Ethical Hacking Module 11


An attacker conducts a normal port scan on a host and detects protocols used by a Windows operating system and protocols used by a Linux operating system. Which of the following might this indicate? Protocol anomalies Cache poisoning A legitimate host A honeypot

A honeypot

Which of the following best describes a honeypot? A honeypot is a substitute for an IDS or firewall and protects a system. Virtual honeypots can only simulate one entity on a single device. A honeypot is a server/client-based application that manipulates packets. A honeypot's purpose is to look like a legitimate network resource.

A honeypot's purpose is to look like a legitimate network resource.

Frank, an attacker, has gained access to your network. He decides to cause an illegal instruction. He watches the timing to handle an illegal instruction. Which of the following is he testing for? A virtual machine A Snort inline A Fake AP A Tarpit

A virtual machine

Which of the following IDS detection types compare behavior to baseline profiles or network behavior baselines? Anomaly-based Cloud-based Signature-based Protocol-based

Anomaly-based

User-Mode-Linux (UML) is an open-source tool used to create virtual machines. It's efficient for deploying honeypots. One of the big issues with UML is that it doesn't use a real hard disk, but a fake IDE device called /dev/ubd*. How can an attacker find a UML system? Attackers detect a honeypot by measuring the execution time of the read() system call. Attackers cause an illegal instruction, then watch how it is handled. Attackers look for specific video cards, display adapters, and network cards. Attackers need to take a look at the /etc/fstab file or execute the mount command.

Attackers need to take a look at the /etc/fstab file or execute the mount command.

Firewalls, whether hardware or software, are only as effective as their __________? Configuration Footprint Location Organization

Configuration

An attacker is attempting to determine whether a system is a honeypot. Which of the following actions should the attacker take? Simulate echo, FTP, Telnet, SMTP, HTTP, POP3, and Radmin. Attempt to exploit or upload a rootkit or Trojan to a server. Craft a malicious probe packet to scan for services. Capture raw packet-level data, including the keystrokes.

Craft a malicious probe packet to scan for services.

Robin, an IT technician, has implemented identification and detection techniques based on the ability to distinguish legitimate traffic from illegitimate traffic over the network. Which of the following is he trying to achieve? Defend the network against natural disasters Defend the network against WPA/WPA2 cracking Defend the network from attacks Defend the network against IDS evasions

Defend the network against IDS evasions

Which of the following best describes a stateful inspection? Offers secure connectivity between many entities and uses encryption to provide an effective defense against sniffing. Determines the legitimacy of traffic based on the state of the connection from which the traffic originated. Allows all internal traffic to share a single public IP when connecting to an outside entity. Designed to sit between a host and a web server and communicate with the server on behalf of the host.

Determines the legitimacy of traffic based on the state of the connection from which the traffic originated.

Ping of death, teardrop, SYN flood, Smurf, and fraggle are all examples of which of the following? DoS attack categories DoS attack prevention DoS attack types DoS attack tools

DoS attack types

Which of the following is the process of determining the configuration of ACLs by sending a firewall TCP and UDP packets? Banner grabbing Packet filtering Port scanning Firewalking

Firewalking

You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use? Tunneling Traffic IQ Professional KFSensor Firewalking

Firewalking

Jin, a penetration tester, was hired to perform a black box penetration test. He decides to test their firewall. Which of the following techniques should he use first? DoS attack Firewalking Footprinting Hoaxing

Footprinting

What are the two types of Intrusion Detection Systems (IDSs)? HIDS and NIDS HID and NID HIP and NIP HIS and NIS

HIDS and NIDS

Jessica needs to set up a firewall to protect her internal network from the Internet. Which of the following would be the best type of firewall for her to use? Software Hardware Tunneling Stateful

Hardware

Which of the following honeypot interaction levels simulate all service and applications and can be completely compromised by attackers to get full access to the system in a controlled area? Medium-level Low-level Critical-level High-level

High-level

Lorena, the CIO, wants to ensure that the company's security practices and policies match well with their firewall security configuration for maximum protection against hacking. Which of the following actions should Lorena take? Hire a penetration tester Purchase a different firewall Do nothing. The company's data is safe Implement new security practices and policies

Hire a penetration tester

Mark, an ethical hacker, is looking for a honeypot tool that will simulate a mischievous protocol such as devil or mydoom. Which of the following honeypot tools should he use? KFSensor HoneyBOT Honeyd HoneyDrive

HoneyBOT

Ports that show a particular service running but deny a three-way handshake connection indicate the potential presence of which of the following? Trojan Honeypot Cavity Zombie

Honeypot

Which of the following is a physical or virtual network device set up to masquerade as a legitimate network resource? Server Firewall Honeypot Switch

Honeypot

You are on a Windows system. You receive an alert that a file named MyFile.txt.exe had been found. Which of the following could this indicate? Compliance-based IDS Cloud-based IDS Host-based IDS Network-based IDS

Host-based IDS

Which of the following firewall limitations is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside the organization? Inability to protect from internal attacks Inability to inspect the packet's payload Inability to detect the keep the state status Inability to prevent spoofing

Inability to detect the keep the state status

Which of the following honeypot interaction levels can't be compromised completely and is generally set to collect information about attacks like network probes and worms? Medium-level High-level Low-level Critical-level

Low-level

Which of the following is another name for the signature-based detection method? Digital signature Identity detection Obfuscation Misuse detection

Misuse detection

Which of the following is a sign of a network-based intrusion? Missing logs or logs with incorrect permissions/ownership Unknown files, altered file attributes, and/or alteration of the files themselves Suspect, unrecognized file extensions, or double extensions New or unusual protocols and services running

New or unusual protocols and services running

An older technique for defeating honeypots is to use tarpits, which sometimes operate at different levels of the OSI model, depending on their function. Which of the following layers of the OSI model do tarpits work at? OSI layers 2 (Data Link), 3 (Network), and 4 (Transport) OSI layers 1 (Physical), 4 (Transport), and 6 (Presentation) OSI layers 2 (Data Link), 4 (Transport), and 7 (Application) OSI layers 1 (Physical), 3 (Network), and 5 (Session)

OSI layers 2 (Data Link), 4 (Transport), and 7 (Application)

Penetration testing is a practice conducted by an ethical hacker to see how an organization's security policies and security practices measure up to the organization's actual overall successful system security. When can an ethical hacker start the penetration test? Once all the legal contracts are signed, formalities are settled, and permissions are given Once all the legal contracts are signed and you scope out the penetration testing project Once you have established an extensive plan, formalities are settled, and permissions are given Once you have had the project planning meetings and all the legal contracts are signed

Once all the legal contracts are signed, formalities are settled, and permissions are given

Which of the following best describes a proxy server? Operates at Layers 5 (Session) and 7 (Application) of the OSI model. Operates at Layer 7 (Application) of the OSI model. Operates at Layers 3 (Network) and 4 (Transport) of the OSI model. Operates at Level 5 (Session) of the OSI model.

Operates at Layer 7 (Application) of the OSI model.

Which of the following firewall technologies operates at Layers 3 (Network) and 4 (Transport) of the OSI model? Packet filtering Circuit level gateway VPN Application level

Packet filtering

Allen, the network administrator, needs a tool that can do network intrusion prevention and intrusion detection, capture packets, and monitor information. Which of the following tools would he most likely select? Cain & Abel Nmap Nessus Snort

Snort

Julie is looking for a honeypot detection tool that is capable of packet manipulation. Which of the following tools should she use? Bait and switch Honeyd Sebek Snort inline

Snort inline

ARP, DNS, and IP are all examples of which of the following? IDS detection methods Session hijacking methods Malware detection methods Spoofing methods

Spoofing methods

IP address spoofing, fragmentation attacks, using proxy servers, ICMP tunneling, and ACK tunneling are all examples of which of the following firewall penetration testing techniques? Footprinting TCP packet filtering Banner grabbing Firewalking

TCP packet filtering

Which of the following best describes source routing? The packet's sender investigates the route that a packet takes through the network. The packet's sender designates the route that a packet should take through the network. The packet's sender eliminates the route that a packet should take through the network. The packet's sender has no control over the route that a packet takes through the network.

The packet's sender designates the route that a packet should take through the network.

An IDS can perform many types of intrusion detections. Three common detection methods are signature-based, anomaly-based, and protocol-based. Which of the following best describes protocol-based detection? This detection method analyzes network traffic for common patterns referred to as signatures. This detection method can include malformed messages and sequencing errors. This detection method notices when behavior goes outside an acceptable range. This detection compares behavior to baseline profiles or network behavior baselines.

This detection method can include malformed messages and sequencing errors.

Which of the following tools enables security professionals to audit and validate the behavior of security devices? Fragment Packets MTU offset TCP ACK Scan Traffic IQ Professional

Traffic IQ Professional

An IT technician receives an IDS alert on the company network she manages. A seemingly random user now has administration privileges in the system, some files are missing, and other files seem to have just been created. Which of the following alerts did this technician receive? False negative True positive False positive True negative

True positive

When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command? nmap -D RND:01 target_IP_address nmap -D RND:10 target_IP_address nmap -S RND:20 target_IP_address nmap -S RND:11 target_IP_address

nmap -D RND:10 target_IP_address

Nmap provides many commands and scripts that are used to evade firewalls and intrusion detection systems. Which of the following is the proper nmap command to use the decoy option? nmap -P0 -sl 1.1.1.1:1234 10.10.10.1 nmap -D RND:25 10.10.10.1 nmap -f 10.10.10.1 nmap -sA 10.10.10.1

nmap -D RND:25 10.10.10.1

