Free GCIH Scanning & Mapping Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Scanning & Mapping practice test covers scanning and mapping — Nmap scan types, Masscan, service/version detection, OS fingerprinting, vulnerability scanning, and network topology mapping. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Scanning & Mapping
- Nmap Scan Types
- Masscan
- Service / Version Detection
- OS Fingerprinting
- Vulnerability Scanning
- Network Topology Mapping
6 Free GCIH Scanning & Mapping Practice Questions with Answers
Sample Question 1 — Scanning and Mapping
Which Nmap scan type is considered the most stealthy for reconnaissance?
- A. TCP SYN scan (-sS)
- B. TCP connect scan (-sT)
- C. TCP FIN scan (-sF) (Correct answer)
- D. UDP scan (-sU)
Correct answer: C
Explanation: TCP FIN scans are considered more stealthy because they send unexpected FIN packets, which belong to no established connection, to the target's ports instead of the SYN packets a normal connection attempt starts with. Many intrusion detection systems are not configured to detect FIN scans, so they can be used for reconnaissance without triggering alerts.
Sample Question 2 — Scanning and Mapping
During a routine network security assessment, you are tasked with discovering all active devices and open ports on a subnet. You decide to use Nmap for this task. Which of the following Nmap commands will provide you with the most comprehensive scan, including service versions and operating system detection, while being mindful of network stability?
- A. nmap -sS -O -sV 192.168.1.0/24 (Correct answer)
- B. nmap -sP 192.168.1.0/24
- C. nmap -sT -p 1-65535 192.168.1.0/24
- D. nmap -sn 192.168.1.0/24
Correct answer: A
Explanation: Option A is correct because the command 'nmap -sS -O -sV 192.168.1.0/24' performs a SYN scan (-sS), which is less intrusive than a full TCP connect scan, and includes OS detection (-O) and service version detection (-sV), providing a comprehensive overview of the network. Option B only performs a ping scan (-sP) to identify live hosts. Option C performs a full TCP connect scan (-sT) on all ports, which is more intrusive and can affect network stability. Option D only performs a host discovery scan (-sn), which does not provide port or service information.
Sample Question 3 — Scanning and Mapping
You are investigating a potential security breach and need to identify all services running on a compromised server. The server is suspected to have multiple services running on non-standard ports. Which Nmap command will help you enumerate all open ports and identify the services running on those ports?
- A. nmap -Pn -p- -sV 192.168.1.100 (Correct answer)
- B. nmap -sU -p 1-1024 192.168.1.100
- C. nmap -sT -p 80,443 192.168.1.100
- D. nmap -sP 192.168.1.100
Correct answer: A
Explanation: Option A is correct because the command 'nmap -Pn -p- -sV 192.168.1.100' performs a scan that skips host discovery (-Pn), scans all 65535 ports (-p-), and detects service versions (-sV). This is suitable for identifying all open ports and the services running on them, even if they are on non-standard ports. Option B performs a UDP scan (-sU) on only the first 1024 ports, which may miss services on higher ports. Option C limits the scan to ports 80 and 443, which is insufficient for a comprehensive service enumeration. Option D only performs a ping scan (-sP) to identify live hosts without providing service information.
Sample Question 4 — Scanning and Mapping
During an incident response, you suspect that unauthorized scanning is occurring on your network. What is the FIRST step you should take to identify the source of the scanning activity?
- A. Run a full network scan using Nmap to identify all active devices.
- B. Use Wireshark to capture and analyze network traffic for suspicious activity.
- C. Check recent firewall logs for unusual connection attempts. (Correct answer)
- D. Deploy Exiftool to analyze metadata of files on the network.
Correct answer: C
Explanation: The correct answer is C. Checking recent firewall logs for unusual connection attempts is the most effective initial action because it allows you to quickly identify any unauthorized access patterns or anomalies. This step is practical and provides immediate insights into the source of the scanning. Option A, running a full network scan, could be intrusive and might not directly pinpoint the source of the scanning. Option B, using Wireshark, is technically valid but may take longer to analyze and isn't the most immediate step for identifying the source. Option D, deploying Exiftool, is unrelated to network scanning and focuses on file metadata, making it irrelevant in this context.
Sample Question 5 — Scanning and Mapping
During an incident response, you suspect that a compromised host is actively scanning the network. Which tool would be the most effective first step to confirm this activity?
- A. Wireshark (Correct answer)
- B. Nmap
- C. Exiftool
- D. Metasploit
Correct answer: A
Explanation: Wireshark is a network protocol analyzer that can capture and display packet data in real-time. It is the best first step to confirm scanning activity because it allows you to see the actual network traffic and identify patterns indicative of scanning, such as repeated connection attempts to multiple ports or IP addresses. Nmap, while useful for conducting scans, is not suited for detecting ongoing scans. Exiftool is irrelevant as it is used for metadata extraction from files, and Metasploit is primarily for exploitation rather than detection.
Sample Question 6 — Scanning and Mapping
You are the first responder to a potential network intrusion. What is the most effective initial action to identify the scope of the attack?
- A. Immediately shut down the network to prevent further damage.
- B. Conduct a full vulnerability assessment using Nessus.
- C. Perform a network scan using Nmap to identify open ports and services.
- D. Review the firewall logs for unusual traffic patterns. (Correct answer)
Correct answer: D
Explanation: Reviewing firewall logs for unusual traffic patterns is the most effective initial action to quickly identify the scope of the attack. It provides immediate insights into potential malicious activity and helps in understanding the attack vectors used. Shutting down the network is too drastic and could disrupt operations unnecessarily. Conducting a full vulnerability assessment is time-consuming and not suitable for immediate response. Performing a network scan with Nmap is useful but secondary to understanding the existing traffic patterns.
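The detection step that Questions 4, 5 and 6 point at, reviewing firewall or capture data for one source touching many ports or hosts in a short time, as an added Python example that is not part of the original test or of any tool it names; the iptables-style log format, the 60-second window and the thresholds of five ports or five hosts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style syslog lines (sample data, not from any real system):
# 10.0.0.5 probes six ports on one host within seconds; 10.0.0.9 is normal traffic.
SAMPLE_LOG = """\
2026-01-10T09:00:01 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=21
2026-01-10T09:00:01 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=22
2026-01-10T09:00:02 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=23
2026-01-10T09:00:02 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.168.1.100 PROTO=TCP DPT=443
2026-01-10T09:00:02 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=25
2026-01-10T09:00:03 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=80
2026-01-10T09:00:03 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=443
2026-01-10T09:05:00 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.168.1.100 PROTO=TCP DPT=443
"""

# Assumed log layout: ISO timestamp, free text, then ACCEPT/DROP and the netfilter fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?(?:ACCEPT|DROP) SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)")

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples, oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)

def find_scanners(events, window=60, min_ports=5, min_hosts=5):
    """Map source IP -> reason for any source that hits >= min_ports distinct ports on one host
    (port scan) or >= min_hosts distinct hosts (sweep) inside a `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    findings = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):  # slide the window over this source's events
            span = [e for e in evs[i:] if e[0] - start <= timedelta(seconds=window)]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts:  # setdefault keeps the earliest (widest) finding
                findings.setdefault(src, f"host sweep: {len(hosts)} hosts in {window}s")
            for host in hosts:
                ports = {dp for _, d, dp in span if d == host}
                if len(ports) >= min_ports:
                    findings.setdefault(src, f"port scan of {host}: {len(ports)} ports in {window}s")
    return findings
```

Running `find_scanners(parse_log(SAMPLE_LOG))` on the constructed lines flags only 10.0.0.5; the same two functions work unchanged on a real netfilter log once the timestamp prefix matches the regex.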
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14