Ethical Hacking and Countermeasures
Question No: 501 – (Topic 19)
What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?
Encryption of agent communications will conceal the presence of the agents
The monitor will know if counterfeit messages are being generated because they will not be encrypted
Alerts are sent to the monitor when a potential intrusion is detected
An intruder could intercept and delete data or alerts and the intrusion can go undetected
Question No: 502 – (Topic 19)
Which one of the following attacks will pass through a network layer intrusion detection system undetected?
A teardrop attack
A SYN flood attack
A DNS spoofing attack
A test.cgi attack
Answer: D Explanation:
Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks
Not A or B:
The following sections discuss some of the possible DoS attacks available.
Smurf Fraggle SYN Flood Teardrop
DNS DoS Attacks”
Question No: 503 – (Topic 19)
You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address.
What can be inferred from this output?
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (220.127.116.11) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (18.104.22.168) 13.948 ms ip68-100-0-1.nv.nv.cox.net
(22.214.171.124) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (126.96.36.199) 17.324 ms 12.933 ms 20.938 ms
5 188.8.131.52 (184.108.40.206) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (220.127.116.11) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (18.104.22.168) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (22.214.171.124) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0-gar1.NewYork1.Level3.net (126.96.36.199) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (188.8.131.52) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (184.108.40.206) 21.411 ms 19.133 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (220.127.116.11) 21.203 ms 22.670 ms 20.11 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (18.104.22.168) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (22.214.171.124) 38.894 ms 33.244 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (126.96.36.199) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (188.8.131.52) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (184.108.40.206) 51.897 ms 50.280 ms 53.647 ms
18 example-gwl.customer.alter.net (220.127.116.11) 51.921 ms 51.571 ms 56.855 ms
19 www.ABC.com (18.104.22.168) 52.191 ms 52.571 ms 56.855 ms
20 www.ABC.com (22.214.171.124) 53.561 ms 54.121 ms 58.333 ms
An application proxy firewall
A stateful inspection firewall
A host based IDS
Question No: 504 – (Topic 19)
Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company’s firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.
Why will this not be possible?
Firewalls can’t inspect traffic coming through port 443
Firewalls can only inspect outbound traffic
Firewalls can’t inspect traffic coming through port 80
Firewalls can’t inspect traffic at all, they can only block or allow certain ports
Explanation: In order to really inspect traffic and traffic patterns you need an IDS.
Question No: 505 – (Topic 19)
There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot?
Select the best answers.
Emulators of vulnerable programs
More likely to be penetrated
Easier to deploy and maintain
Tend to be used for production
Tend to be used for research
Answer: A,C,D,E Explanation: Explanations:
A low interaction honeypot would have emulators of vulnerable programs, not the real programs.
A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator.
Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don#39;t usually crash or destroy these types of programs and it would require little maintenance.
A low interaction honeypot tends to be used for production.
Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot.
A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research.
Question No: 506 – (Topic 19)
Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the “Echo” command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page again in vain.
What is the probable cause of Bill’s problem?
The system is a honeypot.
There is a problem with the shell and he needs to run the attack again.
You cannot use a buffer overflow to deface a web page.
The HTML file has permissions of ready only.
Explanation: The question states that Bill had been able to spawn an interactive shell. By
this statement we can tell that the buffer overflow and its corresponding code was enough to spawn a shell. Any shell should make it possible to change the webpage. So we either don’t have sufficient privilege to change the webpage (answer D) or it’s a honeypot (answer A). We think the preferred answer is D
Question No: 507 – (Topic 19)
SSL has been seen as the solution to several common security problems. Administrators will often make use of SSL to encrypt communication from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?
SSL is redundant if you already have IDS in place.
SSL will trigger rules at regular interval and force the administrator to turn them off.
SSL will slow down the IDS while it is breaking the encryption to see the packet content.
SSL will mask the content of the packet and Intrusion Detection System will be blinded.
Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.
Question No: 508 – (Topic 19)
John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever.
John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server.
Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions.
How would Jon protect his network form these types of attacks?
Install a proxy server and terminate SSL at the proxy
Install a hardware SSL “accelerator” and terminate SSL at this layer
Enable the IDS to filter encrypted HTTPS traffic
Enable the firewall to filter encrypted HTTPS traffic
Explanation: By terminating the SSL connection at a proxy or a SSL accelerator and then use clear text the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic.
Question No: 509 – (Topic 19)
Statistics from cert.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies.
What do you think is the main reason behind the significant increase in hacking attempts over the past years?
It is getting more challenging and harder to hack for non technical people.
There is a phenomenal increase in processing power.
New TCP/IP stack features are constantly being added.
The ease with which hacker tools are available on the Internet.
Explanation: Today you don’t need to be a good hacker in order to break in to various systems, all you need is the knowledge to use search engines on the internet.
Question No: 510 – (Topic 19)
John has a proxy server on his network which caches and filters web access. He shuts down all unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack, a network user has successfully connected to a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine. Assuming an attacker wants to penetrate John#39;s network, which of the following options is he likely to choose?
Use Monkey shell
Use reverse shell using FTP protocol
Use HTTPTunnel or Stunnel on port 80 and 443
Explanation: As long as you allow http or https traffic attacks can be tunneled over those protocols with Stunnel or HTTPTunnel.
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|