A penetration tester is scanning a corporate lab network for potentially vulnerable services.
Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
When scanning a network for potentially vulnerable services, a TCP SYN ping scan is appropriate. It sends SYN packets to specified ports to check if they are open. The option 'nmap 192.168.1.1-5 -PS22-25,80' performs a TCP SYN ping scan to the ports 22 through 25 and port 80 over the IP address range 192.168.1.1 to 192.168.1.5. This is effective for identifying live hosts with open ports that may be potentially vulnerable. Other options like 'PU' and 'PA' are used for UDP and ACK ping, respectively, which are less relevant for identifying open TCP ports.
D is the only answer that doesn't actually RUN, so I don't see why that's the majority answer. Looking at nmap --help clearly shows: -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports. We want TCP, so -PS will do the job. So I have to say C.
what you think about the question 18?
This is right, the command for D doesn't work so it wouldn't run. C is the best option here.
The correct answer is D. nmap 192.168.1.1-5 -Ss22-25,80. This command will perform a SYN scan of ports 22 through 25 and port 80 on the IP addresses 192.168.1.1 through 192.168.1.5. This scan will return any potentially vulnerable ports that might be of interest to an attacker. The capital 'S' stands for the SYN flag, which is used to initiate a connection on a TCP port. The lowercase 's' stands for the stealth flag, which is used to hide the source IP address of the scan and make it harder to detect.
The problem with that is the stealth scan flag is -sS, not -Ss... It is not a valid flag in answer D.
The ports 22, 25 and 80 are all TCP ports. A SYN scan (-sS) would have done the job, but since it is not listed, the -PS flag would also do a TCP SYN scan.
yes C is correct
There is no -Ss switch, unless it is -sS.
https://www.examtopics.com/discussions/comptia/view/66643-exam-pt1-002-topic-1-question-42-discussion/
Looks like both according to this post. https://www.linuxquestions.org/questions/linux-newbie-8/difference-beween-nmap-ps-and-ss-4175534781/
D is incorrect for an obvious reason: running -Ss would result in an error. It would be the correct answer if it were -sS.
C. `nmap 192.168.1.1-5 -PS22-25,80`

Explanation:

- The `-PS` option performs a TCP SYN ping scan, which sends SYN packets to the specified ports (22-25,80) on the target hosts (192.168.1.1-5) to check if those ports are open.
- While this does not perform a full vulnerability scan, it is useful for identifying live hosts with open ports, which can be the first step in identifying potentially vulnerable services.

The other options (`-PU` for UDP ping and `-PA` for ACK ping) are less likely to be useful for identifying open ports and potentially vulnerable services in this context. The -sS option (note the correct lowercase -sS instead of -Ss) is a SYN scan, which is the most effective and common way to scan for open ports. This type of scan sends SYN packets to the specified ports and determines if they are open based on the responses, making it useful for identifying potentially vulnerable services.
The correct answer to the question is option B: nmap 192.168.1.1-5 "PA22-25,80". The "PA" option specifies a port scan and identifies services based on their response to specific probes. This scan will return open ports 22-25 and 80, and attempt to identify potential vulnerabilities in those services.
C is correct. Ss is invalid syntax. But if it were sS, then the answer would be D for sure.
The -Ss scan will provide information about open ports, which is essential for assessing potential risks.
C is definitely the correct answer
Nmap is a widely used tool for network discovery and security auditing. Different options can be used to perform various types of scans. In the given context, you would likely want to use a stealthy SYN scan to identify open ports that might be running vulnerable services. The SYN scan is a popular method that's useful in port scanning as it doesn't complete the TCP handshake and is therefore considered "stealthier." The correct option for performing a SYN scan over the specified range of IPs and ports would be: D. `nmap 192.168.1.1-5 -sS 22-25,80` Note the correct flag for a SYN scan is `-sS`, not `-Ss`. Therefore, it appears there may be a typographical error in the options provided, and based on the context, option D should be the correct choice if corrected to `-sS`.
The -sS option tells the nmap command to perform a TCP SYN scan, which is a stealthy way to scan a network. The 22-25,80 option tells the nmap command to scan the specified ports, which are commonly used by vulnerable services. Option C, nmap 192.168.1.1-5 -PS22-25,80, will return all open ports that are listening for proxy services, which are not typically vulnerable.
C is correct answer
D is correct
The only issue I have is that it is written as -Ss instead of -sS.
I think it's a typo.
C is correct
This has to be a typo. All -P* options are host discovery scans. This will not identify vulnerable ports.
They do a host discovery first and then they scan the ports, so sS and PS are essentially the same thing and they both send TCP SYN packets, except PS does a host discovery beforehand.
PS/PA/PU are host discovery scans, SS is a Scan Technique. https://nmap.org/book/man-briefoptions.html
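The whole disagreement in this thread comes down to how nmap's option grammar is read: `-P*` letters select host discovery probes (with an optional attached port list), `-s*` letters select a scan technique (ports for that phase come from `-p`), and `-Ss` matches neither. The following is an added example, not nmap's own parser and not code from the discussion: a small Python classifier that encodes just that grammar as documented in the nmap man page cited above, expands the port list, and reports which phase each option affects or rejects the command line. The option tables, the `classify` and `parse_portlist` function names and the sample command lines are assumptions made here for illustration.

```python
"""Toy classifier for the nmap option forms debated in the thread.

Added example, not nmap's own option parser. It encodes the grammar the
thread quotes from the man page: -PS/-PA/-PU/-PY[portlist] are host
discovery probes, -sS/-sT/-sA/-sU/... are scan techniques, and -p selects
the ports for the port-scan phase. Anything outside that grammar (for
example '-Ss') is rejected, which mirrors the objection to answer D.
"""
import re

# Host discovery probe letters from "-PS/PA/PU/PY[portlist]" in nmap --help.
DISCOVERY_PROBES = {
    "S": "TCP SYN ping",
    "A": "TCP ACK ping",
    "U": "UDP ping",
    "Y": "SCTP INIT ping",
}

# Scan technique letters (subset of the man page's -sS/sT/sA/sU/... list).
SCAN_TECHNIQUES = {
    "S": "TCP SYN scan",
    "T": "TCP connect scan",
    "A": "TCP ACK scan",
    "U": "UDP scan",
    "n": "no port scan (host discovery only)",
}

PORTLIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def parse_portlist(spec):
    """Expand a port list such as '22-25,80' into a sorted list of ints."""
    if not PORTLIST_RE.match(spec):
        raise ValueError(f"invalid port list: {spec!r}")
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo > hi or hi > 65535:
                raise ValueError(f"invalid range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if p > 65535:
                raise ValueError(f"invalid port: {part}")
            ports.add(p)
    return sorted(ports)


def classify(cmdline):
    """Describe which nmap phase each option on the command line affects.

    Returns a dict with the targets, the host discovery probes (name and
    attached port list, or None for the probe's default port), the scan
    techniques requested, and the -p port list. An empty 'scans' list means
    nmap would fall back to its default port scan after host discovery.
    """
    tokens = cmdline.split()
    if not tokens or tokens[0] != "nmap":
        raise ValueError("expected a command line starting with 'nmap'")
    result = {"targets": [], "discovery": [], "scans": [], "ports": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-Pn":
            result["discovery"].append(("skip host discovery", None))
        elif tok.startswith("-P") and len(tok) > 2:
            probe, rest = tok[2], tok[3:]
            if probe not in DISCOVERY_PROBES:
                raise ValueError(f"unknown host discovery probe: {tok}")
            ports = parse_portlist(rest) if rest else None
            result["discovery"].append((DISCOVERY_PROBES[probe], ports))
        elif tok.startswith("-s") and len(tok) == 3:
            if tok[2] not in SCAN_TECHNIQUES:
                raise ValueError(f"unknown scan technique: {tok}")
            result["scans"].append(SCAN_TECHNIQUES[tok[2]])
        elif tok.startswith("-s"):
            # '-sS22-25,80' style: scan techniques take no attached port list.
            raise ValueError(f"scan technique takes no port list, use -p: {tok}")
        elif tok == "-p":
            i += 1
            if i >= len(tokens):
                raise ValueError("-p requires a port list")
            result["ports"] = parse_portlist(tokens[i])
        elif tok.startswith("-p"):
            result["ports"] = parse_portlist(tok[2:])
        elif tok.startswith("-"):
            # Uppercase '-S' is not the scan-type switch, so '-Ss...' lands here.
            raise ValueError(f"unrecognized option: {tok}")
        else:
            result["targets"].append(tok)
        i += 1
    return result


if __name__ == "__main__":
    # Constructed sample command lines matching the options in the thread.
    for cmd in ("nmap 192.168.1.1-5 -PS22-25,80",
                "nmap 192.168.1.1-5 -sS -p 22-25,80",
                "nmap 192.168.1.1-5 -Ss22-25,80"):
        try:
            print(cmd, "->", classify(cmd))
        except ValueError as err:
            print(cmd, "-> rejected:", err)
```

Run stand-alone it prints one line per sample command: answer C is parsed as a TCP SYN ping to ports 22-25 and 80 during host discovery (with nmap's default port scan to follow, since no `-s*` technique is given), the corrected `-sS -p 22-25,80` form is parsed as a SYN scan of those ports, and `-Ss22-25,80` is rejected as an unrecognized option. That is the distinction the later comments draw between `-P*` host discovery and `-s*` scan techniques, made concrete.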