You are assisting during an incident-response engagement. The team extracted the .bash_history file from a Linux web server that recently began communicating with unknown external IP addresses. A condensed excerpt of the command history is shown:
ls -la /var/www/html
nmap -sS -p- 10.10.20.0/24 --max-retries 1 -T4 -oG /tmp/scan.txt
grep -i 'password' /etc/passwd
ps aux | grep sshd
tar -czf /tmp/etc.tgz /etc
Based on the commands recorded, which line most clearly indicates that the attacker attempted to discover open ports and services across hosts in the local subnet?
The second line launches Nmap with a SYN scan (-sS) against every TCP port (-p-) on the entire 10.10.20.0/24 network, saving the results to a grepable output file. Nmap is purpose-built to enumerate hosts and identify which ports are open, precisely the kind of reconnaissance behavior incident responders look for. The other commands merely list directory contents (ls), search text within a file (grep), display running processes (ps), or archive configuration files (tar); none of them probe the network for listening ports.