312-50V11 · Question #600
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?
The correct answer is B. Tunneling scan over SSH. SSH tunneling encapsulates scan traffic inside an encrypted SSH session, making it appear as legitimate SSH traffic to border sensors and effectively evading detection while scanning internal targets.
Question
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?
Options
- ASpoofing an IP address
- BTunneling scan over SSH
- CTunneling over high port numbers
- DScanning using fragmented IP packets
How the community answered
(44 responses)- A5% (2)
- B73% (32)
- C7% (3)
- D16% (7)
Why each option
SSH tunneling encapsulates scan traffic inside an encrypted SSH session, making it appear as legitimate SSH traffic to border sensors and effectively evading detection while scanning internal targets.
Spoofing an IP address changes the apparent source of packets but does not hide the nature or volume of scan traffic, and responses would not be routable back to the tester, making it ineffective for a usable scan.
Tunneling a scan over SSH encapsulates the Nmap or other scan traffic within an encrypted SSH connection, which border IDS and IPS sensors typically classify as normal encrypted traffic rather than a port scan. This technique leverages an existing or established SSH session to pivot into the internal network, making it the most efficient and covert method for scanning without triggering signature-based alerts on the border sensor.
Using high port numbers may bypass some basic firewall rules but does not encrypt or disguise the traffic pattern, so a modern border sensor can still detect and alert on the scan behavior.
Scanning with fragmented IP packets can evade older or simpler IDS signatures, but modern border sensors reassemble fragments before inspection, making fragmentation an unreliable and inefficient evasion technique.
Concept tested: SSH tunneling for covert network scanning and IDS evasion
Source: https://nmap.org/book/firewall-subversion.html
Topics
Community Discussion
No community discussion yet for this question.