312-50 Practice Test Questions

763 Questions


Topic 2, Footprinting

System Administrators sometimes post questions to newsgroups when they run into
technical challenges. As an ethical hacker, you could use the information in
newsgroup postings to glean insight into the makeup of a target network. How would
you search for these postings using Google search?

A. Search in Google using the key strings “the target company” and “newsgroups”
B. Search for the target company name at http://groups.google.com
C. Use NNTP websites to search for these postings
D. Search in Google using the key search strings “the target company” and “forums”

Answer: B. Search for the target company name at http://groups.google.com

Explanation: Using http://groups.google.com is the easiest way to access various
newsgroups today. Before http://groups.google.com you had to use special NNTP clients or
subscribe to NNTP-to-web services.

You are footprinting an organization to gather competitive intelligence. You visit the
company’s website for contact information and telephone numbers but do not find them
listed there. You know that they had the entire staff directory listed on their website
12 months ago but now it is not there.
How would it be possible for you to retrieve information from the website that is
outdated?

A. Visit Google’s search engine and view the cached copy.
B. Visit the Archive.org web site to retrieve the Internet archive of the company’s website.
C. Crawl the entire website and store it on your computer.
D. Visit the company’s partners’ and customers’ websites for this information.

Answer: B. Visit the Archive.org web site to retrieve the Internet archive of the company’s website.

Explanation: Archive.org mirrors websites and categorizes them by date and month
depending on the crawl time. Archive.org dates back to 1996. Google is incorrect because
the cache is only as recent as the latest crawl; the cache is overwritten on each
subsequent crawl. Downloading the website is incorrect because that is the same as what
you see online. Visiting customer and partner websites is just bogus. The answer is then
firmly C, archive.org.

According to the CEH methodology, what is the next step to be performed after
footprinting?

A. Enumeration
B. Scanning
C. System Hacking
D. Social Engineering
E. Expanding Influence

Answer: B. Scanning

Explanation: Once footprinting has been completed, scanning should be attempted next.
Scanning should take place on two distinct levels: network and host.

You are footprinting the www.xsecurity.com domain using the Google Search
Engine. You would like to determine what sites link to www.xsecurity.com at the
first level of relevance.
Which of the following operators in Google search will you use to achieve this?

A. Link: www.xsecurity.com
B. serch?l:www.xsecurity.com
C. level1.www.security.com
D. pagerank:www.xsecurity.com

Answer: A. Link: www.xsecurity.com

Explanation: The query [link:] will list webpages that have links to the specified webpage.
For instance, [link:www.google.com] will list webpages that have links pointing to the
Google homepage. Note that there can be no space between "link:" and the web page URL.

Snort has been used to capture packets on the network. On studying the packets,
the penetration tester finds them to be abnormal. If you were the penetration tester, why
would you find this abnormal?
(Note: The student is being tested on concepts learnt during passive OS
fingerprinting, basic TCP/IP connection concepts and the ability to read packet
signatures from a sniffer dump.)

05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:24242
***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400

What is odd about this attack? (Choose the most appropriate statement.)

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is Back Orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. These packets were created by a tool; they were not created by a standard IP stack.

Answer: B. This is Back Orifice activity as the scan comes from port 31337.

Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hacker
spelling of ‘elite’, meaning ‘elite hackers’.

A company security System Administrator is reviewing the network system log files.
He notes the following:
Network log files are at 5 MB at 12:00 noon.
At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?

A. He should contact the attacker’s ISP as soon as possible and have the connection
disconnected.
B. He should log the event as suspicious activity, continue to investigate, and take further
steps according to site security policy.
C. He should log the file size, and archive the information, because the router crashed.
D. He should run a file system check, because the Syslog server has a self-correcting file
system problem.
E. He should disconnect from the Internet to discontinue any further unauthorized use,
because an attack has taken place.

Answer: B. He should log the event as suspicious activity, continue to investigate, and take
further steps according to site security policy.

Explanation: You should never assume a host has been compromised without verification.
Typically, disconnecting a server is an extreme measure and should only be done when it
is confirmed there is a compromise or the server contains such sensitive data that the loss
of service outweighs the risk. Never assume that any administrator or automatic process is
making changes to a system. Always investigate the root cause of the change on the
system and follow your organization’s security policy.

Terrorist organizations are increasingly blocking all traffic from North America or
from Internet Protocol addresses that point to users who rely on the English
language.
Hackers sometimes set a number of criteria for accessing their website. This
information is shared among the co-hackers. For example, if you are using a machine
with the Linux operating system and the Netscape browser then you will have
access to their website in a covert way. When federal investigators using PCs
running Windows and Internet Explorer visited the hackers’ shared site, the
hackers’ system immediately mounted a distributed denial-of-service attack against
the federal system.
Companies today are engaging in tracking competitors through reverse IP address
lookup sites like whois.com, which provide an IP address’s domain. When the
competitor visits the company’s website they are directed to a products page
without discounts and prices are marked higher for their product. When normal users
visit the website they are directed to a page with full-blown product details along
with attractive discounts. This is based on IP-based blocking, where certain
addresses are barred from accessing a site.
What is this masking technique called?

A. Website Cloaking
B. Website Filtering
C. IP Access Blockade
D. Mirrored WebSite

Answer: A. Website Cloaking

Explanation: Website Cloaking travels under a variety of aliases including Stealth, Stealth
scripts, IP delivery, Food Script, and Phantom page technology. It’s hot due to its ability to
manipulate those elusive top-ranking results from spider search engines.

Bill has started to notice some slowness on his network when trying to update his
company’s website while trying to access the website from the Internet. Bill asks the
help desk manager if he has received any calls about slowness from the end users,
but the help desk manager says that he has not. Bill receives a number of calls from
customers that can’t access the company website and can’t purchase anything
online. Bill logs on to a couple of his routers and notices that the logs show
network traffic is at an all-time high. He also notices that almost all the traffic is
originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP originates from. The
Geotrace utility runs a traceroute and finds that the IP is coming from Panama. Bill
knows that none of his customers are in Panama, so he immediately thinks that his
company is under a Denial of Service attack. Now Bill needs to find out more about
the originating IP address.
What Internet registry should Bill look in to find the IP address?

A. LACNIC
B. ARIN
C. RIPELACNIC
D. APNIC

Answer: A. LACNIC

Explanation: LACNIC is the Latin American and Caribbean Internet Addresses Registry
that administers IP addresses, autonomous system numbers, reverse DNS, and other
network resources for that region.

Which one of the following is defined as the process of distributing incorrect
Internet Protocol (IP) addresses/names with the intent of diverting traffic?

A. Network aliasing
B. Domain Name Server (DNS) poisoning
C. Reverse Address Resolution Protocol (ARP)
D. Port scanning

Answer: B. Domain Name Server (DNS) poisoning

Explanation: DNS poisoning is the correct answer. This is how a DNS-based DoS attack can
occur. If the actual DNS records are unattainable to the attacker to alter in this fashion
(which they should be), the attacker can insert the false data into the cache of the
resolving server instead of replacing the actual records; this is referred to as cache
poisoning.

You are footprinting Acme.com to gather competitive intelligence. You visit the
acme.com website for contact information and telephone numbers but do
not find them listed there. You know that they had the entire staff directory listed on
their website 12 months ago but now it is not there. How would it be possible for you
to retrieve information from the website that is outdated?

A. Visit Google search engine and view the cached copy.
B. Visit the Archive.org site to retrieve the Internet archive of the acme website.
C. Crawl the entire website and store it on your computer.
D. Visit the company’s partners’ and customers’ websites for this information.

Answer: B. Visit the Archive.org site to retrieve the Internet archive of the acme website.

Explanation: The Internet Archive (IA) is a non-profit organization dedicated to
maintaining an archive of Web and multimedia resources. Located at the Presidio in San
Francisco, California, this archive includes "snapshots of the World Wide Web" (archived
copies of pages, taken at various points in time), software, movies, books, and audio
recordings (including recordings of live concerts from bands that allow it). This site is found
at www.archive.org.

How does Traceroute map the route that a packet travels from point A to point B?

A. It uses a TCP Timestamp packet that will elicit a time exceeded in transit message.
B. It uses a protocol that will be rejected at the gateways on its way to its destination.
C. It manipulates the value of the time to live (TTL) parameter in the packet to elicit a time
exceeded in transit message.
D. It manipulates flags within packets to force gateways into generating error messages.

Answer: C. It manipulates the value of the time to live (TTL) parameter in the packet to
elicit a time exceeded in transit message.

Explanation: Traceroute works by increasing the "time-to-live" value of each successive
batch of packets sent. The first three packets have a time-to-live (TTL) value of one
(implying that they make a single hop). The next three packets have a TTL value of 2, and
so on. When a packet passes through a host, normally the host decrements the TTL value
by one and forwards the packet to the next host. When a packet with a TTL of one reaches
a host, the host discards the packet and sends an ICMP time exceeded (type 11) packet to
the sender. The traceroute utility uses these returning packets to produce a list of hosts
that the packets have traversed en route to the destination.

Your company trainee Sandra asks you which are the four existing Regional Internet
Registries (RIRs)?

A. APNIC, PICNIC, ARIN, LACNIC
B. RIPE NCC, LACNIC, ARIN, APNIC
C. RIPE NCC, NANIC, ARIN, APNIC
D. RIPE NCC, ARIN, APNIC, LATNIC

Answer: B. RIPE NCC, LACNIC, ARIN, APNIC

Explanation: All other answers include non-existent organizations (PICNIC, NANIC,
LATNIC). See http://www.arin.net/library/internet_info/ripe.html
