chapter 03

The document outlines a comprehensive guide on penetration testing (Pentest), covering various chapters that include topics such as reconnaissance, scanning, system pentesting, and web application vulnerabilities. It provides detailed methodologies and techniques for gathering network and host information, including the use of tools like Nmap and Hping3. Additionally, it includes exercises for practical application of the concepts discussed.

Uploaded by

Sonya Sayehi

SUMMARY

- Chap01: Introduction to "Pentest"
- Chap02: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
- Chap03: Gathering Network and Host Information: Scanning and Enumeration
- Chap04: System Pentesting: Password Cracking, Escalating Privileges, and Hiding Files
- Chap05: Trojans, Backdoors, Viruses, and Worms
- Chap06: Gathering Data from Networks: Sniffers
- Chap07: Web Pentesting: Google, Web Servers, Web Application Vulnerabilities
- Chap08: Attacking Web Applications: SQL Injection
- Chap09: Pentesting Linux Systems
- Chap10: Pentesting Mobile Platforms (Android)


Chap
Chap Gathering Network and Host Information:
Scanning and Enumeration

OBJECTIVES COVERED IN THIS CHAPTER

01 Define the terms port scanning, network scanning, and vulnerability scanning
02 Understand the CEH scanning methodology
03 Understand ping sweep techniques
04 Understand DNS enumeration
05 Understand nmap command switches
06 Identify different types of DNS records
07 Understand war-dialing techniques
08 Understand banner grabbing and OS fingerprinting techniques
09 Understand IP spoofing techniques
10 What is enumeration?
11 What is meant by null sessions? SNMP enumeration?
12 What are the steps involved in performing enumeration?

Scanning

Scanning is the process of locating systems that are alive and responding on the network. Ethical hackers use scanning to identify target systems' IP addresses and to determine whether a system is on the network and available. Scanning tools gather information about a system such as its IP address, operating system, and the services running on the target computer.

NETWORK SCANNING
- Identifies IP addresses (live hosts) on a given network or subnet

PORT SCANNING
- Determines open ports and the services behind them
- Well-Known Ports: 0-1023
- Registered Ports: 1024-49151
- Dynamic (ephemeral) Ports: 49152-65535
- C:\Windows\System32\drivers\etc\services lists the well-known port-to-service names (/etc/services on Linux)

VULNERABILITY SCANNING
- Discovers the presence of known weaknesses on target systems
- Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then the scanner identifies weaknesses or vulnerabilities in that operating system and in the services it exposes.

Scanning Methodology

1. Check for live systems
2. Check for open ports
3. Service identification
4. OS fingerprinting / banner grabbing
5. Draw network diagrams
6. Prepare proxies
7. Attack

Ping Sweep Techniques

- Also known as Internet Control Message Protocol (ICMP) scanning, since ICMP is the protocol used by the ping command. It is the process of sending an ICMP echo request (ping) to every host on the network to determine which ones are up and responding.
- A benefit of ICMP scanning is that it can be run in parallel, meaning all systems are scanned at the same time.
- Personal firewall software and network-based firewalls can block a system from responding to ping sweeps. A host that does not answer ping may still be up, so follow a silent sweep with TCP-based discovery (nmap -Pn or -PS, see the cheat sheet).

Exercise 3.1: Using Windows ping

1. Open a command prompt in Windows.
2. Type ping www.microsoft.com
3. Type ping /? and try the other options.
4. Press Windows+R, type wf.msc, and add an inbound rule that blocks ICMPv4 Echo Request in the personal firewall; then repeat the ping from another host and observe the difference.

Scanning Ports and Identifying Services

- Port scanning is the method used to check for open ports. The process involves probing each port on a host to determine which ports are open.
- Port scanning generally yields more valuable information than a ping sweep about the host and the vulnerabilities on the system.

TCP three-way handshake: SYN -> SYN+ACK -> ACK

TCP flags
SYN  Synchronize. Initiates a connection between hosts.
ACK  Acknowledge. Confirms receipt of data; set on every segment of an established connection.
PSH  Push. System is forwarding buffered data.
URG  Urgent. Data in the packet must be processed quickly.
FIN  Finish. No more transmissions.
RST  Reset. Resets (aborts) the connection.
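The connect scan that Angry IP Scanner (Exercise 3.3) and nmap -sT perform is just the three-way handshake completed by the operating system, once per port. The following is an added example written for this chapter, not code from the slides: a small parallel connect() scanner with an nmap-style port list parser. demo() builds its own loopback listener to play an open port and uses a just-released port as the closed one, so it runs offline; the states mirror nmap's open / closed / filtered vocabulary.

```python
"""TCP connect() port scan in the style of nmap -sT (what Angry IP Scanner's
'full connect' mode does). Added example, not from the slides; demo() creates
its own loopback listener so it runs offline with no real target."""
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand an nmap-style port list such as '21-25,80,443' into sorted ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)


def connect_scan_port(host, port, timeout=0.5):
    """One port: 'open' (handshake completed), 'closed' (RST / refused), 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:               # timeout, network unreachable, ...
            return "filtered"
        return "open"                 # the OS tears the connection down on exit


def connect_scan(host, ports, timeout=0.5, workers=64):
    """Probe ports in parallel; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def demo():
    """Offline demo: a listening socket plays an open port (the kernel finishes the
    handshake even if nothing calls accept()); a port bound and released again plays
    a closed one. Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, o, c = demo()
    for port in sorted(results):
        print(f"{port}/tcp {results[port]}")
```

Because every probe completes the handshake, the target's application logs record each connection; that is why nmap prefers the half-open SYN scan when it has raw-socket privileges. A port that neither accepts nor refuses within the timeout is reported as filtered, the same verdict nmap gives when a firewall silently drops the SYN.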

NMAP

- Nmap is a free, open source tool that quickly and efficiently performs ping sweeps (host discovery), port scanning, service identification, and operating system detection.

TCP connect (full) scan, -sT
  Port open:    SYN ->  <- SYN+ACK  ACK ->  RST -> (nmap tears the completed connection down)
  Port closed:  SYN ->  <- RST

Xmas scan, -sX
  Port open:    FIN+PSH+URG ->  no response
  Port closed:  FIN+PSH+URG ->  <- RST
SYN stealth (half-open) scan, -sS
  Port open:    SYN ->  <- SYN+ACK  RST -> (handshake is never completed)
  Port closed:  SYN ->  <- RST

Null scan, -sN
  Port open:    no flags set ->  no response
  Port closed:  no flags set ->  <- RST
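The four diagrams above are one decision table: which flags the probe carries, and what (if anything) comes back. The following is an added example written for this chapter, not code from the slides or from Nmap: it decodes the flags byte of a raw TCP header, names the Nmap scan a probe belongs to, and applies Nmap's open / closed / filtered inference. build_tcp_header() constructs the test headers so the block runs offline.

```python
"""Decode TCP flags from a raw header and map an Nmap probe/response pair to a
port state. Added example for this chapter, not from the slides; the header
bytes are constructed with build_tcp_header() so it runs offline."""
import struct

# Flag bits of TCP header byte 13 (RFC 793; ECE/CWR added by RFC 3168)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
XMAS = {"FIN", "PSH", "URG"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (checksum left 0) for constructing test probes."""
    flags_byte = sum(FLAGS[f] for f in flags)
    offset_flags = (5 << 12) | flags_byte        # data offset = 5 words, reserved = 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_flags(header):
    """Set of flag names present in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return {name for name, bit in FLAGS.items() if header[13] & bit}


def probe_type(flags):
    """Which Nmap scan a probe carrying these flags belongs to."""
    if flags == {"SYN"}:
        return "SYN (-sS) / connect (-sT)"
    if flags == {"ACK"}:
        return "ACK (-sA)"
    if flags == XMAS:
        return "Xmas (-sX)"
    if flags == {"FIN"}:
        return "FIN (-sF)"
    if not flags:
        return "Null (-sN)"
    return "other"


def port_state(probe, response):
    """Nmap's inference from probe flags and the reply's flags (None = no reply).

    SYN probe:            SYN+ACK -> open, RST -> closed, silence -> filtered
    Xmas/FIN/Null probes: RST -> closed, silence -> open|filtered (RFC 793 stacks)
    ACK probe:            RST -> unfiltered, silence -> filtered
    """
    if probe == {"SYN"}:
        if response is None:
            return "filtered"
        if {"SYN", "ACK"} <= response:
            return "open"
        if "RST" in response:
            return "closed"
    elif probe in (XMAS, {"FIN"}, set()):
        if response is None:
            return "open|filtered"
        if "RST" in response:
            return "closed"
    elif probe == {"ACK"}:
        if response is None:
            return "filtered"
        if "RST" in response:
            return "unfiltered"
    return "unknown"


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, {"SYN"})
    print(probe_type(tcp_flags(syn)), port_state(tcp_flags(syn), {"SYN", "ACK"}))
    xmas = build_tcp_header(40001, 80, XMAS)
    print(probe_type(tcp_flags(xmas)), port_state(tcp_flags(xmas), None))
```

Two caveats the diagrams do not show. Silence after an Xmas, FIN or Null probe is reported as open|filtered, never as open, because a dropped packet looks identical to an open port. And Windows, Cisco IOS and several other stacks answer RST to these probes whatever the port state, so against such hosts every port appears closed; the SYN scan is the reliable baseline.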
A TCP or UDP port number is an unsigned 16-bit integer, so it can be no more than 65535 (port range 0-65535).

NMAP CHEAT SHEET (1/6)

TARGET SPECIFICATION
Switch      Example                              Description
            nmap 192.168.1.1                     Scan a single IP
            nmap 192.168.1.1 192.168.2.1         Scan specific IPs
            nmap 192.168.1.1-254                 Scan a range
            nmap scanme.nmap.org                 Scan a domain
            nmap 192.168.1.0/24                  Scan using CIDR notation
-iL         nmap -iL targets.txt                 Scan targets from a file
-iR         nmap -iR 100                         Scan 100 random hosts
--exclude   nmap --exclude 192.168.1.1           Exclude listed hosts

NMAP CHEAT SHEET (2/6)

SCAN TECHNIQUES
Switch   Example                     Description
-sS      nmap 192.168.1.1 -sS        TCP SYN port scan (default when run as root; needs raw sockets)
-sT      nmap 192.168.1.1 -sT        TCP connect port scan (default for unprivileged users)
-sU      nmap 192.168.1.1 -sU        UDP port scan
-sA      nmap 192.168.1.1 -sA        TCP ACK port scan (maps firewall rules, not open ports)
-sW      nmap 192.168.1.1 -sW        TCP Window port scan
-sM      nmap 192.168.1.1 -sM        TCP Maimon port scan

NMAP CHEAT SHEET (3/6)

HOST DISCOVERY
Switch   Example                               Description
-sL      nmap 192.168.1.1-3 -sL                No scan. List targets only
-sn      nmap 192.168.1.1/24 -sn               Disable port scanning. Host discovery only
-Pn      nmap 192.168.1.1-5 -Pn                Disable host discovery. Port scan only
-PS      nmap 192.168.1.1-5 -PS22-25,80        TCP SYN discovery on port x. Port 80 by default
-PA      nmap 192.168.1.1-5 -PA22-25,80        TCP ACK discovery on port x. Port 80 by default
-PU      nmap 192.168.1.1-5 -PU53              UDP discovery on port x. Port 40125 by default
-PR      nmap 192.168.1.1/24 -PR               ARP discovery on the local network (used automatically on a local Ethernet segment)
-n       nmap 192.168.1.1 -n                   Never do DNS resolution

NMAP CHEAT SHEET (4/6)

PORT SPECIFICATION
Switch        Example                                Description
-p            nmap 192.168.1.1 -p 21                 Port scan for port x
-p            nmap 192.168.1.1 -p 21-100             Port range
-p            nmap 192.168.1.1 -p U:53,T:21-25,80    Port scan multiple TCP and UDP ports
-p-           nmap 192.168.1.1 -p-                   Port scan all ports
-p            nmap 192.168.1.1 -p http,https         Port scan from service name
-F            nmap 192.168.1.1 -F                    Fast port scan (100 ports)
--top-ports   nmap 192.168.1.1 --top-ports 2000      Port scan the top x ports
-p-65535      nmap 192.168.1.1 -p-65535              Leaving off the initial port in a range makes the scan start at port 1
-p0-          nmap 192.168.1.1 -p0-                  Leaving off the end port in a range makes the scan go through to port 65535

NMAP CHEAT SHEET (5/6)

OS DETECTION
Switch               Example                                  Description
-O                   nmap 192.168.1.1 -O                      Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit    nmap 192.168.1.1 -O --osscan-limit       If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess    nmap 192.168.1.1 -O --osscan-guess       Makes Nmap guess more aggressively
-O --max-os-tries    nmap 192.168.1.1 -O --max-os-tries 1     Set the maximum number x of OS detection tries against a target
-A                   nmap 192.168.1.1 -A                      Enables OS detection, version detection, script scanning, and traceroute

NMAP CHEAT SHEET (6/6)

FIREWALL / IDS EVASION AND SPOOFING
Switch   Example                                                          Description
-f       nmap 192.168.1.1 -f                                              Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu    nmap 192.168.1.1 --mtu 32                                        Set your own fragment size (must be a multiple of 8)
-D       nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1   Send scans from spoofed (decoy) IPs alongside your own
-D       nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip   Above example explained: your real address is still among the sources, hidden in a crowd
-S       nmap -S www.microsoft.com www.facebook.com                       Scan Facebook from a spoofed Microsoft source (-e eth0 and -Pn may be required). Replies go to the spoofed address, not to you, so you learn nothing unless you can sniff that path
-g       nmap -g 53 192.168.1.1                                           Use the given source port number (some filters trust DNS/53 or 20)


Exercise 3.2.1: NMAP SCANNING

Prerequisites:
- Kali Linux VM
- Windows 7 VM

Host discovery using CIDR
- ifconfig
- nmap -sn 192.168.227.0/24
  - 192.168.227.1: IP address of your (host) Windows machine
  - 192.168.227.2: default gateway and DNS (check with route -n and cat /etc/resolv.conf)
  - 192.168.227.169: IP address of the Windows 7 VM
  - 192.168.227.254: DHCP server (see ipconfig /all in the Win 7 VM)
  - 192.168.227.168: IP address of Kali

Port scan (all ports)
- nmap -p- 192.168.227.169

OS detection
- nmap -O 192.168.227.169

Send scans from spoofed (decoy) IPs
- In the Windows 7 VM launch Wireshark
- nmap -D 192.168.227.100 192.168.227.169
- In Wireshark filter: ip.addr == 192.168.227.100
- Then filter on ip.addr == 192.168.227.168: the Kali address is still visible, because -D adds decoys next to the real source rather than replacing it

Exercise 3.2.2: Hping3 SCANNING

Prerequisites:
- Kali Linux VM, Windows 7 VM

Steps:

- hping3 --scan 1-3000 -S 192.168.253.129
- Launch Wireshark in the Windows 7 VM
- Spoof a source IP address and send SYNs to the Windows 7 VM with hping3 (hping3 -a <spoofed-ip> -S -p <port> <windows-7-ip>)
- Analyse the Wireshark output: the SYN+ACK / RST replies are addressed to the spoofed source, so hping3 itself reports nothing back

Exercise 3.3: Angry IP Scanner

1. Install Angry IP Scanner from \Tools\Chap 3
2. Enter the IP address of the target system in the Host or IP Address field, or enter a range of IP addresses for your lab systems, and click Start to perform a conventional (full connect) scan of the standard ports

Banner Grabbing and OS Fingerprinting Techniques

- Hackers look for the easiest way to gain access to a system or network.
- Banner grabbing is the process of opening a connection and reading the banner or response sent by the application (active fingerprinting: the target sees the connection).
- A simple but effective passive method is to inspect the initial Time To Live (TTL) in the IP header and the TCP window size (the size of the receive window) of the first packet in a TCP session, i.e. the SYN or SYN+ACK packet. The observed TTL is the initial value minus one per router hop, so round it up to the nearest common default (64, 128, 255).

Operating system                     Window size   TTL
Linux (kernel 2.4 and 2.6)           5840          64
Google's customized Linux            5720          64
FreeBSD                              65535         64
Windows XP                           65535         128
Windows 7, Vista and Server 2008     8192          128
Cisco Router (IOS 12.4)              4128          255
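Turning the table above into a lookup is the whole of the passive method. The following is an added example written for this chapter, not code from the slides: it pulls the TTL out of a raw IPv4 header and the window out of the TCP header, rounds the TTL up to its initial value (which also yields the hop count), and looks the pair up in the slide's table; when only the TTL family is recognisable it falls back to a coarser guess, which is a common generalisation and not part of the slide. The SYN/ACK in demo_packet() is constructed.

```python
"""Passive OS guess from initial TTL and TCP window size, the method the table
above describes. Added example, not from the slides: the signature table is the
slide's, the TTL-family fallback is a common generalisation, and the sample
packet in demo_packet() is constructed."""
import struct

# (initial TTL, TCP window) -> OS, transcribed from the slide
SIGNATURES = {
    (64, 5840): "Linux (kernel 2.4/2.6)",
    (64, 5720): "Google's customized Linux",
    (64, 65535): "FreeBSD",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows 7 / Vista / Server 2008",
    (255, 4128): "Cisco IOS 12.4",
}
# Fallback when only the TTL family can be recognised
TTL_FAMILY = {32: "legacy stacks such as Windows 95", 64: "Linux / BSD / macOS family",
              128: "Windows family", 255: "Cisco IOS / Solaris family"}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value; return (initial, hops)."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be 1..255")
    for init in sorted(TTL_FAMILY):
        if observed <= init:
            return init, init - observed


def guess_os(observed_ttl, window):
    """Best guess for the sender of a SYN/SYN+ACK with this TTL and window."""
    init, hops = initial_ttl(observed_ttl)
    exact = SIGNATURES.get((init, window))
    return {"initial_ttl": init, "hops": hops,
            "os": exact or TTL_FAMILY[init],
            "confidence": "ttl+window" if exact else "ttl-only"}


def fields_from_headers(ip_header, tcp_header):
    """TTL is IPv4 header byte 8; the advertised window is TCP header bytes 14-15."""
    return ip_header[8], struct.unpack("!H", tcp_header[14:16])[0]


def demo_packet():
    """Constructed SYN/ACK as seen two hops from a Windows 7 host: TTL 126, window 8192."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 126, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    tcp_hdr = struct.pack("!HHIIHHHH", 80, 50000, 1000, 2000, (5 << 12) | 0x12, 8192, 0, 0)
    return guess_os(*fields_from_headers(ip_hdr, tcp_hdr))


if __name__ == "__main__":
    print(demo_packet())
    print(guess_os(58, 5840))   # a Linux 2.6 host six hops away
```

Treat the result as a hint, not a verdict: the window values in the table come from older stacks (recent Linux kernels advertise different sizes, 29200 being common), a middlebox may rewrite TTLs, and an observed TTL of 60 could be a Linux host four hops away or a Windows host 68 hops away. Confirm with nmap -O, which also looks at options, window scaling and ICMP behaviour.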

Exercise 3.4: Identify OS using Wireshark (TTL)

Prerequisites:
- Kali Linux VM, Windows 7 VM

Steps:

- Start the Windows 7 VM
- Start the Kali Linux VM
- On Kali Linux: launch Wireshark
- Ping the Windows 7 VM from Kali
- Analyse the Wireshark output
- Select the ICMP echo reply line coming from the target's IP address; under Internet Protocol you can view the Time to live value (128, the Windows default; on the same subnet no router decrements it)
- Install Wireshark on the Windows 7 VM and ping Kali (expect TTL 64 in the Linux reply)



Exercise 3.5.1: Using the Wappalyzer plugin
Part 1: use the Wappalyzer plugin to identify the web server software (and the OS, when the server advertises it) of a target

1. Add Wappalyzer to Firefox: https://addons.mozilla.org/fr/firefox/addon/wappalyzer/
2. Open a target URL and read the information about the target

Exercise 3.5.2: Banner grabbing with Telnet
Part 2: use the telnet command to grab a banner

1. Enable the Telnet client on Windows
2. Type: telnet target.com 80
3. Type: HEAD / HTTP/1.0 and press Enter twice; the Server: header in the response is the banner (with HTTP/1.1, add a Host: target.com line before the blank line)

Enumeration
- Enumeration occurs after scanning and is the process of gathering and compiling user names, machine names, network resources, shares, and services.

NetBIOS enumeration with nbtscan (Kali):

nbtscan 192.168.136.1

IP address      NetBIOS Name      Server    User       MAC address
192.168.136.1   DESKTOP-TRV891Q   <server>  <unknown>  00:50:56:c0:00:08

Share enumeration from a Windows host:

net view \\<computername>



Exercise 3.7: Scanning networks with Colasoft Packet Builder

Prerequisites:
- Local machine, Windows 7 VM

Steps:

- Install Colasoft Packet Builder on your machine: Tools\Chap 3\pktbuilder_2.0.0.212.exe
- Install Wireshark on your machine: Tools\Chap 3\Wireshark-win64-2.4.4.exe
- Start the Windows 7 VM
- Launch Wireshark and Colasoft as Administrator
- Analyse the traffic with Wireshark; from the ARP and broadcast traffic you can get the IP addresses of the hosts on the network
- Craft a packet with a spoofed (different) source MAC address in Colasoft, send it, and observe it in Wireshark



Exercise 3.8: smbclient, enum4linux

PREREQUISITES:
- Kali VM, West-Wild VM: https://download.vulnhub.com/westwild/West-Wild-v1.1.ova

STEPS:

root@kali:~# enum4linux 192.168.227.138

[+] Attempting to map shares on 192.168.227.138
//192.168.227.138/print$    Mapping: DENIED, Listing: N/A
//192.168.227.138/wave      Mapping: OK, Listing: OK
//192.168.227.138/IPC$      [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

root@kali:~# smbclient //192.168.227.138/wave
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                        D        0  Tue Jul 30 01:18:56 2019
  ..                       D        0  Thu Aug  1 19:02:20 2019
  FLAG1.txt                N       93  Mon Jul 29 22:31:05 2019
  message_from_aveng.txt   N      115  Tue Jul 30 01:21:48 2019

smb: \> get FLAG1.txt
getting file \FLAG1.txt of size 93 as FLAG1.txt (22.7 KiloBytes/sec) (average 22.7 KiloBytes/sec)

"Anonymous login successful" after an empty password is a null session (objective 11): the share is readable without credentials. smbclient -N skips the password prompt entirely.
NMAP VULNERABILITY SCAN USING NSE SCRIPTS

CVE stands for Common Vulnerabilities and Exposures. Put simply, it is a way of organizing and cataloguing software vulnerabilities. This information is very useful to security researchers and penetration testers in their day-to-day work.

Combining Nmap commands with a few NSE scripts lets us extract the CVEs that apply to the services found. Examples of vulnerability/CVE detection scripts:

- nmap-vulners
- vulscan

Both detect relevant CVE information for remote or local hosts, starting from the product and version strings that nmap's service detection (-sV) reports.
NMAP VULSCAN
vulscan queries its own local CVE databases, hosted on the client running the scan. These local databases are the following files:
- scipvuldb.csv - https://vuldb.com
- cve.csv - https://cve.mitre.org
- securityfocus.csv - https://www.securityfocus.com/bid/
- xforce.csv - https://exchange.xforce.ibmcloud.com/
- exploitdb.csv - https://www.exploit-db.com
- openvas.csv - http://www.openvas.org
- securitytracker.csv - https://www.securitytracker.com (end-of-life)
- osvdb.csv - http://www.osvdb.org (end-of-life)

Installation

git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Usage

nmap -sV --script=vulscan/vulscan.nse www.example.com

-sV is required: vulscan matches the product/version string that version detection reports against the titles in its CSV files, so the result is only as good as the version detection and is prone to false positives (a match on the product name alone, or on a version prefix, is not a confirmed vulnerability).

A single local CVE database can be selected with the vulscandb script argument:

--script-args vulscandb=your_own_database
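The following is an added example written for this chapter, not code from the slides or from the vulscan project: a simplified model of what vulscan does, to make its false-positive behaviour concrete. It reads the services from nmap -sV -oX output, looks each product/version up by substring in a local "id;title" file, and grades every hit by how much of the version actually matched. The nmap XML and the database rows are constructed for the example; the EXAMPLE-000x identifiers and titles are placeholders, not real vulnerabilities.

```python
"""Simplified vulscan-style matching: nmap -sV output versus a local 'id;title'
database. Added example, not the vulscan project's code; the XML and the DB rows
are constructed and the EXAMPLE-000x entries are placeholders, not real CVEs."""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="ExampleFTPd" version="1.2.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="ExampleHTTPd" version="2.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

# Same 'id;title' row shape as vulscan's csv files; rows are made up for the example
VULN_DB = """EXAMPLE-0001;ExampleFTPd 1.2.3 USER command buffer overflow
EXAMPLE-0002;ExampleFTPd 1.2.4 anonymous upload misconfiguration
EXAMPLE-0003;ExampleHTTPd 2.0 directory traversal
EXAMPLE-0004;ExampleHTTPd 2.0.1 header injection
EXAMPLE-0005;OtherDaemon 9.9 remote code execution"""


def parse_services(xml_text):
    """Open ports with a detected product, from nmap -oX output."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("product"):
                continue
            services.append({"addr": addr, "port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "product": svc.get("product"), "version": svc.get("version", "")})
    return services


def load_db(text):
    """Parse 'id;title' rows, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        vid, title = line.split(";", 1)
        rows.append((vid.strip(), title.strip()))
    return rows


def match_service(product, version, db):
    """Substring matching like vulscan, graded by how much of the version matched."""
    hits, prod, ver = [], product.lower(), (version or "").lower()
    for vid, title in db:
        t = title.lower()
        if prod not in t:
            continue
        if ver and ver in t.split():
            conf = "version-exact"
        elif ver and ver in t:
            conf = "version-prefix"    # '2.0' inside '2.0.1': likely a false positive
        else:
            conf = "product-only"      # product named, version not: weakest evidence
        hits.append({"id": vid, "title": title, "confidence": conf})
    return hits


def scan_report(xml_text=NMAP_XML, db_text=VULN_DB):
    """{'port/proto': [hits]} for every detected service."""
    db = load_db(db_text)
    return {f"{s['port']}/{s['proto']}": match_service(s["product"], s["version"], db)
            for s in parse_services(xml_text)}


if __name__ == "__main__":
    for key, hits in scan_report().items():
        for h in hits:
            print(key, h["id"], h["confidence"], "-", h["title"])
```

Run against the constructed data, port 80 (ExampleHTTPd 2.0) matches both the 2.0 entry and the 2.0.1 entry, the second only because "2.0" is a prefix of "2.0.1". That is the class of noise a vulscan report contains, and the reason to confirm its hits against the vendor's advisory or a real vulnerability scanner before putting them in a report.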

NMAP VULSCAN UPDATE FILES

https://www.computec.ch/projekte/vulscan/download/cve.csv
https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
https://www.computec.ch/projekte/vulscan/download/openvas.csv
https://www.computec.ch/projekte/vulscan/download/osvdb.csv
https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
https://www.computec.ch/projekte/vulscan/download/xforce.csv

Download the files into the vulscan folder (/usr/share/nmap/scripts/vulscan/), replacing the shipped copies.


LAB 1: VULSCAN
Objectives:
- Install and use the vulscan script

git clone https://github.com/scipag/vulscan scipag_vulscan
sudo mkdir -p /usr/share/nmap/scripts/vulscan
sudo cp -r scipag_vulscan/* /usr/share/nmap/scripts/vulscan/
sudo nmap --script-updatedb
sudo nmap -sS -sV --script=vulscan/vulscan.nse testphp.vulnweb.com

NMAP-VULNERS
nmap-vulners is one of the best-known vulnerability-detection NSE scripts in use. Unlike vulscan it has no local database: it sends the CPE that nmap's version detection assigns to each service to the vulners.com API, so -sV is required and the scanning host needs Internet access.

Installation

cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git

Usage

nmap --script nmap-vulners/ -sV 11.22.33.44


NETCAT

Netcat, invoked as "nc", is a network utility that reads from and writes to TCP and UDP connections. It is used by attackers and security auditors alike.

1. It acts as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services.
2. It redirects TCP/UDP/SCTP traffic to other ports or hosts, acting as a SOCKS or HTTP proxy so that clients specify their own destinations.
3. It can connect to destinations through a chain of anonymous or authenticated proxies.
4. It encrypts communication with SSL and transports it over IPv4 or IPv6.
5. It acts as a connection broker, allowing two (or far more) clients to connect through a third (brokering) server.

Points 1-5 describe Ncat, the Nmap project's implementation. The classic netcat-traditional and netcat-openbsd builds that "nc" resolves to on most Linux distributions lack SSL, SCTP and connection brokering, so check which binary you have (nc -h) before relying on those features.
Netcat basic commands (lab target: Metasploitable 2)

Port Scanning
Netcat can be used as a port scanner, although it was not designed for it. To use it as a scanner, set the "-z" flag, which tells netcat to connect to the listening daemon without sending any data; with -v it reports which ports accepted the connection, from which the service running on each port can be inferred. Netcat can perform both TCP and UDP scans.

TCP scan
nc -v -n -z 192.168.1.105 21-100

[-v]: verbose mode
[-n]: numeric-only IP addresses (no DNS lookups)
[-z]: zero-I/O mode (used for scanning)

UDP scan
nc -vzu 192.168.1.105 161

[-u]: UDP mode. UDP has no handshake, so a port is reported open merely because no ICMP port-unreachable came back; a filtered port looks exactly the same.


Banner Grabbing
A banner is the text a service sends when a client connects (or in reply to a first request); it typically names the software and often its version, which is what feeds version-based vulnerability lookups.

Run the following commands to grab the target's FTP and SSH banners:

nc 192.168.1.105 21
nc 192.168.1.105 22
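Both the telnet HEAD request of Exercise 3.5.2 and the netcat banner grab above are the same two socket operations: read what the service volunteers, or send one well-formed request and parse the reply. The following is an added example written for this chapter, not code from the slides: grab_banner() is the netcat case, http_head() is the telnet case with the Server: header parsed out. So that it runs offline, demo() starts two stand-in services on the loopback interface, a fake SSH listener and a fake Apache, in place of the lab VMs; the banner strings they send are constructed.

```python
"""Banner grabbing: raw greeting (FTP/SSH style) and HTTP HEAD with header parsing.
Added example, not from the slides; demo() starts constructed stand-in services on
127.0.0.1 so that it runs without the lab VMs."""
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host, port, timeout=2.0, probe=b""):
    """Connect, optionally send a probe, and return whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024).decode("utf-8", errors="replace").strip()


def http_head(host, port, vhost=None, timeout=2.0):
    """Send the request the telnet exercise types by hand; parse status line and headers."""
    req = f"HEAD / HTTP/1.1\r\nHost: {vhost or host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head = b"".join(chunks).split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"status": status, "headers": headers}


# ---- constructed stand-ins for the lab targets ----
class _FakeHTTP(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.29"      # what the Server: header will advertise
    sys_version = "(Ubuntu)"

    def do_HEAD(self):
        self.send_response(200)           # adds Server: and Date: automatically
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass


class _FakeSSH(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n")


def _serve(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def demo():
    """Start both fakes on ephemeral ports, grab their banners, shut them down."""
    http_srv = HTTPServer(("127.0.0.1", 0), _FakeHTTP)
    ssh_srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSSH)
    http_port, ssh_port = _serve(http_srv), _serve(ssh_srv)
    try:
        return {"http": http_head("127.0.0.1", http_port),
                "ssh": grab_banner("127.0.0.1", ssh_port)}
    finally:
        for srv in (http_srv, ssh_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    result = demo()
    print(result["http"]["status"], "|", result["http"]["headers"].get("server"))
    print(result["ssh"])
```

Two practical notes. Services such as HTTP say nothing until asked, which is why the telnet exercise has you type a request; SSH and FTP speak first, so a plain connect is enough. And a banner is whatever the administrator chose to advertise: ServerTokens Prod on Apache reduces it to "Apache", and some sites return a fake one, so treat a banner as a claim to be checked against behaviour (nmap -sV sends several probes for exactly that reason).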
PowerShell | IPv4 network scanner

Link: https://github.com/BornToBeRoot/PowerShell_IPv4NetworkScanner

Example 1

PS> .\IPv4NetworkScan.ps1 -StartIPv4Address 192.168.178.0 -EndIPv4Address 192.168.178.20

IPv4Address     Status  Hostname
-----------     ------  --------
192.168.178.1   Up      fritz.box

Example 2 (scan a whole subnet given by mask, without reverse DNS lookups)

PS> .\IPv4NetworkScan.ps1 -IPv4Address 192.168.178.0 -Mask 255.255.255.0 -DisableDNSResolving
PowerShell | IPv4 port scanner

Link: https://github.com/BornToBeRoot/PowerShell_IPv4PortScanner

PS> .\IPv4PortScan.ps1 192.168.9.5 -StartPort 1 -EndPort 500 | ft



Exercise 3.9: Scan with rapidscan (ALL in ONE Tool)

PREREQUISITES:
- Kali VM

Install the packages rapidscan wraps, then rapidscan itself:

root@kali:~# apt-get install wapiti golismero dnsmap uniscan dnswalk xsser
root@kali:~# git clone https://github.com/skavngr/rapidscan.git
root@kali:~# cd rapidscan
root@kali:~/rapidscan# chmod +x rapidscan.py

Test scan

root@kali:~/rapidscan# python rapidscan.py scanme.nmap.org



Exercise 3.10: Vul. Scan with archerysec

PREREQUISITES:
- Kali VM

INSTALLATION:

git clone https://github.com/archerysec/archerysec.git
sudo apt-get install python3-pip
sudo apt-get install python3-venv
cd archerysec
NAME=User EMAIL=user@user.com PASSWORD=admin@123A bash setup.sh
./run.sh

Then open http://127.0.0.1:8000 and log in with the user created by setup.sh (change that password before exposing the instance beyond localhost).

LAB ENVIRONMENT (GreenBone / OpenVAS)

- VMware Workstation
- Kali Linux

- Download the GreenBone (GSM Trial) VM:
  https://files.greenbone.net/download/delivery/5535f51d-0aff-41de-b8d3-d426f4d21918/GSM-TRIAL-21.04.12-VMware-Workstation.ova
- Log in using the following login information: user name admin | password admin
- Select Yes and press Enter to open the wizard
- Enter the user name and password of the web administrator
- Skip
- Go to About and note the appliance's IP address
- Run a test scan against the Metasploitable 2 VM
- Go to Scans > Results
- https://192.168.40.151/cvsscalculator (the appliance address in this lab; use the one shown under About)
- Web administrator credentials used in the lab: webadmin / 123456
Chap 3 Review Questions



1. What port number does FTP use?
A. 21
B. 25
C. 23
D. 80

2. What port number does HTTPS use?
A. 80
B. 443
C. 22

3. Banner grabbing is an example of what?
A. Active operating system fingerprinting
B. Passive operating system fingerprinting
C. Footprinting
D. Application analysis

4. What is the proper sequence of a TCP connection?
A. SYN-SYN-ACK-ACK
B. SYN-ACK-FIN
C. SYN-SYN/ACK-ACK
D. SYN-PSH-ACK

5. What is enumeration?
A. Identifying active systems on the network
B. Cracking passwords
C. Identifying users and machine names
D. Identifying routers and firewalls

6. Why would an attacker want to perform a scan on port 137?
A. To locate the FTP service on the target host
B. To discover a target system with the NetBIOS null session vulnerability

7. A packet with all flags set is which type of scan?
A. Full Open
B. SYN scan
C. XMAS
D. TCP connect

8. To prevent a hacker from using SMB session hijacking, which TCP and UDP ports would you block at the firewall?
A. 167 and 137
B. 80 and 23
C. 139 and 445
D. 1277 and 1270
