Topic 4, Enumeration
What tool can crack Windows SMB passwords simply by listening to network traffic?
Select the best answer.
A.
This is not possible
B.
Netbus
C.
NTFSDOS
D.
L0phtcrack
L0phtcrack
Explanation: This is possible with an SMB packet capture module for L0phtcrack and known
weaknesses in the LM hash algorithm.
What does the FIN flag in TCP define?
A.
Used to close a TCP connection
B.
Used to abort a TCP connection abruptly
C.
Used to indicate the beginning of a TCP connection
D.
Used to acknowledge receipt of a previous packet or transmission
Used to close a TCP connection
Explanation: The FIN flag stands for the word FINished. This flag is used to tear down the
virtual connections created using the previous flag (SYN); for this reason, the FIN flag
always appears when the last packets of a connection are exchanged.
Exhibit
Study the log given in the exhibit.
Precautionary measures to prevent this attack would include writing firewall rules.
Of these firewall rules, which among the following would be appropriate?
A.
Disallow UDP 53 in from outside to DNS server
B.
Allow UDP 53 in from DNS server to outside
C.
Disallow TCP 53 in from secondaries or ISP server to DNS server
D.
Block all UDP traffic
Disallow TCP 53 in from secondaries or ISP server to DNS server
Explanation: According to the exhibit, the question is regarding a DNS zone transfer.
Since zone transfers are done over TCP port 53, you should not allow this connection
from outside your organization.
Let's imagine three companies (A, B and C), all competing in a challenging global
environment. Company A and B are working together in developing a product that
will generate a major competitive advantage for them. Company A has a secure DNS
server while company B has a DNS server vulnerable to spoofing. With a spoofing
attack on the DNS server of company B, company C gains access to outgoing emails
from company B. How do you prevent DNS spoofing? (Select the Best Answer.)
A.
Install DNS logger and track vulnerable packets
B.
Disable DNS timeouts
C.
Install DNS Anti-spoofing
D.
Disable DNS Zone Transfer
Install DNS Anti-spoofing
Explanation: Implement DNS anti-spoofing measures to prevent DNS cache pollution
from occurring.
What is the purpose of firewalking?
A.
It's a technique used to discover wireless networks on foot
B.
It's a technique used to map routers on a network link
C.
It's a technique used to discover interfaces in promiscuous mode
D.
It's a technique used to discover what rules are configured on a gateway
It's a technique used to discover what rules are configured on a gateway
Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or
not a particular packet can pass from the attacker's host to a destination host through a
packet-filtering device. This technique can be used to map open or pass-through ports on
a gateway. Moreover, it can determine whether packets with various control information
can pass through a given gateway.
A zone file consists of which of the following Resource Records (RRs)?
A.
DNS, NS, AXFR, and MX records
B.
DNS, NS, PTR, and MX records
C.
SOA, NS, AXFR, and MX records
D.
SOA, NS, A, and MX records
SOA, NS, A, and MX records
Explanation: The zone file typically contains the following records:
SOA – Start Of Authority
NS – Name Server record
MX – Mail eXchange record
A – Address record
An employee wants to bypass detection by a network-based IDS application and
does not want to attack the system containing the IDS application. Which of the
following strategies can the employee use to evade detection by the network-based
IDS application?
A.
Create a ping flood
B.
Create a SYN flood
C.
Create a covert network tunnel
D.
Create multiple false positives
Create a covert network tunnel
Explanation: HTTP tunneling is a technique by which communications performed using
various network protocols are encapsulated using the HTTP protocol, the network protocols
in question usually belonging to the TCP/IP family of protocols. The HTTP protocol
therefore acts as a wrapper for a covert channel that the network protocol being tunneled
uses to communicate. The HTTP stream with its covert channel is termed an HTTP tunnel.
Very few firewalls block outgoing HTTP traffic.
SNMP is a protocol used to query hosts, servers and devices about performance or
health status data. Hackers have used this protocol for a long time to gather a great
amount of information about remote hosts. Which of the following features makes
this possible?
A.
It is susceptible to sniffing
B.
It uses TCP as the underlying protocol
C.
It is used by ALL devices on the market
D.
It uses a community string sent as clear text
It is susceptible to sniffing
It uses a community string sent as clear text
Explanation: SNMP uses UDP, not TCP, and even though many devices use SNMP, not
ALL devices use it, and it can be disabled on most of the devices that do use it. However,
SNMP is susceptible to sniffing, and the community string (which effectively acts as a
password) is sent in clear text.
Study the following exploit code taken from a Linux machine and answer the
questions below:
echo "ingreslock stream tcp nowait root /bin/sh sh -I" > /tmp/x;
/usr/sbin/inetd -s /tmp/x;
sleep 10;
/bin/rm -f /tmp/x AAAA…AAA
In the above exploit code, the command "/bin/sh sh -I" is given.
What is the purpose, and why is "sh" shown twice?
A.
The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd
configuration file.
B.
The length of such a buffer overflow exploit makes it prohibitive for a user to enter
manually. The second sh automates this function.
C.
It checks for the presence of a codeword (setting the environment variable) among the
environment variables.
D.
It is a giveaway by the attacker that he is a script kiddie
The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd
configuration file.
Explanation: What is going on in the above question is that the attacker is trying to write to the
Unix file /tmp/x (his inetd.conf replacement config). He is attempting to add a service
called ingresslock (which doesn't exist), which is "apparently" supposed to spawn a shell on the
port specified by /etc/services for the service "ingresslock". Since ingresslock is a nonexistent
service, if an attempt were made to respawn inetd, the service would error out
on that line (he would have to add the service to /etc/services to suppress the error). Now
the question is asking about /bin/sh sh -i, which produces an error that should read "sh:
/bin/sh: cannot execute binary file"; the -i option places the shell in interactive mode and
cannot be used to respawn itself.
Buffer X in an Accounting application module for Brownies Inc. can contain 200
characters. The programmer makes an assumption that 200 characters are more
than enough. Because there were no proper boundary checks being conducted, Bob
decided to insert 400 characters into the 200-character buffer. (Overflows the buffer).
Below is the code snippet.
How can you protect/fix the problem of your application as shown above?
A.
Because the counter starts with 0, we would stop when the counter is less than 200
B.
Because the counter starts with 0, we would stop when the counter is more than 200
C.
Add a separate statement to signify that if we have written 200 characters to the buffer,
the stack should stop because it can't hold any more data
D.
Add a separate statement to signify that if we have written less than 200 characters to
the buffer, the stack should stop because it can’t hold any more data
Because the counter starts with 0, we would stop when the counter is less than 200
Add a separate statement to signify that if we have written 200 characters to the buffer,
the stack should stop because it can't hold any more data
Explanation: I=199 would be character number 200. The stack holds exactly 200
characters, so there is no need to stop before 200.
Drag the application to match with its correct description.
Exhibit:
While investigating a claim of a user downloading illegal material, the investigator
goes through the files on the suspect's workstation. He comes across a file that is
called file.txt, but when he opens it, he finds the following:
What does this file contain?
A.
A picture that has been renamed with a .txt extension.
B.
An encrypted file.
C.
A uuencoded file.
D.
A buffer overflow.
A buffer overflow.
Explanation: This is a buffer overflow exploit with its "payload" in hexadecimal format.