CEHv9 Questions 201-300

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

215 DRAG DROP Drag the term to match with it's description Exhibit:

127

247 You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text "Credit Card" and "password". It then zips all the scanned files and sends an email to a predefined hotmail address. You want to make this Trojan persistent so that it survives computer reboots. Which registry entry will you add a key to make it persistent? A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices B. HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices D. HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices

A 149 Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted. Topic 7, Sniffers

212 How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Splicing B. Session Stealing C. Session Hijacking D. Session Fragmentation

A Explanation: 125

279 Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. Smurf C. Ping of Death D. SYN flood E. SNMP Attack

A Explanation: 168 The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.

257 John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame? A. 0xFFFFFFFFFFFF B. 0xAAAAAAAAAAAA C. 0xBBBBBBBBBBBB D. 0xDDDDDDDDDDDD

A Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame. 155

243 Which definition below best describes a covert channel? A. Making use of a Protocol in a way it was not intended to be used B. It is the multiplexing taking place on communication link C. It is one of the weak channels used by WEP that makes it insecure D. A Server Program using a port that is not well known

A Explanation: A covert channel is a hidden communication channel not intended for information transfer at all. Redundancy can often be used to communicate in a covert way. There are several ways that hidden communication can be set up.

295 Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above? A. Smurf B. Bubonic C. SYN Flood D. Ping of Death

A Explanation: A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network. 177

274 165 Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get password from his client hosts and servers? A. Hardware, Software and Sniffing B. Hardware and Software Keyloggers C. Software only, they are the most effective D. Passwords are always best obtained using Hardware key loggers

A Explanation: All loggers will work as long as he has physical access to the computers. Topic 8, Denial of Service

291 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 1000 D. 1001 E. 1024 F. 512

A Explanation: Because of the way in which Windows functions, the true administrator account always has a RID of 500.

237 John wishes to install a new application onto his Windows 2000 server. He wants to ensure that any application he uses has not been Trojaned. What can he do to help ensure this? A. Compare the file's MD5 signature with the one published on the distribution media B. Obtain the application via SSL C. Compare the file's virus signature with the one published on the distribution media D. Obtain the application from a CD-ROM disc

A Explanation: MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of rfc1321, is: [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128- bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being 142 encrypted with a private (secret) key under a public-key cryptosystem such as RSA. In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

289 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 512 D. 1001 E. 1024 F. 1000

A Explanation: The built-in administrator account always has a RID of 500.

229 What is a Trojan Horse? A. A malicious program that captures your username and password B. Malicious code masquerading as or replacing legitimate code C. An unauthorized user who gains access to your user database and adds themselves as a user D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity

B Explanation: A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

236 In Linux, the three most common commands that hackers usually attempt to Trojan are: A. car, xterm, grep B. netstat, ps, top C. vmware, sed, less D. xterm, ps, nc

B Explanation: The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999- 9/features/rootkits.html

276 Which one of the following instigates a SYN flood attack? 166 A. Generating excessive broadcast packets. B. Creating a high number of half-open connections. C. Inserting repetitive Internet Relay Chat (IRC) messages. D. A large number of Internet Control Message Protocol (ICMP) traces.

B Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.

259 What port number is used by Kerberos protocol? 156 A. 44 B. 88 C. 419 D. 487

B Explanation: Kerberos traffic uses UDP/TCP protocol source and destination port 88.

250 A POP3 client contacts the POP3 server: A. To send mail B. To receive mail C. to send and receive mail D. to get the address to send mail to E. initiate a UDP SMTP connection to read mail

B Explanation: POP is used to receive e-mail.SMTP is used to send e-mail.

240 Sniffing is considered an active attack. A. True B. False

B Explanation: Sniffing is considered a passive attack.

256 Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1? A. ip == 192.168.0.1 and tcp.syn B. ip.addr = 192.168.0.1 and syn = 1 C. ip.addr==192.168.0.1 and tcp.flags.syn D. ip.equals 192.168.0.1 and syn.equals on

C Explanation:

260 Which of the following is not considered to be a part of active sniffing? A. MAC Flooding B. ARP Spoofing C. SMAC Fueling D. MAC Duplicating

C Explanation:

232 After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem? A. Install pactehs B. Setup a backdoor C. Cover your tracks D. Install a zombie for DDOS

C Explanation: As a hacker you don't want to leave any traces that could lead back to you.

210 _____ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer A. Steganography B. Merge Streams C. NetBIOS vulnerability D. Alternate Data Streams

D 124 Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.

213 Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products? A. Covert keylogger B. Stealth keylogger C. Software keylogger D. Hardware keylogger

D Explanation: As the hardware keylogger never interacts with the Operating System it is undetectable by anti-virus or anti-spyware products.

235 You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick of the Trojan. Next you run netstat command to look for open ports and you notice a strange port 6666 open. What is the next step you would do? A. Re-install the operating system. B. Re-run anti-virus software. C. Install and run Trojan removal software. D. Run utility fport and look for the application executable that listens on port 6666.

D Explanation: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. 141

241 A file integrity program such as Tripwire protects against Trojan horse attacks by: A. Automatically deleting Trojan horse programs B. Rejecting packets generated by Trojan horse programs C. Using programming hooks to inform the kernel of Trojan horse behavior D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

D Explanation: Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the 144 original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.

203 Fingerprinting an Operating System helps a cracker because: A. It defines exactly what software you have installed B. It opens a security-delayed window based on the port being scanned C. It doesn't depend on the patches that have been applied to fix existing security holes D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

D Explanation: When a cracker knows what OS and Services you use he also knows which exploits might work on your system. If he would have to try all possible exploits for all possible Operating Systems and Services it would take too long time and the possibility of being detected increases.

266 Daryl is a network administrator working for Dayton Technologies. Since Daryl's background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure. The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then. What tool would work best for Daryl's needs? A. Password sniffer B. L0phtcrack C. John the Ripper D. WinHttrack

A 160 Explanation: L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords. John the Ripper is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types WinHttrack is a offline browser. A password sniffer would give Daryl the passwords when they are changed as it is a web based authentication over a simple form but still it would be more correct to give the users new passwords instead of keeping a copy of the passwords in clear text.

230 You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts. Which of the following commands accomplish this? A. Machine A #yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null Machine B #yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null B. Machine A cat somefile | nc -v -v -l -p 2222 Machine B cat somefile | nc othermachine 2222 138 C. Machine A nc -l -p 1234 | uncompress -c | tar xvfp Machine B tar cfp - /some/dir | compress -c | nc -w 3 machinea 1234 D. Machine A while true : do nc -v -l -s -p 6000 machineb 2 Machine B while true ; do nc -v -l -s -p 6000 machinea 2 done

A Explanation: Machine A is setting up a listener on port 2222 using the nc command and then having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.

281 What happens during a SYN flood attack? A. TCP connection requests floods a target machine is flooded with randomized source address & ports for the TCP ports. B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host's address as both source and destination, and is using the same port on the target host 169 as both source and destination. C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.

A Explanation: To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.

263 How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? A. Covert Channel B. Crafted Channel C. Bounce Channel D. Deceptive Channel

A Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information. 158

220 LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always: A. 0xAAD3B435B51404EE B. 0xAAD3B435B51404AA C. 0xAAD3B435B51404BB D. 0xAAD3B435B51404CC

A Explanation: A problem with LM stems from the total lack of salting or cipher block chaining in the 131 hashing process. To hash a password the first 7 bytes of it are transformed into an 8 byte odd parity DES key. This key is used to encrypt the 8 byte string "KGS!@". Same thing happens with the second part of the password. This lack of salting creates two interesting consequences. Obviously this means the password is always stored in the same way, and just begs for a typical lookup table attack. The other consequence is that it is easy to tell if a password is bigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constant DES hash of 0xAAD3B435B51404EE.

222 Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or decoding the hash. A. Replay Attacks B. Brute Force Attacks C. Cryptography Attacks D. John the Ripper Attacks

A Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.

206 What hacking attack is challenge/response authentication used to prevent? 122 A. Replay attacks B. Scanning attacks C. Session hijacking attacks D. Password cracking attacks

A Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authentication you ensure that captured packets can't be retransmitted without a new authentication.

221 Travis works primarily from home as a medical transcriptions. He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. He uses voice recognition software is processor intensive, which is why he bought the new computer. Travis frequently has to get on the Internet to do research on what he is working on. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to. Travis uses antivirus software, anti-spyware software and always keeps the computer upto- date with Microsoft patches. After another month of working on the computer, Travis computer is even more noticeable slow. Every once in awhile, Travis also notices a window or two pop-up on his screen, but they quickly disappear. He has seen these windows show up, even when he has not been on the Internet. Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. Travis scans his through Windows Explorer and check out the file system, folder by folder to see if there is anything he can find. He spends over four hours pouring over the files and folders and can't find anything but before he gives up, he notices that his computer only has about 10 GB of free space available. Since has drive is a 200 GB hard drive, Travis thinks this is very odd. Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. According to his calculations, he should have around 150 GB of free space. What is mostly likely the cause of Travi's problems? A. Travis's Computer is infected with stealth kernel level rootkit B. Travi's Computer is infected with Stealth Torjan Virus 132 C. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. Logic Bomb's triggered at random times creating hidden data consuming junk files

A Explanation: A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources.

268 161 Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around but the program he is using does not seem to be capturing anything. He pours through the sniffer's manual but can't find anything that directly relates to his problem. Harold decides to ask the network administrator if the has any thoughts on the problem. Harold is told that the sniffer was not working because the agency's network is a switched network, which can't be sniffed by some programs without some tweaking. What technique could Harold use to sniff agency's switched network? A. ARP spoof the default gateway B. Conduct MiTM against the switch C. Launch smurf attack against the switch D. Flood switch with ICMP packets

A Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

244 Spears Technology, Inc is a software development company located in Los Angeles, California. They reported a breach in security, stating that its "security defenses has been breached and exploited for 2 weeks by hackers. "The hackers had accessed and downloaded 90,000 address containing customer credit cards and password. Spears Technology found this attack to be so to law enforcement officials to protect their intellectual property. How did this attack occur? The intruder entered through an employees home machine, which was connected to Spears Technology, Inc's corporate VPN network. The application called BEAST Trojan was used in the attack to open a "Back Door" allowing the hackers undetected access. The security breach was discovered when customers complained about the usage of their credit cards without their knowledge. 146 The hackers were traced back to Beijing China through e-mail address evidence. The credit card information was sent to that same e-mail address. The passwords allowed the hackers to access Spears Technology's network from a remote location, posing as employees. The intent of the attacker was to steal the source code for their VOIP system and "hold it hostage" from Spears Technology, Inc exchange for ransom. The hackers had intended on selling the stolen VOIP software source code to competitors. How would you prevent such attacks from occurring in the future at Spears Technology? A. Disable VPN access to all your employees from home machines B. Allow VPN access but replace the standard authentication with biometric authentication C. Replace the VPN access with dial-up modem access to the company's network D. Enable 25 character complex password policy for employees to access the VPN network.

A Explanation: As long as there is a way in for employees through all security measures you can't be secure because you never know what computer the employees use to access recourses at their workplace.

214 _____ is the process of converting something from one representation to the simplest form. It deals with the way in which systems convert data from one form to another. A. Canonicalization B. Character Mapping C. Character Encoding D. UCS transformation formats

A Explanation: Canonicalization (abbreviated c14n) is the process of converting data that has more than one possible representation into a "standard" canonical representation. This can be done to compare different representations for equivalence, to count the number of distinct data structures (e.g., in combinatorics), to improve the efficiency of various algorithms by eliminating repeated calculations, or to make it possible to impose a meaningful sorting order. 126

265 159 You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network. Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. (http contains "hotmail") && ( http contains "Reply-To") B. (http contains "e-mail" ) && (http contains "hotmail") C. (http = "login.passport.com" ) && (http contains "SMTP") D. (http = "login.passport.com" ) && (http contains "POP3")

A Explanation: Each Hotmail message contains the tag Reply-To:<sender address> and "xxxx-xxxxxx. xxxx.hotmail.com" in the received tag.

208 Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? 123 A. Timestamps B. SMB Signing C. File permissions D. Sequence numbers monitoring

A,B,D Explanation:

292 You have been called to investigate a sudden increase in network traffic at company. It seems that the traffic generated was too heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do 175 you think was the most likely cause behind this sudden increase in traffic? A. A distributed denial of service attack. B. A network card that was jabbering. C. A bad route on the firewall. D. Invalid rules entry at the gateway.

A Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conducting DDos attacks.

299 Hackers usually control Bots through: A. IRC Channel B. MSN Messenger C. Trojan Client Software D. Yahoo Chat E. GoogleTalk

A Explanation: Most of the bots out today has a function to connect to a predetermined IRC channel in order to get orders.

226 Michael is the security administrator for the for ABC company. Michael has been charged with strengthening the company's security policies, including its password policies. Due to certain legacy applications. Michael was only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He has informed the company's employes, however that the new password policy requires that everyone must have complex passwords with at least 14 characters. Michael wants to ensure that everyone is using complex passwords that meet the new security policy requirements. Michael has just logged on to one of the network's domain controllers and is about to run the following command: What will this command accomplish? A. Dumps SAM password hashes to pwd.txt B. Password history file is piped to pwd.txt C. Dumps Active Directory password hashes to pwd.txt D. Internet cache file is piped to pwd.txt

A Explanation: Pwdump is a hack tool that is used to grab Windows password hashes from a remote Windows computer. Pwdump > pwd.txt will redirect the output from pwdump to a text file named pwd.txt 136

245 William has received a Tetris game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Tetris. After William installs the game, he plays it for a couple of hours. The next day, William plays the Tetris game again and notices that his machines have begun to slow down. He brings up his Task Manager and sees the following programs running (see Screenshot): What has William just installed? 147 A. Remote Access Trojan (RAT) B. Zombie Zapper (ZoZ) C. Bot IRC Tunnel (BIT) D. Root Digger (RD)

A Explanation: RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email 148 attachments.

223 You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the 133 office with sensitive information. Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CD's or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken. What software application could you use to hide the data on the CD's and USB flash drives? A. Snow B. File Snuff C. File Sneaker D. EFS

A Explanation: The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.

209 Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. Snow B. Gif-It-Up C. NiceText D. Image Hide

A Explanation: The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.

285 Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet. What could be the most likely cause? A. Someone has spoofed Clive's IP address while doing a smurf attack. B. Someone has spoofed Clive's IP address while doing a land attack. C. Someone has spoofed Clive's IP address while doing a fraggle attack. D. Someone has spoofed Clive's IP address while doing a DoS attack.

A Explanation: The smurf attack, named after its exploit program, is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.

258 When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this? A. macof B. webspy C. filesnarf D. nfscopy

C Explanation: Filesnarf - sniff files from NFS traffic OPTIONS -i interface Specify the interface to listen on. -v "Versus" mode. Invert the sense of matching, to select non-matching files. pattern Specify regular expression for filename matching. expression Specify a tcpdump(8) filter expression to select traffic to sniff. SEE ALSO Dsniff, nfsd

224 You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your network's security including training OS hardening and network security. One of the last things you just changed for security reasons was to modify all the built-in administrator accounts on the local computers of PCs and in Active Directory. After through testing you found and no services or programs were affected by the name changes. Your company undergoes an outside security audit by a consulting company and they said that even through all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed. What tool did the auditors use? 134 A. sid2user B. User2sid C. GetAcct D. Fingerprint

A Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more.

273 Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency's network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agency's wireless network to capture the same amount of traffic. This capture only takes about 30 minutes to get 10 GB of data. Why did capturing of traffic take much less time on the wireless network? A. Because wireless access points act like hubs on a network B. Because all traffic is clear text, even when encrypted C. Because wireless traffic uses only UDP which is easier to sniff D. Because wireless networks can't enable encryption

A Explanation: You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far as possible with no concerns about who might hear it.

267 Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network. Which of the following tool achieves this? A. ./macof B. ./sniffof C. ./dnsiff D. ./switchsnarf

A Explanation: macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

249 A remote user tries to login to a secure network using Telnet, but accidently types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (multiple answer) 150 A. Invalid Username B. Invalid Password C. Authentication Failure D. Login Attempt Failed E. Access Denied

A,B Explanation: As little information as possible should be given about a failed login attempt. Invalid username or password is not desirable.

270 The network administrator at Spears Technology, Inc has configured the default gateway Cisco Router's access-list as below: You are tried to conduct security testing on their network. You successfully brute-force for SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. 163 You want to retrieve the Cisco Configuration from the router. How would you proceed? A. Send a customized SNMP set request with spoofed source IP Address in the range- 192.168.1.0 B. Run a network sniffer and capture the returned traffic with the configuration file from the router C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address D. Use the Cisco's TFTP default password to connect and download the configuration file

A,B Explanation: SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and then sniff the reply from the gateway.

290 If you send a SYN to an open port, what is the correct response?(Choose all correct answers. 174 A. SYN B. ACK C. FIN D. PSH

A,B Explanation: The proper response is a SYN / ACK. This technique is also known as half-open scanning.

269 How do you defend against ARP spoofing? A. Place static ARP entries on servers, workstation and routers B. True IDS Sensors to look for large amount of ARP traffic on local subnets 162 C. Use private VLANS D. Use ARPWALL system and block ARP spoofing attacks

A,B,C Explanation: ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still under construction.

298 The SYN Flood attack sends TCP connections requests faster than a machine can process them. Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victim's connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server How do you protect your network against SYN Flood attacks? A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first. B. RST cookies - The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally. C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16- bytes for the incoming SYN object. D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

A,B,C,D Explanation: All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target. 179

217 One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out? Select the best answers. A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. B. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. C. SYSKEY is an effective countermeasure. D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899. E. Enforcing Windows complex passwords is an effective countermeasure.

A,C,E Explanation: Explanations: John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker. It can crack passwords for many different types of operating systems. However, one limitation is that the output doesn't show if the password is upper or lower case. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this, set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an effective countermeasure. It uses 128 bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters: 0xAAD3B435B51404EE Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case, lower case, special characters, and numbers.

278 What happens when one experiences a ping of death? A. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 18 (Address Mask Reply). 167 B. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ' 8) + (IP data length) >65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. C. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the source equal to destination address. D. This is when an the IP header is set to 1 (ICMP) and the "type" field in the ICMP header is set to 5 (Redirect).

B Explanation: A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.

207 What file system vulnerability does the following command take advantage of? type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. ADS C. NTFS D. Backdoor access

B Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.

294 Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using? A. Henry is executing commands or viewing data outside the intended target path B. Henry is using a denial of service attack which is a valid threat used by an attacker C. Henry is taking advantage of an incorrect configuration that leads to access with higher-thanexpected privilege D. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

B Explanation: Henry's intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more "punch" in the DoS attack if he uses multiple systems.

283 What is the goal of a Denial of Service Attack? A. Capture files from a remote computer. B. Render a network or computer incapable of providing normal service. C. Exploit a weakness in the TCP stack. D. Execute service at PS 1009.

B Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).

227 You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool. The username/password is "Admin" and "Bettlemani@". You logon to the system using the brute forced password and plant backdoors and rootkits. After downloading various sensitive documents from the compromised machine, you proceed to clear the log files to hide your trace.. Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts? A. AppEvent.Evt B. SecEvent.Evt C. SysEvent.Evt D. WinEvent.Evt

B Explanation: The Security Event log (SecEvent.Evt) will contain all the failed logins against the system. Topic 6, Trojans and Backdoors

262 ARP poisoning is achieved in _____ steps A. 1 B. 2 C. 3 D. 4

B Explanation: The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP Address. Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with the routers IP Address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.

231 In the context of Trojans, what is the definition of a Wrapper? A. An encryption tool to protect the Trojan. B. A tool used to bind the Trojan with legitimate file. C. A tool used to encapsulated packets within a new header and footer. D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.

B Explanation: These wrappers allow an attacker to take any executable back-door program and combine it with any legitimate executable, creating a Trojan horse without writing a single line of new code. 139

264 Exhibit: You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply? A. ip = 10.0.0.22 B. ip.src == 10.0.0.22 C. ip.equals 10.0.0.22 D. ip.address = 10.0.0.22

B Explanation: ip.src tells the filter to only show packets with 10.0.0.22 as the source.

261 What is the command used to create a binary log file using tcpdump? A. tcpdump -r log B. tcpdump -w ./log C. tcpdump -vde -r log D. tcpdump -l /var/log/

B Explanation: tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] -w Write the raw packets to file rather than parsing and printing them out. 157

251 Samantha was hired to perform an internal security test of company. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing. Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two) 151 A. Ethernet Zapping B. MAC Flooding C. Sniffing in promiscuous mode D. ARP Spoofing

B,D Explanation: In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

286 What would best be defined as a security test on services against a known vulnerability database using an automated tool? 172 A. A penetration test B. A privacy review C. A server audit D. A vulnerability assessment

D Explanation: Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).

204 In the context of Windows Security, what is a 'null' user? A. A user that has no skills B. An account that has been suspended by the admin C. A pseudo account that has no username and password D. A pseudo account that was created for security administration purpose

C 121 Explanation: NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:* List of users and groups * List of machines * List of shares * Users and host SID' (Security Identifiers) NULL sessions exist in windows networking to allow: * Trusted domains to enumerate resources * Computers outside the domain to authenticate and enumerate users * The SYSTEM account to authenticate and enumerate resources NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.

248 Exhibit: ettercap -NCLzs --quiet What does the command in the exhibit do in "Ettercap"? A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP. C. This command will detach from console and log all the collected passwords from the network to a file. D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

C Explanation: -N = NON interactive mode (without ncurses) -C = collect all users and passwords -L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log" -z = start in silent mode (no arp storm on start up) -s = IP BASED sniffing --quiet = "demonize" ettercap. Useful if you want to log all data in background.

205 What does the following command in netcat do? nc -l -u -p 55555 < /etc/passwd A. logs the incoming connections to /etc/passwd file B. loads the /etc/passwd file to the UDP port 55555 C. grabs the /etc/passwd file when connected to UDP port 55555 D. deletes the /etc/passwd file when connected to the UDP port 55555

C Explanation: -l forces netcat to listen for incoming connections. -u tells netcat to use UDP instead of TCP -p 5555 tells netcat to use port 5555 < /etc/passwd tells netcat to grab the /etc/passwd file when connected to.

277 Global deployment of RFC 2827 would help mitigate what classification of attack? A. Sniffing attack B. Denial of service attack C. Spoofing attack D. Reconnaissance attack E. Prot Scan attack

C Explanation: RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

271 What does the following command in "Ettercap" do? ettercap -NCLzs -quiet A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP C. This command will detach ettercap from console and log all the sniffed passwords to a file D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs

C Explanation: -L specifies that logging will be done to a binary file and -s tells us it is running in script mode.

293 SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature for SYN Flood attack is: A. The source and destination address having the same value. B. The source and destination port numbers having the same value. C. A large number of SYN packets appearing on a network without the corresponding reply packets. D. A large number of SYN packets appearing on a network with the corresponding reply packets.

C Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable. 176

233 Which of the following statements would not be a proper definition for a Trojan Horse? A. An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user. B. A legitimate program that has been altered by the placement of unauthorized code within it; this code perform functions unknown (and probably unwanted) by the user. C. An authorized program that has been designed to capture keyboard keystrokes while the user remains unaware of such an activity being performed. D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

C Explanation: A Trojan is all about running unauthorized code on the users computer without the user knowing of it.

297 Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses from internal hosts request but simply responses coming from the Internet. What could be the likely cause of this? A. Someone Spoofed Peter's IP Address while doing a land attack B. Someone Spoofed Peter's IP Address while doing a DoS attack C. Someone Spoofed Peter's IP Address while doing a smurf Attack D. Someone Spoofed Peter's IP address while doing a fraggle attack 178

C Explanation: An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

252 Ethereal works best on ____________. A. Switched networks B. Linux platforms C. Networks using hubs D. Windows platforms E. LAN's

C Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.

216 You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the information in and where? Select the best answer. A. %windir%\\etc\\services B. system32\\drivers\\etc\\services C. %windir%\\system32\\drivers\\etc\\services D. /etc/services E. %windir%/system32/drivers/etc/services

C Explanation: Explanations: %windir%\\system32\\drivers\\etc\\services is the correct place to look for this information. 128

288 How does a denial-of-service attack work? A. A hacker tries to decipher a password by using a system, which subsequently crashes the network B. A hacker attempts to imitate a legitimate user by confusing a computer or even another person 173 C. A hacker prevents a legitimate user (or group of users) from accessing a service D. A hacker uses every character, word, or letter he or she can think of to defeat authentication

C Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).

246 John wants to try a new hacking tool on his Linux System. As the application comes from a site in his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which of the following options would indicate the best course of action for John? A. Obtain the application via SSL B. Obtain the application from a CD-ROM disc C. Compare the files' MD5 signature with the one published on the distribution media D. Compare the file's virus signature with the one published on the distribution media

C Explanation: In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

284 What do you call a system where users need to remember only one username and password, and be authenticated for multiple services? A. Simple Sign-on B. Unique Sign-on C. Single Sign-on D. Digital Certificate 171

C Explanation: Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

253 152 The follows is an email header. What address is that of the true originator of the message? Return-Path: <[email protected]> Received: from smtp.com (fw.emumail.com [215.52.220.122]. by raq-221-181.ev1.net (8.10.2/8.10.2. with ESMTP id h78NIn404807 for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500 Received: (qmail 12685 invoked from network.; 8 Aug 2003 23:25:25 -0000 Received: from ([19.25.19.10]. by smtp.com with SMTP Received: from unknown (HELO CHRISLAPTOP. (168.150.84.123. by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 From: "Bill Gates" <[email protected]> To: "mikeg" <[email protected]> Subject: We need your help! Date: Fri, 8 Aug 2003 19:12:28 -0400 Message-ID: <51.32.123.21@CHRISLAPTOP> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950" X-Priority: 3 (Normal. X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal 153 A. 19.25.19.10 B. 51.32.123.21 C. 168.150.84.123 D. 215.52.220.122 E. 8.10.2/8.10.2

C Explanation: Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the

255 Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files? A. Snort B. argus C. TCPflow D. Tcpdump 154

C Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

234 You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS 140 streaming. Which command would you execute to extract the Trojan to a standalone file? A. c:\> type readme.txt:virus.exe > virus.exe B. c:\> more readme.txt | virus.exe > virus.exe C. c:\> cat readme.txt:virus.exe > virus.exe D. c:\> list redme.txt$virus.exe > virus.exe

C Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe

225 John Beetlesman, the hacker has successfully compromised the Linux System of Agent Telecommunications, Inc's WebServer running Apache. He has downloaded sensitive documents and database files off the machine. Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting. for ((i=0;i<1;i++));do ?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda done What exactly is John trying to do? A. He is making a bit stream copy of the entire hard disk for later download B. He is deleting log files to remove his trace C. He is wiping the contents of the hard disk with zeros D. He is infecting the hard disk with random virus strings

C Explanation: dd copies an input file to an output file with optional conversions. -if is input file, -of is output file. /dev/zero is a special file that provides as many null characters (ASCII NULL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive. 135

211 LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP? A. Stop the LM service in Windows XP B. Disable LSASS service in Windows XP C. Disable LM authentication in the registry D. Download and install LMSHUT.EXE tool from Microsoft website

C Explanation: http://support.microsoft.com/kb/299656

275 The evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is attempting to perform? A. Syn flood B. Smurf C. Ping of death D. Fraggle

C Reference: http://insecure.org/sploits/ping-o-death.html

201 You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assesments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation? A. Reconfigure the firewall B. Conduct a needs analysis C. Install a network-based IDS D. Enforce the corporate security policy

D Explanation: The security policy is meant to always be followed until changed. If a need rises to perform actions that might violate the security policy you'll have to find another way to accomplish the task or wait until the policy has been changed.

242 Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt. $ nc -l -p 1026 -u -v In response, he sees the following message. cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found 47 Critical Errors. To fix the errors please do the following: 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry Repair 3. Run Registry Repair 4. Reboot your computer FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION! What would you infer from this alert? A. The machine is redirecting traffic to www.reg-patch.com using adware B. It is a genuine fault of windows registry and the registry needs to be backed up C. An attacker has compromised the machine and backdoored ports 1026 and 1027 D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

D 145 Explanation: The "net send" Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a "university diploma service"...

287 A Buffer Overflow attack involves: A. Using a trojan program to direct data traffic to the target host's memory stack B. Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users C. Using a dictionary to crack password buffers by guessing user names and passwords D. Poorly written software that allows an attacker to execute arbitrary code on a target system

D Explanation: B is a denial of service. By flooding the data buffer in an application with trash you could get access to write in the code segment in the application and that way insert your own code.

282 What is the term 8 to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim? A. Fraggle Attack B. Man in the Middle Attack C. Trojan Horse Attack D. Smurf Attack E. Back Orifice Attack

D Explanation: Trojan and Back orifice are Trojan horse attacks. Man in the middle spoofs the Ip and redirects the victems packets to the cracker The infamous Smurf attack. preys on ICMP's capability to send 170 traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address. Network Intrusion Detection third Edition by Stephen Northcutt and Judy Novak pg 70 The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

300 Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The tool size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform? A. Smurf B. Fraggle C. SYN Flood D. Ping of Death

D Explanation: A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

280 A denial of Service (DoS) attack works on the following principle: A. MS-DOS and PC-DOS operating system utilize a weaknesses that can be compromised and permit them to launch an attack easily. B. All CLIENT systems have TCP/IP stack implementation weakness that can be compromised and permit them to lunch an attack easily. C. Overloaded buffer systems can easily address error conditions and respond appropriately. D. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State). E. A server stops accepting connections from certain networks one those network become flooded.

D Explanation: Denial-of-service (often abbreviated as DoS) is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web site. This can be done by exercising a software bug that causes the software running the service to fail (such as the "Ping of Death" attack against Windows NT systems), sending enough data to consume all available network bandwidth (as in the May, 2001 attacks against Gibson Research), or sending data in such a way as to consume a particular resource needed by the service.

238 Exhibit: * Missing* Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet? A. Port 1890 (Net-Devil Trojan) B. Port 1786 (Net-Devil Trojan) C. Port 1909 (Net-Devil Trojan) D. Port 6667 (Net-Devil Trojan)

D Explanation: From trace, 0x1A0B is 6667, IRC Relay Chat, which is one port used. Other ports are in the 900's.

202 What is GINA? 120 A. Gateway Interface Network Application B. GUI Installed Network Application CLASS C. Global Internet National Authority (G-USA) D. Graphical Identification and Authentication DLL

D Explanation: In computing, GINA refers to the graphical identification and authentication library, a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.

254 Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options? A. RSA, LSA, POP B. SSID, WEP, Kerberos C. SMB, SMTP, Smart card D. Kerberos, Smart card, Stanford SRP

D Explanation: Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.

239 Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? 143 A. Netcat -h -U B. Netcat -hU <host(s.> C. Netcat -sU -p 1-1024 <host(s.> D. Netcat -u -v -w2 <host> 1-1024 E. Netcat -sS -O target/1024

D Explanation: The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 <host> 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.

272 Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows Platform you must install a packet capture library. What is the name of this library? 164 A. PCAP B. NTPCAP C. LibPCAP D. WinPCAP

D Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

219 Samuel is the network administrator of DataX communications Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder's IP address for a period of 24 hours time after more than three unsuccessful attempts. He is confident that this rule will secure his network hackers on the Internet. But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use. 130 Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address. This action will slow the intruder's attempts. Samuel wants to completely block hackers brute force attempts on his network. What are the alternatives to defending against possible brute-force password attacks on his site? A. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. Enforce complex password policy on your network so that passwords are more difficult to brute force D. You can't completely block the intruders attempt if they constantly switch proxies

D Explanation: Without knowing from where the next attack will come there is no way of proactively block the attack. This is becoming a increasing problem with the growth of large bot nets using ordinary workstations and home computers in large numbers.

228 Assuring two systems that are using IPSec to protect traffic over the internet, what type of general attack could compromise the data? A. Spoof Attack B. Smurf Attack C. Man in the Middle Attack D. Trojan Horse Attack E. Back Orifice Attack

D,E Explanation: To compromise the data, the attack would need to be executed before the encryption takes place 137 at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.

218 In the following example, which of these is the "exploit"? 129 Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites. Select the best answer. A. Microsoft Corporation is the exploit. B. The security "hole" in the product is the exploit. C. Windows 2003 Server D. The exploit is the hacker that would use this vulnerability. E. The documented method of how to use the vulnerability to gain unprivileged access.

E Explanation: Explanations: Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.

296 Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack? Select the best answer. A. He should disable unicast on all routers B. Disable multicast on the router C. Turn off fragmentation on his router D. Make sure all anti-virus protection is updated on all systems E. Make sure his router won't take a directed broadcast

E Explanation: Explanations: Unicasts are one-to-one IP transmissions, by disabling this he would disable most network transmissions but still not prevent the smurf attack. Turning of multicast or fragmentation on the router has nothing to do with Peter's concerns as a smurf attack uses broadcast, not multicast and has nothing to do with fragmentation. Anti-virus protection will not help prevent a smurf attack. A smurf attack is a broadcast from a spoofed source. If directed broadcasts are enabled on the destination all the computers at the destination will respond to the spoofed source, which is really the victim. Disabling directed broadcasts on a router can prevent the attack.


Kaugnay na mga set ng pag-aaral

Anatomy & Physiology Part 2 Exam 1

View Set

Formation and Elimination of Synapses

View Set

Respiratory (PrepU Ch17+19, Saunders, uWorld)

View Set

VOICE OVER INTERNET PROTOCOL (VoIP) FUNDAMENTALS BCOC D10

View Set

Trigonometry - Solving Trig Equations

View Set

Chapter 27: Life in Two City-States (Athens and Sparta)

View Set