Topic 19, Evading IDS, Firewalls and Honeypots
Given the following extract from the Snort log on a honeypot, what service is being
exploited?
A. FTP
B. SSH
C. Telnet
D. SMTP
Answer: A. FTP
Explanation: The connection is made to 172.16.1.104:21, the FTP control port.
Exhibit
(Note: the student is being tested on concepts learnt during passive OS
fingerprinting, basic TCP/IP connection concepts and the ability to read packet
signatures from a sniff dump.)
Snort has been used to capture packets on the network. On studying the packets,
the penetration tester finds them to be abnormal. If you were the penetration tester, why
would you find this abnormal?
What is odd about this attack? Choose the best answer.
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is Back Orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool; they were not created by a standard IP stack.
Answer: B. This is Back Orifice activity as the scan comes from port 31337.
Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hacker
spelling of 'elite', meaning 'elite hackers'.
You have performed the traceroute below and notice that hops 19 and 20 both show
the same IP address.
What can be inferred from this output?
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 12.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0-gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.11 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 38.894 ms 33.244 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 example-gwl.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms
A. An application proxy firewall
B. A stateful inspection firewall
C. A host based IDS
D. A Honeypot
Answer: B. A stateful inspection firewall
Blake is in charge of securing all 20 of his company's servers. He has enabled
hardware and software firewalls, hardened the operating systems and disabled all
unnecessary services on all the servers. Unfortunately, there is proprietary AS400
emulation software that must run on one of the servers and that requires the telnet
service to function properly. Blake is especially concerned about this since telnet can
be a very large security risk in an organization. Blake is concerned about how this
particular server might look to an outside attacker, so he decides to perform some
footprinting, scanning and penetration tests on the server. Blake telnets into the
server and types the following command:
HEAD / HTTP/1.0
After pressing enter twice, Blake gets the following results:
What has Blake just accomplished?
A. Grabbed the banner
B. Downloaded a file to his local computer
C. Submitted a remote command to crash the server
D. Poisoned the local DNS cache of the server
Answer: A. Grabbed the banner
Gerald, the systems administrator for Hyped Enterprise, has just discovered that his
network has been breached by an outside attacker. After performing routine
maintenance on his servers, he discovers numerous remote tools were installed
that no one in his department claims to have knowledge of.
Gerald logs onto the management console for his IDS and discovers an unknown IP
address that scanned his network constantly for a week and was able to access his
network through a high-numbered port that was not closed. Gerald traces the IP address
he found in the IDS log to a proxy server in Brazil.
Gerald calls the company that owns the proxy server and, after searching through
their logs, they trace the source to another proxy server in Switzerland. Gerald calls
the company in Switzerland that owns the proxy server and, after scanning through
the logs again, they trace the source back to a proxy server in China.
What tool did Gerald's attacker use to cover their tracks?
A. Tor
B. ISA
C. IAS
D. Cheops
Answer: A. Tor
Explanation: Tor is a network of virtual tunnels that allows people and groups to improve
their privacy and security on the Internet. It also enables software developers to create new
communication tools with built-in privacy features. It provides the foundation for a range of
applications that allow organizations and individuals to share information over public
networks without compromising their privacy. Individuals can use it to keep remote
Websites from tracking them and their family members. They can also use it to connect to
resources such as news sites or instant messaging services that are blocked by their local
Internet service providers (ISPs).
You are trying to scan a machine on ABC company's LAN named
mail.abc.com. That machine is actually located behind the firewall. Which port is used
by nmap to send the TCP synchronize frame to on mail.abc.com?
A. 443
B. 80
C. 8080
D. 23
Answer: A. 443
John is using a special tool on his Linux platform that has a signature database and
is therefore able to detect hundreds of vulnerabilities in UNIX, Windows, and
commonly used web CGI scripts. Additionally, the database detects DDoS zombies
and Trojans. What would be the name of this multifunctional tool?
A. nmap
B. hping
C. nessus
D. make
Answer: C. nessus
Explanation: Nessus is the world's most popular vulnerability scanner, estimated to be
used by over 75,000 organizations world-wide. Nmap is mostly used for scanning, not for
detecting vulnerabilities. Hping is a free packet generator and analyzer for the TCP/IP
protocol, and make is used to automatically build large applications on the *nix platform.
Which of the following are potential attacks on cryptography? (Select 3)
A. One-Time-Pad Attack
B. Chosen-Ciphertext Attack
C. Man-in-the-Middle Attack
D. Known-Ciphertext Attack
E. Replay Attack
Answer: B, C, E. Chosen-Ciphertext Attack, Man-in-the-Middle Attack, Replay Attack
Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in
which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown
key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks,
referring to a scenario in which an attacker gains access to an unattended decryption
machine. In cryptography, a man-in-the-middle attack (MITM) is an attack in which an
attacker is able to read, insert and modify at will, messages between two parties without
either party knowing that the link between them has been compromised. The attacker must
be able to observe and intercept messages going between the two victims. A replay attack
is a form of network attack in which a valid data transmission is maliciously or fraudulently
repeated or delayed. This is carried out either by the originator or by an adversary who
intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet
substitution (such as stream cipher attack).
Samantha has been actively scanning the client network for which she is doing a
vulnerability assessment test. While doing a port scan she notices ports open in the
135 to 139 range. What protocol is most likely to be listening on those ports?
A. SMB
B. FTP
C. SAMBA
D. FINGER
Answer: A. SMB
Explanation: Port 135 is for RPC and ports 136-139 are for NetBIOS traffic. SMB is an upper
layer service that runs on top of the Session Service and the Datagram Service of NetBIOS.
John has a proxy server on his network which caches and filters web access. He
shuts down all unnecessary ports and services. Additionally, he has installed a
firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack,
a network user, has successfully connected to a remote server on port 80 using
netcat. He could in turn drop a shell from the remote machine. Assuming an attacker
wants to penetrate John's network, which of the following options is he likely to
choose?
A. Use ClosedVPN
B. Use Monkey shell
C. Use reverse shell using FTP protocol
D. Use HTTPTunnel or Stunnel on port 80 and 443
Answer: D. Use HTTPTunnel or Stunnel on port 80 and 443
Explanation: As long as you allow HTTP or HTTPS traffic, attacks can be tunneled over those
protocols with Stunnel or HTTPTunnel.
Which one of the following attacks will pass through a network layer intrusion
detection system undetected?
A. A teardrop attack
B. A SYN flood attack
C. A DNS spoofing attack
D. A test.cgi attack
Answer: D. A test.cgi attack
Explanation: Because a network-based IDS reviews packets and headers, it can also detect denial of
service (DoS) attacks.
Not A or B: the following are among the possible DoS attacks that a network-based IDS can detect:
Smurf
Fraggle
SYN Flood
Teardrop
DNS DoS Attacks
While attempting to discover the remote operating system on the target computer,
you receive the following results from an nmap scan:
Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ <http://www.insecure.org/nmap/> )
Interesting ports on 172.121.12.222:
(The 1592 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
25/tcp open smtp
53/tcp closed domain
80/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed - 1 IP address (1 host up) scanned in 277.483 seconds
What should be your next step to identify the OS?
A. Perform a firewalk with that system as the target IP
B. Perform a tcp traceroute to the system using port 53
C. Run an nmap scan with the -v-v option to give a better output
D. Connect to the active services and review the banner information
Answer: D. Connect to the active services and review the banner information
Explanation: Most people don't care about changing the banners presented by
applications listening on open ports, and therefore you should get fairly accurate information
when grabbing banners from open ports with, for example, a telnet application.