ECCouncil 312-50 : Practice Test
Topic 3, Scanning
What is the disadvantage of an automated vulnerability assessment tool?
A.
Ineffective
B.
Slow
C.
Prone to false positives
D.
Prone to false negatives
E.
Noisy
Noisy
Explanation: Vulnerability assessment tools perform a good analysis of system
vulnerabilities; however, they are noisy and will quickly trigger alerts on any IDS watching the network.
ETHER: Destination address : 0000BA5EBA11
ETHER: Source address : 00A0C9B05EBD
ETHER: Frame Length : 1514 (0x05EA)
ETHER: Ethernet Type : 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 127 (0x7F)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xC26D
IP: Source Address = 10.0.0.2
IP: Destination Address = 10.0.1.201
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x1A0B
TCP: Sequence Number = 97517760 (0x5D000C0)
TCP: Acknowledgement Number = 78544373 (0x4AE7DF5)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 28793 (0x7079)
TCP: Checksum = 0x8F27
TCP: Urgent Pointer = 0 (0x0)
An employee wants to defeat detection by a network-based IDS application. He does
not want to attack the system containing the IDS application. Which of the following
strategies can be used to defeat detection by a network-based IDS application?
A.
Create a SYN flood
B.
Create a network tunnel
C.
Create multiple false positives
D.
Create a ping flood
Create a network tunnel
Explanation: Encrypted tunnels present a challenge to network-based intrusion
detection and can leave the IDS blind to the attacks carried inside them, whereas a host-based IDS
analyzes the data after it has been decrypted.
This IDS-evasion technique works by splitting a datagram (or packet) into multiple
fragments so that the IDS does not see the true nature of the fully assembled datagram.
The datagram is not reassembled until it reaches its final destination. It would be a
processor-intensive task for an IDS to reassemble all fragments itself, and on a
busy sensor the packet will slip through the IDS onto the network.
What is this technique called?
A.
IP Fragmentation or Session Splicing
B.
IP Routing or Packet Dropping
C.
IDS Spoofing or Session Assembly
D.
IP Splicing or Packet Reassembly
IP Fragmentation or Session Splicing
Explanation: The basic premise behind session splicing, or IP fragmentation, is to deliver
the payload over multiple packets, thus defeating simple pattern matching that does not
perform session reconstruction. The payload can be delivered in many different ways and even
spread out over a long period of time. Whisker and Nessus have session-splicing
capabilities, and other tools exist in the wild.
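The per-segment versus reassembled matching described above, as an added example that is not part of the original page and not code from Whisker or Nessus. The signature string, the HTTP request, the initial sequence number and the chunk sizes are constructed for the demonstration; the point is that a matcher inspecting one segment at a time never sees the whole pattern, while one that reassembles the stream first does, even when the segments arrive out of order.

```python
"""Session splicing versus stream reassembly (added example, not from the source)."""
from typing import Dict, Iterable, List, Tuple

# Constructed signature: the kind of fixed string a simple IDS rule matches on.
SIGNATURE = b"GET /cgi-bin/phf"

# Constructed request that carries the signature.
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat HTTP/1.0\r\nHost: target\r\n\r\n"


def splice(payload: bytes, isn: int, chunk: int) -> List[Tuple[int, bytes]]:
    """Split payload into TCP segments of at most `chunk` bytes.

    Returns (sequence_number, data) pairs starting at initial sequence number isn.
    """
    segments = []
    seq = isn
    for i in range(0, len(payload), chunk):
        data = payload[i:i + chunk]
        segments.append((seq, data))
        seq += len(data)
    return segments


def per_packet_match(segments: Iterable[Tuple[int, bytes]], sig: bytes = SIGNATURE) -> bool:
    """Naive IDS: pattern-match each segment in isolation (no reassembly)."""
    return any(sig in data for _, data in segments)


class StreamReassembler:
    """Minimal in-order TCP stream reassembly for one direction of a connection.

    Out-of-order segments are held until the gap before them is filled.
    """

    def __init__(self, isn: int) -> None:
        self.next_seq = isn
        self.pending: Dict[int, bytes] = {}
        self.data = bytearray()

    def feed(self, seq: int, data: bytes) -> None:
        self.pending[seq] = data
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)


def reassembling_match(segments: Iterable[Tuple[int, bytes]], isn: int,
                       sig: bytes = SIGNATURE) -> bool:
    """IDS that reassembles the stream before matching."""
    r = StreamReassembler(isn)
    for seq, data in segments:
        r.feed(seq, data)
    return sig in bytes(r.data)


def compare(chunk: int, isn: int = 1000, out_of_order: bool = True) -> Dict[str, bool]:
    """Return what each detector sees for REQUEST sent in `chunk`-byte segments."""
    segments = splice(REQUEST, isn, chunk)
    if out_of_order:
        segments = list(reversed(segments))  # the sender may also reorder delivery
    return {
        "per_packet": per_packet_match(segments),
        "reassembled": reassembling_match(segments, isn),
    }


if __name__ == "__main__":
    print("whole request in one segment:", compare(chunk=len(REQUEST)))
    print("spliced into 4-byte segments:", compare(chunk=4))
```

The reassembler is deliberately minimal (one direction, no overlap or retransmission handling); a real sensor must also decide how to resolve overlapping segments, which is where further evasions live.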
A.
Idle Scan
B.
Windows Scan
C.
XMAS Scan
D.
SYN Stealth Scan
XMAS Scan
Explanation: An Xmas port scan is a variant of TCP port scan. It tries to obtain
information about the state of a target port by sending a packet that has several TCP flags
set to 1, "lit up like an Xmas tree". The flags set for an Xmas scan are FIN, URG and PSH.
The purpose is to confuse and bypass simple firewalls: some stateless firewalls check
against the security policy only those packets that have the SYN flag set (that is, packets
that initiate a connection according to the standard). Since Xmas scan packets are different,
they can pass through these simple systems and reach the target host.
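The flag combination and the SYN-only weakness described above, as an added example that is not part of the original page. The headers are built with `struct` for the demonstration and never put on the wire; `syn_only_policy` and `stateful_policy` are constructed stand-ins for a stateless and a stateful firewall, and `decode_capture_sample` rebuilds the TCP header from the capture shown earlier on this page (source port 80, destination port 0x1A0B, flags 0x10) to show the same decoder on real field values.

```python
"""TCP header decoding, probe classification and a SYN-only stateless policy
(added example, not from the source)."""
import struct
from typing import Set

# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
XMAS_FLAGS = {"FIN", "PSH", "URG"}


def build_tcp_header(sport: int, dport: int, flags: Set[str], seq: int = 0, ack: int = 0,
                     window: int = 1024, checksum: int = 0) -> bytes:
    """Pack a 20-byte TCP header with no options (data offset = 5 words)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 << 4, flag_byte, window, checksum, 0)


def parse_tcp_header(header: bytes) -> dict:
    """Decode ports, sequence numbers and flags; the flags byte is at offset 13."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off, flag_byte, window, checksum, _urg = struct.unpack(
        TCP_HEADER, header[:20])
    flags = {name for name, bit in FLAG_BITS.items() if flag_byte & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off >> 4) * 4, "flags": flags, "window": window,
            "checksum": checksum}


def classify_probe(flags: Set[str]) -> str:
    """Name the scan probe a packet with exactly these flags corresponds to."""
    if flags == XMAS_FLAGS:
        return "xmas"
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN"}:
        return "syn"
    if flags == {"ACK"}:
        return "ack"
    return "other"


def syn_only_policy(header: bytes, allowed_ports: Set[int]) -> bool:
    """Stateless rule set that evaluates only connection-initiating packets
    (SYN without ACK) against the port allow-list and forwards everything
    else. An Xmas probe is never evaluated, so it reaches the host."""
    h = parse_tcp_header(header)
    if "SYN" in h["flags"] and "ACK" not in h["flags"]:
        return h["dport"] in allowed_ports
    return True


def stateful_policy(header: bytes, allowed_ports: Set[int], table: set) -> bool:
    """Drop anything that is neither a permitted new connection nor part of a
    connection already recorded in `table` (keyed by source/destination port)."""
    h = parse_tcp_header(header)
    key = (h["sport"], h["dport"])
    if "SYN" in h["flags"] and "ACK" not in h["flags"]:
        if h["dport"] in allowed_ports:
            table.add(key)
            return True
        return False
    return key in table


def decode_capture_sample() -> dict:
    """Rebuild the TCP header from the capture earlier on this page and decode it."""
    hdr = build_tcp_header(80, 0x1A0B, {"ACK"}, seq=0x5D000C0, ack=0x4AE7DF5,
                           window=0x7079, checksum=0x8F27)
    return parse_tcp_header(hdr)


if __name__ == "__main__":
    xmas = build_tcp_header(40000, 23, XMAS_FLAGS)
    print("xmas to port 23 passes SYN-only policy:", syn_only_policy(xmas, {80}))
    print("xmas to port 23 passes stateful policy:", stateful_policy(xmas, {80}, set()))
    print("capture sample decodes as:", classify_probe(decode_capture_sample()["flags"]))
```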
You are performing a port scan with nmap. You are in hurry and conducting the
scans at the fastest possible speed. However, you don't want to sacrifice reliability
for speed. If stealth is not an issue, what type of scan should you run to get very
reliable results?
A.
XMAS scan
B.
Stealth scan
C.
Connect scan
D.
Fragmented packet scan
Connect scan
Explanation: A TCP connect scan, named after the Unix connect() system call, is the most
accurate scanning method. If a port is open, the operating system completes the TCP three-way
handshake and the port scanner immediately closes the connection.
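The connect scan described above, as an added example that is not part of the original page and not nmap's code. It uses only the standard library: the scanner calls connect(), letting the kernel complete the three-way handshake, then closes. So that it runs offline, `start_listener` opens a throwaway listener on 127.0.0.1 in a background thread and `free_port` picks a port with nothing listening; both are constructed for the demonstration.

```python
"""TCP connect scan against a local listener (added example, not from the source)."""
import socket
import threading
from typing import Dict, Iterable, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Return {port: 'open' | 'closed' | 'filtered'} using full connect() attempts."""
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))        # SYN, SYN/ACK, ACK completed by the OS
            results[port] = "open"
        except ConnectionRefusedError:     # RST came back: nothing listening
            results[port] = "closed"
        except (socket.timeout, OSError):  # no answer or ICMP unreachable: filtered
            results[port] = "filtered"
        finally:
            s.close()                      # scanner tears the connection down at once
    return results


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an ephemeral port and accept-then-close connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listener was closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port with no listener (bind and release; constructed 'closed' target)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> Tuple[str, str]:
    """Scan one open and one closed loopback port; return their reported states."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        res = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return res[open_port], res[closed_port]


if __name__ == "__main__":
    print(demo())
```

Because every probe completes a real connection, the target's service logs and accept() counters record each open port that was touched; that is the price of the reliability the question asks for.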
Snort is an open source Intrusion Detection system. However, it can also be used for
a few other purposes as well.
Which of the choices below indicate the other features offered by Snort?
A.
IDS, Packet Logger, Sniffer
B.
IDS, Firewall, Sniffer
C.
IDS, Sniffer, Proxy
D.
IDS, Sniffer, content inspector
IDS, Packet Logger, Sniffer
Explanation: Snort is a free software network intrusion detection and prevention system
capable of performing packet logging and real-time traffic analysis on IP networks. Snort was
written by Martin Roesch and was subsequently owned and developed by Sourcefire (acquired by Cisco in 2013).
An Evil Cracker is attempting to penetrate your private network security. To do this,
he must not be seen by your IDS, as it may take action to stop him. What tool might
he use to bypass the IDS?
Select the best answer.
A.
Firewalk
B.
Manhunt
C.
Fragrouter
D.
Fragids
Fragrouter
Explanation:
Firewalk is a firewall-mapping technique (and a tool of the same name) that sends probes whose TTL
expires one hop past the filter to learn which ports the filter passes; it can help disguise or conduct a
port scan against some firewalls, but it is not an IDS-evasion tool. Symantec ManHunt is an IDS, not a
tool to evade an IDS.
Fragrouter is a tool that takes IP traffic and fragments it into multiple pieces. There are
legitimate reasons for fragmentation, but it is also a technique that can help an
attacker evade detection. Fragids is a made-up tool and does not exist.
You are the security administrator for a large network. You want to prevent attackers
from running any sort of traceroute into your DMZ and discover the internal
structure of publicly accessible areas of the network.
How can you achieve this?
A.
Block ICMP at the firewall.
B.
Block UDP at the firewall.
C.
Both A and B.
D.
There is no way to completely block doing a trace route into this area.
There is no way to completely block doing a trace route into this area.
Explanation: When you run a traceroute to a target network address, you send a UDP
packet with a time to live (TTL) of 1 to the target address. The first router this packet hits
decrements the TTL to 0 and discards the packet, since its TTL has expired. The
router sends back an ICMP message type 11 (Time Exceeded) code 0 (TTL exceeded in transit)
to your system, with the router's own address as the source; that source address is how the hop is
identified. Your system displays the round-trip time for that first
hop and sends out the next UDP packet with a TTL of 2. This process continues until you
receive an ICMP message type 3 (Destination Unreachable) code 3 (Port Unreachable) from the
destination system. Traceroute is complete when your machine receives a Port
Unreachable message. If you see three asterisks [* * *] during the
traceroute, a router in the path does not return ICMP messages. Traceroute will continue to
send UDP packets until the destination is reached or the maximum number of hops is
exceeded.
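The TTL and ICMP exchange just described, as an added example that is not part of the original page and not the traceroute program's code. It is a simulation: `Hop` objects stand in for routers, and the addresses are taken from the trace output that follows. A hop marked `silent` never generates ICMP and shows up as "*"; marking the destination silent models a firewall that drops the UDP probes or the ICMP replies, which is why the trace then runs to the hop limit while every router before the filter has already been revealed.

```python
"""Simulated UDP traceroute (added example, not from the source)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TIME_EXCEEDED = (11, 0)      # type 11 code 0: TTL exceeded in transit
ICMP_PORT_UNREACHABLE = (3, 3)    # type 3 code 3: nothing listens on the probe port


@dataclass
class Hop:
    addr: str
    silent: bool = False  # filters or never generates ICMP: shows as "*"


def forward(path: List[Hop], dest: Hop, ttl: int) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Carry one probe along the path.

    Each router decrements the TTL; the one that takes it to zero discards the
    probe and answers with Time Exceeded. If the probe survives every router it
    reaches the destination, which answers with Port Unreachable. Returns
    (responder address, (icmp type, icmp code)) or None when nobody answers.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            return None if router.silent else (router.addr, ICMP_TIME_EXCEEDED)
    return None if dest.silent else (dest.addr, ICMP_PORT_UNREACHABLE)


def traceroute(path: List[Hop], dest: Hop, max_hops: int = 30) -> List[Tuple[int, str]]:
    """Increase TTL from 1 until Port Unreachable arrives or max_hops is exceeded."""
    trace: List[Tuple[int, str]] = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, dest, ttl)
        if reply is None:
            trace.append((ttl, "*"))
            continue
        addr, icmp = reply
        trace.append((ttl, addr))
        if icmp == ICMP_PORT_UNREACHABLE:
            break
    return trace


def demo(block_at_destination: bool = False, max_hops: int = 6) -> List[Tuple[int, str]]:
    """Three routers (the middle one silent) in front of a web server; addresses
    come from the trace output shown on this page."""
    path = [Hop("172.16.1.254"), Hop("68.98.176.1", silent=True), Hop("65.195.239.14")]
    dest = Hop("65.195.239.22", silent=block_at_destination)
    return traceroute(path, dest, max_hops=max_hops)


if __name__ == "__main__":
    for ttl, who in demo():
        print(ttl, who)
    print("with the destination filtering probes:")
    for ttl, who in demo(block_at_destination=True):
        print(ttl, who)
```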
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.target.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.target.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms
You perform the above traceroute and notice that hops 19 and 20 both show the
same IP address. This probably indicates what?
A.
A host based IDS
B.
A Honeypot
C.
A stateful inspection firewall
D.
An application proxying firewall
A stateful inspection firewall
You may be able to identify the IP addresses and machine names for the firewall,
and the names of internal mail servers by:
A.
Sending a mail message to a valid address on the target network, and examining the
header information generated by the IMAP servers
B.
Examining the SMTP header information generated by using the –mx command
parameter of DIG
C.
Examining the SMTP header information generated in response to an e-mail message
sent to an invalid address
D.
Sending a mail message to an invalid address on the target network, and examining the
header information generated by the POP servers
Examining the SMTP header information generated in response to an e-mail message
sent to an invalid address
Neil monitors his firewall rules and log files closely on a regular basis. Some of the
users have complained to Neil that there are a few employees who are visiting
offensive web sites during work hours, without consideration for others. Neil knows
that he has an updated content filtering system and that such access should not be
authorized.
What type of technique might be used by these offenders to access the Internet
without restriction?
A.
They are using UDP which is always authorized at the firewall.
B.
They are using tunneling software which allows them to communicate with protocols in a
way it was not intended.
C.
They have been able to compromise the firewall, modify the rules, and give themselves
proper access.
D.
They are using an older version of Internet Explorer that allows them to bypass the
proxy server.
They are using tunneling software which allows them to communicate with protocols in a
way it was not intended.
Explanation: This can be accomplished by, for example, tunneling the HTTP traffic over
SSH: if you have an SSH server answering your connection, you enable dynamic port
forwarding (the -D option) in the SSH client and configure Internet Explorer to use the
resulting local SOCKS proxy for its network traffic. The firewall and content filter then
see only an encrypted SSH session, not the web sites being visited.
When referring to the Domain Name Service, what is denoted by a ‘zone’?
A.
It is the first domain that belongs to a company.
B.
It is a collection of resource records.
C.
It is the first resource record type in the SOA.
D.
It is a collection of domains.
It is a collection of resource records.
Explanation: A reasonable definition of a zone is a portion of the DNS namespace for
which administrative responsibility has been delegated; it is held by its authoritative
name servers as one set of resource records, beginning with the SOA record.