312-50V12 Question #165: Real Exam Question with Answer & Explanation
The correct answer is B: Use UDP Raw ICMP Port Unreachable Scanning with the command "-sU". This question tests knowledge of Nmap/Zenmap scanning techniques for stealthy reconnaissance, specifically identifying which method hides the scanner's IP while detecting open ports and services.
Question
During a red team assessment, a CEH is given a task to perform network scanning on the target network without revealing its IP address. They are also required to find an open port and the services available on the target machine. What scanning technique should they employ, and which command in Zenmap should they use?
Options
- A. Use SCTP INIT Scan with the command "-sY"
- B. Use UDP Raw ICMP Port Unreachable Scanning with the command "-sU"
- C. Use the ACK flag probe scanning technique with the command "-sA"
- D. Use the IDLE/IPID header scan technique with the command "-sI"
Explanation
Common mistakes.
- A. SCTP INIT Scan ('-sY') is designed specifically for SCTP protocol ports used in telecommunications networks, not for general open port and service discovery while hiding the scanner's IP address.
- C. ACK flag probe scanning ('-sA') is used solely to map firewall rulesets and determine whether ports are filtered or unfiltered, not to identify open ports or running services on a target.
- D. The IDLE/IPID scan ('-sI') is actually the most effective technique for scanning without revealing the attacker's IP by using a zombie host, but it is not the answer selected by the CEH curriculum for this specific scenario involving UDP service discovery.
Concept tested. Stealthy UDP scanning technique for service discovery
Reference. https://nmap.org/book/man-port-scanning-techniques.html