Ethical Hacking and Countermeasures
Question No: 511 – (Topic 19)
Neil monitors his firewall rules and log files closely on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without consideration for others. Neil knows that he has an updated content filtering system and that such access should not be authorized.
What type of technique might be used by these offenders to access the Internet without restriction?
They are using UDP which is always authorized at the firewall.
They are using tunneling software which allows them to communicate with protocols in a way it was not intended.
They have been able to compromise the firewall, modify the rules, and give themselves proper access.
They are using an older version of Internet Explorer that allows them to bypass the
Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.
Question No: 512 – (Topic 19)
You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why?
A firewall is blocking port 23
You cannot spoof TCP
You need an automated telnet tool
The OS does not reply to telnet even if port 23 is open
Explanation: Explanation: The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states – “open”, “closed”, or “filtered” a port can be in an “open” state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, “You cannot spoof TCP”, well you can spoof TCP, so we strike that out.
Question No: 513 – (Topic 19)
Bob, an Administrator at company was furious when he discovered that his buddy Trent, has launched a session hijack attack against his network, and sniffed on his communication, including administrative tasks suck as configuring routers,
firewalls, IDS, via Telnet.
Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in company.
Based on the above scenario, please choose which would be your corrective measurement actions (Choose two)
Use encrypted protocols, like those found in the OpenSSH suite.
Implement FAT32 filesystem for faster indexing and improved performance.
Configure the appropriate spoof rules on gateways (internal and external).
Monitor for CRP caches, by using IDS products.
Explanation: First you should encrypt the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e- commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim as thus you can implement secondary check to see that the IP does not change in the middle of the session.
Question No: 514 – (Topic 19)
The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C functions do not check bounds. Identify the line the source code that might lead to buffer overflow.
Line number 31.
Line number 15
Line number 8
Line number 14
Question No: 515 – (Topic 19)
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. From the options given below choose the one best interprets the following entry:
Apr 26 06:43:05  IDS181/nops-x86: 18.104.22.168:1351 -gt; 172.16.1.107:53
(Note: The objective of this question is to test whether the student can read basic
information from log entries and interpret the nature of attack.)
Interpret the following entry:
Apr 26 06:43:05 : IDS181/nops-x86: 22.214.171.124:1351 -gt; 172.16.1.107.53
An IDS evasion technique
A buffer overflow attempt
A DNS zone transfer
Data being retrieved from 126.96.36.199.
Explanation: The IDS log file is depicting numerous attacks, however, most of them are from different attackers, in reference to the attack in question, he is trying to mask his activity by trying to act legitimate, during his session on the honeypot, he changes users two times by using the quot;suquot; command, but never triess to attempt anything to severe.
Question No: 516 – (Topic 19)
Blake is in charge of securing all 20 of his company’s servers. He has enabled hardware and software firewalls, hardened the operating systems and disabled all
unnecessary service on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about his since telnet can be a very large security risk in an organization. Blake is concerned about how his particular server might look to an outside attacker so he decides to perform some footprinting scanning and penetration tests on the server. Blake telents into the server and types the following command:
After pressing enter twice, Blake gets the following results: What has the Blake just accomplished?
Grabbed the banner
Downloaded a file to his local computer
Submitted a remote command to crash the server
Poisoned the local DNS cache of the server
Question No: 517 – (Topic 19)
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (188.8.131.52) 12.169 ms 14.958 ms 13.416
3 ip68-98-176-1.nv.nv.cox.net (184.108.40.206) 13.948 ms
ip68-100-0-1.nv.nv.cox.net (220.127.116.11) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (18.104.22.168) 17.324 ms 13.933 ms
5 22.214.171.124 (126.96.36.199) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (188.8.131.52) 16.177 ms 25.943 ms
7 unknown.Level3.net (184.108.40.206) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (220.127.116.11) 17.063 ms 20.960 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (18.104.22.168) 20.334 ms 19.440 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (22.214.171.124) 27.526 ms 18.317
ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (126.96.36.199) 21.411 ms
19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (188.8.131.52) 21.203 ms 22.670 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (184.108.40.206) 30.929 ms 24.858 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (220.127.116.11) 37.894 ms 33.244 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (18.104.22.168) 51.165 ms 49.935 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (22.214.171.124) 50.937 ms 49.005 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (126.96.36.199) 51.897 ms 50.280 ms
18 target-gw1.customer.alter.net (188.8.131.52) 51.921 ms 51.571 ms
19 www.target.com lt;http://www.target.com/gt; (184.108.40.206) 52.191 ms
52.571 ms 56.855 ms
20 www.target.com lt;http://www.target.com/gt; (220.127.116.11) 53.561 ms
54.121 ms 58.333 ms
You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what?
A host based IDS
A stateful inspection firewall
An application proxying firewall
Question No: 518 – (Topic 19)
When referring to the Domain Name Service, what is denoted by a ‘zone’?
It is the first domain that belongs to a company.
It is a collection of resource records.
It is the first resource record type in the SOA.
It is a collection of domains.
Explanation: A reasonable definition of a zone would be a portion of the DNS namespace
where responsibility has been delegated.
Topic 20, Buffer Overflows
Question No: 519 – (Topic 20)
Which of the following built-in C/C functions you should avoid to prevent your program from buffer overflow attacks?
Explanation: When hunting buffer overflows, the first thing to look for is functions which write into arrays without any way to know the amount of space available. If you get to define the function, you can pass a length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-coded maximum amount it will write. If you#39;re using a function someone else (like, say, the compiler vendor) has provided then avoiding functions like gets(), which take some amount of data over which you have no control and stuff it into arrays they can never know the size of, is a good start. Make sure that functions like the str…() family which expect NUL-terminated strings actually get them – store a #39;\0#39; in the last element of each array involved just before you call the function, if necessary.
Strscock() is not a valid C/C function.
Question No: 520 – (Topic 20)
Choose one of the following pseudo codes to describe this statement:
If we have written 200 characters to the buffer variable, the stack should stop
because it cannot hold any more data.
If (I gt; 200) then exit (1)
If (I lt; 200) then exit (1)
If (I lt;= 200) then exit (1)
If (I gt;= 200) then exit (1)