EC-Council

312-50V12 Question #147: Real Exam Question with Answer & Explanation

The correct answer is C: Test 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker to.

Submitted by chen.hong · Mar 4, 2026 · Reconnaissance Techniques

Question

A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo. Which test did the ethical hacker conduct and why was this specific approach adopted?

Options

  • A. Test 3: The test was executed to observe the response of the target system when a packet with
  • B. Test 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL
  • C. Test 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker to
  • D. Test 6: The hacker selected this test because a TCP packet with the ACK flag enabled sent to a

Explanation

An ethical hacker used an advanced OS fingerprinting technique by sending a crafted TCP packet, observing the target's reply containing SYN and ECN-Echo flags to determine its Explicit Congestion Notification (ECN) capability.

Common mistakes.

  • A. This choice is incomplete and does not provide sufficient information to evaluate its technical merit or relation to the observed SYN and ECN-Echo flags in the response.
  • B. A NULL scan (a TCP packet with no flags enabled) typically elicits a RST response from an open port on most operating systems, not a SYN and ECN-Echo flag combination.
  • D. An ACK scan (a TCP packet with only the ACK flag enabled) is primarily used for firewall rule mapping and typically receives an RST response from unfiltered ports, which does not match the observed SYN and ECN-Echo flags.

Concept tested. OS fingerprinting using Explicit Congestion Notification (ECN)

Reference. https://learn.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/explicit-congestion-notification

Topics

#OS fingerprinting · #TCP flags · #network scanning · #ECN-Echo