312-50 Practice Test Questions

763 Questions


Topic 19, Evading IDS, Firewalls and Honeypots

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the
users have complained to Neil that a few employees are visiting offensive web sites
during work hours, without any consideration for others. Neil knows that he has an
up-to-date content filtering system and that such access should not be authorized.
What type of technique might be used by these offenders to access the Internet
without restriction?

A. They are using UDP, which is always authorized at the firewall
B. They are using an older version of Internet Explorer that allows them to bypass the proxy server
C. They have been able to compromise the firewall, modify the rules, and give themselves proper access
D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

Answer: D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

Explanation: This can be accomplished, for example, by tunneling HTTP traffic over SSH:
if you have an SSH server answering your connection, you enable dynamic port forwarding
in the SSH client and configure Internet Explorer to use a SOCKS proxy for its network
traffic.

Jenny, a well-known hacker, is scanning the remote host 204.4.4.4 using Nmap. She
gets the scan output and sees that the state of port 25 is filtered. What is the
meaning of the filtered port state?

A. Accessible
B. Filtered by firewall
C. Closed
D. None of the above

Answer: B. Filtered by firewall

Explanation: The state is either open, filtered, closed, or unfiltered. Filtered means that a
firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell
whether it is open or closed.

SSL has been seen as the solution to several common security problems.
Administrators will often make use of SSL to encrypt communication from point A to
point B. Why do you think this could be a bad idea if there is an Intrusion Detection
System deployed to monitor the traffic between point A and point B?

A. SSL is redundant if you already have an IDS in place.
B. SSL will trigger rules at regular intervals and force the administrator to turn them off.
C. SSL will slow down the IDS while it is breaking the encryption to see the packet content.
D. SSL will mask the content of the packet and the Intrusion Detection System will be blinded

Answer: D. SSL will mask the content of the packet and the Intrusion Detection System will be blinded

Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the
payload.

Which of the following countermeasures can specifically protect against both
MAC Flood and MAC Spoofing attacks?

A. Port Security
B. Switch Mapping
C. Port Reconfiguring
D. Multiple Recognition

Answer: A. Port Security

Explanation: With Port Security the switch keeps track of which source MAC addresses are
allowed to send traffic on a port.

Which type of Nmap scan is the most reliable, but also the most visible, and likely to
be picked up by an IDS?

A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan

Answer: D. Connect scan

Explanation: The TCP full connect (-sT) scan is the most reliable.

What is a sheepdip?

A. It is another name for Honeynet
B. It is a machine used to coordinate honeynets
C. It is the process of checking physical media for viruses before they are used in a computer
D. None of the above

Answer: C. It is the process of checking physical media for viruses before they are used in a computer

Explanation: Also known as a footbath, a sheepdip is the process of checking physical
media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer.
Typically, a computer that sheepdips is used only for that process and nothing else and is
isolated from the other computers, meaning it is not connected to the network. Most
sheepdips use at least two different antivirus programs in order to increase effectiveness.

Because UDP is a connectionless protocol: (Select 2)

A. UDP recvfrom() and write() scanning will yield reliable results
B. It can only be used for Connect scans
C. It can only be used for SYN scans
D. There is no guarantee that the UDP packets will arrive at their destination
E. ICMP port unreachable messages may not be returned successfully

Answer: D. There is no guarantee that the UDP packets will arrive at their destination
Answer: E. ICMP port unreachable messages may not be returned successfully

Explanation: Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP
scanners must also implement retransmission of packets that appear to be lost (or you will
get a bunch of false positives).

Eric notices repeated probes to port 1080. He learns that the protocol being used is
designed to allow a host outside of a firewall to connect transparently and securely
through the firewall. He wonders if his firewall has been breached. What would be
your inference?

A. Eric's network has been penetrated by a firewall breach
B. The attacker is using the ICMP protocol to have a covert channel
C. Eric has a Wingate package providing FTP redirection on his network
D. Somebody is using SOCKS on the network to communicate through the firewall

Answer: D. Somebody is using SOCKS on the network to communicate through the firewall

Explanation: Port description for 1080: SOCKS. SOCKS port, used to support outbound TCP
services (FTP, HTTP, etc.). Vulnerable in a way similar to FTP Bounce, in that an attacker
can connect to this port and "bounce" out to another internal host. Done to either reach a
protected internal host or mask the true source of an attack. Listen for connection
attempts to this port: a good sign of port scans, SOCKS probes, or bounce attacks. Also a
means to access restricted resources. Example: bouncing off a MILNET gateway SOCKS port
allows an attacker to access web sites, etc. that were restricted only to .mil domain
hosts.

Destination unreachable administratively prohibited messages can inform the
hacker of what?

A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally

Answer: D. That a router or other packet-filtering device is blocking traffic

Explanation: Destination unreachable administratively prohibited messages are a good
way to discover that a router or other low-level packet device is filtering traffic. Analysis of
the ICMP message will reveal the IP address of the blocking device and the filtered port.
This further adds to the network map and the information being discovered about the
network and hosts.

Which of the following command line switches would you use for OS detection in
Nmap?

A. -D
B. -O
C. -P
D. -X

Answer: B. -O

Explanation: Nmap's OS DETECTION options:
-O: Enable OS detection (try 2nd generation w/fallback to 1st)
-O2: Only use the new OS detection system (no fallback)
-O1: Only use the old (1st generation) OS detection system
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

You are conducting a port scan on a subnet that has ICMP blocked. You have
discovered 23 live systems and after scanning each of them you notice that they all
show port 21 in closed state.
What should be the next logical step that should be performed?

A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Rescan every computer to verify the results.

Answer: C. Perform a SYN scan on port 21 to identify any additional systems that might be up.

Explanation: As ICMP is blocked you'll have trouble determining which computers are up
and running by using a ping sweep. As all 23 computers that you had discovered earlier
had port 21 closed, any additional, previously unknown, systems will probably also have
port 21 closed. By running a SYN scan on port 21 over the target network you might get
replies from additional systems.

Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed
all the recommendations for securing the operating system and IIS. These servers
are going to run numerous e-commerce websites that are projected to bring in
thousands of dollars a day. Bob is still concerned about the security of these servers
because of the potential for financial loss. Bob has asked his company's firewall
administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to
ensure that no malicious data is getting into the network.
Why will this not be possible?

A. Firewalls can't inspect traffic coming through port 443
B. Firewalls can only inspect outbound traffic
C. Firewalls can't inspect traffic coming through port 80
D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

Answer: D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

Explanation: In order to really inspect traffic and traffic patterns you need an IDS.
