GCIH · Question #532
An attacker configured nmap with command line options that specified the destination port, destination IP address, and TCP flags to be set to SYN/FIN/PSH/URG. No other command line options were specif
The correct answer is C. OS fingerprinting. The RFC's do not define how systems are supposed to respond to illegal combinations of TCP flags, such as SYN/FIN/PSH/URG. Therefore, various operating systems will respond differently, and this technique could be used to identify the OS. Version/service scanning tries to determi
Question
An attacker configured nmap with command line options that specified the destination port, destination IP address, and TCP flags to be set to SYN/FIN/PSH/URG. No other command line options were specified. He then sent the packet to an open port on a host at the destination address. Which of the following could he be trying to accomplish?
Options
- ATCP Window Scan
- BService exploitation
- COS fingerprinting
- DVersion detection
How the community answered
(41 responses)- A5% (2)
- B5% (2)
- C78% (32)
- D12% (5)
Explanation
The RFC's do not define how systems are supposed to respond to illegal combinations of TCP flags, such as SYN/FIN/PSH/URG. Therefore, various operating systems will respond differently, and this technique could be used to identify the OS. Version/service scanning tries to determine the program number of the listening service, and does not use this illegal combination of TCP flags. The attacker is not trying to exploit the service because he did not use the nmap scripting engine (NSE). A TCP Window Scan is similar to an ACK scan (in that the ACK flag is the only one set), but it looks at the size of the Window in the return packet.
Topics
Community Discussion
No community discussion yet for this question.