PrepAway - Latest Free Exam Questions & Answers

Which one of the following statements is probably true?

You are having problems while retrieving results after performing port scanning during internal
testing. You verify that there are no security devices between you and the target system. When
both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP.
The first few systems scanned show all ports open.
Which one of the following statements is probably true?

A. The systems have all ports open.

B. The systems are running a host based IDS.

C. The systems are web servers.

D. The systems are running Windows.

Explanation:
The null scan turns off all flags, creating a packet with no TCP flags, which should never occur
in the real world. If the port is closed, a RST frame should be returned, and a null scan to an open
port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the
standard and do things their own way. Thus this scan type will not work against systems running
Windows, as they choose not to respond at all. This is a good way to distinguish that the system
being scanned is running Microsoft Windows.
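
Because a segment with no TCP flags should never occur in normal traffic, as the explanation notes, it makes a simple detection signal. The following added example (not part of the original page) parses IPv4/TCP headers and reports sources that send flagless segments to several ports; the addresses, the `min_ports` threshold and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def tcp_flags(ip_packet: bytes):
    """Return (src_ip, dst_port, flags) for an IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None                       # not IPv4 or not TCP (protocol 6)
    ihl = (ip_packet[0] & 0x0F) * 4       # IP header length in bytes
    if ihl < 20 or len(ip_packet) < ihl + 14:
        return None                       # truncated before the TCP flags byte
    src = ".".join(str(b) for b in ip_packet[12:16])
    dst_port = struct.unpack("!H", ip_packet[ihl + 2:ihl + 4])[0]
    flags = ip_packet[ihl + 13] & 0x3F    # URG ACK PSH RST SYN FIN
    return src, dst_port, flags

def null_scan_sources(packets, min_ports=3):
    """Map each source that sent flagless segments to >= min_ports ports."""
    ports = defaultdict(set)
    for pkt in packets:
        parsed = tcp_flags(pkt)
        if parsed and parsed[2] == 0:     # no flags set: the NULL scan probe
            ports[parsed[0]].add(parsed[1])
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP header pair (constructed test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      1024, 0, 0)
    return ip + tcp

# Constructed sample: one host probing three ports with no flags,
# another host sending an ordinary SYN and ACK.
SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.9", 40000, 22, 0x00),
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, 0x00),
    build_packet("10.0.0.5", "10.0.0.9", 40000, 443, 0x00),
    build_packet("10.0.0.7", "10.0.0.9", 51000, 80, 0x02),   # SYN
    build_packet("10.0.0.7", "10.0.0.9", 51000, 80, 0x10),   # ACK
]

if __name__ == "__main__":
    for src, ports in null_scan_sources(SAMPLE).items():
        print(f"possible NULL scan from {src}: ports {ports}")
```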

2 Comments on “Which one of the following statements is probably true?”

    1. HuHai says:

      I agree with you.

      reference to “http://www.ciscopress.com/articles/article.asp?p=469623&seqNum=3”.

      When a Microsoft operating system receives a packet that has no flags set, it sends an RST packet in response, regardless of whether the port is open. With all NULL packets receiving an RST packet in response, you cannot differentiate open and closed ports.

