Ethical Hacking and Countermeasures
Question No: 221 – (Topic 5)
How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.
Question No: 222 – (Topic 5)
You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA certification last year, you have steadily been fortifying your network's security, including training, OS hardening and network security. One of the last things you changed for security reasons was to rename all the built-in administrator accounts on the local PCs and in Active Directory. After thorough testing you found that no services or programs were affected by the name changes.
Your company undergoes an outside security audit by a consulting company, and they say that even though all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors that this is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed.
What tool did the auditors use?
Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) on the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more. Because the built-in Administrator account always carries relative identifier (RID) 500, resolving that SID back to a name reveals the account's current name no matter what it was renamed to.
Question No: 223 – (Topic 5)
Which of the following are well-known password-cracking programs? (Choose all that apply.)
Jack the Ripper
John the Ripper
Explanation: L0phtcrack and John the Ripper are two well-known password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking.
Question No: 224 – (Topic 5)
Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three)
Converts passwords to uppercase.
Hashes are sent in clear text over the network.
Makes use of only 32 bit encryption.
Effective length is 7 characters.
Explanation: The LM hash is computed as follows.
1. The user's password as an OEM string is converted to uppercase.
2. This password is either null-padded or truncated to 14 bytes.
3. The "fixed-length" password is split into two 7-byte halves.
4. These values are used to create two DES keys, one from each 7-byte half.
5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values.
6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
The hashes themselves are sent in clear text over the network instead of sending the password in clear text.
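The six steps above are short enough to run end to end. The following Go program is an added example, not part of the original question bank; it implements the LM computation with the standard library's crypto/des, and adds a check (SecondHalfEmpty) that shows why the effective length is 7: for any password of seven characters or fewer, the second 8-byte half is the constant DES output for an all-zero key, so each half can be attacked independently. The OEM code-page conversion in step 1 is simplified to ASCII uppercasing.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext that both DES keys encrypt (step 5).
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is the DES output for an all-zero 7-byte half, i.e. what the
// second half of the hash looks like whenever the password has 7 characters
// or fewer.
const emptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 56 password bits over the 8-byte DES key layout: each
// key byte holds 7 password bits in its high bits; the low (parity) bit is
// ignored by DES and left zero.
func desKeyFrom7(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7[:7] {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return key
}

// LMHash follows the six steps in the explanation and returns the 16-byte
// hash as upper-case hex. Only ASCII passwords are handled here; real OEM
// code-page conversion is out of scope for this example.
func LMHash(password string) string {
	upper := []byte(strings.ToUpper(password)) // step 1
	fixed := make([]byte, 14)                  // step 2: copy truncates, zero-fill pads
	copy(fixed, upper)
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{fixed[:7], fixed[7:]} { // step 3
		block, err := des.NewCipher(desKeyFrom7(half)) // step 4
		if err != nil {
			panic(err) // only possible with a wrong key length, which cannot happen here
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic) // step 5
		out = append(out, ct...)   // step 6
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// SecondHalfEmpty reports whether an LM hash belongs to a password of at most
// 7 characters: the second half then equals the hash of an empty half. This is
// the check an auditor runs over a dumped SAM to find trivially short passwords.
func SecondHalfEmpty(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], emptyHalf)
}

func main() {
	// Constructed sample passwords; "password" is the classic test vector.
	for _, pw := range []string{"", "password", "PassWord", "secret", "correct horse"} {
		h := LMHash(pw)
		fmt.Printf("%-16q %s short=%v\n", pw, h, SecondHalfEmpty(h))
	}
}
```

Running it shows "password" and "PassWord" hashing identically (weakness 1: uppercasing) and "secret" ending in AAD3B435B51404EE (weakness 4: effective length 7).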
Question No: 225 – (Topic 5)
You receive an e-mail with the message displayed in the exhibit.
From this e-mail you suspect that this message was sent by some hacker, since you have been using their e-mail services for the last 2 years and they never sent out an e-mail like this. You also observe the URL in the message and confirm your suspicion about 340590649. You immediately enter the following at the Windows 2000 command
You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL?
Explanation: Convert the number to binary, then take the last 8 bits and convert them to decimal to get the last octet (in this case .5).
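The conversion in the explanation is just the 32-bit address read as one integer, each octet being 8 bits of it. The Go program below is an added example (not from the question bank) that does the conversion in both directions and, going a little beyond the question, also accepts the 0x-hex and leading-zero octal spellings that URL parsers likewise treat as numeric hosts. One caveat: the decimal printed in this question, 340590649, decodes to 20.77.0.57, so a last octet of .5 as stated in the explanation corresponds to a longer (ten-digit) value than the one reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// DecodeNumericHost turns a URL host written as a single integer back into
// dotted-quad form. Base 0 makes strconv accept plain decimal as well as
// 0x-prefixed hex and 0-prefixed octal, which are the other common
// obfuscations of a host in a phishing link.
func DecodeNumericHost(host string) (string, error) {
	n, err := strconv.ParseUint(host, 0, 32)
	if err != nil {
		return "", fmt.Errorf("not a 32-bit numeric host: %w", err)
	}
	// Each octet is one byte of the 32-bit value, most significant first.
	return fmt.Sprintf("%d.%d.%d.%d",
		byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), nil
}

// EncodeDotted is the reverse direction: which integer a dotted address
// would appear as in an obfuscated link.
func EncodeDotted(dotted string) (uint32, error) {
	var a, b, c, d uint8
	if _, err := fmt.Sscanf(dotted, "%d.%d.%d.%d", &a, &b, &c, &d); err != nil {
		return 0, errors.New("not a dotted quad")
	}
	return uint32(a)<<24 | uint32(b)<<16 | uint32(c)<<8 | uint32(d), nil
}

func main() {
	// The question's number plus constructed hex and octal spellings of a
	// private address; none of these is taken from the exhibit.
	for _, h := range []string{"340590649", "3232235777", "0xC0A80101", "030052000401"} {
		ip, err := DecodeNumericHost(h)
		fmt.Printf("%-14s -> %s (err=%v)\n", h, ip, err)
	}
	n, _ := EncodeDotted("192.168.1.1")
	fmt.Println("192.168.1.1 as an integer:", n)
}
```

In a mail gateway or proxy, the same DecodeNumericHost check is a cheap way to flag links whose host is a bare number rather than a name, since legitimate senders rarely write addresses that way.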
Question No: 226 – (Topic 5)
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.
What do you think is the most likely reason behind this?
There is a NIDS present on that segment.
Kerberos is preventing it.
Windows logons cannot be sniffed.
L0phtcrack only sniffs logons to web servers.
Explanation: In a Windows 2000 network using Kerberos you normally use pre-authentication, and the user password never leaves the local machine, so it is never exposed to the network and should not be able to be sniffed.
Question No: 227 – (Topic 5)
E-mail scams and mail fraud are regulated by which of the following?
18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication
Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
Topic 6, Trojans and Backdoors
Question No: 228 – (Topic 6)
You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming.
Which command would you execute to extract the Trojan to a standalone file?
c:\> type readme.txt:virus.exe > virus.exe
c:\> more readme.txt | virus.exe > virus.exe
c:\> cat readme.txt:virus.exe > virus.exe
c:\> list redme.txt$virus.exe > virus.exe
Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe.
Question No: 229 – (Topic 6)
Exhibit: *Missing*
Jason's Web server was attacked by a trojan virus. He runs a protocol analyzer and notices that the trojan communicates with a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping it to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet.
Port 1890 (Net-Devil Trojan)
Port 1786 (Net-Devil Trojan)
Port 1909 (Net-Devil Trojan)
Port 6667 (Net-Devil Trojan)
Explanation: From the trace, 0x1A0B is 6667, IRC (Internet Relay Chat), which is one port used. Other ports are in the 900's.
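Since the exhibit is missing, the following Go program is an added example with a constructed frame (not the exam's packet) that shows where the destination port sits in a raw hexdump: bytes 12-13 of the Ethernet header give the ethertype, the IPv4 header length comes from the IHL nibble, and the TCP destination port is the third and fourth byte of the TCP header. The sample frame carries 1a 0b in that position, so it decodes to 6667 like the question's trace; the addresses in it are constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sampleFrameHex is a constructed Ethernet/IPv4/TCP SYN, not the exam's
// missing exhibit. The TCP destination port bytes are 1a 0b.
const sampleFrameHex = `
00 11 22 33 44 55 66 77 88 99 aa bb 08 00
45 00 00 28 12 34 40 00 40 06 00 00 c0 a8 01 0a c6 33 64 07
c0 00 1a 0b 00 00 00 01 00 00 00 00 50 02 ff ff 00 00 00 00
`

// FrameFromHexDump accepts whitespace-separated hex bytes as printed by a
// protocol analyser and returns the raw frame.
func FrameFromHexDump(dump string) ([]byte, error) {
	return hex.DecodeString(strings.Join(strings.Fields(dump), ""))
}

// TCPDestPort walks the Ethernet and IPv4 headers (honouring IHL, so IP
// options do not shift the offset) and returns the TCP destination port.
func TCPDestPort(frame []byte) (uint16, error) {
	if len(frame) < 14+20 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return 0, errors.New("not an IPv4-over-Ethernet frame")
	}
	ip := frame[14:]
	if ip[0]>>4 != 4 {
		return 0, errors.New("not IPv4")
	}
	ihl := int(ip[0]&0x0F) * 4
	if ihl < 20 || len(ip) < ihl+4 {
		return 0, errors.New("truncated IPv4 header or TCP ports")
	}
	if ip[9] != 6 {
		return 0, fmt.Errorf("protocol %d is not TCP", ip[9])
	}
	tcp := ip[ihl:]
	return binary.BigEndian.Uint16(tcp[2:4]), nil
}

func main() {
	frame, err := FrameFromHexDump(sampleFrameHex)
	if err != nil {
		panic(err)
	}
	port, err := TCPDestPort(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("destination port 0x%04X = %d\n", port, port)
}
```

The same walk is what a NIDS does before it can match a port against a trojan-port list, which is also why the explanation's point about ports being reused by legitimate services (6667 is ordinary IRC) matters: the port alone is a weak indicator and needs the payload or the peer address to confirm.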
Question No: 230 – (Topic 6)
Sniffing is considered an active attack.
Explanation: Sniffing is considered a passive attack.