Question

There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?

a. sniffer-detect
b. promisc-detect
c. promiscuous-sweep
d. compromised-host-scan

Answer 1

option a.To detect devices in promiscuous mode on a network, use the Nmap 'sniffer-detect' script. This script identifies network sniffers by sending ARP packets and analyzing responses, although it may not always be definitive.

Step-by-step explanation:

If you are looking to pinpoint a compromised machine on a company network by scanning for devices in promiscuous mode, you would use Nmap, a network scanning tool. Among the various Nmap scripts for this purpose, the sniffer-detect script is designed specifically to detect hosts on a network that are in promiscuous mode. This mode is often used by network monitoring tools and network sniffers, and can also be a sign that an attacker is capturing network traffic.

The correct Nmap script to use in this scenario is sniffer-detect, which tests if the devices on a network are in promiscuous mode by sending ARP packets and analyzing the responses. Note that while this method can indicate which machines might be sniffing traffic, it may not always be reliable, as attackers can hide their presence, and some network cards do not respond to these probes in a way that clearly indicates promiscuous mode.