Nmap Traffic Capture

Nmap was used to scan a Windows 2000 system with several services, including a netcat listener configured as a backdoor. The traffic generated by that scan is listed in nmap_capture.acp. The answers to the questions posed in Chapter 9 are listed below.

  • The nmap scan used against the target system was a SYN scan, launched using the -sS switch. To see this, click on any of the packets between 13 and 42 once the captured traffic has been opened in Ethereal. Reassemble the stream for any of these packets. For these packets, the remote system responds with a packet with the RST and ACK flags set, indicating the port is closed. Then locate a SYN packet that was sent to an open port, such as HTTP (i.e., port 80) in packet 11782. ...
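The answer above describes the two response patterns an analyst looks for when reading a capture of a half-open scan: a bare SYN answered by RST/ACK (closed port) versus a bare SYN answered by SYN/ACK that the scanner then tears down with RST instead of completing the handshake (open port). The script below is an added example, not code from the book or from the nmap_capture.acp capture; it works on constructed packet summaries rather than a real pcap, and the addresses, ports and frame numbers are invented. It labels each probe the way the text does and flags a source that probes many ports on one host without ever finishing a three-way handshake, which is the signature of the -sS scan discussed here.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet summary: frame number, endpoints, ports and flags."""
    num: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def _reply_to(probe, packets):
    """First later packet travelling back on the same 4-tuple, or None."""
    for r in packets:
        if (r.num > probe.num and r.src == probe.dst and r.dst == probe.src
                and r.sport == probe.dport and r.dport == probe.sport):
            return r
    return None


def classify_probes(packets):
    """Label each SYN probe's target port as an analyst would when stepping
    through the capture: RST/ACK back means closed, SYN/ACK back means open,
    nothing back means the probe was filtered or dropped."""
    results = {}
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:          # bare SYN = a probe
            key = (p.src, p.dst, p.dport)
            r = _reply_to(p, packets)
            if r is None:
                results[key] = "no-response"
            elif r.flags & RST:
                results[key] = "closed"
            elif r.flags & SYN and r.flags & ACK:
                results[key] = "open"
            else:
                results[key] = "other"
    return results


def syn_scan_sources(packets, min_ports=5):
    """Heuristic for a half-open (-sS) scan: a source that sends bare SYNs to
    many distinct ports on one host and never sends the bare ACK that would
    finish a handshake (a scanner answers SYN/ACK with RST instead)."""
    probed = defaultdict(set)       # (src, dst) -> distinct ports probed
    completed = defaultdict(int)    # (src, dst) -> handshakes finished
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            probed[(p.src, p.dst)].add(p.dport)
        elif p.flags & ACK and not p.flags & (SYN | RST | FIN | PSH):
            completed[(p.src, p.dst)] += 1
    return sorted(k for k, ports in probed.items()
                  if len(ports) >= min_ports and completed[k] == 0)


# Constructed sample traffic (hypothetical hosts, not the book's capture).
SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.20", "10.0.0.9"
SAMPLE = [
    # closed ports: SYN probe, RST/ACK back
    Packet(1, SCANNER, TARGET, 40001, 21, SYN),
    Packet(2, TARGET, SCANNER, 21, 40001, RST | ACK),
    Packet(3, SCANNER, TARGET, 40002, 22, SYN),
    Packet(4, TARGET, SCANNER, 22, 40002, RST | ACK),
    Packet(5, SCANNER, TARGET, 40003, 23, SYN),
    Packet(6, TARGET, SCANNER, 23, 40003, RST | ACK),
    Packet(7, SCANNER, TARGET, 40004, 25, SYN),
    Packet(8, TARGET, SCANNER, 25, 40004, RST | ACK),
    # open port: SYN/ACK back, scanner tears the half-open connection down with RST
    Packet(9, SCANNER, TARGET, 40005, 80, SYN),
    Packet(10, TARGET, SCANNER, 80, 40005, SYN | ACK),
    Packet(11, SCANNER, TARGET, 40005, 80, RST),
    # filtered port: nothing comes back
    Packet(12, SCANNER, TARGET, 40006, 443, SYN),
    # a legitimate client completing a full handshake to port 80
    Packet(13, CLIENT, TARGET, 51000, 80, SYN),
    Packet(14, TARGET, CLIENT, 80, 51000, SYN | ACK),
    Packet(15, CLIENT, TARGET, 51000, 80, ACK),
]

if __name__ == "__main__":
    for (src, dst, port), state in sorted(classify_probes(SAMPLE).items()):
        print(f"{src} -> {dst}:{port}  {state}")
    print("likely SYN scanners:", syn_scan_sources(SAMPLE))
```

The legitimate client in the sample also gets its port 80 probe labelled "open", which is correct: the per-probe labels only say what the target answered. It is the second function, which looks at how many ports one source touched and whether it ever completed a handshake, that separates the scanner from an ordinary connection, and the min_ports threshold should be tuned to the environment before the heuristic is trusted on real captures.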

Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
