Exam CS0-003
Question 30

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

    Correct Answer: E

    The analyst should prioritize investigating p4wnp1_aloa.lan (192.168.86.56) since it stands out as the most suspicious device based on the scan. The hostname and MAC address indicate that it is a Raspberry Pi, a device often employed for experimentation, hacking, or pentesting activities. Furthermore, it has several open ports typically associated with network services such as SSH (22), rpcbind (111), HTTP alternative service (8000), and netbios-ssn (139), which are not typically found together on a standard corporate device. This unusual configuration suggests that this device might be involved in unauthorized or potentially malicious activity.
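One way to automate the triage the explanation above describes, as an added example that is not part of the exam or the site's explanation: a Python script that parses Nmap's normal output and scores each host on MAC vendor OUI and unusual port combinations. The scan below is a constructed sample (the real screenshot is not on this page); the Raspberry Pi OUIs are public IEEE assignments, while the Dell MAC and every hostname and port in the sample are made up.

```python
import re
# Constructed sample in Nmap's normal-output format (the exam screenshot is not on this page).
SAMPLE_SCAN = """\
Nmap scan report for wh4dc-748gy.lan (192.168.86.152)
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
MAC Address: 00:14:22:AA:BB:CC (Dell)

Nmap scan report for p4wnp1_aloa.lan (192.168.86.56)
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
8000/tcp open  http-alt
MAC Address: B8:27:EB:12:34:56 (Raspberry Pi Foundation)
"""
# OUIs publicly registered to the Raspberry Pi Foundation.
RPI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}
HOST_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+(?:\.\d+){3})\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})", re.I)

def parse_nmap(text):
    """Map ip -> {"host": name, "ports": {port: service}, "mac": "AA:BB:..."} (named hosts only)."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(2), {"host": m.group(1), "ports": {}, "mac": ""})
        elif cur and (m := PORT_RE.match(line)):
            cur["ports"][int(m.group(1))] = m.group(2)
        elif cur and (m := MAC_RE.match(line)):
            cur["mac"] = m.group(1).upper()
    return hosts

def triage(host):
    """Apply the explanation's heuristics; returns (score, reasons), higher score = look first."""
    p, reasons = host["ports"], []
    if host["mac"][:8] in RPI_OUIS:
        reasons.append("Raspberry Pi OUI on a corporate segment")
    if 111 in p and (135 in p or 139 in p):
        reasons.append("Unix rpcbind next to Windows RPC/NetBIOS ports")
    if 8000 in p and 80 not in p:
        reasons.append("http-alt (8000) open with no web server on 80")
    return len(reasons), reasons

def rank(text):
    return sorted(parse_nmap(text).values(), key=lambda h: triage(h)[0], reverse=True)

if __name__ == "__main__":
    for h in rank(SAMPLE_SCAN): print(triage(h)[0], h["host"], "; ".join(triage(h)[1]) or "nothing unusual")
```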

Discussion
cartman_sc (Option: E)

It would be this user for two reasons. One, they are using a Raspberry Pi, and two, because p4wnp1_aloa is a framework focused on red teaming on Raspberry devices, making them a suspect immediately.

deeden (Option: E)

I vote E because it's running rpcbind and http-alt in addition to the OS Raspberry Pi. Admin should take a look at A second.

chrys (Option: E)

Agree. Besides the funky name, it's suspicious that a single machine is running both Linux endpoint mapper (TCP 111) and MS RPC (TCP 135). That is just NOT natural. The others are all arguably Microsoft machines. Don't mind the SSH (TCP 22) on one of them--could be an SSH server installed on the machine--unusual, but not impossible.

dcdc1000 (Option: E)

Agree with answer E. Take a look at the MAC address -- (Raspberry Pi).

kmordalv (Option: E)

Correct. The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. https://github.com/RoganDawes/P4wnP1_aloa

PatrickH

That's an awful lot to read, digest and evaluate in a timed exam! I'm worried now :)

captaintoadyo (Option: E)

P4wnP1_aloa looks suspicious because of the open ports

dave_delete_me

Yep, these ports are all suss

Nishaw (Option: A)

A. wh4dc-748gy.lan (192.168.86.152). The analyst should look at the device with the hostname "wh4dc-748gy.lan" (192.168.86.152) first. This is because the Nmap scan report shows that this device has several open ports, including common services such as HTTP, HTTPS, and Microsoft-DS (SMB), which are often targeted by attackers. Additionally, the report indicates that there are several filtered ports on this device, which could indicate potential security measures or firewall rules in place. Investigating this device further may help identify any unauthorized or suspicious activity occurring on the network.

BAMMRM

I like your reasoning, however, there is a more obvious answer. You can see that the MAC addresses correspond to Dell or Intel. However, one of them corresponds to a Raspberry Pi, which is a very very small computer often used for small attacks and pentesting. You need to investigate that one first as it is the MOST OBVIOUS and suspicious device. The answer is E... p4wnp1_aloa.lan

crackman123 (Option: E)

I chose E because the Nmap scan shows HTTP Alt (port 8000) open while the regular HTTP port is closed.