While conducting an external assessment, you use Netcat to grab the banner of a web service listening on TCP port 80 and simultaneously capture the 3-way handshake in Wireshark. The banner returns:
Server: Microsoft-IIS/10.0
The SYN/ACK packet shows an initial TTL value of 128. Based on this information, which of the following is the most accurate assessment of the remote host?
It is an Ubuntu 16.04 server running Apache 2.4 but misreports its banner.
A stateful firewall is normalizing TTL values, so the operating system cannot be determined.
It is a Linux system with a custom kernel that purposely increases its initial TTL to 128.
The system is most likely a Windows Server 2016/2019 host running IIS 10.0.
The banner explicitly identifies Microsoft-IIS version 10.0, a web server that ships with Windows Server 2016 and later (including Windows Server 2019/2022 and Windows 10/11). In addition, a default initial TTL of 128 is characteristic of Windows TCP/IP stacks. Together, the application banner and the network-layer fingerprint corroborate that the target is almost certainly running a modern Windows Server platform with IIS 10.0.
The Ubuntu/Apache option conflicts with both the IIS banner and the Windows-typical TTL. The firewall option is unlikely here because the service banner would still reveal IIS 10.0, and most TTL normalization devices set values like 60 or 64, not 128. An "artificially raised TTL" on Linux could in theory be configured, but doing so while also serving IIS is implausible; nothing in the evidence suggests such deliberate spoofing. Therefore, concluding that the host is a Windows Server offering IIS 10.0 is the best-supported interpretation.
Certified Ethical Hacker (CEH)
Reconnaissance Techniques