312-50 Practice Test Questions

763 Questions


Topic 19, Evading IDS, Firewalls and Honeypots

Once an intruder has gained access to a remote system with a valid username and
password, the attacker will attempt to increase his privileges by escalating the used
account to one that has increased privileges, such as that of an administrator. What
would be the best countermeasure to protect against escalation of privileges?

A. Give users tokens
B. Give users the least amount of privileges
C. Give users two passwords
D. Give users a strong policy document

Answer: B. Give users the least amount of privileges

Explanation: With fewer privileges it is harder to increase the privileges.

The following excerpt is taken from a honeypot log. The log captures activities
across three days. There are several intrusion attempts; however, a few are
successful. From the options given below, choose the one that best interprets the
following entry:

Apr 26 06:43:05 [6282] IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

(Note: The objective of this question is to test whether the student can read basic
information from log entries and interpret the nature of the attack.)

Interpret the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107.53

A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13.

Answer: B. A buffer overflow attempt

Explanation: The IDS log file depicts numerous attacks; however, most of them are
from different attackers. In reference to the attack in question, he is trying to mask his
activity by trying to act legitimate: during his session on the honeypot, he changes users
two times by using the "su" command, but never tries to attempt anything too severe.

What ports should be blocked on the firewall to prevent NetBIOS traffic from
coming through the firewall if your network is comprised of Windows NT, 2000, and
XP? (Choose all that apply.)

A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024

Answer: B. 135, C. 139, E. 445

Explanation: NetBIOS traffic can quickly be used to enumerate and attack Windows
computers. Ports 135, 139, and 445 should be blocked.

Bill has successfully executed a buffer overflow against a Windows IIS web server.
He has been able to spawn an interactive shell and plans to deface the main web
page. He first attempts to use the "Echo" command to simply overwrite index.html
and remains unsuccessful. He then attempts to delete the page and achieves no
progress. Finally, he tries to overwrite it with another page, again in vain.
What is the probable cause of Bill's problem?

A. The system is a honeypot.
B. There is a problem with the shell and he needs to run the attack again.
C. You cannot use a buffer overflow to deface a web page.
D. The HTML file has permissions of read only.

Answer: D. The HTML file has permissions of read only.

Explanation: The question states that Bill had been able to spawn an interactive shell. By
this statement we can tell that the buffer overflow and its corresponding code was enough
to spawn a shell. Any shell should make it possible to change the webpage. So we either
don't have sufficient privilege to change the webpage (answer D) or it's a honeypot (answer
A). We think the preferred answer is D.

Why would an ethical hacker use the technique of firewalking?

A. It is a technique used to discover wireless networks on foot.
B. It is a technique used to map routers on a network link.
C. It is a technique used to discover the nature of rules configured on a gateway.
D. It is a technique used to discover interfaces in promiscuous mode.

Answer: C. It is a technique used to discover the nature of rules configured on a gateway.

Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or
not a particular packet can pass from the attacker's host to a destination host through a
packet-filtering device. This technique can be used to map open or pass-through ports on
a gateway. Moreover, it can determine whether packets with various control information
can pass through a given gateway.

One of your team members has asked you to analyze the following SOA record.
What is the TTL?

Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.

A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800

Answer: D. 2400

Explanation: The SOA includes a timeout value. This value can tell an attacker how long
any DNS "poisoning" would last. It is the last set of numbers in the record.

Carl has successfully compromised a web server from behind a firewall by
exploiting a vulnerability in the web server program. He wants to proceed by
installing a backdoor program. However, he is aware that not all inbound ports on
the firewall are in the open state.
From the list given below, identify the port that is most likely to be open and allowed
to reach the server that Carl has just compromised.

A. 53
B. 110
C. 25
D. 69

Answer: A. 53

Explanation: Port 53 is used by DNS and is almost always open; the problem is often that
the port is opened for the whole world and not only for outside DNS servers.

Jess the hacker runs L0phtCrack's built-in sniffer utility, which grabs SMB password
hashes and stores them for offline cracking. Once cracked, these passwords can
provide easy access to whatever network resources the user account has access to.
But Jess is not picking up hashes from the network.
Why?

A. The network protocol is configured to use SMB Signing.
B. The physical network wire is on fibre optic cable.
C. The network protocol is configured to use IPSEC.
D. L0phtCrack SMB filtering only works through Switches and not Hubs.

Answer: A. The network protocol is configured to use SMB Signing.

Explanation: To protect against SMB session hijacking, NT supports a cryptographic
integrity mechanism, SMB Signing, to prevent active network taps from interjecting
themselves into an already established session.

What is the advantage in encrypting the communication between the agent and the
monitor in an Intrusion Detection System?

A. Encryption of agent communications will conceal the presence of the agents
B. The monitor will know if counterfeit messages are being generated because they will not be encrypted
C. Alerts are sent to the monitor when a potential intrusion is detected
D. An intruder could intercept and delete data or alerts and the intrusion can go undetected

Answer: B. The monitor will know if counterfeit messages are being generated because they will not be encrypted



While examining a log report you find out that an intrusion has been attempted by a
machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a
hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP
addresses will respond to the ping and hence will likely be responsible for the intrusion?

A. 192.10.25.9
B. 10.0.3.4
C. 203.20.4.5
D. 222.273.290.239
E. 222.173.290.239

Answer: E. 222.173.290.239

Explanation: Convert the hex number to binary and then to decimal.
0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239.

0xef = 14*16 + 15*1 = 224 + 15 = 239
0xbe = 11*16 + 14*1 = 176 + 14 = 190
0xad = 10*16 + 13*1 = 160 + 13 = 173
0xde = 13*16 + 14*1 = 208 + 14 = 222

What is the proper response for a NULL scan if the port is closed?

A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response

Answer: E. RST

Explanation: Closed ports respond to a NULL scan with a reset.

There are two types of honeypots: high and low interaction. Which of these
describes a low interaction honeypot?
Select the best answers.

A. Emulators of vulnerable programs
B. More likely to be penetrated
C. Easier to deploy and maintain
D. Tend to be used for production
E. More detectable
F. Tend to be used for research

Answer: A. Emulators of vulnerable programs, C. Easier to deploy and maintain, D. Tend to be used for production, E. More detectable

Explanation:
A low interaction honeypot would have emulators of vulnerable programs, not the real
programs.
A high interaction honeypot is more likely to be penetrated, as it is running the real program
and is more vulnerable than an emulator.
Low interaction honeypots are easier to deploy and maintain. Usually you would just use a
program that is already available for download and install it. Hackers don't usually crash or
destroy these types of programs, so they require little maintenance.
Low interaction honeypots are more detectable because you are using emulators of the
real programs. Many hackers will see this and realize that they are in a honeypot.
A low interaction honeypot tends to be used for production. A high interaction honeypot
tends to be used for research.
