Exam PT0-002 topic 1 question 220 discussion

Actual exam question from CompTIA's PT0-002
Question #: 220
Topic #: 1

A penetration tester will be performing a vulnerability scan as part of the penetration test on a client's website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize?

  • A. -а8 -T0
  • B. --script "http*vuln*"
  • C. -sn
  • D. -O -A
Suggested Answer: B

Comments

Etc_Shadow28000
9 months, 3 weeks ago
Selected Answer: B
B. --script "http*vuln*": The --script option allows the tester to specify a selection of Nmap scripts to run. The pattern "http*vuln*" selects scripts that probe for HTTP vulnerabilities. This option directly targets vulnerability scanning, making it the most relevant for the task described.
upvoted 1 times
Etc_Shadow28000
9 months, 3 weeks ago
A. -а8 -T0: The -а8 option is not a valid Nmap option. However, if you meant -A, it would enable OS detection, version detection, script scanning, and traceroute. -T0 sets the timing template to the slowest possible, which helps avoid detection but is not specifically for selecting vulnerability scripts.
C. -sn: The -sn option is used for a "ping scan" to determine which hosts are up without performing port scanning. This is not suitable for probing vulnerabilities.
D. -O -A: The -O option enables OS detection, and -A enables OS detection, version detection, script scanning, and traceroute. While -A includes script scanning, it is not focused solely on vulnerability scanning scripts and may perform additional actions that could increase the risk of detection.
upvoted 1 times
...
...
pepgua
10 months, 3 weeks ago
The MOST correct answer for the penetration tester's vulnerability scan with stealth in mind is B. --script "http*vuln*". Here's a breakdown of why this option is the most suitable: --script "http*vuln*": This command leverages the Nmap Scripting Engine (NSE) to run scripts that specifically target potential HTTP vulnerabilities. The pattern "http*vuln*" instructs Nmap to execute all scripts whose names begin with "http" and contain "vuln" (likely vulnerability-related scripts). By focusing on HTTP vulnerabilities relevant to the website, this approach minimizes unnecessary checks and reduces the scan's overall footprint. By employing the --script "http*vuln*" option, the penetration tester can conduct a targeted vulnerability scan that prioritizes stealth while focusing on potential HTTP vulnerabilities relevant to the client's website.
upvoted 1 times
...
Natthew99
1 year, 6 months ago
MOST likely -sn (no port scan). Using http*vuln* will all run 27 scripts, 13 of which are categorized intrusive, another 11 are categorized exploit. It's http, so any security monitoring is going to catch injection and exploit related nmap scripts
upvoted 1 times
...
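The comment above says HTTP-side monitoring will notice NSE script traffic. As an added example (not part of the thread), the sketch below shows two server-side checks over web access logs: NSE's default HTTP User-Agent contains the string "Nmap Scripting Engine", and a sweep of many distinct paths that mostly return 4xx. The log lines are constructed, the addresses are documentation ranges, and the thresholds and combined-log format are assumptions.

```python
import re
from collections import defaultdict

NSE_UA = "Nmap Scripting Engine"  # substring of NSE's default HTTP User-Agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def _ua(kind):
    return ("Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
            if kind == "nse" else "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0")

def _line(ip, path, status, kind="browser"):
    # Builds one constructed combined-format log line.
    return f'{ip} - - [12/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 196 "-" "{_ua(kind)}"'

# Constructed sample: a normal visitor, a default-UA NSE client, a path sweep.
SAMPLE = (
    [_line("198.51.100.7", p, s) for p, s in [("/", 200), ("/about", 200), ("/favicon.ico", 404)]]
    + [_line("203.0.113.9", p, 404, "nse") for p in ["/a.php", "/b.jsp"]]
    + [_line("192.0.2.44", f"/probe{i}.cgi", 404) for i in range(6)]
)

def flag_sources(lines, min_paths=5, min_error_ratio=0.8):
    """Return {source_ip: [reasons]} for sources matching either rule."""
    stats = defaultdict(lambda: {"paths": set(), "errors": 0, "total": 0, "nse": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, path, status, ua = m.groups()
        s = stats[ip]
        s["paths"].add(path)
        s["total"] += 1
        s["errors"] += status.startswith("4")
        s["nse"] |= NSE_UA in ua
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["nse"]:
            reasons.append("nse-user-agent")
        # The User-Agent is client-supplied, so this rule does not depend on it.
        if len(s["paths"]) >= min_paths and s["errors"] / s["total"] >= min_error_ratio:
            reasons.append("path-sweep")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE).items():
        print(ip, ", ".join(reasons))
```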
solutionz
1 year, 8 months ago
Selected Answer: B
In the context of performing a vulnerability scan with Nmap, particularly for probing for web vulnerabilities, option B would be the most appropriate choice. The other options don't directly relate to probing for web vulnerabilities or avoiding detection in the context provided:
upvoted 1 times
...
[Removed]
2 years ago
Selected Answer: B
The penetration tester will most likely utilize option B, "--script "http*vuln*"", to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Explanation: Option A, "-а8 -T0", sets the timing template to paranoid and sends packets with minimum delay, which may slow down the network or cause the scan to fail if the target is rate-limited or IDS/IPS is triggered. Option B, "--script "http*vuln*"", allows the tester to run Nmap scripts that probe for vulnerabilities specific to the HTTP protocol. This is a targeted approach to scanning for vulnerabilities and helps to avoid detection by using only the relevant scripts. Option C, "-sn", is used for a ping scan to determine which hosts are up on a network. This option is not relevant for vulnerability scanning. Option D, "-O -A", performs operating system and service version detection, which may be useful for reconnaissance purposes, but not for vulnerability scanning.
upvoted 1 times
...
nickwen007
2 years, 1 month ago
The answer is B. The option --script "http*vuln*" allows the tester to run Nmap scripts that identify vulnerabilities while avoiding detection. -O -A is an option for Nmap that enables operating system and application detection. This option is not recommended for a penetration tester, as it could be detected by the target system.
upvoted 2 times
...
Codyjs54
2 years, 2 months ago
Selected Answer: B
Uhh.. -a8 isn't an Nmap switch. The question is also clearly stating "script". It can only be B.
upvoted 4 times
...
ronniehaang
2 years, 3 months ago
Selected Answer: B
-a8 is incorrect.
upvoted 2 times
...
masso435
2 years, 4 months ago
Selected Answer: B
It says they want to run script and it indicates it's for HTTP
upvoted 2 times
...
Treebeard88
2 years, 4 months ago
Selected Answer: A
The -A flag is for aggressive scans. If you’re trying to avoid detection you would not want to use this. The -O is useful for host detection but the ‘low and slow’ T0 will also perform this action if I’m not mistaken.
upvoted 1 times
...