312-50 Practice Test Questions

763 Questions


Topic 19, Evading IDS, Firewalls and Honeypots

Most NIDS sensors capture traffic at layer 2 of the OSI model. They feed raw frames into a detection engine and rely on pattern matching and/or statistical analysis to decide what is malicious. Because the packets are not processed by the host's TCP/IP stack, the NIDS also sees traffic the host would discard. Which of the following tools allows an attacker to intentionally craft packets that confuse a pattern-matching NIDS while still being correctly reassembled by the host TCP/IP stack, so that the attack payload is delivered?

A. Defrag
B. Tcpfrag
C. Tcpdump
D. Fragroute

Answer: D. Fragroute

Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (Ptacek and Newsham, January 1998). It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. The tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Tcpdump (C) only captures traffic; "Defrag" and "Tcpfrag" are distractors. These evasions work only while the sensor reassembles IP fragments and TCP streams differently from the target host. Modern engines (Snort's frag3/stream5 preprocessors, Suricata) reassemble according to a configurable target-OS policy precisely to close that gap, so today fragroute is mainly useful for verifying that such a policy is set correctly for the hosts a sensor protects.
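
The insertion/evasion idea in the explanation above, as an added Python example that is not part of the original page and does not use fragroute itself: one HTTP request is split into overlapping TCP segments (the request string, the decoy bytes and the signature are all constructed), a per-segment matcher is compared with a reassembling host, and two overlap policies ("first byte seen wins" versus "last byte seen wins") are shown to reconstruct different streams, which is why a sensor has to mirror the target's reassembly policy.

```python
"""Why per-segment pattern matching misses a split or overlapped attack string.

Added demo (not fragroute): one HTTP request is delivered as TCP segments that
overlap, in the spirit of fragroute's tcp_seg/tcp_chaff rules. A NIDS that
matches each segment on its own sees nothing; a host that reassembles the
stream sees the original request. Two reassembly policies are modelled: the
first byte seen at an offset wins, or the last byte seen wins. Which one a
given OS applies is exactly what target-based reassembly (e.g. Snort's stream
'policy' setting) has to get right.
"""
from dataclasses import dataclass
from typing import Dict, List

SIGNATURE = b"cmd.exe"   # the string a naive content rule looks for


@dataclass
class Segment:
    seq: int        # offset of this segment's first byte within the stream
    data: bytes


def naive_match(segments: List[Segment], sig: bytes = SIGNATURE) -> bool:
    """Per-packet matcher: searches each segment in isolation, no reassembly."""
    return any(sig in s.data for s in segments)


def reassemble(segments: List[Segment], favor_new: bool) -> bytes:
    """Rebuild the stream from segments in arrival order.

    favor_new=False keeps the first byte seen at an offset ("first wins");
    favor_new=True lets a later segment overwrite it ("last wins").
    Reassembly stops at the first hole, as a real receive buffer would.
    """
    buf: Dict[int, int] = {}
    for s in segments:                 # arrival order, not sequence order
        for i, b in enumerate(s.data):
            off = s.seq + i
            if favor_new or off not in buf:
                buf[off] = b
    out = bytearray()
    off = 0
    while off in buf:
        out.append(buf[off])
        off += 1
    return bytes(out)


def build_evasive_segments(request: bytes) -> List[Segment]:
    """Split `request` so no segment contains SIGNATURE whole, and send decoy
    bytes at the sensitive offset first so the two overlap policies disagree."""
    idx = request.index(SIGNATURE)
    return [
        Segment(0, request[:idx]),                  # "GET /scripts/"
        Segment(idx, b"xxx"),                       # decoy overlapping "cmd", arrives first
        Segment(idx, request[idx:idx + 3]),         # real "cmd", arrives second
        Segment(idx + 3, request[idx + 3:]),        # ".exe?/c+dir HTTP/1.0\r\n"
    ]


# Constructed sample request (not a real capture)
REQUEST = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"
SEGMENTS = build_evasive_segments(REQUEST)


def evasion_report(segments: List[Segment] = SEGMENTS) -> Dict[str, bool]:
    """What each observer concludes about the same packets."""
    return {
        "naive_nids_sees_signature": naive_match(segments),
        "last_wins_host_sees_signature": SIGNATURE in reassemble(segments, favor_new=True),
        "first_wins_host_sees_signature": SIGNATURE in reassemble(segments, favor_new=False),
    }


if __name__ == "__main__":
    for observer, hit in evasion_report().items():
        print(f"{observer}: {hit}")
```

Run it and the per-segment matcher reports nothing, a last-wins host sees the complete "cmd.exe" request, and a first-wins host sees "xxx.exe": the attacker who knows the target's policy gets the payload through while a sensor with the other policy reaches the wrong verdict.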

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multimillion-dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network-based IDS systems. While researching that particular brand of IDS you notice that its default installation performs sniffing and attack analysis on one NIC and handles management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect the sniffing interface?

A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.
B. Send your attack traffic and look for it to be dropped by the IDS.
C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network.
D. The sniffing interface cannot be detected.

Answer: D. The sniffing interface cannot be detected.

Explanation: A NIC in promiscuous mode accepts every frame that reaches it and passes it up the stack without transmitting anything of its own, which is what makes sniffers hard to detect. There is a classic trick for promiscuous NICs that still have an IP stack bound: send ARP requests for the host's IP address to a bogus unicast destination MAC instead of the broadcast address. A normal NIC discards such a frame in hardware, but a promiscuous NIC passes it up and the operating system answers the ARP request, giving itself away; several tools automate this probe. It does not apply here, because the sniffing interface has no IP stack at all (no IP address, no ARP, nothing that could ever answer), and an IDS sensor neither drops traffic (B) nor fights over addresses (C). Among the alternatives given, the only correct answer is that the interface cannot be detected.

Exhibit:

Study the following log extract and identify the attack.

A. Hexcode Attack
B. Cross Site Scripting
C. Multiple Domain Traversal Attack
D. Unicode Directory Traversal Attack

Answer: D. Unicode Directory Traversal Attack

Explanation: The request "GET /msadc/……/……/……/winnt/system32/cmd.exe?" shows that a Unicode directory traversal attack has been performed. The runs of dots in the extract are the "../" steps, with each slash sent as an overlong UTF-8 sequence (%c0%af for "/", %c1%9c for "\"). Early IIS versions checked the path for ".." before decoding those sequences and only afterwards turned them back into separators, so the request walked out of the web root to cmd.exe on the system drive (the IIS Unicode traversal bug, MS00-078). The tell-tales in a log line are ".." followed by a percent-encoded multibyte sequence and a target of cmd.exe under a system directory; there is no script content, so it is not cross-site scripting.
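
A detector for the pattern described above, as an added Python example that is not from the original page. The log lines are constructed in Common Log Format; the overlong sequences %c0%af and %c1%9c are the ones the IIS Unicode bug (MS00-078) decoded after its ".." check, and %255c is the double-encoded backslash of the later "superfluous decode" bug (MS01-026). It goes a little beyond the question by distinguishing plain, percent-encoded, overlong-Unicode and double-encoded traversal.

```python
"""Detect encoded directory traversal in web server access logs.

Added example, not code from the page. The log lines below are constructed in
Common Log Format. The detector decodes a request path the way a careless
server would (repeated percent-decoding, overlong UTF-8 mapped to ASCII
separators) and reports whether "../" or "..\" appears only after decoding.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings that stand for ASCII path separators
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")


def decode_like_a_careless_server(path: str, max_rounds: int = 3):
    """Percent-decode repeatedly (catches double encoding) and map overlong
    UTF-8 to the separators they encode. Returns (decoded, rounds_applied)."""
    cur, rounds = path, 0
    for _ in range(max_rounds):
        raw = unquote_to_bytes(cur)
        for bad, good in OVERLONG.items():
            raw = raw.replace(bad, good)
        nxt = raw.decode("latin-1")
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def classify_path(path: str) -> Optional[str]:
    """Return the traversal technique seen in `path`, or None if there is none."""
    if TRAVERSAL_RE.search(path):
        return "plain"
    decoded, rounds = decode_like_a_careless_server(path)
    if not TRAVERSAL_RE.search(decoded):
        return None
    if OVERLONG_RE.search(path):
        return "unicode"           # overlong UTF-8 separator (MS00-078 style)
    if rounds >= 2:
        return "double-encoded"    # e.g. %255c -> %5c -> "\"
    return "percent-encoded"       # e.g. %2e%2e%2f


def analyze_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse CLF lines and flag traversal attempts with the technique used."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        technique = classify_path(path)
        findings.append({
            "client": CLIENT_RE.match(line).group("ip"),
            "path": path,
            "decoded": decode_like_a_careless_server(path)[0],
            "traversal": technique is not None,
            "technique": technique,
        })
    return findings


# Constructed sample log (not a real capture)
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Oct/2000:13:55:36 -0700] "GET /msadc/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1280',
    '10.0.0.5 - - [17/Oct/2000:13:56:02 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1280',
    '10.0.0.9 - - [17/Oct/2000:13:57:10 -0700] "GET /search.asp?q=<script>alert(1)</script> HTTP/1.0" 200 512',
    '10.0.0.12 - - [17/Oct/2000:13:58:41 -0700] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f'{f["client"]:<10} {f["technique"] or "clean":<16} {f["decoded"]}')
```

The important design choice is to classify on the decoded path but record which encoding was used: the first two lines decode to the same "../../winnt/system32/cmd.exe" target, and the encoding tells you which server bug the attacker was aiming at.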

Angela is trying to access an education website that requires a username and password to log in. When Angela clicks on the link to access the login page, she gets an error message stating that the page can't be reached. She contacts the website's support team and they report that no one else is having any issues with the site. After handing the issue over to her company's IT department, it is found that the education website requires any computer accessing the site to be able to respond to a ping from the education server. Since Angela's computer is behind a corporate firewall, her computer can't reply to the education website's ping.
What can Angela's IT department do to get access to the education website?

A. Change the IP on Angela's computer to an address outside the firewall
B. Change the settings on the firewall to allow all incoming traffic on port 80
C. Change the settings on the firewall to allow all outbound traffic on port 80
D. Use an Internet browser other than the one Angela is currently using

Answer: A. Change the IP on Angela's computer to an address outside the firewall

Explanation: Allowing traffic to or from port 80 will not help: ports belong to TCP and UDP, whereas ping is ICMP echo, which has no port at all. The browser makes no difference either. Of the alternatives listed, only moving the computer outside the firewall lets the site's echo requests reach it. In practice an administrator would rather add a narrow rule permitting inbound ICMP echo-request from the education server's address to Angela's host (with the matching echo-reply allowed out) than expose the machine entirely; that option is simply not offered here.

Null sessions are unauthenticated connections (no username or password) to an NT or 2000 system. Which TCP and UDP ports must you filter to stop null sessions on your network?

A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

Answer: D. 139 and 445

Explanation: Null sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for inter-domain trust relationships. You can establish a null session with a Windows host by connecting to its IPC$ share with an empty user name and password. The ports that carry SMB, and are therefore exposed if reachable, are:

139/TCP  NetBIOS Session Service (SMB over NetBIOS)
445/TCP  SMB directly over TCP (Windows 2000 and later)

NetBIOS session traffic runs over TCP only; the UDP side of NetBIOS is the Name Service on 137/UDP and the Datagram Service on 138/UDP. Filtering 139 and 445 is what stops null sessions, but a complete perimeter rule set also drops 137/UDP and 138/UDP so that NetBIOS name and browser traffic does not leak host and domain names.
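
A check for the filtering described above, as an added Python example that is not from the original page: firewall rules are modelled as (action, protocol, destination port, source network) and evaluated first-match-wins with a configurable default, the way most packet filters behave, and the function asks which of the NetBIOS/SMB ports an untrusted address can still reach. Both rule sets are constructed for the demo; the second one is the corrected version of the first.

```python
"""Check a first-match firewall rule set for null-session exposure.

Added example, not from the page. The check enumerates the SMB/NetBIOS ports
that a given source address can still reach through the rules, so a rule set
that blocks only the two TCP session ports shows its remaining UDP gap.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 139/tcp and 445/tcp are the session ports a null session rides on;
# 137/udp and 138/udp are the NetBIOS name and datagram services that leak names.
NULL_SESSION_PORTS = [("tcp", 139), ("tcp", 445)]
NETBIOS_UDP_PORTS = [("udp", 137), ("udp", 138)]


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int]         # None matches every destination port
    src: str                     # source network in CIDR notation

    def matches(self, proto: str, dport: int, src_ip: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def evaluate(rules: List[Rule], proto: str, dport: int, src_ip: str,
             default: str = "allow") -> str:
    """The first matching rule decides; otherwise the default policy applies."""
    for r in rules:
        if r.matches(proto, dport, src_ip):
            return r.action
    return default


def exposed_ports(rules: List[Rule], src_ip: str,
                  default: str = "allow") -> List[Tuple[str, int]]:
    """SMB/NetBIOS ports that `src_ip` can still reach through this rule set."""
    return [
        (proto, port)
        for proto, port in NULL_SESSION_PORTS + NETBIOS_UDP_PORTS
        if evaluate(rules, proto, port, src_ip, default) == "allow"
    ]


# Constructed rule sets. PARTIAL_RULES blocks only the session ports from the
# world; COMPLETE_RULES also drops the UDP name and datagram services. Both
# keep SMB reachable from the internal 10.0.0.0/8 management network.
PARTIAL_RULES = [
    Rule("allow", "any", None, "10.0.0.0/8"),
    Rule("deny", "tcp", 139, "0.0.0.0/0"),
    Rule("deny", "tcp", 445, "0.0.0.0/0"),
]
COMPLETE_RULES = PARTIAL_RULES + [
    Rule("deny", "udp", 137, "0.0.0.0/0"),
    Rule("deny", "udp", 138, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("partial", PARTIAL_RULES), ("complete", COMPLETE_RULES)):
        print(name, "exposed to 203.0.113.7:", exposed_ports(rules, "203.0.113.7"))
        print(name, "exposed to 10.1.2.3:  ", exposed_ports(rules, "10.1.2.3"))
```

The default policy is a parameter on purpose: a rule set evaluated under a default-deny policy has no gap to find, and the check makes that assumption explicit instead of hiding it.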

Basically, there are two approaches to network intrusion detection: signature detection and anomaly detection. The signature detection approach uses well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach uses a history of previous network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature so that there is a greater probability of his attack going undetected by the IDS?

A. He can use shellcode that performs a reverse telnet back to his machine
B. He can use a dynamic return address to overwrite the correct value in the target machine's memory
C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice
D. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS

Answer: D. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS

Explanation: ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection. All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be used in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit: the shellcode is encoded with a random key and prefixed with a small decoder, the NOP sled is built from randomly chosen one-byte instructions that are harmless to execute, and the decoder itself is varied between runs. This randomization changes the content, and therefore the signature, of the exploit without changing what it does. The other options change where the payload lands or what it does afterwards, not how its bytes look on the wire. The weak spot of the approach is that a decoder still has to appear in clear and a jump into the sled still has to occur, so rules on decoder patterns and sled entropy, or emulating the payload, can still catch it.
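
The encoding and sled substitution described above, as an added Python example that is not ADMmutate's code: EGG is a placeholder byte string standing in for real shellcode and DECODER_MARKER stands in for the decoder stub, since the point is what a byte-matching IDS sees on the wire, not executing machine code. The list of NOP-equivalent instructions is a small selection of one-byte x86 instructions, and their register side effects are assumed not to matter to the payload.

```python
"""Polymorphic encoding of a payload, in the style of ADMmutate.

Added example, not ADMmutate's code. Two techniques are modelled: the egg is
XOR-encoded with a random key chosen so the encoded egg contains no NUL byte,
and the NOP sled is rebuilt from one-byte x86 instructions that are harmless
in a sled (nop, inc/dec of registers the payload is assumed not to rely on).
"""
import os
import random
from typing import Dict, List, Optional

# One-byte x86 instructions usable as NOP substitutes: 0x90 nop, 0x41..0x47
# inc ecx..edi, 0x48..0x4f dec eax..edi (register effects assumed harmless).
NOP_EQUIVALENTS = [0x90, 0x41, 0x42, 0x43, 0x46, 0x47, 0x48, 0x4a, 0x4b, 0x4e, 0x4f]
DECODER_MARKER = b"<decoder>"            # placeholder for the decoder stub
EGG = b"STAND-IN-EGG:/bin/sh\x00"         # placeholder payload, not shellcode
SIGNATURES = [b"/bin/sh", b"\x90" * 8]   # content rules: the string and a plain sled


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def make_sled(length: int, rng: random.Random) -> bytes:
    """A sled of random NOP-equivalents instead of 0x90 repeated."""
    return bytes(rng.choice(NOP_EQUIVALENTS) for _ in range(length))


def mutate(egg: bytes, sled_len: int = 16, seed: Optional[int] = None,
           key: Optional[int] = None) -> Dict[str, object]:
    """Produce one polymorphic instance: sled + decoder + key + encoded egg."""
    rng = random.Random(seed if seed is not None else int.from_bytes(os.urandom(8), "big"))
    if key is None:
        # A key equal to any egg byte would encode it to 0x00, and the string
        # copy that triggers the overflow usually stops at a NUL.
        key = rng.choice([k for k in range(1, 256) if k not in egg])
    sled = make_sled(sled_len, rng)
    blob = sled + DECODER_MARKER + bytes([key]) + xor_encode(egg, key)
    return {"key": key, "sled": sled, "blob": blob}


def recover(blob: bytes) -> bytes:
    """What the decoder stub does at run time: read the key, restore the egg."""
    i = blob.index(DECODER_MARKER) + len(DECODER_MARKER)
    return xor_encode(blob[i + 1:], blob[i])


def signature_hits(blob: bytes, signatures: List[bytes] = SIGNATURES) -> List[bytes]:
    """Which content signatures a byte-matching IDS would find in `blob`."""
    return [s for s in signatures if s in blob]


if __name__ == "__main__":
    plain = b"\x90" * 16 + EGG
    print("plain exploit hits:", signature_hits(plain))
    for _ in range(3):
        inst = mutate(EGG)
        print(f"key=0x{inst['key']:02x} hits={signature_hits(inst['blob'])} "
              f"recovers={recover(inst['blob']) == EGG}")
```

Each run produces different bytes that decode to the same egg, and the "/bin/sh" rule never fires on the encoded form; what stays constant, and therefore detectable, is the decoder marker, which is exactly where IDS rules for ADMmutate-style payloads have to look.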

Susan has attached to her company's network. She has managed to synchronize her boss's session with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of attack is Susan carrying out?

A. A sniffing attack
B. A spoofing attack
C. A man-in-the-middle attack
D. A denial-of-service attack

Answer: C. A man-in-the-middle attack

Explanation: A man-in-the-middle attack (MITM) is one in which an attacker is able to read, insert and modify at will the messages between two parties without either party knowing that the link between them has been compromised. Susan did all three: she inserted herself into an established session, read the traffic, altered it and forwarded her own version to the server. Sniffing alone (A) is passive and changes nothing; spoofing (B) is forging a source address or identity, which may be a building block of a MITM but is not the whole attack; and nothing was made unavailable, so it is not a denial of service (D).

What do you conclude from the nmap results below?

Starting nmap V. 3.10ALPHA0 ( www.insecure.org/nmap/ )
(The 1592 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
443/tcp    open        https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 91.66 seconds

A. The system is a Windows Domain Controller.
B. The system is not firewalled.
C. The system is not running Linux or Solaris.
D. The system is not properly patched.

Answer: B. The system is not firewalled.

Explanation: Nothing in the output is reported as filtered: every port that is not open is closed, which means the host answered each probe with a TCP RST. A packet filter that silently drops probes would have produced filtered ports, so there is no evidence of a firewall in the path. The open set (ftp, smtp, http, https) is typical of a general-purpose Internet server and shows none of the ports a domain controller listens on (53, 88, 135, 139, 389, 445); nmap explicitly declined to guess the operating system; and no version information is present that would allow any judgement about patch level. One caveat for practitioners: a firewall configured to reject with RST rather than drop looks exactly like "no firewall" in this view.
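
A parser that draws the same conclusion from the scan text, as an added Python example that is not from the original page: NMAP_OUTPUT is the scan from the question laid out as nmap 3.x printed it (the column spacing is constructed), FILTERED_OUTPUT is a constructed contrast case, and the only firewall-related claim the code makes is whether any probe went unanswered.

```python
"""Parse classic nmap text output and state what it shows about filtering.

Added example, not from the page. The parser collects per-port states,
including the "not shown" summary line, and derives the one firewall-related
conclusion the evidence supports: whether any probe went unanswered.
"""
import re
from typing import Dict, List, Tuple

NOT_SHOWN_RE = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: ([\w|]+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)")

NMAP_OUTPUT = """\
Starting nmap V. 3.10ALPHA0 ( www.insecure.org/nmap/ )
(The 1592 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
443/tcp    open        https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 91.66 seconds
"""

# Constructed contrast case: a host behind a dropping packet filter
FILTERED_OUTPUT = """\
(The 1593 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
443/tcp    closed      https
"""


def parse_nmap(text: str) -> Dict[str, object]:
    """Return the listed ports and a count of every port state seen."""
    ports: List[Tuple[int, str, str, str]] = []
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = NOT_SHOWN_RE.search(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
            continue
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service = int(m.group(1)), m.group(2), m.group(3), m.group(4)
            ports.append((port, proto, state, service))
            counts[state] = counts.get(state, 0) + 1
    return {"ports": ports, "counts": counts}


def open_ports(parsed: Dict[str, object]) -> List[int]:
    return [port for port, _, state, _ in parsed["ports"] if state == "open"]


def filtering_evidence(parsed: Dict[str, object]) -> str:
    """Closed means the host answered with RST; filtered means silence. Only
    silence is evidence of a packet filter (or of a host that drops rather
    than rejects, which looks the same from here)."""
    unanswered = sum(n for state, n in parsed["counts"].items() if "filtered" in state)
    if unanswered == 0:
        return "no filtering observed: every probe was answered"
    return f"filtering observed: {unanswered} port(s) filtered"


if __name__ == "__main__":
    for label, text in (("question", NMAP_OUTPUT), ("contrast", FILTERED_OUTPUT)):
        parsed = parse_nmap(text)
        print(label, open_ports(parsed), parsed["counts"], "->", filtering_evidence(parsed))
```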

Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college, has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network.
Why would an attacker try to create a null session with a computer on a network?

A. Enumerate users and shares
B. Install a backdoor for later attacks
C. Escalate his/her privileges on the target server
D. Create a user with administrative privileges for later use

Answer: A. Enumerate users and shares

Explanation: The null session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 Windows vulnerability on the SANS/FBI Top 20 list, null sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Message Block) architecture. You can establish a null session with a Windows (NT/2000/XP) host by connecting to its IPC$ share with an empty user name and password. Such a connection lets you gather the following from the host:
- List of users and groups
- List of machines
- List of shares
- User and host SIDs (Security Identifiers)

None of that requires, or grants, code execution on the target, which rules out B, C and D: a null session is an enumeration step, which is why it belongs to footprinting. The classic way to test for it is "net use \\host\ipc$ "" /u:""" from a Windows machine, or "rpcclient -U "" -N host -c enumdomusers" with the Samba tools. The policy Maurine is asking for is the security option "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (the RestrictAnonymous registry value on NT and 2000).

What is the proper response for a NULL scan if the port is open?

A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response

Answer: F. No response

Explanation: A NULL scan sends a TCP segment with no flags set. RFC 793 requires a segment arriving at a closed port to be answered with a RST, while an open port that receives a segment with none of SYN, RST or ACK set silently discards it. So no response is the expected behaviour for an open port and a RST means closed. Because a packet filter dropping the probe produces the same silence, nmap's -sN reports an unanswered port as open|filtered rather than open. Windows, Cisco IOS and several other stacks do not follow the RFC here and send a RST regardless of port state, so a NULL scan against them shows every port as closed.

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is an excessive number of functions in the source code that might lead to a buffer overflow. These C++ functions do not check bounds. Identify the line of the source code that might lead to a buffer overflow.

A. Line number 31
B. Line number 15
C. Line number 8
D. Line number 14

Answer: B. Line number 15

Explanation: The source listing is not shown on this page. The functions meant are the unbounded C string and input routines that C++ code inherits (strcpy, strcat, sprintf, gets, scanf with a bare %s and the like): each copies until it meets a terminator, with no regard for the size of the destination buffer, so any line that passes attacker-influenced input to one of them is a candidate.



Which DNS resource record can indicate how long any "DNS poisoning" could last?

A. MX
B. SOA
C. NS
D. TIMEOUT

Answer: B. SOA

Explanation: The SOA record carries the zone's serial number, the refresh, retry and expire timers that govern secondary servers, and the minimum field, which RFC 2308 redefined as the negative-caching TTL. Those timers bound how long stale or poisoned data keeps being served: a secondary that cannot reach its primary keeps answering from its last copy for up to expire seconds, and a forged negative answer is cached for at most the smaller of the SOA record's own TTL and its minimum field. For a poisoned positive answer the relevant figure is simply the TTL the resolver accepted on the forged record. MX and NS records carry no timing information beyond their own TTLs, and TIMEOUT is not a DNS record type.
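
The SOA timers described above, read off by an added Python example that is not from the original page. The SOA rdata and the TTLs are constructed; time values accept BIND zone-file suffixes (s, m, h, d, w) as well as plain seconds; the negative-cache rule implemented is the one in RFC 2308 section 5, and the bound on a secondary serving an unrefreshed copy is the EXPIRE field.

```python
"""Read the timers in an SOA record that bound how long stale or poisoned
data can be served.

Added example, not from the page. The SOA rdata below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TIME_PART_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)
TIME_VALUE_RE = re.compile(r"(\d+[smhdw]?)+", re.IGNORECASE)


def parse_ttl(value: str) -> int:
    """'3600' -> 3600, '1h' -> 3600, '1w2d' -> 777600 (BIND zone-file syntax)."""
    if not TIME_VALUE_RE.fullmatch(value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNIT_SECONDS[(unit or "s").lower()]
               for n, unit in TIME_PART_RE.findall(value))


@dataclass(frozen=True)
class SOA:
    mname: str      # primary name server
    rname: str      # responsible person's mailbox
    serial: int
    refresh: int    # how often a secondary checks for a new serial
    retry: int      # how soon it retries after a failed refresh
    expire: int     # how long it keeps answering without a successful refresh
    minimum: int    # negative-caching TTL (RFC 2308)


def parse_soa(rdata: str) -> SOA:
    """Parse the seven SOA rdata fields as written in a zone file."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("SOA rdata needs MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    mname, rname, serial, *timers = parts
    refresh, retry, expire, minimum = (parse_ttl(t) for t in timers)
    return SOA(mname, rname, int(serial), refresh, retry, expire, minimum)


def negative_cache_ttl(soa_record_ttl: int, soa: SOA) -> int:
    """How long a resolver may cache a (possibly forged) NXDOMAIN or NODATA
    answer: the smaller of the SOA record's TTL and its MINIMUM (RFC 2308)."""
    return min(soa_record_ttl, soa.minimum)


def poisoning_bounds(soa_record_ttl: int, soa: SOA,
                     forged_record_ttl: int) -> Dict[str, int]:
    """Upper bounds, in seconds, on how long bad data keeps being served."""
    return {
        "forged_positive_answer_in_resolver_cache": forged_record_ttl,
        "forged_negative_answer_in_resolver_cache": negative_cache_ttl(soa_record_ttl, soa),
        "secondary_serving_unrefreshed_copy": soa.expire,
    }


# Constructed SOA: the two spellings describe the same zone
SOA_NUMERIC = "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300"
SOA_WITH_UNITS = "ns1.example.com. hostmaster.example.com. 2024010101 1h 15m 2w 5m"

if __name__ == "__main__":
    soa = parse_soa(SOA_WITH_UNITS)
    for name, seconds in poisoning_bounds(3600, soa, forged_record_ttl=86400).items():
        print(f"{name}: {seconds}s")
```

A forged positive answer is bounded by a TTL the attacker chose, which is why resolvers cap accepted TTLs; the SOA only tells you how long the zone's own machinery (secondaries, negative caching) will keep repeating something wrong.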

