GIAC Penetration Tester (GPEN) — Question 14
Analyze the command output below. Given this information, which is the appropriate next step for the tester?
```text
Starting Nmap 4.53 ( http://insecure.org ) at 2010-09-30 19:13 EDT
Interesting ports on 192.163.116.101:
PORT    STATE    SERVICE
130/tcp filtered cisco-fna
131/tcp filtered cisco-tna
132/tcp filtered cisco-sys
133/tcp filtered statsrv
134/tcp filtered Ingres-net
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp open     netbios-ssn
140/tcp filtered emfis-data
MAC Address: 00:30:1&:B8:14:8B (Shuttle)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 1.263 seconds
```
Answer options
- A. Determine the MAC address of the scanned host.
- B. Send a single SYN packet to port 139/tcp on the host.
- C. Send spoofed packets to attempt to evade any firewall.
- D. Request a list of shares from the scanned host.
Correct answer: D
Explanation
The correct action is D. The output shows that port 139/tcp is open while the neighbouring ports are filtered; 139/tcp is the NetBIOS session service, which carries SMB file and print sharing, so requesting the host's share list is the natural next step for turning the open port into information about shared resources. Option A adds nothing, since the MAC address and vendor are already in the scan output; option B would merely repeat the port probe Nmap has just completed; and option C introduces unnecessary complexity, because the service of interest is already reachable without evading any firewall.