Exam PT0-002
Question 293

During a vulnerability scan, a penetration tester enters the following Nmap command against all of the non-Windows clients:

nmap -sX -T4 -p 21-25,67,80,139,8080 192.168.11.191

The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

    Correct Answer: A

    The penetration tester used the -sX option in the Nmap command, which specifies a Xmas scan. A Xmas scan sends packets with the FIN, PSH, and URG flags set, and the target's response to this scan determines the state of its ports. Receiving an RST (reset) packet for all targeted ports suggests that these ports are closed. This is because, in a Xmas scan, if a port is closed, the target responds with an RST packet. Therefore, the information most likely indicates that all of the ports in the target range are closed.
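
The interpretation above, as an added example that is not part of the original page: Python that reads raw TCP headers from a capture, recognizes Xmas probes (FIN+PSH+URG), and marks a port closed when an RST comes back. The capture, the scanner address 192.168.11.50, the source port 40000 and all function names are constructed for illustration; a probed port with no reply is reported as open|filtered, the label Nmap uses for that case.

```python
import struct

FIN, RST, PSH, ACK, URG = 0x01, 0x04, 0x08, 0x10, 0x20  # TCP flag bits
XMAS = FIN | PSH | URG                                   # what -sX sends

def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header; seq/ack/checksum zeroed (constructed data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse_flags(hdr):
    """Return (source port, destination port, flag bits) from a raw TCP header."""
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", hdr[:14])
    return sport, dport, flags & 0x3F

def analyze(capture):
    """capture: (src_ip, dst_ip, raw_tcp_header) tuples in arrival order.
    Returns {(scanner_ip, target_ip, port): state} for every Xmas probe seen."""
    states = {}
    for src, dst, hdr in capture:
        sport, dport, flags = parse_flags(hdr)
        if flags == XMAS:
            # Probe seen; stays open|filtered unless the target answers.
            states.setdefault((src, dst, dport), "open|filtered")
        elif flags & RST and (dst, src, sport) in states:
            states[(dst, src, sport)] = "closed"   # RST reply = closed port
    return states

SCANNER = "192.168.11.50"    # constructed address, not from the page
TARGET = "192.168.11.191"    # target from the question
PORTS = [21, 22, 23, 24, 25, 67, 80, 139, 8080]

def sample_capture(silent_ports=()):
    """Constructed capture: one probe per port, RST/ACK reply unless silent."""
    capture = []
    for port in PORTS:
        capture.append((SCANNER, TARGET, tcp_header(40000, port, XMAS)))
        if port not in silent_ports:
            capture.append((TARGET, SCANNER, tcp_header(port, 40000, RST | ACK)))
    return capture

if __name__ == "__main__":
    for (_, _, port), state in sorted(analyze(sample_capture()).items()):
        print(f"{port}/tcp {state}")
```

Passing `silent_ports=(80,)` to `sample_capture` shows the contrasting case: the port that sends no RST is left as open|filtered rather than closed.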

Discussion
Etc_Shadow28000
Option: A

The -sX option specifies a Xmas scan, which sends packets with the FIN, PSH, and URG flags set. The target’s response to such a scan provides information about the state of the ports. When the penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST (reset) packet for all of the targeted ports, this most likely indicates:

A. All of the ports in the target range are closed.

Explanation:

B. The response received (RST packets) is definitive and indicates the state of the ports, so additional time would not change these results.

C. The ports listed (21-25, 67, 80, 139, 8080) are primarily TCP ports (except for port 67 which is typically used for DHCP, a UDP service). However, the response being an RST indicates the scan was conducted over TCP.

D. If the ports were open, the target would not send RST packets in response to a Xmas scan. Typically, open ports would simply ignore the Xmas scan packet (no response).

aee9303
Option: A

There are a few circumstances in which a TCP packet might not be expected; the two most common are:

- The packet is an initial SYN packet trying to establish a connection to a server port on which no process is listening.
- The packet arrives on a TCP connection that was previously established, but the local application already closed its socket or exited and the OS closed the socket.

Other circumstances are possible, but are unlikely outside of malicious behavior such as attempts to hijack a TCP connection.

Big_Dre
Option: A

All targeted ports are closed.