A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?
A. Run nmap with the -O, -p22, and -sC options set against the target
B. Run nmap with the -sV and -p22 options set against the target
C. Run nmap with the --script vulners option set against the target
D. Run nmap with the -sA option set against the target
I would take A in this case. It has the ssh port (22) and at the same time, it runs the default scripts (-sC) to check for vulnerabilities.
With B, only the version of SSH will be returned, and hence, you will have to go ahead to search for the corresponding CVEs.
C ('--script vulners') is correct. While it does not reference port 22, it is the only option that will conduct a scan against open ports for known vulnerabilities.
While A and B reference port 22, -sV is only scanning for versions of services running on the ports that are open. -sC is simply running a set of default scripts within Nmap against the target network. So nothing in A or B will scan for known vulnerabilities on the target.
The "-sV" option enables version detection, which helps identify the services and their corresponding versions running on open ports.
The "-p22" option specifies that the scan should be performed specifically on port 22, which is the default port for SSH (Secure Shell) services.
By combining these options, the tester can obtain version information about the SSH service running on port 22. This can help identify any known CVEs associated with that particular version of SSH. The CVEs may include vulnerabilities that can be exploited to gain unauthorized execution on the target Linux server.
I would lean towards B on this one. The -sC option for default scripts does not seem to run NSE scripts that will actually find the CVE vulnerabilities (https://nmap.org/book/nse-usage.html#nse-category-default) in my research. In my testing the best command here would look something like nmap -sV -p22 --script=vulners <target>, so my second best option would be to run a scan targeting port 22 and the version name/number, and cross reference that with exploit-db or another database. In the end, this is another one of "those" CompTIA questions that belong in the trash.
Read the following article that includes information on how to accomplish this:
https://securitytrails.com/blog/nmap-vulnerability-scan
In the above article, all scans include the -sV switch to identify service versions. All the answers are missing the correct script scan database, as -sC means default scripts. The following command would do what they're looking for:
nmap -sV -p22 --script=vulscan/vulscan.nse www.example.com
Correct answer is D.
-A scans for OS, version, and uses the default scripts (same as -sC).
We don't know for a fact that SSHD service is running on port 22 so we'll do a normal scan.
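The thread's recurring point is that -sV gives you a service product/version (and a CPE) that you still have to cross-reference against a CVE database, while a default-script scan without -sV only tells you "ssh" from nmap's port table. The following is an added example, not code from the original thread: it parses nmap's -oX XML output and reports which SSH services carry enough version information to be looked up. The two XML documents are constructed samples shaped like nmap output (host 192.0.2.10 is a documentation address), not real scan results.

```python
"""Pull SSH service versions out of nmap XML output (-oX) so they can be
cross-referenced with a CVE feed; shows why -sV is needed for that step."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -p22 -oX -` output (not a real scan):
# version detection probed the banner, so product/version/CPE are filled in.
SAMPLE_WITH_SV = """<nmaprun scanner="nmap" args="nmap -sV -p22 -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:7.4</cpe>
        </service>
      </port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample of `nmap -sC -p22 -oX -` output (no -sV): the service
# name comes only from nmap's port-number table, so there is no version
# to match against a CVE database, even though default scripts ran.
SAMPLE_WITHOUT_SV = """<nmaprun scanner="nmap" args="nmap -sC -p22 -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table" conf="3"/>
        <script id="ssh-hostkey" output="2048 constructed-fingerprint (RSA)"/>
      </port>
    </ports>
  </host>
</nmaprun>"""


def ssh_service_records(xml_text):
    """Return one record per open SSH port found in nmap XML output.

    `lookup_ready` is True only when version detection produced a CPE or a
    product and version, i.e. something a CVE database can be queried with.
    """
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or svc.get("name") != "ssh":
                continue
            cpe_el = svc.find("cpe")
            rec = {
                "host": addr,
                "port": int(port.get("portid")),
                "product": svc.get("product"),
                "version": svc.get("version"),
                "cpe": cpe_el.text if cpe_el is not None else None,
                # "probed" = banner matched by -sV; "table" = guessed from the port number
                "detection": svc.get("method"),
                "scripts": [s.get("id") for s in port.findall("script")],
            }
            rec["lookup_ready"] = bool(rec["cpe"] or (rec["product"] and rec["version"]))
            records.append(rec)
    return records


def lookup_keys(records):
    """CPE strings (preferred) or product/version pairs to query a CVE feed with."""
    keys = []
    for r in records:
        if not r["lookup_ready"]:
            continue
        keys.append(r["cpe"] or f"{r['product']} {r['version']}")
    return keys


if __name__ == "__main__":
    for label, sample in (("-sV", SAMPLE_WITH_SV), ("-sC only", SAMPLE_WITHOUT_SV)):
        recs = ssh_service_records(sample)
        print(f"{label}: {recs} -> lookup keys {lookup_keys(recs)}")
```

Run against real output (nmap -sV -p22 -oX scan.xml host, then feed scan.xml to ssh_service_records), the -sV record yields a CPE you can query a CVE database with, while the -sC-only record yields nothing, which is exactly the gap the comments above describe. Note that a version string from a banner is a lead, not proof: distribution backports mean an "OpenSSH 7.4" banner may already carry the fix for a CVE the lookup returns.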
Community vote distribution: A (35%), C (25%), B (20%), Other