 with the same mask

Changing the base address to 192.168.1.0 with the same incorrect /28 mask would scan .0 to .15, a completely different subnet that also does not contain the servers at .122-.124.

BHe needs to add the command ""ip address"" just before the IP address.

There is no 'ip address' flag or prefix in nmap command syntax; this option does not exist and would cause a command error rather than extending the scan range.

CHe is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers areCorrect

A /28 mask (255.255.255.240) defines blocks of 16 addresses. Starting at 192.168.1.64, the scanned range is 192.168.1.64 to 192.168.1.79. The actual network uses a /26 mask (255.255.255.192), which covers 192.168.1.64 to 192.168.1.127 - the range that includes the servers at .122, .123, and .124. By specifying /28 instead of /26, the attacker instructed nmap to scan a range that ends at .79, so the servers were never reached.

DThe network must be down and the nmap command and IP address are ok

A network being down would cause nmap to report hosts as unreachable or show no responses, but the root cause here is a misconfigured CIDR prefix that excludes the server addresses from the scan range entirely.

Concept tested: Nmap CIDR prefix subnet range calculation and scanning

Source: https://nmap.org/book/man-target-specification.html

Topics

#nmap#CIDR subnet calculation#IP addressing#scan range

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice