GIAC

GCIH · Question #532

GCIH Question #532: Real Exam Question with Answer & Explanation

The correct answer is C: OS fingerprinting.

Reconnaissance, Scanning, and Enumeration

Question

An attacker configured nmap with command line options that specified the destination port, destination IP address, and TCP flags to be set to SYN/FIN/PSH/URG. No other command line options were specified. He then sent the packet to an open port on a host at the destination address. Which of the following could he be trying to accomplish?

Options

  • A. TCP Window Scan
  • B. Service exploitation
  • C. OS fingerprinting
  • D. Version detection

Explanation

The RFCs do not define how systems are supposed to respond to illegal combinations of TCP flags, such as SYN/FIN/PSH/URG. Therefore, various operating systems will respond differently, and this technique could be used to identify the OS. Version/service scanning tries to determine the program number of the listening service, and does not use this illegal combination of TCP flags. The attacker is not trying to exploit the service because he did not use the Nmap Scripting Engine (NSE). A TCP Window Scan is similar to an ACK scan (in that the ACK flag is the only one set), but it looks at the size of the Window in the return packet.
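From the defender's side, a probe like the one in the question stands out in a packet capture because of its flag byte. The Python sketch below is an added example, not part of the original question: it reads the flags from raw TCP headers and labels the combinations discussed above. The rule set in `classify`, the helper names, and the sample headers are constructed assumptions.

```python
import struct

# TCP flag bits, low 6 bits of header bytes 12-13 (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(header: bytes) -> int:
    """Return the flag bits from a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    (off_flags,) = struct.unpack("!H", header[12:14])
    return off_flags & 0x3F

def classify(flags: int) -> str:
    """Label a flag combination. Illustrative rule set (an assumption)."""
    if flags & SYN and flags & FIN:
        return "illegal: SYN+FIN"          # covers SYN/FIN/PSH/URG
    if flags & SYN and flags & RST:
        return "illegal: SYN+RST"
    if flags == 0:
        return "illegal: no flags"
    if flags == FIN | PSH | URG:
        return "illegal: FIN/PSH/URG without ACK"
    if flags == ACK:
        return "ACK only"                  # also what ACK/Window scans send
    return "normal"

def build_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Build a 20-byte TCP header (data offset 5) for the samples below."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (5 << 12) | flags, window, 0, 0)

# Constructed sample headers, not captured traffic.
SAMPLES = {
    "handshake SYN": build_header(40000, 443, SYN),
    "question probe": build_header(40001, 443, SYN | FIN | PSH | URG),
    "established data": build_header(40002, 443, PSH | ACK),
    "ack-only": build_header(40003, 443, ACK),
}

def scan_samples() -> dict:
    """Classify every constructed sample header."""
    return {name: classify(tcp_flags(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18} {verdict}")
```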

Topics

#OS fingerprinting #nmap #TCP flags #Xmas scan
