Vulnerability Management Exam 2026 with precise detailed solutions
Enumeration Tools - ✔✔Used to identify and scan network ranges and hosts belonging to the target and map out an attack surface.

This is performed to gather intelligence that can be turned into an attack strategy, or conversely, when used as a defensive tool, to reduce the attack surface and mitigate potential attack vectors.

These tools involve at least some sort of active connection to the target. An active connection is one where the attacker transmits data to the target. The attacker machine may make obvious TCP connections to a firewall, send repetitive DNS and reverse DNS queries, or transmit phishing emails to targets within the network.

Active techniques are those that will be discovered if the victim is logging or otherwise monitoring network and host connections.
Enumeration Tools: Open-source Intelligence (OSINT) - ✔✔These tools query publicly available information, mostly using web and social media search tools.

This can be considered a fully passive approach.
Enumeration Tools: Footprinting - ✔✔These tools map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames).

Footprinting can be performed in active, nonstealthy modes to obtain quick results at the risk of detection, or by using slow semi-passive and passive techniques.
Enumeration Tools: Fingerprinting - ✔✔These tools perform host system detection to map out open ports, OS type and version, file shares, running services and applications, system uptime, and other useful metadata.

Fingerprinting can be performed by active, semi-passive, and passive tools.
Nmap Security Scanner - ✔✔Uses diverse methods of host discovery and fingerprinting.

The tool is open-source software with packages for most versions of Windows, Linux, and macOS. It can be run from the command line or via a GUI.
Nmap: List scan (-sL) - ✔✔This lists the IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs.

This can be used to check that you have specified appropriate targets. No probes are directed at the actual hosts.
Nmap: TCP SYN ping (-PS <PortList>) - ✔✔To defeat a firewall, the attacker might want to probe ports other than the default HTTP/HTTPS ones.

There are numerous other host detection techniques, including TCP ACK, UDP, SCTP INIT, and IP protocol ping.
Nmap: Sparse scanning (--scan-delay <Time>) - ✔✔One of the principal means of making a scan stealthy is to collect results over an extended period.

You can set Nmap to issue probes with significant delays between each probe to try to defeat intrusion detection systems. Of course, this makes host discovery a lengthy process. You can also configure delays using a timing template (-Tn, where n is a number from 0 to 5, with 0 being slowest).

Another IDS evasion technique is to scan the scope in a random order (--randomize-hosts).
Nmap: TCP Idle scanning (-sI) - ✔✔Another way to make a scan stealthy is to use a so-called "zombie" host to appear to start the scan, disguising the identity of the host used to launch the scan.

This type of scan takes much longer to complete than ordinary ping detection.

Another masking option is to use the -d switch to add a number of decoy source IP addresses.
Nmap: Fragmentation (-f or --mtu) - ✔✔This technique splits the TCP header of each probe between multiple IP datagrams.

The principle is that splitting the header will make it harder for intrusion detection software to analyze. If the sensor attempts to reassemble the packets, that will consume more CPU cycles, so that option is sometimes disabled to improve performance.

However, as security appliances become more powerful, fragmentation is less likely to succeed as a tactic (and the IDS can be configured to look for unusual fragmentation patterns).
Nmap Output: Interactive - ✔✔Human-readable output designed to be viewed on-screen.
Nmap Output: Normal (-oN) - ✔✔Human-readable output directed to a file for analysis later.
Nmap Output: XML (-oX) - ✔✔Output using XML formatting to delimit the information.
Nmap Output: Grepable output (-oG) - ✔✔This delimits the output using one line for each host and tab, slash, and comma characters for fields.

This format makes it easier to parse the output using the grep Linux regular expressions command (or any other regex tool).
Nmap Port Scan: TCP SYN (-sS) - ✔✔This is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it.

The target's response to the scan's SYN packet identifies the port state.
Nmap Port Scan: TCP connect (-sT) - ✔✔A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets.

If privileged access is not available, Nmap has to use the OS to attempt a full TCP connection. This type of scan is less stealthy.
Nmap Port Scan: TCP flags - ✔✔You can scan by setting TCP headers in unusual ways.

A Null (-sN) scan sets the header flag bits to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags.

This was a means of defeating early types of firewalls and IDS.