312-50 Practice Test Questions

763 Questions


Topic 4, Enumeration

Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

A. Finger
B. FTP
C. Samba
D. SMB

Answer: D. SMB

Explanation: The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the well-known ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this it uses TCP port 445. Samba is an implementation of SMB rather than the protocol itself, which is why D is the better answer than C.

If you come across a sheepdip machine at your client site, what would you infer?

A. A sheepdip computer is used only for virus checking.
B. A sheepdip computer is another name for honeypot.
C. A sheepdip coordinates several honeypots.
D. A sheepdip computer defers a denial of service attack.

Answer: A. A sheepdip computer is used only for virus checking.

Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather a great amount of information about remote hosts. Which of the following features makes this possible? (Choose two)

A. It uses TCP as the underlying protocol.
B. It uses a community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.

Answer: B. It uses a community string that is transmitted in clear text.
Answer: C. It is susceptible to sniffing.

Explanation: Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically two modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. Version 1 of SNMP has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

What makes web application vulnerabilities so aggravating? (Choose two)

A. They can be launched through an authorized port.
B. A firewall will not stop them.
C. They exist only on the Linux platform.
D. They are detectable by most leading antivirus software.

Answer: A. They can be launched through an authorized port.
Answer: B. A firewall will not stop them.

Explanation: As the vulnerabilities exist on a web server, incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.

Under what conditions does a secondary name server request a zone transfer from a primary name server?

A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero

Answer: A. When a primary SOA is higher than a secondary SOA

Explanation: Understanding DNS is critical to meeting the requirements of the CEH. When the serial number within the SOA record of the primary server is higher than the serial number within the SOA record of the secondary DNS server, a zone transfer will take place. The secondary discovers this by polling the primary's SOA record at the refresh interval and comparing the two serial numbers.

If you come across a sheepdip machine at your client's site, what should you do?

A. A sheepdip computer is used only for virus-checking.
B. A sheepdip computer is another name for a honeypot.
C. A sheepdip coordinates several honeypots.
D. A sheepdip computer defers a denial of service attack.

Answer: A. A sheepdip computer is used only for virus-checking.

Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

What did the following commands determine?

    C:\> user2sid \\earth guest
    S-1-5-21-343818398-789336058-1343024091-501
    C:\> sid2user 5 21 343818398 789336058 1343024091 500
    Name is Joe
    Domain is EARTH

A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing

Answer: D. That the true administrator is Joe

Explanation: One important goal of enumeration is to determine who the true administrator is. The relative identifier (RID) at the end of a SID is fixed for built-in accounts regardless of how they have been renamed: 500 is always the built-in Administrator account and 501 is always the Guest account. The first command resolves the well-known Guest account to obtain the domain portion of the SID; the second command resolves RID 500 back to a name and returns "Joe". In the example above, the true administrator is therefore Joe.

John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts, but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks, and still the IDS alerts on no intrusion whatsoever. John becomes suspicious, views his firewall logs and notices huge numbers of SSL connections constantly hitting the web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the web server, and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of attacks?

A. Install a proxy server and terminate SSL at the proxy
B. Install a hardware SSL "accelerator" and terminate SSL at this layer
C. Enable the IDS to filter encrypted HTTPS traffic
D. Enable the firewall to filter encrypted HTTPS traffic

Answer: A. Install a proxy server and terminate SSL at the proxy
Answer: B. Install a hardware SSL "accelerator" and terminate SSL at this layer

Explanation: By terminating the SSL connection at a proxy or an SSL accelerator and then using clear text for the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic. The IDS sensor must be placed on that clear-text segment for this to work.

SSL has been seen as the solution to a lot of common security problems. Administrators will often make use of SSL to encrypt communications from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and point B?

A. SSL is redundant if you already have IDSs in place
B. SSL will trigger rules at regular intervals and force the administrator to turn them off
C. SSL will encrypt the content of the packet and the Intrusion Detection System will be blinded
D. SSL will slow down the IDS while it is breaking the encryption to see the packet content

Answer: C. SSL will encrypt the content of the packet and the Intrusion Detection System will be blinded

Explanation: An IDS will not be able to evaluate the content in the packets if it is encrypted.

Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child domains), zone serial number, TimeToLive (TTL) records, etc.) for a domain. What do you think Sara is trying to accomplish? Select the best answer.

A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate

Answer: B. A zone transfer

Explanation: The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers, but this is often not implemented. By connecting to a specific DNS server in interactive nslookup and successfully issuing "ls -d domain-name > file-name", you have initiated a zone transfer.

Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER

Answer: A. USER, NICK

Explanation: A "PASS" command is not required for either client or server connection to be registered, but it must precede the server message or the latter of the NICK/USER combination. (RFC 1459)

What type of attack changes its signature and/or payload to avoid detection by antivirus programs?

A. Polymorphic
B. Rootkit
C. Boot sector
D. File infecting

Answer: A. Polymorphic

Explanation: In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.

