nerdexam
EC-Council

312-50V11 · Question #542

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS?

The correct answer is A. Timing options to slow the speed that the port scan is conducted. NMAP timing options allow testers to slow down port scans, reducing the rate of packets sent and making the scan less likely to trigger IDS threshold-based detection rules.

Scanning Networks

Question

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS?

Options

  • ATiming options to slow the speed that the port scan is conducted
  • BFingerprinting to identify which operating systems are running on the network
  • CICMP ping sweep to determine which hosts on the network are not available
  • DTraceroute to control the path of the packets sent during the scan

How the community answered

(26 responses)
  • A
    88% (23)
  • B
    4% (1)
  • C
    8% (2)

Why each option

NMAP timing options allow testers to slow down port scans, reducing the rate of packets sent and making the scan less likely to trigger IDS threshold-based detection rules.

ATiming options to slow the speed that the port scan is conductedCorrect

NMAP's timing templates (-T0 through -T5) control scan speed; lower settings like Paranoid (-T0) or Sneaky (-T1) introduce deliberate delays between probe packets, keeping traffic volume below the thresholds that most IDS engines use to classify activity as a port scan. Slower scans spread packets over a longer time window, making the pattern statistically harder to distinguish from normal traffic. This is a well-known evasion technique explicitly designed to avoid automated detection.

BFingerprinting to identify which operating systems are running on the network

OS fingerprinting (-O) generates additional probe packets to identify operating systems, which increases traffic and raises detection risk rather than reducing it.

CICMP ping sweep to determine which hosts on the network are not available

An ICMP ping sweep is used to discover live hosts, not to evade detection - it actually produces a recognizable burst of ICMP echo requests that many IDS systems alert on.

DTraceroute to control the path of the packets sent during the scan

Traceroute maps the network path packets take but does not control the rate or stealth of the port scan itself, providing no evasion benefit against an IDS.

Concept tested: NMAP timing options for IDS evasion

Source: https://nmap.org/book/man-performance.html

Topics

#NMAP timing#IDS evasion#port scanning#stealth scanning

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice