Chapter 10 Quiz: Scanning and Enumeration
Test your understanding of port scanning, service enumeration, OS fingerprinting, and vulnerability scanning concepts. Select the best answer for each question.
Question 1. What is the primary difference between a TCP Connect scan (-sT) and a SYN scan (-sS)?
A) Connect scans are faster because they use fewer packets B) SYN scans complete the full three-way handshake; Connect scans do not C) Connect scans complete the full three-way handshake; SYN scans send RST after receiving SYN-ACK D) There is no practical difference between the two scan types
Question 2. A TCP SYN scan gets no response from a target port, even after retransmission, and no ICMP unreachable message is received. What is the most likely port state?
A) Open B) Closed C) Filtered D) It is impossible to determine without additional probes
Question 3. Why is UDP scanning significantly slower than TCP scanning?
A) UDP packets are larger and take longer to transmit B) Operating systems rate-limit ICMP port unreachable responses C) UDP services always require authentication before responding D) Nmap's UDP scanning engine is less optimized than its TCP engine
Question 4. Which Nmap timing template would be most appropriate for scanning a network with fragile legacy medical devices?
A) -T5 (Insane) B) -T4 (Aggressive) C) -T3 (Normal) D) -T2 (Polite) or lower
Question 5. What type of scan does Nmap's -sA flag perform, and what information does it provide?
A) An aggressive scan that identifies all open ports and services B) An ACK scan that maps firewall rulesets by identifying filtered vs. unfiltered ports C) An application-layer scan that tests for web vulnerabilities D) An authentication scan that attempts default credentials
Question 6. Which Nmap option would you use to scan ALL 65,535 TCP ports on a target?
A) nmap --all-ports target
B) nmap -p 1-65535 target
C) nmap -p- target
D) Both B and C are correct
Question 7. You run nmap -sV --version-all -p 8080 target and receive: 8080/tcp open http-proxy Squid http proxy 4.13. Which database would you search to determine whether this version has known vulnerabilities?
A) Common Vulnerability Scoring System (CVSS) B) Common Weakness Enumeration (CWE) C) National Vulnerability Database (NVD) / Common Vulnerabilities and Exposures (CVE) D) Open Web Application Security Project (OWASP)
Question 8. During an SMB enumeration using enum4linux, you discover that null sessions are enabled and can retrieve a full user list. Why is this a significant security finding?
A) Null sessions allow remote code execution on the target B) The user list can be used for password spraying and brute-force attacks C) Null sessions indicate the system is running an unpatched version of Windows D) Enumerated usernames automatically reveal their passwords
Question 9. What is the default SNMP community string that is most commonly found on misconfigured network devices?
A) admin B) private C) public D) community
Question 10. Which tool is specifically designed for high-speed port scanning and can scan the entire IPv4 address space in approximately six minutes?
A) Nmap with -T5 timing B) Masscan C) RustScan D) Zmap
Question 11. What is the key advantage of credentialed (authenticated) vulnerability scanning over unauthenticated scanning?
A) Credentialed scans are faster because they skip network discovery B) Credentialed scans can identify local vulnerabilities, missing patches, and misconfigurations not visible from the network C) Credentialed scans are less likely to crash target services D) Credentialed scans do not require authorization from the target owner
Question 12. You discover an NFS export configured with no_root_squash. Why is this a security concern?
A) It prevents the NFS service from running as root B) It allows any remote user to access the share as root on the server C) It disables encryption on NFS traffic D) It enables anonymous access to all system files
Question 13. Which of the following Nmap Scripting Engine categories should you exercise the most caution with during a real engagement?
A) safe B) default C) discovery D) intrusive
Question 14. Nuclei uses what format for its vulnerability detection templates?
A) JSON B) XML C) YAML D) TOML
Question 15. During a penetration test, your Nmap scan shows a port as "open|filtered." Under what circumstance does Nmap report this state?
A) When performing a TCP Connect scan against a firewalled port B) When performing a UDP scan and receiving no response (the port could be open or filtered) C) When a SYN scan receives both SYN-ACK and RST packets D) When the Nmap Scripting Engine produces contradictory results
Question 16. What is the primary purpose of performing an Nmap ACK scan (-sA) during a penetration test?
A) To identify open ports on the target B) To detect service versions running on open ports C) To map firewall rules and determine which ports are filtered vs. unfiltered D) To perform OS fingerprinting
Question 17. You are conducting a web enumeration and discover that gobuster found the path /admin returning HTTP 200, while nikto flagged the same path as containing default credentials. What should you do next?
A) Immediately attempt to log in with default credentials B) Report the finding and move on to the next target C) Verify the finding manually by navigating to the page and checking if default credentials work, within the authorized scope D) Run a vulnerability scanner against the admin page
Question 18. Which of the following best describes the difference between Nessus and Nuclei?
A) Nessus is open source; Nuclei is commercial B) Nessus excels at enterprise-grade authenticated scanning and compliance; Nuclei excels at fast, template-based web and cloud vulnerability detection C) Nuclei can perform credentialed patch audits; Nessus cannot D) They are functionally identical tools from different vendors
Answer Key
1. C — A TCP Connect scan (-sT) uses the operating system's connect() call and completes the full three-way handshake (SYN, SYN-ACK, ACK), so the target application accepts a connection and may log it. A SYN scan (-sS) sends a SYN, reads the state from the SYN-ACK or RST that comes back, and answers a SYN-ACK with a RST so the handshake never completes; it needs raw-socket (root) privileges, which is why Nmap falls back to -sT for unprivileged users.
2. C — Silence after Nmap's retransmissions, with no ICMP unreachable, means something between you and the service is dropping the probes; for a TCP SYN or Connect scan Nmap reports the port as filtered. The same silence on a UDP scan is reported as open|filtered, because an open UDP service is allowed to ignore a datagram it does not understand.
3. B — Closed UDP ports answer with ICMP port unreachable, and kernels rate-limit those messages (Linux to about one per second). Nmap must wait for each reply or its timeout before it can call a port closed, so a full 65,536-port UDP scan at that rate takes more than 18 hours. In practice you scan a short list of common UDP ports (--top-ports) and add version detection (-sV) to resolve open|filtered results.
4. D — Fragile medical devices may crash or hang under aggressive scanning. -T2 (Polite) or even -T1 (Sneaky) slows the probe rate; on the most sensitive networks pair it with --max-rate, a narrow port list, and an agreed maintenance window.
5. B — The ACK scan never determines open versus closed. It sends bare ACK packets: a RST means the port is unfiltered (reachable), while silence or an ICMP unreachable error means filtered. That distinction is exactly what you need to map a stateful firewall's ruleset.
6. D — Both -p 1-65535 and -p- scan all 65,535 TCP ports; -p- is the shorthand. Note that neither includes port 0, which must be asked for explicitly (-p0-).
7. C — The NVD (nvd.nist.gov) and the CVE program (cve.org, formerly cve.mitre.org) index known vulnerabilities by product and version, and NVD lets you search by CPE. CVSS is a severity scoring system, CWE is a taxonomy of weakness types, and OWASP publishes guidance; none of them is a vulnerability database.
8. B — A user list from a null session feeds password spraying, where a few common passwords are tried against every known account, and enum4linux's password-policy output tells you how many guesses per account stay below the lockout threshold. Null sessions do not give code execution or reveal passwords; their significance is the enumeration they allow.
9. C — public is the near-universal default read-only community string, and private is the usual default read-write string, which is far worse because SNMP SET can reconfigure the device. In SNMPv1 and v2c both travel in cleartext.
10. B — Masscan uses its own userland TCP/IP stack and transmits asynchronously, so its rate is bounded by the network card rather than by kernel socket handling; at millions of packets per second it covers the IPv4 space in roughly six minutes. Zmap is in the same class, but its headline figure is 45 minutes for the IPv4 space on a 1 Gbps link.
11. B — Credentialed scans log in (SSH, SMB/WMI, or an agent) and inspect installed packages, patch levels, local configuration, and services bound to localhost that no network probe reaches, so they find far more than an unauthenticated scan and with fewer false positives. They still need the target owner's authorization, plus credentials, so D is wrong.
12. B — no_root_squash means a client's root user keeps uid 0 on the server. By default NFS squashes remote root to the anonymous user (nobody or nfsnobody) through root_squash; with that disabled, anyone who is root on a client the export permits can read and write any file on the share as root, and with a wildcard host list such as * that is any host that can reach the NFS port. showmount -e target lists the exports and their host lists; whether root is squashed you learn by mounting the share and testing as root.
13. D — Scripts in the intrusive category may crash services, consume significant resources, or look like attacks to the target's administrators, which is why Nmap leaves them out of the default set. The separate dos and exploit categories (not offered here) deserve the same care. Run them only with explicit authorization and awareness of the impact.
14. C — Nuclei templates are YAML files, which keeps them human-readable, diffable, and easy to customize.
15. B — open|filtered is the state Nmap reports for scan types in which an open port is permitted to stay silent: the UDP scan, and also the FIN, NULL, Xmas, and IP-protocol scans. No response means the port could be open (the service discarded the probe) or filtered (a firewall dropped it). For UDP, version detection (-sV) resolves many of these.
16. C — As in question 5: ACK scans cannot tell open from closed. Their purpose is firewall mapping, determining which ports a stateful firewall filters and which are unfiltered (reachable).
17. C — Manual verification is essential, because automated tools produce false positives and a 200 on /admin says nothing about the credentials. Confirm the finding within your authorized scope, document the evidence, and report it with an appropriate severity.
18. B — Nessus is a commercial enterprise scanner whose strength is authenticated scanning and compliance auditing (200,000+ plugins). Nuclei is an open-source, template-based scanner that is fast for web, API, and cloud targets (8,000+ community templates).
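The port-state rules behind answers 1, 2, 5, 15 and 16, collected in one place. This is an added example written for this quiz, not Nmap's code: the response labels (SYN_ACK, RST, ICMP3_3 and so on) are an assumed simplification of what Nmap sees on the wire, and classify() encodes the rules from the Nmap Reference Guide for the Connect, SYN, ACK, FIN/NULL/Xmas and UDP scans.

```python
"""Nmap's port-state model: what each scan type concludes from a response.

Added example for this quiz; it is not Nmap code. The response labels are an
assumed simplification of what Nmap sees on the wire, and the decision rules
follow the scan-technique descriptions in the Nmap Reference Guide.
"""

# Constructed labels for what a single probe got back.
SYN_ACK = "SYN_ACK"              # TCP SYN/ACK
RST = "RST"                      # TCP RST
UDP_REPLY = "UDP_REPLY"          # any UDP datagram from the probed port
ICMP_PORT_UNREACH = "ICMP3_3"    # ICMP type 3 code 3 (port unreachable)
ICMP_OTHER_UNREACH = "ICMP3_X"   # ICMP type 3 codes 0, 1, 2, 9, 10, 13
NONE = "NONE"                    # silence, even after Nmap's retransmissions

HANDSHAKE_SCANS = {"-sT", "-sS"}        # Connect, SYN
STEALTH_SCANS = {"-sF", "-sN", "-sX"}   # FIN, NULL, Xmas
ICMP_ERRORS = {ICMP_PORT_UNREACH, ICMP_OTHER_UNREACH}


def classify(scan, response):
    """Return the Nmap state for one port probed with `scan` that produced `response`."""
    if scan in HANDSHAKE_SCANS:
        if response == SYN_ACK:
            return "open"
        if response == RST:
            return "closed"
        if response == NONE or response in ICMP_ERRORS:
            return "filtered"
    elif scan == "-sA":
        # ACK probes never learn open vs closed: a RST only shows the port is reachable.
        if response == RST:
            return "unfiltered"
        if response == NONE or response in ICMP_ERRORS:
            return "filtered"
    elif scan in STEALTH_SCANS:
        # RFC 793: a closed port answers a stray FIN/NULL/Xmas with RST, an open
        # port stays silent, so silence is ambiguous.
        if response == RST:
            return "closed"
        if response == NONE:
            return "open|filtered"
        if response in ICMP_ERRORS:
            return "filtered"
    elif scan == "-sU":
        if response == UDP_REPLY:
            return "open"
        if response == ICMP_PORT_UNREACH:
            return "closed"
        if response == ICMP_OTHER_UNREACH:
            return "filtered"
        if response == NONE:
            return "open|filtered"      # open service ignored us, or a firewall dropped it
    raise ValueError(f"{response} is not a possible answer to a {scan} probe")


def scanner_follow_up(scan, response):
    """What the scanner sends after a SYN/ACK: the -sT versus -sS difference from question 1."""
    if response != SYN_ACK:
        return None
    if scan == "-sT":
        return "ACK"    # connect() completes the handshake; the target application sees a connection
    if scan == "-sS":
        return "RST"    # Nmap tears down the half-open connection; the application never sees it
    return None


def scan_report(scan, observations):
    """Classify a whole {port: response} map and count the ambiguous results."""
    states = {port: classify(scan, resp) for port, resp in observations.items()}
    ambiguous = sum(1 for s in states.values() if s == "open|filtered")
    return states, ambiguous


if __name__ == "__main__":
    # Constructed observations: the same three ports probed by three scan types.
    tcp = {22: SYN_ACK, 23: RST, 445: NONE}
    udp = {53: UDP_REPLY, 69: ICMP_PORT_UNREACH, 161: NONE}
    for scan, obs in (("-sS", tcp), ("-sA", {22: RST, 23: RST, 445: NONE}), ("-sU", udp)):
        states, ambiguous = scan_report(scan, obs)
        print(scan, states, f"({ambiguous} open|filtered)")
```

Run it directly to see the same three ports classified by a SYN, an ACK and a UDP scan: the ACK scan reports 22 and 23 identically even though one is open and one is closed, and UDP silence on 161 comes out as open|filtered rather than filtered.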
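Answer 9 calls the community string a cleartext password. This added example, written for this quiz and not taken from any SNMP library, shows exactly where it sits: a hand-written minimal BER encoder builds an SNMPv1/v2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, which is real), and community_of() reads the version and community back out of a raw UDP payload the way a passive detector would. The SNMPv3 sample is a constructed header only, enough to show that v3 has no community field.

```python
"""Build and inspect SNMP v1/v2c datagrams to show where the community string sits.

Added example for this quiz; not from an SNMP library. The BER encoder and
decoder are hand-written and cover only what an SNMP GET needs. The OID and
the default strings "public"/"private" are real; the datagrams are constructed.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Universal BER tags plus the SNMP GetRequest context tag.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def ber_length(n):
    """Definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(n):
    """Minimal two's-complement INTEGER; SNMP header fields here are all non-negative."""
    if n < 0:
        raise ValueError("negative integers not needed for SNMP GET")
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def snmp_get(community, oid="1.3.6.1.2.1.1.1.0", request_id=1, version=0):
    """GetRequest as sent to UDP/161. version 0 is SNMPv1, 1 is SNMPv2c;
    both carry the community string as a plain OCTET STRING."""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def community_of(datagram):
    """Return (snmp_version, community) from a raw UDP/161 payload.
    SNMPv3 (version 3) carries no community at all, so it yields None."""
    tag, msg, _ = read_tlv(datagram)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg)
    if tag != INTEGER:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return version, None
    tag, community, _ = read_tlv(msg, pos)
    if tag != OCTET_STRING:
        raise ValueError("missing community")
    return version, community.decode("latin-1")


def audit(datagram):
    """Detection-side view: name the version and flag default community strings."""
    version, community = community_of(datagram)
    if community is None:
        return "snmpv3: no community string on the wire"
    name = {0: "v1", 1: "v2c"}.get(version, f"v{version}")
    if community in DEFAULT_COMMUNITIES:
        return f"{name}: DEFAULT community {community!r}"
    return f"{name}: non-default community in cleartext"


# Constructed SNMPv3 message: version 3 plus msgGlobalData (msgID, msgMaxSize,
# msgFlags, msgSecurityModel=3 for USM); the rest of a real v3 message is omitted.
SNMPV3_SAMPLE = tlv(SEQUENCE, ber_int(3) + tlv(SEQUENCE,
                    ber_int(100) + ber_int(65507) + tlv(OCTET_STRING, b"\x04") + ber_int(3)))

if __name__ == "__main__":
    for pkt in (snmp_get("public"), snmp_get("private", version=1), SNMPV3_SAMPLE):
        print(pkt.hex(), "->", audit(pkt))
```

snmp_get() returns the bytes you would send to UDP/161, and audit() is what you would run over captured SNMP traffic to flag default strings; the equivalent live check during an authorized test is snmpwalk -v 2c -c public target.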
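The export-option check behind answer 12, as an added example written for this quiz (not nfs-utils code). It parses exports(5) syntax, applies the defaults (ro, root_squash, secure) and flags no_root_squash, world-readable or world-writable exports, and the insecure option. SAMPLE_EXPORTS is constructed; its third line is the hardened form of the first two, and its last line shows the classic exports(5) mistake of a space before the options.

```python
"""Audit /etc/exports for no_root_squash and over-broad host lists.

Added example for this quiz; not from nfs-utils. The syntax parsed is the
real exports(5) one: a path followed by host(options) entries, with defaults
ro, root_squash and secure. The sample file below is constructed.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample: the first two exports contain findings, the third is the hardened form
/srv/backup   *(rw,no_root_squash)
/srv/www      10.0.0.0/24(rw,no_root_squash,insecure) 10.0.1.5(ro)
/srv/home     10.0.0.0/24(rw,root_squash,sync)
/srv/public   (ro)
"""

# host part, then an optional (opt,opt) group. A bare "(ro)" has an empty host,
# which exports(5) treats as every host: the well-known "space before the
# parenthesis" mistake.
ENTRY = re.compile(r"^(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) for every host entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            if not m:
                raise ValueError(f"unparseable export entry: {entry!r}")
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            yield path, m.group("host"), opts


def audit_exports(text):
    """Return (severity, path, message) findings; an empty list means nothing flagged."""
    findings = []
    for path, host, opts in parse_exports(text):
        world = host in ("", "*")
        where = "everyone" if world else host
        rw = "rw" in opts                          # default is ro
        root_squash = "no_root_squash" not in opts  # default is root_squash
        if not root_squash:
            sev = "high" if world else "medium"
            findings.append((sev, path, f"no_root_squash for {where}: client root is root on the server"))
        if world and rw:
            findings.append(("high", path, "writable by any host"))
        elif world:
            findings.append(("medium", path, "readable by any host"))
        if "insecure" in opts:                      # default is secure (client port < 1024)
            findings.append(("low", path, f"insecure for {where}: requests from unprivileged client ports accepted"))
    return findings


if __name__ == "__main__":
    for sev, path, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{sev:6} {path:12} {msg}")
```

On a server you can run this over /etc/exports directly; from the client side showmount -e gives you the paths and host lists but not the options, so the no_root_squash test is to mount the share and check whether root can create a root-owned file.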