Ethical Hacking and Countermeasures
Question No: 471 – (Topic 19)
Given the following extract from the snort log on a honeypot, what service is being exploited?
Explanation: The connection is done to 172.16.1.104:21.
Question No: 472 – (Topic 19)
Which of the following are potential attacks on cryptography? (Select 3)
Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will the messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as a stream cipher attack).
Question No: 473 – (Topic 19)
Angela is trying to access an education website that requires a username and password to login. When Angela clicks on the link to access the login page, she gets an error message stating that the page can’t be reached. She contacts the website’s support team and they report that no one else is having any issues with the site.
After handing the issue over to her company’s IT department, it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education’s server. Since Angela’s computer is behind a corporate firewall, her computer can’t ping the education website back.
What can Angela's IT department do to get access to the education website?
Change the IP on Angela’s Computer to an address outside the firewall
Change the settings on the firewall to allow all incoming traffic on port 80
Change the settings on the firewall to allow all outbound traffic on port 80
Use an Internet browser other than the one that Angela is currently using
Explanation: Allowing traffic to and from port 80 will not help, as that is TCP or UDP traffic while ping uses ICMP. The browser used by the user will not make any difference. The only alternative here that would solve the problem is to move the computer outside the firewall.
Question No: 474 – (Topic 19)
While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the intrusion?
Answer: E
Explanation: Convert the hex number to binary and then to decimal. Each octet is two hex digits: the first digit is multiplied by 16, the second by 1, and the two products are added.
0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239.
0xde = 13*16 + 14*1 = 208 + 14 = 222
0xad = 10*16 + 13*1 = 160 + 13 = 173
0xbe = 11*16 + 14*1 = 176 + 14 = 190
0xef = 14*16 + 15*1 = 224 + 15 = 239
Question No: 475 – (Topic 19)
Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks?
Explanation: With Port Security the switch keeps track of which MAC addresses are allowed to send traffic on each port, so a flood of bogus source MACs or a spoofed MAC is rejected at the port.
Question No: 476 – (Topic 19)
An employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by the network-based IDS application?
Create a ping flood
Create a SYN flood
Create a covert network tunnel
Create multiple false positives
Explanation: HTTP tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family. The HTTP protocol therefore acts as a wrapper for a covert channel that the tunneled network protocol uses to communicate. The HTTP stream with its covert channel is termed an HTTP tunnel. Very few firewalls block outgoing HTTP traffic.
Question No: 477 – (Topic 19)
This IDS-defeating technique works by splitting a datagram (or packet) into multiple fragments so that the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for an IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network.
What is this technique called?
IP Fragmentation or Session Splicing
IP Routing or Packet Dropping
IDS Spoofing or Session Assembly
IP Splicing or Packet Reassembly
Explanation: The basic premise behind session splicing, or IP fragmentation, is to deliver the payload over multiple packets, thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild.
Question No: 478 – (Topic 19)
Network Intrusion Detection systems can monitor traffic in real time on networks.
Which one of the following techniques can be very effective at avoiding proper detection?
Fragmentation of packets.
Use of only TCP based protocols.
Use of only UDP based protocols.
Use of fragmented ICMP traffic only.
Explanation: If the default fragmentation reassembly timeout is set higher on the client than on the IDS, then it is possible to send an attack in fragments that will never be reassembled in the IDS but will be reassembled and read on the client computer acting as the victim.
Question No: 479 – (Topic 19)
Given the following extract from the snort log on a honeypot, what do you infer from the attack?
A new port was opened
A new user id was created
The exploit was successful
The exploit was not successful
Explanation: The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.
Question No: 480 – (Topic 19)
You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?
Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map "open" or "pass through" ports on a gateway. Moreover, it can determine whether packets with various control information can pass through a given gateway.