nerdexam
EC-Council

312-50V11 · Question #600

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?

The correct answer is B. Tunneling scan over SSH. SSH tunneling encapsulates scan traffic inside an encrypted SSH session, making it appear as legitimate SSH traffic to border sensors and effectively evading detection while scanning internal targets.

Evading IDS, Firewalls, and Honeypots

Question

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?

Options

  • ASpoofing an IP address
  • BTunneling scan over SSH
  • CTunneling over high port numbers
  • DScanning using fragmented IP packets

How the community answered

(44 responses)
  • A
    5% (2)
  • B
    73% (32)
  • C
    7% (3)
  • D
    16% (7)

Why each option

SSH tunneling encapsulates scan traffic inside an encrypted SSH session, making it appear as legitimate SSH traffic to border sensors and effectively evading detection while scanning internal targets.

ASpoofing an IP address

Spoofing an IP address changes the apparent source of packets but does not hide the nature or volume of scan traffic, and responses would not be routable back to the tester, making it ineffective for a usable scan.

BTunneling scan over SSHCorrect

Tunneling a scan over SSH encapsulates the Nmap or other scan traffic within an encrypted SSH connection, which border IDS and IPS sensors typically classify as normal encrypted traffic rather than a port scan. This technique leverages an existing or established SSH session to pivot into the internal network, making it the most efficient and covert method for scanning without triggering signature-based alerts on the border sensor.

CTunneling over high port numbers

Using high port numbers may bypass some basic firewall rules but does not encrypt or disguise the traffic pattern, so a modern border sensor can still detect and alert on the scan behavior.

DScanning using fragmented IP packets

Scanning with fragmented IP packets can evade older or simpler IDS signatures, but modern border sensors reassemble fragments before inspection, making fragmentation an unreliable and inefficient evasion technique.

Concept tested: SSH tunneling for covert network scanning and IDS evasion

Source: https://nmap.org/book/firewall-subversion.html

Topics

#SSH tunneling#stealth scanning#IDS evasion#penetration testing

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice