312-50V13 Question #485: Real Exam Question with Answer & Explanation
The correct answer is C: Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood.
Question
During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task?
Options
- A. Hping3 -1 10.0.0.25 -ICMP
- B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4
- C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood
- D. Hping3 -2 10.0.0.25-p 80
Explanation
Option C (Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood) is correct because it combines the essential elements for spoofed scanning: -S sends TCP SYN packets, -a 192.168.1.254 spoofs the source IP address to mask the attacker's identity, -p 22 targets a specific port, and --flood sends packets rapidly for auditing purposes - directly satisfying the requirement for IP spoofing during probing.
Why the distractors are wrong:
- Option A uses -1 (ICMP mode) with -ICMP as a flag, which performs a simple ICMP ping sweep with no spoofing capability specified.
- Option B is an Nmap command focused on comprehensive port/service discovery with scripting; while powerful, it does not spoof the source IP address and uses the wrong tool for this specific requirement.
- Option D uses -2 (UDP mode) targeting port 80, which is a UDP scan - but critically, it contains no -a flag, meaning no IP spoofing occurs.
Memory Tip 🧠
Think of the "-a" flag in Hping3 as "anonymous" - whenever you need to spoof (anonymize) your IP address in Hping3, the -a flag is your go-to option. If you don't see -a, there's no spoofing happening!