312-50 Practice Test Questions

763 Questions


Topic 19, Evading IDS, Firewalls and Honeypots

All the web servers in the DMZ respond to an ACK scan on port 80. Why is this happening?

A. They are all Windows-based web servers
B. They are all Unix-based web servers
C. The company is not using an IDS
D. The company is not using a stateful firewall

Answer: D. The company is not using a stateful firewall

Explanation: If they used a stateful inspection firewall, the firewall would know whether there had been a SYN-ACK before the ACK.

Which of the following commands runs snort in packet logger mode?

A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log

Answer: B. ./snort -dev -l ./log

Explanation: Note: if you want to store the packets in binary mode for later analysis, use ./snort -l ./log -b

An attacker is attempting to telnet into a corporation’s system in the DMZ. The attacker doesn’t want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on port 23 and verifies it with both nmap and hping2. He is still unable to connect to the target system. What is the most probable reason?

A. The firewall is blocking port 23 to that system.
B. He cannot spoof his IP and successfully use TCP.
C. He needs to use an automated tool to telnet in.
D. He is attacking an operating system that does not reply to telnet even when open.

Answer: B. He cannot spoof his IP and successfully use TCP.

Explanation: Spoofing your IP will only work if you don’t need to get an answer from the target system. In this case the answer (login prompt) from the telnet session will be sent to the “real” location of the IP address that you are presenting as the connection initiator.

Statistics from cert.org and other leading security organizations have clearly shown a steady rise in the number of hacking incidents perpetrated against companies. What do you think is the main reason behind the significant increase in hacking attempts over the past years?

A. It is getting more challenging and harder to hack for non-technical people.
B. There is a phenomenal increase in processing power.
C. New TCP/IP stack features are constantly being added.
D. The ease with which hacker tools are available on the Internet.

Answer: D. The ease with which hacker tools are available on the Internet.

Explanation: Today you don’t need to be a good hacker in order to break into various systems; all you need is the knowledge to use search engines on the Internet.

Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target. Check all of the following that could be a likely cause of the lack of response.

A. The host might be down
B. UDP is filtered by a gateway
C. ICMP is filtered by a gateway
D. The TCP window size does not match
E. The destination network might be down
F. The packet TTL value is too low and can’t reach the target

Answer: A, C, E and F.
A. The host might be down
C. ICMP is filtered by a gateway
E. The destination network might be down
F. The packet TTL value is too low and can’t reach the target

Explanation: The wrong answers are B and D, as sweeping a network uses ICMP.

To scan a host downstream from a security gateway, Firewalking:

A. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets
B. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway
C. Sends an ICMP "administratively prohibited" packet to determine if the gateway will drop the packet without comment.
D. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

Answer: B. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway

Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device. This technique can be used to map open or pass-through ports on a gateway. Moreover, it can determine whether packets with various control information can pass through a given gateway.

Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?

A. To create a denial of service attack.
B. To verify information about the mail administrator and his address.
C. To gather information about internal hosts used in email treatment.
D. To gather information about procedures that are in place to deal with such messages.

Answer: C. To gather information about internal hosts used in email treatment.

Explanation: The reply from the email server stating that there is no such recipient will also give you some information about the name of the email server, the versions used and so on.

Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death and he can no longer work. Paula walks over to the user’s computer and sees the Blue Screen of Death. The user’s computer is running Windows XP, but the blue screen looks like a familiar one that Paula had seen periodically on Windows 2000 computers.
The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing, meaning that the computer was processing something. Paula knew this should not be the case, since the computer should be completely frozen during a Blue Screen. She checks the network IDS live log entries and notices numerous nmap scan alerts.
What is Paula seeing happen on this computer?

A. Paula’s network was scanned using FloppyScan
B. Paula’s network was scanned using Dumpsec
C. There was an IRQ conflict in Paula’s PC
D. A tool like Nessus will cause a BSOD

Answer: A. Paula’s network was scanned using FloppyScan

Explanation: FloppyScan is a dangerous hacking tool which can be used to port scan a system using a floppy disk. It boots up a mini Linux, displays a Blue Screen of Death screen, port scans the network using NMAP and sends the results by e-mail to a remote server.

Which of the following is not an effective countermeasure against replay attacks?

A. Digital signatures
B. Time stamps
C. System identification
D. Sequence numbers

Answer: C. System identification

Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Effective countermeasures should be anything that makes it hard to delay or replay the packet (time stamps and sequence numbers) or anything that proves the packet is received as it was sent from the original sender (digital signatures).

You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?

A. Footprinting
B. Firewalking
C. Enumeration
D. Idle scanning

Answer: B. Firewalking

Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device. This technique can be used to map open or pass-through ports on a gateway. Moreover, it can determine whether packets with various control information can pass through a given gateway.

Study the log below and identify the scan type.
tcpdump -w host 192.168.1.10

A. nmap R 192.168.1.10
B. nmap S 192.168.1.10
C. nmap V 192.168.1.10
D. nmap -sO -T 192.168.1.10

Answer: D. nmap -sO -T 192.168.1.10

Explanation: -sO: IP protocol scan. This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine.

War dialing is a very old attack, depicted in movies that were made years ago. Why would a modem security tester consider using such an old technique?

A. It is cool, and if it works in the movies it must work in real life.
B. It allows circumvention of protection mechanisms by being on the internal network.
C. It allows circumvention of the company PBX.
D. A good security tester would not use such a derelict technique.

Answer: B. It allows circumvention of protection mechanisms by being on the internal network.

Explanation: If you are lucky and find a modem that answers and is connected to the target network, it is usually less protected (as only employees are supposed to know of its existence), and once connected you don’t need to take evasive action towards any firewalls or IDS.
